Release v2.2.1

Changelog

Go Version

• 1.16.3: Both release executables and Docker images are built with this Go release.

Added

• Ability to set a timeout to NATS resolver (#2057)

Changed

• JetStreamVarz fields from structures to pointers so they can be omitted if empty. This is may affect users that embed the NATS Server in their code (#2009)

Improved

• Error log statement when an account registration fails (#2016)
• JetStream:
  • Durable consumers performance with Replicas > 1 (#2039, #2049)
  • Report error when mirror/sources stream prefix overlaps/collides with stream subjects (#2041)

Fixed

• JetStream:
  • Possible panic when consumers are stopped (#2008)
  • Panic on 32bit systems due to unaligned 64-bit atomic operations. Thanks to @GuangchaoDeng for the report (#2012)
  • Check for filter subject correctness of an upstream stream's mirror or source (#2013)
  • Reduce memory pressure and protect against some nil dereferences (#2015)
  • Mirror streams were not properly retrying after failures to create their internal consumer (#2017)
  • Prevent suppression of idle heartbeats for a filtered consumer on a busy stream (#2018)
  • Some updates for direct consumers (used for mirrors and sources streams) (#2021)
  • Possible double adds under reload or restart scenarios (#2023)
  • In operator mode, JetStream accounts were not all loaded on startup (#2024)
  • Consumer interest dropping and coming back across gateways (#2024)
  • Leaked subscriptions when retrying to create streams' source consumers (#2024)
  • Idle heartbeats were unnecessarily sent when a consumer was known to be active (#2024)
  • Performance degradation for mirrors and sources in presence of gaps (#2025)
  • Reworked sources and mirrors on missed data (#2026)
  • Reduce sliding window for direct consumers and catchup stream windows (#2027)
  • Flow control with multiple sources streams (#2028)
  • Chaining of sources and mirrors with filtered consumers (#2028)
  • General stability improvements (#2033)
  • Possible deadlock (#2034)
  • Panic when WAL was corrupted (#2045)
  • Prevent bad stream updates from deleting the stream (#2045)
  • When a request to get a message fails, returns code 404, instead of 500 (#2053)
  • Possible deadlock caused by an account lookup failure when processing a consumer assignment (#2054)
  • Consumer state (ack floor/pending or number of pending messages) could be skewed after server restarts (#2058)
• LeafNode:
  • verify_and_map was not honored (#2038)
  • When using Websocket connections, in some cases corruption could prevent messages to flow properly between nodes (#2040)
  • Subscriptions leak for subscriptions when hitting the "auto-unsubscribe" limit (#2059)
• MQTT:
  • Fix a possible subscription leak in setup failure conditions (#2061)
• Websocket:
  • Possible empty frames sent to webbrowser clients (#2040)
• Account connection events were not sent when using custom authentication (#2020)
• Disconnect clients for account JWT that has been disabled (#2048)

Complete Changes

v2.2.0...v2.2.1

Release v2.2.0

Changelog

Go Version

• 1.16.2: Both release executables and Docker images are built with this Go release.

Added

• JetStream, our new persistence offering (https://docs.nats.io/jetstream/jetstream)
• Websocket support (https://docs.nats.io/nats-server/configuration/websocket) (#1309)
  • Websocket Leafnode connections (#1858)
  • Cookie JWT authentication for Websocket. Thanks to #pas2k for the contribution (#1477)
• MQTT Support (https://docs.nats.io/nats-server/configuration/mqtt) (#1754)
  • Allow BearerToken as MQTT authentication method. Thanks to @angiglesias for the contribution (#1840)
• Monitoring:
  • New Endpoint: jsz for JetStream (#1881)
  • New Endpoint /accountz (#1611)
  • Value of GOMAXPROCS in /varz endpoint (#1304)
  • Ability to include subscription details in monitoring responses (#1318)
  • Endpoints now available via system services (#1362)
  • Base path for monitoring endpoints. Thanks to @guilherme-santos for the contribution (#1392)
  • Filtering by account for /leafz and exposing this as per account subject (#1612)
  • Support for tags and filter PING monitoring requests by tags (#1832)
  • JWT/IssuerKey/NameTag/Tags to monitoring and event endpoints (#1830)
  • tls_required, tls_verify and tls_timeout to Cluster/Gateway/Leafnode sections under /varz (#1854)
  • Operator JWT to /varz (#1862)
  • system_account to /varz (#1898)
• Options
  • lame_duck_grace_period (#1460)
  • sys_trace or --sys_trace command line to trace the system account (#1295)
  • resolver_tls to specify TLS configuration for account resolver. Thanks to @JnMik for the report (#1272)
  • allowed_connection_types to restrict which type connections (STANDARD, WEBSOCKET, etc..) can authenticate with a specific user (#1594)
  • verify_cert_and_check_known_urls to tie subject ALT name to URL in configuration (#1727)
  • account_token_position to simplify the securing of imports without requiring a token (#1874)
• Support for JWT BearerToken (#1226)
• Accounts default permissions (#1398)
• Printing of the configuration file being used in the startup banner. Thanks to @rmoriz for the report (#1473)
• Checks for CIDR blocks and connect time ranges specified in JWTs (#1567)
• Support for route hostname resolution. Thanks to @israellot for the report (#1590)
• Account name checks for Leafnodes in operator mode (#1739)
• User JWT payload and subscriber limits (#1570)
• Ability to use JWT latency sampling properties "headers" and "share" (#1776)
• Support for wildcard services and import remapping by JWT (#1790)
• Support for JWT export response threshold (#1793)
• Enforcement and usage of scoped signing keys (#1805)
• Support for StrictSigningKeyUsage (#1845)
• Support for JWT based account mappings (#1897)
• Build for mips64le platform. Thanks to @duchuanLX for the contribution (#1885)

Changed

• nats.io resources from HTTP to HTTPS. Thanks to @DavidSimner for the contribution (#1596)
• Default TLS and Authentication timeouts, to 2 seconds and TLS timeout + 1 second respectively (#1633)
• Gateways:
  • Connections now always send PINGs (the server otherwise will sometime suppress PINGs) (#1692)
  • Log statements regarding Interest-only mode switch is now DBG instead of INF (#2002)
• Enforce max_control_line for client connections only. The enforcement was previously happening only in case of handling of a partial protocol (#1850)

Improved

• Better support for distinguishedNameMatch in TLS authentication (#1577)

Updated

• Various dependencies, notably JWT and NKeys (#2004)

Fixed

• Log file size limit not honored after re-open signal (#1438)
• Leafnode issues
  • Unsubscribe may not be propagated correctly (#1455)
  • TLSMap authentication override (#1470)
  • Solicit failure race could leave the connection registered (#1475)
  • Loop detection may prevent early reconnect (#1607)
  • Possible panic when server accepts TLS Leafnode connection (#1652)
  • Duplicate queue messages in complex routing setup (#1725)
  • Reject duplicate remote (#1738)
  • Route parser error. Thanks to @wuddl6 for the report (#1745)
  • Configuration reload for remote TLS configurations (#1771)
  • Connection issues if scheme was not tls:// in some instances (#1846)
• Gateway issues:
  • Implicit reconnection (#1785)
  • Implicit connection not using global username/password. Thanks to @DavidSimner for the report (#1915)
  • System account incorrect tracking of gateways routed replies (#1749)
  • Configuration reload for remote TLS configurations (#1771)
• Connection name in log statement for some IPv6 addresses (#1506)
• Handling of real duplicate subscriptions (same subscription ID sent by clients) (#1507)
• Handling of gossiped URLs (#1517)
• Queue subscriptions not able to receive system events (#1530)
• JWT:
  • Revocation checks (#1632, #1645)
  • Validation of private imports (tokens) did return a warning instead of an error (#2004)
• Detect service import cycles (#1731)
• Syslog warning trace as a "INF" instead of "WRN". Thanks to @paoloteti for the contribution (#1788)
• Monitoring endpoint /connz may report incorrect user. Thanks to @nqd for the report (#1800)

Complete Changes

v2.1.9...v2.2.0

Release v2.1.9

Changelog

Go Version

• 1.14.10: Both release executables and Docker images are built with this Go release.

Fixed

• Possible panic if server receives a maliciously crafted JWT CVE-2020-26521 (#1624)
• User and claims activation revocation checks CVE-2020-26892 (#1632, #1635, #1645)
• Panic on shutdown while accepting TLS client connections (6900905)
• Added defensive code for handling of Leafnode connections (d99d0eb)

Complete Changes

v2.1.8...v2.1.9

Release v2.1.8

Changelog

Go Version

• 1.14.8: Both release executables and Docker images are built with this Go release.

Fixed

• Allow response permissions to work across accounts (#1487)
• Race condition during implicit Gateway reconnection (#1412)
• Possible stall on shutdown with leafnode setup. Thanks to @HeavyHorst for the report (#1414)
• Possible removal of interest on queue subs with leaf nodes (#1424)
• Unsubscribe may not be propagated through a leaf node (#1455)
• LeafNode solicit failure race could leave conn registered (#1475)
• Handling or real duplicate subscription (#1507)
• Log file size limit not honored after re-open signal (#1438)
• Connection name in log statement for some IPv6 addresses (#1506)
• Better support for distinguishedNameMatch in TLS Auth. Thanks to @nagukothapalli for the report (#1577)
• Error when importing an account results in an error (#1578)

Complete Changes

v2.1.7...v2.1.8

Release v2.1.7

Changelog

Go Version

• 1.13.10: Both release executables and Docker images are built with this Go release.

Added

• Monitoring endpoints available via system services (#1362)
• Configuration no_auth_user allows to refer to a configured user/account when no credentials are provided (#1363)
• Support to match domainComponent (DC) in RDNSequence with TLS authentication (#1386)
• Configuration http_base_path for monitoring endpoints. Thanks to @guilherme-santos for the contribution (#1392)

Improved

• Added close reason in the connection close statement (#1348)

Fixed

• Switch gateways to interest-only mode for Leafnode accounts (#1327)
• Leafnode loop detection fixes (#1331, #1338)
• Service reply interest propagation in some Leafnode scenario (#1334)
• Inconsistent subscription propagation behavior across accounts and Leafnodes (#1335)
• Service across account and Leafnodes (#1337)
• Service responses not delivered after Leafnode restart (#1345)
• Update remote gateway URLs when node goes away in cluster (#1352)
• Monitoring endpoint /subsz support for accounts (#1377)
• Validate options on configuration reload (#1381)
• Closed connection early in connect handshake may linger in the server (including monitoring /connz) (#1385)
• Account unnecessarily reloaded in some cases during configuration reload (#1387)
• default_permissions was not applied to NKey users (#1391)

Complete Changes

v2.1.6...v2.1.7

Release v2.1.6

Changelog

Go Version

• 1.13.9: Both release executables and Docker images are built with this Go release.

Added

• Ability to specify TLS configuration for the account resolver. Thanks to @JnMik for the report (#1272):

resolver_tls {
  cert_file: ...
  key_file: ...
  ca_file: ...
}

• Client IP (client_ip) in the server's INFO sent to clients. Client libraries may expose that in the future (#1293)
• Option trace_verbose and command line parameters -VV and -DVV to increase trace and debug verbosity. By default system account messages will not be traced unless this option is enabled (#1295)
• Value of GOMAXPROCS in /varz monitoring output (#1304)
• Option to include subscription details in monitoring endpoints /routez and /connz. For instance /connz?subs=detail will now return not only the subjects of the subscription, but the queue name (if applicable) and some other details (#1318)

Improved

• Recover from panics during configuration parsing and instead issue errors (#1274)
• Parse ping_interval as a duration. If not a duration, falls back to interpret as the number of seconds (#1281)
• Error trace in case protocol exceeds the max control line value (#1286)
• TLS version 1.3 and cipher names in log/monitoring. Thanks to @burner-account for the report (#1316)

Updated

• Include port on the "Connected leafnode" INF notice in the server log (#1303)
• Some dependencies. This covers the golang crypto package CVE. Note that the CVE mentions the ssh package, which NATS Server does not use, so it should not be affected. Thanks to @KauzClay for the contribution (#1320)

Fixed

• Server did not exit after receiving the lame duck mode signal. This is a regression introduced in v2.1.2 (#1276)
• Use configured ping interval for clients that have not yet sent the CONNECT protocol. When the CONNECT protocol is received, a ping will be sent to the client in a short period of time to establish the initial TTL for this client (#1289)
• A configuration producing a warning causes -DV to be ignored (#1291)
• Incorrect buffer reuse in case of partial connection write (#1298)
• Configuration reload of debug/trace option was not applied to existing clients (#1300)
• Loop detection for LeafNodes (#1308)
• Use account resolver URL from the operator JWT if one is specified. Note that if one is explicitly configured with the "resolver" option, it will take precedence (#1318)

Complete Changes

v2.1.4...v2.1.6

Release v2.1.4

Changelog

Go Version

• 1.13.7: Both release executables and Docker images are built with this Go release.

Added

• LogSizeLimit option to automatically rotate logs. Thanks to @xzzh999 for the report (#1202)

Updated

• Handling of slow consumer for non client connections (#1233)

Fixed

• Prevent "Account no-interest" for account that has service reply subscription (#1204)
• Closing of Gateway or Route TLS connection may hang (#1209)
• Messages to queue subscriptions are not distributed evenly. Thanks to @harrisa1 for the report (#1215)
• Allow multiple stream imports on the same subject (#1220)
• Do not check URL account resolver reachability on configuration reload (#1239)
• More than expected switch to Interest-Only mode for given account (#1242)
• Possible panic when handling bad subjects (#1249)
• Display of connections IPv6 addresses (#1260)
• LeafNode TLS issues with mixed IP/Hostnames. Thanks to @rbboulton for the report (#1261, #1264)
• Fail and report if LeafNode attempt to connect to wrong listen port (#1265)

Complete Changes

v2.1.2...v2.1.4

Release v2.1.2

Changelog

Go Version

• 1.12.13: Both release executables and Docker images are built with this Go release.

Added

• QueueSubscribe permissions (#1143)
• Use of single/multiple users for authentication of Leafnodes (#1147, #1168)
• ~ support for Leafnode credentials (#1148)
• Account support in /connz (#1154)
• server_name configuration option to help better identify a server through /varz or system events (#1158, #1166)

Updated

• In monitor home page, the help link now points to the monitoring page in our new documentation website (#1169)
• Handling of replies (including service replies) across Gateways (#1183, #1184, #1190, #1195)
• Server performs actual shutdown procedure (closing client connections, etc..) when signaled to exit (#1186)

Fixed

• Reject duplicate service import "to" subject (#1140)
• String trim in function getting the process name on Windows. Thanks to @beautytiger for the contribution (#1157)
• Panic when incorrectly using a wildcard for a stream import prefix. Thanks to @lucj for the report (#1160)
• Explicit gateway not using discovered URLs (#1165)
• Leafnode loop detection (#1170, #1172)
• Prevent server from sending a PING to measure RTT until the client has finished the connect process (#1175)
• Requestor RTT was often reported as 0 when tracking latency (#1179)
• Leaking of service imports and subscriptions on routes (#1185)
• Possible panic when processing route subscription interest (#1189)
• Some account locking issues and race that could cause clients to not receive messages (#1191)
• Server was fetching unknown account when tracking remote connections (#1192)
• Handling of missing account when processing a remote latency update (#1194)
• Ability to daisy chain Leafnode servers (#1196)
• Handling of split buffers for Leafnodes. Thanks to Bfox for the report (#1198, #1199)

Complete Changes

v2.1.0...v2.1.2

Release v2.1.0

Changelog

Go Version

• 1.12.9: Both release executables and Docker images are built with this Go release.

Added

• RTT in /routez details (#1101)
• New /leafz monitoring endpoint (#1108)
• Latency tracking for exported services (BETA) (#1111, #1112, #1122, #1125, #1130, #1132, #1136, #1137)
• System level services for debugging (BETA). Exported services to the system account for debugging of blackbox systems. Ability to get the number fo subscribers for a given subject and optionally queue group (#1127)

Fixed

• Some typos in code. Thanks to @beautytiger for the contribution (#1105)
• Some Leafnode issues (#1106)
• Issue when there is a circular dependency in account server import (#1119)
• MaxPending configured to more than 2GB. Thanks to @cv711 for the report (#1121)
• Some internal locking issues related to accounts lookup and updates (#1126, #1131)
• Ability to pass to the command line -cluster nets://<host>:-1 for a random port, which is used in some NATS libraries for testing. This was broken due to changes in Golang (#1128)
• Ensure server uses default if ResponsesPermissions's values are set to 0 (#1135)

Improved

Complete Changes

v2.0.4...v2.1.0

Release v2.0.4

Changelog

Go Version

• 1.12.8: Both release executables and Docker images are built with this Go release.

Added

• Use of GoReleaser. Thanks to @caarlos0 for this tool! (#1095)
• Deb and RPM packages (#1095)
• Publish permissions based on reply subjects of received messages (#1081)
• Support for user and activation token revocation (#1086)
• Leafnode connections to /varz (#1088)
• Ability to cross account import services to return streams as well as singletons (#1090)
• Support for service response types (#1091, #1093)

Fixed

• Leafnode user JWT with signer fails to authenticate (#1078)
• Leaked subscriptions from queue group across routes. Thanks to @ripienaar for the report (#1079)
• Shadow subscriptions can be leaked on stream import and connection close (#1090)
• Connection could be closed twice resulting in duplicate reconnect mainly affecting Gateways and Leafnodes (#1092)
• Some typos in code. Thanks to @ethan-daocloud for the contribution (#1098)

Improved

• Reduce memory usage on routes. Thanks to @ripienaar for the report (#1087)

Complete Changes

v2.0.2...v2.0.4