... | ... | @@ -4,31 +4,31 @@ Welcome to Kea 1.9.4, the fifth monthly release of the 1.9 development branch. A |
|
|
|
|
|
This release adds new features, improves existing features, clarifies documentation and fixes a few bugs. The most notable changes introduced in this version are:
|
|
|
|
|
|
**Experiments with TLS support** Kea has never supported TLS, so we have always recommended that more security conscious deployments set up a reverse https proxy to secure access. This is inconvenient and can introduce additional problems. We finally managed to get enough resources (and courage) to tackle the problem of implementing native TLS support in Kea. We did several experiments with Boost.SSL library that provides a nice C++/ASIO abstraction over OpenSSL layer. We now have a working PoC (proof of concept). The code for the PoC is not included in this release as it's not yet production quality, but you can find it in our open Gitlab repo. Adding native TLS support is a fairly big project and will take more than one monthly development cycle to complete. The plan is to turn this PoC into production-quality code in the coming releases. Stay tuned! #1619.
|
|
|
**Experiments with TLS support.** Kea has never supported TLS, so we have always recommended that more security-conscious deployments set up a reverse HTTPS proxy to secure access. This is inconvenient and can introduce additional problems. We finally got the necessary resources (and courage) to tackle the problem of implementing native TLS support in Kea. We did several experiments with the Boost.SSL library, which provides a nice C++/ASIO abstraction over the OpenSSL layer. We now have a working proof of concept (PoC). The code for the PoC is not included in this release as it is not yet production quality, but you can find it in our open GitLab repo. Adding native TLS support is a fairly big project and will take more than one monthly development cycle to complete. The plan is to turn this PoC into production-quality code in the coming releases. Stay tuned! #1619.
|
|
|
|
|
|
**Cache Threshold** The renew-timer governs when the devices are supposed to renew their leases. Clients sometimes renew earlier than specified, whether because they are ignoring the timer, or are otherwise broken. Frequent early renewals put an extra burden on the server, which has to write an updated lease, even though it may have been already renewed seconds ago. The ``cache-threshold`` (expressed as a percentage) and ``cache-max-age`` (expressed in seconds) help reduce that extra burden on Kea. Kea will still respond to the client, but will merely re-send the existing lease lifetime, thus eliminating the need to update the lease database. Cache threshold is a popular feature of ISC DHCP that so far was missing in Kea. This has changed now. The implementation is considered experimental, as we were unable to test it properly by release time. If you're willing to test it, please do report your findings #1418.
|
|
|
**Cache threshold.** The renew-timer governs when the devices are supposed to renew their leases. Clients sometimes renew earlier than specified, either because they are ignoring the timer or because they are broken. Frequent early renewals put an extra burden on the server, which has to write updated leases, even though they may have been already renewed seconds earlier. The ``cache-threshold`` (expressed as a percentage) and ``cache-max-age`` (expressed in seconds) parameters help reduce that extra burden on Kea. Kea still responds to the client but merely resends the existing lease lifetime, thus eliminating the need to update the lease database. Cache threshold is a popular feature of ISC DHCP that so far was missing in Kea. The implementation is considered experimental, as we were unable to test it properly by release time. If you're willing to test it, please do report your findings. #1418
|
|
|
|
|
|
**HA improvement: responsive when recovering from communication failure** The failover procedure in the Kea High Availability library has been improved by introducing a new communication-recovery state. In this state, the load balancing servers remain responsive to DHCP queries when the communication between them is interrupted. The new feature is controlled using the ``delayed-updates-limit`` configuration parameter #1402.
|
|
|
**HA improvement: responsive when recovering from communication failure.** The failover procedure in the Kea High Availability library has been improved by introducing a new communication-recovery state. In this state, the load balancing servers remain responsive to DHCP queries when the communication between them is interrupted. The new feature is controlled using the ``delayed-updates-limit`` configuration parameter. #1402
|
|
|
|
|
|
**HA improvement: dhcp-enable/dhcp-disable improvements** - The DHCP service can be independently enabled or disabled by a user command, by the database connection mechanics, or by the HA library. The DHCP service is disabled when any of those originators disable the service, and it is enabled when all those who previously disabled the service enable it. The 'dhcp-enable' and 'dhcp-disable' commands accept an 'origin' parameter with valid values of 'user' (which is the default), indicating a user generated command and 'ha-partner' which is used internally by the HA library #1601.
|
|
|
**HA improvement: dhcp-enable/dhcp-disable upgrades.** The DHCP service can be independently enabled or disabled by a user command, by the database connection mechanics, or by the HA library. The DHCP service is disabled when any of those originators disable the service, and it is enabled when all those that previously disabled the service enable it. The ``dhcp-enable`` and ``dhcp-disable`` commands accept an "origin" parameter with valid values of "user," which is the default and indicates a user-generated command, and "ha-partner," which is used internally by the HA library. #1601
|
|
|
|
|
|
**Small performance improvement in host backend** The host retrieval algorithm has been optimized slightly when retrieving hosts data from a database. In certain situations, a single query can retrieve retrieve multiple reservations. This should improve performance slightly, especially in cases with shared networks and many reservations #1458.
|
|
|
**Small performance improvement in host backend.** The host retrieval algorithm has been optimized slightly when retrieving host data from a database: in certain situations, a single query can retrieve multiple reservations. This should improve performance a bit, especially in cases with shared networks and many reservations. #1458
|
|
|
|
|
|
**Doc update** - Vendor option examples (options 43 and 125) were added. We also detected several oddities in the option handling, so we plan to add more code fixes and examples in the near future #1546. The ARM has been updated to clarify that the lease sanitizer fixes lease records in memory only. Kea only reads stored lease files when starting #1618. The section about running Kea as a non-root user has been corrected #1629. The example in Section 8.2.12 has been corrected by removing unbalanced parentheses #1589. In some cases, Kea does not adhere to RFC standards. The new section dedicated to RFC conformance exceptions mentions two such cases and explains why they're there. Usually, the practical aspects of supporting real-life non-conformant devices outweigh the compliance benefits. The two documented exceptions are 1. DECLINE packet with missing mandatory 'server id' option is handled #1615 and 2. on REQUEST packet with no `requested IP address` Kea should respond with NAK #1608.
|
|
|
**Documentation updates.** Vendor option examples (options 43 and 125) were added. We also detected several oddities in the option handling, so we plan to add more code fixes and examples in the near future. #1546 The Administrator Reference Manual (ARM) has been updated to clarify that the lease sanitizer fixes lease records in memory only. Kea only reads stored lease files when starting. #1618 The section about running Kea as a non-root user has been corrected. #1629 The example in Section 8.2.12 has been corrected by removing unbalanced parentheses. #1589 In some cases, Kea does not adhere to RFC standards. The new ARM section dedicated to RFC conformance exceptions mentions two such cases and explains why they exist. Usually, the practical aspects of supporting real-life non-conformant devices outweigh the compliance benefits. The two documented exceptions are: 1) a DECLINE packet with a missing mandatory "server id" option is handled #1615, and 2) on REQUEST, for a packet with no ``requested IP address`` Kea should respond with NAK. #1608
|
|
|
|
|
|
**Build improvements** Hammer, our build automation tool, has been extended with support for recently released Fedora 33 and Ubuntu 20.10 systems. This is the first step towards building packages #1527, #1528. The Perfdhcp build system was overly strict #1637. Hammer exception handling was improved. It now handles the scenario in which required tools are missing in a gentler way #1512.
|
|
|
**Build improvements.** Hammer, our build automation tool, has been extended with support for recently released Fedora 33 and Ubuntu 20.10 systems. This is the first step towards building packages. #1527, #1528 The Perfdhcp build system was overly strict. #1637 Hammer exception handling was improved. It now handles the scenario in which required tools are missing in a gentler way. #1512
|
|
|
|
|
|
**Bug fixes** A handful of bugs were fixed in this release. When using the config backend, the server converts the old 'reservation-mode' global parameter internally to new reservation flags. The new flags are listed when issuing the config-get command #1598. Kea was not handling sub-options with option code 125 well, incorrectly assuming that 125 is always a vendor option. That is now fixed. If you previously experienced problems with Kea misinterpreting sub-options, your problem may have been fixed as well #1585. The Kea-LFC (lease file cleanup tool) now processes all lines, even if the last line misses a trailing blank line #1603.
|
|
|
**Bug fixes.** A handful of bugs were fixed in this release. When using the configuration backend, the server converts the old ``reservation-mode`` global parameter internally to new reservation flags. The new flags are listed when issuing the ``config-get`` command. #1598 Kea previously did not handle sub-options with option code 125 well, incorrectly assuming that 125 was always a vendor option. That is now fixed. If you previously experienced problems with Kea misinterpreting sub-options, your problem may have been fixed as well. #1585 The Kea-LFC (lease file cleanup) tool now processes all lines, even if the last trailing blank line is missing. #1603
|
|
|
|
|
|
**Test improvements** We continue our efforts to improve testing capabilities. Investments in testing infrastructure make the code more stable and more maintainable in the long term. Unit tests for HA running with thread sanitizer (#1627), lfc timer, and shell tests were improved #1630. A tricky off-by-one error was fixed in HA failover tests #1578. The shell tests now report their results in an XML file, similar to the way Google tests do #437. A unit test failure on FreeBSD 12.0 is now fixed #673. One Cassandra test (cql_update_hosts) has been fixed #1616. Jenkins, our testing and build farm, did not report crashes under some circumstances. This is now fixed #1519.
|
|
|
**Test improvements.** We continue our efforts to improve testing capabilities. Investments in testing infrastructure make the code more stable and more maintainable in the long term. Unit tests for HA running with thread sanitizer (#1627), lfc timer, and shell tests were improved. #1630 A tricky off-by-one error was fixed in HA failover tests. #1578 The shell tests now report their results in an XML file, similar to Google tests. #437 A unit test failure on FreeBSD 12.0 is now fixed. #673 One Cassandra test (cql_update_hosts) has been fixed. #1616 Jenkins, our testing and build farm, did not report crashes under some circumstances. This is now fixed. #1519
|
|
|
|
|
|
**Dev tools** Our team also spent some time improving our processes. Code formatting is now automated using ``uncrustify`` and ``clang-format`` #1455. The kea-msg-compiler tool no longer adds dates to generated files. This will reduce commits in Kea's git history #1511. We added a script to check for duplicate includes. These are mostly harmless, but slow down the compilation a bit #1602. A new section about best practices for maintaining and developing shell scripts was added to the Developer's guide #1610.
|
|
|
**Developer tools.** Our team also spent some time improving our processes. Code formatting is now automated using ``uncrustify`` and ``clang-format``. #1455 The kea-msg-compiler tool no longer adds dates to generated files, which will reduce commits in Kea's git history. #1511 We added a script to check for duplicate includes, which are mostly harmless but which slow down the compilation a bit. #1602 A new section about best practices for maintaining and developing shell scripts was added to the Developer's Guide. #1610
|
|
|
|
|
|
## Incompatible changes
|
|
|
## Incompatible Changes
|
|
|
|
|
|
This release introduces one incompatible change:
|
|
|
|
|
|
1. The ``config-get`` command now returns the reservation mode using the new syntax. This affects only people who implemented specific code that relies on the now obsolete `reservation-mode` as returned by Kea. The parameter is deprecated, but still supported when setting the config or reading the configuration from a file.
|
|
|
1. The ``config-get`` command now returns the reservation mode using the new syntax. This affects only people who implemented specific code that relies on the now obsolete ``reservation-mode`` as returned by Kea. The parameter is deprecated, but is still supported when setting the config or reading the configuration from a file.
|
|
|
|
|
|
## Known Issues
|
|
|
|
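Review bot: in the documentation-updates paragraph of the new text ("The two documented exceptions are: 1) a DECLINE packet with a missing mandatory "server id" option is handled #1615, and 2) on REQUEST, for a packet with no ``requested IP address`` Kea should respond with NAK. #1608"), exception 2 states only what the RFC expects and never says what Kea actually does, so a reader cannot tell in which direction Kea deviates; the sentence should name Kea's actual behaviour in that case, the way exception 1 does with "is handled". Two smaller points in the same hunk: the new heading "HA improvement: dhcp-enable/dhcp-disable upgrades" reads oddly beside the other "HA improvement" headings, and "improvements" from the old line is the better word; and the incompatible-changes item would help anyone scripting against ``config-get`` if it said plainly that the command now returns the new reservation flags in place of ``reservation-mode``, since that is the key such scripts will have to stop looking for.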
... | ... | @@ -56,7 +56,7 @@ For more details on the plan, see ISC's Software Support Policy at: |
|
|
|
|
|
https://kb.isc.org/docs/aa-00896
|
|
|
|
|
|
## Kea overview
|
|
|
## Kea Overview
|
|
|
|
|
|
Kea is a DHCP implementation developed by Internet Systems Consortium, Inc. that features fully functional DHCPv4 and DHCPv6 servers, a dynamic DNS update daemon, a Control Agent (CA) that provides a REST API to control the DHCP and DNS update servers, an example shell client to connect to the CA, a daemon that is able to retrieve YANG configuration and updates from Sysrepo, and a DHCP performance-measurement tool. Both DHCP servers support server discovery, address assignment, renewal, rebinding, release, decline, information request, DNS updates, client classification, and host reservations. The DHCPv6 server also supports prefix delegation. Lease information is stored in a CSV file by default; it can optionally be stored in a MySQL, PostgreSQL, or Cassandra database instead. Host reservations can be stored in a configuration file, or in a MySQL, PostgreSQL, or Cassandra database. They can also be retrieved from a RADIUS server, although this functionality is somewhat limited. Kea DHCPv4 and DHCPv6 daemons provide support for YANG models, which are stored in a Sysrepo datastore and can be configured via the NETCONF protocol.
|
|
|
|
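Review bot: the overview describes the Control Agent's REST API and the example shell client but says nothing about how that channel is secured; since the release notes above state that Kea has never supported TLS and recommend a reverse HTTPS proxy for security-conscious deployments, this paragraph (or the ARM section it points to) should say that the REST API is served without TLS in this release and that the proxy recommendation applies, so that operators do not expose the API on the assumption that it is encrypted.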
... | ... | @@ -82,7 +82,7 @@ The Kea source and PGP signature for this release may be downloaded from: |
|
|
|
|
|
https://www.isc.org/download
|
|
|
|
|
|
The signature was generated with the ISC code signing key which is available at:
|
|
|
The signature was generated with the ISC code-signing key which is available at:
|
|
|
|
|
|
https://www.isc.org/pgpkey
|
|
|
|
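Review bot: the download paragraph gives the signature and the key URL but no verification step; beyond the "code signing" to "code-signing" hyphenation, consider adding the command used to check the tarball against the signature (for example `gpg --verify` with the signature file and the downloaded key) and the fingerprint of the current code-signing key, so that a reader who fetches https://www.isc.org/pgpkey over the web has something out-of-band to compare it with.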