release: github.com/cloudfoundry/cf-release / 219

Github source: 0e63f392 or master branch

The cf-release v219 was released on October 02, 2015.

Important:

  • The bump in v219 to etcd-metrics-server turned out to not play nicely with collector, and caused collector to periodically crash. If your system is dependent on collector for metrics, this will affect your deployment. However, if you are not concerned with metrics from the etcd component, you can opt to not include etcd-metrics-server as part of your deployment. In standard deployments, it is colocated with the etcd_zN jobs; you can simply remove the template from the list of colocated jobs.
  • The uaa job has a property called router.servers which is meant to be an array of the IPs of the routers, and the haproxy job has two properties called router.servers.z1 and router.servers.z2. Specifying these properties in the global properties map in your deployment manifest will be troublesome; it is advised to specify these properties at the job level. The usual “spiff” manifest generation templates provided in the cf-release repository will do this out of the box for you.

Contents:

  • CC and Service Broker APIs
  • Runtime
  • Buildpacks and Stacks
  • Identity
  • Routing
  • Loggregator
  • Internal Components
  • Job Spec Changes
  • Recommended BOSH Release and Stemcell Versions
  • Recommended Diego Version
  • Recommended Garden Linux Version

CC and Service Broker APIs

CC API Version: 2.37.0

Service Broker API Version: 2.6

NOTE: upgrading to this release truncates the events table.

Cloud Controller

  • [Experimental] Work continues on /v3 and Application Process Types details
  • [Experimental] Work continues on Private Brokers details
  • [Experimental] Work continues on Route Services details
  • [Experimental] As an operator or Org Manager, I expect to be able to CRUD app instance limits in a space quota details
  • Added api docs for new feature flags introduced in cf-release 218 to control if roles can be managed by username by org managers/space managers details
  • Remove experimental labels on Org/Space user management by username details
  • Updated description and removed experimental flag for purge parameter on service instance delete details
  • Remove experimental flag for accepts_incomplete and last_operation.* on service_instances endpoints details
    • Will be bumping the service broker api to v2.7 in the next cf-release
  • Add app_ssh_oauth_client to /v2/info details
  • Add routing_endpoint to /v2/info details
  • cloudfoundry/cloud_controller_ng #438: Upgrade to Ruby 2.2.3 for Cloud Controller details
  • cloudfoundry/cloud_controller_ng #416: Service binding validation should assert syslog_drain_url is empty details
  • cloudfoundry/cloud_controller_ng #431: 430 use U.S. spelling of ‘rspec’, drop --profile details
  • cloudfoundry/cloud_controller_ng #418: Added new events table index on timestamp and id. details
  • add index to actee_type on events table and truncate events table details
  • Ensure file mode is considered for package blobs details
  • Fixed issue where purge-service-offering failed if there’s a service instance that’s marked as “in progress” details
  • Fixed bug where Space auditor could not view routes with private domains details

Runtime

No changes.

Buildpacks and Stacks

stacks

updated to 1.9.0 (from 1.8.0)

1.9.0

Notably, this release addresses USN-2740-1, “ICU vulnerabilities”, which is related to:

  • CVE-2015-1270
  • CVE-2015-2632
  • CVE-2015-4760

go-buildpack

updated to v1.6.2 (from v1.6.0)

v1.6.2

Go 1.4.3 is a security update for the following CVEs:

  • CVE-2015-5739 Content Length treated as valid header
  • CVE-2015-5740 Double content-length headers does not return 400 error
  • CVE-2015-5741 Additional hardening, not sending Content-Length w/Transfer-Encoding

Packaged binaries:

name version cf_stacks
go 1.2.1 cflinuxfs2
go 1.2.2 cflinuxfs2
go 1.3.2 cflinuxfs2
go 1.3.3 cflinuxfs2
go 1.4.2 cflinuxfs2
go 1.4.3 cflinuxfs2
go 1.5 cflinuxfs2
go 1.5.1 cflinuxfs2

v1.6.1

php-buildpack

updated to v4.1.4 (from v4.1.2)

v4.1.4

  • update binaries for ICU vulnerabilities: USN-2740-1, CVE-2015-1270, CVE-2015-2632, CVE-2015-4760. This commit removes libicu from the buildpack and instead relies upon the libraries delivered by the rootfs (note that rootfs 1.9.0 addresses this vulnerability). (https://www.pivotaltracker.com/story/show/103531876)

Packaged binaries:

name version cf_stacks modules
php 5.4.44 cflinuxfs2 amqp, apc, apcu, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib, zookeeper
php 5.4.45 cflinuxfs2 amqp, apc, apcu, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib, zookeeper
php 5.5.28 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.5.29 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xhprof, xsl, yaf, zip, zlib
php 5.6.12 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xsl, yaf, zip, zlib
php 5.6.13 cflinuxfs2 amqp, bz2, curl, dba, exif, fileinfo, ftp, gd, gettext, gmp, igbinary, imagick, imap, intl, ioncube, ldap, lua, mailparse, mbstring, mcrypt, memcache, memcached, mongo, msgpack, mysql, mysqli, opcache, openssl, pcntl, pdo, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, phalcon, phpiredis, protobuf, protocolbuffers, pspell, readline, redis, snmp, soap, sockets, suhosin, sundown, twig, xcache, xdebug, xsl, yaf, zip, zlib
hhvm 3.5.0 cflinuxfs2
hhvm 3.5.1 cflinuxfs2
hhvm 3.6.0 cflinuxfs2
hhvm 3.6.1 cflinuxfs2
composer 1.0.0-alpha10 cflinuxfs2
httpd 2.4.16 cflinuxfs2
newrelic 4.23.3.111 cflinuxfs2
nginx 1.6.3 cflinuxfs2
nginx 1.8.0 cflinuxfs2
nginx 1.9.4 cflinuxfs2

v4.1.3

Please note that PHP 5.4 will reach “End of Life” on 2015-09-14. We intend to remove support for this version of PHP on or before 2015-10-16.

  • Updating PHP binaries for redis 2.2.7 (https://www.pivotaltracker.com/story/show/100925176)
  • Add support for PHP 5.4.45, 5.5.29, 5.6.13
  • Remove support for PHP 4.4.43, 5.5.27, 5.6.11 (https://www.pivotaltracker.com/story/show/102517700)
  • Upgrade nginx to 1.9.4

python-buildpack

updated to v1.5.1 (from v1.5.0)

v1.5.1

Packaged binaries:

name version cf_stacks
python 2.7.10 cflinuxfs2
python 2.7.9 cflinuxfs2
python 3.3.5 cflinuxfs2
python 3.3.6 cflinuxfs2
python 3.4.2 cflinuxfs2
python 3.4.3 cflinuxfs2
python 3.5.0 cflinuxfs2
libffi 3.1 cflinuxfs2
libmemcache 1.0.18 cflinuxfs2

Identity

  • Bumped UAA to version 2.7.0.2 details

Routing

  • Operator can now specify a preferred order of ciphers for Gorouter (details)
  • Fixed issues causing logged errors for Gorouter log rotation (details, more details)
  • Thanks to LAMD team, Gorouter now emits metrics through loggregator firehose (details, more details)
  • Gorouter now logs response_time for tcp and websocket connections details
  • Fixed bug where uptime metric emitted by gorouter via /varz endpoint (used by collector) was not updated details

Work continues on adding support for Route Services with:

  • a change to how keys used to encrypt the Signature header can be rotated (details)
  • X-Cf-Forwarded-Url is not expected with requests forwarded by route services details
  • updates to CC API for binding service instances to routes (epic)

Work continues on support for TCP routes in CF with:

  • updated scopes for routing api (details)
  • consolidating tcp routing api and routing-api, and updating tcp router and tcp emitter to use routing api (epic)
  • updates to expose router groups through CLI (epic)

Loggregator

Internal Components

consul

No functional changes.

etcd

No functional changes.

etcd-metrics-server

  • Submit metrics to metron_agent in service of eventually deprecating /varz and the Collector. details
  • Support stats from more recent version of etcd. details

route_registrar

  • Now supports specifying tags for registered routes, used when gorouter emits metrics (e.g. latency). details

Job Spec Changes

  • Replaced router.servers.z1 and router.servers.z2 properties with router.servers in uaa job, to not limit deployments to 2 AZs. details
  • Added uaa.id_token.disable property to uaa job. details
  • Set default value of login.protocol property in uaa job to https and change default value of cc.external_protocol property from http to https in cloud_controller_ng, cloud_controller_worker, and cloud_controller_clock jobs. details
  • Removed uaa.openid.fallbackToAuthcode property from uaa job. details
  • Added uaa.disableInternalAuth and uaa.disableInternalUserManagement properties to uaa job. details
  • Added app_ssh.oauth_client_id property to cloud_controller_ng job. details
  • Added cc.packages.max_valid_packages_stored and cc.droplets.max_staged_droplets_stored properties to cloud_controller_ng job. details
  • Changed consul.encrypt_keys property in consul_agent job to support specifying encryption keys as plain strings, rather than requiring base64 encodings of 16-byte strings. details
  • Changed route_registrar.routes property in route_registrar job to include tag data. details
  • Remove many references to /varz and NATS properties in various Logging and Metrics jobs. details:
    • Remove nats.port, nats.machines, nats.password, nats.user, and doppler.collector_registrar_interval_milliseconds properties from doppler job.
    • Remove traffic_controller.collector_registrar_interval_milliseconds property from loggregator_trafficcontroller job.
    • Remove nats.port, nats.machines, nats.password, nats.user, metron_agent.collector_registrar_interval_milliseconds, metron_agent.status.port, metron_agent.status.password, and metron_agent.status.user properties from metron_agent job.
  • Separate router.route_service_secrets property into router.route_services_secret and router.route_services_secret_decrypt_only properties in gorouter job. details
  • Remove default value for router.cipher_suites property in gorouter job. details
  • Rename ha_proxy.buffer_size property to ha_proxy.buffer_size_bytes in haproxy job. details
  • Added syslog_daemon_config.custom_rule property to metron_agent job. details
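
A pre-upgrade check for some of the property changes listed above, as an added example that is not part of the original release notes or of cf-release. It assumes a manifest already parsed into a dict with a top-level properties map and a jobs list whose entries carry name, templates and properties; the names lint, lookup, CHANGED and SAMPLE are hypothetical and the sample manifest is constructed.

```python
# Added example (not cf-release code): pre-upgrade lint for a v219 manifest.
MISSING = object()
# Property paths this page lists as removed, renamed or split in v219.
CHANGED = {
    "uaa.openid.fallbackToAuthcode": "removed from the uaa job",
    "router.route_service_secrets": "split in two in the gorouter job",
    "ha_proxy.buffer_size": "renamed in the haproxy job",
    "metron_agent.status": "port/user/password removed from metron_agent job",
}

def lookup(props, dotted):
    """Walk nested property maps along a dotted path; MISSING if absent."""
    node = props
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def lint(manifest):
    """Return sorted (scope, property, reason) findings for a parsed manifest."""
    scopes = [("global", [], manifest.get("properties") or {})]
    for job in manifest.get("jobs") or []:
        templates = [t["name"] for t in job.get("templates") or []]
        scopes.append((job["name"], templates, job.get("properties") or {}))
    findings = []
    for scope, templates, props in scopes:
        for path, reason in CHANGED.items():
            if lookup(props, path) is not MISSING:
                findings.append((scope, path, reason))
        servers = lookup(props, "router.servers")
        if scope == "global" and servers is not MISSING:
            findings.append((scope, "router.servers", "set per job, not globally"))
        elif "uaa" in templates and isinstance(servers, dict):
            findings.append((scope, "router.servers", "uaa now takes a list of IPs"))
    return sorted(findings)

# Constructed sample: the dict a YAML parser would return for a manifest.
SAMPLE = {
    "properties": {"router": {"servers": {"z1": ["192.0.2.10"]}},
                   "ha_proxy": {"buffer_size": 16384}},
    "jobs": [{"name": "uaa_z1", "templates": [{"name": "uaa"}], "properties": {
        "uaa": {"openid": {"fallbackToAuthcode": True}},
        "router": {"servers": {"z1": ["192.0.2.10"]}}}}],
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("%s: %s (%s)" % finding)
```

The haproxy job still takes router.servers.z1 and router.servers.z2, so the z1/z2 form is reported only for jobs that colocate the uaa template.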

Recommended BOSH Release and Stemcell Versions

  • BOSH Release Version: 201
  • BOSH Stemcell Version(s): 3026

These are soft recommendations; several different versions of the BOSH release and stemcell are likely to work fine with this version of cf-release.

Recommended Diego Version

This is a soft recommendation; several different versions of the diego-release may work fine with this version of cf-release.

Recommended Garden Linux Version

This is a soft recommendation; several different versions of the garden-linux release may work fine with this version of cf-release and the aforementioned version of diego-release.

Upload this release version to the Director:

$ bosh upload-release "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=219" --sha1 8f184915d4ad0bf27c49e03922364e3c13fed85d

Modify deployment manifest to use this release in addition to any other used releases:

releases:
- name: cf
  version: "219"

Finally add needed deployment jobs and specify values for required properties.

Optionally download the release tarball (sha1: 8f184915d4ad0bf27c49e03922364e3c13fed85d) locally:

# download it directly using curl...
$ curl -L -J -O "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=219"

# ...or with wget
$ wget --content-disposition "https://bosh.io/d/github.com/cloudfoundry/cf-release?v=219"