5.2.1 Release Notes
April 12, 2022
Release information
Starting with this release, Enforcer client versions will be backwards compatible for a 9-month period.
New Features
- Support for IPv6 OAM ping. OAM ping now accepts an IPv6 address in the destination IP.
- Default reporting interval is now 30 mins for existing flows and it is configurable. New flows reports are immediate. Refer to our Enforcer profile doc for details.
- Support for Enforcer & Processing Unit alerts. Introducing 3 new alerts
- Host processing unit event: PUs created or removed from a namespace
- Enforcer event: Enforcers created or removed from a namespace
- Audit event: Actions performed on a namespace (delete a ruleset, create a namespace, create an App Credential)
- Enforcer lookup improvements: Enforcers now report FQDNs directly in the flow logs.
- Long-lived connections: Some types of connections can exist for days or months without ever closing (proxies and databases are common examples) and if an Enforcer is deployed after a connection is established, it will remain unmonitored. apoctl netstat command allows users to understand what are the long lived connections they have in their environment, restart those and make sure Enforcers are controlling them.
- Syslog forwarding for telemetry from the enforcer. Refer to our docs on syslog forwarding for more information.
- API server support on Kubernetes. Refer to our docs on kubernetes api server for more information.
- Enforcer support for non-transparent proxies. Refer to docs here for more information.
- Enforcer client versions will be backwards compatible for a 9-month period
Resolved Issues
- CNS-4117: Auto-scale issues seen with Squall service are addressed.
- CNS-4717: SSL errors seen on UI when requests hit rate limits are addressed.
- CNS-3907: Addressed the slowness with tags retrieval with a large number of Enforcers.
- CNS-3835: TUF repo lock error messages will no longer overwhelm Chocobo service logs.
- CNS-4667: Security issue: Ability to add all org tags at any point in the namespace hierarchy.
Known Issues
- CNS-4902: Reports query with complex filters can fail with large data volumes. For such queries users must either reduce the query time window or run the query a lower level namespaces.
- CNS-4881: Loading dependency maps can fail at top level namespaces or large time ranges with high volumes of data. For such queries, user must select smaller time windows.
- CNS-4877: Processing Unit or Enforcer details page fails to load after hitting rate limit errors.
- CNS-4780: Service caitsith may be in a crash loop after upgrade. Refer to upgrade troubleshooting page for steps to resolve this issue.
Upgrade instructions for CNS 5.2
- CNS-4571: Elasticsearch index cleanup may be neededIf you are upgrading a stack in-place which has not received security upgrades from Elasticsearch 5 to Elasticsearch 6, or which has received such an upgrade recently, there may be remaining Elasticsearch indexes created by Jaeger earlier which are incompatible with the Elasticsearch 7.17 version bundled with this CNS 5.2 release. (Elasticsearch maintains compatibility with indexes created by one previous major version, not two.)
- You can remove those indexes by removing Elasticsearch and its volume prior to upgrade:
deploy delete elasticsearch rewind --cleanup data-elasticsearch-0- Or if you discover Elasticsearch pods are unhealthy after an upgrade, such old indexes may be responsible. They can likewise be removed by temporarily removing Elasticsearch, then installing it:deploy delete elasticsearch rewind --cleanup data-elasticsearch-0 deploy install elasticsearchYou may need to (below) restart Jaeger pods after that.
- CNS-4890: Jaeger pods should be restartedDue to the Elasticsearch changes, Jaeger pods should restarted after upgrade:k rollout restart deployment jaeger-collector k rollout restart deployment jaeger-query k rollout restart deployment jaeger-agent
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.
