Apache Traffic Control - Current Release



Apache Traffic Control 8.0.2 - October 4th, 2024

Apache Traffic Control 8.0.2 is available here:

Release Notes

Traffic Ops

  • #8081 Updates the versions used for actions/artifact-download and actions/artifact-upload.
  • #8079 Update Postgres version to 13.16.
  • #8071 Improve validation for the `id` field of the `PUT /deliveryservice_request_comments.
  • #8056 Remove the `version` key from compose files and use `docker compose` instead of `docker-compose`.


Signing Keys

It is essential that you verify the integrity of the downloaded files using the PGP or MD5 signatures.

The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the `ASC` signature file for the relevant distribution. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures using:


% pgpk -a KEYS % pgpv apache-trafficcontrol-8.0.2.tar.gz.asc

or

% pgp -ka KEYS
% pgp apache-trafficcontrol-8.0.2.tar.gz.asc

or

% gpg --import KEYS
% gpg --verify apache-trafficcontrol-8.0.2.tar.gz.asc apache-trafficcontrol-8.0.2.tar.gz
 

$ gpg --verify apache-trafficcontrol-8.0.2.tar.gz.asc apache-trafficcontrol-8.0.2.tar.gz
gpg: Signature made Fri Sep 27 16:42:38 2024 MDT
gpg:                using RSA key 383FAA8E2028BB4796DFE5A177B0253DC9954099
gpg: Good signature from "Rima Shah <rshah@apache.org>" [ultimate]

Additionally, you should verify the SHA signature on the files. A unix program called `sha` or `shasum` is included in many unix distributions. It is also available as part of GNU Textutils. An MD5 signature (deprecated) consists of 32 hex characters, and a SHA512 signature consists of 128 hex characters. Ensure your generated signature string matches the signature string published in the files above.


Past Releases

Apache Traffic Control 8.0.1 - April 3rd, 2024

Apache Traffic Control 8.0.1 is available here:

Release Notes

Traffic Ops

  • #7957 Fix the incorrect display of delivery services assigned to ORG servers.
  • #7929 Ensure read-only role can perform only GET requests.

Apache Traffic Control 8.0.0 - January 30th, 2024

Apache Traffic Control 8.0.0 is available here:

Release Notes

Traffic Ops

  • Client Certificate Authentication: The ability for a Traffic Ops (TO) instance to accept TLS certificates from a client request and verify them against specified Root CA’s certificate as a form of login. This is not to be confused with mTLS, albeit a similar design. Should a client not send a TLS certificate as part of the request login functionality will default to standard form authentication.
  • Assignment of multiple Server Capabilities to a Server and vice-versa: Previous releases only allowed 1:1 assignment of server to a capability and vice-versa. This release now supports multiple assignments (1:many).
  • Simplification of CDN configs by removing hypnotoad section (used in deploying TO locally or in CIAB) was no longer being used.
  • Layered Profile: Aggregation of parameters based on profile priority.
  • Delivery Services: Regional field added to aid maxOriginConnections
  • Permission and Roles: Added new permissions (e.g.: SSL-KEY_EXPIRATION:READ, ACME:READ, etc.) to various roles. Also created a new role (trouter) to monitor Traffic Ops resources. Return empty array when no permission are given for a roles API (PUT, POST)
  • Reporting: Added a feature to indicate success and failure during server upgrade.
  • OAuth Added OAuth security when using Microsoft Authenticator and an optional field oauth_user_attribute for OAuth login credentials along with usage of ID token instead of Access Token for authentication.
  • #7674 Added the ability to indicate if a server failed its revalidate/config update.
  • Python Client uses APIv5
  • Fixed the following issues/bugs:
    • #7891 Created clause to distinguish api versions < 5 when handling 403 in middleware wrappers and updated job routes for v4 and v5.
    • #7890 Fixed missing changelog entries to v5 routes.
    • #7887 Limit Delivery Services returned for GET /servers/{id}/deliveryservices to ones in the same CDN
    • #7878 Fixed the case where TO was failing to assign delivery services to a server, due to a bug in the way the list of preexisting delivery services was being returned.
    • #4428 Fixed Internal Server Error with POST to profileparameters when POST body is empty
    • #7047 Allow apply_time query parameters on the servers/{id-name}/update when the CDN is locked.
    • #7046 API deliveryservices/sslkeys/add now checks that each cert in the chain is related.
    • #6340 Fixed alert messages for POST and PUT invalidation job APIs.
    • #7519 Fixed TO API /servers/{id}/deliveryservices endpoint to responding with all DS’s on cache that are directly assigned and inherited through topology.
    • #7130 Fixed service_categories response to POST API.
    • #6229 Fixed error message for assignment of non-existent parameters to a profile.
    • #6775 Invalid “orgServerFqdn” in Delivery Service creation/update causes Internal Server Error
    • #6385 Fixed reserved consistentHashQueryParameters from causing internal server error to a client error
    • #4393 Fixed the error code and alert structure when TO is queried for a delivery service with no ssl keys.
    • #7762 Fixed /phys_locations PUT API to remove error related to mismatching region name and ID.
    • #7511 Fixed the changelog registration message to include the username instead of duplicate email entry.
    • #7441 Fixed the invalidation jobs endpoint to respect CDN locks.
    • #7282 Fixed issue with user getting correctly logged when using an access or bearer token authentication.
    • #7231 Fixed sharedUserNames display while retrieving CDN locks.
    • #7628 Fixed an issue where certificate chain validation failed based on leading or trailing whitespace.
    • #7688 Fixed ability to view secured parameters when role has correct permissions.
    • #7697 Fixed display of iloPassword and xmppPassword, now based on permissions and instead of priv-level.
Breaking changes:
  • Fixed DS “ACTIVE” flag (Blueprint): Previously setting a Delivery Service (DS) to “Inactive” actually only sets it to “not routed”. There is no way to create a Delivery Service (with assigned servers) that will not be distributed to cache server configuration. This fix changes the Active property of Delivery Services from a boolean to an enumerated string constant that can represent three different “Activity States” for a Delivery Service.
  • Updated LastUpdated field across multiple APIs to use RFC3339 instead of deprecated time.Time.
  • Capabilities are now part of DS structure instead of a separate struct.

Traffic Portal

Delivery Service (DS):

  • Added server capability (removed from DS context menu), lastUpdated fields to the DS forms.
  • Added the ability to tell if a DS has the target of another steering DS.
  • New config options in traffic_portal_properties.json for DS active flag feature.

Certs: Added visuals to DS cert expiration grid rows and the the ability to inspect a user provider cert, or the cert chain on DS SSL keys, and to delete a cert. Also added a revert certificate functionality.

Servers: Improved information about profile priorities with respect to layered profile.

Change Log: Ability to view entire log message by clicking on it.

CDN: Added TTLOverride field to allow a quick turnaround time when performing TR maintenance that involves restarts.

UI Beautification: Added better labels for widgets, simplifying DS button bar by moving DS changes/ DSRs under More menu, obscure sensitive text in raw remap fields, private SSL keys, “Header Rewrite” rules, and ILO interface passwords.

  • Dependent on NodeJS version 16 or later
  • Fixed the following issues/bugs:
    • #7885 Fixed the issue where Compare Profiles page was not being displayed.
    • #7879 Fixed broken capability links for delivery service and added required capability as a column in DS table.
    • #7049, #7052 Fixed server table’s quick search and filter option for multiple profiles.
    • #7080, #6335 Fixed redirect links for server capability.
    • #7414 Fixed DSR difference for DS required capability.
    • #5557 Moved Fair Queueing Pacing Rate Bps DS field to Cache Configuration Settings section.
    • #7216 Fixed sort for Server’s Capabilities Table
    • #7179 Fixed search filter for Delivery Service Table
    • #7174 Fixed topologies sort (table and Delivery Service’s form)
    • #5970 Fixed numeric sort in Delivery Service’s form for DSCP
    • #5971 Fixed Max DNS Tool Top link to open in a new page

Traffic Router

  • Optimized TR’s logic in zone detection and ability to handle DDOS attack by increasing TTL value.
  • Logging improved for a better connection and user experience.
  • Removed dnssec.zone.diffing.enabled and dnssec.rrsig.cache.enabled parameters
  • #7808 Set SOA minimum field to a custom value defined in the tld.soa.minimum param, and remove the previously added dns.negative.caching.ttl property.
  • Fixed the following issues/bugs:
    • #7340 Fixed TR logging for the cqhv field when absent.
    • #7252 Fixed integer overflow for czCount, by resetting the count to max value when it overflows.
    • #7093 Updated Apache Tomcat from 9.0.43 to 9.0.67
    • #3965 TR now always includes a Content-Length header in the response.
    • #6533 TR should not rename/recreate log files on rollover

Traffic Stats

  • Improved logic to handle connection leaks and client requests timeout to Traffic Ops

Traffic Monitor

  • Improved logging with respect to ip availability for both, v4 and v6
  • Fixed the bandwidth doubling issue per cache.

Traffic Control Cache Config (T3C) (formerly ORT)

  • Config Generation: Addition of t3c-apply flag to allow ease of usage locally and a descriptive exit error message on failure.
  • RPM Checks added to keep cache config up to date in case of RPM failures.
  • Added support for anycast
  • Decreased the amount of commits to the repo by removing timestamp from metadata file.
  • #7719 Added automatic self-healing when using slice plugin.
  • Fixed the following:
    • #7817 Fixed issue that would cause null ptr panic on client fallback.
    • #7866 Fixed rpm db check to work with rocky linux 9.
    • #7021 Fixed cache config for Delivery Services with IP Origins.
    • #7043 Fixed cache config missing retry parameters for non-topology MSO Delivery Services going direct from edge to origin.
    • #7163 Fix cache config for multiple profiles
    • #6695 Directory creation was erroneously reporting an error when actually succeeding.
    • #7590 Fixed issue with git detected dubious ownership in repository.
    • #7137 parent.config simulate topology for non topo delivery services.
    • #7153 Adds an extra T3C check for validity of an ssl cert (crash fix).
    • #7182 Sort peers used in strategy.yaml to prevent false positive for reload.
    • #7204 strategies.yaml hash_key only for consistent_hash
    • #7277 remapdotconfig: remove skip check at mids for nocache/live
    • #7346 Fixed issue with stale lock file when using git to track changes.
    • #7352 Fixed issue with application locking which would allow multiple instances of t3c apply to run concurrently.
    • #7411 Fixed issue with wrong parent ordering with MSO non-topology delivery services.
    • #7425 Fixed issue with layered profile iteration being done in the wrong order.
    • #7471 Fixed issue with MSO non topo origins from multiple cache groups.

TC Health Client

Added a peer monitoring flag in strategies.yaml
Added three health mechanisms: L4 health (a TCP syn-ack-rst), L7 health (a successful HTTP response), and a meta-parent poll which polls the parent’s own health client parent health and uses a heuristic of unavailable parents on the parent.
T3C Traffic Control Health Client upgraded to Apache Traffic Server (ATS) 9.2.

Other Components

CDN in a Box, the t3c integration tests, and the tc health client integration tests now use 9.1.
#7896 ATC Build system: Count commits since the last release, not commits.