    • This enhancement updates vector to match upstream vector tag v0.37.1
    • Enhancement
    • Log Collection - Sprint 252, Log Collection - Sprint 253

      Description

      Upgrade vector to v0.37.x

      Acceptance Criteria

      • Defined sub-tasks to support the new version
        • Upstream CI
        • Midstream pipelines
        • Operator updates
        • Patches we carry to bring forward from earlier releases
        • CLO updates to address vector config changes

      Notes

      • Review change log so we understand how this may impact Cluster Logging

      The following is known functionality that must be carried into this release:

      • syslog support
      • multi-line exception handling
      • kubernetes source rotate_wait
      • kubernetes source include_path
      • openssl integration? (removal of ring for FIPS)

            [LOG-5296] Update vector to v0.37.x

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Logging for Red Hat OpenShift - 6.0.0), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2024:6693


            Sergey Yedrikov added a comment -

            AWS SDK upstream seems to be getting serious about adding FIPS support:
            https://github.com/smithy-lang/smithy-rs/issues/3563

            It appears the story is now that rustls added FIPS support in https://github.com/rustls/rustls/releases/tag/v%2F0.23.0 on top of Amazon's https://crates.io/crates/aws-lc-rs , which is a Ring-compatible API with different backends. That in turn sits on top of https://crates.io/crates/aws-lc-fips-sys, which is a Rust binding for Amazon's fork of BoringSSL/OpenSSL.

            In particular, "This crate provides bindings to AWS-LC-FIPS 2.x, which has completed FIPS validation testing by an accredited lab and has been submitted to NIST for certification. The static build of AWS-LC-FIPS is used."

            AWS-LC-FIPS 2.x is https://github.com/aws/aws-lc/tree/fips-2022-11-02,
            "AWS-LC is a general-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers. It is based on code from the Google BoringSSL project and the OpenSSL project."
            They seem to support x64 and aarch64, but not power or s390x.

            Sergey Yedrikov added a comment -

            jcantril@redhat.com Here's the branch https://github.com/syedriko/vector/tree/syedriko-merge-upstream-v0.37.0. This is a branch off the tip of release-5.9 with the v0.37.0 upstream tag merged into it. Plus I added a couple of patches that we carry, in openssl and hyper. One thing is remaining: "cargo deny" flags ring as a dependency, but I'm not seeing any ring code linked into the vector executable. Let's talk this over whenever it's a good time.
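            A first step on the open item in the comment above (ring reported as a dependency while none appears in the binary) is to see which locked packages bring ring into the resolved graph. The sketch below is an added example, not code from the vector repository or from the commenters; the lock excerpt and the `chains_to` helper are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet, VecDeque};

// Constructed lock excerpt, trimmed to the fields read here; not vector's Cargo.lock.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "app"
dependencies = [
 "rustls",
]
[[package]]
name = "ring"
[[package]]
name = "rustls"
dependencies = [
 "ring 0.17.8",
]
"#;

/// Shortest chain from each root (a package nothing depends on) down to `target`.
fn chains_to(lock: &str, target: &str) -> Vec<Vec<String>> {
    // Pass 1: reverse edges, dependency name -> packages that list it.
    let mut rev: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let (mut current, mut in_deps) = ("", false);
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            current = v.trim_matches('"');
        } else if line == "dependencies = [" || line == "]" {
            in_deps = line != "]";
        } else if in_deps {
            // Entry forms: "name", "name version", "name version (source)".
            let name = line.trim_matches(|c: char| c == '"' || c == ',').split(' ').next().unwrap_or("");
            rev.entry(name.to_string()).or_default().insert(current.to_string());
        }
    }
    // Pass 2: breadth-first walk up from `target`; `seen` visits each package once.
    let (mut queue, mut chains) = (VecDeque::from([vec![target.to_string()]]), Vec::new());
    let mut seen = BTreeSet::from([target.to_string()]);
    while let Some(chain) = queue.pop_front() {
        match rev.get(&chain[0]) {
            None => chains.push(chain),
            Some(parents) => for p in parents.iter().filter(|p| seen.insert(p.to_string())) {
                queue.push_back([vec![p.clone()], chain.clone()].concat());
            },
        }
    }
    chains.into_iter().filter(|c| c.len() > 1).collect()
}

fn main() { for c in chains_to(SAMPLE_LOCK, "ring") { println!("{}", c.join(" -> ")); } }
```

            Cargo.lock records the graph resolved across all features and targets, so a crate can be listed there without being compiled into a particular build; `cargo tree -i ring` shows the same inverted view for the features and target actually selected.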

            Sergey Yedrikov added a comment -

            jcantril@redhat.com Sure thing. Let me go through the moves and refresh my memory.

            Jeffrey Cantrill added a comment -

            syedriko_sub@redhat.com Can you please meet with our team to discuss your strategy for bumping the vector version?

              rh-ee-calee Calvin Lee
              jcantril@redhat.com Jeffrey Cantrill