Appliance Release v0.38

This page contains the release notes for the v0.38 Anapaya appliance software release. The appliance software release is applicable for the following Anapaya products:

  • Anapaya CORE

  • Anapaya EDGE

  • Anapaya GATE

We recommend always upgrading to the latest available patch release. Please refer to Upgrade Notes (if any) of each release if there are any special steps to be taken when upgrading. For general information on how to upgrade your appliance, please refer to Appliance Update Guide.

Upgrade Notes

Warning

In release v0.37.0 and newer, the IP-in-SCION tunneling always needs access to AS certificates of configured local ISD-ASes. For EDGEs this is naturally given, but for a GATE this might previously not have been set up. If you are upgrading a GATE to v0.37.0 or newer, please make sure to provision the GATE instance with the necessary control plane crypto material (AS certificate and TRC).

See Certificate/TRC Provisioning for more information on how to configure the TRC and AS certificate. To get an AS certificate it’s easiest to request it via a sibling appliance.

A new alert GatewayASCertificateExpiresSoon has been added to indicate if the AS certificate expires soon.

v0.38.0 (2024-11-28)

Breaking

The appliance now enables SCION RSS by default on all SCION interfaces and the IP-in-SCION tunneling endpoint. If an interface connects to another appliance that has an Anapaya version prior to v0.34 or a non Anapaya version that does not support SCION RSS (e.g. the opensource router), SCION RSS must be disabled explicitly.

Features

License management system

In future releases the Anapaya appliance will require a license to operate. A license can enable/disable certain features depending on the license tier. This release already brings all the necessary APIs to manage licenses on the appliance. However the license enforcement is not yet active, this means even if a license is not present or the license is expired the appliance will continue to operate as before.

We recommend to already get familiar with the license management APIs and already install a license on your appliance, to be ready for the future releases, where the license enforcement will be activated.

See Software License for the full documentation.

Customizable service configuration

The appliance configuration now contains a new section to customize the service configuration. This allows operators to provide a custom configuration template for a service.

An example use case is to provide a custom BGP configuration for FRR for advanced configuration options that are not exposed by the appliance configuration natively.

To check how a rendered configuration would look like, without actually installing the template use the new endpoint: POST /config/advanced/service-customization/{service_type}/template/execute

To install the template, put the custom template in the advanced.service_customizations.template field, for the given service type.

Note

This is an advanced feature and should be used with caution. If you use this please also inform the Anapaya customer service about it, so that we can consider adding proper support for your use case.

Improvements

Improved flow exporting

The GATE flow reporting can now handle over 20000 new flows per second. Previously this was limited to less than 100. This was achieved by changing the mechanism used to expose the flows from the dataplane to the gateway process to IPFIX. This change means that a number of metrics and configuration options are now deprecated.

The following options are now deprecated and no longer used:

  • management.telemetry.flow_metrics.cleanup_task_interval

  • management.telemetry.flow_metrics.export_task_interval

  • management.telemetry.flow_metrics.max_active_flows

The following configuration value is currently not used, but might be in the future:

  • management.telemetry.flow_metrics.flow_expiration_interval

The following metrics are now deprecated and no longer reported:

  • gateway_flow_exporter_flows_limit

  • gateway_flow_exporter_flows_total

  • gateway_flow_exporter_flows_exported

  • gateway_flow_exporter_last_cleanup_time

  • gateway_flow_exporter_lost

  • gateway_flow_exporter_export_run_time

The following new metrics have been added:

  • gateway_flow_exporter_last_import_time

  • gateway_flow_exporter_records_imported

  • gateway_flow_exporter_records_exported

  • gateway_flow_exporter_export_errors

  • scion_ipfix_active_flows_total

No special action is required to enable this new feature.

Appliance-CLI

  • The appliance CLI info command focuses on the important information for an operator. If the health status of the appliance is not passing, the info command now states how to check the health data of the appliance for more information. We have also added two sub-commands to display detailed information about software versions (appliance-cli info software) and license information (appliance-cli info license).

  • The appliance-cli sub-commands get, post, put, and delete now have a --fail flag that makes the command exit with exit code 22 if the HTTP status code of the repsonse is greater or equal to 400.

  • The default cost of the bcrypt algorithm in appliance-cli crypto kdf has been increased from 10 to 12. We recommend that you re-create the hashes according to your threat model.

  • The interfaces in the appliance-cli info and appliance-cli info scion command are now sorted.

  • Rename the --timeout flag to --duration in the appliance-cli debug notifications disable to avoid undesired shadowing. Previously, the --timeout flag was shadowed by the global flag for setting HTTP timeouts. As a result, the notifications were always disabled with the default timeout.

  • The applance-cli can now correctly set the log level for the appliance-controller and appliance-installer services. This also requires a appliance-installer v1.3.3 which will be part of the upcoming v2.14.X system-package.

  • The appliance-cli will no longer panic if it is executed in a directory that is not accessible to the user.

Varia

  • The VRRP validation now ensures that the VIP addresses are part of a subnet in the configured interface.

  • The /management/api/listeners section is now required. Previously, the user had the risk of locking themselves out from the API when misconfiguring with an empty management section.

  • If any of IP-in-SCION tunneling input filter checks fail, the packet is dropped. Each drop is accounted for in the metrics gateway_ippkt_bytes_received_filtered_total and gateway_ippkt_received_filtered_total with the label reason set to the reason for the drop.

  • Values for reason label of gateway_ippkts_discarded_total metric are refactored. The new values are:

    • no_route - packet cannot be routed to any routing chain

    • no_traffic_matcher - packet satisfies no defined traffic matcher

    • no_session - there’s no alive session to send the packet to

Deprecations

  • For basic authentication passwords, we will require a minimum bcrypt cost of 8 in a future release. We recommend that you update your passwords hashes already to prepare for this future change and ensure a smooth transition. Choose the cost value according to your threat model, however, we recommend to go at least with a value of 12.

    To generate a new password hash with the recommened cost, you can use the appliance-cli of this release:

    appliance-cli crypto kdf hash
    

    Put the new hashes into the configuration under the management.api.basic_auth.users section.

Change categories

In the following we list the different change categories that are used in the release notes.

  • Features: Describes new features that have been added. Example: The appliance API can now be protected with OIDC/OAuth2.

  • Improvements: Describes improvements to existing features. Example: The routing table implementation is now 30% faster.

  • Fixes: Describes bug fixes, i.e. previously broken behavior that is now fixed. Example: The appliance no longer crashes when adding a new route.