Boundary
Boundary 0.16.0 release notes
GA date: April 30, 2024
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes, refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
Important changes
Change | Description |
---|---|
Role creation | In a future version Boundary will no longer automatically create roles when new scopes are created. This was implemented prior to multi-scope grants to ensure administrators and users had default permissions in new scopes. Since Boundary 0.15, initial roles created for new clusters provide these permissions by default to all scopes using multi-scope grants. |
Docker image no longer contains curl | As of version 0.16.3 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget, which you can alternatively use to check the health endpoint for a worker. If your workflow depends on having curl in the image, you can dynamically install it using apk. Learn more: Known issues and breaking changes |
New features
Feature | Update | Description |
---|---|---|
Aliases | GA | A new resource was introduced in this release. Aliases let you associate a string with a Boundary target. You can then establish a session to the target by referencing its alias, instead of having to provide a target ID or target name and scope ID. Learn more: Aliases. |
MinIO support for session recording | GA | You can now configure external MinIO storage to store recorded sessions. MinIO support provides an on-premises storage option for users who do not use AWS. Learn more: Session recording overview. |
Admin UI enhanced search and filtering | GA | Enhanced search and filter support was added to the Boundary CLI and API through a new list pagination feature in release 0.15.0. This functionality has been extended to the Admin UI in release 0.16.0. Learn more: List pagination. |
Local storage state health | GA | Storage state values have been created to monitor the health of any local workers used for session recording. Boundary monitors the worker's available disk space and compares it to the value you configured for recording capacity. If the worker does not have adequate storage, it cannot be used for session recording. Learn more: Local storage for session recording. |
X-Correlation-ID HTTP header | GA | A new HTTP header was added to identify a transaction over a series of requests and responses. You can use the X-Correlation-ID header to correlate events between external systems and products. The initial release of the X-Correlation-ID header supports correlating events between Boundary and Vault. Learn more: HTTP headers. |
Known issues and breaking changes
Version | Issue | Description |
---|---|---|
0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
0.16.0 (Fixed in 0.16.0) | Users cannot log in to Boundary Desktop | A bug caused Boundary Desktop to incorrectly assume the controller was running an unsupported version, which prevented users from logging in to the Desktop client. Learn more: Boundary Desktop issue #4370. This issue is fixed in Boundary version 0.16.0. Upgrade to the latest version of Boundary. |
0.16.0 (Fixed in 0.16.1 for Community/Enterprise editions and 0.16.2 for HCP Boundary) | Controller deadlock with database connections stuck in idle in transaction state | If you configured a controller to have the maximum number of open connections and it was under enough load from worker requests, the controller could get stuck. Once the controller consumed all the database connections, it would leave them in an idle in transaction state. In extreme cases, this could cause Boundary clusters to become unresponsive. The problem was caused by a combination of issues. There was no request timeout for worker-to-controller gRPC requests. Also, the session repository attempted to use a separate database connection to retrieve a KMS wrapper after already starting a database transaction. This issue is fixed in release 0.16.1 for the Community and Enterprise editions. It is fixed in release 0.16.2 for HCP Boundary. Boundary now sets a max request duration for gRPC requests based on the cluster's listener configuration. KMS operations now occur outside of the transaction. Upgrade to the latest version of Boundary. |
0.16.0 (Fixed in 0.16.2) | TLS handshake error | When you rotated credentials for a worker, sometimes the request succeeded on the controller, but the worker did not receive the response. Because the controller and worker used different sets of credentials, the worker was unable to connect to the controller and you received a TLS handshake error. In release 0.16.2, we added a new NodeIDLoader interface. The worker uses the interface to check its key set and correct its stored credential set to match the controller, if necessary. This issue is now resolved. Upgrade to the latest version of Boundary |
0.16.0 (Fixed in 0.16.2) | OIDC error codes | In releases 0.16.0 and earlier, Boundary used internal error codes for OIDC errors. The internal error codes could cause confusion, since the codes were non-standard HTTP response codes. In release 0.16.2, we updated the OIDC request handlers to return standard gRPC status codes for errors. The 4xx status codes are more descriptive of the error. Upgrade to the latest version of Boundary |
0.16.3+ | Docker image no longer contains curl | As of version 0.16.3 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget. You can use wget to check the health endpoint for workers. Learn more: Check the health endpoint using wget. If your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl: <CONTAINER-ID> apk add curl or kubectl exec -ti <NAME> -- apk add curl |
0.16.0 (Fixed in 0.16.3) | Using an invalid alias results in a 401 message | If you tried to connect to an invalid alias, Boundary returned a message with the 401 status code. The 401 status code could cause users to believe that they did not properly authenticate, rather than realizing the alias resource was invalid. This issue is fixed in Boundary version 0.16.3. If you use an invalid alias, Boundary now properly returns a 404 status code, indicating that it could not find the alias resource. Learn more: Aliases. Upgrade to the latest version of Boundary. |
0.16.0 (Fixed in 0.16.3) | Session recording fails when you use Secure File Copy (SCP) | If you tried to use SCP during a recorded session, the session recording details may have shown the recording state as Failed, and you may not have been able to play back the session. This issue occurs when a recorded session file is too large. It can happen when you use SCP to transfer large files during a recorded session. In Boundary version 0.16.3, we have increased the maximum size for recorded session files to 5 GB. This issue should happen less often now, but be careful when you use SCP during a recorded session, because it can result in large recorded session files. Learn more: Session recording storage considerations. Upgrade to the latest version of Boundary. |
0.8.0+ (Fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2) | Boundary controller incorrectly handles HTTP requests and stops prematurely (HCSEC-2024-28) | Boundary Community Edition and Boundary Enterprise incorrectly handle HTTP requests while the Boundary controller is starting up, which may cause the controller to stop prematurely. Boundary is only vulnerable to this flaw during the controller's initialization, which usually occurs in milliseconds during Boundary's startup process. This vulnerability, HCSEC-2024-28, is fixed in Boundary Community Edition and Boundary Enterprise versions 0.16.4, 0.17.3, and 0.18.2. Learn more: HCSEC-2024-28: Boundary controller incorrectly handles http requests on initialization which may lead to a denial of service. Upgrade to the latest version of Boundary. |
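
The phased rotation recommended in the 0.13.0+ storage bucket entry above can be enforced with a gate that refuses to revoke the old secrets while sessions established before the rotation are still open. The following is an added example, not code from the Boundary project; the session records and rotation time are constructed, and it assumes every listed session may be recorded to the rotated bucket (a real check would narrow this to targets that use that bucket).

```python
import json
from datetime import datetime

# Constructed sample, shaped like the "items" array returned by
# `boundary sessions list -format json` (only the fields used here).
SAMPLE_SESSIONS = json.loads("""[
  {"id": "s_example0001", "status": "active",     "created_time": "2024-05-01T09:15:00Z"},
  {"id": "s_example0002", "status": "terminated", "created_time": "2024-05-01T08:00:00Z"},
  {"id": "s_example0003", "status": "active",     "created_time": "2024-05-01T10:30:00Z"},
  {"id": "s_example0004", "status": "canceling",  "created_time": "2024-05-01T09:59:59Z"}
]""")


def parse_time(value):
    """Parse an RFC 3339 timestamp; map a trailing 'Z' for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed: the moment the storage bucket's secrets were rotated.
ROTATED_AT = parse_time("2024-05-01T10:00:00Z")


def sessions_blocking_revocation(sessions, rotated_at):
    """Return IDs of sessions that may still be using the old credentials.

    A session blocks revocation when it was established before the rotation
    and has not reached the terminated state (pending, active and canceling
    sessions can all still be writing a recording).
    """
    return sorted(
        s["id"]
        for s in sessions
        if parse_time(s["created_time"]) < rotated_at
        and s["status"] != "terminated"
    )


def safe_to_revoke(sessions, rotated_at):
    """True only when no pre-rotation session is still open."""
    return not sessions_blocking_revocation(sessions, rotated_at)


if __name__ == "__main__":
    blocking = sessions_blocking_revocation(SAMPLE_SESSIONS, ROTATED_AT)
    if blocking:
        print("Do not revoke old credentials yet; open sessions:", blocking)
    else:
        print("All pre-rotation sessions are terminated; safe to revoke.")
```
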
Feature deprecations and EOL
EOL | Description |
---|---|
boundary daemon command | The boundary daemon command has been deprecated in favor of the new boundary cache command. The functionality remains the same. Learn more: boundary cache |
include_terminated field removed | The include_terminated field from the list sessions command has been deprecated and will be removed in an upcoming release. Boundary will return terminated sessions in all list session responses, unless they are filtered out using the filter field. For more information, refer to the filter resource documentation. Learn more: sessions list command options and Filter resource listings |
grant_scope_id field removed from roles | The grant_scope_id field, which was deprecated in release 0.15.0, has been removed from roles. You can now manage roles using the add-grant-scopes, remove-grant-scopes, and set-grant-scopes commands. Learn more: add-grant-scopes, remove-grant-scopes, and set-grant-scopes |