6 days after the last release, we shipped the latest release, Fluentd v0.14.5. It's a quick follow-up to the previous one, to fix a problem that affects many people who try Fluentd with existing configurations.
This release also includes some feature improvements. The biggest one is the update of the Fluentd forward protocol and the forward input/output plugins to support authentication and authorization.
Here are the major changes (the full ChangeLog is available here):
forward plugins: Update protocol to v1
Fluentd forward plugins transfer Fluentd's events from one node to another over the network. They are widely used by Fluentd processes, the Docker logging driver for Fluentd, Fluent logger libraries for programming languages and many others.
Before v0.14.5, the forward plugins/protocol were very simple: they transferred events without providing any safety, such as network ACLs, shared keys or password authentication. That protocol is called Forward Protocol version 0. On that version, anyone who can connect to the TCP port of in_forward can inject events into Fluentd processes.
In v0.14.5, the forward input/output plugins support Fluentd Forward Protocol version 1. The new protocol is fully compatible with the older version 0 and provides the features below in addition to it.
- Server (in_forward) authentication using shared key
- Client (out_forward) authorization using shared key (per client) and pair of username/password
When in_forward is configured with a <security> section, only nodes that are configured with the correct shared_key and username/password can connect to that node.
# more secure area
For now, this version doesn't provide encryption like SSL/TLS, so this authentication/authorization is done over a raw TCP transport. Forward plugins never send raw shared keys and passwords... but you may have to wait for the next release (or later ones) to get SSL/TLS communication if you want more secure configurations (it's in our plan).
One piece of good news: Fluentd forward protocol v1 is the same as the protocol implemented in fluent-plugin-secure-forward (apart from the transport, TCP versus SSL/TLS).
So you can build an overall architecture like the one below using in_forward (v0.14.5) and an SSL/TLS terminator such as AWS ELB.
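How the handshake avoids sending raw shared keys and passwords, as an added Ruby example (not Fluentd's own code): it follows the HELO/PING/PONG digest layout of the Forward Protocol v1 specification, simplified by omitting the msgpack framing. All method names, hostnames, keys and credentials here are constructed for illustration.

```ruby
require 'digest'
require 'securerandom'

# SHA-512 hex digest over the parts in order (salt, hostname, nonce, secret).
def hexdigest(*parts)
  parts.each_with_object(Digest::SHA512.new) { |p, d| d.update(p) }.hexdigest
end

# Compare digests without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server -> client: fresh nonce, plus a salt for the username/password digest.
def helo
  ['HELO', { 'nonce' => SecureRandom.random_bytes(16), 'auth' => SecureRandom.random_bytes(16) }]
end

# Client -> server: proves knowledge of the key and password without sending them.
def ping(opts, hostname, shared_key, username, password)
  salt = SecureRandom.random_bytes(16)
  ['PING', hostname, salt, hexdigest(salt, hostname, opts['nonce'], shared_key),
   username, hexdigest(opts['auth'], username, password)]
end

# Server: recompute both digests from its own configuration, then answer with PONG.
def pong(ping_msg, opts, server_hostname, shared_key, users)
  _, hostname, salt, key_digest, username, pass_digest = ping_msg
  unless secure_equal?(key_digest, hexdigest(salt, hostname, opts['nonce'], shared_key))
    return ['PONG', false, 'shared_key mismatch', '', '']
  end
  password = users[username]
  unless password && secure_equal?(pass_digest, hexdigest(opts['auth'], username, password))
    return ['PONG', false, 'username/password mismatch', '', '']
  end
  ['PONG', true, '', server_hostname, hexdigest(salt, server_hostname, opts['nonce'], shared_key)]
end

# Client: accept the server only if its PONG digest proves it holds the same key.
def server_trusted?(pong_msg, ping_msg, opts, shared_key)
  _, ok, _reason, server_hostname, digest = pong_msg
  ok && secure_equal?(digest, hexdigest(ping_msg[2], server_hostname, opts['nonce'], shared_key))
end

# Constructed demo values (not from the release notes).
KEY = 'constructed-shared-key'
USERS = { 'alice' => 'constructed-password' }.freeze
```

A replayed PING fails on a new connection because the server issues a new nonce each time; the events that follow the handshake still cross the wire unencrypted.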
[out_secure_forward] ---> (SSL/TLS over internet) ---> [AWS ELB] ---> (TCP in AWS VPC) ---> [in_forward]
This configuration works pretty well, because Fluentd doesn't spend its CPU on encryption and decryption.
Major bug fixes
- fix to raise a configuration error explicitly for a missing @type in the configuration file #1202
- fix a bug that made Fluentd fail to launch when the configuration uses v0.12 MultiOutput plugins #1206