Support for ATS Slice plugin in Traffic Ops, including new Delivery Service Raw Remap
Ability to enable EDNS0 client subnet at the delivery service level
New IPv6 changes:
Traffic Portal and Traffic Ops now accept IPv6-only servers
Traffic Monitor now polls caches over IPv6 in addition to IPv4, separating the
availability status of each (make sure to update the allow_ip6
profile parameter to include the IPv6 addresses of your Traffic Monitors,
otherwise they will fail to poll over IPv6 and consider those caches to be
unavailable over IPv6)
Traffic Router will route IPv4 clients to caches with IPv4 availability and
route IPv6 clients to caches with IPv6 availability
Traffic Router DNSSEC zone diffing performance enhancement
Traffic Monitor optimistic quorum
Traffic Ops API 2.0. This new major API version contains several new routes but does not
contain many deprecated routes from API 1.x (which will be available until the ATC 5.0
release). API clients should begin migrating to API 2.0 as soon as possible. For the
full lists of new or deprecated routes, please see the changelog.
Ability to choose the TLS version used for Traffic Ops to make requests to Traffic
Vault. Note: the default is now TLSv1.1, which may require configuration changes to
Riak. See Enabling TLS 1.1
This release contains many new bug fixes. For the full list, please see the changelog.
The Traffic Ops db/admin.pl script has now been removed. Please use the
db/admin binary instead.
Removed from Traffic Portal the ability to view cache server config files as the
contents are no longer reliable through the TO API due to the introduction of atstccfg.
Traffic Ops Python client no longer supports Python 2.
It is essential that you verify the integrity of the downloaded files using the PGP signatures or MD5 checksums.
The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the `ASC` signature file
for the relevant distribution. Make sure you get these files from the main distribution directory, rather than
from a mirror. Then verify the signatures using:
% pgpk -a KEYS
% pgpv apache-trafficcontrol-4.1.0.tar.gz.asc
% pgp -ka KEYS
% pgp apache-trafficcontrol-4.1.0.tar.gz.asc
% gpg --import KEYS
% gpg --verify apache-trafficcontrol-4.1.0.tar.gz.asc apache-trafficcontrol-4.1.0.tar.gz
$ gpg --verify apache-trafficcontrol-4.1.0.tar.gz.asc apache-trafficcontrol-4.1.0.tar.gz
gpg: Signature made Tue Feb 11 09:38:30 2020 MST
gpg: using RSA key BF4A8D7307B8EEC7BFB4D8CB8A0712500C70C06E
gpg: Good signature from "Rawlin Peters (apache signing key) " [ultimate]
Additionally, you should verify the SHA checksum of the files. A Unix program called `sha` or `shasum` is
included in many Unix distributions. It is also available as part of GNU Textutils. An MD5 checksum
(deprecated) consists of 32 hex characters, and a SHA512 checksum consists of 128 hex characters. Ensure your
generated checksum string matches the checksum string published in the files above.
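The two checks described above, combined into one script (an added example, not part of the original release notes or the project's tooling). It assumes the published SHA-512 value sits beside the tarball in a file with a .sha512 suffix, and it pins the signer to the key fingerprint shown in the sample gpg output; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ATC project): check digest, then pin the signer.
# Fingerprint copied from the sample gpg output on this page.
PINNED_FPR="BF4A8D7307B8EEC7BFB4D8CB8A0712500C70C06E"

# Print the lowercase SHA-512 hex digest of a file with whichever tool exists.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Pull the published digest out of a digest file. Whitespace is dropped first so
# both "digest  filename" and "filename: AB12 CD34 ..." layouts are accepted.
published_sha512() {
    tr -d ' \t\r\n' < "$1" | tr 'A-F' 'a-f' | grep -Eo '[0-9a-f]{128}' | head -n 1
}

# Return 0 on match, 1 on mismatch, 2 if the file holds no 128-hex-char digest
# (for example a 32-character MD5, which must not be accepted in its place).
check_sha512() {
    want=$(published_sha512 "$2")
    [ "${#want}" -eq 128 ] || { echo "no SHA-512 digest in $2" >&2; return 2; }
    [ "$(sha512_of "$1")" = "$want" ] || { echo "SHA-512 mismatch: $1" >&2; return 1; }
}

# Return 0 only if gpg reports a valid signature made by the pinned key.
# "Good signature" alone only shows that some key in the keyring signed the file.
check_signer() {
    fpr=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
          awk '$2 == "VALIDSIG" {print $3}')
    [ "$fpr" = "$PINNED_FPR" ] || { echo "unexpected signer: ${fpr:-none}" >&2; return 1; }
}

# Assumed layout: FILE, FILE.sha512 and FILE.asc in the same directory.
verify_release() {
    check_sha512 "$1" "$1.sha512" && check_signer "$1" "$1.asc"
}

# Run as: sh verify.sh apache-trafficcontrol-4.1.0.tar.gz
[ "$#" -eq 0 ] || verify_release "$1"
```

The script exits non-zero when the digest file holds no SHA-512 value, when the digest differs, or when the signature was made by any key other than the pinned one.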
Server Capabilities: server capabilities can now be created and
assigned to servers. Delivery services can now require certain server
capabilities, and servers that lack the required capabilities will not serve those
delivery services. As an example, by default, MID caches will serve all
delivery services in a given CDN, but this feature can be used to allow only a subset
of MID caches to serve certain delivery services (based on the server
capabilities assigned to the MID caches and required by the delivery
services). See the blueprint
Certificate deletion upon delivery service deletion: Snapshotting the
CRConfig now deletes HTTPS certificates in Riak for delivery services which have been
deleted in Traffic Ops.
SSO login using OAuth: Traffic Ops now provides the ability to log in
using an OAuth provider, and this functionality is now integrated in Traffic Portal. A
field is added to cdn.conf to configure whitelisted URLs for the JSON Key Set URL returned
from the OAuth provider. Added fields to traffic_portal_properties.json to configure SSO
through OAuth for Traffic Portal.
API rewrite from Perl to Go: A large number of API endpoints were
rewritten from Perl to Go
API Routing Blacklist: via the routing_blacklist field in
cdn.conf, enable certain whitelisted Go routes to be handled by Perl
instead (via the perl_routes list) in case a regression is found in the Go
handler, and explicitly disable any routes via the disabled_routes list.
Requests to disabled routes are immediately given a 503 response. Both fields are lists
of Route IDs, and route information (ID, version, method, path, and whether or not it
can bypass to Perl) can be found by running ./traffic_ops_golang
--api-routes. To disable a route or have it bypassed to Perl, find its Route
ID using the previous command and put it in the disabled_routes or perl_routes
Regional Geo-blocking for steering delivery services: Regional
Geo-blocking is now supported for steering-based delivery services
Added pagination support to some Traffic Ops endpoints via three new query parameters,
limit and offset/page
Traffic Ops now supports a "sortOrder" query parameter on some endpoints to return API
responses in descending order
Traffic Ops now uses a consistent format for audit logs across all Go endpoints
Added an optional SMTP server configuration to the TO configuration file; the API now has
the ability to send emails
To support reusing a single Riak cluster connection, an optional parameter is added to
riak.conf: "HealthCheckInterval". This option takes a 'Duration' value (e.g. 10s, 5m)
which affects how often the Riak cluster is health checked. Default is currently set to:
Fixed a regression where the Expires cookie header was not being set
properly in responses. Also, added the Max-Age cookie header in responses.
Fixed issue #3497: TO
API clients that don't specify the latest minor version will overwrite/default any
fields introduced in later versions
Fixed issue #3587:
Fixed Traffic Ops Golang reverse proxy and Riak logs to be consistent with the format of
other error logs.
Database migrations have been collapsed. Rollbacks to 3.1 and earlier migrations are no
longer possible. As always, backup your database before upgrading.
The TO API /cachegroup_fallbacks endpoint is now deprecated. That
functionality was added to the /cachegroups API.
The db/admin.pl script is now deprecated. There is a new Go
db/admin binary to replace the Perl db/admin.pl script, which will be
removed in a future release. The new db/admin binary is essentially a drop-in
replacement for db/admin.pl since it supports all of the same commands and options;
therefore, it should be used in place of db/admin.pl for all the same tasks.
The deprecated Traffic Ops UI has been removed in favor of the Traffic Portal UI
The location of the Traffic Ops influxdb.conf config file has changed from
traffic_ops/app/conf/production/influxdb.conf to traffic_ops/app/conf/influxdb.conf.
Please move any existing influxdb.conf to the new location.
The /api/1.1/osversions endpoint (used for ISO generation) now expects the
Perl osversions.cfg configuration file to be JSON. Added a traffic_ops/app/bin/osversions-convert.pl
script to convert the osversions.cfg file from Perl to JSON as part of the
/osversions endpoint rewrite.
traffic_ops/app/bin/checks/ToDnssecRefresh.pl now requires "user" and "pass" parameters
of an operations-level user! Update your scripts accordingly! This was necessary to move
to an API endpoint with proper authentication, which may be safely exposed.
Consistent Hash Query Parameters: Traffic Ops now allows HTTP delivery
services to have a set of query parameter keys to be retained for consistent hash
generation by Traffic Router. This should be used for query parameters that produce
unique content from the origin. For example, if the paths `/foo?a=1` and
`/foo?a=2` each return unique content, you should add `a` to the
list of consistent hash query parameters for that delivery service. This allows clients
to be routed to edges for that content more efficiently.
Client Steering Forced Diversity: force Traffic Router to return more
unique edge caches in CLIENT_STEERING results instead of the default behavior which can
sometimes return a result of multiple targets using the same edge cache. In the case of
edge cache failures, this feature will give clients a chance to retry a different edge
cache. This can be enabled with the new client.steering.forced.diversity
Traffic Router profile parameter.
Tunable bounded queue to support DNS request processing.
Default Certificate: TR now generates a self-signed certificate at
startup and uses it as the default TLS cert. The default certificate is used whenever a
client attempts an SSL handshake for an SNI host which does not match any of the other
TLS certificate validation on certificates imported from Traffic Ops:
validates modulus of private and public keys
validates current timestamp falls within the certificate date bracket
validates certificate subjects against the DS URL
Fixed a bug which would cause REFUSED DNS answers if the zone priming
execution did not complete within the configured zonemanager.init.timeout
Fixed issue #2821:
Traffic Router may choose wrong certificate when SNI names overlap
Modified Traffic Router logging format to include an additional field for DNS log
entries, namely rhi. This defaults to '-' and is only used when EDNS0
client subnet extensions are enabled and a client subnet is present in the request. When
enabled and a subnet is present, the subnet appears in the chi field and
the resolver address is in the rhi field.
Fixed issue #3476:
Traffic Router returns partial result for CLIENT_STEERING Delivery Services when
Regional Geoblocking or Anonymous Blocking is enabled.
Modified Traffic Router API to be available via HTTPS.
Added a context menu in place of the "Actions" column from the following tables in
Traffic Portal: cache group tables, CDN tables, delivery service tables, parameter
tables, profile tables, server tables.
Removed the need to specify line breaks using __RETURN__ in delivery
service edge/mid header rewrite rules, regex remap expressions, raw remap text and
traffic router additional request/response headers.
Provided the ability to clone delivery service assignments from one cache to another
cache of the same type. Issue #2963.
Delivery service table columns can now be rearranged and their visibility toggled on/off
as desired by the user. Hidden table columns are excluded from the table search. These
settings are persisted in the browser.
Server table columns can now be rearranged and their visibility toggled on/off as
desired by the user. Hidden table columns are excluded from the table search. These
settings are persisted in the browser.
All tables now include a 'CSV' link to enable the export of table data in CSV format.
Fixed issue #3275:
Improved the snapshot diff performance and experience.
The "Clone Delivery Service Assignments" menu item is now hidden on a cache when the
cache has zero delivery service assignments to clone.
Users with a specified role now have the ability to mark any delivery service request as
Cache-side ATS config generation: Added cache-side config generator,
atstccfg, installed with ORT. Includes all configs. Includes a plugin
Fixed ATS config generation to omit regex remap, header rewrite, URL Sig, and URI
Signing files for delivery services not assigned to that server.
Changed traffic_ops_ort.pl so that hdr_rw-.config files are compared with strict
ordering and line duplication when detecting configuration changes.
Fix to traffic_ops_ort.pl to strip specific comment lines before checking if a file has
changed. Also promoted a changed file message from DEBUG to ERROR for report mode.
ANYMAP override: in traffic_ops_ort.pl, added the ability to handle
##OVERRIDE## delivery service ANY_MAP raw remap text to replace and comment out a base
delivery service's remap rules. Note: this is a temporary feature and may be replaced in
Traffic Monitor now has a "gbps" calculated stat, allowing operators to monitor bandwidth
Added monitoring.json snapshotting. This stores the monitoring json in the same TO
database table as the crconfig snapshot. Snapshotting is now required in order to push
out monitoring changes.
UI updated to support HTTP or HTTPS traffic.
health/stat time now includes full body download (like prior TM <=2.1 version)
Issue #3605: Fixed
Traffic Monitor custom ports in health polling URL.