Pivotal Cloud Foundry DocumentationPCF Security Processes Pivotal Cloud Foundry Security Overview...

PivotalCloudFoundry

Documentation

Version1.12

Published:19December2018

©2018PivotalSoftware,Inc.

21015161962758298100135141142144145147148149173188222223229231245281285288291292296300308323358361364365369372373391394405409446448450

TableofContents

TableofContentsPCFv1.12FeatureHighlightsPivotalCloudFoundryReleaseNotesPCFv1.12BreakingChangesPivotalElasticRuntimev1.12ReleaseNotesPCFOpsManagerv1.12ReleaseNotesPCFRuntimeforWindowsv1.12ReleaseNotesPCFIsolationSegmentv1.12ReleaseNotesStemcellReleaseNotesStemcell(Linux)ReleaseNotesStemcellv1200.x(Windows2012R2)ReleaseNotesInstallingPivotalCloudFoundryPreparingYourFirewallforDeployingPCFPCFIaaSUserRoleGuidelinesInstallingPivotalCloudFoundryonAWSGuidelinesforCreatingUserRolesonAWSInstallingPCFonAWSManuallyConfiguringAWSforPCFConfiguringOpsManagerDirectoronAWSDeployingElasticRuntimeonAWSInstallingPCFonAWSusingCloudFormationDeployingtheCloudFormationTemplateforPCFonAWSConfiguringDNSforPCFonAWSConfiguringOpsManagerDirectoronAWSUsingCloudFormationDeployingElasticRuntimeonAWSUsingCloudFormationDeletinganAWSInstallationfromtheConsoleCreatingaProxyELBforDiegoSSHInstallingPCFonAzureInstallingPCFonAzureManuallyPreparingtoDeployPCFonAzureLaunchinganOpsManagerDirectorInstancewithanARMTemplateDeployingBOSHandOpsManagertoAzureManuallyConfiguringOpsManagerDirectoronAzureDeployingElasticRuntimeonAzureDeployingPCFonAzureGovernmentCloudDeployingPCFinAzureGermanyDeletingaPCFonAzureInstallationUpgradingOpsManagerDirectoronAzureInstallingPCFonGCPRecommendedGCPQuotasPreparingtoDeployPCFonGCPLaunchinganOpsManagerDirectorInstanceonGCPConfiguringOpsManagerDirectoronGCPConfiguringaSharedVPConGCPDeployingElasticRuntimeonGCPDeletingaGCPInstallationfromtheConsoleTroubleshootingPCFonGCPUpgradingOpsManagerDirectoronGCP

©CopyrightPivotalSoftwareInc,2013-2018 2 1.12

454457468485520523527530545578580583585587589592606614623631632634636639641642643647653656659669682684687695697699720725729730734746753764766770773775

InstallingPivotalCloudFoundryonOpenStackProvisioningtheOpenStackInfrastructureConfiguringOpsManagerDirectoronOpenStackDeployingElasticRuntimeonOpenStackInstallingPivotalCloudFoundryonvSpherevSphereServiceAccountRequirementsDeployingBOSHandOpsManagertovSphereConfiguringOpsManagerDirectoronvSphereDeployingElasticRuntimeonvSphereProvisioningaVirtualDiskinvSphereUsingtheCiscoNexus1000vSwitchwithOpsManagerUsingOpsManagerResurrectoronVMwarevSphereConfiguringPivotalCloudFoundrySSLTerminationforvSphereDeploymentsUnderstandingAvailabilityZonesinVMwareInstallationsUpdatingNSXSecurityGroupandLoadBalancerInformationInstallingPCFIsolationSegmentGettingStartedwithSmallFootprintRuntimeUpgradingPivotalCloudFoundryUpgradeChecklistforPCFv1.12WhatHappensDuringPASUpgradesPASComponentBehaviorDuringUpgradeUpgradeConsiderationsforSelectingFileStorageinPivotalCloudFoundryPivotalWebServicesPerformanceDuringUpgradeUpgradingElasticRuntimeandOtherPivotalCloudFoundryProductscfpushAvailabilityDuringElasticRuntimeUpgradesReferenceArchitecturesReferenceArchitectureforPivotalCloudFoundryonAWSReferenceArchitectureforPivotalCloudFoundryonAzureReferenceArchitectureforPivotalCloudFoundryonGCPReferenceArchitectureforPivotalCloudFoundryonOpenStackReferenceArchitectureforPivotalCloudFoundryonvSphereUsingEdgeServicesGatewayonVMwareNSXHowtoUpgradevSpherewithoutPCFDowntimeHowtoMigratePCFtoaNewDatastoreinvSphereControlPlaneReferenceArchitecturesPCFDevOverviewMonitoringPivotalCloudFoundryKeyPerformanceIndicatorsKeyCapacityScalingIndicatorsConfiguringaMonitoringSystemBackingUpandRestoringPivotalCloudFoundryDisasterRecoveryinPivotalCloudFoundryBackingUpPivotalCloudFoundrywithBBREnablingExternalBlobstoreBackupsRestoringPCFfromBackupwithBBRSettingUpYourJumpboxforBBRRestoringanERTBackupIn-placeTroubleshootingBBRUsingOpsManagerUnderstandingtheOpsManagerInterface


777781782786787789791794796797800803805807815817819826827830832836839844848851858862865867869871880882886891892895896896896897898899901903907910912914

AddingandDeletingProductsApplyingChangestoOpsManagerDirectorRetrievingCredentialsfromYourDeploymentUnderstandingFloatingStemcellsCreatingUAAClientsforBOSHDirectorUsingYourOwnLoadBalancerUnderstandingPivotalCloudFoundryUserTypesCreatingandManagingOpsManagerUserAccountsLoggingintoAppsManagerModifyingYourOpsManagerInstallationandProductTemplateFilesManagingErrandsinOpsManagerLimitingComponentInstancesDuringRestartMonitoringVirtualMachinesinPCFPivotalCloudFoundryTroubleshootingGuideTroubleshootingOpsManagerforVMwarevSphereTroubleshootingPCFonAzureAdvancedTroubleshootingwiththeBOSHCLICloudFoundryConceptsCloudFoundryOverviewHowApplicationsAreStagedHighAvailabilityinCloudFoundryOrgs,Spaces,Roles,andPermissionsUnderstandingCloudFoundrySecurityUnderstandingContainerSecurityUnderstandingContainer-to-ContainerNetworkingUnderstandingApplicationSecurityGroupsUnderstandingGrootFSDiskUsageCloudFoundryComponentsComponent:CloudControllerComponent:Messaging(NATS)Component:GorouterComponent:UserAccountandAuthentication(UAA)ServerComponent:GardenHTTPRoutingDiegoArchitectureUnderstandingApplicationSSHHowtheDiegoAuctionAllocatesJobsOperator'sGuideUnderstandingtheElasticRuntimeNetworkArchitectureLoadBalancerRouterIdentifyingtheAPIEndpointforyourElasticRuntimeInstanceCreatingNewElasticRuntimeUserAccountsConfiguringSSL/TLSTerminationatHAProxyConfiguringProxySettingsforAllApplicationsRestrictingAppAccesstoInternalPCFComponentsConfiguringApplicationSecurityGroupsforEmailNotificationsConfiguringSSHAccessforPCFIdentifyingElasticRuntimeJobsUsingvCenterConfiguringLogginginElasticRuntime


918920927929932933935938943945948951955963965967969970972974976982986989992996100210041007100910101011102010231026102810301033103510361038104010411044104610471048105010511055

ConfiguringUAAPasswordPolicyConfiguringAuthenticationandEnterpriseSSOforElasticRuntimeConfiguringADFSasanIdentityProviderConfiguringCAasanIdentityProviderConfiguringPingFederateasanIdentityProviderAddingExistingSAMLorLDAPUserstoaPCFDeploymentSwitchingApplicationDomainsScalingElasticRuntimeScalingDownYourMySQLClusterUsingDockerRegistriesConfiguringCellDiskCleanupSchedulingCustomBrandingAppsManagerMonitoringApp,Task,andServiceInstanceUsageMonitoringInstanceUsagewithAppsManagerProvidingaCertificateforYourSSL/TLSTerminationPointEnablingNFSVolumeServicesAdministeringandOperatingCloudFoundryManagingCustomBuildpacksUsingDockerinCloudFoundryCreatingandManagingUserswiththecfCLICreatingandManagingUserswiththeUAACLI(UAAC)CreatingandModifyingQuotaPlansGettingStartedwiththeNotificationsServiceConfiguringContainer-to-ContainerNetworkingManagingIsolationSegmentsRoutingforIsolationSegmentsUsingFeatureFlagsStoppingandStartingVirtualMachinesManagingDiegoCellLimitsDuringUpgradeSettingaMaximumNumberofStartingContainersEnablingIPv6forHostedApplicationsSecuringTrafficintoCloudFoundryEnablingTCPRoutingTroubleshootingTCPRoutesSupportingWebSocketsConfiguringLoadBalancerHealthchecksforCloudFoundryRoutersTroubleshootingSlowRequestsinCloudFoundryTroubleshootingRouterErrorResponsesRouterBackendKeepaliveConnectionsUsingPCFRuntimeforWindowsUnderstandingWindowsCellsUnderstandingStemcellSecurityDeployingPCFRuntimeforWindowsUsingWindowsStemcellsDeployingonAzureCreatingavSphereStemcellManuallyUpgradingWindowsCellsConfiguringaKMSHostTroubleshootingWindowsCellsDeploying.NETAppstoWindowsCells


10581059106110641070108310881092109410971104110511081113111611181121112211301132113511391141114411461147115711581169117211731176118411871192119411991201120212031205120712121214121612181225122712281232

UsingAppsManagerGettingStartedwithAppsManagerManagingOrgsandSpacesUsingAppsManagerManagingUserRoleswithAppsManagerManagingAppsandServiceInstancesUsingAppsManagerScalinganApplicationUsingAppAutoscalerUsingtheAppAutoscalerCLIViewingASGsinAppsManagerConfiguringSpringBootActuatorEndpointsforAppsManagerUsingSpringBootActuatorswithAppsManagerUsingtheCloudFoundryCommandLineInterface(cfCLI)InstallingthecfCLIGettingStartedwiththecfCLIUsingthecfCLIwithanHTTPProxyServerUsingthecfCLIwithaSelf-SignedCertificateUsingcfCLIPluginsDevelopingcfCLIPluginsCloudFoundryCLIReferenceGuideDeveloperGuideConsiderationsforDesigningandRunninganApplicationintheCloudDeployanApplicationDeployingaLargeApplicationDeployanAppwithDockerStarting,Restarting,andRestagingApplicationsApplicationContainerLifecycleRoutesandDomainsChangingStacksDeployingwithApplicationManifestsUsingApplicationHealthChecksScalinganApplicationUsingcfscaleRunningTasksCloudFoundryEnvironmentVariablesUsingBlue-GreenDeploymenttoReduceDowntimeandRiskTroubleshootingApplicationDeploymentandHealthApplicationSSHOverviewAccessingAppswithSSHAccessingServiceswithSSHTrustedSystemCertificatesCloudControllerAPIClientLibrariesUsingExperimentalcfCLICommandsDeliveringServiceCredentialstoanApplicationManagingServiceInstanceswiththecfCLIManagingServiceKeysUser-ProvidedServiceInstancesStreamingApplicationLogstoLogManagementServicesService-SpecificInstructionsforStreamingApplicationLogsStreamingApplicationLogstoSplunkStreamingApplicationLogswithFluentdStreamingApplicationLogstoAzureOMSLogAnalytics(Beta)ConfiguringPlayFrameworkServiceConnections


1233

123512351235123612361239124112421243124512481249125012561258126212631266126812691270127212731274127512771278127912841285128512861288128912941295129612971299130113051307131413151322132813341335

MigratingaDatabaseinCloudFoundryDetaileddocumentationtohelpyouinstall,understand,andsucceedwithPivotal'senterprise-gradesoftware.PrerequisiteCreateandBindaServiceInstanceAccesstheVolumeServicefromyourAppNFSVolumeServiceSecurityGuideSecurityConceptsPCFSecurityProcessesPivotalCloudFoundrySecurityOverviewandPolicyPCFTesting,Release,andSecurityLifecycleIdentityManagementPCFInfrastructureSecurityManagingTLSCertificatesAddingaCustomCertificateAuthorityStemcellHardeningFAQNetworkSecurityTLSConnectionsinPCFDeploymentsCloudControllerNetworkCommunicationsConsulNetworkCommunicationsContainer-to-ContainerNetworkingCommunicationsDiegoNetworkCommunicationsLoggregatorNetworkCommunicationsMySQLNetworkCommunicationsNATSNetworkCommunicationsRoutingNetworkCommunicationsUAANetworkCommunicationsSecurity-RelatedPCFTilesGeneralDataProtectionRegulationOtherSecurityTopicsSecurityGuidelinesforYourIaaSProviderHowtoUseThisTopicBuildpacksAboutBuildpacksUnderstandingBuildpacksPushinganApplicationwithMultipleBuildpacksUsingaProxySupportedBinaryDependenciesProductionServerConfigurationBinaryBuildpackGoBuildpackJavaBuildpackTipsforJavaDevelopersGettingStartedDeployingJavaAppsGettingStartedDeployingGrailsAppsGettingStartedDeployingRatpackAppsGettingStartedDeployingSpringAppsConfiguringServiceConnectionsConfiguringServiceConnectionsforGrails


13381339134713501355135813611362136413671368137113741376137713781381138413901391139613991400140114041405141014111414141714181423142414261427142814291433143614401441144314441449145014511451145414571460

ConfiguringServiceConnectionsforPlayFrameworkConfiguringServiceConnectionsforSpringCloudFoundryJavaClientLibrary.NETCoreBuildpackNode.jsBuildpackTipsforNode.jsApplicationsEnvironmentVariablesDefinedbytheNodeBuildpackConfiguringServiceConnectionsforNode.jsPHPBuildpackTipsforPHPDevelopersGettingStartedDeployingPHPAppsPHPBuildpackConfigurationComposerSessionsNewRelicPythonBuildpackRubyBuildpackTipsforRubyDevelopersGettingStartedDeployingRubyAppsGettingStartedDeployingRubyAppsGettingStartedDeployingRubyonRailsAppsConfigureRakeTasksforDeployedAppsEnvironmentVariablesDefinedbytheRubyBuildpackConfigureServiceConnectionsforRubySupportforWindowsGemfilesStaticfileBuildpackCustomizingandDevelopingBuildpacksCreatingCustomBuildpacksPackagingDependenciesforOfflineBuildpacksMergingfromUpstreamBuildpacksUpgradingDependencyVersionsUsingCIforBuildpacksReleasingaNewBuildpackVersionUpdatingBuildpack-RelatedGemsServicesOverviewManagingServiceBrokersAccessControlDashboardSingleSign-OnExampleServiceBrokersBindingCredentialsApplicationLogStreamingRouteServicesSupportingMultipleCloudFoundryInstancesLoggingandMetricsOverviewoftheLoggregatorSystemUsingLoggregatorLoggregatorGuideforCloudFoundryOperatorsApplicationLogginginCloudFoundrySecurityEventLoggingforCloudControllerandUAA


146414701471147214731478148414871490

DeployingaNozzletotheLoggregatorFirehoseCloudFoundryDataSourcesInstallingtheLoggregatorFirehosePluginforcfCLITroubleshootingandDiagnosticsDiagnosingProblemsinPCFRecoveringFromMySQLClusterDowntimeRunningmysql-diagUsingtheOpsManagerAPIDeployingPCFRuntimeforWindows


PCFv1.12FeatureHighlightsThistopichighlightsimportantnewfeaturesincludedinPivotalCloudFoundry(PCF)v1.12.

OpsManagerHighlightsOpsManagerv1.12includesthefollowingmajorfeatures:

MigrateNon-ConfigurableSecretstoCredHubTileAuthorscanwriteaJavaScriptmigrationtomovetheirexistingnon-configurablesecretsintoCredHub.OpsManagerv1.12supportsmigrating secret ,simple_credential , rsa_pkey_credential ,and salted_credential types.

Formoreinformationaboutthisfeature,seeMigratingExistingCredentialstoCredHub inthePCFTileDevelopersGuide.

SecureBOSHDirector/AgentHTTPTrafficviaTLSOpsManagercreatesaTLScertificateandpassesittoBOSH.ThisfacilitatesmutuallyauthenticatedandencryptedHTTPtrafficbetweentheBOSHDirectorandtheAgentthatexistsoneachBOSH-createdVM.

FasterUpgradeandInstallationExportOpsManagerdecreasesthetimerequiredtoupgradebyreducingthesizeofthefileproducedbyExportInstallationSettingsbyseveralordersofmagnitude.

Forupgradeinstructions,seeUpgradingPivotalCloudFoundry.

Manifest-onlyWorkflowwithCredHubThisfeatureisrelevantforoperatorswhouseOpsManageronlyformanifestgenerationanddonotclickApplyChanges.

OperatorswhoextractOpsManager-generatedmanifestsinordertomanuallydeployPCFproductswithBOSHcanensurecredentialsaremigratedtoCredHubandcontinuetobeincludedinthedeploy.

OlderOpsManager-generatedmanifestscontainedcredentialsinplaintext.ButasproductsmigratetouseCredHub,manifestsnowcontainplaceholderssothatcredentialsarefetchedatdeploytime.TheextractedmanifestsforsupportingPCFproductreleasesautomaticallycontainareferencetoCredHub-storedcredentials.

ThenewOpsManagerAPIgeneratesafileusedbyCredHubtobulkloadcredentialsfromOpsManager.SubsequentBOSHdeploymentsresultinexistingcredentialscontinuingtobesupplied.ThenewAPIalsoincludesanadditionalendpointthatoperatorscanusetodeletecredentialsfromOpsManagerifneeded.

FormoreinformationaboutusingtheOpsManagerAPI,seeUsingtheOpsManagerAPI.ForthecompleteOpsManagerAPIdocumentation,browsetohttps://YOUR-OPS-MANAGER-FQDN/docs .

BOSHDirectorSupportsMultipleRuntimeConfigsTheBOSHDirectornowsupportsmultiplenamedruntimeconfigs.Operatorscanadd,remove,andupdateeachruntimeconfigfileindependently,inordertomoreeasilyconfigurewhichPivotalCloudFoundryAdd-onsareappliedtowhichdeploymentsandinstancegroups.

Formoreinformationaboutruntimeconfigs,seetheBOSHdocumentation .

MoreAWSRegions


https://docs.pivotal.io/tiledev/migrating-credhub-credentials.htmlhttps://bosh.io/docs/runtime-config.html

OperatorscandeployPCFandsupportedproductstoadditionalAWSregions.PCFnowsupportsthefollowingpublicregions:

us-east-1

us-east-2

us-west-1

us-west-2

ca-central-1

ap-south-1

ap-northeast-1

ap-northeast-2

ap-southeast-1

ap-southeast-2

eu-central-1

eu-west-1

eu-west-2

sa-east-1

PivotalpublishesAMIsforalloftheseregions.ThePDFdownloadedfromPivNetcontainthenewAMIIDs.

AWSGovCloud(US)OperatorscandeployOpsManagerv1.12toAWSGovCloud(US) .FormoreinformationaboutdeployingAWSGovCloud(US),seethefollowingAWSinstallationtopics:

DeployingtheCloudFormationTemplateforPivotalCloudFoundryonAWS

ConfiguringAWSforPCF

GoogleSharedVirtualPrivateCloudGoogleSharedVirtualPrivateCloud(VPC),formerlyknownasGoogleCross-ProjectNetworking(XPN),enablesyoutoassignGoogleCloudPlatform(GCP)resourcestoindividualprojectswithinanorganizationbutallowscommunicationandsharedservicesbetweenprojects.

Formoreinformationaboutthisfeature,seeConfiguringaSharedVPConGCP.

BOSHCLIv2+OpsManagerv1.12usesthenewversionoftheBOSHCLI .

TherearetwomajorreleasesoftheBOSHCLI,andtheOpsManagerDirectorVMincludesbothversions.Youcan bosh commandsfortheoldCLIandbosh2 commandsforthenewCLI,butmanyoldCLIcommandsareincompatiblewiththeBOSHDirector.SeethecorrespondingKnowledgeBase articleformoreinformation.

FormoreinformationaboutthedifferencesbetweentheoldandnewversionsoftheBOSHCLI,seetheBOSHdocumentation .

OtherFeaturesForinformationaboutothernewfeaturesinOpsManagerv1.12,seethePivotalCloudFoundryOpsManagerv1.12ReleaseNotes .

ElasticRuntimeHighlightsElasticRuntimev1.12includesthefollowingmajorfeatures:


https://aws.amazon.com/govcloud-us/https://bosh.io/docs/cli-v2.htmlhttps://discuss.pivotal.io/hc/en-us/articles/115012374148-Permissions-error-when-running-BOSH-commands-on-the-Directorhttps://bosh.io/docs/cli-v2-diff.htmlhttps://docs.pivotal.io/pcf-release-notes/opsmanager-rn.html

MultipleBuildpackApplicationsDeveloperscandeployapplicationsthatutilizemultiplebuildpacksinsequence.DevelopersspecifythebuildpackseitherwiththeCloudFoundryCommandLineInterface(cfCLI)orthroughanapplicationmanifest.

SupportformultiplebuildpacksenablesdeveloperstousesystembuildpacksratherthancustombuildpacksorDockerpackaging.SystembuildpacksprovidebenefitssuchasautomatedpatchingofapplicationserverCVEs,andassuresaconstantlypatchedrootfilesystemacrossapplications.

ElasticRuntimeUsesCredHubforSimplisticCredentialsTheinternalcredentials( secret and simple_credentials )thatElasticRuntimeusesforintra-componentcommunicationaregeneratedandstoredinCredHubinsteadofOpsManager.

GrootFSinGarden-runCGrootFSreplacespreviouslybuilt-infunctionalityinGarden-runC,including:

Filesystemisolation

Diskquotaenforcement

Containerimagemanagement

ThisispartofongoingworkdesignedtomakePCFcompliantwiththeOpenContainerInitiative(OCI)standards.

ApplicationInstanceIdentityCredentialsEachapplicationinstancehasauniquecertificateandkeyavailabletoitthatcanbeusedtoverifytheidentityoftheapplication.

Thisgivesapplicationsaneasierwaytoasserttheiridentitytootherclientsandservices,sothatappropriateauthenticationandauthorizationdecisionscanbemadeoneithersideofthecommunication.

Formoreinformation,seetheAppInstanceContainerIdentityCredentialssectionoftheTLSConnectionsinPCFDeploymentstopic.

HAProxyReleaseElasticRuntimenowusesthenewlyincubatedhaproxy-boshrelease .ThisreplacementofthisjoballowsthetiletoexposenewHAProxyfeatures.

OtherFeaturesForinformationaboutothernewfeaturesinElasticRuntimev1.12,seethePivotalCloudFoundryElasticRuntimev1.12ReleaseNotes .

AppsManagerHighlightsAppsManagerv1.12includesthefollowingfeatures:

In-ContextServiceCreationDeveloperscancreateserviceswithoutleavingtheapplicationorspaceviewforanacceleratedworkflow.

ServiceConfigurationParameterDiscoveryWhencreatinganewservice,developerscandiscoveradditionalparameteroptionsasfields,oraJSONeditorthatenablesthemtodefinetheparameters.


https://github.com/cloudfoundry-incubator/haproxy-boshreleasehttps://docs.pivotal.io/pcf-release-notes/runtime-rn.html

PCFIsolationSegmentHighlightsThePCFIsolationSegmentv1.12tileincludesthefollowingfeatures:

ShardedRoutersOperatorscannowconfigureshardingmodeforrouters.Formoreinformation,seeInstallingPCFIsolationSegment.

HAProxyYoucannowuseanHAProxyfortheIsolationSegmenttilethatisindependentfromtheElasticRuntimeHAProxy.

TheIsolationSegmenttileincludesitsownHAProxyVM,whichusesthehaproxy-boshrelease .Formoreinformation,seeInstallingPCFIsolationSegment.

PCFRuntimeforWindowsHighlightsThePCFRuntimeforWindowsv1.12tileincludesthefollowingfeatures:

OperatorsCanManagetheWindowsAdminPasswordOperatorscannowmanageapasswordstrategyfortheWindowsadminuseronWindowsVMswhenconfiguringthePCFRuntimeforWindowsv1.12tile.TheycanusetheWindowsdefaultpassword,specifyapassword,orgeneraterandompasswordsforeachVM.Formoreinformation,seeDeployingPCFRuntimeforWindows.

WindowsEventLogsConsumableviaSyslogOperatorscannowconfigureasyslogendpointforWindowsEventLogsinthePCFRuntimeforWindowsv1.12tile.WindowsEventsLogsprovideaconsolidated,system-levelloggingmechanismthatisespeciallyusefulintroubleshootingproblemswithrunningapplications.

Formoreinformation,seeDeployingPCFRuntimeforWindows.

ServicesHighlights

PCFMetricsv1.4ThePCFMetricsv1.4tilereleasesalongsidePCFv1.12andincludesthefollowingmajorfeatures:

SupportforSpringBootActuatormetrics

Supportforcustomappmetrics

Instance-levelmetricsvisualization

ImprovedUI

Formoreinformation,seethePCFMetricsv1.4documentation .

SingleSign-Onv1.5TheSingleSign-On(SSO)v1.5tilereleasesalongsidePCFv1.12andincludesthefollowingmajorfeatures:

SupportforenterpriseSSOwithAzureActiveDirectoryusingOpenIDConnect(OIDC)

ImprovedframeworksupportforSSOandtheSSOconnectorforappdevelopersusingSpringBootonPCF


https://github.com/cloudfoundry-incubator/haproxy-boshreleasehttp://docs.pivotal.io/pcf-metrics/1-4/

Newsampleappstohelpdeveloperonboarding

Supportfortokenexchangeflow,includingintegrationwithexistingenterpriseidentityproviders

Formoreinformation,seetheSSOv1.5documentation .

PivotalCloudCachev1.2PivotalCloudCachev1.2includesthefollowingfeature:

AsaPCCOperator,youcanuseOperationalMonitoringtomonitormultiplePCCclustersusingadashboardofyourchoicewithoutencounteringaservicedisruption.Thisfeatureincludeslogmonitoringandmetrics.YoucanopttousemetricsforserviceinstancesatthePCCserviceplanlevelonOpsManager.BrokermetricsarealwayssenttotheFirehose.

RabbitMQforPCFv1.10RabbitMQforPCFv1.10offersanon-demandclusterplan.Nowoperatorscanofferthreetypesofplans:

Pre-provisioned

On-demandsinglenode

On-demandcluster

Forapplicationteamsthatrequiremoreisolation,on-demandplansempowerthemtoself-servetheirownRabbitMQonasinglenodeorcluster.

Releasev1.10alsoprovidessmoketestsfortheon-demandplanssothatoperationsteamscanvalidatetheapplicationdeveloperworkflowforon-demandservices.

Formoreinformation,seetheRedisforPCFv1.10documentation .

RedisforPCFv1.10TheRedisforPCFv1.10tileincludesthefollowingmajorfeatures:

Generalmetricsenhancementsforon-demandservices

SyslogenablementwithorwithoutTLSencryption

Formoreinformation,seetheRabbitMQforPCFv1.10documentation .

MySQLforPCFv2.1TheMySQLforPCFv2.1tileincludesthefollowingmajorfeatures:

Providesanewrestoreutilityoneachserviceinstancetomakerestoringfromabackupartifacteasier

Addstheabilitytoenableordisable lower_case_table_names forallMySQLserviceinstancesoronlyspecificserviceinstances,whichhelpswhenmigratingfromlegacysystemsthatneedcaseinsensitivity

ChangesseveralMySQLserverdefaultconfigurationstoprovidebetterconsistencyandexpectedbehaviorwhenmigratingfromtheMySQLforPCFv1series

Formoreinformation,seetheMySQLforPCFv2.1documentation .


https://docs.pivotal.io/p-identity/1-5/https://docs.pivotal.io/redis/1-10/index.htmlhttps://docs.pivotal.io/rabbitmq-cf/1-10/index.htmlhttps://docs.pivotal.io/p-mysql/2-1/

PivotalCloudFoundryReleaseNotesPivotalCloudFoundryiscertifiedbytheCloudFoundryFoundationfor2018.

Readmoreaboutthecertifiedproviderprogram andtherequirementsofproviders .

ThistopicprovideslinkstothereleasenotesforPivotalCloudFoundry(PCF)andPCFservices.Releasenotesincludenewfeatures,breakingchanges,bugfixes,andknownissues.

PCFReleaseNotesPCFv1.12BreakingChanges

PCFOpsManagerv1.12ReleaseNotes

PivotalElasticRuntimev1.12ReleaseNotes

PCFRuntimeforWindowsv1.12ReleaseNotes

PCFIsolationSegmentv1.12ReleaseNotes

StemcellReleaseNotes

PCFServicesReleaseNotesAppDistributionServiceforPCF

GemFireforPCF

MySQLforPCF

ApplicationWatchdogforPCF(Beta)

PCFHealthwatch

PCFMetrics

PCFServiceBrokerforAWS

PushNotificationServiceforPCF

RabbitMQ®forPCF

RedisforPCF

SessionStateCachingPoweredbyGemFire

SingleSign-OnforPCF

SpringCloudServicesonPCF

SchedulerforPCF


https://www.cloudfoundry.org/provider-faq/https://www.cloudfoundry.org/provider-requirements/https://docs.pivotal.io/app-dist/release-notes.htmlhttps://docs.pivotal.io/gemfire-cf/relnotes.htmlhttps://docs.pivotal.io/p-mysql/release-notes.htmlhttps://docs.pivotal.io/pcf-appdog/rn-ki.htmlhttps://docs.pivotal.io/pcf-healthwatch/release-notes.htmlhttps://docs.pivotal.io/pcf-metrics/rn-ki.htmlhttps://docs.pivotal.io/aws-services/release-notes.htmlhttps://docs.pivotal.io/push/release-notes.htmlhttps://docs.pivotal.io/rabbitmq-cf/releases.htmlhttps://docs.pivotal.io/redis/release.htmlhttps://docs.pivotal.io/ssc-gemfire/relnotes.htmlhttps://docs.pivotal.io/p-identity/release-notes.htmlhttps://docs.pivotal.io/spring-cloud-services/release-notes.htmlhttps://docs.pivotal.io/pcf-scheduler/release-notes.html

PCFv1.12BreakingChangesThistopicdescribesthebreakingchangesyouneedtobeawareofwhenupgradingtoPivotalCloudFoundry(PCF)v1.12.Formoreinformationaboutimportantpreparationstepsyoumustfollowbeforebeginninganupgrade,seeUpgradingPivotalCloudFoundry.

ElasticRuntime

CloudControllerBridgeInpreviousversionsofPCF,theDiegoBrainVMrantheCloudControllerBridgecomponent,whichtranslatedCloudControllerrequestsintoDiegoAPIcommands.TheCloudControllerBridgeconveyedcommunicationsbetweentheCloudControllerandDiegooverplain-textHTTP.

InPCFv1.12,theEnablesecurecommunicationbetweenDiegoandCloudControlleroptionintheCloudControllerpaneoftheElasticRuntimetileallowsyoutoenabledirectcommunicationsbetweentheCloudControllerandDiegooversecureTLSanddeactivatetheCloudControllerBridge.IfyoudeployafreshinstallationofPCFv1.12,theEnablecheckboxisselectedbydefault.

Forupgrades,ifyouwanttousethisnewfeature,youmustmanuallyselecttheEnablecheckboxaftertheupgradeiscompleteandthenclickApplyChanges.SelectingthecheckboxbeforetheupgraderesultsinAPIdowntime.

GorouterandHAProxyTLSConfigurationInpreviousversionsofPCF,youhadtheoptionofselectingForwardunencryptedtraffictoElasticRuntimeRouterintheNetworkingpaneofElasticRuntime.Ifyouselectedthisoption,youdidnothavetoprovideacertificateorprivatekeyforGorouterconfiguration.

InPCFv1.12,theGorouterandHAProxynowalwayslistenforTLSrequests.Therefore,youmustconfigureanSSLcertificatefortheGorouterandHAProxyinElasticRuntime.YouconfiguretheGorouterandHAProxyusingthesamefieldandwiththesamecertificate.

Inaddition,youmustspecifyTLSciphersuitesforbothHAProxyandtheGorouter.Theseciphersuitesarespecifiedindependentlyindifferentfields.IfyouconfiguredapreviousinstallationwithTLSciphersuites,theseconfigurationspersistthroughtheupgrade.MakesurethatyouhaveconfiguredthecorrectsetofTLSciphersuitesandminimumTLSversiontosupportyourclientandloadbalancerneeds.

Inbothcases,theHAProxyconfigurationisignoredifyouarenotusingHAProxy.

Formoreinformation,seetheElasticRuntimeinstallationtopicforyourIaaS .

InternalElasticRuntimeCredentialsTheinternalcredentialsthatElasticRuntimeusesforinter-componentcommunicationarenowgeneratedandstoredinCredHubinsteadofOpsManager.ForalistofthecredentialsmigratedtoCredHub,seePivotalElasticRuntimeReleaseNotes.

Ifyouwanttoaccessthesecredentials,youmustusetheCredHubCLIortheOpsManagerAPIinsteadoftheCredentialstaboftheElasticRuntimetile.

CredHubAPICommunicationonPort8844InorderfortheCredHubAPItocommunicatewiththeBOSHDirector,TCPPort8844mustbeopenonthenetworkswhereOpsManagerandElasticRuntimeVMsaredeployed.TCPPort8844mustbeopentoenableinternalnetworkingbetweenVMslocatedinsidethelocalnetwork.Formoreinformation,seePreparingYourFirewallforDeployingPCF.

PostgresThisreleaseremovesthelegacyPostgresdatabaseVMsfortheCloudControllerandUAA.IfyourdeploymentwasoriginallyinstalledbeforePCFv1.6andstillusesPostgres,youmustcontactyourdedicatedSupportEngineerorPlatformArchitectforassistanceinmigratingyourCloudControllerandUAAdatabasestoMySQL.TheyhaveaccesstothePostgreSQL-to-MySQLMigratortoolandinstructionsonPivotalNetwork.

IfyoudonotmigratetoMySQLbeforeupgradingtoElasticRuntimev1.12,theupgradefails.Formoreinformation,seeMigratetheCCandUAADatabases


https://docs.pivotal.io/pivotalcf/1-12/customizing/pas.html

fromPostgrestoMySQL.

MySQLforPCFandPCFRuntimeforWindowsIfyourexistingPCFv1.11.xinstallationincludesbothPCFRuntimeforWindows andMySQLforPCFv1.x,youmustupgradetoMySQLforPCFv1.10.3orlaterbeforeyouupgradetoPCFElasticRuntimev1.12.ForinstructionsonhowtoupgradeMySQLforPCF,seetheMySQLforPCF documentation.

IfyoudonotupgradeMySQLforPCF,theupgradefails.Formoreinformation,seeUpgradeMySQLforPCF.

Read-onlyVolumeMountsWeback-portedafixfromNFS1.3.1toNFS1.2.1foranincompatibilitybetweenourNFSVolumereleaseandDiego’scontainerruntime,garden.But,becausethefixwasintheNFSServiceBroker,andservicebindingscreatedbyoldversionsofthisbrokerwon’tgetmigratedduringupgrade,existingNFSservicebindingsthatspecifyread-onlymountswillstillexhibittheincompatibility.

Asaresult,customersupgradingfromversionscontainingnfs-volume-release<1.2.1thathaveNFSservicesboundread-onlytotheirapplicationswillseethattheirapplicationscrashafterupgrade.

Tofixthiscondition,customersshouldunbindtheservice,rebindit,andthenrestagetheapplication.

Alternately,customerswishingtoavoidapplicationdowntimecantemporarilyre-bindtheirapplicationsasread/writebeforeupgrading,andthenswtichtoread-onlyafterwards.

OpsManager

BOSHCLIv2OpsManagerv1.12usestheBOSHCommandLineInterface(CLI)v2.Inv2,theformattingoftheCLIoutputhaschanged.IfyourdeploymentusesscriptsthatrelyonBOSHoutput,youmustrefactorthemtointerpretthecommandoutputoftheBOSHCLIv2.FormoreinformationabouttheBOSHCLIv2,seePivotalOperationsManagerReleaseNotes.

MissingStemcellCausesFailuretoDeployInPCFv1.12andearlier,theBOSHDirectormaydeletestemcellsrequiredbyerrands.ThiscausesdeploymentsorupgradestofailwithError:Stemcelldoesn'texist

.Topreventthiserror,dothefollowingbeforeyouclickApplychangesinOpsManagertoupgrade:

1. DownloadacurrentstemcellfromPivotalNetwork .

2. UploadthestemcellbyclickingImportaProductinOpsManager,orbymanuallyrunning boshupload-stemcell withtheBOSHCLI.

SeethePivotalKnowledgeBasearticleDeployfailswithError:Stemcelldoesn’texist fordetails.

ThisknownissuehasbeenfixedinOpsManagerv2.0andlater.

DirectorCertificateRotationIfyouroriginalElasticRuntimedeploymentwasPCFv1.6orearlier,youmustregeneratethenon-configurableDirectorcertificatestodeployCredHub.Duringadeploy,CredHubattemptstoverifytheconnectiontoUAAontheBOSHDirectorwiththeOpsManagercertificateSubjectAlternativeName(SAN).OpsManagerv1.6andearliergeneratednon-configurablecertificateSANsinaformatthatCredHubdoesnotunderstand.Formoreinformation,seeCredHubRequiresDirectorCertificateRotation.

PCFLogSearchPCFLogSearchisnotcompatiblewithPCFv1.12.IfyourdeploymentcontainsPCFLogSearch,youmustremovetheproducttilebeforeupgradingtoPCF


https://docs.pivotal.io/pivotalcf/1-12/windows/index.htmlhttp://docs.pivotal.io/p-mysql/1-10/index.htmlhttps://network.pivotal.iohttps://community.pivotal.io/s/article/Deploy-fails-with-Error-Stemcell-doesnt-exist

v1.12.Failuretoremovethisproductpriortotheupgrademaycauseissueswithyourdeployment.

Formoreinformation,seetheUpgradingPivotalCloudFoundrytopic.


PivotalElasticRuntimev1.12ReleaseNotesPivotalCloudFoundryiscertifiedbytheCloudFoundryFoundationfor2018.

Readmoreaboutthecertifiedproviderprogram andtherequirementsofproviders .

Releases

1.12.29[Bugfix]Preventdowntimewhenupgradingfrom1.12to2.0whendeploymentincludesHAProxy

Bumpcf-smoke-teststoversion 40.0.6

Bumpcflinuxfs2toversion 1.228.0

Bumproutingtoversion 0.163.15

Bumpstemcelltoversion 3468.55

Component Version

stemcell 3468.55

binary-offline-buildpack 1.0.21

capi 1.40.54*

cf-autoscaling 96.2

cf-backup-and-restore 0.0.9

cf-mysql 36.11.0

cf-networking 1.4.3*

cf-smoke-tests 40.0.6

cflinuxfs2 1.228.0

consul 195

diego 1.25.15

dotnet-core-offline-buildpack 2.1.3

garden-runc 1.13.3

go-offline-buildpack 1.8.25

haproxy 8.4.1

java-offline-buildpack 4.13.1

loggregator 96.5

mysql-backup 2.1.0

mysql-monitoring 8.18.0

nats 24

nfs-volume 1.2.1

nodejs-offline-buildpack 1.6.28

notifications 37

notifications-ui 33

php-offline-buildpack 4.3.57

pivotal-account 1.8.8

push-apps-manager-release 662.0.36

push-usage-service-release 663.0.8

python-offline-buildpack 1.6.18

routing 0.163.15

ruby-offline-buildpack 1.7.21


https://www.cloudfoundry.org/provider-faq/https://www.cloudfoundry.org/provider-requirements/

scalablesyslog 12

service-backup 18.1.2

staticfile-offline-buildpack 1.4.29

statsd-injector 1.0.29

syslog-migration 8.0.2

uaa 45.11

*Componentsmarkedwithanasteriskhavebeenpatchedtoresolvesecurityvulnerabilitiesorfixcomponentbehavior.

Component Version

1.12.28[SecurityFix]Bumppivotalaccountto1.8.8

[FeatureImprovment]Bumploggregatortopreventdopplerbackpressureunderhighload

[FeatureImprovement]LoggregatoragentegressespreferredtagsinsteadofDeprecatedTagsinloggregatorenvelopes.ThisfixesahighCPUissueinDopplercluster.

[BugFix]AppsusingaDockerimagefromaninsecureregistryconfiguredinthePrivateDockerInsecureRegistryWhitelistcannowbestagedsuccessfully.

[BugFix]Fixintermittenterrandfailureinpivotalaccount

ErrandsintermittentlyfailwithEOFerrorwhenexecuting‘cfauth’onNetScaler

[BugFix]Dockerimagebasedappresourcereportingcorrectlyincludesimagesizeindiskusage

[BugFix]Setcloudcontrollerstagingtimeoutvalueonallcloudcontrollerjobstoallowlargeappstostagebeforethetimeout.

Bumpdiegotoversion 1.25.15

Bumpjava-offline-buildpacktoversion 4.13.1

Bumploggregatortoversion 96.5

Bumppivotal-accounttoversion 1.8.8


Component Version

stemcell 3468.54


capi 1.40.54*

cf-autoscaling 96.2


cf-mysql 36.11.0


cf-smoke-tests 40.0.5

cflinuxfs2 1.227.0

consul 195

diego 1.25.15


garden-runc 1.13.3


haproxy 8.4.1


loggregator 96.5

mysql-backup 2.1.0


nats 24

nfs-volume 1.2.1

nodejs-offline-buildpack 1.6.28*Componentsmarkedwithanasteriskhavebeenpatchedtoresolvesecurityvulnerabilitiesorfixcomponentbehavior.


https://community.pivotal.io/s/article/Errands-intermittently-fail-with-EOF-error-when-executing-cf-auth-on-NetScaler

notifications 37

notifications-ui 33






routing 0.163.14*


scalablesyslog 12





uaa 45.11


Component Version

1.12.27[FeatureImprovement]AddabilitytoconfigureHAproxyclientcertificateverification

[SecurityFix]BumpUAAfor[CVE-2018-11047(https://www.cloudfoundry.org/blog/cve-2018-11047/ )

Bumpcflinuxfs2version 1.227.0

Bumpjava-offline-buildpackversion 4.13

Bumpuaaversion 45.11

Component Version

stemcell 3468.51


capi 1.40.54*

cf-autoscaling 96.2


cf-mysql 36.11.0


cf-smoke-tests 40.0-.5

cflinuxfs2 1.227.0

consul 195

diego 1.25.14


garden-runc 1.13.3


haproxy 8.4.1

java-offline-buildpack 4.13

loggregator 96.2.0*

mysql-backup 2.1.0


nats 24

nfs-volume 1.2.1




https://www.cloudfoundry.org/blog/cve-2018-11047/

notifications 37

notifications-ui 33






routing 0.163.14*


scalablesyslog 12





uaa 45.11


Component Version

1.12.26[FeatureImprovement]AllowsPCFMetricstobeinstalledwithbothv1.5andv1.4versionstopreventdataloss.

[BugFix]Bumpcf-smoke-tests-releaseto40.0.5tofixsomeflakiness

[SecurityFix]BumpUAAforCVE2018-11041

[SecurityFix]BumpappsmanagerforCVE-2018-11044

OrgManagersandAdminscanleaveorganizations

[BugFix]bumpconsultov195

Includesgolang1.9.7,removesgolang1.8.*.Deployingv193couldfailonsomedeploymentsduetoaconflictwithothertilesthatcompiledthereleasedifferentlyFixesintermittentconsulDNSissuesonWindowsCells

Bumpbinary-offline-buildpacktoversion 1.0.21

Bumpcf-smoke-teststoversion 40.0.5


Bumpconsultoversion 195

Bumpdotnet-core-offline-buildpacktoversion 2.1.3

Bumpgo-offline-buildpacktoversion 1.8.25

Bumpnodejs-offline-buildpacktoversion 1.6.28

Bumpphp-offline-buildpacktoversion 4.3.57

Bumppush-apps-manager-releasetoversion 662.0.36

Bumppython-offline-buildpacktoversion 1.6.18

Bumpruby-offline-buildpacktoversion 1.7.21

Bumpstaticfile-offline-buildpacktoversion 1.4.29

Bumpuaatoversion 45.10

Bumpstemceslltoversion 3468.51

Component Version

stemcell 3468.51


capi 1.40.54*

cf-autoscaling 96.2



cf-backup-and-restore 0.0.9cf-mysql 36.11.0


cf-smoke-tests 40.0-.5

cflinuxfs2 1.223.0

consul 195

diego 1.25.14


garden-runc 1.13.3


haproxy 8.4.1


loggregator 96.2.0*

mysql-backup 2.1.0


nats 24

nfs-volume 1.2.1


notifications 37

notifications-ui 33






routing 0.163.14*


scalablesyslog 12





uaa 45.10


Component Version

1.12.25[SecurityFix]Bumpdiegotoversion 1.25.14

CVE-2018-1265

[SecurityFix]Bumppivotal-accounttoversion 1.8.5

CVE-142112 CVE-130424

[Bugfix]bumpnfs-volume-releasetoversion 1.2.1

Fixincompatibilitywithnewgarden-runcreleasewhenusingread-onlyNFSvolumemounts

[BugFix]Bumpgardentoversion 1.13.3

Fixissuewithdeletedfilesinapplicationcontainerscreatedfromdockerimages


https://www.cloudfoundry.org/blog/cve-2018-1265/https://nodesecurity.io/advisories/130https://www.kb.cert.org/vuls/id/576313

[FeatureImprovement]Bumpnotifications-uitoversion 33

Addcookiesettingtonotifications-uiforGDPRcompliance

[FeatureImprovement]CFNetworkingdatabaseconnectiontimeoutsarenowconfigurable

[FeatureImprovement]MaxconnectionsfortheInternalMySQLDatabasearenowconfigurable

[FeatureImprovement]Bumpscalablesyslogtoversion 12

Removesnoisydebuglogmessages


Bumpconsultoversion 193 tousego 1.9

Bumpdotnet-core-offline-buildpacktoversion 2.0.7

Bumpgo-offline-buildpacktoversion 1.8.23

Bumpjava-offline-buildpacktoversion 4.12.1

Bumpnodejs-offline-buildpacktoversion 1.6.25

Bumpphp-offline-buildpacktoversion 4.3.56

Bumppython-offline-buildpacktoversion 1.6.17

Bumpruby-offline-buildpacktoversion 1.7.19

Bumpstaticfile-offline-buildpacktoversion 1.4.28


Component Version

Stemcell 3468.46


capi 1.40.54*

cf-autoscaling 96.2


cf-mysql 36.11.0


cf-smoke-tests 38

cflinuxfs2 1.218.0

consul 193

diego 1.25.14


garden-runc 1.13.3


haproxy 8.4.1


loggregator 96.2.0*

mysql-backup 2.1.0


nats 24

nfs-volume 1.2.1


notifications 37

notifications-ui 33







routing 0.163.14*


scalablesyslog 12





uaa 45.8


Component Version

1.12.24[SecurityFix]Bumpcflinuxfs2toversion 1.210.0 :

USN-3643-1

UpdategrootfscheckboxtoindicatetherecreatingVMsisrecommended

Bumpcapitoversion 1.40.54

Updatedazurefoggemstoimprovereliabilitywhenusinganazureblobstore

Bumpcf-networkingtoversion 1.4.3

Bumpnatstoversion 24

Bumpgoto1.10.1

Bumppush-apps-manager-releasetoversion 662.0.34

UsagereportpagetakesintoaccountrenamedspacesFixbugthatcausesapptocrashonapppagesettingstab

Bumpjava-offline-buildpacktoversion 4.12

Component Version

Stemcell 3468.42


capi 1.40.54*

cf-autoscaling 96.2


cf-mysql 36.11.0


cf-smoke-tests 38

cflinuxfs2 1.210.0

consul 187

diego 1.25.13


garden-runc 1.13.1


haproxy 8.4.1


loggregator 96.2.0*

mysql-backup 2.1.0



https://usn.ubuntu.com/3643-1/

nats 24

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.14*


scalablesyslog 11





uaa 45.8


Component Version

1.12.23[SecurityFix]Bumpstemcelltov3468.42:

USN-3641 USN-3631-2 USN-3628-1 USN-3625-1 USN-3624-1

[SecurityFix]Bumpcflinuxfs2-releasetov1.201.0:

USN-3628-1 USN-3625-1 USN-3624-1 USN-3622-1

[FeatureImprovement]Bumprouting-releasetov0.163.14toenableoperatortodisableloggingofclientIPs,incompliancewiththeEUGeneralDataProtectionRegulation(GDPR).

[FeatureImprovement]Bumpapps-manager-releasetov662.0.33:

Whenbindingaserviceinstance,notifytheusertorestagetheirappfromtheCLI.Whenlogged-inusercanseenoapps,show“Noresults”insteadof“Loading…”intheappsearch.

[BugFix]ProvidetheOpsManagerrootCAcertificateandanyotheroperator-providedtrustedcertificatestoallcontainersinthe/etc/cf-system-certificates directory.

[BugFix]Bumploggregator-releasetov96.2topreventTrafficControllerfromfailingwhenconsulDNSisstoppedfirstduringaBOSHstoporrestart.

Bumpmysql-monitoring-releasetov8.18.0.

Bumpsthefollowingbuildpacks:

Nodejs-offline-buildpacktov1.6.23.Php-offline-buildpacktov4.3.54.Python-offline-buildpacktov1.6.15.Ruby-offline-buildpacktov1.7.18.

Component Version

Stemcell 3468.42



https://usn.ubuntu.com/3641-1/https://usn.ubuntu.com/3631-2/https://usn.ubuntu.com/3628-1/https://usn.ubuntu.com/3625-1/https://usn.ubuntu.com/3624-1/https://usn.ubuntu.com/3628-1/https://usn.ubuntu.com/3625-1/https://usn.ubuntu.com/3624-1/https://usn.ubuntu.com/3622-1/

binary-offline-buildpack 1.0.18capi 1.40.53*

cf-autoscaling 96.2


cf-mysql 36.11.0


cf-smoke-tests 38

cflinuxfs2 1.201.0

consul 187

diego 1.25.13


garden-runc 1.13.1


haproxy 8.4.1


loggregator 96.2.0*

mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.14*


scalablesyslog 11





uaa 45.8


Component Version

1.12.22[SecurityFix]Bumpsgarden-releasetov1.13.1forCVE-2018-1277 .

[BugFix]WhenupgradingfromElasticRuntimev1.11tov.12,theEnablesecurecommunicationbetweenDiegoandCloudControlleroptionintheCloudControllertabshouldbedisabledbydefault,insteadofenabledbydefault.

[BugFix]Bumpsautoscaling-releasetov96.2touseCFCLIv6.36.1.

[BugFix]Bumpscapi-releasetov1.40.53topreventduplicateappusageevents.

[FeatureImprovement]Bumpsdiego-releasetov1.25.13toaddcellandinstanceidentifiersinthecontainerlifecyclelogs.

[FeatureImprovement]Bumpsapps-manager-releasetov662.0.32:

IntroducecustommemorylimitsettingforAppsManagerandinvitationapps.



Showfullpageerrorwhencriticalenvvarsarenotset.Applastpushtimenowreflectstimeofmostrecentreadypackage.Introduceflagtohideappsearchbar.Appsearchbarqueriesappsonlywhenfocused.Tellusertore-stageappafterbindingaservice.

Bumpsthefollowingbuildpacks:

Binary-offine-buildpacktov1.0.18.Dotnet-core-offline-buildpacktov2.0.6.Go-offline-buildpacktov1.8.21.Java-offline-buildpacktov4.10.0.Nodejs-offline-buildpacktov1.6.22.Php-offline-buildpacktov4.3.53.Python-offline-buildpacktov1.6.14.Ruby-offline-buildpacktov1.7.16.Staticfile-offline-buildpacktov1.4.27.

Component Version

Stemcell 3468.30


capi 1.40.53*

cf-autoscaling 96.2


cf-mysql 36.11.0


cf-smoke-tests 38

cflinuxfs2 1.196.0

consul 187

diego 1.25.13


garden-runc 1.13.1


haproxy 8.4.1


loggregator 96.0.17*

mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.13*


scalablesyslog 11


staticfile-offline-buildpack 1.4.27*Componentsmarkedwithanasteriskhavebeenpatchedtoresolvesecurityvulnerabilitiesorfixcomponentbehavior.




uaa 45.8


Component Version

1.12.21[BugFix]WhenupgradingfromElasticRuntimev1.11tov1.12,theEnablesecurecommunicationbetweenDiegoandCloudControlleroptionintheCloudControllertabshouldbedisabledbydefault,insteadofenabledbydefault.OnlynewinstallationsofElasticRuntimev1.12shouldenablesecurecommunicationbydefault.

[SecurityFix]Bumpscflinuxfs2tov1.196.0:

USN-3611-1 USN-3610-1

[SecurityFix]Bumpsstemcelltov3468.30:

USN-3619-2 USN-3611-1 USN-3610-1 USN-3598-1 USN-3586-1 USN-3584-1

[BugFix]Bumpssyslog-migration-releasetov8.0.2:

Preventlogsfromblackboxfrombeingwrittentothedefaultsysloglogfilestopreventlogsfrombeingwrittentothedisk3additionaltimes.Fixrfc5424compatibilitybyensuringonly1spaceoccursbetweenthemessageandthestructureddata.

[BugFix]FixesabugthatcausedtheCloudControllersyncjobtofailwhenpushinganappwithTCProutingenabled,whichcausesDiegotonotknowifitsdesiredstateisconsistentwithCloudController.

[FeatureImprovement]Bumpscapi-releasetov1.40.52toimprovedatabaseconnectionvalidation.

[FeatureImprovement]AddsfieldCustomsyslogConfigurationtospecifycustomloggingrulesintheSystemLoggingtab.Formoreinformation,seecustomsyslogrules .

Component Version

Stemcell 3468.30


capi 1.40.52*

cf-autoscaling 95


cf-mysql 36.11.0


cf-smoke-tests 38

cflinuxfs2 1.196.0

consul 187

diego 1.25.3


garden-runc 1.12.1


haproxy 8.4.1



mysql-backup 2.1.0


nats 22*Componentsmarkedwithanasteriskhavebeenpatchedtoresolvesecurityvulnerabilitiesorfixcomponentbehavior.


https://usn.ubuntu.com/3611-1/https://usn.ubuntu.com/3610-1/https://usn.ubuntu.com/3619-2/https://usn.ubuntu.com/3611-1/https://usn.ubuntu.com/3610-1/https://usn.ubuntu.com/3598-1/https://usn.ubuntu.com/3586-1/https://usn.ubuntu.com/3584-1/https://docs.pivotal.io/pivotalcf/1-12/customizing/custom-syslog-rules.html

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.13*


scalablesyslog 11





uaa 45.8


Component Version

1.12.20[BugFix]Bumpscapi-releasetov1.40.51to:

Preventappuploadfromfailingwhentheapphasbrokensymlinks.FixbrokencfsshforDockerapps.

[BugFix]Bumpscf-mysql-releasetov36.11.0.ReleaseNotes

[FeatureImprovement]Bumpsmysql-monitoring-releasetov8.16.0.ReleaseNotes

[FeatureImprovement]Bumpsloggregator-releasetov96.0.17toaddstricterappidvalidationinTrafficController.

[FeatureImprovement]TheSSOOperatorDashboardnowallowsplanadministratortosendpasswordresetemails.

[BugFix]Bumpspush-apps-manager-releasetov662.0.28

Reintroducecachebustingforjs/cssfilesFixedabugthatwouldcauseappsmanagertofailtoloadwhenenvironmentvariablescontainednewlinesFixheadersforendpointsthatweserveUpdatedtheCFCLIthatisusedtopushAppsManagerandInvitations

Component Version

Stemcell 3468.25


capi 1.40.51*

cf-autoscaling 95


cf-mysql 36.11.0


cf-smoke-tests 38

cflinuxfs2 1.188.0

consul 187

diego 1.25.3


garden-runc 1.12.1


https://github.com/cloudfoundry/cf-mysql-release/releases/tag/v36.11.0http://docs.pivotal.io/p-mysql/1-10/mysql-components-release-notes.html#monitoring-8.16.0


haproxy 8.4.1



mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.13*


scalablesyslog 11





uaa 45.8


Component Version

1.12.19[Bugfix]Bumpsapps-manager-releasetov662.0.25:

[IE]Fixesalignmentoftheappsearchbarintheheader.Fixesabugthatpreventedmid-levelfetchtasksfrombeingclearedwhenswitchingroutesandonthe30secondrefresh.Fixesabugthatcausedmarketplaceserviceplanstoshow“Nopriceavailable”.

[Bugfix]Bumpsuaa-releasetov45.8:

UpdatesJDKversionto8u162.

[SecurityFix]Bumpscapi-releaseto1.40.49:

CVE-2018-1266 :Fixesrandomnumberguessingexploit.Fixesbuildpackpagination.

Component Version

Stemcell 3468.25


capi 1.40.49*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.188.0



https://www.cloudfoundry.org/blog/cve-2018-1266

consul 187

diego 1.25.3


garden-runc 1.12.1


haproxy 8.4.1


loggregator 96*

mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.13*


scalablesyslog 11





uaa 45.8


Component Version

1.12.18[FeatureImprovment]Bumpsgarden-runc-releasetov1.12.1:

Includesfixforbugwhereusers’filescouldgomissingindocker-basedapplications.

[Bugfix]Bumpsrouting-releaseto0.163.13:

Removesbackendsonanyerrortoprevent502errorsfrombeingreturnedtoclients.Updatesgolangtov1.9.4.

[BugFix]Removesunneededpersistentdiskfromdiegobrainvms.

Component Version

Stemcell 3468.25


capi 1.40.47*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38*Componentsmarkedwithanasteriskhavebeenpatchedtoresolvesecurityvulnerabilitiesorfixcomponentbehavior.


cflinuxfs2 1.188.0

consul 187

diego 1.25.3


garden-runc 1.12.1


haproxy 8.4.1


loggregator 96*

mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.13*


scalablesyslog 11





uaa 45.7


Component Version

1.12.17[FeatureImprovement]Bumpsapps-managerto662.0.24,whichusesnginxandthestaticfilebuildpack.

[BugFix]Bumpscapi-releasetoversion1.40.47:

APInolongerloadsallusersintoanarrayinmemory.

[BugFix]Cloudcontrollerisconfiguredtoset cc.diego.pid_limit to0(unlimited)sothatapplicationinstanceswhichcreatedmanythreadsdonotcrash.Thepreviouslimitwasdefaultingto1024.

Component Version

Stemcell 3468.25


capi 1.40.47*

cf-autoscaling 95


cf-mysql 36.10.0




cf-smoke-tests 38

cflinuxfs2 1.188.0

consul 187

diego 1.25.3


garden-runc 1.11.1


haproxy 8.4.1


loggregator 96*

mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11





uaa 45.7


Component Version

1.12.16Note:itisrecommendedthatyoure-createallVMswhenupgradingtothisrelease,duetotheupdateto garden-runc-release .Thiswillhappenautomaticallyifyouareupdatingyourstemcell.Ifnot,youcancheckthe“RecreateAllVMs”checkboxontheOpsManagerDirector>DirectorConfigtab.

[SecurityFix]Bumpsstemcellfromversion3468.21toversion3468.25toaddressissues:

USN-3582-2

[SecurityFix]Bumpscflinuxfs2-releasefromv181.0tov1.188.0toaddressissues:

USN-3577-1 USN-3569-1 USN-3554-1 USN-3547-1 USN-3543-1 USN-3540-2 USN-3538-1

[FeatureImprovement]Bumpsgarden-runc-releasetov1.11.1 whichincludesgrootfsrootfilesystembydefault.

[FeatureImprovement]Patchescloudcontrollersouserswith admin_read_only scopecanviewstatsforapps,whichisneededbythe cf v3-apps


http://www.ubuntu.com/usn/usn-3581-2/http://www.ubuntu.com/usn/usn-3577-1/http://www.ubuntu.com/usn/usn-3569-1/http://www.ubuntu.com/usn/usn-3554-1/http://www.ubuntu.com/usn/usn-3547-1/http://www.ubuntu.com/usn/usn-3543-1/http://www.ubuntu.com/usn/usn-3540-2/http://www.ubuntu.com/usn/usn-3538-1/https://github.com/cloudfoundry/garden-runc-release/releases/tag/v1.11.1

command.

[BugFix]Patchescloudcontrollernginxhttpuploadmoduletofixissuewhereincorrectinitializationoftheuploadpathcouldcausesegmentationfaults.

Component Version

Stemcell 3468.25


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.188.0

consul 187

diego 1.25.3


garden-runc 1.11.1


haproxy 8.4.1


loggregator 96*

mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11





uaa 45.7


1.12.15[SecurityFix]Patchesrouting-releaseforCVE-2018-1221 .

[BugFix]Bumpspush-usage-servicetoincreasememoryfootprint,toavoidoccasionalcrashesthatsomeuserswereseeing.



[BugFix]EnablesprivilegedcontainerstosupportupgradingfromERT1.11withappsthatspecifyprivilegedcontainers.

[BugFix]FixtoensurethatDiegorepwillalwaysexitduringevacuation,evenifGarden destroy hangsduringevacuation.

[BugFix]Patchessyslogtopreventduplicationfromblackboxlogforwarding.

[FeatureImprovements]Bumpmysql-backup-releasetov2inrecognitionofthefactthatv1.38.0requiredTLS.Seeotherchangeshere

[FeatureImprovements]NewoptionintheNetworkingpagetoallowoperatorstoenableGoroutersupportforthePROXYprotocol.Thisisdisabledbydefault.

[FeatureImprovement]EnableGarden debug_listen_address tolistenonalocalinterface.

[FeatureImprovement]AddscredentialsforHealthwatchalerts.

Component Version

Stemcell 3468.21


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.181.0

consul 187

diego 1.25.3


garden-runc 1.10.0


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 2.1.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11





uaa 45.7



http://docs.pivotal.io/p-mysql/1-10/mysql-components-release-notes.html#backup-2.1.0

Component Version

1.12.14[SecurityFix]Bumpsapps-manager-releasetov662.0.22tofixvulnerabilitythatallowedarbitraryfileaccessonserver.

[BugFix]Patchesdiego-releasetoallowHTTP-basedhealthcheckonanHTTPendpointthatexpectsTLS-terminatedtraffic.

[BugFix]Bumpsjava-offline-buildpacktov4.8toaddressanissuewithmultiplejava-offline-buildpacksbeingincluded,whichmaycausedeploymentstohavedifferentversionsofjava-offline-buildpackinstalled.

Bumpbuildpackstolatestversions,including:

dotnet-core-offline-buildpacktov2.0.1.go-offline-buildpacktov1.8.16.java-offline-buildpacktov4.8.nodejs-offline-buildpacktov1.6.15.php-offline-buildpacktov4.3.48.python-offline-buildpacktov1.6.7.ruby-offline-buildpacktov1.7.11.staticfile-offline-buildpacktov1.4.21.

Component Version

Stemcell 3468.21


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.181.0

consul 187

diego 1.25.3


garden-runc 1.10.0


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 1.38.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*




scalablesyslog 11





uaa 45.7


Component Version

1.12.13[SecurityFix]Bumpsstemcelltoversion3468.21toaddressissues:

USN-3534-1 USN-3540-2

[SecurityFix]Bumpscflinuxfs2-releasetov1.181.0toaddressissues:

USN-3532-1 USN-3534-1 USN-3535-1

[SecurityFix]Bumpsapps-manager-releasetov662.0.19

Addsnewsecurityheaders:'Strict-Transport-Security’,'X-Content-Type-Options’,and'X-XSS-Protection’

[SecurityFix]Patchescapi-releasetofixissuewhererefreshtokensarenotacceptedwhereaccesstokensarerequired.

CVE-2018-1195

[BugFix]Bumpsmysql-monitoring-releasetov8.14.0

[BugFix]Patchescapi-releasetousedelayedjobqueuetoknowwhenajobisinprogress

[FeatureImprovement]Bumpssyslog-migration-releasetov8.0.1andaddacheckboxforlogfileforwardingthroughTCPtoworkaroundtheTruncatedSyslogMessagesissue.

NOTE:UsingTCPinsteadofthedefaultUDPconfigurationmayhaveanegativeimpactonperformance.

Component Version

Stemcell 3468.21


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.181.0

consul 187

diego 1.25.3


garden-runc 1.10.0


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 1.38.0

mysql-monitoring 8.14.0*Componentsmarkedwithanasteriskhavebeenpatchedtoresolvesecurityvulnerabilitiesorfixcomponentbehavior.


http://www.ubuntu.com/usn/usn-3534-1/http://www.ubuntu.com/usn/usn-3540-2/http://www.ubuntu.com/usn/usn-3532-1/http://www.ubuntu.com/usn/usn-3534-1/http://www.ubuntu.com/usn/usn-3535-1/https://www.cloudfoundry.org/cve-2017-14388/

nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11





uaa 45.7


Component Version

1.12.12[BugFix]Bumpsuaa-releasetov45.7.

[BugFix]PatchtoallowtheBBStomaintainitslockwhentheMySQLVMsarebeingupgraded.

[BugFix]Bumpsapps-manager-releasetov662.0.18toresolveanumberofissues:

Ifinstancehealthisnotloaded,donotrenderrowdraweronappstatustable.Whendeletingapps,usecapiv3endpoint.FixedbugwhereusingDockerwouldcrashAppsManagerbecauseofnon-existentbuildpackinfo.Forappthreadstab,handlewhentherearenoappinstances.FixeddownloadofSpringthreadsonIE.HidenativeselectdropdownonIEandFirefox.DisplayformattedcostwithallcurrenciesinsteadofjustUSDinplansummary.Fixedwiringissuethatcausestheflyouttoalwaysbelievenon-basicserviceswerenotallowed.Fixedselectvsupgradeyouraccountbuttonwhencomingfromappservicestabpanelheader.Loadapphealthafterscaling.Updatedgitandbuildpacktexttomatchaccessibilitystandards.Showv3appscalingeventsontheapppageeventpanel.Loadeventsafterscalingapp.Whenacallto/cloudfoundryapplicationfails,donotcontinuetocheckiftheappisaspringapp.Addclickjackingprotection,whilestillallowingAppsManagertoloadsingular.Longorgnamesinthenavbarorgdropdownareellipsified.Whencheckingenvvariables,donotthrowifuserdoesnothavepermission.Spacememberstabshouldshowallmembersintheorgeveniftheyarenotpermittedtothespace.Fixed404pagefooterinIE.Fixedstylinginaccountingreportdownloadbutton.Fetchallroutesforspacesinsteadofjustthefirstpage.

[BugFix]Addsmissingdefaultdomain streaming-mysql-backup-tool tomysql-backupcertificate.Note:ifyouinstalled1.12.10or1.12.11,youwillhavetorotatecertificates.SeethisKBarticleformoredetails:PivotalApplicationServiceBackupandRestorefailsduetoMissingStreamingmysql-backup-toolDomain

[BugFix]Bumpspivotal-account-releasetov1.8.2tofixbugthatpreventederrandsfromrunningmorethanonce.

[FeatureImprovement]TheSAML'EntityIdOverride’fieldhasbeenmovedfromtheAuthenticationandEnterpriseSSOtabtotheUAAtabinOpsManager,toaccompanytheotherSAMLfieldsintheUAAtab.

Component Version



https://discuss.pivotal.io/hc/en-us/articles/360000139954

Stemcell 3445.22


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.176.0

consul 187

diego 1.25.3


garden-runc 1.10.0


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 1.38.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11




syslog-migration 8

uaa 45.7


Component Version

1.12.11

[SecurityFix]Bumpsstemcellversionto3445.22forUSN-3544-2 andUSN-3544-4

Component Version

ThisreleaseintroducesabugthatcausesBBRbackupstofailduetoamissingdefaultdomaininthemysql-backupcertificate.Werecommendskippingthisreleaseandupgradingto1.12.12orhigher,whichresolvesthisissue.SeethecorrespondingKnowledgeBase formoreinformation.


https://discuss.pivotal.io/hc/en-us/articles/360000139954http://www.ubuntu.com/usn/usn-3522-2/http://www.ubuntu.com/usn/usn-3522-4/

Stemcell 3445.22


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.176.0

consul 187

diego 1.25.3


garden-runc 1.10.0


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 1.38.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11




syslog-migration 8

uaa 45.4


Component Version

1.12.10

[SecurityFix]Bumpscflinuxfs2-releasetov1.176.0forUSN-3513-1 .

[BugFix]Resolvesanissueincontainer-networkingwhereacomponentinthesamenetworkwithmTLScancauseansqlinjectiononthe

ThisreleaseintroducesabugthatcausesBBRbackupstofailduetoamissingdefaultdomaininthemysql-backupcertificate.Werecommendskippingthisreleaseandupgradingto1.12.12orhigher,whichresolvesthisissue.SeethecorrespondingKnowledgeBase formoreinformation.


https://discuss.pivotal.io/hc/en-us/articles/360000139954https://usn.ubuntu.com/usn/usn-3513-1/

DeleteEntry databasehandler.

[BugFix]Resolvesabugwheretaskstatesarenotupdatedwhendropletsaredeleted.

[FeatureImprovement]OpsManagernowallowsoperatorstospecifyanAzureenvironmentnameotherthanthedefault'AzureCloud’.TheoptionisintabFileStorage,undertheExternalAzureStorageintheEnvironmentfield.

[FeatureImprovement]Bumpsmysql-monitoring-releasetov8.13.0toadddiskusagemetricsasapercentage.

[FeatureImprovement]Bumpsmysql-backup-releasetov1.38.0whichenablesmutualTLSbetweenthebackupnodeandserver.

[Feature]Bumpsgarden-runc-releasetov1.10.0:

Itisnowpossibletospecifya ProcessSpec.Image .Processescannowhavetheirownfilesystemview.Limitation:Itisonlypossibletouse ProcessSpec.Image and ProcessSpec.OverrideContainerLimits withunprivilegedcontainers.Thiswillbefixedinfuturereleases.Limitation:APIssuchas BulkMetrics and Process.Signal maynotworkimmediatelyafter container.Run(ProcessSpec) returnsforprocesseswith Image and/or OverrideContainerLimits specified.Thiswillbefixedinfuturereleases.Reducedlogvolumein BulkMetrics forlargeenvironments.CorrectlydeclaresthatbundlesitcreatesareOCIRuntimeSpecversion1.0.0compliant.

Component Version

Stemcell 3445.19


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.176.0

consul 187

diego 1.25.3


garden-runc 1.10.0


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 1.38.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11






syslog-migration 8

uaa 45.4


Component Version

1.12.9[SecurityFix]Bumpsstemcellversionto3445.19forUSN-3509-2 .

[SecurityFix]Bumpscflinuxfs2-releasetov1.171.0toresolveseveralsecurityvulnerabilities:

USN-3489-1:BerkeleyDBvulnerability USN-3496-1:Pythonvulnerability USN-3496-3:Pythonvulnerability USN-3498-1:curlvulnerabilities USN-3501-1:libxcursorvulnerability

[BugFix]Bumpsapps-manager-releasetov662.0.17toresolvesomebugs:

Longorgnamesinthenavbarorgdropdownareellipsified.FixthelookoftheselectcomponentinFirefox.Fixapagecrashthatcouldoccurwhenrefreshinganapppageasaspaceauditor.ImprovedtheresiliencyoftheAppsManagerserverwhenaproxyerroroccurs.Showallorgandspacemembersinthespacememberstableontheorg/spacepagememberstabs.

[BugFix]Bumpscf-mysql-releasetov36.10.0tofinalizeafixforconfigurationandmanagementofsyslog.ReleaseNotes

[BugFix]Bumpsmysql-monitoring-releasetov8.12.0tofinalizeafixforconfigurationandmanagementofsyslog.

[BugFix]OperatorscannowoptionallydisableRouterAccesslogs.ThiswillpreventtheRouterlocaldiskfrombecomingfilledwhentheRoutersareexperiencingincreasedincomingtraffic.

[FeatureImprovement]OperatorscannowspecifythemutualTLScertificatevalidationbehaviorfortheRouter.TheRouterwillrequestcertificatesbydefaultandvalidatethemifprovided.OperatorscanoptionallyconfiguretheRouternottorequestcertificatesortorequirethemwitheveryrequest.

[FeatureImprovement]OperatorscannowoverridetheirSAMLEntityIDwhenconfigurationSAMLasanIdentityProvider.

Component Version

Stemcell 3445.19


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.10.0


cf-smoke-tests 38

cflinuxfs2 1.171.0

consul 187

diego 1.25.3


garden-runc 1.9.4


grootfs 0.30.0

haproxy 8.4.1

java-offline-buildpack 4.6*Componentsmarkedwithanasteriskhavebeenpatchedtoresolvesecurityvulnerabilitiesorfixcomponentbehavior.

WARNING:RequeststotheplatformwillfailuponupgradeifyourloadbalancerisconfiguredwithclientcertificatesandGorouterdoesnothavethecertificateauthority.Tomitigatethisissue,selectRouterdoesnotrequestclientcertificatesforRouterbehaviorforClientCertificateValidationintheNetworkingpane.


https://www.cloudfoundry.org/usn-3509-2/https://usn.ubuntu.com/usn/usn-3489-1/https://usn.ubuntu.com/usn/usn-3496-1/https://usn.ubuntu.com/usn/usn-3496-3/https://usn.ubuntu.com/usn/usn-3498-1/https://usn.ubuntu.com/usn/usn-3501-1/https://github.com/cloudfoundry/cf-mysql-release/releases/tag/v36.10.0

loggregator 96*

mysql-backup 1.35.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0*


scalablesyslog 11




syslog-migration 8

uaa 45.4


Component Version

1.12.8[SecurityFix]Bumpsapps-manager-releasetov662.0.16toresolveanumberofissues:

Upgradestonodejsv8.0toresolveanumberofsecurityissues.WhenviewingaSpringApp’sThreadstab,andtherearenorunninginstances,thereisnowtexttoconveythis.FixdownloadingofSpringthreadsinInternetExplorer.FixappearanceofselectinputsinInternetExplorer.FormatserviceplancostsaccordingtosupportedcurrenciesinAppsManagerconfigurationonthespacepage,servicestabFixbugwherepaidplanswouldnotbeallowedwhentryingtoaddaservicefromthespaceorapppage.Whenscalinganapp,showupdatedapphealthmorequickly.Showappscalingeventsintheeventspanelontheapppage.Changecolorofbuildpacktexttomeetaccessibilitystandards.PreventAppsManagerfrombeingrenderedinaniframe.

[SecurityFix]Bumpsbuildpackreleasesversionstopickupsecurityandbugfixes:

binary-buildpackv1.0.15 dotnet-core-buildpackv1.0.30 go-buildpackv1.8.13 java-buildpackv4.6 nodejs-buildpackv1.6.10 php-buildpackv4.3.43 python-buildpackv1.6.1 ruby-buildpackv1.7.5 staticfile-buildpackv1.4.18

[SecurityFix]Bumpsthestemcelltov3445.17toresolvethefollowingsecurityissues:

USN-3457-1:curlvulnerability USN-3458-1:ICUvulnerability USN-3464-1:Wgetvulnerabilities USN-3469-2:Linuxkernel(XenialHWE)vulnerabilities USN-3475-1:OpenSSLvulnerabilities


https://github.com/cloudfoundry/binary-buildpack/releases/tag/v1.0.15https://github.com/cloudfoundry/dotnet-core-buildpack/releases/tag/v1.0.30https://github.com/cloudfoundry/go-buildpack/releases/tag/v1.8.13https://github.com/cloudfoundry/java-buildpack/releases/tag/v4.6https://github.com/cloudfoundry/nodejs-buildpack/releases/tag/v1.6.10https://github.com/cloudfoundry/php-buildpack/releases/tag/v4.3.43https://github.com/cloudfoundry/python-buildpack/releases/tag/v1.6.1https://github.com/cloudfoundry/ruby-buildpack/releases/tag/v1.7.5https://github.com/cloudfoundry/staticfile-buildpack/releases/tag/v1.4.18https://usn.ubuntu.com/usn/usn-3457-1/https://usn.ubuntu.com/usn/usn-3458-1/https://usn.ubuntu.com/usn/usn-3464-1/https://usn.ubuntu.com/usn/usn-3469-2/https://usn.ubuntu.com/usn/usn-3475-1/

USN-3478-1:Perlvulnerabilities USN-3485-2:Linuxkernel(XenialHWE)vulnerabilities

[SecurityFix]Bumpscflinuxfs2-releasetov1.168.0toresolveUSN-3478-1:Perlvulnerabilities .

[SecurityFix]PatchesCloudControllertopreventusersfrombeingabletocreateaprivatesubdomainofarouteinanorganizationtheydonothaveaccessto.

[BugFix]RevertsthepreviouspatchereleasechangetotheSAMLEntityIDfield.Thefieldisonceagainusing http foritsURLscheme.

[Improvement]Thecustombrandingfieldsforthesquarelogoandfaviconarenowseparatefields.

Component Version

Stemcell 3445.17


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.9.0


cf-smoke-tests 38

cflinuxfs2 1.168.0

consul 187

diego 1.25.3


garden-runc 1.9.4


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 1.35.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0


scalablesyslog 11




syslog-migration 8

uaa 45.4



https://usn.ubuntu.com/usn/usn-3478-1/https://usn.ubuntu.com/usn/usn-3485-2/https://usn.ubuntu.com/usn/usn-3478-1/

1.12.7

[SecurityFix]Bumpscflinuxfs2-releasetov1.166.0toresolveUSN-3475-1 .ReleaseNotes

[BugFix]Bumpscf-mysql-releasetov36.9.0toresolveanissuewhereIPseccausesmariadb_ctrltobeleftinan Execution Failed state.ReleaseNotes

[SecurityFix]Bumpsusage-service-releasetov663.0.6tohidesensitivecredentialinformationwhentheUsageServicedeploymenterrandisrun.

[SecurityFix]Bumpsgrootfs-releasetov0.30.0toresolveCVE-2017-14388 .ReleaseNotes .

[BugFix]ChangestheschemefortheSAMLEntityIDfrom http to https .

Component Version

Stemcell 3445.16


capi 1.40.0*

cf-autoscaling 95


cf-mysql 36.9.0


cf-smoke-tests 38

cflinuxfs2 1.166.0

consul 181

diego 1.25.3


garden-runc 1.9.4


grootfs 0.30.0

haproxy 8.4.1


loggregator 96*

mysql-backup 1.35.0


nats 22

nfs-volume 1.0.9


notifications 37

notifications-ui 29






routing 0.163.0


scalablesyslog 11





ThisreleasehasbeenpulledduetoaregressionintroducedintheSAMLidentityproviderinterface.Pleaseupgradeto1.12.8orhighertoresolvethisissuewiththeSAMLentityID.


http://www.ubuntu.com/usn/usn-3475-1/https://github.com/cloudfoundry/cflinuxfs2/releases/tag/1.166.0https://github.com/cloudfoundry/cf-mysql-release/releases/tag/v36.9.0https://www.cloudfoundry.org/cve-2017-14388/https://github.com/cloudfoundry/grootfs-release/releases/tag/v0.30.0

syslog-migration 8uaa 45.4


Component Version

1.12.6[SecurityFix]Bumpsthestemcelltov3445.16toresolveseveralsecurityvulnerabilities:

USN-3424-1 USN-3432-1 USN-3434-1 USN-3441-1 USN-3444-2

[SecurityFix]Bumpsthecflinuxfs2-releasetov1.165.0toresolveseveralsecurityvulnerabilities:

USN-3457-1 USN-3458-1 USN-3464-1

[BugFix]Bumpsuaa-releasetov45.4topreventadenialofserviceattackagainstthetokenrevocationendpoint.

[BugFix]Patchesloggregator-releasetoremovethe totalReceivedMessageCount metricfromthev2API.

ThelogginglevelfortheCloudController

Pivotal Cloud Foundry DocumentationPCF Security Processes Pivotal Cloud Foundry Security Overview...

Documents

Transcript of Pivotal Cloud Foundry DocumentationPCF Security Processes Pivotal Cloud Foundry Security Overview...