Apache Traffic Control 8.0.0 - January 30th, 2024
Apache Traffic Control 8.0.0 is available here:
Release Notes
Traffic Ops
- Client Certificate Authentication: The ability for a Traffic Ops (TO) instance to accept TLS certificates from a client request and verify them against specified Root CA’s certificate as a form of login. This is not to be confused with mTLS, albeit a similar design. Should a client not send a TLS certificate as part of the request login functionality will default to standard form authentication.
- Assignment of multiple Server Capabilities to a Server and vice-versa: Previous releases only allowed 1:1 assignment of server to a capability and vice-versa. This release now supports multiple assignments (1:many).
- Simplification of CDN configs by removing hypnotoad section (used in deploying TO locally or in CIAB) was no longer being used.
- Layered Profile: Aggregation of parameters based on profile priority.
- Delivery Services: Regional field added to aid
maxOriginConnections
- Permission and Roles: Added new permissions (e.g.:
SSL-KEY_EXPIRATION:READ, ACME:READ, etc.) to various roles. Also created a new role (trouter) to monitor Traffic Ops resources. Return empty array when no permission are given for a roles API (PUT, POST)
- Reporting: Added a feature to indicate success and failure during server upgrade.
- OAuth Added OAuth security when using Microsoft Authenticator and an optional field
oauth_user_attribute for OAuth login credentials along with usage of ID token instead of Access Token for authentication.
- #7674 Added the ability to indicate if a server failed its revalidate/config update.
- Python Client uses APIv5
-
Fixed the following issues/bugs:
- #7891 Created clause to distinguish api versions < 5 when handling 403 in middleware wrappers and updated job routes for v4 and v5.
- #7890 Fixed missing changelog entries to v5 routes.
- #7887 Limit Delivery Services returned for GET /servers/{id}/deliveryservices to ones in the same CDN
- #7878 Fixed the case where TO was failing to assign delivery services to a server, due to a bug in the way the list of preexisting delivery services was being returned.
- #4428 Fixed Internal Server Error with POST to
profileparameters when POST body is empty
- #7047 Allow
apply_time query parameters on the servers/{id-name}/update when the CDN is locked.
- #7046 API
deliveryservices/sslkeys/add now checks that each cert in the chain is related.
- #6340 Fixed alert messages for POST and PUT invalidation job APIs.
- #7519 Fixed TO API
/servers/{id}/deliveryservices endpoint to responding with all DS’s on cache that are directly assigned and inherited through topology.
- #7130 Fixed service_categories response to POST API.
- #6229 Fixed error message for assignment of non-existent parameters to a profile.
- #6775 Invalid “orgServerFqdn” in Delivery Service creation/update causes Internal Server Error
- #6385 Fixed reserved consistentHashQueryParameters from causing internal server error to a client error
- #4393 Fixed the error code and alert structure when TO is queried for a delivery service with no ssl keys.
- #7762 Fixed
/phys_locations PUT API to remove error related to mismatching region name and ID.
- #7511 Fixed the changelog registration message to include the username instead of duplicate email entry.
- #7441 Fixed the invalidation jobs endpoint to respect CDN locks.
- #7282 Fixed issue with user getting correctly logged when using an access or bearer token authentication.
- #7231 Fixed
sharedUserNames display while retrieving CDN locks.
- #7628 Fixed an issue where certificate chain validation failed based on leading or trailing whitespace.
- #7688 Fixed ability to view secured parameters when role has correct permissions.
- #7697 Fixed display of
iloPassword and xmppPassword, now based on permissions and instead of priv-level.
Breaking changes:
- Fixed DS “ACTIVE” flag (Blueprint): Previously setting a Delivery Service (DS) to “Inactive” actually only sets it to “not routed”. There is no way to create a Delivery Service (with assigned servers) that will not be distributed to cache server configuration. This fix changes the
Active property of Delivery Services from a boolean to an enumerated string constant that can represent three different “Activity States” for a Delivery Service.
- Updated
LastUpdated field across multiple APIs to use RFC3339 instead of deprecated time.Time.
- Capabilities are now part of DS structure instead of a separate struct.
Traffic Portal
Delivery Service (DS):
- Added server capability (removed from DS context menu), lastUpdated fields to the DS forms.
- Added the ability to tell if a DS has the target of another steering DS.
- New config options in traffic_portal_properties.json for DS active flag feature.
Certs: Added visuals to DS cert expiration grid rows and the the ability to inspect a user provider cert, or the cert chain on DS SSL keys, and to delete a cert. Also added a revert certificate functionality.
Servers: Improved information about profile priorities with respect to layered profile.
Change Log: Ability to view entire log message by clicking on it.
CDN: Added TTLOverride field to allow a quick turnaround time when performing TR maintenance that involves restarts.
UI Beautification: Added better labels for widgets, simplifying DS button bar by moving DS changes/ DSRs under More menu, obscure sensitive text in raw remap fields, private SSL keys, “Header Rewrite” rules, and ILO interface passwords.
- Dependent on NodeJS version 16 or later
-
Fixed the following issues/bugs:
- #7885 Fixed the issue where Compare Profiles page was not being displayed.
- #7879 Fixed broken capability links for delivery service and added required capability as a column in DS table.
- #7049, #7052 Fixed server table’s quick search and filter option for multiple profiles.
- #7080, #6335 Fixed redirect links for server capability.
- #7414 Fixed DSR difference for DS required capability.
- #5557 Moved
Fair Queueing Pacing Rate Bps DS field to Cache Configuration Settings section.
- #7216 Fixed sort for Server’s Capabilities Table
- #7179 Fixed search filter for Delivery Service Table
- #7174 Fixed topologies sort (table and Delivery Service’s form)
- #5970 Fixed numeric sort in Delivery Service’s form for DSCP
- #5971 Fixed Max DNS Tool Top link to open in a new page
Traffic Router
- Optimized TR’s logic in zone detection and ability to handle DDOS attack by increasing TTL value.
- Logging improved for a better connection and user experience.
- Removed
dnssec.zone.diffing.enabled and dnssec.rrsig.cache.enabled parameters
- #7808 Set SOA
minimum field to a custom value defined in the tld.soa.minimum param, and remove the previously added dns.negative.caching.ttl property.
-
Fixed the following issues/bugs:
- #7340 Fixed TR logging for the
cqhv field when absent.
- #7252 Fixed integer overflow for
czCount, by resetting the count to max value when it overflows.
- #7093 Updated Apache Tomcat from 9.0.43 to 9.0.67
- #3965 TR now always includes a
Content-Length header in the response.
- #6533 TR should not rename/recreate log files on rollover
Traffic Stats
- Improved logic to handle connection leaks and client requests timeout to Traffic Ops
Traffic Monitor
- Improved logging with respect to ip availability for both, v4 and v6
- Fixed the bandwidth doubling issue per cache.
Traffic Control Cache Config (T3C) (formerly ORT)
- Config Generation: Addition of t3c-apply flag to allow ease of usage locally and a descriptive exit error message on failure.
- RPM Checks added to keep cache config up to date in case of RPM failures.
- Added support for anycast
- Decreased the amount of commits to the repo by removing timestamp from metadata file.
- #7719 Added automatic self-healing when using slice plugin.
-
Fixed the following:
- #7817 Fixed issue that would cause null ptr panic on client fallback.
- #7866 Fixed rpm db check to work with rocky linux 9.
- #7021 Fixed cache config for Delivery Services with IP Origins.
- #7043 Fixed cache config missing retry parameters for non-topology MSO Delivery Services going direct from edge to origin.
- #7163 Fix cache config for multiple profiles
- #6695 Directory creation was erroneously reporting an error when actually succeeding.
- #7590 Fixed issue with git detected dubious ownership in repository.
- #7137 parent.config simulate topology for non topo delivery services.
- #7153 Adds an extra T3C check for validity of an ssl cert (crash fix).
- #7182 Sort peers used in strategy.yaml to prevent false positive for reload.
- #7204 strategies.yaml hash_key only for consistent_hash
- #7277 remapdotconfig: remove skip check at mids for nocache/live
- #7346 Fixed issue with stale lock file when using git to track changes.
- #7352 Fixed issue with application locking which would allow multiple instances of
t3c apply to run concurrently.
- #7411 Fixed issue with wrong parent ordering with MSO non-topology delivery services.
- #7425 Fixed issue with layered profile iteration being done in the wrong order.
- #7471 Fixed issue with MSO non topo origins from multiple cache groups.
TC Health Client
Added a peer monitoring flag in strategies.yaml
Added three health mechanisms: L4 health (a TCP syn-ack-rst), L7 health (a successful HTTP response), and a meta-parent poll which polls the parent’s own health client parent health and uses a heuristic of unavailable parents on the parent.
T3C Traffic Control Health Client upgraded to Apache Traffic Server (ATS) 9.2.
Other Components
CDN in a Box, the t3c integration tests, and the tc health client integration tests now use 9.1.
#7896 ATC Build system: Count commits since the last release, not commits.