Releases: apache/trafficcontrol
Apache Traffic Control 5.1.4
Released November 8th, 2021
Downloads
Apache Traffic Control 5.1.4 is available here:
Release Notes
Fixed
- Traffic Ops: Sanitize username before executing LDAP query
Apache Traffic Control 6.0.0
Traffic Ops
Added
- #4982 Added the ability to support queueing updates by server type and profile
- #5412 Added last authenticated time to user API's (
GET /user/current, GET /users, GET /user?id=
) response payload - #5451 Added change log count to user API's response payload and query param (username) to logs API
- CDN Locks: An Operations-level user can now lock a CDN to prevent other users from trying to modify it at the same time.
- Postgres Traffic Vault backend: Traffic Ops now supports a Postgres Traffic Vault backend with the option to fetch the Traffic Vault secret key from HashiCorp Vault
- Python client: #5611 Added server_detail endpoint
- Ported the Postinstall script to Python. The Perl version has been moved to
install/bin/_postinstall.pl
and has been deprecated, pending removal in a future release. - CDN-in-a-Box: Generate config files using the Postinstall script
- Traffic Ops/Traffic Portal: #5479 - Added the ability to change a server capability name
- Traffic Ops: #3577 - Added a query param (server host_name or ID) for servercheck API
- #5316 - Add router host names and ports on a per interface basis, rather than a per server basis.
- Traffic Ops: Adds API endpoints to fetch (GET), create (POST) or delete (DELETE) a cdn notification. Create and delete are limited to users with operations or admin role.
- Added ACME certificate renewals and ACME account registration using external account binding
- Added functionality to automatically renew ACME certificates.
- Traffic Ops: #6069 - prevent unassigning all ONLINE ORG servers from an MSO-enabled delivery service
- Added an endpoint for statuses on asynchronous jobs and applied it to the ACME renewal endpoint.
- Added two new cdn.conf options to make Traffic Vault configuration more backend-agnostic:
traffic_vault_backend
andtraffic_vault_config
- Traffic Ops API version 4.0 - This version is unstable meaning that breaking changes can occur at any time - use at your own peril!
GET
request method for/deliveryservices/{{ID}}/assign
GET
request method for/deliveryservices/{{ID}}/status
- Added integration to use ACME to generate new SSL certificates.
- Added
GetServersByDeliveryService
method to the TO Go client - Added asynchronous status to ACME certificate generation.
- Added per Delivery Service HTTP/2 and TLS Versions support, via ssl_server_name.yaml and sni.yaml. See overview/delivery_services and t3c docs.
- Added headers to Traffic Portal, Traffic Ops, and Traffic Monitor to opt out of tracking users via Google FLoC.
- Add logging scope for logging.yaml generation for ATS 9 support
DELETE
request method fordeliveryservices/xmlId/{name}/urlkeys
anddeliveryservices/{id}/urlkeys
.- Added
traffic_ops/app/db/traffic_vault_migrate
to help with migrating Traffic Ops Traffic Vault backends - Added a tool at
/traffic_ops/app/db/reencrypt
to re-encrypt the data in the Postgres Traffic Vault with a new key. - Added a new field to Delivery Services -
tlsVersions
- that explicitly lists the TLS versions that may be used to retrieve their content from Cache Servers.
Fixed
- CVE-2021-42009: Customer names in payloads sent to the
/deliveryservices/request
Traffic Ops API endpoint can no longer contain characters besides alphanumerics, @, !, #, $, %, ^, &, *, (, ), [, ], '.', ' ', and '-'. This fixes a vulnerability that allowed email content injection. - #2471 - A PR check to ensure added db migration file is the latest.
- #5609 - Fixed GET /servercheck filter for an extra query param.
- #5954 - Traffic Ops HTTP response write errors are ignored
- #6104 - PUT /api/x/federations only respects first item in request payload
- #5288 - Fixed the ability to create and update a server with MTU value >= 1280.
- #5284 - Fixed error message when creating a server with non-existent profile
- #5739 - Prevent looping in case of a failed login attempt
- #5407 - Make sure that you cannot add two servers with identical content
- #2881 - Some API endpoints have incorrect Content-Types
- #5405 - Prevent Tenant update from choosing child as new parent
- #5548 - Don't return a
403 Forbidden
when the user tries to get servers of a non-existent DS usingGET /servers?dsId={{nonexistent DS ID}}
- #5732 - TO API POST /cdns/dnsseckeys/generate times out with large numbers of delivery services
- #5902 - Fixed issue where the TO API wouldn't properly query all SSL certificates from Riak.
- Fixed server creation through legacy API versions to default
monitor
totrue
. - #5965 - Fixed Traffic Ops /deliveryserviceservers If-Modified-Since requests.
- #5981 -
/deliveryservices/{{ID}}/safe
returns incorrect response for the requested API version - #5984 -
/servers/{{ID}}/deliveryservices
returns incorrect response for the requested API version - #6027 - Collapsed DB migrations
- #6066 - Fixed missing/incorrect indices on some tables
- #5576 - Inconsistent Profile Name restrictions
- Fixed Federations IMS so TR federations watcher will get updates.
- #6093 - Fixed Let's Encrypt to work for delivery services where the domain does not contain the XMLID.
- #5893 - A self signed certificate is created when an HTTPS delivery service is created or an HTTP delivery service is updated to HTTPS.
Changed
- Updated the Traffic Ops Python client to 3.0
- apache/trafficcontrol is now a Go module
- Updated Traffic Ops supported database version from PostgreSQL 9.6 to 13.2
- #3342 - Updated the
db/admin
tool to use Migrate instead of Goose and converted the migrations to Migrate format (split up/down for each migration into separate files) - Refactored the Traffic Ops - Traffic Vault integration to more easily support the development of new Traffic Vault backends
- Improved the DNSSEC refresh Traffic Ops API (
/cdns/dnsseckeys/refresh
). As of TO API v4, its method isPUT
instead ofGET
, its response format was changed to return an alert instead of a string-based response, it returns a 202 instead of a 200, and it now works with theasync_status
API in order for the client to check the status of the async job: #3054 - Delivery Service Requests now keep a record of the changes they make.
- Changed the
goose
provider to the maintained forkgh.neting.cc/kevinburke/goose
- The format of the
/servers/{{host name}}/update_status
Traffic Ops API endpoint has been changed to use a top-levelresponse
property, in keeping with (most of) the rest of the API. - The API v4 Traffic Ops Go client has been overhauled compared to its predecessors to have a consistent call signature that allows passing query string parameters and HTTP headers to any client method.
- Go version 1.17 is used to compile Traffic Ops, T3C, Traffic Monitor, Traffic Stats, and Grove.
- #6179 Updated the Traffic Ops rpm to include the
ToDnssecRefresh
binary and make thetrafops_dnssec_refresh
cron job use it
Deprecated
- The Riak Traffic Vault backend is now deprecated and its support may be removed in a future release. It is highly recommended to use the new PostgreSQL backend instead.
- The
riak.conf
config file and its corresponding--riakcfg
option intraffic_ops_golang
have been deprecated. Please use"traffic_vault_backend": "riak"
and"traffic_vault_config"
(with the existing contents of riak.conf) instead. - The Traffic Ops API route
GET /api/{version}/vault/bucket/{bucket}/key/{key}/values
has been deprecated and will no longer be available as of Traffic Ops API v4 - The Traffic Ops API route
POST /api/{version}/deliveryservices/request
has been deprecated and will no longer be available as of Traffic Ops API v4 - The Traffic Ops API routes
GET /api/{version}/cachegroupparameters
,POST /api/{version}/cachegroupparameters
,GET /api/{version}/cachegroups/{id}/parameters
, and `DELETE /api/{ve...
Apach Traffic Control 5.1.3
Apache Traffic Control 5.1.3
Released October 11th, 2021
Downloads
Apache Traffic Control 5.1.3 is available here:
Release Notes
Changed
- Customer names in payloads sent to the
/deliveryservices/request
Traffic Ops API endpoint can no longer contain characters besides alphanumerics, @, !, #, $, %, ^, &, *, (, ), [, ], '.', ' ', and '-'. This fixes a vulnerability that allowed email content injection.
Apache Traffic Control 5.1.2
Apache Traffic Control 5.1.2
Released May 17th, 2021
Downloads
Apache Traffic Control 5.1.2 is available here:
Release Notes
Fixed
- Fixed the return error for GET api
cdns/routing
to avoid incorrect success response. - #5712 - Ensure that 5.x Traffic Stats is compatible with 5.x Traffic Monitor and 5.x Traffic Ops, and that it doesn't log all 0's for
cache_stats
- Fixed ORT being unable to update URLSIG keys for Delivery Services
- Fixed ORT service category header rewrite for mids and topologies.
- Fixed an issue where Traffic Ops becoming unavailable caused Traffic Monitor to segfault and crash
- #5754 - Ensure Health Threshold Parameters use legacy format for legacy Monitoring Config handler
- #5695 - Ensure vitals are calculated only against monitored interfaces
- Fixed Traffic Monitor to report
ONLINE
caches as available. - #5744 - Sort TM Delivery Service States page by DS name
- #5724 - Set XMPPID to hostname if the server had none, don't error on server update when XMPPID is empty
- #5739 - Prevent looping in case of a failed login attempt
Apache Traffic Control 5.1.1
Apache Traffic Control 5.1.1
Released April 1st, 2021
Downloads
Apache Traffic Control 5.1.1 is available here:
Release Notes
Added
- Atscfg: Added a rule to ip_allow such that PURGE requests are allowed over localhost
Fixed
- #5565 - TO GET /caches/stats panic converting string to uint64
- #5558 - Fixed
TM UI
and/api/cache-statuses
to report aggregatebandwidth_kbps
correctly. - Fix for config gen missing max_origin_connections on mids in certain scenarios
- #5192 - Fixed TO log warnings when generating snapshots for topology-based delivery services.
- Fixed Invalid TS logrotate configuration permissions causing TS logs to be ignored by logrotate.
- #5604 - traffic_monitor.log is no longer truncated when restarting Traffic Monitor
- #1624 - Fixed ORT to reload Traffic Server if LUA scripts are added or changed.
- #5554 - TM UI overflows screen width and hides table data
v5.1.0
Apache Traffic Control 5.1.0
Released March 11th, 2021
Downloads
Apache Traffic Control 5.1.0 is available here:
Release Notes
Added
- Traffic Portal: #5394 - Converts the tenant table to a tenant tree for usability
- Traffic Portal: #5317 - Clicking IP addresses in the servers table no longer navigates to server details page.
- Traffic Portal: upgraded delivery service UI tables to use more powerful/performant ag-grid component
- Traffic Ops: added a feature so that the user can specify
maxRequestHeaderBytes
on a per delivery service basis - Traffic Router: log warnings when requests to Traffic Monitor return a 503 status code
- #5344 - Add a page that addresses migrating from Traffic Ops API v1 for each endpoint
- #5296 - Fixed a bug where users couldn't update any regex in Traffic Ops/ Traffic Portal
- Added API endpoints for ACME accounts
- Traffic Ops: Added validation to ensure that the cachegroups of a delivery services' assigned ORG servers are present in the topology
- Traffic Ops: Added validation to ensure that the
weight
parameter ofparent.config
is a float - Traffic Ops Client: New Login function with more options, including falling back to previous minor versions. See traffic_ops/v3-client documentation for details.
- Added license files to the RPMs
Fixed
- #5445 - When updating a registered user, ignore updates on registration_sent field.
- #5335 - Don't create a change log entry if the delivery service primary origin hasn't changed
- #5333 - Don't create a change log entry for any delivery service consistent hash query params updates
- #5341 - For a DS with existing SSLKeys, fixed HTTP status code from 403 to 400 when updating CDN and Routing Name (in TO) and made CDN and Routing Name fields immutable (in TP).
- #5192 - Fixed TO log warnings when generating snapshots for topology-based delivery services.
- #5284 - Fixed error message when creating a server with non-existent profile
- #5287 - Fixed error message when creating a Cache Group with no typeId
- #5382 - Fixed API documentation and TP helptext for "Max DNS Answers" field with respect to DNS, HTTP, Steering Delivery Service
- #5396 - Return the correct error type if user tries to update the root tenant
- #5378 - Updating a non existent DS should return a 404, instead of a 500
- Fixed a potential Traffic Router race condition that could cause erroneous 503s for CLIENT_STEERING delivery services when loading new steering changes
- #5195 - Correctly show CDN ID in Changelog during Snap
- #5438 - Correctly specify nodejs version requirements in traffic_portal.spec
- Fixed Traffic Router logging unnecessary warnings for IPv6-only caches
- #5294 - TP ag grid tables now properly persist column filters
on page refresh. - #5295 - TP types/servers table now clears all filters instead
of just column filters - #5407 - Make sure that you cannot add two servers with identical content
- #2881 - Some API endpoints have incorrect Content-Types
- #5311 - Better TO log messages when failures calling TM CacheStats
- #5364 - Cascade server deletes to delete corresponding IP addresses and interfaces
- #5390 - Improve the way TO deals with delivery service server assignments
- #5339 - Ensure Changelog entries for SSL key changes
- #5461 - Fixed steering endpoint to be ordered consistently
- #5395 - Added validation to prevent changing the Type any Cache Group that is in use by a Topology
- Fixed an issue with 2020082700000000_server_id_primary_key.sql trying to create multiple primary keys when there are multiple schemas.
- Fix for public schema in 2020062923101648_add_deleted_tables.sql
- Moved move_lets_encrypt_to_acme.sql, add_max_request_header_size_delivery_service.sql, and server_interface_ip_address_cascade.sql past last migration in 5.0.0
- #5505 - Make
parent_reval_pending
for servers in a Flexible Topology CDN-specific onGET /servers/{name}/update_status
Changed
- Refactored the Traffic Ops Go client internals so that all public methods have a consistent behavior/implementation
- Pinned external actions used by Documentation Build and TR Unit Tests workflows to commit SHA-1 and the Docker image used by the Weasel workflow to a SHA-256 digest
- Set Traffic Router to only accept TLSv1.1 and TLSv1.2 protocols in server.xml
- Updated Apache Tomcat from 8.5.57 to 8.5.63
- Updated Apache Tomcat Native from 1.2.16 to 1.2.23
Apache Traffic Control 5.0.0
Apache Traffic Control 5.0.0
Released January 21st, 2021
Downloads
Apache Traffic Control 5.0.0 is available here:
Release Notes
Added
-
A transliteration of the
traffic_ops_ort.pl
Perl script to the Go language. Seetraffic_ops_ort/t3c/README.md
-
Traffic Ops API v3
-
Flexible Topologies
For full details, refer tothe blueprint.
- Added a Traffic Ops API v3.0 endpoint:
/topologies
, to create, read, update and delete flexible topologies - Added the ability to queue or dequeue updates for all servers assigned to the Cachegroups in a given Topology
- Added new "Topology" property to Delivery Services as an alternative to direct server assignments
- Added "Topology" section to CDN Snapshot Comparison page
- The CiaB default Delivery Service is now "Topology-based"
- Added a Traffic Ops API v3.0 endpoint:
-
Edge Traffic Routing - a feature which allows Traffic Router to localize more DNS record types than just the routing name for DNS Delivery Services
-
Traffic Portal table performance improvements
We've begun the process of shifting away from jQuery-plugin-based "data tables" to the much more performant AG-Grid table system.
So far the following tables have been improved:
- Servers - including when viewing the servers assigned to a Delivery Service etc.
- The API Change Log table
- DSRs
-
astats_over_http
plugin CSV supportThe
astats_over_http
plugin for ATS now supports outputting data in CSV format when
given thetext/csv
MIME-Type in theAccept
header. Traffic Monitor is capable of requesting this new format (which
is faster to parse than the JSON format) in its Profile'shttp_polling_format
Parameter.As 5.0.0 also adds support to Traffic Monitor for the more standard
stats_over_http
plugin, CSV format using thathealth.polling.format
value is also supported - but note that one must also install thesystem_stats
plugin to
provide all of the data necessary for Traffic Monitor's evaluations. Note also that this usage requires ATS version 9 or higher. -
Multi-Interface Servers
Servers are now allowed to have multiple network interfaces specified. For full details, refer to the blueprint.
- Traffic Portal allows editing of a server's interfaces
- Traffic Ops exposes server interface data in response payloads
- Traffic Monitor is capable of evaluating a set of network interfaces, optionally with some limited thresholds set on any, all, or none of them
-
The ability to view Hash ID field (aka
xmppId
) on Traffic Portals' server summary page -
The ability to delete invalidation requests, accessible in Traffic Portal
-
A UI indiciator to the Traffic Monitor when using a disk backup of configuration from Traffic Ops.
-
Support for the
If-Match
andIf-Unmodified-Since
HTTP headers to Traffic Ops and its native Go client -
The "Status Last Updated" field to servers, which makes visible the time when the last status change took place for a server
-
TR using the default miss location of a Delivery Service in case the location (for the client's IP address) returned was the default location for the country
-
Traffic Ops, Traffic Ops ORT, Traffic Monitor, Traffic Stats, and Grove are now compiled using Go version 1.15
-
User-Agent
string to Traffic Router log output -
locationByDeepCoverageZone
to thecrs/stats/ip/{{ip}}
endpoint in the Traffic Router API -
The number of days of API change logs to fetch is now configurable in
traffic_portal_properties.json
(default is 7 days) and can be overridden by the user in Traffic Portal -
Support for building RPMs that target CentOS version 8
Fixed
- #3455 - Alphabetically sorting CDN Read API call
- #5010 - Fixed Reference urls for Cache Config on Delivery service pages (HTTP, DNS) in Traffic Portal
- #5147 - GET /servers?dsId={id} should only return mid servers (in addition to edge servers) for the CDN of the Delivery Service if the mid-tier is employed
- #4981 - Cannot create routing regular expression with a blank pattern param in Delivery Service
- #4979 - Returns a Bad Request error during server creation with missing profileId
- #4237 - Do not return an internal server error when Delivery Service's capacity is zero.
- #2712 - Invalid TM logrotate configuration permissions causing TM logs to be ignored by logrotate
- #3400 - Allow "0" as a TTL value for Static DNS entries
- #5050 - Allows the TP administrator to name a TP instance (production, staging, etc) and flag whether it is production or not in traffic_portal_properties.json
- #4743 - Validate absolute DNS name requirement on Static DNS entry for CNAME type
- #4848 -
GET /api/x/cdns/capacity
gives back 500, with the messagecapacity was zero
- #2156 - Renaming a host in TC, does not impact xmpp_id and thereby hashid
- #3661 - Anonymous Proxy ipv4 whitelist does not work
- #1847 - Delivery Service with SSL keys are no longer allowed to be updated when the fields changed are relevant to the SSL Keys validity.
- Fixed the
/jobs
and/jobs/:id
Traffic Ops API routes to allow falling back to Perl via the routing blacklist - Fixed ORT config generation not using the
coalesce_number_v6
Parameter. - #4735 - Fixed
POST deliveryservices/request
(designed to simple send an email) regression which erroneously required deep caching type and routing name - Fixed an issue that caused Traffic Monitor to poll caches that did not have the status ONLINE/REPORTED/ADMIN_DOWN
- #4740- Fixed
/deliveryservice_stats
regression restricting metric type to a predefined set of values - #4116- Fixed update procedure of servers, so that if a server is linked to one or more delivery services, you cannot change its CDN
- Fixed ORT bug miscalculating Mid Max Origin Connections as all servers, usually resulting in 1
- Added Delivery Service Raw Remap
__RANGE_DIRECTIVE__
directive to allow inserting the Range Directive after the Raw Remap text. This allows Raw Remaps which manipulate the Range - #4984 - Lets
create_tables.sql
be run concurrently without issue
Changed
- When creating invalidation jobs through TO/TP, if an identical regex is detected that overlaps its time, then warnings will be returned indicating that overlap exists.
- Changed Traffic Portal to disable browser caching on GETs until it utilizes the If-Modified-Since functionality that the TO API now provides.
- Changed Traffic Portal to use Traffic Ops API v3
- Changed ORT to find the local ATS config directory and use it when location Parameters don't exist for many required configs, including all Delivery Service files (Header Rewrites, Regex Remap, URL Sig, URI Signing).
- Changed the access logs in Traffic Ops to now show the route ID with every API endpoint call. The Route ID is appended to the end of the access log line.
- Changed the format of Traffic Monitor's
tmconfig.backup
to that of aGET
request to/cdns/{{name}}/configs/monitoring
instead of a transformed map - Changed Tomcat Java dependency to 8.5.57.
- Changed Spring Framework Java dependency to 4.2.5.
- Updated CiaB to CentOS 8
Deprecated
- Importing Traffic Ops Go clients via the un-versioned
github.com/apache/trafficcontrol/traffic_ops/client
is now deprecated in favor of versioned import paths e.g.github.com/apache/trafficcontrol/traffic_ops/v3-client
.
Removed
- Removed deprecated Traffic Ops Go Client methods.
- Configuration generation logic in the TO API (v1) for all files and the "meta" route - this means that versions of Traffic Ops ORT earlier than 4.0.0 will not work any longer with versions of Traffic Ops moving forward.
- Removed from Traffic Portal the ability to view cache server config files as the contents are no longer reliable through the TO API due to the introduction of
atstccfg
.
Apache Traffic Control 4.1.1
Added
- Added the ability to set TLS config provided here: https://golang.org/pkg/crypto/tls/#Config in Traffic Ops
- Added
--traffic_ops_insecure=<0|1>
optional option to traffic_ops_ort.pl - Added ORT CentOS 8 support
Fixed
- Fixed #5188 - DSR (delivery service request) incorrectly marked as complete and error message not displaying when DSR fulfilled and DS update fails in Traffic Portal. Related Github issues
- Fixed #5006 - Traffic Ops now generates the Monitoring on-the-fly if the snapshot doesn't exist, and logs an error. This fixes upgrading to 4.x to not break the CDN until a Snapshot is done.
- Fixed #5180 - Global Max Mbps and Tps is not send to TM
- Fixed #3528 - Fix Traffic Ops monitoring.json missing DeliveryServices
- Fixed #5074 - Traffic Monitor logging "CreateStats not adding availability data for server: not found in DeliveryServices" for MID caches
- Fixed #5274 - CDN in a Box's Traffic Vault image failed to build due to Basho's repo responding with 402 Payment Required. The repo has been removed from the image.
- Fixed an issue that causes Traffic Router to mistakenly route to caches that had recently been set from ADMIN_DOWN to OFFLINE
- Fixed a NullPointerException in Traffic Router that prevented it from properly updating cache health states
- Fixed an issue where Traffic Router would erroneously return 503s or NXDOMAINs if the caches in a cachegroup were all unavailable for a client's requested IP version, rather than selecting caches from the next closest available cachegroup.
- Traffic Ops Ort: Disabled ntpd verification (ntpd is deprecated in CentOS)
- Fixed #5005: Traffic Monitor cannot be upgraded independently of Traffic Ops
- Fixed an issue with Traffic Router failing to authenticate if secrets are changed
- Fixed #4825 - Traffic Monitor error log spamming "incomparable stat type int"
- Fixed #4899 - Traffic Monitor Web UI showing incorrect delivery service availability states
- Fixed Traffic Monitor Web UI styling for unavailable caches
- Fixed an issue with Traffic Monitor to fix peer polling to work as expected
- Fixed #4845 - issue with ATS logging.yaml generation (missing newlines when filters are used)
- Fixed ORT atstccfg to use log appending and log rotation
- Fixed a bug in ATS remap.config generation that caused a double range directive if there was a
__RANGE_DIRECTIVE__
override - Fixed ORT to be backwards compatible with Traffic Ops 3.x
Changed
- Changed ORT/atstccfg ATS configuration generation to be deterministic in order to simplify diff checking
- Changed ORT to not update ip_allow.config on
SYNCDS
runs by default
Deprecated
- Deprecated the
insecure
option intraffic_ops_golang
in favor of"tls_config": { "InsecureSkipVerify": <bool> }
RELEASE-5.0.0-RC1
Release 5.0.0
RELEASE-5.0.0-RC0
Release 5.0.0