Pivotal Application Service v2.7 Release Notes

Pivotal Platform is certified by the Cloud Foundry Foundation for 2019.

Read more about the certified provider program and the requirements of providers.


Releases

2.7.6

Release Date: 12/09/2019

  • [Security Fix] Prevent logging of secure information
  • [Feature Improvement] Upgrade Routing, Networking, and Silk releases to use Go 1.13
  • [Bug Fix] Add length constraint to CredHub internal encryption provider keys
  • Bump cf-cli to version 1.23.0
  • Bump cf-networking to version 2.23.5
  • Bump cflinuxfs3 to version 0.150.0
  • Bump routing to version 0.191.7
  • Bump silk to version 2.23.5
  • Bump uaa to version 73.4.16

Component                       Version
ubuntu-xenial stemcell          456.74
backup-and-restore-sdk          1.17.2
binary-offline-buildpack        1.0.35
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.2
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.23.0
cf-networking                   2.23.5
cf-smoke-tests                  40.0.123
cflinuxfs3                      0.150.0
credhub                         2.5.6
diego                           2.36.5
dotnet-core-offline-buildpack   2.3.2
garden-runc                     1.19.8
go-offline-buildpack            1.9.3
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.26
leadership-election             1.4.2
log-cache                       2.1.11
loggregator-agent               3.21.4
loggregator                     105.6.2
mapfs                           1.2.1
metric-registrar                1.1.1
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.2
nginx-offline-buildpack         1.1.1
nodejs-offline-buildpack        1.7.4
notifications-ui                36
notifications                   61
php-offline-buildpack           4.4.2
push-apps-manager-release       670.0.11
push-usage-service-release      670.0.12
pxc                             0.20.0
python-offline-buildpack        1.7.2
r-offline-buildpack             1.1.0
routing                         0.191.7
ruby-offline-buildpack          1.8.2
silk                            2.23.5
smb-volume                      2.1.0
staticfile-offline-buildpack    1.5.1
statsd-injector                 1.11.1
syslog                          11.4.0
uaa                             73.4.16

2.7.5

Release Date: 12/02/2019

  • [Feature] Allow operator to set a new bind configuration “version” on volume mounts. Operators with older versions of SMB software can now use volume services.
  • [Bug Fix] S3 unversioned backup and restore now works if the unversioned target bucket used to be versioned
  • Bump ubuntu-xenial stemcell to version 456.74
  • Bump backup-and-restore-sdk to version 1.17.2
  • Bump cflinuxfs3 to version 0.149.0
  • Bump java-offline-buildpack to version 4.26
  • Bump nodejs-offline-buildpack to version 1.7.4
  • Bump php-offline-buildpack to version 4.4.2
  • Bump python-offline-buildpack to version 1.7.2
  • Bump r-offline-buildpack to version 1.1.0
  • Bump smb-volume to version 2.1.0

Component                       Version
ubuntu-xenial stemcell          456.74
backup-and-restore-sdk          1.17.2
binary-offline-buildpack        1.0.35
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.2
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.22.0
cf-networking                   2.23.4
cf-smoke-tests                  40.0.123
cflinuxfs3                      0.149.0
credhub                         2.5.6
diego                           2.36.5
dotnet-core-offline-buildpack   2.3.2
garden-runc                     1.19.8
go-offline-buildpack            1.9.3
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.26
leadership-election             1.4.2
log-cache                       2.1.11
loggregator-agent               3.21.4
loggregator                     105.6.2
mapfs                           1.2.1
metric-registrar                1.1.1
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.2
nginx-offline-buildpack         1.1.1
nodejs-offline-buildpack        1.7.4
notifications-ui                36
notifications                   61
php-offline-buildpack           4.4.2
push-apps-manager-release       670.0.11
push-usage-service-release      670.0.12
pxc                             0.20.0
python-offline-buildpack        1.7.2
r-offline-buildpack             1.1.0
routing                         0.191.2
ruby-offline-buildpack          1.8.2
silk                            2.22.2
smb-volume                      2.1.0
staticfile-offline-buildpack    1.5.1
statsd-injector                 1.11.1
syslog                          11.4.0
uaa                             73.4.15

2.7.4

Release Date: 11/20/2019

  • [Security Fix] Address CVE-2019-17596
  • [Security Fix] Improve Gorouter resiliency to panics and address CVE-2019-11289
  • [Bug Fix] Fixes a bug that made the UAA fail to start up successfully any time the env.no_proxy property was set
  • Bump ubuntu-xenial stemcell to version 456.69
  • Bump cf-cli to version 1.22.0
  • Bump cf-smoke-tests to version 40.0.123
  • Bump cflinuxfs3 to version 0.144.0
  • Bump dotnet-core-offline-buildpack to version 2.3.2
  • Bump go-offline-buildpack to version 1.9.3
  • Bump mapfs to version 1.2.1
  • Bump nfs-volume to version 2.3.2
  • Bump nginx-offline-buildpack to version 1.1.1
  • Bump nodejs-offline-buildpack to version 1.7.2
  • Bump php-offline-buildpack to version 4.4.1
  • Bump python-offline-buildpack to version 1.7.1
  • Bump routing to version 0.191.2
  • Bump ruby-offline-buildpack to version 1.8.2
  • Bump smb-volume to version 2.0.4
  • Bump staticfile-offline-buildpack to version 1.5.1
  • Bump uaa to version 73.4.15

Component                       Version
ubuntu-xenial stemcell          456.69
backup-and-restore-sdk          1.16.0
binary-offline-buildpack        1.0.35
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.2
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.22.0
cf-networking                   2.23.4
cf-smoke-tests                  40.0.123
cflinuxfs3                      0.144.0
credhub                         2.5.6
diego                           2.36.5
dotnet-core-offline-buildpack   2.3.2
garden-runc                     1.19.8
go-offline-buildpack            1.9.3
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.24
leadership-election             1.4.2
log-cache                       2.1.11
loggregator-agent               3.21.4
loggregator                     105.6.2
mapfs                           1.2.1
metric-registrar                1.1.1
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.2
nginx-offline-buildpack         1.1.1
nodejs-offline-buildpack        1.7.2
notifications-ui                36
notifications                   61
php-offline-buildpack           4.4.1
push-apps-manager-release       670.0.11
push-usage-service-release      670.0.12
pxc                             0.20.0
python-offline-buildpack        1.7.1
r-offline-buildpack             1.0.13
routing                         0.191.2
ruby-offline-buildpack          1.8.2
silk                            2.22.2
smb-volume                      2.0.4
staticfile-offline-buildpack    1.5.1
statsd-injector                 1.11.1
syslog                          11.4.0
uaa                             73.4.15

2.7.3

Release Date: 10/31/2019

  • [Security Fix] Eliminate risk of Jackson Databind vulnerabilities
  • [Security Fix] Upgrade Go, runc and containerd to latest to include security fixes
  • [Security Fix] Bump Usage Service Ruby to 2.5.7 and Loofah gem to 2.3.1
  • [Security Fix] CVE-2019-17596 bump Go
  • [Feature] Enable metrics for delayed job failures for Usage Service Release
  • [Feature Improvement] Correct System Logging TLS Destination Certificate Label
  • [Feature Improvement] Add marketplace url field and change sidebar links to secondary navigation links in Apps Manager configuration
  • [Bug Fix] Fix loading state on panels in Apps Manager
  • [Bug Fix] Increase width of Apps Manager logs tab
  • [Bug Fix] Do not attempt to start an app if the app droplet fails to build in Apps Manager
  • [Bug Fix] Redesign Apps Manager footer to accommodate footer links
  • [Bug Fix] Show buildpack name for java_buildpack in Apps Manager
  • [Bug Fix] Show correct Cloud Controller target on Apps Manager’s tools page
  • [Bug Fix] Match CLI default timeouts when waiting for app restages and start health checks in Apps Manager
  • [Bug Fix] When starting an app via Apps Manager, do not build a new droplet unless it’s necessary to do so
  • Bump ubuntu-xenial stemcell to version 456.40
  • Bump cf-cli to version 1.21.0
  • Bump cflinuxfs3 to version 0.137.0
  • Bump garden-runc to version 1.19.8
  • Bump java-offline-buildpack to version 4.24
  • Bump leadership-election to version 1.4.2
  • Bump log-cache to version 2.1.11
  • Bump loggregator-agent to version 3.21.4
  • Bump loggregator to version 105.6.2
  • Bump push-apps-manager-release to version 670.0.11
  • Bump push-usage-service-release to version 670.0.12
  • Bump ruby-offline-buildpack to version 1.8.1
  • Bump statsd-injector to version 1.11.1
  • Bump uaa to version 73.4.14

Component                       Version
ubuntu-xenial stemcell          456.40
backup-and-restore-sdk          1.16.0
binary-offline-buildpack        1.0.35
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.2
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.21.0
cf-networking                   2.23.4
cf-smoke-tests                  40.0.119
cflinuxfs3                      0.137.0
credhub                         2.5.6
diego                           2.36.5
dotnet-core-offline-buildpack   2.3.1
garden-runc                     1.19.8
go-offline-buildpack            1.9.1
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.24
leadership-election             1.4.2
log-cache                       2.1.11
loggregator-agent               3.21.4
loggregator                     105.6.2
mapfs                           1.2.0
metric-registrar                1.1.1
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.0
nginx-offline-buildpack         1.1.0
nodejs-offline-buildpack        1.7.0
notifications-ui                36
notifications                   61
php-offline-buildpack           4.4.0
push-apps-manager-release       670.0.11
push-usage-service-release      670.0.12
pxc                             0.20.0
python-offline-buildpack        1.6.37
r-offline-buildpack             1.0.13
routing                         0.191.0
ruby-offline-buildpack          1.8.1
silk                            2.22.2
smb-volume                      2.0.3
staticfile-offline-buildpack    1.5.0
statsd-injector                 1.11.1
syslog                          11.4.0
uaa                             73.4.14

Warning: Before installing or upgrading to PAS v2.7, review the PAS Breaking Changes v2.7.

2.7.2

Release Date: 10/16/2019

  • [Security Fix] Bump Go to address CVE-2019-16276
  • [Security Fix] Add TLS to external policy server
  • [Security Fix] Improve redaction of sensitive data in SMB driver bosh logs
  • [Bug Fix] Fix defect disallowing “domain” option in SMB volume service
  • [Bug Fix] Disallow injection into the query parameter
  • [Bug Fix] Increase task result file size to ensure apps with very long start commands stage successfully
  • [Bug Fix] Replace hard-coded MySQL Buffer Pool size with sane percentage value.
  • [Bug Fix] Disable internal blobstore backups when using an external blobstore
  • Bump ubuntu-xenial stemcell to version 456.30
  • Bump binary-offline-buildpack to version 1.0.35
  • Bump cf-networking to version 2.23.4
  • Bump cflinuxfs3 to version 0.135.0
  • Bump diego to version 2.36.5
  • Bump dotnet-core-offline-buildpack to version 2.3.1
  • Bump go-offline-buildpack to version 1.9.1
  • Bump java-offline-buildpack to version 4.23
  • Bump leadership-election to version 1.4.1
  • Bump log-cache to version 2.1.10
  • Bump loggregator-agent to version 3.21.3
  • Bump loggregator to version 105.6.1
  • Bump nginx-offline-buildpack to version 1.1.0
  • Bump nodejs-offline-buildpack to version 1.7.0
  • Bump php-offline-buildpack to version 4.4.0
  • Bump python-offline-buildpack to version 1.6.37
  • Bump r-offline-buildpack to version 1.0.13
  • Bump smb-volume to version 2.0.3
  • Bump staticfile-offline-buildpack to version 1.5.0
  • Bump statsd-injector to version 1.11.0
  • Bump uaa to version 73.4.10

Component                       Version
ubuntu-xenial stemcell          456.30
backup-and-restore-sdk          1.16.0
binary-offline-buildpack        1.0.35
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.2
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.19.0
cf-networking                   2.23.4
cf-smoke-tests                  40.0.119
cflinuxfs3                      0.135.0
credhub                         2.5.6
diego                           2.36.5
dotnet-core-offline-buildpack   2.3.1
garden-runc                     1.19.7
go-offline-buildpack            1.9.1
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.23
leadership-election             1.4.1
log-cache                       2.1.10
loggregator-agent               3.21.3
loggregator                     105.6.1
mapfs                           1.2.0
metric-registrar                1.1.1
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.0
nginx-offline-buildpack         1.1.0
nodejs-offline-buildpack        1.7.0
notifications-ui                36
notifications                   61
php-offline-buildpack           4.4.0
push-apps-manager-release       670.0.10
push-usage-service-release      670.0.10
pxc                             0.20.0
python-offline-buildpack        1.6.37
r-offline-buildpack             1.0.13
routing                         0.191.0
ruby-offline-buildpack          1.7.42
silk                            2.22.2
smb-volume                      2.0.3
staticfile-offline-buildpack    1.5.0
statsd-injector                 1.11.0
syslog                          11.4.0
uaa                             73.4.10

2.7.1

Release Date: 10/08/2019

  • [Security Fix] Upgrade Diego Components to Use grpc v1.23.0 and Go 1.12.9 to Fix HTTP2 CVEs
  • [Security Fix] UAA Patch release to address privilege escalation vulnerabilities
  • [Security Fix] Bump garden-runc release to take Go HTTP/2 and containerd gRPC fixes
  • [Security Fix] Upgrade gRPC-java to patch HTTP/2 vulnerability
  • [Feature Improvement] Make TCP Router Request Timeout Configurable. For more information, see Configuring TCP Routing in PAS.
  • [Feature Improvement] Metric Registrar - Allow app developers to register custom routes for metrics endpoints
  • [Feature Improvement] Docker image applications hosted in AWS ECR continue to run when restarted after the typical AWS ECR credential expiration period
  • [Feature Improvement] Show revision number on processes in Apps Manager when revisions are enabled for an application
  • [Feature Improvement] Show panels in Apps Manager for each web process during a rolling deployment
  • [Bug Fix] Fixes a regression bug causing mounts for applications bound to smb volume services with an older version of the smbbroker to fail on restart or upgrade
  • [Bug Fix] PXC Release: Stale pid files are cleaned up so that processes start reliably
  • [Bug Fix] Fix Usage Service SQL errors when MySQL has ONLY_FULL_GROUP_BY enabled
  • [Bug Fix] Show an app’s buildpack information in Apps Manager based on the app’s current droplet, to account for autodetected buildpacks
  • [Bug Fix] Fix filter to remove Apps Manager requests from logs shown in Apps Manager when apps are deployed to a path
  • [Bug Fix] Keep search results in Apps Manager from disappearing while they are being refreshed
  • [Bug Fix] Fix Apps Manager search server crashes in cases where requests to Cloud Controller fail
  • [Bug Fix] Fix links to documentation in Apps Manager to point to the correct PAS version
  • [Bug Fix] Allow slashes to be typed in the Apps Manager search bar
  • [Bug Fix] Fix bug where Spring Boot logo was shown instead of Steeltoe logo in the Apps Manager sidebar for Steeltoe apps
  • [Bug Fix] Add plan column to the app services tab in Apps Manager so plan names do not get cut off
  • [Bug Fix] Stretch background of flyout in Apps Manager to accommodate sidebar being closed
  • [Bug Fix] Keep service icons from changing size in Apps Manager when an action is in progress
  • [Bug Fix] Allow users to set custom memory and disk limits when running tasks against applications in Apps Manager
  • [Bug Fix] Fix bug that prevented users from inviting others, through Apps Manager, to organizations and spaces that did not appear in the first page of results from Cloud Controller
  • [Bug Fix] Improve performance of organization/space user role endpoint
  • [Bug Fix] Improve scalability of container-to-container service discovery by increasing file descriptor limit on bosh-dns-adapter
  • [Bug Fix] Tag system containers with network.healthcheck so that 3rd party networking plugins can ignore them.
  • [Bug Fix] Metric Registrar - Metric Registrar Monitor app now gets deleted after Deploy Metric Registrar errand completes, reducing load on Cloud Controller
  • Bump ubuntu-xenial stemcell to version 456.27
  • Bump capi to version 1.84.2
  • Bump cf-networking to version 2.23.2
  • Bump cflinuxfs3 to version 0.130.0
  • Bump credhub to version 2.5.6
  • Bump diego to version 2.36.4
  • Bump garden-runc to version 1.19.7
  • Bump java-offline-buildpack to version 4.22
  • Bump metric-registrar to version 1.1.1
  • Bump push-apps-manager-release to version 670.0.10
  • Bump push-usage-service-release to version 670.0.10
  • Bump pxc to version 0.20.0
  • Bump smb-volume to version 2.0.1
  • Bump uaa to version 73.4.8

Component                       Version
ubuntu-xenial stemcell          456.27
backup-and-restore-sdk          1.16.0
binary-offline-buildpack        1.0.33
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.2
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.19.0
cf-networking                   2.23.2
cf-smoke-tests                  40.0.119
cflinuxfs3                      0.130.0
credhub                         2.5.6
diego                           2.36.4
dotnet-core-offline-buildpack   2.2.12
garden-runc                     1.19.7
go-offline-buildpack            1.8.42
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.22
leadership-election             1.4
log-cache                       2.1.6
loggregator-agent               3.21
loggregator                     105.6
mapfs                           1.2.0
metric-registrar                1.1.1
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.0
nginx-offline-buildpack         1.0.15
nodejs-offline-buildpack        1.6.52
notifications-ui                36
notifications                   61
php-offline-buildpack           4.3.78
push-apps-manager-release       670.0.10
push-usage-service-release      670.0.10
pxc                             0.20.0
python-offline-buildpack        1.6.36
r-offline-buildpack             1.0.11
routing                         0.191.0
ruby-offline-buildpack          1.7.42
silk                            2.22.2
smb-volume                      2.0.1
staticfile-offline-buildpack    1.4.43
statsd-injector                 1.10.0
syslog                          11.4.0
uaa                             73.4.8

2.7.0

Component                       Version
ubuntu-xenial stemcell          456.25
backup-and-restore-sdk          1.16.0
binary-offline-buildpack        1.0.33
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.1
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.19.0
cf-networking                   2.23.1
cf-smoke-tests                  40.0.119
cflinuxfs3                      0.128.0
credhub                         2.5.2
diego                           2.36.0
dotnet-core-offline-buildpack   2.2.12
garden-runc                     1.19.5
go-offline-buildpack            1.8.42
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.21
leadership-election             1.4
log-cache                       2.1.6
loggregator-agent               3.21
loggregator                     105.6
mapfs                           1.2.0
metric-registrar                1.0.4
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.0
nginx-offline-buildpack         1.0.15
nodejs-offline-buildpack        1.6.52
notifications-ui                36
notifications                   61
php-offline-buildpack           4.3.78
push-apps-manager-release       670.0.8
push-usage-service-release      670.0.8
pxc                             0.19.0
python-offline-buildpack        1.6.36
r-offline-buildpack             1.0.11
routing                         0.191.0
ruby-offline-buildpack          1.7.42
silk                            2.22.2
smb-volume                      1.3.0
staticfile-offline-buildpack    1.4.43
statsd-injector                 1.10.0
syslog                          11.4.0
uaa                             73.4.4

How to Upgrade

The procedure for upgrading to Pivotal Application Service v2.7 is documented in Upgrading Pivotal Platform.

When upgrading to PAS v2.7, be aware of the following upgrade considerations:

  • If you previously used an earlier version of PAS, you must first upgrade to PAS v2.6 to successfully upgrade to PAS v2.7.

  • Some partner service tiles may be incompatible with Pivotal Platform v2.7. Pivotal is working with partners to ensure their tiles are updated to work with the latest versions of Pivotal Platform.

    For information about which partner service releases are currently compatible with Pivotal Platform v2.7, review the appropriate partner services release documentation at https://docs.pivotal.io, or contact the partner organization that produces the tile.

New Features in PAS v2.7

Sidecars for Java Apps (Beta)

PAS v2.7 supports pushing Java apps with sidecars. Pushing apps with sidecars is a beta feature that was released with PAS v2.6.0.

For more information about the PAS v2.6 feature, see Pushing Apps with Sidecar Processes (Beta) in the PAS v2.6 release notes. To understand how you can push Java apps with sidecars, see the Requirements for Java Apps section in the Pushing Apps with Sidecar Processes topic.

Rotate the Cloud Controller Database Encryption Key

PAS v2.7 supports rotating the Cloud Controller Database (CCDB) encryption key. This key is used to encrypt sensitive data at rest in the CCDB, such as app environment variables.

You can rotate the key using the new Encryption key ledger field and Rotate CC Database Key errand in the PAS tile. For more information, see Rotating the Cloud Controller Database Encryption Key.

Consul Server Instance Removed from PAS

The Consul server instance is removed from PAS. This saves VM resources and reduces maintenance for managing a clustered component.

In PAS v2.4, the instance count for Consul server VMs was scaled down to zero. This allowed the Consul server to continue to provide the Consul link for tiles that consume it. In PAS v2.7, the Consul server instance is removed from PAS.

Warning: This feature causes breaking changes. For information about breaking changes caused by the removal of the Consul server instance, see Consul Clients Not Supported in PAS in the Pivotal Platform v2.7 Breaking Changes topic.

Maximum Envelopes Per Source Raised for Log Cache

By default, Log Cache keeps 100,000 envelopes per source. An envelope wraps an event and adds metadata. For sources that produce more than 100,000 envelopes, this default may not provide a long enough duration for you to specify a time period for a historical query. PAS v2.7 allows you to raise the maximum number of envelopes stored per source above the default 100,000 if needed.

For more information about configuring this limit, see the Configure Advanced Features section of the Configuring PAS topic. For more information about envelopes, see Protocol Documentation in the dropsonde-protocol repository on GitHub.

Support for Upgrading Service Instances

PAS v2.7 includes CAPI v1.83.0, which supports upgrading service instances to the latest version of a service plan. This is an optional feature that service authors can implement.

App developers can check the upgrade available column in the output of the cf services command to see if a service broker supports upgrades. For more information, see the Upgrade a Service Instance section of the Managing Service Instances with the cf CLI topic.

If you are a service author and want to enable this feature, see Updating a Service Instance in the Open Service Broker API Specification on GitHub.

Updated Resource Navigation in Apps Manager UI

The Apps Manager UI has an updated look and feel as well as updated resource navigation.

You can navigate to resources, such as the app Overview and Settings panes, from a panel on the left side of the screen in Apps Manager. You can find resources that previously appeared in the panel, such as links to documentation and Support, in the Apps Manager footer.

For more information, see Using Apps Manager.

Manage App Re-Deployments and Revisions in Apps Manager

You can do the following in Apps Manager to manage app re-deployments and revisions:

  • View revisions for an app.
  • Deploy a revision of an app.
  • View the deployment status of an app revision.
  • View the environment variables associated with an app revision.

You can manage app re-deployments and revisions in the Revisions pane of the Apps Manager UI.

For more information, see the Manage App Revisions section of the Managing Apps and Service Instances Using Apps Manager topic.

UAA Property uaadb.tls Consolidates TLS Configuration Options

The UAA property uaadb.tls replaces uaadb.tls_enabled and uaadb.skip_ssl_validation. This simplifies and consolidates existing configuration options for TLS connections to an external database.

uaadb.tls enables TLS connections by default. The following are supported values for this property:

  • enabled: Enables TLS connections to an external database.
  • enabled_skip_hostname_validation: Enables TLS connections to an external database and ignores hostnames in database server certificates.
  • enabled_skip_all_validation: Enables TLS connections to an external database and skips SSL validation in database server certificates.
  • disabled: Disables TLS connections to the UAA database.

Warning: This is a breaking change. For more information, see UAA Properties uaadb.tls_enabled and uaadb.skip_ssl_validation Are Removed in the Pivotal Platform v2.7 Breaking Changes topic.
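
The following audit of the uaadb TLS properties is an added example, not code from Pivotal or from this page. It flags the two removed properties and any uaadb.tls value that weakens validation. The nested manifest layout, the severity labels, the function names and the reading of "enabled" as full certificate and hostname validation are assumptions made for illustration.

```python
"""Audit uaadb TLS properties against the uaadb.tls values listed for PAS v2.7."""

# What each documented value leaves in place, read from the value descriptions
# above: (tls_on, certificate_validated, hostname_checked). Treating "enabled"
# as fully validating is an assumption of this example.
UAADB_TLS_VALUES = {
    "enabled": (True, True, True),
    "enabled_skip_hostname_validation": (True, True, False),
    "enabled_skip_all_validation": (True, False, False),
    "disabled": (False, False, False),
}
REMOVED_KEYS = ("tls_enabled", "skip_ssl_validation")  # replaced by uaadb.tls
DEFAULT_VALUE = "enabled"  # the notes state uaadb.tls enables TLS by default


def collect_uaadb(node, path=""):
    """Yield (path, settings) for every uaadb block, nested or dotted-key."""
    if isinstance(node, dict):
        # Flat form: {"uaadb.tls": "..."} inside any mapping.
        dotted = {k.split(".", 1)[1]: v for k, v in node.items()
                  if isinstance(k, str) and k.startswith("uaadb.")}
        if dotted:
            yield (f"{path}.uaadb" if path else "uaadb", dotted)
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if key == "uaadb" and isinstance(value, dict):
                yield (child, value)  # nested form: {"uaadb": {"tls": "..."}}
            else:
                yield from collect_uaadb(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from collect_uaadb(item, f"{path}[{index}]")


def audit(config):
    """Return a list of (severity, property_path, message) findings."""
    findings = []
    for path, settings in collect_uaadb(config):
        for key in REMOVED_KEYS:
            if key in settings:
                findings.append(("error", f"{path}.{key}",
                                 "removed in PAS v2.7; set uaadb.tls instead"))
        value = settings.get("tls", DEFAULT_VALUE)
        if not isinstance(value, str) or value not in UAADB_TLS_VALUES:
            findings.append(("error", f"{path}.tls",
                             f"unsupported value {value!r}"))
            continue
        tls_on, cert_validated, host_checked = UAADB_TLS_VALUES[value]
        if not tls_on:
            findings.append(("high", f"{path}.tls",
                             "TLS to the UAA database is disabled"))
        elif not cert_validated:
            findings.append(("high", f"{path}.tls",
                             "database server certificate is not validated"))
        elif not host_checked:
            findings.append(("medium", f"{path}.tls",
                             "hostname in the server certificate is ignored"))
    return findings


# Constructed sample input; the instance group names and layout are hypothetical.
SAMPLE_MANIFEST = {
    "instance_groups": [
        {"name": "uaa-legacy",
         "properties": {"uaadb": {"tls_enabled": True,
                                  "skip_ssl_validation": True}}},
        {"name": "uaa-reporting",
         "properties": {"uaadb": {"tls": "enabled_skip_all_validation"}}},
        {"name": "uaa-flat",
         "properties": {"uaadb.tls": "enabled_skip_hostname_validation"}},
        {"name": "uaa-default",
         "properties": {"uaadb": {"address": "db.example.internal"}}},
    ]
}

if __name__ == "__main__":
    for severity, prop, message in audit(SAMPLE_MANIFEST):
        print(f"{severity:6} {prop}: {message}")
```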

CredHub Supports KMS

You can configure Key Management Service (KMS) encryption providers for CredHub. Configuring KMS encryption providers for CredHub allows you to more easily create and manage the encryption keys that you use in your environment.

For more information about how to configure KMS providers for CredHub in PAS, see the Configure CredHub section of the Configuring PAS topic.

Enable Inactive MySQL Port for Auditing and Reporting

PAS v2.7 introduces the option to enable MySQL proxies to listen on port 3336. If you enable this option, you can run auditing and reporting queries on a MySQL node that is not currently serving traffic. By running these queries on an inactive node, the active MySQL nodes continue to serve requests with no effect on performance.

To enable this option, select the Enable inactive MySQL port checkbox in the Internal MySQL pane of the PAS tile. For more information, see the Configure Internal MySQL section of the Configuring PAS topic.

SSH Into Linux and Windows Apps on NSX-T

You can SSH into Linux and Windows apps on vSphere deployments with NSX-T enabled.

For more information, see Accessing Apps with SSH.

Agent-Based Syslog Egress Is Enabled by Default

PAS v2.7 contains Syslog Agents, which forward logs to configured syslog drains and Loggregator. Syslog Agents are enabled by default, and the option to enable or disable syslog egress is removed from the PAS UI.

Additionally, the instance groups syslog_adapter and syslog_scheduler, and the property syslog_metrics_to_syslog_enabled are removed, as agent-based syslog egress removes the need for VMs dedicated to syslog drains.

For more information about how Syslog Agents function within Loggregator, see Loggregator Architecture and the loggregator-agent-release repository on GitHub.

Improved Route Consistency in Diego Route-Emitter

PAS v2.7 improves route consistency in the route-emitter component of Diego.

This Diego enhancement ensures better routing resiliency in the event of control plane downtime. For example, if NATS experiences downtime or the network becomes unstable, apps can remain routable since PAS no longer prunes routes on time-to-live (TTL).

This modification to the route-emitter removes the need for the Prune routes on TTL expiry for TLS back ends configuration option in PAS v2.7. For more information, see Intermittent Misrouting of Apps in Large PCF Foundations in the PAS v2.6 release notes.

Mutual TLS Communication Between Routing API and Other Components

Communication between the PAS Routing API and other PAS routing components is authenticated with mutual TLS (mTLS).

In mTLS communication, both components verify each other’s identity. This provides additional security for communication between the Routing API and other routing components.

Configure Multiple Internal Domains

You can configure multiple internal domains that apps use for internal DNS service discovery.

This allows you to create separate domains for different organizations in your foundation. For example, you can create a separate domain for apps on the development tier and apps on the production tier.

For more information about configuring internal domains for PAS, see Configure App Developer Controls in the Configuring PAS topic.

Configure File Storage Backup Level

You can configure PAS v2.7 to exclude droplets or to exclude both droplets and packages from your blobstore backup. This feature reduces the size of your backup artifact and can enable you to take more frequent backups without using a large amount of storage space.

Excluding droplets or both droplets and packages from your blobstore backup can cause shorter periods of app downtime. However, you must re-push or restage all apps, which results in a higher Recovery Time Objective (RTO).

For more information about the advantages and disadvantages of excluding droplets or excluding both droplets and packages, see File Storage Backup Level. To configure your blobstore backup level, see the Configure File Storage section of the Configuring PAS topic.

Rolling App Deployments Is GA

The rolling app deployments feature is GA. It was released as a beta feature in PAS v2.4. This feature allows you to push updates to apps without incurring downtime.

This feature is enabled by default. You can optionally disable it in the Advanced Features pane.

For more information, see Rolling App Deployments.

nfsbroker Backing Store Is in CredHub

The nfsbroker backing store is migrated from your external PAS database to CredHub, provided that CredHub exists in the deployment. This allows you to specify LDAP credentials when you create an NFS Volume Service instance.

NFS Volume Service only uses CredHub as its backing store. If CredHub is not deployed, you cannot use NFS Volume Service.

For more information, see the Configure LDAP Credentials with Service Instance Creation section of the Using an External File System (Volume Services) topic.

Enable or Disable Firehose in Loggregator

The Firehose is enabled by default and configurable. You can enable or disable the Firehose by selecting or deselecting the Enable V1 Firehose checkbox in the System Logging pane of PAS v2.7. Disabling the Firehose disables the Traffic Controller job in Loggregator, which causes logs to be sent to the Traffic Controller VM through Log Cache instead.

To enable or disable the firehose, see the Configure System Logging section of the Configuring PAS topic. For more information about Traffic Controller and how it handles logs, see Loggregator Architecture.

Annotation Keys and Key Prefixes Use Kubernetes Format

In PAS v2.7, annotation keys and key prefixes use the same metadata format as Kubernetes. This feature enables creating services with a consistent metadata format across PAS and Kubernetes. For more information about annotation keys and key prefixes, see Using Metadata.

Support for Pushing Container Images Hosted in AWS ECR

When you push container images hosted in AWS Elastic Container Registry (ECR) with the Cloud Foundry CLI (cf CLI), you can provide the Access Key ID and Secret for an AWS IAM User as a Docker username and password as part of the cf push command. Apps are then able to continuously restart and restage successfully.

This update allows the cf CLI to successfully pull container images hosted in ECR with valid AWS Identity and Access Management (IAM) user credentials.

Known Issues

You Cannot Install PAS v2.7.0 or v2.7.1 with External Blobstores

Warning: This is a breaking change for PAS v2.7.0 and v2.7.1. Do not attempt to upgrade to PAS v2.7.0 or v2.7.1 if you have one or more external blobstores. You can deploy PAS v2.7.2 with external blobstores.

You cannot install PAS v2.7.0 or v2.7.1 with external blobstores. If you try to install and deploy PAS v2.7.0 or v2.7.1 with one or more external blobstores, the deploy fails with a pipeline error.

This issue is caused by changes to the blobstore backup options in PAS v2.7.0. For more information about these changes, see Configure File Storage Backup Level.

This issue is resolved in PAS v2.7.2.

Some Environment Variables Are Missing When Using cflinuxfs3

When using the cflinuxfs3 stack in PAS v2.3 or later, if you provide environment variables containing periods or dashes, the environment variables do not appear in the process environment of the app.

To resolve this issue, ensure that all apps are using environment variables that do not contain periods or dashes.

For more information, see Missing environment variables when using PAS 2.3+ and the cflinuxfs3 stack in the Pivotal Knowledge Base.

Duplicate or Missing Logs

When upgrading to PAS v2.7, you may see duplicate logs or no logs for a short time on syslog endpoints while BOSH enables the Syslog Agent component.

If BOSH removes Syslog Adapters before enabling Syslog Agents, there are no logs until BOSH enables the Syslog Agents. If BOSH enables Syslog Agents before removing Syslog Adapters, there are duplicate logs until BOSH removes Syslog Adapters.

For more information about Syslog Agents, see Agent-Based Syslog Egress Is Enabled by Default.

Cannot Delete Last Remaining Syslog Drain

PAS v2.7 has a known issue in which you cannot delete the last remaining app syslog drain in a foundation. This issue only applies if there is a single drain in the entire foundation, and you delete that drain.

When you delete the last remaining drain, logs continue to be sent to its syslog endpoint. This happens even though the deletion appears to succeed. As a workaround, you can create another drain to cause the previously deleted drain to stop sending logs. You can use the following command: cf drain APP-NAME invalid://invalid.

Note: To view the number of syslog drains in a foundation, ensure that the Log Cache CLI plugin is installed, and run cf tail syslog_agent -n 100 | grep 'GAUGE drains'.

Cannot Choose Drain Type

Syslog drains provide the ability to send only logs or metrics to their syslog endpoint, rather than a combination of both. However, PAS v2.7 has a known issue in which both logs and metrics are sent, regardless of the settings for any given drain. This corresponds to the --type option of cf drain.

Autoscaler Scales Only Web Processes Based on HTTP Metrics From All Processes

If a multi-process app is set to scale on HTTP Metrics, the metrics of non-web processes can cause Autoscaler to scale the web process incorrectly.

Cannot Invite New Users or Add Space Roles in Apps Manager

In PAS v2.7.0, the service that handles inviting new users to PAS fails to do the following in many cases:

  • Add space roles for users
  • Invite new users with space roles

As a workaround, you can use the CLI to manage user roles. See User Admin in the cf CLI Reference Guide.

This issue is resolved in PAS v2.7.1.

Pivotal Spring Cloud Services v2.0.x Not Compatible with PAS v2.7

Pivotal Spring Cloud Services v2.0.x is not compatible with PAS v2.7 because Consul server is no longer available in PAS v2.7.