PCF Isolation Segment v2.4 Release Notes

Releases

2.4.4

  • [Security Fix] Bump BPM to v1.0.3 for RunC CVE
  • [Bug Fix] Fixes access issue for NFS shares with root_squash enabled and no world read permissions
  • [Bug Fix] Fix potential routing-api failure to start due to DNS query issue in golang 1.11
  • Bump ubuntu-xenial stemcell to version 170.30
  • Bump bpm to version 1.0.3
  • Bump cflinuxfs2 to version 1.267.0
  • Bump cflinuxfs3 to version 0.62.0
  • Bump loggregator-agent to version 2.3
  • Bump loggregator to version 103.4
  • Bump mapfs to version 1.1.4
  • Bump routing to version 0.182.3
Component               Version
ubuntu-xenial stemcell  170.30
bpm                     1.0.3
cf-networking           2.18.2
cflinuxfs2              1.267.0
cflinuxfs3              0.62.0
diego                   2.22.1
garden-runc             1.18.0
haproxy                 9.3.0
loggregator-agent       2.3
loggregator             103.4
mapfs                   1.1.4
nfs-volume              1.7.7
routing                 0.182.3
silk                    2.18.1
smb-volume              0.2.6
syslog                  11.4.0

2.4.3

  • [Feature] Include garden debug tooling alongside garden
  • [Bug Fix] Fix accumulating TCP Router HAProxy instances
  • [Bug Fix] Fix concurrency bug in the Router’s route pool, which could manifest as a fatal error: “Unlock of unlocked RWMutex”
  • [Bug Fix] Fix allowNativePassword error when using external IaaS MySql as a system database
  • Bump ubuntu-xenial stemcell to version 170.25
  • Bump cflinuxfs2 to version 1.260.0
  • Bump cflinuxfs3 to version 0.51.0
  • Bump garden-runc to version 1.18.0
  • Bump nfs-volume to version 1.7.7
  • Bump routing to version 0.182.2
Component               Version
ubuntu-xenial stemcell  170.25
bpm                     0.13.0
cf-networking           2.18.2
cflinuxfs2              1.260.0
cflinuxfs3              0.51.0
diego                   2.22.1
garden-runc             1.18.0
haproxy                 9.3.0
loggregator-agent       2.2
loggregator             103.3
mapfs                   1.1.2
nfs-volume              1.7.7
routing                 0.182.2
silk                    2.18.1
smb-volume              0.2.6
syslog                  11.4.0

2.4.2

  • [Bug Fix] Volume service broker deployment errands use unique CF_HOME directories to avoid login conflicts
  • [Bug Fix] Bump NFS release to avoid possible golang 1.11.0 DNS resolution bugs
  • Bump ubuntu-xenial stemcell to version 170.15
  • Bump cflinuxfs2 to version 1.259.0
  • Bump cflinuxfs3 to version 0.50.0
  • Bump diego to version 2.22.1
  • Bump nfs-volume to version 1.7.6
  • Bump smb-volume to version 0.2.6
Component               Version
ubuntu-xenial stemcell  170.15
bpm                     0.13.0
cf-networking           2.18.2
cflinuxfs2              1.259.0
cflinuxfs3              0.50.0
diego                   2.22.1
garden-runc             1.16.7
haproxy                 9.3.0
loggregator-agent       2.2
loggregator             103.3
mapfs                   1.1.2
nfs-volume              1.7.6
routing                 0.182.0
silk                    2.18.1
smb-volume              0.2.6
syslog                  11.4.0

2.4.1

  • Bump ubuntu-xenial stemcell to version 170.14
  • Bump cflinuxfs2 to version 1.255.0
  • Bump cflinuxfs3 to version 0.46.0
  • Bump silk to version 2.18.1
Component               Version
ubuntu-xenial stemcell  170.14
bpm                     0.13.0
cf-networking           2.18.2
cflinuxfs2              1.255.0
cflinuxfs3              0.46.0
diego                   2.22.0
garden-runc             1.16.7
haproxy                 9.3.0
loggregator-agent       2.2
loggregator             103.3
mapfs                   1.1.2
nfs-volume              1.7.4
routing                 0.182.0
silk                    2.18.1
smb-volume              0.2.2
syslog                  11.4.0

2.4.0

See also: Breaking Changes

  • [Breaking Change] Improve GrootFS garbage collection
  • [Breaking Change] Remove option to disable route integrity
  • [Feature] Add smb-volume-release
  • [Feature] Co-locate BPM on all VMs in PAS and IST
  • [Feature Improvement] Change default HAProxy instance count to 0
  • [Feature Improvement] cf ssh is now compatible with mutual-TLS-based verification of ingress traffic from gorouters to application instances
  • [Feature Improvement] Improve UI for route integrity options
  • [Feature Improvement] Metrics emitted from each deployment are tagged with additional metadata
  • Add new release loggregator-agent at version 2.2
  • Add new release smb-volume at version 0.2.2
  • Bump bpm to version 0.13.0
  • Bump cflinuxfs2 to version 1.251.0
  • Bump cflinuxfs3 to version 0.42.0
  • Bump cf-networking to version 2.18.2
  • Bump consul to version 196
  • Bump diego to version 2.22.0
  • Bump garden-runc to version 1.16.7
  • Bump haproxy to version 9.1.0
  • Bump loggregator to version 103.3
  • Bump mapfs to version 1.1.2
  • Bump nfs-volume to version 1.7.4
  • Bump routing to version 0.182.0
  • Bump silk to version 2.17.0
  • Bump syslog to version 11.4.0
  • Bump ubuntu-xenial stemcell to version 170.9

Component               Version
ubuntu-xenial stemcell  170.9
bpm                     0.13.0
cf-networking           2.18.2
cflinuxfs2              1.251.0
cflinuxfs3              0.42.0
diego                   2.22.0
garden-runc             1.16.7
haproxy                 9.3.0
loggregator-agent       2.2
loggregator             103.3
mapfs                   1.1.2
nfs-volume              1.7.4
routing                 0.182.0
silk                    2.17.0
smb-volume              0.2.2
syslog                  11.4.0

About PCF Isolation Segment

The PCF Isolation Segment v2.4 tile is available for installation with PCF v2.4.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v2.4 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v2.4.

New Features in PCF Isolation Segment v2.4

HAProxy Defaults to Zero Instances

IST v2.4 does not deploy the optional HAProxy component by default. Previous versions of IST deployed three instances of HAProxy by default.

Breaking Change: This is a breaking change if you are using HAProxy with the Automatic setting for your instance count. On upgrading to IST v2.4, you will have zero HAProxy instances unless you specify an instance count other than the Automatic setting. For example, if you have the instance count set to Automatic: 3, modify the instance count to 3 in the Resource Config pane before you upgrade.

Note: PAS still deploys one HAProxy instance for vSphere environments by default.

Support for cf ssh with Mutual TLS App Identity Verification

Developers can cf ssh into apps when mutual TLS (mTLS) is enabled for app identity verification.

Operators enable mTLS by selecting the Router and applications use mutual TLS to verify each other’s identity option in the Application Containers pane of IST.

This removes the cf ssh known issue described in the Limitations with Mutual TLS App Identity Verification section of the PAS v2.3 Release Notes.

SMB Volume Services

IST v2.4 adds support for SMB volume services, allowing developers to bind existing SMB shares to their apps. The SMB protocol has native password authentication, which means you can control access to file shares without the overhead of configuring an LDAP server.

This feature is disabled by default. To enable this feature, see Enable SMB Volume Services.

For information about how to bind a volume service to an app, see Using an External File System (Volume Services).

See Human-Friendly Metadata for Metrics

IST now tags metrics with additional metadata to help operators better parse the metrics coming from their different deployments. These metadata tags also enable downstream monitoring products, such as PCF Healthwatch, to easily display human-readable names.

The tags are as follows:

  • product: The value of this tag is always PCF Isolation Segment for IST. The tags for other products are Pivotal Application Service, PCF Small Footprint, Pivotal Application Service for Windows 2012R2, and Pivotal Application Service for Windows.

  • system_domain: The value of this tag corresponds to what you set in the System Domain field in the Domains tab of IST.

  • placement_tag: The value of this tag is always null for PAS. However, for PAS for Windows and PCF Isolation Segment tiles, you can configure this value using the Segment Name field in the Application Containers pane.

Previously, you could not easily tell which deployment a metric from an Isolation Segment was emitted from. Now, an operator can display capacity and other relevant metrics by placement_tag name, which makes it easier to reason about the importance of a given segment when issues arise.

These tags are properties of the metron agent running on each VM in a deployment.

Gorouter Always Verifies App Identity

For IST v2.4, the Gorouter always uses TLS to verify app identity. Verifying app identity improves resiliency and consistency for app routes, and increases security by encrypting data in flight from the Gorouter to application instances.

In IST v2.3 and earlier, routing without TLS (insecure routing) was permitted. Before you upgrade to v2.4, you must have secure routing with TLS enabled. For more information, see Upgrade Preparation Checklist for PCF v2.4.

For more information about the verifying app identity feature, see Increased Resiliency, Consistency, and Security for HTTP Routing in the PAS v2.1 release notes.

Improved Garbage Collection

Operators can configure container filesystem garbage collection based on the disk usage of other jobs in their deployment rather than a garbage collection threshold.

IST v2.4 replaces the Clean up disk-space once threshold is reached option with Clean up disk-space once usage fills disk in the Application Containers pane.

For information about configuring garbage collection values, see Configuring Cell Disk Cleanup Scheduling.

All Components Use BOSH Process Manager

Starting in v2.3, some IST components used BOSH Process Manager (BPM). In v2.4, all components use BPM. For more information, see BOSH Process Manager in the PCF Isolation Segment v2.3 Release Notes.

Bug Fixes

IST v2.4.0 includes the following bug fixes:

  • Fix parse error for syslog rules when iptables logging is enabled
  • Metron emitted product_version format is inconsistent
  • Logs marked as “DEBUG” are no longer forwarded by default
  • Stop emitting product version in logging agent metrics to prevent rolling VMs unnecessarily on upgrades
  • Fix monit scripting bug in nfsv3driver job that could cause the process
  • Improve app/task placement reliability when apps are configured to receive TLS traffic from gorouters
  • [Security Fix] Rotate diego intermediate CA before current certificate expires to continue running after a monit stop

Known Issues

NSX-T Version Compatibility

The NSX-T tile versions 2.3.1 and earlier are not compatible with IST v2.4. The upcoming release of NSX-T 2.3.2 will address this issue.

About Advanced Features

The Advanced Features section of the IST v2.4 tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.