Appliance Release v0.32

This page contains the release notes for the v0.32 Anapaya appliance software release. The appliance software release is applicable for the following Anapaya products:

  • Anapaya CORE

  • Anapaya EDGE

  • Anapaya GATE

We recommend always upgrading to the latest available patch release. Refer to the Upgrade Notes (if any) of each release for special steps to take when upgrading. For general information on how to upgrade your appliance, please refer to Appliance Software Updates.

Warning

Known issues

  • When an interface with VPP driver has an IPv6 link-local address configured and the interface is down (L1, e.g. there is no physical connection) when the EDGE is booted, the interfaces with VPP driver do not work. The problem is resolved as soon as the physical connection is established (e.g. by plugging in the cable) and the device is rebooted.

  • Devices with Mellanox network cards don’t work correctly with the v0.32.0 release.

  • There is a race condition when setting up SCION interfaces with IPv6 LL addresses. If a SCION interface with an IPv6 LL address doesn’t come up, remove it and re-add it. If that doesn’t make it work, please contact Anapaya support.

  • On releases before v0.32.3 there is a rare bug in the IP-in-SCION tunneling component that can cause the component to hang. Restarting the gateway resolves the hang. To restart, use the restart API (use gateway as the {service_name}). It is recommended to upgrade to v0.32.3.

v0.32.0 (2022-11-30)

Features

OAuth2/OIDC support in Appliance API

The appliance API now supports authentication based on OAuth2/OIDC. Users can authenticate with their existing identity provider (either Azure AD or Auth0) via the appliance web UI or register an application to use the API. Furthermore, each user or application can be granted read-only or read-write permissions. For further details, see the configuration documentation and the setup guide.

Source NAT

It is now possible to set up source NAT on the appliance.

The feature is useful when replies to packets coming out of an IP-in-SCION tunnel are supposed to be routed back to the tunnel while other packets can still be routed in an arbitrary user-defined way.

For further details consult the documentation: Network Address Translation (NAT).

Debug endpoints

The appliance API is extended with various debug endpoints. Those endpoints provide insights during the debugging of a problem with the appliance. Note that those endpoints are experimental and can change in the future. Check the API documentation for more details.

Fixes

  • The appliance no longer automatically migrates old configurations if the previous version was older than v0.30. This is to prevent issues that happened during those upgrades. The Upgrade Notes explain how to properly upgrade from older versions.

  • The router correctly handles an error during the creation of a SCION interface. Previously, it could occasionally fail to create the internal interface properly.

  • The router no longer configures sibling interfaces if no local interfaces are defined. A router with no local links would not be configured on peer routers, and therefore a one-sided BFD session would be created, leading to a confusing state.

  • Address a memory leak in the IPFIX feature.

  • The IP-in-SCION tunneling component no longer fails if there is an ISD-AS configured on the appliance for which no TRC is present.

  • The IP-in-SCION tunneling component correctly tunnels small packets. There was an issue where very small packets were incorrectly encapsulated under some circumstances.

Breaking Changes

  • The /management/telemetry/logging/loki/external_labels is removed from the appliance configuration. Instead there is a new field /management/telemetry/labels that can be used to set labels on metrics and logging at the same time. The appliance will automatically migrate old configurations.

  • The public_key field is removed from the wireguard interfaces section. The field was read-only and was not meant to be set by an appliance operator. To retrieve wireguard keys use the new /network/wireguards API endpoint. For further information, check out the documentation for the API endpoint.

Upgrade Notes

Warning

When upgrading from a release older than v0.30.0 it is recommended to first create the new configuration for the current release and store it on the appliance under /etc/anapaya/appliance/migrations/v0_32/config.json. The file needs to be owned by the scion user and should only have read-write permissions for this user (0600). This will make sure that the appliance is correctly configured when it starts in the new version.
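A pre-upgrade check for the staged file, as an added example that is not Anapaya's own tooling: it verifies that the file exists, is owned by the scion user and has mode 0600. The function name check_migration_config is hypothetical, rejecting symlinks and empty files is an extra precaution beyond what the note requires, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not vendor code. The path, owner (scion) and mode (0600)
# come from the upgrade note; the function name is hypothetical.
#
# Staging the file with the right owner and mode in one step (run as root):
#   install -o scion -m 0600 new-config.json \
#       /etc/anapaya/appliance/migrations/v0_32/config.json

# check_migration_config PATH [OWNER]
# Returns 0 only if PATH is a regular, non-empty file (not a symlink),
# owned by OWNER (default: scion) with mode exactly 600.
check_migration_config() {
    path=$1
    want_owner=${2:-scion}
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2
        return 1
    fi
    if [ ! -s "$path" ]; then
        echo "empty file: $path" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$path") || return 1
    mode=$(stat -c '%a' "$path") || return 1
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner: $path" >&2
        rc=1
    fi
    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600: $path" >&2
        rc=1
    fi
    return $rc
}

# When called with arguments, check the given file; with none, do nothing.
if [ $# -gt 0 ]; then
    check_migration_config "$@"
fi
```

Run it with the staged path as the first argument before starting the upgrade; a non-zero exit status means the owner or mode needs fixing.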

v0.32.1 (2023-01-03)

Fixes

  • The appliance now correctly validates the system/vpp/tun section of the configuration.

  • The dataplane no longer crashes when an interface with traffic on it is removed.

v0.32.2 (2023-01-06)

Fixes

  • Dataplane reconfiguration with NAT enabled no longer fails.

v0.32.3 (2023-02-06)

Fixes

  • Fix renewing of self-signed certificate in the management API, if the listening address is 127.0.0.1.

  • Fix a rare bug that leaves the IP-in-SCION tunneling component in a hanging (non-working) state after an error occurred.

  • Fix crash loop on the router component that happened sometimes after a restart.

v0.32.4 (2023-02-22)

Fixes

  • The gateway dataplane reconfiguration logic was improved to better handle a large number of changes in IP prefixes.

v0.32.5 (2023-04-28)

Improvements

  • The default password of the anapaya user on the appliance API is changed to anapaya.

v0.32.6 (2023-05-04)

Fixes

  • The new default password in v0.32.5 did not work due to an internal issue.