weave

Simple, resilient multi-host containers networking and more.

APACHE-2.0 License


weave - Weave latest (2.8.1) Latest Release

Published by bboreham over 3 years ago

weave - Weave Net 2.8.1

Published by bboreham over 3 years ago

Release 2.8.1

Fixes a problem introduced in 2.8.0 for machines whose unique ID is in /etc/machine-id #3886
Many thanks to contributor @avestuk for this fix.

Also move Kubernetes API calls out of Weave Net daemon #3885 - this reduces the size of the 'weaver' binary and stops it crashing when run on 32-bit ARM.

weave - Weave Net 2.8.0

Published by bboreham almost 4 years ago

Release 2.8.0

This release makes some important changes to trim the "attack surface" of the Kubernetes install, addressing CVE-2020-26278, and improves a couple of reported issues.

  • Workaround to fix ipset conflict with iptables #3851, #3882
  • Kubernetes: move kernel and CNI setup to init container #3880
    (We also stopped including config for Kubernetes releases 1.6 and 1.7 which are very old.)
  • For K8s, stop running in host PID namespace #3876
  • NetworkPolicy: avoid logging dropped packets that were not actually dropped #3852
  • Build with Go version 1.15.6 #3883

Many thanks to contributors @drigz, @KevDBG and @NeonSludge.

weave - Weave Net 2.7.0

Published by bboreham about 4 years ago

Release 2.7.0

This release improves resiliency in a number of areas, and extends the Prometheus metrics exported by Weave Net.

Change in behaviour: on Kubernetes, the client source IP is preserved when calling from a pod to a service.
This feature, introduced in version 2.4.0 and previously turned on by setting NO_MASQ_LOCAL=1, is now on by default. #3389, #3756

Features

  • Reload router iptables rules if they get cleared, e.g. when firewalld restarts. #3802 (weave-npc rules are not reloaded)
  • Add new type and encryption labels to weave_connections metric #3788, #3789
  • Weave Net now exports Go metrics for heap size, garbage collection, etc. #3838
  • Register container name and its network aliases with weaveDNS #3084, #3090
  • Make DNS listen address configurable #1770, #3231

Bug fixes

  • weave-npc could crash if you deleted a Kubernetes Namespace containing pods #3833, #3836
  • Ensure that weave-npc exits and restarts if it crashes #3764, #3792, #3841
  • Avoid weave-kube failing on startup due to iptables lock #3828, #3835

Build and test

  • Reduce size of containers (weaveworks/weave goes from 99MB to 83MB) #3624, #3726
  • Weave Net is now built with Go 1.14.4, which should improve performance #3838
  • CI tests are now run against Docker 19.03.1, Kubernetes 1.14.0 #3687

Many thanks to contributors @berlic, @gobomb, @hairyhenderson, @naemono, @nesc58

weave - Weave 2.6.5

Published by bboreham over 4 years ago

Release 2.6.5

Fixes a bug that would leak memory every time a fast-datapath connection was stopped. #3808
Also avoid a crash when the machine has ipv6 disabled. #3815

weave - Weave 2.6.4

Published by bboreham over 4 years ago

Release 2.6.4

Improves the iptables rule added in 2.6.3 to block just the Weave Net control port, and avoid blocking other uses of 127.0.0.1. #3811

weave - Weave 2.6.3

Published by bboreham over 4 years ago

Note: 2.6.4 was created to relax the iptables blocking rule added in this release, because it turned out to be too strict.

Release 2.6.3

This release has a couple of security improvements, and some other fixes.
Note that we still recommend removing CAP_NET_RAW access from untrusted containers.

  • Block non-local traffic to the Weave control port [CVE-2020-8558] #3805
  • Tell Linux not to accept router advisory messages [CVE-2020-11091] #3801
  • Network Policy Controller: add a metric to show errors while operating #3804
  • Network Policy Controller: don't treat named port as a fatal error #3790

weave - Weave 2.6.2

Published by murali-reddy over 4 years ago

Release 2.6.2

Fixes a regression found in the 2.6.1 release and adds a fix to prevent CPU spinning.

Bug fixes

  • Weave Net cannot be used in fastdp mode and always falls back to sleeve mode #3781, #3783
  • Restrict timeout value passed to pcap library to a value less than 2^31 microseconds to
    prevent CPU spinning in sleeve mode #3782

weave - Weave 2.6.1

Published by murali-reddy over 4 years ago

Note: a regression was reported (#3781); we advise waiting for resolution before upgrading.

Release 2.6.1

Support for iptables 1.8 and a bug fix.

Bug fixes

  • Removes a possible deadlock which could cause Weave Net, on node restart, to stop connecting to peers and stop responding to API requests #3762, #3763

Other improvements

  • Weave Net Kubernetes images by default use iptables 1.8 with the legacy (netfilter) backend, with
    an option to choose nftables as the iptables backend #3465, #3747

weave - Weave Net 2.6.0

Published by bboreham almost 5 years ago

Release 2.6.0

This release reduces CPU and memory usage in larger clusters, by sending notifications to a smaller set of peers and coalescing updates to reduce topology recalculation. #3715, #3732

The default soft limit on connections has been raised from 100 to 200.

Bug fixes

  • Fix a race condition in Kubernetes addon when reclaiming IP addresses after node deletion #3724, #3716
  • Buffer events so Docker won't drop them, and Weave Net can clean up after dead containers #3432, #3705
  • Weave reconnect occasionally fails after network interface disconnect #3666, #3669, #3676
  • Ingress NetworkPolicy would accept all traffic when specifying both IPBlock and port #3653, #3654

Kubernetes improvements

  • Support both podSelector and namespaceSelector in NetworkPolicy #3312, #3647
  • Only add default-drop egress rule if network policies are in use #3639
  • Manifests use 'apps/v1' rather than deprecated 'apps/v1beta1' #3660
  • Avoid Weave Net pods being evicted by setting priorityClassName: system-node-critical #3697
  • Manifests use recommended DNS policy ClusterFirstWithHostNet #3692
  • Weave Net now tolerates 'NoExecute' taint #3655
  • Allow extra arguments to NetworkPolicy controller to be set in an environment variable #3683
  • Stop reporting a failure to connect to self #3454, #3585
  • Minor reduction in log noise when reclaiming IPs #3710

Other improvements

  • Avoid isolating nodes which have restarted by automatically repairing inconsistencies in IP allocation data #1962, #3637, #3708
  • Build Weave Net for the s390x architecture #3685
  • When an IP address is requested that may be in use, make several attempts to claim it before returning an error #3725
  • Improve logging for IP allocation updates #3627, #3630
  • Improve 'expecting PMTU update' log message on initial connection #3603

Build and test

  • Shut down Kubernetes on node when testing node deletion #3716
  • Update the base 'Alpine' container image to version 3.8 #3701
  • Update Go to version 1.13.3 #3712
  • Update gopacket library #3590
  • Pin busybox version to 1.28 to avoid CI failure in Python test #3689
  • Remove obsolete weave-daemonset.yaml file #3674

Thanks to contributors @christian-2, @hpdvanwyk, @guirish, @kitt1987,
@mmerrill3, @Pensu, @scritchley, @sidharthsurana, @tanishq-dubey

weave - Weave 2.5.2

Published by murali-reddy over 5 years ago

Release 2.5.2

This release fixes several bugs causing inconsistencies in IPAM and fixes a
panic in the daemon that reclaims and forgets deleted nodes in Kubernetes clusters.

Bug fixes

  • In a Kubernetes cluster, when a pod is deleted while the weave-net pod is restarting or, on rare occasions, while the weave-kube container is hung, the IP address assigned to the pod is never released, potentially exhausting the IPs available to allocate to pods on the node #3587, #3638
  • In a Kubernetes cluster, a reclaim daemon runs as part of kube-utils and automates weave forget for deleted nodes. Fixes a panic in the reclaim daemon that resulted in Weave attempting to connect to dead nodes #3613, #3623
  • Make Weave's IPAM resilient by preventing inconsistent IPAM entries from occurring in the ring, and resolve the conflict if they occur during an IPAM ring merge #3629, #3635, #3632, #3444

weave - Weave Net 2.5.1

Published by murali-reddy over 5 years ago

Release 2.5.1

This release fixes bugs reported for the 2.5 release and makes small improvements.

Bug fixes

  • Prevent warnings in kernel logs due to use of the physdev module for
    non-bridged traffic #3449, #3453
  • Check for and report any error that occurred while getting the list of Kubernetes
    peers #3581, #3582

weave - Weave Net 2.5.0

Published by bboreham almost 6 years ago

Release 2.5.0

This release adds support for Kubernetes hostPort mapping (#3016,#3356) and the ipBlock NetworkPolicy feature (#3168,#3367)

Bug fixes

  • Fix a crash at start-up on Docker for Mac #3405, #3408
  • Network policy: block ingress traffic when no namespaceSelector or podSelector is specified #3347
  • Reclaim IP addresses which are locked by a non-existent peer #3386, #3416
  • Fix a crash when blank IP data was loaded #3067, #3415

Other improvements

  • If a connection is downgraded to the slower "sleeve" mode, Weave Net will now periodically try to upgrade it to "fast datapath" again. #1737, #3385
  • Reclaim removed Kubernetes nodes' IP space and stop trying to connect to them when they are deleted, rather than on next restart #3372, #3399
  • Replace Kubernetes livenessProbe with readinessProbe, so the pod is not killed if it runs slowly #3471, #3421
  • In Kubernetes NetworkPolicy controller, remove the need to maintain a set of local pod IP addresses #3344, #3423
  • Don't crash on Kubernetes named port in NetworkPolicy, just report as unsupported #3375
  • Ensure the weave network bridge is accessible on Linux kernels older than 3.14 #3442, #3297, #3239
  • Better reporting in the logs if the weave network device is in the Down state #3133, #3381
  • Change log-level to debug of calls through the Docker proxy, to reduce noise #3439
  • Add --without-masquerade option to weave expose, so external services can see the original container IP address #3388
  • Include Kubernetes cluster information in checkpoint call #3324,#3431
  • Bump go-odp dependency, so that fastdp works on the 4.19 kernel #3430

Build and Testing

  • CI builds on master branch now publish images for all platforms
  • Fix golint path and use https for download of libpcap #3435
  • Update Kubernetes client-go to v8.0.0, removing code licenced under LGPL3 #3358,#3366
  • Migrate CircleCI to V2, which is much faster #3255,#3270

External Contributors

Thanks to the following contributors:

  • @Ashiroq
  • @leprechau
  • @lkpdn

weave - Weave Net 2.4.1

Published by bboreham about 6 years ago

Release 2.4.1

This release fixes several bugs causing inconsistencies in IPAM for Kubernetes users whose clusters scale up and down over time.

Bug fixes

  • Nodes unable to connect after Kubernetes addon erroneously reclaimed node without any IP addresses #3392, #3393
  • Kubernetes addon could have run out of free IP addresses after nodes are deleted #3384, #3400
  • Kubernetes addon had reduced free IP addresses due to not reclaiming IP addresses when node name is re-used #3397

Other improvements

  • Support --label in WEAVE_DOCKER_ARGS when starting Weave #3370,#3371
  • Add missing --token argument in help for weave launch #3226, #3379
  • Print defunct processes after smoke-tests #3362

weave - Weave 2.4.0

Published by brb about 6 years ago

Release 2.4.0

This release introduces support for Kubernetes Egress Network Policy (#2624, #3313)
and adds a mechanism for preserving the client source IP address to enable
externalTrafficPolicy: Local on Kubernetes (#2924, #3298).

In this release we stop supporting the Kubernetes legacy Network Policy previously controlled with the --use-legacy-netpol flag.

Bug fixes

  • Increase the ipset list size which prevents weave-npc from crashing on older
    kernels when more than eight Kubernetes Namespaces are used (#3289, #3305).
  • Avoid a possible livelock when reclaiming IP address space in weave-kube (#3317).
  • Ensure xtables.lock is mounted as a file so that kube-proxy can take the lock
    if it has started after Weave Net (#3351, #3353).
  • Upgrade the CNI plugin symlinks only if the plugin has changed (#3337, #3345).

Other improvements

  • Manipulate the Kubernetes node status NetworkUnavailable so that Pods can be
    scheduled on nodes when the GCE cloud provider is in use (#3249, #3307, #3332, #3334).
  • Refrain from creating a subprocess for configuring a network interface in
    a container network namespace (#3291).
  • Protect against handling the CNI plugin request with the host namespace which
    prevents Weave Net from misconfiguring the host network (#3206, #3346).
  • Weave Net can be run on minikube VM (#3124).
  • Add org.opencontainers.image.* labels to Dockerfiles to improve association
    of the container images with git revisions (#3299).
  • Improve the error message when running weave reset on Kubernetes (#3319).

Build and Testing

  • Use dep instead of git submodules for managing external packages (#3268).
  • Fix usage of manifest-tool in Makefile (#3320).
  • Update Kubernetes to 1.11 for the integration tests (#3340).

External Contributors

Thanks to the following contributors:

  • @kitt1987
  • @louismunro
  • @Nodraak
  • @stevenjohnstone

weave - Weave 2.3.0

Published by brb over 6 years ago

Release 2.3.0

Security fixes

  • By default, do not expose Weave "/status" and "/report" to all (0.0.0.0) when
    running on Kubernetes #3271

Other improvements

  • Increase the default connection limit for Weave peers (from 30 to 100) when
    running on Kubernetes, so that more peers could directly connect #3265

Build and test

  • Build Weave Net with Go 1.10.1 #3273
  • Run integration tests against Kubernetes 1.10.0 #3266

weave - Weave 2.2.1

Published by brb over 6 years ago

Release 2.2.1

Bug fixes

  • Fix a bug in weave-npc which would allow ingress traffic to Kubernetes Pods selected by a NetworkPolicy in which source and destination selectors were the same #3222,#3237
  • Fix a bug in weave-npc which would crash if a previously deleted Kubernetes Namespace has been created again #3247,#3250

Other improvements

  • Increase the default connection limit for Weave peers (from 30 to 100), so that more peers could directly connect #3234
  • When doing a rolling update of Weave Net on Kubernetes, allow each node five seconds to initialize before rolling next Weave Net Pod, so that issues at startup will halt the rollout and not spread across the whole cluster #3235
  • Install common CA certificates from Alpine Linux package instead of copying them manually #3236

Upgrading the Weave Net Kubernetes addon (weave-kube)

Apply the latest DaemonSet manifest, either attached to this release or from the config generator at Weave Cloud:

kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

External contributors

Thanks to the following contributors:

  • @alok87

weave - Weave 2.2.0

Published by bboreham over 6 years ago

Release 2.2.0

This release improves the way Weave Net configures Linux network devices and network filter rules, so that it is more robust in the face of unexpected changes in its environment. #3204,#3224

As a consequence of these changes, the weave attach command will now fail unless the Weave Net daemon is up and running - previously it was possible to run independently as long as you managed all IP addresses yourself.

Other improvements

  • Update library miekg/dns for CVE-2017-15133 (details under embargo) #3223,#3227
  • Reduce the volume of logging from weave-npc #3183
  • Add ability to set log level for Docker "v2" plugin, and change default log level from DEBUG to INFO #3197
  • Downgrade log messages about Discovery and Expiration to DEBUG level #3202,#3203
  • Use command-line parameter for WeaveDNS address in Docker proxy #3196

Bug fixes

  • Ensure that rules to block traffic for NetworkPolicy are placed ahead of rules that Kubernetes has added to allow other traffic #3209,#3210

Build and test

  • Update CI tests to use Kubernetes 1.9.2 #3229
  • Remove "daily update" from test VMs that only run for a few minutes #3224

Upgrading the Weave Net Kubernetes addon (weave-kube)

Apply the latest DaemonSet manifest, either attached to this release or from the config generator at Weave Cloud:

kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

External Contributors

Thanks to the following contributors:
@vetal4444

weave - Weave 2.1.3

Published by bboreham almost 7 years ago

Release 2.1.3

This release fixes a race-condition in the IP reclaim code for weave-kube where, if multiple nodes ran the reclaim process at exactly the same time, two nodes could end up fighting over the same space and break connectivity #3190, #3192

Upgrading the Weave Net Kubernetes addon (weave-kube) from pre-version 2.1:

There is an updated DaemonSet manifest for Kubernetes 1.7 and 1.8 that adds access to networkpolicies from the networking.k8s.io API group used by the 'v1' policies and a new role to create ConfigMaps:

kubectl apply -f https://cloud.weave.works/k8s/v1.7/net

To use old network policies:

kubectl apply -f "https://cloud.weave.works/k8s/v1.7/net?use-legacy-netpol=true"

weave - Weave Net 2.1.2

Published by bboreham almost 7 years ago

Release 2.1.2

This release fixes a couple of bugs discovered since the release of Weave Net 2.1.0.

Bug fixes

  • Fix crash seen when starting 10-15 nodes simultaneously #3184,#3186
  • Fix NetworkPolicy blocking traffic if updates come out of order from Kubernetes #3177,#3181

Upgrading the Weave Net Kubernetes addon (weave-kube) from pre-version 2.1:

There is an updated DaemonSet manifest for Kubernetes 1.7 and 1.8 that adds access to networkpolicies from the networking.k8s.io API group used by the 'v1' policies and a new role to create ConfigMaps:

kubectl apply -f https://cloud.weave.works/k8s/v1.7/net

To use old network policies:

kubectl apply -f "https://cloud.weave.works/k8s/v1.7/net?use-legacy-netpol=true"

External Contributors

Thanks to the following contributors:
@zignig
