Yoga Series Release Notes
Fixed a security issue in how s3api handles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information.
Constant-time string comparisons are now used when checking S3 API signatures.
Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some domain_remap requests to be routed to the wrong object.
Improved compatibility with certain FIPS-mode-enabled systems.
This is the final stable branch that will support Python 2.7.
Fixed s3v4 signature calculation when the client sends an un-encoded path in the request.
Fixed multiple issues in s3api involving Multipart Uploads with non-ASCII names.
The object-updater now defers rate-limited updates to the end of its cycle; these deferred updates will be processed (at the limited rate) until the configured interval elapses. A new max_deferred_updates option may be used to bound the deferral queue.
Empty account and container partition directories are now cleaned up immediately after replication, rather than needing to wait for an additional replication cycle.
The object-expirer now only cleans up empty containers. Previously, it would attempt to delete all processed containers, regardless of whether there were entries which were skipped or had errors.
The item_size_warning_threshold option may be used to monitor for values that are approaching the limit of what can be stored in memcache. See the memcache sample config for more information.
Internal clients now correctly use their configured User-Agent in backend requests, rather than only using it for logging.
Various other minor bug fixes and improvements.
S3 API improvements
CORS preflights are now allowed for pre-signed URLs.
The storage_domain option now accepts a comma-separated list of storage domains. This allows multiple storage domains to be configured for use with virtual-host style addressing.
Reduced the overhead of retrieving bucket and object ACLs.
Replication, reconstruction, and diskfile improvements
The reconstructor now uses the replication network to fetch fragments for reconstruction.
Added the ability to limit how many objects per handoff partition will be reverted in a reconstructor cycle using the new max_objects_per_revert option. This may be useful to reduce ssync timeouts and lock contention, ensuring that progress is made during rebalances.
Object updater improvements
Added the ability to ratelimit updates (approximately) per-container using the new max_objects_per_container_per_second option. This may be used to limit requests to already-overloaded containers while still making progress on updates to other containers.
Added timing stats by response code.
Updates are now sent over the replication network.
Added the ability to configure a chance to skip checking memcache when querying shard ranges. This allows some fraction of traffic to go to disk and refresh memcache before the key ages out. Recommended values for the new container_listing_shard_ranges_skip_cache_pct options are in the range of 0.0 to 0.1.
Added stats for shard range cache hits, misses, and skips.
Added object-reconstructor stats to recon.
Added a new swift.common.registry module. This includes helper functions register_sensitive_param which third party middleware authors may use to flag headers and query parameters for redaction when logging. For more information, see the documentation.
Added the ability to configure project-scope read-only roles for keystoneauth using the new
The cname_lookup middleware now works with dnspython 2.0 and later.
The internal clients used by the container-reconciler, container-sharder, container-sync, and object-expirer daemons now use a more-descriptive <daemon>-ic log name, rather than swift. If you previously configured the internal-client.conf, you must now use the set log_name = <value> syntax to configure it, even if no value is set in the [DEFAULT] section. This may be done prior to upgrading.
Removed translations from most logging.
The StatsdClient.set_prefix method is now deprecated and may be removed in a future release; by extension, so is the LogAdapter.set_statsd_prefix method. Middleware developers should use the
S3 API fixes
Fixed the types of configured values in
Fixed a server error when trying to copy objects with non-ASCII names.
Fixed a server error when uploading objects with very long names. A KeyTooLongError is now returned.
Fixed an error when multi-deleting MPUs when SLO async-deletes are enabled.
Fixed an error that allowed list-uploads and list-parts requests to return incomplete or out-of-order results.
Fixed several bugs when dealing with non-ASCII object names and multipart uploads.
Replication, reconstruction, and diskfile fixes
Ensure that non-durable data and .meta files are purged from handoffs after syncing.
Fixed tracebacks when there’s a race to mark a file durable or delete it.
Improved cooperative multitasking during ssync.
Upon detecting a ring change, the reconstructor now only aborts the jobs for that ring and continues processing jobs for other rings.
Fixed a traceback when logging about a lock timeout in the replicator.
Fixed a security issue where tempurl and s3api signatures were logged in full. This allowed an attacker with access to log data to perform replay attacks, potentially accessing or overwriting cluster data. Now, such signatures are redacted in a manner similar to auth tokens; see the
See CVE-2017-8761 for more information.
Fixed a race condition where swift would attempt to quarantine recently-deleted object updates.
Improved handling of timeouts and other errors when obtaining a connection to memcached.
The swift-recon tool now queries each object-server IP only once when reporting disk usage. Previously, each port in the ring would be queried; when using servers-per-port, this could dramatically overstate the disk capacity in the cluster.
Fixed a bug that allowed some statsd metrics to be annotated with the wrong backend layer.
Fixed a traceback in the account-server when there’s no account database on disk to receive a container update. The account-server now correctly 404s.
The container-updater will quarantine container databases if all replicas for the account respond 404.
Fixed a proxy-server error when the read-only middleware tried to handle non-Swift paths (such as may be used by third-party middleware).
Some client behaviors that the proxy previously logged at warning have been lowered to info.
Various other minor bug fixes and improvements.
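
An added example (not Swift's own code) of the log redaction described in the CVE-2017-8761 note above, and of the kind of parameter flagging that register_sensitive_param offers to middleware authors: signatures in query strings and S3 Authorization headers are cut to a short prefix before a line is logged. The SENSITIVE_PARAMS set, register_param, the other function names and the 16-character prefix are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Signature-bearing query parameters for tempurl and S3 pre-signed URLs (v2, v4).
# This set and register_param() are this example's own, not Swift's registry.
SENSITIVE_PARAMS = {"temp_url_sig", "signature", "x-amz-signature"}
# S3 Authorization header: v4 "... Signature=<hex>" or v2 "AWS <access>:<sig>".
_AUTH_SIG = re.compile(r"(Signature=|^AWS \S+:)(\S+)")


def register_param(name):
    """Flag one more query parameter for redaction (hypothetical helper)."""
    SENSITIVE_PARAMS.add(name.lower())


def redact(value, reveal=16):
    """Keep a short prefix so log lines can be correlated; drop the rest."""
    return value[:reveal] + "..."


def redact_query(query, reveal=16):
    """Redact flagged parameters in a raw query string without re-encoding it."""
    out = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and unquote(name).lower() in SENSITIVE_PARAMS:
            value = redact(value, reveal)
        out.append(name + sep + value)
    return "&".join(out)


def redact_authorization(header, reveal=16):
    """Redact the signature part of an S3 v2 or v4 Authorization header."""
    return _AUTH_SIG.sub(lambda m: m.group(1) + redact(m.group(2), reveal), header)


def access_log_line(method, path, query, authorization=None):
    """Build a log line that never contains a complete signature."""
    line = "%s %s?%s" % (method, path, redact_query(query))
    if authorization:
        line += " auth=%r" % redact_authorization(authorization)
    return line


if __name__ == "__main__":
    # Constructed sample request; the signature value is made up.
    sig = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    print(access_log_line("GET", "/v1/AUTH_test/c/o",
                          "temp_url_sig=%s&temp_url_expires=1700000000" % sig))
```

Any existing log archives written before such redaction was in place still hold full signatures, so access to them should be treated as access to replayable credentials until those signatures expire.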