Ziti Versions Save

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti

v1.1.1

3 weeks ago

Release 1.1.1

What's New

  • HA Alpha-3
  • Bug fixes and minor enhancements

HA Alpha 3

This release can be run in HA mode. The code is still alpha, as we're still finding and fixing bugs.

For more information:

New Contributors

Thanks to new contributors

  • @Vrashabh-Sontakke

Component Updates and Bug Fixes

v1.1.0

1 month ago

Release 1.1.0

What's New

  • HA Alpha2
  • Deployments Alpha
    • Linux packages provide systemd services for controller and router. Both depend on existing package openziti which provides the ziti command line tool.
      • openziti-controller provides ziti-controller.service
      • openziti-router provides ziti-router.service
    • Container images for controller and router now share the bootstrapping logic with the packages, so they support the same configuration options.

HA Alpha2

This release can be run in HA mode. The code is still alpha, so there are still some bugs and missing features, however basic functionality work with the exceptions noted. See the HA Documementation for instructions on setting up an HA cluster.

Known Issues

  • JWT Session exchange isn't working with Go SDK clients
    • This means Go clients will need to be restarted once their sessions expire
  • Service/service policy changes might not be reflected in routers
    • Changes to policy may not yet properly sync to the routers, causing unexpected behavior with ER/Ts running in HA mode

More information can be found on the HA Project Board

Component Updates and Bug Fixes

v1.0.0

1 month ago

Release 1.0.0

About 1.0

What does marking OpenZiti as 1.0 mean?

Backwards Compatibility

We've guaranteed API stability for SDK clients for years and worked hard to ensure that routers and controllers would be backwards and forward compatible. However, we have had a variety of management API changes and CLI changes. For post 1.0 releases we expect to make additions to the APIs and CLI, but won't remove anything until it's been first marked as deprecated and then only with a major version bump.

Stability and Scale

Recent releases have seen additional testing using chaos testing techniques. These tests involve setting up relatively large scale environments, knocking out various components and then verifying that the network is able to return to a stable state. These test are run for hours to try and eliminate race conditions and distributed state machine problems.

OpenZiti is also being used as underlying infrastrcture for the zrok public service. Use of this network has grown quickly and proven that it's possible to build ziti native apps that can scale up.

Backward Incompatible Changes to pre-1.0 releases

Administrators no longer have access to dial/bind all services by default. See below for details.

What's New

  • Administrators no longer have access to dial/bind all services by default.
  • TLS Handshakes can now be rate limited in the controller
  • TLS Handshake timeouts can now be set on the controller when using ALPN
  • Bugfixes

DEFAULT Bind/Dial SERVICE PERMISSIONS FOR Admin IDENTITIES HAVE CHANGED

Admin identities were able to Dial and Bind all services regardless of the effective service policies prior to this release. This could lead to a confusing situation where a tunneler that was assuming an Admin identity would put itself into an infinite connect-loop when a service's host.v1 address overlapped with any addresses in its intercept configuration.

Please create service policies to grant Bind or Dial permissions to Admin identities as needed.

TLS Handshake

A TLS handhshake rate limiter can be enabled. This is useful in cases where there's a flood of TLS requests and the controller can't handle them all. It can get into a state where it can't respond to TLS handshakes quickly enough, so the clients time out. They then retry, adding to the the load. The controller ends up wasting time doing work that isn't use.

This uses the same rate limiting as the auth rate limiter.

Additionally the server side handshake timeout can now be configured.

Configuration:

tls: 
  handshakeTimeout: 15s

  rateLimiter:
    # if disabled, no tls handshake rate limiting with be enforced
    enabled: true
    # the smallest window size for tls handshakes
    minSize: 5
    # the largest allowed window size for tls handshakes
    maxSize: 5000
    # after how long to consider a handshake abandoned if neither success nor failure was reported
    timeout: 30s

New metrics:

  • tls_handshake_limiter.in_process - number of TLS handshakes in progress
  • tls_handshake_limiter.window_size - number of TLS handhshakes allowed concurrently
  • tls_handshake_limiter.work_timer - timer tracking how long TLS handshakes are taking

Component Updates and Bug Fixes

v0.34.2

1 month ago

Release 0.34.2

What's New

  • The circuit id is now available in the SDK on the client and hosting side
    • Requires 0.34.2+ routers
    • Requests SDK support. Currently supported in the Go SDK 0.23.11+
  • Bug fixes

Component Updates and Bug Fixes

v0.34.1

1 month ago

Release 0.34.1

What's New

  • Updates version of go to 1.22.x
    • As usual when updating the go version, this is the only change in this release

v0.34.0

1 month ago

Release 0.34.0

What's New

  • Bug fixes and performance enhancements
  • Version number is bumped as a large chunk of HA was merged up. The next version bump is likely to bring HA to alpha status.

Component Updates and Bug Fixes

v0.33.1

2 months ago

Release 0.33.1

What's New

  • Backward compatibility router <-> controller fix to address metrics parsing panic

Component Updates and Bug Fixes

v0.33.0

2 months ago

Release 0.33.0

What's New

  • SDK Terminator stability improvements
  • Minor feature updates and bug fixes

SDK Terminator stability improvements

This release was focused on creating a chaos test for SDK terminators, running it and fixing any issues found. The test repeatedly and randomly restarts the controller, routers and tunnelers then verifies that terminators end up in the correct state.

The following tools were also used/added to aid in diagnosing and fixing issues:

  • ziti fabric validate router-sdk-terminators
    • Compares the controller state with the router state
  • ziti fabric validate terminators
    • Checks each selected terminator to ensure it's still valid on the router and/or sdk
  • ziti fabric inspect sdk-terminators
    • Allows inspecting each routers terminator state
  • ziti fabric inspect router-messaging
    • Allows inspecting what the controller has queued for router state sync and terminator validations
  • ziti edge validate service-hosting
    • Shows how many terminators each identity which can host a service has

Several changes were made to the terminator code to ensure that terminators are properly created and cleaned up. The routers now use an adaptive rate limiter to control how fast they send terminator related requests to the controller. For this to work properly, the rate limiting on the controller must be enabled, so it can report back to the routers when it's got too much work.

Component Updates and Bug Fixes

  • github.com/openziti/edge-api: v0.26.10 -> v0.26.12
  • github.com/openziti/ziti: v0.32.2 -> v0.33.0
    • Issue #1815 - Panic if api session sync failed handler is called twice in the router
    • Issue #1794 - Add SDK terminator chaos test and fix any bugs found as part of chaos testing
    • Issue #1781 - Improve performance when adding intercepted services
    • Issue #1369 - Allow filtering by policy type when listing identities for service or services for identity
    • Issue #1791 - route dial isn't checking for network timeouts correctly
    • Issue #1204 - ziti cli identity tags related flags misbehaving
    • Issue #987 - "ziti create config router edge" doesn't know about --tunnelerMode proxy
    • Issue #652 - Update CLI script M1 Support when github actions allows

v0.32.2

3 months ago

NOTE: This release has an incompatibility with the latest c-based tunnelers, which will cause hosting services to fail.

Release 0.32.2

What's New

  • Terminator performance improvements
  • API Rate Limiter enabled by default

Component Updates and Bug Fixes

v0.32.1

3 months ago

Do not use, the release contains a deadlock which can be triggered if many SDK terminators are being created at a time.

Release 0.32.1

What's New

  • Bugfixes
  • New router setting to control startup timeout

Router startup timeout

The router now has a configuration setting to control how long it wait on startup to be able to connect to a controller, before it gives up and exits.

ctrl:
  endpoints: 
    - tls:localhost:1280
  startupTimeout: 5m

Component Updates and Bug Fixes