swift (2.32.0, OpenStack Bobcat) * Python 3 fixes: * Python 3 object servers can now read unencrypted non-ASCII metadata that was written under Python 2. * Ssync no longer corrupts unencrypted non-ASCII metadata during transfers. * Fixed an encoding issue when writing non-ASCII object names to sharded containers and shard range caching is not enabled. * Fixed an encoding issue when handling non-ASCII account names. * Fixed a `generator already executing` error on client disconnect. * Suppressed `RemoteDisconnected` tracebacks. * Metrics improvements: * Metrics are now emitted for a variety of S3 error responses, in the form `s3api..[.]` * Fixed an issue that prevented proxy servers from emitting metrics and logs for backend requests made when getting account or container info. * Account and container info metrics now include the response status code when backend requests are made. * Added timing metrics to the container sharder for various operations. * Python 3.11 is now supported. * Added the ability for reseller admins to set per-policy account quotas by posting metadata of the form `X-Account-Quota-Bytes-Policy-`. * Added a `keepalive_timeout` option to the proxy server to limit how long to wait for a client to initiate a request, separate from the general `client_timeout` option. Note that this requires eventlet 0.33.4 (currently unreleased) or later. * Added a `keep_cache_slo_manifest` option to the object server to better control whether SLO manifests are dropped from the page cache. * WSGI servers now accept a `--test-config` option that may be used to validate configuration changes before reloading/restarting the server. * The structure of cached shard ranges has changed, improving performance when listing or writing to sharded containers. Note that immediately after upgrade, the new structures will all be cache misses, which may lead to a thundering herd problem. To avoid this, upgrade just a few nodes first, let them service some fraction of traffic to populate the cache, then upgrade the rest of the cluster. * A variety of performance improvements have been made for sharded container databases. * Various logging and metrics improvements when talking to memcache. * Fixed ssync's handling of timestamp offsets. Previously, this could cause ssync to fail with a 409 Conflict, causing the transfer to fail and preventing handoffs from clearing. * Fixed an issue where an erasure-coded PUT could prevent other requests from being processed when network calls rarely or never blocked. * Fixed an issue when downloading an SLO manifest would hit a recoverable error and attempt to resume from another node. This would manifest as either a pyeclib decode error or an unexpected empty response. * The proxy server now applies error-limiting to the correct node when handling a recoverable node error. * Account, container, and object log fields are now correctly identified when returning `BadDigest` responses to S3 requests. * Previously, under some circumstances, a non-standard config option such as `RECLAIM_AGE` might get parsed as `reclaim_age` for some processes but ignored by others. Now, all config parsing is case-sensitive; non-standard names will always be ignored. * Reduced the backend load of making `?versions` requests to a container that has never had object versioning enabled. * Improved formatting of meta and sysmeta for `swift-account-info` and `swift-container-info`. * The standard-library `logging` module is no longer monkey-patched when importing `swift.common.utils`, making it easier to re-use swift code in other contexts. * Removed the hard dependency on netifaces; it may still be used if the `getifaddrs` C function is not available. This fallback support may be removed in a future release. * Various other minor bug fixes and improvements. swift (2.31.1, OpenStack Antelope) * Sharding fixes * Shards no longer report stats to the root database when they are in the CREATED state. * Sharding metadata is no longer cleared when databases are deleted. This could previously cause deleted shards that still had rows to become stuck and never move them to the correct database. * Fixed a performance regression in the handling of misplaced objects. * Swift path and on-disk path are now included with all sharder logging. * `s3token` no longer mangles request paths that include the Access Key ID. * User metadata is now exposed via CORS when encryption is enabled, matching the behavior when encryption is not enabled. * Fewer backend requests are now required when account or container information is missing from memcache. * Fixed logging of IP and port in the proxy-server; in particular, internal clients now correctly log about the replication IP/port. * Fixed a bug in the object replicator that would cause an under-reporting of failures. * Various other minor bug fixes. swift (2.31.0) * S3 API improvements * Fixed a security issue in how `s3api` handles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information. * Fixed a server error when handling malformed CompleteMultipartUpload requests. * Improved error reporting when attempting to set invalid `X-Delete-At` or `X-Delete-After` values via the S3 API. * Sharding improvements * Sync more shard ranges from the root database to the shards. This helps ensure shard range repairs effected at the root make their way to shards that would otherwise be stuck trying to further divide into sub-shards. * Added a `merge` subcommand to `swift-manage-shard-ranges` to merge arbitrary shard ranges into a container DB. Minimal safety checks are performed; it should only be used for emergency shard range manipulation by expert users. * Improved performance of `delimiter` listings for sharded containers. * Added more safety checks to the `repair` subcommand of `swift-manage-shard-ranges`. * Better handle `EOFError` and `KeyboardInterrupt` when prompting for input in `swift-manage-shard-ranges`. * Warnings are now emitted when sharding appears to have become stuck. Use the new `container_sharding_timeout` option to configure the "stuck" threshold; the default is 48 hours. * Stop warning about transient overlaps when auditing shard ranges. * Metrics improvements * Added timing stats for memcached operations. * Renamed and improved the granularity of shard range cache and backend stats. Metrics dashboards may need to be updated. * Emit stats when backend nodes are error-limited. * Added support for Python 3.10. * Added an optional `backend_ratelimit` middleware for backend servers. See the backend server sample configuration files for more information. * Added the ability to configure a chance to skip checking memcache when querying account and container information. This allows some fraction of traffic to go to disk and refresh memcache before the key ages out. Recommended values for the new `account_existence_skip_cache_pct` and `container_existence_skip_cache_pct` options are in the range of 0.0 to 0.01. * Static large object segments may now be deleted asynchronously by default. Operators may return to the old behavior by disabling the `allow_async_delete` option in the `[filter:slo]` section in their proxy-server.conf. * Absolute-form request targets are now accepted. This enables access for certain clients and SDKs (including some older versions of rclone that were using an old version of aws-sdk-go). * Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some `domain_remap` requests to be routed to the wrong object. * Fixed a server error when attempting to access data in a deleted container that had an erasure-coded storage policy. * Improved error messages to clients that encounter errors using the `formpost` middleware. * Removed some inappropriate error-suppression when locking account and container databases. * Improved server start-up time when using multiple workers. * Removed some unnecessary locking when logging. * Added some basic object-metadata validation; invalid diskfiles will be quarantined via the auditor or reconstructor. * Enhanced logging when error-limiting a backend node. * Various other minor bug fixes and improvements. swift (2.30.1, zed stable backports) * Fixed a security issue in how `s3api` handles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information. * Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some `domain_remap` requests to be routed to the wrong object. swift (2.30.0, OpenStack Zed) * Sharding improvements * The `swift-manage-shard-ranges` tool has a new mode to repair gaps in the namespace. * Misplaced tombstone records are now properly cleaved. * Fixed a bug where the sharder could fail to find a device to use for cleaving. * Databases marked deleted are now processed by the sharder. * More information is now synced to the fresh database when sharding. Previously, a database could lose the fact that it had been marked as deleted. * Shard ranges with no rows to cleave could previously be left in the CREATED state after cleaving. Now, they are advanced to CLEAVED. * Metrics are now emitted for whether databases used for cleaving were created or already existed, allowing a better understanding of the reason for handoffs in the cluster. * Misplaced-record stats are now also emitted to statsd. Previously, these were only available in logs. * S3 API improvements * Constant-time string comparisons are now used when checking signatures. * Fixed cross-policy object copies. Previously, copied data would always be written using the source container's policy. Now, the destination container's policy will be used, avoiding availability issues and unnecessary container-reconciler work. * More headers are now copied from multi-part upload markers to their completed objects, including `Content-Encoding`. * When running with `s3_acl` disabled, `bucket-owner-full-control` and `bucket-owner-read` canned ACLs will be translated to the same Swift ACLs as `private`. * The S3 ACL and Delete Multiple APIs are now less case-sensitive. * Improved the error message when deleting a bucket that's ever had versioning enabled and still has versions in it. * `LastModified` timestamps in listings are now rounded up to whole seconds, like they are in responses from AWS. * Proxy logging for Complete Multipart Upload requests is now more consistent when requests have been retried. * Logging improvements * Signal handling is more consistently logged at notice level. Previously, signal handling would sometimes be logged at info or error levels. * The message template for proxy logging may now include a `{domain}` field for the client-provided `Host` header. * The object-replicator now logs successful rsync transfers at debug instead of info. * Added a `log_rsync_transfers` option to the object-replicator. Set it to false to disable logging rsync "send" lines; during large rebalances, such logging can overwhelm log aggregation while providing little useful information. * Transaction IDs are now only included in daemon log lines in a request/response context. * Fixed a socket leak when clients try to delete a non-SLO as though it were a Static Large Object. * The formpost digest algorithm is now configurable via the new `allowed_digests` option, and support is added for both SHA-256 and SHA-512. Supported formpost digests are exposed to clients in `/info`. Additionally, formpost signatures can now be base64 encoded. * Added metrics to the formpost and tempurl middlewares to monitor digest usage in signatures. * SHA-1 signatures are now deprecated for the formpost and tempurl middlewares. At some point in the future, SHA-1 will no longer be enabled by default; eventually, support for it will be removed entirely. * Improved compatibility with certain FIPS-mode-enabled systems. * Added a `ring_ip` option for various object services. This may be used to find own devices in the ring in a containerized environment where the `bind_ip` may not appear in the ring at all. * Account and container replicators can now be configured with a `handoff_delete` option, similar to object replicators and reconstructors. See the sample config for more information. * Developers using Swift's memcache client may now opt in to having a `MemcacheConnectionError` be raised when no connection succeeded using a new `raise_on_error` keyword argument to `get`/`set`. * The tempurl middleware has been updated to return a 503 if storing a token in memcache fails. Third party authentication middlewares are encouraged to also use the new `raise_on_error` keyword argument when storing ephemeral tokens in memcache. * Pickle support has been removed from Swift's memcache client. Support had been deprecated since Swift 1.7.0. * Device names are now included in new database IDs. This provides more context when examining incoming/outgoing sync tables or sharding CleaveContexts. * Database replication connections are now closed following an error or timeout. This prevents a traceback in some cases when the replicator tries to reuse the connection. * `ENOENT` and `ENODATA` errors are better handled in the object replicator and auditor. * Improved object update throughput by shifting some shard range filtering from Python to SQL. * Include `Vary: Origin` header when CORS responses vary by origin. * The staticweb middleware now allows empty listings at the root of a container. Previously, this would result in a 404 response. * Ring builder output tables better display weights over 1000. * Various other minor bug fixes and improvements. swift (2.29.2, yoga stable backports) * Fixed a security issue in how `s3api` handles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information. * Constant-time string comparisons are now used when checking S3 API signatures. * Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some `domain_remap` requests to be routed to the wrong object. * Improved compatibility with certain FIPS-mode-enabled systems. swift (2.29.1, OpenStack Yoga) * This is the final stable branch that will support Python 2.7. * Fixed s3v4 signature calculation when the client sends an un-encoded path in the request. * Fixed multiple issues in s3api involving Multipart Uploads with non-ASCII names. * The object-updater now defers rate-limited updates to the end of its cycle; these deferred updates will be processed (at the limited rate) until the configured `interval` elapses. A new `max_deferred_updates` option may be used to bound the deferral queue. * Empty account and container partition directories are now cleaned up immediately after replication, rather than needing to wait for an additional replication cycle. * The object-expirer now only cleans up empty containers. Previously, it would attempt to delete all processed containers, regardless of whether there were entries which were skipped or had errors. * A new `item_size_warning_threshold` option may be used to monitor for values that are approaching the limit of what can be stored in memcache. See the memcache sample config for more information. * Internal clients now correctly use their configured User-Agent in backend requests, rather than only using it for logging. * Various other minor bug fixes and improvements. swift (2.29.0) * S3 API improvements * CORS preflights are now allowed for pre-signed URLs. * The `storage_domain` option now accepts a comma-separated list of storage domains. This allows multiple storage domains to configured for use with virtual-host style addressing. * Fixed the types of configured values in /info response. * Fixed a server error when trying to copy objects with non-ASCII names. * Fixed a server error when uploading objects with very long names. A KeyTooLongError is now returned. * Fixed an error when multi-deleting MPUs when SLO async-deletes are enabled. * Fixed an error that allowed list-uploads and list-parts requests to return incomplete or out-of-order results. * Fixed several bugs when dealing with non-ASCII object names and multipart uploads. * Reduced the overhead of retrieving bucket and object ACLs. * Replication, reconstruction, and diskfile improvements * The reconstructor now uses the replication network to fetch fragments for reconstruction. * Added the ability to limit how many objects per handoff partition will be reverted in a reconstructor cycle using the new `max_objects_per_revert` option. This may be useful to reduce ssync timeouts and lock contention, ensuring that progress is made during rebalances. * Ensure that non-durable data and .meta files are purged from handoffs after syncing. * Fixed tracebacks when there's a race to mark a file durable or delete it. * Improved cooperative multitasking during ssync. * Upon detecting a ring change, the reconstructor now only aborts the jobs for that ring and continues processing jobs for other rings. * Fixed a traceback when logging about a lock timeout in the replicator. * Object updater improvements * Added the ability to ratelimit updates (approximately) per-container using the new `max_objects_per_container_per_second` option. This may be used to limit requests to already-overloaded containers while still making progress on updates to other containers. * Added timing stats by response code. * Updates are now sent over the replication network. * Fixed a race condition where swift would attempt to quarantine recently-deleted updates. * Memcache improvements * Added the ability to configure a chance to skip checking memcache when querying shard ranges. This allows some fraction of traffic to go to disk and refresh memcache before the key ages out. Recommended values for the new `container_updating_shard_ranges_skip_cache_pct` and `container_listing_shard_ranges_skip_cache_pct` options are in the range of 0.0 to 0.1. * Added stats for shard range cache hits, misses, and skips. * Improved handling of timeouts and other errors when obtaining a connection to memcached. * Recon improvements * Added object-reconstructor stats to recon. * Each object-server IP is now queried only once when reporting disk usage. Previously, each port in the ring would be queried; when using servers-per-port, this could dramatically overstate the disk capacity in the cluster. * Fixed a security issue where tempurl and s3api signatures were logged in full. This allowed an attacker with access to log data to perform replay attacks, potentially accessing or overwriting cluster data. Now, such signatures are redacted in a manner similar to auth tokens; see the `reveal_sensitive_prefix` option in `proxy-server.conf`. See CVE-2017-8761 for more information. * Added a new `swift.common.registry` module. This includes helper functions `register_sensitive_header` and `register_sensitive_param` which third party middleware authors may use to flag headers and query parameters for redaction when logging. For more information, see https://docs.openstack.org/swift/latest/misc.html#module-swift.common.registry * Added the ability to configure project-scope read-only roles for keystoneauth using the new `project_reader_roles` option. * The cname_lookup middleware now works with dnspython 2.0 and later. * The internal clients used by the container-reconciler, container-sharder, container-sync, and object-expirer daemons now use a more-descriptive `-ic` log name, rather than `swift`. If you previously configured the `log_name` option in `internal-client.conf`, you must now use the `set log_name = ` syntax to configure it, even if no value is set in the `[DEFAULT]` section. This may be done prior to upgrading. * Fixed a bug that allowed some statsd metrics to be annotated with the wrong backend layer. * The `StatsdClient.set_prefix` method is now deprecated and may be removed in a future release; by extension, so is the `LogAdapter.set_statsd_prefix` method. Middleware developers should use the `statsd_tail_prefix` argument to `get_logger` instead. * Fixed a traceback in the account-server when there's no account database on disk to receive a container update. The account-server now correctly 404s. * The container-updater will quarantine container databases if all replicas for the account respond 404. * Fixed a proxy-server error when the read-only middleware tried to handle non-Swift paths (such as may be used by third-party middleware). * Some client behaviors that the proxy previously logged at warning have been lowered to info. * Removed translations from most logging. * Various other minor bug fixes and improvements. swift (2.28.1, xena stable backports) * Fixed a security issue in how `s3api` handles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information. * Constant-time string comparisons are now used when checking S3 API signatures. * Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some `domain_remap` requests to be routed to the wrong object. * Improved compatibility with certain FIPS-mode-enabled systems. * Ensure that non-durable data and .meta files are purged from handoffs after syncing. swift (2.28.0, OpenStack Xena) * Sharding improvements: * When building a listing from shards, any failure to retrieve listings will result in a 503 response. Previously, failures fetching a partiucular shard would result in a gap in listings. * Container-server logs now include the shard path in the referer field when receiving stat updates. * Added a new config option, `rows_per_shard`, to specify how many objects should be in each shard when scanning for ranges. The default is `shard_container_threshold / 2`, preserving existing behavior. * Added a new config option, `minimum_shard_size`. When scanning for shard ranges, if the final shard would otherwise contain fewer than this many objects, the previous shard will instead be expanded to the end of the namespace (and so may contain up to `rows_per_shard + minimum_shard_size` objects). This reduces the number of small shards generated. The default value is `rows_per_shard / 5`. * Added a new config option, `shrink_threshold`, to specify the absolute size below which a shard will be considered for shrinking. This overrides the `shard_shrink_point` configuration option, which expressed this as a percentage of `shard_container_threshold`. `shard_shrink_point` is now deprecated. * Similar to above, `expansion_limit` was added as an absolute-size replacement for the now-deprecated `shard_shrink_merge_point` configuration option. * The sharder now correctly identifies and fails audits for shard ranges that overlap exactly. * The sharder and swift-manage-shard-ranges now consider total row count (instead of just object count) when deciding whether a shard is a candidate for shrinking. * If the sharder encounters shard range gaps while cleaving, it will now log an error and halt sharding progress. Previously, rows may not have been moved properly, leading to data loss. * Sharding cycle time and last-completion time are now available via swift-recon. * Fixed an issue where resolving overlapping shard ranges via shrinking could prematurely mark created or cleaved shards as active. * `swift-manage-shard-ranges` improvements: * Exit codes are now applied more consistently: - 0 for success - 1 for an unexpected outcome - 2 for invalid options - 3 for user exit As a result, some errors that previously resulted in exit code 2 will now exit with code 1. * Added a new 'repair' command to automatically identify and optionally resolve overlapping shard ranges. * Added a new 'analyze' command to automatically identify overlapping shard ranges and recommend a resolution based on a JSON listing of shard ranges such as produced by the 'show' command. * Added a `--includes` option for the 'show' command to only output shard ranges that may include a given object name. * Added a `--dry-run` option for the 'compact' command. * The 'compact' command now outputs the total number of compactible sequences. * S3 API improvements: * Added an option, `ratelimit_as_client_error`, to return 429s for rate-limited responses. Several clients/SDKs have seem to support retries with backoffs on 429, and having it as a client error cleans up logging and metrics. By default, Swift will respond 503, matching AWS documentation. * Fixed a server error in bucket listings when `s3_acl` is enabled and staticweb is configured for the container. * Fixed a server error when a client exceeds `client_timeout` during an upload. Now, a `RequestTimeout` error is correctly returned. * Fixed a server error when downloading multipart uploads/static large objects that have missing or inaccessible segments. This is a state that cannot arise in AWS, so a new `BrokenMPU` error is returned, indicating that retrying the request is unlikely to succeed. * Fixed several issues with the prefix, marker, and delimiter parameters that would be mirrored back to clients when listing buckets. * Partition power increase improvements: * The relinker now spawns multiple subprocesses to process disks in parallel. By default, one worker is spawned per disk; use the new `--workers` option to control how many subprocesses are used. Use `--workers=0` to maintain the previous behavior. * The relinker now performs eventlet-hub selection the same way as other daemons. In particular, `epolls` will no longer be selected, as it seemed to cause occassional hangs. * The relinker can now target specific storage policies or partitions by using the new `--policy` and `--partition` options. * Partitions that encountered errors during relinking are no longer marked as completed in the relinker state file. This ensures that a subsequent relink will retry the failed partitions. * Partition cleanup is more robust, decreasing the likelihood of leaving behind mostly-empty partitions from the old partition power. * Improved relinker progress logging, and started collecting progress information for swift-recon. * Cleanup is more robust to files and directories being deleted by another process. * The relinker better handles data found from earlier partition power increases. * The relinker better handles tombstones found for the same object but with different inodes. * The reconciler now defers working on policies that have a partition power increase in progress to avoid issues with concurrent writes. * Erasure coding fixes: * Added the ability to quarantine EC fragments that have no (or few) other fragments in the cluster. A new configuration option, `quarantine_threshold`, in the reconstructor controls the point at the fragment will be quarantined; the default (0) will never quarantine. Only fragments older than `quarantine_age` (default: `reclaim_age`) may be quarantined. Before quarantining, the reconstructor will attempt to fetch fragments from handoff nodes in addition to the usual primary nodes; a new `request_node_count` option (default `2 * replicas`) limits the total number of nodes to contact. * Added a delay before deleting non-durable data. A new configuration option, `commit_window` in the `[DEFAULT]` section of object-server.conf, adjusts this delay; the default is 60 seconds. This improves the durability of both back-dated PUTs (from the reconciler or container-sync, for example) and fresh writes to handoffs by preventing the reconstructor from deleting data that the object-server was still writing. * Improved proxy-server and object-reconstructor logging when data cannot be reconstructed. * Fixed an issue where some but not all fragments having metadata applied could prevent reconstruction of missing fragments. * Server-side copying of erasure-coded data to a replicated policy no longer copies EC sysmeta. The previous behavior had no material effect, but could confuse operators examining data on disk. * Python 3 fixes: * Fixed a server error when performing a PUT authorized via tempurl with some proxy pipelines. * Fixed a server error during GET of a symlink with some proxy pipelines. * Fixed an issue with logging setup when /dev/log doesn't exist or is not a UNIX socket. * The container-reconciler now scales out better with new `processes`, `process`, and `concurrency` options, similar to the object-expirer. * The dark-data audit watcher now skips objects younger than a new configurable `grace_age` period. This avoids issues where data could be flagged, quarantined, or deleted because of listing consistency issues. The default is one week. * The dark-data audit watcher now requires that all primary locations for an object's container agree that the data does not appear in listings to consider data "dark". Previously, a network partition that left an object node isolated could cause it to quarantine or delete all of its data. * More daemons now support systemd notify sockets. * `EPIPE` errors no longer log tracebacks. * The account and container auditors now log and update recon before going to sleep. * The object-expirer logs fewer client disconnects. * `swift-recon-cron` now includes the last time it was run in the recon information. * `EIO` errors during read now cause object diskfiles to be quarantined. * The formpost middleware now properly supports uploading multiple files with different content-types. * Various other minor bug fixes and improvements. swift (2.27.0, OpenStack Wallaby) * Added "audit watcher" hooks to allow operators to run arbitrary code against every diskfile in a cluster. For more information, see https://docs.openstack.org/swift/latest/development_watchers.html * Added support for system-scoped "reader" roles when authenticating using Keystone. Operators may configure this using the `system_reader_roles` option in the `[filter:keystoneauth]` section of their proxy-server.conf. A comparable group, `.reseller_reader`, is now available for development purposes when authenticating using tempauth. * Allow static large object segments to be deleted asynchronously. Operators may opt into this new behavior by enabling the new `allow_async_delete` option in the `[filter:slo]` section in their proxy-server.conf. For more information, see https://docs.openstack.org/swift/latest/overview_large_objects.html#deleting-a-large-object * Added the ability to connect to memcached over TLS. See the `tls_*` options in etc/memcache.conf-sample * The proxy-server now caches 'listing' shards, improving listing performance for sharded containers. A new config option, `recheck_listing_shard_ranges`, controls the cache time and defaults to 10 minutes; set it to 0 to disable caching (the previous behavior). * Added a new optional proxy-logging field `{wire_status_int}` for the status code returned to the client. For more information, see https://docs.openstack.org/swift/latest/logs.html#proxy-logs * Errors downloading a Static Large Object that cause a shorter-than-expected response are now logged as 500s. * Memcache client error-limiting is now configurable. See the `error_suppression_*` options in etc/memcache.conf-sample * Added `tasks_per_second` option to rate-limit the object-expirer. * Added `usedforsecurity` annotations for use on FIPS-compliant systems. * Added an option to write EC fragments with legacy CRC to ensure a smooth upgrade from liberasurecode<=1.5.0 to >=1.6.2. For more information, see https://bugs.launchpad.net/liberasurecode/+bug/1886088 * **Known Issue**: Operators should verify that encryption is not enabled in their reconciler pipelines; having it enabled there may harm data durability. For more information, see https://launchpad.net/bugs/1910804 * S3 API improvements: * Fixed a bug that prevented the s3api pipeline validation described in proxy-server.conf-sample from being performed. As documented, operators can disable this via the `auth_pipeline_check` option if proxy startup fails with validation errors. * Make allowable clock skew configurable, with a default value of 15 minutes to match AWS. Note that this was previously hardcoded at 5 minutes; operators may want to preserve the prior behavior by setting `allowable_clock_skew = 300` in the `[filter:s3api]` section of their proxy-server.conf. * Fixed an issue where SHA mismatches in client XML payloads would cause a server error. Swift now correctly responds with a client error about the bad digest. * Fixed an issue where non-base64 signatures would cause a server error. Swift now correctly responds with a client error about the invalid digest. * Container ACLs are now cloned to the `+segments` container when it is created. * The correct storage policy is now logged for S3 requests. * Added the ability to configure auth region in s3token middleware. * CORS-related headers are now passed through appropriately when using the S3 API. Note that allowed origins and other container metadata must still be configured through the Swift API as documented at https://docs.openstack.org/swift/latest/cors.html Preflight requests do not contain enough information to map a bucket to an account/container pair; a new cluster-wide option `cors_preflight_allow_origin` may be configured for such OPTIONS requests. The default (blank) rejects all S3 preflight requests. * Sharding improvements: * Prevent shard databases from losing track of their root database when deleted. * Prevent sharded root databases from being reclaimed to ensure that shards can detect that they have been deleted. * A `--no-auto-shard` option has been added to `swift-container-sharder`. * The sharder daemon has been enhanced to better support the shrinking of shards that are no longer required. Shard containers will now discover from their root container if they should be shrinking. They will also discover the shards into which they should shrink, which may include the root container itself. * A 'compact' command has been added to `swift-manage-shard-ranges` that enables sequences of contiguous shards with low object counts to be compacted into another existing shard, or into the root container. * `swift-manage-shard-ranges` can now accept a config file; this may be used to ensure consistency of threshold values with the container-sharder config. * Overlapping shrinking shards no longer generate audit warnings; these are expected to sometimes overlap. * The sharding progress reports in recon cache now continue to be included for a period of time after sharding has completed. The time period may be configured using the `recon_sharded_timeout` option in the `[container-sharder]` section of container-server.conf, and defaults to 12 hours. * Add root containers with compactible ranges to recon cache. * Expose sharding statistics in the backend recon middleware. * Replication improvements: * Fixed a race condition in ssync that could lead to a loss of data durability (or even loss of data, for two-replica policies) when some object servers have outdated rings. Replication via rsync is likely still affected by a similar bug. * Non-durable fragments can now be reverted from handoffs. * The post-rsync REPLICATE call no longer recalculates hashes immediately. * Hashes are no longer invalidated after a successful ssync; they were already invalidated during the data transfer. * Reduced log noise for common ssync errors. * Python 3 fixes: * Added support for Python 3.9. * Staticweb correctly handles listings when paths include non-ASCII characters. * S3 API now allows multipart uploads with non-ASCII characters in the object name. * Fixed an import-ordering issue in `swift-dispersion-populate`. * Partition power increase improvements: * Fixed a bug where stale state files would cause misplaced data during multiple partition power increases. * Removed a race condition that could cause newly-written data to not be linked into the new partition for the new partition power. * Improved safety during cleanup to ensure files have been relinked appropriately before unlinking. * Added an option to drop privileges when running the relinker as root. * Added an option to rate-limit how quickly data files are relinked or cleaned up. This may be used to reduce I/O load during partition power increases, improving end-user performance. * Rehash partitions during the partition power increase. Previously, we relied on the replication engine to perform the rehash, which could cause an unexpected I/O spike after a partition power increase. * Warn when relinking/cleaning up and any disks are unmounted. * Log progress per partition when relinking/cleaning up. * During clean-up, stop warning about tombstones that got reaped from the new location but not the old. * Added the ability to read options from object-server.conf, similar to background daemons. * Turned off thread-logging when monkey-patching with eventlet. This addresses a potential hang in the proxy-server while logging client disconnects. * Fixed a bug that could cause EC GET responses to return a server error. * Fixed an issue with `swift-drive-audit` when run around New Year's. * Server errors encountered when validating the first segment of a Static or Dynamic Large Object now return a 503 to the client, rather than a 409. * Errors when setting keys in memcached are now logged. This helps operators detect when shard ranges for caching have gotten too large to be stored, for example. * Various other minor bug fixes and improvements. swift (2.26.0, OpenStack Victoria) * Extend concurrent reads to erasure coded policies. Previously, the options `concurrent_gets` and `concurrency_timeout` only applied to replicated policies. * Add a new `concurrent_ec_extra_requests` option to allow the proxy to make some extra backend requests immediately. The proxy will respond as soon as there are enough responses available to reconstruct. * The concurrent read options (`concurrent_gets`, `concurrency_timeout`, and `concurrent_ec_extra_requests`) may now be configured per storage-policy. * Replication servers can now handle all request methods. This allows ssync to work with a separate replication network. * All background daemons now use the replication network. This allows better isolation between external, client-facing traffic and internal, background traffic. Note that during a rolling upgrade, replication servers may respond with `405 Method Not Allowed`. To avoid this, operators should remove the config option `replication_server = true` from their replication servers; this will allow them to handle all request methods before upgrading. * S3 API improvements: * Fixed some SignatureDoesNotMatch errors when using the AWS .NET SDK. * Add basic read support for object tagging. This improves compatibility with AWS CLI version 2. Write support is not yet implemented, so the tag set will always be empty. * CompleteMultipartUpload requests may now be safely retried. * Improved quota-exceeded error messages. * Improved logging and statsd metrics. Be aware that this will cause an increase in the proxy-logging statsd metrics emited for S3 responses. However, this should more accurately reflect the state of the system. * S3 requests are now less demanding on the container layer. * Python 3 bug fixes: * Fixed an error when reading encrypted data that was written while running Python 2 for a path that includes non-ASCII characters. This was caused by a difference in string types that resulted in ambiguity when decrypting. To prevent the ambiguity for new data, set `meta_version_to_write = 3` in your keymaster configuration after upgrading all proxy servers. If upgrading from Swift 2.20.0 or Swift 2.19.1 or earlier, set `meta_version_to_write = 1` in your keymaster configuration prior to upgrading. * Object expiration respects the `expiring_objects_container_divisor` config option. * `fallocate_reserve` may be specified as a percentage in more places. * The ETag-quoting middleware no longer raises TypeErrors. * Sharding improvements: * Prevent object updates from auto-creating shard containers. This ensures more consistent listings for sharded containers during rebalances. * Deleted shard containers are no longer considered root containers. This prevents unnecessary sharding audit failures and allows the deleted shard database to actually be unlinked. * `swift-container-info` now summarizes shard range information. Pass `-v`/`--verbose` if you want to see all of them. * Improved container-sharder stat reporting to reduce load on root container databases. * Don't inject shard ranges when user quits. * Servers now open one listen socket per worker, ensuring each worker serves roughly the same number of concurrent connections. * Server workers may now be gracefully terminated via `SIGHUP` or `SIGUSR1`. The parent process will then spawn a fresh worker. * During rebalances, clients should no longer get 404s for data that exists but whose replicas are overloaded. * Improved cache management for account and container responses. * Allow proxy-logging middlewares to be configured more independently. * Allow operators to pass either raw or URL-quoted paths to swift-get-nodes. Notably, this allows swift-get-nodes to work with the reserved namespace used for object versioning. * Container read ACLs now work with object versioning. This only allows access to the most-recent version via an unversioned URL. * Improved how containers reclaim deleted rows to reduce locking and object update throughput. * Large object reads log fewer client disconnects. * Allow ratelimit to be placed multiple times in a proxy pipeline, such as both before s3api and auth (to handle swift requests without needing to make an auth decision) and after (to limit S3 requests). * Shuffle object-updater work. This somewhat reduces the impact a single overloaded database has on other containers' listings. * Fix a proxy-server error when retrieving erasure coded data when there are durable fragments but not enough to reconstruct. * Fix an error in the proxy server when finalizing data. * Improve performance when increasing partition power. * Various other minor bug fixes and improvements. swift (2.25.1, ussuri stable backports) * Python 3 bug fixes: * Fixed an error when reading encrypted data that was written while running Python 2 for a path that includes non-ASCII characters. This was caused by a difference in string types that resulted in ambiguity when decrypting. To prevent the ambiguity for new data, set `meta_version_to_write = 3` in your keymaster configuration after upgrading all proxy servers. If upgrading from Swift 2.20.0 or Swift 2.19.1 or earlier, set `meta_version_to_write = 1` in your keymaster configuration prior to upgrading. * Object expiration respects the `expiring_objects_container_divisor` config option. * `fallocate_reserve` may be specified as a percentage in more places. * The ETag-quoting middleware no longer raises TypeErrors. * Improved how containers reclaim deleted rows to reduce locking and object update throughput. * Fix a proxy-server error when retrieving erasure coded data when there are durable fragments but not enough to reconstruct. * Fixed some SignatureDoesNotMatch errors when using the AWS .NET SDK. * Region name config option is now respected when configuring S3 credential caching. swift (2.25.0, OpenStack Ussuri) * WSGI server processes can now notify systemd when they are ready. * Added `ttfb` (Time to First Byte) and `pid` (Process ID) to the set of available proxy-server log fields. For more information, see https://docs.openstack.org/swift/latest/logs.html * Improved proxy-server performance by reducing unnecessary locking, memory copies, and eventlet scheduling. * Reduced object-replicator and object-reconstructor CPU usage by only checking that the device list is current when rings change. * Improved performance of sharded container listings when performing prefix listings. * Improved container-sync performance when data has already been deleted or overwritten. * Account quotas are now enforced even on empty accounts. * Getting an SLO manifest with `?format=raw` now responds with an ETag that matches the MD5 of the generated body rather than the MD5 of the manifest stored on disk. * Provide useful status codes in logs for some versioning and symlink subrequests that were previously logged as 499. * Fixed 500 from cname_lookup middleware. Previously, if the looked-up domain was used by domain_remap to update the request path, the server would respond Internal Error. * On Python 3, fixed an issue when reading or writing objects with a content-type like `message/*`. Previously, Swift would fail to respond. * On Python 3, fixed a RecursionError in swift-dispersion-report when using TLS. * Fixed a bug in the new object versioning API that would cause more than `limit` results to be returned when listing. * Various other minor bug fixes and improvements. swift (2.24.0) * Added a new object versioning mode, with APIs for querying and accessing old versions. For more information, see the documentation at https://docs.openstack.org/swift/latest/middleware.html#module-swift.common.middleware.versioned_writes.object_versioning * Added support for S3 versioning using the above new mode. * Added a new middleware to allow accounts and containers to opt-in to RFC-compliant ETags. This may be useful when using Swift as an origin for some content delivery networks. For more information, see the documentation at https://docs.openstack.org/swift/latest/middleware.html#module-swift.common.middleware.etag_quoter Clients should be aware of the fact that ETags may be quoted for RFC compliance; this may become the default behavior in some future release. * Proxy, account, container, and object servers now support "seamless reloads" via `SIGUSR1`. This is similar to the existing graceful restarts but keeps the server socket open the whole time, reducing service downtime. * New buckets created via the S3 API will now store multi-part upload data in the same storage policy as other data rather than the cluster's default storage policy. * Device region and zone can now be changed via `swift-ring-builder`. Note that this may cause a lot of data movement on the next rebalance as the builder tries to reach full dispersion. * Added support for Python 3.8. * The container sharder can now handle containers with special characters in their names. * Internal client no longer logs object DELETEs as status 499. * Objects with an `X-Delete-At` value in the far future no longer cause backend server errors. * The bulk extract middleware once again allows clients to specify metadata (including expiration timestamps) for all objects in the archive. * Container sync now synchronizes static symlinks in a way similar to static large objects. * `swift_source` is set for more sub-requests in the proxy-server. See https://docs.openstack.org/swift/latest/logs.html#swift-source * Errors encountered while validating static symlink targets no longer cause BadResponseLength errors in the proxy-server. * On Python 3, the KMS keymaster now works with secrets stored in Barbican with a text/plain payload-content-type. * On Python 3, the formpost middleware now works with unicode file names. * Several utility scripts now work better on Python 3: * swift-account-audit * swift-dispersion-populate * swift-drive-recon * swift-recon * On Python 3, certain S3 API headers are now lower case as they would be coming from AWS. * Per-service `auto_create_account_prefix` settings are now deprecated and may be ignored in a future release; if you need to use this, please set it in the `[swift-constraints]` section of /etc/swift/swift.conf. * Various other minor bug fixes and improvements. swift (2.23.3, train stable backports) * Sharding improvements: * Prevent object updates from auto-creating shard containers. This ensures more consistent listings for sharded containers during rebalances. * Deleted shard containers are no longer considered root containers. This prevents unnecessary sharding audit failures and allows the deleted shard database to actually be unlinked. * The sharder daemon has been enhanced to better support the shrinking of shards that are no longer required. Shard containers will now discover from their root container if they should be shrinking. They will also discover the shards into which they should shrink, which may include the root container itself. * Improved performance of sharded container listings when performing prefix listings. * Improved container-sharder stat reporting to reduce load on root container databases. * The container sharder can now handle containers with special characters in their names. * `swift-container-info` now summarizes shard range information. Pass `-v`/`--verbose` if you want to see all of them. * Don't inject shard ranges when user quits. * Various other minor bug fixes and improvements. * Python 3 bug fixes: * Fixed a potential server error when uploading data via a tempurl. * Fixed a potential server error when getting symlink details. * Added the ability to connect to memcached over TLS. See the `tls_*` options in etc/memcache.conf-sample swift (2.23.2, train stable backports) * Python 3 bug fixes: * Fixed an error when reading encrypted data that was written while running Python 2 for a path that includes non-ASCII characters. This was caused by a difference in string types that resulted in ambiguity when decrypting. To prevent the ambiguity for new data, set `meta_version_to_write = 3` in your keymaster configuration after upgrading all proxy servers. If upgrading from Swift 2.20.0 or Swift 2.19.1 or earlier, set `meta_version_to_write = 1` in your keymaster configuration prior to upgrading. * Fixed an issue when reading or writing objects with a content-type like `message/*`. Previously, Swift would fail to respond. * Object expiration respects the `expiring_objects_container_divisor` config option. * `fallocate_reserve` may be specified as a percentage in more places. * The formpost middleware now works with unicode file names. * Certain S3 API headers are now lower case as they would be coming from AWS. * Improved how containers reclaim deleted rows to reduce locking and object update throughput. * Fix a proxy-server error when retrieving erasure coded data when there are durable fragments but not enough to reconstruct. * Fixed 500 from cname_lookup middleware. Previously, if the looked-up domain was used by domain_remap to update the request path, the server would respond Internal Error. * The bulk extract middleware once again allows clients to specify metadata (including expiration timestamps) for all objects in the archive. * Errors encountered while validating static symlink targets no longer cause BadResponseLength errors in the proxy-server. * Fixed some SignatureDoesNotMatch errors when using the AWS .NET SDK. * Various other minor bug fixes and improvements. swift (2.23.1, train stable backports) * On Python 3, the KMS keymaster now works with secrets stored in Barbican with a text/plain payload-content-type. * Several utility scripts now work better on Python 3: * swift-account-audit * swift-dispersion-populate * swift-drive-recon * swift-recon swift (2.23.0, OpenStack Train) * Python 3.6 and 3.7 are now fully supported. Several py3-related fixes are included: * Removed a request-smuggling vector when running a mixed py2/py3 cluster. * Allow fallocate_reserve to be specified as a percentage. * Fixed listings for sharded containers. * Fixed non-ASCII account metadata handling. * Fixed rsync output parsing. * Fixed some title-casing of headers. If you've been testing Swift on Python 3, upgrade at your earliest convenience. * Added "static symlinks", which perform some validation as they follow redirects and include more information about their target in container listings. * Multi-character strings may now be used as delimiters in account and container listings. * Sharding improvements * Container metadata related to sharding are now removed when no longer needed. * Empty container databases (such as might be created on handoffs) now shard much more quickly. * The proxy-server now ignores 404 responses from handoffs that have no data when deciding on the correct response for object requests, similar to what it already does for account and container requests. * Static Large Object sizes in listings for versioned containers are now more accurate. * When refetching Static Large Object manifests, non-manifest responses are now handled better. * S3 API now translates 503 Service Unavailable responses to a more S3-like response instead of raising an error. * Improved proxy-to-backend requests to be more RFC-compliant. * Dependency update: eventlet must be at least 0.25.0. This also dragged forward minimum-supported versions of dnspython (1.15.0), greenlet (0.3.2), and six (1.10.0). * Various other minor bug fixes and improvements. swift (2.22.0) * Experimental support for Python 3.6 and 3.7 is now available. Note that this requires eventlet>=0.25.0. All unit tests pass, and running functional tests under Python 2 will pass against services running under Python 3. Expect full support in the next minor release. * Log formats are now more configurable and include support for anonymization. See the log_msg_template option in proxy-server.conf and https://docs.openstack.org/swift/latest/logs.html#proxy-logs for more information. * Added an operator tool, swift-container-deleter, to asynchronously delete some or all objects in a container using the object expirers. * Swift-all-in-one Docker images are now built and published to https://hub.docker.com/r/openstackswift/saio. These are intended for use as development targets, but will hopefully be useful as a starting point for other work involving containerizing Swift. * The object-expirer may now be configured in object-server.conf. This is in anticipation of a future change to allow the object-expirer to be deployed on all nodes that run object-servers. * Correctness improvements * The proxy-server now ignores 404 responses from handoffs without databases when deciding on the correct response for account and container requests. * Object writes to a container whose existence cannot be verified now 503 instead of 404. * Sharding improvements * The container-replicator now only attempts to fetch shard ranges if the remote indicates that it has shard ranges. Further, it does so with a timeout to prevent the process from hanging in certain cases. * The proxy-server now caches 'updating' shards, improving write performance for sharded containers. A new config option, `recheck_updating_shard_ranges`, controls the cache time; set it to 0 to disable caching. * The container-replicator now correctly enqueues container-reconciler work for sharded containers. * S3 API improvements * Unsigned payloads work with v4 signatures once more. * Multipart upload parts may now be copied from other multipart uploads. * CompleteMultipartUpload requests with a Content-MD5 now work. * Content-Type can now be updated when copying an object. * Fixed v1 listings that end with a non-ASCII object name. * Background corruption-detection improvements * Detect and remove invalid entries from hashes.pkl * When object path is not a directory, just quarantine it, rather than the whole suffix. * Dependency updates: we've increased our minimum supported version of cryptography to 2.0.2 and netifaces to 0.8. This is largely due to the difficulty of continuing to test with the old versions. If running Swift under Python 3, eventlet must be at least 0.25.0. * Various other minor bug fixes and improvements. swift (2.21.1, stein stable backports) * Sharding improvements * The container-replicator now only attempts to fetch shard ranges if the remote indicates that it has shard ranges. Further, it does so with a timeout to prevent the process from hanging in certain cases. * The container-replicator now correctly enqueues container-reconciler work for sharded containers. * Container metadata related to sharding are now removed when no longer needed. * S3 API improvements * Unsigned payloads work with v4 signatures once more. * Multipart upload parts may now be copied from other multipart uploads. * CompleteMultipartUpload requests with a Content-MD5 now work. * Content-Type can now be updated when copying an object. * Fixed v1 listings that end with a non-ASCII object name. * Background corruption-detection improvements * Detect and remove invalid entries from hashes.pkl * When object path is not a directory, just quarantine it, rather than the whole suffix. * Static Large Object sizes in listings for versioned containers are now more accurate. * When refetching Static Large Object manifests, non-manifest responses are now handled better. * Cross-account symlinks now store correct account information in container listings. This was previously fixed in 2.22.0. * Requesting multiple ranges from a Dynamic Large Object now returns the entire object instead of incorrect data. This was previously fixed in 2.23.0. * When making backend requests, the proxy-server now ensures query parameters are always properly quoted. Previously, the proxy would encounter an error on Python 2.7.17 if the client included non-ASCII query parameters in object requests. This was previously fixed in 2.23.0. swift (2.21.0, OpenStack Stein) * Change the behavior of the EC reconstructor to perform a fragment rebuild to a handoff node when a primary peer responds with 507 to the REPLICATE request. This changes EC to match the existing behavior of replication when drives fail. After a rebalance of EC rings (potentially removing unmounted/failed devices), it's most IO efficient to run in handoffs_only mode to avoid unnecessary rebuilds. * O_TMPFILE support is now detected by attempting to use it instead of looking at the kernel version. This allows older kernels with backported patches to take advantage of the O_TMPFILE functionality. * Add slo_manifest_hook callback to allow other middlewares to impose additional constraints on or make edits to SLO manifests before being written. For example, a middleware could enforce minimum segment size or insert data segments. * Fixed an issue with multi-region EC policies that caused the EC reconstructor to constantly attempt cross-region rebuild traffic. * Fixed an issue where S3 API v4 signatures would not be validated against the body of the request, allowing a replay attack if request headers were captured by a malicious third party. * Display crypto data/metadata details in swift-object-info. * formpost can now accept a content-encoding parameter. * Fixed an issue where multipart uploads with the S3 API would sometimes report an error despite all segments being upload successfully. * Multipart object segments are now actually deleted when the multipart object is deleted via the S3 API. * Swift now returns a 503 (instead of a 500) when an account auto-create fails. * Fixed a bug where encryption would store the incorrect key metadata if the object name starts with a slash. * Fixed an issue where an object server failure during a client download could leave an open socket between the proxy and client. * Fixed an issue where deleted EC objects didn't have their on-disk directories cleaned up. This would cause extra resource usage on the object servers. * Fixed issue where bulk requests using xml and expect 100-continue would return a malformed HTTP response. * Various other minor bug fixes and improvements. swift (2.20.0) * S3 API compatibility updates * Swift can now cache the S3 secret from Keystone to use for subsequent requests. This functionality is disabled by default but can be enabled by setting the `secret_cache_duration` in the s3token section of the proxy server config to a number greater than 0. * s3api now mimics the AWS S3 behavior of periodically sending whitespace characters on a Complete Multipart Upload request to keep the connection from timing out. Note that since a request could fail after the initial 200 OK response has been sent, it is important to check the response body to determine if the request succeeded. * s3api now properly handles x-amz-metadata-directive headers on COPY operations. * s3api now uses concurrency (default 2) to handle multi-delete requests. This allows multi-delete requests to be processed much more quickly. * s3api now mimics some forms of AWS server-side encryption based on whether Swift's at-rest encryption functionality is enabled. Note that S3 API users are now able to know more about how the cluster is configured than they were previously, ie knowledge of encryption at-rest functionality being enabled or not. * s3api responses now include a '-' in multipart ETags. For new multipart-uploads via the S3 API, the ETag that is stored will be calculated in the same way that AWS uses. This ETag will be used in GET/HEAD responses, bucket listings, and conditional requests via the S3 API. Accessing the same object via the Swift API will use the SLO Etag; however, in JSON container listings the multipart upload etag will be exposed in a new "s3_etag" key. Previously, some S3 clients would complain about download corruption when the ETag did not have a '-'. * S3 ETag for SLOs now include a '-'. Ordinary objects in S3 use the MD5 of the object as the ETag, just like Swift. Multipart Uploads follow a different format, notably including a dash followed by the number of segments. To that end (and for S3 API requests *only*), SLO responses via the S3 API have a literal '-N' added on the end of the ETag. * The default location is now set to "us-east-1". This is more likely to be the default region that a client will try when using v4 signatures. Deployers with clusters that relied on the old implicit default location of "US" should explicitly set `location = US` in the `[filter:s3api]` section of proxy-server.conf before upgrading. * Add basic support for ?versions bucket listings. We still do not have support for toggling S3 bucket versioning, but we can at least support getting the latest versions of all objects. * Fixed an issue with SSYNC requests to ensure that only one request can be running on a partition at a time. * Data encryption updates * The kmip_keymaster middleware can now be configured directly in the proxy-server config file. The existing behavior of using an external config file is still supported. * Multiple keymaster middlewares are now supported. This allows migration from one key provider to another. Note that secret_id values must remain unique across all keymasters in a given pipeline. If they are not unique, the right-most keymaster will take precedence. When looking for the active root secret, only the right-most keymaster is used. * Prevent PyKMIP's kmip_protocol logger from logging at DEBUG. Previously, some versions of PyKMIP would include all wire data when the root logger was configured to log at DEBUG; this could expose key material in logs. Only the kmip_keymaster was affected. * Fixed an issue where a failed drive could prevent the container sharder from making progress. * Storage policy definitions in swift.conf can now define the diskfile to use to access objects. See the included swift.conf-sample file for a description of usage. * The EC reconstructor will now attempt to remove empty directories immediately, while the inodes are still cached, rather than waiting until the next run. * Added a keep_idle config option to configure KEEPIDLE time for TCP sockets. The default value is the old constant of 600. * Add databases_per_second to the account-replicator, container-replicator, and container-sharder. This prevents them from using a full CPU core when they are not IO limited. * Allow direct_client users to overwrite the X-Timestamp header. * Various other minor bug fixes and improvements. swift (2.19.2, rocky stable backports) * Sharding improvements * The container-replicator now only attempts to fetch shard ranges if the remote indicates that it has shard ranges. Further, it does so with a timeout to prevent the process from hanging in certain cases. * The container-replicator now correctly enqueues container-reconciler work for sharded containers. * S3 API improvements * Fixed an issue where v4 signatures would not be validated against the body of the request, allowing a replay attack if request headers were captured by a malicious third party. Note that unsigned payloads still function normally. * CompleteMultipartUpload requests with a Content-MD5 now work. * Fixed v1 listings that end with a non-ASCII object name. * Multipart object segments are now actually deleted when the multipart object is deleted via the S3 API. * Fixed an issue that caused Delete Multiple Objects requests with large bodies to 400. This was previously fixed in 2.20.0. * Fixed an issue where non-ASCII Keystone EC2 credentials would not get mapped to the correct account. This was previously fixed in 2.20.0. * Background corruption-detection improvements * Detect and remove invalid entries from hashes.pkl * When object path is not a directory, just quarantine it, rather than the whole suffix. * Fixed a bug where encryption would store the incorrect key metadata if the object name starts with a slash. * Fixed an issue where an object server failure during a client download could leave an open socket between the proxy and client. * Static Large Object sizes in listings for versioned containers are now more accurate. * When refetching Static Large Object manifests, non-manifest responses are now handled better. * Cross-account symlinks now store correct account information in container listings. This was previously fixed in 2.22.0. * Requesting multiple ranges from a Dynamic Large Object now returns the entire object instead of incorrect data. This was previously fixed in 2.23.0. * When making backend requests, the proxy-server now ensures query parameters are always properly quoted. Previously, the proxy would encounter an error on Python 2.7.17 if the client included non-ASCII query parameters in object requests. This was previously fixed in 2.23.0. swift (2.19.1, rocky stable backports) * Prevent PyKMIP's kmip_protocol logger from logging at DEBUG. Previously, some versions of PyKMIP would include all wire data when the root logger was configured to log at DEBUG; this could expose key material in logs. Only the kmip_keymaster was affected. * Fixed an issue where a failed drive could prevent the container sharder from making progress. * Fixed a bug in how Swift uses eventlet that was exposed under high concurrency. swift (2.19.0, OpenStack Rocky) * TempURLs now support IP range restrictions. Please see https://docs.openstack.org/swift/latest/middleware.html#client-usage for more information on how to use this additional restriction. * Add support for multiple root encryption secrets for the trivial and KMIP keymasters. This allows operators to rotate encryption keys over time without needing to re-encrypt all existing data in the cluster. Please see the included sample config files for instructions on how to multiple encryption keys. * The object updater now supports two configuration settings: "concurrency" and "updater_workers". The latter controls how many worker processes are spawned, while the former controls how many concurrent container updates are performed by each worker process. This should speed the processing of async_pendings. On upgrade, a node configured with concurrency=N will still handle async updates N-at-a-time, but will do so using only one process instead of N. If you have a config file like this: [object-updater] concurrency = and you want to take advantage of faster updates, then do this: [object-updater] concurrency = 8 # the default; you can omit this line updater_workers = If you want updates to be processed exactly as before, do this: [object-updater] concurrency = 1 updater_workers = * When listing objects in a container in json format, static large objects (SLOs) will now include an additional new "slo_etag" key that matches the etag returned when requesting the SLO. The existing "hash" key remains unchanged as the MD5 of the SLO manifest. Text and XML listings are unaffected by this change. * Log deprecation warnings for `run_pause`. This setting was deprecated in Swift 2.4.0 and is replaced by `interval`. It may be removed in a future release. * Object reconstructor logs are now prefixed with information about the specific worker process logging the message. This makes reading the logs and understanding the messages much simpler. * Lower bounds of dependencies have been updated to reflect what is actually tested. * SSYNC replication mode now removes as much of the directory structure as possible as soon at it observes that the directory is empty. This reduces the work needed for subsequent replication passes. * The container-updater now reports zero objects and bytes used for child DBs in sharded containers. This prevents double-counting in utilization reports. * Add fallocate_reserve to account and container servers. This allows disks shared between account/container and object rings to avoid getting 100% full. The default value of 1% matches the existing default on object servers. * Added an experimental `swift-ring-composer` CLI tool to build composite rings. * Added an optional `read_only` middleware to make an entire cluster or individual accounts read only. * Fixed a bug where zero-byte PUTs would not work properly with "If-None-Match: *" conditional requests. * ACLs now work with unicode in user/account names. * COPY now works with unicode account names. * Improved S3 API compatibility. * Lock timeouts in the container updater are now logged at INFO level, not ERROR. * Various other minor bug fixes and improvements. swift (2.18.0) * Added container sharding, an operator controlled feature that may be used to shard very large container databases into a number of smaller shard containers. This mitigates the issues with one large DB by distributing the data across multiple smaller databases throughout the cluster. Please read the full overview at https://docs.openstack.org/swift/latest/overview_container_sharding.html * Provide an S3 API compatibility layer. The external "swift3" project has been imported into Swift's codebase as the "s3api" middleware. * Added "emergency mode" hooks in the account and container replicators. These options may be used to prioritize moving handoff partitions to primary locations more quickly. This helps when adding capacity to a ring. - Added `-d ` and `-p ` command line options. - Added a handoffs-only mode. * Add a multiprocess mode to the object replicator. Setting the "replicator_workers" setting to a positive value N will result in the replicator using up to N worker processes to perform replication tasks. At most one worker per disk will be spawned. Worker process logs will have a bit of information prepended so operators can tell which messages came from which worker. The prefix is "[worker M/N pid=P] ", where M is the worker's index, N is the total number of workers, and P is the process ID. Every message from the replicator's logger will have the prefix * The object reconstructor will now fork all available worker processes when operating on a subset of local devices. * Add support for PROXY protocol v1 to the proxy server. This allows the Swift proxy server to log accurate client IP addresses when there is a proxy or SSL-terminator between the client and the Swift proxy server. Example servers supporting this PROXY protocol include stunnel, haproxy, hitch, and varnish. See the sample proxy server config file for the appropriate config setting to enable or disable this functionality. * In the ratelimit middleware, account whitelist and blacklist settings have been deprecated and may be removed in a future release. When found, a deprecation message will be logged. Instead of these config file values, set X-Account-Sysmeta- Global-Write-Ratelimit:WHITELIST and X-Account-Sysmeta-Global- Write-Ratelimit:BLACKLIST on the particular accounts that need to be whitelisted or blacklisted. System metadata cannot be added or modified by standard clients. Use the internal client to set sysmeta. * Add a --drop-prefixes flag to swift-account-info, swift-container-info, and swift-object-info. This makes the output between the three more consistent. * statsd error messages correspond to 5xx responses only. This makes monitoring more useful because actual errors (5xx) will not be hidden by common user requests (4xx). Previously, some 4xx responses would be included in timing information in the statsd error messages. * Truncate error logs to prevent log handler from running out of buffer. * Updated requirements.txt to match global exclusions and formatting. * tempauth user names now support unicode characters. * Various other minor bug fixes and improvements. swift (2.17.1, queens stable backports) * Fix SLO delete for accounts with non-ASCII names. * Fixed an issue in COPY where concurrent requests may have copied the wrong data. * Fixed a bug in how Swift uses eventlet that was exposed under high concurrency. swift (2.17.0, OpenStack Queens) * Added symlink objects support. Symlink objects reference one other object. They are created by creating an empty object with an X-Symlink-Target header. The value of the header is of the format /, and the target does not need to exist at the time of symlink creation. Cross-account symlinks can be created by including the X-Symlink-Target-Account header. GET and HEAD requests to a symlink will operate on the referenced object and require appropriate permission in the target container. DELETE and PUT requests will operate on the symlink object itself. POST requests are not forwarded to the referenced object. POST requests sent to a symlink will result in a 307 Temporary Redirect response. * Added support for inline data segments in SLO manifests. Upgrade impact: during a rolling upgrade, an updated proxy server may write a manifest that an out-of-date proxy server will not be able to read. This will resolve itself once the upgrade completes on all nodes. * The tempurl digest algorithm is now configurable, and Swift added support for both SHA-256 and SHA-512. Supported tempurl digests are exposed to clients in `/info`. Additionally, tempurl signatures can now be base64 encoded. * Object expiry improvements - Disallow X-Delete-At header values equal to the X-Timestamp header. - X-Delete-At computation now uses X-Timestamp instead of system time. This prevents clock skew causing inconsistent expiry data. - Deleting an expiring object will now cause less work in the system. The number of async pending files written has been reduced for all objects and greatly reduced for erasure-coded objects. This dramatically reduces the burden on container servers. - Stopped logging tracebacks when receiving an unexpected response. - Allow the expirer to gracefully move past updating stale work items. * When the object auditor examines an object, it will now add any missing metadata checksums. * `swift-ring-builder` improvements - Save the ring when dispersion improves, even if balance doesn't improve. - Improved the granularity of the ring dispersion metric so that small improvements after a rebalance can show changes in the dispersion number. Dispersion in existing and new rings can be recalculated using the new '--recalculate' option to `swift-ring-builder`. - Display more info on empty rings. * Fixed rare socket leak on range requests to erasure-coded objects. * The number of container updates on object PUTs (ie to update listings) has been recomputed to be far more efficient while maintaining durability guarantees. Specifically, object PUTs to erasure-coded policies will now normally result in far fewer container updates. * Moved Zuul v3 tox jobs into the Swift code repo. * Changed where liberasurecode-devel for CentOS 7 is referenced and installed as a dependency. * Added container/object listing with prefix to InternalClient. * Added '--swift-versions' to `swift-recon` CLI to compare installed versions in the cluster. * Stop logging tracebacks in the `object-replicator` when it runs out of handoff locations. * Send ETag header in 206 Partial Content responses to SLO reads. * Now `swift-recon-cron` works with conf.d configs. * Improved `object-updater` stats logging. It now tells you all of its stats (successes, failures, quarantines due to bad pickles, unlinks, and errors), and it tells you incremental progress every five minutes. The logging at the end of a pass remains and has been expanded to also include all stats. * If a proxy server is configured to autocreate accounts and the account create fails, it will now return a server error (500) instead of Not Found (404). * Fractional replicas are no longer allowed for erasure code policies. * Various other minor bug fixes and improvements. swift (2.16.0) * Add checksum to object extended attributes. * Let clients request heartbeats during SLO PUTs by including the query parameter `heartbeat=on`. With heartbeating turned on, the proxy will start its response immediately with 202 Accepted then send a single whitespace character periodically until the request completes. At that point, a final summary chunk will be sent which includes a "Response Status" key indicating success or failure and (if successful) an "Etag" key indicating the Etag of the resulting SLO. * Added support for retrieving the encryption root secret from an external key management system. In practice, this is currently limited to Barbican. * Move listing formatting out to a new proxy middleware named `listing_formats`. `listing_formats` should be just right of the first proxy-logging middleware, and left of most other middlewares. If it is not already present, it will be automatically inserted for you. Note: if you have a custom middleware that makes account or container listings, it will only receive listings in JSON format. * Log deprecation warning for `allow_versions` in the container server config. Configure the `versioned_writes` middleware in the proxy server instead. This option will be ignored in a future release. * Replaced `replication_one_per_device` by custom count defined by `replication_concurrency_per_device`. The original config value is deprecated, but continues to function for now. If both values are defined, the old `replication_one_per_device` is ignored. * Fixed a rare issue where multiple backend timeouts could result in bad data being returned to the client. * Cleaned up logged tracebacks when talking to memcached servers. * Account and container replication stats logs now include `remote_merges`, the number of times a whole database was sent to another node. * Respond 400 Bad Request when Accept headers fail to parse instead of returning 406 Not Acceptable. * The `domain_remap` middleware now supports the `mangle_client_paths` option. Its default "false" value changes `domain_remap` parsing to stop stripping the `path_root` value from URL paths. If users depend on this path mangling, operators should set `mangle_client_paths` to "True" before upgrading. * Remove `swift-temp-url` script. The functionality has been in swiftclient for a long time and this script has been deprecated since 2.10.0. * Removed all `post_as_copy` related code and configs. The option has been deprecated since 2.13.0. * Fixed XML responses (eg on bulk extractions and SLO upload failures) to be more correct. The enclosing "delete" tag was removed where it doesn't make sense and replaced with "extract" or "upload" depending on the context. * Static Large Object (SLO) manifest may now (again) have zero-byte last segments. * Fixed an issue where background consistency daemon child processes would deadlock waiting on the same file descriptor. * Removed a race condition where a POST to an SLO could modify the X-Static-Large-Object metadata. * Accept a trade off of dispersion for balance in the ring builder that will result in getting to balanced rings much more quickly in some cases. * Fixed using `swift-ring-builder set_weight` with more than one device. * When requesting objects, return 404 if a tombstone is found and is newer than any data found. Previous behavior was to return stale data. * Various other minor bug fixes and improvements. swift (2.15.2, pike stable backports) * Fixed a cache invalidation issue related to GET and PUT requests to containers that would occasionally cause object PUTs to a container to 404 after the container had been successfully created. * Removed a race condition where a POST to an SLO could modify the X-Static-Large-Object metadata. * Fixed rare socket leak on range requests to erasure-coded objects. * Fix SLO delete for accounts with non-ASCII names. * Fixed an issue in COPY where concurrent requests may have copied the wrong data. * Fixed time skew when using X-Delete-After. * Send ETag header in 206 Partial Content responses to SLO reads. swift (2.15.1, OpenStack Pike) * Fixed a bug introduced in 2.15.0 where the object reconstructor would exit with a traceback if no EC policy was configured. * Fixed deadlock when logging from a tpool thread. The object server runs certain IO-intensive methods outside the main pthread for performance. Previously, if one of those methods tried to log, this can cause a crash that eventually leads to an object server with hundreds or thousands of greenthreads, all deadlocked. The fix is to use a mutex that works across different greenlets and different pthreads. * The object reconstructor can now rebuild an EC fragment for an expired object. * Various other minor bug fixes and improvements. swift (2.15.0) * Add Composite Ring Functionality A composite ring comprises two or more component rings that are combined to form a single ring with a replica count equal to the sum of the component rings. The component rings are built independently, using distinct devices in distinct regions, which means that the dispersion of replicas between the components can be guaranteed. Composite rings can be used for explicit replica placement and "replicated EC" for global erasure codes policies. Composite rings support 'cooperative' rebalance which means that during rebalance all component rings will be consulted before a partition is moved in any component ring. This avoids the same partition being simultaneously moved in multiple components. We do not yet have CLI tools for creating composite rings, but the functionality has been enabled in the ring modules to support this advanced functionality. CLI tools will be delivered in a subsequent release. For further information see the docs at * The EC reconstructor process has been dramatically improved by adding support for multiple concurrent workers. Multiple processes are required to get high concurrency, and this change results in much faster rebalance times on servers with many drives. Currently the default is still only one process, and no workers. Set `reconstructor_workers` in the `[object-reconstructor]` section to some whole number <= the number of devices on a node to get that many reconstructor workers. * Add support to increase object ring partition power transparently to end users and with no cluster downtime. Increasing the ring partition power allows for incremental adjustment to the upper bound of the cluster size. Please review the full docs at . * Added support for per-policy proxy config options. This allows per-policy affinity options to be set for use with duplicated EC policies and composite rings. Certain options found in per-policy conf sections will override their equivalents that may be set in the [app:proxy-server] section. Currently the options handled that way are sorting_method, read_affinity, write_affinity, write_affinity_node_count, and write_affinity_handoff_delete_count. * Enabled versioned writes on Dynamic Large Objects (DLOs). * Write-affinity aware object deletion Previously, when deleting objects in multi-region swift deployment with write affinity configured, users always get 404 when deleting object before it's replicated to appropriate nodes. Now Swift will use `write_affinity_handoff_delete_count` to define how many local handoff nodes should swift send request to get more candidates for the final response. The default value "auto" means Swift will calculate the number automatically based on the number of replicas and current cluster topology. * Require that known-bad EC schemes be deprecated Erasure-coded storage policies using isa_l_rs_vand and nparity >= 5 must be configured as deprecated, preventing any new containers from being created with such a policy. This configuration is known to harm data durability. Any data in such policies should be migrated to a new policy. See https://bugs.launchpad.net/swift/+bug/1639691 for more information * Optimize the Erasure Code reconstructor protocol to reduce IO load on servers. * Fixed a bug where SSYNC would fail to replicate unexpired object. * Fixed a bug in domain_remap when obj starts/ends with slash. * Fixed a socket leak in copy middleware when a large object was copied. * Fixed a few areas where the `swiftdir` option was not respected. * `swift-recon` now respects storage policy aliases. * cname_lookup middleware now accepts a `nameservers` config variable that, if defined, will be used for DNS lookups instead of the system default. * Make mount_check option usable in containerized environments by adding a check for an ".ismount" file at the root directory of a device. * Remove deprecated `vm_test_mode` option. * The object and container server config option `slowdown` has been deprecated in favor of the new `objects_per_second` and `containers_per_second` options. * The output of devices from `swift-ring-builder` has been reordered by region, zone, ip, and device. * Imported docs content from openstack-manuals project. * Various other minor bug fixes and improvements. swift (2.14.0) * Fixed error where a container drive error resulted in double space usage on rest drives. When drive with container or account database is unmounted, the bug would create handoff replicas on all remaining drives, increasing the drive space used and filling the cluster. * Fixed UnicodeDecodeError in the object reconstructor that would prevent objects with non-ascii names from being reconstructed and caused the reconstructor process to hang. * EC Fragment Duplication - Foundational Global EC Cluster Support. * Fixed encoding issue in ssync where a mix of ascii and non-ascii metadata values would cause an error. * `name_check` and `cname_lookup` keys have been added to `/info`. * Add Vary: headers for CORS responses. * Always set Swift processes to use UTC. * Prevent logged traceback in object-server on client disconnect for chunked transfers to replicated policies. * Removed per-device reconstruction stats. Now that the reconstructor is shuffling parts before going through them, those stats no longer make sense. * Log correct status code for conditional requests. * Drop support for auth-server from common/manager.py and `swift-init`. * Include received fragment index in reconstructor log warnings. * Fixed a race condition in updating hashes.pkl where a partition suffix invalidation may have been skipped. * `domain_remap` now accepts a list of domains in "storage_domain". * Do not follow CNAME when host is in storage_domain. * Enable cluster-wide CORS Expose-Headers setting via "cors_expose_headers". * Cache all answers from nameservers in cname_lookup. * Log the correct request type of a subrequest downstream of copy. * Various other minor bug fixes and improvements. swift (2.13.0, OpenStack Ocata) * Improvements in key parts of the consistency engine - Improved performance by eliminating an unneeded directory structure hash. - Optimized the common case for hashing filesystem trees, thus eliminating a lot of extraneous disk I/O. - Updated the `hashes.pkl` file format to include timestamp information for race detection. Also simplified hashing logic to prevent race conditions and optimize for the common case. - The erasure code reconstructor will now shuffle work jobs across all disks instead of going disk-by-disk. This eliminates single-disk I/O contention and allows continued scaling as concurrency is increased. - Erasure code reconstruction handles moving data from handoff nodes better. Instead of moving the data to another handoff, it waits until it can be moved to a primary node. Upgrade Impact: If you upgrade and roll back, you must delete all `hashes.pkl` files. * If using erasure coding with ISA-L in rs_vand mode and 5 or more parity fragments, Swift will emit a warning. This is a configuration that is known to harm data durability. In a future release, this warning will be upgraded to an error unless the policy is marked as deprecated. All data in an erasure code storage policy using isa_l_rs_vand with 5 or more parity should be migrated as soon as possible. Please see https://bugs.launchpad.net/swift/+bug/1639691 for more information. * The erasure code reconstructor `handoffs_first` option has been deprecated in favor of `handoffs_only`. `handoffs_only` is far more useful, and just like `handoffs_first` mode in the replicator, it gives the operator the option of forcing the consistency engine to focus solely on revert (handoff) jobs, thus improving the speed of rebalances. The `handoffs_only` behavior is somewhat consistent with the replicator's `handoffs_first` option (any error on any handoff in the replicator will make it essentially handoff only forever) but the `handoff_only` option does what you want and is named correctly in the reconstructor. * The default for `object_post_as_copy` has been changed to False. The option is now deprecated and will be removed in a future release. If your cluster is still running with post-as-copy enabled, please update it to use the "fast-post" method. Future versions of Swift will not support post-as-copy, and future features will not be supported under post-as-copy. ("Fast-post" is where `object_post_as_copy` is false). * Temporary URLs now support one common form of ISO 8601 timestamps in addition to Unix seconds-since-epoch timestamps. The ISO 8601 format accepted is '%Y-%m-%dT%H:%M:%SZ'. This makes TempURLs more user-friendly to produce and consume. * Listing containers in accounts with json or xml now includes a `last_modified` time. This does not change any on-disk data, but simply exposes the value to offer consistency with the object listings on containers. * Fixed a bug where the ring builder would not allow removal of a device when min_part_seconds_left was greater than zero. * PUT subrequests generated from a client-side COPY will now properly log the SSC (server-side copy) Swift source field. See https://docs.openstack.org/swift/latest/logs.html#swift-source for more information. * Fixed a bug where an SLO download with a range request may have resulted in a 5xx series response. * SLO manifest PUT requests can now be properly validated by sending an ETag header of the md5 sum of the concatenated md5 sums of the referenced segments. * Fixed the stats calculation in the erasure code reconstructor. * Rings with min_part_hours set to zero will now only move one partition replica per rebalance, thus matching behavior when min_part_hours is greater than zero. * I/O priority is now supported on AArch64 architecture. * Various other minor bug fixes and improvements. swift (2.12.0) * Ring files now include byteorder information about the endian of the machine used to generate the file, and the values are appropriately byteswapped if deserialized on a machine with a different endianness. Newly created ring files will be byteorder agnostic, but previously generated ring files will still fail on different endian architectures. Regenerating older ring files will cause them to become byteorder agnostic. The regeneration of the ring files will not cause any new data movement. Newer ring files will still be usable by older versions of Swift (on machines with the same endianness--this maintains existing behavior). * All 416 responses will now include a Content-Range header with an unsatisfied-range value. This allows the caller to know the valid range request value for an object. * TempURLs now support a validation against a common prefix. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. * Correctly handle deleted files with if-none-match requests. * Correctly send 412 Precondition Failed if a user sends an invalid copy destination. Previously Swift would send a 500 Internal Server Error. * In SLO manifests, the `etag` and `size_bytes` keys are now fully optional and not required. Previously, the keys needed to exist but the values were optional. The only required key is `path`. * Fixed a rare infinite loop in `swift-ring-builder` while placing parts. * Ensure update of the container by object-updater, removing a rare possibility that objects would never be added to a container listing. * Fixed non-deterministic suffix updates in hashes.pkl where a partition may be updated much less often than expected. * Fixed regression in consolidate_hashes that occurred when a new file was stored to new suffix to a non-empty partition. This bug was introduced in 2.7.0 and could cause an increase in rsync replication stats during and after upgrade, due to inconsistent hashing of partition suffixes. * Account and container databases will now be quarantined if the database schema has been corrupted. * Removed "in-process-" from func env tox name to work with upstream CI. * Respect server type for --md5 check in swift-recon. * Remove empty db hash and suffix directories if a db gets quarantined. * Various other minor bug fixes and improvements. swift (2.11.0) * We have made significant improvements and changes to the erasure code implementation. - Instead of using a separate .durable file to indicate the durable status of an EC fragment archive, we rename the .data to include a durable marker in the filename. This saves one inode for every EC .data file. Existing .durable files will not be removed, and they will continue to work just fine. Note that after writing EC data with Swift 2.11.0 or later, that data will not be accessible to earlier versions of Swift. - Closed a bug where ssync may have written bad fragment data in some circumstances. A check was added to ensure the correct number of bytes is written for a fragment before finalizing the write. Also, erasure coded fragment metadata will now be validated on read requests and, if bad data is found, the fragment will be quarantined. - The improvements to EC reads made in Swift 2.10.0 have also been applied to the reconstructor. This allows fragments to be rebuilt in more circumstances, resulting in faster recovery from failures. - WARNING: If you are using the ISA-L library for erasure codes, please upgrade to liberasurecode 1.3.1 (or later) as soon as possible. If you are using isa_l_rs_vand with more than 4 parity, please read https://bugs.launchpad.net/swift/+bug/1639691 and take necessary action. - Updated the PyECLib dependency to 1.3.1. * Added a configurable URL base to staticweb. * Support multi-range GETs for static large objects. * TempURLs using the "inline" parameter can now also set the "filename" parameter. Both are used in the Content-Disposition response header. * Mirror X-Trans-Id to X-Openstack-Request-Id. * SLO will now concurrently HEAD segments, resulting in much faster manifest validation and object creation. By default, two HEAD requests will be done at a time, but this can be changed by the operator via the new `concurrency` setting in the "[filter:slo]" section of the proxy server config. * Suppressed the KeyError message when auditor finds an expired object. * Daemons using InternalClient can now be properly killed with SIGTERM. * Added a "user" option to the drive-audit config file. Its value is used to set the owner of the drive-audit recon cache. * Throttle update_auditor_status calls so it updates no more than once per minute. * Suppress unexpected-file warnings for rsync temp files. * Various other minor bug fixes and improvements. swift (2.10.0, OpenStack Newton) * Object versioning now supports a "history" mode in addition to the older "stack" mode. The difference is in how DELETE requests are handled. For full details, please read https://docs.openstack.org/swift/latest/overview_object_versioning.html. * New config variables to change the schedule priority and I/O scheduling class. Servers and daemons now understand `nice_priority`, `ionice_class`, and `ionice_priority` to schedule their relative importance. Please read https://docs.openstack.org/swift/latest/admin_guide.html for full config details. * On newer kernels (3.15+ when using xfs), Swift will use the O_TMPFILE flag when opening a file instead of creating a temporary file and renaming it on commit. This makes the data path simpler and allows the filesystem to more efficiently optimize the files on disk, resulting in better performance. * Erasure code GET performance has been significantly improved in clusters that are not completely healthy. * Significant improvements to the api-ref doc available at https://docs.openstack.org/api-ref/object-store/. * A PUT or POST to a container will now update the container's Last-Modified time, and that value will be included in a GET/HEAD response. * Include object sysmeta in POST responses. Sysmeta is still stripped from the response before being sent to the client, but this allows middleware to make use of the information. * Fixed a bug where a container listing delimiter wouldn't work with encryption. * Fixed a bug where some headers weren't being copied correctly in a COPY request. * Container sync can now copy SLOs more efficiently by allowing the manifest to be synced before all of the referenced segments. This fixes a bug where container sync would not copy SLO manifests. * Fixed a bug where some tombstone files might never be reclaimed. * Update dnspython dependency to 1.14, removing the need to have separate dnspython dependencies for Py2 and Py3. * Deprecate swift-temp-url and call python-swiftclient's implementation instead. This adds python-swiftclient as an optional dependency of Swift. * Moved other-requirements.txt to bindep.txt. bindep.txt lists non-python dependencies of Swift. * Various other minor bug fixes and improvements. swift (2.9.0) * Swift now supports at-rest encryption. This feature encrypts all object data and user-set object metadata as it is sent to the cluster. This feature is designed to prevent information leaks if a hard drive leaves the cluster. The encryption is transparent to the end-user. At-rest encryption in Swift is enabled on the proxy server by adding two middlewares to the pipeline. The `keymaster` middleware is responsible for managing the encryption keys and the `encryption` middleware does the actual encryption and decryption. Existing clusters will continue to work without enabling encryption. Although enabling this feature on existing clusters is supported, best practice is to enable this feature on new clusters when the cluster is created. For more information on the details of the at-rest encryption feature, please see the docs at https://docs.openstack.org/swift/latest/overview_encryption.html. * `swift-recon` can now be called with more than one server type. * Fixed a bug where non-ascii names could cause an error in logging and cause a 5xx response to the client. * The install guide and API reference have been moved into Swift's source code repository. * Various other minor bug fixes and improvements. swift (2.8.0) * Allow concurrent bulk deletes for server-side deletes of static large objects. Previously this would be single-threaded and each DELETE executed serially. The new `delete_concurrency` value (default value is 2) in the `[filter:slo]` and `[filter:bulk]` sections of the proxy server config controls the concurrency used to perform the DELETE requests for referenced segments. The default value is recommended, but setting the value to 1 restores previous behavior. * Refactor server-side copy as middleware The COPY verb is now implemented in the `copy` middleware instead of in the proxy server code. If not explicitly added, the server side copy middleware is auto-inserted to the left of `dlo`, `slo` and `versioned_writes` middlewares in the proxy server pipeline. As a result, dlo and slo `copy_hooks` are no longer required. SLO manifests are now validated when copied so when copying a manifest to another account the referenced segments must be readable in that account for the manifest copy to succeed (previously this validation was not made, meaning the manifest was copied but could be unusable if the segments were not readable). With this change, there should be no change in functionality or existing behavior. * `fallocate_reserve` can now be a percentage (a value ending in "%"), and the default has been adjusted to "1%". * Now properly require account/container metadata be valid UTF-8 * TempURL responses now include an `Expires` header with the expiration time embedded in the URL. * Non-Python dependencies are now listed in other-requirements.txt. * `swift-ring-builder` now supports a `--yes` option to assume a yes response to all questions. This is useful for scripts. * Write requests to a replicated storage policy with an even number of replicas now have a quorum size of half the replica count instead of half-plus-one. * Container sync now logs per-container stat information so operators can track progress. This is logged at INFO level. * `swift-dispersion-*` now allows region to be specified when there are multiple Swift regions served by the same Keystone instance * Fix infinite recursion during logging when syslog is down. * Fixed a bug where a backend failure during a read could result in a missing byte in the response body. * Stop `staticweb` revealing container existence to unauth'd requests. * Reclaim isolated .meta files if they are older than the `reclaim_age`. * Make `rsync` ignore its own temporary files instead of spreading them around the cluster, wasting space. * The object auditor now ignores files in the devices directory when auditing objects. * The deprecated `threads_per_disk` setting has been removed. Deployers are encouraged to use `servers_per_port` instead. * Fixed an issue where a single-replica configuration for account or container DBs could result in the DB being inadvertently deleted if it was placed on a handoff node. * `disable_fallocate` now also correctly disables `fallocate_reserve`. * Fixed a bug where the account-reaper did not delete all containers in a reaped account. * Correctly handle delimiter queries where results start with the delimiter and no prefix is given. * Changed the recommended ports for Swift services from ports 6000-6002 to unused ports 6200-6202 so they do not conflict with X-Windows or other services. Since these config values must be explicitly set in the config file, this doesn't impact existing deployments. * Fixed an instance where REPLICATE requests would not use `replication_ip`. * Various other minor bug fixes and improvements. swift (2.7.0, OpenStack Mitaka) * Bump PyECLib requirement to >= 1.2.0 * Update container on fast-POST "Fast-POST" is the mode where `object_post_as_copy` is set to `False` in the proxy server config. This mode now allows for fast, efficient updates of metadata without needing to fully recopy the contents of the object. While the default still is `object_post_as_copy` as True, the plan is to change the default to False and then deprecate post-as-copy functionality in later releases. Fast-POST now supports container-sync functionality. * Add concurrent reads option to proxy. This change adds 2 new parameters to enable and control concurrent GETs in Swift, these are `concurrent_gets` and `concurrency_timeout`. `concurrent_gets` allows you to turn on or off concurrent GETs; when on, it will set the GET/HEAD concurrency to the replica count. And in the case of EC HEADs it will set it to ndata. The proxy will then serve only the first valid source to respond. This applies to all account, container, and replicated object GETs and HEADs. For EC only HEAD requests are affected. The default for `concurrent_gets` is off. `concurrency_timeout` is related to `concurrent_gets` and is the amount of time to wait before firing the next thread. A value of 0 will fire at the same time (fully concurrent), but setting another value will stagger the firing allowing you the ability to give a node a short chance to respond before firing the next. This value is a float and should be somewhere between 0 and `node_timeout`. The default is `conn_timeout`, meaning by default it will stagger the firing. * Added an operational procedures guide to the docs. It can be found at https://docs.openstack.org/swift/latest/ops_runbook/index.html and includes information on detecting and handling day-to-day operational issues in a Swift cluster. * Make `handoffs_first` a more useful mode for the object replicator. The `handoffs_first` replication mode is used during periods of problematic cluster behavior (e.g. full disks) when replication needs to quickly drain partitions from a handoff node and move them to a primary node. Previously, `handoffs_first` would sort that handoff work before "normal" replication jobs, but the normal replication work could take quite some time and result in handoffs not being drained quickly enough. In order to focus on getting handoff partitions off the node `handoffs_first` mode will now abort the current replication sweep before attempting any primary suffix syncing if any of the handoff partitions were not removed for any reason - and start over with replication of handoffs jobs as the highest priority. Note that `handoffs_first` being enabled will emit a warning on start up, even if no handoff jobs fail, because of the negative impact it can have during normal operations by dog-piling on a node that was temporarily unavailable. * By default, inbound `X-Timestamp` headers are now disallowed (except when in an authorized container-sync request). This header is useful for allowing data migration from other storage systems to Swift and keeping the original timestamp of the data. If you have this migration use case (or any other requirement on allowing the clients to set an object's timestamp), set the `shunt_inbound_x_timestamp` config variable to False in the gatekeeper middleware config section of the proxy server config. * Requesting a SLO manifest file with the query parameters "?multipart-manifest=get&format=raw" will return the contents of the manifest in the format as was originally sent by the client. The "format=raw" is new. * Static web page listings can now be rendered with a custom label. By default listings are rendered with a label of: "Listing of /v1///". This change adds a new custom metadata key/value pair `X-Container-Meta-Web-Listings-Label: My Label` that when set, will cause the following: "Listing of My Label/" to be rendered instead. * Previously, static large objects (SLOs) had a minimum segment size (default to 1MiB). This limit has been removed, but small segments will be ratelimited. The config parameter `rate_limit_under_size` controls the definition of "small" segments (1MiB by default), and `rate_limit_segments_per_sec` controls how many segments per second can be served (default is 1). With the default values, the effective behavior is identical to the previous behavior when serving SLOs. * Container sync has been improved to perform a HEAD on the remote side of the sync for each object being synced. If the object exists on the remote side, container-sync will no longer transfer the object, thus significantly lowering the network requirements to use the feature. * The object auditor will now clean up any old, stale rsync temp files that it finds. These rsync temp files are left if the rsync process fails without completing a full transfer of an object. Since these files can be large, the temp files may end up filling a disk. The new auditor functionality will reap these rsync temp files if they are old. The new object-auditor config variable `rsync_tempfile_timeout` is the number of seconds old a tempfile must be before it is reaped. By default, this variable is set to "auto" or the rsync_timeout plus 900 seconds (falling back to a value of 1 day). * The Erasure Code reconstruction process has been made more efficient by not syncing data files when only the durable commit file is missing. * Fixed a bug where 304 and 416 response may not have the right Etag and Accept-Ranges headers when the object is stored in an Erasure Coded policy. * Versioned writes now correctly stores the date of previous versions using GMT instead of local time. * The deprecated Keystone middleware option is_admin has been removed. * Fixed log format in object auditor. * The zero-byte mode (ZBF) of the object auditor will now properly observe the `--once` option. * Swift keeps track, internally, of "dirty" parts of the partition keyspace with a "hashes.pkl" file. Operations on this file no longer require a read-modify-write cycle and use a new "hashes.invalid" file to track dirty partitions. This change will improve end-user performance for PUT and DELETE operations. * The object replicator's succeeded and failed counts are now logged. * `swift-recon` can now query hosts by storage policy. * The log_statsd_host value can now be an IPv6 address or a hostname which only resolves to an IPv6 address. * Erasure coded fragments now properly call fallocate to reserve disk space before being written. * Various other minor bug fixes and improvements. swift (2.6.0) * Dependency changes - Updated minimum version of eventlet to 0.17.4 to support IPv6. - Updated the minimum version of PyECLib to 1.0.7. * The ring rebalancing algorithm was updated to better handle edge cases and to give better (more balanced) rings in the general case. New rings will have better initial placement, capacity adjustments will move less data for better balance, and existing rings that were imbalanced should start to become better balanced as they go through rebalance cycles. * Added container and account reverse listings. A GET request to an account or container resource with a "reverse=true" query parameter will return the listing in reverse order. When iterating over pages of reverse listings, the relative order of marker and end_marker are swapped. * Storage policies now support having more than one name. This allows operators to fix a typo without breaking existing clients, or, alternatively, have "short names" for policies. This is implemented with the "aliases" config key in the storage policy config in swift.conf. The aliases value is a list of names that the storage policy may also be identified by. The storage policy "name" is used to report the policy to users (eg in container headers). The aliases have the same naming restrictions as the policy's primary name. * The object auditor learned the "interval" config value to control the time between each audit pass. * `swift-recon --all` now includes the config checksum check. * `swift-init` learned the --kill-after-timeout option to force a service to quit (SIGKILL) after a designated time. * `swift-recon` now correctly shows timestamps in UTC instead of local time. * Fixed bug where `swift-ring-builder` couldn't select device id 0. * Documented the previously undocumented `swift-ring-builder pretend_min_part_hours_passed` command. * The "node_timeout" config value now accepts decimal values. * `swift-ring-builder` now properly removes devices with zero weight. * `swift-init` return codes are updated via "--strict" and "--non-strict" options. Please see the usage string for more information. * `swift-ring-builder` now reports the min_part_hours lockout time remaining * Container sync has been improved to more quickly find and iterate over the containers to be synced. This reduced server load and lowers the time required to see data propagate between two clusters. Please see https://docs.openstack.org/swift/latest/overview_container_sync.html for more details about the new on-disk structure for tracking synchronized containers. * A container POST will now update that container's put-timestamp value. * TempURL header restrictions are now exposed in /info. * Error messages on static large object manifest responses have been greatly improved. * Closed a bug where an unfinished read of a large object would leak a socket file descriptor and a small amount of memory. (CVE-2016-0738) * Fixed an issue where a zero-byte object PUT with an incorrect Etag would return a 503. * Fixed an error when a static large object manifest references the same object more than once. * Improved performance of finding handoff nodes if a zone is empty. * Fixed duplication of headers in Access-Control-Expose-Headers on CORS requests. * Fixed handling of IPv6 connections to memcache pools. * Continued work towards python 3 compatibility. * Various other minor bug fixes and improvements. swift (2.5.0, OpenStack Liberty) * Added the ability to specify ranges for Static Large Object (SLO) segments. * Replicator configs now support an "rsync_module" value to allow for per-device rsync modules. This setting gives operators the ability to fine-tune replication traffic in a Swift cluster and isolate replication disk IO to a particular device. Please see the docs and sample config files for more information and examples. * Significant work has gone in to testing, fixing, and validating Swift's erasure code support at different scales. * Swift now emits StatsD metrics on a per-policy basis. * Fixed an issue with Keystone integration where a COPY request to a service account may have succeeded even if a service token was not included in the request. * Ring validation now warns if a placement partition gets assigned to the same device multiple times. This happens when devices in the ring are unbalanced (e.g. two servers where one server has significantly more available capacity). * Various other minor bug fixes and improvements. swift (2.4.0) * Dependency changes - Added six requirement. This is part of an ongoing effort to add support for Python 3. - Dropped support for Python 2.6. * Config changes - Recent versions of Python restrict the number of headers allowed in a request to 100. This number may be too low for custom middleware. The new "extra_header_count" config value in swift.conf can be used to increase the number of headers allowed. - Renamed "run_pause" setting to "interval" (current configs with run_pause still work). Future versions of Swift may remove the run_pause setting. * Versioned writes middleware The versioned writes feature has been refactored and reimplemented as middleware. You should explicitly add the versioned_writes middleware to your proxy pipeline, but do not remove or disable the existing container server config setting ("allow_versions"), if it is currently enabled. The existing container server config setting enables existing containers to continue being versioned. Please see https://docs.openstack.org/swift/latest/middleware.html#how-to-enable-object-versioning-in-a-swift-cluster for further upgrade notes. * Allow 1+ object-servers-per-disk deployment Enabled by a new > 0 integer config value, "servers_per_port" in the [DEFAULT] config section for object-server and/or replication server configs. The setting's integer value determines how many different object-server workers handle requests for any single unique local port in the ring. In this mode, the parent swift-object-server process continues to run as the original user (i.e. root if low-port binding is required), binds to all ports as defined in the ring, and forks off the specified number of workers per listen socket. The child, per-port servers drop privileges and behave pretty much how object-server workers always have, except that because the ring has unique ports per disk, the object-servers will only be handling requests for a single disk. The parent process detects dead servers and restarts them (with the correct listen socket), starts missing servers when an updated ring file is found with a device on the server with a new port, and kills extraneous servers when their port is found to no longer be in the ring. The ring files are stat'ed at most every "ring_check_interval" seconds, as configured in the object-server config (same default of 15s). In testing, this deployment configuration (with a value of 3) lowers request latency, improves requests per second, and isolates slow disk IO as compared to the existing "workers" setting. To use this, each device must be added to the ring using a different port. * Do container listing updates in another (green)thread The object server has learned the "container_update_timeout" setting (with a default of 1 second). This value is the number of seconds that the object server will wait for the container server to update the listing before returning the status of the object PUT operation. Previously, the object server would wait up to 3 seconds for the container server response. The new behavior dramatically lowers object PUT latency when container servers in the cluster are busy (e.g. when the container is very large). Setting the value too low may result in a client PUT'ing an object and not being able to immediately find it in listings. Setting it too high will increase latency for clients when container servers are busy. * TempURL fixes (closes CVE-2015-5223) Do not allow PUT tempurls to create pointers to other data. Specifically, disallow the creation of DLO object manifests via a PUT tempurl. This prevents discoverability attacks which can use any PUT tempurl to probe for private data by creating a DLO object manifest and then using the PUT tempurl to head the object. * Ring changes - Partition placement no longer uses the port number to place partitions. This improves dispersion in small clusters running one object server per drive, and it does not affect dispersion in clusters running one object server per server. - Added ring-builder-analyzer tool to more easily test and analyze a series of ring management operations. - Stop moving partitions unnecessarily when overload is on. * Significant improvements and bug fixes have been made to erasure code support. This feature is suitable for beta testing, but it is not yet ready for broad production usage. * Bulk upload now treats user xattrs on files in the given archive as object metadata on the resulting created objects. * Emit warning log in object replicator if "handoffs_first" or "handoff_delete" is set. * Enable object replicator's failure count in swift-recon. * Added storage policy support to dispersion tools. * Support keystone v3 domains in swift-dispersion. * Added domain_remap information to the /info endpoint. * Added support for a "default_reseller_prefix" in domain_remap middleware config. * Allow SLO PUTs to forgo per-segment integrity checks. Previously, each segment referenced in the manifest also needed the correct etag and bytes setting. These fields now allow the "null" value to skip those particular checks on the given segment. * Allow rsync to use compression via a "rsync_compress" config. If set to true, compression is only enabled for an rsync to a device in a different region. In some cases, this can speed up cross-region replication data transfer. * Added time synchronization check in swift-recon (the --time option). * The account reaper now runs faster on large accounts. * Various other minor bug fixes and improvements. swift (2.3.0, OpenStack Kilo) * Erasure Code support (beta) Swift now supports an erasure-code (EC) storage policy type. This allows deployers to achieve very high durability with less raw capacity as used in replicated storage. However, EC requires more CPU and network resources, so it is not good for every use case. EC is great for storing large, infrequently accessed data in a single region. Swift's implementation of erasure codes is meant to be transparent to end users. There is no API difference between replicated storage and EC storage. To support erasure codes, Swift now depends on PyECLib and liberasurecode. liberasurecode is a pluggable library that allows for the actual EC algorithm to be implemented in a library of your choosing. As a beta release, EC support is nearly fully feature complete, but it is lacking support for some features (like multi-range reads) and has not had a full performance characterization. This feature relies on ssync for durability. Deployers are urged to do extensive testing and not deploy production data using an erasure code storage policy. Full docs are at https://docs.openstack.org/swift/latest/overview_erasure_code.html * Add support for container TempURL Keys. * Make more memcache options configurable. connection_timeout, pool_timeout, tries, and io_timeout are all now configurable. * Swift now supports composite tokens. This allows another service to act on behalf of a user, but only with that user's consent. See https://docs.openstack.org/swift/latest/overview_auth.html for more details. * Multi-region replication was improved. When replicating data to a different region, only one replica will be pushed per replication cycle. This gives the remote region a chance to replicate the data locally instead of pushing more data over the inter-region network. * Internal requests from the ratelimit middleware now properly log a swift_source. See https://docs.openstack.org/swift/latest/logs.html for details. * Improved storage policy support for quarantine stats in swift-recon. * The proxy log line now includes the request's storage policy index. * Ring checker has been added to swift-recon to validate if rings are built correctly. As part of this feature, storage servers have learned the OPTIONS verb. * Add support of x-remove- headers for container-sync. * Rings now support hostnames instead of just IP addresses. * Swift now enforces that the API version on a request is valid. Valid versions are configured via the valid_api_versions setting in swift.conf * Various other minor bug fixes and improvements. swift (2.2.2) * Data placement changes This release has several major changes to data placement in Swift in order to better handle different deployment patterns. First, with an unbalance-able ring, less partitions will move if the movement doesn't result in any better dispersion across failure domains. Also, empty (partition weight of zero) devices will no longer keep partitions after rebalancing when there is an unbalance-able ring. Second, the notion of "overload" has been added to Swift's rings. This allows devices to take some extra partitions (more than would normally be allowed by the device weight) so that smaller and unbalanced clusters will have less data movement between servers, zones, or regions if there is a failure in the cluster. Finally, rings have a new metric called "dispersion". This is the percentage of partitions in the ring that have too many replicas in a particular failure domain. For example, if you have three servers in a cluster but two replicas for a partition get placed onto the same server, that partition will count towards the dispersion metric. A lower value is better, and the value can be used to find the proper value for "overload". The overload and dispersion metrics have been exposed in the swift-ring-build CLI tools. See https://docs.openstack.org/swift/latest/overview_ring.html for more info on how data placement works now. * Improve replication of large out-of-sync, out-of-date containers. * Added console logging to swift-drive-audit with a new log_to_console config option (default False). * Optimize replication when a device and/or partition is specified. * Fix dynamic large object manifests getting versioned. This was not intended and did not work. Now it is properly prevented. * Fix the GET's response code when there is a missing segment in a large object manifest. * Change black/white listing in ratelimit middleware to use sysmeta. Instead of using the config option, operators can set "X-Account-Sysmeta-Global-Write-Ratelimit: WHITELIST" or "X-Account-Sysmeta-Global-Write-Ratelimit: BLACKLIST" on an account to whitelist or blacklist it for ratelimiting. Note: the existing config options continue to work. * Use TCP_NODELAY on outgoing connections. * Improve object-replicator startup time. * Implement OPTIONS verb for storage nodes. * Various other minor bug fixes and improvements. swift (2.2.1) * Swift now rejects object names with Unicode surrogates. * Return 403 (instead of 413) on unauthorized upload when over account quota. * Fix a rare condition when a rebalance could cause swift-ring-builder to crash. This would only happen on old ring files when "rebalance" was the first command run. * Storage node error limits now survive a ring reload. * Speed up reading and writing xattrs for object metadata by using larger xattr value sizes. The change is moving from 254 byte values to 64KiB values. There is no migration issue with this. * Deleted containers beyond the reclaim age are now properly reclaimed. * Full Simplified Chinese translation (zh_CN locale) for errors and logs. * Container quota is now properly enforced during cross-account COPY. * ssync replication now properly uses the configured replication_ip. * Fixed issue were ssync did not replicate custom object headers. * swift-drive-audit now has the 'unmount_failed_device' config option (default to True) that controls if the process will unmount failed drives or not. * swift-drive-audit will now dump drive error rates to a recon file. The file location is controlled by the 'recon_cache_path' config value and it includes each drive and its associated number of errors. * When a filesystem does't support xattr, the object server now returns a 507 Insufficient Storage error to the proxy server. * Clean up empty account and container partitions directories if they are empty. This keeps the system healthy and prevents a large number of empty directories from slowing down the replication process. * Show the sum of every policy's amount of async pendings in swift-recon. * Various other minor bug fixes and improvements. swift (2.2.0, OpenStack Juno) * Added support for Keystone v3 auth. Keystone v3 introduced the concept of "domains" and user names are no longer unique across domains. Swift's Keystone integration now requires that ACLs be set on IDs, which are unique across domains, and further restricts setting new ACLs to only use IDs. Please see https://docs.openstack.org/swift/latest/overview_auth.html for more information on configuring Swift and Keystone together. * Swift now supports server-side account-to-account copy. Server- side copy in Swift requires the X-Copy-From header (on a PUT) or the Destination header (on a COPY). To initiate an account-to- account copy, the existing header value remains the same, but the X-Copy-From-Account header (on a PUT) or the Destination-Account (on a COPY) are used to indicate the proper account. * Limit partition movement when adding a new placement tier. When adding a new placement tier (server, zone, or region), Swift previously attempted to move all placement partitions, regardless of the space available on the new tier, to ensure the best possible durability. Unfortunately, this could result in too many partitions being moved all at once to a new tier. Swift's ring-builder now ensures that only the correct number of placement partitions are rebalanced, and thus makes adding capacity to the cluster more efficient. * Per storage policy container counts are now reported in an account response headers. * Swift will now reject, with a 4xx series response, GET requests with more than 50 ranges, more than 3 overlapping ranges, or more than 8 non-increasing ranges. * The bind_port config setting is now required to be explicitly set. * The object server can now use splice() for a zero-copy GET response. This feature is enabled with the "splice" config variable in the object server config and defaults to off. Also, this feature only works on recent Linux kernels (AF_ALG sockets must be supported). A zero-copy GET response can significantly reduce CPU requirements for object servers. * Added "--no-overlap" option to swift-dispersion populate so that multiple runs of the tool can add coverage without overlapping existing monitored partitions. * swift-recon now supports filtering by region. * Various other minor bug fixes and improvements. swift (2.1.0) * swift-ring-builder placement was improved to allow gradual addition of new regions without causing a massive migration of data to the new region. The change was to prefer device weight first, then look at failure domains. * Logging updates - Eliminated "Handoff requested (N)" log spam. - Added process pid to the end of storage node log lines. - Container auditor now logs a warning if the devices path contains a non-directory. - Object daemons now send a user-agent string with their full name. * 412 and 416 responses are no longer tracked as errors in the StatsD messages from the backend servers. * Parallel object auditor The object auditor can now be controlled with a "concurrency" config value that allows multiple auditor processes to run at once. Using multiple parallel auditor processes can speed up the overall auditor cycle time. * The object updater will now concurrently update each necessary node in a new greenthread. * TempURL updates - The default allowed methods have changed to also allow POST and DELETE. The new default list is "GET HEAD PUT POST DELETE". - TempURLs for POST now also allow HEAD, matching existing GET and PUT functionality. - Added filename*= support to TempURL Content-Disposition response header. * X-Delete-At/After can now be used with the FormPost middleware. * Make swift-form-signature output a sample form. * Add v2 API to list endpoints middleware The new API adds better support for storage policies and changes the response from a list of backend urls to a dictionary with the keys "endpoints" and "headers". The endpoints key contains a list of the backend urls, and the headers key is a dictionary of headers to send along with the backend request. * Added allow_account_management and account_autocreate values to /info responses. * Enable object system metadata on PUTs (Note: POST support is ongoing). * Various other minor bug fixes and improvements. swift (2.0.0) * Storage policies Storage policies allow deployers to configure multiple object rings and expose them to end users on a per-container basis. Deployers can create policies based on hardware performance, regions, or other criteria and independently choose different replication factors on them. A policy is set on a Swift container at container creation time and cannot be changed. Full docs are at https://docs.openstack.org/swift/latest/overview_policies.html * Add profiling middleware in Swift The profile middleware provides a tool to profile Swift code on the fly and collects statistical data for performance analysis. A native simple Web UI is also provided to help query and visualize the data. * Add --quoted option to swift-temp-url * swift-recon now supports checking the md5sum of swift.conf, which helps deployers verify configurations are consistent across a cluster. * Users can now set the transaction id suffix by passing in a value in the X-Trans-Id-Extra header. * New log_max_line_length option caps the maximum length of a log line. * Support If-[Un]Modified-Since for object HEAD * Added missing constraints and ratelimit parameters to /info * Add ability to remove subsections from /info * Unify logging for account, container, and object server processes to provide a consistent message format. This change reorders the fields logged for the account server. * Add targeted config loading to swift-init. This allows an easier and more explicit way to tell swift-init to run specific server process configurations. * Properly quote www-authenticate (CVE-2014-3497) * Fix logging issue when services stop on py26. * Change the default logged length of the auth token to 16. * Explicitly set permissions on generated ring files to 0644 * Fix file uploads larger than 2GiB in the formpost feature * Fixed issue where large objects would fail to download if the auth token expired partway through the download * Various other minor bug fixes and improvements swift (1.13.1, OpenStack Icehouse) * Change the behavior of CORS responses to better match the spec A new proxy config variable (strict_cors_mode, default to True) has been added. Setting it to False keeps the old behavior. For an overview of old versus new behavior, please see https://review.opendev.org/#/c/69419/ * Invert the responsibility of the two instances of proxy-logging in the proxy pipeline The first proxy_logging middleware instance to receive a request in the pipeline marks that request as handling it. So now, the left most proxy_logging middleware handles logging for all client requests, and the right most proxy_logging middleware handles all other requests initiated from within the pipeline to its left. This fixes logging related to large object requests not properly recording bandwidth. * Added swift-container-info and swift-account-info tools * Allow specification of object devices for audit * Dynamic large object COPY requests with ?multipart-manifest=get now work as expected * When a client is downloading a large object and one of the segment reads gets bad data, Swift will now immediately abort the request. * Fix ring-builder crash when a ring partition was assigned to a deleted device, zero-weighted device, and normal device * Make probetests work with conf.d configs * Various other minor bug fixes and improvements. swift (1.13.0) * Account-level ACLs and ACL format v2 Accounts now have a new privileged header to represent ACLs or any other form of account-level access control. The value of the header is a JSON dictionary string to be interpreted by the auth system. A reference implementation is given in TempAuth. Please see the full docs at https://docs.openstack.org/swift/latest/overview_auth.html * Added a WSGI environment flag to stop swob from always using absolute location. This is useful if middleware needs to use out-of-spec Location headers in a response. * Container sync proxies now support simple load balancing * Config option to lower the timeout for recoverable object GETs * Add a way to ratelimit all writes to an account * Allow multiple storage_domain values in cname_lookup middleware * Moved all DLO functionality into middleware The proxy will automatically insert the dlo middleware at an appropriate place in the pipeline the same way it does with the gatekeeper middleware. Clusters will still support DLOs after upgrade even with an old config file that doesn't mention dlo at all. * Remove python-swiftclient dependency * Add secondary groups to process user during privilege escalation * When logging request headers, it is now possible to specify specifically which headers should be logged * Added log_requests config parameter to account and container servers to match the parameter in the object server. This allows a deployer to turn off log messages for these processes. * Ensure swift.source is set for DLO/SLO requests * Fixed an issue where overwriting segments in a dynamic manifest could cause issues on pipelined requests. * Properly handle COPY verb in container quota middleware * Improved StaticWeb 404 error message on web-listings and index * Various other minor bug fixes and improvements. swift (1.12.0) * Several important pieces of information have been added to /info: - Configured constraints are included and allow a client to discover the limits on names and object sizes that the cluster supports. - The supported tempurl methods are now included. - Static large object constraints are now included. * The Last-Modified header value returned will now be the object's timestamp rounded up to the next second. This allows subsequent requests with If-[un]modified-Since to use the Last-Modified value as expected. * Non-integer values for if-delete-at headers will now properly report a 400 error instead of a 503. * Fix object versioning with non-ASCII container names. * Bulk delete with POST now works properly. * Generic means for persisting system metadata Swift now supports system-level metadata on accounts and containers. System metadata provides a means to store internal custom metadata with associated Swift resources in a safe and secure fashion without actually having to plumb custom metadata through the core swift servers. The new gatekeeper middleware prevents this system metadata from leaking into the request or being set by a client. * catch_errors and gatekeeper middleware are now forced into the proxy pipeline if not explicitly referenced. * New container sync configuration option, separating the end user from knowing the required end point and adding more secure signed requests. See https://docs.openstack.org/swift/latest/overview_container_sync.html for full information. * bulk middleware now can be configured to retry deleting containers. * The default yield_frequency used to keep client connections alive during slow bulk requests was reduced from 60 seconds to 10 seconds. While this is a change to a default, it should not affect deployments and there is no migration process needed. * Swift processes will attempt to set RLIMIT_NPROC to 8192. * Server processes will now exit with a non-zero error code on config errors. * Warn if read_affinity is configured but not enabled. * Fix checkmount error parsing in swift-recon. * Log at warn level when an object is quarantined. * Fixed CVE-2014-0006 to avoid a potential timing attack with tempurl. * Various other minor bug fixes and improvements. swift (1.11.0) * Added discoverable capabilities A Swift proxy server now by default (although it can be turned off) will respond to requests to /info. The response to these requests include information about the cluster and can be used by clients to determine which features are supported in the cluster. * Object replication ssync (an rsync alternative) A Swift storage node can now be configured to use Swift primitives for replication transport instead of rsync. This is an experimental feature that is not yet considered production ready. * If a source times out on an object server read, try another one of them with a modified range. * The proxy now responds to many types of requests as soon as it has a quorum. This can help speed up responses (without changing the results), especially when one node is acting up. There is a post_quorum_timeout config value that can tune how long to wait for requests to finish after a quorum has been established. * Add accurate timestamps in proxy log lines for the start and end of a request. These are added as new fields on the end of the existing log lines, and therefore should not break existing, well-behaved log processors. * Add an "inline" query parameter to tempurl By default, temporary URLs add a "Content-Disposition" header that forces many clients to download the object. Now, temporary URLs support an optional "inline" query parameter that will force a "Content-Disposition: inline" header to be added to the response, overriding the default. * Use TCP_NODELAY for created sockets. This can dramatically lower latency for small object workloads. * DiskFile API, with reference implementation The DiskFile abstraction for talking to data on disk has been refactored to allow alternate implementations to be developed. Included in the codebase is an in-memory reference implementation. For full documentation, please see the developer documentation. The DiskFile API is still a work in progress and is not yet finalized. * Removal of swift-bench The included benchmarking tool swift-bench has been extracted from the codebase and is now in its own repository at https://github.com/openstack/swift-bench. New swift-bench binaries and packages may be found on PyPI at https://pypi.org/project/swift-bench * Bulk delete now also supports the POST verb, in addition to DELETE * Added functionality to the swift-ring-builder to support limited recreation of ring builder files from the ring file itself. * HEAD on account now returns 410 if account was deleted and not yet reaped. The old behavior was to return a 404. * Fixed a bug introduced since the 1.10.0 release that prevented expired objects from being removed from the system. This resulted in orphaned expired objects taking up space on the system but inaccessible to the API. This regression and fix are only important if you have deployed code since the 1.10.0 release. For a full discussion, including a script that can be used to clean up orphaned objects, see https://bugs.launchpad.net/swift/+bug/1257330 * Tie socket write buffer size to server chunk size parameter. This pairs the underlying network buffer size with the size of data that Swift attempts to read from the connection, thereby improving efficiency and throughput on connections. * Fix 500 from account-quota middleware. If a user had set X-Account-Meta-Quota-Bytes to something non-integer prior to the installation of the account-quota middleware, then the quota check would choke on it. Now a non-integer value is treated as "no quota". * Quarantine objects with busted metadata. Before, if you encountered an object with corrupt or missing xattrs, the object server would return a 500 on GET, and wouldn't quarantine anything. Now the object server returns a 404 for that GET and the corrupted file is quarantined, thus giving replication a chance to fix it. * Fix quarantine and error counts in audit logs * Report transaction ID in failure exception logs * Make pbr a build-time only dependency * Worked around a bug in eventlet 0.9.16 where the size of the memcache connection pools would grow unbounded. * Tempurl keys are now properly stored as utf8 * Fixed an issue where concurrent PUT requests to accounts or containers may result in errors due to locked databases. * Handle copy requests in account and container quota middleware * Now ensure that a WWW-Authenticate header is on all 401 responses * Various other bug fixes and improvements swift (1.10.0, OpenStack Havana) * Added support for pooling memcache connections * Added support to replicating handoff partitions first in object replication. Can also configure how many remote nodes a storage node must talk to before removing a local handoff partition. * Fixed bug where memcache entries would not expire * Much faster calculation for choosing handoff nodes * Added container listing ratelimiting * Fixed issue where the proxy would continue to read from a storage server even after a client had disconnected * Added support for headers that are only visible to the owner of a Swift account * Fixed ranged GET with If-None-Match * Fixed an issue where rings may not be balanced after initial creation * Fixed internationalization support * Return the correct etag for a static large object on the PUT response * Allow users to extract archives to containers with ACLs set * Fix support for range requests against static large objects * Now logs x-copy-from header in a useful place * Reverted back to old XML output of account and container listings to ensure older clients do not break * Account quotas now appropriately handle copy requests * Fix issue with UTF-8 handling in versioned writes * Various other bug fixes and improvements, including support for running Swift under Pypy and continuing work to support storage policies swift (1.9.1) * Disallow PUT, POST, and DELETE requests from creating older tombstone files, preventing the possibility of filling up the disk and removing unnecessary container updates. * Set default wsgi workers to cpu_count Change the default value of wsgi workers from 1 to auto. The new default value for workers in the proxy, container, account & object wsgi servers will spawn as many workers per process as you have cpu cores. This will not be ideal for some configurations, but it's much more likely to produce a successful out of the box deployment. * Added reveal_sensitive_prefix config setting to filter the auth token logged by the proxy server. * Ensure Keystone's reseller prefix ends with an underscore. Previously this was a recommendation--now it is enforced. * Added log_file_pattern config to swift-drive-audit for drive errors * Add support for telling Swift to detect a content type on a request. * Additional object stats are now logged in the object auditor * Moved the DiskFile interface into its own module * Ensure the SQLite cursors are closed when creating functions * Better support for valid Accept headers * In Keystone, don't allow users to delete their own account * Return a UTC timezone designator in container listings * Ensure that users can't remove their account quotas * Allow floating point value for dispersion coverage * Fix incorrect error page handling in staticweb * Add utf-8 charset to multipart-manifest=get response. * Allow dispersion tools to use keystone server with insecure certificate * Ensure that files are always closed in tests * Use OpenStack's "Hacking" guidelines for code formatting * Various other minor bug fixes and improvements swift (1.9.0) * Global clusters support The "region" concept introduced in Swift 1.8.0 has been augmented with support for using a separate replication network and configuring read and write affinity. These features combine to offer support for a single Swift cluster spanning wide geographic area. * Disk performance The object server now can be configured to use threadpools to increase performance and smooth out latency throughout the system. Also, many disk operations were reordered to increase reliability and improve performance. * Added config file conf.d support Allow Swift daemons and servers to optionally accept a directory as the configuration parameter. This allows different parts of the config file to be managed separately, eg each middleware could use a separate file for its particular config settings. * Allow two TempURL keys per account By adding a second key, a user can safely rotate keys and prevent URLs already in use from becoming invalid. TempURL middlware has also been updated to allow a configuable set of allowed methods and to prevent a bugrelated to content-disposition names. * Added crossdomain.xml middleware. See https://docs.openstack.org/swift/latest/crossdomain.html for details * Added rsync bandwidth limit setting for object replicator * Transaction ID updated to include the time and an optional suffix * Added x-remove-versions-location header to disable versioned writes * Improvements to support for Keystone ACLs * Added parallelism to object expirer daemon * Added support for ring hash prefix in addition to the existing suffix * Allow all headers requested for CORS * Stop getting useless bytes on manifest Range requests * Improved container-sync resiliency * Added example Apache config files. See https://docs.openstack.org/swift/latest/apache_deployment_guide.html for more info * If an account is marked as deleted but hasn't been reaped and is still on disk, responses will include an "X-Account-Status" header * Fix 503 on account/container HEAD with invalid format * Added extra safety on account-level DELETE when using bulk deletes * Made colons quote-safe in logs (mainly for IPv6) * Fixed bug with bulk delete max items * Fixed static large object manifest range requests * Prevent static large objects from containing other static large objects * Fixed issue with use of delimiter in container queries where some objects would not be listed * Various other minor bug fixes and improvements swift (1.8.0, OpenStack Grizzly) * Make rings' replica count adjustable * Added a region tier to the ring above zones * Added timing-based sorting of object servers on read requests * Added support for auto-extract archive uploads * Added support for bulk delete requests * Added support for large objects with static manifests * Added list_endpoints middleware to provide an API for determining where the ring places data * proxy-logging middleware can now handle logging for other middleware proxy-logging should be used twice in the proxy pipeline. The first handles middleware logs for requests that never made it all the way to the server. The last handles requests that do make it to the server. This is a change that may require an update to your proxy server config file or custom middleware that you may be using. See the full docs at https://docs.openstack.org/swift/latest/misc.html. * Changed the default sample rate for a few high-traffic requests. Added log_statsd_sample_rate_factor to globally tune the StatsD sample rate. This tunable can be used to reduce StatsD traffic proportionally for all metrics and is intended to replace log_statsd_default_sample_rate, which is left alone for backward-compatibility, should anyone be using it. * Added swift_hash_path_prefix option to swift.conf New deployments are advised to set this value to a random secret to protect against hash collisions * Added user-managed container quotas * Added support for account-level quotas managed by an auth reseller * Added --run-dir option to swift-init * Added more options to swift-bench * Added support for CORS "actual requests" * Added fallocate_reserve option to protect against full drives * Allow ring rebalance to take a seed * Ring serialization will now produce the same gzip file (Py2.7) * Added support to swift-drive-audit for handling rotated logs * Added first-byte latency timings for GET requests * Added per disk PUT timing monitoring support * Added speed limit options for DB auditor * Force log entries to be one line * Ensure that fsync is used and not just fdatasync * Improved handoff node selection * Deprecated keystone is_admin feature * Fix large objects with unicode in the segment names * Update Swift's MemcacheRing to provide API compatibility with standard Python memcache libraries * Various other minor bug fixes and improvements swift (1.7.6) * Better tempauth storage URL guessing * Added --top option to swift-recon -d * Allow optional, temporary healthcheck failure * keystoneauth middleware now supports cross-tenant ACLs * Add dispersion report flags to limit reports * Add config option to turn eventlet debug on/off * Added override option for swift-init's KILL_WAIT * Added oldest and most recent replication pass to swift-recon * Fixed 500 error response when GETing a many-segment manifest * Memcached keys now use a delta timeout when possible * Refactor DiskFile to hide temp file names and exts * Remove IP-based container-sync ACLs from auth middlewares * Fixed bug in deleting memcached account info data * Fixed lazy-listing of object manifest segments * Fixed bug where a ? in the object name caused an error * Swift now returns 406 if it can't satisfy Accept * Fix infinite recursion bug in object replicator * Swift will now reject names with NULL characters * Fixed object-auditor logging to use a minimum of unix sockets * Various other minor bug fixes and improvements swift (1.7.5) * Support OPTIONS verb, including CORS preflight requests * Added support for custom log handlers * Range support is extended to support GET requests with multiple ranges. Multi-range GETs are not yet supported against large-object manifests. * Cluster constraints are now settable by config * Replicators can now run against specific devices or partitions * swift-bench now supports running on multiple cores and multiple servers * Added partition option to swift-get-nodes * Allow underscores in account and user in tempauth via base64 encodings * New option to the dispersion report to output the missing partitions * Changed storage server StatsD metrics to report timings instead of counts for errors. See the admin guide for the updated metric names. * Removed a dependency on WebOb and replaced it with an internal module * Fixed config parsing in swift-bench -x * Fixed sample_rate in StatsD logging * Track unlinks of async_pendings with StatsD * Remove double GET on range requests * Allow unsetting of X-Container-Sync-To and ACL headers * DB reclamation now removes empty suffix directories * Fix non-standard 100-continue behavior * Allow object-expirer to delete the last copy of a versioned object * Only set TCP_KEEPIDLE on systems where it is supported * Fix stdin flush and fdatasync issues on BSD platforms * Allow object-expirer to delete the last version of an object * Various other minor bug fixes and improvements swift (1.7.4, OpenStack Folsom) * Fix issue where early client disconnects may have caused a memory leak swift (1.7.2) * Fix issue where memcache serialization was not properly loading the config value swift (1.7.0) * Use custom encoding for ring data instead of pickle Serialize RingData in a versioned, custom format which is a combination of a JSON-encoded header and .tostring() dumps of the replica2part2dev_id arrays. This format deserializes hundreds of times faster than rings serialized with Python 2.7's pickle (a significant performance regression for ring loading between Python 2.6 and Python 2.7). Fixes bug 1031954. The new implementation is backward-compatible; if a ring does not begin with a new-style magic string, it is assumed to be an old-style pickle-dumped ring and is handled as before. So new Swift code can read old rings, but old Swift code will not be able to read newly-serialized rings. * Do not use pickle for serialization in memcache, but JSON To avoid issues on upgrades (unability to read pickled values, and cache poisoning for old servers not understanding JSON), we add a memcache_serialization_support configuration option, with the following values: 0 = older, insecure pickle serialization 1 = json serialization but pickles can still be read (still insecure) 2 = json serialization only (secure and the default) To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload. Support for 0 and 1 will be removed in future versions. * Update proxy-server StatsD logging. This is a significant change to the existing StatsD intigration. Docs for this feature can be found in doc/source/admin_guide.rst. * Improved swift-bench to allow random object sizes and better usability * Updated probe tests * Replicator removal metrics are now generated on a per-device basis * Made object replicator locking more optimistic * Split proxy-server code into separate modules * Fixed bug where swift-recon would not report all unmounted drives * Fixed issue where a LockTimeout may have caused a file descriptor to not be closed properly * Fixed a bug where an error may have caused the proxy to stop returning data to a client * Fixed bug where expirer would get confused by odd deletion times * Fixed a bug where auto-creating accounts would return an error if they were recreated after being deleted * Fix when rate_limit_after_segment kicks in * fallocate() failures properly return HTTPInsufficientStorage from object-server before reading from wsgi.input, allowing the proxy server to quickly error_limit that node * Fixed error with large object manifests and x-newest headers on GET * Various other minor bug fixes and improvements swift (1.6.0) * Removed bin/swift and swift/common/client.py from the swift repo. These tools are now managed in the python-swiftclient project. The python-swiftclient project is a second deliverable of the openstack swift project. * Moved swift_auth (openstack keystone) middleware from keystone project into swift project * Made dispersion report work with any replica count other than 3. This substantially affects the JSON output of the dispersion report, and any tools written to consume this output will need to be updated. * Added Solaris (Illumos) compatibility * Added -a option to swift-get-nodes to show all handoffs * Add UDP protocol support for logger * Added config options for rate limiting of large object downloads. * Added config option `log_handoffs` (defaults to True) to proxy server to log and update statsd with information about when a handoff node is used. This is helpful to track the health of the cluster. * swift-bench can now use auth 2.0 * Support forbidding substrings based on a regexp in name_filter middleware * Hardened internal server processes so only authorized methods can be called. * Made ranged requests on large objects work correctly when size of manifest file is not 0 byte * Added option to dispersion report to print 404s to stdout * Fix object replication on older rsync versions when using ipv4 * Fixed bug with container reclaim/report race * Make object server's caching more configurable. * Check disk failure before syncing for each partition * Allow special characters to be referenced by manifest objects * Validate devices and partitions to avoid directory traversals * Support WebOb 1.2 * Ensure that accessing the ring devs reloads the ring if necessary. Specifically, this allows replication to work when it has been started with an empty ring. * Various other minor bug fixes and improvements swift (1.5.0) * New option to toggle SQLite database preallocation with account and container servers. IMPORTANT: The default for database preallocation is now off when before it was always on. This will affect performance on clusters that use standard drives with shared account, container, object servers. Such deployments will need to update their configurations to turn database preallocation back on (see account-server.conf-sample and container-server.conf.sample files). If you are using dedicated account and container servers with SSDs, you should defragment your file systems after upgrade and should notice dramatically less disk usage. * swift3 middleware removed and moved to http://github.com/fujita/swift3. This will require a config change in the proxy server and adds a new dependency for deployers using this middleware. * Moved proxy server logging to middleware. This requires a config change in the proxy server. * Added object versioning feature. (See docs for full description) * Add statsd logging throughout the system (beta, some event names may change) * Expanded swift-recon middleware support * The ring builder now supports as-unique-as-possible partition placement, unified balancing methods, and can work on more than one device at a time. * Numerous bug fixes to StaticWeb (previously unusable at scale). * Bug fixes to all middleware to allow passthrough requests under various conditions and to share pre-authed request code (which previously had differing behaviors and interaction bugs). * Bug fix to object expirer that could cause infinite looping. * Added optional delay to account reaping. * Async-pending write optimization. * Dispersion tools now support multiple auth versions * Updated man pages * Proxy server can now deny requests to particular hostnames * Updated docs for domain remap middleware * Updated docs for cname lookup middleware * Made swift CLI binary easier to wrap * Proxy will now also return X-Timestamp header * Added associated projects doc as a place to track ecosystem projects * end_marker made consistent across both object and container listings * Various other minor bug fixes and improvements swift (1.4.8, OpenStack Essex) * Added optional max_containers_per_account restriction * Added alternate metadata header removal method * Added optional name_check middleware filter * Added support for venv-based test runs with tox * StaticWeb behavior change with X-Web-Mode: true and non-StaticWeb-enabled containers (immediately 404s instead of passing the request on down the WSGI pipeline). * Fixed typo in swift-dispersion-report JSON output. * Swift-Recon-related fix to create temporary files on the same disk as their final destinations. * Updated return codes in swift3 middleware * Fixed swift3 middleware to allow Content-Range header in response * Updated swift.common.client and swift CLI tool with auth 2.0 changes * Swift CLI tool now supports common openstack auth args * Body of HTTP responses now included in error messages of swift CLI tool * Refactored some ring building functions for clarity and simplicity swift (1.4.7) * Improvements to account and container replication. * Fix for account servers allowing .pending to exist before .db. * Fixed possible key-guessing exploit in formpost. * Fixed bug in ring builder when removing a large percentage of devices. * Swift CLI tool now supports openstack-standard CLI flags. * New JSON output option for swift-dispersion-report. * Removed old stats tools. * Other bug fixes and documentation updates. swift (1.4.6) * TempURL and FormPost middleware added * Added memcache.conf option * Dropped eval-based json parser fallback * Properly lose all groups when dropping privileges * Fix permissions when creating files * Fixed bug regarding negative Content-Length in requests * Consistent formatting on Last-Modified response header * Added timeout option to swift-recon * Allow arguments to be passed to nosetest * Removed tools/rfc.sh * Other minor bug fixes swift (1.4.5) * New swift-orphans and swift-oldies command line tools to detect orphaned Swift processes and long running processes. * Command line tool "swift" now supports marker queries. * StaticWeb middleware improved to save an extra request when possible. * Updated swift-init to support swift-object-expirer. * Fixed object replicator timeout handling [bug 814263]. * Fixed accept header 503 vs. 400 [bug 891247]. * More exception handling for auditors. * Doc updates for PPA [bug 905608]. * Doc updates to explain replication more clearly [bug 906976]. * Updated SAIO instructions to no longer mention ~/swift/trunk. * Fixed docstrings in the ring code. * PEP8 Updates. swift (1.4.4) * Fixes to prevent socket hoarding (memory leak) * Add sockstat info to recon. * Fixed leak from SegmentedIterable. * Fixed bufferedhttp to deref socks and fps. * Add support for OS Auth API version 2. * Make Eventlet's WSGI server log differently. * Updated TimeoutError and except Exception refs. * Fixed time-sensitive tests. * Fixed object manifest etags. * Fixes for swift-recon disk usage distribution graph. * Adding new manpages for configuration files. * Change bzr to swift in getting_started doc. * Fixes the HTTPConflict import. * Expiring Objects Support. * Fixing bug with x-trans-id. * Requote the source when doing a COPY. * Add documentation for Swift Recon. * Make drive audit regexes detect 4-letter drives. * Adding what acc/cont/obj into the ratelimit error messages. * Query only specific zone via swift-recon. swift (1.4.3, OpenStack Diablo) * Additional quarantine catching code. * Added client_ip to all proxy log lines not otherwise containing it. * Content-Type is now application/xml for "GET services/bucket" swift3 middleware requests. * Alpha release of the Swift Recon Experiment * Fix last modified date for swift3 middleware. * Fix to clear account/container metadata on account/container deletion. * Fix for corner case regarding X-Newest. * Fix for object auditor running out of file descriptors. * Fix to return all proper headers for manifest objects. * Fix to the swift tool to strip any leading slashes on file names when uploading. swift (1.4.2) * Removed stats/logging code from Swift [now in separate slogging project]. * Container Synchronization Feature - First Edition * Fix swift3 authentication bug about the Date and X-Amz-Date handling. * Changing ratelimiting so that it only limits PUTs/DELETEs. * Object POSTs are implemented as COPYs now by default (you can revert to previous implementation with conf object_post_as_copy = false) * You can specify X-Newest: true on GETs and HEADs to indicate you want Swift to query all backend copies and return the newest version retrieved. * Object COPY requests now always copy the newest object they can find. * Account and container GETs and HEADs now shuffle the nodes they use to balance load. * Fixed the infinite charset: utf-8 bug * This fixes the bug that drop_buffer_cache() doesn't work on systems where off_t isn't 64 bits. swift (1.4.1) * st renamed to swift * swauth was separated froms swift. It is now its own project and can be found at https://github.com/gholt/swauth. * tempauth middleware added as an extremely limited auth system for dev work. * Account and container listings now properly labeled UTF-8 (previously the label was "utf8"). * Accounts are auto-created if an auth token is valid when the account_autocreate proxy config parameter is set to true. swift (1.4.0) * swift-bench now cleans up containers it creates. * WSGI servers now load WSGI filters and applications after forking for better plugin support. * swauth-cleanup-tokens now handles 404s on token containers and tokens better. * Proxy logs the remote IP address as the client IP in the absence of X-Forwarded-For and X-Cluster-Client-IP headers instead of - like it did before. * Swift3 WSGI middleware added support for param-signed URLs. * swauth- scripts now exit with proper exit codes. * Fixed a bug where allowed_headers weren't honored for HEAD requests. * Double quarantining of corrupted sqlite3 databases now works. * Fix for Object replicator breaking when running object replicator with no objects on the server. * Added the Accept-Ranges header to GET and HEAD requests. * When a single object has multiple async pending updates on a single device, only latest async pending is now sent. * Fixed issue of Swift3 WSGI middleware not working correctly with '/' in object names. * Renamed swift-stats-* to swift-dispersion-* to avoid confusion with log stats stuff. * Added X-Trans-Id transaction id header to every response. * Fixed a Python 2.7 compatibility problem. * Now using bracketed notation for ip literals in rsync calls, so compressed ipv6 literals work. * Added a container stats collector and refactoring some of the stats code. * Changed subdir nodes in XML formatted object listings to align with object nodes. Now: foo Before: . * Fixed bug in Swauth to support for multiple swauth instances. * swift-ring-builder: Added list_parts command which shows common partitions for a given list of devices. * Object auditor now shows better statistics updates in the logs. * Stats uploaders now allow overrides for source_filename_pattern and new_log_cutoff values. ---- Changelog entries for previous versions are incomplete swift (1.3.0, OpenStack Cactus) swift (1.2.0, OpenStack Bexar) swift (1.1.0, OpenStack Austin) swift (1.0.0, Initial Release)