|Pivotal Cloud Foundry||1.7|
In Pivotal Cloud Foundry (PCF) version 1.7, floating stemcells were introduced as a new feature. To increase the security of your deployment, all product tiles use floating stemcells by default. This enables tiles to automatically use the latest patched version of a stemcell.
When an operator upgrades a product tile, Ops Manager checks to see whether there is a new version of the stemcell. If an updated stemcell is available, Ops Manager installs the upgraded tile and all compatible product tiles in the deployment on the new stemcell. This ensures that when a vulnerability is discovered, PCF can quickly propagate a patched stemcell to all VMs in the deployment.
Operators can now perform certain deployment-wide updates, such as patches for CVEs, by uploading a new stemcell instead of uploading .pivotal files for each tile, which reduces the time spent waiting for files to upload. Operators can upload new stemcells using the Ops Manager API or through a product tile in the Ops Manager Installation Dashboard.
However, operators who want to upgrade a single product tile may face significantly longer wait times, depending on the number of tiles in the deployment and the availability of a new stemcell. This article describes how to disable floating stemcells for operators who don't want stemcells to be upgraded automatically.
Follow these steps to disable floating stemcells:
- Connect to the Ops Manager VM via SSH.
- Run sudo grep enable_patch_security_updates * to list the metadata files of tiles that have floating stemcells enabled.
- Run sudo vi <file name>, change enable_patch_security_updates under stemcell_criteria from true to false, and save the file.
- To disable floating stemcells for certain tiles only, set enable_patch_security_updates to false only in the metadata files of those tiles.
The stemcells of tiles with enable_patch_security_updates set to false won't be updated automatically.
Please refer to Pivotal Docs -- Understanding Floating Stemcells for details.
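The steps above as a script, added here as an example and not taken from Pivotal's documentation: it reports the flag per tile, counting it only when it sits under stemcell_criteria, and flips it to false with a backup so the change can be reverted and audited later. The function names, the .bak suffix and the sample metadata files are assumptions; the metadata directory is passed as an argument, and the files need the same privileges as the sudo commands above.

```shell
#!/usr/bin/env bash
# Added example: audit and disable floating stemcells in tile metadata files.
# Usage: audit_dir <metadata dir>; disable_floating <metadata dir>/<file name>

# Print the flag value found under stemcell_criteria: true, false, or unset.
floating_state() {
  awk '
    /^stemcell_criteria:/ { in_block = 1; next }
    in_block && /^[^[:space:]#]/ { in_block = 0 }  # next top-level key ends block
    in_block && $1 == "enable_patch_security_updates:" { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Set the flag to false for one tile, keeping the original as <file>.bak.
disable_floating() {
  [ "$(floating_state "$1")" = "true" ] || return 0
  cp -p "$1" "$1.bak"
  awk '
    /^stemcell_criteria:/ { in_block = 1; print; next }
    in_block && /^[^[:space:]#]/ { in_block = 0 }
    in_block && $1 == "enable_patch_security_updates:" { sub(/true/, "false") }
    { print }
  ' "$1.bak" > "$1"
}

# One line per metadata file: "<state><TAB><file name>"; backups are skipped.
audit_dir() {
  local f
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.bak) continue ;; esac
    printf '%s\t%s\n' "$(floating_state "$f")" "$(basename "$f")"
  done
}

# Constructed sample: two tile metadata files in a temporary directory.
make_sample_dir() {
  local d; d=$(mktemp -d)
  printf 'name: tile-a\nstemcell_criteria:\n  os: ubuntu-trusty\n  enable_patch_security_updates: true\nreleases: []\n' > "$d/tile-a.yml"
  printf 'name: tile-b\nstemcell_criteria:\n  os: ubuntu-trusty\n  enable_patch_security_updates: true\n' > "$d/tile-b.yml"
  echo "$d"
}
```

Tiles that audit_dir reports as false no longer pick up patched stemcells automatically, so keep that list under review whenever a new stemcell is released.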