Releases: openziti/ziti
v0.31.0
Release 0.31.0
What's New
- Rate limiter for model changes
Rate Limiter for Model Changes
To prevent the controller from being overwhelmed by a flood of changes, a rate limiter
can be enabled in the configuration file. A maximum number of queued changes can also
be configured. The rate limiter is disabled by default for now. If not specified, the
default number of queued changes is 100.
When the rate limit is hit, an error will be returned. If the request came in from
the REST API, the response will use HTTP status code 429 (too many requests).
The OpenAPI specs have been updated, so if you're using a generated client to make
REST calls, it's recommended that you regenerate your client.
```yaml
commandRateLimiter:
  enabled: true
  maxQueued: 100
```
If the rate limiter is enabled, the following metrics will be produced:
- `command.limiter.queued_count` - gauge of the current number of queued operations
- `command.limiter.work_timer` - timer for operations. Includes the following:
  - A histogram of how long operations take to complete
  - A meter showing the rate at which operations are executed
  - A count of how many operations have been executed
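As an added illustration (not ziti's own implementation), the following Go sketch shows the behaviour the options above describe: a bounded queue of `maxQueued` changes, an immediate refusal that the REST layer maps to 429, and the value behind the queued-count gauge. The `CommandLimiter` type, `Submit` and `StatusFor` are this example's own names.

```go
package main

import (
	"errors"
	"net/http"
)

// ErrTooBusy is returned when the command queue is full; REST callers see it as HTTP 429.
var ErrTooBusy = errors.New("command rate limit reached: too many queued model changes")

// CommandLimiter is a bounded queue in front of a single worker that applies model
// changes in order. It mirrors the commandRateLimiter options (enabled, maxQueued);
// the queue semantics are assumed for this example, not taken from the ziti code.
type CommandLimiter struct {
	enabled bool
	queue   chan func()
}

// NewCommandLimiter applies the documented default of 100 queued changes when
// maxQueued is not set, and starts the worker that drains the queue.
func NewCommandLimiter(enabled bool, maxQueued int) *CommandLimiter {
	if maxQueued <= 0 {
		maxQueued = 100
	}
	l := &CommandLimiter{enabled: enabled, queue: make(chan func(), maxQueued)}
	go func() {
		for cmd := range l.queue {
			cmd()
		}
	}()
	return l
}

// Submit hands a model change to the worker. With the limiter enabled, a full queue
// is refused immediately with ErrTooBusy rather than making the caller wait; with it
// disabled (the default) the caller simply blocks until there is room.
func (l *CommandLimiter) Submit(cmd func()) error {
	if !l.enabled {
		l.queue <- cmd
		return nil
	}
	select {
	case l.queue <- cmd:
		return nil
	default:
		return ErrTooBusy
	}
}

// QueuedCount is the value the command.limiter.queued_count gauge would report.
func (l *CommandLimiter) QueuedCount() int { return len(l.queue) }

// Close stops accepting work; the worker exits once the queue drains.
func (l *CommandLimiter) Close() { close(l.queue) }

// StatusFor maps a command error to the HTTP status the REST API should return.
func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrTooBusy):
		return http.StatusTooManyRequests // 429, as the notes describe
	default:
		return http.StatusInternalServerError
	}
}
```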
Component Updates and Bug Fixes
- github.com/openziti/agent: v1.0.15 -> v1.0.16
- github.com/openziti/channel/v2: v2.0.101 -> v2.0.105
- github.com/openziti/edge-api: v0.25.38 -> v0.26.0
  - Issue #49 - Add 429 responses to allow indicating that the server is too busy
- github.com/openziti/identity: v1.0.64 -> v1.0.66
- github.com/openziti/metrics: v1.2.36 -> v1.2.37
- github.com/openziti/sdk-golang: v0.20.122 -> v0.20.129
  - Issue #443 - Don't send close in response to a close on a listener
- github.com/openziti/secretstream: v0.1.12 -> v0.1.13
- github.com/openziti/storage: v0.2.20 -> v0.2.23
- github.com/openziti/transport/v2: v2.0.109 -> v2.0.113
- github.com/openziti/ziti: v0.30.5 -> v0.31.0
  - Issue #1471 - Router links not resilient to controller crash
  - Issue #1468 - Quickstart quietly fails if password is < 5 characters long
  - Issue #1445 - Add controller update guardrail
  - Issue #1442 - Network watchdog not shutting down when controller shuts down
  - Issue #1465 - Upgrade functions `getZiti` and `performMigration` were only functional on Mac OS, now they are functional for Linux and Mac OSs.
  - Issue #1217 - Quickstart was improperly handling special characters in `ZITI_PWD`. Special characters are now supported for `ZITI_PWD` in quickstart functions.
v0.30.5
Release 0.30.5
What's New
- Initial proxy support in host.v1/host.v2
Proxy Support in host.v1/host.v2
`host.v1` and `host.v2` configurations may now specify a proxy to use.
Currently only HTTP Connect proxies which don't require authentication are supported.
Example using host.v1
```json
{
  "address": "192.168.2.50",
  "port": 1234,
  "protocol": "tcp",
  "proxy": {
    "address": "192.168.1.110:3128",
    "type": "http"
  }
}
```
Component Updates and Bug Fixes
- github.com/openziti/channel/v2: v2.0.99 -> v2.0.101
- github.com/openziti/edge-api: v0.25.37 -> v0.25.38
- github.com/openziti/foundation/v2: v2.0.32 -> v2.0.33
- github.com/openziti/identity: v1.0.63 -> v1.0.64
- github.com/openziti/metrics: v1.2.35 -> v1.2.36
- github.com/openziti/runzmd: v1.0.32 -> v1.0.33
- github.com/openziti/sdk-golang: v0.20.116 -> v0.20.122
  - Issue #436 - HTTP calls should respect environment proxy settings
- github.com/openziti/storage: v0.2.18 -> v0.2.20
  - Issue #52 - Grammar should expect single valid query followed by EOF
- github.com/openziti/transport/v2: v2.0.107 -> v2.0.109
- github.com/openziti/ziti: v0.30.4 -> v0.30.5
  - Issue #1336 - `ziti edge quickstart` did not create the usual edge router/service edge router policy.
  - Issue #1397 - HTTP Proxy support for host.v1/host.v2 config types
  - Issue #1423 - Controller crashes when edge router reconnects (Client Hello)
  - Issue #1414 - Race condition in xgress_edge_tunnel tunneller at start but not seen in pre-compiled binary
  - Issue #1406 - Entity change event dispatcher isn't shutting down properly when controller shuts down
  - Issue #1382 - service failure costs are not shrinking over time
v0.30.4
Release 0.30.4
What's New
- `ziti edge quickstart`
- Edge SDK terminator improvements
- host.v1 and host.v2 connectTimeout/connectTimeoutSeconds
- edge/fabric merge
ziti edge quickstart
- `ziti edge quickstart` (#1298). You can now download
the `ziti` CLI and have a functioning network with just one command. The network it creates is
ephemeral and is intended to be torn down when the process exits. It is intended for quick
evaluation and testing of an overlay network. It supports the following flags:
```
      --already-initialized     Specifies the PKI does not need to be created and the db does not need to be initialized. Recommended to be combined with --home. If --home is not specified the environment will be destroyed on shutdown! default: false
      --ctrl-address string     Sets the advertised address for the control plane and API
      --ctrl-port int16         Sets the port to use for the control plane and API
  -h, --help                    help for quickstart
      --home string             Sets the directory the environment should be installed into. Defaults to a temporary directory. If specified, the environment will not be removed on exit.
  -p, --password string         Password to use for authenticating to the Ziti Edge Controller. default: admin
      --router-address string   Sets the advertised address for the integrated router
      --router-port int16       Sets the port to use for the integrated router
  -u, --username string         Username to use when creating the Ziti Edge Controller. default: admin
```
Example Usage:
```shell
ziti edge quickstart \
  --ctrl-address potato \
  --ctrl-port 12345 \
  --router-address avacado \
  --router-port 23456 \
  --home $HOME/.ziti/pet-ziti \
  --already-initialized \
  --username someOtherUsername \
  --password someOtherPassword
```
Edge SDK Terminator Improvements
There was a race condition in edge SDK terminator handling, where if the SDK noticed a broken connection
before the router did, it would reconnect and rebind while the router still thought it had the old
connection and old binding. Because we were using the session token to key terminator state in the
router, the new terminator information would overwrite the old terminator information in the router.
However, in the controller, the information wouldn't get overridden, since we use a UUID to key
things in the controller. When the router noticed the old connection was gone it would try to clean
things up, but since the state had been overwritten, it couldn't and the controller would be left
with an orphaned terminator.
The router now uses a UUID as well so there shouldn't be any more orphaned terminators.
host.v1/host.v2 change
The host.v2 config type was mostly a collection of host.v1 instances. However, there was one small
difference. The host.v1 type had `connectTimeoutSeconds` in `listenOptions`, where host.v2
had `connectTimeout`, defined as a duration.
To bring them into alignment, both attributes are now supported in both config types.
However, `connectTimeout` will take precedence if both are present. `connectTimeout` is not yet
supported by all tunnelers. The following still need to be updated:
- ziti-edge-tunnel
- Desktop Edge for Windows
- Desktop Edge for Mac
- Mobile Edge for Android
- Mobile Edge for iOS
Once it is supported, we will deprecate `connectTimeoutSeconds` with a lengthy deprecation period.
At the end of the deprecation period we will migrate any remaining `connectTimeoutSeconds` values
to `connectTimeout`.
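An added Go example (not tunneler code) of the precedence rule above applied to a `listenOptions` fragment: the duration-valued `connectTimeout` wins when both are present, the legacy integer `connectTimeoutSeconds` is honoured otherwise, and absent or malformed values are reported rather than silently treated as zero. The Go type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// listenOptions carries the two timeout spellings discussed above. Pointers distinguish
// "absent" from a zero value; the surrounding host.v1/host.v2 structure is omitted here.
type listenOptions struct {
	ConnectTimeout        *string `json:"connectTimeout,omitempty"`        // duration string, e.g. "5s"
	ConnectTimeoutSeconds *int    `json:"connectTimeoutSeconds,omitempty"` // legacy integer seconds
}

var errNoTimeout = errors.New("no connect timeout configured")

// effectiveConnectTimeout applies the documented precedence: connectTimeout takes
// precedence when both are present; connectTimeoutSeconds is used otherwise.
func effectiveConnectTimeout(o listenOptions) (time.Duration, error) {
	if o.ConnectTimeout != nil {
		return time.ParseDuration(*o.ConnectTimeout)
	}
	if o.ConnectTimeoutSeconds != nil {
		return time.Duration(*o.ConnectTimeoutSeconds) * time.Second, nil
	}
	return 0, errNoTimeout
}

// timeoutFromJSON parses a listenOptions fragment as a config would carry it and resolves it.
func timeoutFromJSON(raw string) (time.Duration, error) {
	var o listenOptions
	if err := json.Unmarshal([]byte(raw), &o); err != nil {
		return 0, err
	}
	return effectiveConnectTimeout(o)
}
```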
Edge and Fabric Merges
The code from the fabric and edge repositories has been merged into the ziti repository. Once issues have been migrated, those two projects will be archived.
Component Updates and Bug Fixes
- github.com/openziti/channel/v2: v2.0.95 -> v2.0.99
- github.com/openziti/edge: v0.24.404 -> v0.24.420
  - Issue #1610 - Don't update identity on auth if sdkInfo and envInfo haven't changed
  - Issue #1611 - Some entity changes events are unattributed when generated from edge client rest endpoint
  - Issue #1616 - host.v1 and host.v2 are out of sync
  - Issue #1599 - entityChange events should mask or redact jwt token
  - Issue #1607 - remove enrollment tokens `not before`
  - Issue #1310 - router run --extend doesn't wait for control channel
- github.com/openziti/edge-api: v0.25.33 -> v0.25.37
  - Issue #44 - create session can return 404 if service id is invalid
- github.com/openziti/fabric: v0.24.23 -> v0.24.36
  - Issue #799 - Allow controllers to advertise capabilities to routers/other controllers
  - Issue #796 - Make link heartbeats configurable, including an unresponsive close timeout
  - Issue #794 - Add output file to ziti agent controller snapshot-db command
  - Issue #792 - include raft index in DB snapshot filename
  - Issue #791 - FieldError Reason field not parsed correctly when transmitted from cluster node to cluster node
  - Issue #789 - Retransmitting prevents circuit from being idle checked
- github.com/openziti/foundation/v2: v2.0.30 -> v2.0.32
- github.com/openziti/identity: v1.0.61 -> v1.0.63
- github.com/openziti/metrics: v1.2.33 -> v1.2.35
- github.com/openziti/runzmd: v1.0.30 -> v1.0.32
- github.com/openziti/sdk-golang: v0.20.101 -> v0.20.116
  - Issue #431 - sdk can panic when re-authenticating and rebinding at the same time
  - Issue #238 - service binding needs to restart if service is recreated
  - Issue #115 - Don't use hostname for CN in CSR
  - Issue #429 - error handling is broken, so we don't properly retry
- github.com/openziti/secretstream: v0.1.11 -> v0.1.12
- github.com/openziti/storage: v0.2.14 -> v0.2.18
  - Issue #31 - Fix ANTLR int overflow error on arm 32
- github.com/openziti/transport/v2: v2.0.103 -> v2.0.107
- github.com/openziti/ziti: v0.30.3 -> v0.30.4
  - Fixed an issue causing router configs to be rewritten when docker compose was brought up with existing configs
v0.30.3
Release 0.30.3
What's New
- Bugfixes
Component Updates and Bug Fixes
- github.com/openziti/edge: v0.24.401 -> v0.24.404
- github.com/openziti/fabric: v0.24.20 -> v0.24.23
  - Issue #786 - entityChangeEventDispatcher.flushLoop doesn't shutdown when controller shuts down
  - Issue #785 - Allow link groups to be single string value
  - Issue #783 - Raft cluster connections not updated for ALPN
- github.com/openziti/ziti: v0.30.2 -> v0.30.3
v0.30.2
Release 0.30.2
What's New
- Identity type consolidation
- HTTP Connect Proxy support for control channel and links
Identity Type Consolidation
Prior to this release there were four identity types:
- User
- Service
- Device
- Router
Of these four types, only Router has any functional purpose. Given that, the other three have been merged into
a single `Default` identity type. Since Router identities can only be created by the system, it's no longer
necessary to specify the identity type when creating identities.
The identity type may still be provided, but a deprecation warning will be emitted.
Backwards Compatibility
Existing non-Router identities will be migrated to the `Default` identity type. If an identity type other
than `Default` is provided when creating an identity, it will be coerced to the `Default` type. Existing
code may have issues with the new identity type being returned.
HTTP Connect Proxy support
Routers may now specify a proxy configuration which will be used when establishing connections to controllers
and data links to other routers. At this point only HTTP Connect Proxies with no authentication required are
supported.
Example router config:
```yaml
proxy:
  type: http
  address: localhost:3128
```
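The HTTP CONNECT exchange that both the host.v1/host.v2 `proxy` setting and this router `proxy` setting rely on, as an added Go example (not ziti's code): the client sends a CONNECT for the target through the proxy and only proceeds on a 200, and a proxy that insists on credentials (407) is treated as a failure, matching the "no authentication" limitation above. `connectThroughProxy`, `fakeProxy` and `tunnel` are this example's own names; the fake proxy is constructed in-process to answer a single CONNECT.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// connectThroughProxy sends an HTTP CONNECT for target over an already-open connection
// to the proxy and returns that connection, now carrying the tunnelled bytes. No
// credentials are sent, so a proxy that requires them will refuse.
func connectThroughProxy(proxy net.Conn, target string) (net.Conn, error) {
	req := &http.Request{
		Method: http.MethodConnect,
		URL:    &url.URL{Opaque: target}, // request-target is host:port, not a path
		Host:   target,
		Header: make(http.Header),
	}
	if err := req.Write(proxy); err != nil {
		return nil, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(proxy), req)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		// 407 Proxy Authentication Required lands here; it is reported, not retried.
		return nil, fmt.Errorf("proxy refused CONNECT %s: %s", target, resp.Status)
	}
	return proxy, nil
}

// fakeProxy is a constructed stand-in for the HTTP proxy: it answers one CONNECT with
// the given status and reports the target it was asked to reach.
func fakeProxy(conn net.Conn, status int, sawTarget chan<- string) {
	defer close(sawTarget)
	req, err := http.ReadRequest(bufio.NewReader(conn))
	if err != nil || req.Method != http.MethodConnect {
		fmt.Fprint(conn, "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
		return
	}
	sawTarget <- req.Host
	if status == http.StatusOK {
		fmt.Fprint(conn, "HTTP/1.1 200 Connection established\r\n\r\n")
		return
	}
	fmt.Fprintf(conn, "HTTP/1.1 %d %s\r\nProxy-Authenticate: Basic realm=\"demo\"\r\nContent-Length: 0\r\n\r\n",
		status, http.StatusText(status))
}

// tunnel runs the exchange over an in-memory pipe and returns the target the proxy
// saw together with any client-side error.
func tunnel(target string, proxyStatus int) (string, error) {
	client, server := net.Pipe()
	defer client.Close()
	defer server.Close()
	saw := make(chan string, 1)
	go fakeProxy(server, proxyStatus, saw)
	_, err := connectThroughProxy(client, target)
	return <-saw, err
}
```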
Component Updates and Bug Fixes
- github.com/openziti/channel/v2: v2.0.91 -> v2.0.95
- github.com/openziti/edge: v0.24.381 -> v0.24.401
  - Issue #1597 - ER/T cached API sessions aren't remembered when pulled from cache
  - Issue #1428 - Make identity type optional. Consolidate User/Service/Device to 'Default'.
  - Issue #1584 - AuthPolicyDetail is incompatible with API response
- github.com/openziti/edge-api: v0.25.31 -> v0.25.33
- github.com/openziti/fabric: v0.24.2 -> v0.24.20
  - Issue #775 - Add support for proxies for control channel and links
- github.com/openziti/foundation/v2: v2.0.29 -> v2.0.30
- github.com/openziti/identity: v1.0.60 -> v1.0.61
- github.com/openziti/runzmd: v1.0.29 -> v1.0.30
- github.com/openziti/sdk-golang: v0.20.90 -> v0.20.101
- github.com/openziti/storage: v0.2.12 -> v0.2.14
- github.com/openziti/transport/v2: v2.0.99 -> v2.0.103
  - Issue #54 - Support HTTP Connect proxying for TLS connections
- github.com/openziti/metrics: v1.2.31 -> v1.2.33
- github.com/openziti/secretstream: v0.1.10 -> v0.1.11
- github.com/openziti/ziti: v0.30.1 -> v0.30.2
  - Issue #1266 - Outdated README.md: Some links return "Page Not Found"
v0.30.1
Release 0.30.1
What's New
Component Updates and Bug Fixes
- github.com/openziti/ziti: v0.30.0 -> v0.30.1
  - Issue #1225 - Updated ZITI_ROUTER_ADVERTISED_HOST to use the more common naming convention of ZITI_ROUTER_ADVERTISED_ADDRESS
  - Issue #1233 - Added `lsof` to the list of prerequisites to be checked during quickstart
v0.30.0
Release 0.30.0
What's New
- Link management is now delegated to routers
- Controller and routers can operate with a single listening port
Link Management Updates
Previously, the controller would do its best to determine where links needed to be established.
It would send messages to the routers, telling them which addresses to dial on other routers.
The routers would in turn let the controller know if link establishment was successful or
if the router already had a link to the given endpoint.
With this release, the controller will only let routers know which routers exist, whether they
are currently connected to the controller, and what link listeners they are advertising. The
routers will now decide which links to make and let the controllers know as links are created
and broken.
Link Groups
Both dialers and listeners can now specify a set of groups. If no groups are specified, the
dialer or listener will be placed in the `default` group. Dialers will only attempt to dial
listeners who have at least one group in common with them.
Failed Links
Previously when a link failed, the controller would show it in the link list as failed for a time
before removing it. Now failed links are removed immediately. There are existing link events for
link creation and link failure which can be used for forensics.
Duplicate Links
There is a new link status `Duplicate` used when a router receives a link request and determines
that it's a duplicate of an existing link. This happens when two routers both have listeners
and dialers. They will often dial each other at the same time, resulting in a duplicate link.
Compatibility
If you use a 0.30+ controller with older routers, the controller will still do link calculation
and send dial messages, as long as the `enableLegacyLinkMgmt` setting is set to true.
If you use a pre-0.30.0 controller with newer routers, the new routers will still accept the
dial messages.
New Configuration
Controller
The controller has three new options:
```yaml
network:
  routerMessaging:
    queueSize: 100
    maxWorkers: 100
  enableLegacyLinkMgmt: true
```
When a router connects or disconnects from the controller, we send two sets of updates.
- If a router has connected we send it the state of the other routers
- We send all the other routers the updated state of the connecting/disconnecting router
These messages are sent using a worker pool. The size of the queue feeding the worker pool is controlled with
`routerMessaging.queueSize`. The max size of the worker pool is controlled with the `routerMessaging.maxWorkers`
option.
- queueSize
  - Min value: 0
  - Max value: 1,000,000
  - Default: 100
- maxWorkers
  - Min value: 1
  - Max value: 10,000
  - Default: 100
If you have routers older than 0.30.0, the controller will calculate which links to dial. This can be disabled
by setting `enableLegacyLinkMgmt` to false. This setting currently defaults to true, but will default to false
in a future release. In a subsequent release this functionality will be removed altogether.
Router
The router has new configuration options for link dialing.
```yaml
link:
  dialers:
    - binding: transport
      groups:
        - public
        - vpc1234
      healthyDialBackoff:
        retryBackoffFactor: 1.5
        minRetryInterval: 5s
        maxRetryInterval: 5m
      unhealthyDialBackoff:
        retryBackoffFactor: 10
        minRetryInterval: 1m
        maxRetryInterval: 1h
  listeners:
    - binding: transport
      groups: vpc1234
```
Groups
See above for a description of how link groups work.
Default value: `default`
Dial Back-off
Dialers can be configured with custom back-off behavior. Each dialer has a back-off policy for dialing
healthy routers (those that are connected to a controller) and a separate policy for unhealthy routers.
The back-off policies have the following attributes:
- minRetryInterval - duration specifying the minimum time between dial attempts
  - Min value: 10ms
  - Max value: 24h
  - Default: 5s for healthy, 1m for unhealthy
  - Format: Golang Durations, see: https://pkg.go.dev/maze.io/x/duration#ParseDuration
- maxRetryInterval - duration specifying the maximum time between dial attempts
  - Min value: 10ms
  - Max value: 24h
  - Default: 5m for healthy, 1h for unhealthy
  - Format: Golang duration, see: https://pkg.go.dev/maze.io/x/duration#ParseDuration
- retryBackoffFactor - factor by which to increase the retry interval between failed dial attempts
  - Min value: 1
  - Max value: 100
  - Default: 1.5 for healthy, 100 for unhealthy
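Added Go example (not router code) that validates a back-off policy against the bounds listed above and derives the resulting dial schedule for the healthy and unhealthy defaults. It assumes, as this example's reading of the attributes, that the wait starts at minRetryInterval, is multiplied by retryBackoffFactor after every failed attempt and is clamped to maxRetryInterval; the Go names are this example's own.

```go
package main

import (
	"fmt"
	"time"
)

// BackoffPolicy mirrors one healthyDialBackoff / unhealthyDialBackoff block.
type BackoffPolicy struct {
	MinRetryInterval   time.Duration
	MaxRetryInterval   time.Duration
	RetryBackoffFactor float64
}

// Defaults from the release notes for the two router states.
var (
	HealthyDefaults   = BackoffPolicy{5 * time.Second, 5 * time.Minute, 1.5}
	UnhealthyDefaults = BackoffPolicy{time.Minute, time.Hour, 100}
)

// Validate enforces the documented bounds for each attribute.
func (p BackoffPolicy) Validate() error {
	intervals := map[string]time.Duration{"minRetryInterval": p.MinRetryInterval, "maxRetryInterval": p.MaxRetryInterval}
	for name, d := range intervals {
		if d < 10*time.Millisecond || d > 24*time.Hour {
			return fmt.Errorf("%s %v outside [10ms, 24h]", name, d)
		}
	}
	if p.RetryBackoffFactor < 1 || p.RetryBackoffFactor > 100 {
		return fmt.Errorf("retryBackoffFactor %v outside [1, 100]", p.RetryBackoffFactor)
	}
	return nil
}

// Schedule returns the wait before each of the next n dial attempts after a failure
// (assumed model: start at minRetryInterval, multiply by retryBackoffFactor after
// every failed attempt, never exceed maxRetryInterval).
func (p BackoffPolicy) Schedule(n int) []time.Duration {
	out := make([]time.Duration, 0, n)
	wait := float64(p.MinRetryInterval)
	for i := 0; i < n; i++ {
		d := time.Duration(wait)
		if d > p.MaxRetryInterval {
			d = p.MaxRetryInterval
		}
		out = append(out, d)
		wait *= p.RetryBackoffFactor
	}
	return out
}

// AttemptsUntilCapped counts the attempts until the wait reaches maxRetryInterval,
// which shows how much sooner the unhealthy policy stops hammering a router that is
// down. A factor of 1 never grows the wait, reported as 0.
func (p BackoffPolicy) AttemptsUntilCapped() int {
	if p.RetryBackoffFactor <= 1 {
		return 0
	}
	wait := float64(p.MinRetryInterval)
	n := 1
	for time.Duration(wait) < p.MaxRetryInterval {
		wait *= p.RetryBackoffFactor
		n++
	}
	return n
}
```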
Single Port/ALPN Changes
Ziti Controller and Routers can operate with a single open port. In order to implement this feature we use
the ALPN (Application Layer Protocol Negotiation) TLS extension. It allows a TLS client to request, and a TLS
server to select, the appropriate application protocol handler during the TLS handshake.
Protocol Details
The following protocol identifiers are defined:
| id        | purpose                               |
|-----------|---------------------------------------|
| ziti-ctrl | Control plane connections             |
| ziti-link | Fabric link connections               |
| ziti-edge | Client SDK connection to Edge Routers |
Standard HTTP protocol identifiers (`h2`, `http/1.1`) are used for Controller REST API and Websocket listeners.
Backward Compatibility
This feature is designed to be backward compatible with SDK clients: older clients will still be able to connect without
requesting the `ziti-edge` protocol.
Breaking
Older routers won't be able to establish control channels or fabric links with an updated network.
However, newer Edge Routers should be able to join an older network in some circumstances: only outbound links from new Routers would work.
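An added Go example (not the ziti implementation) of the single-port negotiation: one TLS handshake over an in-memory pipe with the identifiers from the table above, a dispatch on the negotiated protocol, and a client that sends no ALPN extension being routed to the edge handler, which is the backward-compatibility behaviour described for older SDK clients. The helper names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Identifiers from the table above plus the standard HTTP ones, in server preference order.
var serverProtos = []string{"ziti-ctrl", "ziti-link", "ziti-edge", "h2", "http/1.1"}

// handlerFor picks the listener that owns a connection from the negotiated ALPN value. An
// empty value means the client sent no ALPN extension (a pre-0.30 SDK); it goes to edge.
func handlerFor(negotiated string) string {
	switch negotiated {
	case "ziti-ctrl":
		return "control-plane"
	case "ziti-link":
		return "fabric-link"
	case "ziti-edge", "":
		return "edge"
	case "h2", "http/1.1":
		return "rest-api"
	}
	return "reject"
}

// selfSignedCert builds a throwaway certificate for the in-memory server; it panics on
// failure because it only serves this demo.
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// negotiate runs one TLS handshake over net.Pipe: the server offers serverProtos, the
// client offers clientProtos (nil models a legacy client with no ALPN), and the handler
// chosen from the negotiated protocol is returned.
func negotiate(clientProtos []string) (string, error) {
	srvConn, cliConn := net.Pipe()
	defer func() { srvConn.Close(); cliConn.Close() }()
	picked := make(chan string, 1)
	go func() {
		// Session tickets are a post-handshake write that the unbuffered pipe would block on.
		srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, NextProtos: serverProtos, SessionTicketsDisabled: true})
		if err := srv.Handshake(); err != nil {
			picked <- "handshake-error"
			return
		}
		picked <- handlerFor(srv.ConnectionState().NegotiatedProtocol)
	}()
	// InsecureSkipVerify only because the demo certificate is self-signed; never do this in a real client.
	cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, NextProtos: clientProtos})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return <-picked, nil
}
```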
Component Updates and Bug Fixes
- github.com/openziti/agent: v1.0.14 -> v1.0.15
- github.com/openziti/channel/v2: v2.0.84 -> v2.0.91
  - Issue #108 - Reconnecting underlay not returning headers from hello message
- github.com/openziti/edge: v0.24.364 -> v0.24.381
  - Issue #1548 - Panic in edge@v0.24.326/controller/sync_strats/sync_instant.go:194
- github.com/openziti/edge-api: v0.25.30 -> v0.25.31
- github.com/openziti/fabric: v0.23.45 -> v0.24.2
  - Issue #766 - Lookup of terminators with same instance id isn't filtering by instance id
  - Issue #692 - Add ability to control link formation between devices more granularly
  - Issue #749 - Move link control to router
  - Issue #343 - Link state Failed on startup
- github.com/openziti/foundation/v2: v2.0.28 -> v2.0.29
- github.com/openziti/identity: v1.0.59 -> v1.0.60
- github.com/openziti/runzmd: v1.0.28 -> v1.0.29
- github.com/openziti/sdk-golang: v0.20.78 -> v0.20.90
- github.com/openziti/storage: v0.2.11 -> v0.2.12
- github.com/openziti/transport/v2: v2.0.93 -> v2.0.99
- github.com/openziti/xweb/v2: v2.0.2 -> v2.1.0
- github.com/openziti/ziti-db-explorer: v1.1.1 -> v1.1.3
  - Issue #4 - db explore timeout error is uninformative
- github.com/openziti/metrics: v1.2.30 -> v1.2.31
- github.com/openziti/ziti: v0.29.0 -> v0.30.0
  - Issue #1199 - ziti edge list enrollments - CLI gets 404
  - Issue #1135 - Edge Router: Support multiple protocols on the same listener port
  - Issue #65 - Add ECDSA support to PKI subcmd
  - Issue #1212 - getZiti fails on Mac OS
  - Issue #1220 - Fixed getZiti function not respecting user input for custom path
v0.29.0
Release 0.29.0
What's New
Deprecated Binary Removal
This release removes the following deprecated binaries from the release archives.
- `ziti-controller` - replaced by `ziti controller`
- `ziti-router` - replaced by `ziti router`
- `ziti-tunnel` - replaced by `ziti tunnel`
The release archives now only contain the `ziti` executable. This executable is now at the root of the archive
instead of nested under a `ziti` directory.
Ziti CLI Demo Consolidation
The ziti CLI functions under `ziti learn`, namely `ziti learn demo` and `ziti learn tutorial`,
have been consolidated under `ziti demo`.
Continued Quickstart Changes
The quickstart continues to evolve. A breaking change has occurred as numerous environment variables used to customize the quickstart
have changed again. A summary of changes is below.
- All `ZITI_EDGE_ROUTER_` variables have been changed to just `ZITI_ROUTER_`.
  - `ZITI_EDGE_ROUTER_NAME` -> `ZITI_ROUTER_NAME`
  - `ZITI_EDGE_ROUTER_PORT` -> `ZITI_ROUTER_PORT`
  - `ZITI_EDGE_ROUTER_ADVERTISED_HOST` -> `ZITI_ROUTER_ADVERTISED_HOST`
  - `ZITI_EDGE_ROUTER_IP_OVERRIDE` -> `ZITI_ROUTER_IP_OVERRIDE`
  - `ZITI_EDGE_ROUTER_ENROLLMENT_DURATION` -> `ZITI_ROUTER_ENROLLMENT_DURATION`
  - `ZITI_EDGE_ROUTER_LISTENER_BIND_PORT` -> `ZITI_ROUTER_LISTENER_BIND_PORT`
- Additional variables have been added to support "alternative addresses" and "alternative PKI", for example
to support using Let's Encrypt certificates easily in the quickstarts.
- New variables were introduced to allow automatic generation of the `alt_server_certs` section. Both variables
must be supplied for the variables to impact the configurations.
  - `ZITI_PKI_ALT_SERVER_CERT` - "Alternative server certificate. Must be specified with ZITI_PKI_ALT_SERVER_KEY"
  - `ZITI_PKI_ALT_SERVER_KEY` - "Key to use with the alternative server certificate. Must be specified with ZITI_PKI_ALT_SERVER_CERT"
- New variables were introduced to allow one to override and customize the CSR section of routers which is used during enrollment.
  - `ZITI_ROUTER_CSR_C` - "The country (C) to use for router CSRs"
  - `ZITI_ROUTER_CSR_ST` - "The state/province (ST) to use for router CSRs"
  - `ZITI_ROUTER_CSR_L` - "The locality (L) to use for router CSRs"
  - `ZITI_ROUTER_CSR_O` - "The organization (O) to use for router CSRs"
  - `ZITI_ROUTER_CSR_OU` - "The organization unit to use for router CSRs"
  - `ZITI_ROUTER_CSR_SANS_DNS` - "The DNS name used in the CSR request"
- New variable `ZITI_CTRL_EDGE_BIND_ADDRESS` allows controlling the IP the edge API uses
Component Updates and Bug Fixes
- github.com/openziti/channel/v2: v2.0.81 -> v2.0.84
- github.com/openziti/edge: v0.24.348 -> v0.24.364
  - Issue #1543 - controller ca normalization can go into infinite loop on startup with bad certs
- github.com/openziti/edge-api: v0.25.29 -> v0.25.30
- github.com/openziti/fabric: v0.23.39 -> v0.23.45
- github.com/openziti/foundation/v2: v2.0.26 -> v2.0.28
- github.com/openziti/identity: v1.0.57 -> v1.0.59
- github.com/openziti/runzmd: v1.0.26 -> v1.0.28
- github.com/openziti/sdk-golang: v0.20.67 -> v0.20.78
- github.com/openziti/storage: v0.2.8 -> v0.2.11
- github.com/openziti/transport/v2: v2.0.91 -> v2.0.93
- github.com/openziti/metrics: v1.2.27 -> v1.2.30
- github.com/openziti/secretstream: v0.1.9 -> v0.1.10
- github.com/openziti/ziti: v0.28.4 -> v0.29.0
  - Issue #1180 - Add ability to debug failed smoketests
  - Issue #1169 - Consolidate demo and tutorial under demo
  - Issue #1168 - Remove ziti-controller, ziti-router and ziti-tunnel executables from build
  - Issue #1158 - Add iperf tests to ziti smoketest
v0.28.4
Release 0.28.4
Component Updates and Bug Fixes
- Restores Ziti Edge Client API as the default handler for `/version` and as the root handler to support previously enrolled GO SDK clients
v0.28.3
Release 0.28.3
What's New
Bug fix
Component Updates and Bug Fixes
- github.com/openziti/ziti: v0.28.2 -> v0.28.3