Fluxheim 1.6.4
Fluxheim 1.6.4 Release Notes
Fluxheim 1.6.4 continues the Pingora-exit line by moving shared background
task lifecycle primitives into fluxheim-runtime. Runtime behavior is intended
to remain unchanged; the root crate keeps only the current Pingora
ServiceWithDependents adapter while Fluxheim-owned tasks use Fluxheim-owned
shutdown, readiness, and service handles.
Changed
- Moved
FluxShutdown,FluxBackgroundReady,FluxBackgroundTask,
FluxBackgroundService, andbackground_serviceintofluxheim-runtime. - Replaced the root background implementation with a narrow Pingora
service-registration adapter around the runtime crate primitives. - Replaced the load-balancer crate's duplicate shutdown/readiness/background
service implementation with re-exports fromfluxheim-runtime. - Kept the load-balancer service as a local wrapper so existing root adapter,
status, and discovery code keep the same API while the task lifecycle is now
owned byfluxheim-runtime. - Added typed background task kind metadata to the runtime service handle and
tagged cache metrics, stale purging, ACME renewal, admin watchdog, and
load-balancer refresh services without changing scheduling behavior. - Moved OTLP metrics export from an unmanaged raw thread to the Fluxheim
background task lifecycle, preserving the existing interval/timeout behavior
while adding shutdown awareness and typed task metadata. - Moved the ACME certificate reload control socket from an unmanaged raw thread
to the Fluxheim background task lifecycle. Startup path validation and socket
binding remain fail-fast; the accept loop now honors runtime shutdown and
caps concurrent local reload requests. - Moved admin self-healing snapshot runtime state into
fluxheim-snapshot:
runtime/known-good snapshot IDs, pending validation, validation metrics,
health-signal outcomes, expiry checks, and applied-snapshot state
transitions now live with the snapshot domain instead of the admin HTTP
adapter.
Security Hardening
- Bounded concurrent handling for the local certificate reload control socket
so a same-user local client cannot create unbounded blocking reload tasks. - Added a one-day upper bound for second-based proxy, PHP-FPM, and
load-balancer health-check timeouts that use the shared timeout validator. - Extended HTTP discovery private-backend filtering to reject 6to4 and Teredo
IPv6 literals that embed private, loopback, link-local, documentation, or
otherwise restricted IPv4 addresses.
Tests
- Added direct
fluxheim-runtimeunit coverage for shutdown signaling,
closed-sender shutdown behavior, delayed sleep, one-shot readiness, runtime
task specs, typed background service metadata, policy epochs, facts, and
proofs. - Verified the root proxy/load-balancer/cache/ACME/metrics feature path still
compiles with the Pingora service adapter boundary. - Added OTLP metrics exporter construction tests for disabled and invalid
endpoint configurations. - Added direct
fluxheim-snapshotunit coverage for pending validation,
confirm, error-rate rollback, and expired validation decisions. - Added regression coverage for unbounded timeout rejection and HTTP discovery
IPv6 literals that encode restricted IPv4 addresses.
Checksums And Signatures
- Commit:
937b5586c1db6dfb3b36b34f1e48ca61e2d7c4bc - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
f9fa1a532842576f6915668202fa63396d6f0098d019d095c22b9380117df50e fluxheim-1.6.4.tar.gz0813a54681f4f0e5c900c35bddbcab7504bb73c7510563805ad4eff72d7a9022 fluxheim-1.6.4.zip
- Binary checksums:
- x86_64:
02c56eb59697d3a02be5d85adb6e319061e8fc6515234d71d05fba6bcc77adff fluxheim-1.6.4-full-x86_64-linux.tar.gz8b6e6c00b3d86f1a2730e964eb916349a1a1eb827b0a5c14d523852317a3ec45 fluxheim-1.6.4-cache-x86_64-linux.tar.gzd0637d54bff08f82330ae8583579a9e73d3eebde56964f658041ee99826db959 fluxheim-1.6.4-proxy-x86_64-linux.tar.gzb0c45632bdd83915385737696f8e447de6873aaf230accfadb098f17cbe9641a fluxheim-1.6.4-php-x86_64-linux.tar.gz15e4820938ceb5d5758d9d9e60ac8822f3153a1679d8692c60807d2da76b0aa9 fluxheim-1.6.4-load-balancer-x86_64-linux.tar.gz339f98752594db78ff162505f3e6a6337ed04fb5b982ea7a6d39d66607610e31 fluxheim-1.6.4-config-tester-x86_64-linux.tar.gz
- aarch64:
0be0bd6e4e9c80620e6cdc6d8c4238a498d28ad133a800997954430523a4b4e2 fluxheim-1.6.4-full-aarch64-linux.tar.gza82bfa96551680de57f91c7a8dad5dd7df0be5f4cca49d4ee61ff4cf2365dc7e fluxheim-1.6.4-cache-aarch64-linux.tar.gz02b43530002348657c3cb477672946bc1b6fd3256adb955ef43a356994cb32d6 fluxheim-1.6.4-proxy-aarch64-linux.tar.gz48a70208ef93690b09a687d8310bf259335fc3e429c4c928e02f8ca1b190f56f fluxheim-1.6.4-php-aarch64-linux.tar.gzdb97096fb0b2646ca2a5b1c3cfc5ec21232499b919053216dfd7e387f0c81da2 fluxheim-1.6.4-load-balancer-aarch64-linux.tar.gz47ee92ef1a0082a385571700fb7306e56690d0b3b170a0fb31a1d68c065e84a1 fluxheim-1.6.4-config-tester-aarch64-linux.tar.gz
- macos:
d8d61d4970b754f12b232c2c857454567705198fd30d046378d2ea03857aaee6 fluxheim-1.6.4-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
bab4e0a7549f7c4ae919ba6d6729e339d8f239d98d8ce28cf4c83be245b45e77 fluxheim.spdx.json0887095e632d6e9fcf218c411d75ec88bb8c1c1b0ad0ba77fdfe512868b891d6 fluxheim.cyclonedx.json
- Reproducible build:
b191233576e601a159104ef4e103a592b1bc83a1c18c4ec37d8155191070c566x86_6410dbd8c4f20e93e4f791d700cae656c5efd4e9686de31c8d5fd5925f2ac8b4ccaarch641166d8cec4a1207a1c2399fbb7387dd9b453a521892f3d484840c8b8f50b6570macos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:c3994711c756d53bb320f0a4de5a21109af68f56246dcb18dd0b543b8d2a986e - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:216467fe404923999e516b8ba2c157dfbd0c1ffe75f18197c91eb683d6ca07b4 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:e0a5234735c20ef58d9f8b735ca26ffd962a3d9b939d8f6f106e75df58ad9abc - Debian:
ghcr.io/valkyoth/fluxheim@sha256:75c0dc0b2b1c1cc55986e3d636191ac65d390920cc4aa1534db8e17d067f8b92
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:17cb2f34c207a74e2ca1a7792f69bafe64b920f6192d24520c5cf5f58450ac33 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:1834d6602ecdff3ba0dcfbdd1bd32d0c2e5f9e1aa5c2b264f62dd6a7861019d4 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:54139b14c37f219d5f7488582ea39461fe9328dfbc7550d62ca64689c6ed9ec2 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:095ef1bb85e0c743bba83ae5be42f08ce0f49006b55126db0fd97a2cbc8a53f0
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:759a193369a45ad00a7513e85370c4f3e03afb4b4e63ff08d55da3a43aa22e0d - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:2a811b416ac4a344e0092ac2508af40c916beacd22b665c7124ca56906968538 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:8c6e341193b538f50b6a37635abc70cdf331e352f6156f6852032c3dbd5224ef - Debian:
ghcr.io/valkyoth/fluxheim@sha256:813ebf08d81430cf5d99ff3fb9e153e68ca29e4bf0b739426f584da7cba6c6dd
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:26e4ab5482e37361a524e4c530368829dfb03654ee3501a1304ef7f89643f46c - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:071d2276911de2f79f3e1394fd90723981be9442a2a012364ba212030bb2d5dd - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:8eeca541d86ec0cd1bc6cc02249cc405c3a8b4e00e7926eb9e09253374ecfa32 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:5c28cb49c814d67980d48e150f9b5acc487b943338008303e2d20d02cd34d181
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:521274d8beba9b88d46bba0ce606a79b24bcbe7811a105dc21a9c8f6eddb51ea - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:03b73dadbeaf9b7cfded353bccd612e75867958b215acc0900f96c8db73b7ff2 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:69cd2a5f73cb7351100eea8d2f6c13d8ff4a7f6a89e9b78fec8c7f9f99de09e9 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:16913405d2ae882990649b05f18ea0d756f0d9115a52f54f0e3f5d60999a127c
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4