Release Notes
Ops Manager 2.5
The filename for the artifact downloaded from Ops Manager is changed! If your resources or pipelines have a regex for the Ops Manager filename, you may be affected. (Please see Ops Manager's official notice for more information)
Azure Updating to 2.5
Ops Manager will be removing the necessity to provide availability zones for Azure.
If your `director.yml` (see `staged-director-config`) has a block like the following in the networks section:
`availability_zone_names` section from your Azure config, or re-run `staged-director-config` to update your `director.yml`.
v3.0.18
Released February 20, 2020
CLI Versions
Name | version |
---|---|
om | 3.0.0 |
bosh-cli | 6.1.1 |
credhub | 2.6.1 |
winfs-injector | 0.13.0 |
The full Docker image-receipt: Download
Bug Fixes
- GCP `create-vm` now correctly handles an empty tags list
- CVE update to container image. Resolves USN-4274-1. The CVEs are related to vulnerabilities with `libxml2`.
- Bumped the following low-severity CVE packages: `libsystemd0`, `libudev1`
v3.0.17
Released February 3, 2020
CLI Versions
Name | version |
---|---|
om | 3.0.0 |
bosh-cli | 6.1.1 |
credhub | 2.6.1 |
winfs-injector | 0.13.0 |
The full Docker image-receipt: Download
Bug Fixes
- CVE update to container image. Resolves USN-4243-1. The CVEs are related to vulnerabilities with `libbsd`.
- CVE update to container image. Resolves USN-4249-1. The CVEs are related to vulnerabilities with `e2fsprogs`.
- CVE update to container image. Resolves USN-4233-2. The CVEs are related to vulnerabilities with `libgnutls30`.
- CVE update to container image. Resolves USN-4256-1. The CVEs are related to vulnerabilities with `libsasl2-2`.
- Bumped the following low-severity CVE packages: `libcom-err2`, `libext2fs2`, `libss2`, `linux-libc-dev`
v3.0.16
Released January 28, 2020
Bug Fixes
- CVE update to container image. Resolves USN-4236-1. The CVEs are related to vulnerabilities with `Libgcrypt`.
- CVE update to container image. Resolves USN-4233-1. The CVEs are related to vulnerabilities with `GnuTLS`.
- Bumped the following low-severity CVE package: `linux-libc-dev`
v3.0.15
Released December 12, 2019
Bug Fixes
- CVE update to container image. Resolves USN-4220-1. The CVEs are related to vulnerabilities with `git`.
- Bumped the following low-severity CVE package: `linux-libc-dev`
v3.0.14
Released December 3, 2019
Bug Fixes
- CVE update to container image. Resolves USN-4205-1. This CVE is related to vulnerabilities with `libsqlite3`. None of our code calls `libsqlite3` directly, but the IaaS CLIs rely on this package.
v3.0.13
Released November 14, 2019, includes `om` version 3.0.0
Bug Fixes
- CVE update to container image. Resolves USN-4172-1. This CVE is related to vulnerabilities with `file` and `libmagic`.
- CVE update to container image. Resolves USN-4168-1. This CVE is related to vulnerabilities with `libidn2`.
- Bump `bosh` CLI to v6.1.1
- Bump `credhub` CLI to v2.6.1
v3.0.12
Released October 25, 2019, includes `om` version 3.0.0
Bug Fixes
- CVE update to container image. Resolves USN-4151-1. This CVE is related to vulnerabilities with `python`. None of our code calls `python` directly, but the IaaS CLIs rely on this package.
v3.0.11
Released October 15, 2019, includes `om` version 3.0.0
Bug Fixes
- CVE update to container image. Resolves USN-4142-1. (related to vulnerabilities with `e2fsprogs`. While none of our code directly used these, they are present on the image.)
- Bumped the following low-severity CVE packages: `libcom-err2`, `libext2fs2`, `libss2`, `linux-libc-dev`
v3.0.10
Released September 26, 2019, includes `om` version 3.0.0
Bug Fixes
- CVE update to container image. Resolves USN-4127-1. This CVE is related to vulnerabilities with `python`. None of our code calls `python` directly, but the IaaS CLIs rely on this package.
- CVE update to container image. Resolves USN-4129-1. (related to vulnerabilities with `curl` and `libcurl`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-4132-1. (related to vulnerabilities with `expat`. While none of our code directly used these, they are present on the image.)
- Bumped the following low-severity CVE packages: `libsystemd0`, `libudev1`, `linux-libc-dev`
v3.0.8
Released September 4, 2019, includes `om` version 3.0.0
Bug Fixes
- CVE update to container image. Resolves USN-4108-1. (related to vulnerabilities with `libzstd`. While none of our code directly used these, they are present on the image.)
- Bumped the following low-severity CVE packages: `libpython2.7`, `libpython2.7-dev`, `libpython2.7-minimal`, `libpython2.7-stdlib`, `libssl1.1`, `openssl`, `python-cryptography`, `python2.7`, `python2.7-dev`, `python2.7-minimal`
v3.0.7
Released August 28, 2019, includes `om` version 3.0.0
Bug Fixes
- When using AWS to create the Ops Manager VM with encrypted disks, the tasks `create-vm` and `upgrade-opsman` will wait for disk encryption to be completed. An exponential backoff will be used, and the task will time out after an hour if the disk is not ready.
- CVE update to container image. Resolves USN-4071-1. (related to vulnerabilities with `patch`. While none of our code directly used these, they are present on the image.)
- Bumped the following low-severity CVE packages: `linux-libc-dev`, `libldap-2.4-2`, `libldap-common`, `linux-libc-dev`
v3.0.5
Released July 22, 2019, includes `om` version 3.0.0
Bug Fixes
- In `credhub-interpolate`, `upload-product`, and `upload-stemcell`, setting `SKIP_MISSING: false` would cause the command to fail. This has been fixed.
- `upgrade-opsman` would fail on the `import-installation` step if the env file did not contain a target or decryption passphrase. This will now fail before the upgrade process begins to ensure faster feedback.
- `upgrade-opsman` now respects environment variables when it makes calls internally to `om` (env file still required).
- `download-product-s3` does not require `pivnet-api-token` anymore.
- `om` CLI has been bumped to v3.0.0. This includes the following bug fixes:
  - `apply-changes --product <product>` will error with product not found if that product has not been staged.
  - `upload-stemcell` now accepts `--floating false` in addition to `floating=false`. This was done to offer consistency between all of the flags on the command.
  - `skip-unchanged-products` was removed from `apply-changes`. This option has had issues with consistent successful behaviour. For example, if the apply changes fails for any reason, the subsequent apply changes cannot pick up where it left off. This usually happens in the case of errands that are used for services.

    We are working on scoping a selective deploy feature that makes sense for users. We would love to have feedback from users about this.
  - remove `revert-staged-changes`. `unstage-product` functionally does the same thing, but uses the API.
- Bumped the following low-severity CVE packages: `unzip`
v3.0.4
Released July 11, 2019, includes `om` version 2.0.0
Bug Fixes
- Both `configure-ldap-authentication` and `configure-saml-authentication` will now automatically create a BOSH UAA admin client as documented here. This is only supported in OpsManager 2.4 and greater. You may specify the option `skip-create-bosh-admin-client` in your config YAML to skip creating this client. After the client has been created, you can find the client ID and secret by following steps three and four found here.

  This feature needs to be enabled to properly automate authentication for the bosh director when using LDAP and SAML. If `skip-create-bosh-admin-client: true` is specified, manual steps are required, and this task is no longer "automation".
- `create-vm` and `upgrade-opsman` now function with `gcp_service_account_name` on GCP. Previously, only providing a full `gcp_service_account` as a JSON blob worked.
- Environment variables passed to `create-vm`, `delete-vm`, and `upgrade-opsman` will be passed to the underlying IAAS CLI invocation. This allows our tasks to work with the `https_proxy` and `no_proxy` variables that can be set in Concourse.
- `download-product` task output of `assign-stemcell.yml` will have the correct `product-name`
- When using the `env.yml` for a task, extra values passed in the env file will now fail if they are not recognized properties. Invalid properties might now produce the following:

  ```
  $ om --env env.yml upload-product --product product.pivotal
  could not parse env file: yaml: unmarshal errors:
    line 5: field invalid-field not found in type main.options
  ```
- `credhub` CLI has been bumped to v2.5.1. This includes a fix of not raising an error when processing an empty YAML file.
- `om` CLI has been bumped to v2.0.0. This includes the following bug fixes:
  - `download-product` will now return a `download-file.json` if `stemcell-iaas` is defined but the product has no stemcell. Previously, this would exit gracefully, but not return a file.
  - Non-string environment variables can now be read and passed as strings to Ops Manager. For example, if your environment variable (`OM_NAME`) is set to `"123"` (with quotes escaped), it will be evaluated in your config file with the quotes.

    Given `config.yml`

    ```yaml
    value: ((NAME))
    ```

    `om interpolate -c config.yml --vars-env OM`

    Will evaluate to:

    ```yaml
    value: "123"
    ```
  - `bosh-env` will now set `BOSH_ALL_PROXY` without a trailing slash if one is provided
  - When using `bosh-env`, a check is done to ensure the SSH private key exists. If it does not, the command will exit 1.
  - `config-template` will enforce the default value for a property to always be `configurable: false`. This is in line with the OpsManager behaviour.
- CVE update to container image. Resolves USN-4040-1. (related to vulnerabilities with `Expat`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-4038-1 and USN-4038-3. (related to vulnerabilities with `bzip`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-4019-1. (related to vulnerabilities with `SQLite`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves CVE-2019-11477. (related to vulnerabilities with `linux-libc-dev`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-4049-1. (related to vulnerabilities with `libglib`. While none of our code directly used these, they are present on the image.)
v3.0.2
Released July 8, 2019, includes `om` version 1.0.0
Bug Fixes
- CVE update to container image. Resolves USN-4014-1. (related to vulnerabilities with `GLib`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-4015-1. (related to vulnerabilities with `DBus`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-3999-1. (related to vulnerabilities with `GnuTLS`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-4001-1. (related to vulnerabilities with `libseccomp`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-4004-1. (related to vulnerabilities with `Berkeley DB`. While none of our code directly used these, they are present on the image.)
- CVE update to container image. Resolves USN-3993-1. (related to vulnerabilities with `curl`. While none of our code directly used these, they are present on the image.)
v3.0.1
Released May 24, 2019, includes `om` version 1.0.0
Breaking Changes
- `om` will now follow conventional Semantic Versioning, with breaking changes in major bumps, non-breaking changes for minor bumps, and bug fixes for patches.
- The `credhub-interpolate` task can have multiple interpolation paths. The `INTERPOLATION_PATH` param is now plural: `INTERPOLATION_PATHS`. If you are using a custom `INTERPOLATION_PATH` for `credhub-interpolate`, you will need to update your `pipeline.yml` to this new param. As an example, if your credhub-interpolate job is defined as so:

  ```yaml
  # OLD pipeline.yml PRIOR TO 3.0.0 RELEASE
  - name: example-credhub-interpolate
    plan:
    - get: platform-automation-tasks
    - get: platform-automation-image
    - get: config
    - task: credhub-interpolate
      image: platform-automation-image
      file: platform-automation-tasks/tasks/credhub-interpolate.yml
      input_mapping:
        files: config
      params:
        # all required
        CREDHUB_CA_CERT: ((credhub_ca_cert))
        CREDHUB_CLIENT: ((credhub_client))
        CREDHUB_SECRET: ((credhub_secret))
        CREDHUB_SERVER: ((credhub_server))
        PREFIX: /private-foundation
        INTERPOLATION_PATH: foundation/config-path
        SKIP_MISSING: true
  ```

  it should now look like

  ```yaml
  # NEW pipeline.yml FOR 3.0.0 RELEASE
  - name: example-credhub-interpolate
    plan:
    - get: platform-automation-tasks
    - get: platform-automation-image
    - get: config
    - task: credhub-interpolate
      image: platform-automation-image
      file: platform-automation-tasks/tasks/credhub-interpolate.yml
      input_mapping:
        files: config
      params:
        # all required
        CREDHUB_CA_CERT: ((credhub_ca_cert))
        CREDHUB_CLIENT: ((credhub_client))
        CREDHUB_SECRET: ((credhub_secret))
        CREDHUB_SERVER: ((credhub_server))
        PREFIX: /private-foundation
        INTERPOLATION_PATHS: foundation/config-path
        SKIP_MISSING: true
  ```
- The `upload-product` option `--sha256` has been changed to `--shasum`. If you are using the `--config` flag in `upload-product`, your config file will need to update from:

  ```yaml
  # OLD upload-product-config.yml PRIOR TO 3.0.0 RELEASE
  product-version: 1.2.3-build.4
  sha256: 6daededd8fb4c341d0cd437a
  ```

  to:

  ```yaml
  # NEW upload-product-config.yml FOR 3.0.0 RELEASE
  product-version: 1.2.3-build.4
  shasum: 6daededd8fb4c341d0cd437a # NOTE the name of this value is changed
  ```

  This change was added to future-proof the param name for when sha256 is no longer the de facto way of defining shasums.
What's New
- The new command `assign-multi-stemcell` assigns multiple stemcells to a provided product. This feature is only available in OpsMan 2.6+.
- `download-product` ensures sha sum checking when downloading the file from Tanzu Network.
- `download-product` can now disable ssl validation when connecting to Tanzu Network. This helps with environments with SSL and proxying issues. Add `pivnet-disable-ssl: true` in your download-product-config to use this feature.
- On GCP, if you did not assign a public IP, Google would assign one for you. This has been changed to only assign a public IP if defined in your `opsman.yml`.
- On Azure, if you did not assign a public IP, Azure would assign one for you. This has been changed to only assign a public IP if defined in your `opsman.yml`.
- `om interpolate` (example in the test task) now supports the ability to accept partial vars files. This is added support for users who may also be using credhub-interpolate or who want to mix interpolation methods. To make use of this feature, include the `--skip-missing` flag.
- `credhub-interpolate` now supports the `SKIP_MISSING` parameter. For more information on how to use this feature and if it fits for your foundation(s), see the Secrets Handling section.
- The reference pipeline has been updated to give an example of `credhub-interpolate` in practice. For more information about credhub, see Secrets Handling
- `om` now has support for `config-template` (a Platform Automation Toolkit encouraged replacement of `tile-config-generator`). This is an experimental command that can only be run currently using `docker run`. For more information and instruction on how to use `config-template`, please see Creating a Product Config File.
- `upload-stemcell` now supports the ability to include a config file. This allows you to define an expected `shasum` that will validate the calculated shasum of the provided `stemcell` uploaded in the task. This was added to give feature parity with `upload-product`
- Azure now allows NSG (network security group) to be optional. This change was made because NSGs can be assigned at the subnet level rather than just the VM level. This param is also not required by the Azure CLI. Platform Automation Toolkit now reflects this.
- `staged-director-config` now supports returning multiple IaaS configurations. `iaas-configurations` is a top level key returned in Ops Manager 2.2+. If using an Ops Manager 2.1 or earlier, `iaas_configuration` will continue to be a key nested under `properties-configuration`.
- `configure-director` now supports setting multiple IaaS configurations. If using this feature, be sure to use the top-level `iaas-configurations` key, rather than the nested `properties-configuration.iaas_configuration` key. If using a single IaaS, `properties-configuration.iaas_configuration` is still supported, but the new `iaas-configurations` top-level key is recommended.

  ```yaml
  # Configuration for 2.2+
  iaas-configurations:
  - additional_cloud_properties: {}
    name: ((iaas-configurations_0_name))
  - additional_cloud_properties: {}
    name: ((iaas-configurations_1_name))
  ...
  networks-configuration: ...
  properties-configuration: ...
  ```

  ```yaml
  # Configuration 2.1 and earlier
  networks-configuration: ...
  properties-configuration:
    director_configuration: ...
    iaas_configuration:
      additional_cloud_properties: {}
      name: ((iaas-configurations_0_name))
      ...
    security_configuration: ...
  ```
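
The `shasum` value in the `upload-product` config and in the new `upload-stemcell` config file can also be checked locally before a file is handed to the task. The following is an added example, not code from Platform Automation Toolkit or `om`; it assumes the `shasum` value is a hex SHA-256 digest in a flat config file like the one shown in the breaking changes, and `file_sha256`, `config_value` and `verify_shasum` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: compare a file's SHA-256 with the `shasum` key of a flat
# upload-product / upload-stemcell style config before uploading the file.
# Usage: verify_shasum <config.yml> <artifact> && echo "digest matches"

# Print the SHA-256 of a file as lowercase hex.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the value of a top-level key from a flat YAML file,
# dropping trailing comments, quotes and trailing whitespace.
config_value() {
  sed -n "s/^$1:[[:space:]]*//p" "$2" |
    sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" -e 's/[[:space:]]*$//' |
    head -n 1
}

# Return codes: 0 match, 1 mismatch, 2 no shasum key,
# 3 config only carries the pre-3.0.0 `sha256` key.
verify_shasum() {
  config=$1
  artifact=$2
  expected=$(config_value shasum "$config")
  if [ -z "$expected" ]; then
    if [ -n "$(config_value sha256 "$config")" ]; then
      echo "config uses the pre-3.0.0 key 'sha256'; rename it to 'shasum'" >&2
      return 3
    fi
    echo "no shasum in $config; file is not verified" >&2
    return 2
  fi
  # Normalise case so an upper-case digest in the config still compares equal.
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(file_sha256 "$artifact")
  if [ "$actual" != "$expected" ]; then
    echo "shasum mismatch for $artifact" >&2
    return 1
  fi
  return 0
}
```

A missing `shasum` key is reported separately from a mismatch so that a config that silently skips the check does not pass as verified.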
Bug Fixes
- OpenStack would sometimes be unable to associate the public IP when creating the VM, because it was waiting for the VM to come up. The `--wait` flag has been added to validate that the VM creation is complete before more work is done to the VM.
- `credhub-interpolate` now accepts multiple files for the `INTERPOLATION_PATHS`.
- CVE update to container image. Resolves USN-3911-1. (related to vulnerabilities with `libmagic1`. While none of our code directly used these, they are present on the image.)
- Improved error messaging for vSphere VM creation if neither `ssh-password` nor `ssh-public-key` is set. One or the other is required to create a VM.