Releases: google/trillian

v1.3.2

05 Sep 16:52

Patch release to address a Go module issue. Some dependencies use invalid pseudo-versions in their go.mod files that Go 1.13 rejects. We've added replace directives to our go.mod file to fix these invalid pseudo-versions.

v1.3.1

16 Aug 13:53
302b47d

Patch release primarily to address Go Module issue. v1.3.0 declared a dependency on github.com/russross/blackfriday/v2 v2.0.1+incompatible which made downstream dependencies suffer.

v1.3.0

17 Jul 16:10
074dddd

Storage APIs GetSignedLogRoot / SetSignedLogRoot now take pointers

This is at the storage layer and does not affect the log server API.
It is part of work to fix protocol buffer usages where messages are passed
by value or compared by generic code like reflect.DeepEqual(). Passing
them by value creates shallow copies that can share internal state, and since
the generated structs contain additional exported XXX_ fields, generic
comparisons that use all fields can produce incorrect results.
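
To make the two failure modes in this note concrete, here is an added example (not Trillian code): a constructed stand-in struct with the same shape as a generated message, showing reflect.DeepEqual reporting identical content as unequal once an XXX_sizecache field is populated, and a by-value copy writing through to the original's slice. The protobuf library's proto.Equal is the comparison intended for generated messages.

```go
package main

import (
	"bytes"
	"reflect"
)

// signedLogRoot is a stand-in constructed for this example (not Trillian's
// generated type): the content fields a message carries, plus the exported
// XXX_ bookkeeping fields the Go protobuf generator adds to generated structs.
type signedLogRoot struct {
	LogRoot          []byte
	LogRootSignature []byte
	XXX_unrecognized []byte
	XXX_sizecache    int32
}

// SameContent compares only the fields that carry meaning, which is what a
// caller comparing two roots actually wants to know.
func SameContent(a, b *signedLogRoot) bool {
	return bytes.Equal(a.LogRoot, b.LogRoot) &&
		bytes.Equal(a.LogRootSignature, b.LogRootSignature)
}

// DeepEqualMismatch builds two messages with identical content, lets one of
// them carry a cached size (as a Marshal call would), and returns what
// reflect.DeepEqual says next to what a content comparison says.
func DeepEqualMismatch() (deepEqual, contentEqual bool) {
	a := &signedLogRoot{LogRoot: []byte{1, 2, 3}, LogRootSignature: []byte{9}}
	b := &signedLogRoot{LogRoot: []byte{1, 2, 3}, LogRootSignature: []byte{9}}
	b.XXX_sizecache = 7 // side effect of marshalling b, simulated here
	return reflect.DeepEqual(a, b), SameContent(a, b)
}

// SharedStateAfterCopy shows that passing the struct by value copies the
// slice headers only: the copy and the original share one backing array,
// so a write through the copy is visible in the original.
func SharedStateAfterCopy() (original []byte) {
	orig := signedLogRoot{LogRoot: []byte{1, 2, 3}}
	copied := orig // by-value copy, as a non-pointer parameter would make
	copied.LogRoot[0] = 0xFF
	return orig.LogRoot // now {0xFF, 2, 3}
}
```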

Storage Commit takes context.Context

To support passing a context down to NodeStorage.SetLeaves, and remove various context.TODO()s,
the following functions have been modified to accept a context.Context parameter:

  • storage/cache.NodeStorage.SetLeaves
  • storage/cache.SetSubtreesFunc
  • storage/cache.SubtreeCache.Flush
  • storage.ReadonlyLogTX.Commit

Go Module Support

Go Module support has been enabled. Please use GO111MODULE=on to build Trillian.
Updating dependencies no longer requires updating the vendor directory.

TrillianMapWrite API

New API service for writing to the Trillian Map. This allows APIs such as
GetLeavesByRevisionNoProof to be removed from the read API, and these methods to
be tuned & provisioned differently for read vs write performance.

GetLeavesByRevisionNoProof API

Allow map clients to forgo fetching inclusion proofs.
This dramatically speeds things up for clients that don't need verifiability.
This occurs in some situations where a Trillian personality is
interacting directly with the Trillian Map.

GetMapLeafByRevision API

New GetMapLeafByRevision API for fetching a single map leaf. This allows there
to be a separate API end point for fetching a single leaf vs. the batch
GetMapLeavesByRevision API which is much slower when many leaves are requested.
This supports separate monitoring and alerting for different traffic patterns.

Add Profiling Flags to Binaries

The trillian_log_server, trillian_log_signer and trillian_map_server
binaries now have CPU and heap profiling flags. Profiling is off by default.
For more details see the Go Blog.

Map performance tweaks

The map mode has had some performance tweaks added:

  • A workaround for locking issues which affect the map when it's used in
    single-transaction mode.

Introduce BatchInclusionProof function

Added a batch version of the Merkle Tree InclusionProof function.

Updated the map RPC for getLeaves to use the new batch function to improve
efficiency.

Google Cloud Spanner support

Google Cloud Spanner is now a supported storage backend for maps.

The admin API calls that list trees backed by Cloud Spanner have been fixed.

RPC Server Transaction Leaks Fixed

There were some cases where the Log RPC server could leak storage transactions
in error situations. These have now been fixed. If you have a custom storage
implementation review the fixes made to the MySQL Log storage to see if they
need to be applied to your code (storage/mysql/log_storage.go). The Map
server had similar issues but these were fixed without requiring changes to
storage code.

GetLatestSignedLogRoot With Consistency Proof

GetLatestSignedLogRoot in the LogServer will return a consistency proof if
first_tree_size > 0. This reduces the number of RPC calls from logClient from
2 to 1 in client.getAndVerifyLatestRoot.

Testing

Support has been added for testing against a locally running mysql docker image,
in addition to a locally running mysql instance.

Deprecated Fields Removed From SignedLogRoot Proto

Important Note: For use in Certificate Transparency this version of the
logserver binary won't work properly with an older CTFE. Make sure to update the
CTFE servers to a current version (built from a git checkout after March 20th
2019) before deploying logservers that include this change or deploy them
together with this release. Failure to do this can result in 5XX errors being
returned to clients when the old handler code tries to access fields in
responses that no longer exist.

All the fields marked as deprecated in this proto have been removed. All the
same fields are available via the TLS marshalled log root in the proto. Updating
affected code is straightforward.

Normally, clients will want to verify that the signed root is correctly signed.
This is the preferred way to interact with the root data.

There is a utility function provided that will verify the signature and unpack
the TLS data. It works well in conjunction with a LogVerifier. The public key
of the server is required.

// Imports assumed (not shown in the original snippet): "crypto" from the standard
// library for crypto.SHA256, github.com/google/trillian/client,
// github.com/google/trillian/merkle/rfc6962, and github.com/google/trillian/crypto,
// aliased as tcrypto here so that it does not clash with the standard library package.
verifier := client.NewLogVerifier(rfc6962.DefaultHasher, pk, crypto.SHA256)
root, err := tcrypto.VerifySignedLogRoot(verifier.PubKey, verifier.SigHash, resp.SignedLogRoot)
if err != nil {
  // Signature verification or unmarshalling failed: do not use the root.
  return err
}
// Signature verified and unmarshalled correctly. The struct may now be used.
if root.TreeSize > 0 {
  // Non-empty tree.
}
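
As an added illustration (not part of these release notes or of Trillian's own code) of what the inclusion proofs mentioned above protect, here is a self-contained RFC 6962 Merkle tree over SHA-256 using the same leaf/node domain separation as rfc6962.DefaultHasher: RootAndProof builds the root and the audit path for one leaf (the per-leaf work that BatchInclusionProof performs for several), and VerifyInclusion is the client-side check a personality runs against the root hash and tree size recovered from a verified signed root like the one above. Function names and the sample leaves are this example's own.

```go
package main

import ("bytes"; "crypto/sha256"; "math/bits")

// RFC 6962 domain separation, as in Trillian's rfc6962.DefaultHasher.
func sum(b []byte) []byte             { s := sha256.Sum256(b); return s[:] }
func HashLeaf(d []byte) []byte        { return sum(append([]byte{0x00}, d...)) }
func HashChildren(l, r []byte) []byte { return sum(append(append([]byte{0x01}, l...), r...)) }
func split(n int) int                 { return 1 << uint(bits.Len(uint(n-1))-1) } // largest power of two below n (n > 1)

// RootAndProof returns MTH(D[0:n]) and, for 0 <= m < n, the audit path
// PATH(m, D[0:n]) ordered from the leaf upwards (RFC 6962 sections 2.1, 2.1.1).
func RootAndProof(m int, leaves [][]byte) ([]byte, [][]byte) {
	n := len(leaves)
	if n == 0 {
		return sum(nil), nil // empty tree: hash of the empty string
	}
	if n == 1 {
		return HashLeaf(leaves[0]), nil
	}
	k := split(n)
	lh, lp := RootAndProof(m, leaves[:k])
	rh, rp := RootAndProof(m-k, leaves[k:])
	root := HashChildren(lh, rh)
	switch {
	case m < 0 || m >= n:
		return root, nil // no path requested, or index out of range
	case m < k:
		return root, append(lp, rh) // leaf is on the left; the right subtree hash is its sibling
	}
	return root, append(rp, lh)
}

// VerifyInclusion recomputes the root from leaf, index, tree size and audit path (RFC 9162 section 2.1.3.2).
func VerifyInclusion(leaf []byte, index, treeSize int, proof [][]byte, root []byte) bool {
	if index < 0 || index >= treeSize {
		return false
	}
	h, fn, sn := HashLeaf(leaf), index, treeSize-1
	for _, p := range proof {
		if sn == 0 {
			return false // path is longer than the tree is deep
		}
		if fn&1 == 1 || fn == sn {
			h = HashChildren(p, h) // p is the left sibling
			for fn&1 == 0 && fn != 0 { // skip levels where our node has no right sibling
				fn, sn = fn>>1, sn>>1
			}
		} else {
			h = HashChildren(h, p) // p is the right sibling
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(h, root)
}
```

A tampered leaf, a truncated or over-long path, or a wrong claimed index all fail the check; a client that skips it (as GetLeavesByRevisionNoProof allows) is trusting the server outright.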

MySQL changes

Configurable number of connections for MySQL

Two new flags have been added that limit connections to MySQL database servers:

  • --mysql_max_conns - limits the total number of database connections
  • --mysql_max_idle_conns - limits the number of idle database connections

By default, there is no maximum number of database connections. However, the
database server will likely impose limits on the number of connections. The
default limit on idle connections is controlled by Go's sql package.

Enforced no concurrent use of MySQL tx

Concurrently using a single MySQL transaction can cause the driver to error
out, so we now attempt to prevent this from happening.

Removal of length limits for a tree's display_name and description

Previously, these were restricted to 20 bytes and 200 bytes respectively. These
limits have been removed. However, the underlying storage implementation may
still impose its own limitations.

Server validation of leaf hashes

The log server now checks that leaf hashes are the correct length and returns
an InvalidArgument error if they are not. Previously, GetLeavesByHash would
simply not return any matching leaves for invalid hashes, and
GetInclusionProofByHash would return a NotFound error.

Map client

A MapClient has been added to simplify interacting with
the map server.

Database Schema

This version includes a change to the MySQL and Postgres database schemas to add
an index on the SequencedLeafData table. This improves performance for
inclusion proof queries.

Deployments

The Trillian Docker images now accept GOFLAGS and GO111MODULE arguments
and set them as environment variables inside the Docker container.

The db_server Docker image is now based on the MySQL 5.7 image from the
Google Cloud Marketplace, rather than the official MySQL 5.7 image.
This Dockerfile supersedes Dockerfile.db, which has been removed.

There is now a mysql.cnf file
alongside the Dockerfile that makes it easy to build the image with a custom
configuration, e.g. to allow MySQL to use more memory.

The trillian-log-service and trillian-log-signer Kubernetes services will
now have load balancers configured for them that expose those services outside
of the Kubernetes cluster. This makes it easier to access their APIs. When
deployed on Google Cloud, these will be Internal Load Balancers.
Note that this change cannot be applied to an existing deployment: delete
the existing Kubernetes services and redeploy them, otherwise you'll see an
error similar to: The Service "trillian-log-service" is invalid: spec.clusterIP: Invalid value: "": field is immutable.

A working Docker Compose configuration is
now available and can be used to bring up a local Trillian deployment for
testing and experimental purposes:

docker-compose -f examples/deployment/docker-compose.yml up

Docker Compose v3.1 or higher is required.

The Terraform, Kubernetes and Docker configuration files, as well as various
scripts, all now use the same, consistently-named environment variables for
MySQL-related data (e.g. MYSQL_DATABASE). The variable names are based on
those for the MySQL Docker image.

Docker images have been upgraded from Go 1.9 to 1.11. They now use "Distroless"
base images.

Dropped metrics

Quota metrics with specs of the form users/<user>/read and
users/<user>/write are no longer exported by the Trillian binaries (as they
lead to excessive storage requirements for Trillian metrics).

Resilience improvements in log_signer

Add timeout to sequencing loop

Added a timeout to the context in the sequencing loop, with a default of 60s.

Fix Operation Loop Hang

Resolved a bug that would hide errors and cause the OperationLoop to hang
until process exit if any error occurred.

Linting toolchain migration

gometalinter has been replaced with golangci-lint for improved performance and
Go module support.

Compact Merkle tree data structures

CompactMerkleTree has been removed from github.com/google/trillian/merkle,
and a new package github.com/google/trillian/merkle/compact was introduced. A
new powerful data structure named "compact range" has been added to that
package, and is now used throughou...

Map race fixed. TLS client support. LogClient improvements

20 Aug 10:31

Servers

A race condition was fixed that affected sparse Merkle trees as served by the map server.

Utilities / Binaries

The maphammer uses a consistent empty check, fixing spurious failures in some tests.

The createtree etc. set of utilities now support TLS via the -tls-cert-file flag. This support is also available as a client module.

Log Client

GetAndVerifyInclusionAtIndex no longer updates the client's root on every access, as this was an unexpected side effect. Clients now have explicit control of when the root is updated by calling UpdateRoot.

A root parameter is now required when log clients are constructed.

Other

The Travis build script has been updated for newer versions of MySQL (5.7 through MySQL 8) and will no longer work with 5.6.

Signer / Quota fixes. Error mapping fix. K8 improvements

25 Jun 10:42

The Log Signer now tries to avoid creating roots older than ones that already exist. This issue has been seen occurring on a test system. Important note: if running this code in production, allowing clocks to drift out of sync between nodes can cause other problems, including for clustering and database replication.

The Log Signer now publishes metrics for the logs that it is actively signing. In a clustered environment responsibility can be expected to move around between signer instances over time.

The Log API now allows personalities to explicitly list a vector of identifiers which should be charged for User quota. This allows a more nuanced application of request rate limiting across multiple dimensions. Some fixes have also been made to quota handling e.g. batch requests were not reserving the appropriate quota. Consult the corresponding PRs for more details.

For the log RPC server APIs GetLeavesByIndex and GetLeavesByRange MySQL storage has been modified to return status codes that match CloudSpanner. Previously some requests with out of range parameters were receiving 5xx error status rather than 4xx when errors were mapped to the HTTP space by CTFE.

The Kubernetes deployment scripts continue to evolve and improve.

CloudSpanner / Tracing / Health Checks

08 May 12:55
3a68a84

More improvements have been made to the CloudSpanner storage code. CloudSpanner storage has now been tested up to ~3.1 billion log entries.

Explicit health checks have been added to the gRPC Log and Map servers (and the log signer). The HTTP endpoint must be enabled and the checks will serve on /healthz where a non 200 response means the server is unhealthy. The example Kubernetes deployment configuration has been updated to include them. Other improvements have been made to the Kubernetes deployment scripts and docs.

The gRPC Log and Map servers have been instrumented for tracing with OpenCensus. For GCP it just requires the --tracing flag to be added and results will be available in the GCP console under StackDriver -> Trace.

CloudSpanner Improvements & Log Root structure changes etc.

17 Apr 08:02

Changes are in progress (e.g. see #1037) to rework the internal signed root format used by the log RPC server to be more useful / interoperable. Currently they are mostly internal API changes to the log and map servers. However, the signature and log_id fields in SignedLogRoot have been deleted and users must unpack the serialized structure to access these now. This change is not backwards compatible.

Changes have been made to log server APIs and CT frontends for when a request hits a server that has an earlier version of the tree than is needed to satisfy the request. In these cases the log server used to return an error but now returns an empty proof along with the current STH it has available. This allows clients to detect these cases and handle them appropriately.

The CloudSpanner schema has changed. If you have a database instance you'll need to recreate it with the new schema. Performance has been noticeably improved since the previous release and we have tested it to approx one billion log entries. Note: This code is still being developed and further changes are possible.

Support for sqlite in unit tests has been removed because of ongoing issues with flaky tests. These were caused by concurrent accesses to the same database, which it doesn't support. The use of sqlite in production has never been supported and it should not be used for this.

Docker Updates / Freezing Logs / CloudSpanner Options

08 Mar 13:42
0e6d950

The Docker image files have been updated and the database has been changed to MariaDB 10.1.

A ReadOnlyStaleness option has been added to the experimental CloudSpanner storage. This allows for tuning that might increase performance in some scenarios by issuing read transactions with the exact_staleness option set rather than strong_read. For more details see the CloudSpanner TransactionOptions documentation.

The LogVerifier interface has been removed from the log client, though the functionality is still available. It is unlikely that there were implementations by third-parties.

A new TreeState DRAINING has been added for trees with TreeType LOG. This is to support logs being cleanly frozen. A log tree in this state will not accept new entries via QueueLeaves but will continue to integrate any that were previously queued. When the queue of pending entries has been emptied the tree can be set to the FROZEN state safely. For MySQL storage this requires a schema update to add 'DRAINING' to the enum of valid states.

A command line utility updatetree has been added to allow tree states to be changed. This is also to support cleanly freezing logs.

A 'howto' document has been added that explains how to freeze a log tree using the features added in this release.

Storage API Changes, Schema Tweaks

01 Mar 11:16
7d73671

Note: A large number of storage related API changes have been made in this release. These will probably only affect developers writing their own storage implementations.

A new tree type PREORDERED_LOG has been added for upcoming mirror support. This requires a schema change before it can be used. This change can be made when convenient and can be deferred until the functionality is available and needed. The definition of the TreeType column enum should be changed to ENUM('LOG', 'MAP', 'PREORDERED_LOG') NOT NULL.

Some storage interfaces were removed in #977 as they only had one implementation. We think this won't cause any impact on third parties and are willing to reconsider this change if it does.

The gRPC Log and Map server APIs have new methods InitLog and InitMap which prepare newly created trees for use. Attempting to use trees that have not been initialized will return the FAILED_PRECONDITION error storage.ErrTreeNeedsInit.

The gRPC Log server API has new methods AddSequencedLeaf and AddSequencedLeaves. These are intended to support mirroring applications and are not yet implemented.

Storage APIs have been added such as ReadWriteTransaction which allows the underlying storage to manage the transaction and optionally retry until success or timeout. This is a more natural fit for some types of storage API such as CloudSpanner and possibly other environments with managed transactions.

The older BeginXXX methods were removed from the APIs. It should be fairly easy to convert a custom storage implementation to the new API format as can be seen from the changes made to the MySQL storage.

The GetOpts options are no longer used by storage. This fixed the strange situation of storage code having to pass manufactured dummy instances to GetTree, which was being called in all the layers involved in request processing. Various internal APIs were modified to take a *trillian.Tree instead of an int64.

A new storage implementation has been added for CloudSpanner. This is currently experimental and does not yet support Map trees. We have also added Docker examples for running Trillian in Google Cloud with CloudSpanner.

The maximum size of a VARBINARY column in MySQL is too small to properly support Map storage. The type has been changed in the schema to MEDIUMBLOB. This can be done in place with an ALTER TABLE command, but it could be very slow for large databases as it is a change to the physical row layout. Note: There is no need to make this change to the database if you are only using it for Log storage, e.g. for Certificate Transparency servers.

The obsolete programs queue_leaves and fetch_leaves have been deleted.

GetLeavesByRange. 403 Permission Errors. Signer Metrics.

05 Feb 16:00

A new log server RPC API has been added to get leaves in a range. This is a more natural fit for CT type applications as it more closely follows the CT HTTP API.

The server now returns 403 for permission denied where it used to return 500 errors. This follows the behaviour of the C++ implementation.

The log signer binary now reports metrics for the number it has signed and the number of errors that have occurred. This is intended to give more insight into the state of the queue and integration processing.