Supd
Release notes for the Edge Enforcer and Control Tower daemon called "supd".
25.8.0
- Fixed issue with custom domains that were subdomains of other custom domains (customer issue 250)
- Made sure that streaming API clients are disconnected when their token expires or is revoked
- Other minor bug fixes and improvements
25.6.1
- Added support for OIDC PKCE authentication between client (us) and identity provider.
- Other minor bug fixes and improvements
25.6.0
- The supd container now runs with a read-only container layer
- An init-container now has a timeout parameter (to avoid getting stuck) called execution-timeout (default is 10 minutes)
- Other minor bug fixes and improvements
25.5.3
- Minor bug fixes and improvements
25.5.2
- Improved support in the REST API for bulk updates across all endpoints, also added etag header to all endpoints
- Added better info around resource (memory, cpus, cpu-shares, ...) usage in container state, see our tutorial on resource management for a quick intro
- The "supctl profile switch" command now only changes profile for the current shell session
- Install script improvements (added handling of custom certificate, check for running nameserver in preflight and other fixes)
- Other minor bug fixes and improvements
25.5.0
- Added new property when-disconnected to make it possible to control the behavior of the system when a site is disconnected
- Added support for recovering sites that have been offline for such a long time that their certificates have expired
- Other minor bug fixes and improvements
25.4.0
- Improvements to the volga websocket api: pings are now disabled (server-side) if the peer is local, and added query parameters that can control ping behavior
- Multiple fixes to supctl (for example: table output, json rendering)
- Fixed issues with (and improved performance when) pushing large images to Control Tower
- Other minor bug fixes and improvements
25.3.2
- Minor bug fixes
25.3.1
- More preflight-check script improvements
- Added a number of parameters to the create-token action (such as: renewable, num-uses and more)
- The supctl script now generates more spreadsheet friendly CSV output
- Fixed bug (introduced in 25.3.0) that would cause an issue in the Control Tower UI when listing updated sites in a deployment based on matching labels
- Other minor bug fixes and improvements
25.3.0
- New Volga feature: make it possible to select hosts where a topic will be placed using host labels (Customer issue 221)
- Fixed bug where a site could fail to re-connect to Control Tower if it had fallen back to TCP/TLS (Customer issue 227)
- Added support for sharing secrets with other tenants, see the How-to guide Sharing secrets between tenants for an example
- The application upgrade behavior has been changed: an application will now always wait for the previous application upgrade to finish before upgrading to the next/new version. "Waiting" application upgrade versions end up in the application queue and can be forced to upgrade with an action
- Two new variables (SYS_CONTAINER_CPUS and SYS_CONTAINER_MEMORY) are now available to a container, see the reference documentation for variables for details
- The install script and the preflight-check script have a number of improvements
- Other minor bug fixes and improvements
25.2.7
- Alerts now have a kind field which will make it easier to filter out security related alerts
- Improvements to Passkey support in strongbox
- Added initial support for sites that can automatically update their location
- Improved volga query-topics (fixes to drop-until-n-remain and count-matches and new option position-sequence-number) which are used by the UI to display logs
- Fixed an issue that could cause a partitioned network in Control Tower to erroneously think that a site was disconnected even though it wasn't
- The command line interface supctl can now update itself. Once you install this version it will automatically update itself to match the version that the Control Tower you are connecting to has available
- Other minor bug fixes and improvements
25.2.5
- New feature: network resource profiles, which allow a site provider to restrict networking for sub-tenants. Read more in the release highlights
- The deprecated action tcp-connect has now been removed (use the connect action instead)
- Added new status field for a host's cert expiration time and site CA certificate expiration date
- Other minor bug fixes and improvements
25.2.3
- Added support for eLxr in the installer script
- Introduced new memory-metric called "used-hot" in application metrics
- Backwards incompatible security fix: it is no longer possible to invoke operations using GET
- Default password policy has been changed to require at least 12 character long passwords
- Fixed a bug which could cause sites to take longer than necessary to upgrade to a new version
25.1.4
- Fixed an issue with application upgrade: if an application spec with upgrade method per-service was changed so that only the version and the name of a vault or secret was modified, the application ended up in status upgrading, but no service instances were upgraded. (Customer issue 213)
- Volga connections from a site to Control Tower can now automatically fall back to TCP if the QUIC protocol is blocked for some reason.
- Login rate limiting is now enabled by default
- The command line tool supctl can now use the new version of the python-websockets library (14.2)
- Other minor bug fixes and improvements
25.1.3
- Added an option called hide-fields to policy rules which can hide certain fields in an object. The default user policy now has hide-fields "password".
- Backwards incompatible change: listing local and remote images has changed the format of the manifest to more closely match the OCI image manifest specification
- The registry now tries harder to only fetch the parts of an image that are required for the platform architectures in the edge environment
- Other minor bug fixes and improvements
25.1.2
- Added JSON PATCH support to the REST API. See the reference documentation for details.
- Started using UTC time in generated certificates (instead of "general time")
- A role-id is no longer required to be system unique
- Other minor bug fixes and improvements
24.12.0
- Better verification that a site has the required number of controllers when manually configuring which hosts should be allowed to become controller (customer issue 195)
- Improved error message for when a CA isn't distributed to a site (customer issue 177)
- Other minor bug fixes and improvements
24.11.2
- Minor bug fixes and improvements
24.11.1
- Added support for NVIDIA Tegra (Jetson)
- Added two built-in policies called registry-push and registry-pull which can be attached to tokens that are used for pushing and pulling images.
- It is now possible to configure how long a site can be off-line (i.e. how long certificates need to be valid). The default is still 90 days.
- Other minor bug fixes and improvements
24.11.0
- Backwards incompatible change: when using Podman as container runtime the default is now to enable user namespaces when installing Edge Enforcer on a new host
- Backwards incompatible correction: when configuring maintenance window on an edge site, the configuration "site-local" now actually follows the timezone of the edge site (instead of UTC as it did before).
- Added ca-root and ca-chain to import-ca-cert (so that it is possible to import an intermediate CA certificate as well as its root and chain of trust).
- Added import-new-ca-cert action which imports a new version of a CA certificate.
- Password hashes are now hidden (in the strongbox userpass list) for non-root users (customer issue 170)
- Bug fix: the "image-registry pull" action now behaves as it used to do with respect to un-versioned applications (that it can update/replace an existing image for that application)
24.10.3
- Added support for disabling the "--init" flag (which is on by default when running container applications) to the application spec. Use: no-builtin-init: true. (customer issue 174)
- Added status for when a host is safe to remove (as part of the procedure for replacing a host in a site).
- Make sure that a site that is deleted and then re-created with the same name properly disconnects any hosts that may be up during the deletion of the site (customer issue 172).
- Fix bug with nameserver not updating SOA records when an NS record for a zone was changed (customer issue 173).
- Other minor bug fixes and improvements
24.10.0
- Added support for Intel GPUs. (Some backwards incompatible changes were made in how to configure GPU support).
- Support for passkeys as a login method was added. (Not yet supported in UI)
- Fixed an issue with "internal error" when ingress allocation method was changed after an application was already deployed to a site (customer issue 157)
- Fixed an issue where old versions of an application specification could be removed if too many new versions were added, even if the old version was deployed to a site. Now old versions are retained as long as that version is deployed somewhere.
- Other minor bug fixes and improvements
24.9.7
- Added better support for running supctl on Windows (customer issue 147)
24.9.6
- Events are now generated on the system:event topic before and after an upgrade of the Control Tower UI and supd.
24.9.5
- supctl can now output results in CSV format, see option --csv
- The Edge Enforcer nameserver now allows recursive DNS queries from any host on the local network (customer issue 137).
- Fixed issue with a disappearing tag when an image was pushed multiple times to Control Tower
24.9.4
- Minor bug fixes and improvements
24.9.3
- Improved error reporting when a deployment fails with errors during upgrade
- Optimized /v1/state/system/site-status/sites when there are many sites
24.9.2
- Fixed race condition when creating auto-cert files when there were multiple containers using the same cert file (related to customer issue 127).
24.9.1
- Minor bug fixes and improvements