Morio v0.5.0

Joost De Cock
Morio Maintainer

We have released version 0.5.0 of Morio, a new minor release that bundles a long list of changes and improvements, with a particular focus on making it easy to install and maintain Morio deployments.

Contains Breaking Changes

As Morio is in alpha and the guarantees of semantic versioning do not apply to 0.x releases, this release includes several breaking changes. There is no upgrade path from 0.4 to 0.5.

New in Morio 0.5

mTLS based authorisation for Kafka API access

In the 0.4 release, we added access control on the Kafka API using SASL.
At the time we wrote:

This is a bit of an intermediate solution as we prefer to avoid using SASL as it complicates client configuration. Alas, we hit an issue with using mTLS authorisation where we were unable to extract the user principal from the certificate. An issue for which a fix has so far eluded us.

Once we resolve this, we will switch authorisation back to mTLS and drop SASL.

I'm happy to say that the issue is solved, so we have implemented mTLS authorisation for the Kafka API and dropped SASL.

Morio will automatically configure an ACL that allows clients to push data to the Kafka API. You can manage this ACL through the console.

Optional mTLS for all HTTP-based services

Speaking of mTLS, we now also support optional mTLS for all HTTP access. This is an extra layer of security that is recommended for Morio deployments in adversarial networks such as the Internet.

You enable mTLS with the ENFORCE_HTTP_MTLS feature flag. Once it is set, only browsers that can present a client certificate generated by Morio's on-board certificate authority will be allowed to establish a connection.

New Morio client and templates repository

We have ported the Morio client to Go and created a new morio-templates repository where we will curate client modules, settings overlays, and watcher configuration.

The goal here is to allow a communal approach to configuring best practices in observability, yet keep the flexibility to allow everyone fine-grained control over their own configurations.

This is a multi-pronged effort that includes various changes and improvements:

  • The new template hub
  • The ability to preseed client modules from any Git repository
  • Support for bundling preseeded client modules in the built client packages
  • A new Morio client written in Go that handles enabling, disabling, and templating out these modules

We will be dogfooding this ourselves in the upcoming months to build out the template hub with ready-to-use modules.

One-liner installs for both Morio and the Morio client

Installing Morio is now a one-liner:

curl https://install.morio.it/ | bash

This will:

  • Download and install the moriod-repo package, which will set up the apt.repo.morio.it repository and its signing key
  • Install the moriod package from this repository

That's it. The install is fully automated.

tip

We trust that you are not going to pipe just any URL into bash, so head over to install.morio.it first to see for yourself what this does.
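One way to follow that advice from a terminal, as an added example rather than Morio's own tooling: save the script to a file, list the lines that use privileges, touch packages or keys, or download more content, and only then run it. The function names and the sample installer are constructed for illustration; only the URL comes from this post.

```shell
# Added example, not Morio's own tooling. Function names are illustrative.
INSTALL_URL="https://install.morio.it/"   # URL from the post

# Download to a file instead of a pipe: --fail turns HTTP errors into a
# non-zero exit, so an error page or partial transfer never reaches bash.
fetch_installer() {   # usage: fetch_installer URL DEST
  case "$1" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 2 ;;
  esac
  curl --fail --silent --show-error --location --proto '=https' \
       --output "$2" "$1"
}

# Print a digest (to compare later or with a colleague) and the numbered
# lines to read first: privilege use, package/repo/key changes, downloads.
review_installer() {   # usage: review_installer FILE
  echo "sha256: $(sha256sum "$1" | cut -d' ' -f1)"
  grep -nwE 'sudo|apt|apt-get|dpkg|gpg|curl|wget' "$1"
}

# Count lines that pull in further remote content not yet reviewed.
count_remote_fetches() {   # usage: count_remote_fetches FILE
  grep -cwE 'curl|wget' "$1" || true
}

# Constructed sample installer (NOT the real Morio script) for offline use.
write_sample_installer() {   # usage: write_sample_installer DEST
  cat > "$1" <<'EOF'
#!/bin/bash
set -e
TMP=$(mktemp)
curl -fsSL https://repo.example.invalid/example-repo.deb -o "$TMP"
sudo dpkg -i "$TMP"
sudo apt-get update
sudo apt-get install -y example-package
echo "done"
EOF
}

# Typical use:
#   fetch_installer "$INSTALL_URL" morio-install.sh
#   review_installer morio-install.sh; less morio-install.sh
#   bash morio-install.sh    # only after reading it
```

Anything the installer itself downloads, such as the repository package, is not covered by reading the script, so the remote-fetch count tells you how much is still unreviewed.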

While testing out this automated install, we liked it so much that we decided that this should also be possible for client installs. So, your Morio instance will apply the same approach:

  • It will instantiate and host an APT repository
  • It will build both a morio client package, and a morio-repo package to set up this repository on a client system
  • It will host an install script that will make installing the client a similar one-liner

Installing updates (or patching, if you prefer that ancient term) is crucial to maintaining a good cybersecurity posture, so we wanted to make sure that nothing special needs to be done to keep Morio and the Morio client up-to-date. With this repository-based approach, updates for both Morio and the Morio client will be suggested, as for any other package installed on the system. This way, no extra actions are required to keep Morio up-to-date.

note

For the time being, we are only supporting the apt package format (this means: Debian-based Linux systems only). We will add support for rpm packages in a future release.

Support for blue/green deployments by exporting and preseeding key data

We have added support for exporting key data, the cryptographic DNA of a Morio deployment. As a companion feature, we now also support preseeding of that data.

These two features together allow you to set up two Morio deployments with the same cryptographic keys. This allows for blue/green deployments and for seamless migration of clients between Morio instances.

Software signing key is now signed by CERT-EU

Morio's software signing key is now signed by the CERT-EU key, providing extra legitimacy to our releases.

Container name changes

All running Morio containers will now use the morio- prefix in their name to avoid conflicts with other containers running on the same host OS.

New watcher service

We have added a new watcher service, which runs Elastic Heartbeat. This means that Morio can now run your health checks (an integral part of observability) for you.

The service in place will already run health checks for Morio's own internal components. We will add support for your own watchers in a future update.

Upgrades of various services

We've also taken the opportunity to upgrade some of our dependencies:

Other fixes and changes

Apart from what's new, there's a bunch of changes and fixes in this release. For the full list, refer to the change log.