PCF Isolation Segment v2.4 Release Notes
- Bump ubuntu-xenial stemcell to version
- Bump cflinuxfs2 to version
- Bump cflinuxfs3 to version
- Bump silk to version
[Breaking Change] Improve GrootFS garbage collection
[Breaking Change] Remove option to disable route integrity
[Feature] Add smb-volume-release
[Feature] co-locate BPM on all VMs in PAS and IST
[Feature Improvement] Change default HAProxy instance count to 0
cf ssh is now compatible with mutual-TLS-based verification of ingress traffic from gorouters to application instances
[Feature Improvement] Improve UI for route integrity options
[Feature Improvement] Metrics emitted from each deployment are tagged with additional metadata
Add new release loggregator-agent at version
Add new release smb-volume at version
Bump bpm to version
Bump cflinuxfs2 to version
Bump cflinuxfs3 to version
Bump cf-networking to version
Bump consul to version 196
Bump diego to version
Bump garden-runc to version
Bump haproxy to version
Bump loggregator to version
Bump mapfs to version
Bump nfs-volume to version
Bump routing to version 0.182.0
Bump silk to version
Bump syslog to version
Bump ubuntu-xenial stemcell to version
The PCF Isolation Segment v2.4 tile is available for installation with PCF v2.4.
Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.
For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.
The procedure for installing PCF Isolation Segment v2.4 is documented in the Installing PCF Isolation Segment topic.
To install a PCF Isolation Segment, you must first install PCF v2.4.
IST v2.4 does not deploy the optional HAProxy component by default. Previous versions of IST deployed three instances of HAProxy by default.
Breaking Change: This is a breaking change if you are using HAProxy with the Automatic setting for your instance count. On upgrading to IST v2.4, you will have zero HAProxy instances unless you specify an instance count other than the Automatic setting. For example, if you have the instance count set to Automatic: 3, modify the instance count to 3 in the Resource Config pane before you upgrade.
Note: PAS still deploys one HAProxy instance for vSphere environments by default.
Developers can now use cf ssh to access apps when mutual TLS (mTLS) is enabled for app identity verification.
Operators enable mTLS by selecting the Router and applications use mutual TLS to verify each other’s identity option in the Application Containers pane of IST.
This removes the cf ssh known issue described in the Limitations with Mutual TLS App Identity Verification section of the PAS v2.3 Release Notes.
IST v2.4 adds support for SMB volume services, allowing developers to bind existing SMB shares to their apps. The SMB protocol has native password authentication, which means you can control access to file shares without the overhead of configuring an LDAP server.
This feature is disabled by default. To enable this feature, see Enable SMB Volume Services.
For information about how to bind a volume service to an app, see Using an External File System (Volume Services).
IST now tags metrics with additional metadata to help operators better parse the metrics coming from their different deployments. These metadata tags also enable downstream monitoring products, such as PCF Healthwatch, to easily display human-readable names.
The tags are as follows:
- product: The value of this tag is always PCF Isolation Segment for IST. The tags for other products are Pivotal Application Service, PCF Small Footprint, Pivotal Application Service for Windows 2012R2, and Pivotal Application Service for Windows.
- system_domain: The value of this tag corresponds to what you set in the System Domain field in the Domains tab of IST.
- placement_tag: The value of this tag is always null for PAS. However, for PAS for Windows and PCF Isolation Segment tiles, you can configure this value using the Segment Name field in the Application Containers pane.
Previously, it was not easy to tell which deployment a metric from an Isolation Segment was emitted from. Now, an operator can display capacity and other relevant metrics using the placement_tag name. This makes it easier to reason about the importance of a given segment when issues arise.
These tags are properties of the metron agent running on each VM in a deployment.
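As an added illustration (not part of these release notes, and not Pivotal's or Loggregator's own code), the following Python shows how a monitoring consumer can use the product, system_domain and placement_tag metadata described above: it flags envelopes whose tags are missing or inconsistent, and attributes a capacity gauge to each segment by placement_tag so that capacity from one deployment is never silently counted against another. The envelope dictionaries, the metric name and the sample values are constructed for the example; the real Loggregator envelope schema is not reproduced here.

```python
from collections import defaultdict

# "product" tag values named in the IST v2.4 release notes.
KNOWN_PRODUCTS = {
    "PCF Isolation Segment",
    "Pivotal Application Service",
    "PCF Small Footprint",
    "Pivotal Application Service for Windows 2012R2",
    "Pivotal Application Service for Windows",
}

REQUIRED_TAGS = ("product", "system_domain", "placement_tag")

# Constructed sample envelopes (hypothetical simplified shape, not the real
# Loggregator envelope format). A None placement_tag stands for the "null"
# value PAS emits; this representation is an assumption of the example.
SAMPLE_ENVELOPES = [
    {"metric": "CapacityRemainingMemory", "value": 8192, "tags": {
        "product": "PCF Isolation Segment", "system_domain": "sys.example.com",
        "placement_tag": "pci-segment"}},
    {"metric": "CapacityRemainingMemory", "value": 4096, "tags": {
        "product": "PCF Isolation Segment", "system_domain": "sys.example.com",
        "placement_tag": "pci-segment"}},
    {"metric": "CapacityRemainingMemory", "value": 32768, "tags": {
        "product": "Pivotal Application Service", "system_domain": "sys.example.com",
        "placement_tag": None}},
    # Misconfigured cell: an Isolation Segment envelope with no placement_tag.
    {"metric": "CapacityRemainingMemory", "value": 1024, "tags": {
        "product": "PCF Isolation Segment", "system_domain": "sys.example.com"}},
]


def tag_problems(envelope):
    """Return a list of metadata problems for one envelope (empty means healthy)."""
    tags = envelope.get("tags", {})
    problems = [f"missing tag {name}" for name in REQUIRED_TAGS if name not in tags]
    product = tags.get("product")
    if product is not None and product not in KNOWN_PRODUCTS:
        problems.append(f"unknown product {product!r}")
    # Only PAS is expected to emit a null placement_tag; a segment tile must
    # identify itself, otherwise its metrics cannot be attributed to a segment.
    if (product == "PCF Isolation Segment" and "placement_tag" in tags
            and tags["placement_tag"] in (None, "", "null")):
        problems.append("isolation segment envelope has null placement_tag")
    return problems


def audit_envelopes(envelopes):
    """Map envelope index -> problems, for every envelope that has any."""
    report = {}
    for index, envelope in enumerate(envelopes):
        problems = tag_problems(envelope)
        if problems:
            report[index] = problems
    return report


def capacity_by_segment(envelopes, metric="CapacityRemainingMemory"):
    """Sum one capacity gauge per (product, placement_tag).

    Envelopes with broken metadata are skipped rather than guessed at, so a
    misconfigured cell shows up in audit_envelopes() instead of inflating
    another deployment's numbers.
    """
    totals = defaultdict(float)
    for envelope in envelopes:
        if envelope.get("metric") != metric or tag_problems(envelope):
            continue
        tags = envelope["tags"]
        segment = tags["placement_tag"] if tags["placement_tag"] is not None else "null"
        totals[(tags["product"], segment)] += envelope["value"]
    return dict(totals)


if __name__ == "__main__":
    for index, problems in audit_envelopes(SAMPLE_ENVELOPES).items():
        print(f"envelope {index}: {', '.join(problems)}")
    for (product, segment), total in sorted(capacity_by_segment(SAMPLE_ENVELOPES).items()):
        print(f"{product} / {segment}: {total:.0f}")
```

Running the block prints the one envelope with a missing placement_tag and the remaining-memory totals for the pci-segment and for PAS; the same check can be run continuously against a Firehose or Log Cache consumer to catch segments whose Segment Name was never configured.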
For IST v2.4, the Gorouter always uses TLS to verify app identity. Verifying app identity improves resiliency and consistency for app routes, as well as increases security by encrypting data in flight from the Gorouter.
In IST v2.3 and earlier, you can have insecure routing without TLS. Before you upgrade to v2.4, you must have secure routing with TLS enabled. For more information, see Upgrade Preparation Checklist for PCF v2.4.
For more information about the verifying app identity feature, see Increased Resiliency, Consistency, and Security for HTTP Routing in the PAS v2.1 release notes.
Operators can configure container filesystem garbage collection based on the disk usage of other jobs in their deployment rather than a garbage collection threshold.
IST v2.4 replaces the Clean up disk-space once threshold is reached option with Clean up disk-space once usage fills disk in the Application Containers pane.
For information about configuring garbage collection values, see Configuring Cell Disk Cleanup Scheduling.
Starting in v2.3, some IST components used BOSH Process Manager (BPM). In v2.4, all components use BPM. For more information, see BOSH Process Manager in the PCF Isolation Segment v2.3 Release Notes.
IST v2.4.0 includes the following bug fixes:
- Fix parse error for syslog rules when iptables logging is enabled
- Metron emitted product_version format is inconsistent
- Logs marked as “DEBUG” are no longer forwarded by default
- Stop emitting product version in logging agent metrics to prevent rolling VMs unnecessarily on upgrades
- Fix monit scripting bug in nfsv3driver job that could cause the process
- Improve app/task placement reliability when apps are configured to receive TLS traffic from gorouters
- [Security Fix] Rotate diego intermediate CA before current certificate expires to continue running after a monit stop
The NSX-T tile versions 2.3.1 and earlier are not compatible with IST v2.4. The upcoming release of NSX-T 2.3.2 will address this issue.
The Advanced Features section of the IST v2.4 tile includes new functionality that may have certain constraints.
Although these features are fully supported, Pivotal recommends caution when using them in production.