Skip to content

Latest commit

 

History

History
227 lines (196 loc) · 26.7 KB

CHANGELOG-3.4.md

File metadata and controls

227 lines (196 loc) · 26.7 KB

v3.4.0 (TBD 2018-06-01)

See code changes and v3.4 upgrade guide for any breaking changes.

Improved

Breaking Changes

Dependency

Metrics, Monitoring

Security, Authentication

See security doc for more details.

  • Add etcd --host-whitelist flag, etcdserver.Config.HostWhitelist, and embed.Config.HostWhitelist, to prevent "DNS Rebinding" attack.
    • Any website can simply create an authorized DNS name, and direct DNS to "localhost" (or any other address). Then, all HTTP endpoints of etcd server listening on "localhost" becomes accessible, thus vulnerable to DNS rebinding attacks (CVE-2018-5702).
    • Client origin enforce policy works as follow:
      • If client connection is secure via HTTPS, allow any hostnames..
      • If client connection is not secure and "HostWhitelist" is not empty, only allow HTTP requests whose Host field is listed in whitelist.
    • By default, "HostWhitelist" is "*", which means insecure server allows all client HTTP requests.
    • Note that the client origin policy is enforced whether authentication is enabled or not, for tighter controls.
    • When specifying hostnames, loopback addresses are not added automatically. To allow loopback interfaces, add them to whitelist manually (e.g. "localhost", "127.0.0.1", etc.).
    • e.g. etcd --host-whitelist example.com, then the server will reject all HTTP requests whose Host field is not example.com (also rejects requests to "localhost").
  • Support etcd --cors in v3 HTTP requests (gRPC gateway).
  • Support TLS cipher suite lists.
  • Support ttl field for etcd Authentication JWT token.
    • e.g. etcd --auth-token jwt,pub-key=<pub key path>,priv-key=<priv key path>,sign-method=<sign method>,ttl=5m.
  • Allow empty token provider in etcdserver.ServerConfig.AuthToken.
  • Fix TLS reload when certificate SAN field only includes IP addresses but no domain names.
    • In Go, server calls (*tls.Config).GetCertificate for TLS reload if and only if server's (*tls.Config).Certificates field is not empty, or (*tls.ClientHelloInfo).ServerName is not empty with a valid SNI from the client. Previously, etcd always populates (*tls.Config).Certificates on the initial client TLS handshake, as non-empty. Thus, client was always expected to supply a matching SNI in order to pass the TLS verification and to trigger (*tls.Config).GetCertificate to reload TLS assets.
    • However, a certificate whose SAN field does not include any domain names but only IP addresses would request *tls.ClientHelloInfo with an empty ServerName field, thus failing to trigger the TLS reload on initial TLS handshake; this becomes a problem when expired certificates need to be replaced online.
    • Now, (*tls.Config).Certificates is created empty on initial TLS client handshake, first to trigger (*tls.Config).GetCertificate, and then to populate rest of the certificates on every new TLS connection, even when client SNI is empty (e.g. cert only includes IPs).

Added: etcd

  • Add --pre-vote flag to enable to run an additional Raft election phase.
    • For instance, a flaky(or rejoining) member may drop in and out, and start campaign. This member will end up with a higher term, and ignore all incoming messages with lower term. In this case, a new leader eventually need to get elected, thus disruptive to cluster availability. Raft implements Pre-Vote phase to prevent this kind of disruptions. If enabled, Raft runs an additional phase of election to check if pre-candidate can get enough votes to win an election.
    • --pre-vote=false by default.
    • v3.5 will enable --pre-vote=true by default.
  • --initial-corrupt-check flag is now stable (--experimental-initial-corrupt-check is deprecated).
    • --initial-corrupt-check=true by default, to check cluster database hashes before serving client/peer traffic.
  • --corrupt-check-time flag is now stable (--experimental-corrupt-check-time is deprecated).
    • --corrupt-check-time=12h by default, to check cluster database hashes for every 12-hour.
  • --enable-v2v3 flag is now stable (--experimental-enable-v2v3 is deprecated).
    • --enable-v2=true --enable-v2v3='' by default, to enable v2 API server that is backed by v2 store.
    • --enable-v2=true --enable-v2v3=/aaa to enable v2 API server that is backed by v3 storage.
    • --enable-v2=false --enable-v2v3='' to disable v2 API server.
    • --enable-v2=false --enable-v2v3=/aaa to disable v2 API server. TODO: error?
    • v4.0 will configure --enable-v2=true --enable-v2v3=/aaa to enable v2 API server that is backed by v3 storage.
  • Add --discovery-srv-name flag to support custom DNS SRV name with discovery.
    • If not given, etcd queries _etcd-server-ssl._tcp.[YOUR_HOST] and _etcd-server._tcp.[YOUR_HOST].
    • If --discovery-srv-name="foo", then query _etcd-server-ssl-foo._tcp.[YOUR_HOST] and _etcd-server-foo._tcp.[YOUR_HOST].
    • Useful for operating multiple etcd clusters under the same domain.
  • Support etcd --cors in v3 HTTP requests (gRPC gateway).
  • Add --logger flag to support structured logger and logging to file in server-side.
    • e.g. --logger=capnslog --log-output=default is the default setting and same as previous etcd server logging format.
    • TODO: --logger=zap is experimental, and journald logging may not work when etcd runs as PID 1.
    • e.g. --logger=zap --log-output=/tmp/test.log will log server operations in JSON-encoded format and writes logs to the specified file /tmp/test.log.
    • e.g. --logger=zap --log-output=default will log server operations in JSON-encoded format and writes logs to os.Stderr (detect systemd journald TODO).
    • e.g. --logger=zap --log-output=stderr will log server operations in JSON-encoded format and writes logs to os.Stderr (bypass journald TODO).
    • e.g. --logger=zap --log-output=stdout will log server operations in JSON-encoded format and writes logs to os.Stdout (bypass journald TODO).
    • e.g. --logger=zap --log-output=a.log,b.log,c.log,stdout writes server logs to multiple files a.log, b.log and c.log at the same time and outputs to stdout, in JSON-encoded format.
    • e.g. --logger=zap --log-output=/dev/null will discard all server logs.

Added: embed

Added: API

Added: v3 etcdctl

Added: gRPC gateway

Package raft

Fixed: v3

Go

  • Require Go 1.10+.
  • Compile with Go 1.10.