Pivotal Operations Manager v2.8 Release Notes

Page last updated:

This topic contains release notes for Pivotal Operations Manager v2.8.

Pivotal Platform is certified by the Cloud Foundry Foundation for 2020.

Read more about the certified provider program and the requirements of providers.


Releases

2.8.5

  • [Feature] Operators can configure multiple certificates in the Server SSL Cert field during LDAP Server configuration.
  • [Feature] Adds Set VM-HOST Affinity rule as SHOULD checkbox to the Availability Zones pane.
  • [Bug Fix] Deployed certificates endpoint show configurable: true for CredHub certs marked as generated: null.
  • [Bug Fix] BOSH DNS certificates are regenerated during a certificate rotation when BOSH and product are redeployed.
  • [Bug Fix] The /api/v0/staged/products/:guid/properties Ops Manager API endpoint rejects malformed secret properties.
  • [Bug Fix] Non-configurable jobs that default to zero instances do not appear in the Resource Config pane.
  • [Bug Fix] Ops Manager marks RSA certificates with extra characters as invalid before deployment.

Ops Manager v2.8.5 uses the following component versions:

Component Version
Ops Manager2.8.5-build.234*
Stemcell621.59*
BBR SDK1.17.2
BOSH Director270.11.1
BOSH DNS1.17.0
Metrics Server0.0.24
System Metrics2.0.11
CredHub2.5.11
Syslog11.6.1
Windows Syslog1.0.3
UAA74.5.11*
BPM1.1.7*
Networking9
OS Conf21.0.0
AWS CPI79
Azure CPI37.2.0
Google CPI30.0.0
OpenStack CPI43
vSphere CPI53.0.7
BOSH CLI6.2.1*
Credhub CLI2.7.0*
BBR CLI1.7.2*
Telemetry1.0.3*
* Components marked with an asterisk have been updated.

2.8.4 - Withdrawn

Warning: This release has been removed from VMware Tanzu Network because it shipped with an unintentional breaking change in BOSH DNS which causes Pivotal Application Service for Windows deployments to fail.

  • [Feature] Adds VM-HOST Affinity Rule dropdown to the Availability Zones pane. This dropdown is available if you have availability zones (AZs) on vSphere. In the dropdown, you can select either MUST or SHOULD to add a Distributed Resource Scheduler (DRS) rule for the AZ.

Ops Manager v2.8.4 uses the following component versions:

Component Version
Ops Manager2.8.4-build.224*
Stemcell621.57*
BBR SDK1.17.2
BOSH Director270.11.1
BOSH DNS1.18.0*
Metrics Server0.0.24
System Metrics2.0.11
CredHub2.5.11
Syslog11.6.1
Windows Syslog1.0.3
UAA74.5.9*
BPM1.1.7*
Networking9
OS Conf21.0.0
AWS CPI79
Azure CPI37.2.0
Google CPI30.0.0
OpenStack CPI43
vSphere CPI53.0.7
BOSH CLI6.2.1*
Credhub CLI2.6.2
BBR CLI1.7.0
Telemetry1.0.1
* Components marked with an asterisk have been updated.

2.8.3

  • [Bug Fix] Multi-datacenter vSphere configurations deploys to the datacenter that matches to the availability zone and network the operator has selected.

Ops Manager v2.8.3 uses the following component versions:

Component Version
Ops Manager2.8.3-build.217*
Stemcell621.51*
BBR SDK1.17.2
BOSH Director270.11.1*
BOSH DNS1.17.0
Metrics Server0.0.24
System Metrics2.0.11*
CredHub2.5.11*
Syslog11.6.1
Windows Syslog1.0.3
UAA74.5.5
BPM1.1.6
Networking9
OS Conf21.0.0
AWS CPI79
Azure CPI37.2.0*
Google CPI30.0.0
OpenStack CPI43
vSphere CPI53.0.7*
BOSH CLI6.2.0
Credhub CLI2.6.2
BBR CLI1.7.0*
Telemetry1.0.1*
* Components marked with an asterisk have been updated.

2.8.2

  • [Bug Fix] Fixes issue where tiles that contain build numbers in product_version incorrectly fail to meet the requirements for minimum_version_for_upgrade version.
  • [Bug Fix] Fixes performance issues with the Ops Manager change log page.
  • [Bug Fix] Fixes issue where setting the HTTP(S) Proxy in Ops Manager to an empty value causes apply changes to fail.

Ops Manager v2.8.2 uses the following component versions:

Component Version
Ops Manager2.8.2-build.203*
Stemcell621.41
BBR SDK1.17.2
BOSH Director270.10.0
BOSH DNS1.17.0
Metrics Server0.0.24
System Metrics2.0.9*
CredHub2.5.9
Syslog11.6.1
Windows Syslog1.0.3
UAA74.5.5
BPM1.1.6
Networking9
OS Conf21.0.0
AWS CPI79
Azure CPI37.0.0
Google CPI30.0.0
OpenStack CPI43
vSphere CPI53.0.5*
BOSH CLI6.2.0*
Credhub CLI2.6.2
BBR CLI1.5.2
Telemetry1.0.0
* Components marked with an asterisk have been updated.

2.8.1

  • [Feature] Operators can use an encrypted private key for Provider Client Certificate Private Key when configuring HSM in BOSH.
  • [Feature] Operators can use an encrypted private key in Tile settings.
  • [Bug Fix] System metrics certificate is redacted in BOSH output.
  • [Bug Fix] Fixes upgrade issue for deployments where operators have used the add_job_to_instance_group Ops Manager API endpoint.
  • [Bug Fix] Apply Changes no longer fails when tiles use the allow_encrypted_key feature.

Ops Manager v2.8.1 uses the following component versions:

Component Version
Ops Manager2.8.1-build.198*
Stemcell621.41*
BBR SDK1.17.2
BOSH Director270.10.0
BOSH DNS1.17.0*
Metrics Server0.0.24
System Metrics2.0.8*
CredHub2.5.9
Syslog11.6.1
Windows Syslog1.0.3
UAA74.5.5
BPM1.1.6
Networking9
OS Conf21.0.0
AWS CPI79
Azure CPI37.0.0
Google CPI30.0.0*
OpenStack CPI43
vSphere CPI53.0.4*
BOSH CLI6.1.1
Credhub CLI2.6.2
BBR CLI1.5.2
Telemetry1.0.0
* Components marked with an asterisk have been updated.

2.8.0

Component Version
Ops Manager2.8.0-build.187*
Stemcell621.29*
BBR SDK1.17.2
BOSH Director270.10.0
BOSH DNS1.16.0
Metrics Server0.0.24
System Metrics2.0.5*
CredHub2.5.9
Syslog11.6.1
Windows Syslog1.0.3
UAA74.5.5
BPM1.1.6
Networking9
OS Conf21.0.0
AWS CPI79
Azure CPI37.0.0
Google CPI29.0.1
OpenStack CPI43
vSphere CPI53.0.3
BOSH CLI6.1.1
Credhub CLI2.6.2
BBR CLI1.5.2
Telemetry1.0.0
* Components marked with an asterisk have been updated.

How to Upgrade

To upgrade to Ops Manager v2.8, see Upgrading Pivotal Platform.

New Features in Ops Manager v2.8

Ops Manager v2.8 includes the following major features:

CredHub Maestro Rotates BOSH DNS Certificate Authorities

CredHub Maestro rotates BOSH DNS CAs and runs safety checks.

CredHub Maestro is a CLI for discovering and rotating CredHub-managed certificates. For more information about using CredHub Maestro, see Rotating Certificates, Getting Started with CredHub Maestro, and Advanced Certificate Rotation with CredHub Maestro.

Certificate Authentication to vSphere NSX Manager

For Pivotal Platform deployments on vSphere that use NSX networking, the BOSH Director can authenticate to the NSX Manager with a certificate and private key, as well as with a username and password.

This change means that the BOSH Director, NSX-T Container Plugin (NCP), and Enterprise PKS can all authenticate to the NSX Manager with a certificate and private key. BOSH Director uses NSX to network and secure platform components, NCP uses NSX-T to network and secure app containers, and Enterprise PKS uses NSX to create load balancers.

For how to configure BOSH Director authentication to NSX, see Step 2: Configure vCenter in Configuring BOSH Director on vSphere.

All Platform VMs Emit System Metrics

The runtime_config code in Ops Manager v2.8 installs a system metrics agent on all Pivotal Platform VMs. This lets Pivotal Healthwatch, Pivotal App Metrics and other platform tools consume VM metrics from Pivotal Application Service (PAS), Enterprise Pivotal Container Service (PKS), hosted services, and any other products deployed by Ops Manager.

System metrics report usage and status of VM memory, disk, CPU, network, load, and swap space. For a complete list of metrics, see VM Metrics in System Metrics Agent in the System Metrics repository on GitHub.

Before Ops Manager v2.8, the metrics agent was installed only on PAS VMs, and VMs deployed by other products did not emit the system metrics described above.

TLS Always Enabled for Internal Blobstore

TLS is now always enabled for the internal blobstore. You can no longer toggle TLS for the internal blobstore with the UI or API.

Pivotal recommends that you enable TLS for the internal blobstore before you upgrade. You can do this by selecting Enable TLS in the Director Config pane. There may be errors if the blobstore CA is expired.

Ops Manager UI and API Show More Information about Dependencies

Ops Manager v2.8 changes the way dependencies appear when you selectively deploy products. When you click Review Pending Changes in the Ops Manager UI, each product lists its dependencies in the Depends on section. When you make a request to the pending_changes Ops Manager API endpoint, the response lists each product’s dependencies in the depends_on section.

See the following table for information about how dependencies appear in the Ops Manager UI and API:

UI Appearance API Status Key Explanation Can Apply Changes?
Dependency listed in green text satisfied The correct version of the dependency is installed. Yes
Dependency listed in green text, followed by (optional) satisfied The correct version of the dependency is installed, although it is optional. Yes
Dependency listed in red text unsatisfied An incompatible version of the dependency is installed. You must update the dependency to apply changes. No
Dependency listed in red text, followed by (optional) unsatisfied An incompatible version of the dependency is installed, but the dependency is optional. Yes
Dependency listed in gray text, followed by (optional) not_present No version of the dependency is installed, but it is optional. Yes

HTTP Install-Time Verifier

Tile authors can define an HttpSuccessVerifier install-time verifier that calls an HTTP endpoint on the broker.

Ops Manager executes this verifier after you click Apply Changes. If the HTTP response is not successful, the deployment fails and the verifier displays a warning message.

Tile authors can use this verifier to check if all service instances on an existing broker are on the current version. This prevents service instances from becoming orphaned after an upgrade. Tile authors can also specify that the verifier should only run on major or minor upgrades.

Revert Staged Changes With the API

You can use the DELETE /api/v0/staged Ops Manager API endpoint to revert all staged changes in Ops Manager. For more information, see Revert staged changes in the Ops Manager API documentation.

Configure Multiple HSMs With the API

You can use the PUT /api/v0/staged/director/properties endpoint of the Ops Manager API to configure multiple hardware security modules (HSMs) for BOSH CredHub. For more information, see Updating director and Iaas properties (Experimental) in the Ops Manager API documentation.

Pivotal Telemetry for Ops Manager Is Imported by Default

Ops Manager automatically imports the Pivotal Telemetry for Ops Manager tile. When you install Ops Manager, the Pivotal Telemetry tile appears under IMPORT A PRODUCT.

This tile collects product usage data, which helps Pivotal improve our products and services. Using Pivotal Telemetry for Ops Manager is optional, and the tile does not share product usage data until you add and configure it.

For more information, see the Pivotal Telemetry for Ops Manager documentation.

Known Issues

Ops Manager v2.8 includes the following known issues:

Reset Manually Set Certificates in CredHub Before Rotating Certificates with CredHub Maestro CLI

If you have manually set any certificates in CredHub on Ops Manager v2.6 or earlier, you need to reset those certificates before using the CredHub Maestro CLI to rotate CredHub certificates. The CredHub Maestro CLI is available on the Ops Manager VM.

Resetting these certificates is not a required condition for the Ops Manager v2.8 upgrade. You can reset them either before or after the upgrade.

To reset a certificate in CredHub, see Reviewing and Resetting Manually Set Certificates in CredHub. For more information about CredHub Maestro, see CredHub Maestro Rotates BOSH DNS Certificate Authorities.

BOSH VMs Report Unresponsive Agent After Activating New Root CA

After activating a new root CA in Ops Manager, some BOSH VMs report an unresponsive agent. This error occurs if you do not recreate all service instances for a service tile when rotating the root CA.

You can recreate all service instances by enabling the Recreate all service instance errand in the service tile before applying changes.

For service tiles that do not have this errand, first apply changes in Ops Manager and then run the following BOSH command manually for each service instance deployment:

bosh -d SERVICE-INSTANCE-DEPLOYMENT recreate

Where SERVICE-INSTANCE-DEPLOYMENT is the BOSH deployment name of the service instance.

For more information, see Rotate CAs and Leaf Certificates.

The services tiles that do not have the Recreate all service instance errand include:

  • VMware Tanzu GemFire
  • MySQL for Pivotal Platform v2.7.5 and earlier
  • MySQL for PCF v2.6.6 and earlier
  • MySQL for PCF v2.5.10 and earlier
  • RabbitMQ for PCF v1.15.4 and earlier
  • Redis for PCF v2.0.22 and earlier