24.09.007
Released on 27 September, 2024.
Server
Features
- Added the ability to specify next_hop for any site’s range.
- Controllers now emit all user authentication events in their server logs. When viewing bowtie-server.service logs on the Controller directly, via Grafana, or aggregated through opentelemetry-collector, these auditing log events are annotated with audit_event=true. You may use this field to narrow searches for user authentication activity in the log event stream.
The types of auditing events include successful authentication, denied authentication (through invalid credentials or disabled users), and initial authentication flow requests. Wherever possible, these events include source IP metadata derived from the best available source (preferring forwarded-IP headers and falling back to the direct peer network address).
- Controller support bundles now accept an optional contact and problem description field.
- Controllers now make python available in $PATH for use with tools that require an interpreter, such as Ansible. At the time of writing, the bundled Python version is 3.11.9.
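As an added illustration of how the audit_event=true annotation described above can be used on the defender's side, the following Python script (written for these notes, not code from Bowtie) filters a log stream down to audit events and counts denied authentications per source IP. The page documents only the audit_event=true annotation; the sample log lines are constructed, and the remaining key=value fields (event, user, reason, source_ip) and their values are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real bowtie-server.service output).
# Only the audit_event=true annotation comes from the release notes; the
# other fields and event names are assumed for this example.
SAMPLE_LOG = """\
2024-09-27T09:00:01Z INFO bowtie-server audit_event=true event=auth_flow_started user=alice source_ip=198.51.100.20
2024-09-27T09:00:03Z INFO bowtie-server audit_event=true event=auth_success user=alice source_ip=198.51.100.20
2024-09-27T09:01:10Z INFO bowtie-server routes refreshed for site=hq count=12
2024-09-27T09:02:00Z WARN bowtie-server audit_event=true event=auth_denied user=bob reason=invalid_credentials source_ip=203.0.113.7
2024-09-27T09:02:05Z WARN bowtie-server audit_event=true event=auth_denied user=bob reason=invalid_credentials source_ip=203.0.113.7
2024-09-27T09:02:09Z WARN bowtie-server audit_event=true event=auth_denied user=carol reason=invalid_credentials source_ip=203.0.113.7
2024-09-27T09:03:00Z WARN bowtie-server audit_event=true event=auth_denied user=dave reason=user_disabled source_ip=192.0.2.9
"""

# key=value pairs; values are taken up to the next whitespace
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one line into timestamp, level and a dict of key=value fields."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    ts, level, _service, rest = parts
    fields = dict(KV_RE.findall(rest))
    return {"ts": ts, "level": level, **fields}


def audit_events(text):
    """Yield only the records annotated with audit_event=true."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("audit_event") == "true":
            yield rec


def denied_by_source(text):
    """Count denied authentications per source IP (forwarded or peer address)."""
    counts = Counter()
    for rec in audit_events(text):
        if rec.get("event") == "auth_denied":
            counts[rec.get("source_ip", "unknown")] += 1
    return counts


def suspicious_sources(text, threshold=3):
    """Source IPs with at least `threshold` denials, with the distinct users tried.

    Many denials from one address against several accounts is the pattern a
    reviewer would want to follow up on; the threshold is an assumption.
    """
    counts = denied_by_source(text)
    users = defaultdict(set)
    for rec in audit_events(text):
        if rec.get("event") == "auth_denied":
            users[rec.get("source_ip", "unknown")].add(rec.get("user"))
    return {ip: sorted(users[ip]) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in denied_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} denied authentication(s)")
    print("review:", suspicious_sources(SAMPLE_LOG))
```

The same filter (`audit_event=true` plus `event=auth_denied`) maps directly onto a Grafana or collector query; the script is only a stand-in that shows what such a query narrows the stream to.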
Enhancements
- Updated the base Controller appliance operating system to reflect the latest upstream package updates.
The table below lists relevant user-facing packages that may impact custom configuration settings on deployed Controllers:

Package      Old Version   New Version
bash         5.2p26        5.2p32
grafana      10.4.6        10.4.8
linux        6.1.104       6.1.111
prometheus   2.53.1        2.54.1

Vulnerabilities closed due to updated packages or backported patches include:

Vulnerability    Package    Mitigation
CVE-2024-41815   starship   Backported patch
CVE-2023-42366   busybox    Backported patch
CVE-2023-42365   busybox    Backported patch
CVE-2023-42364   busybox    Backported patch
CVE-2023-42363   busybox    Backported patch

At the time of writing, a scan of all operating system dependencies yielded no outstanding critical vulnerabilities requiring immediate action.
When upgrading your Controller, please bear the following release notes in mind:
- This update moves the Linux kernel from version 6.1.104 to 6.1.111. System services continue to operate normally across kernel updates, and a reboot is not required; however, the Controller keeps running on the previous kernel until it is rebooted, so if you need the newer kernel to be active, follow the update actions with a system reboot.
Fixes
- Set a cloud-init option that should prevent manual address assignments on network interfaces from being lost to DHCP.
- Enabled the Controller mgmtd daemon to facilitate multi-hop routing when required.
Client
Features
- To provide enhanced device security, Bowtie has begun storing device-specific secrets in the operating system’s secret storage mechanism instead of privileged files on the operating system. Retrieval and use of those secrets is currently locked behind a feature flag. Set --state-strategy=LoadFromStateDb to prefer the SQLite DB and OS Secret storage mechanism. Future releases will remove existing privileged files and default to OS Secret storage.
- API communications over the Bowtie tunnel are now supported. Previously, both TCP 443 (for API communications) and a UDP port (for tunnel communications) were required; Bowtie now allows API TCP connections over the tunneled connection, which in many scenarios greatly reduces the public surface area of your secure infrastructure. This mode of operation currently requires bootstrapping each device with an accessible HTTPS connection, either via a privileged connection (such as in-office) or temporary access over the tunnel (such as allowing a specific device through your firewall on TCP 443 for a limited time). Future iterations may allow easier device bootstrapping through alternate channels. If you are interested in other modes of operation, please discuss them with your Bowtie representative. To enable this functionality, set controller-api-strategy=prefer-tunnel.
- The software-update-strategy configuration variable gained a new value: auto-managed-in-range(min_version, max_version).
With this strategy, updates are managed by Bowtie, but only within a specific version range (inclusive). If the current version is within the range, no updates are performed. If the current version is outside the range, an update will be performed to the highest available value within the range. Example configuration file entry: software-update-strategy = "auto-managed-in-range(24.09.006, 24.09.008)".
There are 4 new auto-update configuration variables:
software-update-time-start: The start of the time window within which auto-updates are allowed to be installed. If software-update-time-start is greater than software-update-time-end, the window includes midnight. If software-update-time-start is equal to software-update-time-end, the window is all 24 hours. Default: midnight. Time format: “HH:MM:SS”, where HH is 00-23. Times are specified in local time.
software-update-time-end: The end of the time window within which auto-updates are allowed to be installed. If software-update-time-start is greater than software-update-time-end, the window includes midnight. If software-update-time-start is equal to software-update-time-end, the window is all 24 hours. Default: midnight. Time format: “HH:MM:SS”, where HH is 00-23. Times are specified in local time.
software-update-interval: How long to wait between auto-update checks. May be specified like “10d”, “10h”, “10s”. Quotes are necessary in TOML configuration files. Default: “1d”.
software-update-delay: How long to wait after starting Bowtie before the first auto-update check. May be specified like “10d”, “10h”, “10s”. Quotes are necessary in TOML configuration files. Default: “1h”.
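The auto-update settings above (the auto-managed-in-range strategy, the start/end time window with its midnight and all-day cases, and the interval/delay durations) are easy to misread, so the following Python script, added here as an illustration and not taken from the Bowtie client, implements the decision rules exactly as the notes describe them. The function names, the list of available versions and the half-open treatment of the window end are assumptions of this example.

```python
import re
from datetime import time

# Strategy value as it appears inside the TOML string, e.g.
#   software-update-strategy = "auto-managed-in-range(24.09.006, 24.09.008)"
RANGE_RE = re.compile(r"auto-managed-in-range\(\s*([0-9.]+)\s*,\s*([0-9.]+)\s*\)")


def parse_version(v):
    """'24.09.006' -> (24, 9, 6): compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def parse_range_strategy(value):
    """Return (min_version, max_version) tuples or raise on any other value."""
    m = RANGE_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"not an auto-managed-in-range strategy: {value!r}")
    lo, hi = parse_version(m.group(1)), parse_version(m.group(2))
    if lo > hi:
        raise ValueError("min_version must not exceed max_version")
    return lo, hi


def select_update(strategy, current, available):
    """Version to install, or None when no update is performed.

    Within the inclusive range: nothing happens. Outside it (above or below):
    the highest available version inside the range is chosen, as the notes
    state. `available` is an assumed list of version strings offered by the
    Controller.
    """
    lo, hi = parse_range_strategy(strategy)
    cur = parse_version(current)
    if lo <= cur <= hi:
        return None
    candidates = [v for v in available if lo <= parse_version(v) <= hi]
    if not candidates:
        return None
    return max(candidates, key=parse_version)


def parse_hms(value):
    """'HH:MM:SS' with HH in 00-23 -> datetime.time (local time)."""
    h, m, s = (int(x) for x in value.split(":"))
    if not 0 <= h <= 23:
        raise ValueError("HH must be 00-23")
    return time(h, m, s)


def in_update_window(now, start="00:00:00", end="00:00:00"):
    """True when `now` (a datetime.time) falls inside the install window.

    Defaults are midnight for both ends. Equal ends mean the whole day;
    start > end means the window wraps past midnight. The end is treated as
    exclusive (an assumption the notes do not state).
    """
    s, e = parse_hms(start), parse_hms(end)
    if s == e:
        return True
    if s < e:
        return s <= now < e
    return now >= s or now < e


def parse_interval(value):
    """'10d' / '10h' / '10s' -> seconds; used for interval and delay."""
    m = re.fullmatch(r"(\d+)([dhs])", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    return n * {"s": 1, "h": 3600, "d": 86400}[unit]


if __name__ == "__main__":
    # Constructed inputs: the version list is not from the page.
    offered = ["24.09.004", "24.09.006", "24.09.007", "24.09.009"]
    strategy = "auto-managed-in-range(24.09.006, 24.09.008)"
    for cur in ("24.09.005", "24.09.007", "24.09.010"):
        print(cur, "->", select_update(strategy, cur, offered))
    print("23:30 in 22:00-02:00 window:", in_update_window(time(23, 30), "22:00:00", "02:00:00"))
    print("default interval seconds:", parse_interval("1d"), "default delay:", parse_interval("1h"))
```

Note that with the inputs above a client on 24.09.010 is moved down to 24.09.007, because the notes define the rule as "highest available within the range" for any version outside it; pick the range with that in mind.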
Fixes
- Windows & Linux: downloaded auto-update packages are deleted immediately after use rather than relying on the operating system’s temporary directory cleanup mechanism.
Meta Control Plane
Features
- Vulnerability reports for each Controller artifact are now reported alongside other download metadata. Consult the vulnerability API documentation for additional information.
Scans are performed on a regular basis for current Controller versions.