PCF Ops Manager v2.4 Release Notes
Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2019.
The Upgrading Pivotal Cloud Foundry topic contains instructions for upgrading to Pivotal Cloud Foundry (PCF) Ops Manager v2.4.
- [Security Fix]: The BOSH Director’s UAA client now requires HTTPS for inbound connection requests.
Ops Manager v2.4.6 uses the following component versions:

| Component | Version |
|---|---|
| BBR CLI | 1.4.0 |

\* Components marked with an asterisk have been updated.

- [Security Fix]: Updates bootstrap from 3.4.0 to 3.4.1.
Ops Manager v2.4.5 uses the following component versions:

| Component | Version |
|---|---|
| BBR CLI | 1.4.0* |

\* Components marked with an asterisk are updated.

- [New Feature]: Operators can now rotate the NATS Certificate Authority (CA).
- [New Feature]: You can now change a selected option of a selector via the API using the human-readable name of the option. Send a PUT to
PUT API endpoint can also parse both `value`, for the human-readable value, and `option_value`, for the machine-readable value.
- [New Feature]: All NATS CA public keys and their expiration dates now appear in the UI and API. Create a new root certificate, deploy the BOSH Director, and visit `/api/v0/deployed/certificates` or the credentials tab of the BOSH Director to view them.
- [New Feature]: Tile authors can now implement user-facing warnings that display when a pre-delete or post-deploy errand is implemented. Use the `post_deploy_errands` to specify a warning.
- [Bug Fix]: When an Azure-based Ops Manager Director is configured with invalid Azure account credentials (such as a subscription ID, tenant, or other credentials) and you try to create a network, you now see an error message, rather than a 500 error.
- [Bug Fix]: Reverts the Azure CPI to 34.4 to resolve a customer issue.
Ops Manager v2.4.4 uses the following component versions:

| Component | Version |
|---|---|
| vSphere CPI | 51.1* |

\* Components marked with an asterisk are updated.

- [Security Fix]: A potential XSS vulnerability in the `resource_config` API endpoint is mitigated.
- [New Feature]: Tile authors can now use a double-parens accessor to pull information from Ops Manager. Use the `(($ops_manager.restricted_view_api_access_credentials))` to make read-only, non-credential requests to Ops Manager.
- [New Feature]: You can now use the BOSH Backup and Restore (BBR) CLI from the Ops Manager VM. This means you no longer have to download or upgrade BBR when you upgrade the Ops Manager VM.
- [Bug Fix]: Ops Manager now reloads NGINX when the configuration is updated. Previously, Ops Manager would restart NGINX, which could cause temporary downtime. NGINX now serves traffic consistently when it is updating.
- [Bug Fix]: Ops Manager now uses GCP images that are located in the United States. This should prevent image object generation problems sometimes seen in images based in Europe and Asia.
Ops Manager v2.4.3 uses the following component versions:

| Component | Version |
|---|---|
| vSphere CPI | 51.0.4 |

\* Components marked with an asterisk are updated.

- [Bug Fix]: Tile authors can now get the VM type catalog via a double parens accessor.
- [Bug Fix]: You can now change the Ops Manager decryption passphrase consistently.
- [Bug Fix]: The AWS verifier now fails gracefully, rather than crashing on failure.
- [Bug Fix]: `/api/v0/deployed/director/manifest` now works during upgrades.
- [Bug Fix]: You can no longer export via the API without having deployed anything.
- [UI Improvement]: Notification banners now have a more consistent appearance.
- [UI Improvement]: In the Ops Manager API, some malformed properties now return more reader-friendly error messages.
Ops Manager v2.4.2 uses the following component versions:

| Component | Version |
|---|---|
| vSphere CPI | 51.0.4 |

\* Components marked with an asterisk are updated.

- [Security Fix]: GETs to any Ops Manager or UAA API endpoint no longer return any information about the web server, including version numbers.
- [New Feature]: Ops Manager operators with sufficient permissions to see credentials can send a GET to
`redact=false` parameter to see an API response that includes credentials.
- [New Feature]: You can use a checkbox on the Director Settings page to opt in to running the `drain` lifecycle when deploying the BOSH Director. Alternatively, in the API, send a GET to `/api/v0/staged/director/properties` to see a new property under `skip_director_drain` to see the status of this checkbox.
- [Feature Improvement]: More detailed selector properties are now available from the API through a new field called `selected_value`. This field returns the selected machine-readable option name.
- [Bug Fix]: The PUT `/api/v0/settings/ssl_certificate` API docs are now correct.
Ops Manager v2.4.1 uses the following component versions:

| Component | Version |
|---|---|
| vSphere CPI | 51.0.4* |

\* Components marked with an asterisk are updated.

Ops Manager v2.4.0 uses the following component versions:

| Component | Version |
|---|---|
| vSphere CPI | 51.0.2 |

\* Components marked with an asterisk are updated.

Ops Manager v2.4 includes the following major features:
Multiple Ops Manager administrators can use Ops Manager at the same time, to reconfigure and manage a PCF deployment. For more information, see Managing Simultaneous Ops Manager Administrators.
BOSH CredHub, the instance that manages credentials on the Ops Manager VM, now uses CredHub v2.0. For more information about where your credentials are stored, see BOSH CredHub.
CredHub v2.0 includes bug fixes, improved security, and new options for managing credential permissions. These updates are not directly visible to PCF operators, but CredHub v2.0 introduces breaking changes for tile and service authors. For more information, see the PCF v2.4 Partners Release Notice in the PCF Tile Developer Guide.
The `find` command in the CredHub CLI supports filtering searches for certificates by their expiration date. This command returns any certificate values visible to the requester, including certificates that have already expired.
To search for certificates by their expiration date, run the `find` command with the following parameter:

```
credhub find expires_within_days=NUMBER-OF-DAYS
```

NUMBER-OF-DAYS is an integer representing the upper limit of days you are searching within for expiring certificates.

```
$ credhub find expires_within_days=5
```

Users on AWS China accounts can now access downloads from Pivotal Network on their AWS China console. Find specific Ops Manager images in your AWS China console by searching for the AMI IDs for those images.
The Ops Manager Review Pending Changes page has a Select All Products checkbox. Enabling the checkbox selects all available products to deploy with the next Apply Changes. Disabling the checkbox deselects all products from deploying.
For more information, see Review Pending Changes Page.
The Syslog pane in Ops Manager’s Settings menu and in the BOSH Director tile are now identical. The Syslog pane in the Settings menu allows syslog configuration for Ops Manager, and the Syslog pane in the BOSH Director tile allows configuration for the BOSH Director exclusively. For more information, see Settings Page.
Both of these panes use the new Syslog form template available to all tile authors. For more information about the template, see Syslog Form Template Available for Tile Authors.
You can now view the details from previous deployments for manifests and cloud, runtime, and CPI configs, from new API endpoints. This can be useful for troubleshooting or duplicating historical configurations for a deployment.
For more information, see Getting BOSH manifests from historical installations in the Ops Manager API documentation.
You can now use the API to access various aspects of your deployment during an upgrade, when the rest of your deployment is unavailable. The CPI configs, runtime configs, cloud config, and manifest are all available during upgrade from the Ops Manager API.
Tile authors can insert a templatized Syslog form into their tiles by using the `opsmanager_syslog` key in their tile’s `metadata.yml`. The pane that the form creates is identical to the Syslog pane in Ops Manager and the BOSH Director tile. The form template is an opportunity to make tile users’ experience more consistent and secure.
For more information about modifying `metadata.yml`, see Property Template References.
You can now add custom BOSH releases to a BOSH Director by modifying a deployment’s `manifest.yml`. Custom BOSH releases can enhance antivirus capabilities, add security features, or support monitoring features. The BOSH Director supports custom and standard BOSH releases, but all releases referenced in a manifest must be available at an HTTP address, either locally hosted or available on the internet. You cannot upload a second BOSH release directly to Ops Manager.
To learn more about adding BOSH releases to a BOSH Director, see Deploying Software with BOSH.
Note: If a hosted BOSH release is no longer available but not removed from Ops Manager, it may cause the BOSH Director not to boot or Apply Changes to fail.
The BOSH Director tile has a new page for configuring BOSH DNS. The BOSH DNS Config page lets you specify recursor addresses the DNS server should not use, enforce a recursor timeout, and add custom DNS handlers.
For more information, see BOSH DNS Config Page in the GCP documentation, or find an entry for that page in the documentation for any IaaS.
Note: BOSH DNS replaces Consul DNS, which had caused stability issues in some deployments. PCF v2.0 through v2.3 progressively phased out Consul DNS, and v2.4 completes its removal. For more information, see the Pivotal Application Service v2.3 Release Notes.
You can use the `resource_config` API endpoint to associate multiple networks to Diego cells or instance groups. Define the networks as usual with the Ops Manager UI or API, and then set the networks for a job with the `additional_networks` key in the API. This workflow supports complex container networking integrations, including precise management of per-instance group network settings for sets of VMs.
For more information, see Retrieving resources for a job.
You can customize the size of the swap partition of a VM’s memory as a percent of total memory size per instance group. This allows more refined control of memory allocation across a deployment.
For more information, see Retrieving resources for a job in the Ops Manager API documentation.
You can view the expiration date for your SAML service provider certificate with the `/api/v0/deployed/certificates` endpoint, or use a different endpoint to rotate the certificates.
For more information, see Getting Information About Certificates from Products.
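
The following is an added example, not part of the original release notes or any Pivotal code. It applies the expiry-window semantics described for `credhub find` (an upper limit in days, with already-expired certificates included) to the kind of expiration data the `/api/v0/deployed/certificates` endpoint is described as exposing. The JSON field names and certificate names are assumptions, and the inventory is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample inventory, not output from a real deployment. The field
# names (certificates, property_reference, location, valid_until) and the
# property names are assumptions made for this example.
SAMPLE_RESPONSE = """
{"certificates": [
  {"property_reference": "example.saml_sp_cert", "location": "ops_manager",
   "valid_until": "2019-03-01T00:00:00Z"},
  {"property_reference": "example.nats_ca", "location": "ops_manager",
   "valid_until": "2019-02-10T12:00:00Z"},
  {"property_reference": "example.root_ca", "location": "credhub",
   "valid_until": "2023-01-01T00:00:00Z"},
  {"property_reference": "example.old_router_cert", "location": "credhub",
   "valid_until": "2019-01-15T00:00:00Z"}
]}
"""

def parse_utc(ts):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def expiring_within(response_json, days, now):
    """Certificates expiring at or before now + days, most urgent first.

    Already-expired certificates are included, as the filter described above does.
    """
    if days < 0:
        raise ValueError("days must be a non-negative integer")
    cutoff = now + timedelta(days=days)
    findings = []
    for cert in json.loads(response_json).get("certificates", []):
        valid_until = parse_utc(cert["valid_until"])
        if valid_until > cutoff:
            continue
        findings.append({
            "name": cert["property_reference"],
            "location": cert.get("location", "unknown"),
            "days_remaining": (valid_until - now).days,  # negative once expired
            "status": "expired" if valid_until <= now else "expiring",
        })
    return sorted(findings, key=lambda f: f["days_remaining"])

if __name__ == "__main__":
    now = datetime(2019, 2, 5, tzinfo=timezone.utc)  # fixed clock, repeatable run
    for f in expiring_within(SAMPLE_RESPONSE, 30, now):
        print(f"{f['status']:9} {f['days_remaining']:4}d {f['location']:12} {f['name']}")
```

With a 5-day window the certificate that expires 5 days and 12 hours out falls past the cutoff and is not reported, while the expired one still is.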
You can enable BOSH Director to include the Ops Manager root certificate authority certificate in the trust store of every VM it deploys. This forces each VM to trust the Ops Manager root CA certificate by default.
For more information, see the Security section of the BOSH Director configuration topic for your IaaS.
Now a notification banner appears in the Ops Manager UI when a certificate needs to be rotated or replaced.
You can provide additional global CPI properties via the `additional_cloud_properties` endpoint in the Ops Manager API. This allows you to set properties that would otherwise be unavailable in Ops Manager. The specific CPI properties you can set vary depending on your IaaS.
After adding new global CPI properties, you can view the global CPI properties in use by sending a GET to
For more information, see Updating Director and IaaS Properties.
You can set a custom banner to display on Ops Manager. Due to a visualization issue in Ops Manager, the custom banner does not display on the Stemcell library, Review Pending Changes, Change Log, and Previous Installation History pages.
Ops Manager v2.4 includes the following updates to the API. Some of these updates are referenced in the New Features section.
The following existing sections of the API documentation are updated in Ops Manager v2.4:
- DNS Configuration in Updating director and Iaas properties (Experimental): This section includes a new parameter:
- Security Configuration in Updating director and Iaas properties (Experimental): This section includes the following new parameters:
- Iaas Configuration in Updating director and Iaas properties (Experimental) : This section includes a new parameter:
- Retrieving resources for a job (Experimental): This section is designated as experimental and includes a new parameter:
- Configuring resources for a job (Experimental): This section is designated as experimental and includes a new parameter:
- Setting the Custom Banners: This section includes a new parameter:
- Updating the Syslog configuration: This section includes a new parameter:
- Retrieving manifest for a deployed product: This section includes a new parameter:
Note: In Ops Manager v2.4, the `excluded_recursors` API endpoints have moved. This could cause some scripts to break. For more information, see Excluded Recursors API Field Has Moved.
The following sections are new in Ops Manager v2.4:
- Custom Manifest Operations (Experimental)
- Getting a List of All Manifest Operations
- Deleting a Manifest Operation
- Adding a Job to the Director VM
- Retrieving syslog configuration for a product
- Configuring product syslog
- Fetching the staged director runtime configs
- Fetching staged product runtime configs
- Retrieving syslog configuration for a deployed product
- Fetching deployed product runtime configs
- Getting BOSH CPI Config from historical installations
- Getting BOSH runtime configs from historical installations
- Fetching the deployed director runtime configs