1.31.0rc1
Upgrade Instructions
This feature release requires a database schema upgrade. Please consult the documentation about upgrading your database schema.
The following changes are necessary and are covered by the alembic upgrade head
command:
- Adding
REPLICAS_RSE_ID_TOMBSTONE_IDX
toreplicas
table; CAUTION: If you add this index online, make sure the index is fully built before you deploy 1.31!
Important changes
- This release enables the usage of temporary tables per default. Previously, this was an opt-in, now it is an opt-out. If you notice any issues due to this change, you can turn the usage of temporary tables off via setting the
[core]use_temp_tables=False
setting in the config table.
Helm chart changes
breaking change: Version 1.31.x
of rucio-servers
helm chart is incompatible with old values
What changes?
The rucio-server
helm chart doesn't support anymore to deploy separate api
, auth
and trace
servers. Only a single server deployment can be done by one helm release.
There are two possible cases.
-
If your helm values don't set any of the
authReplicaCount
ortraceReplicaCount
(or set them to0
), the impact of this release will be very limited on you.-
If you have any of the
authService
traceService
authIngress
traceIngress
authServerResources
traceServerResources
authServerResources
sections set in the values. They were already ignored anyway because ofauthReplicaCount
andtraceReplicaCount
not being set. You can safely remove these sections -
After that, you'll have to substitute any of the following constructs:
exposeErrorLogs: server: ... useSSL: server: ... minReadySeconds: server: ... readinessProbe: server: initialDelaySeconds: ... ... livenessProbe: server: initialDelaySeconds: ... ... serverType: server: ... logFormat: server: ...
with
exposeErrorLogs: ... useSSL: ... minReadySeconds: ... readinessProbe: initialDelaySeconds: ... ... livenessProbe: initialDelaySeconds: ... ... serverType: ... logFormat: ...
if any of the sections have an
authServer
ortraceServer
attribute, it can be removed.
-
-
If your values set
authReplicaCount
ortraceReplicaCount
to any positive integer, you'll have to split your helm release into multiple helm releases.For example. An initial helm release with values.yaml like following:
replicaCount: 3 authReplicaCount: 2 traceReplicaCount: 1
service: something authService anotherThing traceService thirdThing
useSSL: server: false authServer: true
Will have to become 3 different helm releases with following values:
-
api servers:
replicaCount: 3 service: something useSSL: false
-
auth servers:
replicaCount: 2 service: anotherThing useSSL: true config: api: endpoints: "ping, auth"
-
trace servers:
replicaCount: 1 service: thirdThing config: api: endpoints: "ping, traces, nongrid_traces"
-
Why this change?
The helm chart was difficult to maintain and had a lot of duplicate code to support an edge case for which a reasonable work-around exists. The behavior of the chart was also not consistent between trace
and auth
servers. Moreover, it didn't allow to set distinct parameters for those servers. Rather than trying to complicate things even further and fix inconsistent behavior, it was decided it's a better way forward to drop support for it.
Highly recommended change: rework of the additionalSecrets
section
What changes?
Support for additionalSecrets
will be dropped in a future major release. To be ready for that change, you can already migrate to the new format, for both rucio-servers
and rucio-daemons
helm charts. The old format will still be supported throughout the whole 1.31, but will be dropped in 1.32.
Substituted all occurrences of:
additionalSecrets: volumename: secretName: ... mountPath: ... subPath: ...
with:
secretMounts:
- secretName: ... mountPath: ... subPath: ... volumeName: volumename # volumeName is optional in most cases and will be inferred from secretName if ommited
Why this change?
Avoiding user-input keys in the yaml object (here: the volume name) is more consistent with the overall kubernetes best practices. User input is always passed via yaml values, not via yaml keys. One of the consequences of this change is improved support for kubernetes kustomize. Secrets can now be referred via the fieldSpecs.path
fields in kustomize.
Renaming additionalSecrets
to secretMount
is a cosmetic change. The new name seems to better reflect the function of this section.
Recommended change: rework of ftsRenewal section
What changes?
The ftsRenewal
sections in both rucio-servers
and rucio-daemons
helm charts suffered a major rework. The old format will still be supported throughout the whole 1.31 release line. There is no plan to drop support of the old format in 1.32, but we may decide to do so if the maintenance burden will be judged too high in the meantime.
In the new format, secrets and env variable have to be specified explicitly, rather than being selected implicitly depending on the 'vo' attribute. See the documentation: https://github.com/rucio/helm-charts/tree/master/charts/rucio-daemons#conveyor and helm values: https://github.com/rucio/helm-charts/blob/master/charts/rucio-daemons/values.yaml#L408 for example of new configuration.
Why this change? Two independent reasons:
- the new format introduced support for multi-vo.
- the source code of ftsRenewal cronjob became full of if/else to support vo-specific configurations. Configuring a new VO, with different requirements, was very difficult and required co-ordinated changes in multiple upstream rucio repositories. The new format is now much more flexible, but this comes at the price of increased verbosity of the configuration
Your opinion is welcomed: deprecation of implicit secrets
What changes? Nothing, yet. But we are evaluating the possibility to deprecate implicit secrets required by helm charts. If the community will not be against removing support for implicit secrets, the support will be gradually removed in future major releases.
If you want to participate and provide your opinion, you'll have to set useDeprecatedImplicitSecrets: false
in helm charts. This way, some secrets will not be automatically mounted into the containers. You'll have to explicitly mount corresponding secrets via helm values:
secretMounts:
- secretFullName: releasename-rucio-x509up mountPath: /opt/proxy
- secretFullName: releasename-rucio-ca-bundle mountPath: /opt/certs/
automatix: extraSecretMounts:
- secretFullName: releasename-rucio-ca-bundle-reaper mountPath: /etc/grid-security/certificates/ reaper: extraSecretMounts:
- secretFullName: releasename-rucio-ca-bundle-reaper mountPath: /etc/grid-security/certificates/ darkReaper: extraSecretMounts:
- secretFullName: releasename-rucio-ca-bundle-reaper mountPath: /etc/grid-security/certificates/
Why this change? We consider that explicit declaration of dependencies in helm charts is a better practice. Requiring secrets with specific names to be created inside the cluster before running the helm chart is very confusing to new users.
This change also allows you to pick a different name for the secrets and share them between multiple helm releases.
General
Features
- Recovery: Allow for file recovery policies based on scope #5928
Enhancements
- Core & Internals: Unicode support along all Core/API/REST API #4045
- Core & Internals: switch ON temporary tables workflows by default #6084
- Documentation: Fix broken Rest API docs view #4992
- Release management: update dependencies for the 1.31 release #6110
- Transfers: Remove full_mode switch from conveyor-receiver #5453
Bugs
- REST & API: create_did_sample broken for DIDs with "/" #5608
- Subscriptions: The transmogrifier updates the subscription history table everytime it runs #6109
Clients
Enhancements
- Clients: Use GFAL’s create_parent transfer parameter #2973