From ea480d68fea504744941a5bfb80c8bec7535ea68 Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Tue, 19 Sep 2023 14:51:01 -0400 Subject: [PATCH 01/11] enhancement(deps)!: remove openssl legacy provider flag and update documentation --- Cargo.lock | 5 +-- Cargo.toml | 2 -- src/app.rs | 36 ------------------- src/cli.rs | 12 ------- website/cue/reference/components/sinks.cue | 4 ++- website/cue/reference/components/sources.cue | 8 +++-- .../components/sources/opentelemetry.cue | 12 +------ website/cue/reference/urls.cue | 1 + 8 files changed, 13 insertions(+), 67 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 137b0e7358587..c33ce6fb5111f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5859,8 +5859,9 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-src" -version = "300.1.3+3.1.2" -source = "git+https://github.com/alexcrichton/openssl-src-rs#26dc3c81d8ebee5f7ec40835e29bf9f37e648ab2" +version = "300.1.5+3.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "559068e4c12950d7dcaa1857a61725c0d38d4fc03ff8e070ab31a75d6e316491" dependencies = [ "cc", ] diff --git a/Cargo.toml b/Cargo.toml index dba2b86f724b2..b4475d963b6e3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -385,8 +385,6 @@ nix = { git = "https://github.com/vectordotdev/nix.git", branch = "memfd/gnu/mus # The `heim` crates depend on `ntapi` 0.3.7 on Windows, but that version has an # unaligned access bug fixed in the following revision. ntapi = { git = "https://github.com/MSxDOS/ntapi.git", rev = "24fc1e47677fc9f6e38e5f154e6011dc9b270da6" } -# 300.1.3+3.1.2 + a commit that re-adds force-engine flag. Can be removed after next release of openssl-src. -openssl-src = { git = "https://github.com/alexcrichton/openssl-src-rs", ref = "26dc3c81d8ebee5f7ec40835e29bf9f37e648ab2" } [features] # Default features for *-unknown-linux-gnu and *-apple-darwin diff --git a/src/app.rs b/src/app.rs index e8ac0a6061233..7c82832c558ad 100644 
--- a/src/app.rs +++ b/src/app.rs @@ -8,7 +8,6 @@ use futures::StreamExt; #[cfg(feature = "enterprise")] use futures_util::future::BoxFuture; use once_cell::race::OnceNonZeroUsize; -use openssl::provider::Provider; use tokio::{ runtime::{self, Runtime}, sync::mpsc, @@ -62,7 +61,6 @@ pub struct Application { pub require_healthy: Option, pub config: ApplicationConfig, pub signals: SignalPair, - pub openssl_providers: Option>, } impl ApplicationConfig { @@ -196,12 +194,6 @@ impl Application { debug!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL."); } - let openssl_providers = opts - .root - .openssl_legacy_provider - .then(load_openssl_legacy_providers) - .transpose()?; - let runtime = build_runtime(opts.root.threads, "vector-worker")?; // Signal handler for OS and provider messages. @@ -222,7 +214,6 @@ impl Application { require_healthy: opts.root.require_healthy, config, signals, - openssl_providers, }, )) } @@ -239,7 +230,6 @@ impl Application { require_healthy, config, signals, - openssl_providers, } = self; let topology_controller = SharedTopologyController::new(TopologyController { @@ -257,7 +247,6 @@ impl Application { graceful_crash_receiver: config.graceful_crash_receiver, signals, topology_controller, - openssl_providers, }) } } @@ -267,7 +256,6 @@ pub struct StartedApplication { pub graceful_crash_receiver: mpsc::UnboundedReceiver, pub signals: SignalPair, pub topology_controller: SharedTopologyController, - pub openssl_providers: Option>, } impl StartedApplication { @@ -281,7 +269,6 @@ impl StartedApplication { graceful_crash_receiver, signals, topology_controller, - openssl_providers, } = self; let mut graceful_crash = UnboundedReceiverStream::new(graceful_crash_receiver); @@ -313,7 +300,6 @@ impl StartedApplication { signal, signal_rx, topology_controller, - openssl_providers, } } } 
@@ -368,7 +354,6 @@ pub struct FinishedApplication { pub signal: SignalTo, pub signal_rx: SignalRx, pub topology_controller: SharedTopologyController, - pub openssl_providers: Option>, } impl FinishedApplication { @@ -377,7 +362,6 @@ impl FinishedApplication { signal, signal_rx, topology_controller, - openssl_providers, } = self; // At this point, we'll have the only reference to the shared topology controller and can @@ -392,7 +376,6 @@ impl FinishedApplication { SignalTo::Quit => Self::quit(), _ => unreachable!(), }; - drop(openssl_providers); status } @@ -562,22 +545,3 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64) ); info!(message = "Log level is enabled.", level = ?level); } - -/// Load the legacy OpenSSL provider. -/// -/// The returned [Provider] must stay in scope for the entire lifetime of the application, as it -/// will be unloaded when it is dropped. -pub fn load_openssl_legacy_providers() -> Result, ExitCode> { - warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use. Set `--openssl-legacy-provider=false` or `VECTOR_OPENSSL_LEGACY_PROVIDER=false` to disable. See https://vector.dev/highlights/2023-08-15-0-32-0-upgrade-guide/#legacy-openssl for details."); - ["legacy", "default"].into_iter().map(|provider_name| { - Provider::try_load(None, provider_name, true) - .map(|provider| { - info!(message = "Loaded openssl provider.", provider = provider_name); - provider - }) - .map_err(|error| { - error!(message = "Failed to load openssl provider.", provider = provider_name, %error); - exitcode::UNAVAILABLE - }) - }).collect() -} diff --git a/src/cli.rs b/src/cli.rs index 2aeb05975fbc5..173a9025c710e 100644 --- a/src/cli.rs +++ b/src/cli.rs 
@@ -198,18 +198,6 @@ pub struct RootOpts { )] pub allocation_tracing_reporting_interval_ms: u64, - /// Load the OpenSSL legacy provider. - #[arg( - long, - env = "VECTOR_OPENSSL_LEGACY_PROVIDER", - default_value = "true", - default_missing_value = "true", - num_args = 0..=1, - require_equals = true, - action = ArgAction::Set - )] - pub openssl_legacy_provider: bool, - /// Disable probing and configuration of root certificate locations on the system for OpenSSL. /// /// The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables diff --git a/website/cue/reference/components/sinks.cue b/website/cue/reference/components/sinks.cue index 2b313dd14a2e4..f0e4c14e070da 100644 --- a/website/cue/reference/components/sinks.cue +++ b/website/cue/reference/components/sinks.cue @@ -644,7 +644,9 @@ components: sinks: [Name=string]: { title: "Transport Layer Security (TLS)" body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can - enable and adjust TLS behavior using the [`tls.*`](#tls) options. + enable and adjust TLS behavior using the [`tls.*`](#tls) options and/or using the + [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, + particularly `OPENSSL_CONF`. """ } } diff --git a/website/cue/reference/components/sources.cue b/website/cue/reference/components/sources.cue index 87053f76a4d3d..275b8d2a7d308 100644 --- a/website/cue/reference/components/sources.cue +++ b/website/cue/reference/components/sources.cue 
@@ -356,9 +356,11 @@ components: sources: [Name=string]: { _tls: { title: "Transport Layer Security (TLS)" body: """ - Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols. You can - adjust TLS behavior via the `tls.*` options. - """ + Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can + enable and adjust TLS behavior using the [`tls.*`](#tls) options and/or using the + [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, + particularly `OPENSSL_CONF`. + """ } if features.collect != _|_ { diff --git a/website/cue/reference/components/sources/opentelemetry.cue b/website/cue/reference/components/sources/opentelemetry.cue index 7a9e3b9511b4f..59bbcdd9059b0 100644 --- a/website/cue/reference/components/sources/opentelemetry.cue +++ b/website/cue/reference/components/sources/opentelemetry.cue @@ -32,7 +32,7 @@ components: sources: opentelemetry: { } tls: { // enabled per listener below - enabled: false + enabled: true } } } @@ -193,14 +193,4 @@ components: sources: opentelemetry: { } } } - - how_it_works: { - tls: { - title: "Transport Layer Security (TLS)" - body: """ - Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols. You can - adjust TLS behavior via the `grpc.tls.*` and `http.tls.*` options. - """ - } - } } diff --git a/website/cue/reference/urls.cue b/website/cue/reference/urls.cue index 6528af723cfd3..5b77da84656f5 100644 --- a/website/cue/reference/urls.cue +++ b/website/cue/reference/urls.cue @@ -383,6 +383,7 @@ urls: { nixos: "https://nixos.org/" nixpkgs_9682: "\(github)/NixOS/nixpkgs/issues/9682" openssl: "https://www.openssl.org/" + openssl_conf: "https://www.openssl.org/docs/manmaster/man5/config.html" opentelemetry: "https://opentelemetry.io" opentelemetry_protocol: "\(opentelemetry)/docs/reference/specification/protocol/otlp/" order_of_ops: "\(wikipedia)/wiki/Order_of_operations" From b5648e890b1189a577cf5e178f4ecce05067f36b Mon Sep 17 00:00:00 2001 
From: Doug Smith Date: Tue, 19 Sep 2023 15:01:03 -0400 Subject: [PATCH 02/11] fix website build --- website/cue/reference/components/sources/opentelemetry.cue | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/website/cue/reference/components/sources/opentelemetry.cue b/website/cue/reference/components/sources/opentelemetry.cue index 59bbcdd9059b0..d6b165ceda568 100644 --- a/website/cue/reference/components/sources/opentelemetry.cue +++ b/website/cue/reference/components/sources/opentelemetry.cue @@ -32,7 +32,9 @@ components: sources: opentelemetry: { } tls: { // enabled per listener below - enabled: true + enabled: true + can_verify_certificate: false + enabled_default: false } } } From bdb9724bf463698a1a03ca9573e12817d62de644 Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Tue, 19 Sep 2023 15:06:19 -0400 Subject: [PATCH 03/11] fix website build --- .../components/sources/opentelemetry.cue | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/website/cue/reference/components/sources/opentelemetry.cue b/website/cue/reference/components/sources/opentelemetry.cue index d6b165ceda568..8c739ea2d1c66 100644 --- a/website/cue/reference/components/sources/opentelemetry.cue +++ b/website/cue/reference/components/sources/opentelemetry.cue @@ -32,9 +32,7 @@ components: sources: opentelemetry: { } tls: { // enabled per listener below - enabled: true - can_verify_certificate: false - enabled_default: false + enabled: false } } } @@ -195,4 +193,16 @@ components: sources: opentelemetry: { } } } + + how_it_works: { + tls: { + title: "Transport Layer Security (TLS)" + body: """ + Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can + enable and adjust TLS behavior via the `grpc.tls.*` and `http.tls.*` options and/or using the + [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, + particularly `OPENSSL_CONF`. + """ + } + } } 
From 22d355838de8a70723ef206caf088b5435213531 Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Tue, 19 Sep 2023 15:13:14 -0400 Subject: [PATCH 04/11] fix website build --- website/cue/reference/components/sinks.cue | 2 +- website/cue/reference/components/sources.cue | 2 +- website/cue/reference/components/sources/opentelemetry.cue | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/website/cue/reference/components/sinks.cue b/website/cue/reference/components/sinks.cue index f0e4c14e070da..c937a050a5705 100644 --- a/website/cue/reference/components/sinks.cue +++ b/website/cue/reference/components/sinks.cue @@ -644,7 +644,7 @@ components: sinks: [Name=string]: { title: "Transport Layer Security (TLS)" body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can - enable and adjust TLS behavior using the [`tls.*`](#tls) options and/or using the + enable and adjust TLS behavior via the [`tls.*`](#tls) options and/or via the [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, particularly `OPENSSL_CONF`. """ diff --git a/website/cue/reference/components/sources.cue b/website/cue/reference/components/sources.cue index 275b8d2a7d308..eed616ec2f851 100644 --- a/website/cue/reference/components/sources.cue +++ b/website/cue/reference/components/sources.cue @@ -357,7 +357,7 @@ components: sources: [Name=string]: { title: "Transport Layer Security (TLS)" body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can - enable and adjust TLS behavior using the [`tls.*`](#tls) options and/or using the + enable and adjust TLS behavior via the `tls.*` options and/or via the [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, particularly `OPENSSL_CONF`. """ 
diff --git a/website/cue/reference/components/sources/opentelemetry.cue b/website/cue/reference/components/sources/opentelemetry.cue index 8c739ea2d1c66..ffd20467d7bd4 100644 --- a/website/cue/reference/components/sources/opentelemetry.cue +++ b/website/cue/reference/components/sources/opentelemetry.cue @@ -199,7 +199,7 @@ components: sources: opentelemetry: { title: "Transport Layer Security (TLS)" body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can - enable and adjust TLS behavior via the `grpc.tls.*` and `http.tls.*` options and/or using the + enable and adjust TLS behavior via the `grpc.tls.*` and `http.tls.*` options and/or via the [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, particularly `OPENSSL_CONF`. """ From f8dc18ee2f6f458a0134b81470e226b0705aa35d Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Tue, 19 Sep 2023 15:35:38 -0400 Subject: [PATCH 05/11] add back flag and set to false --- src/app.rs | 36 ++++++++++++++++++++++++++++++++++++ src/cli.rs | 12 ++++++++++++ 2 files changed, 48 insertions(+) diff --git a/src/app.rs b/src/app.rs index 7c82832c558ad..106ffa3a50e73 100644 --- a/src/app.rs +++ b/src/app.rs @@ -8,6 +8,7 @@ use futures::StreamExt; #[cfg(feature = "enterprise")] use futures_util::future::BoxFuture; use once_cell::race::OnceNonZeroUsize; +use openssl::provider::Provider; use tokio::{ runtime::{self, Runtime}, sync::mpsc, @@ -61,6 +62,7 @@ pub struct Application { pub require_healthy: Option, pub config: ApplicationConfig, pub signals: SignalPair, + pub openssl_providers: Option>, } impl ApplicationConfig { 
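Review bot: The re-added `pub openssl_providers` field on `Application` (src/app.rs hunk `@@ -61,6 +62,7 @@`) has no doc comment, and the same undocumented field is threaded through `StartedApplication` and `FinishedApplication` in the later hunks of this patch. Its purpose appears to be keeping the loaded providers alive, since the doc comment on `load_openssl_legacy_providers` says a provider is unloaded when it is dropped. I would put `/// Loaded OpenSSL providers; held until shutdown because dropping a provider unloads it.` above each of the three fields so that a later refactor does not drop the value early. The struct bodies start and end outside these hunks.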
@@ -194,6 +196,12 @@ impl Application { debug!(message = "Disabled probing and configuration of root certificate locations on the system for OpenSSL."); } + let openssl_providers = opts + .root + .openssl_legacy_provider + .then(load_openssl_legacy_providers) + .transpose()?; + let runtime = build_runtime(opts.root.threads, "vector-worker")?; // Signal handler for OS and provider messages. @@ -214,6 +222,7 @@ impl Application { require_healthy: opts.root.require_healthy, config, signals, + openssl_providers, }, )) } @@ -230,6 +239,7 @@ impl Application { require_healthy, config, signals, + openssl_providers, } = self; let topology_controller = SharedTopologyController::new(TopologyController { @@ -247,6 +257,7 @@ impl Application { graceful_crash_receiver: config.graceful_crash_receiver, signals, topology_controller, + openssl_providers, }) } } @@ -256,6 +267,7 @@ pub struct StartedApplication { pub graceful_crash_receiver: mpsc::UnboundedReceiver, pub signals: SignalPair, pub topology_controller: SharedTopologyController, + pub openssl_providers: Option>, } impl StartedApplication { @@ -269,6 +281,7 @@ impl StartedApplication { graceful_crash_receiver, signals, topology_controller, + openssl_providers, } = self; let mut graceful_crash = UnboundedReceiverStream::new(graceful_crash_receiver); @@ -300,6 +313,7 @@ impl StartedApplication { signal, signal_rx, topology_controller, + openssl_providers, } } } @@ -354,6 +368,7 @@ pub struct FinishedApplication { pub signal: SignalTo, pub signal_rx: SignalRx, pub topology_controller: SharedTopologyController, + pub openssl_providers: Option>, } impl FinishedApplication { @@ -362,6 +377,7 @@ impl FinishedApplication { signal, signal_rx, topology_controller, + openssl_providers, } = self; // At this point, we'll have the only reference to the shared topology controller and can @@ -376,6 +392,7 @@ impl FinishedApplication { SignalTo::Quit => Self::quit(), _ => unreachable!(), }; + drop(openssl_providers); status } 
@@ -545,3 +562,22 @@ pub fn init_logging(color: bool, format: LogFormat, log_level: &str, rate: u64) ); info!(message = "Log level is enabled.", level = ?level); } + +/// Load the legacy OpenSSL provider. +/// +/// The returned [Provider] must stay in scope for the entire lifetime of the application, as it +/// will be unloaded when it is dropped. +pub fn load_openssl_legacy_providers() -> Result, ExitCode> { + warn!(message = "DEPRECATED The openssl legacy provider provides algorithms and key sizes no longer recommended for use. Set `--openssl-legacy-provider=false` or `VECTOR_OPENSSL_LEGACY_PROVIDER=false` to disable. See https://vector.dev/highlights/2023-08-15-0-32-0-upgrade-guide/#legacy-openssl for details."); + ["legacy", "default"].into_iter().map(|provider_name| { + Provider::try_load(None, provider_name, true) + .map(|provider| { + info!(message = "Loaded openssl provider.", provider = provider_name); + provider + }) + .map_err(|error| { + error!(message = "Failed to load openssl provider.", provider = provider_name, %error); + exitcode::UNAVAILABLE + }) + }).collect() +} \ No newline at end of file diff --git a/src/cli.rs b/src/cli.rs index 173a9025c710e..2aeb05975fbc5 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -198,6 +198,18 @@ pub struct RootOpts { )] pub allocation_tracing_reporting_interval_ms: u64, + /// Load the OpenSSL legacy provider. + #[arg( + long, + env = "VECTOR_OPENSSL_LEGACY_PROVIDER", + default_value = "true", + default_missing_value = "true", + num_args = 0..=1, + require_equals = true, + action = ArgAction::Set + )] + pub openssl_legacy_provider: bool, + /// Disable probing and configuration of root certificate locations on the system for OpenSSL. /// /// The probe functionality manipulates the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables From 3479e865198b9fff28a1606089d5d7d3b54f6039 Mon Sep 17 00:00:00 2001 
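Review bot: The deprecation warning in `load_openssl_legacy_providers` (src/app.rs hunk `@@ -545,3 +562,22 @@`) still tells the operator to switch the provider off and links to the 0.32.0 upgrade guide. The next patch in this series flips the flag's default to `false`, and DEPRECATIONS.md later lists the flag for removal in v0.34.0, so this function runs only after an explicit opt-in to algorithms the message itself calls no longer recommended. The warning should say that the flag is going away and name the replacement, for example `warn!(message = "DEPRECATED The `--openssl-legacy-provider` flag and `VECTOR_OPENSSL_LEGACY_PROVIDER` are scheduled for removal; load the legacy provider through an OpenSSL configuration file (`OPENSSL_CONF`) instead.");`. If a link is kept, it should presumably point at the `#openssl-legacy-provider` section of the 0.33.0 upgrade guide.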
From: Doug Smith Date: Tue, 19 Sep 2023 15:36:42 -0400 Subject: [PATCH 06/11] add back flag and set to false --- src/app.rs | 2 +- src/cli.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/app.rs b/src/app.rs index 106ffa3a50e73..e8ac0a6061233 100644 --- a/src/app.rs +++ b/src/app.rs @@ -580,4 +580,4 @@ pub fn load_openssl_legacy_providers() -> Result, ExitCode> { exitcode::UNAVAILABLE }) }).collect() -} \ No newline at end of file +} diff --git a/src/cli.rs b/src/cli.rs index 2aeb05975fbc5..ff7f35a3116c7 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -202,8 +202,8 @@ pub struct RootOpts { #[arg( long, env = "VECTOR_OPENSSL_LEGACY_PROVIDER", - default_value = "true", - default_missing_value = "true", + default_value = "false", + default_missing_value = "false", num_args = 0..=1, require_equals = true, action = ArgAction::Set From 1e8eb514ef006e6abf33234ada105399321023a6 Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Tue, 19 Sep 2023 15:51:17 -0400 Subject: [PATCH 07/11] update upgrade guide --- .../2023-09-06-0-33-0-upgrade-guide.md | 26 ------------------- .../2023-09-26-0-33-0-upgrade-guide.md | 22 +++++++++++++++- website/cue/reference/cli.cue | 2 +- 3 files changed, 22 insertions(+), 28 deletions(-) delete mode 100644 website/content/en/highlights/2023-09-06-0-33-0-upgrade-guide.md diff --git a/website/content/en/highlights/2023-09-06-0-33-0-upgrade-guide.md b/website/content/en/highlights/2023-09-06-0-33-0-upgrade-guide.md deleted file mode 100644 index e1b7009209440..0000000000000 --- a/website/content/en/highlights/2023-09-06-0-33-0-upgrade-guide.md +++ /dev/null 
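Review bot: Changing `default_missing_value` to `"false"` in the src/cli.rs hunk `@@ -202,8 +202,8 @@` means a bare `--openssl-legacy-provider` (allowed by `num_args = 0..=1`) now parses as `false` and silently does nothing. Only `default_value` needs to flip to make the provider opt-in; I would keep `default_missing_value = "true"` so that passing the flag without a value still means "load it". The current behaviour fails closed, which is the safe direction, but an operator who passes the bare flag gets no provider and no warning, and the failure only shows up later as a handshake or key-loading error. If the bare form is meant to be a no-op, the `/// Load the OpenSSL legacy provider.` doc line should say that `=true` is required. The `RootOpts` struct continues outside the hunk.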
@@ -1,26 +0,0 @@ ---- -date: "2023-09-06" -title: "0.33 Upgrade Guide" -description: "An upgrade guide that addresses breaking changes in 0.33.0" -authors: ["pront"] -release: "0.33.0" -hide_on_release_notes: false -badges: - type: breaking change ---- - -Vector's 0.33.0 release includes **deprecations**: - -1. [Default config location change](#default-config-location-change) - -We cover them below to help you upgrade quickly: - -## Upgrade guide - -### Deprecations - -#### Default config location change {#default-config-location-change} - -The default config location `/etc/vector/vector.toml` which is used by Vector `0.32.0` is now deprecated. This location will still be used in `0.33.0`. The new default path is `/etc/vector/vector.yaml`, please migrate to this new default path or specify the config path explicitly. - -Vector `0.33.0` will attempt to load `/etc/vector/vector.toml` first, and if it is not present, it will fallback to `/etc/vector/vector.yaml`. However, Vector release `0.34.0` will automatically load `/etc/vector/vector.yaml` only. diff --git a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md index 3457ab4afaf2b..4ba6cc54db3c1 100644 --- a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md +++ b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md 
@@ -12,11 +12,17 @@ badges: Vector's 0.33.0 release includes **breaking changes**: 1. [Behavior of the `datadog_logs` sink's `endpoint` setting](#datadog-logs-endpoint) +1. [Disable OpenSSL legacy provider by default](#openssl-legacy-provider) -Vector's 0.33.0 release includes **deprecations**: +and **deprecations**: +1. [Default config location change](#default-config-location-change) 1. [Renaming the `armv7` rpm package](#armv7-rename) +and **potentially impactful changes**: + +1. [Async runtime default number of worker threads](#runtime-worker-threads) + We cover them below to help you upgrade quickly: ## Upgrade guide 
@@ -34,9 +40,23 @@ with the other Datadog sinks, which use the `endpoint` as a base URL that the AP With this release, the `datadog_logs` sink's behavior is now consistent with the other Datadog sinks for the `endpoint` setting. +#### Disable OpenSSL legacy provider by default {#openssl-legacy-provider} + +Vector upgraded the version of OpenSSL that it statically compiles in to v3.1.x in the 0.32.0 release. +Following our deprecation policy, v0.33.0 now disables the legacy OpenSSL provider by default. It can be +enabled through the [OpenSSL configuration options](https://www.openssl.org/docs/manmaster/man5/config.html) +exposed through environment variables, particularly `OPENSSL_CONF`. + ### Deprecations +#### Default config location change {#default-config-location-change} + +The default config location `/etc/vector/vector.toml` which is used by Vector `0.32.0` is now deprecated. This location will still be used in `0.33.0`. The new default path is `/etc/vector/vector.yaml`, please migrate to this new default path or specify the config path explicitly. + +Vector `0.33.0` will attempt to load `/etc/vector/vector.toml` first, and if it is not present, it will fallback to `/etc/vector/vector.yaml`. However, Vector release `0.34.0` will automatically load `/etc/vector/vector.yaml` only. + + #### Renaming the `armv7` rpm package {#armv7-rename} The `armv7` rpm package, `vector--1.armv7.rpm`, is now published as diff --git a/website/cue/reference/cli.cue b/website/cue/reference/cli.cue index c8b37f629fff0..df5f1d8c8b98a 100644 --- a/website/cue/reference/cli.cue +++ b/website/cue/reference/cli.cue @@ -634,7 +634,7 @@ cli: { } VECTOR_OPENSSL_LEGACY_PROVIDER: { description: "Load the OpenSSL legacy provider." - type: bool: default: true + type: bool: default: false } VECTOR_OPENSSL_NO_PROBE: { description: """ From b5cdfe064d83f83f6060ff8135f3229c5305d344 Mon Sep 17 00:00:00 2001 
From: Doug Smith Date: Tue, 19 Sep 2023 15:52:16 -0400 Subject: [PATCH 08/11] add authors --- .../content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md index 4ba6cc54db3c1..874639fcaba6b 100644 --- a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md +++ b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md @@ -2,7 +2,7 @@ date: "2023-09-26" title: "0.33 Upgrade Guide" description: "An upgrade guide that addresses breaking changes in 0.33.0" -authors: ["spencergilbert", "neuronull"] +authors: ["spencergilbert", "neuronull", "pront", "dsmith3197"] release: "0.33.0" hide_on_release_notes: false badges: From 0f78f31f46e3fca35ef9eaeb06e07102e5979f04 Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Wed, 20 Sep 2023 09:32:31 -0400 Subject: [PATCH 09/11] feedback --- .../content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md | 4 ++-- website/cue/reference/components/sinks.cue | 5 ++--- website/cue/reference/components/sources.cue | 5 ++--- website/cue/reference/components/sources/opentelemetry.cue | 5 ++--- website/cue/reference/urls.cue | 2 +- 5 files changed, 9 insertions(+), 12 deletions(-) diff --git a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md index 874639fcaba6b..597a9988e8ed3 100644 --- a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md +++ b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md 
@@ -44,8 +44,8 @@ Datadog sinks for the `endpoint` setting. Vector upgraded the version of OpenSSL that it statically compiles in to v3.1.x in the 0.32.0 release. Following our deprecation policy, v0.33.0 now disables the legacy OpenSSL provider by default. It can be -enabled through the [OpenSSL configuration options](https://www.openssl.org/docs/manmaster/man5/config.html) -exposed through environment variables, particularly `OPENSSL_CONF`. +enabled via an [OpenSSL configuration file](https://www.openssl.org/docs/man3.1/man5/config.html) +specified with the `OPENSSL_CONF` environment variable. ### Deprecations diff --git a/website/cue/reference/components/sinks.cue b/website/cue/reference/components/sinks.cue index c937a050a5705..c5a88ac42855c 100644 --- a/website/cue/reference/components/sinks.cue +++ b/website/cue/reference/components/sinks.cue @@ -644,9 +644,8 @@ components: sinks: [Name=string]: { title: "Transport Layer Security (TLS)" body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can - enable and adjust TLS behavior via the [`tls.*`](#tls) options and/or via the - [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, - particularly `OPENSSL_CONF`. + enable and adjust TLS behavior via the [`tls.*`](#tls) options and/or via an + [OpenSSL configuration file](\(urls.openssl_conf)) specified with the `OPENSSL_CONF` environment variable. """ } } diff --git a/website/cue/reference/components/sources.cue b/website/cue/reference/components/sources.cue index eed616ec2f851..beb28296859f9 100644 --- a/website/cue/reference/components/sources.cue +++ b/website/cue/reference/components/sources.cue 
@@ -357,9 +357,8 @@ components: sources: [Name=string]: { title: "Transport Layer Security (TLS)" body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can - enable and adjust TLS behavior via the `tls.*` options and/or via the - [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, - particularly `OPENSSL_CONF`. + enable and adjust TLS behavior via the `tls.*` options and/or via an + [OpenSSL configuration file](\(urls.openssl_conf)) specified with the `OPENSSL_CONF` environment variable. """ } diff --git a/website/cue/reference/components/sources/opentelemetry.cue b/website/cue/reference/components/sources/opentelemetry.cue index ffd20467d7bd4..ab557b924fc7f 100644 --- a/website/cue/reference/components/sources/opentelemetry.cue +++ b/website/cue/reference/components/sources/opentelemetry.cue @@ -199,9 +199,8 @@ components: sources: opentelemetry: { title: "Transport Layer Security (TLS)" body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can - enable and adjust TLS behavior via the `grpc.tls.*` and `http.tls.*` options and/or via the - [OpenSSL configuration options](\(urls.openssl_conf)) exposed through environment variables, - particularly `OPENSSL_CONF`. + enable and adjust TLS behavior via the `grpc.tls.*` and `http.tls.*` options and/or via an + [OpenSSL configuration file](\(urls.openssl_conf)) specified with the `OPENSSL_CONF` environment variable. """ } } diff --git a/website/cue/reference/urls.cue b/website/cue/reference/urls.cue index 5b77da84656f5..485352e891fd5 100644 --- a/website/cue/reference/urls.cue +++ b/website/cue/reference/urls.cue 
@@ -383,7 +383,7 @@ urls: { nixos: "https://nixos.org/" nixpkgs_9682: "\(github)/NixOS/nixpkgs/issues/9682" openssl: "https://www.openssl.org/" - openssl_conf: "https://www.openssl.org/docs/manmaster/man5/config.html" + openssl_conf: "https://www.openssl.org/docs/man3.1/man5/config.html" opentelemetry: "https://opentelemetry.io" opentelemetry_protocol: "\(opentelemetry)/docs/reference/specification/protocol/otlp/" order_of_ops: "\(wikipedia)/wiki/Order_of_operations" From ddcce64fc386f0ba5d3b5627f9c67bed76605a06 Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Wed, 20 Sep 2023 13:13:50 -0400 Subject: [PATCH 10/11] update deprecations.md --- docs/DEPRECATIONS.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/DEPRECATIONS.md b/docs/DEPRECATIONS.md index 26cbf79cf4036..44e830bde4c29 100644 --- a/docs/DEPRECATIONS.md +++ b/docs/DEPRECATIONS.md @@ -4,6 +4,6 @@ See [DEPRECATION.md](docs/DEPRECATION.md#process) for the process for updating t ## To be migrated -* legacy_openssl_provider v0.33.0 OpenSSL legacy provider flag should default to false - ## To be removed + +* legacy_openssl_provider v0.34.0 OpenSSL legacy provider flag should be removed \ No newline at end of file From 5b6cf86a64eee879d280b940293a519c5409be25 Mon Sep 17 00:00:00 2001 From: Doug Smith Date: Wed, 20 Sep 2023 13:28:46 -0400 Subject: [PATCH 11/11] update docs to mention default file location --- docs/DEPRECATIONS.md | 2 +- .../content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md | 4 ++-- website/cue/reference/components/sinks.cue | 3 ++- website/cue/reference/components/sources.cue | 3 ++- website/cue/reference/components/sources/opentelemetry.cue | 3 ++- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/DEPRECATIONS.md b/docs/DEPRECATIONS.md index 44e830bde4c29..10e4e15dc554a 100644 --- a/docs/DEPRECATIONS.md +++ b/docs/DEPRECATIONS.md 
@@ -6,4 +6,4 @@ See [DEPRECATION.md](docs/DEPRECATION.md#process) for the process for updating t ## To be removed -* legacy_openssl_provider v0.34.0 OpenSSL legacy provider flag should be removed \ No newline at end of file +* legacy_openssl_provider v0.34.0 OpenSSL legacy provider flag should be removed diff --git a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md index 4d720ebcfd902..1de314122f012 100644 --- a/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md +++ b/website/content/en/highlights/2023-09-26-0-33-0-upgrade-guide.md @@ -45,8 +45,8 @@ Datadog sinks for the `endpoint` setting. Vector upgraded the version of OpenSSL that it statically compiles in to v3.1.x in the 0.32.0 release. Following our deprecation policy, v0.33.0 now disables the legacy OpenSSL provider by default. It can be -enabled via an [OpenSSL configuration file](https://www.openssl.org/docs/man3.1/man5/config.html) -specified with the `OPENSSL_CONF` environment variable. +enabled via an [OpenSSL configuration file](https://www.openssl.org/docs/man3.1/man5/config.html). The file +location defaults to `/usr/local/ssl/openssl.cnf` or can be specified with the `OPENSSL_CONF` environment variable. ### Deprecations diff --git a/website/cue/reference/components/sinks.cue b/website/cue/reference/components/sinks.cue index c5a88ac42855c..32bcd0821e670 100644 --- a/website/cue/reference/components/sinks.cue +++ b/website/cue/reference/components/sinks.cue 
@@ -645,7 +645,8 @@ components: sinks: [Name=string]: { body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can enable and adjust TLS behavior via the [`tls.*`](#tls) options and/or via an - [OpenSSL configuration file](\(urls.openssl_conf)) specified with the `OPENSSL_CONF` environment variable. + [OpenSSL configuration file](\(urls.openssl_conf)). The file location defaults to + `/usr/local/ssl/openssl.cnf` or can be specified with the `OPENSSL_CONF` environment variable. """ } } diff --git a/website/cue/reference/components/sources.cue b/website/cue/reference/components/sources.cue index beb28296859f9..976b79c46a72a 100644 --- a/website/cue/reference/components/sources.cue +++ b/website/cue/reference/components/sources.cue @@ -358,7 +358,8 @@ components: sources: [Name=string]: { body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can enable and adjust TLS behavior via the `tls.*` options and/or via an - [OpenSSL configuration file](\(urls.openssl_conf)) specified with the `OPENSSL_CONF` environment variable. + [OpenSSL configuration file](\(urls.openssl_conf)). The file location defaults to + `/usr/local/ssl/openssl.cnf` or can be specified with the `OPENSSL_CONF` environment variable. """ } diff --git a/website/cue/reference/components/sources/opentelemetry.cue b/website/cue/reference/components/sources/opentelemetry.cue index ab557b924fc7f..d86d43faf5ad2 100644 --- a/website/cue/reference/components/sources/opentelemetry.cue +++ b/website/cue/reference/components/sources/opentelemetry.cue 
@@ -200,7 +200,8 @@ components: sources: opentelemetry: { body: """ Vector uses [OpenSSL](\(urls.openssl)) for TLS protocols due to OpenSSL's maturity. You can enable and adjust TLS behavior via the `grpc.tls.*` and `http.tls.*` options and/or via an - [OpenSSL configuration file](\(urls.openssl_conf)) specified with the `OPENSSL_CONF` environment variable. + [OpenSSL configuration file](\(urls.openssl_conf)). The file location defaults to + `/usr/local/ssl/openssl.cnf` or can be specified with the `OPENSSL_CONF` environment variable. """ } }