This article describes the upgrade procedures that we follow for PWS, how these procedures might affect your applications and any actions required of you to keep your applications up-to-date.
Part of responsibly running public infrastructure, software, applications and web sites is keeping them up-to-date. What worked the day you released your software may in fact be out-of-date shortly after and given enough time it will almost certainly become vulnerable to some form of attack. To combat this, it's essential to patch and upgrade your software in a timely manner.
Because you've chosen to run your application on PWS, we're able to assist you with keeping some of the software necessary to run your application up-to-date. The updates required break down into two parts, system or platform updates, which update the software that runs PWS, and build pack updates, which update the software that runs your applications.
Cloud Foundry is developed using the principles of continuous deployment. Through the process of continuous integration, CF is able to incorporate the latest features, bug fixes and security fixes in a timely manner. Cloud Foundry is designed to handle these upgrades while maintaining the operations of your application as long as your application is deployed with two or more instances running. This is an improvement over past deployment strategies where the hosting platform required downtime to bring system updates in a timely manner. As a result, the PWS platform is frequently updated and in most cases no action is required by you the developer. However, there are some exceptions we will cover below.
Build Pack Upgrades
All of the software that is required to run an application on PWS is assembled by our build packs. This includes language runtimes like Java, Ruby, Python, PHP and Go, but also server software like Apache HTTPD, Nginx and everything else necessary to run your application. The software is downloaded and installed as the build pack runs, and unless configured otherwise, the build pack will install the latest version of that software that is available at the time it runs.
Like all of the components of PWS, we update the build packs and all of the software that they install as necessary. Security fixes are given priority, but in general we try to keep up with the latest versions of the software required to run your apps. In addition, we phase out older versions of the software so that you do not accidentally run with insecure, older versions. For details on available versions please see this KB.
It’s important to note that while we update the build packs, which in turn update all of the software necessary to run your application, we do not update your application. For your application to update, you need to run cf push or cf restage on the application. This will run the build pack and, unless you have locked your build pack version, automatically update your application to run with the latest language runtime and server software.
If you have locked the buildpack, done by using the -b argument to cf push or by setting the buildpack attribute in your manifest.yml file, then it’s your responsibility to update this setting and in turn the buildpack. Failure to do this can result in your application running on old and possibly vulnerable software.
For the smoothest possible upgrade path we recommend using blue-green deployment, which gives you a chance to push new changes and test them before actually switching your traffic over to the new or upgraded application. You can find more about this in the documentation here.
Impact / Risks
Running your application on Cloud Foundry reduces the risk of old and insecure software by automatically upgrading, or making it very easy to upgrade, most of the software required to run your application. This reduces the surface area that you as a software developer are responsible for maintaining and upgrading ultimately helping you to save time and be more secure. PWS does not guarantee complete security though. It is up to the developer to follow the instructions in this article, as well as update dependencies packaged with the application and to write secure application code.
Because PWS is managed by Pivotal, it often receives bug fixes, security updates, new features and improvements before any other public Cloud Foundry provider. This means not only will you get security and bug fixes faster, but you'll also get to play around with all the new features of Cloud Foundry as soon as they are available.