Pivotal Operations Manager v2.7 Release Notes

Pivotal Platform is certified by the Cloud Foundry Foundation for 2019.

Read more about the certified provider program and the requirements of providers.


How to Upgrade

The Upgrading Pivotal Platform topic contains instructions for upgrading to Pivotal Operations Manager v2.7.

Releases

2.7.4

  • [Feature] Operators can configure multiple HSM hosts in BOSH CredHub using the Ops Manager API.
  • [Security Fix] When an operator makes a request to the UAA server, the server does not log credentials within the query parameters.

Ops Manager v2.7.4 uses the following component versions:

Component        Version
Ops Manager      2.7.4-build.216*
Stemcell         456.69*
BBR SDK          1.17.2
BOSH Director    270.4.2
BOSH DNS         1.12.0
Metrics Server   0.0.24
CredHub          2.5.7*
Syslog           11.6.0
Windows Syslog   1.0.3
UAA              73.4.15
BPM              1.1.5
Networking       9
OS Conf          21.0.0
AWS CPI          78
Azure CPI        36.0.1
Google CPI       29.0.1
OpenStack CPI    43
vSphere CPI      53.0.2*
BOSH CLI         5.5.1
Credhub CLI      2.6.1
BBR CLI          1.5.2
* Components marked with an asterisk have been updated.

2.7.3

  • [Bug Fix] Fixes an unbound variable in UAA that causes the BOSH Director to fail

Ops Manager v2.7.3 uses the following component versions:

Component        Version
Ops Manager      2.7.3-build.208*
Stemcell         456.51*
BBR SDK          1.17.2
BOSH Director    270.4.2
BOSH DNS         1.12.0
Metrics Server   0.0.24
CredHub          2.5.6
Syslog           11.6.0*
Windows Syslog   1.0.3
UAA              73.4.15*
BPM              1.1.5
Networking       9
OS Conf          21.0.0
AWS CPI          78
Azure CPI        36.0.1
Google CPI       29.0.1
OpenStack CPI    43
vSphere CPI      53.0.1
BOSH CLI         5.5.1
Credhub CLI      2.6.1*
BBR CLI          1.5.2
* Components marked with an asterisk have been updated.

2.7.2

  • [Security Fix] This patch addresses CVE-2019-15587
  • [Feature] Operators see a warning about unrecognized verifiers instead of failing an Apply Changes
  • [Feature] Operators can use the DELETE /api/v0/staged endpoint to revert pending changes
  • [Bug Fix] API shows correct message for a given product when enabling or disabling unknown verifier
  • [Bug Fix] Operators cannot modify vSphere availability zones that are associated with a deployed product with the API
  • [Bug Fix] Ops Manager does not show the Revert button in the UI after Apply Changes
  • [Bug Fix] Users are allowed to uncheck all options in a multi_select_options property that is nested under a selector

Ops Manager v2.7.2 uses the following component versions:

Component        Version
Ops Manager      2.7.2-build.201*
Stemcell         456.40*
BBR SDK          1.17.2
BOSH Director    270.4.2*
BOSH DNS         1.12.0
Metrics Server   0.0.24
CredHub          2.5.6
Syslog           11.5.0
Windows Syslog   1.0.3
UAA              73.4.14*
BPM              1.1.5*
Networking       9
OS Conf          21.0.0
AWS CPI          78*
Azure CPI        36.0.1
Google CPI       29.0.1
OpenStack CPI    43
vSphere CPI      53.0.1
BOSH CLI         5.5.1
Credhub CLI      2.6.0
BBR CLI          1.5.2
* Components marked with an asterisk have been updated.

2.7.1

  • [Feature] Improves Nginx security configuration. Nginx now uses a more secure cipher suite and updates OpenSSL DH parameters to prevent fingerprinting.
  • [Feature] External DB password is not frozen after a successful deploy
  • [Feature] Begins consuming credhub-release from the Pivotal CredHub LTS repo to ensure users will be able to consume patches
  • [Bug Fix] Root CA certificate is only written to disk when it has changed
  • [Bug Fix] Add AWS AMI IDs for eu-west-3 and eu-north-1 to the PDFs on Pivotal Network
  • [Bug Fix] Tomcat logs from the UAA process are readable by the syslog user
  • [Bug Fix] When an operator exports a runtime config only tile from Ops Manager 2.6 on AWS, they can successfully import their installation.zip into Ops Manager 2.7. Previously there was a 5th generation AWS instance schema migration failure.
  • [Bug Fix] Submitting a form with multiple unselected selector properties does not raise a 500 error
  • [Bug Fix] Resolves an issue in which Ops Manager hangs during Apply Changes
  • [Bug Fix] Ops Manager API shows deployed certificates when only the BOSH Director has been deployed

Ops Manager v2.7.1 uses the following component versions:

Component        Version
Ops Manager      2.7.1-build.189*
Stemcell         456.30*
BBR SDK          1.17.2*
BOSH Director    270.4.1
BOSH DNS         1.12.0
Metrics Server   0.0.24*
CredHub          2.5.6*
Syslog           11.5.0*
Windows Syslog   1.0.3
UAA              73.4.10*
BPM              1.1.3
Networking       9
OS Conf          21.0.0
AWS CPI          77
Azure CPI        36.0.1
Google CPI       29.0.1
OpenStack CPI    43
vSphere CPI      53.0.1
BOSH CLI         5.5.1
Credhub CLI      2.6.0*
BBR CLI          1.5.2
* Components marked with an asterisk have been updated.

2.7.0

Ops Manager v2.7.0 uses the following component versions:

Component        Version
Ops Manager      2.7.0-build.161*
Stemcell         456.16*
BBR SDK          1.17.1*
BOSH Director    270.4.1*
BOSH DNS         1.12.0
Metrics Server   0.0.22
CredHub          2.5.3*
Syslog           11.4.0
Windows Syslog   1.0.3
UAA              73.4.4
BPM              1.1.3
Networking       9
OS Conf          21.0.0
AWS CPI          77
Azure CPI        36.0.1
Google CPI       29.0.1
OpenStack CPI    43
vSphere CPI      53.0.1
BOSH CLI         5.5.1
Credhub CLI      2.5.2
BBR CLI          1.5.2*
* Components marked with an asterisk have been updated.

New Features in Ops Manager v2.7

Ops Manager v2.7 includes the following major features:

Resource Config Redesign

Ops Manager v2.7 introduces a redesigned Resource Config pane. The new Resource Config pane appears in every Ops Manager product tile, including the BOSH Director.

In the redesigned Resource Config pane, you can expand the row that contains each job to reveal additional configuration options. The additional options that you can configure depend on your IaaS. For example, if you use vSphere, you can configure NSX-T or NSX-V settings within each job row.

The new Ops Manager Resource Config pane also has improved error handling. When there is an error, Ops Manager displays both a banner and an error message next to the field that contains the error. When a value you enter violates the constraints of a job, Ops Manager highlights the corresponding Instances, VM Type, and Persistent Disk Type fields and displays an error message about the violation.

For more information, see the Resource Config section of the BOSH Director configuration topic for your IaaS:

Valid cron Input Verification

For string type form fields in tiles, Ops Manager supports a constraints.must_be_cron_schedule attribute that verifies whether the input is a valid cron expression. Tiles can use this attribute for fields that schedule backups, for example. For information about the string blueprint type, see string.

Ops Manager Sanitizes Certificate Input for Carriage Returns and Line Feeds

When you reset the value of a certificate in an Ops Manager tile, Ops Manager sanitizes the certificate for carriage returns and line feeds. This prevents BOSH from interpreting the certificate you reset as a new certificate and recreating VMs. You do not need to manually remove newline characters such as \n.
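
The following added example (not Ops Manager code) shows why line endings matter when deciding whether a resubmitted certificate is "new": the raw strings differ, but the decoded certificate body is identical once line endings are normalized. The helper names and the PEM-shaped sample values are constructed for illustration; the payload is not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def normalize_pem(text: str) -> str:
    """Return the PEM with LF-only line endings and no blank or padded lines."""
    # Values pasted from JSON or YAML may carry literal backslash escapes.
    for escaped in ("\\r\\n", "\\n", "\\r"):
        text = text.replace(escaped, "\n")
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return "\n".join(ln.strip() for ln in text.split("\n") if ln.strip()) + "\n"

def der_fingerprint(text: str) -> str:
    """SHA-256 of the decoded certificate body, independent of line breaks."""
    match = PEM_RE.search(normalize_pem(text))
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def is_same_certificate(stored: str, submitted: str) -> bool:
    return der_fingerprint(stored) == der_fingerprint(submitted)

def constructed_pem(payload: bytes, newline: str) -> str:
    """Build a PEM-shaped test value (constructed bytes, not a real certificate)."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines = ["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----"]
    return newline.join(lines) + newline

STORED = constructed_pem(bytes(range(96)), "\n")
WITH_CRLF = constructed_pem(bytes(range(96)), "\r\n")
WITH_ESCAPES = constructed_pem(bytes(range(96)), "\\n")
OTHER = constructed_pem(bytes(range(1, 97)), "\n")

if __name__ == "__main__":
    for label, value in [("CRLF", WITH_CRLF), ("escaped", WITH_ESCAPES), ("other", OTHER)]:
        print(label, "raw-equal:", value == STORED,
              "same-cert:", is_same_certificate(STORED, value))
```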

API Call Returns All Certs

Calling the Ops Manager API deployed/certificates endpoint returns listings for the root certificate authority (CA), NATS CA, and certificates that Ops Manager stores in CredHub, in addition to leaf-level certificates that Ops Manager stores directly.

For more information, see List all RSA Certificates.

Download a Platform Information Bundle from the Ops Manager UI or API

You can download a Platform Information Bundle as a ZIP file from the Ops Manager UI or API. The bundle includes Ops Manager logs, deployed manifests and configurations, and BOSH deployment diagnostics.

The contents of the bundle help Pivotal Support more quickly address any issues in your deployment.

To download the ZIP file from the UI, click Support in the footer of any page in the Ops Manager UI.

To download the ZIP file from the Ops Manager API, use the /api/v0/support_bundle endpoint. For more information, see Support Bundle in the Ops Manager API documentation.

BOSH Director Access Events Appear in Syslog Output

Syslog output includes BOSH Director access events when syslog is enabled in Ops Manager.

BOSH Director access events correspond to the execution of BOSH CLI commands. The addition of these events allows you to audit BOSH Director access and activity for security monitoring purposes.

For more information, see Syslog and Logging API Access in BOSH Documentation.

Request Parameters in Ops Manager User Activity Logs

The Ops Manager audit_log.txt file includes request parameters. This provides additional information about requests made in the Ops Manager UI, such as the timestamp of the request and the username that made the request.

These request parameters improve Ops Manager logs for auditing user activity.

To access the audit_log.txt file, SSH into the Ops Manager VM and navigate to /var/log/opsmanager/audit_log.txt.

For more information about the types of user activity that you can audit in the Ops Manager logs, see Auditing User Activity in Ops Manager.

BBR Backs Up GCS Blobstore

BOSH Backup and Restore (BBR) backs up BOSH Director blobstores that save externally to Google Cloud Storage (GCS), as configured in the Director Config pane. See the External Storage Support Across Pivotal Platform Versions section of Backing Up Pivotal Platform with BBR.

PCF Ops Manager Renamed to Pivotal Ops Manager

PCF Ops Manager is renamed to Pivotal Ops Manager in the Installation Dashboard. Additionally, the file names for Ops Manager downloads are renamed in Pivotal Network.

Known Issues

Log Page Accuracy and Behavior

The Change Log page may not show the correct results of each Apply Changes deploy attempt, and the Installation Log may omit later logs that show whether the deployment succeeded or how it failed.

For more information and a workaround, see Operations Manager changelog does not show any errors after failed deployment in Pivotal Support.

The Installation Log also takes time to load, and the link menu for each stage of the deployment scrolls away when you scroll down through the log output.

You access the Installation Log page from the Change Log page by clicking the Logs button for a listed deployment event.

Syslog Does Not Receive UAA Audit Logs

Audit logs from the Ops Manager UAA component do not forward to a syslog server due to file permission issues.

Operators Must Reset Manually Set Certificates

After you upgrade to Ops Manager v2.7, you must reset any manually set certificates in CredHub to prevent their accidental rotation in Ops Manager v2.8.

CredHub v2.5 adds a field that tracks whether a certificate has been manually set or generated. However, existing certificates are not migrated to use this field. When you upgrade to Ops Manager v2.7, existing CredHub certificates are assigned a null value in the generated field.

When instructed to rotate certificates, Ops Manager v2.8 does a bulk rotation of all certificates where generated is set to either true or null. To prevent rotation of a manually set certificate in CredHub, you must manually reset the certificate, which updates the generated field to false.

To reset a certificate in CredHub, see Reviewing and Resetting Manually Set Certificates in CredHub.
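
The selection rule described above has three states, and a check that treats null and false alike will miss the certificates at risk. The following added example (not Pivotal or CredHub code) classifies an inventory by the generated field. The record layout and certificate names are constructed and hypothetical, and treating an absent field like null is an assumption.

```python
import json

# Constructed inventory. The record layout and names are hypothetical;
# only the three states of `generated` come from the release note.
SAMPLE = json.loads("""
[
  {"name": "/constructed/router_tls",        "generated": true},
  {"name": "/constructed/uploaded_wildcard", "generated": null},
  {"name": "/constructed/pre_upgrade_leaf"},
  {"name": "/constructed/reset_by_operator", "generated": false}
]
""")

def classify(cert: dict) -> str:
    """Map one record to what a v2.8 bulk rotation would do with it."""
    value = cert.get("generated")  # assumption: an absent key is treated like null
    if value is False:
        return "kept"              # manually set and already reset
    if value is True:
        return "rotated"           # generated certificate
    if value is None:
        return "rotated-unmarked"  # pre-upgrade certificate, origin unknown
    # Strings such as "false" are truthy in Python; refuse to guess.
    raise ValueError(f"{cert.get('name')}: unexpected generated={value!r}")

def rotation_plan(certs: list) -> dict:
    plan = {"kept": [], "rotated": [], "rotated-unmarked": []}
    for cert in certs:
        plan[classify(cert)].append(cert["name"])
    return plan

def needs_review(certs: list) -> list:
    """Certificates to inspect and, if manually set, reset before upgrading."""
    return sorted(rotation_plan(certs)["rotated-unmarked"])

if __name__ == "__main__":
    for bucket, names in rotation_plan(SAMPLE).items():
        print(f"{bucket:17} {', '.join(names) or '-'}")
```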