Releases: cloudfoundry/capi-release
CAPI 1.48.0
Highlights
- Read-only Admins can view app stats.
- Brokers can determine what space a binding request is from.
CC API Version: 2.102.0 and 3.37.0
Service Broker API Version: 2.13
CAPI Release
Cloud Controller
- API client should NOT fail to query v3 APIs when value includes '+' details
- As a SpaceAuditor in the target space, when I POST /v3/service_instances/:guid/relationships/shared_spaces, the error message contains multiple errors if needed details
- As a service broker author, I can see the GUID of the space the app belongs to when I create a binding for an app details
- As an Operator, I can see schema objects in the Events API List Service Plan Create Events docs details
- As an app dev (receiver), I see a relevant error message when I try to delete a service instance that has been shared with me details
- As an app dev (receiver), I see a relevant error message when I try to update a service instance that has been shared with me details
- As an app dev (sharer) I can list a service instance's share relationships details
- As an app dev (sharer) I no longer get a related shared_spaces link in the space object details
- CC sends the permissions to Perm when it creates the role details
- Read-Only Admins can see stats for app details
Pull Requests and Issues
CAPI 1.47.0
Important
There is an issue with MySQL 5.5 that can cause application downtime when deploying this release. Other databases and versions are not affected by application downtime, but may have other issues.
Database | Issue |
---|---|
MySQL 5.5 and earlier, MariaDB using InnoDB 5.5 | Application downtime. |
MySQL 5.6 or later, MariaDB using InnoDB/XtraDb 5.6 | No issues. |
PostgreSQL | No application downtime. In rare cases a deploy may fail, but succeed on a subsequent attempt. If subsequent attempts fail, follow the mitigation plan below. |
Mitigation Plan
Mitigation for cf-release
There is a `cloud_controller_clock` job running on each of the `clock_z*` instances.
If the only jobs on a clock instance are `cloud_controller_clock`, `metron_agent`, `consul_agent`, and `system_localhost`, you can stop the entire instance with this command:
bosh stop -d DEPLOYMENT_NAME clock_z1
Repeat for each `clock_z*` instance.
Otherwise, for each clock instance i, do the following:
bosh ssh -d DEPLOYMENT_NAME clock_z[i]
sudo
monit stop cloud_controller_clock
After the upgrade deployment has completed, `bosh vms` should report that all `clock_*` instances are running. If any aren't, `bosh ssh` to each non-running `clock_*` instance, `sudo`, and run `monit start cloud_controller_clock`.
Mitigation for cf-deployment
There is a `cloud_controller_clock` job on each of the `scheduler` instances. Unlike for cf-release, there is only one option. The `cloud_controller_clock` job should be explicitly stopped on each node as follows:
bosh ssh -d DEPLOYMENT_NAME scheduler/i
sudo
monit stop cloud_controller_clock
After the upgrade deployment has completed, `bosh vms` should report that all `scheduler` instances are running. If any aren't, `bosh ssh` to each non-running `scheduler` instance, `sudo`, and run `monit start cloud_controller_clock`.
Notes
Highlights
- Resolves an issue that causes tasks to sometimes be canceled prematurely or marked as failed after completing successfully.
CC API Version: 2.101.0 and 3.36.0
Service Broker API Version: 2.13
CAPI Release
- As an operator I can take a backup of only the relevant parts of the cc blobstore details
Cloud Controller
- A Cloud Foundry administrator should see a log when there is a discrepancy between Perm and CC details
- As an app dev (receiver), I can continue to bind apps to a service instance that has been shared with me when the feature flag is disabled details
- As an app dev (sharer), I can unshare a service instance from a space where I do not have access details
- As an app dev (sharer), I cannot rename a service instance that has been shared details
- As an app dev (sharer), I cannot share a service instance that is using an inactive plan details
- As an app dev (sharer), if I try to share a service instance into a space where access to that service is not enabled, the share fails details
- As an app dev (sharer), if the service instance sharing feature flag is disabled, I should still be able to unshare existing shares details
- As an app dev I can filter v3 service instances by space guid details
- As an app dev, I can only see bindings in spaces that I have access to for shared service instances details
- Cloud Controller should check to see if a user can perform an action with Perm (V3) details
- Improve performance of GET /v2/service_instances details
- Permission denied while trying to V3 copy a droplet with NFS blobstore details
- Service instance sharing-related errors should usually return 422 instead of 400 details
- V3 droplet/package/other blobstore resources downloads don't work when using an NFS server details
- change tld to apps.internal details
Pull Requests and Issues
CAPI 1.46.0
Highlights
- Default to secure communication between Cloud Controller and Diego. See here for more details.
- Resolves thread leak with diego synchronization.
- Resolves issue causing periodic cleanup jobs to stop running.
- Introduce experimental support for named service bindings.
Job Spec Changes
- Removed `cc.users_can_select_backend` property. Diego is the only supported backend, so this property is no longer relevant.
Known Issues
- Tasks are sometimes canceled prematurely or marked as failed after completing successfully. Resolved in capi-release 1.47.0
CC API Version: 2.100.0 and 3.35.0
Service Broker API Version: 2.13
CAPI Release
- Add `set -o pipefail` to the bbr scripts along with `set -e` details
- As a CF operator, I expect the BBS eventually to exit when its backing Postgres database is unavailable details
- As a CF operator, if I configure the stager with a whitelist of insecure docker registries, I expect the docker app lifecycle builder to allow insecure communication with those registries (regression) details
- Operator sees that local bridge is used by default. details
- Potential drain failure on tps_watcher drain script details
- monit_stop_job shouldn't try to run if monit_unmonitor_job is still running in pre-backup-lock script details
- wait_unmonitor_job's regex is not strict enough details
Cloud Controller
- API client can filter service bindings by name details
- API client can observe binding name in VCAP_SERVICES environment variable details
- API client does not see running task for a task that completed but had its droplet deleted details
- API client gets actionable error message when starting an app without a droplet details
- API client observes an audit.app.restart audit event details
- API client with a role that allows service instance read can view dashboard url details
- As a CAPI developer, when I create an org or space with the V3 API, corresponding roles should be created in Perm details
- As an API client I can discover the /v3/service_instances resource details
- As an app dev (receiver), I can see information regarding service instances that have been shared with me details
- As an app dev (receiver), I can see minimal space information in the shared_from endpoint when a service instance has been shared with me details
- As an app dev (receiver), I can see sharing information regarding service instances that have been shared with me (shared_from) details
- As an app dev (receiver), I cannot delete a service instance that has been shared with me details
- As an app dev (receiver), I cannot rename a service instance to the same name of a service instance that has been shared with me details
- As an app dev (receiver), I cannot share a service instance that has been shared with me where I do not have access to the service instance details
- As an app dev (receiver), I cannot update a service instance that has been shared with me details
- As an app dev (receiver), I shouldn't be able to create a service instance with the same name as an instance that has been shared with me details
- As an app dev (sharer), I can see sharing information regarding service instances that I have shared (shared_to) details
- As an app dev (sharer), I can see the number of bindings made to service instances that I have shared details
- As an app dev (sharer), I cannot delete a service instance that I have shared which does not have bindings in another space details
- As an app dev (sharer), I cannot delete a service instance that I have shared which has bindings in another space details
- As an app dev (sharer), I cannot share service instances with myself details
- As an app dev (sharer), if I try to share a service instance into a space when the service has not specified shareable: true the share fails details
- As an app dev (sharer), if I try to share a service instance into a space where a service instance exists with the same name, the share fails details
- As an app dev, I cannot create a service key for a service instance that I do not have access to (i.e. has been shared with me) details
- As an app dev, I cannot list service keys for a service instance that I do not have access to (i.e. has been shared with me) details
- As an app dev, I can list non-shared service instances using the v3 API details
- As an app dev, I can list shared service instances using the v3 API details
- As an app dev, I cannot share a route service details
- As an app dev, I cannot share user provided services details
- As an app dev, I cannot view a specific service key or delete a service key for a service instance that I do not have access to (i.e. has been shared with me) details
- Cloud Controller has a feature flag to enable the querying of perm details
- Threads leak during errors in sync details
Pull Requests and Issues
- cloudfoundry/capi-release #66: some clock_jobs never run if last_completed_at < last_started_at value details
- cloudfoundry/cloud_controller_ng #942: `users_can_select_backend` defaults to true details
- cloudfoundry/cloud_controller_ng #971: API docs - "Update an Organization" should have example values details
- cloudfoundry/cloud_controller_ng #972: Implement bare-bones GET /v3/service_instances details
CAPI 1.45.0
Highlights
- Support multiple UAA origins when configuring user roles.
Job Spec Changes
- Breaking logging change with introduction of property `cc.log_db_queries`, which defaults to `false` for jobs `cloud_controller_ng`, `cloud_controller_worker`, and `cloud_controller_clock`. This causes DB logs to not be logged by default. If you want to see these logs, you'll need to switch this value to `true`. An example of the logs in question:
{"timestamp":1510256720.2370548,"message":"(0.001166s) SELECT * FROM `delayed_jobs` WHERE ((((`run_at` <= '2017-11-09 19:45:20') AND (`locked_at` IS NULL)) OR (`locked_at` < '2017-11-09 15:45:20') OR (`locked_by` = 'cc_api_worker.api.0.2')) AND (`failed_at` IS NULL) AND (`queue` IN ('cc-api-0'))) ORDER BY `priority` ASC, `run_at` ASC LIMIT 5","log_level":"info","source":"cc.background","data":{},"thread_id":46994475118420,"fiber_id":46994498232380,"process_id":1759344,"file":"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/2.4.0/gems/sequel-4.49.0/lib/sequel/database/logging.rb","lineno":88,"method":"block in log_each"}
CC API Version: 2.99.0 and 3.34.0
Service Broker API Version: 2.13
CAPI Release
- Operator should find valid defaults in BOSH job spec files details
Cloud Controller
- /v2/buildpacks pagination includes invalid order-by parameter details
- API client can associate users to orgs by username and origin details
- API client can associate users to spaces by username and origin details
- API client can remove users from orgs by username and origin details
- API client can remove users from spaces by username and org details
- API client can restart an app details
- API client can supply a name for a service binding details
- API client can view the organization relationship on a space resource details
- API clients can order isolation segments by name details
- As an Operator, I can enable service sharing for all services across my CF deployment details
- As an app dev (receiver) API client, I can bind my app to a service instance that has been shared with me details
- As an app dev (receiver), I can see service instances that have been shared with me details
- As an app dev (sharer), I can see shared service instances in the space summary details
- As an app dev (sharer), I can share a service instance into another space details
- As an app dev (sharer), I can unshare a service instance that I have shared which has bindings in another space details
- As an app dev (sharer), I can unshare a service instance that I have shared which has no bindings in any space details
- As an auditor, I see an event when a service instance is shared details
- As an auditor, I see an event when a service instance is unshared details
- As an operator, I expect CC to disallow an app developer from setting the health check timeout on their app to 0 so that I do not have apps starting up without timeouts details
- BPM config `env` should be a hash instead of an array of strings details
- BPM learns the config option `ephemeral_disk:` details
- CC is not emitting the CEF logs details
- Credhub api location comes via manifest property rather than being generated from link information details
- Improve blobstore error handling details
- Improve performance of V3 processes#index endpoint details
- Missing X-Broker-API-Originating-Identity on delete binding request from CF CLI details
- Operator deploys successfully when data service availability is dependent on BOSH DNS details
- Remove unused exceptions in ServiceBindingDelete action details
- Service instance name field length should be apparent when the name length is exceeded details
- Setting running and staging environment variable groups doesn't validate length of keys details
- We can remove /v2/syslog_drains_urls once the new internal version is being used details
- Write migrations to remove v1 broker properties from services and service_auth_tokens tables details
Pull Requests and Issues
- cloudfoundry/capi-release #49: Please put the cloud controller job spec in the conventional location details
- cloudfoundry/capi-release #61: Please add patch for nginx-http-upload-module details
- cloudfoundry/cloud_controller_ng #776: Should cf update-service work from bindable service plan to non-bindable service plan? details
- cloudfoundry/cloud_controller_ng #832: MEMORY_LIMIT environment variable should be ignored. details
- cloudfoundry/cloud_controller_ng #859: hostnames containing underbar should lead to CF-RouteInvalid error details
- cloudfoundry/cloud_controller_ng #881: Add routing endpoint to root payload details
- cloudfoundry/cloud_controller_ng #919: Log message has credential and salt in clear text details
- cloudfoundry/cloud_controller_ng #925: api docs for app events include non-app related events? details
- cloudfoundry/cloud_controller_ng #930: Add current_user_guid to service unbind details
- cloudfoundry/cloud_controller_ng #931: Update BPM to 0.2.0 details
- cloudfoundry/cloud_controller_ng #955: Route being created in CCDB even cloud controller throwing CF-NotAuthorized details
- cloudfoundry/cloud_controller_ng #964: Bump bits_service_client version to 0.3.0 details
CAPI 1.44.0
Highlights
- Improve BOSH Backup and Restore support
- Add experimental support for service brokers storing credentials in CredHub
Job Spec Changes
- `release_level_backup`: Now defaults to `true`
- `cc.credential_references.interpolate_service_bindings`: When set to `true`, does not interpolate CredHub references for staging and running apps and tasks.
CC API Version: 2.98.0 and 3.33.0
Service Broker API Version: 2.13
CAPI Release
- CAPI release 1.42 sometimes tries and fails to compile ruby-debug-ide details
- BBR `release_level_backup` property is true by default for all capi-release jobs details
Cloud Controller
- API client can view the space relationship on an app resource details
- V3 Droplets should not have a link to V2 Buildpack details
- Remove `/internal/log_access/:guid` endpoint details
- Bump nokogiri to 1.8.1 details
- API client can find credhub link at "/" endpoint details
- App developer sees that service credentials from credhub are interpolated for staging details
- App developer sees that service credentials from credhub are interpolated for running apps and tasks details
- Operator can configure CF to NOT interpolate service credentials from credhub details
- API client can view service keys that are credhub references details
Pull Requests and Issues
- cloudfoundry/capi-release #61: Add patch for nginx-http-upload-module details
- cloudfoundry/capi-release #60: cloud_controller_ng pre-restore-lock exits before monit finished details
- cloudfoundry/capi-release #58: un-namespace `release_level_backup` property details
- cloudfoundry/cloud_controller_ng #864: 500 unknown error when binding route to app in org with quota of 0M app instance mem details
- cloudfoundry/capi-release #63: cloud_controller_ng pre-backup-lock does not work when there is more than 1 CC instance details
- cloudfoundry/cloud_controller_ng #897: App Staging buildpack cache not getting updated when using NFS Fog Local blobstore details
  - Operators using NFS blobstores will need to `DELETE /v2/blobstores/buildpack_cache` to remove existing read-only cache files
CAPI 1.43.0
Highlights
- Includes support for BOSH Backup and Restore
- Includes support for Open Service Broker API 2.13
- Use Ruby 2.4.2
- Resolves issue that caused `properties.uaa.clients.cc-service-dashboards.secret` to become a required manifest property. It is now optional again.
Job Spec Changes
- `cloud_controller.release_level_backup`: Set to `true` to include cloud_controller jobs in backup and restore operations. Used by jobs `cloud_controller_ng`, `cloud_controller_clock`, `cloud_controller_worker`, `tps`, and `blobstore`.
CC API Version: 2.97.0 and 3.32.0
Service Broker API Version: 2.13
CAPI Release
- As an operator I can enable blobstore backup in the CAPI release with a feature flag details
- Upgrade to ruby 2.4.X details
Cloud Controller
- API client can view the space relationship on an app resource details
- As a SBA I receive the most appropriate error when a schema has multiple errors details
- As a SBA, I can register a JSON schema without the type field details
- As a SBA, I cannot register a JSON schema without the $schema field details
- As a service broker author, I can register a single plan with a service binding schema details
- As a service broker author, I can register multiple plans with schemas details
- As a service broker author, I can register multiple services with multiple plans with schemas details
- As an operator, I can use bbr to take a consistent backup and restore of my cloud controller database details
- As an operator, I can use scripts to backup and restore my cloud controller database details
- Cloud Controller reports v2.13 OSBAPI to service brokers details
- Deploy fails if previously optional properties `uaa.clients.cc-service-dashboards.secret` and `uaa.clients.cc_service_broker_client.secret` are not provided details
- Improve spec description for cc logging level properties details
- PM sees that credhub is a reserved system route details
- Process's "command" property is sometimes null when process type is web details
- Service Broker observes Cloud Controller client in bind request details
Pull Requests and Issues
- cloudfoundry/cloud_controller_ng #900: List UPS Routes documents invalid query parameter details
- cloudfoundry/cloud_controller_ng #908: Support Open Service Broker API v2.13 details
- cloudfoundry/cloud_controller_ng #912: Add network info to staging tasks details
- cloudfoundry/cloud_controller_ng #915: Add internal-routes to the route info. details
CAPI 1.42.0
Highlights
- Resolves several issues when removing legacy bridge components.
- Now compatible with NFS
- Now works with service bindings that include volume services
Job Spec Changes
- `properties.uaa.clients.cc_service_key_client.secret`: This release introduces a new UAA client. Operators must provide a client secret. Any sufficiently strong password-like string will suffice.
- `properties.uaa.clients.cc-service-dashboards.secret`: capi-release 1.42.0 includes a regression that marked the previously optional `properties.uaa.clients.cc-service-dashboards.secret` property as required. Temporarily set this property to any strong password if you haven't already provided a value. The next capi-release will again mark this property as optional.
CC API Version: 2.96.0 and 3.31.0
Service Broker API Version: 2.12
CAPI Release
- cf-deployment can deploy windows2016 and windows2012R2 cells details
Cloud Controller
- API client can discover if SSH is enabled for an app details
- API client can enable/disable the SSH feature for an app details
- API client observes proper pagination links when viewing app features details
- App logs do not get emitted from CC workers/CC Clock details
- As a CTA I have documentation on the schema work in the CAPI documentation details
- As a SBA I can see the Originating Identity HTTP header on all requests details
- As a SBA, I want to receive a context object when creating a service binding details
- As an SBA, I can register a schema using either draft 4 or draft 6 details
- Spec files only contain meaningful properties for their jobs details
- cf push with stack and instance_count fails. details
- stop leaking pre-start processes details
Pull Requests and Issues
- cloudfoundry/cloud_controller_ng #883: cf ssh broken for docker containers that don't expose a port details
- cloudfoundry/cloud_controller_ng #892: volume services broken if nsync not available on cc_bridge details
- cloudfoundry/cloud_controller_ng #893: Fog nfs local blobstore not compatible with tls details
CAPI 1.41.0
Highlights
- Support for SSL connection to CCDB
- Resolve an issue where the non-bridge syncing component was marking successfully completed tasks as FAILED
- Always perform orphan blob cleanup
CC API Version: 2.95.0 and 3.30.0
Service Broker API Version: 2.12
CAPI Release
Cloud Controller
- API client can view Features for an App details
- API client can view the SSH feature for an app details
- API client should NOT see 'endpoint' field for non-http health check types details
- As an operator, I'd like to be able to configure my database connection to use SSL details
- Delayed job workers keep crashing with "Attempt to delete object did not result in a single row modification" details
- Include a droplets link in the call to /v3 details
- Move off fork of delayed_jobs_sequel details
- Operator can find ASG guids on diego lrp and task egress rules details
- Operator can see that orphan blob cleanup is happening by default. details
- Tasks failed by sync job should create TASK_STOPPED usage events details
- We should not fail tasks that are actually still running on Diego details
- v2 Put/Post apps doesn't accept empty buildpack parameters anymore details
Pull Requests and Issues
- cloudfoundry/cloud_controller_ng #888: Fix infinite loop bug when UAA returns empty key map details
- cloudfoundry/cloud_controller_ng #871: Update v2.yml details
- cloudfoundry/cloud_controller_ng #886: Execute bpm from /var/vcap/jobs/bpm/bin details
- cloudfoundry/capi-release #51: Bump ruby version details
- cloudfoundry/capi-release #52: Execute bpm from /var/vcap/jobs/bpm/bin details
Job Spec Changes
Cloud Controller can now be configured to communicate with its database using SSL. All three components must be configured: `cloud_controller_ng`, `cloud_controller_clock`, `cloud_controller_worker`. Each component takes the same new properties described below.
- `ccdb.ca_cert` - The CA cert to use when communicating with the database over SSL
- `ccdb.ssl_verify_hostname` - Verify that the database SSL certificate matches the host to which the connection is attempted - defaults to `true`
CAPI 1.40.0
Highlights
- Some Cloud Foundry deployments may have `TASK_STARTED` usage events without corresponding `TASK_STOPPED` events, even though the task is completed or the app has been deleted. The bug that caused that was fixed in capi-release 1.36.0. This release will backfill missing `TASK_STOPPED` events to allow billing to complete the task lifecycle. Because we do not know when the task completed, we will record as if it ran for one second, to prevent over billing.
CC API Version: 2.94.0 and 3.29.0
Service Broker API Version: 2.12
CAPI Release
- Bump to latest nginx in capi-release details
Cloud Controller
- API client can view a specific organization details
- API client should NOT see unknown error when restaging a V3 app details
- As a service broker author, I can register a single plan with a service binding schema details
- API client can create a space details
- API client can create an organization details
- API client can discover app ssh info from the '/' endpoint details
- API client can observe an audit event when application bits are uploaded in v2 details
- API client can order organizations by name details
- API client can order spaces by name details
- API client can view an organization link on space details
- API client does NOT see documentation for 'order-by' filter accepting 'name' filter on all List droplets endpoints details
- API client does NOT see incorrect docs for env_var_visibility feature flag details
- API client should see better error message when updating user provided service instances using the managed service instance API details
- Do a better job of improving the performance of add_missing_task_stopped_usage_events migration details
- Docker-image-based app fails to start if it exposes no ports details
- Operator observes that a CC job does not receive traffic when the CC is down. details
- Operator sees network metadata on diego task definitions details
- V2 -> V3 App model migration fails when duplicate route mappings exist details
Pull Requests and Issues
CAPI 1.39.0
Please do not use this release. It contains a migration that can take very long to execute.