github.com/osdi23p228/fabric@v0.0.0-20221218062954-77808885f5db/release_notes/v2.2.1.md (about) 1 v2.2.1 Release Notes - September 30, 2020 2 ========================================= 3 4 What's New in Hyperledger Fabric v2.2.1 5 --------------------------------------- 6 7 Hyperledger Fabric v2.2.1 provides important improvements and fixes, with a focus on the following areas: 8 * Management of certificate expirations 9 * Hardware security module (HSM) efficiency 10 * Upgrade to v2.x 11 12 13 Fixes 14 ----- 15 16 **FAB-18163: orderer certificate expiration - TLSHandshakeTimeShift without separate cluster port** 17 18 If the TLS certificates of the ordering service nodes expire and are not replaced in time, 19 communication between them cannot be established, making it impossible to send 20 new transactions to the ordering service. To recover from such a scenario, it is possible 21 to configure a backwards timeshift that ordering service nodes will utilize for TLS 22 handshakes so that transactions can be processed. 23 If the Raft cluster service is sharing the orderer’s main gRPC server port, 24 configure the new orderer.yaml `General.TLS.TLSHandshakeTimeShift` property. 25 If using a separate cluster listener port, 26 configure the orderer.yaml `General.Cluster.TLSHandshakeTimeShift` property. 27 28 **FAB-18205: orderer certificate expiration - Permit peer CLI to communicate with orderers with expired TLS certificates** 29 30 The change allows peer CLI to communicate with ordering service nodes with expired TLS certificates 31 by setting the `--tlsHandshakeTimeShift` flag to a desired backwards timeshift. 32 The change applies to the `peer channel fetch` and `peer channel update` commands to allow 33 fetching configuration blocks and updating the channel configuration for orderers with expired TLS certificates. 34 35 **FAB-18171: orderer certificate expiration - Disregard certificate validity period in intra-orderer communication** 36 37 This change makes the orderer cluster authentication infrastructure 38 disregard validity periods when comparing certificates, and only regard public keys. 39 With this change, an expiring Raft TLS certificate can be replaced 40 with a new certificate that has the same public key, without requiring channel configuration updates. 41 42 **FAB-18188: peer and orderer certificate expiration - Log expiration date upon startup** 43 44 The enrollment, TLS server, and TLS client certificate expiration dates are now logged upon peer and orderer startup. 45 46 **peer and orderer PKCS#11 - Add object handle cache** 47 48 With this change, object handles are cached in the PKCS#11 implementation. 49 In support of this change, in addition to pooling idle sessions, the 50 provider tracks active sessions. If some condition occurs that results 51 in all sessions being closed, cached object handles are no longer valid 52 so the handle cache is purged. 53 54 **FAB-18250: peer and orderer PKCS#11 - Introduce error checking for evicting invalid PKCS#11 sessions** 55 56 FAB-17722 introduced a call to the pkcs11 GetSessionInfo function for retrieving the current state of 57 the PKCS11 session. The result of this function was used to determine whether a session was still 58 valid to perform HSM operations or if it should be evicted from the session pool. Performance tests 59 showed that the call to GetSessionInfo was computationally prohibitively expensive. FAB-18242 reverted 60 this change and FAB-18250 introduced a new method for determining if the PKCS11 session is invalid. 61 Now when an HSM operation fails, we check the resultant error against the known session error codes and 62 evict the session from the pool if the error was the result of an invalid session. 63 64 **FAB-18208: peer - Do not sign gossip message if membership is empty** 65 66 This change suppresses the signing of gossip messages if the message will not get 67 sent regardless due to an empty gossip membership. The change reduces CPU consumption 68 and eliminates unnecessary calls to an HSM. 69 70 **peer and orderer PKCS#11 - Add log message if a key cannot be found** 71 72 A debug message is now provided in the bccsp_p11 logger if a key cannot be found in the HSM. 73 74 **FAB-18194: peer - Fix service discovery for legacy installed chaincodes** 75 76 The service discovery endorsers query may fail with errors 77 "failed constructing descriptor for chaincodes" and 78 "required chaincodes are not installed on sufficient peers", even 79 when a chaincode is installed on a sufficient number of peers. 80 The peer initialization has been fixed so that chaincodes installed with the legacy chaincode 81 lifecycle are correctly recognized by service discovery. 82 83 **FAB-18191: peer - Remove contents of leveldb directory instead of the directory when dropping databases** 84 85 The peer `upgrade-dbs`, `rebuild-dbs`, `reset`, and `rollback` commands each drop a peer's 86 leveldb databases so that they can be rebuilt upon the next peer startup. 87 The commands now remove all contents of the leveldb directories, rather than dropping the 88 directory itself. This fix is required if mounting one of the leveldb directories in addition 89 to the overall peer data directory as specified in core.yaml `peer.fileSystemPath`. 90 91 **FAB-15810: peer - Deprioritize fetching of missing private data** 92 93 The private data reconciler attempts to retrieve missing private data from other 94 peers in a channel that belong to the same private data collection based on the interval 95 configured in core.yaml `peer.gossip.pvtData.reconcileSleepInterval` 96 (by default every one minute). If private data cannot be reconciled, it will be attempted 97 every interval and may block the reconciliation of other private data. This fix places 98 private data that can't be reconciled in a depriorized queue so that other private data 99 can be reconciled. The depriorized entries will be re-attempted less often based on the 100 interval configured in core.yaml `ledger.pvtdataStore.deprioritizedDataReconcilerInterval` 101 (by default every 60 minutes). 102 103 **orderer - Check suspect info once per suspect interval when using Raft** 104 105 The Raft-based ordering service node was checking to see if it was evicted too often. 106 This fix ensures that the ordering service node only checks once per suspect interval, 107 which is every 10 minutes by default. 108 109 **cryptogen - Duplicate alternate names in multi-domain certificates** 110 111 When using cryptogen to generate certificates, the X509v3 Subject Alternative Name field contained duplicate entries. 112 The Subject Alternative Name now contains one entry per alternate name. 113 114 **FAB-18245: peer - Large values retrieved from chaincode may be incorrect when using CouchDB** 115 116 Chaincode values larger than 64kb are saved to CouchDB, 117 but not saved to the peer's CouchDB cache. 118 However, chaincode still attempted to retrieve from the cache, 119 and therefore an incorrect value may be retrieved. 120 The fix ensures that for values larger than 64kb, the data will be retrieved from CouchDB. 121 122 123 Deprecations (existing) 124 ----------------------- 125 126 **FAB-15754: The 'Solo' consensus type is deprecated.** 127 128 The 'Solo' consensus type has always been marked non-production and should be in 129 use only in test environments, however for compatibility it is still available, 130 but may be removed entirely in a future release. 131 132 **FAB-16408: The 'Kafka' consensus type is deprecated.** 133 134 The 'Raft' consensus type was introduced in v1.4.1 and has become the preferred 135 production consensus type. There is a documented and tested migration path from 136 Kafka to Raft, and existing users should migrate to the newer Raft consensus type. 137 For compatibility with existing deployments, Kafka is still supported, 138 but may be removed entirely in a future release. 139 Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published. 140 141 **Fabric CouchDB image is deprecated** 142 143 v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB. 144 If prior versions are utilized, a Warning will appear in peer log. 145 Note that CouchDB 3.1.0 requires that an admin username and password be set, 146 while this was optional in CouchDB v2.x. See the 147 [Fabric CouchDB documentation](https://hyperledger-fabric.readthedocs.io/en/v2.2.0/couchdb_as_state_database.html#couchdb-configuration) 148 for configuration details. 149 Also note that CouchDB 3.1.0 default max_document_size is reduced to 8MB. Set a higher value if needed in your environment. 150 Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published. 151 Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead. 152 153 **FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.** 154 155 Utilize the new 'OrdererEndpoints' stanza within the channel configuration of an organization instead. 156 Configuring orderer endpoints at the organization level accommodates 157 scenarios where orderers are run by different organizations. Using 158 this configuration ensures that only the TLS CA certificates of that organization 159 are used for orderer communications, in contrast to the global channel level endpoints which 160 would cause an aggregation of all orderer TLS CA certificates across 161 all orderer organizations to be used for orderer communications. 162 163 **FAB-17428: Support for configtxgen flag `--outputAnchorPeersUpdate` is deprecated.** 164 165 The `--outputAnchorPeersUpdate` mechanism for updating anchor peers has always had 166 limitations (for instance, it only works the first time anchor peers are updated). 167 Instead, anchor peer updates should be performed through the normal config update flow. 168 169 **FAB-15406: The fabric-tools docker image is deprecated** 170 171 The fabric-tools docker image will not be published in future Fabric releases. 172 Instead of using the fabric-tools docker image, users should utilize the 173 published Fabric binaries. The Fabric binaries can be used to make client calls 174 to Fabric runtime components, regardless of where the Fabric components are running. 175 176 **FAB-15317: Block dissemination via gossip is deprecated** 177 178 Block dissemination via gossip is deprecated and may be removed in a future release. 179 Fabric peers can be configured to receive blocks directly from an ordering service 180 node by using the following configuration: 181 ``` 182 peer.gossip.orgLeader: true 183 peer.gossip.useLeaderElection: false 184 peer.gossip.state.enabled: false 185 ``` 186 187 **FAB-15061: Legacy chaincode lifecycle is deprecated** 188 189 The legacy chaincode lifecycle from v1.x is deprecated and will be removed 190 in a future release. To prepare for the eventual removal, utilize the v2.x 191 chaincode lifecycle instead, by enabling V2_0 application capability on all 192 channels, and redeploying all chaincodes using the v2.x lifecycle. The new 193 chaincode lifecycle provides a more flexible and robust governance model 194 for chaincodes. For more details see the 195 [documentation for enabling the new lifecycle](https://hyperledger-fabric.readthedocs.io/en/release-2.2/enable_cc_lifecycle.html). 196 197 198 Change log 199 ---------- 200 For the full list of changes, refer to the release change log: 201 https://github.com/osdi23p228/fabric/blob/release-2.2/CHANGELOG.md#v221