Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
  truly functional (EVP_default_properties_is_fips_enabled only checks the
  property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
  EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
  MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
  only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
  3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
  so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: #48202, #48301
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
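
A build-time check for the relative `.include` pitfall named in the commit message above, as an added example that is not part of the Milvus change. The function names, the sample configs and the `/etc/ssl/fipsmodule.cnf` path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Milvus code: lint an OpenSSL config for relative
# .include targets (resolved from the process CWD, not the config's dir).

# Print "LINE:PATH" for every .include whose path is not absolute.
relative_includes() {
    awk '
        /^[ \t]*\.include[ \t=]/ {
            path = $0
            sub(/^[ \t]*\.include[ \t]*=?[ \t]*/, "", path)  # directive, optional "="
            sub(/[ \t]*#.*$/, "", path)                       # trailing comment
            sub(/[ \t]+$/, "", path)                          # trailing whitespace
            if (path !~ /^\//) print NR ":" path
        }
    ' "$1"
}

# Return 0 only when every .include in the file is absolute.
check_openssl_conf() {
    found=$(relative_includes "$1")
    [ -z "$found" ] && return 0
    printf 'relative .include in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

# Constructed sample configs; /etc/ssl/fipsmodule.cnf is a placeholder path.
write_samples() {
    cat > "$1/bad.cnf" <<'EOF'
openssl_conf = openssl_init
.include fipsmodule.cnf
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
EOF
    sed 's|^\.include fipsmodule\.cnf|.include /etc/ssl/fipsmodule.cnf|' \
        "$1/bad.cnf" > "$1/good.cnf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_openssl_conf "$tmp/bad.cnf" || echo "bad.cnf rejected"
check_openssl_conf "$tmp/good.cnf" && echo "good.cnf accepted"
rm -rf "$tmp"
```

A check like this fits in the image build after `openssl fipsinstall`, run against the config file the process will load.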
Replace `apt-get upgrade -y gpgv` with proper installation command. The
upgrade command syntax was incorrect and caused build failures with exit
code 100.
---------
Signed-off-by: Zhikun Yao <zhikun.yao@zilliz.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
- Upgrade Go from 1.24.11 to 1.24.12 to fix CVE-2025-61726 (net/url
query parameter DoS) and CVE-2025-61728 (archive/zip CPU exhaustion)
- Upgrade gpgv in Ubuntu Dockerfiles to fix CVE-2025-68973 (GnuPG
out-of-bounds write vulnerability)
Signed-off-by: Li Liu <li.liu@zilliz.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
issue: #46636
## Summary
- Fix spelling error in comment: `Seperate` -> `Separate`
- Location: `build/build_image_gpu.sh` line 38
## Test Plan
- [x] Comment-only change, no functional impact
## PR Summary: Typo Correction in Build Script Comment
• **Core Assumption**: This change relies on the assumption that
documentation and comments should reflect correct spelling to maintain
code quality and readability for maintainers. The comment is purely
informational describing the conditional logic below it.
• **What Changed**: A single spelling correction in a comment on line 38
of `build/build_image_gpu.sh`, changing "Seperate" to "Separate". No
code logic, control flow, or build behavior is altered—this is a
comment-only edit.
• **No Regression**: This change introduces zero behavioral or
functional impact because the modified content is a comment that does
not execute. The conditional logic immediately following (lines 39-42)
and the docker build command remain completely unchanged. Build output,
image creation, dependency installation, and all runtime behavior are
identical before and after this change.
• **Rationale**: Correcting obvious spelling errors in comments improves
code maintainability and reduces potential confusion for developers
reading the build script, while incurring zero risk to the system.
Signed-off-by: majiayu000 <1835304752@qq.com>
This pull request updates dependencies for Milvus deployments, focusing
on the images used for etcd and Kafka in both Helm and Docker Compose
configurations. The main goal is to align the deployment with newer or
organization-specific images for improved compatibility and maintenance.
**Helm deployment image updates:**
* Switched the etcd image repository from `bitnami/etcd` to
`milvusdb/etcd` and updated the etcd image tag from
`3.5.0-debian-10-r24` to `3.5.5-r2` in both standalone and cluster Helm
installation commands in `DeployTest.groovy`.
**Docker Compose image updates:**
* Changed the Kafka image from `bitnami/kafka:3.1.0` to
`bitnamilegacy/kafka:3.1.0` in `docker-compose.yml`.
issue: #44978
Signed-off-by: AlintaLu <yiqing.lu@zilliz.com>
relate: https://github.com/milvus-io/milvus/issues/41035
This PR adds support for a gRPC-based tokenizer.
- The protobuf definition was added in
[milvus-proto#445](https://github.com/milvus-io/milvus-proto/pull/445).
- Based on this, the corresponding Rust client code was generated and
added under `tantivi-binding`.
- The generated file is `milvus.proto.tokenizer.rs`.
I'm not very experienced with Rust, so there might be parts of the code
that could be improved.
I’d appreciate any suggestions or improvements.
---------
Signed-off-by: park.sanghee <park.sanghee@navercorp.com>
issue: #40730
also see: https://github.com/milvus-io/cgosymbolizer/pull/2
After these PRs, on Linux:
- Milvus will always enable jemalloc by default.
- jemalloc will always be compiled with the --enable-prof option.
- all images will always enable the jemalloc prof by default.
- a pprof http service for jemalloc at `/debug/jemalloc/` will be
registered into restful.
- `jeprof` can remotely profile the memory of Milvus.
Signed-off-by: chyezh <chyezh@outlook.com>
Default llvm toolchain version in Ubuntu 20.04 is 10, while Ubuntu 22.04
does not have `clang-tidy-10` or `clang-format-10` by default.
issue: #33142
Signed-off-by: Patrick Weizhi Xu <weizhi.xu@zilliz.com>
Signed-off-by: Yinzuo Jiang <jiangyinzuo@foxmail.com>
Signed-off-by: shaoting-huang [shaoting-huang@zilliz.com]
issue: https://github.com/milvus-io/milvus/issues/32982
Go 1.21 introduces several improvements and changes over Go 1.20, which
is quite stable now. This PR is mainly for upgrading the images' Golang
version from 1.20 to 1.21.
Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
Signed-off-by: shaoting-huang [shaoting-huang@zilliz.com]
issue: https://github.com/milvus-io/milvus/issues/32982
Go 1.21 introduces several improvements and changes over Go 1.20, which
is quite stable now. This PR is mainly for upgrading the images' Golang
version from 1.20 to 1.21.
Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
Install openblas using apt or yum in scripts/install_deps.sh, update
documentation and fix some typos related to build and installation.
issue: #33056, #33066
Signed-off-by: Yinzuo Jiang <jiangyinzuo@foxmail.com>