Release Notes for new replica version e00f7

Dear IC Community,

we are happy to announce a new replica version that will get proposed to be elected within the next 48 hours.
The release notes are as follows:

* Consensus: Cache finalized chain
* Consensus: Continue to attempt to validate a block even when an invalid notarization is found
* Consensus: Slow consensus down when the gap between finalization and the last cup gets too large
* Consensus: Use BTreeSet to ensure share signatures are deduplicated when aggregating
* Crypto: Add BIP32 key derivation for Threshold ECDSA
* Crypto: Add ZK proofs of equality, product, and for MEGa
* Crypto: Optimize the Threshold ECDSA protocol
* Crypto: PublicCoefficients::lagrange_coefficients_at_zero should reject duplicate inputs
* Crypto: Use random number generator from CSP instead of OpenSSL for TLS keygen
* Execution: Add invariants checks in scheduler
* Execution: Enable canister sandbox
* Execution: Handle all syscalls in sandbox
* Execution: Register callbacks within sandbox
* Execution: Registering canisters metric at the end of loop based on executed canister list
* Networking: Use dedicated OS threads for peer flows
* Node: Mark orchestrator and replica as permissive domains
* Node: SELinux policy for canister sandbox
* Node: SSH and replica AVC denial fixes
* Orchestration: Implemented node re-assignment
* Various bugfixes and test updates

The rollout of the current version went well as expected and will be finalized today by the upgrade of the NNS subnet.


And off we go!


This rollout is a bit bumpy. Yesterday we had a code yellow incident that we needed to patch today. We could identify issues with all subnets that have a higher load. The sandboxing feature that we tried out last week on a subnet with a mid-level load caused suspicious memory utilisation patterns on subnets with a higher load. We want to analyze that further before running into the next incident and therefore decided to disable sandboxing on the top 5 subnets with a higher load. The corresponding patching is still ongoing.


This rollout was completed successfully by updating the NNS subnet. Some subnets remain without the sandboxing feature enabled until we have identified everything that we saw this week.
The next rollout has started and already addresses some findings.

1 Like