This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Weave v1.1.0

@awh released this 08 Sep 08:53

Highlights

  • weave launch now launches all weave components, simplifying
    startup.
  • weave status has been completely revamped, with a much improved
    presentation of the information, and the option to select and output
    data in JSON.
  • weaveDNS has been rewritten and embedded in the router. The new
    implementation simplifies configuration, improves performance, and
    provides fault resilience for services.
  • the weave Docker API proxy now provides an even more seamless user
    experience, and enables easier integration of weave with other
    systems such as kubernetes.
  • many usability improvements
  • a few minor bug fixes, including fixes for a couple of security
    vulnerabilities in the router's protocol handling (see Router below)

More details below and in the change log.

Installation & Upgrading

Follow the installation instructions to install this latest release of weave.

If upgrading from weave 1.0.x, note that a cluster can be upgraded incrementally, with some caveats:

  • Any installation using weaveDNS will experience a rolling partition
    of name resolution while the versions are mixed: containers only see
    names belonging to containers on weave peers running the same
    version, until every peer has been upgraded.

  • weave launch now launches all weave components, including
    weaveDNS and the proxy.
    For weaveDNS, if the existing installation was

    • launching weaveDNS without any options, then no action is
      required, since the weave launch-dns and weave stop-dns
      commands still exist but are no-ops,
    • launching weaveDNS with options, then these need to be moved to
      the weave launch invocation,
    • not launching weaveDNS, then you may want to disable it with the
      --no-dns option to weave launch, though generally this should
      not be necessary.

    For the proxy, if the existing installation was

    • launching the proxy without any options, then remove the weave launch-proxy invocation and instead just invoke weave launch
    • launching the proxy with options, then you need to launch the router and proxy separately, supplying the proxy options to the latter, i.e. weave launch-router && weave launch-proxy <options>,
    • not launching the proxy, then you may want to only launch the router (and embedded weaveDNS) with weave launch-router, though typically running weave launch instead is fine, since launching the proxy is harmless.
  • The default IP address allocation range has changed from
    10.128.0.0/10 to 10.32.0.0/12. If you are using weave's IP
    address allocator and have not been explicitly specifying a range
    (with -iprange), then upgraded peers must be kept on the old range,
    so that they continue to allocate from the same space as the
    existing peers and containers, by specifying
    --ipalloc-range=10.128.0.0/10.

  • weave proxy-env|proxy-config are deprecated in favour of weave env|config. The former still work but will display a deprecation
    warning when invoked, so you should update any scripts to use the
    new commands.

  • The proxy now listens on a unix domain socket instead of TCP/IP if
    that is how the launching environment connects to the Docker
    daemon. This is reflected in weave env|config, so any local
    code/scripts using those to configure their connection to the proxy
    should be unaffected. However, if you have code/scripts that have
    the proxy's TCP/IP endpoint hard-coded, then you may need to force
    the proxy to listen on TCP/IP, as it did previously, by launching it
    with weave launch-proxy -H tcp://0.0.0.0:12375. Note that this
    binds every interface with no authentication, and since the proxy
    forwards requests to the Docker daemon, anyone who can reach that
    port gets whatever the Docker API allows; that exposure is why it is
    no longer the default behaviour. Consider

    • switching to unix domain sockets, if you are connecting to the
      proxy locally,
    • restricting the network interfaces/IP addresses by supplying
      something other than 0.0.0.0, or
    • switching to TLS.

  • weaveDNS has far fewer options than previously. The removed options do not make sense in the new implementation and are unlikely to have been used in many installations, but if they were, simply removing them should be safe in most setups.

  • A number of options have been renamed. The old names still work but
    you should update any scripts to use the new ones.
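To make the point in the proxy caveat concrete, here is an added example (not weave's code) that classifies a proxy listen address the way a reviewer would before approving a launch script: a unix socket or loopback TCP is local-only, while anything else on plain TCP exposes the Docker API to the network. The socket path and the tlsVerify argument are assumptions: the release notes say only that TLS is an option, so the example takes the TLS state as a boolean rather than naming a flag.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Exposure is the verdict for a proxy listen address.
type Exposure string

const (
	ExposureLocal   Exposure = "local-only"   // unix socket or loopback TCP
	ExposureTLS     Exposure = "network-tls"  // reachable over the network, TLS client auth required
	ExposureOpen    Exposure = "network-open" // plain TCP reachable from other hosts: unauthenticated Docker API
	ExposureInvalid Exposure = "invalid"
)

// ClassifyProxyEndpoint judges the address the proxy is told to listen on
// (the -H value, which weave env then exports as DOCKER_HOST). tlsVerify
// says whether the proxy was launched with TLS client verification; the
// release notes only say "switching to TLS", so no flag name is assumed.
func ClassifyProxyEndpoint(endpoint string, tlsVerify bool) (Exposure, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return ExposureInvalid, err
	}
	switch u.Scheme {
	case "unix":
		// Reachability is governed by filesystem permissions on the socket,
		// not by who can route packets to the host.
		return ExposureLocal, nil
	case "tcp":
		host, _, err := net.SplitHostPort(u.Host)
		if err != nil {
			return ExposureInvalid, err
		}
		ip := net.ParseIP(host)
		if ip == nil {
			// A hostname could resolve anywhere; refuse to guess.
			return ExposureInvalid, fmt.Errorf("host %q is not an IP literal", host)
		}
		if ip.IsLoopback() {
			return ExposureLocal, nil
		}
		// 0.0.0.0 and :: bind every interface; any other non-loopback
		// address is reachable from at least one network segment.
		if tlsVerify {
			return ExposureTLS, nil
		}
		return ExposureOpen, nil
	default:
		return ExposureInvalid, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
}

func main() {
	// Constructed sample endpoints; the unix socket path is illustrative.
	cases := []struct {
		endpoint  string
		tlsVerify bool
	}{
		{"unix:///var/run/weave/weave.sock", false},
		{"tcp://127.0.0.1:12375", false},
		{"tcp://0.0.0.0:12375", false},
		{"tcp://[::]:12375", false},
		{"tcp://10.0.0.5:12375", true},
	}
	for _, c := range cases {
		verdict, err := ClassifyProxyEndpoint(c.endpoint, c.tlsVerify)
		fmt.Printf("%-34s tls=%-5v -> %s", c.endpoint, c.tlsVerify, verdict)
		if err != nil {
			fmt.Printf(" (%v)", err)
		}
		fmt.Println()
	}
}
```

Run it against the value of DOCKER_HOST after eval $(weave env) on each host; any "network-open" verdict means the proxy, and through it the Docker daemon, is reachable by anyone who can route to that port.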

Changes

Command Line Interface

  • make weave launch launch the router, weaveDNS and the proxy. As a
    result weave startup is simpler than ever. In situations where
    special configuration of the proxy is required, the router and proxy
    can be launched separately with weave launch-router and weave
    launch-proxy. #382/#962/#1009/#1011/#1012, #1043/#1072
  • completely revamp weave status.
    The main command now shows a much more concise and readable summary,
    which, for example, makes it easier to spot connectivity
    issues. Sub-commands provide additional information, which is better
    presented and more informative than was previously the case. And
    weave report produces a status report in JSON format, with the
    ability to select specific pieces of information with a
    template. #1025/#1141/#1027/#908/#1248, #1315, #1328/#1335, #1185/#1283
  • improve consistency in command line option naming. Long options
    start with two hyphens, the --<option>= notation is supported, and
    multi-word options are hyphenated. Also, all DNS options now start
    with --dns-. All old option names have been retained for backward
    compatibility; their usage results in a deprecation warning in the
    logs. #602/#1084, #1087/#1096
  • log a more helpful error when an invalid flag is specified in weave launch. #1321/#1324
  • output the weave usage message on stderr instead of stdout, thus
    preventing odd behaviour for the likes of eval $(weave env) when
    the command is mistyped. #1082/#1092
  • add --init-peer-count to usage output, from which it was
    missing. #1041/#1045.
  • make weave --help|help work even when we cannot communicate with
    Docker. #1322/#1325
  • reduce start-up time of weave launch. #992/#993
  • introduce --log-level option for better control over log
    levels. #329/#1057
  • improve Docker version compatibility checking, preventing misleading
    error messages. #576/#1297/#1298/#1326
  • improve download times by re-arranging the layers of the weavexec
    image. #1170

Docker API proxy

  • enable listening on a unix domain socket, and do so automatically if
    the launching environment connects to the Docker daemon that way. This
    simplifies configuration and avoids weakening Docker's access
    control: the proxy no longer puts an unauthenticated TCP listener in
    front of a daemon that was only reachable via its
    socket. #1003/#1026, #1055/#1099
  • rename --no-default-ipam option to --no-default-ipalloc. The
    former still works but will log a deprecation warning. #1040/#1048
  • remove -D option since it wasn't doing anything useful. #972/#978
  • replace weave proxy-env|proxy-config with weave env|config. The former still work but will display a deprecation
    warning when invoked. #1014/#1080/#1081
  • introduce weave env --restore,
    which restores the environment modified with weave env. This would
    typically be invoked just prior to weave stop|reset. #1288/#1327
  • introduce rewriting of /etc/hosts so that hostname -i returns the
    weave IP instead of the Docker IP. hostname -i, and its equivalent
    system call, is invoked by some clustered applications like
    cassandra and consul; this change gets them to operate over the
    weave network by default. The feature can be disabled with the
    --no-rewrite-hosts proxy option. #68/#1079, #1252/#1265, #1373/#1375
  • add --rewrite-inspect flag to make docker inspect return the weave
    network settings (such as the container's weave IP address) instead
    of the Docker settings. This is useful for integration of weave with
    systems such as kubernetes that depend on the docker inspect
    output. #117/#212/#1199/#1222/#1376, #1390/#1391
  • attach containers to the weave network by default unless they were started with
    --net=host or --net=container:.... In particular, containers
    started with --net=none now get attached. #1302/#1303
  • permit (the equivalent of) --net=container:(another container with weave networking) to be specified at container start
    time. Previously this would hang. Note that specifying a network
    mode that way is a backward compatibility feature of the Docker
    Remote API; normally the mode is set during container creation. So
    this did not affect the Docker CLI and most other systems, but did
    cause problems when integrating weave with Kubernetes. #1258/#1314
  • handle chunked responses correctly. Failure to do so was causing
    errors when some Docker API clients, though not the Docker CLI, were
    pointed at the proxy. #1103/#1110/#1112, #1257/#1259
  • do not disable restart policies, or stomp on the --volume-driver
    option, of containers started via the proxy. #1209/#1314, #1378
  • eliminate a very rare race condition that could cause container
    start to hang. #1300/#1314
  • improve logging of errors and warnings. #1056/#1067, #1310
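As an added example of what the /etc/hosts rewrite listed above does inside a container (this is not the proxy's code; the hosts content and the addresses are constructed for illustration), the functions below rewrite a Docker-generated hosts file so that the container's own name resolves to its weave address, and mimic the lookup hostname -i performs before and after the rewrite.

```go
package main

import (
	"fmt"
	"strings"
)

// RewriteHosts returns a copy of an /etc/hosts file in which every entry
// carrying one of names is pointed at weaveIP. Other lines (localhost, the
// IPv6 defaults, comments, blank lines) are left untouched.
func RewriteHosts(hosts, weaveIP string, names ...string) string {
	wanted := make(map[string]bool, len(names))
	for _, n := range names {
		wanted[n] = true
	}
	lines := strings.Split(hosts, "\n")
	for i, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		for _, name := range fields[1:] {
			if wanted[name] {
				lines[i] = weaveIP + "\t" + strings.Join(fields[1:], " ")
				break
			}
		}
	}
	return strings.Join(lines, "\n")
}

// LookupHostsIP mimics what the resolver does for hostname -i when
// /etc/hosts has an entry: return the address on the first line that lists
// name. An empty string means there is no entry.
func LookupHostsIP(hosts, name string) string {
	for _, line := range strings.Split(hosts, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		for _, n := range fields[1:] {
			if n == name {
				return fields[0]
			}
		}
	}
	return ""
}

func main() {
	// Constructed /etc/hosts as Docker writes it for a container whose
	// hostname is its short id; 172.17.0.2 stands in for Docker's bridge address.
	const dockerHosts = "127.0.0.1\tlocalhost\n" +
		"::1\tlocalhost ip6-localhost ip6-loopback\n" +
		"172.17.0.2\tc0ffee123456\n"
	const weaveIP = "10.32.0.1" // constructed address from the new default range

	fmt.Println("before:", LookupHostsIP(dockerHosts, "c0ffee123456"))
	rewritten := RewriteHosts(dockerHosts, weaveIP, "c0ffee123456")
	fmt.Println("after: ", LookupHostsIP(rewritten, "c0ffee123456"))
	fmt.Print(rewritten)
}
```

Only the line naming the container changes; localhost and the IPv6 defaults must survive, since clustered applications that bind to localhost would otherwise break in a different way.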

Router

  • prevent repeated connection attempts from peers to themselves, which
    could result in a lot of log noise and some performance
    degradation. #1305/#1318
  • weave attach|detach
    and weave expose|hide
    now output the IP addresses involved. #954/#968
  • eliminate a DoS vector which could allow an attacker to trigger an
    out-of-memory crash by injecting certain malformed weave protocol
    packets. On encrypted weave networks this is now no longer possible
    without knowledge of the password. #912/#1098
  • prevent exposure of potentially sensitive information to an attacker
    during the connection establishment on an encrypted weave
    network. Note that no sensitive information is exposed by existing
    versions of the weave protocol, so this is merely guarding against
    potential future vulnerability. #1029/#1098
  • seed the random number generator properly. Lack of that could in
    some rare circumstances cause IP address allocation to take a long
    time. #1004/#1068
  • replace gob with length-prefix encoding in the outermost protocol
    framing. This improves performance of the codec slightly. #1189
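The two security fixes above concern what a peer can make the router do with hostile bytes, and the new outermost framing is length-prefixed. The following added example (not weave's code; the frame layout and MaxFrameLen are assumptions for illustration) shows the check a length-prefixed decoder needs so that a declared length by itself cannot trigger a large allocation, which is the general shape of an out-of-memory DoS in such codecs.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MaxFrameLen caps the payload size a single frame may declare. The value
// is an assumption for this example, not weave's limit.
const MaxFrameLen = 1 << 16

var ErrFrameTooLarge = errors.New("frame length exceeds limit")

// WriteFrame emits a 4-byte big-endian length prefix followed by the payload.
func WriteFrame(w io.Writer, payload []byte) error {
	if len(payload) > MaxFrameLen {
		return ErrFrameTooLarge
	}
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(payload)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err := w.Write(payload)
	return err
}

// ReadFrame reads one frame. The declared length is checked against
// MaxFrameLen before any buffer is allocated: a 4-byte header claiming a
// 4 GiB payload is rejected instead of driving the process out of memory.
// A decoder that does make([]byte, n) straight from the header is exactly
// the allocation an unauthenticated peer can weaponise.
func ReadFrame(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > MaxFrameLen {
		return nil, fmt.Errorf("%w: declared %d, limit %d", ErrFrameTooLarge, n, MaxFrameLen)
	}
	buf := make([]byte, n)
	// ReadFull fails with io.ErrUnexpectedEOF on a truncated frame, so a
	// partial payload is never handed to the caller as if it were complete.
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

func main() {
	var wire bytes.Buffer
	if err := WriteFrame(&wire, []byte("gossip payload")); err != nil {
		panic(err)
	}
	payload, err := ReadFrame(&wire)
	fmt.Printf("well-formed frame: %q err=%v\n", payload, err)

	// Constructed hostile input: a header declaring 0xffffffff bytes with no body.
	hostile := []byte{0xff, 0xff, 0xff, 0xff}
	_, err = ReadFrame(bytes.NewReader(hostile))
	fmt.Printf("hostile header: err=%v tooLarge=%v\n", err, errors.Is(err, ErrFrameTooLarge))

	// Constructed truncated input: declares 10 bytes, delivers 2.
	truncated := []byte{0, 0, 0, 10, 'a', 'b'}
	_, err = ReadFrame(bytes.NewReader(truncated))
	fmt.Printf("truncated frame: err=%v\n", err)
}
```

On an encrypted network the fix above means an attacker without the password never reaches this layer with chosen bytes; the bound is still worth having, because it makes the decoder safe regardless of what sits in front of it.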

Naming and Discovery (weaveDNS)

IP Address Allocator

  • The default IP address allocation range has been changed from
    10.128.0.0/10 to 10.32.0.0/12 to avoid clashes with subnets used
    by some cloud platforms like Digital Ocean and GCE. #1036/#1070
  • The -iprange and -ipsubnet options have been renamed to
    --ipalloc-range and --ipalloc-default-subnet, to make their
    purpose clearer. The old names have been retained for backward
    compatibility; their usage results in a deprecation warning in the
    logs. #1035
  • prevent weave launch from failing when weave expose had
    previously been run with automatic IP address
    allocation. #1076/#1249/#1090, #1320
  • prevent delays of up to 30 seconds when first allocating an IP
    address in a partially connected weave network with intermediate
    peers that have IP allocation disabled. #1118/#1149
  • cope with more situations of restarting weave when there are running
    containers with automatically allocated IP addresses. In particular
    stopping all peers and then restarting them in a different order now
    works. #1150/#1159, #1243/#1268
  • permit manual allocation in the IP allocation range. This results
    in a warning if the chosen address has already been
    allocated. #687/#598/#1200, #1030/#1228/#1380
  • improve a number of warning and error
    messages. #437/#480/#1053, #1034, #1128/#1174, #1317

Build & Test

Improvements "under the hood"

  • replace homegrown go logging library with
    logrus, and direct all log
    messages to stderr. #664/#1039/#1044
  • make container aliveness check part of the IPAM/DNS APIs rather than
    applying a heuristic. #971/#1073
  • output json status based on 'Accept' header instead of requiring
    separate endpoint. #1063/#1077
  • label weave infrastructure containers with
    works.weave.role=system. #1290
  • apply some refactoring for simplification, extraction of common code
    and better readability. #997, #1016, #1095,#1289, #1101, #1219, #1254