release: github.com/cloudfoundry/cf-release / 217

GitHub source: 68a2ec67 or master branch

The cf-release v217 was released on September 09, 2015.

Important:

  • This release introduces significant improvements to the security of the consul cluster; however, the operator must introduce these changes over the course of multiple deployments. If you are not running any consul servers as part of your deployment, you can ignore these instructions. Otherwise, please do the following:
    1. Scale the number of consul servers in your existing deployment down to 1 instance. The consul.agent.servers.lan property must be updated to reflect this; this should happen for free if you are using the standard tooling for manifest generation. If you are deploying Diego alongside CF, you must redeploy Diego as well to pick up the consul.agent.servers.lan change; again, this should happen for free if using the standard manifest generation tooling.
    2. Generate SSL certificates, keys, and a separate encryption key for the gossip protocol used by consul (instructions). Upload the v217 release and generate your manifest for CF (and then Diego, if also deploying Diego).
    3. Deploy CF (and then Diego, if also deploying Diego).
    4. Scale the number of consul servers back up to whatever you had it at before. Regenerate all relevant manifests and deploy.
  • cf-release v216 was skipped. After cutting a final release, the final release changes need to be committed back to the repo. We do one final deploy of the final release before committing its changes to master. In this case, a bug was found after doing the deploy, so we did not commit its changes. The bug was fixed, a new final release was deployed, and its changes have been committed. Since the director where the deploy was done already had a 216 deployed to it, we could not call the fixed release 216 as well, hence 217.

Contents:

  • CC and Service Broker APIs
  • Runtime
  • Buildpacks and Stacks
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Release and Stemcell Versions
  • Recommended Diego Version
  • Recommended Garden Linux Version

CC and Service Broker APIs

CC API Version: 2.35.0

Service Broker API Version: 2.6

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work continues on Private Brokers details
  • [Experimental] Work reverted on Dashboard Clients per Service Instance details
  • [Experimental] Work started on Route Services details
  • cloudfoundry/cloud_controller_ng #411: Update cf-message-bus which includes latest NATS client details
  • Add a description to the Resource Match API page to apidocs details
  • Add description for recursive delete flag on Orgs and Spaces to apidocs details
  • Update ruby version to 2.1.7 details
  • Remove experimental flags for total_private_domains and app_instance_limit in Creating a Organization Quota Definition details
  • Added new endpoint to get number of started instances by Org GET /v2/organizations/:guid/instance_usage apidoc details

Runtime

DEA

Warden

  • Remove guard against using aufs for nested warden containers to match current garden behavior. details
  • Bump ruby version to 2.1.7. details

HM9000

No functional changes.

Buildpacks and Stacks

stacks

updated to 1.7.0 (from 1.4.0)

1.7.0

Notably, this release addresses USN-2726-1, “Expat vulnerability”, which is related to CVE-2015-1283.

1.6.0

Notably, this release addresses USN-2722-1, “gdk-pixbuf vulnerability”.

1.5.0

Notably, this release addresses:

  • USN-2710-1, “OpenSSH vulnerabilities”
  • USN-2710-2, “openssh regression”

which are related to:

  • CVE-2015-5352
  • CVE-2015-5600

in addition to two other vulnerabilities which do not yet have CVE numbers assigned.

go-buildpack

updated to v1.6.0 (from v1.5.0)

v1.6.0

Packaged binaries:

name version cf_stacks
go 1.2.1 cflinuxfs2
go 1.2.2 cflinuxfs2
go 1.3.2 cflinuxfs2
go 1.3.3 cflinuxfs2
go 1.4.1 cflinuxfs2
go 1.4.2 cflinuxfs2
go 1.5 cflinuxfs2

ruby-buildpack

updated to v1.6.5 (from v1.6.2)

v1.6.5

Packaged binaries:

name version cf_stacks
ruby 2.0.0 cflinuxfs2
ruby 2.1.6 cflinuxfs2
ruby 2.1.7 cflinuxfs2
ruby 2.2.2 cflinuxfs2
ruby 2.2.3 cflinuxfs2
jruby ruby-1.9.3-jruby-1.7.21 cflinuxfs2
jruby ruby-2.0.0-jruby-1.7.21 cflinuxfs2
jruby ruby-2.2.2-jruby-9.0.0.0 cflinuxfs2
node 0.12.7 cflinuxfs2
bundler 1.9.7 cflinuxfs2
libyaml 0.1.6 cflinuxfs2
openjdk1.8-latest 1.8.0_51 cflinuxfs2
rails3_serve_static_assets - cflinuxfs2
rails_log_stdout - cflinuxfs2

v1.6.4

Note that v1.6.3 was not released.

  • Add support for Ruby 2.1.7 and 2.0.0-p647, which addresses CVE-2015-3900. Remove support for Ruby 2.1.5 and 2.0.0-p645. (https://www.pivotaltracker.com/story/show/101589968)

Identity

Updated to UAA Release 2.6.1

Routing

  • Work continues on support for Route Services details, more details
  • Gorouter now logs X-Forwarded-Proto details
  • Gorouter no longer responds to a publish NATS message with an empty subject details
  • Work begun on support for TCP Routing in Routing API details
  • Routing API no longer logs the Authorization header details
  • A bug was introduced in v217 wherein gorouter logs are no longer rotated as frequently as they used to be. This could lead to failure if the disk fills up. A fix has been committed and will be included in v219 details.

Loggregator

Internal Components

etcd

No functional changes.

consul

  • Improve operability of consul cluster when scaling down. details
  • Consul servers determine whether they are synced with the rest of the cluster in the officially recommended manner. details
  • Consul agents and servers communicate securely with one another. details
  • Consul servers leave and join the cluster more reliably during a rolling deploy. details

route_registrar

  • Added new route_registrar job to centralize route registration logic in one place, and move it out of the source code of other components that aren’t primarily concerned with route registration. details

Job Spec Changes

  • Removed networks.apps property from all jobs. details
  • Removed numerous unused properties:
    • Removed cc.internal_service_hostname, cc.jobs.model_deletion.timeout_in_seconds, cc.info.support_address, and ccdb.max_ar_connections from all CC-related jobs.
    • Removed uaa.clients.cloud_controller_username_lookup.client from cloud_controller_ng spec.
    • Removed nats_props from nats_stream_forwarder spec.
  • Added cc.diego.nsync_url, cc.diego.stager_url, and cc.diego.tps_url to all CC-related jobs. details
  • Added consul.require_ssl, consul.ca_cert, consul.server_cert, consul.server_key, consul.agent_cert, consul.agent_key, and consul.encrypt_keys to consul_agent job. details
  • Added doppler.sink_dial_timeout_seconds and doppler.sink_io_timeout_seconds to doppler spec. details
  • Added router.logrotate.freq_min, router.logrotate.rotate, router.logrotate.size, and router.extra_headers_to_log to gorouter spec. details
  • Removed traffic_controller.host and traffic_controller.incoming_port from loggregator_trafficcontroller spec. details
  • Added metron_agent.logrotate.freq_min, metron_agent.logrotate.rotate, and metron_agent.logrotate.size to metron_agent spec. details
  • Added uaa.logging_level to uaa job. details
  • Added login.prompt.username.text and login.prompt.password.text to uaa job. details

Recommended BOSH Release and Stemcell Versions

  • BOSH Release Version: bosh/201
  • BOSH Stemcell Version(s): bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3026

These are soft recommendations; several different versions of the BOSH release and stemcell are likely to work fine with this version of cf-release.

Recommended Diego Version

This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.

Recommended Garden Linux Version

  • garden-linux Release Version: garden-linux/0.303.0

This is a soft recommendation; several different versions of the garden-linux release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload release "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=217"

Modify the deployment manifest to use this release in addition to any other releases it uses:

releases:
- {name: cf, version: "217"}

Finally, add the needed deployment jobs and specify values for required properties.

Optionally download the release tarball locally (sha1: 6b41a35cf3f362f644ab0ce552d578dfd682e9a1):

# download it directly using curl...
$ curl -L -J -O "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=217"

# ...or with wget
$ wget --content-disposition "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=217"
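
To check a downloaded tarball against the sha1 listed above before uploading it to the Director, the following can be used; it is an added example, not part of the original release notes. The helper names and the local file name are assumptions.

```shell
#!/bin/sh
# Added example: compare a file's SHA-1 with the digest published on this page.
# compute_sha1 and verify_release_sha1 are hypothetical helper names.

# Digest published for cf-release v217 on this page.
CF_RELEASE_217_SHA1="6b41a35cf3f362f644ab0ce552d578dfd682e9a1"

# compute_sha1 FILE -> prints the hex digest using whichever tool is installed.
compute_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 -r "$1" | awk '{print $1}'
    else
        return 2
    fi
}

# verify_release_sha1 FILE EXPECTED_HEX
# Returns 0 only when FILE exists and its digest equals EXPECTED_HEX;
# 1 on mismatch, 2 on bad input or missing tooling.
verify_release_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Accept exactly 40 hex characters, so an empty or truncated
    # expected value can never produce a match.
    case $expected in
        *[!0-9a-f]*) echo "bad expected digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "bad expected digest" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(compute_sha1 "$file") || { echo "no SHA-1 tool found" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file has $actual, expected $expected" >&2
        return 1
    fi
}

# Usage after downloading (the local file name is an assumption):
#   verify_release_sha1 cf-release-217.tgz "$CF_RELEASE_217_SHA1" || exit 1
```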