... | @@ -4,7 +4,7 @@ Welcome to Kea 1.9.6, the seventh monthly release of the 1.9 development branch. |
... | @@ -4,7 +4,7 @@ Welcome to Kea 1.9.6, the seventh monthly release of the 1.9 development branch. |
|
|
|
|
|
This release adds new features, improves existing features, clarifies documentation, and fixes a few bugs. The most notable changes introduced in this version are:
|
|
This release adds new features, improves existing features, clarifies documentation, and fixes a few bugs. The most notable changes introduced in this version are:
|
|
|
|
|
|
**Experimental TLS support**. This release introduces support for TLS in CA (Control Agent). The CA can now be configured to accept incoming https connections. Right now three modes of operation. First is a plain HTTP with TLS completely disabled. This mode what the only mode available. The second mode is encryption, where the CA accepts TLS connections. You need to provide CA (Certificate Authority) and server public certificate and private key. This is the typical mode when securing a website, where clients and servers are not under the control of the same organization. The third mode is mutual authentication between connecting clients and the CA server. In this mode, clients are required to identify themselves using TLS certificates.
|
|
**Experimental TLS support**. This release introduces support for TLS in CA (Control Agent). The CA can now be configured to accept incoming https connections. Right now three modes of operation. First is a plain HTTP with TLS completely disabled. This mode what the only mode available. The second mode is encryption, where the CA accepts TLS connections. You need to provide CA (Certificate Authority) and server public certificate and private key. This is the typical mode when securing a website, where clients and servers are not under the control of the same organization. The third mode is mutual authentication between connecting clients and the CA server. In this mode, clients are required to identify themselves using TLS certificates. #1726, #1661, #1662, #1663, #1664, #1748, #1758
|
|
|
|
|
|
The TLS support is considered experimental and currently has a number of limitations:
|
|
The TLS support is considered experimental and currently has a number of limitations:
|
|
|
|
|
... | @@ -16,36 +16,31 @@ The TLS support is considered experimental and currently has a number of limitat |
... | @@ -16,36 +16,31 @@ The TLS support is considered experimental and currently has a number of limitat |
|
|
|
|
|
- The TLS is not yet tested for HA and is likely broken.
|
|
- The TLS is not yet tested for HA and is likely broken.
|
|
|
|
|
|
The work on TLS will continue in the upcoming releases.
|
|
- The documentation is somewhat lacking, especially in the new Kea ARM section about security. There's a good tutorial available [in the src/lib/asiolink/testutils/ca](https://gitlab.isc.org/isc-projects/kea/-/blob/master/src/lib/asiolink/testutils/ca/doc.txt).
|
|
|
|
|
|
We do encourage people to test this and report your experience. We're particularly interested in which OS was used, which OpenSSL and boost versions are present in your system.
|
|
The TLS work will continue in the upcoming releases.
|
|
|
|
|
|
|
|
We do encourage people to test this and report their experience. We're particularly interested in which OS, OpenSSL or Botan, and Boost versions were used.
|
|
|
|
|
|
**Database connection recovery rework** A new parameter "on-fail" now dictates what to do on
|
|
**Database connection recovery rework**. A new parameter "on-fail" now controls what to do on
|
|
database connection loss. It has three possible values: "stop-retry-exit", "serve-retry-exit",
|
|
database connection loss. It has three possible values: "stop-retry-exit" (stop DHCP service, attempt to reconnect and terminate if unable to reconnect), "serve-retry-exit" (continue serving DHCP traffic, attempt to reconnect and terminate if unable to reconnect), and "serve-retry-continue" (continue serving DHCP traffic, try to reconnect, and continue serving even if reconnection fails) which govern if the DHCP service should be disabled and if Kea should shut
|
|
"serve-retry-continue" which govern if the DHCP service should be disabled and if Kea should shut
|
|
down or continue retrying after all the configured tries. This is particularly useful for forensic logging and config backend services. Depending on your specific deployment, you may prefer one strategy or another #1621.
|
|
down or continue retrying after all the configured tries. #1621
|
|
|
|
|
|
|
|
**Database connection recovery support in forensic logging** Forensic logging now is able to
|
|
**Multi-threaded HA work**. Kea 1.8 introduced multi-threaded support for DHCP packet processing, which offers substantial performance gains. Unfortunately, if used with HA, the current implementation makes the lease updates sequential, effectively eliminating the benefits of multi-threading. This limitation requires substantial rework of how HA connections are established. In this milestone we made substantial progress towards solving this bottleneck. The MT-HA design has been proposed and reviewed #1315. Also, the first major element of the solution (a multi-threaded HTTP listener) has been reviewed and merged #1748. The HA-MT solution is not functional yet, but definitely completed the experiments and planning phase and moved onto the implementation phase. This work will continue in the next releases.
|
|
reconnect to the database after a connection failure. #1621
|
|
|
|
|
|
|
|
**Bug fix in database connection recovery** Fixed a bug where the database connection would not be
|
|
**Test farm migration**. While this is not something users are normally concerned with, it's an aspect that took a substantial amount of our team's time. Our Jenkins test farm was running on ISC hosted hardware that was aging and was not very powerful. We often struggled with test execution times and were limited in the number of systems we could test on. Our QA team set up a new Jenkins instance using AWS (Amazon Web Services). Kea test environment is exceedingly complicated (with MySQL, PostgreSQL, Cassandra backends, Radius, NETCONF, DNS servers, multiple Kea instances running in a variety of stand-alone, HA, load-balancing modes, and various API and traffic generators). We managed to migrate the great majority of our environment. While the bulk of the migration is done, not everything is running smoothly on the new platform yet. As such, our testing of this release is more lightweight than usual. It doesn't mean the release is broken or has lower quality than usual. It simply means that we were not able to confirm its stability. Use with caution! #1774, #1761, #1773, #1770, #1751, #1757, #1752
|
|
recovered if more than one cycle of "reconnect-wait-time" worth of time was waited. #1621
|
|
|
|
|
|
|
|
**TLS capabilities in internal libraries** asiolink and http libraries have gained TLS capabilities. #1726, #1664
|
|
**Design for incremental lease updates**. The Stork project would like to be able to provide more insight into leases being assigned. However, the current API is not well prepared for it. It can enumerate all leases, but using existing calls periodically would incur a substantial burden on a Kea server. As such, a design for cached mode and incremental lease updates has been written. #1230
|
|
|
|
|
|
**TLS support in kea-shell** If run with python3, kea-shell can now connect to an HTTPS endpoint. #1663
|
|
**kea-admin can now use non-standard port** You may now run kea-admin commands on databases exposed through custom ports using `-P` or `--port`. #1674
|
|
|
|
|
|
**TLS support in kea-ctrl-agent** kea-ctrl-agent can now connect to an HTTPS endpoint. #1662
|
|
**Bug fixes**. Fixed a problem where DHCP service would remain disabled after the HA hook was unloaded #1697. Distcheck was failing due to missing kea_conn python module #1775. There was a faulty locking system in DB_LOG logger, used in forensic logging #1719.
|
|
|
|
|
|
**Bug fix in HA hook unloading** Fix DHCP service from remaining disabled after the HA hook was
|
|
**Documentation updates**. A variety of doc updates has been completed #1717, #1726, #1696.
|
|
unloaded. #1697
|
|
|
|
|
|
|
|
**kea-admin -P|--port** You may now run kea-admin commands on databases exposed through custom ports. #1674
|
|
|
|
|
|
|
|
## Incompatible Changes
|
|
## Incompatible Changes
|
|
|
|
|
|
There are no backward-incompatible changes in this release.
|
|
1. The default behavior when forensic logging and config backend loses DB connection has changed. Earlier Kea versions stopped serving DHCP traffic immediately. By default, the current Kea version will continue serving DHCP traffic. To alter this behavior, see the new `on-fail` parameter (discussed above).
|
|
|
|
|
|
## Known Issues
|
|
## Known Issues
|
|
|
|
|
... | | ... | |