Pivotal Isolation Segment v2.7 Release Notes

This topic contains release notes for Pivotal Isolation Segment v2.7.


Releases

2.7.21

Release Date: 08/11/2020

  • [Feature] Support Maestro’s rotation capability by adding Services TLS CA to all App containers
  • [Bug Fix] Fix issue where requests to internal routes could fail due to incorrect case-sensitivity in DNS lookup in the service discovery controller.
  • [Bug Fix] Fix prom_scraper job to have scrape certs property. Restores Prometheus-style metrics emitting to Firehose.
  • Bump ubuntu-xenial stemcell to version 456.115
  • Bump cf-networking to version 2.31.0
  • Bump cflinuxfs3 to version 0.202.0
  • Bump garden-runc to version 1.19.14
  • Bump silk to version 2.31.0
Component               Version
ubuntu-xenial stemcell  456.115
bpm                     1.1.1
cf-networking           2.31.0
cflinuxfs3              0.202.0
diego                   2.47.0
garden-runc             1.19.14
haproxy                 9.6.1
loggregator-agent       3.21.11
mapfs                   1.2.4
nfs-volume              2.3.9
routing                 0.203.0
silk                    2.31.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.20

Release Date: 07/16/2020

  • [Security Fix] Fix for CVE-2020-15586: Bump golang to version 1.14.5 with a fix in the net/http/httputil package for an issue which could cause the Gorouter to crash if a malicious client sends specially crafted HTTP requests.
  • Bump cflinuxfs3 to version 0.198.0
  • Bump routing to version 0.203.0
Component               Version
ubuntu-xenial stemcell  456.114
bpm                     1.1.1
cf-networking           2.30.0
cflinuxfs3              0.198.0
diego                   2.47.0
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.11
mapfs                   1.2.4
nfs-volume              2.3.9
routing                 0.203.0
silk                    2.30.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.19

Release Date: 07/09/2020

  • Bump cflinuxfs3 to version 0.197.0
Component               Version
ubuntu-xenial stemcell  456.114
bpm                     1.1.1
cf-networking           2.30.0
cflinuxfs3              0.197.0
diego                   2.47.0
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.11
mapfs                   1.2.4
nfs-volume              2.3.9
routing                 0.201.0
silk                    2.30.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.18

Release Date: 06/25/2020

  • [Breaking Change] An improper application HTTP(S) proxy configuration breaks CredHub interpolation in the container. To detect and update applications with an improper HTTP(S) proxy configuration, see KB 9305.
  • [Bug Fix] Add a new cache configuration to the NFS service allowing service instances to enable file attribute caching and achieve directory listing performance similar to the nfs-legacy service
  • [Bug Fix] Remove invalid characters in hostnames in outgoing application syslog messages to comply with RFC 5424
  • Bump ubuntu-xenial stemcell to version 456.114
  • Bump cflinuxfs3 to version 0.195.0
  • Bump diego to version 2.47.0
  • Bump loggregator-agent to version 3.21.11
  • Bump nfs-volume to version 2.3.9
Component               Version
ubuntu-xenial stemcell  456.114
bpm                     1.1.1
cf-networking           2.30.0
cflinuxfs3              0.195.0
diego                   2.47.0
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.11
mapfs                   1.2.4
nfs-volume              2.3.9
routing                 0.201.0
silk                    2.30.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.17

Release Date: 06/11/2020

  • [Bug Fix] Gorouter - Drain timeout always uses configured value
  • [Bug Fix] Silk - Continue container networking during cell drain
  • Bump cf-networking to version 2.30.0
  • Bump cflinuxfs3 to version 0.191.0
  • Bump routing to version 0.201.0
  • Bump silk to version 2.30.0
Component               Version
ubuntu-xenial stemcell  456.112
bpm                     1.1.1
cf-networking           2.30.0
cflinuxfs3              0.191.0
diego                   2.36.5
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.10
mapfs                   1.2.4
nfs-volume              2.3.6
routing                 0.201.0
silk                    2.30.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.16

Release Date: 06/02/2020

  • [Feature] Allow egress traffic from apps to addresses on host via host_tcp_services
  • [Bug Fix] Add a new cache configuration to the NFS service allowing service instances to enable file attribute caching and achieve directory listing performance similar to the nfs-legacy service
  • Bump cflinuxfs3 to version 0.189.0
  • Bump nfs-volume to version 2.3.6
Component               Version
ubuntu-xenial stemcell  456.112
bpm                     1.1.1
cf-networking           2.28.0
cflinuxfs3              0.189.0
diego                   2.36.5
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.10
mapfs                   1.2.4
nfs-volume              2.3.6
routing                 0.199.0
silk                    2.28.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.15

Release Date: 05/18/2020

  • [Bug Fix] Fix scheduling bug in loggregator agent by upgrading to Go 1.14.2
  • Bump ubuntu-xenial stemcell to version 456.112
  • Bump cflinuxfs3 to version 0.178.0
  • Bump loggregator-agent to version 3.21.10
Component               Version
ubuntu-xenial stemcell  456.112
bpm                     1.1.1
cf-networking           2.28.0
cflinuxfs3              0.178.0
diego                   2.36.5
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.10
mapfs                   1.2.4
nfs-volume              2.3.5
routing                 0.199.0
silk                    2.28.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.14 - Withdrawn

Warning: This release has been removed from VMware Tanzu Network due to the severity of the known issue “Forwarder Agent CPU Causes Apps to Fail to Stage in v2.7.13 and v2.7.14”.

Release Date: 05/05/2020

  • [Security Fix] Update debian packages and source libraries in nfs and mapfs releases
  • Bump ubuntu-xenial stemcell to version 456.110
  • Bump cflinuxfs3 to version 0.177.0
  • Bump mapfs to version 1.2.4
  • Bump nfs-volume to version 2.3.5
  • Bump smb-volume to version 3.0.1
Component               Version
ubuntu-xenial stemcell  456.110
bpm                     1.1.1
cf-networking           2.28.0
cflinuxfs3              0.177.0
diego                   2.36.5
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.9
mapfs                   1.2.4
nfs-volume              2.3.5
routing                 0.199.0
silk                    2.28.0
smb-volume              3.0.1
syslog                  11.6.1

2.7.13 - Withdrawn

Warning: This release has been removed from VMware Tanzu Network due to the severity of the known issue “Forwarder Agent CPU Causes Apps to Fail to Stage in v2.7.13 and v2.7.14”.

Release Date: 04/22/2020

  • [Feature] HAProxy can now be configured with custom certificate authorities
  • [Bug Fix] Loggregator Agent handles deployment with no Dopplers
  • Bump ubuntu-xenial stemcell to version 456.104
  • Bump cflinuxfs3 to version 0.175.0
  • Bump loggregator-agent to version 3.21.9
Component               Version
ubuntu-xenial stemcell  456.104
bpm                     1.1.1
cf-networking           2.28.0
cflinuxfs3              0.175.0
diego                   2.36.5
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.9
mapfs                   1.2.0
nfs-volume              2.3.2
routing                 0.199.0
silk                    2.28.0
smb-volume              2.1.1
syslog                  11.6.1

2.7.12

Release Date: 04/07/2020

  • [Bug Fix] garden-runc - bump to latest release in supported versions
  • [Bug Fix] Gorouter correctly handles control characters in URLs
  • [Bug Fix] App developers now receive a 401 when using an expired access token with policy server
  • Bump ubuntu-xenial stemcell to version 456.103
  • Bump cf-networking to version 2.28.0
  • Bump cflinuxfs3 to version 0.174.0
  • Bump garden-runc to version 1.19.10
  • Bump routing to version 0.199.0
  • Bump silk to version 2.28.0
Component               Version
ubuntu-xenial stemcell  456.103
bpm                     1.1.1
cf-networking           2.28.0
cflinuxfs3              0.174.0
diego                   2.36.5
garden-runc             1.19.10
haproxy                 9.6.1
loggregator-agent       3.21.6
mapfs                   1.2.0
nfs-volume              2.3.2
routing                 0.199.0
silk                    2.28.0
smb-volume              2.1.1
syslog                  11.6.1

2.7.11

Release Date: 03/13/2020

  • Bump ubuntu-xenial stemcell to version 456.100
  • Bump cflinuxfs3 to version 0.169.0
Component               Version
ubuntu-xenial stemcell  456.100
bpm                     1.1.1
cf-networking           2.23.5
cflinuxfs3              0.169.0
diego                   2.36.5
garden-runc             1.19.9
haproxy                 9.6.1
loggregator-agent       3.21.6
mapfs                   1.2.0
nfs-volume              2.3.2
routing                 0.198.0
silk                    2.23.5
smb-volume              2.1.1
syslog                  11.6.1

2.7.10

Release Date: 02/27/2020

  • [Feature Improvement] Bring bug fixes and improvements in latest routing releases to all supported PAS versions
  • [Bug Fix] Fix Race Condition in Loggregator Agent
  • Bump ubuntu-xenial stemcell to version 456.98
  • Bump cflinuxfs3 to version 0.164.0
  • Bump loggregator-agent to version 3.21.6
  • Bump routing to version 0.198.0
Component               Version
ubuntu-xenial stemcell  456.98
bpm                     1.1.1
cf-networking           2.23.5
cflinuxfs3              0.164.0
diego                   2.36.5
garden-runc             1.19.9
haproxy                 9.6.1
loggregator-agent       3.21.6
mapfs                   1.2.0
nfs-volume              2.3.2
routing                 0.198.0
silk                    2.23.5
smb-volume              2.1.1
syslog                  11.6.1

2.7.9

Release Date: 02/07/2020

  • [Feature Improvement] Use the Diego logging format for the Garden job
  • Bump ubuntu-xenial stemcell to version 456.93
  • Bump cflinuxfs3 to version 0.161.0
Component               Version
ubuntu-xenial stemcell  456.93
bpm                     1.1.1
cf-networking           2.23.5
cflinuxfs3              0.161.0
diego                   2.36.5
garden-runc             1.19.9
haproxy                 9.6.1
loggregator-agent       3.21.5
mapfs                   1.2.0
nfs-volume              2.3.2
routing                 0.191.7
silk                    2.23.5
smb-volume              2.1.1
syslog                  11.6.1

2.7.8

Release Date: 01/16/2020

  • [Bug Fix] mapfs - Fix error when appending to a file
  • Bump ubuntu-xenial stemcell to version 456.84
  • Bump cflinuxfs3 to version 0.153.0
Component               Version
ubuntu-xenial stemcell  456.84
bpm                     1.1.1
cf-networking           2.23.5
cflinuxfs3              0.153.0
diego                   2.36.5
garden-runc             1.19.9
haproxy                 9.6.1
loggregator-agent       3.21.5
mapfs                   1.2.0
nfs-volume              2.3.2
routing                 0.191.7
silk                    2.23.5
smb-volume              2.1.1
syslog                  11.6.1

2.7.7

Release Date: 12/26/2019

  • [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for syslog release
  • [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for garden-runc release
  • [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for loggregator releases
  • [Bug Fix] Passwords containing commas no longer cause the SMB volume service to crash at startup with a “mount failed” error
  • Bump ubuntu-xenial stemcell to version 456.77
  • Bump cflinuxfs3 to version 0.151.0
  • Bump garden-runc to version 1.19.9
  • Bump loggregator-agent to version 3.21.5
  • Bump smb-volume to version 2.1.1
  • Bump syslog to version 11.6.1
Component               Version
ubuntu-xenial stemcell  456.77
bpm                     1.1.1
cf-networking           2.23.5
cflinuxfs3              0.151.0
diego                   2.36.5
garden-runc             1.19.9
haproxy                 9.6.1
loggregator-agent       3.21.5
mapfs                   1.2.1
nfs-volume              2.3.2
routing                 0.191.7
silk                    2.23.5
smb-volume              2.1.1
syslog                  11.6.1

2.7.6

Release Date: 12/09/2019

  • [Feature Improvement] Upgrade Routing, Networking, and Silk releases to use the Go 1.13 release
  • Bump cf-networking to version 2.23.5
  • Bump cflinuxfs3 to version 0.150.0
  • Bump routing to version 0.191.7
  • Bump silk to version 2.23.5
Component               Version
ubuntu-xenial stemcell  456.74
bpm                     1.1.1
cf-networking           2.23.5
cflinuxfs3              0.150.0
diego                   2.36.5
garden-runc             1.19.8
haproxy                 9.6.1
loggregator-agent       3.21.4
mapfs                   1.2.1
nfs-volume              2.3.2
routing                 0.191.7
silk                    2.23.5
smb-volume              2.1.0
syslog                  11.4.0

2.7.5

Release Date: 12/02/2019

  • [Feature] Allow operator to set a new bind configuration “version” on volume mounts. Operators with older versions of smb software can now use volume services.
  • Bump ubuntu-xenial stemcell to version 456.74
  • Bump cflinuxfs3 to version 0.149.0
  • Bump smb-volume to version 2.1.0
Component               Version
ubuntu-xenial stemcell  456.74
bpm                     1.1.1
cf-networking           2.23.4
cflinuxfs3              0.149.0
diego                   2.36.5
garden-runc             1.19.8
haproxy                 9.6.1
loggregator-agent       3.21.4
mapfs                   1.2.1
nfs-volume              2.3.2
routing                 0.191.2
silk                    2.22.2
smb-volume              2.1.0
syslog                  11.4.0

2.7.4

Release Date: 11/20/2019

  • [Security Fix] Address CVE-2019-17596
  • [Security Fix] Improve Gorouter resiliency to panics
  • Bump ubuntu-xenial stemcell to version 456.58
  • Bump cflinuxfs3 to version 0.143.0
  • Bump mapfs to version 1.2.1
  • Bump nfs-volume to version 2.3.2
  • Bump routing to version 0.191.2
  • Bump smb-volume to version 2.0.4
Component               Version
ubuntu-xenial stemcell  456.58
bpm                     1.1.1
cf-networking           2.23.4
cflinuxfs3              0.143.0
diego                   2.36.5
garden-runc             1.19.8
haproxy                 9.6.1
loggregator-agent       3.21.4
mapfs                   1.2.1
nfs-volume              2.3.2
routing                 0.191.2
silk                    2.22.2
smb-volume              2.0.4
syslog                  11.4.0

2.7.3

Release Date: 10/31/2019

  • [Security Fix] Upgrade Go, runc and containerd to latest to include security fixes
  • [Security Fix] CVE-2019-17596 bump Go
  • Bump ubuntu-xenial stemcell to version 456.40
  • Bump cflinuxfs3 to version 0.137.0
  • Bump garden-runc to version 1.19.8
  • Bump loggregator-agent to version 3.21.4
Component               Version
ubuntu-xenial stemcell  456.40
bpm                     1.1.1
cf-networking           2.23.4
cflinuxfs3              0.137.0
diego                   2.36.5
garden-runc             1.19.8
haproxy                 9.6.1
loggregator-agent       3.21.4
mapfs                   1.2.0
nfs-volume              2.3.0
routing                 0.191.0
silk                    2.22.2
smb-volume              2.0.3
syslog                  11.4.0

2.7.2

Release Date: 10/16/2019

  • [Security Fix] Bump Go to address CVE-2019-16276
  • [Security Fix] Improve redaction of sensitive data in SMB driver bosh logs
  • [Bug Fix] Fix defect disallowing “domain” option in SMB volume service
  • [Bug Fix] Increase task result file size to ensure apps with very long start commands stage successfully
  • Bump ubuntu-xenial stemcell to version 456.30
  • Bump cf-networking to version 2.23.4
  • Bump cflinuxfs3 to version 0.133.0
  • Bump diego to version 2.36.5
  • Bump loggregator-agent to version 3.21.3
  • Bump smb-volume to version 2.0.3
Component               Version
ubuntu-xenial stemcell  456.30
bpm                     1.1.1
cf-networking           2.23.4
cflinuxfs3              0.133.0
diego                   2.36.5
garden-runc             1.19.7
haproxy                 9.6.1
loggregator-agent       3.21.3
mapfs                   1.2.0
nfs-volume              2.3.0
routing                 0.191.0
silk                    2.22.2
smb-volume              2.0.3
syslog                  11.4.0

2.7.1

Release Date: 10/08/2019

  • [Security Fix] Upgrade Diego Components to Use grpc v1.23.0 and Go 1.12.9 to Fix HTTP2 CVEs
  • [Security Fix] UAA Patch release to address privilege escalation vulnerabilities
  • [Security Fix] Bump garden-runc release to take Go HTTP/2 and containerd gRPC fixes
  • [Security Fix] Upgrade gRPC-java to patch HTTP/2 vulnerability
  • [Feature Improvement] Make TCP Router Request Timeout Configurable
  • [Feature Improvement] Metric Registrar - Allow app developers to register custom routes for metrics endpoints
  • [Feature Improvement] Docker image applications hosted in AWS ECR continue to run when restarted after the typical AWS ECR credential expiration period
  • [Bug Fix] Fixes a regression bug causing mounts for applications bound to smb volume services with an older version of the smbbroker to fail on restart or upgrade
  • [Bug Fix] PXC Release - Stale pid files are cleaned up so that processes start reliably
  • [Bug Fix] Fix Usage Service SQL errors when MySQL has ONLY_FULL_GROUP_BY enabled
  • [Bug Fix] Allow users to set custom memory and disk limits when running tasks against applications in Apps Manager
  • [Bug Fix] Improve performance of organization/space user role endpoint
  • [Bug Fix] Improve scalability of container-to-container service discovery by increasing file descriptor limit on bosh-dns-adapter
  • [Bug Fix] Tag system containers with network.healthcheck so that 3rd party networking plugins can ignore them.
  • Bump ubuntu-xenial stemcell to version 456.27
  • Bump capi to version 1.84.2
  • Bump cf-networking to version 2.23.2
  • Bump cflinuxfs3 to version 0.130.0
  • Bump credhub to version 2.5.6
  • Bump diego to version 2.36.4
  • Bump garden-runc to version 1.19.7
  • Bump java-offline-buildpack to version 4.22
  • Bump metric-registrar to version 1.1.1
  • Bump push-apps-manager-release to version 670.0.10
  • Bump push-usage-service-release to version 670.0.10
  • Bump pxc to version 0.20.0
  • Bump smb-volume to version 2.0.1
  • Bump uaa to version 73.4.8
Component                       Version
ubuntu-xenial stemcell          456.27
backup-and-restore-sdk          1.16.0
binary-offline-buildpack        1.0.33
bosh-dns-aliases                0.0.3
bosh-system-metrics-forwarder   0.0.18
bpm                             1.1.1
capi                            1.84.2
cf-autoscaling                  222
cf-backup-and-restore           0.0.11
cf-cli                          1.19.0
cf-networking                   2.23.2
cf-smoke-tests                  40.0.119
cflinuxfs3                      0.130.0
credhub                         2.5.6
diego                           2.36.4
dotnet-core-offline-buildpack   2.2.12
garden-runc                     1.19.7
go-offline-buildpack            1.8.42
haproxy                         9.6.1
istio                           1.3.0
java-offline-buildpack          4.22
leadership-election             1.4
log-cache                       2.1.6
loggregator-agent               3.21
loggregator                     105.6
mapfs                           1.2.0
metric-registrar                1.1.1
mysql-monitoring                9.4.0
nats                            27
nfs-volume                      2.3.0
nginx-offline-buildpack         1.0.15
nodejs-offline-buildpack        1.6.52
notifications-ui                36
notifications                   61
php-offline-buildpack           4.3.78
push-apps-manager-release       670.0.10
push-usage-service-release      670.0.10
pxc                             0.20.0
python-offline-buildpack        1.6.36
r-offline-buildpack             1.0.11
routing                         0.191.0
ruby-offline-buildpack          1.7.42
silk                            2.22.2
smb-volume                      2.0.1
staticfile-offline-buildpack    1.4.43
statsd-injector                 1.10.0
syslog                          11.4.0
uaa                             73.4.8

2.7.0

Breaking Change: The Diego file server is now serving on port 8447. This port must be open for communications between Pivotal Isolation Segment and PAS.

See New Features.

Component               Version
ubuntu-xenial stemcell  456.25
bpm                     1.1.1
cf-networking           2.23.1
cflinuxfs3              0.128.0
diego                   2.36.0
garden-runc             1.19.5
haproxy                 9.6.1
loggregator-agent       3.21
mapfs                   1.2.0
nfs-volume              2.3.0
routing                 0.191.0
silk                    2.22.2
smb-volume              1.3.0
syslog                  11.4.0

About Pivotal Isolation Segment

The Pivotal Isolation Segment v2.7 tile is available for installation with Pivotal Platform v2.7.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different Pivotal Platform deployments but avoids redundant management and network complexity. For more information about isolation segments, see Isolation Segments in PAS Security.

For more information about using isolation segments in your deployment, see Managing Isolation Segments.

How to Install

To install Pivotal Isolation Segment v2.7, see Installing Pivotal Isolation Segment.

To install Pivotal Isolation Segment v2.7, you must first install Pivotal Platform v2.7.

New Features in Pivotal Isolation Segment v2.7

Pivotal Isolation Segment v2.7 includes the following major features:

SSH Into Linux and Windows Apps on NSX-T

You can SSH into Linux and Windows apps on vSphere deployments with NSX-T enabled.

For more information, see Accessing Apps with SSH.

Agent-Based Syslog Egress Is Enabled by Default

Pivotal Isolation Segment v2.7 contains Syslog Agent, an agent that forwards logs to configured syslog drains and Loggregator. Syslog Agent is enabled by default, and the option to enable or disable syslog egress is removed from the Pivotal Application Service (PAS) UI.

Additionally, the instance groups syslog_adapter and syslog_scheduler, and the property syslog_metrics_to_syslog_enabled are removed, as agent-based syslog egress removes the need for VMs dedicated to syslog drains.

For more information about how Syslog Agent functions within Loggregator, see Loggregator Architecture and the Loggregator Agent Release repository on GitHub.

Improved Route Consistency in Diego Route-Emitter

PAS v2.7 improves route consistency in the route-emitter component of Diego.

This Diego enhancement ensures better routing resiliency in the event of control plane downtime. For example, if NATS experiences downtime or the network becomes unstable, apps can remain routable since PAS no longer prunes routes on time-to-live (TTL).

This modification to route-emitter removes the need for the “Prune routes on TTL expiry for TLS back ends” configuration option in Pivotal Isolation Segment v2.7. For more information, see “Intermittent Misrouting of Apps in Large PCF Foundations” in Pivotal Application Service v2.6 Release Notes.

Support for Pushing Container Images Hosted in AWS ECR

When you push container images hosted in AWS Elastic Container Registry (ECR) with the Cloud Foundry CLI (cf CLI), you can provide the access key ID and secret for an AWS IAM user as a Docker username and password as part of the cf push command. Apps can then continue to restart and restage successfully.

This update allows the cf CLI to successfully pull container images hosted in ECR with valid AWS Identity and Access Management (IAM) user credentials.

For more information, see Amazon Elastic Container Registry (ECR) in Deploying an App with Docker.

About Advanced Features

The Advanced Features section of the Pivotal Isolation Segment v2.7 tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.

Known Issues

Pivotal Isolation Segment v2.7 includes the following known issue:

Forwarder Agent CPU Causes Apps to Fail to Stage in v2.7.13 and v2.7.14

After upgrading to Pivotal Isolation Segment v2.7.13 and v2.7.14, apps can fail to stage with one of the following errors:

  • stderr: Error staging application: StagingTimeExpired

  • "description": "Stager error: bbs stager client staging failed: the requested resource already exists", "error_code": "CF-StagerError"

These errors occur because the Loggregator Forwarder Agent has high CPU usage. The Forwarder Agent high CPU usage is caused by the upgrade to Golang v1.14.1.

To resolve this issue, do one of the following:

  • Schedule a cron job to restart the loggr-forwarder-agent process for diego_database and diego_brain. Run:

    bosh -d CF-DEPLOYMENT ssh diego_database -c "PATH=$PATH:/var/vcap/bosh/bin sudo monit restart loggr-forwarder-agent"
    

    Where CF-DEPLOYMENT is your deployment name.

  • Increase the vm_type for diego_database and diego_brain to assign more CPU instances.

For more information about the related issue in PAS, see the Applications failing to stage after upgrading to PAS 2.7.13 or 2.7.14 Knowledge Base article.