swift/CHANGELOG
John Dickinson 11bd6c82ec 2.13.0 authors/changelog updates
Change-Id: I4d90075bd1eb6775b9d736668aa9c7af5eb41f4e
2017-02-15 16:16:49 -08:00

2223 lines
86 KiB
Plaintext

swift (2.13.0, OpenStack Ocata)
* Improvements in key parts of the consistency engine
- Improved performance by eliminating an unneeded directory
structure hash.
- Optimized the common case for hashing filesystem trees, thus
eliminating a lot of extraneous disk I/O.
- Updated the `hashes.pkl` file format to include timestamp information
for race detection. Also simplified hashing logic to prevent race
conditions and optimize for the common case.
- The erasure code reconstructor will now shuffle work jobs across all
disks instead of going disk-by-disk. This eliminates single-disk I/O
contention and allows continued scaling as concurrency is increased.
- Erasure code reconstruction handles moving data from handoff nodes
better. Instead of moving the data to another handoff, it waits
until it can be moved to a primary node.
Upgrade Impact: If you upgrade and roll back, you must delete all
`hashes.pkl` files.
* If using erasure coding with ISA-L in rs_vand mode and 5 or more parity
fragments, Swift will emit a warning. This is a configuration that is
known to harm data durability. In a future release, this warning will be
upgraded to an error unless the policy is marked as deprecated. All data
in an erasure code storage policy using isa_l_rs_vand with 5 or more
parity should be migrated as soon as possible. Please see
https://bugs.launchpad.net/swift/+bug/1639691 for more information.
* The erasure code reconstructor `handoffs_first` option has been
deprecated in favor of `handoffs_only`. `handoffs_only` is far more
useful, and just like `handoffs_first` mode in the replicator, it gives
the operator the option of forcing the consistency engine to focus
solely on revert (handoff) jobs, thus improving the speed of
rebalances. The `handoffs_only` behavior is somewhat consistent with
the replicator's `handoffs_first` option (any error on any handoff in
the replicator will make it essentially handoff only forever) but the
`handoff_only` option does what you want and is named correctly in the
reconstructor.
* The default for `object_post_as_copy` has been changed to False. The
option is now deprecated and will be removed in a future release. If
your cluster is still running with post-as-copy enabled, please update
it to use the "fast-post" method. Future versions of Swift will not
support post-as-copy, and future features will not be supported under
post-as-copy. ("Fast-post" is where `object_post_as_copy` is false).
* Temporary URLs now support one common form of ISO 8601 timestamps in
addition to Unix seconds-since-epoch timestamps. The ISO 8601 format
accepted is '%Y-%m-%dT%H:%M:%SZ'. This makes TempURLs more
user-friendly to produce and consume.
* Listing containers in accounts with json or xml now includes a
`last_modified` time. This does not change any on-disk data, but simply
exposes the value to offer consistency with the object listings on
containers.
* Fixed a bug where the ring builder would not allow removal of a device
when min_part_seconds_left was greater than zero.
* PUT subrequests generated from a client-side COPY will now properly log
the SSC (server-side copy) Swift source field. See
https://docs.openstack.org/developer/swift/logs.html#swift-source for
more information.
* Fixed a bug where an SLO download with a range request may have resulted
in a 5xx series response.
* SLO manifest PUT requests can now be properly validated by sending an
ETag header of the md5 sum of the concatenated md5 sums of the
referenced segments.
* Fixed the stats calculation in the erasure code reconstructor.
* Rings with min_part_hours set to zero will now only move one partition
replica per rebalance, thus matching behavior when min_part_hours is
greater than zero.
* I/O priority is now supported on AArch64 architecture.
* Various other minor bug fixes and improvements.
swift (2.12.0)
* Ring files now include byteorder information about the endian of
the machine used to generate the file, and the values are
appropriately byteswapped if deserialized on a machine with a
different endianness.
Newly created ring files will be byteorder agnostic, but
previously generated ring files will still fail on different
endian architectures. Regenerating older ring files will cause
them to become byteorder agnostic. The regeneration of the ring
files will not cause any new data movement. Newer ring files
will still be usable by older versions of Swift (on machines
with the same endianness--this maintains existing behavior).
* All 416 responses will now include a Content-Range header with
an unsatisfied-range value. This allows the caller to know the
valid range request value for an object.
* TempURLs now support a validation against a common prefix. A
prefix-based signature grants access to all objects which share the
same prefix. This avoids the creation of a large amount of signatures,
when a whole container or pseudofolder is shared.
* Correctly handle deleted files with if-none-match requests.
* Correctly send 412 Precondition Failed if a user sends an
invalid copy destination. Previously Swift would send a 500
Internal Server Error.
* In SLO manifests, the `etag` and `size_bytes` keys are now fully
optional and not required. Previously, the keys needed to exist
but the values were optional. The only required key is `path`.
* Fixed a rare infinite loop in `swift-ring-builder` while placing parts.
* Ensure update of the container by object-updater, removing a rare
possibility that objects would never be added to a container listing.
* Fixed non-deterministic suffix updates in hashes.pkl where a partition
may be updated much less often than expected.
* Fixed regression in consolidate_hashes that occurred when a new
file was stored to new suffix to a non-empty partition. This bug
was introduced in 2.7.0 and could cause an increase in rsync
replication stats during and after upgrade, due to inconsistent
hashing of partition suffixes.
* Account and container databases will now be quarantined if the
database schema has been corrupted.
* Removed "in-process-" from func env tox name to work with
upstream CI.
* Respect server type for --md5 check in swift-recon.
* Remove empty db hash and suffix directories if a db gets quarantined.
* Various other minor bug fixes and improvements.
swift (2.11.0)
* We have made significant improvements and changes to the erasure
code implementation.
- Instead of using a separate .durable file to indicate the
durable status of an EC fragment archive, we rename the .data
to include a durable marker in the filename. This saves one
inode for every EC .data file. Existing .durable files will not
be removed, and they will continue to work just fine.
Note that after writing EC data with Swift 2.11.0 or later, that
data will not be accessible to earlier versions of Swift.
- Closed a bug where ssync may have written bad fragment data in
some circumstances. A check was added to ensure the correct number
of bytes is written for a fragment before finalizing the write.
Also, erasure coded fragment metadata will now be validated on read
requests and, if bad data is found, the fragment will be quarantined.
- The improvements to EC reads made in Swift 2.10.0 have also been
applied to the reconstructor. This allows fragments to be rebuilt
in more circumstances, resulting in faster recovery from failures.
- WARNING: If you are using the ISA-L library for erasure codes,
please upgrade to liberasurecode 1.3.1 (or later) as soon as
possible. If you are using isa_l_rs_vand with more than 4 parity,
please read https://bugs.launchpad.net/swift/+bug/1639691 and take
necessary action.
- Updated the PyECLib dependency to 1.3.1.
* Added a configurable URL base to staticweb.
* Support multi-range GETs for static large objects.
* TempURLs using the "inline" parameter can now also set the
"filename" parameter. Both are used in the Content-Disposition
response header.
* Mirror X-Trans-Id to X-Openstack-Request-Id.
* SLO will now concurrently HEAD segments, resulting in much faster
manifest validation and object creation. By default, two HEAD requests
will be done at a time, but this can be changed by the operator via
the new `concurrency` setting in the "[filter:slo]" section of
the proxy server config.
* Suppressed the KeyError message when auditor finds an expired object.
* Daemons using InternalClient can now be properly killed with SIGTERM.
* Added a "user" option to the drive-audit config file. Its value is
used to set the owner of the drive-audit recon cache.
* Throttle update_auditor_status calls so it updates no more than once
per minute.
* Suppress unexpected-file warnings for rsync temp files.
* Various other minor bug fixes and improvements.
swift (2.10.0, OpenStack Newton)
* Object versioning now supports a "history" mode in addition to
the older "stack" mode. The difference is in how DELETE requests
are handled. For full details, please read
http://docs.openstack.org/developer/swift/overview_object_versioning.html.
* New config variables to change the schedule priority and I/O
scheduling class. Servers and daemons now understand
`nice_priority`, `ionice_class`, and `ionice_priority` to
schedule their relative importance. Please read
http://docs.openstack.org/developer/swift/deployment_guide.html
for full config details.
* On newer kernels (3.15+ when using xfs), Swift will use the O_TMPFILE
flag when opening a file instead of creating a temporary file
and renaming it on commit. This makes the data path simpler and
allows the filesystem to more efficiently optimize the files on
disk, resulting in better performance.
* Erasure code GET performance has been significantly
improved in clusters that are not completely healthy.
* Significant improvements to the api-ref doc available at
http://developer.openstack.org/api-ref/object-storage/.
* A PUT or POST to a container will now update the container's
Last-Modified time, and that value will be included in a
GET/HEAD response.
* Include object sysmeta in POST responses. Sysmeta is still
stripped from the response before being sent to the client, but
this allows middleware to make use of the information.
* Fixed a bug where a container listing delimiter wouldn't work
with encryption.
* Fixed a bug where some headers weren't being copied correctly
in a COPY request.
* Container sync can now copy SLOs more efficiently by allowing
the manifest to be synced before all of the referenced segments.
This fixes a bug where container sync would not copy SLO manifests.
* Fixed a bug where some tombstone files might never be reclaimed.
* Update dnspython dependency to 1.14, removing the need to have
separate dnspython dependencies for Py2 and Py3.
* Deprecate swift-temp-url and call python-swiftclient's
implementation instead. This adds python-swiftclient as an
optional dependency of Swift.
* Moved other-requirements.txt to bindep.txt. bindep.txt lists
non-python dependencies of Swift.
* Various other minor bug fixes and improvements.
swift (2.9.0)
* Swift now supports at-rest encryption. This feature encrypts all
object data and user-set object metadata as it is sent to the cluster.
This feature is designed to prevent information leaks if a hard drive
leaves the cluster. The encryption is transparent to the end-user.
At-rest encryption in Swift is enabled on the proxy server by
adding two middlewares to the pipeline. The `keymaster` middleware
is responsible for managing the encryption keys and the `encryption`
middleware does the actual encryption and decryption.
Existing clusters will continue to work without enabling
encryption. Although enabling this feature on existing clusters
is supported, best practice is to enable this feature on new
clusters when the cluster is created.
For more information on the details of the at-rest encryption
feature, please see the docs at
http://docs.openstack.org/developer/swift/overview_encryption.html.
* `swift-recon` can now be called with more than one server type.
* Fixed a bug where non-ascii names could cause an error in logging
and cause a 5xx response to the client.
* The install guide and API reference have been moved into Swift's
source code repository.
* Various other minor bug fixes and improvements.
swift (2.8.0)
* Allow concurrent bulk deletes for server-side deletes of static
large objects. Previously this would be single-threaded and each
DELETE executed serially. The new `delete_concurrency` value
(default value is 2) in the `[filter:slo]` and `[filter:bulk]`
sections of the proxy server config controls the concurrency
used to perform the DELETE requests for referenced segments. The
default value is recommended, but setting the value to 1
restores previous behavior.
* Refactor server-side copy as middleware
The COPY verb is now implemented in the `copy` middleware instead
of in the proxy server code. If not explicitly added, the server
side copy middleware is auto-inserted to the left of `dlo`, `slo`
and `versioned_writes` middlewares in the proxy server pipeline.
As a result, dlo and slo `copy_hooks` are no longer required. SLO
manifests are now validated when copied so when copying a
manifest to another account the referenced segments must be
readable in that account for the manifest copy to succeed
(previously this validation was not made, meaning the manifest
was copied but could be unusable if the segments were not
readable).
With this change, there should be no change in functionality or
existing behavior.
* `fallocate_reserve` can now be a percentage (a value ending in "%"),
and the default has been adjusted to "1%".
* Now properly require account/container metadata be valid UTF-8
* TempURL responses now include an `Expires` header with the
expiration time embedded in the URL.
* Non-Python dependencies are now listed in other-requirements.txt.
* `swift-ring-builder` now supports a `--yes` option to assume a
yes response to all questions. This is useful for scripts.
* Write requests to a replicated storage policy with an even number
of replicas now have a quorum size of half the replica count
instead of half-plus-one.
* Container sync now logs per-container stat information so operators
can track progress. This is logged at INFO level.
* `swift-dispersion-*` now allows region to be specified when there
are multiple Swift regions served by the same Keystone instance
* Fix infinite recursion during logging when syslog is down.
* Fixed a bug where a backend failure during a read could result in
a missing byte in the response body.
* Stop `staticweb` revealing container existence to unauth'd requests.
* Reclaim isolated .meta files if they are older than the `reclaim_age`.
* Make `rsync` ignore its own temporary files instead of spreading
them around the cluster, wasting space.
* The object auditor now ignores files in the devices directory when
auditing objects.
* The deprecated `threads_per_disk` setting has been removed. Deployers
are encouraged to use `servers_per_port` instead.
* Fixed an issue where a single-replica configuration for account or
container DBs could result in the DB being inadvertently deleted if
it was placed on a handoff node.
* `disable_fallocate` now also correctly disables `fallocate_reserve`.
* Fixed a bug where the account-reaper did not delete all containers
in a reaped account.
* Correctly handle delimiter queries where results start with the
delimiter and no prefix is given.
* Changed the recommended ports for Swift services from ports
6000-6002 to unused ports 6200-6202 so they do not conflict with
X-Windows or other services. Since these config values must be
explicitly set in the config file, this doesn't impact existing
deployments.
* Fixed an instance where REPLICATE requests would not use
`replication_ip`.
* Various other minor bug fixes and improvements.
swift (2.7.0, OpenStack Mitaka)
* Bump PyECLib requirement to >= 1.2.0
* Update container on fast-POST
"Fast-POST" is the mode where `object_post_as_copy` is set to
`False` in the proxy server config. This mode now allows for
fast, efficient updates of metadata without needing to fully
recopy the contents of the object. While the default still is
`object_post_as_copy` as True, the plan is to change the default
to False and then deprecate post-as-copy functionality in later
releases. Fast-POST now supports container-sync functionality.
* Add concurrent reads option to proxy.
This change adds 2 new parameters to enable and control concurrent
GETs in Swift, these are `concurrent_gets` and `concurrency_timeout`.
`concurrent_gets` allows you to turn on or off concurrent
GETs; when on, it will set the GET/HEAD concurrency to the
replica count. And in the case of EC HEADs it will set it to
ndata. The proxy will then serve only the first valid source to
respond. This applies to all account, container, and replicated
object GETs and HEADs. For EC only HEAD requests are affected.
The default for `concurrent_gets` is off.
`concurrency_timeout` is related to `concurrent_gets` and is
the amount of time to wait before firing the next thread. A
value of 0 will fire at the same time (fully concurrent), but
setting another value will stagger the firing allowing you the
ability to give a node a short chance to respond before firing
the next. This value is a float and should be somewhere between
0 and `node_timeout`. The default is `conn_timeout`, meaning by
default it will stagger the firing.
* Added an operational procedures guide to the docs. It can be
found at http://swift.openstack.org/ops_runbook/index.html and
includes information on detecting and handling day-to-day
operational issues in a Swift cluster.
* Make `handoffs_first` a more useful mode for the object replicator.
The `handoffs_first` replication mode is used during periods of
problematic cluster behavior (e.g. full disks) when replication
needs to quickly drain partitions from a handoff node and move
them to a primary node.
Previously, `handoffs_first` would sort that handoff work before
"normal" replication jobs, but the normal replication work could
take quite some time and result in handoffs not being drained
quickly enough.
In order to focus on getting handoff partitions off the node
`handoffs_first` mode will now abort the current replication
sweep before attempting any primary suffix syncing if any of the
handoff partitions were not removed for any reason - and start
over with replication of handoffs jobs as the highest priority.
Note that `handoffs_first` being enabled will emit a warning on
start up, even if no handoff jobs fail, because of the negative
impact it can have during normal operations by dog-piling on a
node that was temporarily unavailable.
* By default, inbound `X-Timestamp` headers are now disallowed
(except when in an authorized container-sync request). This
header is useful for allowing data migration from other storage
systems to Swift and keeping the original timestamp of the data.
If you have this migration use case (or any other requirement on
allowing the clients to set an object's timestamp), set the
`shunt_inbound_x_timestamp` config variable to False in the
gatekeeper middleware config section of the proxy server config.
* Requesting a SLO manifest file with the query parameters
"?multipart-manifest=get&format=raw" will return the contents of
the manifest in the format as was originally sent by the client.
The "format=raw" is new.
* Static web page listings can now be rendered with a custom
label. By default listings are rendered with a label of:
"Listing of /v1/<account>/<container>/<path>". This change adds
a new custom metadata key/value pair
`X-Container-Meta-Web-Listings-Label: My Label` that when set,
will cause the following: "Listing of My Label/<path>" to be
rendered instead.
* Previously, static large objects (SLOs) had a minimum segment
size (default to 1MiB). This limit has been removed, but small
segments will be ratelimited. The config parameter
`rate_limit_under_size` controls the definition of "small"
segments (1MiB by default), and `rate_limit_segments_per_sec`
controls how many segments per second can be served (default is 1).
With the default values, the effective behavior is identical to the
previous behavior when serving SLOs.
* Container sync has been improved to perform a HEAD on the remote
side of the sync for each object being synced. If the object
exists on the remote side, container-sync will no longer
transfer the object, thus significantly lowering the network
requirements to use the feature.
* The object auditor will now clean up any old, stale rsync temp
files that it finds. These rsync temp files are left if the
rsync process fails without completing a full transfer of an
object. Since these files can be large, the temp files may end
up filling a disk. The new auditor functionality will reap these
rsync temp files if they are old. The new object-auditor config
variable `rsync_tempfile_timeout` is the number of seconds old a
tempfile must be before it is reaped. By default, this variable
is set to "auto" or the rsync_timeout plus 900 seconds (falling
back to a value of 1 day).
* The Erasure Code reconstruction process has been made more
efficient by not syncing data files when only the durable commit
file is missing.
* Fixed a bug where 304 and 416 response may not have the right
Etag and Accept-Ranges headers when the object is stored in an
Erasure Coded policy.
* Versioned writes now correctly stores the date of previous versions
using GMT instead of local time.
* The deprecated Keystone middleware option is_admin has been removed.
* Fixed log format in object auditor.
* The zero-byte mode (ZBF) of the object auditor will now properly
observe the `--once` option.
* Swift keeps track, internally, of "dirty" parts of the partition
keyspace with a "hashes.pkl" file. Operations on this file no
longer require a read-modify-write cycle and use a new
"hashes.invalid" file to track dirty partitions. This change
will improve end-user performance for PUT and DELETE operations.
* The object replicator's succeeded and failed counts are now logged.
* `swift-recon` can now query hosts by storage policy.
* The log_statsd_host value can now be an IPv6 address or a hostname
which only resolves to an IPv6 address.
* Erasure coded fragments now properly call fallocate to reserve disk
space before being written.
* Various other minor bug fixes and improvements.
swift (2.6.0)
* Dependency changes
- Updated minimum version of eventlet to 0.17.4 to support IPv6.
- Updated the minimum version of PyECLib to 1.0.7.
* The ring rebalancing algorithm was updated to better handle edge cases
and to give better (more balanced) rings in the general case. New rings
will have better initial placement, capacity adjustments will move less
data for better balance, and existing rings that were imbalanced should
start to become better balanced as they go through rebalance cycles.
* Added container and account reverse listings.
A GET request to an account or container resource with a "reverse=true"
query parameter will return the listing in reverse order. When
iterating over pages of reverse listings, the relative order of marker
and end_marker are swapped.
* Storage policies now support having more than one name.
This allows operators to fix a typo without breaking existing clients,
or, alternatively, have "short names" for policies. This is implemented
with the "aliases" config key in the storage policy config in
swift.conf. The aliases value is a list of names that the storage
policy may also be identified by. The storage policy "name" is used to
report the policy to users (eg in container headers). The aliases have
the same naming restrictions as the policy's primary name.
* The object auditor learned the "interval" config value to control the
time between each audit pass.
* `swift-recon --all` now includes the config checksum check.
* `swift-init` learned the --kill-after-timeout option to force a service
to quit (SIGKILL) after a designated time.
* `swift-recon` now correctly shows timestamps in UTC instead of local
time.
* Fixed bug where `swift-ring-builder` couldn't select device id 0.
* Documented the previously undocumented
`swift-ring-builder pretend_min_part_hours_passed` command.
* The "node_timeout" config value now accepts decimal values.
* `swift-ring-builder` now properly removes devices with zero weight.
* `swift-init` return codes are updated via "--strict" and "--non-strict"
options. Please see the usage string for more information.
* `swift-ring-builder` now reports the min_part_hours lockout time
remaining
* Container sync has been improved to more quickly find and iterate over
the containers to be synced. This reduced server load and lowers the
time required to see data propagate between two clusters. Please see
http://swift.openstack.org/overview_container_sync.html for more details
about the new on-disk structure for tracking synchronized containers.
* A container POST will now update that container's put-timestamp value.
* TempURL header restrictions are now exposed in /info.
* Error messages on static large object manifest responses have been
greatly improved.
* Closed a bug where an unfinished read of a large object would leak a
socket file descriptor and a small amount of memory. (CVE-2016-0738)
* Fixed an issue where a zero-byte object PUT with an incorrect Etag
would return a 503.
* Fixed an error when a static large object manifest references the same
object more than once.
* Improved performance of finding handoff nodes if a zone is empty.
* Fixed duplication of headers in Access-Control-Expose-Headers on CORS
requests.
* Fixed handling of IPv6 connections to memcache pools.
* Continued work towards python 3 compatibility.
* Various other minor bug fixes and improvements.
swift (2.5.0, OpenStack Liberty)
* Added the ability to specify ranges for Static Large Object (SLO)
segments.
* Replicator configs now support an "rsync_module" value to allow
for per-device rsync modules. This setting gives operators the
ability to fine-tune replication traffic in a Swift cluster and
isolate replication disk IO to a particular device. Please see
the docs and sample config files for more information and
examples.
* Significant work has gone in to testing, fixing, and validating
Swift's erasure code support at different scales.
* Swift now emits StatsD metrics on a per-policy basis.
* Fixed an issue with Keystone integration where a COPY request to a
service account may have succeeded even if a service token was not
included in the request.
* Ring validation now warns if a placement partition gets assigned to the
same device multiple times. This happens when devices in the ring are
unbalanced (e.g. two servers where one server has significantly more
available capacity).
* Various other minor bug fixes and improvements.
swift (2.4.0)
* Dependency changes
- Added six requirement. This is part of an ongoing effort to add
support for Python 3.
- Dropped support for Python 2.6.
* Config changes
- Recent versions of Python restrict the number of headers allowed in a
request to 100. This number may be too low for custom middleware. The
new "extra_header_count" config value in swift.conf can be used to
increase the number of headers allowed.
- Renamed "run_pause" setting to "interval" (current configs with
run_pause still work). Future versions of Swift may remove the
run_pause setting.
* Versioned writes middleware
The versioned writes feature has been refactored and reimplemented as
middleware. You should explicitly add the versioned_writes middleware to
your proxy pipeline, but do not remove or disable the existing container
server config setting ("allow_versions"), if it is currently enabled.
The existing container server config setting enables existing
containers to continue being versioned. Please see
http://swift.openstack.org/middleware.html#how-to-enable-object-versioning-in-a-swift-cluster
for further upgrade notes.
* Allow 1+ object-servers-per-disk deployment
Enabled by a new > 0 integer config value, "servers_per_port" in the
[DEFAULT] config section for object-server and/or replication server
configs. The setting's integer value determines how many different
object-server workers handle requests for any single unique local port
in the ring. In this mode, the parent swift-object-server process
continues to run as the original user (i.e. root if low-port binding
is required), binds to all ports as defined in the ring, and forks off
the specified number of workers per listen socket. The child, per-port
servers drop privileges and behave pretty much how object-server workers
always have, except that because the ring has unique ports per disk, the
object-servers will only be handling requests for a single disk. The
parent process detects dead servers and restarts them (with the correct
listen socket), starts missing servers when an updated ring file is
found with a device on the server with a new port, and kills extraneous
servers when their port is found to no longer be in the ring. The ring
files are stat'ed at most every "ring_check_interval" seconds, as
configured in the object-server config (same default of 15s).
In testing, this deployment configuration (with a value of 3) lowers
request latency, improves requests per second, and isolates slow disk
IO as compared to the existing "workers" setting. To use this, each
device must be added to the ring using a different port.
* Do container listing updates in another (green)thread
The object server has learned the "container_update_timeout" setting
(with a default of 1 second). This value is the number of seconds that
the object server will wait for the container server to update the
listing before returning the status of the object PUT operation.
Previously, the object server would wait up to 3 seconds for the
container server response. The new behavior dramatically lowers object
PUT latency when container servers in the cluster are busy (e.g. when
the container is very large). Setting the value too low may result in a
client PUT'ing an object and not being able to immediately find it in
listings. Setting it too high will increase latency for clients when
container servers are busy.
* TempURL fixes (closes CVE-2015-5223)
Do not allow PUT tempurls to create pointers to other data.
Specifically, disallow the creation of DLO object manifests via a PUT
tempurl. This prevents discoverability attacks which can use any PUT
tempurl to probe for private data by creating a DLO object manifest and
then using the PUT tempurl to head the object.
* Ring changes
- Partition placement no longer uses the port number to place
partitions. This improves dispersion in small clusters running one
object server per drive, and it does not affect dispersion in
clusters running one object server per server.
- Added ring-builder-analyzer tool to more easily test and analyze a
series of ring management operations.
- Stop moving partitions unnecessarily when overload is on.
* Significant improvements and bug fixes have been made to erasure code
support. This feature is suitable for beta testing, but it is not yet
ready for broad production usage.
* Bulk upload now treats user xattrs on files in the given archive as
object metadata on the resulting created objects.
* Emit warning log in object replicator if "handoffs_first" or
"handoff_delete" is set.
* Enable object replicator's failure count in swift-recon.
* Added storage policy support to dispersion tools.
* Support keystone v3 domains in swift-dispersion.
* Added domain_remap information to the /info endpoint.
* Added support for a "default_reseller_prefix" in domain_remap
middleware config.
* Allow SLO PUTs to forgo per-segment integrity checks. Previously, each
segment referenced in the manifest also needed the correct etag and
bytes setting. These fields now allow the "null" value to skip those
particular checks on the given segment.
* Allow rsync to use compression via a "rsync_compress" config. If set to
true, compression is only enabled for an rsync to a device in a
different region. In some cases, this can speed up cross-region
replication data transfer.
* Added time synchronization check in swift-recon (the --time option).
* The account reaper now runs faster on large accounts.
* Various other minor bug fixes and improvements.
swift (2.3.0, OpenStack Kilo)
* Erasure Code support (beta)
Swift now supports an erasure-code (EC) storage policy type. This allows
deployers to achieve very high durability with less raw capacity as used
in replicated storage. However, EC requires more CPU and network
resources, so it is not good for every use case. EC is great for storing
large, infrequently accessed data in a single region.
Swift's implementation of erasure codes is meant to be transparent to
end users. There is no API difference between replicated storage and
EC storage.
To support erasure codes, Swift now depends on PyECLib and
liberasurecode. liberasurecode is a pluggable library that allows for
the actual EC algorithm to be implemented in a library of your choosing.
As a beta release, EC support is nearly fully feature complete, but it
is lacking support for some features (like multi-range reads) and has
not had a full performance characterization. This feature relies on
ssync for durability. Deployers are urged to do extensive testing and
not deploy production data using an erasure code storage policy.
Full docs are at http://swift.openstack.org/overview_erasure_code.html
* Add support for container TempURL Keys.
* Make more memcache options configurable. connection_timeout,
pool_timeout, tries, and io_timeout are all now configurable.
* Swift now supports composite tokens. This allows another service to
act on behalf of a user, but only with that user's consent.
See http://swift.openstack.org/overview_auth.html for more details.
* Multi-region replication was improved. When replicating data to a
different region, only one replica will be pushed per replication
cycle. This gives the remote region a chance to replicate the data
locally instead of pushing more data over the inter-region network.
* Internal requests from the ratelimit middleware now properly log a
swift_source. See http://swift.openstack.org/logs.html for details.
* Improved storage policy support for quarantine stats in swift-recon.
* The proxy log line now includes the request's storage policy index.
* Ring checker has been added to swift-recon to validate if rings are
built correctly. As part of this feature, storage servers have learned
the OPTIONS verb.
* Add support of x-remove- headers for container-sync.
* Rings now support hostnames instead of just IP addresses.
* Swift now enforces that the API version on a request is valid. Valid
versions are configured via the valid_api_versions setting in swift.conf
* Various other minor bug fixes and improvements.
swift (2.2.2)
* Data placement changes
This release has several major changes to data placement in Swift in
order to better handle different deployment patterns. First, with an
unbalance-able ring, less partitions will move if the movement doesn't
result in any better dispersion across failure domains. Also, empty
(partition weight of zero) devices will no longer keep partitions after
rebalancing when there is an unbalance-able ring.
Second, the notion of "overload" has been added to Swift's rings. This
allows devices to take some extra partitions (more than would normally
be allowed by the device weight) so that smaller and unbalanced clusters
will have less data movement between servers, zones, or regions if there
is a failure in the cluster.
Finally, rings have a new metric called "dispersion". This is the
percentage of partitions in the ring that have too many replicas in a
particular failure domain. For example, if you have three servers in a
cluster but two replicas for a partition get placed onto the same
server, that partition will count towards the dispersion metric. A
lower value is better, and the value can be used to find the proper
value for "overload".
The overload and dispersion metrics have been exposed in the
swift-ring-build CLI tools.
See http://docs.openstack.org/developer/swift/overview_ring.html
for more info on how data placement works now.
* Improve replication of large out-of-sync, out-of-date containers.
* Added console logging to swift-drive-audit with a new log_to_console
config option (default False).
* Optimize replication when a device and/or partition is specified.
* Fix dynamic large object manifests getting versioned. This was not
intended and did not work. Now it is properly prevented.
* Fix the GET's response code when there is a missing segment in a
large object manifest.
* Change black/white listing in ratelimit middleware to use sysmeta.
Instead of using the config option, operators can set
"X-Account-Sysmeta-Global-Write-Ratelimit: WHITELIST" or
"X-Account-Sysmeta-Global-Write-Ratelimit: BLACKLIST" on an account to
whitelist or blacklist it for ratelimiting. Note: the existing
config options continue to work.
* Use TCP_NODELAY on outgoing connections.
* Improve object-replicator startup time.
* Implement OPTIONS verb for storage nodes.
* Various other minor bug fixes and improvements.
swift (2.2.1)
* Swift now rejects object names with Unicode surrogates.
* Return 403 (instead of 413) on unauthorized upload when over account
quota.
* Fix a rare condition when a rebalance could cause swift-ring-builder
to crash. This would only happen on old ring files when "rebalance"
was the first command run.
* Storage node error limits now survive a ring reload.
* Speed up reading and writing xattrs for object metadata by using larger
xattr value sizes. The change is moving from 254 byte values to 64KiB
values. There is no migration issue with this.
* Deleted containers beyond the reclaim age are now properly reclaimed.
* Full Simplified Chinese translation (zh_CN locale) for errors and logs.
* Container quota is now properly enforced during cross-account COPY.
* ssync replication now properly uses the configured replication_ip.
* Fixed issue were ssync did not replicate custom object headers.
* swift-drive-audit now has the 'unmount_failed_device' config option
(default to True) that controls if the process will unmount failed
drives or not.
* swift-drive-audit will now dump drive error rates to a recon file.
The file location is controlled by the 'recon_cache_path' config value
and it includes each drive and its associated number of errors.
* When a filesystem does't support xattr, the object server now returns
a 507 Insufficient Storage error to the proxy server.
* Clean up empty account and container partitions directories if they
are empty. This keeps the system healthy and prevents a large number
of empty directories from slowing down the replication process.
* Show the sum of every policy's amount of async pendings in swift-recon.
* Various other minor bug fixes and improvements.
swift (2.2.0, OpenStack Juno)
* Added support for Keystone v3 auth.
Keystone v3 introduced the concept of "domains" and user names
are no longer unique across domains. Swift's Keystone integration
now requires that ACLs be set on IDs, which are unique across
domains, and further restricts setting new ACLs to only use IDs.
Please see http://swift.openstack.org/overview_auth.html for
more information on configuring Swift and Keystone together.
* Swift now supports server-side account-to-account copy. Server-
side copy in Swift requires the X-Copy-From header (on a PUT)
or the Destination header (on a COPY). To initiate an account-to-
account copy, the existing header value remains the same, but the
X-Copy-From-Account header (on a PUT) or the Destination-Account
(on a COPY) are used to indicate the proper account.
* Limit partition movement when adding a new placement tier.
When adding a new placement tier (server, zone, or region), Swift
previously attempted to move all placement partitions, regardless
of the space available on the new tier, to ensure the best possible
durability. Unfortunately, this could result in too many partitions
being moved all at once to a new tier. Swift's ring-builder now
ensures that only the correct number of placement partitions are
rebalanced, and thus makes adding capacity to the cluster more
efficient.
* Per storage policy container counts are now reported in an
account response headers.
* Swift will now reject, with a 4xx series response, GET requests
with more than 50 ranges, more than 3 overlapping ranges, or more
than 8 non-increasing ranges.
* The bind_port config setting is now required to be explicitly set.
* The object server can now use splice() for a zero-copy GET
response. This feature is enabled with the "splice" config variable
in the object server config and defaults to off. Also, this feature
only works on recent Linux kernels (AF_ALG sockets must be
supported). A zero-copy GET response can significantly reduce CPU
requirements for object servers.
* Added "--no-overlap" option to swift-dispersion populate so that
multiple runs of the tool can add coverage without overlapping
existing monitored partitions.
* swift-recon now supports filtering by region.
* Various other minor bug fixes and improvements.
swift (2.1.0)
* swift-ring-builder placement was improved to allow gradual addition
of new regions without causing a massive migration of data to the new
region. The change was to prefer device weight first, then look at
failure domains.
* Logging updates
- Eliminated "Handoff requested (N)" log spam.
- Added process pid to the end of storage node log lines.
- Container auditor now logs a warning if the devices path contains a
non-directory.
- Object daemons now send a user-agent string with their full name.
* 412 and 416 responses are no longer tracked as errors in the StatsD
messages from the backend servers.
* Parallel object auditor
The object auditor can now be controlled with a "concurrency" config
value that allows multiple auditor processes to run at once. Using
multiple parallel auditor processes can speed up the overall auditor
cycle time.
* The object updater will now concurrently update each necessary node
in a new greenthread.
* TempURL updates
- The default allowed methods have changed to also allow POST and
DELETE. The new default list is "GET HEAD PUT POST DELETE".
- TempURLs for POST now also allow HEAD, matching existing GET and PUT
functionality.
- Added filename*= support to TempURL Content-Disposition response
header.
* X-Delete-At/After can now be used with the FormPost middleware.
* Make swift-form-signature output a sample form.
* Add v2 API to list endpoints middleware
The new API adds better support for storage policies and changes the
response from a list of backend urls to a dictionary with the keys
"endpoints" and "headers". The endpoints key contains a list of the
backend urls, and the headers key is a dictionary of headers to send
along with the backend request.
* Added allow_account_management and account_autocreate values to /info
responses.
* Enable object system metadata on PUTs (Note: POST support is ongoing).
* Various other minor bug fixes and improvements.
swift (2.0.0)
* Storage policies
Storage policies allow deployers to configure multiple object rings
and expose them to end users on a per-container basis. Deployers
can create policies based on hardware performance, regions, or other
criteria and independently choose different replication factors on
them. A policy is set on a Swift container at container creation
time and cannot be changed.
Full docs are at http://swift.openstack.org/overview_policies.html
* Add profiling middleware in Swift
The profile middleware provides a tool to profile Swift
code on the fly and collects statistical data for performance
analysis. A native simple Web UI is also provided to help
query and visualize the data.
* Add --quoted option to swift-temp-url
* swift-recon now supports checking the md5sum of swift.conf, which
helps deployers verify configurations are consistent across a cluster.
* Users can now set the transaction id suffix by passing in
a value in the X-Trans-Id-Extra header.
* New log_max_line_length option caps the maximum length of a log line.
* Support If-[Un]Modified-Since for object HEAD
* Added missing constraints and ratelimit parameters to /info
* Add ability to remove subsections from /info
* Unify logging for account, container, and object server processes
to provide a consistent message format. This change reorders the
fields logged for the account server.
* Add targeted config loading to swift-init. This allows an easier
and more explicit way to tell swift-init to run specific server
process configurations.
* Properly quote www-authenticate (CVE-2014-3497)
* Fix logging issue when services stop on py26.
* Change the default logged length of the auth token to 16.
* Explicitly set permissions on generated ring files to 0644
* Fix file uploads larger than 2GiB in the formpost feature
* Fixed issue where large objects would fail to download if the
auth token expired partway through the download
* Various other minor bug fixes and improvements
swift (1.13.1, OpenStack Icehouse)
* Change the behavior of CORS responses to better match the spec
A new proxy config variable (strict_cors_mode, default to True)
has been added. Setting it to False keeps the old behavior. For
an overview of old versus new behavior, please see
https://review.openstack.org/#/c/69419/
* Invert the responsibility of the two instances of proxy-logging in
the proxy pipeline
The first proxy_logging middleware instance to receive a request
in the pipeline marks that request as handling it. So now, the
left most proxy_logging middleware handles logging for all
client requests, and the right most proxy_logging middleware
handles all other requests initiated from within the pipeline to
its left. This fixes logging related to large object
requests not properly recording bandwidth.
* Added swift-container-info and swift-account-info tools
* Allow specification of object devices for audit
* Dynamic large object COPY requests with ?multipart-manifest=get
now work as expected
* When a client is downloading a large object and one of the segment
reads gets bad data, Swift will now immediately abort the request.
* Fix ring-builder crash when a ring partition was assigned to a
deleted device, zero-weighted device, and normal device
* Make probetests work with conf.d configs
* Various other minor bug fixes and improvements.
swift (1.13.0)
* Account-level ACLs and ACL format v2
Accounts now have a new privileged header to represent ACLs or
any other form of account-level access control. The value of
the header is a JSON dictionary string to be interpreted by the
auth system. A reference implementation is given in TempAuth.
Please see the full docs at
http://swift.openstack.org/overview_auth.html
* Added a WSGI environment flag to stop swob from always using
absolute location. This is useful if middleware needs to use
out-of-spec Location headers in a response.
* Container sync proxies now support simple load balancing
* Config option to lower the timeout for recoverable object GETs
* Add a way to ratelimit all writes to an account
* Allow multiple storage_domain values in cname_lookup middleware
* Moved all DLO functionality into middleware
The proxy will automatically insert the dlo middleware at an
appropriate place in the pipeline the same way it does with the
gatekeeper middleware. Clusters will still support DLOs after upgrade
even with an old config file that doesn't mention dlo at all.
* Remove python-swiftclient dependency
* Add secondary groups to process user during privilege escalation
* When logging request headers, it is now possible to specify
specifically which headers should be logged
* Added log_requests config parameter to account and container servers
to match the parameter in the object server. This allows a deployer
to turn off log messages for these processes.
* Ensure swift.source is set for DLO/SLO requests
* Fixed an issue where overwriting segments in a dynamic manifest
could cause issues on pipelined requests.
* Properly handle COPY verb in container quota middleware
* Improved StaticWeb 404 error message on web-listings and index
* Various other minor bug fixes and improvements.
swift (1.12.0)
* Several important pieces of information have been added to /info:
- Configured constraints are included and allow a client to discover
the limits on names and object sizes that the cluster supports.
- The supported tempurl methods are now included.
- Static large object constraints are now included.
* The Last-Modified header value returned will now be the object's
timestamp rounded up to the next second. This allows subsequent
requests with If-[un]modified-Since to use the Last-Modified
value as expected.
* Non-integer values for if-delete-at headers will now properly
report a 400 error instead of a 503.
* Fix object versioning with non-ASCII container names.
* Bulk delete with POST now works properly.
* Generic means for persisting system metadata
Swift now supports system-level metadata on accounts and
containers. System metadata provides a means to store internal
custom metadata with associated Swift resources in a safe and
secure fashion without actually having to plumb custom metadata
through the core swift servers. The new gatekeeper middleware
prevents this system metadata from leaking into the request or
being set by a client.
* catch_errors and gatekeeper middleware are now forced into the proxy
pipeline if not explicitly referenced.
* New container sync configuration option, separating the end user
from knowing the required end point and adding more secure
signed requests. See
http://swift.openstack.org/overview_container_sync.html for full
information.
* bulk middleware now can be configured to retry deleting containers.
* The default yield_frequency used to keep client connections alive
during slow bulk requests was reduced from 60 seconds to 10 seconds.
While this is a change to a default, it should not affect deployments
and there is no migration process needed.
* Swift processes will attempt to set RLIMIT_NPROC to 8192.
* Server processes will now exit with a non-zero error code on config
errors.
* Warn if read_affinity is configured but not enabled.
* Fix checkmount error parsing in swift-recon.
* Log at warn level when an object is quarantined.
* Fixed CVE-2014-0006 to avoid a potential timing attack with tempurl.
* Various other minor bug fixes and improvements.
swift (1.11.0)
* Added discoverable capabilities
A Swift proxy server now by default (although it can be turned off)
will respond to requests to /info. The response to these requests
include information about the cluster and can be used by clients to
determine which features are supported in the cluster.
* Object replication ssync (an rsync alternative)
A Swift storage node can now be configured to use Swift primitives
for replication transport instead of rsync. This is an experimental
feature that is not yet considered production ready.
* If a source times out on an object server read, try another one
of them with a modified range.
* The proxy now responds to many types of requests as soon as it
has a quorum. This can help speed up responses (without
changing the results), especially when one node is acting up.
There is a post_quorum_timeout config value that can tune how
long to wait for requests to finish after a quorum has been
established.
* Add accurate timestamps in proxy log lines for the start and
end of a request. These are added as new fields on the end of
the existing log lines, and therefore should not break
existing, well-behaved log processors.
* Add an "inline" query parameter to tempurl
By default, temporary URLs add a "Content-Disposition" header
that forces many clients to download the object. Now, temporary
URLs support an optional "inline" query parameter that will
force a "Content-Disposition: inline" header to be added to the
response, overriding the default.
* Use TCP_NODELAY for created sockets. This can dramatically
lower latency for small object workloads.
* DiskFile API, with reference implementation
The DiskFile abstraction for talking to data on disk has been
refactored to allow alternate implementations to be developed.
Included in the codebase is an in-memory reference
implementation. For full documentation, please see the developer
documentation. The DiskFile API is still a work in progress and
is not yet finalized.
* Removal of swift-bench
The included benchmarking tool swift-bench has been extracted
from the codebase and is now in its own repository at
https://github.com/openstack/swift-bench. New swift-bench
binaries and packages may be found on PyPI at
https://pypi.python.org/pypi/swift-bench
* Bulk delete now also supports the POST verb, in addition to DELETE
* Added functionality to the swift-ring-builder to support
limited recreation of ring builder files from the ring file itself.
* HEAD on account now returns 410 if account was deleted and
not yet reaped. The old behavior was to return a 404.
* Fixed a bug introduced since the 1.10.0 release that
prevented expired objects from being removed from the system.
This resulted in orphaned expired objects taking up space on
the system but inaccessible to the API. This regression and
fix are only important if you have deployed code since the
1.10.0 release. For a full discussion, including a script that
can be used to clean up orphaned objects, see
https://bugs.launchpad.net/swift/+bug/1257330
* Tie socket write buffer size to server chunk size parameter. This
pairs the underlying network buffer size with the size of data
that Swift attempts to read from the connection, thereby
improving efficiency and throughput on connections.
* Fix 500 from account-quota middleware. If a user had set
X-Account-Meta-Quota-Bytes to something non-integer prior to
the installation of the account-quota middleware, then the
quota check would choke on it. Now a non-integer value is
treated as "no quota".
* Quarantine objects with busted metadata. Before, if you
encountered an object with corrupt or missing xattrs, the
object server would return a 500 on GET, and wouldn't quarantine
anything. Now the object server returns a 404 for that GET and
the corrupted file is quarantined, thus giving replication a
chance to fix it.
* Fix quarantine and error counts in audit logs
* Report transaction ID in failure exception logs
* Make pbr a build-time only dependency
* Worked around a bug in eventlet 0.9.16 where the size of the
memcache connection pools would grow unbounded.
* Tempurl keys are now properly stored as utf8
* Fixed an issue where concurrent PUT requests to accounts or
containers may result in errors due to locked databases.
* Handle copy requests in account and container quota middleware
* Now ensure that a WWW-Authenticate header is on all 401 responses
* Various other bug fixes and improvements
swift (1.10.0, OpenStack Havana)
* Added support for pooling memcache connections
* Added support to replicating handoff partitions first in object
replication. Can also configure how many remote nodes a storage node
must talk to before removing a local handoff partition.
* Fixed bug where memcache entries would not expire
* Much faster calculation for choosing handoff nodes
* Added container listing ratelimiting
* Fixed issue where the proxy would continue to read from a storage
server even after a client had disconnected
* Added support for headers that are only visible to the owner of a Swift
account
* Fixed ranged GET with If-None-Match
* Fixed an issue where rings may not be balanced after initial creation
* Fixed internationalization support
* Return the correct etag for a static large object on the PUT response
* Allow users to extract archives to containers with ACLs set
* Fix support for range requests against static large objects
* Now logs x-copy-from header in a useful place
* Reverted back to old XML output of account and container listings to
ensure older clients do not break
* Account quotas now appropriately handle copy requests
* Fix issue with UTF-8 handling in versioned writes
* Various other bug fixes and improvements, including support for running
Swift under Pypy and continuing work to support storage policies
swift (1.9.1)
* Disallow PUT, POST, and DELETE requests from creating older tombstone
files, preventing the possibility of filling up the disk and removing
unnecessary container updates.
* Set default wsgi workers to cpu_count
Change the default value of wsgi workers from 1 to auto. The new
default value for workers in the proxy, container, account & object
wsgi servers will spawn as many workers per process as you have cpu
cores. This will not be ideal for some configurations, but it's much
more likely to produce a successful out of the box deployment.
* Added reveal_sensitive_prefix config setting to filter the auth token
logged by the proxy server.
* Ensure Keystone's reseller prefix ends with an underscore. Previously
this was a recommendation--now it is enforced.
* Added log_file_pattern config to swift-drive-audit for drive errors
* Add support for telling Swift to detect a content type on a request.
* Additional object stats are now logged in the object auditor
* Moved the DiskFile interface into its own module
* Ensure the SQLite cursors are closed when creating functions
* Better support for valid Accept headers
* In Keystone, don't allow users to delete their own account
* Return a UTC timezone designator in container listings
* Ensure that users can't remove their account quotas
* Allow floating point value for dispersion coverage
* Fix incorrect error page handling in staticweb
* Add utf-8 charset to multipart-manifest=get response.
* Allow dispersion tools to use keystone server with insecure certificate
* Ensure that files are always closed in tests
* Use OpenStack's "Hacking" guidelines for code formatting
* Various other minor bug fixes and improvements
swift (1.9.0)
* Global clusters support
The "region" concept introduced in Swift 1.8.0 has been augmented with
support for using a separate replication network and configuring read
and write affinity. These features combine to offer support for a single
Swift cluster spanning wide geographic area.
* Disk performance
The object server now can be configured to use threadpools to increase
performance and smooth out latency throughout the system. Also, many
disk operations were reordered to increase reliability and improve
performance.
* Added config file conf.d support
Allow Swift daemons and servers to optionally accept a directory as the
configuration parameter. This allows different parts of the config file
to be managed separately, eg each middleware could use a separate file
for its particular config settings.
* Allow two TempURL keys per account
By adding a second key, a user can safely rotate keys and prevent URLs
already in use from becoming invalid. TempURL middlware has also been
updated to allow a configuable set of allowed methods and to prevent a
bugrelated to content-disposition names.
* Added crossdomain.xml middleware. See
http://docs.openstack.org/developer/swift/crossdomain.html for details
* Added rsync bandwidth limit setting for object replicator
* Transaction ID updated to include the time and an optional suffix
* Added x-remove-versions-location header to disable versioned writes
* Improvements to support for Keystone ACLs
* Added parallelism to object expirer daemon
* Added support for ring hash prefix in addition to the existing suffix
* Allow all headers requested for CORS
* Stop getting useless bytes on manifest Range requests
* Improved container-sync resiliency
* Added example Apache config files. See
http://docs.openstack.org/developer/swift/apache_deployment_guide.html
for more info
* If an account is marked as deleted but hasn't been reaped and is still
on disk, responses will include an "X-Account-Status" header
* Fix 503 on account/container HEAD with invalid format
* Added extra safety on account-level DELETE when using bulk deletes
* Made colons quote-safe in logs (mainly for IPv6)
* Fixed bug with bulk delete max items
* Fixed static large object manifest range requests
* Prevent static large objects from containing other static large objects
* Fixed issue with use of delimiter in container queries where some
objects would not be listed
* Various other minor bug fixes and improvements
swift (1.8.0, OpenStack Grizzly)
* Make rings' replica count adjustable
* Added a region tier to the ring above zones
* Added timing-based sorting of object servers on read requests
* Added support for auto-extract archive uploads
* Added support for bulk delete requests
* Added support for large objects with static manifests
* Added list_endpoints middleware to provide an API for determining where
the ring places data
* proxy-logging middleware can now handle logging for other middleware
proxy-logging should be used twice in the proxy pipeline. The first
handles middleware logs for requests that never made it all the way
to the server. The last handles requests that do make it to the server.
This is a change that may require an update to your proxy server
config file or custom middleware that you may be using. See the full
docs at http://docs.openstack.org/developer/swift/misc.html#module-swift.common.middleware.proxy_logging.
* Changed the default sample rate for a few high-traffic requests.
Added log_statsd_sample_rate_factor to globally tune the StatsD
sample rate. This tunable can be used to reduce StatsD traffic
proportionally for all metrics and is intended to replace
log_statsd_default_sample_rate, which is left alone for
backward-compatibility, should anyone be using it.
* Added swift_hash_path_prefix option to swift.conf
New deployments are advised to set this value to a random secret
to protect against hash collisions
* Added user-managed container quotas
* Added support for account-level quotas managed by an auth reseller
* Added --run-dir option to swift-init
* Added more options to swift-bench
* Added support for CORS "actual requests"
* Added fallocate_reserve option to protect against full drives
* Allow ring rebalance to take a seed
* Ring serialization will now produce the same gzip file (Py2.7)
* Added support to swift-drive-audit for handling rotated logs
* Added first-byte latency timings for GET requests
* Added per disk PUT timing monitoring support
* Added speed limit options for DB auditor
* Force log entries to be one line
* Ensure that fsync is used and not just fdatasync
* Improved handoff node selection
* Deprecated keystone is_admin feature
* Fix large objects with unicode in the segment names
* Update Swift's MemcacheRing to provide API compatibility with
standard Python memcache libraries
* Various other minor bug fixes and improvements
swift (1.7.6)
* Better tempauth storage URL guessing
* Added --top option to swift-recon -d
* Allow optional, temporary healthcheck failure
* keystoneauth middleware now supports cross-tenant ACLs
* Add dispersion report flags to limit reports
* Add config option to turn eventlet debug on/off
* Added override option for swift-init's KILL_WAIT
* Added oldest and most recent replication pass to swift-recon
* Fixed 500 error response when GETing a many-segment manifest
* Memcached keys now use a delta timeout when possible
* Refactor DiskFile to hide temp file names and exts
* Remove IP-based container-sync ACLs from auth middlewares
* Fixed bug in deleting memcached account info data
* Fixed lazy-listing of object manifest segments
* Fixed bug where a ? in the object name caused an error
* Swift now returns 406 if it can't satisfy Accept
* Fix infinite recursion bug in object replicator
* Swift will now reject names with NULL characters
* Fixed object-auditor logging to use a minimum of unix sockets
* Various other minor bug fixes and improvements
swift (1.7.5)
* Support OPTIONS verb, including CORS preflight requests
* Added support for custom log handlers
* Range support is extended to support GET requests with multiple ranges.
Multi-range GETs are not yet supported against large-object manifests.
* Cluster constraints are now settable by config
* Replicators can now run against specific devices or partitions
* swift-bench now supports running on multiple cores and multiple servers
* Added partition option to swift-get-nodes
* Allow underscores in account and user in tempauth via base64 encodings
* New option to the dispersion report to output the missing partitions
* Changed storage server StatsD metrics to report timings instead of
counts for errors. See the admin guide for the updated metric names.
* Removed a dependency on WebOb and replaced it with an internal module
* Fixed config parsing in swift-bench -x
* Fixed sample_rate in StatsD logging
* Track unlinks of async_pendings with StatsD
* Remove double GET on range requests
* Allow unsetting of X-Container-Sync-To and ACL headers
* DB reclamation now removes empty suffix directories
* Fix non-standard 100-continue behavior
* Allow object-expirer to delete the last copy of a versioned object
* Only set TCP_KEEPIDLE on systems where it is supported
* Fix stdin flush and fdatasync issues on BSD platforms
* Allow object-expirer to delete the last version of an object
* Various other minor bug fixes and improvements
swift (1.7.4, OpenStack Folsom)
* Fix issue where early client disconnects may have caused a memory leak
swift (1.7.2)
* Fix issue where memcache serialization was not properly loading
the config value
swift (1.7.0)
* Use custom encoding for ring data instead of pickle
Serialize RingData in a versioned, custom format which is a combination
of a JSON-encoded header and .tostring() dumps of the
replica2part2dev_id arrays. This format deserializes hundreds of times
faster than rings serialized with Python 2.7's pickle (a significant
performance regression for ring loading between Python 2.6 and Python
2.7). Fixes bug 1031954.
The new implementation is backward-compatible; if a ring
does not begin with a new-style magic string, it is assumed to be an
old-style pickle-dumped ring and is handled as before. So new Swift
code can read old rings, but old Swift code will not be able to read
newly-serialized rings.
* Do not use pickle for serialization in memcache, but JSON
To avoid issues on upgrades (unability to read pickled values, and cache
poisoning for old servers not understanding JSON), we add a
memcache_serialization_support configuration option, with the following
values:
0 = older, insecure pickle serialization
1 = json serialization but pickles can still be read (still insecure)
2 = json serialization only (secure and the default)
To avoid an instant full cache flush, existing installations should
upgrade with 0, then set to 1 and reload, then after some time (24
hours) set to 2 and reload. Support for 0 and 1 will be removed in
future versions.
* Update proxy-server StatsD logging. This is a significant change to the
existing StatsD intigration. Docs for this feature can be found in
doc/source/admin_guide.rst.
* Improved swift-bench to allow random object sizes and better usability
* Updated probe tests
* Replicator removal metrics are now generated on a per-device basis
* Made object replicator locking more optimistic
* Split proxy-server code into separate modules
* Fixed bug where swift-recon would not report all unmounted drives
* Fixed issue where a LockTimeout may have caused a file descriptor to
not be closed properly
* Fixed a bug where an error may have caused the proxy to stop returning
data to a client
* Fixed bug where expirer would get confused by odd deletion times
* Fixed a bug where auto-creating accounts would return an error if they
were recreated after being deleted
* Fix when rate_limit_after_segment kicks in
* fallocate() failures properly return HTTPInsufficientStorage from
object-server before reading from wsgi.input, allowing the proxy
server to quickly error_limit that node
* Fixed error with large object manifests and x-newest headers on GET
* Various other minor bug fixes and improvements
swift (1.6.0)
* Removed bin/swift and swift/common/client.py from the swift repo. These
tools are now managed in the python-swiftclient project. The
python-swiftclient project is a second deliverable of the openstack
swift project.
* Moved swift_auth (openstack keystone) middleware from keystone project
into swift project
* Made dispersion report work with any replica count other than 3. This
substantially affects the JSON output of the dispersion report, and any
tools written to consume this output will need to be updated.
* Added Solaris (Illumos) compatibility
* Added -a option to swift-get-nodes to show all handoffs
* Add UDP protocol support for logger
* Added config options for rate limiting of large object downloads.
* Added config option `log_handoffs` (defaults to True) to proxy server
to log and update statsd with information about when a handoff node is
used. This is helpful to track the health of the cluster.
* swift-bench can now use auth 2.0
* Support forbidding substrings based on a regexp in name_filter
middleware
* Hardened internal server processes so only authorized methods can be
called.
* Made ranged requests on large objects work correctly when size of
manifest file is not 0 byte
* Added option to dispersion report to print 404s to stdout
* Fix object replication on older rsync versions when using ipv4
* Fixed bug with container reclaim/report race
* Make object server's caching more configurable.
* Check disk failure before syncing for each partition
* Allow special characters to be referenced by manifest objects
* Validate devices and partitions to avoid directory traversals
* Support WebOb 1.2
* Ensure that accessing the ring devs reloads the ring if necessary.
Specifically, this allows replication to work when it has been started
with an empty ring.
* Various other minor bug fixes and improvements
swift (1.5.0)
* New option to toggle SQLite database preallocation with account
and container servers.
IMPORTANT:
The default for database preallocation is now off when before
it was always on. This will affect performance on clusters that
use standard drives with shared account, container, object
servers. Such deployments will need to update their
configurations to turn database preallocation back on (see
account-server.conf-sample and container-server.conf.sample
files).
If you are using dedicated account and container servers with
SSDs, you should defragment your file systems after upgrade and
should notice dramatically less disk usage.
* swift3 middleware removed and moved to http://github.com/fujita/swift3.
This will require a config change in the proxy server and adds a new
dependency for deployers using this middleware.
* Moved proxy server logging to middleware. This requires a config change
in the proxy server.
* Added object versioning feature. (See docs for full description)
* Add statsd logging throughout the system (beta, some event names may
change)
* Expanded swift-recon middleware support
* The ring builder now supports as-unique-as-possible partition
placement, unified balancing methods, and can work on more than one
device at a time.
* Numerous bug fixes to StaticWeb (previously unusable at scale).
* Bug fixes to all middleware to allow passthrough requests under various
conditions and to share pre-authed request code (which previously had
differing behaviors and interaction bugs).
* Bug fix to object expirer that could cause infinite looping.
* Added optional delay to account reaping.
* Async-pending write optimization.
* Dispersion tools now support multiple auth versions
* Updated man pages
* Proxy server can now deny requests to particular hostnames
* Updated docs for domain remap middleware
* Updated docs for cname lookup middleware
* Made swift CLI binary easier to wrap
* Proxy will now also return X-Timestamp header
* Added associated projects doc as a place to track ecosystem projects
* end_marker made consistent across both object and container listings
* Various other minor bug fixes and improvements
swift (1.4.8, OpenStack Essex)
* Added optional max_containers_per_account restriction
* Added alternate metadata header removal method
* Added optional name_check middleware filter
* Added support for venv-based test runs with tox
* StaticWeb behavior change with X-Web-Mode: true and
non-StaticWeb-enabled containers (immediately 404s instead of passing
the request on down the WSGI pipeline).
* Fixed typo in swift-dispersion-report JSON output.
* Swift-Recon-related fix to create temporary files on the same disk as
their final destinations.
* Updated return codes in swift3 middleware
* Fixed swift3 middleware to allow Content-Range header in response
* Updated swift.common.client and swift CLI tool with auth 2.0 changes
* Swift CLI tool now supports common openstack auth args
* Body of HTTP responses now included in error messages of swift CLI tool
* Refactored some ring building functions for clarity and simplicity
swift (1.4.7)
* Improvements to account and container replication.
* Fix for account servers allowing .pending to exist before .db.
* Fixed possible key-guessing exploit in formpost.
* Fixed bug in ring builder when removing a large percentage of devices.
* Swift CLI tool now supports openstack-standard CLI flags.
* New JSON output option for swift-dispersion-report.
* Removed old stats tools.
* Other bug fixes and documentation updates.
swift (1.4.6)
* TempURL and FormPost middleware added
* Added memcache.conf option
* Dropped eval-based json parser fallback
* Properly lose all groups when dropping privileges
* Fix permissions when creating files
* Fixed bug regarding negative Content-Length in requests
* Consistent formatting on Last-Modified response header
* Added timeout option to swift-recon
* Allow arguments to be passed to nosetest
* Removed tools/rfc.sh
* Other minor bug fixes
swift (1.4.5)
* New swift-orphans and swift-oldies command line tools to detect
orphaned Swift processes and long running processes.
* Command line tool "swift" now supports marker queries.
* StaticWeb middleware improved to save an extra request when
possible.
* Updated swift-init to support swift-object-expirer.
* Fixed object replicator timeout handling [bug 814263].
* Fixed accept header 503 vs. 400 [bug 891247].
* More exception handling for auditors.
* Doc updates for PPA [bug 905608].
* Doc updates to explain replication more clearly [bug 906976].
* Updated SAIO instructions to no longer mention ~/swift/trunk.
* Fixed docstrings in the ring code.
* PEP8 Updates.
swift (1.4.4)
* Fixes to prevent socket hoarding (memory leak)
* Add sockstat info to recon.
* Fixed leak from SegmentedIterable.
* Fixed bufferedhttp to deref socks and fps.
* Add support for OS Auth API version 2.
* Make Eventlet's WSGI server log differently.
* Updated TimeoutError and except Exception refs.
* Fixed time-sensitive tests.
* Fixed object manifest etags.
* Fixes for swift-recon disk usage distribution graph.
* Adding new manpages for configuration files.
* Change bzr to swift in getting_started doc.
* Fixes the HTTPConflict import.
* Expiring Objects Support.
* Fixing bug with x-trans-id.
* Requote the source when doing a COPY.
* Add documentation for Swift Recon.
* Make drive audit regexes detect 4-letter drives.
* Adding what acc/cont/obj into the ratelimit error messages.
* Query only specific zone via swift-recon.
swift (1.4.3, OpenStack Diablo)
* Additional quarantine catching code.
* Added client_ip to all proxy log lines not otherwise containing it.
* Content-Type is now application/xml for "GET services/bucket" swift3
middleware requests.
* Alpha release of the Swift Recon Experiment
* Fix last modified date for swift3 middleware.
* Fix to clear account/container metadata on account/container deletion.
* Fix for corner case regarding X-Newest.
* Fix for object auditor running out of file descriptors.
* Fix to return all proper headers for manifest objects.
* Fix to the swift tool to strip any leading slashes on file names when
uploading.
swift (1.4.2)
* Removed stats/logging code from Swift [now in separate slogging project].
* Container Synchronization Feature - First Edition
* Fix swift3 authentication bug about the Date and X-Amz-Date handling.
* Changing ratelimiting so that it only limits PUTs/DELETEs.
* Object POSTs are implemented as COPYs now by default (you can revert to
previous implementation with conf object_post_as_copy = false)
* You can specify X-Newest: true on GETs and HEADs to indicate you want
Swift to query all backend copies and return the newest version
retrieved.
* Object COPY requests now always copy the newest object they can find.
* Account and container GETs and HEADs now shuffle the nodes they use to
balance load.
* Fixed the infinite charset: utf-8 bug
* This fixes the bug that drop_buffer_cache() doesn't work on systems where
off_t isn't 64 bits.
swift (1.4.1)
* st renamed to swift
* swauth was separated froms swift. It is now its own project and can be
found at https://github.com/gholt/swauth.
* tempauth middleware added as an extremely limited auth system for dev
work.
* Account and container listings now properly labeled UTF-8 (previously the
label was "utf8").
* Accounts are auto-created if an auth token is valid when the
account_autocreate proxy config parameter is set to true.
swift (1.4.0)
* swift-bench now cleans up containers it creates.
* WSGI servers now load WSGI filters and applications after forking for
better plugin support.
* swauth-cleanup-tokens now handles 404s on token containers and tokens
better.
* Proxy logs the remote IP address as the client IP in the absence of
X-Forwarded-For and X-Cluster-Client-IP headers instead of - like it did
before.
* Swift3 WSGI middleware added support for param-signed URLs.
* swauth- scripts now exit with proper exit codes.
* Fixed a bug where allowed_headers weren't honored for HEAD requests.
* Double quarantining of corrupted sqlite3 databases now works.
* Fix for Object replicator breaking when running object replicator with no
objects on the server.
* Added the Accept-Ranges header to GET and HEAD requests.
* When a single object has multiple async pending updates on a single
device, only latest async pending is now sent.
* Fixed issue of Swift3 WSGI middleware not working correctly with '/' in
object names.
* Renamed swift-stats-* to swift-dispersion-* to avoid confusion with log
stats stuff.
* Added X-Trans-Id transaction id header to every response.
* Fixed a Python 2.7 compatibility problem.
* Now using bracketed notation for ip literals in rsync calls, so
compressed ipv6 literals work.
* Added a container stats collector and refactoring some of the stats code.
* Changed subdir nodes in XML formatted object listings to align with
object nodes. Now: <subdir name="foo"><name>foo</name></subdir> Before:
<subdir name="foo" />.
* Fixed bug in Swauth to support for multiple swauth instances.
* swift-ring-builder: Added list_parts command which shows common
partitions for a given list of devices.
* Object auditor now shows better statistics updates in the logs.
* Stats uploaders now allow overrides for source_filename_pattern and
new_log_cutoff values.
---
Changelog entries for previous versions are incomplete
swift (1.3.0, OpenStack Cactus)
swift (1.2.0, OpenStack Bexar)
swift (1.1.0, OpenStack Austin)
swift (1.0.0, Initial Release)