github.com/osdi23p228/fabric@v0.0.0-20221218062954-77808885f5db/release_notes/v2.2.1.md (about)

     1  v2.2.1 Release Notes - September 30, 2020
     2  =========================================
     3  
     4  What's New in Hyperledger Fabric v2.2.1
     5  ---------------------------------------
     6  
     7  Hyperledger Fabric v2.2.1 provides important improvements and fixes, with a focus on the following areas:
     8  * Management of certificate expirations
     9  * Hardware security module (HSM) efficiency
    10  * Upgrade to v2.x
    11  
    12  
    13  Fixes
    14  -----
    15  
    16  **FAB-18163: orderer certificate expiration - TLSHandshakeTimeShift without separate cluster port**
    17  
    18  If the TLS certificates of the ordering service nodes expire and are not replaced in time,
    19  communication between them cannot be established, making it impossible to send
    20  new transactions to the ordering service. To recover from such a scenario, it is possible
    21  to configure a backwards timeshift that ordering service nodes will utilize for TLS
    22  handshakes so that transactions can be processed.
    23  If the Raft cluster service is sharing the orderer’s main gRPC server port,
    24  configure the new orderer.yaml `General.TLS.TLSHandshakeTimeShift` property.
    25  If using a separate cluster listener port,
    26  configure the orderer.yaml `General.Cluster.TLSHandshakeTimeShift` property.
    27  
    28  **FAB-18205: orderer certificate expiration - Permit peer CLI to communicate with orderers with expired TLS certificates**
    29  
    30  The change allows peer CLI to communicate with ordering service nodes with expired TLS certificates
    31  by setting the `--tlsHandshakeTimeShift` flag to a desired backwards timeshift.
    32  The change applies to the `peer channel fetch` and `peer channel update` commands to allow
    33  fetching configuration blocks and updating the channel configuration for orderers with expired TLS certificates.
    34  
    35  **FAB-18171: orderer certificate expiration - Disregard certificate validity period in intra-orderer communication**
    36  
    37  This change makes the orderer cluster authentication infrastructure
    38  disregard validity periods when comparing certificates, and only regard public keys.
    39  With this change, an expiring Raft TLS certificate can be replaced
    40  with a new certificate that has the same public key, without requiring channel configuration updates.
    41  
    42  **FAB-18188: peer and orderer certificate expiration - Log expiration date upon startup**
    43  
    44  The enrollment, TLS server, and TLS client certificate expiration dates are now logged upon peer and orderer startup.
    45  
    46  **peer and orderer PKCS#11 - Add object handle cache**
    47  
    48  With this change, object handles are cached in the PKCS#11 implementation.
    49  In support of this change, in addition to pooling idle sessions, the
    50  provider tracks active sessions. If some condition occurs that results
    51  in all sessions being closed, cached object handles are no longer valid
    52  so the handle cache is purged.
    53  
    54  **FAB-18250: peer and orderer PKCS#11 - Introduce error checking for evicting invalid PKCS#11 sessions**
    55  
    56  FAB-17722 introduced a call to the pkcs11 GetSessionInfo function for retrieving the current state of
    57  the PKCS11 session. The result of this function was used to determine whether a session was still
    58  valid to perform HSM operations or if it should be evicted from the session pool. Performance tests
    59  showed that the call to GetSessionInfo was computationally prohibitively expensive. FAB-18242 reverted
    60  this change and FAB-18250 introduced a new method for determining if the PKCS11 session is invalid.
    61  Now when an HSM operation fails, we check the resultant error against the known session error codes and
    62  evict the session from the pool if the error was the result of an invalid session.
    63  
    64  **FAB-18208: peer - Do not sign gossip message if membership is empty**
    65  
    66  This change suppresses the signing of gossip messages if the message will not get
    67  sent regardless due to an empty gossip membership. The change reduces CPU consumption
    68  and eliminates unnecessary calls to an HSM.
    69  
    70  **peer and orderer PKCS#11 - Add log message if a key cannot be found**
    71  
    72  A debug message is now provided in the bccsp_p11 logger if a key cannot be found in the HSM.
    73  
    74  **FAB-18194: peer - Fix service discovery for legacy installed chaincodes**
    75  
    76  The service discovery endorsers query may fail with errors
    77  "failed constructing descriptor for chaincodes" and
    78  "required chaincodes are not installed on sufficient peers", even
    79  when a chaincode is installed on a sufficient number of peers.
    80  The peer initialization has been fixed so that chaincodes installed with the legacy chaincode
    81  lifecycle are correctly recognized by service discovery.
    82  
    83  **FAB-18191: peer - Remove contents of leveldb directory instead of the directory when dropping databases**
    84  
    85  The peer `upgrade-dbs`, `rebuild-dbs`, `reset`, and `rollback` commands each drop a peer's
    86  leveldb databases so that they can be rebuilt upon the next peer startup.
    87  The commands now remove all contents of the leveldb directories, rather than dropping the
    88  directory itself. This fix is required if mounting one of the leveldb directories in addition
    89  to the overall peer data directory as specified in core.yaml `peer.fileSystemPath`.
    90  
    91  **FAB-15810: peer - Deprioritize fetching of missing private data**
    92  
    93  The private data reconciler attempts to retrieve missing private data from other
    94  peers in a channel that belong to the same private data collection based on the interval
    95  configured in core.yaml `peer.gossip.pvtData.reconcileSleepInterval`
    96  (by default every one minute). If private data cannot be reconciled, it will be attempted
    97  every interval and may block the reconciliation of other private data. This fix places
    98  private data that can't be reconciled in a depriorized queue so that other private data
    99  can be reconciled. The depriorized entries will be re-attempted less often based on the
   100  interval configured in core.yaml `ledger.pvtdataStore.deprioritizedDataReconcilerInterval`
   101  (by default every 60 minutes).
   102  
   103  **orderer - Check suspect info once per suspect interval when using Raft**
   104  
   105  The Raft-based ordering service node was checking to see if it was evicted too often.
   106  This fix ensures that the ordering service node only checks once per suspect interval,
   107  which is every 10 minutes by default.
   108  
   109  **cryptogen - Duplicate alternate names in multi-domain certificates**
   110  
   111  When using cryptogen to generate certificates, the X509v3 Subject Alternative Name field contained duplicate entries.
   112  The Subject Alternative Name now contains one entry per alternate name.
   113  
   114  **FAB-18245: peer - Large values retrieved from chaincode may be incorrect when using CouchDB**
   115  
   116  Chaincode values larger than 64kb are saved to CouchDB,
   117  but not saved to the peer's CouchDB cache.
   118  However, chaincode still attempted to retrieve from the cache,
   119  and therefore an incorrect value may be retrieved.
   120  The fix ensures that for values larger than 64kb, the data will be retrieved from CouchDB.
   121  
   122  
   123  Deprecations (existing)
   124  -----------------------
   125  
   126  **FAB-15754: The 'Solo' consensus type is deprecated.**
   127  
   128  The 'Solo' consensus type has always been marked non-production and should be in
   129  use only in test environments, however for compatibility it is still available,
   130  but may be removed entirely in a future release.
   131  
   132  **FAB-16408: The 'Kafka' consensus type is deprecated.**
   133  
   134  The 'Raft' consensus type was introduced in v1.4.1 and has become the preferred
   135  production consensus type.  There is a documented and tested migration path from
   136  Kafka to Raft, and existing users should migrate to the newer Raft consensus type.
   137  For compatibility with existing deployments, Kafka is still supported,
   138  but may be removed entirely in a future release.
   139  Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published.
   140  
   141  **Fabric CouchDB image is deprecated**
   142  
   143  v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB.
   144  If prior versions are utilized, a Warning will appear in peer log.
   145  Note that CouchDB 3.1.0 requires that an admin username and password be set,
   146  while this was optional in CouchDB v2.x. See the
   147  [Fabric CouchDB documentation](https://hyperledger-fabric.readthedocs.io/en/v2.2.0/couchdb_as_state_database.html#couchdb-configuration)
   148  for configuration details.
   149  Also note that CouchDB 3.1.0 default max_document_size is reduced to 8MB. Set a higher value if needed in your environment.
   150  Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published.
   151  Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead.
   152  
   153  **FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.**
   154  
   155  Utilize the new 'OrdererEndpoints' stanza within the channel configuration of an organization instead.
   156  Configuring orderer endpoints at the organization level accommodates
   157  scenarios where orderers are run by different organizations. Using
   158  this configuration ensures that only the TLS CA certificates of that organization
   159  are used for orderer communications, in contrast to the global channel level endpoints which
   160  would cause an aggregation of all orderer TLS CA certificates across
   161  all orderer organizations to be used for orderer communications.
   162  
   163  **FAB-17428: Support for configtxgen flag `--outputAnchorPeersUpdate` is deprecated.**
   164  
   165  The `--outputAnchorPeersUpdate` mechanism for updating anchor peers has always had
   166  limitations (for instance, it only works the first time anchor peers are updated).
   167  Instead, anchor peer updates should be performed through the normal config update flow.
   168  
   169  **FAB-15406: The fabric-tools docker image is deprecated**
   170  
   171  The fabric-tools docker image will not be published in future Fabric releases.
   172  Instead of using the fabric-tools docker image, users should utilize the
   173  published Fabric binaries. The Fabric binaries can be used to make client calls
   174  to Fabric runtime components, regardless of where the Fabric components are running.
   175  
   176  **FAB-15317: Block dissemination via gossip is deprecated**
   177  
   178  Block dissemination via gossip is deprecated and may be removed in a future release.
   179  Fabric peers can be configured to receive blocks directly from an ordering service
   180  node by using the following configuration:
   181  ```
   182  peer.gossip.orgLeader: true
   183  peer.gossip.useLeaderElection: false
   184  peer.gossip.state.enabled: false
   185  ```
   186  
   187  **FAB-15061: Legacy chaincode lifecycle is deprecated**
   188  
   189  The legacy chaincode lifecycle from v1.x is deprecated and will be removed
   190  in a future release. To prepare for the eventual removal, utilize the v2.x
   191  chaincode lifecycle instead, by enabling V2_0 application capability on all
   192  channels, and redeploying all chaincodes using the v2.x lifecycle. The new
   193  chaincode lifecycle provides a more flexible and robust governance model
   194  for chaincodes. For more details see the
   195  [documentation for enabling the new lifecycle](https://hyperledger-fabric.readthedocs.io/en/release-2.2/enable_cc_lifecycle.html).
   196  
   197  
   198  Change log
   199  ----------
   200  For the full list of changes, refer to the release change log:
   201  https://github.com/osdi23p228/fabric/blob/release-2.2/CHANGELOG.md#v221