25.08.001 changelog

25.08.001

Released on 1 August, 2025.

Server

Fixes

  • Fixed an issue that could prevent the Bowtie server process from coming online if it failed to find wireguard peers.
  • Handled some edge cases to improve resiliency around provisioning new Controller certificates.
  • Ensured that timestamps are correct when emitting logs from the Bowtie server daemon to OTLP endpoints.
  • Improved the reliability for remote hostname and TLS checks during initial setup, particularly for deployments that only open port 443.
  • Fixed an issue that caused nfqueue metrics collection to occur when no metrics were present.
  • Fixed an issue that could cause updates to Bowtie server to fail to take effect when upgrading Controllers.

Features

  • A new mechanism has been developed for automatic partition recovery. All controllers will retry all connections without intervention from the user.

    Two additional metrics of note are available in prometheus and opentelemetry:

    • bowtie_server_tcp_sync_manager_peers_we_have_count with label total should always match the number of active controllers.
    • bowtie_server_tcp_sync_manager_document_operations will grow over time, and will aid in observing the database size vs speed of other operations.
  • Optionally send exceptions in the controller to Sentry for analysis. This feature defaults to OFF. If SENTRY_DSN is set, then bowtie-server failures will be automatically emitted to your Sentry install. Additionally, SENTRY_SAMPLE_RATE and SENTRY_TRACES_SAMPLE_RATE can be set to values between 0 and 10000 (100%) to emit additional metrics. Those also default to 0.
  • Network plane activity now records user identifiers, device identifiers, and device hostnames when policy decision auditing is enabled.
  • Some default behaviors of bowtie-server.service on Controllers have changed:
    • The OTLP_GRPC_ENDPOINT is now set to the local OTLP listener by default. This change serves to more tightly integrate the Bowtie daemon with observability tooling.
    • Audit-related events (such as packet flows, user authentication, and more) are no longer emitted to standard output (and the system journal) by default. Due to their volume and potentially sensitive nature, they are now only emitted to OTLP endpoints and available over the logs signal.

    Operators currently relying on journal parsing to retrieve audit events should instead refer to the logs pipeline of opentelemetry-collector to optionally tap into the stream for other systems. By default, Controllers connect the OTLP log receiver to Loki, so audit events are still available for review but solely within Grafana and Loki rather than journald.

  • Network plane activity now records source and destination ports when policy decision auditing is enabled.
  • Policy verdict tracking may now be individually controlled between metrics and logs depending on Controller preferences.
  • When policy metrics tracking is enabled for a Controller, these network policy decision events are now logged. To filter for these events, search the bowtie-server journal logs for entries whose fields match audit_event=true and audit_type=packet_queue.
  • Network plane activity now records translated NAT64 addresses (if present) when policy decision auditing is enabled.
  • Changes to the user-configurable opentelemetry-collector configuration file (/etc/otel.yaml) now trigger the opentelemetry-collector.service to restart.
  • The otlp receiver for opentelemetry-collector.service has been added to the default services.pipelines.logs.receivers setting.
  • Custom prometheus scrape configuration files may now be managed from the Control Plane interface.
  • Certificates necessary for Controller SSO configuration files may now be uploaded from the Control Plane web interface.
  • Improved the “validate hostname” step of the Controller guided setup process to more reliably complete.
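For the policy decision filtering described above (entries with audit_event=true and audit_type=packet_queue), the following is an added example and not code from the Bowtie project. It assumes the log lines are logfmt key=value text; the sample lines and every field name other than audit_event and audit_type (verdict, dst_port, and so on) are constructed for the example.

```python
import re
from collections import Counter

# Assumption: log lines are logfmt ("key=value key2="quoted value""). Values
# may be double-quoted with backslash escapes; everything else runs to whitespace.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_logfmt(line: str) -> dict:
    """Parse one logfmt line into a dict of string fields."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def packet_queue_events(lines) -> list:
    """Keep only policy decision audit events, identified by the two fields
    named in the changelog: audit_event=true and audit_type=packet_queue."""
    events = []
    for line in lines:
        f = parse_logfmt(line)
        if f.get("audit_event") == "true" and f.get("audit_type") == "packet_queue":
            events.append(f)
    return events


def count_by(events, key: str) -> dict:
    """Tally events by the value of an arbitrary field, e.g. a verdict field
    (hypothetical name) to spot a burst of denies during review."""
    return dict(Counter(e.get(key, "<missing>") for e in events))


# Constructed sample lines; field names besides audit_event/audit_type are made up.
SAMPLE_LINES = [
    'ts=2025-08-01T12:00:00Z level=info msg="policy decision" audit_event=true audit_type=packet_queue verdict=deny dst_port=22',
    'ts=2025-08-01T12:00:01Z level=info msg="user login" audit_event=true audit_type=auth user=alice',
    'ts=2025-08-01T12:00:02Z level=info msg="sync manager tick" peers=3',
    'ts=2025-08-01T12:00:03Z level=info msg="policy decision" audit_event=true audit_type=packet_queue verdict=allow dst_port=443',
    'ts=2025-08-01T12:00:04Z level=info msg="policy decision" audit_event=true audit_type=packet_queue verdict=deny dst_port=22',
]

if __name__ == "__main__":
    matched = packet_queue_events(SAMPLE_LINES)
    print(len(matched), "packet_queue events;", count_by(matched, "verdict"))
```

The same filter applies to lines exported from Loki, which is where these events land by default in this release.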

Enhancements

  • The default prometheus.service on Controllers now honors the user-controlled directory at /etc/scrape_config_files.d/*.yml to permit custom scraping endpoints.
  • Third-party telemetry reporting for Grafana Loki has been disabled.