On Wed, 27 Jan 2016 at 17:23 'Viktor Bachraty' via ganeti-devel <
[email protected]> wrote:

> Mention all more significant changes since 2.16.0~beta1.
>
> Signed-off-by: Viktor Bachraty <[email protected]>
> ---
>  NEWS | 469
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 456 insertions(+), 13 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index a6c9803..0f5e3c5 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -1,11 +1,10 @@
>  News
>  ====
>
> -
>  Version 2.16.0 beta2
>  --------------------
>
> -*(unreleased)*
> +*(Released Tue, 27 Jan 2016)*
>

The 27th is Wed and not Tue :)

Also, I doubt you will make a complete release today, so it is usually
better to set the date to the next day.

Also, I think doclint will yell at the line that you removed above.


>
>  Incompatible/important changes
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> @@ -14,16 +13,6 @@ Incompatible/important changes
>    Instead, the cluster configuration parameter ``modify_ssh_setup`` is
>    used to determine whether or not to manipulate the SSH setup of a new
>    node.
> -
> -
> -Version 2.16.0 beta1
> ---------------------
> -
> -*(Released Tue, 28 Jul 2015)*
> -
> -Incompatible/important changes
> -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> -

 - The IAllocator protocol has been extended by a new ``allocate-secondary``
>    request type. Currently, this new request type is only used when in disk
>    conversion to DRBD no secondary node is specified. As long as this new
> @@ -33,6 +22,10 @@ Incompatible/important changes
>    storage. To obtain the old behavior, add the ``--no-capacity-checks``
> option.
>  - ``hail`` now tries to keep the overall cluster balanced; in particular
> it
>    now prefers more empty groups over groups that are internally more
> balanced.
> +- Timeouts for communication with luxid have been increased. As a
> consequence,
> +  Ganeti tools communicating (directly or indirectly) with luxid also
> time out
> +  later. Please increase all timeouts for higher level tools interacting
> with
> +  Ganeti accordingly.
>
>  New features
>  ~~~~~~~~~~~~
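
Review bot: The new luxid entry in this hunk says the timeouts "have been increased" and asks users to raise the timeouts of higher level tools "accordingly", but it gives neither the old nor the new value, so a reader cannot tell what to raise their own timeouts to. Suggest stating the new timeout (or the factor by which it grew), or pointing to where it is documented.
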
> @@ -50,6 +43,457 @@ New dependencies
>    On Debian-based systems, it is available as a part of the 'libcap2-bin'
>    package.
>
> +Changes since beta1
> +~~~~~~~~~~~~~~~~~~~
> +- Set block buffering for UDSServer
> +- Fix failover in case the source node is offline
> +- Add a parameter to ignore groups in capacity checks
> +- Make hspace correctly handle --independent-groups
> +- Accept BoringSSL as a known good ssl library
> +- Make CommitTemporaryIPs call out to WConfD
> +- Fix requested instance desired location tags in IAllocator
> +- monitor: Use hvinfo in QMP methods
> +- KVM: Work around QEMU commit 48f364dd
> +- KVM: Introduce scsi_controller_type and kvm_pci_reservations hvparams
> +- Improvements in SSH key handling
> +- Do not generate the ganeti_pub_keys file with --no-ssh-init
> +- Support force option for deactivate disks on RAPI
> +- Add a --dry-run option to htools
> +- Extended logging to improve traceability
> +- Many documentation improvements and cleanups
> +- Performance optimizations on larger clusters
> +- Various QA and testing improvements
> +
> +Fixes inherited from 2.15 branch:
> +
> +- Metad: ignore instances that have no communication NIC
> +- For queries, take the correct base address of an IP block
> +- Fix computation in network blocks
> +- Use bulk-adding of keys in renew-crypto
> +- Introduce bulk-adding of SSH keys
> +- Handle SSH key distribution on auto promotion
> +- Do not remove authorized key of node itself
> +- Support force option for deactivate disks on RAPI
> +- renew-crypto: use bulk-removal of SSH keys
> +- Bulk-removal of SSH keys
> +- Catch IOError of SSH files when removing node
> +- Fix renew-crypto on one-node-cluster
> +- Increase timeout of RPC adding/removing keys
> +- After TestNodeModify, fix the pool of master candidates
> +
> +Fixes inherited from 2.14 branch:
> +
> +- bdev: Allow userspace-only disk templates
> +- Export disk's userspace URI to OS scripts
> +- Fix instance failover in case of DTS_EXT_MIRROR
> +- Set node tags in iallocator htools backend
> +- Fix faulty iallocator type check
> +- Allow disk attachment to diskless instances
> +- Allow disk attachment with external storage
> +
> +Fixes inherited from 2.13 branch:
> +
> +- Improve xl socat migrations
> +- Renew-crypto: stop daemons on master node first
> +- Extend timeout for gnt-cluster renew-crypto
> +
> +Fixes inherited from 2.12 branch:
> +
> +- Accept timeout errors when luxi down
> +- Fix disabling of user shutdown reporting
> +- gnt-node add: password auth is only one method
> +- Fix inconsistency in python and haskell objects
> +- Increase default disk size of burnin to 1G
> +- Only search for Python-2 interpreters
> +- Handle Xen 4.3 states better
> +- Return the correct error code in the post-upgrade script
> +- Make openssl refrain from DH altogether
> +- Fix upgrades of instances with missing creation time
> +- Check for healthy majority on master failover with voting
> +- Pass arguments to correct daemons during master-failover
> +
> +Fixes inherited from 2.11 branch:
> +
> +- At IAlloc backend guess state from admin state
> +- Fix default for --default-iallocator-params
> +
> +Fixes inherited from 2.10 branch:
> +
> +- Make htools tolerate missing "dtotal" and "dfree" on luxi
> +- KVM: explicitly configure routed NICs late
> +
> +Fixes inherited from the 2.9 branch:
> +
> +- Security patch for CVE-2015-7944 RAPI Vulnerable to DoS via SSL
> renegotiation
> +- Security patch for CVE-2015-7945 Leak DRBD secret via RAPI
> +- replace-disks: fix --ignore-ipolicy
> +
> +Version 2.16.0 beta1
> +--------------------
> +
> +*(Released Tue, 28 Jul 2015)*
> +
> +This was the first beta release of the 2.16 series. All important changes
> +are listed in the latest 2.16 entry.
> +
> +Version 2.15.2
> +--------------
> +
> +*(Released Wed, 16 Dec 2015)*
> +
> +Important changes and security notes
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +Security release.
> +
> +CVE-2015-7944
> +
> +Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
> +implementation is vulnerable to DoS attacks via client-initiated SSL
> +parameter renegotiation. While the interface is not meant to be exposed
> +publicly, due to the fact that it binds to all interfaces, we believe
> +some users might be exposing it unintentionally and are vulnerable. A
> +DoS attack can consume resources meant for Ganeti daemons and instances
> +running on the master node, making both perform badly.
> +
> +Fixes are not feasible due to the OpenSSL Python library not exposing
> +functionality needed to disable client-side renegotiation. Instead, we
> +offer instructions on how to control RAPI's exposure, along with info
> +on how RAPI can be setup alongside an HTTPS proxy in case users still
> +want or need to expose the RAPI interface. The instructions are
> +outlined in Ganeti's security document: doc/html/security.html
> +
> +CVE-2015-7945
> +
> +Ganeti leaks the DRBD secret through the RAPI interface. Examining job
> +results after an instance information job reveals the secret. With the
> +DRBD secret, access to the local cluster network, and ARP poisoning,
> +an attacker can impersonate a Ganeti node and clone the disks of a
> +DRBD-based instance. While an attacker with access to the cluster
> +network is already capable of accessing any data written as DRBD
> +traffic is unencrypted, having the secret expedites the process and
> +allows access to the entire disk.
> +
> +Fixes contained in this release prevent the secret from being exposed
> +via the RAPI. The DRBD secret can be changed by converting an instance
> +to plain and back to DRBD, generating a new secret, but redundancy will
> +be lost until the process completes.
> +Since attackers with node access are capable of accessing some and
> +potentially all data even without the secret, we do not recommend that
> +the secret be changed for existing instances.
> +
> +Minor changes
> +~~~~~~~~~~~~~
> +
> +- Allow disk aittachment to diskless instances
> +- Reduce memory footprint: Compute lock allocation strictly
> +- Calculate correct affected nodes set in InstanceChangeGroup
> +  (Issue 1144)
> +- Reduce memory footprint: Don't keep input for error messages
> +- Use bulk-adding of keys in renew-crypto
> +- Reduce memory footprint: Send answers strictly
> +- Reduce memory footprint: Store keys as ByteStrings
> +- Reduce memory footprint: Encode UUIDs as ByteStrings
> +- Do not retry all requests after connection timeouts to prevent
> +  repeated job submission
> +- Fix reason trails of expanding opcodes
> +- Make lockConfig call retryable
> +- Extend timeout for gnt-cluster renew-crypto
> +- Return the correct error code in the post-upgrade script
> +- Make OpenSSL refrain from DH altogether
> +- Fix faulty iallocator type check
> +- Improve cfgupgrade output in case of errors
> +- Fix upgrades of instances with missing creation time
> +- Support force option for deactivate disks on RAPI
> +- Make htools tolerate missing "dtotal" and "dfree" on luxi
> +- Fix default for --default-iallocator-params
> +- Renew-crypto: stop daemons on master node first
> +- Don't warn about broken SSH setup of offline nodes (Issue 1131)
> +- Fix computation in network blocks
> +- At IAlloc backend guess state from admin state
> +- Set node tags in iallocator htools backend
> +- Only search for Python-2 interpreters
> +- Handle Xen 4.3 states better
> +- Improve xl socat migrations
> +
> +
> +Version 2.15.1
> +--------------
> +
> +*(Released Mon, 7 Sep 2015)*
> +
> +New features
> +~~~~~~~~~~~~
> +
> +- The ext template now allows userspace-only disks to be used
> +
> +Bugfixes
> +~~~~~~~~
> +
> +- Fixed the silently broken 'gnt-instance replace-disks --ignore-ipolicy'
> +  command.
> +- User shutdown reporting can now be disabled on Xen using the
> +  '--user-shutdown' flag.
> +- Remove falsely reported communication NIC error messages on instance
> start.
> +- Fix 'gnt-node migrate' behavior when no instances are present on a node.
> +- Fix the multi-allocation functionality for non-DRBD instances.
> +
> +
> +Version 2.15.0
> +--------------
> +
> +*(Released Wed, 29 Jul 2015)*
> +
> +Incompatible/important changes
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +- In order to improve allocation efficiency when using DRBD, the cluster
> +  metric now takes the total reserved memory into account. A consequence
> +  of this change is that the best possible cluster metric is no longer 0.
> +  htools(1) interprets minimal cluster scores to be offsets of the
> theoretical
> +  lower bound, so only users interpreting the cluster score directly
> should
> +  be affected.
> +- This release contains a fix for the problem that different encodings in
> +  SSL certificates can break RPC communication (issue 1094). The fix makes
> +  it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates'
> +  after the cluster is fully upgraded to 2.14.1
> +
> +New features
> +~~~~~~~~~~~~
> +
> +- On dedicated clusters, hail will now favour allocations filling up
> +  nodes efficiently over balanced allocations.
> +
> +New dependencies
> +~~~~~~~~~~~~~~~~
> +
> +- The indirect dependency on Haskell package 'case-insensitive' is now
> +  explicit.
> +
> +
> +Version 2.15.0 rc1
> +------------------
> +
> +*(Released Wed, 17 Jun 2015)*
> +
> +This was the first release candidate in the 2.15 series. All important
> +changes are listed in the latest 2.15 entry.
> +
> +Known issues:
> +~~~~~~~~~~~~~
> +
> +- Issue 1094: differences in encodings in SSL certificates due to
> +  different OpenSSL versions can result in rendering a cluster
> +  uncommunicative after a master-failover.
> +
> +
> +Version 2.15.0 beta1
> +--------------------
> +
> +*(Released Thu, 30 Apr 2015)*
> +
> +This was the second beta release in the 2.15 series. All important changes
> +are listed in the latest 2.15 entry.
> +
> +
> +Version 2.14.2
> +--------------
> +
> +*(Released Tue, 15 Dec 2015)*
> +
> +Important changes and security notes
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +Security release.
> +
> +CVE-2015-7944
> +
> +Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
> +implementation is vulnerable to DoS attacks via client-initiated SSL
> +parameter renegotiation. While the interface is not meant to be exposed
> +publicly, due to the fact that it binds to all interfaces, we believe
> +some users might be exposing it unintentionally and are vulnerable. A
> +DoS attack can consume resources meant for Ganeti daemons and instances
> +running on the master node, making both perform badly.
> +
> +Fixes are not feasible due to the OpenSSL Python library not exposing
> +functionality needed to disable client-side renegotiation. Instead, we
> +offer instructions on how to control RAPI's exposure, along with info
> +on how RAPI can be setup alongside an HTTPS proxy in case users still
> +want or need to expose the RAPI interface. The instructions are
> +outlined in Ganeti's security document: doc/html/security.html
> +
> +CVE-2015-7945
> +
> +Ganeti leaks the DRBD secret through the RAPI interface. Examining job
> +results after an instance information job reveals the secret. With the
> +DRBD secret, access to the local cluster network, and ARP poisoning,
> +an attacker can impersonate a Ganeti node and clone the disks of a
> +DRBD-based instance. While an attacker with access to the cluster
> +network is already capable of accessing any data written as DRBD
> +traffic is unencrypted, having the secret expedites the process and
> +allows access to the entire disk.
> +
> +Fixes contained in this release prevent the secret from being exposed
> +via the RAPI. The DRBD secret can be changed by converting an instance
> +to plain and back to DRBD, generating a new secret, but redundancy will
> +be lost until the process completes.
> +Since attackers with node access are capable of accessing some and
> +potentially all data even without the secret, we do not recommend that
> +the secret be changed for existing instances.
> +
> +Minor changes
> +~~~~~~~~~~~~~
> +
> +- Allow disk attachment to diskless instances
> +- Calculate correct affected nodes set in InstanceChangeGroup
> +  (Issue 1144)
> +- Do not retry all requests after connection timeouts to prevent
> +  repeated job submission
> +- Fix reason trails of expanding opcodes
> +- Make lockConfig call retryable
> +- Extend timeout for gnt-cluster renew-crypto
> +- Return the correct error code in the post-upgrade script
> +- Make OpenSSL refrain from DH altogether
> +- Fix faulty iallocator type check
> +- Improve cfgupgrade output in case of errors
> +- Fix upgrades of instances with missing creation time
> +- Make htools tolerate missing "dtotal" and "dfree" on luxi
> +- Fix default for --default-iallocator-params
> +- Renew-crypto: stop daemons on master node first
> +- Don't warn about broken SSH setup of offline nodes (Issue 1131)
> +- At IAlloc backend guess state from admin state
> +- Set node tags in iallocator htools backend
> +- Only search for Python-2 interpreters
> +- Handle Xen 4.3 states better
> +- Improve xl socat migrations
> +- replace-disks: fix --ignore-ipolicy
> +- Fix disabling of user shutdown reporting
> +- Allow userspace-only disk templates
> +- Fix instance failover in case of DTS_EXT_MIRROR
> +- Fix operations on empty nodes by accepting allocation of 0 jobs
> +- Fix instance multi allocation for non-DRBD disks
> +- Redistribute master key on downgrade
> +- Allow more failover options when using the --no-disk-moves flag
> +
> +
> +Version 2.14.1
> +--------------
> +
> +*(Released Fri, 10 Jul 2015)*
> +
> +Incompatible/important changes
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +- The SSH security changes reduced the number of nodes which can SSH into
> +  other nodes. Unfortunately enough, the Ganeti implementation of
> migration
> +  for the xl stack of Xen required SSH to be able to migrate the instance,
> +  leading to a situation where full movement of an instance around the
> cluster
> +  was not possible. This version fixes the issue by using socat to
> transfer
> +  instance data. While socat is less secure than SSH, it is about as
> secure as
> +  xm migrations, and occurs over the secondary network if present. As a
> +  consequence of this change, Xen instance migrations using xl cannot
> occur
> +  between nodes running 2.14.0 and 2.14.1.
> +- This release contains a fix for the problem that different encodings in
> +  SSL certificates can break RPC communication (issue 1094). The fix makes
> +  it necessary to rerun 'gnt-cluster renew-crypto --new-node-certificates'
> +  after the cluster is fully upgraded to 2.14.1
> +
> +Other Changes
> +~~~~~~~~~~~~~
> +
> +- The ``htools`` now properly work also on shared-storage clusters.
> +- Instance moves now work properly also for the plain disk template.
> +- Filter-evaluation for run-time data filter was fixed (issue 1100).
> +- Various improvements to the documentation have been added.
> +
> +
> +Version 2.14.0
> +--------------
> +
> +*(Released Tue, 2 Jun 2015)*
> +
> +New features
> +~~~~~~~~~~~~
> +
> +- The build system now enforces external Haskell dependencies to lie in
> +  a supported range as declared by our new ganeti.cabal file.
> +- Basic support for instance reservations has been added. Instance
> addition
> +  supports a --forthcoming option telling Ganeti to only reserve the
> resources
> +  but not create the actual instance. The instance can later be created
> with
> +  by passing the --commit option to the instance addition command.
> +- Node tags starting with htools:nlocation: now have a special meaning to
> htools(1).
> +  They control between which nodes migration is possible, e.g., during
> hypervisor
> +  upgrades. See hbal(1) for details.
> +- The node-allocation lock as been removed for good, thus speeding up
> parallel
> +  instance allocation and creation.
> +- The external storage interface has been extended by optional ``open``
> +  and ``close`` scripts.
> +
> +New dependencies
> +~~~~~~~~~~~~~~~~
> +
> +- Building the Haskell part of Ganeti now requires Cabal and
> cabal-install.
> +
> +Known issues
> +~~~~~~~~~~~~
> +
> +- Under certain conditions instance doesn't get unpaused after live
> +  migration (issue #1050)
> +
> +Since 2.14.0 rc1
> +~~~~~~~~~~~~~~~~
> +
> +- The call to the IAllocator in 'gnt-node evacuate' has been fixed.
> +- In opportunistic locking, only ask for those node resource locks where
> +  the node lock is held.
> +- Lock requests are repeatable now; this avoids failure of a job in a
> +  race condition with a signal sent to the job.
> +- Various improvements to the QA.
> +
> +
> +Version 2.14.0 rc2
> +------------------
> +
> +*(Released Tue, 19 May 2015)*
> +
> +This was the second release candidate in the 2.14 series. All important
> +changes are listed in the 2.14.0 entry.
> +
> +Since 2.14.0 rc1
> +~~~~~~~~~~~~~~~~
> +
> +- private parameters are now properly exported to instance create scripts
> +- unnecessary config unlocks and upgrades have been removed, improving
> +  performance, in particular of cluster verification
> +- some rarely occuring file-descriptor leaks have been fixed
> +- The checks for orphan and lost volumes have been fixed to also work
> +  correctly when multiple volume groups are used.
> +
> +
> +Version 2.14.0 rc1
> +------------------
> +
> +*(Released Wed, 29 Apr 2015)*
> +
> +This was the first release candidate in the 2.14 series. All important
> +changes are listed in the latest 2.14 entry.
> +
> +Since 2.14.0 beta2
> +~~~~~~~~~~~~~~~~~~
> +
> +The following issue has been fixed:
> +
> +- A race condition where a badly timed kill of WConfD could lead to
> +  an incorrect configuration.
> +
> +Version 2.16.0 beta1
> +--------------------
> +
> +*(Released Tue, 28 Jul 2015)*
> +
> +This was the first beta release of the 2.16 series. All important changes
> +are listed in the latest 2.16 entry.


The order of Version entries here is odd. You have 2.15 stuff below 2.16.0
beta1, but also above? Please check how it should be from the previous commit
and ensure consistency!


>  Version 2.15.2
>  --------------
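
Review bot: The "Version 2.16.0 beta1" stub is added twice in this hunk, once right after the "Fixes inherited from the 2.9 branch" list and again as the last added lines, and the trailing context shows an existing "Version 2.15.2" heading directly after the insertion, so the added 2.15.2 entry duplicates a heading that is already in the file. Suggest keeping one beta1 stub and dropping the added entries that NEWS already has. In the beta2 list, the bullet "Security patch for CVE-2015-7944" reads as a code fix, while the CVE-2015-7944 text added further down says "Fixes are not feasible" and only offers instructions for limiting RAPI exposure; the bullet should say it is a documentation and mitigation change. Smaller points: "aittachment" under the 2.15.2 minor changes, "Support force option for deactivate disks on RAPI" is listed both under "Changes since beta1" and under the 2.15 fixes, the "Known issues:" heading carries a colon unlike the other section headings, and the added version entries are separated by one blank line in some places and two in others.
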
> @@ -439,7 +883,6 @@ Version 2.14.0 beta1
>  This was the first beta release of the 2.14 series. All important changes
>  are listed in the latest 2.14 entry.
>
> -
>

Randomly removed line?


>  Version 2.13.3
>  --------------
>
> --
> 2.7.0.rc3.207.g0ac5344
>
>
Please run doclint on it, the formatting of the NEWS file is checked really
thoroughly there!

Cheers,
Helga
-- 

Helga Velroyen
Software Engineer
[email protected]
