On the certificate rotation front, we are approaching a major milestone, with
all services becoming capable of rotating their certificates without
service disruption, including the rootCA certificate as well.

We also have resolved a few things around the need for the primordial node.
We cannot get rid of the need for a special node during the first bootstrap of
the PKI system, but after that the special node is not needed anymore, and the
leader SCM will be able to initiate the rotation of CA certificates we have in
the system.

For us the next big thing is handling the certificate revocation, also to do
some further code cleanup and simplification, it would be nice to have it
released soon after it is ready, but as we do not have it right now either
we can live through another release without it. It is a bit unrealistic to
have it included in a 1.5.0 release if it comes out within the next 1-2
months.

But the finished certificate rotation feature is somewhat mandatory, as there
are changes in how we store certificates, and even though the startup needs to
and will handle the old format, we would like to introduce a change and
transform the metadata directory structure during an upgrade finalization.

Pifta

Ritesh Shukla <rit...@cloudera.com.invalid> wrote (on Wed, Jun 7, 2023,
18:53):

> We can include the block token work that is in the process of being merged.
> That work considerably impacts performance, and delaying it to 1.5.0 will
> lead to a negative experience with a secure Ozone cluster for
> folks adopting Ozone in 1.4.0.
> Regards,
> Ritesh
>
> On Wed, Jun 7, 2023 at 9:49 AM Ethan Rose <er...@cloudera.com.invalid>
> wrote:
>
> > +1 for a 1.4.0 release. We had hoped for a 1.3.1 release but it looks like
> > that never gained the momentum it needed. It would be good to hear from
> > devs working on larger features whether or not they would like to target
> > this release. Things like snapshots, cert rotation, hsync, recon
> > improvements etc. From my end I'm planning to have v1 of the container
> > scanner done by the end of this month. It would be nice to have in the next
> > release but not essential.
> >
> > Also worth noting that doing a major release will lock in protos and disk
> > structures as they are on master for compatibility reasons. We have tried
> > to keep the master branch always releasable, but just an FYI to devs
> > working on larger tasks on master right now.
> >
> > Ethan
> >
> > On Wed, Jun 7, 2023 at 1:44 AM Sammi Chen <sammic...@apache.org> wrote:
> >
> > > Dear Ozone Devs,
> > >
> > > It's been almost 5 months since the last major 1.3.0 release in Dec 2022.
> > >
> > > In the past 5 months, there have been a lot of issues fixed and improvements
> > > made, together with new features, like httpFs, scm decommission, Recon new
> > > functions, snapshot, EC balancer support, the coming symmetric block
> > > token and certificate rotation, etc.
> > >
> > > So far, there are already 733 JIRAs resolved on 1.4.0.
> > >
> > >
> > > https://issues.apache.org/jira/issues/?jql=project+%3D+HDDS+and+fixVersion+%3D+1.4.0
> > >
> > > Usually it will take months to do a major release. So I propose to start
> > > the discussion of 1.4.0 now, things like which features should be involved
> > > in this release.
> > >
> > > And this release doesn't have a Release Manager yet. Welcome
> > > anyone (Committers or PMCs, for it requires some privileges on Apache
> > > facilities to do the release) to volunteer to be the RM of 1.4.0.
> > >
> > >
> > > Regards,
> > > Sammi
> > >
> >
>


-- 
Pifta
