Appliance Release v0.37

This page contains the release notes for the v0.37 Anapaya appliance software release. The appliance software release is applicable for the following Anapaya products:

  • Anapaya CORE

  • Anapaya EDGE

  • Anapaya GATE

We recommend always upgrading to the latest available patch release. Please refer to Upgrade Notes (if any) of each release if there are any special steps to be taken when upgrading. For general information on how to upgrade your appliance, please refer to Appliance Update Guide.

Upgrade Notes

Warning

In release v0.37.0, new configuration validation checks regarding VPP buffer allocations were added. In case your configuration is not compliant with the new validation checks, the appliance controller will start but wait for the configuration to be fixed.

To ensure that your configuration is compliant, check the appliance controller logs after the upgrade:

journalctl -u appliance-controller.service -e

Verify that the logs do not contain any log events with the following message:

"validating latest configuration","cause":{"msg":"invalid configuration"...

Such a log message also contains a detailed description of the validation error, pointing out what needs to be fixed in the configuration.

Warning

Release v0.34.0 and newer require Ubuntu 22.04 as the system and at least the anapaya-system package with version 2.8.0. Please refer to Upgrade Notes for more information.

v0.37.1 (2024-09-11)

Fixes

  • Make sure the frr-exporter exports metrics again if BFD is not configured.

  • The ca-frontend no longer uses 100% CPU.

  • Fix an issue where the IP-in-SCION tunneling component would not read all the locally available IP prefixes.

Improvements

  • The ISD-AS number in the Distinguished Name of the CPPKI certificates is now shown in the output of scion-pki certificate inspect.

v0.37.0 (2024-09-06)

Features

Azure support

This release adds support for the netsvc network driver, which is driver used on Microsoft Azure VMs. Therefore you can now use the appliance on Azure VMs.

Please refer to Anapaya EDGE on Microsoft Azure for more information.

Improvements

Improved IP-in-SCION tunneling path selection algorithm

The internal path and remote endpoint selection algorithm for IP-in-SCION tunneling has been reworked significantly. The new algorithm reduces the traffic caused by the monitoring system and with this also reduces the CPU usage.

The new monitoring will also detect internal network disconnects in the destination ISD-AS and route around them if possible.

With the new monitoring there are also new metrics available and shown in the IP-in-SCION related dashboards. In the dashboards there are now specific panels that are only relevant for releases with version v0.37.0 and newer.

The new metrics are the following:

  • gateway_domain_traffic_redirections_total: indicates the number of traffic redirections per domain and traffic matcher. This metric is shown in the “Traffic redirections” graph on the IP-in-SCION tunneling dashboard. A traffic redirection means that traffic will be routed via a different path or to a different remote endpoint.

  • gateway_domain_paths_total: indicates the number of paths per domain and traffic matcher. This metric is shown in the different “Paths” graphs on the IP-in-SCION tunneling dashboard under the “Domain monitoring >= v0.37” section.

  • gateway_domain_traffic_matcher_sessions_total: indicates the number of sessions per domain and traffic matcher. This is used for alerting. If no session is available for a traffic matcher an alert is triggered as this means potential traffic loss. There is a new alert TunnelingDomainNoAlivePaths that uses this metric.

Various other improvements

  • The appliance API OAuth integration now supports role aliases. Role aliases can be used to map the role name in the OAuth token to a role name in the appliance API. This is useful for mapping different role names from different identity providers to the same role in the appliance. If no aliases are configured for a role the default aliases are appliance.<role>, appliance/<role>, and appliance:<role>. The appliance API currently only supports the reader and writer roles.

  • Add the SCION link type label to the router_interface_up metric.

  • Updating the MAC of an interface with VLAN sub-interfaces does not cause a recreation of the sub-interfaces anymore.

  • The appliance-controller and debugscraper systemd services now have a CPU quota set to 100% to ensure that they do not consume more than one CPU.

  • The appliance now validates that the number of buffers allocated by VPP is sufficiently high in relation to the number of VPP worker threads and the number of VPP interfaces. This validation is performed whether or not the number of buffers is explicitly configured.

  • Add SSH information to the appliance-cli info auth command.

  • Add validations to the appliance which ensure that VFs cannot be created on interfaces with ena, virtio-pci or vmxnet3 drivers.

  • ISD-AS numbers in non-canonical form (e.g. with capital letters) are now rejected by the appliance. Given configurations with such numbers did also previously not work correctly, no migration is done.

  • The appliance takes the installed system version into account when calculating the etag during configuration fetches and updates.

  • The appliance API now does not report an error if the same TRC is pushed multiple times as long as the contents are identical. This is particularly useful if a TRC bundle is pushed multiple times.

  • The appliance API returns the installed system package version as part of the metadata when querying the GET /config endpoint.

  • The appliance now forces the user to explicitly configure the management API without authentication with the /management/api/unprotected field. Configurations that do not have this field set to true and have no API authentication enabled are considered invalid. For appliances that migrate from previous releases, the unprotected flag is automatically set in migration if no authentication is enabled.

  • The number of buffers allocated by VPP can now be explicitly configured in the appliance configuration.

    {
    "system": {
        "vpp": {
            "num_buffer": 32400
        }
    }
}

    The appliance validates that the memory allocated for VPP buffers fits into the configured hugepages memory.