v1.0.0

Release 1.0.0

About 1.0

What does marking OpenZiti as 1.0 mean?

Backwards Compatibility

We've guaranteed API stability for SDK clients for years and worked hard to ensure that routers
and controllers would be backwards and forward compatible. However, we have had a variety of
management API changes and CLI changes. For post 1.0 releases we expect to make additions to the
APIs and CLI, but won't remove anything until it's been first marked as deprecated and then only
with a major version bump.

Stability and Scale

Recent releases have seen additional testing using chaos testing techniques. These tests involve
setting up relatively large scale environments, knocking out various components and then verifying
that the network is able to return to a stable state. These test are run for hours to try and
eliminate race conditions and distributed state machine problems.

OpenZiti is also being used as underlying infrastrcture for the zrok public service. Use of this
network has grown quickly and proven that it's possible to build ziti native apps that can scale
up.

Backward Incompatible Changes to pre-1.0 releases

Administrators no longer have access to dial/bind all services by default. See below for details.

What's New

• Administrators no longer have access to dial/bind all services by default.
• TLS Handshakes can now be rate limited in the controller
• TLS Handshake timeouts can now be set on the controller when using ALPN
• Bugfixes

DEFAULT Bind/Dial SERVICE PERMISSIONS FOR Admin IDENTITIES HAVE CHANGED

Admin identities were able to Dial and Bind all services regardless of the effective service policies
prior to this release. This could lead to a confusing situation where a tunneler that was assuming an Admin
identity would put itself into an infinite connect-loop when a service's host.v1 address overlapped with
any addresses in its intercept configuration.

Please create service policies to grant Bind or Dial permissions to Admin identities as needed.

TLS Handshake

A TLS handhshake rate limiter can be enabled. This is useful in cases where there's a flood of TLS requests and the
controller can't handle them all. It can get into a state where it can't respond to TLS handshakes quickly enough,
so the clients time out. They then retry, adding to the the load. The controller ends up wasting time doing work
that isn't use.

This uses the same rate limiting as the auth rate limiter.

Additionally the server side handshake timeout can now be configured.

Configuration:

tls: 
  handshakeTimeout: 15s

  rateLimiter:
    # if disabled, no tls handshake rate limiting with be enforced
    enabled: true
    # the smallest window size for tls handshakes
    minSize: 5
    # the largest allowed window size for tls handshakes
    maxSize: 5000
    # after how long to consider a handshake abandoned if neither success nor failure was reported
    timeout: 30s

New metrics:

• tls_handshake_limiter.in_process - number of TLS handshakes in progress
• tls_handshake_limiter.window_size - number of TLS handhshakes allowed concurrently
• tls_handshake_limiter.work_timer - timer tracking how long TLS handshakes are taking

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.122 -> v2.0.128

• github.com/openziti/edge-api: v0.26.14 -> v0.26.16

• github.com/openziti/foundation/v2: v2.0.40 -> v2.0.42

• github.com/openziti/identity: v1.0.73 -> v1.0.75

• github.com/openziti/metrics: v1.2.48 -> v1.2.51

• github.com/openziti/runzmd: v1.0.41 -> v1.0.43

• github.com/openziti/sdk-golang: v0.23.15 -> v0.23.19

• github.com/openziti/secretstream: v0.1.18 -> v0.1.19

• github.com/openziti/storage: v0.2.33 -> v0.2.36

• github.com/openziti/transport/v2: v2.0.125 -> v2.0.131

  • Issue #79 - Add adaptive rate limiting to shared tls listener

• github.com/openziti/ziti: v0.34.2 -> v1.0.0

  • Issue #1923 - Add release validation test suite
  • Issue #1904 - Add TLS handshake rate limiter
  • Issue #1921 - Tidy CLI
  • Issue #1916 - SDK dials fails with 'token is malformed' error
  • Issue #1911 - Fix panic on first HA controller startup
  • Issue #1914 - Fix panic in PeerConnected
  • Issue #1781 - Admin identities have bind and dial permissions to services

v0.34.2

Release 0.34.2

What's New

• The circuit id is now available in the SDK on the client and hosting side
  • Requires 0.34.2+ routers
  • Requests SDK support. Currently supported in the Go SDK 0.23.11+
• Bug fixes

Component Updates and Bug Fixes

• github.com/openziti/edge-api: v0.26.13 -> v0.26.14

• github.com/openziti/sdk-golang: v0.23.14 -> v0.23.15

• github.com/openziti/secretstream: v0.1.17 -> v0.1.18

  • Issue #24 - Potential side channel issue
  • Issue #25 - Reads from crypto/rand not checked for errors

• github.com/openziti/ziti: v0.34.1 -> v0.34.2

  • Issue #1831 - Circuit ID should be returned in the response to a Dial request
  • Issue #1873 - host.v1 health check time.Duration unconvertible

v0.34.1

Release 0.34.1

What's New

• Updates version of go to 1.22.x
  • As usual when updating the go version, this is the only change in this release

v0.34.0

Release 0.34.0

What's New

• Bug fixes and performance enhancements
• Version number is bumped as a large chunk of HA was merged up. The next version bump is likely to bring HA to alpha status.

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.119 -> v2.0.122

• github.com/openziti/edge-api: v0.26.12 -> v0.26.14

• github.com/openziti/foundation/v2: v2.0.37 -> v2.0.40

• github.com/openziti/identity: v1.0.70 -> v1.0.73

• github.com/openziti/metrics: v1.2.45 -> v1.2.48

• github.com/openziti/runzmd: v1.0.38 -> v1.0.41

• github.com/openziti/sdk-golang: v0.22.28 -> v0.23.14

  • Issue #524 - Add circuit id to edge.Conn, so sdk connections can be correlated with network traffic
  • Issue #515 - Service hosting improvements
  • Issue #501 - Improve hosting session management

• github.com/openziti/secretstream: v0.1.16 -> v0.1.17

• github.com/openziti/storage: v0.2.30 -> v0.2.33

• github.com/openziti/transport/v2: v2.0.122 -> v2.0.125

• github.com/openziti/ziti: v0.33.1 -> v0.34.0

  • Issue #1858 - add option to create a generic env file instead of a BASH script
  • Issue #1428 - Investigate policy integrity performance
  • Issue #1854 - Controller can try to send unroute to router which has since disconnected, causing panic
  • Issue #1576 - Don't scan for posture checks if there are no posture checks
  • Issue #1849 - Session Sync shouldn't be able to block the control channel
  • Issue #1846 - Looking up api session certs for api sessions is inefficient

v0.33.1

Release 0.33.1

What's New

• Backward compatibility router <-> controller fix to address metrics parsing panic

Component Updates and Bug Fixes

• github.com/openziti/ziti: v0.33.0 -> v0.33.1
  • Issue #1826 - 0.33.+ routers can cause panic in pre-0.33 controller with new metric

v0.33.0

Release 0.33.0

What's New

• SDK Terminator stability improvements
• Minor feature updates and bug fixes

SDK Terminator stability improvements

This release was focused on creating a chaos test for SDK terminators, running it and fixing any issues found.
The test repeatedly and randomly restarts the controller, routers and tunnelers then verifies that terminators
end up in the correct state.

The following tools were also used/added to aid in diagnosing and fixing issues:

• ziti fabric validate router-sdk-terminators
  • Compares the controller state with the router state
• ziti fabric validate terminators
  • Checks each selected terminator to ensure it's still valid on the router and/or sdk
• ziti fabric inspect sdk-terminators
  • Allows inspecting each routers terminator state
• ziti fabric inspect router-messaging
  • Allows inspecting what the controller has queued for router state sync and terminator validations
• ziti edge validate service-hosting
  • Shows how many terminators each identity which can host a service has

Several changes were made to the terminator code to ensure that terminators are properly created and cleaned up.
The routers now use an adaptive rate limiter to control how fast they send terminator related requests to the
controller. For this to work properly, the rate limiting on the controller must be enabled, so it can report
back to the routers when it's got too much work.

Component Updates and Bug Fixes

• github.com/openziti/edge-api: v0.26.10 -> v0.26.12
• github.com/openziti/ziti: v0.32.2 -> v0.33.0
  • Issue #1815 - Panic if api session sync failed handler is called twice in the router
  • Issue #1794 - Add SDK terminator chaos test and fix any bugs found as part of chaos testing
  • Issue #1781 - Improve performance when adding intercepted services
  • Issue #1369 - Allow filtering by policy type when listing identities for service or services for identity
  • Issue #1791 - route dial isn't checking for network timeouts correctly
  • Issue #1204 - ziti cli identity tags related flags misbehaving
  • Issue #987 - "ziti create config router edge" doesn't know about --tunnelerMode proxy
  • Issue #652 - Update CLI script M1 Support when github actions allows

v0.32.2

NOTE: This release has an incompatibility with the latest c-based tunnelers, which will cause hosting services to fail.

Release 0.32.2

What's New

• Terminator performance improvements
• API Rate Limiter enabled by default

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.117 -> v2.0.119

  • Issue #127 - Support some additional types in message headers

• github.com/openziti/foundation/v2: v2.0.36 -> v2.0.37

• github.com/openziti/identity: v1.0.69 -> v1.0.70

• github.com/openziti/metrics: v1.2.43 -> v1.2.45

• github.com/openziti/runzmd: v1.0.37 -> v1.0.38

• github.com/openziti/sdk-golang: v0.22.21 -> v0.22.28

  • Issue #495 - Refresh edge session if listen attempt fails, to ensure that session is still valid

• github.com/openziti/storage: v0.2.28 -> v0.2.30

• github.com/openziti/transport/v2: v2.0.121 -> v2.0.122

• github.com/openziti/ziti: v0.32.1 -> v0.32.2

  • Issue #1741 - Prevent stuck links
  • Issue #1736 - controller crashes generating create circuit responses
  • Issue #1733 - Improve terminator creation performance
  • Issue #1734 - Make API rate limiter enabled by default
  • Issue #1726 - Fix some sdk hosting logging
  • Issue #1725 - Fix panic in entity event processing

v0.32.1

Do not use, the release contains a deadlock which can be triggered if many SDK terminators are being created at a time.

Release 0.32.1

What's New

• Bugfixes
• New router setting to control startup timeout

Router startup timeout

The router now has a configuration setting to control how long it wait on startup to be able to
connect to a controller, before it gives up and exits.

ctrl:
  endpoints: 
    - tls:localhost:1280
  startupTimeout: 5m 

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.116 -> v2.0.117

  • Issue #125 - Ensure reconnecting channel is marked as connected before calling reconnect callback

• github.com/openziti/edge-api: v0.26.8 -> v0.26.10

• github.com/openziti/sdk-golang: v0.22.17 -> v0.22.21

• github.com/openziti/ziti: v0.32.0 -> v0.32.1

  • Issue #1709 - Fix link management race conditions found by chaos testing
  • Issue #1715 - Ensure controller raft peers don't end up with duplicate connections
  • Issue #1702 - Add link management chaos test
  • Issue #1691 multiple er re-enrolls creates multiple enrollments

v0.32.0

NOTE: This release has bugs related to link management and is not recommended for production use!

Release 0.32.0

What's New

• Auth Rate Limiter
• Link Management Fixes
• ziti edge quickstart command deprecates redundant --already-initialized flag. The identical behavior is implied by --home.

Backwards compatibility

This release includes new response types from the REST authentication APIS. They are now able to return
429 (server too busy) responses to auth requests. As this is an API change, the version number is
being bumped to 0.32.

If controller and router are both v0.32 or later, only the router which dialed a link will report it to the controller.
If the controller is older, newer routers will report links from both the dialing and listening side of the link.

Auth Rate Limiter

In order to prevent clients from overwhelming the server with auth requests, an auth rate limiter has been introduced.
The rate limiter is adaptive, in that it will react to auth attempts timing out by shrinking the number of allowed
queued auth attempts. The number will slowly recover over time.

Example configuration:

edge:
  # This section allows configurating the rate limiter for auth attempts
  authRateLimiter:
    # if disabled, no auth rate limiting with be enforced
    enabled: true
    # the smallest window size for auth attempts
    minSize: 5
    # the largest allowed window size for auth attempts
    maxSize: 250

New metrics:

• auth.limiter.queued_count - current number of queued auth attempts
• auth.limiter.window_size - current size at which new auth attempts will be rejected
• auth.limiter.work_timer - tracks the rate at which api sessions are being created and how long it's taking to create them

Link Management Fixes

With long lived link ids, there was potential for link control message to be ambiguous, as the link id wasn't enough to identify
a specific iteration of that link. An iteration field has been added to links so that messaging is unambiguous.
Links will also only be reported from the dialing router now to reduce ambiguouity and race condition in link control channel
messaging.

Router SSL Handshake Timeout Config

There is a new router config setting which allows setting the SSL handshake timeout for TLS connections, when using ALPN for listeners.

tls:
  handshakeTimeout: 15s

Component Updates and Bug Fixes

• github.com/openziti/channel/v2: v2.0.111 -> v2.0.116

  • Issue #123 - Ensure hello messages respect connect timeout
  • Issue #120 - Allow handling new underlay instances with function instead of channel

• github.com/openziti/edge-api: v0.26.6 -> v0.26.8

• github.com/openziti/foundation/v2: v2.0.35 -> v2.0.36

  • Issue #391 - goroutine pool can stall if configured for 0 min workers and with single producer

• github.com/openziti/identity: v1.0.68 -> v1.0.69

• github.com/openziti/metrics: v1.2.41 -> v1.2.43

• github.com/openziti/runzmd: v1.0.36 -> v1.0.37

• github.com/openziti/sdk-golang: v0.22.0 -> v0.22.17

  • Issue #482 - Deprecate ListenOptions.MaxConnections in favor of MaxTerminators

• github.com/openziti/secretstream: v0.1.14 -> v0.1.16

• github.com/openziti/storage: v0.2.27 -> v0.2.28

• github.com/openziti/transport/v2: v2.0.119 -> v2.0.121

  • Issue #73 - Allow overriding shared TLS/ALPN listener SSL handshake timeout

• github.com/openziti/ziti: v0.31.4 -> v0.32.0

  • Issue #1692 - Improve link stability with long lived link ids
  • Issue #1693 - Make links owned by the dialing router
  • Issue #1685 - Race condition where we try to create terminator after client connection is closed
  • Issue #1678 - Add link validation utility
  • Issue #1673 - xgress dialers not getting passed xgress config
  • Issue #1669 - Make sure link accepts are not single threaded
  • Issue #1657 - Add api session rate limiter

v0.31.4

Release 0.31.4

What's New

• Bug fix for a data flow stall which is especially likely to happen on circuits with single router paths

Thanks

• @marvkis - for providing high quality debug data which made tracking down a couple of flow control stall issues much easier

Component Updates and Bug Fixes

• github.com/openziti/metrics: v1.2.40 -> v1.2.41

• github.com/openziti/sdk-golang: v0.21.2 -> v0.22.0

  • Issue #468 - SDK does an unnecessary number of session refreshes

• github.com/openziti/storage: v0.2.26 -> v0.2.27

• github.com/openziti/ziti: v0.31.3 -> v0.31.4

  • Issue #1645 - Once routers share a link id, we can't use the link id to decide which duplicate link to discard
  • Issue #1642 - Revert posture check optimization
  • Issue #1586 - If ack is received before payload is processed by link send buffer, a stall can result