PCF Isolation Segment v2.5 Release Notes

Releases

2.5.16

Release Date: 12/09/2019

  • [Feature Improvement] Upgrade Routing, Networking, and Silk releases to use Go 1.13
  • Bump cf-networking to version 2.20.8
  • Bump cflinuxfs2 to version 1.307.0
  • Bump cflinuxfs3 to version 0.150.0
  • Bump routing to version 0.187.9
  • Bump silk to version 2.20.8
Component               Version
ubuntu-xenial stemcell  250.159
bpm                     1.1.1
cf-networking           2.20.8
cflinuxfs2              1.307.0
cflinuxfs3              0.150.0
diego                   2.27.12
garden-runc             1.19.8
haproxy                 9.5.2
loggregator-agent       2.3.4
mapfs                   1.2.1
nfs-volume              1.7.12
routing                 0.187.9
silk                    2.20.8
smb-volume              2.1.0
syslog                  11.4.0

2.5.15

Release Date: 12/02/2019

  • [Feature] Allow operator to set a new bind configuration “version” on volume mounts. Operators with older versions of SMB software can now use volume services.
  • Bump ubuntu-xenial stemcell to version 250.159
  • Bump cflinuxfs3 to version 0.149.0
  • Bump smb-volume to version 2.1.0
Component               Version
ubuntu-xenial stemcell  250.159
bpm                     1.1.1
cf-networking           2.20.6
cflinuxfs2              1.306.0
cflinuxfs3              0.149.0
diego                   2.27.12
garden-runc             1.19.8
haproxy                 9.5.2
loggregator-agent       2.3.4
mapfs                   1.2.1
nfs-volume              1.7.12
routing                 0.187.5
silk                    2.20.1
smb-volume              2.1.0
syslog                  11.4.0

2.5.14

Release Date: 11/19/2019

  • [Security Fix] Address CVE-2019-17596
  • [Security Fix] Improve Gorouter resiliency to panics
  • Bump ubuntu-xenial stemcell to version 250.147
  • Bump cflinuxfs2 to version 1.306.0
  • Bump cflinuxfs3 to version 0.143.0
  • Bump mapfs to version 1.2.1
  • Bump nfs-volume to version 1.7.12
  • Bump routing to version 0.187.5
  • Bump smb-volume to version 2.0.4
Component               Version
ubuntu-xenial stemcell  250.147
bpm                     1.1.1
cf-networking           2.20.6
cflinuxfs2              1.306.0
cflinuxfs3              0.143.0
diego                   2.27.12
garden-runc             1.19.8
haproxy                 9.5.2
loggregator-agent       2.3.4
mapfs                   1.2.1
nfs-volume              1.7.12
routing                 0.187.5
silk                    2.20.1
smb-volume              2.0.4
syslog                  11.4.0

2.5.13

Release Date: 10/31/2019

  • [Security Fix] Upgrade Go, runc and containerd to latest to include security fixes
  • [Security Fix] CVE-2019-17596 bump Go
  • [Bug Fix] Fix goroutine leak for websockets.
  • Bump ubuntu-xenial stemcell to version 250.130
  • Bump cflinuxfs2 to version 1.297.0
  • Bump cflinuxfs3 to version 0.137.0
  • Bump garden-runc to version 1.19.8
  • Bump loggregator-agent to version 2.3.4
  • Bump routing to version 0.187.4
Component               Version
ubuntu-xenial stemcell  250.130
bpm                     1.1.1
cf-networking           2.20.6
cflinuxfs2              1.297.0
cflinuxfs3              0.137.0
diego                   2.27.12
garden-runc             1.19.8
haproxy                 9.5.2
loggregator-agent       2.3.4
mapfs                   1.1.4
nfs-volume              1.7.11
routing                 0.187.4
silk                    2.20.1
smb-volume              2.0.3
syslog                  11.4.0

2.5.12

Release Date: 10/16/2019

  • [Security Fix] Bump Go to address CVE-2019-16276
  • [Security Fix] Improve redaction of sensitive data in SMB driver bosh logs
  • [Bug Fix] Fix defect disallowing “domain” option in SMB volume service
  • Bump ubuntu-xenial stemcell to version 250.116
  • Bump cflinuxfs2 to version 1.295.0
  • Bump cflinuxfs3 to version 0.133.0
  • Bump loggregator-agent to version 2.3.2
  • Bump smb-volume to version 2.0.3
Component               Version
ubuntu-xenial stemcell  250.116
bpm                     1.1.1
cf-networking           2.20.6
cflinuxfs2              1.295.0
cflinuxfs3              0.133.0
diego                   2.27.12
garden-runc             1.19.7
haproxy                 9.5.2
loggregator-agent       2.3.2
mapfs                   1.1.4
nfs-volume              1.7.11
routing                 0.187.3
silk                    2.20.1
smb-volume              2.0.3
syslog                  11.4.0

2.5.11

Release Date: 10/08/2019

  • [Security Fix] Upgrade Diego Components to Use grpc v1.23.0 and Go 1.12.9 to Fix HTTP2 CVEs
  • [Security Fix] Bump garden-runc release to take Go HTTP/2 and containerd gRPC fixes
  • [Feature Improvement] Set maximum database connection lifetime to 1 hour for Diego Locket component to reduce resource contention on PAS database
  • [Bug Fix] Improve scalability of container-to-container service discovery by increasing file descriptor limit on bosh-dns-adapter
  • Bump ubuntu-xenial stemcell to version 250.112
  • Bump cf-networking to version 2.20.6
  • Bump cflinuxfs2 to version 1.294.0
  • Bump cflinuxfs3 to version 0.130.0
  • Bump diego to version 2.27.12
  • Bump garden-runc to version 1.19.7
Component               Version
ubuntu-xenial stemcell  250.112
bpm                     1.1.1
cf-networking           2.20.6
cflinuxfs2              1.294.0
cflinuxfs3              0.130.0
diego                   2.27.12
garden-runc             1.19.7
haproxy                 9.5.2
loggregator-agent       2.3
mapfs                   1.1.4
nfs-volume              1.7.11
routing                 0.187.3
silk                    2.20.1
smb-volume              2.0.1
syslog                  11.4.0

2.5.10

Release Date: 09/24/2019

  • [Bug Fix] Fixes a regression bug causing mounts for applications bound to smb volume services with an older version of the smbbroker to fail on restart or upgrade
  • Bump ubuntu-xenial stemcell to version 250.110
  • Bump cflinuxfs2 to version 1.292.0
  • Bump cflinuxfs3 to version 0.128.0
  • Bump smb-volume to version 2.0.1
Component               Version
ubuntu-xenial stemcell  250.110
bpm                     1.1.1
cf-networking           2.20.5
cflinuxfs2              1.292.0
cflinuxfs3              0.128.0
diego                   2.27.9
garden-runc             1.19.5
haproxy                 9.5.2
loggregator-agent       2.3
mapfs                   1.1.4
nfs-volume              1.7.11
routing                 0.187.3
silk                    2.20.1
smb-volume              2.0.1
syslog                  11.4.0

2.5.9

Release Date: 09/17/2019

  • [Security Fix] Improve LDAP username validation for NFS LDAP integration
  • [Feature Improvement] Add configuration for router balancing algorithm
  • [Bug Fix] Fix race condition in garden-external-networker
  • [Bug Fix] Keep resending route unregistration message to prevent application misrouting in case of NATS routing tier instability
  • Bump ubuntu-xenial stemcell to version 250.99
  • Bump cf-networking to version 2.20.5
  • Add new release cflinuxfs2 at version 1.289.0
  • Bump cflinuxfs3 to version 0.123.0
  • Bump diego to version 2.27.9
  • Bump nfs-volume to version 1.7.11
Component               Version
ubuntu-xenial stemcell  250.99
bpm                     1.1.1
cf-networking           2.20.5
cflinuxfs2              1.289.0
cflinuxfs3              0.123.0
diego                   2.27.9
garden-runc             1.19.5
haproxy                 9.5.2
loggregator-agent       2.3
mapfs                   1.1.4
nfs-volume              1.7.11
routing                 0.187.3
silk                    2.20.1
smb-volume              1.3.0
syslog                  11.4.0

2.5.8

Release Date: 08/15/2019

  • [Security Fix] Upgrade libseccomp in bpm to 2.4.1 to address CVE-2019-9893
  • [Bug Fix] Improve output of Garden diagnostic tool (i.e. dontpanic) and increase resiliency in edge cases through improvements in containerd
  • Bump ubuntu-xenial stemcell to version 250.84
  • Bump bpm to version 1.1.1
  • Bump garden-runc to version 1.19.5
Component               Version
ubuntu-xenial stemcell  250.84
bpm                     1.1.1
cf-networking           2.20.2
cflinuxfs3              0.118.0
diego                   2.27.6
garden-runc             1.19.5
haproxy                 9.5.2
loggregator-agent       2.3
mapfs                   1.1.4
nfs-volume              1.7.10
routing                 0.187.3
silk                    2.20.1
smb-volume              1.3.0
syslog                  11.4.0

2.5.7

Release Date: 07/30/2019

  • [Bug Fix] Fixes a regression causing mount bind configuration to be rejected by the SMB volume service broker
  • [Bug Fix] Fix issue in SMB startup scripts that can cause restart failure or inadvertent application data permission change
  • Bump ubuntu-xenial stemcell to version 250.82
  • Bump cflinuxfs3 to version 0.118.0
  • Bump smb-volume to version 1.3.0
Component               Version
ubuntu-xenial stemcell  250.82
bpm                     1.0.4
cf-networking           2.20.2
cflinuxfs3              0.118.0
diego                   2.27.6
garden-runc             1.19.0
haproxy                 9.5.2
loggregator-agent       2.3
mapfs                   1.1.4
nfs-volume              1.7.10
routing                 0.187.3
silk                    2.20.1
smb-volume              1.3.0
syslog                  11.4.0

2.5.6

  • [Bug Fix] Add optional TTL pruning for TLS routes
  • Bump ubuntu-xenial stemcell to version 250.73
  • Bump cflinuxfs3 to version 0.109.0
  • Bump routing to version 0.187.3
Component               Version
ubuntu-xenial stemcell  250.73
bpm                     1.0.4
cf-networking           2.20.2
cflinuxfs3              0.109.0
diego                   2.27.6
garden-runc             1.19.0
haproxy                 9.5.2
loggregator-agent       2.3
mapfs                   1.1.4
nfs-volume              1.7.10
routing                 0.187.3
silk                    2.20.1
smb-volume              1.1.0
syslog                  11.4.0

2.5.5

  • [Bug Fix] Fix drain script in SMB volume driver to prevent it from unmounting shares before Diego has finished evacuating the cell
  • [Bug Fix] Fix issue where Azure Gateway kept connections alive longer than they were available when using HAProxy
  • Bump ubuntu-xenial stemcell to version 250.58
  • Bump cflinuxfs3 to version 0.101.0
  • Bump haproxy to version 9.5.2
  • Bump routing to version 0.187.2
  • Bump smb-volume to version 1.1.0
  • Removed loggregator release
Component               Version
ubuntu-xenial stemcell  250.58
bpm                     1.0.4
cf-networking           2.20.2
cflinuxfs3              0.101.0
diego                   2.27.6
garden-runc             1.19.0
haproxy                 9.5.2
loggregator-agent       2.3
mapfs                   1.1.4
nfs-volume              1.7.10
routing                 0.187.2
silk                    2.20.1
smb-volume              1.1.0
syslog                  11.4.0

2.5.4

  • [Feature Improvement] Update default polling interval and idle connection limits for networking components to reduce resource contention on PAS database
  • [Bug Fix] Fixes NFS resource leak issues
  • Bump cf-networking to version 2.20.2
  • Bump cflinuxfs3 to version 0.88.0
  • Bump nfs-volume to version 1.7.10
  • Bump silk to version 2.20.1
Component               Version
ubuntu-xenial stemcell  250.38
bpm                     1.0.4
cf-networking           2.20.2
cflinuxfs3              0.88.0
diego                   2.27.6
garden-runc             1.19.0
haproxy                 9.4.1
loggregator-agent       2.3
loggregator             103.4
mapfs                   1.1.4
nfs-volume              1.7.10
routing                 0.187.1
silk                    2.20.1
smb-volume              1.0.0
syslog                  11.4.0

2.5.3

  • [Bug Fix] Fixes backward compatibility issue with NFS that can prevent apps from binding to service instances created in PAS 2.2 or earlier
  • Bump ubuntu-xenial stemcell to version 250.38
  • Bump cflinuxfs3 to version 0.86.0
  • Bump nfs-volume to version 1.7.9
Component               Version
ubuntu-xenial stemcell  250.38
bpm                     1.0.4
cf-networking           2.20.0
cflinuxfs3              0.86.0
diego                   2.27.6
garden-runc             1.19.0
haproxy                 9.4.1
loggregator-agent       2.3
loggregator             103.4
mapfs                   1.1.4
nfs-volume              1.7.9
routing                 0.187.1
silk                    2.20.0
smb-volume              1.0.0
syslog                  11.4.0

2.5.2

  • [Feature Improvement] Configure Diego LRP zones in Azure to point to BOSH AZs Zone
  • [Feature Improvement] Add support for staging Docker images from repositories using schema version 2 manifests
  • Bump ubuntu-xenial stemcell to version 250.29
  • Bump bpm to version 1.0.4
  • Bump cflinuxfs3 to version 0.80.0
  • Bump diego to version 2.27.6
Component               Version
ubuntu-xenial stemcell  250.29
bpm                     1.0.4
cf-networking           2.20.0
cflinuxfs3              0.80.0
diego                   2.27.6
garden-runc             1.19.0
haproxy                 9.4.1
loggregator-agent       2.3
loggregator             103.4
mapfs                   1.1.4
nfs-volume              1.7.8
routing                 0.187.1
silk                    2.20.0
smb-volume              1.0.0
syslog                  11.4.0

2.5.1

  • [Feature Improvement] Add support for TCP hitless reloads in haproxy to avoid connection reset errors
  • [Feature Improvement] Add ability to enable/disable gorouter hairpinning
  • [Bug Fix] Fix failed access checks on mount for NFS volume service with some Windows NFS servers
  • [Bug Fix] Fix feature: “Operator can specify headers to be stripped from the response by the router”
  • [Bug Fix] Fix diego rep to always clean up temporary download cache directory
  • Bump ubuntu-xenial stemcell to version 250.25
  • Bump cflinuxfs3 to version 0.76.0
  • Bump diego to version 2.27.4
  • Bump garden-runc to version 1.19.0
  • Bump nfs-volume to version 1.7.8
  • Bump routing to version 0.187.1
Component               Version
ubuntu-xenial stemcell  250.25
bpm                     1.0.3
cf-networking           2.20.0
cflinuxfs3              0.76.0
diego                   2.27.4
garden-runc             1.19.0
haproxy                 9.4.1
loggregator-agent       2.3
loggregator             103.4
mapfs                   1.1.4
nfs-volume              1.7.8
routing                 0.187.1
silk                    2.20.0
smb-volume              1.0.0
syslog                  11.4.0

2.5.0

See also:

  • Breaking Changes
  • New Features

  • [Breaking Change] Remove cflinuxfs2 root filesystem and buildpacks

  • [Breaking Change] Remove inactive DNS server configuration that only applied to older deployments without BOSH DNS

  • [Feature] Add ability to disable network policy enforcement between applications. See Disable Network Policy Enforcement Between Apps.

  • [Feature] Include garden debug tooling alongside garden

Component               Version
ubuntu-xenial stemcell  250.21
bpm                     1.0.3
cf-networking           2.20.0
cflinuxfs3              0.72.0
diego                   2.27.0
garden-runc             1.18.0
haproxy                 9.4.1
loggregator-agent       2.3
loggregator             103.4
mapfs                   1.1.4
nfs-volume              1.7.7
routing                 0.186.0
silk                    2.20.0
smb-volume              1.0.0
syslog                  11.4.0

About PCF Isolation Segment

The PCF Isolation Segment v2.5 tile is available for installation with PCF v2.5.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v2.5 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v2.5.

New Features in PCF Isolation Segment v2.5

Disable Network Policy Enforcement Between Apps

You can now disable Silk network policy enforcement between apps in the Networking pane of the Isolation Segment tile. Disabling network policy enforcement allows all apps to send network traffic to all other apps in the foundation despite no policy specifically allowing it.

Silk is a network fabric for containers designed for Cloud Foundry. For more information about Silk, see silk in GitHub.

mysql-restore and mysql-backup Jobs Are Removed

PAS v2.5 does not use the mysql-restore and mysql-backup jobs to back up MySQL internally. Instead, each BOSH job is backed up separately with the BBR. mysql-restore and mysql-backup have therefore been removed.

For more information, see Backing Up and Restoring Pivotal Cloud Foundry.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment v2.5 tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.

Known Issues

NSX-T v2.3.1 and Earlier Not Compatible with PCF Isolation Segment

NSX-T tiles v2.3.1 and earlier are not compatible with PCF Isolation Segment. The Gorouters in an Isolation Segment are not given access in the firewall rules for NSX-T v2.3.1 and earlier, which prevents them from communicating with apps.

NSX-T tiles v2.3.2 and later give access to the Gorouters in an Isolation Segment and are compatible with PCF Isolation Segment.