What's New in v24.3

Docker image

Multi-platform images include support for both Intel and ARM. Multi-platform images do not take up additional space on your Docker host.

Within the multi-platform image, both Intel and ARM images are generally available for production use.

To download the Docker image:

docker pull cockroachdb/cockroach-unstable:v24.3.0-alpha.1

Source tag

To view or download the source code for CockroachDB v24.3.0-alpha.1 on Github, visit v24.3.0-alpha.1 source tag.

Security updates

• URLs in the CREATE CHANGEFEED and CREATE SCHEDULE FOR CHANGEFEED SQL statements are now sanitized of any secrets before being written to unredacted logs. #126970
• The LDAP cluster settings server.ldap_authentication.client.tls_certificate and server.ldap_authentication.client.tls_key did not have callbacks installed to reload the settings value for LDAP authManager. This change fixes this by adding the necessary callbacks. #131151
• Cluster settings for host-based authentication configuration (server.host_based_authentication.configuration) and identity map configuration (server.identity_map.configuration) need to be redacted as they can be configured to contain LDAP bind usernames, passwords, and mapping of external identities to SQL users that are sensitive. These cluster settings can be configured for redaction via the server.redact_sensitive_settings.enabled cluster setting. #131150
• Added support for configuring authorization using LDAP. During login, the list of groups that a user belongs to are fetched from the LDAP server. These groups are mapped to SQL roles by extracting the common name (CN) from the group. After authenticating the user, the login flow grants these roles to the user, and revokes any other roles that are not returned by the LDAP server. The groups given by the LDAP server are treated as the sole source of truth for role memberships, so any roles that were manually granted to the user will not remain in place. #131043

• Previously, the host-based authentication (HBA) configuration cluster setting server.host_based_authentication.configuration was unable to handle double quotes in authentication method option values. For example, for the following entry:

  host all all all ldap ldapserver=ldap.example.com ldapport=636 ldapbasedn="ou=users,dc=example,dc=com" ldapbinddn="cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid ldapsearchfilter="(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)"
  

  The HBA parser would fail after incorrectly determining ldapbinddn="cn=readonly,dc=example,dc=com" as 2 separate options (ldapbinddn=and cn=readonly,dc=example,dc=com). Now, the 2 tokens are set as key and value respectively for the same HBA configuration option. #131480

General changes

• CockroachDB will now avoid logging unnecessary stack traces while executing scheduled jobs. #129846
• Upgrading to 24.3 is blocked if no license is installed, or if a trial/free license is installed with telemetry disabled. #130576
• Attempting to install a second Enterprise trial license on the same cluster will now fail. #131422
• Changed the license cockroach is distributed under to the new CockroachDB Software License (CSL). #131690 #131686 #131688 #131687 #131717 #131689 #131693 #131691 #131777 #131778 #131661

Enterprise edition changes

• Added a CompressionLevel field to the changefeed kafka_sink_config option. Changefeeds will use this compression level when emitting events to a Kafka sink. The possible values depend on a compression codec. The CompressionLevel field optimizes for faster or stronger level of compression. #125456
• The updated version of the CockroachDB changefeed Kafka sink implementation now supports specifying compression levels. #127827
• Introduced the cluster setting server.jwt_authentication.client.timeout to capture the HTTP client timeout for external calls made during JWT authentication. #127145
• The JWT authentication cluster settings have been made public. #128170
• Updated certain error messages to refer to the stable docs tree rather than an explicit version. #128842
• Disambiguated metrics and logs for the two buffers used by the KV feed. The affected metrics now have a suffix indicating which buffer they correspond to: changefeed.buffer_entries.*, changefeed.buffer_entries_mem.*, changefeed.buffer_pushback_nanos.*. The previous versions are still supported for backward compatibility, though using the new format is recommended. #128813

• Added support for authorization to a CockroachDB cluster via LDAP, retrieving AD groups membership information for LDAP user. The new HBA configuration cluster setting option ldapgrouplistfilter performs filtered search query on LDAP for matching groups. An example HBA configuration entry to support LDAP authZ configuration:

  # TYPE    DATABASE      USER           ADDRESS             METHOD             OPTIONS
  # Allow all users to connect to using LDAP authentication with search and bind    host    all           all            all                 ldap               ldapserver=ldap.example.com ldapport=636 "ldapbasedn=ou=users,dc=example,dc=com" "ldapbinddn=cn=readonly,dc=example,dc=com" ldapbindpasswd=readonly_password ldapsearchattribute=uid "ldapsearchfilter=(memberof=cn=cockroachdb_users,ou=groups,dc=example,dc=com)" "ldapgrouplistfilter=(objectClass=groupOfNames)"
  # Fallback to password authentication for the root user
  host    all           root           0.0.0.0/0          password
  

  For example, to use for an Azure AD server:

  SET cluster setting server.host_based_authentication.configuration = 'host    all           all            all                 ldap ldapserver=azure.dev ldapport=636 "ldapbasedn=OU=AADDC Users,DC=azure,DC=dev" "ldapbinddn=CN=Some User,OU=AADDC Users,DC=azure,DC=dev" ldapbindpasswd=my_pwd ldapsearchattribute=sAMAccountName "ldapsearchfilter=(memberOf=CN=azure-dev-domain-sync-users,OU=AADDC Users,DC=crlcloud,DC=dev)" "ldapgrouplistfilter=(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=crlcloud,DC=dev)"
  host    all           root           0.0.0.0/0          password';
  

  Post configuration, the CockroachDB cluster should be able to authorize users via LDAP server if:

  1. Users LDAP authentication attempt is successful, and it has the user's DN for the LDAP server.
  2. ldapgrouplistfilter is properly configured, and it successfully syncs groups of the user. #128498

• Added changefeed support for the mvcc_timestamp option when the changefeed is emitting in avro format. If both options are specified, the Avro schema includes an mvcc_timestamp metadata field and emits the row's MVCC timestamp with the row data. #129840

• Updated the cluster setting changefeed.sink_io_workers with all the sinks that support the setting. #129946

• Added a LDAP authentication method to complement password-based login for the DB Console if HBA configuration has an entry for LDAP for the user attempting login, along with other matching criteria (like the requests originating IP address) for authentication to the DB Console. #130418

• Added timers around key parts of the changefeed pipeline to help debug feeds experiencing issues. The changefeed.stage.<stage>.latency metrics now emit latency histograms for each stage. The metric respects the changefeed scope label for debugging specific feeds. #128794

• For enterprise changefeeds, events changefeed_failed and create_changefeed now include a JobId field. #131396

• The new metric seconds_until_license_expiry allows you to monitor the status of a cluster's Enterprise license. #129052.

• Added the changefeed.total_ranges metric, which monitors the number of ranges that are watched by changefeed aggregators. It shares the same polling interval as changefeed.lagging_ranges, which is controlled by the existing lagging_ranges_polling_interval option. #130897

SQL language changes

• Added a session setting, optimizer_use_merged_partial_statistics which defaults to false. When set to true, it enables usage of existing partial statistics merged with full statistics when optimizing a query. #126948
• The enable_create_stats_using_extremes session setting is now true by default. Partial statistics at extremes can be collected using the CREATE STATISTICS <stat_name> ON <column_name> FROM <table_name> USING EXTREMES syntax. #127850
• Added SHOW SCHEMAS WITH COMMENT and SHOW SCHEMAS FROM database_name WITH COMMENT functionality similar to SHOW TABLES and SHOW DATABASES. #127816
• The deadlock_timeout session variable is now supported. The configuration can be used to specify the time to wait on a lock before pushing the lock holder for deadlock detection. It can be set at session granularity. #128506
• Partial statistics at extremes can now be collected on all valid columns of a table using the CREATE STATISTICS <stat_name> FROM <table_name> USING EXTREMES syntax, without an ON <col_name> clause. Valid columns are all single column prefixes of a forward index excluding partial, sharded, and implicitly partitioned indexes. #127836
• Partial statistics can now be automatically collected at the extremes of indexes when a certain fraction and minimum number of rows are stale (by default 5% and 100 respectively). These can be configured with new table storage parameters and cluster settings, and the feature is disabled by default. The new cluster settings and table parameters are:
  • sql.stats.automatic_partial_collection.enabled/sql_stats_automatic_partial_collection_enabled, defaults to false.
  • sql.stats.automatic_partial_collection.min_stale_rows/sql_stats_automatic_partial_collection_min_stale_rows, defaults to 100.
  • sql.stats.automatic_partial_collection.fraction_stale_rows/sql_stats_automatic_partial_collection_fraction_stale_rows, Defaults to 0.05. #93067
• The session variable enforce_home_region_follower_reads_enabled is now deprecated, and will be removed in a future release. The related session variable enforce_home_region is not deprecated. #129024
• Added a new cluster setting to control whether most common values are collected as part of histogram collection for use by the optimizer. The setting is called sql.stats.histogram_buckets.include_most_common_values.enabled. When enabled, the histogram collection logic will ensure that the most common sampled values are represented as histogram bucket upper bounds. Since histograms in CockroachDB track the number of elements equal to the upper bound in addition to the number of elements less, this allows the optimizer to identify the most common values in the histogram and better estimate the rows processed by a query plan. To set the number of most common values to include in a histogram, a second setting sql.stats.histogram_buckets.max_fraction_most_common_values was added. Currently, the default is 0.1, or 10% of the number of buckets. With a 200 bucket histogram, by default, at most 20 buckets may be adjusted to include a most common value as the upper bound. #129378
• Added a new column to crdb_internal.table_spans to indicate whether a table is dropped. Rows for dropped tables will be removed once they are garbage collected. #128788

• Added the cluster setting sql.txn.repeatable_read_isolation.enabled, which defaults tofalse. When set to true, the following statements will configure transactions to run under REPEATABLE READ isolation, rather than being automatically interpreted as SERIALIZABLE:

  • BEGIN TRANSACTION ISOLATION LEVEL REPEATABLE READ
  • SET TRANSACTION ISOLATION LEVEL REPEATABLE READ
  • SET default_transaction_isolation = 'repeatable read'
  • SET SESSION CHARACTERISTICS AS TRANSACTION ISOLATION LEVEL REPEATABLE READ

  This setting was added since REPEATABLE READ transactions is a preview feature, so usage of it is opt-in for v24.3. In a future CockroachDB major version, this setting will change to default to true. #130089

• Previously, SHOW CHANGEFEED JOBS showed the changefeed jobs for the last 14 days by default. Now, it uses the same age filter for SHOW JOBS, which shows jobs from the last 12 hours by default. #127584

• Set the default for session variable large_full_scan_rows to 0. This means that by default, disallow_full_table_scans will disallow all full table scans, even full scans on very small tables. If large_full_scan_rows is set > 0, disallow_full_table_scans will allow full scans estimated to read fewer than large_full_scan_rows. #131040

• It is now possible to create PL/pgSQL trigger functions, which can be executed by a trigger in response to table mutation events. Note that this patch does not add support for triggers, only trigger functions. #126734

• Cluster settings enterprise.license and diagnostics.reporting.enabled now have additional validation. #131097

• The SHOW SESSIONS command was changed to include an authentication_method column in the result. This column will show the method used to authenticate the session, for example, password, cert, LDAP, etc. #131625

Operational changes

• Events DiskSlownessDetected and DiskSlownessCleared are now logged when disk slowness is detected and cleared on a store. #127025
• Several cluster settings allow you to configure rate-limiting traffic to cloud storage over various protocols. These settings begin with cloudstorage. #127207
• The new cluster setting kv.range.range_size_hard_cap allows you to limit how large a range can grow before backpressure is applied. This can help to mitigate against a situation where a range cannot be split, such as when a range is comprised of a single key due to an issue with the schema or workload pattern or a bug in client application code. The default is 8 GiB, which is 16 times the default max range size. If you have changed the max range size, you may need to adjust this cluster setting or reduce the range size. #129450

• The following kvflowcontrol metrics have been renamed. After a cluster is finalized on v24.3, old and new metrics will be populated. The previous metrics under kvasdmission.flow_controller will be removed.

  Old metric names	New metric names
  kvadmission.flow_controller.regular_tokens_available	kvflowcontrol.tokens.eval.regular.available
  kvadmission.flow_controller.elastic_tokens_available	kvflowcontrol.tokens.eval.elastic.available
  kvadmission.flow_controller.regular_tokens_deducted	kvflowcontrol.tokens.eval.regular.deducted
  kvadmission.flow_controller.elastic_tokens_deducted	kvflowcontrol.tokens.eval.elastic.deducted
  kvadmission.flow_controller.regular_tokens_returned	kvflowcontrol.tokens.eval.regular.returned
  kvadmission.flow_controller.elastic_tokens_returned	kvflowcontrol.tokens.eval.elastic.returned
  kvadmission.flow_controller.regular_tokens_unaccounted	kvflowcontrol.tokens.eval.regular.unaccounted
  kvadmission.flow_controller.elastic_tokens_unaccounted	kvflowcontrol.tokens.eval.elastic.unaccounted
  kvadmission.flow_controller.regular_stream_count	kvflowcontrol.streams.eval.regular.total_count
  kvadmission.flow_controller.elastic_stream_count	kvflowcontrol.streams.eval.elastic.total_count
  kvadmission.flow_controller.regular_requests_waiting	kvflowcontrol.eval_wait.regular.requests.waiting
  kvadmission.flow_controller.elastic_requests_waiting	kvflowcontrol.eval_wait.elastic.requests.waiting
  kvadmission.flow_controller.regular_requests_admitted	kvflowcontrol.eval_wait.regular.requests.admitted
  kvadmission.flow_controller.elastic_requests_admitted	kvflowcontrol.eval_wait.elastic.requests.admitted
  kvadmission.flow_controller.regular_requests_errored	kvflowcontrol.eval_wait.regular.requests.errored
  kvadmission.flow_controller.elastic_requests_errored	kvflowcontrol.eval_wait.elastic.requests.errored
  kvadmission.flow_controller.regular_requests_bypassed	kvflowcontrol.eval_wait.regular.requests.bypassed
  kvadmission.flow_controller.elastic_requests_bypassed	kvflowcontrol.eval_wait.elastic.requests.bypassed
  kvadmission.flow_controller.regular_wait_duration	kvflowcontrol.eval_wait.regular.duration
  kvadmission.flow_controller.elastic_wait_duration	kvflowcontrol.eval_wait.elastic.duration

  #130167

• The new ranges.decommissioning metric shows the number of ranges with a replica on a decommissioning node. #130117

• New cluster settings have been added which control the refresh behavior for the cached data in the Databases page of the DB Console:

  • obs.tablemetadatacache.data_valid_duration: the duration for which the data in system.table_metadata is considered valid before a cache reset will occur. Default: 20 minutes.
  • obs.tablemetadatacache.automatic_updates.enabled: whether to automatically update the cache according the validity interval. Default: false.

  #130198

• New gauge metrics security.certificate.expiration.{cert-type} and security.certificate.ttl.{cert-type} show the expiration and TTL for a certificate. #130110

• To set the logging format for stderr, you can now set the format field to any valid format, rather than only crdb-v2-tty. #131529

• The following new metrics show connection latency for each SQL authentication method:

  Authentication method	Metric
  Certificate	auth_cert_conn_latency
  Java Web Token (JWT)	auth_jwt_conn_latency
  Kerberos GSS	auth_gss_conn_latency
  LDAP	auth_ldap_conn_latency
  Password	auth_password_conn_latency
  SCRAM SHA-256	auth_scram_conn_latency

  #131578

• Verbose logging of slow Pebble reads can no longer be enabled via the shorthand flag --vmodule=pebble_logger_and_tracer=2, where pebble_logger_and_tracer contains the CockroachDB implementation of the logger needed by Pebble. Instead, you must list the Pebble files that contain the log statements. For example --vmodule=reader=2,table=2. #127066

• The lowest admission control priority for the storage layer has been renamed from ttl-low-pri to bulk-low-pri. #129564

• New clusters will now have a zone configuration defined for the timeseries range, which specifies gc.ttlseconds and inherits all other attributes from the zone config of the default range. This zone config will also be added to a cluster that is upgraded to v24.3 if it does not already have a zone config defined.#128032

Command-line changes

• cockroach debug tsdump now includes all the available resolutions in the time range supplied by the user. #127186
• Added the flag --tenant-name-scope to the cert create-client command. This allows users to generate tenant-scoped client certificates using tenant names in addition to tenant IDs. #129216

DB Console changes

• If a range is larger than twice the max range size, it will now display in the Problem Ranges page in the DB Console. #129001
• Updated some metric charts on the Overview and Replication dashboards to omit verbose details in the legends for easier browsing. #129149
• Updated the icon for notification alerts to use the new CockroachDB logo. #130333
• The txn.restarts.writetoooldmulti metric was rolled into the txn.restarts.writetooold metric in the v24.1.0-alpha.1 release. txn.restarts.writetoooldmulti has now been removed altogether. #131642
• The grants table in the DB Details page will now show the database level grants. For example, when clicking a database in the databases list. Previously, it showed grants per table in the database. #131250
• Added new database pages that are available from the side navigation Databases link. #131594
• The DB Console will reflect any throttling behavior from the cluster due to an expired license or missing telemetry data. Enterprise licenses are not affected. #131326
• Users can hover over the node/region cell in multi-region deployments to view a list of nodes the database or table is on. #130704
• The Databases pages in the DB console have been updated to read cached metadata about database and table storage statistics. The cache update time is now displayed in the top right-hand corner of the database and tables list pages. Users may trigger a cache refresh with the refresh icon next to the last updated time. The cache will also update automatically when users visit a Databases page and the cache is older than or equal to 20 minutes. #131463

Bug fixes

• Fixed a bug where CockroachDB could incorrectly evaluate an IS NOT NULL filter if it was applied to non-NULL tuples that had NULL elements (like (1, NULL) or (NULL, NULL)). The bug was present since v20.2. #126901
• Fixed a bug related to displaying the names of composite types in the SHOW CREATE TABLES command. The names are now shown as two-part names, which disambiguates the output and makes it more portable to other databases. #127158
• The CONCAT() built-in function now accepts arguments of any data type. #127098
• Fixed a bug that prevented merged statistics from being created after injecting statistics or recreating statement bundles. This would occur when the injected statistics or statement bundle contained related full and partial statistics. #127252
• Fixed a bug where CockroachDB could encounter spurious (error encountered after some results were delivered) ERROR: context canceled errors in rare cases when evaluating some queries. The bug was present since v22.2. The conditions that triggered the bug were queries that:
  • Had to be executed locally.
  • Had a LIMIT.
  • Have at least two UNION clauses.
  • Have some lookup or index joins in the UNION branches. #127076
• Updated the restore job description from RESTORE ... FROM to RESTORE FROM {backup} IN {collectionURI} to reflect the new RESTORE syntax. #127970
• Fixed a bug that could cause a CASE statement with multiple subqueries to produces the side effects of one of the subqueries even if that subquery shouldn't have been evaluated. #120327
• Changed the schema changer’s merge process so that it can detect contention errors and automatically retry with a smaller batch size. This makes the merge process more likely to succeed without needing to manually tune settings. #128201
• SHOW CREATE ALL TYPES now shows corresponding type comments in its output. #128084
• Enforce the statement_timeout session setting when waiting for jobs after a schema change in an implicit transaction. #128474
• Fixed a bug where certain dropdowns in the DB Console appeared to be empty (with no options to select from) for users of the Safari browser. #128996
• Fixed a bug that would cause the hlc_to_timestamp function to return an incorrect timestamp for some input decimals. #129153
• Fixed a memory leak where statement insight objects could leak if the session was closed without the transaction finishing. #128400
• Fixed a bug in the public preview WAL failover feature that could prevent a node from starting if it crashed during a failover. #129331
• Fixed a bug where 'infinity'::TIMESTAMP returned a different result than PostgreSQL. #127141
• Fixed a spurious error log from the replication queue involving the text " needs lease, not adding". #129351
• Using more than one DECLARE statement in the definition of a user-defined function now correctly declares additional variables. #129951
• Fixed a bug in which some SELECT FOR UPDATE or SELECT FOR SHARE queries using NOWAIT could still block on locked rows when using the optimizer_use_lock_op_for_serializable session setting under serializable isolation. This bug was introduced with optimizer_use_lock_op_for_serializable in v23.2.0. #130103
• Fixed a bug in the upgrade pre-condition for repairing descriptor corruption that could lead to finalization being stuck. #130064
• Fixed a bug that caused the optimizer to plan unnecessary post-query uniqueness checks during INSERT, UPSERT, and UPDATE statements on tables with partial, unique, hash-sharded indexes. These unnecessary checks added overhead to execution of these statements, and caused the statements to error when executed under READ COMMITTED isolation. #130366
• Fixed a bug that caused incorrect evaluation of CASE, COALESCE, and IF expressions with branches producing fixed-width string-like types, such as CHAR. In addition, the BPCHAR type no longer incorrectly imposes a length limit of 1. #129007
• Fixed a bug where zone configuration changes issued by the declarative schema changer were not blocked if a table had the schema_locked storage parameter set. #130670
• Fixed a bug that could prevent a CHANGEFEED from being able to resume after being paused for a prolonged period of time. #130622
• Fixed a bug where if a client connection was attempting a schema change while the same schema objects were being dropped, it was possible for the connection to be incorrectly dropped. #130928
• Fixed a bug introduced in v23.1 that could cause incorrect results when:
  1. The query contained a correlated subquery.
  2. The correlated subquery had a GROUP BY or DISTINCT operator with an outer-column reference in its input.
  3. The correlated subquery was in the input of a SELECT or JOIN operator.
  4. The SELECT or JOIN had a filter that set the outer-column reference from (2) equal to a non-outer column in the input of the grouping operator.
  5. The grouping column set did not include the replacement column, and functionally determined the replacement column. #130925
• Fixed a bug which could cause errors with the message "internal error: Non-nullable column ..." when executing statements under READ COMMITTED isolation that involved tables with NOT NULL virtual columns. #130725
• Fixed a bug that could cause a very rare internal error "lists in SetPrivate are not all the same length" when executing queries. #130981
• Fixed a bug that could cause incorrect evaluation of scalar expressions involving NULL values in rare cases. #128123
• SHOW CREATE ALL SCHEMAS now shows corresponding schema comments in its output. #130164
• Fixed a bug, introduced in v23.2.0, where creating a new incremental schedule (using ALTER BACKUP SCHEDULE) on a full backup schedule created on an older version would fail. #131231
• Fixed a bug that could cause an internal error if a table with an implicit (rowid) primary key was locked from within a subquery like SELECT * FROM (SELECT * FROM foo WHERE x = 2) FOR UPDATE;. The error could occur either under READ COMMITTED isolation, or with the optimizer_use_lock_op_for_serializable session setting enabled. #129768
• Fixed a bug where jobs created in a session with non-zero session timezone offsets could hang before starting, or report incorrect creation times when viewed in SHOW JOBS and the DB Console. #123632
• Fixed a bug which could result in changefeeds using CDC queries failing due to a system table being garbage collected. #131027
• ALTER COLUMN TYPE now errors out when there is a partial index that is dependent on the column being altered. #131590

Performance improvements

• Raft log sync callback handling is now parallelized, which can improve write-heavy workload performance on large, single-store nodes. #126523
• Planning time for complex queries has been reduced. #128049
• Reduced the write-amplification impact of rebalances by splitting snapshot SSTable files into smaller ones before ingesting them into Pebble. #127997
• Improved the performance of job-system related queries. #123848
• The query optimizer now plans limited, partial-index scans in more cases. #129901
• The initialization of the execution engine for a query is now more efficient when the query plan contains aggregate functions. #130834
• Enabled multi-level compactions that moderately reduce write amplification within the storage engine. #131378
• Increased the per-vCPU concurrency limits for KV operations. Specifically, increased the kv.dist_sender.concurrency_limit cluster setting to 384/vCPU (up from 64/vCPU) and kv.streamer.concurrency_limit to 96/vCPU (up from 8/vCPU). #131226
• The optimizer now plans more efficient lookup joins in some cases. #131383

Build changes

• Changed the AWS SDK version used for interactions with external storage from v1 to v2. #129938

Was this helpful?