Fluxheim 1.7.11
Fluxheim 1.7.11 Release Notes
Fluxheim 1.7.11 delivers the zero-downtime process-upgrade slice after the
stable 1.7 Wasm policy milestones. It combines bounded native drain, strict
listener inheritance, readiness-gated handoff, and tested native and Podman
deployment patterns.
The release also completes the native HTTP/1 parser audit and tightens critical
background-service ownership without changing operator configuration defaults.
Added
- Track accepted native HTTP, HTTPS, HTTP/2, and Unix-listener connections so
shutdown stops new accepts while established connections drain. - Apply
server.process.grace_period_secondsand
server.process.graceful_shutdown_timeout_secondsin the native runtime. - Add live regressions for keep-alive drain behavior and bounded shutdown.
- Add a real-binary
SIGTERMsmoke to the maintained native HTTP/1 gate and
human test launcher. - Document the native binary, systemd socket-activation, and Podman blue/green
handoff boundaries before exposing upgrade automation. - Adopt public HTTP/HTTPS TCP listeners from the standard systemd FD-3
protocol, requiring a matchingLISTEN_PID, bounded descriptor count, and
exact one-for-one launch-plan address match. - Add unit coverage for malformed activation metadata and real-socket adoption,
plus a real-binary smoke that serves through an inherited listener and proves
malformed activation fails closed. - Report systemd readiness only after native listener/background-service startup
completes, fail startup if a configured notification socket is unreachable,
and report bounded-drain status after a shutdown signal. - Exercise an old and new Fluxheim process on one parent-owned listener. The
maintained smoke proves a bad replacement leaves old serving, green readiness
precedes drain, established old traffic completes, and new requests have no
connection-refusal window. - Ship an optional RPM/systemd socket unit for the packaged port-80 listener.
It remains disabled by default so existing direct-binding deployments do not
change behavior during package installation. - Add a real rootless-Podman blue/green smoke. It verifies that direct published
ports cannot be atomically replaced, then proves the supported stable-front
pattern with failed-green rollback and old keep-alive drain. - Wait for every configured background service to reach its explicit ready
point before systemd receivesREADY=1; a service that exits first makes the
replacement fail closed and leaves the old generation serving. - Reject inherited descriptors that are not listening TCP sockets, including a
live regression using a connected stream bound to the expected address. - Defer public/admin accept loops until background readiness succeeds, and add
a live late-failure replacement test proving the old generation serves every
request while the replacement aborts. - Explicitly abort outstanding listener and background tasks at the drain
timeout instead of relying on whole-process teardown. - Remove
listenfdfrom socket activation and receive descriptors through a
focused Fluxheim crate with environment clearing disabled, preserving memory
safety for multithreaded and embedded runtimes. - Claim inherited systemd descriptors exactly once per process and own the
complete set before validating any item. Concurrent calls and retries fail
before touching FD 3, while validation failures close the complete set.
Fixed
- Use one validated HTTP/1 authority for routing, authorization, forwarding,
and cache partitioning. Conflicting absolute-form authority andHost,
malformed ports/IPv6/host syntax, non-HTTP absolute targets, and malformed
absolute URIs now fail before request dispatch. - Reject every HTTP/1.0
Transfer-Encodingmessage before evaluating
keep-alive. Chunked decoding now bounds encoded bytes, line length, extension
bytes, and chunk count, validates extension grammar, streams decoded data into
caller-owned output, and preserves identical parser results across every
fragmented-read boundary, including a split terminal CRLF at the line limit. - Return only a semantically validated public HTTP/1 request-head type. Host and
authority agreement, request-target grammar, body framing, and persistence
are resolved before callers can inspect or route a request. - Enforce the RFC 3986 ASCII path/query grammar and reject malformed raw or
percent-encoded target characters before routing. - Reject origin response status codes outside
100..=599, oversized PROXY v1
lines, and PROXY v2 payloads that exceed policy or differ from the declared
frame length. - Prevent construction of unvalidated protocol headers, share one bounded
Connectionoption parser with hop-by-hop filtering, and add dedicated fuzz
targets for HTTP/1 request/response heads, request targets, chunk bodies, and
PROXY v1/v2 frames. - Route HTTP/2 requests exclusively by
:authority; suppliedHostfields are
replaced and requests without authority fail closed. - Remove all fixed and
Connection-nominated hop-by-hop origin response
headers before delivery or cache admission, and reject malformed options. - Read through at most eight HTTP/1 informational origin responses to the final
response, reject generic status 101, and reject transfer-coding chains that
Fluxheim cannot decode completely. - Prevent oversized embedded HTTP/1 connection limits from reaching Tokio's
panicking semaphore constructor. - Accept only ownership-checked critical task handles in the runtime watchdog.
Attempted noncritical registration returns the original live handle instead
of dropping it and cancelling cache, metrics, certificate, or maintenance
services. - Stop accepting caller-controlled executable and temporary-root paths in the
zero-downtime and Podman blue/green smoke helpers. Their executable and
secure workspace locations are now derived from fixed repository paths and
Python-managed mode-0700temporary directories, resolving the associated
CodeQL command/path alerts. - Poll the final SWR disk-cache assertion for a bounded interval so the smoke
observes the supported asynchronous memory-publish/disk-persistence order
without masking a disk-store failure.
Build And Packaging
- Pin the source, container build images, and RPM build prerequisite to the
Rust 1.97 toolchain line. - Include the disabled-by-default
fluxheim.socketsystemd unit in the RPM
payload alongside the documented activation workflow. - Update the interactive RPM build menu to Fedora 44 and openSUSE Leap 16.0,
removing the end-of-life openSUSE Leap 15 target.
Checksums And Signatures
- Commit:
84540314dc9a7e5cf8612794a522e8b14fccddeb - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
b545fb74282dfb88c92975cfe440595e0594f257168cc123b095f02cc47966ea fluxheim-1.7.11.tar.gz4e9c5c3b40cb5206c60db4e751d12aa791883a7374158f4a625b8e1b7524e456 fluxheim-1.7.11.zip
- Binary checksums:
- x86_64:
2c8113a62cde403c7273109498a11bdca33071d4399a1834c4890ac59aa1b7d8 fluxheim-1.7.11-full-x86_64-linux.tar.gz2edb19f1de60d34a15246c220d17e89279c362ae1a93159d6de6e737612731d6 fluxheim-1.7.11-cache-x86_64-linux.tar.gz117ea4b893780341a2901317226872de7a818eb4e6526db713598115eb4bbd06 fluxheim-1.7.11-proxy-x86_64-linux.tar.gz271d3023e53eb9315a8b1d969ab8f699187214541dfb38b0467e1e3687828586 fluxheim-1.7.11-php-x86_64-linux.tar.gz922b084081c3cab14b88a997d205d7bbb874d6971adec091aa900c3f2d137cab fluxheim-1.7.11-load-balancer-x86_64-linux.tar.gz08e1c9feabab948dcfd1d1e78257e2d3f3f01e4b635c9cfae7f8f37542adf95d fluxheim-1.7.11-config-tester-x86_64-linux.tar.gz
- aarch64:
5539770bbb5ebc019d4449f93162b31a91b867f8708ee2c083138aa5da5f8016 fluxheim-1.7.11-full-aarch64-linux.tar.gz8e50c4e449660e90c883e33dcb881f0e6698c34d2efea360f83c6d3cedadd16e fluxheim-1.7.11-cache-aarch64-linux.tar.gz37dbd18c69539f3d40a23531d35a17e7114f094c370b06d3a9bcc750239c42e3 fluxheim-1.7.11-proxy-aarch64-linux.tar.gz63b5dab23d90d8016f447ce10ccf8796c0054b9ebd027574887d7eeaed2341ac fluxheim-1.7.11-php-aarch64-linux.tar.gz59d093cf525342a2760eec862122acba06b0586c6882dbc76178c053cec1f545 fluxheim-1.7.11-load-balancer-aarch64-linux.tar.gz89ec881a295f9d540fdd25793cc72b46a840122bd0e7fd071ee69dfc44e2a1a1 fluxheim-1.7.11-config-tester-aarch64-linux.tar.gz
- macos:
a0eafba22b32b6b52ea11e92b024d47917ccbc521ab4485ca024843fb7da5979 fluxheim-1.7.11-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
3cc60d910662e8a0b27e7983018f4142be8885c5d351a0ceefee8f9d3e61f808 fluxheim.spdx.jsond5b2602ac67a5a22aea165a83eaa6d1795816bd470153a803081e7fd8e5f4005 fluxheim.cyclonedx.json
- Reproducible build:
67b7a6d2181d3a70eaf2ec57633be0b68b3d3590c7d111b51c9d131de5db25b5x86_6404b411f414e3b483d098105f55297975e8b64b49be6d4580afe6e18d93b1e7edaarch64c7ad1341dfc352983cda3dc7c8248333feff61cb2a389a7a76f48721b1d88d53macos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:1341df75e492bb96f7a6fdb55efe5f9666ca12362a53827c83dc61f5150221ec - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:268353ea6d3690c566df0996da011e6f4dad8ca326e10e46142965d666fc58ed - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:9be2dde57c30e1c82921f60ed63a2740870e4124c50e29edff0036f646be7e65 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:17c86052db91cf7ed1d195c30b2bc2ac8593e0a4852b8243cf85ac817d653f90
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:2d2b58d42008ebd651acf9fb5b922d46fb1cdf186f3e5ebd48fd848e8c0b3a43 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:108207c04f17eecb5166c22ac5e482e4b8e90d73bf9b3123fb4c619c91570767 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:2d50f5b1c9d3aeca21447e32f8497ff42aafbff32771a19d21b78435fcee529e - Debian:
ghcr.io/valkyoth/fluxheim@sha256:57f08b057a0ad1f50b6e1bf744a196e841f507c30e12b130764477f2dae7ebc0
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:28787686b76d00ac0950fbab42d8782e2a5074f11a769ea2a20973843dbfd1ce - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:51ebac06942b6da626d25d88c97ffa2717b417d7f9a18f8455f7431e14965b4a - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:885908b94d316a1f79484268577b3b209a6a2224c895a347ac2f9cf17029398f - Debian:
ghcr.io/valkyoth/fluxheim@sha256:63e80952bfb3a30c3c5913df03cb6bc7991374c6c2f2d121016e8f69b65773e5
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:37bd7151e784272a857b5ca5c2fbd6c6788be33200a8b01cd73fc1df578f0950 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:6553632b759d1b8ed2cca6c5eff9d4b83c9b8cb1cd126f638366c1bcc8a032b8 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:964c1ce1ab668dc1e58b829da7d304be67e3c8272aa3631ce2219d13cc1cf8e7 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:11c620764c48c8fc9e87427a5ca61c608e67239641827b6a11b340c707fc7c1c
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:2fd95e114e676035fdabd280be3bcba3a4ec5e7419fcdc0bdad7d90615f8f6f1 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:225627cfd7c58819f27c63b7a8c6eb13312a9a611f735ec58f5e60e0bc26d3b6 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:1b358c2af501f11ec7b5b75362c230b2452a046d7d6fd502e09d9f1798a53dd9 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:265ba97cf3ef7e06cd00f7e4b670a9f6a0a86a8f822b762e0dd4f68044839cdc
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4