This release introduces the dedicated AIStor console for a management experience tailored to EOS workflows. Security is significantly enhanced with a new, easier-to-use FIPS 140-3 module, STS token revocation, and HTTPS for the console. Performance is also a key focus, with major optimizations for read operations, self-healing, and system startup in large-scale deployments.

### Breaking Changes
*   **Upgraded FIPS 140-3 Cryptography Module**: Replaced the previous FIPS implementation with Go's native FIPS 140-3 certified module. FIPS mode is now activated via the `GODEBUG="fips140=on"` environment variable, eliminating the need for separate FIPS binaries and extending support to more platforms. Existing deployments using FIPS binaries must update their startup configuration to use the new environment variable. (#508)

### New Features
*   **Introduces AIStor Management Console**: Replaces the previous UI with the AIStor console, a dedicated web-based interface tailored for EOS-specific capabilities and future enhancements. Users should familiarize themselves with the new interface for all management tasks. (#115)
*   **Adds Support for AWS S3 Express One Zone**: Enables compatibility with S3 Express One Zone for high-throughput, low-latency applications. This mode is activated with the `--express-zone` flag and disables features not supported by this storage class, such as versioning. (#549)
*   **Enables STS Token Revocation**: Introduces the ability for administrators to revoke active STS tokens for a specific user or by a pre-assigned token type, enhancing control over temporary credentials. Authenticated users can also revoke their own tokens. (#498)
*   **Secures Administrative Console with HTTPS**: The administrative console now supports HTTPS, ensuring all management traffic is encrypted for improved security. (#578)
*   **Provides Object Replication Event Notifications**: Adds optional event notifications for replication operations (`s3:Replication:OperationCompletedReplication`). This feature, enabled via an environment variable, allows for better tracking and automation of data synchronization workflows. (#550)
*   **Automates Performance Anomaly Detection**: The server now automatically monitors goroutine and memory usage, saving diagnostic profiles if significant growth is detected. This provides valuable data for troubleshooting performance issues without manual intervention. (#478)
*   **Adds Support for XXH3 Bitrot Detection**: Introduces the high-performance XXH3 bitrot detection algorithm, offering faster data integrity checks on compatible low-end CPUs (e.g., ARM Cortex-A). (#496)
*   **Enables Runtime Configuration of Batch Parameters**: Administrators can now configure batch operation parameters (e.g., size, delay) at runtime, providing greater flexibility for performance tuning without a server restart. (#451)
*   **Retrieves Additional Checksums via GetObjectAttributes**: The `GetObjectAttributes` operation can now return additional checksum types (CRC32, CRC32C, SHA1, SHA256) if available, simplifying data integrity verification. (#486)
*   **Expands Batch Replication to Multiple Prefixes**: Batch replication rules now support multiple prefixes, allowing for more granular and flexible control over which datasets are replicated. (#475)
*   **Allows STS Users to Retrieve Own Account Info**: Users authenticated with temporary STS credentials can now retrieve their own account information via the `TemporaryAccountInfo` API. (#452)

### Improvements
*   **Provides Read-Only Mode for Expired Licenses**: Deployments with an expired commercial license will enter a 6-month read-only period after the grace period. This allows continued data access and provides an extended window for data migration. (#514)
*   **Streamlines Diagnostic Health Reports**: Health reports generated by `mc support diag` are now smaller and more informative, including only data partitions, storage tier configurations, and NIC settings to aid in troubleshooting. (#455)
*   **Enhances Cluster Readiness Checks**: The system readiness probe now uses the `/minio/health/cluster` endpoint, ensuring the entire cluster is fully operational before reporting a ready state, which improves deployment reliability. (#527)
*   **Adds License Details to Health Reports**: Diagnostic reports now include license information for each server, such as organization and expiration dates, to facilitate proactive license management. (#535)
*   **Prevents Operations on Unhealthy Clusters**: Decommission and rebalance operations now require the cluster to pass a health check before proceeding, preventing potential issues on unstable clusters. (#544)
*   **Avoids Writing to Pools with High Inode Usage**: The system now avoids selecting storage pools for new data if inode usage is at 95% or higher, helping to prevent "no space left on device" errors. (#543)
*   **Upgrades Embedded AIStor Console**: Integrates version 0.0.8 of the AIStor console, providing the latest UI/UX enhancements and fixes for an improved management experience. (#594)
*   **Enables Daily Callhome by Default for New Clusters**: To enhance proactive monitoring, the daily callhome diagnostic feature is now enabled by default on all new deployments. This can be disabled at any time. (#458)
*   **Updates Core Dependencies**: Incorporates updates to underlying components, including `minio/pkg`, `madmin-go`, and `aistor`, to introduce new functionality and address known issues. (#487, #520, #558)

### Performance Improvements
*   **Accelerates Read Operations with Optional Zero-Copy**: Adds optional support for `sendfile()` to nearly double read throughput and reduce CPU usage on high-speed networks. This feature must be manually enabled. (#467)
*   **Optimizes `GetObject()` Operations**: Significantly improves the speed of `GetObject()` calls by reducing I/O, especially for small objects and in multi-pool or replicated environments. (#515)
*   **Improves Self-Healing and Deletion Efficiency**: Optimizes the healing scanner and object deletion processes to significantly reduce disk I/O, improving overall system performance during background maintenance. (#484)
*   **Speeds Up Cached Object and Directory Listings**: Leverages the metadata cache for `List()` operations when caching is enabled, resulting in faster responses for workflows that frequently browse directories. (#556)
*   **Reduces System Startup Time**: Optimizes the endpoint initialization process, resulting in faster startup times, particularly for large-scale deployments with many hosts and drives. (#524)
*   **Enhances Distributed Locking for Large-Scale Deployments**: The distributed locking mechanism now uses more nodes for lock sharding, improving performance and scalability in deployments with 8 or more unique nodes. (#529)
*   **Optimizes Internode Communication Buffers**: Adds new configuration options (`WriteBufferSize`, `ReadBufferSize`) to allow administrators to tune server-to-server communication for enhanced data transfer performance in high-speed networks. (#429)

### Bug Fixes
*   **Corrects SFTP Authentication Bypass with LDAP**: Fixes a critical vulnerability where SFTP access could be granted without a valid public key in LDAP. Key-based authentication now strictly requires a key to be present in the user's LDAP profile. (#479)
*   **Resolves Failure in Kubernetes Rolling Restarts**: Ensures rolling restarts in Kubernetes complete successfully by correctly handling injected environment variables that were previously misinterpreted as configuration errors. (#471)
*   **Fixes Incomplete S3 Object Listings with ILM**: Ensures S3 list operations return complete and accurate results on buckets where ILM policies are actively skipping objects. (#472)
*   **Prevents Unresponsiveness When Listing Large Prefixes**: Corrects an issue that could cause service degradation when listing prefixes containing a very large number of objects. (#439)
*   **Ensures Accurate Replication of Large Object Deletions**: Fixes a tracking issue to ensure the replication status for large object deletions is accurately maintained. (#440)
*   **Preserves Object Tags During Batch Replication**: Corrects an issue where object tags were not being transferred, ensuring tags are now accurately preserved during batch replication jobs. (#432)
*   **Improves Reliability of Server Decommissioning**: Resolves an issue where the decommissioning process could become unresponsive if a bucket was deleted while the operation was in progress. (#509)
*   **Allows Non-Root Users to Access Prometheus Metrics**: Fixes an authentication issue, allowing authorized non-root users to successfully retrieve Prometheus metrics. (#499)
*   **Corrects ILM Rule Evaluation for Versioned Objects**: Fixes the evaluation of ILM rules with the `NewerNoncurrentVersions` condition to ensure lifecycle actions align with AWS S3 behavior. (#464)
*   **Resolves Checksum Error During Software Updates**: Fixes an issue that could cause software updates to fail with a "wrong checksum" error, leading to a more reliable upgrade process. (#533)
*   **Prevents Accidental Bucket Recreation During Healing**: Enhances the self-healing logic to prevent data buckets from being inadvertently recreated if they temporarily lose quorum. (#460)
*   **Improves Memory Management on Linux for Large File Operations**: Reduces excessive memory usage by the disk cache on Linux systems, improving performance when handling numerous large files. (#473)
*   **Enables Multiple Standalone Instances on a Single Host**: Resolves a port conflict that previously prevented multiple standalone server instances from running concurrently on the same machine. (#470)
*   **Addresses Various Internal Race Conditions and Nil Pointers**: Includes multiple fixes to resolve internal data race conditions and nil pointer dereferences, improving overall system robustness during concurrent operations, startup, and shutdown. (#449, #459, #505, #553, #562, #583)

### Security Updates
*   **Addresses Known Vulnerabilities**: Includes updates to internal software components to proactively address known vulnerabilities and strengthen the overall security posture of the application. (#476)
*   **Patches Go Standard Library Vulnerability**: Incorporates a fix for the security vulnerability identified as GO-2025-352. (#546)