Apache Traffic Control 4.0.0 - March 26th, 2020
Apache Traffic Control 4.0.0 is available here:
Release Notes
Traffic Ops
- Server Capabilities: server capabilities can now be created and assigned to servers. Delivery services can now require certain server capabilities, and servers that lack the required capabilities will not serve those delivery services. As as an example, by default,
MID caches will serve all delivery services in a given CDN, but this feature can be used to allow a only a subset of MID caches to serve certain delivery services (based on the server capabilities assigned to the MID caches and required by the delivery services). See the blueprint
- Certificate deletion upon delivery service deletion: Snapshotting the CRConfig now deletes HTTPS certificates in Riak for delivery services which have been deleted in Traffic Ops.
- SSO login using OAuth: Traffic Ops now provides the ability to login using an OAuth provider, and this functionality is now integrated in Traffic Portal. A field is added to cdn.conf to configure whitelisted URLs for Json Key Set URL returned from OAuth provider. Added fields to traffic_portal_properties.json to configure SSO through OAuth for Traffic Portal.
- API rewrite from Perl to Go: A large number of API endpoints were rewritten from Perl to Go
- API Routing Blacklist: via the
routing_blacklist field in cdn.conf, enable certain whitelisted Go routes to be handled by Perl instead (via the perl_routes list) in case a regression is found in the Go handler, and explicitly disable any routes via the disabled_routes list. Requests to disabled routes are immediately given a 503 response. Both fields are lists of Route IDs, and route information (ID, version, method, path, and whether or not it can bypass to Perl) can be found by running ./traffic_ops_golang --api-routes. To disable a route or have it bypassed to Perl, find its Route ID using the previous command and put it in the disabled_routes or perl_routes list, respectively.
- Regional Geo-blocking for steering delivery services: Regional Geo-blocking is now supported for steering-based delivery services
- Added pagination support to some Traffic Ops endpoints via three new query parameters, limit and offset/page
- Traffic Ops now supports a "sortOrder" query parameter on some endpoints to return API responses in descending order
- Traffic Ops now uses a consistent format for audit logs across all Go endpoints
- Added an optional SMTP server configuration to the TO configuration file, api now has ability to send emails
- To support reusing a single riak cluster connection, an optional parameter is added to riak.conf: "HealthCheckInterval". This options takes a 'Duration' value (ie: 10s, 5m) which affects how often the riak cluster is health checked. Default is currently set to: "HealthCheckInterval": "5s".
- Fixed a regression where the
Expires cookie header was not being set properly in responses. Also, added the Max-Age cookie header in responses.
- Fixed issue #3497: TO API clients that don't specify the latest minor version will overwrite/default any fields introduced in later versions
- Fixed issue #3587: Fixed Traffic Ops Golang reverse proxy and Riak logs to be consistent with the format of other error logs.
- Database migrations have been collapsed. Rollbacks to 3.1 and earlier migrations are no longer possible. As always, backup your database before upgrading.
Deprecations
- The TO API
/cachegroup_fallbacks endpoint is now deprecated. That functionality was added to the /cachegroups API.
- The
db/admin.pl script is now deprecated. There is a new Go db/admin binary to replace the Perl db/admin.pl script, which will be removed in a future release. The new db/admin binary is essentially a drop-in replacement for db/admin.pl since it supports all of the same commands and options; therefore, it should be used in place of db/admin.pl for all the same tasks.
Breaking Changes
- The deprecated Traffic Ops UI has been removed in favor of the Traffic Portal UI
- The location of the Traffic Ops
influxdb.conf config file has changed from traffic_ops/app/conf/production/influxdb.conf to traffic_ops/app/conf/influxdb.conf. Please move any existing influxdb.conf to the new location.
- The
/api/1.1/osversions endpoint (used for ISO generation) now expects the Perl osversions.cfg configuration file to be JSON. Added a traffic_ops/app/bin/osversions-convert.pl script to convert the osversions.cfg file from Perl to JSON as part of the /osversions endpoint rewrite.
- traffic_ops/app/bin/checks/ToDnssecRefresh.pl now requires "user" and "pass" parameters of an operations-level user! Update your scripts accordingly! This was necessary to move to an API endpoint with proper authentication, which may be safely exposed.
Traffic Router
- Consistent Hash Query Parameters: Traffic Ops now allows HTTP delivery services to have a set of query parameter keys to be retained for consistent hash generation by Traffic Router. This should be used for query parameters that produce unique content from the origin. For example, if the paths
/foo?a=1 and /foo?a=2 each return unique content, you should add a to the list of consistent hash query parameters for that delivery service. This allows clients to be routed to edges for that content more efficiently.
- Client Steering Forced Diversity: force Traffic Router to return more unique edge caches in CLIENT_STEERING results instead of the default behavior which can sometimes return a result of multiple targets using the same edge cache. In the case of edge cache failures, this feature will give clients a chance to retry a different edge cache. This can be enabled with the new
client.steering.forced.diversity Traffic Router profile parameter.
- Tunable bounded queue to support DNS request processing.
- Default Certificate: TR now generates a self-signed certificate at startup and uses it as the default TLS cert. The default certificate is used whenever a client attempts an SSL handshake for an SNI host which does not match any of the other certificates.
- TLS certificate validation on certificates imported from Traffic Ops:
- validates modulus of private and public keys
- validates current timestamp falls within the certificate date bracket
- validates certificate subjects against the DS URL
- Fixed a bug which would cause
REFUSED DNS answers if the zone priming execution did not complete within the configured zonemanager.init.timeout period.
- Fixed issue #2821: Traffic Router may choose wrong certificate when SNI names overlap
- Modified Traffic Router logging format to include an additional field for DNS log entries, namely
rhi. This defaults to '-' and is only used when EDNS0 client subnet extensions are enabled and a client subnet is present in the request. When enabled and a subnet is present, the subnet appears in the chi field and the resolver address is in the rhi field.
- Fixed issue #3476: Traffic Router returns partial result for CLIENT_STEERING Delivery Services when Regional Geoblocking or Anonymous Blocking is enabled.
- Modified Traffic Router API to be available via HTTPS.
Traffic Portal
- Added a context menu in place of the "Actions" column from the following tables in Traffic Portal: cache group tables, CDN tables, delivery service tables, parameter tables, profile tables, server tables.
- Removed the need to specify line breaks using
__RETURN__ in delivery service edge/mid header rewrite rules, regex remap expressions, raw remap text and traffic router additional request/response headers.
- Provided the ability to clone delivery service assignments from one cache to another cache of the same type. Issue #2963.
- Delivery service table columns can now be rearranged and their visibility toggled on/off as desired by the user. Hidden table columns are excluded from the table search. These settings are persisted in the browser.
- Server table columns can now be rearranged and their visibility toggled on/off as desired by the user. Hidden table columns are excluded from the table search. These settings are persisted in the browser.
- All tables now include a 'CSV' link to enable the export of table data in CSV format.
- Fixed issue #3275: Improved the snapshot diff performance and experience.
- Disabled TLSv1
- The "Clone Delivery Service Assignments" menu item is now hidden on a cache when the cache has zero delivery service assignments to clone.
- Users with a specified role now have the ability to mark any delivery service request as complete.
- Improved profile comparison view in Traffic Portal.
ORT
- Cache-side ATS config generation: Added cache-side config generator,
atstccfg, installed with ORT. Includes all configs. Includes a plugin system.
- Fixed ATS config generation to omit regex remap, header rewrite, URL Sig, and URI Signing files for delivery services not assigned to that server.
- Changed traffic_ops_ort.pl so that hdr_rw-.config files are compared with strict ordering and line duplication when detecting configuration changes.
- Fix to traffic_ops_ort.pl to strip specific comment lines before checking if a file has changed. Also promoted a changed file message from DEBUG to ERROR for report mode.
- ANYMAP override: in traffic_ops_ort.pl added the ability to handle ##OVERRIDE## delivery service ANY_MAP raw remap text to replace and comment out a base delivery service remap rules. Note: this is a temporary feature and may be replaced in the future.
Traffic Monitor
- Traffic Monitor now has "gbps" calculated stat, allowing operators to monitor bandwidth in Gbps.
- Added monitoring.json snapshotting. This stores the monitoring json in the same TO database table as the crconfig snapshot. Snapshotting is now required in order to push out monitoring changes.
- UI updated to support HTTP or HTTPS traffic.
- health/stat time now includes full body download (like prior TM <=2.1 version)
- Issue #3605: Fixed Traffic Monitor custom ports in health polling URL.
- Issue #3646: Fixed Traffic Monitor Thresholds.