These are the release notes for VMware Tanzu Application Service for VMs (TAS for VMs) v4.0.
TAS for VMs is certified by the Cloud Foundry Foundation for 2024.
For more information about the Cloud Foundry Certified Provider Program, see How Do I Become a Certified Provider? on the Cloud Foundry website.
Because VMware uses the Percona Distribution for MySQL, expect a time lag between Oracle releasing a MySQL patch and VMware releasing TAS for VMs containing that patch.
- v4.0.27 - v4.0.31 versions contain a bug that causes intermittent TCP connectivity issues between TAS for VMs and tiles that use routing release 0.301.0 or earlier, such as Tanzu for MySQL on Cloud Foundry v3.3.0 and earlier, and Redis for Tanzu Application Service v3.5.0 and earlier. For details, see TCP Routes from Tiles are Pruned Intermittently Resulting in connectivity issues.
- v4.0.5 to 4.0.23 versions contain an RFC protocol issue with Gorouter, CVE-2024-22279, that can lead to denial of service. The issue has been fixed. For details, see TNZ-2024-0100.
New features in TAS for VMs v4.0
TAS for VMs v4.0 includes the following major features:
App syslog drains now support Mutual TLS and internal Certificate Authorities
Upgrading to TAS for VMs v4.0 opens up more security options for application syslog drains. Syslog drains are now compatible with syslog servers that:
- Enforce client identity
- Have their own internal or domain-specific certificate authority
You can configure your syslog drains to use Mutual TLS by specifying a client certificate and a private key. You can also configure your syslog drains to communicate with syslog servers that use internal or domain-specific Certificate Authorities (CAs).
For example:
$ cf create-user-provided-service DRAIN-NAME -l SYSLOG-URL -p '{"example-cert":"-----BEGIN CERTIFICATE-----\nMIIH...-----END CERTIFICATE-----","key":"-----BEGIN PRIVATE KEY-----\nMIIE...-----END PRIVATE KEY-----", "ca":"-----BEGIN CERTIFICATE-----\nMIIH...-----END CERTIFICATE-----"}'
Dynamic app renaming for logs and metrics
If you rename your apps, you can see emitted logs and metrics that are tagged with the new application name without starting the application again. This is useful in blue-green deployments.
Note: This feature does not update the VCAP_APPLICATION environment variable that the platform sets in the container, which may be used by agents co-located in the container such as AppDynamics. To update this environment variable and propagate the change to agents in the container, manually restart the application.
Depending on your configuration, app name caching can be used outside of TAS for VMs by other products such as Splunk Nozzle.
For applications hosted on Diego Cells that are provided by the Isolation Segment or TAS for VMs [Windows] tiles, you must update those tiles to v4.0 to get the full benefit of this new feature. After you upgrade TAS for VMs, the access log entries are generated by the TAS for VMs and Isolation Segment Gorouters. They reflect the new application names even if you have not upgraded the Isolation Segment or TAS for VMs [Windows] tiles.
Breaking changes
These are the breaking changes for VMware Tanzu Application Service for VMs v4.0.
Default stack is changed to cflinuxfs4
You can still use the cflinuxfs3 stack, but the default is now cflinuxfs4.
Newly pushed apps will use cflinuxfs4. Existing applications will continue to run using the cflinuxfs3 stack. See Changing Stacks for migrating to the new stack. The default stack can be configured. You can turn off cflinuxfs3.
All system apps that are packaged with TAS for VMs now use cflinuxfs4. The Stack Auditor has been updated and is available to identify apps still running on the cflinuxfs3 stack.
Support for the cflinuxfs3 stack will be removed in a future release of TAS for VMs. We recommend that you migrate all applications to cflinuxfs4 soon.
Java Buildpack 4.62.0 removes Spring AutoReconfiguration library for Spring Boot 3 applications
From v4.62.0, the Java Buildpack will no longer install the Spring AutoReconfiguration (SAR) library for Spring Boot 3 applications. This library was deprecated in May 2022 and overwrites your configured Spring Beans to connect to bound services. This is not recommended for use in production environments. The recommended replacement is the Java CfEnv library.
Applications should not be affected by this change if:
- They are using Spring Boot 2.x - SAR will be installed and supported for the life of Spring Boot 2, although it is recommended to migrate to Java CfEnv as soon as possible.
- They are using Spring Boot 3 and:
  - have already migrated from SAR to Java CfEnv** or
  - have already migrated from Spring Cloud Connectors to Java CfEnv**

** The buildpack will not install Java CfEnv if it is already detected as an app dependency.
Your applications might be affected by the following two scenarios:
- The app uses Spring Boot 3 and does not have Spring Cloud Connectors as a dependency.
- The app uses Spring Boot 3 and does have Spring Cloud Connectors as a dependency.
If your application is affected by this change, see this KB article for troubleshooting: Spring AutoReconfiguration will be no longer installed for Spring Boot 3 applications since JBP v4.62.0
Component logs always use human-readable RFC3339 timestamp format
Non-standardized and non-human readable timestamps in logs make debugging TAS for VMs more difficult. Since TAS for VMs 2.10.0, there was an option in the System Logging tab named Optionally Use Human-Readable Timestamps for Component Logs. In TAS for VMs 4.0, this radio button is removed and all components use the human readable RFC3339 format for the timestamps in their logs.
Max request header size now defaults to 48 KB
When you upgrade to TAS for VMs 4.0, it sets the Max request header size in KB to 48 KB, unless the existing configuration was already lower. Lowering this value improves security for TAS for VMs and applications. You can still configure this setting to a value up to 1024 KB in the Networking tab. For any request with headers larger than this value, Gorouter returns a 431 status code.
To update a single Gorouter configuration, add the following line to the /var/vcap/jobs/gorouter/config/gorouter.yml file:
max_header_kb: 48
To confirm that the limit is not rejecting legitimate traffic, monitor the Gorouter access logs in the /var/vcap/sys/log/gorouter/access.log file and verify that there are no entries with the HTTP/1.1 431 status code.
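The access-log check described above, as an added example that is not part of the original release notes or VMware's code: it counts 431 responses per request host so you can see which apps send oversized headers after the upgrade. The line layout matched by the regular expression, the function name Count431 and the sample log lines are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Assumed line shape: HOST - [TIME] "METHOD PATH PROTO" STATUS ...
var accessLine = regexp.MustCompile(`^(\S+) - \[[^\]]+\] "\S+ \S+ \S+" (\d{3}) `)

// sampleLog is constructed for this example; it is not real Gorouter output.
const sampleLog = `app1.example.com - [2025-03-11T10:00:00.100000000Z] "GET /health HTTP/1.1" 200 0 12 "-" "curl/8.5.0" "10.0.0.5:41000" "10.0.1.7:61001"
app2.example.com - [2025-03-11T10:00:01.200000000Z] "GET /login HTTP/1.1" 431 0 0 "-" "Mozilla/5.0" "10.0.0.9:52010" "-"
truncated line without the expected fields
app2.example.com - [2025-03-11T10:00:02.300000000Z] "POST /api/orders HTTP/1.1" 431 0 0 "-" "Mozilla/5.0" "10.0.0.9:52011" "-"
`

// Count431 returns the number of 431 responses per request host, plus the
// number of lines that did not match the assumed format, so that parse
// failures are visible instead of being mistaken for a clean log.
func Count431(r io.Reader) (byHost map[string]int, unparsed int, err error) {
	byHost = map[string]int{}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // access-log lines can be long
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		m := accessLine.FindStringSubmatch(line)
		if m == nil {
			unparsed++
			continue
		}
		if m[2] == "431" {
			byHost[m[1]]++
		}
	}
	return byHost, unparsed, sc.Err()
}

func main() {
	byHost, unparsed, err := Count431(strings.NewReader(sampleLog))
	if err != nil {
		panic(err)
	}
	fmt.Println("431 responses by host:", byHost, "unparsed lines:", unparsed)
}
```

To use it on a Gorouter VM, pass an opened /var/vcap/sys/log/gorouter/access.log to Count431 instead of the sample string.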
Recent logs endpoint is removed from Traffic Controller
New versions of Traffic Controller do not have the recent logs endpoint. Versions of the cf CLI before v6.52.0 cannot retrieve logs when they are called using the cf logs --recent command.
Add validation for Certificate Authorities that are trusted by the Gorouter property
TAS for VMs 4.0 contains validations for the Certificate Authorities (CA) that are trusted by the Gorouter property in the Networking tab. Any entries that are not valid CA certificates can cause an error in Operations Manager. You must remove or replace invalid entries.
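A pre-upgrade check for the trusted CA list, as an added example that is not VMware's or Operations Manager's code: it flags entries that are not PEM certificates, are not marked as a CA, or are outside their validity period. These criteria and the names CheckCABundle and makeCert are assumptions of this example, and the sample certificates are generated at run time.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckCABundle returns one message per PEM entry that cannot serve as a trusted CA.
// The criteria are this example's assumptions, not Operations Manager's own checks.
func CheckCABundle(bundle []byte, now time.Time) (problems []string) {
	for i, rest := 1, bundle; ; i++ {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			if len(bytes.TrimSpace(rest)) > 0 { // leftover text that is not PEM
				problems = append(problems, fmt.Sprintf("entry %d: not PEM data", i))
			}
			return problems
		}
		why := ""
		if cert, err := x509.ParseCertificate(block.Bytes); block.Type != "CERTIFICATE" {
			why = "PEM type is " + block.Type
		} else if err != nil {
			why = err.Error()
		} else if !cert.BasicConstraintsValid || !cert.IsCA {
			why = cert.Subject.CommonName + " is not a CA certificate"
		} else if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			why = cert.Subject.CommonName + " is outside its validity period"
		}
		if why != "" {
			problems = append(problems, fmt.Sprintf("entry %d: %s", i, why))
		}
	}
}

// makeCert builds a throwaway self-signed certificate (constructed sample data).
func makeCert(cn string, isCA bool, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	bundle := append(makeCert("good-ca", true, now.Add(time.Hour)), makeCert("leaf", false, now.Add(time.Hour))...)
	fmt.Println(CheckCABundle(bundle, now))
}
```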
Option to activate (deprecated) Global Log Rate Limit was removed (TAS for VMs 4.0.0+LTS-T - TAS for VMs 4.0.19+LTS-T)
The global log rate limit feature was removed in TAS for VMs 4.0.0+LTS-T. It was restored in TAS for VMs 4.0.20+LTS-T to ease migration to the newer granular app log rate limit feature.
Important: If you were using this feature to limit your overall app log throughput, then you might see an increase in log load after you upgrade, prior to configuring granular app log rate limiting. To avoid the increase, ensure you upgrade to TAS for VMs 4.0.20+LTS-T or greater to retain the ability to configure a global log rate limit.
Ruby and Python have been removed from the cflinuxfs4 stack
The cflinuxfs4 stack versions prior to v1.0.0 contain both Ruby and Python interpreters. These exist to enable the execution of the PHP and Java buildpacks that are written in those languages.
To improve the security posture for all applications based on the cflinuxfs4 stack, the Ruby and Python interpreters have been removed from the stack. New versions of the PHP and Java buildpacks have been introduced to run on top of the stack if it no longer includes the required interpreter.
These include:
- cflinuxfs4 - v1.2.0
- PHP buildpack - v4.6.0 and higher
- Java buildpack - v4.56
Any buildpacks outside of those maintained by VMware and installed as part of TAS for VMs that might be written in either Ruby or Python can now break unless those other buildpacks take steps to bring their own runtimes.
This breaking change applies to Tanzu Application Service and Small Footprint TAS.
App developers can use Web Servers Buildpack based on CNBs (beta)
TAS for VMs 4.0 introduces a new slate of buildpacks, based on the Cloud Native Buildpack project, that are installed with TAS for VMs and managed by the Tanzu Application Service tile. These buildpacks are still in beta and have some limitations.
For more information on the limitations, see Limitations.
The first buildpack is the Web Servers CNB, which allows app developers to push nginx, httpd, and front-end JavaScript apps.
For more information about how to use the Web Servers Buildpack, see the documentation page.
Known issues
TAS for VMs v4.0 includes the following known issues:
Potential data loss for service usage data after upgrading TAS
Release 4.0.9 introduced a bug that could result in the loss of Service Usage data. To avoid data loss, customers that depend on usage data should follow the workaround in this KB article or upgrade to a later version of VMware Tanzu Application Service for VMs within 30 days of upgrading to this version.
Stale routes might not be pruned properly in Gorouter
This version of TAS for VMs contains a known issue with Gorouter error handling for backend app requests. Failures that previously returned HTTP Status Codes 496, 499, 503, 525, or 526 might instead return 502. Additionally, stale routes might fail to be pruned properly, which could result in apps unexpectedly returning HTTP Status Code 502.
For more information, see this Knowledge Base Article.
UAA Single Sign-On Copy button is broken
In the User Account and Authentication (UAA) user interface (UI), the button that copies single sign-on (SSO) codes does not work.
To work around this issue, you must manually copy and paste the displayed code.
Dynamic ASG Updates require the use of Cloud Foundry v3 API for external integrations
Any external integrations with the CF API to create, update, and delete Application Security Group (ASG) definitions or bindings require the use of the Cloud Foundry v3 API. Any ASG updates made with the v2 API are not synchronized until an ASG update using the v3 API is made.
Recommended course of action:
- Verify that the integration uses the latest CF CLI binary, which already uses the v3 API endpoints.
- Update any HTTP based integrations to use the v3 API endpoints for security groups.
Dynamic App renaming does not take effect for Silk Security group log entries
Silk emits log entries to application log streams when ASGs are dynamically changed. If you use Silk for container networking and have activated Dynamic ASGs, you might find the log entries are tagged with old application names.
To mitigate this issue, you can start the applications again after they are renamed.
Check your NATS server version
In TAS for VMs 2.11.26, VMware introduced a nats release that replaced the underlying package from NATS v1.0 with NATS v2.0. TAS for VMs version 4.0 is the first LTS major version that includes NATS v2.0 from the beginning of the release line. The migration happens invisibly. However, if the migration is not successful, your NATS servers might still be running NATS v1.0.
As described in the TAS Support Lifecycle Policy, VMware keeps the NATS v1.0 as a fallback, but removes it in a future version.
Follow the instructions in this Knowledge Base article to confirm that your nats instances have migrated successfully, and learn how to troubleshoot if they have not.
TAS Portal uses apps domain
TAS Portal erroneously uses the default app domain instead of the operator-configured system domain. In future patch versions of TAS, TAS Portal is available at tas-portal.SYSTEM-DOMAIN.
TAS Portal Application Accelerators use HTTP
When Application Accelerators are activated for TAS Portal, TAS Portal communicates with the Application Accelerator backend server using HTTP on port 80. If TAS for VMs or its associated load balancers are not configured to allow HTTP ingress on port 80, then the TAS Portal Application Accelerators page is blank.
A future patch version of TAS for VMs changes this traffic to use HTTPS on port 443. To work around this issue, configure TAS for VMs to accept HTTP traffic on port 80.
BBR restore fails after upgrading to TAS for VMs v4.0.2 or earlier version
This issue affects those who are leveraging the TAS for VMs internal MySQL cluster and attempting a BBR Restore after upgrading to TAS 4.0.2 or earlier version. If you are using an external database and are facing this issue, open a ticket with VMware Tanzu Support and refer to the TAS for VMs documentation.
UAA causes database overload (for VMware Tanzu Application Service for VMs 4.0.20 and 4.0.21)
The UAA can cause and experience slowness in its database when attempting to hit its /Users endpoint. The issue is especially noticeable when the UAA contains a large number of users; for example, in the millions. This only happens when using a MySQL database.
Releases
4.0.33
Release Date: 03/11/2025
- [Feature] Backport GA OpenTelemetry Collector
- [Feature] Operators can now “Enable comma-delimited lists of IPs for application security group (ASG) destinations” via the property in the “Networking” tab. WARNING: for foundations with the NSX-T tile installed, you MUST deploy NSX-T tile version 9.0.0 in policy mode before enabling this feature.
- [Feature Improvement] Operators can now let Puma auto-configure the number of workers based on the number of available cores.
- [Feature Improvement] Remove the need to track mapfs-release
- [Bug Fix] SMB Broker now supports all the mount parameters that the SMB Driver does (‘sec’, ‘dir_mode’, ‘file_mode’ were missing)
- Bump backup-and-restore-sdk to version 1.19.45
- Bump binary-offline-buildpack to version 1.1.32
- Bump bpm to version 1.4.16
- Bump capi to version 1.203.0
- Bump cf-autoscaling to version 250.4.1
- Bump cf-networking to version 3.66.0
- Bump cflinuxfs3 to version 0.618.0
- Bump cflinuxfs4 to version 1.288.0
- Bump credhub to version 2.12.105
- Bump dotnet-core-offline-buildpack to version 2.4.51
- Bump garden-runc to version 1.70.0
- Bump go-offline-buildpack to version 1.10.43
- Bump java-offline-buildpack to version 4.80.0
- Bump log-cache to version 3.1.9
- Bump loggregator to version 107.0.20
- Bump loggregator-agent to version 7.8.1
- Bump metrics-discovery to version 3.2.32
- Bump mysql-monitoring to version 10.22.0
- Bump nats to version 56.41.0
- Bump nfs-volume to version 7.23.0
- Bump nginx-offline-buildpack to version 1.2.37
- Bump nodejs-offline-buildpack to version 1.8.49
- Bump otel-collector to version 0.11.2
- Bump php-offline-buildpack to version 4.6.40
- Bump push-apps-manager-release to version 677.0.67
- Bump push-usage-service-release to version 674.0.156
- Bump pxc to version 1.0.37
- Bump python-offline-buildpack to version 1.8.44
- Bump r-offline-buildpack to version 1.2.32
- Bump routing to version 0.331.0
- Bump ruby-offline-buildpack to version 1.10.36
- Bump silk to version 3.66.0
- Bump smb-volume to version 3.22.0
- Bump staticfile-offline-buildpack to version 1.8.26
- Bump statsd-injector to version 1.11.47
- Bump syslog to version 12.3.7
- Bump system-metrics-scraper to version 4.0.17
- Bump uaa to version 77.20.3
Security Fixes
The following table lists CVEs that were fixed in each TAS for VMs component since the previous patch version of TAS for VMs:
Component | Vulnerabilities Resolved |
---|---|
credhub | |
smb-volume | |
statsd-injector | |
system-metrics-scraper | |
pxc | |
mysql-monitoring | |
cf-autoscaling | |
mapfs | |
cflinuxfs4 | |
log-cache | |
metrics-discovery | |
push-apps-manager-release | |
uaa | |
syslog | |
nfs-volume | |
loggregator | |
loggregator-agent | |
nats | |
backup-and-restore-sdk | |
bpm | |
silk | |
garden-runc | |
cf-networking | |
capi | |
Component Release Notes
4.0.32
Release Date: 02/03/2025
- [Bug Fix] Fix intermittent connectivity issue for TCP routes from external tiles with old routing-release versions
- [Feature Improvement] Apps Manager only lists the name of a space that hosts shared services if you have access to that space; otherwise it lists the space’s GUID.
- [Feature Improvement] Enable Space Auditors to view app autoscaling rules
- [Feature Improvement] Explicitly set the allowed ciphers for Diego ssh proxy. Previously these were set in the code.
- [Feature Improvement] Puma web server is no longer beta
- Bump backup-and-restore-sdk to version 1.19.39
- Bump binary-offline-buildpack to version 1.1.28
- Bump bpm to version 1.4.11
- Bump capi to version 1.200.0
- Bump cf-autoscaling to version 250.4.0
- Bump cf-networking to version 3.63.0
- Bump cflinuxfs3 to version 0.592.0
- Bump cflinuxfs4 to version 1.274.0
- Bump credhub to version 2.12.102
- Bump dotnet-core-offline-buildpack to version 2.4.47
- Bump garden-runc to version 1.67.0
- Bump go-offline-buildpack to version 1.10.37
- Bump java-offline-buildpack to version 4.77.0
- Bump log-cache to version 3.1.8
- Bump loggregator to version 107.0.19
- Bump loggregator-agent to version 7.8.0
- Bump mapfs to version 1.17.0
- Bump metric-registrar to version 4.0.6
- Bump metrics-discovery to version 3.2.30
- Bump mysql-monitoring to version 10.21.0
- Bump nats to version 56.36.0
- Bump nfs-volume to version 7.17.0
- Bump nginx-offline-buildpack to version 1.2.33
- Bump nodejs-offline-buildpack to version 1.8.44
- Bump notifications to version 77.0.0
- Bump php-offline-buildpack to version 4.6.36
- Bump push-apps-manager-release to version 677.0.66
- Bump push-usage-service-release to version 674.0.147
- Bump pxc to version 1.0.34
- Bump python-offline-buildpack to version 1.8.40
- Bump r-offline-buildpack to version 1.2.28
- Bump routing to version 0.329.0
- Bump ruby-offline-buildpack to version 1.10.32
- Bump silk to version 3.63.0
- Bump smb-volume to version 3.16.0
- Bump staticfile-offline-buildpack to version 1.8.21
- Bump statsd-injector to version 1.11.46
- Bump syslog to version 12.3.6
- Bump system-metrics-scraper to version 4.0.15
- Bump uaa to version 77.20.2
Security Fixes
The following table lists CVEs that were fixed in each TAS for VMs component since the previous patch version of TAS for VMs:
Component | Vulnerabilities Resolved |
---|---|
metric-registrar | |
metrics-discovery | |
syslog | |
uaa | |
log-cache | |
loggregator | |
statsd-injector | |
push-apps-manager-release | |
notifications | |
garden-runc | |
credhub | |
mysql-monitoring | |
system-metrics-scraper | |
capi | |
loggregator-agent | |
backup-and-restore-sdk | |
bpm | |
Component Release Notes
4.0.31
Release Date: 01/09/2025
- [Bug Fix] Stop Autoscaler panic when RabbitMQ password includes reserved characters
- Bump backup-and-restore-sdk to version 1.19.36
- Bump binary-offline-buildpack to version 1.1.15
- Bump bpm to version 1.4.6
- Bump capi to version 1.197.0
- Bump cf-autoscaling to version 250.3.6
- Bump cf-cli to version 1.68.0
- Bump cf-networking to version 3.60.0
- Bump credhub to version 2.12.98
- Bump dotnet-core-offline-buildpack to version 2.4.36
- Bump garden-runc to version 1.64.0
- Bump go-offline-buildpack to version 1.10.24
- Bump log-cache to version 3.1.7
- Bump loggregator to version 107.0.18
- Bump loggregator-agent to version 7.7.14
- Bump mapfs to version 1.12.0
- Bump metric-registrar to version 4.0.5
- Bump metrics-discovery to version 3.2.29
- Bump nats to version 56.32.0
- Bump nfs-volume to version 7.13.0
- Bump nginx-offline-buildpack to version 1.2.20
- Bump nodejs-offline-buildpack to version 1.8.30
- Bump notifications to version 74.0.0
- Bump notifications-ui to version 51.0.0
- Bump php-offline-buildpack to version 4.6.25
- Bump push-apps-manager-release to version 677.0.64
- Bump push-usage-service-release to version 674.0.137
- Bump pxc to version 1.0.33
- Bump python-offline-buildpack to version 1.8.30
- Bump r-offline-buildpack to version 1.2.16
- Bump routing to version 0.325.0
- Bump ruby-offline-buildpack to version 1.10.19
- Bump silk to version 3.60.0
- Bump smb-volume to version 3.13.0
- Bump staticfile-offline-buildpack to version 1.6.18
- Bump statsd-injector to version 1.11.45
- Bump syslog to version 12.3.5
- Bump system-metrics-scraper to version 4.0.13
- Bump uaa to version 77.20.0
Security Fixes
The following table lists CVEs that were fixed in each TAS for VMs component since the previous patch version of TAS for VMs:
Component Release Notes
4.0.21 - 4.0.30
See TAS Patch Version v4.0.21-v4.0.30 Release Notes.
4.0.11 - 4.0.20
See TAS Patch Version v4.0.11-v4.0.20 Release Notes.