Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Upgrade to gcc 12 | Henning Baldersheim | 2023-01-19 | 2 | -2/+2 |
| | |||||
* | Just use Streams.toList as that is unmodifiable. | Henning Baldersheim | 2023-01-18 | 3 | -3/+3 |
| | |||||
* | Revert "Revert "open wireguard port for config servers"" | Andreas Eriksen | 2023-01-16 | 5 | -66/+102 |
| | |||||
* | Revert "open wireguard port for config servers (#25586)" | Henning Baldersheim | 2023-01-16 | 5 | -102/+66 |
| | | | | This reverts commit 2ee6905f0c6535fe95cc0516e4634f3ac37414b2. | ||||
* | open wireguard port for config servers (#25586) | Andreas Eriksen | 2023-01-16 | 5 | -66/+102 |
| | |||||
* | Resolve /proc/cpuinfo with test filesystem | Valerij Fredriksen | 2023-01-10 | 2 | -2/+3 |
| | |||||
* | Remove unused code | Valerij Fredriksen | 2023-01-10 | 2 | -51/+2 |
| | |||||
* | Use Path.of() instead to avoid extra import | Valerij Fredriksen | 2023-01-10 | 5 | -16/+16 |
| | |||||
* | Add http-utils as explicit dependency | Bjørn Christian Seime | 2023-01-09 | 1 | -0/+7 |
| | |||||
* | Ensure that HTTPS clients only use allowed ciphers and protocol versions | Bjørn Christian Seime | 2023-01-09 | 1 | -2/+3 |
| | |||||
* | Revert "Ensure that HTTPS clients only use allowed ciphers and protocol ↵ | Andreas Eriksen | 2023-01-06 | 1 | -3/+2 |
| | | | | versions" (#25436) | ||||
* | Ensure that HTTPS clients only use allowed ciphers and protocol versions | Bjørn Christian Seime | 2023-01-06 | 1 | -2/+3 |
| | |||||
* | Update expected token with new token version | Tor Brede Vekterli | 2023-01-05 | 1 | -1/+1 |
| | |||||
* | Use ChaCha20-Poly1305 instead of AES-GCM for shared key-based crypto | Tor Brede Vekterli | 2023-01-05 | 2 | -2/+2 |
| | | | | This is to get around the limitation where AES GCM can only produce a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before its security properties break down. ChaCha20-Poly1305 does not have any practical limitations here. ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits. A HKDF is used to internally expand the key material to 256 bits. To let token based decryption be fully backwards compatible, introduce a token version 2. V1 tokens will be decrypted with AES-GCM 128, while V2 tokens use ChaCha20-Poly1305. As a bonus, cryptographic operations will generally be _faster_ after this cipher change, as we use BouncyCastle ciphers and these do not use any native AES instructions. ChaCha20-Poly1305 is usually considerably faster when running without specialized hardware support. An ad-hoc experiment with a large ciphertext showed a near 70% performance increase over AES-GCM 128. | ||||
* | Merge pull request #25374 from vespa-engine/jonmv/no-metricsp-proxy-logs-to-s3 | Jon Marius Venstad | 2023-01-03 | 2 | -1/+16 |
|\ | | | | | Avoid uploading metrics-proxy access logs | ||||
| * | Avoid regex | Jon Marius Venstad | 2023-01-03 | 1 | -1/+1 |
| | | |||||
| * | Avoid uploading metrics-proxy access logs | jonmv | 2023-01-03 | 2 | -1/+16 |
| | | |||||
* | | OrchestratorException should not increment unhandled_exceptions | Håkon Hallingstad | 2023-01-03 | 1 | -1/+1 |
|/ | |||||
* | Merge pull request #25279 from ↵ | Håkon Hallingstad | 2022-12-21 | 4 | -8/+49 |
|\ | | | | | vespa-engine/revert-25274-revert-25247-bjormel/yum_--disablerepo Revert "Revert "support for disablerepo in yum command"" | ||||
| * | do not disable other repos by default | bjormel | 2022-12-19 | 2 | -9/+20 |
| | | |||||
| * | test for disable other repos | bjormel | 2022-12-19 | 1 | -0/+6 |
| | | |||||
| * | mimic maybeEscapeArgument() in CommandLine | bjormel | 2022-12-19 | 1 | -1/+5 |
| | | |||||
| * | Revert "Revert "support for disablerepo in yum command"" | Bjørn Meland | 2022-12-16 | 4 | -13/+33 |
| | | |||||
* | | Clean up /opt/vespa/var/tmp in content node too... | bjormel | 2022-12-18 | 1 | -2/+3 |
| | | |||||
* | | Clean up /opt/vespa/var/tmp in container | bjormel | 2022-12-18 | 2 | -2/+8 |
|/ | |||||
* | Revert "support for disablerepo in yum command" | Bjørn Meland | 2022-12-15 | 4 | -33/+13 |
| | |||||
* | default '--disablerepo=*' | bjormel | 2022-12-14 | 2 | -7/+11 |
| | |||||
* | Change order of enable and disable | bjormel | 2022-12-13 | 3 | -20/+20 |
| | |||||
* | yum --disablerepo | bjormel | 2022-12-13 | 3 | -8/+24 |
| | |||||
* | Wg parameter store (#25225) | gjoranv | 2022-12-13 | 6 | -0/+149 |
| | | | | * Remove unused import * Add a parameter store for Wireguard and a model for its parameters Co-authored-by: gjoranv <gv@verizonmedia.com> | ||||
* | Enable container warmup in CD systems | Valerij Fredriksen | 2022-12-08 | 1 | -3/+2 |
| | |||||
* | Reboot in real node repo | Håkon Hallingstad | 2022-12-06 | 2 | -0/+12 |
| | |||||
* | Create file with correct permissions | Håkon Hallingstad | 2022-12-06 | 3 | -16/+26 |
| | |||||
* | Revert "Revert collect(Collectors.toList())" | Henning Baldersheim | 2022-12-04 | 17 | -26/+26 |
| | |||||
* | Revert collect(Collectors.toList()) | Henning Baldersheim | 2022-12-04 | 17 | -26/+26 |
| | |||||
* | collect(Collectors.toList()) -> toList() | Henning Baldersheim | 2022-12-02 | 17 | -26/+26 |
| | |||||
* | Stop using report-cores-via-cfg | Håkon Hallingstad | 2022-12-01 | 5 | -233/+67 |
| | |||||
* | Add GPU fields to node repository client | Martin Polden | 2022-12-01 | 2 | -12/+25 |
| | |||||
* | Revert "Re-create container if wanted create command changes" | Martin Polden | 2022-11-30 | 8 | -52/+20 |
| | |||||
* | Update signature in mock | Martin Polden | 2022-11-28 | 2 | -2/+2 |
| | |||||
* | Pass wanted resources | Martin Polden | 2022-11-25 | 3 | -4/+4 |
| | |||||
* | Re-create container if wanted create command changes | Martin Polden | 2022-11-25 | 8 | -20/+52 |
| | |||||
* | Revert "Re-create container if wanted create command changes" | Valerij Fredriksen | 2022-11-25 | 8 | -52/+20 |
| | |||||
* | Re-create container if wanted create command changes | Martin Polden | 2022-11-24 | 8 | -20/+52 |
| | |||||
* | Merge pull request #24902 from vespa-engine/enclaves-api | gjoranv | 2022-11-17 | 1 | -1/+2 |
|\ | | | | | Enclaves api | ||||
| * | Add test for enclave nodes, and necessary supporting infrastructure | gjoranv | 2022-11-16 | 1 | -1/+2 |
| | | |||||
* | | Use BouncyCastle AES GCM cipher and I/O streams instead of JCA | Tor Brede Vekterli | 2022-11-16 | 1 | -3/+1 |
|/ | | | | | This resolves two issues: * `javax.crypto.OutputCipherStream` swallows MAC tag mismatch exceptions when the stream is closed, which means that corruptions (intentional or not) are not caught. This is documented behavior, but still very surprising and a rather questionable default. BC's interchangeable `CipherOutputStream` throws as expected. To avoid regressions, add an explicit test that both ciphertext and MAC tag corruptions are propagated. * The default-provided `AES/GCM/NoPadding` `Cipher` instance will not emit decrypted plaintext per `update()` chunk, but buffer everything until `doFinal()` is invoked when the stream is closed. This means that decrypting very large ciphertexts can blow up memory usage since internal output buffers are reallocated and increased per iteration...! Instead use an explicit BC `GCMBlockCipher` which has the expected behavior (and actually lets cipher streams, well, _stream_). Add an `AeadCipher` abstraction to avoid leaking BC APIs outside the security module. | ||||
* | Revert "Revert "Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp ↵ | Eirik Nygaard | 2022-11-07 | 2 | -6/+6 |
| | | | | [run-systemtest]"""" | ||||
* | Revert "Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp ↵ | Eirik Nygaard | 2022-11-07 | 2 | -6/+6 |
| | | | | [run-systemtest]""" | ||||
* | Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]"" | Eirik Nygaard | 2022-11-04 | 2 | -6/+6 |
| |