Posts

Apache Karaf runtime 4.3.5 and 4.2.14 are available, status regarding log4shell

You probably heard about security issue concerning log4j. This vulnerability in log4j is called log4shell. Basically, log4shell exploit gives attackers a simple way to execute code on any vulnerable machine. To exploit the vulnerability, an attacker has to cause the application to save a special string of characters in the log. The log4j community quickly fix this issue by releasing corrected version, starting from log4j 2.15.0 up to 2.17.0. In Apache Karaf runtime, we don't directly use log4j (or any logging framework). Karaf leverages Pax Logging which abstract/package the logging framework in a central logging service. Pax Logging API bundle reshape log4j, logback, slf4j, etc packages. The first step to do is to upgrade the log4j packages in Pax Logging and cut new Pax Logging releases. It's what we did: Pax Logging 2.0.12 has been released, upgrading to log4j 2.17.0 (fixing CVE-2021-45105 and CVE-2021-44228) and logback 1.2.9 (fixing CVE-2021-42550) Pax Logg

My first days at Huawei

Image
I joined Huawei couple of weeks ago as OpenSource Operation expert for Europe. I would like to share my first feeling. Warm welcome I was really impressed during the hiring process about the availability and friendly discussions we had with all people I had the chance to meet. It's confirmed when I joined: I received a very warm welcome, very positive mood. This first day I had a meeting with my bosses QinYao and Bryan. They took the time to introduce the overall strategy and key objectives. It was very helpful and I was able to start my ramp up the first evening ;) In the meantime, Pauline (HR) introduced the company in France and HR details. To be honest, it took me couple of days to understand processes, trainings (and corresponding exams) and internal tools. However, the phone application is very convenient: we have almost everything on the phone app. Once tools installed, I was really pleased and impressed to see all warm welcome messages from my teamma

What's new in Apache Karaf Decanter 2.8.0?

Apache Karaf Decanter 2.8.0 has just been released. This release includes several fixes, improvements, and dependency updates. I encourage all Decanter users to update to 2.8.0 release ;) In this blog post, I will highlight some important changes and fixes we did in this release. Prometheus appender The Prometheus appender has been improved to expose more gauges. As reminder, the Decanter Prometheus appender is basically a servlet that expose Prometheus compliant data, that Prometheus instances can poll to get the latest updated metrics. Prometheus appender only looking for numeric data (coming from the Decanter collectors) to create and expose gauges. Unfortunately, in previous Decanter releases, Prometheus appender only looking for numeric value for "first level" properties. It means if a collected data property value was a Map , no inner data was considered by Prometheus appender, even if inner values were numeric. That's the first improvem

What's new in Apache Karaf runtime 4.3.3?

Apache Karaf runtime 4.3.3 has been released. This release contains a bunch of fixes, dependency updates, and improvement. I will share some highlights in this release. You can download Apache Karaf runtime here: http://karaf.apache.org/download.html . The release notes are available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350142 . JDK17 support for build and runtime Karaf 4.3.3 now fully supports JDK17 both at build time and runtime. For JDK17 support, we did: new ASM version new JDK options at runtime new packages exported by Karaf Cleanly close SSH connection We identified an issue with the Karaf SSH connections. The SSH connections were not cleanly close, and we had to wait the timeout to close the socket. It means that we can have this state once the SSH client disconnects: $ netstat | grep 8101 tcp6 0 0 localhost:8101 localhost:47844 CLOSE_WAIT 4.3.3 fixes

Apache ActiveMQ 5.16.3 has been released

Apache ActiveMQ 5.16.3 has been released today. In this blog, I would like to highlights some changes we introduced in this release. Better Camel 3.x support and JMS2 dependency I've rewritten the Karaf features repository in ActiveMQ 5.16.3. Firt, the Karaf features doesn't contain inner repository anymore. The purpose is to let user pickup the version he wants at runtime. Concretely, it means that, in Karaf, ActiveMQ 5.16.3 can already use Spring 5 (fully Spring 5 support including in the ActiveMQ standalone distribution is already done on main branch for ActiveMQ 5.17.x). By the way, I will do similar improvement in Apache CXF and Apache Camel features repositories (removing inner repository to let users pick up at runtime), and Karaf will provides a spec features in a dedicated features repository. I also updated the range to support JMS 2.x dependency, instead of always forcing JMS 1.x. Even if ActiveMQ 5.16.3 doesn't really support JMS 2, you can already

What's new in Apache Karaf runtime 4.3.2 ?

Apache Karaf runtime 4.3.2 has been released and available on https://karaf.apache.org . You can have take a look on the Release Notes . Let's take a quick tour on this new Karaf release. Support R7 configutation factory and fix on json check Karaf 4.3.x introduced both suppport of OSGi Spec R7 and json configuration support (in addition of the "regular" cfg/properties format). We identify an issue in the configuration json format: when the json contains an array, then it was always considered as updated. For instance, the following configuration: { "foo": [ "bar" ] } was considered as always updated. We can see in the log: 2021-05-07T23:01:45,924 | INFO | fileinstall-/[...]/karaf/etc | JsonConfigInstaller | 25 - org.apache.karaf.config.core - 4.3.1 | Updating configuration from my.config.json 2021-05-07T23:03:45,924 | INFO | fileinstall-/[...]/karaf/etc | JsonConfigInstaller | 25 - org.apache.karaf.config.co

What's new in Apache ActiveMQ 5.16.2 ?

Apache ActiveMQ 5.15.15 and 5.16.2 has been released. 5.15.15 is the last planned one on the 5.15.x branch, and contains only bug fixes. If you use ActiveMQ 5.15.x, you should upgrade to 5.16.x. Now, we are focusing on 5.16.x and coming 5.17.x (see later in this blog). ActiveMQ 5.16.2 brings important fixes and improvements. Let's take a quick tour ;) Fix on failover priorityBackup When you have brokers located on different networks, failver priortyBackup allows you to specify a preference to "local" broker. For instance, you can use a broker URL like this: failover:(tcp://local:61616,tcp://remote:61616)?randomize=false&priorityBackup=true With this URL, client will try to connect to tcp://local:61616 and stay connected there. The client will connect to remote only if local is not there. However, client will constantly try to reconnect to local . Once the client can do it (when local is back), he will automatically reconnect. By default, the first U