Mention all more significant changes since 2.16.0~beta1. Signed-off-by: Viktor Bachraty <[email protected]> --- NEWS | 469 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 456 insertions(+), 13 deletions(-)
diff --git a/NEWS b/NEWS index a6c9803..0f5e3c5 100644 --- a/NEWS +++ b/NEWS @@ -1,11 +1,10 @@ News ==== - Version 2.16.0 beta2 -------------------- -*(unreleased)* +*(Released Tue, 27 Jan 2016)* Incompatible/important changes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -14,16 +13,6 @@ Incompatible/important changes Instead, the cluster configuration parameter ``modify_ssh_setup`` is used to determine whether or not to manipulate the SSH setup of a new node. - - -Version 2.16.0 beta1 --------------------- - -*(Released Tue, 28 Jul 2015)* - -Incompatible/important changes -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - The IAllocator protocol has been extended by a new ``allocate-secondary`` request type. Currently, this new request type is only used when in disk conversion to DRBD no secondary node is specified. As long as this new @@ -33,6 +22,10 @@ Incompatible/important changes storage. To obtain the old behavior, add the ``--no-capacity-checks`` option. - ``hail`` now tries to keep the overall cluster balanced; in particular it now prefers more empty groups over groups that are internally more balanced. +- Timeouts for communication with luxid have been increased. As a consequence, + Ganeti tools communicating (directly or indirectly) with luxid also time out + later. Please increase all timeouts for higher level tools interacting with + Ganeti accordingly. New features ~~~~~~~~~~~~ @@ -50,6 +43,457 @@ New dependencies On Debian-based systems, it is available as a part of the 'libcap2-bin' package. +Changes since beta1 +~~~~~~~~~~~~~~~~~~~ +- Set block buffering for UDSServer +- Fix failover in case the source node is offline +- Add a parameter to ignore groups in capacity checks +- Make hspace correctly handle --independent-groups +- Accept BoringSSL as a known good ssl library +- Make CommitTemporaryIPs call out to WConfD +- Fix requested instance desired location tags in IAllocator +- monitor: Use hvinfo in QMP methods +- KVM: Work around QEMU commit 48f364dd +- KVM: Introduce scsi_controller_type and kvm_pci_reservations hvparams +- Improvements in SSH key handling +- Do not generate the ganeti_pub_keys file with --no-ssh-init +- Support force option for deactivate disks on RAPI +- Add a --dry-run option to htools +- Extended logging to improve traceability +- Many documentation improvements and cleanups +- Performance optimizations on larger clusters +- Various QA and testing improvements + +Fixes inherited from 2.15 branch: + +- Metad: ignore instances that have no communication NIC +- For queries, take the correct base address of an IP block +- Fix computation in network blocks +- Use bulk-adding of keys in renew-crypto +- Introduce bulk-adding of SSH keys +- Handle SSH key distribution on auto promotion +- Do not remove authorized key of node itself +- Support force option for deactivate disks on RAPI +- renew-crypto: use bulk-removal of SSH keys +- Bulk-removal of SSH keys +- Catch IOError of SSH files when removing node +- Fix renew-crypto on one-node-cluster +- Increase timeout of RPC adding/removing keys +- After TestNodeModify, fix the pool of master candidates + +Fixes inherited from 2.14 branch: + +- bdev: Allow userspace-only disk templates +- Export disk's userspace URI to OS scripts +- Fix instance failover in case of DTS_EXT_MIRROR +- Set node tags in iallocator htools backend +- Fix faulty iallocator type check +- Allow disk attachment to diskless instances +- Allow disk attachment with external storage + +Fixes inherited from 2.13 branch: + +- Improve xl socat migrations +- Renew-crypto: stop daemons on master node first +- Extend timeout for gnt-cluster renew-crypto + +Fixes inherited from 2.12 branch: + +- Accept timeout errors when luxi down +- Fix disabling of user shutdown reporting +- gnt-node add: password auth is only one method +- Fix inconsistency in python and haskell objects +- Increase default disk size of burnin to 1G +- Only search for Python-2 interpreters +- Handle Xen 4.3 states better +- Return the correct error code in the post-upgrade script +- Make openssl refrain from DH altogether +- Fix upgrades of instances with missing creation time +- Check for healthy majority on master failover with voting +- Pass arguments to correct daemons during master-failover + +Fixes inherited from 2.11 branch: + +- At IAlloc backend guess state from admin state +- Fix default for --default-iallocator-params + +Fixes inherited from 2.10 branch: + +- Make htools tolerate missing "dtotal" and "dfree" on luxi +- KVM: explicitly configure routed NICs late + +Fixes inherited from the 2.9 branch: + +- Security patch for CVE-2015-7944 RAPI Vulnerable to DoS via SSL renegotiation +- Security patch for CVE-2015-7945 Leak DRBD secret via RAPI +- replace-disks: fix --ignore-ipolicy + +Version 2.16.0 beta1 +-------------------- + +*(Released Tue, 28 Jul 2015)* + +This was the first beta release of the 2.16 series. All important changes +are listed in the latest 2.16 entry. + +Version 2.15.2 +-------------- + +*(Released Wed, 16 Dec 2015)* + +Important changes and security notes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Security release. + +CVE-2015-7944 + +Ganeti provides a RESTful control interface called the RAPI. Its HTTPS +implementation is vulnerable to DoS attacks via client-initiated SSL +parameter renegotiation. While the interface is not meant to be exposed +publicly, due to the fact that it binds to all interfaces, we believe +some users might be exposing it unintentionally and are vulnerable. A +DoS attack can consume resources meant for Ganeti daemons and instances +running on the master node, making both perform badly. + +Fixes are not feasible due to the OpenSSL Python library not exposing +functionality needed to disable client-side renegotiation. Instead, we +offer instructions on how to control RAPI's exposure, along with info +on how RAPI can be setup alongside an HTTPS proxy in case users still +want or need to expose the RAPI interface. The instructions are +outlined in Ganeti's security document: doc/html/security.html + +CVE-2015-7945 + +Ganeti leaks the DRBD secret through the RAPI interface. Examining job +results after an instance information job reveals the secret. With the +DRBD secret, access to the local cluster network, and ARP poisoning, +an attacker can impersonate a Ganeti node and clone the disks of a +DRBD-based instance. While an attacker with access to the cluster +network is already capable of accessing any data written as DRBD +traffic is unencrypted, having the secret expedites the process and +allows access to the entire disk. + +Fixes contained in this release prevent the secret from being exposed +via the RAPI. The DRBD secret can be changed by converting an instance +to plain and back to DRBD, generating a new secret, but redundancy will +be lost until the process completes. +Since attackers with node access are capable of accessing some and +potentially all data even without the secret, we do not recommend that +the secret be changed for existing instances. + +Minor changes +~~~~~~~~~~~~~ + +- Allow disk aittachment to diskless instances +- Reduce memory footprint: Compute lock allocation strictly +- Calculate correct affected nodes set in InstanceChangeGroup + (Issue 1144) +- Reduce memory footprint: Don't keep input for error messages +- Use bulk-adding of keys in renew-crypto +- Reduce memory footprint: Send answers strictly +- Reduce memory footprint: Store keys as ByteStrings +- Reduce memory footprint: Encode UUIDs as ByteStrings +- Do not retry all requests after connection timeouts to prevent + repeated job submission +- Fix reason trails of expanding opcodes +- Make lockConfig call retryable +- Extend timeout for gnt-cluster renew-crypto +- Return the correct error code in the post-upgrade script +- Make OpenSSL refrain from DH altogether +- Fix faulty iallocator type check +- Improve cfgupgrade output in case of errors +- Fix upgrades of instances with missing creation time +- Support force option for deactivate disks on RAPI +- Make htools tolerate missing "dtotal" and "dfree" on luxi +- Fix default for --default-iallocator-params +- Renew-crypto: stop daemons on master node first +- Don't warn about broken SSH setup of offline nodes (Issue 1131) +- Fix computation in network blocks +- At IAlloc backend guess state from admin state +- Set node tags in iallocator htools backend +- Only search for Python-2 interpreters +- Handle Xen 4.3 states better +- Improve xl socat migrations + + +Version 2.15.1 +-------------- + +*(Released Mon, 7 Sep 2015)* + +New features +~~~~~~~~~~~~ + +- The ext template now allows userspace-only disks to be used + +Bugfixes +~~~~~~~~ + +- Fixed the silently broken 'gnt-instance replace-disks --ignore-ipolicy' + command. +- User shutdown reporting can now be disabled on Xen using the + '--user-shutdown' flag. +- Remove falsely reported communication NIC error messages on instance start. +- Fix 'gnt-node migrate' behavior when no instances are present on a node. +- Fix the multi-allocation functionality for non-DRBD instances. + + +Version 2.15.0 +-------------- + +*(Released Wed, 29 Jul 2015)* + +Incompatible/important changes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- In order to improve allocation efficiency when using DRBD, the cluster + metric now takes the total reserved memory into account. A consequence + of this change is that the best possible cluster metric is no longer 0. + htools(1) interprets minimal cluster scores to be offsets of the theoretical + lower bound, so only users interpreting the cluster score directly should + be affected. +- This release contains a fix for the problem that different encodings in + SSL certificates can break RPC communication (issue 1094). The fix makes + it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates' + after the cluster is fully upgraded to 2.14.1 + +New features +~~~~~~~~~~~~ + +- On dedicated clusters, hail will now favour allocations filling up + nodes efficiently over balanced allocations. + +New dependencies +~~~~~~~~~~~~~~~~ + +- The indirect dependency on Haskell package 'case-insensitive' is now + explicit. + + +Version 2.15.0 rc1 +------------------ + +*(Released Wed, 17 Jun 2015)* + +This was the first release candidate in the 2.15 series. All important +changes are listed in the latest 2.15 entry. + +Known issues: +~~~~~~~~~~~~~ + +- Issue 1094: differences in encodings in SSL certificates due to + different OpenSSL versions can result in rendering a cluster + uncommunicative after a master-failover. + + +Version 2.15.0 beta1 +-------------------- + +*(Released Thu, 30 Apr 2015)* + +This was the second beta release in the 2.15 series. All important changes +are listed in the latest 2.15 entry. + + +Version 2.14.2 +-------------- + +*(Released Tue, 15 Dec 2015)* + +Important changes and security notes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Security release. + +CVE-2015-7944 + +Ganeti provides a RESTful control interface called the RAPI. Its HTTPS +implementation is vulnerable to DoS attacks via client-initiated SSL +parameter renegotiation. While the interface is not meant to be exposed +publicly, due to the fact that it binds to all interfaces, we believe +some users might be exposing it unintentionally and are vulnerable. A +DoS attack can consume resources meant for Ganeti daemons and instances +running on the master node, making both perform badly. + +Fixes are not feasible due to the OpenSSL Python library not exposing +functionality needed to disable client-side renegotiation. Instead, we +offer instructions on how to control RAPI's exposure, along with info +on how RAPI can be setup alongside an HTTPS proxy in case users still +want or need to expose the RAPI interface. The instructions are +outlined in Ganeti's security document: doc/html/security.html + +CVE-2015-7945 + +Ganeti leaks the DRBD secret through the RAPI interface. Examining job +results after an instance information job reveals the secret. With the +DRBD secret, access to the local cluster network, and ARP poisoning, +an attacker can impersonate a Ganeti node and clone the disks of a +DRBD-based instance. While an attacker with access to the cluster +network is already capable of accessing any data written as DRBD +traffic is unencrypted, having the secret expedites the process and +allows access to the entire disk. + +Fixes contained in this release prevent the secret from being exposed +via the RAPI. The DRBD secret can be changed by converting an instance +to plain and back to DRBD, generating a new secret, but redundancy will +be lost until the process completes. +Since attackers with node access are capable of accessing some and +potentially all data even without the secret, we do not recommend that +the secret be changed for existing instances. + +Minor changes +~~~~~~~~~~~~~ + +- Allow disk attachment to diskless instances +- Calculate correct affected nodes set in InstanceChangeGroup + (Issue 1144) +- Do not retry all requests after connection timeouts to prevent + repeated job submission +- Fix reason trails of expanding opcodes +- Make lockConfig call retryable +- Extend timeout for gnt-cluster renew-crypto +- Return the correct error code in the post-upgrade script +- Make OpenSSL refrain from DH altogether +- Fix faulty iallocator type check +- Improve cfgupgrade output in case of errors +- Fix upgrades of instances with missing creation time +- Make htools tolerate missing "dtotal" and "dfree" on luxi +- Fix default for --default-iallocator-params +- Renew-crypto: stop daemons on master node first +- Don't warn about broken SSH setup of offline nodes (Issue 1131) +- At IAlloc backend guess state from admin state +- Set node tags in iallocator htools backend +- Only search for Python-2 interpreters +- Handle Xen 4.3 states better +- Improve xl socat migrations +- replace-disks: fix --ignore-ipolicy +- Fix disabling of user shutdown reporting +- Allow userspace-only disk templates +- Fix instance failover in case of DTS_EXT_MIRROR +- Fix operations on empty nodes by accepting allocation of 0 jobs +- Fix instance multi allocation for non-DRBD disks +- Redistribute master key on downgrade +- Allow more failover options when using the --no-disk-moves flag + + +Version 2.14.1 +-------------- + +*(Released Fri, 10 Jul 2015)* + +Incompatible/important changes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- The SSH security changes reduced the number of nodes which can SSH into + other nodes. Unfortunately enough, the Ganeti implementation of migration + for the xl stack of Xen required SSH to be able to migrate the instance, + leading to a situation where full movement of an instance around the cluster + was not possible. This version fixes the issue by using socat to transfer + instance data. While socat is less secure than SSH, it is about as secure as + xm migrations, and occurs over the secondary network if present. As a + consequence of this change, Xen instance migrations using xl cannot occur + between nodes running 2.14.0 and 2.14.1. +- This release contains a fix for the problem that different encodings in + SSL certificates can break RPC communication (issue 1094). The fix makes + it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates' + after the cluster is fully upgraded to 2.14.1 + +Other Changes +~~~~~~~~~~~~~ + +- The ``htools`` now properly work also on shared-storage clusters. +- Instance moves now work properly also for the plain disk template. +- Filter-evaluation for run-time data filter was fixed (issue 1100). +- Various improvements to the documentation have been added. + + +Version 2.14.0 +-------------- + +*(Released Tue, 2 Jun 2015)* + +New features +~~~~~~~~~~~~ + +- The build system now enforces external Haskell dependencies to lie in + a supported range as declared by our new ganeti.cabal file. +- Basic support for instance reservations has been added. Instance addition + supports a --forthcoming option telling Ganeti to only reserve the resources + but not create the actual instance. The instance can later be created with + by passing the --commit option to the instance addition command. +- Node tags starting with htools:nlocation: now have a special meaning to htools(1). + They control between which nodes migration is possible, e.g., during hypervisor + upgrades. See hbal(1) for details. +- The node-allocation lock as been removed for good, thus speeding up parallel + instance allocation and creation. +- The external storage interface has been extended by optional ``open`` + and ``close`` scripts. + +New dependencies +~~~~~~~~~~~~~~~~ + +- Building the Haskell part of Ganeti now requires Cabal and cabal-install. + +Known issues +~~~~~~~~~~~~ + +- Under certain conditions instance doesn't get unpaused after live + migration (issue #1050) + +Since 2.14.0 rc1 +~~~~~~~~~~~~~~~~ + +- The call to the IAllocator in 'gnt-node evacuate' has been fixed. +- In opportunistic locking, only ask for those node resource locks where + the node lock is held. +- Lock requests are repeatable now; this avoids failure of a job in a + race condition with a signal sent to the job. +- Various improvements to the QA. + + +Version 2.14.0 rc2 +------------------ + +*(Released Tue, 19 May 2015)* + +This was the second release candidate in the 2.14 series. All important +changes are listed in the 2.14.0 entry. + +Since 2.14.0 rc1 +~~~~~~~~~~~~~~~~ + +- private parameters are now properly exported to instance create scripts +- unnecessary config unlocks and upgrades have been removed, improving + performance, in particular of cluster verification +- some rarely occuring file-descriptor leaks have been fixed +- The checks for orphan and lost volumes have been fixed to also work + correctly when multiple volume groups are used. + + +Version 2.14.0 rc1 +------------------ + +*(Released Wed, 29 Apr 2015)* + +This was the first release candidate in the 2.14 series. All important +changes are listed in the latest 2.14 entry. + +Since 2.14.0 beta2 +~~~~~~~~~~~~~~~~~~ + +The following issue has been fixed: + +- A race condition where a badly timed kill of WConfD could lead to + an incorrect configuration. + +Version 2.16.0 beta1 +-------------------- + +*(Released Tue, 28 Jul 2015)* + +This was the first beta release of the 2.16 series. All important changes +are listed in the latest 2.16 entry. Version 2.15.2 -------------- @@ -439,7 +883,6 @@ Version 2.14.0 beta1 This was the first beta release of the 2.14 series. All important changes are listed in the latest 2.14 entry. - Version 2.13.3 -------------- -- 2.7.0.rc3.207.g0ac5344
