Releases: NLnetLabs/krill

A Flock of Krill

13 Dec 22:10

This release fixes the following issues:

  • Krill should not freeze if lockfiles were not deleted properly #1171 (since Krill 0.14.0)
  • Don't warn about yanked dependencies when installing Krill via Cargo #1173

Temp

06 Dec 09:22

This release fixes a number of issues found in 0.14.0 through 0.14.2:

  • Use rpki-rs 0.18.0 to support builds on more platforms #1166
  • Fix ASPA migration issues #1163
  • Depend on kvx 0.9.2 to ensure temp files are used properly #1160

Most importantly, Krill will now use temp files for all data that it stores to avoid issues with half-written files in case the disk is full, or the server is rebooted in the middle of writing. This issue was introduced in release 0.14.0, and we recommend that all users upgrade to this version to avoid issues.

This release also includes:

Extra, Extra, Extra!

06 Nov 12:20

This release fixes a bug in the migration code, not fully fixed in 0.14.1, where 'surplus' archived data should be skipped (#1147). There is no need to upgrade to this version if you already upgraded to 0.14.0 or 0.14.1.

Release 0.14.0 'ASPA' adds support for the updated ASPA v1 profile (issue #1080). Any existing ASPA objects will be re-issued automatically. Updated documentation can be found here.

In addition, this release includes the following small features and fixes:

  • Show delete ROA button when no BGP preview is available #1139
  • Add traditional and simplified Chinese translations #1075
  • Let the testbed automatically renew the TA manifest and CRL #1095 (see below)
  • Show the delete icon for AS0 ROA when there is another existing announcement #1109

The main effort in this release was spent on less user-visible improvements in how Krill stores its data. This will help improve robustness today and pave the way for introducing support for Krill clustering using a database back-end in a future release.

For now, these issues have been resolved:

  • Improve transactionality of changes (e.g. #1076-1078, #1085, #1108, #1090)
  • Remove no longer needed 'always_recover_data' function #1086
  • Improve upgrade failed error: tell users to downgrade #1042
  • Crash Krill if the task scheduler encounters a fatal error. #1132

You can find the full list of issues here:

Finally, regarding issue #1095. If you were running 0.13.1 as a testbed, you might have symlinked the "signer" directory to "ta_signer" to support a manual workaround for re-signing the trust anchor CRL and manifest. If you did, you may need to delete any surplus files and directories under "data/ta_signer" other than the "ta" directory.

Extra, Extra!

03 Nov 11:00

This release fixes a bug in the migration code where 'surplus' directories for archived events should be skipped (#1147).

Release 0.14.0 'ASPA' adds support for the updated ASPA v1 profile (issue #1080). Any existing ASPA objects will be re-issued automatically. Updated documentation can be found here.

In addition, this release includes the following small features and fixes:

  • Show delete ROA button when no BGP preview is available #1139
  • Add traditional and simplified Chinese translations #1075
  • Let the testbed automatically renew the TA manifest and CRL #1095 (see below)
  • Show the delete icon for AS0 ROA when there is another existing announcement #1109

The main effort in this release was spent on less user-visible improvements in how Krill stores its data. This will help improve robustness today and pave the way for introducing support for Krill clustering using a database back-end in a future release.

For now, these issues have been resolved:

  • Improve transactionality of changes (e.g. #1076-1078, #1085, #1108, #1090)
  • Remove no longer needed 'always_recover_data' function #1086
  • Improve upgrade failed error: tell users to downgrade #1042
  • Crash Krill if the task scheduler encounters a fatal error. #1132

You can find the full list of issues here:

Finally, regarding issue #1095. If you were running 0.13.1 as a testbed, you might have symlinked the "signer" directory to "ta_signer" to support a manual workaround for re-signing the trust anchor CRL and manifest. If you did, you may need to delete any surplus files and directories under "data/ta_signer" other than the "ta" directory.

ASPA

02 Nov 11:01

This release adds support for the updated ASPA v1 profile (issue #1080). Any existing ASPA objects will be re-issued automatically. Updated documentation can be found here.

In addition, this release includes the following small features and fixes:

  • Show delete ROA button when no BGP preview is available #1139
  • Add traditional and simplified Chinese translations #1075
  • Let the testbed automatically renew the TA manifest and CRL #1095 (see below)
  • Show the delete icon for AS0 ROA when there is another existing announcement #1109

The main effort in this release was spent on less user-visible improvements in how Krill stores its data. This will help improve robustness today and pave the way for introducing support for Krill clustering using a database back-end in a future release.

For now, these issues have been resolved:

  • Improve transactionality of changes (e.g. #1076-1078, #1085, #1108, #1090)
  • Remove no longer needed 'always_recover_data' function #1086
  • Improve upgrade failed error: tell users to downgrade #1042
  • Crash Krill if the task scheduler encounters a fatal error. #1132

You can find the full list of issues here:

Finally, regarding issue #1095. If you were running 0.13.1 as a testbed, you might have symlinked the "signer" directory to "ta_signer" to support a manual workaround for re-signing the trust anchor CRL and manifest. If you did, you may need to delete any surplus files and directories under "data/ta_signer" other than the "ta" directory.

v0.14.0-rc3

23 Oct 10:09
Pre-release

This is the third release candidate for the coming 0.14.0 release. We invite all interested users to test this version, but please do not upgrade your production environment until 0.14.0 has been released.

This release adds support for the updated ASPA v1 profile (issue #1080). Existing ASPA objects will be re-issued when migrating from 0.13.1 or lower to this version. NOTE: you cannot upgrade from 0.14.0-rc1 or 0.14.0-rc2 to this release if you have existing ASPA objects.

In addition, this release introduces the following small features and fixes:

  • Add traditional and simplified Chinese translations #1075
  • Let the testbed automatically renew the TA manifest and CRL #1095
  • Show the delete icon for AS0 ROA when there is another existing announcement #1109
  • Show delete ROA button when no BGP preview is available #1139 (fixed in 0.14.0-rc2)

But we spent the main effort in this release on improving how Krill stores its data. This will help improve robustness today and pave the way for introducing support for Krill clustering using a database back-end in a future release. For now, these issues were resolved:

  • Improve transactionality of changes (e.g. #1076-1078, #1085, #1108, #1090)
  • Remove no longer needed 'always_recover_data' function #1086
  • Improve upgrade failed error: tell users to downgrade #1042
  • Crash Krill if the task scheduler encounters a fatal error. #1132
  • Add support for importing delegated child CAs #1133

Note that this release still uses the now outdated ASPA object syntax. We plan to make another focused release to address this immediately after 0.14.0 is released. See issue #1080.

Note that if you were running 0.13.1 as a testbed, you may have symlinked the "signer" directory to "ta_signer" to support a manual workaround for re-signing the trust anchor CRL and manifest (issue #1095). If you did, you may need to delete any surplus files and directories under "/var/lib/krill/data/ta_signer" other than the "ta" directory.

v0.14.0-rc2

18 Oct 07:35
Pre-release

This is the second release candidate for the coming 0.14.0 release. We invite all interested users to test this version, but please do not upgrade your production environment until 0.14.0 has been released.

This release introduces the following small features and fixes:

  • Add traditional and simplified Chinese translations #1075
  • Let the testbed automatically renew the TA manifest and CRL #1095
  • Show the delete icon for AS0 ROA when there is another existing announcement #1109
  • Show delete ROA button when no BGP preview is available #1139 (fixed in 0.14.0-rc2)

But we spent the main effort in this release on improving how Krill stores its data. This will help improve robustness today and pave the way for introducing support for Krill clustering using a database back-end in a future release. For now, these issues were resolved:

  • Improve transactionality of changes (e.g. #1076-1078, #1085, #1108, #1090)
  • Remove no longer needed 'always_recover_data' function #1086
  • Improve upgrade failed error: tell users to downgrade #1042
  • Crash Krill if the task scheduler encounters a fatal error. #1132
  • Add support for importing delegated child CAs #1133

Note that this release still uses the now outdated ASPA object syntax. We plan to make another focused release to address this immediately after 0.14.0 is released. See issue #1080.

Note that if you were running 0.13.1 as a testbed, you may have symlinked the "signer" directory to "ta_signer" to support a manual workaround for re-signing the trust anchor CRL and manifest (issue #1095). If you did, you may need to delete any surplus files and directories under "/var/lib/krill/data/ta_signer" other than the "ta" directory.

Scrollbars!

01 Jun 15:31

The Krill UI includes a CA selection dropdown in case you have multiple CAs. This dropdown used to have a scrollbar, which accidentally got lost in the UI overhaul we did in version 0.13.0. This is now fixed (#1071).

DRY

22 May 14:46
1a6dc2f

Summary

This release contains an important fix for an issue affecting v0.12.x Publication Servers (see PR #1023). It is recommended that affected installations are upgraded as soon as possible.

The user interface was completely re-implemented in this release, resulting in a smaller browser footprint. Functionality is mostly unchanged, except that users can now have an optional comment with each of their ROA configurations. These comments are not part of published ROA objects - they are meant for local bookkeeping only.

ASPA objects are now supported through the CLI by default. We hope to add UI support later this year.

Krill can now be used as a full RPKI Trust Anchor, using a detached (possibly offline) signer for Trust Anchor key operations.

Publication Server

Krill 0.12.x Publication Servers suffer from an issue where multiple entries for the same URI, but with different hashes, can appear in a single RRDP snapshot.

This problem was solved by removing published objects data duplication in the Krill architecture and ensuring that the URI rather than an object's hash is used as its primary key internally. More information can be found in pull request #1023.

We recommend that existing 0.12.x Publication Server installations are upgraded to this version.
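
A check an operator can run against a snapshot to spot the symptom described above, as an added example that is not part of the Krill release notes or code base: it hashes every publish element of an RRDP snapshot (RFC 8182 format) and reports each URI that occurs more than once. The function names, the repo.example.net URIs and the sample content are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"  # RRDP XML namespace (RFC 8182)

def make_snapshot(entries):
    """Build a constructed test snapshot from (uri, bytes) pairs."""
    body = "\n".join(
        f'  <publish uri="{uri}">{base64.b64encode(data).decode()}</publish>'
        for uri, data in entries
    )
    return (
        '<snapshot xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
        'session_id="00000000-0000-4000-8000-000000000000" serial="2">\n'
        f"{body}\n</snapshot>"
    )

def duplicate_uris(snapshot_xml):
    """Return {uri: [sha256 hex, ...]} for each URI published more than once."""
    # Use a hardened XML parser for snapshots from servers you do not operate.
    root = ET.fromstring(snapshot_xml)
    if root.tag != RRDP_NS + "snapshot":
        raise ValueError(f"not an RRDP snapshot: {root.tag}")
    seen = defaultdict(list)
    for elem in root.iter(RRDP_NS + "publish"):
        uri = elem.get("uri")
        if uri is None:
            raise ValueError("publish element without a uri attribute")
        text = "".join((elem.text or "").split())  # drop base64 line wrapping
        digest = hashlib.sha256(base64.b64decode(text, validate=True)).hexdigest()
        seen[uri].append(digest)
    # A healthy snapshot has exactly one entry per URI.
    return {uri: hashes for uri, hashes in seen.items() if len(hashes) > 1}

# Constructed sample, not real repository data: a.roa appears twice with
# different content, which is the symptom described for 0.12.x servers.
SAMPLE = make_snapshot([
    ("rsync://repo.example.net/repo/ca1/a.roa", b"old content"),
    ("rsync://repo.example.net/repo/ca1/a.roa", b"new content"),
    ("rsync://repo.example.net/repo/ca1/b.mft", b"manifest"),
])

if __name__ == "__main__":
    for uri, hashes in duplicate_uris(SAMPLE).items():
        print("DUPLICATE", uri, *hashes)
```

An empty result means every URI in the snapshot is published exactly once.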

Updated User Interface

A lot of changes were introduced in this release. For most users the following improvements will be most visible and relevant:

  • Updated UI to new and smaller code base (#995)
  • Allow ROA comments in UI (#995)

The new krill-ui project has its own repository where issues can be tracked:
https://github.com/NLnetLabs/krill-ui

ASPA Support

ASPA support is now enabled in the CLI (#1031). We hope to add UI support later this year.

We added a number of new restrictions:

  • Krill MUST NOT create only a single AFI ASPA (#1063)
  • ASPA object MUST NOT allow the customer AS in the provider AS list (#1058)

You can read more about ASPA support here:
https://krill.docs.nlnetlabs.nl/en/0.13.0/manage-aspas.html

API Changes

We removed the repository next update time from the stats and metrics output. It was inaccurate (usually 8 hours off), and not very informative. More useful metrics are still provided: last exchange and last successful exchange. If these times differ, then there is an issue that may need attention.

Krill as a Trust Anchor

A lot of work has been done to support using Krill as a Trust Anchor. If you are not an RIR, then you will not need to run your own RPKI TA for normal RPKI operations. That said, some users may want to operate their own TA outside of the TAs provided by the RIRs for testing, study or research reasons. Or perhaps even to manage private use address space.

You can read more about this here:
https://krill.docs.nlnetlabs.nl/en/0.13.0/trust-anchor.html

Implemented issues:

  • Support offline TA (#976)
  • Support initialising offline TA with existing key (#979)
  • Bulk import/configure CAs with ROAs (#968, #969)
  • Support migration of existing TAs (#978)
  • Use new TA for embedded (test) TA (#977)

Other Changes

Publication Server Improvements:

  • Remove published object data duplication (#1023)
  • Delete repository files by URI (#991)

Miscellaneous improvements and fixes:

  • Log for which child / parent / publisher CMS validation failed (#1027)
  • Permit setting CKA_PRIVATE to CK_FALSE on PKCS#11 RSA public keys (#1019)
  • Ensure that the CSR uses a trailing slash for id-ad-caRepository (#1030)
  • Accept id-cert with path len constraints (#966)
  • Publication Server should check uri, not hash, in publish elements (#981)

The overview of all issues for this release can be found here:
https://github.com/NLnetLabs/krill/projects/24

Sakura

06 Mar 15:13

This release contains a feature that enables Publication Server operators to remove unwanted, surplus, files from their repository. This feature was cherry picked from the upcoming major release branch so that Publication Server operators can use this without delay.

Note that if you do not use Krill to operate a Publication Server, then there is no need to upgrade to this version now.

For more details see: #1022