Pivotal Application Service v2.6 Release Notes
Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2019.
Release Date: 07/15/2019
- [Security Fix] Fix high severity CVE in UAA: CVE-2019-3787
- [Security Fix] UAA should prevent SCIM query injection attacks
- Bump cf-smoke-tests to version
- Bump cflinuxfs3 to version
- Bump uaa to version
- [Security Fix] Bump UAA to address CVE-2019-3788
- [Security Fix] Update CF CLI for Autoscaler
- [Feature] Allow users to configure max package size so that they can upload packages larger than 2GB
- [Feature Improvement] Add ability to configure max search depth for LDAP in UAA
- [Feature Improvement] Set maximum database connection lifetime to 1 hour for Diego Locket component to reduce resource contention on PAS database
- [Bug Fix] Fix missing “actee_name” for certain CAPI user role related audit events
- [Bug Fix] Make sure logged-in users are rate-limited according to authenticated rate limit
- [Bug Fix] Fix failure of inviting new members via Apps Manager in some networking configurations
- [Bug Fix] Cause Apps Manager errand to fail if environment variable assignment fails
- [Bug Fix] Fix issue where creating a new organization fails in Apps Manager
- [Bug Fix] Fix credentials for service instances in Apps Manager that failed to display
- [Bug Fix] Add labels to key value forms in Apps Manager to enhance accessibility
- [Bug Fix] Generate valid form ids in Apps Manager to enhance accessibility
- [Bug Fix] Ellipsify long names of service instances in the services tables of Apps Manager
- [Bug Fix] Fix issue in which flyouts in Apps Manager did not open in Internet Explorer
- [Bug Fix] Fix error that prevented sharing domains across organizations in Apps Manager
- [Bug Fix] Add optional TTL pruning for TLS routes
- [Bug Fix] Allow operators to omit backup bucket fields
- [Bug Fix] diego_brain instances no longer update concurrently with diego_cell VMs to prevent application downtime in case of deployment update failure
- [Bug Fix] Send Isolation Segment smoke test application requests on port 443
- Bump ubuntu-xenial stemcell to version
- Bump capi to version
- Bump cf-autoscaling to version
- Bump cf-cli to version
- Bump cf-smoke-tests to version
- Bump cflinuxfs3 to version
- Bump diego to version
- Bump dotnet-core-offline-buildpack to version
- Bump go-offline-buildpack to version
- Bump nginx-offline-buildpack to version
- Bump nodejs-offline-buildpack to version
- Bump php-offline-buildpack to version
- Bump push-apps-manager-release to version
- Bump python-offline-buildpack to version
- Bump r-offline-buildpack to version
- Bump routing to version
- Bump ruby-offline-buildpack to version
- Bump staticfile-offline-buildpack to version
- See New Features in PAS v2.6
- See Breaking Changes
- [Breaking Change] Disables ssh proxy HTTP healthcheck server used for some GCP load balancers
- [Feature] Apps Manager sidebar is collapsible
- [Feature] Google Cloud Storage (GCS) blobstores are now backed up with BOSH backup and restore (BBR)
- [Feature] Improve scalability of application syslog drain system with new syslog agent architecture
- [Feature] Apps Manager announces page title changes to screen readers
- [Feature] Space Developers can now terminate a specific instance of an app in Apps Manager
- [Feature] Update the side bar, header and footer visuals in Apps Manager
- [Feature Improvement] Garden will now delegate container creates and destroys to containerd, an industry standard container runtime.
- [Feature] Enable Metric Registrar by default to enable App Developers to output custom application metrics that can be monitored by platform-provided tooling
- [Feature] Add optional System Metric Agent to allow monitoring a more complete set of metrics for all VMs in the deployment
- push-apps-manager job can read configured UAA SAML providers
- [Feature] New color palette and other improvements for better accessibility when navigating Apps Manager
- [Feature Improvement] Improved performance in loading Apps Manager foundation home page
- [Feature Improvement] Apps Manager styling and accessibility improvements
- [Feature Improvement] Increase default number of CPUs for router from 1 to 2
- [Feature Improvement] Move ‘Enable SMB Volume Services’ checkbox from Advanced pane to Application Containers pane
- [Feature Improvement] Removes nfs-legacy NFS mounter. Existing nfs-legacy service instances will continue to work, but will use the newer
- [Security Fix] Usage service BBR script now uses ssl validation by default when logging into CAPI
- [Security Fix] Introduce and trust new Diego “root CA” in advance of existing CA expiration
The procedure for upgrading to Pivotal Application Service (PAS) v2.6 is documented in the Upgrading Pivotal Cloud Foundry topic.
When upgrading to PAS v2.6, be aware of the following upgrade considerations:
If you previously used an earlier version of PAS, you must first upgrade to PAS v2.5 to successfully upgrade to PAS v2.6.
Some partner service tiles may be incompatible with PCF v2.6. Pivotal is working with partners to ensure their tiles are updated to work with the latest versions of PCF.
For information about which partner service releases are currently compatible with PCF v2.6, review the appropriate partner services release documentation at https://docs.pivotal.io, or contact the partner organization that produces the tile.
See the following new features for PAS v2.6:
System Metrics Agent provides more visibility into VM compute, network, and storage metrics. These VM metrics help with troubleshooting and diagnosing issues for potential infrastructure problems.
When enabled, the metrics are emitted through Loggregator. For more information about viewing logs and metrics, see the Platform components row of Viewing Logs and Metrics.
For a list of the VM metrics that the System Metric Agent emits, see VM Metrics in GitHub.
To enable the System Metric Agent, go to the System Logging pane in the PAS tile and select Enable System Metrics.
In the Metric Registrar pane, Metric Registrar is enabled by default. This allows you to output custom application metrics that can be monitored by platform-provided tooling.
For information about configuring Metric Registrar, see the (Optional) Configure Metric Registrar section of the Configuring PAS topic.
PAS supports revisions for apps. A revision is an object that represents code and configuration used by an app at a specific time. Some use cases for revisions include rolling back your app to a previous version and viewing changes in your app over time. You can also add metadata to revisions.
For more information, see App Revisions.
You can run additional processes, or sidecars, in the same container as your app. Sidecars are useful for processes that depend on each other or must run in the same container. This includes processes that must communicate through localhost or share the same filesystem, such as an Application Performance Monitoring (APM) tool.
For more information, see Pushing Apps with Sidecar Processes (Beta).
Traditionally, Garden uses runc directly to create, delete, and run container processes. Garden v1.15.0 and later support delegating some of the container lifecycle through containerd, which is the industry standard wrapper around runc.
Containerd mode is enabled by default to bring PAS in line with other container providers. To disable containerd mode, deselect the Enable Containerd Delegation checkbox in the Application Containers pane of the PAS tile.
For more information, see opsguide-containerd.md on GitHub.
PAS v2.6 removes the nfs-legacy NFS mounter. Existing nfs-legacy service instances will continue to work, but will use the newer
PAS v2.3 introduced the nfs-experimental service. PAS v2.4 made this the default nfs service, and the original service became nfs-legacy. For more information, see Experimental NFS Volume Service Supports NFSv4 and NFS-Experimental Service Graduation.
The current Diego root CA included with PAS v2.3 and later expires in mid-2020. To prevent potential expiration issues with intermediate CAs when the root CA expires, PAS v2.6 includes another Diego root CA that extends the root CA expiration date.
The Diego root CA is used to sign intermediate CAs, which are used to sign app identity certificates. In turn, app identity certificates are used to establish trust between applications and various components.
PAS v2.6 includes both the original root CA and the new root CA for Diego. This release note is informational only. No operator intervention is required.
PAS v2.6 improves the speed of read-write mounted file systems that use UID mapping. This improvement addresses performance issues in mapfs, which is enabled when you specify a UID that maps to an NFS volume.
For more information about using external file systems and NFS volume services, see Using an External File System (Volume Services).
To improve reliability, PAS v2.6 increases the default and minimum CPU core count from one to two for Router VMs.
PAS migrates Router VMs with a single core to a VM type with two CPU cores during the upgrade.
WARNING: See the following known issue related to this feature: App Syslog Drains Fail After Enabling Agent-Based Syslog.
The Loggregator architecture includes optional Syslog Agents. Syslog Agents run on PCF component VMs and host VMs to manage connections with and write to syslog drains for app logs. The addition of Syslog Agents increases the number of syslog drain service bindings supported by the Loggregator system and reduces the workload for Loggregator VMs.
To enable Syslog Agents, select Enable agent-based syslog egress for app logs in the System Logging PAS configuration pane.
Note: Enabling this feature disables the Syslog Adapter and Syslog Scheduler to avoid log duplication.
This update resolves a known issue where app log loss occurs at 10,000 syslog drain service bindings. For more information about the known issue, see the Known Loggregator Scaling Issues knowledge base article.
For more information about Syslog Agents, see Loggregator Architecture.
Apps Manager allows you to terminate a specific instance of an app through the UI. On the list of apps in the Apps Manager UI, a menu option called Terminate Instance appears.
For more information about terminating an instance, see Terminate a process instance in the Cloud Foundry API documentation.
The Apps Manager UI has an updated look and feel as well as updated resource navigation.
You can navigate to resources, such as the app Overview and Settings panes, from a panel on the left side of the screen in Apps Manager. You can find resources that previously appeared in the panel, such as links to documentation and Support, in the Apps Manager footer.
For more information, see Using Apps Manager.
In the Settings pane of the Apps Manager UI, the Metadata section contains lists of labels and annotations associated with an organization. You can edit these labels and annotations.
For more information, see the Add Metadata section of the Managing Orgs and Spaces Using Apps Manager topic.
If you select Enable agent-based syslog egress for app logs in the System Logging pane of the PAS tile, external syslog drains that are bound to Windows Apps cannot collect logs. For more information, see "Enable agent-based syslog egress for app logs" interrupts external log collection for PAS Windows apps in the Pivotal Knowledge Base.
When using the cflinuxfs3 stack in PAS v2.3 or later, if you provide environment variables containing periods or dashes, the environment variables do not appear in the process environment of the app.
To resolve this issue, ensure that all applications are using environment variables that do not contain periods or dashes.
For more information, see Missing environment variables when using PAS 2.3+ and the cflinuxfs3 stack in the Pivotal Knowledge Base.
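The following audit is an added example, not part of the Pivotal release notes or tooling: it flags environment variable names containing periods or dashes and reports where a rename would collide with another variable. The function name, the underscore replacement and the sample variables are assumptions constructed for illustration; how you export an app's variables into the mapping is left to your own tooling.

```python
import re

# Names containing a period or dash are the ones the release note says
# do not reach the app's process environment on cflinuxfs3.
DROPPED = re.compile(r"[.-]")


def audit_env_names(env):
    """Return (renames, collisions) for a mapping of env var name -> value.

    renames:    {original_name: proposed_name} for every affected name
    collisions: {proposed_name: [names...]} where a proposed name would clash
                with another variable (renamed or already present)
    """
    renames = {}
    owners = {}  # final name -> original names that would end up using it
    for name in sorted(env):
        final = name
        if DROPPED.search(name):
            # Assumption: replace each period or dash with an underscore.
            final = DROPPED.sub("_", name)
            renames[name] = final
        owners.setdefault(final, []).append(name)
    collisions = {f: names for f, names in owners.items() if len(names) > 1}
    return renames, collisions


# Constructed sample: variables an app might have configured.
SAMPLE_ENV = {
    "SPRING_PROFILES_ACTIVE": "cloud",
    "spring.datasource.url": "jdbc:postgresql://db.example.internal/app",
    "feature-flags": "audit",
    "feature.flags": "audit,strict",
    "api_timeout": "30",
    "api-timeout": "5",
}

if __name__ == "__main__":
    renames, collisions = audit_env_names(SAMPLE_ENV)
    for old, new in renames.items():
        print(f"rename {old!r} -> {new!r}")
    for final, names in collisions.items():
        print(f"collision on {final!r}: {names} (values must be reconciled)")
```

A collision means two variables with different values would map to one name, so the rename needs a decision about which value the app should receive rather than a mechanical substitution.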
When the CredHub database fails to migrate with a Flyway exception, it may be caused by the issue detailed here.
Gorouter may retain stale routes in its routing table. These routes can point to non-existent or incorrect app containers and can cause apps to intermittently return HTTP codes 404 or 502.
This issue typically occurs in larger-sized foundations where a single Gorouter instance misses a deregistration message when a user unmaps routes to a running app.
This issue has been fixed in PAS v2.6.1.
If you experience intermittent misrouting in apps, do the following:
- Log in to Ops Manager.
- Update the PAS tile to PAS v2.6.1.
- In the PAS tile, select the Application Containers tab.
- Select the Prune Routes on TTL Expiry for TLS Backends checkbox.
- Click Apply Changes.
For more information, see Enabling TLS from the Gorouter to application instances results in bad routes in PAS 2.3+.