Yoga Series Release Notes


Security Issues

  • Fixed a security issue in how s3api handles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information.

  • Constant-time string comparisons are now used when checking S3 API signatures.

Bug Fixes

  • Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some domain_remap requests to be routed to the wrong object.

  • Improved compatibility with certain FIPS-mode-enabled systems.


Deprecation Notes

  • This is the final stable branch that will support Python 2.7.

Bug Fixes

  • Fixed s3v4 signature calculation when the client sends an un-encoded path in the request.

  • Fixed multiple issues in s3api involving Multipart Uploads with non-ASCII names.

  • The object-updater now defers rate-limited updates to the end of its cycle; these deferred updates will be processed (at the limited rate) until the configured interval elapses. A new max_deferred_updates option may be used to bound the deferral queue.

  • Empty account and container partition directories are now cleaned up immediately after replication, rather than needing to wait for an additional replication cycle.

  • The object-expirer now only cleans up empty containers. Previously, it would attempt to delete all processed containers, regardless of whether there were entries which were skipped or had errors.

  • A new item_size_warning_threshold option may be used to monitor for values that are approaching the limit of what can be stored in memcache. See the memcache sample config for more information.

  • Internal clients now correctly use their configured User-Agent in backend requests, rather than only using it for logging.

  • Various other minor bug fixes and improvements.


New Features

  • S3 API improvements

    • CORS preflights are now allowed for pre-signed URLs.

    • The storage_domain option now accepts a comma-separated list of storage domains. This allows multiple storage domains to configured for use with virtual-host style addressing.

    • Reduced the overhead of retrieving bucket and object ACLs.

  • Replication, reconstruction, and diskfile improvements

    • The reconstructor now uses the replication network to fetch fragments for reconstruction.

    • Added the ability to limit how many objects per handoff partition will be reverted in a reconstructor cycle using the new max_objects_per_revert option. This may be useful to reduce ssync timeouts and lock contention, ensuring that progress is made during rebalances.

  • Object updater improvements

    • Added the ability to ratelimit updates (approximately) per-container using the new max_objects_per_container_per_second option. This may be used to limit requests to already-overloaded containers while still making progress on updates to other containers.

    • Added timing stats by response code.

    • Updates are now sent over the replication network.

  • Memcache improvements

    • Added the ability to configure a chance to skip checking memcache when querying shard ranges. This allows some fraction of traffic to go to disk and refresh memcache before the key ages out. Recommended values for the new container_updating_shard_ranges_skip_cache_pct and container_listing_shard_ranges_skip_cache_pct options are in the range of 0.0 to 0.1.

    • Added stats for shard range cache hits, misses, and skips.

  • Added object-reconstructor stats to recon.

  • Added a new swift.common.registry module. This includes helper functions register_sensitive_header and register_sensitive_param which third party middleware authors may use to flag headers and query parameters for redaction when logging. For more information, see the documentation.

  • Added the ability to configure project-scope read-only roles for keystoneauth using the new project_reader_roles option.

  • The cname_lookup middleware now works with dnspython 2.0 and later.

  • The internal clients used by the container-reconciler, container-sharder, container-sync, and object-expirer daemons now use a more-descriptive <daemon>-ic log name, rather than swift. If you previously configured the log_name option in internal-client.conf, you must now use the set log_name = <value> syntax to configure it, even if no value is set in the [DEFAULT] section. This may be done prior to upgrading.

  • Removed translations from most logging.

Deprecation Notes

  • The StatsdClient.set_prefix method is now deprecated and may be removed in a future release; by extension, so is the LogAdapter.set_statsd_prefix method. Middleware developers should use the statsd_tail_prefix argument to get_logger instead.

Bug Fixes

  • S3 API fixes

    • Fixed the types of configured values in /info response.

    • Fixed a server error when trying to copy objects with non-ASCII names.

    • Fixed a server error when uploading objects with very long names. A KeyTooLongError is now returned.

    • Fixed an error when multi-deleting MPUs when SLO async-deletes are enabled.

    • Fixed an error that allowed list-uploads and list-parts requests to return incomplete or out-of-order results.

    • Fixed several bugs when dealing with non-ASCII object names and multipart uploads.

  • Replication, reconstruction, and diskfile fixes

    • Ensure that non-durable data and .meta files are purged from handoffs after syncing.

    • Fixed tracebacks when there’s a race to mark a file durable or delete it.

    • Improved cooperative multitasking during ssync.

    • Upon detecting a ring change, the reconstructor now only aborts the jobs for that ring and continues processing jobs for other rings.

    • Fixed a traceback when logging about a lock timeout in the replicator.

  • Fixed a security issue where tempurl and s3api signatures were logged in full. This allowed an attacker with access to log data to perform replay attacks, potentially accessing or overwriting cluster data. Now, such signatures are redacted in a manner similar to auth tokens; see the reveal_sensitive_prefix option in proxy-server.conf.

    See CVE-2017-8761 for more information.

  • Fixed a race condition where swift would attempt to quarantine recently-deleted object updates.

  • Improved handling of timeouts and other errors when obtaining a connection to memcached.

  • The swift-recon tool now queries each object-server IP only once when reporting disk usage. Previously, each port in the ring would be queried; when using servers-per-port, this could dramatically overstate the disk capacity in the cluster.

  • Fixed a bug that allowed some statsd metrics to be annotated with the wrong backend layer.

  • Fixed a traceback in the account-server when there’s no account database on disk to receive a container update. The account-server now correctly 404s.

  • The container-updater will quarantine container databases if all replicas for the account respond 404.

  • Fixed a proxy-server error when the read-only middleware tried to handle non-Swift paths (such as may be used by third-party middleware).

  • Some client behaviors that the proxy previously logged at warning have been lowered to info.

  • Various other minor bug fixes and improvements.