1.. _0-9-11:
2
30.9.11
4======
5*8/20/2013*
6
7
8**NOTE: Graphite 0.9.11 has a regression which breaks cache queries. Please use** :ref:`0.9.12 <0-9-12>` **instead**
9
10Graphite 0.9.11 is now available for usage. Source bundles are available from GitHub:
11
12* https://github.com/graphite-project/graphite-web/archive/0.9.11.tar.gz
13* https://github.com/graphite-project/carbon/archive/0.9.11.tar.gz
14* https://github.com/graphite-project/whisper/archive/0.9.11.tar.gz
15
16Graphite can also be installed from `Pypi <http://pypi.python.org/>`_ via
17`pip <http://www.pip-installer.org/en/latest/index.html>`_. Pypi bundles are here:
18
19* http://pypi.python.org/pypi/graphite-web/
20* http://pypi.python.org/pypi/carbon/
21* http://pypi.python.org/pypi/whisper/
22
23Upgrading
24---------
25It's recommended to install all three 0.9.11 packages together for the most success, however in this
26case *graphite-web* can be installed separately from carbon if necessary. *Carbon* and *Whisper* must
27be updated together due to the coupling of certain changes.
28
29Graphite 0.9.11 now requires a Django version of at least 1.3. Ensure this dependency is satisfied
30before updating *graphite-web*
31
32As always, comparing the example config files with existing ones is recommended to ensure
33awareness of any new features.
34
35Security Notes
36--------------
37This release contains several security fixes for cross-site scripting (XSS) as well as a fix for
38a remote-execution exploit in graphite-web
39(`CVE-2013-5093 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-5093>`_).
40Patches for the past three prior releases are available in these gists:
41
42* `0.9.10 <https://gist.github.com/mleinart/6285953>`_
43* `0.9.9 <https://gist.github.com/mleinart/6285975>`_
44* `0.9.8 <https://gist.github.com/mleinart/6285983>`_
45
46In a pinch, the following url mapping can be removed by hand if the remote-rendering feature is
47not being used::
48
49    diff --git a/webapp/graphite/render/urls.py b/webapp/graphite/render/urls.py
50    index a94a5d1..f934b43 100644
51    --- a/webapp/graphite/render/urls.py
52    +++ b/webapp/graphite/render/urls.py
53    @@ -15,7 +15,6 @@ limitations under the License."""
54     from django.conf.urls.defaults import *
55
56     urlpatterns = patterns('graphite.render.views',
57    -  ('local/?$','renderLocalView'),
58       ('~(?P<username>[^/]+)/(?P<graphName>[^/]+)/?','renderMyGraphView'),
59       ('', 'renderView'),
60     )
61
62
63Finally, The setting of Django's SECRET\_KEY setting is now encouraged and exposed in local\_settings.py as
64well.
65
66New Features
67------------
68
69Graphite-web
70^^^^^^^^^^^^
71* Properly return an HTTP 400 on missing query parameter in metrics/search endpoint (dieterbe)
72* cumulative() is now superceded by consolidateBy() which supports min/max/avg/sum (nleskiw)
73* Make graphlot target host configurable for easier embedding (dieterbe)
74* Allow graphlot graphs to be embedded for use in dashboard apps (dieterbe)
75* When wildcarding, prefer matching metric files to directories with the same name (tmm1)
76* New header design and css cleanups (obfuscurity)
77* New composer button to open the target in graphlot (magec)
78* timeshift() can now shift beyond current time, allowing better current-over-week charts (mgb)
79* Unit scaling added to cactiStyle (drawks)
80* Support RRD files in index.json view (obfuscurity)
81* Support for alternate target[] url syntax (luxflux)
82* New countSeries() function which returns the cardinality of a wildcard (obfuscurity)
83* Bootstrap data for movingAverage and movingMedian (seveas)
84* movingAverage and movingMedian now optionally take time periods to specify window size (danielbeardsley)
85* jsonp support in events/get_data (gingerlime)
86* Ace editor for manually editing dashboard json (jordanlewis)
87* New stddevSeries(), timeStack() functions (windbender)
88* Remove ugly graph image background in dashboard (frejsoya)
89* y-axis divisors for determining y-axis scale are now configurable (wfarr)
90* Allow any characters in axis labels
91* Target grammar now supports scientific notation for numbers
92* New identity() function (dieterbe)
93* Update default color scheme (obfuscurity)
94* Dont blow up on permissions errors while walking directories (log instead)
95* Encourage users to set SECRET_KEY uniquely with a warning
96
97Carbon
98^^^^^^
99* Improvements to setup.py rpm generation and basic init scripts (bmhatfield)
100* Allow alternate update rate at shutdown (Daniel314)
101* Add support for new fallocate() allocation method in Whisper (slackhappy)
102* Improvements to noisy logging (nleskiw, drawks)
103* Protect against writes outside the storage tree
104* Performance fixes to rate limiting, removal of unnecessary locks (drawks)
105* Alternate write strategies for carbon-cache (max size, random) (drawks)
106* carbon-aggregator aware consistent-hashing for carbon-relay (slackhappy)
107* Allow custom umask to be passsed to twisted at startup (egnyte)
108* New options WRITE_BACK_FREQUENCY to control frequency of partially-aggregated output (jdanbrown)
109* Improve consistent-hashing performance when replication factor is 1 (slackhappy)
110* Various code cleanups (sejeff)
111* Allow a timestamp of -1 to be sent to aggregator to set to current time (gwillem)
112* Allow log rotation to be handled by an external process (justinvenus)
113* min/max aggregation methods are now supported (ishiro)
114
115Whisper
116^^^^^^^
117* Better commandline sanity checking and messaging (sejeff)
118* Handle SIGPIPE correctly in commandline utils (sejeff)
119* Option to intelligently aggregate values on whisper-resize (jens-rantil)
120* Use more efficient max() instead of sorted()[-1] (ryepup)
121* Add fallocate() support (slackhappy)
122* Improve handling of exceptional fetch cases (dieterbe)
123* Improve rrd2whisper's handling of rrd files
124* Improve error messaging on retention errors at create time (lambdafu)
125
126Bug fixes
127---------
128
129Graphite-web
130^^^^^^^^^^^^
131* broken nPercentile() and related functions
132* Python 2.4 compatibility in browser endpoint (dcarley)
133* Missing URL parameters in composer load
134* Fix to multiplySeries to return the expected type (nleskiw)
135* Don't blow up when empty series passed to cactiStyle (mattus)
136* Trailing commas in js breaking ie (nleskiw, davecoutts)
137* Remove extra and unnecessary rendering while loading saved graphs (hostedgraphite)
138* Broken entry of timezone in composer menu (hcchu)
139* constantLine() not drawing across the entire graph (mattsn0w)
140* SVG rendering broken when using secondYAxis (obfuscurity)
141* Expect url-encoded octothorpes in colorList (magec)
142* Display relative times properly in dashboard (daveconcannon)
143* cactiStyle() blows up with empty series (eranrund)
144* Remove problemmatic and unnecessary url encoding
145* Several pathExpressions missing which caused trouble in certain function combinations (dieterbe,colby,kovyrin)
146* Use non-linux-specific datetime formatter %I instead of %l (richg)
147* Use os.sep properly for path separation (justinc)
148* Negative numbers not allowed in yAxis input box
149* scale() misreports itself in legend when using small decimals
150* colorList incorrectly cast to an int in some cases (rckclmbr)
151* removeBelow* menu items adding the wrong functions to target list (harveyzh)
152* nPercentile renders it's name incorrectly (TimZehta)
153* CSV rendering does not respect tz parameter
154* Missing max interval in xAxisConfigs causes long-term graphs with few points to render with a 12hr axis config
155* Stacked graphs not filling completely in staircase mode
156* Stacked graphs and many drawAsInfinite() lines do not draw cleanly
157* Graphlot does not handle event timestamps properly (matthew keller)
158* sin() time() and randomWalk() incorrectly using float times (jbrucenet)
159* legend height is incorrect when secondYAxis used (obfuscurity)
160* Expanded wildcards in legends are misordered (dieterbe)
161* Regression in formatPathExpression (jeblair)
162* index.json returns leading periods when WHISPER_DIR does not endin a trailing slash (bitprophet)
163* Regression in areaMode=all causes only the last series to be filled (piotr1212)
164* Default to settings.TIMEZONE if timezone unknown (gingerlime)
165* Negative filled graphs render from bottom rather than 0 (piotr1212)
166* Composer and Dashboard XSS fixes (jwheare, sejeff)
167* Fix persistence of tz aware datetime in non-postgres databases
168* Fix insecure deserialization of pickled objects (CVE-2013-5093)
169* Lots of documentation improvement (jeblair,bclermont,lensen,cbliard,hvnsweeting)
170
171Carbon
172^^^^^^
173* Empty lines match everything in whitelist (gographs)
174* Storage-schemas dont auto reload when they should
175* Carbon-relay per-destination metrics are broken
176* Regression in MAX_CREATES_PER_MINUTE where values >60 were set to 0 (jeblair)
177* Memory leak in carbon-aggregator in certain cases (lbosson)
178* Python2.4 compatibility in AMQP send/receive (justinvenus)
179* Cache/queue sizes are misreported (bitprophet)
180* NaN values shouldn't be passed through from amqp (llaurent)
181
182Whisper
183^^^^^^^
184* Python2.4 compatibility for whisper-dump.py (snore)
185* Correct filtering of duplicate values to ensure last-write-wins
186