consul v1.4.1 Release Notes

Release Date: 2019-01-23
  • Note: Consul 1.4.1 can break compatibility with older versions of the Consul Go API client. At this time, we recommend that you not upgrade to 1.4.1 if you use the Go API client or other applications that utilize it such as Nomad. Read more: [GH-5270]

    FEATURES:

    • api: The transaction API now supports catalog operations for interacting with nodes, services and checks. See the transaction API page for more information. [GH-4869]

    SECURITY:

    • Fixed an issue that caused verify_server_hostname to not implicitly configure verify_outgoing to true. The documentation stated this was implicit. The previous implementation had a bug that resulted in this being partially incorrect and resulted in plaintext communication in agent-to-agent RPC when verify_outgoing was not explicitly set. (CVE-2018-19653) [GH-5069]
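
    An audit for the condition described above, as an added example that is not part of the original release notes or the Consul project: it flags agents older than 1.4.1 that set verify_server_hostname but do not explicitly set verify_outgoing to true. It assumes agent configs are available as JSON text; the node names, versions and helper function names are constructed for illustration.

```python
import json

FIXED_IN = (1, 4, 1)  # release that fixed CVE-2018-19653, per these notes


def parse_version(text):
    """'v1.3.1-rc1' -> (1, 3, 1); pre-release and build suffixes are ignored."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def exposed_to_cve_2018_19653(config_text, agent_version):
    """True when the agent relies on the implicit verify_outgoing behaviour.

    Affected: verify_server_hostname is true, verify_outgoing is unset
    (the case the release note describes) or not true, and the agent
    predates the fix.
    """
    cfg = json.loads(config_text)
    wants_hostname_check = cfg.get("verify_server_hostname") is True
    outgoing_explicit = cfg.get("verify_outgoing") is True
    return (wants_hostname_check and not outgoing_explicit
            and parse_version(agent_version) < FIXED_IN)


def audit_fleet(fleet):
    """fleet: iterable of (node_name, version, config_text); returns exposed nodes."""
    return [name for name, version, text in fleet
            if exposed_to_cve_2018_19653(text, version)]


# Constructed sample inventory (hypothetical nodes, not real data).
SAMPLE_FLEET = [
    ("server-1", "1.4.0", '{"verify_server_hostname": true, "verify_incoming": true}'),
    ("server-2", "1.4.0", '{"verify_server_hostname": true, "verify_outgoing": true}'),
    ("client-7", "v1.3.1-rc1", '{"verify_server_hostname": true}'),
    ("client-9", "1.4.1", '{"verify_server_hostname": true}'),
]

if __name__ == "__main__":
    for node in audit_fleet(SAMPLE_FLEET):
        print(f"{node}: set verify_outgoing = true explicitly, or run a fixed release")
```

    Setting verify_outgoing explicitly closes the gap on affected versions without depending on the upgrade, which matters given the Go API client compatibility note at the top of these release notes.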

    IMPROVEMENTS:

    • agent: Improve blocking queries for services that do not exist. [GH-4810]
    • api: Added new /v1/agent/health/service/name/<service name> and /v1/agent/health/service/id/<service id> endpoints to allow querying a service's status from the agent itself and avoid querying a Consul server. [GH-2488]
    • api: Added a new allow_write_http_from configuration to set which CIDR network ranges can send non GET/HEAD/OPTIONS HTTP requests. Requests originating from other addresses will be denied. [GH-4712]
    • cli: Added a new cli command: consul tls with subcommands ca create and cert create to help bootstrapping a secure agent TLS setup. This includes a new guide for creating certificates.
    • ๐ŸŽ connect: clients are smarter about when they regenerate leaf certificates to improve performance and reliability [GH-5091]
    • ๐ŸŽ gossip: CPU performance improvements to memberlist gossip on very large clusters [GH-5189]
    • ๐Ÿ‘ connect: Added support for prepared query upstream proxy destination type watching. [GH-4969
    • connect: (Consul Enterprise) Now forwards any intention API calls from secondary datacenters to the primary instead of erroring when intention replication is enabled.
    • connect: Now controls rate of Certificate Signing Requests during a CA rotation so the servers aren't overwhelmed. [GH-5228]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ›  acl: Fixed a concurrent policy resolution issue that would fail to resolve policies for a token [GH-5219]
    • ๐Ÿ›  acl: Fixed a few racey edge cases regarding policy resolution where the RPC request could error out due to the token used for the request being deleted or modified after the token was read but before policy resolution. [GH-5246]
    • ๐Ÿ›  acl: Fixed a bug that would cause legacy ACL tokens of type management to not get full privileges when they also had rules set on them. [GH-5261]
    • agent: Prevent health check status flapping during check re-registration. [GH-4904]
    • agent: Consul 1.2.3 added DNS weights but this caused an issue with agent Anti-Entropy that didn't set the same default and so performed a re-sync every 2 minutes despite no changes. [GH-5096]
    • agent: Fix an anti-entropy state syncing issue where an invalid token being used for registration of 1 service could cause a failure to register a different service with a valid token. [GH-3676]
    • agent: (Consul Enterprise) Snapshot agent now uses S3 API for unversioned objects to work around an issue when a bucket has versioning enabled.
    • agent: Fixed a bug where agent cache could return an error older than the last non-error value stored. This mostly affected Connect bootstrapping in integration environments but led to some very hard to track down "impossible" issues. [GH-4480]
    • agent: snapshot verification now works regardless of spacing in meta.json [GH-5193]
    • agent: Fixed a bug where disable_host_node_id = false was not working properly [GH-4914]
    • agent: Fixed issue where DNS weights added in 1.2.3 caused unnecessary Anti-Entropy syncs due to implicit vs explicit default weights being considered "different". [GH-5126]
    • api: Fixed an issue where service discovery requests that use both ?cached and multiple repeated tag filters might incorrectly see the cached result for a different query [GH-4987]
    • api: Fixed an issue causing blocking query wait times to not be used when retrieving leaf certificates. [GH-4462]
    • cli: display messages from serf in cli [GH-5236]
    • connect: Fixed an issue where a blank CA config could be written to a snapshot when Connect was disabled. [GH-4954]
    • connect: Fixed a bug with the create and modify indices of leaf certificates not being incremented properly. [GH-4463]
    • connect: Fixed an issue where certificates could leak and remain in client memory forever [GH-5091]
    • connect: (Consul Enterprise) When requesting to sign intermediates the primary dc is now used
    • connect: added tls config for vault connect ca provider [GH-5125]
    • connect: Fix a panic on 32 bit systems for unaligned 64 bit atomic operations. [GH-5128]
    • debug: Fixed an issue causing the debug archive to not be gzipped. [GH-5141]
    • dns: Fix an issue causing infinite recursion for some DNS queries when a node's address had been misconfigured [GH-4907]
    • watch: Fix a data race during setting up a watch plan. [GH-4357]
    • ui: Correctly encode/decode URLs within the KV areas. Also encode/decode slashes in URLs related to service names [GH5206]