# MinIO AIStor EDGE.2026-01-14T20-23-54Z

Released: January 14, 2026

This release introduces external log targets with webhook and Kafka support for centralized management of API, error, and audit logs. Tables (Iceberg catalog) performance is significantly improved: namespace sharding delivers 2.4x throughput gains, and the catalog moves to a msgpack storage format. License management is redesigned so that server startup is non-blocking and renewal happens asynchronously. Critical fixes address EKS authentication failures, ILM expiry blocking with EdgeSyncBeforeExpiry, and pool selection for degraded erasure sets.

## New Features

- **External Log Targets** - Configure external log destinations (webhook and Kafka) for API, Error, and Audit logs via `mc admin config`. Supports configurable batching for improved throughput, multiple targets per log type, and persistent queue recovery after restart. New config subsystems: `log_api_webhook:`, `log_error_webhook:`, `log_audit_webhook:`, `log_api_kafka:`, `log_error_kafka:`, `log_audit_kafka:` (#2463)

- **24-Hour Metrics Retention** - Persist runtime, memory, process, scanner, OS, and network metrics in 15-minute segments for 24 hours. View historical metrics with `mc admin cluster stats` or the TUI dashboard for troubleshooting without external monitoring (#2705)

- **Profile Metrics** - Cluster metrics are now included in support profiles for better diagnostics. New `metrics` profile type captures metrics at start and end of profiling sessions, enabling correlation of performance issues with system state (#2723)

- **Silent Data Corruption Metrics** - New Prometheus metrics to detect and alert on silent data corruption events, enabling proactive monitoring of data integrity (#2514)

- **Warehouse Bucket Isolation** - Path-based validation ensures S3 operations on warehouse buckets only work on registered table paths. Warehouse buckets are now excluded from site replication and bucket replication to prevent conflicts with Tables replication (#2658)

## Performance Improvements

- **Tables Namespace Sharding** - Shard namespace table registry into 16 files, reducing contention and delivering 2.4x throughput improvement (602 to 1,442 requests/second) with 2.5x lower latency for installations with thousands of tables (#2609)

- **Tables Msgpack Format** - Switch table catalog from JSON to msgpack format for reduced file size and faster serialization with fewer allocations (#2703)

- **Replication Status Optimization** - 3.4x faster replication status string building with 4x fewer allocations (15 to 4 allocations per operation), improving responsiveness for multi-target replication (#2667)

- **Inventory Filter Caching** - Cache compiled regex patterns in inventory job filters, eliminating repeated compilation overhead during job execution (#2662)

- **MRF Optimization** - Optimized MRF (Missing Replication Failures) reading and parsing for better resource utilization (#2654)

- **Memory Allocation Reduction** - Remove unnecessary slice allocations in cleanReservedKeys by deleting map keys directly during iteration, reducing overhead on KMS-encrypted setups (#2651)

## Bug Fixes

### Licensing & Authentication

- **Non-Blocking License Startup** - Server startup no longer blocks on SUBNET license renewal. Licenses are renewed asynchronously with exponential backoff retry. Only fully expired licenses cause fatal errors (#2691)

- **EKS Authentication** - Add fallback HTTP client with system CA roots for JWKS endpoint calls, fixing authentication failures with Amazon EKS Kubernetes clusters where the internal cluster CA is invalid for external OIDC endpoints (#2671)

- **Admin Trace for Free Tier** - Enable admin trace functionality for all license tiers to assist with debugging (16138bf)

### Replication

- **ILM Expiry with EdgeSyncBeforeExpiry** - Fixed issue where objects weren't expiring even after replication completed when EdgeSyncBeforeExpiry was enabled. The root cause was CompositeReplicationStatus() returning empty status instead of "COMPLETED" when comparing timestamps with zero ReplicationTimeStamp (#2619)

- **Replication Resync Cancel Panic** - Fix panic ("send on closed channel") during replication resync cancellation by moving channel close to the correct location (#2726)

- **Bucket Resync Validation** - Allow bucket replication resync cancellation when site resync is not in progress, matching the behavior for resync start (#2713)

- **Replication Status Handling** - Set replication status to FAILED (not silently completed) when parsing errors occur for pre-existing data with malformed tags, legal headers, or encryption info (#2677)

- **Inline Object Checksums** - Filter invalid checksums for inline objects during replication to prevent failures when replicating objects uploaded with incorrect checksums (#2648)

- **Site Replication Init** - Skip root user service accounts during site replication initialization, aligning with the original design decision (#2676)

### Site Replication & IAM

- **Site Replication on macOS/Windows** - Fix site replication setup failures on fresh clusters due to case-insensitive key normalization. Default policies like "consoleAdmin" were stored as "consoleadmin" but deleted with original casing, causing all 6 default policies to be incorrectly counted as IAM entities (#2712)

### Pool Management & Decommission

- **Pool Selection with Offline Drives** - Avoid selecting pools for writes when offline drives are close to the erasure coding threshold. Pools with offline drives equal to EC are never selected; pools with EC-1 offline drives are deprioritized when other pools are available (#2647)

- **Decommission with Inconsistent Metadata** - Verify object readability during decommission to handle objects with inconsistent metadata (RQInconsistentMeta) that can be listed via header-based quorum but fail to read with hash-based quorum (#2699)

- **Hot Reload Pool Healing** - New pools are marked as pending and excluded from writes until bucket directories are healed. Bucket healing runs with 32 concurrent workers for faster completion before enabling the pool for writes (#2642)
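
The selection rule from the "Pool Selection with Offline Drives" item above, as an added sketch that is not AIStor's own code. The `Pool` type, the `SelectPool` function and the free-space tie-breaker are assumptions made for illustration, and treating "more than EC offline" the same as "equal to EC" goes slightly beyond the wording of the note.

```go
package main

import (
	"fmt"
	"sort"
)

// Pool is a hypothetical, simplified view of one server pool.
type Pool struct {
	Name    string
	Parity  int    // EC parity count for the pool
	Offline int    // drives currently offline
	Free    uint64 // free bytes; ASSUMED tie-breaker, not from the release note
}

// SelectPool returns the pool to write to, or "" when no pool is safe.
func SelectPool(pools []Pool) string {
	var healthy, atRisk []Pool
	for _, p := range pools {
		switch {
		case p.Offline >= p.Parity:
			// Offline drives have reached EC: never selected.
		case p.Offline == p.Parity-1:
			atRisk = append(atRisk, p) // one more failure exhausts parity
		default:
			healthy = append(healthy, p)
		}
	}
	candidates := healthy
	if len(candidates) == 0 {
		candidates = atRisk // used only when nothing healthier exists
	}
	if len(candidates) == 0 {
		return ""
	}
	sort.SliceStable(candidates, func(i, j int) bool {
		return candidates[i].Free > candidates[j].Free
	})
	return candidates[0].Name
}

func main() {
	pools := []Pool{ // constructed sample data
		{"pool-0", 4, 4, 900}, {"pool-1", 4, 3, 800}, {"pool-2", 4, 0, 100},
	}
	fmt.Println(SelectPool(pools))     // pool-2
	fmt.Println(SelectPool(pools[:2])) // pool-1
}
```

Note that `pool-2` wins despite having the least free space: a pool at EC-1 is only a fallback, and a pool at EC is skipped even when it is the only one left.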

### Tables & Iceberg

- **IAM Policy Namespace Matching** - Fix namespace condition for IAM policies with multi-level namespaces. Policies with StringLike patterns like `plattform.*` now correctly match namespaces like `plattform.abc` by converting the internal separator to dot notation before policy evaluation (#2730)

- **Race Condition Errors** - Return Iceberg-spec compliant errors (NoSuchTableException, etc.) when deletes race with other operations, instead of 500 errors or S3-style errors (#2672)

- **Dirty Flag Handling** - Only clear dirty flag when save succeeds to prevent data loss on save errors; add write lock during namespace deletion to prevent race conditions (#2719)

- **Token Credential Refresh** - Regenerate STS credentials for all tokens when share schemas change, ensuring existing tokens can access newly added tables. Previously, users had to create new tokens after adding tables to a share (#2694)

- **Token Management** - Fix GetDeltaSharingProfile using incorrect lookup (tokenID vs tokenHash); add rollback on token index update failure to prevent orphaned tokens (#2711)

- **Delta Sharing Protocol Compliance** - Align error responses with Delta Sharing protocol specification for pagination (maxResults), query validation (JSON body), and version parameters (startingVersion, endingVersion) (#2727)

- **Warehouse Bucket Detection** - Replace tag-based warehouse bucket detection with dedicated IsWarehouse field in BucketMetadata for faster lookups and protection against tag spoofing (#2668)
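
Why the "IAM Policy Namespace Matching" fix above matters for policy evaluation, as an added sketch that is not AIStor's own code. The separator value `\x1f` and the names `stringLike`, `matchRaw` and `matchDotted` are assumptions; the release note does not say which internal separator is used.

```go
package main

import (
	"fmt"
	"strings"
)

// internalSep: ASSUMED internal namespace separator (not named on the page).
const internalSep = "\x1f"

// stringLike is IAM-style StringLike: '*' matches any run, '?' one character.
func stringLike(pattern, s string) bool {
	p, str := []rune(pattern), []rune(s)
	pi, si, star, mark := 0, 0, -1, 0
	for si < len(str) {
		switch {
		case pi < len(p) && p[pi] == '*':
			star, mark = pi, si
			pi++
		case pi < len(p) && (p[pi] == '?' || p[pi] == str[si]):
			pi++
			si++
		case star >= 0: // backtrack: let the last '*' absorb one more rune
			mark++
			pi, si = star+1, mark
		default:
			return false
		}
	}
	for pi < len(p) && p[pi] == '*' {
		pi++
	}
	return pi == len(p)
}

// matchRaw compares the pattern with the internal form (pre-fix behaviour).
func matchRaw(pattern string, levels []string) bool {
	return stringLike(pattern, strings.Join(levels, internalSep))
}

// matchDotted converts the internal separator to dots first (post-fix).
func matchDotted(pattern string, levels []string) bool {
	internal := strings.Join(levels, internalSep)
	return stringLike(pattern, strings.ReplaceAll(internal, internalSep, "."))
}
func main() {
	ns := []string{"plattform", "abc"} // constructed sample namespace
	fmt.Println(matchRaw("plattform.*", ns), matchDotted("plattform.*", ns))
}
```

In IAM-style evaluation a condition that fails to match makes the whole statement not apply, whether it is an Allow or a Deny, so after upgrading it is worth re-testing namespace-scoped Deny statements as well as Allow statements.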

### Other Fixes

- **RingBuffer Flush() Deadlock** - Fix deadlock when Flush() is called with minimum write enabled and buffer contains less than minWriteTo bytes. Affects `mc admin inspect` functionality (#2709)

- **Inventory Job Reliability** - Add retry logic for final metadata save on ETag mismatch in degraded EC environments; generate new InstanceID on job resume to handle old periodicSaver goroutines gracefully (#2568)

- **SMART Logging** - Replace excessive SMART permission denied logging with a `collection_error` Prometheus metric to expose failures without flooding logs (#2696)

- **Batch Rules Error Message** - Align max rules error message with maxBatchRules constant (100 rules limit) (#2715)

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-EDGE.2026-01-14T20-23-54Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-EDGE.2026-01-14T20-23-54Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-EDGE.2026-01-14T20-23-54Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

For detailed upgrade instructions, please read: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/

Platform-specific upgrade guides:

- **Linux/Bare Metal**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-linux/
- **Kubernetes with Helm**: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/upgrade-aistor-kubernetes-helm/

### New Configuration Options

The following new configuration subsystems are available for external log targets, shown alongside the settings for internal (disk-based) log recording:

```bash
# External log targets for API logs (webhook)
mc admin config set myminio log_api_webhook:primary endpoint=https://your-webhook.example.com

# External log targets for Error logs (webhook)
mc admin config set myminio log_error_webhook:primary endpoint=https://your-webhook.example.com

# External log targets for Audit logs (Kafka)
mc admin config set myminio log_audit_kafka:primary brokers=kafka1:9092,kafka2:9092 topic=minio-audit

# Internal log recording (disk-based)
mc admin config set myminio log_api_internal enable=on
mc admin config set myminio log_error_internal enable=on
mc admin config set myminio log_audit_internal enable=on
```

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io
