PCF Ops Manager v2.4 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2019.

How to Upgrade

The Upgrading Pivotal Cloud Foundry topic contains instructions for upgrading to Pivotal Cloud Foundry (PCF) Ops Manager v2.4.

Releases

2.4.11

  • [Security Fix] Bumps stemcell to 170.69 to resolve USN-3977-1.
  • [Feature] Operators can override the NATS max payload using the Ops Manager API. For more information, see Updating director and Iaas properties (Experimental) in the Ops Manager API documentation.
  • [Bug Fix] Ops Manager does not allow a revert on upgrade without deploying the BOSH Director.
  • [Bug Fix] Dropdowns for certain VM types are easier to use.
  • [Bug Fix] UAA session timeouts obey the access or refresh token lifetime.

Ops Manager v2.4.11 uses the following component versions:

Component        Version
Ops Manager      2.4-build.202*
Stemcell         170.69*
BBR SDK          1.7.1
BOSH Director    268.2.3
BOSH DNS         1.10.0
Metrics Server   0.0.22
CredHub          2.1.6
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              60.13
BPM              0.12.3
Networking       8
OS Conf          20.0.0
AWS CPI          72
Azure CPI        35.4.0
Google CPI       27.0.1
OpenStack CPI    39
vSphere CPI      51.1.0
BOSH CLI         5.5.0
Credhub CLI      2.4.0
BBR CLI          1.5.1*
* Components marked with an asterisk have been updated.

2.4.10

  • [Bug Fix]: You can now log in to Ops Manager when you have set up Ops Manager with LDAP over SSL.
  • [Bug Fix]: Apply Changes no longer fails if copying credentials to CredHub takes longer than ten minutes.
  • [Bug Fix]: Exporting installation settings no longer causes the BOSH Director to incorrectly show that it has staged changes.
  • [Bug Fix]: Harbor now installs successfully on deployments that already have PKS installed. For more information about Harbor, see VMware Harbor Registry.
  • [Bug Fix]: Operators can no longer change persistent disk size to custom values.

Ops Manager v2.4.10 uses the following component versions:

Component        Version
Ops Manager      2.4-build.192*
Stemcell         170.51*
BBR SDK          1.7.1
BOSH Director    268.2.3*
BOSH DNS         1.10.0
Metrics Server   0.0.22
CredHub          2.1.6*
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              60.13
BPM              0.12.3
Networking       8
OS Conf          20.0.0
AWS CPI          72
Azure CPI        35.4.0
Google CPI       27.0.1
OpenStack CPI    39
vSphere CPI      51.1.0
BOSH CLI         5.5.0*
Credhub CLI      2.4.0
BBR CLI          1.5.0
* Components marked with an asterisk have been updated.

2.4.9

  • This patch contains no new features or fixes. It updates Ops Manager components to address dependency requirements for other products.

Ops Manager v2.4.9 uses the following component versions:

Component        Version
Ops Manager      2.4-build.180*
Stemcell         170.48*
BBR SDK          1.7.1
BOSH Director    268.2.2
BOSH DNS         1.10.0
Metrics Server   0.0.22
CredHub          2.1.5*
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              60.13
BPM              0.12.3
Networking       8
OS Conf          20.0.0
AWS CPI          72
Azure CPI        35.4.0
Google CPI       27.0.1
OpenStack CPI    39
vSphere CPI      51.1.0
BOSH CLI         5.4.0
Credhub CLI      2.4.0
BBR CLI          1.5.0
* Components marked with an asterisk have been updated.

2.4.8

  • [Bug Fix]: You can configure Azure deployments to use Availability Zones after upgrading from an earlier version.

Ops Manager v2.4.8 uses the following component versions:

Component        Version
Ops Manager      2.4-build.177*
Stemcell         170.45*
BBR SDK          1.7.1
BOSH Director    268.2.2
BOSH DNS         1.10.0
Metrics Server   0.0.22
CredHub          2.1.2
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              60.13
BPM              0.12.3
Networking       8
OS Conf          20.0.0
AWS CPI          72
Azure CPI        35.4.0
Google CPI       27.0.1
OpenStack CPI    39
vSphere CPI      51.1.0
BOSH CLI         5.4.0
Credhub CLI      2.4.0*
BBR CLI          1.5.0*
* Components marked with an asterisk have been updated.

2.4.7

  • [Security Fix]: This patch addresses CVE-2019-5418, a Rails file content disclosure vulnerability.
  • [Security Fix]: This patch addresses CVE-2019-5419, a Rails vulnerability that could lead to denial of service (DoS) attacks.
  • [Security Fix]: Ops Manager operators cannot set secrets that do not match the constraints defined by the must_match_regex parameter.
  • [Bug Fix]: When a redeploy is triggered by Apply Changes and that redeploy lasts multiple days, logs are generated for that entire time.
  • [UI Improvement]: The notification banner that appears when a certificate in your deployment is about to expire is updated for clarity.

Ops Manager v2.4.7 uses the following component versions:

Component        Version
Ops Manager      2.4-build.171*
Stemcell         170.39*
BBR SDK          1.7.1
BOSH Director    268.2.2
BOSH DNS         1.10.0
Metrics Server   0.0.22
CredHub          2.1.2
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              60.13*
BPM              0.12.3
Networking       8
OS Conf          20.0.0
AWS CPI          72
Azure CPI        35.4.0
Google CPI       27.0.1
OpenStack CPI    39
vSphere CPI      51.1.0
BOSH CLI         5.4.0
Credhub CLI      2.3.0*
BBR CLI          1.4.0
* Components marked with an asterisk have been updated.

2.4.6

  • [Security Fix]: The BOSH Director’s UAA client now requires HTTPS for inbound connection requests.

Ops Manager v2.4.6 uses the following component versions:

Component        Version
Ops Manager      2.4-build.168*
Stemcell         170.38*
BBR SDK          1.7.1
BOSH Director    268.2.2
BOSH DNS         1.10.0
Metrics Server   0.0.22
CredHub          2.1.2
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              60.12*
BPM              0.12.3
Networking       8
OS Conf          20.0.0
AWS CPI          72
Azure CPI        35.4.0
Google CPI       27.0.1
OpenStack CPI    39
vSphere CPI      51.1.0
BOSH CLI         5.4.0
Credhub CLI      2.2.1
BBR CLI          1.4.0
* Components marked with an asterisk have been updated.

2.4.5

  • [Security Fix]: Updates bootstrap from 3.4.0 to 3.4.1.

Ops Manager v2.4.5 uses the following component versions:

Component        Version
Ops Manager      2.4-build.163*
Stemcell         170.30*
BBR SDK          1.7.1
BOSH Director    268.2.2
BOSH DNS         1.10.0
Metrics Server   0.0.22
CredHub          2.1.2
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              60.9
BPM              0.12.3
Networking       8
OS Conf          20.0.0
AWS CPI          72
Azure CPI        35.4.0
Google CPI       27.0.1
OpenStack CPI    39
vSphere CPI      51.1.0
BOSH CLI         5.4.0
Credhub CLI      2.2.1
BBR CLI          1.4.0*
* Components marked with an asterisk are updated.

2.4.4

  • [New Feature]: Operators can now rotate the NATS Certificate Authority (CA).
  • [New Feature]: You can now change a selected option of a selector via the API using the human-readable name of the option. Send a PUT to /api/v0/staged/products/:guid/properties with a selected_option key. The PUT API endpoint can also parse both value, for the human-readable value, and option_value, for the machine-readable value.
  • [New Feature]: All NATS CA public keys and their expiration dates now appear in the UI and API. Create a new root certificate, deploy the BOSH Director, and visit /api/v0/deployed/certificates or the credentials tab of the BOSH Director to view them.
  • [New Feature]: Tile authors can now implement user-facing warnings that display when a pre-delete or post-deploy errand is implemented. Use the impact_warning key in pre_delete_errands or post_deploy_errands to specify a warning.
  • [Bug Fix]: When an Azure-based Ops Manager Director is configured with invalid Azure account credentials (such as a subscription ID, tenant, or other credentials) and you try to create a network, you now see an error message, rather than a 500 error.
  • [Bug Fix]: Reverts the Azure CPI to 35.4 to resolve a customer issue.

Ops Manager v2.4.4 uses the following component versions:

Component        Version
Ops Manager      2.4-build.152*
Stemcell         170.24 (Xenial)
BBR SDK          1.7.0
BOSH Director    268.2.2
BOSH DNS         1.10
Metrics Server   0.0.22
CredHub          2.1.2*
Syslog           11.4
UAA              60.9
AWS CPI          72
Azure CPI        35.4*
GCP CPI          27.0.1
OpenStack CPI    39
vSphere CPI      51.1*
* Components marked with an asterisk are updated.

2.4.3

  • [Security Fix]: A potential XSS vulnerability in the resource_config API endpoint is mitigated.
  • [New Feature]: Tile authors can now use a double-parens accessor to pull information from Ops Manager. Use the (($ops_manager.restricted_view_api_access_credentials)) to make read-only, non-credential requests to Ops Manager.
  • [New Feature]: You can now use the BOSH Backup and Restore (BBR) CLI from the Ops Manager VM. This means you no longer have to download or upgrade BBR when you upgrade the Ops Manager VM.
  • [Bug Fix]: Ops Manager now reloads NGINX when the configuration is updated. Previously, Ops Manager would restart NGINX, which could cause temporary downtime. NGINX now serves traffic consistently when it is updating.
  • [Bug Fix]: Ops Manager now uses GCP images that are located in the United States. This should prevent image object generation problems sometimes seen in images based in Europe and Asia.

Ops Manager v2.4.3 uses the following component versions:

Component        Version
Ops Manager      2.4-build.145*
Stemcell         170.24 (Xenial)
BBR SDK          1.7.0
BOSH Director    268.2.2*
BOSH DNS         1.10
Metrics Server   0.0.22*
CredHub          2.0.2
Syslog           11.4
UAA              60.9
AWS CPI          72
Azure CPI        35.5
GCP CPI          27.0.1
OpenStack CPI    39
vSphere CPI      51.0.4
* Components marked with an asterisk are updated.

2.4.2

  • [Bug Fix]: Tile authors can now get the VM type catalog via a double parens accessor.
  • [Bug Fix]: You can now change the Ops Manager decryption passphrase consistently.
  • [Bug Fix]: The AWS verifier now fails gracefully, rather than crashing on failure.
  • [Bug Fix]: /api/v0/deployed/director/manifest now works during upgrades.
  • [Bug Fix]: You can no longer export via the API without having deployed anything.
  • [UI Improvement]: Notification banners now have a more consistent appearance.
  • [UI Improvement]: In the Ops Manager API, some malformed properties now return more reader-friendly error messages.

Ops Manager v2.4.2 uses the following component versions:

Component        Version
Ops Manager      2.4-build.142*
Stemcell         170.9 (Xenial)
BBR SDK          1.7.0
BOSH Director    268.2.1
BOSH DNS         1.10
Metrics Server   0.0.21
CredHub          2.0.2
Syslog           11.4
UAA              60.9*
AWS CPI          72
Azure CPI        35.5
GCP CPI          27.0.1
OpenStack CPI    39
vSphere CPI      51.0.4
* Components marked with an asterisk are updated.

2.4.1

  • [Security Fix]: GETs to any Ops Manager or UAA API endpoint no longer return any information about the web server, including version numbers.
  • [New Feature]: Ops Manager operators with sufficient permissions to see credentials can send a GET to director/properties, director/iaas_configurations/guid, director/iaas_configurations, or products/guid/properties with the redact=false parameter to see an API response that includes credentials.
  • [New Feature]: You can use a checkbox on the Director Settings page to opt in to running the drain lifecycle when deploying the BOSH Director. Alternatively, in the API, send a GET to /api/v0/staged/director/properties; a new property under director_configuration called skip_director_drain shows the status of this checkbox.
  • [Feature Improvement]: More detailed selector properties are now available from the API through a new field called selected_value. This field returns the selected machine-readable option name.
  • [Bug Fix]: The PUT /api/v0/settings/ssl_certificate API docs are now correct.

Ops Manager v2.4.1 uses the following component versions:

Component        Version
Ops Manager      2.4-build.131*
Stemcell         170.9 (Xenial)
BBR SDK          1.7.0
BOSH Director    268.2.1
BOSH DNS         1.10
Metrics Server   0.0.21
CredHub          2.0.2
Syslog           11.4*
UAA              60.8
AWS CPI          72
Azure CPI        35.5
GCP CPI          27.0.1
OpenStack CPI    39
vSphere CPI      51.0.4*
* Components marked with an asterisk are updated.

2.4.0

Ops Manager v2.4.0 uses the following component versions:

Component        Version
Ops Manager      2.4-build.117*
Stemcell         170.9 (Xenial)*
BBR SDK          1.7.0
BOSH Director    268.2.1
BOSH DNS         1.10
Metrics Server   0.0.21
CredHub          2.0.2
Syslog           11.3
UAA              60.8
AWS CPI          72
Azure CPI        35.5
GCP CPI          27.0.1
OpenStack CPI    39
vSphere CPI      51.0.2
* Components marked with an asterisk are updated.

New Features in Ops Manager v2.4

Ops Manager v2.4 includes the following major features:

Ops Manager Allows Multiple Simultaneous Administrators

Multiple Ops Manager administrators can use Ops Manager at the same time, to reconfigure and manage a PCF deployment. For more information, see Managing Simultaneous Ops Manager Administrators.

Ops Manager Uses CredHub v2.0

BOSH CredHub, the instance that manages credentials on the Ops Manager VM, now uses CredHub v2.0. For more information about where your credentials are stored, see BOSH CredHub.

CredHub v2.0 includes bug fixes, improved security, and new options for managing credential permissions. These updates are not directly visible to PCF operators, but CredHub v2.0 introduces breaking changes for tile and service authors. For more information, see the PCF v2.4 Partners Release Notice in the PCF Tile Developer Guide.

Operators Can Search for Certificates by Expiration Date in CredHub

The find command in the CredHub CLI supports filtering searches for certificates by their expiration date. This command returns any certificate values visible to the requester, including certificates that have already expired.

To search for certificates by their expiration date, run the find command with the following parameter:

credhub find expires_within_days=NUMBER-OF-DAYS

Where NUMBER-OF-DAYS is an integer representing the upper limit of days you are searching within for expiring certificates.

For example:

$ credhub find expires_within_days=5

Pivotal Images Publish to AWS China

Users on AWS China accounts can now access downloads from Pivotal Network on their AWS China console. Find specific Ops Manager images in your AWS China console by searching for the AMI IDs for those images.

Operators Can Select or Deselect All Products For Deployment

The Ops Manager Review Pending Changes page has a Select All Products checkbox. Enabling the checkbox selects all available products to deploy with the next Apply Changes. Disabling the checkbox deselects all products from deploying.

For more information, see Review Pending Changes Page.

Consistent Syslog Panes in Ops Manager and BOSH Director

The Syslog pane in Ops Manager’s Settings menu and in the BOSH Director tile are now identical. The Syslog pane in the Settings menu allows syslog configuration for Ops Manager, and the Syslog pane in the BOSH Director tile allows configuration for the BOSH Director exclusively. For more information, see Settings Page.

Both of these panes use the new Syslog form template available to all tile authors. For more information about the template, see Syslog Form Template Available for Tile Authors.

Files Used During Previous Deployments Are Available From the API

You can now view the details from previous deployments for manifests and cloud, runtime, and CPI configs, from new API endpoints. This can be useful for troubleshooting or duplicating historical configurations for a deployment.

For more information, see Getting BOSH manifests from historical installations in the Ops Manager API documentation.

Staged and Current Config Details Are Available During Upgrade From the API

You can now use the API to access various aspects of your deployment during an upgrade, when the rest of your deployment is unavailable. The CPI configs, runtime configs, cloud config, and manifest are all available during upgrade from the Ops Manager API.

For more information, see Staged BOSH Director and Staged Products in the Ops Manager API documentation.

Syslog Form Template Available for Tile Authors

Tile authors can insert a templatized Syslog form into their tiles by using the opsmanager_syslog key in their tile’s metadata.yml. The pane that the form creates is identical to the Syslog pane in Ops Manager and the BOSH Director tile. The form template is an opportunity to make tile users’ experience more consistent and secure.

For more information about modifying metadata.yml, see Property Template References.

The BOSH Director Supports Custom BOSH Releases

You can now add custom BOSH releases to a BOSH Director by modifying a deployment’s manifest.yml. Custom BOSH releases can enhance antivirus capabilities, add security features, or support monitoring features. The BOSH Director supports custom and standard BOSH releases, but all releases referenced in a manifest must be available at an HTTP address, either locally hosted or available on the internet. You cannot upload a second BOSH release directly to Ops Manager.

To learn more about adding BOSH releases to a BOSH Director, see Deploying Software with BOSH.

Note: If a hosted BOSH release is no longer available but not removed from Ops Manager, it may cause the BOSH Director not to boot or Apply Changes to fail.

BOSH DNS Config Page in the BOSH Director Tile

The BOSH Director tile has a new page for configuring BOSH DNS. The BOSH DNS Config page lets you specify recursor addresses the DNS server should not use, enforce a recursor timeout, and add custom DNS handlers.

For more information, see BOSH DNS Config Page in the GCP documentation, or find an entry for that page in the documentation for any IaaS.

Note: BOSH DNS replaces Consul DNS, which had caused stability issues in some deployments. PCF v2.0 through v2.3 progressively phased out Consul DNS, and v2.4 completes its removal. For more information, see the Pivotal Application Service v2.3 Release Notes.

Associate an Instance Group with Multiple Networks or Diego Cells Simultaneously

You can use the resource_config API endpoint to associate multiple networks to Diego cells or instance groups. Define the networks as usual with the Ops Manager UI or API, and then set the networks for a job with the additional_networks key in the API. This workflow supports complex container networking integrations, including precise management of per-instance group network settings for sets of VMs.

For more information, see Retrieving resources for a job.

Swap Partition Size Is Configurable From the API

You can customize the size of the swap partition of a VM’s memory as a percent of total memory size per instance group. This allows more refined control of memory allocation across a deployment.

For more information, see Retrieving resources for a job in the Ops Manager API documentation.

SAML Certificate Expiration Information Is Available From the API

You can view the expiration date for your SAML service provider certificate with the /api/v0/deployed/certificates endpoint, or use a different endpoint to rotate the certificates.

For more information, see Getting Information About Certificates from Products.

BOSH Director Can Require All Deployments To Trust Ops Manager Root Certificate Authority

You can enable BOSH Director to include the Ops Manager root certificate authority certificate in the trust store of every VM it deploys. This forces each VM to trust the Ops Manager root CA certificate by default.

For more information, see the Security section of the BOSH Director configuration topic for your IaaS.

Notification Banner Appears When A Certificate Nears Expiration

Now a notification banner appears in the Ops Manager UI when a certificate needs to be rotated or replaced.

IaaS-Specific Global CPI Properties Are Configurable From the API

You can provide additional global CPI properties via the additional_cloud_properties endpoint in the Ops Manager API. This allows you to set properties that would otherwise be unavailable in Ops Manager. The specific CPI properties you can set vary depending on your IaaS.

After adding new global CPI properties, you can view the global CPI properties in use by sending a GET to /api/v0/staged/director/iaas_configurations.

For more information, see Updating Director and IaaS Properties.

Known Issues

Custom Banner Does Not Display On All Ops Manager Pages

You can set a custom banner to display on Ops Manager. Due to a visualization issue in Ops Manager, the custom banner does not display on the Stemcell library, Review Pending Changes, Change Log, and Previous Installation History pages.

BOSH Process Manager Fails to Start Job Process with Exit Status 1

Some Monit processes fail to start, and the bpm.log shows an exit status of 1 with no other cause for the failure.

BOSH Process Manager (BPM) calls runC to create a new container and launch a job process. However, runC cannot start the container because there is a stale state.json in /var/vcap/bpm/runc/CONTAINER-ID/state.json, where state.json is a zero-byte file. When running runC manually to start the job process, runC has an EOF error and the exit status is 1. runC fails to read the state.json and exits.

To resolve this issue, delete the zero-byte state.json file by deleting its parent directory with the following command:

rm -rf /var/vcap/data/bpm/runc/MJRHG---

Then run monit start JOB to start the job process and review the job logs to check if there are any further failures.

For more information, see BPM fails to start job process with exit status 1 in the Pivotal Knowledge Base.
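
The check-and-clean step from this known issue as a script, added here as an example and not taken from BPM or Pivotal: it lists container directories under the runC state root whose state.json is zero bytes, and removes them only when DRY_RUN=0. The default root is the directory from the rm command above (an assumption), and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not BPM or Ops Manager code): find and clear the stale
# zero-byte runC state files described in the known issue above.

# Assumption: the default root is the directory used in the page's rm command.
BPM_RUNC_ROOT_DEFAULT=/var/vcap/data/bpm/runc

# Print ROOT/CONTAINER-ID for every zero-byte regular file
# ROOT/CONTAINER-ID/state.json. The search depth is pinned and symlinks are
# not followed, so nothing outside the expected layout is reported.
find_stale_bpm_state() {
    root=${1:-$BPM_RUNC_ROOT_DEFAULT}
    [ -d "$root" ] || return 0
    find "$root" -mindepth 2 -maxdepth 2 -type f -name state.json -size 0 \
        -exec dirname {} \;
}

# Remove each stale container directory. DRY_RUN defaults to 1, which only
# reports what would be removed; set DRY_RUN=0 to delete.
clear_stale_bpm_state() {
    root=${1:-$BPM_RUNC_ROOT_DEFAULT}
    # Collect the list first so find is never walking a tree being deleted.
    stale=$(find_stale_bpm_state "$root") || return 1
    [ -n "$stale" ] || return 0
    printf '%s\n' "$stale" | while IFS= read -r dir; do
        # Re-check right before deleting: a job that started in the meantime
        # has written a non-empty state.json and must be left alone.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        [ -f "$dir/state.json" ] && [ ! -s "$dir/state.json" ] || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would remove %s\n' "$dir"
        else
            rm -rf -- "$dir" && printf 'removed %s\n' "$dir"
        fi
    done
}

# Command-line use: sh SCRIPT list [ROOT]   or   DRY_RUN=0 sh SCRIPT clear [ROOT]
case ${1:-} in
    list)  find_stale_bpm_state "${2:-}" ;;
    clear) clear_stale_bpm_state "${2:-}" ;;
esac
```

Review the dry-run output before setting DRY_RUN=0, then run monit start JOB for the affected job as described above.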

API Documentation Updates

Ops Manager v2.4 includes the following updates to the API. Some of these updates are referenced in the New Features section.

Updated Sections

The following existing sections of the API documentation are updated in Ops Manager v2.4:

Note: In Ops Manager v2.4, the excluded_recursors API endpoints have moved. This could cause some scripts to break. For more information, see Excluded Recursors API Field Has Moved.

New Sections

The following sections are new in Ops Manager v2.4:
