Summary
This is a maintenance release that addresses several minor fixes and has a PQS breaking change related to Docker image deployment.
This release will go live Monday, Feb 23 for all validators on DevNet.
What’s New
Canton
There are many improvements in scaling and performance, some of which have already been deployed:
- Validator topology processing scaling and performance have been greatly improved using write-through caching. The optimization reduced 100 database transactions needing 200-300 database round trips to effectively 2 database operations (one batch read, one batch write). Topology read processing has been improved similarly. This enables faster validator onboarding. It has been enabled by default in Splice 0.5.10.
- Optimized an internal crypto cache to reduce the number of database reads.
- Sequencer nodes serving many validator subscriptions have reduced database reads and greater parallelism.
- Replaying of ACS changes for the ACS commitment processor has a smaller memory overhead.
- New database indices on the ACS commitment tables to improve performance of commitment pruning. This requires a database migration which is transparent and automatically done as part of the patch release.
- Added a mode for the mediator to process events asynchronously. This is enabled by default. In the new asynchronous mode, events for the same request ID are processed sequentially, but events for different request IDs are processed in parallel. The asynchronous mode can be turned off using canton.mediators.<mediator-name>.mediator.asynchronous-processing = false.
- For improved performance, the mediator now batches fetching from and storing of finalized responses.
- New participant config flag canton.participants.<participant>.parameters.commitment-asynchronous-initialization to enable asynchronous initialization of the ACS commitment processor. It was enabled in Splice 0.5.11. This speeds up synchronizer connection if the participant manages active contracts for a large number of different stakeholder groups, at the expense of additional memory and DB load.
- It is now possible to configure a startup log level that resets after a timeout, e.g.:
canton.monitoring.logging.startup {
  log-level = "DEBUG"
  reset-after = "5 minutes"
}
- Added an RPC and corresponding console command on the sequencer's admin API to generate an authentication token for a member for testing: sequencer1.authentication.generate_authentication_token(participant1). Requires the following config: canton.features.enable-testing-commands = yes.
- KMS operations are now retried on HTTP/2 INTERNAL gRPC exceptions.
- Extended the set of characters allowed in user-id in the Ledger API to include brackets: (). These characters are therefore also accepted as part of the sub claims in JWT tokens.
- The TCP keep alive default settings for Postgres connections in the participant node have been changed to be consistent across internal databases, allowing quick HA failover in case of stuck DB connections. The old values were:
canton.participants.participant1.replication.connection-pool.connection {
  keep-alive-idle = 0
  keep-alive-interval = 0
  keep-alive-count = 0
}
- Enabled SVs to configure free traffic confirmation responses. A new traffic control parameter has been added: freeConfirmationResponses. When set to true on a synchronizer where traffic control is enabled, confirmation responses will not cost traffic. Defaults to false.
- Updated the Bouncy Castle JAR file to 1.83, which removes the security vulnerabilities CVE-2024-29857 and CVE-2024-34447. If you are using the Oracle JVM and testing security provider signatures, note that the Canton JAR file embeds the Bouncy Castle provider as a dependency. To enable the JVM to verify the signature, put the bcprov JAR on the classpath before the Canton standalone JAR. For example:
java -cp bcprov-jdk15on-1.70.jar:canton.jar com.digitalasset.canton.CantonEnterpriseApp
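A pre-launch check for the classpath ordering described above, added here as an example (it is not Canton or Digital Asset code). It assumes a colon-separated classpath, a standalone JAR named canton*.jar, and a provider JAR named bcprov-<variant>-<version>.jar; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Canton code): check a Java classpath before launch.
# Assumptions: the standalone JAR is named canton*.jar and the provider JAR
# follows the bcprov-<variant>-<version>.jar naming seen in the command above.
MIN_BC=1.83   # Bouncy Castle version shipped with this release

# version_ge A B: succeed if dotted numeric version A >= B (up to 3 parts).
version_ge() {
  a=$1; b=$2
  for i in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 0
}

# check_bc_classpath CP: print a verdict for the colon-separated classpath CP.
# Returns 0 if a bcprov JAR >= MIN_BC precedes the Canton JAR, 1 otherwise.
check_bc_classpath() {
  rest="$1:"; pos=0; bc_pos=0; canton_pos=0; bc_ver=
  while [ -n "$rest" ]; do
    entry=${rest%%:*}; rest=${rest#*:}; pos=$((pos + 1))
    name=${entry##*/}
    case $name in
      bcprov-*.jar)
        if [ "$bc_pos" -eq 0 ]; then
          bc_pos=$pos; bc_ver=${name%.jar}; bc_ver=${bc_ver##*-}
        fi ;;
      canton*.jar)
        if [ "$canton_pos" -eq 0 ]; then canton_pos=$pos; fi ;;
    esac
  done
  if [ "$bc_pos" -eq 0 ]; then echo "no-bcprov"; return 1; fi
  if [ "$canton_pos" -ne 0 ] && [ "$bc_pos" -gt "$canton_pos" ]; then
    echo "bcprov-after-canton"; return 1
  fi
  case $bc_ver in ''|*[!0-9.]*) echo "bcprov-version-unknown"; return 1 ;; esac
  # The first bcprov on the classpath wins, so an old one shadows the embedded copy.
  if ! version_ge "$bc_ver" "$MIN_BC"; then
    echo "bcprov-too-old:$bc_ver"; return 1
  fi
  echo "ok:$bc_ver"
}

# Usage: sh check_bc.sh "$CLASSPATH"
if [ "$#" -gt 0 ]; then check_bc_classpath "$1"; fi
```

The verdict includes the version parsed from the bcprov filename, so the external provider JAR can be compared against the 1.83 that this release embeds.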
PQS
- There is a breaking change for PQS Docker image deployment. It is:
- The PQS Docker image packaging has been simplified. There is now a separate Docker image per release (e.g., this release version is 3.4.1), so a single Docker image no longer supports multiple PQS versions, each in a different directory in the image. The old structure required specifying the version you wanted to run using the Docker --workdir parameter.
- Please remove the --workdir parameter as it is no longer needed.
- With the new approach, this command line works for PQS version 3.4.1:
docker run -it europe-docker.pkg.dev/da-images/public/docker/participant-query-store:3.4.1 --version
- Other PQS-related fixes are:
- The conditional handling of OAuth configuration parameters now distinguishes between issuer-based and endpoint-based authentication. The changes ensure that when an issuer is provided (without an endpoint), it is properly processed through a dedicated case match instead of falling through to error handling.
- The Docker image base image is now Debian 13 which removes a critical security vulnerability.