Release Notes : F5OS-C for VELOS version 1.1.0 Release Notes

Applies To:

F5OS-C

  • 1.1.0
Release Notes
Software Release Date: 03/15/2021
Updated Date: 02/28/2022

Summary:

This release note pertains to the 1.1.0 release of F5OS for VELOS systems.

For information on BIG-IP tenants supported in this release, see K9476: The F5 hardware/software compatibility matrix.

Supported hardware

This release supports these platform models:

  • VELOS CX410 chassis (F101)
  • VELOS SX410 system controller
  • VELOS BX110 blade (A118)

If you are unsure which models you have, look on the label at the front of the chassis, blade, or system controller to locate the model number.

User documentation for this release

About installing updates

For information about installing and upgrading software on VELOS platforms, please see VELOS Systems: Software Installation and Upgrade.

Known issues

873497 - Message logged during system boot: 18042: No controller found

Symptoms:

System messages say it will reboot after the firmware update but the system does not actually reboot.

Note: If you try to reboot while the update is in progress, the reboot fails and logs a message indicating that the system is going down for reboot. It does not reboot, however.

Messages displayed:

-- Failed to start reboot.target: Transaction contains conflicting jobs 'stop' and 'start' for systemd-reboot.service. Probably contradicting requirement dependencies configured.

-- See system logs and 'systemctl status reboot.target' for details.

-- Broadcast message from root@localhost on ttyS0 (Tue 2020-01-28 10:18:33 PST):

The system is going down for reboot NOW!

Conditions:

-- Firmware is being updated.

-- User initiates a system reboot.

Impact:

The system prevents rebooting while the firmware upgrade is in progress, but an erroneous message is logged indicating that a reboot will occur.

Workaround:

Do not attempt to reboot during a firmware update. The message is erroneous and you can safely ignore it.

879325 - PCIe correctable errors may be infrequently reported on VELOS BX110 blades

Symptoms:

PCIe correctable errors may be infrequently reported on VELOS BX110 blades due to the Train Cold - Run Hot (TCRH) Compensation Feature being triggered in response to platform temperature changes. This feature uses a PCIe PHY layer reset to optimize performance and data integrity as operating conditions change. Examples of the different types of correctable errors that may be reported include the following:
  • Bad DLLP
  • Bad TLP
  • Replay timer timeout (RTTO)

Conditions:

-- Train Cold - Run Hot (TCRH) Compensation Feature triggered in response to platform temperature changes.

-- VELOS BX110 blades.

Impact:

The Train Cold - Run Hot (TCRH) Compensation Feature is an expected behavior on the VELOS BX110 blade and these infrequent correctable errors have no system impact.

Workaround:

None needed. This is a benign message that you can safely ignore.

918781 - i8042: No controller found

Symptoms:

During boot, the system logs a message: i8042: No controller found.

Conditions:

This occurs during system startup of a VELOS System Controller or Blade.

Impact:

The message is benign, and you can safely ignore it.

Workaround:

None

918789 - 'Error parsing PCC subspaces' message on the console during boot

Symptoms:

'Error parsing PCC subspaces' appears on the console when the system boots.

Conditions:

Viewing the console on boot.

Impact:

The message is benign and can be ignored.

Workaround:

None

918793 - Message 'Failed to start origin-node.service' occurs during boot

Symptoms:

During boot, the system controllers may display the message [FAILED] Failed to start origin-node.service.

Conditions:

The system is booting up.

Impact:

An error is logged, but there are no known negative impacts to system operation. The origin-node service is dependent on the docker daemon and other dependent services. In the background, the origin-node service automatically starts when the dependent services are up and running.

Workaround:
You can verify the status of the service using the following procedure:

  1. Wait 5 to 8 minutes after you see the ssh/login banner.
  2. Run the following command in BASH as root:

systemctl status origin-node.service

920317 - Hot plug nuisance log error

Symptoms:

PWR-0366-XX 3000W AC power supply used in VELOS CX410 series chassis reports a 'PSU <n> other communication fault event' in the log when the power supply is hot plugged (Hot plug: disconnecting/applying power to a PSU connection).

Conditions:

This fault indicates that there is a problem with the communication between the primary and secondary PSU DSP devices inside the PSU. This usually happens when the PSU is connected to the 12V bus and the AC power cord has been removed. In this situation, the secondary-side DSP is powered from the 12V bus through a peer supply, while the primary side is not powered because AC has been removed.

Impact:

Eventually, the lack of communication triggers a STATUS_CML.COMM_FAULT and records the message in the log. This is a latching fault that can turn off 12Vout, meaning that, in PMBus, the fault remains asserted even if the underlying condition has already cleared internally.

Workaround:

There is no fix for this issue as the power supply functions as designed.

930053 - Issuing 'bigstart stop' makes tenant unreachable

Symptoms:

When you issue a 'bigstart stop' command in a tenant running on the VELOS platform, the management port becomes unreachable.

Conditions:

-- Log into the tenant using an ssh connection to the management IP address.

-- Issue the command: bigstart stop.

Impact:

Cannot ssh or ping the tenant management IP address.

Workaround:

Specify tmm with the command: bigstart stop tmm

931753 - Tenant management MAC addresses are not from the chassis-wide management pool

Symptoms:

The tenant management MAC addresses do not originate from the chassis-wide management pool. They are software-generated MAC addresses. Though unlikely, this randomly allocated MAC address might collide with an existing MAC address in the tenant management network. This can result in unexpected and erratic network behavior for the tenant and for the external entity that has the same MAC address.

Conditions:

-- Start up a tenant.

-- The system assigns a random management port.

-- The random management port has a MAC address that already exists in the network.

Impact:

A tenant or external entity with the same MAC as the tenant could experience intermittent network issues on the management network, including tenant startup failure.

Workaround:

To have the system generate a new MAC address: toggle the tenant's running state to Provisioned and back to Deployed.

Note: If the new MAC address also conflicts with an existing MAC address, you must perform these steps again.

932945 - STP references to stale interfaces remain when the port group changes

Symptoms:

When you change an existing port group, e.g., from one 100G port to four 25G ports, STP still reports the old interfaces in 'show stp' from the CLI. Additionally, the new interface does not display in the CLI.

Conditions:

This occurs when making changes to the port group mode, e.g., from one 100G port to four 25G ports.

Impact:

-- The old interfaces still display when running 'show stp' from the CLI.

-- The new interface does not display when running 'show stp' from the CLI.

-- You must manually remove the old interfaces and add the new interface via the CLI.

Workaround:

You must manually remove the old interfaces and add the new interface via the CLI.

939893 - CLI does not include firmware version information for sirr or ssd

Symptoms:

The show components information does not include the firmware version information for the sirr or ssd.

Conditions:

Running the show components command.

Impact:

The show components command does not report the firmware version information for the sirr or ssd data fields.

Workaround:

None

946473 - Incorrect interface status returned when System Controller is removed or ceases to function

Symptoms:

The 'show interfaces interface state operstatus' reports 'UP' for interfaces on System Controller when it is permanently down (i.e., powered off or removed).

Conditions:

-- Running the command: 'show interfaces interface state operstatus'.

-- A System Controller is removed or ceases to function.

Impact:

Incorrect status is returned. This occurs because the interfaces' operstatus cannot be updated by the down or missing System Controller.

Workaround:

None

950109 - Interface 'in-discards' counter not reset

Symptoms:

If you issue a reset counters command, the in-discards counter is not reset to 0.

Conditions:

Issue 'reset counters interfaces <interface>' or 'reset counters all' commands.

Impact:

Counter is not reset to 0.

Workaround:

None

950477 - USB device presence causes errors in the blade log

Symptoms:

When a USB device is present in the blade, the velos.log contains a large number of errors from platform-hal related to the USB device and attempts to detect it.

Conditions:

USB device is present in the blade.

Impact:

Numerous unnecessary messages appear in the log.

Workaround:

These messages are benign, and you can safely ignore them.

950793 - BAR 7: failed to assign

Symptoms:

During startup, the VELOS system logs a message:

BAR 7: failed to assign.

Conditions:

This occurs when Intel X553 Ethernet is initialized during system startup of a VELOS blade.

Impact:

The message is benign and you can safely ignore it.

Workaround:

None

950797 - ERST and VDO messages during boot

Symptoms:

After system startup, dmesg shows the following messages:

[ 1.306207] ERST: Error Record Serialization Table (ERST) support is initialized.

[ 18.503404] uds: kvdo0:dedupeQ: verifyBufferedData got unexpected data: UDS Error: Corrupt saved component (1030)

Conditions:

Viewing messages after system startup.

Impact:

ERST is not an error. It means ERST is initialized and although 'E' stands for 'error', the log message is not an error message. The kvdo0:dedupeQ message occurs when the VDO volume is initialized. Since the volume has only been initialized, there's nothing to corrupt. Both messages can be ignored.

Workaround:

These are not error messages, and you can safely ignore them.

950837 - Command 'show system blade-power' does not show current blade power state

Symptoms:

The CLI command 'show system blade-power' displays the power requested and allocated to a blade. It does not show the power currently being drawn by the blade.

Conditions:

Blade is powered off via AOM commands.

Impact:

The 'show system blade-power' command output does not change, so it is not a suitable method to determine the power status of blades in the system. There is no impact to the running system itself.

Workaround:
Use AOM to check the blade power state if it is not possible to check blade indications visually:

  1. Enter AOM.
  2. Capture blade console.
  3. Select Display Blade Information.

951405 - Disabling appliance mode for a tenant leaves root login and shell access disabled

Symptoms:

When appliance mode is enabled, access to the Advanced shell (bash) is removed, and the system root user cannot log in to the device by any means, including the serial console. When appliance mode is then disabled, Advanced shell access and root login are still disabled.

Conditions:

-- Enable appliance mode for a tenant.

-- Disable appliance mode for a tenant.

Impact:

Cannot access the Advanced shell or log in as root user when appliance mode is disabled. This is intended functionality.

Workaround:

Log in via tmsh and run:

tmsh modify sys db systemauth.disablerootlogin value false

tmsh modify sys db systemauth.disablebash value false

951801 - CPU and memory utilization statistics might be unavailable on the CLI

Symptoms:

CPU and memory utilization data is blank after bootup for both system controllers when viewed on the CLI using the following commands:

  • show components component * cpu state cpu-utilization
  • show components component * state memory

Conditions:

This may happen intermittently if the internal subnet is set to a non-default value.

Impact:

You cannot reliably view CPU and memory utilization through the CLI.

Workaround:

None

954785 - CLI component data is not updated to reflect removal of peer system controller

Symptoms:

If the standby system controller is removed, the CLI command 'show components component' information is not updated to reflect its removal.

Conditions:

-- Standby system controller is removed.

-- Running the CLI command 'show components component'.

Impact:

No operational impact other than the data is stale. If another controller is installed, the data is updated to reflect the new controller.

Workaround:

To remove the stale data, you must reboot the remaining system controller or replace the removed standby controller.

956909 - Status LED may be left off after LCD test

Symptoms:

Status LED may be left in the off state after an LCD test.

Conditions:

Issue occurs after the LCD test is executed.

Impact:

Status LED may not reflect actual state of the system after an LCD test.

Workaround:

Power-cycling the chassis resolves the Status LED state.

957093 - Switch-related events with Notice severity found in confd event log during blade reboot

Symptoms:

Several switch-related events sometimes occur when a blade is rebooted. These events are generated if the switch port to which the blade is connected reports an FEC Uncorrected Error, and posts error messages similar to the following:

-- NOTICE 'Switch Port in fault state'.

The errors usually clear soon after the blade boots up.

Conditions:

This occurs upon system start up.

Impact:

The system generates a few unwanted events. If the blade boots successfully and networking is functioning normally, you can safely ignore the 'Switch Port in fault state' events.

Workaround:

None

957129 - Qkview collection running on peer does not cancel when main qkview is canceled

Symptoms:

Qkview collection is distributed, and there is a main process for collecting qkview information from peer devices. The main qkview process (running on the active system controller) or the partition manager spawns processes to collect from its peers. Peers are not aware of whether the main qkview operation has been canceled.

Conditions:

A qkview is canceled, and then immediately restarted.

Impact:

Partial qkview collection. When a qkview is canceled on the main collection system, the peers are not aware of this, and continue to collect. The peer qkviews may not be collected if the peers are still processing the last qkview request.

Workaround:

Wait 5 minutes after canceling, and then run qkview again.

960893 - Tenant deployment fails if tenant name exceeds 49 characters

Symptoms:

If an admin configures a tenant with a name that is longer than 49 characters, tenant deployment fails.

Conditions:

Partition created and enabled on VELOS hardware for admin to login and create a tenant configuration.

Impact:

Configured tenant fails to schedule on the VELOS cluster due to Red Hat OpenShift name length restrictions, i.e., if the tenant name has more than 49 characters, the server rejects the deployment request.

Workaround:

Delete the existing tenant and create a new tenant deployment with a name having 49 or fewer characters.

Note: The system might not prevent you from using more characters, but the recommendation is 49 or fewer.

963941 - The authentication method TACACS_ALL is not supported

Symptoms:

The CLI includes the TACACS_ALL authentication option, but this option has no functionality.

Conditions:

This is encountered while configuring authentication using the following command:

system aaa authentication config authentication-method

Impact:

TACACS_ALL is presented, but this option does nothing.

Workaround:

Do not use the TACACS_ALL option.

968529 - Partition number interfaces are not listed under Network Settings :: Port Groups, Interfaces, or LAGs

Symptoms:

No interfaces are listed in the partition management screen under Network Settings :: Port Groups, Interfaces, or LAGs.

Conditions:

Conditions under which this occurs are not entirely known. It has been seen after multiple reset-to-defaults commands are issued.

Impact:

System does not function properly.

Workaround:

Issue a single reset-to-defaults command at a time. Should this condition occur, reboot the entire chassis (both controllers) and the interfaces should repopulate as expected.

968881 - Creating a partition using the CLI, 'commit check' fails

Symptoms:

When creating a partition using the CLI, and trying to validate the changes with 'commit check', a validation error occurs: partitions 'partition part1 uuid' is not configured.

Conditions:

-- Create a partition using the CLI.

-- Attempt to validate the changes using 'commit check'.

Impact:

The 'commit check' operation rejects this config change. This error is misleading, indicating that you need to specify a uuid value.

Note: Not only is uuid irrelevant, it is not possible for you to specify it.

Workaround:

None

973209 - Previously saved system database filename is not tab-expandable

Symptoms:

When restoring a previously saved system database, the filename is not tab-expandable. There is no way to get a list of the existing system database backup filenames, other than by using CLI filesystem operations.

Conditions:

-- Run 'system database config-backup name' to restore a previously saved system database using the CLI.

-- Attempt to tab-expand the filename portion of the command.

Impact:

You must exit to the bash shell, or use the file operations to find the backup filename and try the operation again.

Workaround:

To determine the previously saved filenames:

-- For system controller, use:

file list path /var/confd/configs/

-- For partitions, use:

file list path /var/F5/partition/configs/

973217 - Qkview generation mishandles filename with space in it

Symptoms:

If the qkview filename contains a space, the system uses only the first word for the qkview filename.

Conditions:

Using filenames with spaces in them while generating a qkview.

Impact:

Only the first word is used in the generated qkview filename.

Workaround:

Do not use spaces in qkview filenames.

973449 - System date/time not displayed in GUI, cannot be set

Symptoms:

The system does not display the current date/time and timezone in the GUI, which can make it difficult to review alerts or logs without knowing/remembering how the system is configured. The system does not provide a mechanism to update the system clock directly, without NTP.

Conditions:

Attempting to view or set system time and date via the GUI.

Impact:

You cannot view or set system time and date through the GUI.

Workaround:

None

973469 - The ed25519 certificate and key are not accepted

Symptoms:

The GUI stops working without any warning or error if an ed25519 crt/key is imported.

Conditions:

Import an ed25519 crt/key.

Impact:

GUI stops working. In the system controller log you see errors:

-- OpenSSL PEM_read_bio_PrivateKey failed read key" file="server.key".

-- controller-1 /usr/bin/authd[7]: priority="Err" version=1.0 msgid=0x3901000000000022 msg=OpenSSL X509_PUBKEY_get failed to get key."

Workaround:

Do not use ed25519 crts/keys.
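
The workaround above depends on knowing the key algorithm before the import, and the failing GUI gives no warning. The following added example (not part of these release notes or of F5OS) classifies a PEM private key by parsing the PKCS#8 AlgorithmIdentifier directly, so it can be run on the key file before it is handed to the system controller. The only sample input is the published Ed25519 test vector from RFC 8410, section 10.3; the `constructed_pkcs8_pem` helper wraps an arbitrary OID in a placeholder key purely to exercise the classifier. Everything else (function names, the rejected-algorithm set, host names) is an assumption of this example.

```python
import base64
import re

# Constructed sample input: the Ed25519 private key from RFC 8410, section 10.3,
# a published test vector rather than a real deployment key.
ED25519_PEM = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
-----END PRIVATE KEY-----
"""

# DER-encoded algorithm OIDs found in a PKCS#8 AlgorithmIdentifier.
OID_NAMES = {
    bytes.fromhex("2a864886f70d010101"): "RSA",      # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "EC",           # 1.2.840.10045.2.1 id-ecPublicKey
    bytes.fromhex("2b6570"): "Ed25519",              # 1.3.101.112
    bytes.fromhex("2b6571"): "Ed448",                # 1.3.101.113
}

# Key algorithms this release note says the GUI cannot load (assumption: only
# the one the note names is refused; everything else is passed through).
REJECTED_ALGORITHMS = {"Ed25519"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem):
    """Return (label, der_bytes) for the first PEM block in the text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def key_algorithm(pem):
    """Name the private key algorithm without loading the key into any crypto library."""
    label, der = pem_to_der(pem)
    if label == "RSA PRIVATE KEY":  # legacy PKCS#1 label: the label itself names the algorithm
        return "RSA"
    if label == "EC PRIVATE KEY":   # legacy SEC1 label
        return "EC"
    if label != "PRIVATE KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    # PKCS#8 PrivateKeyInfo ::= SEQUENCE { version INTEGER,
    #                                      privateKeyAlgorithm AlgorithmIdentifier, ... }
    tag, info, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#8 body is not a SEQUENCE")
    _, _version, pos = _tlv(info, 0)
    tag, alg_id, _ = _tlv(info, pos)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return OID_NAMES.get(bytes(oid), "unknown OID " + bytes(oid).hex())


def safe_to_import(pem):
    """False when the key uses an algorithm the release note says breaks the GUI."""
    return key_algorithm(pem) not in REJECTED_ALGORITHMS


def constructed_pkcs8_pem(oid):
    """Build a minimal PKCS#8 PEM around an algorithm OID to exercise the
    classifier; the key octets are a placeholder, not a usable private key."""
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x02\x01\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x04\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    samples = [
        ("rfc8410-ed25519", ED25519_PEM),
        ("constructed-rsa", constructed_pkcs8_pem(bytes.fromhex("2a864886f70d010101"))),
    ]
    for name, pem in samples:
        print(f"{name}: {key_algorithm(pem)}, safe to import: {safe_to_import(pem)}")
```

The certificate that pairs with the key carries the same algorithm in its SubjectPublicKeyInfo, so checking the key file alone is enough to know whether the pair will trip this issue. Legacy "RSA PRIVATE KEY" and "EC PRIVATE KEY" PEM labels are classified from the label itself, since those formats do not carry a PKCS#8 AlgorithmIdentifier.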

979337 - Two different partitions can be assigned the same management IP address

Symptoms:

It is possible to assign the same management IP address to multiple partitions.

Conditions:

This is encountered when creating new partitions using the CLI. You can duplicate the management IP address without getting an error.

Impact:

Creating a duplicate management IP address can cause management traffic disruption.

Workaround:

Reconfigure the affected partitions with unique IP addresses.

980129 - CLI shows prefix length of 32 after removing IPv4 address

Symptoms:

When the CLI is used to clear the configured IPv4 address, the system reports the prefix length as 32 bits.

Conditions:

-- Clearing the configured IPv4 address.

-- Viewing the prefix information the system reports.

Impact:

CLI shows prefix length of 32. There is no functional impact. When an IPv4 address and prefix is set again, the proper prefix length is reported.

Workaround:

None

980701 - Incorrect standby system controller state reported with show components component

Symptoms:

When the standby system controller is removed, the CLI data is not updated to reflect its removal. The empty state field is one of several bits of data that is not correct.

Conditions:

-- After removal of standby system controller.

-- Viewing state information in the CLI.

Impact:

No operational impact; just stale/incorrect CLI data about the state of the removed system controller.

Workaround:

You can correct the data using either of the following:

-- Reboot the remaining system controller.

-- Insert a system controller to replace the standby controller that was removed.

981081 - Qkview file is not created if a failover happens during collection

Symptoms:

Qkviews are started and collected on the active controller/partition. If a failover happens while a qkview is in progress, that qkview operation is aborted, and the file deleted.

Conditions:

1. Start a qkview on the active device.

2. Failover the active to standby.

Impact:

The qkview collection stops and no file is created.

Workaround:

Do not initiate a failover from active to standby while qkview is in progress.

981605 - Qkview truncates lines of top command at 80 characters

Symptoms:

When run outside a console, as it is by qkview, the top command defaults to an output width of 80 characters. When top is executed this way, the -w parameter must be used to specify the output width.

Conditions:

Run qkview.

Impact:

Output of top command is truncated at 80 characters. Some contents of the top command may be missing in qkview files.

Workaround:

Run top separately from qkview.

982309 - IPv6 configuration options are present in CLI but are not actually supported

Symptoms:

The CLI presents configuration options for IPv6, but the IPv6 functionality is not supported in this release and does not function properly.

Conditions:

-- Viewing the CLI configuration options.

-- Attempt to configure the IPv6 options.

Impact:

IPv6 configuration does not work.

Workaround:

None

984073 - Slow system controller operations related to images

Symptoms:

A number of system controller operations related to images suffer from an approximately 5-second delay. This includes CLI commands such as 'show image partition' and 'show image controller', but there is also a delay when using tab-completion to view suggested completions for such commands. The delay appears to be mostly constant, independent of the number of partitions in the system. The delay is always present for these commands.

Conditions:

Using CLI commands related to images.

Impact:

In addition to the 5-second delays experienced directly on the CLI, there is likely similar impact to related GUI functionality, such as the partition management page. These delays do not appear to negatively impact any functionality.

Workaround:

None

984081 - Delete key functions like Backspace in F5OS CLI

Symptoms:

Inside the F5OS CLI, the 'delete' key behaves in the same way as the backspace key. Instead of deleting the next character (the character to the right of the cursor), pressing 'Delete' deletes the previous character (the character to the left of the cursor).

Conditions:

Using the F5OS CLI.

Impact:

'Delete' key does not function in expected fashion.

Workaround:

Use the arrow keys to change the cursor location and then use backspace.

984089 - Tcpdump captures at the partition level may show packets in the wrong time order

Symptoms:

Tcpdump may show the packets in an out-of-order fashion if it is run from a partition that spans multiple blades. The order refers to the timeline of these packets appearing on the network links outside the system, e.g., a TCP SYN may come from the client to the system, and the system may have responded with a SYN-ACK to the outside client. The capture may show the SYN-ACK packet first and then the SYN.

Other than inferring from knowledge of the protocol what these packets represent, there is no real way to mitigate in the multiple-port aggregation scenario.

Note: A tcpdump run from inside a BIG-IP tenant shows the correct order.

Conditions:

-- This may be encountered where there is an LACP-aggregated link that spans two ports on two different blades.

-- It has also been seen less frequently as out-of-order between ingress (outside-to-host) and egress (host-to-outside) packets.

Impact:

Tcpdump captures show the order of the packets differently from when they really happened, leading to possible misinterpretation of events.

Workaround:

None

985009 - PSU data missing in show components component

Symptoms:

After a system controller failover, the PSU information may not be populated in the command:

show components component.

Conditions:

Active system controller fails over to the standby.

Impact:

PSU data is not listed. There is no operational impact to the system.

Workaround:

A total system reboot is the only option for listing the PSU data in the 'show components component' output.

985269 - Error when creating users via the GUI

Symptoms:

While using the GUI to create a new user on the System Controller, you click the Save and Close button and the user is created but an error is displayed:

Server Error(s)

Something went wrong. Check the web browser console for more details or contact technical support for assistance.

Conditions:

Using the GUI to create a new user account.

Impact:

The user is created but an error is displayed.

Workaround:

None

986061 - Partition config-backup silently overwrites a previous config backup

Symptoms:

The partition 'system database config-backup' command overwrites an existing backup file.

Conditions:

Running the partition 'system database config-backup' command.

Impact:

If a config backup exists, the operation silently overwrites it.

Workaround:

Specify a unique filename for each backup operation:

system database config-backup name unique-filename

986769 - Archive containing matched F5OS ISO images cannot be imported directly

Symptoms:

The top-level software for F5OS comprises two ISO images: one for partition/blades, and one for the system controller. These must both be installed, separately.

You have the option of downloading a .tar file containing both .iso files. However, the .tar archive is not itself directly importable on the running system, and download stalls.

Conditions:

-- Download the F5OS software in a bundled .tar archive.

-- Attempt to import the bundle for use on the system.

Impact:

Import operation does not complete. You must perform manual steps to import the F5OS .tar software file.

Workaround:

-- There are two .iso files that you must download for F5OS software: one for the system controller and one for the partition. These must both be installed, separately. You can download them separately and install them individually.

-- You can also download the .tar file, if you prefer to download both .iso files simultaneously. That way, you can untar the download in a location on an HTTPS server to serve the images to the chassis being rolled out. Once copied over, unpack the archive and import each ISO individually, by copying them to the import directory (/var/import/staging) on the active system controller.

987509 - CVE-2020-1971: OpenSSL vulnerability

Solution Article:

K42910051: OpenSSL vulnerability CVE-2020-1971

 
987565 - Importing F5OS platform software can take a very long time

Symptoms:

In many cases, software imports (such as chassis partition or system controller ISO imports) can take up to 30 minutes to complete and synchronize across both system controllers.

Conditions:

This is encountered when importing F5OS platform software for VELOS.

Impact:

It may take a long time for the import to complete and synchronize.

Workaround:

Wait at least 30 minutes for imports to synchronize before assuming the import has failed and trying to fix it.

987581 - CVE-2020-25643: Linux Kernel Vulnerability

Symptoms:

A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow are caused by improper input validation in the ppp_cp_parse_cr function, which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

F5OS status:

Not vulnerable.

988549 - CVE-2020-29573: glibc vulnerability

Solution Article:

K27238230: glibc vulnerability CVE-2020-29573

 
988669 - Interface config tpid leaf is exposed but it is not supported

Symptoms:

Interface config tpid leaf is exposed but it is not supported.

Conditions:

-- In CLI config mode, the system presents tpid as a possible config option.

-- In CLI show mode, tpid is shown as oper data.

Impact:

Interface config tpid leaf is exposed but it is not supported.

Workaround:

Ignore the tpid from interface/config or interface/state.

989181 - CVE-2020-14385: Linux Kernel Vulnerability

Solution Article:

K84900646: Linux kernel vulnerability CVE-2020-14385

 
989189 - CVE-2019-18282: Linux kernel vulnerability

Solution Article:

K32380005: Linux kernel vulnerability CVE-2019-18282

 
989425 - Multiple dnsmasq vulnerabilities

Symptoms:

Multiple dnsmasq vulnerabilities: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687.

A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Workaround:

N/A

989461 - CVE-2020-29573: glibc vulnerability

Solution Article:

K27238230: glibc vulnerability CVE-2020-29573

 
990161 - Removing the active System Controller occasionally leaves the OpenShift cluster offline

Symptoms:

The OpenShift cluster will appear offline to the user.

Conditions:

Occurs occasionally when the active system controller is physically removed.

Impact:

No access to the OpenShift cluster. The OpenShift cluster appears offline.

Workaround:

To have the cluster come back online, re-insert the extracted system controller.

990749 - URL field on file import does not validate HTTPS protocol

Symptoms:

A URL that does not specify HTTPS as the protocol is accepted as valid input, but results in a failed file transfer.

Conditions:

-- Importing a file to the device.

-- Enter a URL that does not specify HTTPS as the protocol.

Impact:

The URL field accepts the input, but the file transfer fails. Lack of protocol validation on the URL input does not prevent you from entering a URL that can result in a failed file import.

Workaround:

All file import URLs must be preceded with the HTTPS protocol.

990753 - Importing a file can result in errors even when parameters are correct

Symptoms:

Importing a file using File Utilities or the Software Management import utilities for System Controller and Chassis Partition software images can result in an error, even when the URL and other parameters are correct.

Conditions:

-- Importing a file.

-- The first attempt has an invalid URL.

-- Subsequent import attempts contain similarities in the URL paths used on the first attempt.

Impact:

The import fails and the error is ambiguous.

Workaround:

Refresh the screen and initiate a new file import attempt, making sure the URL and all other parameters entered are correct and valid.

990757 File extension validation on URL input field for F5OS File Utilities and Software Management features is not case insensitive. Symptoms:

The input validation on the URL field when you import a file checks that the URL ends in .iso or .img, but it does not accept mixed-case or uppercase entries, for example, .ISO / .IMG / .iMg / .Iso, etc.

Conditions:

-- Importing a file, either with File Utilities or the Software Management import utilities for System Controller and Chassis Partition software images.

-- The URL is appended with a file extension that is not lowercase.

Impact:

The URL field reports a validation warning.

Workaround:

Make sure the file extension appended on the end of the URL is all lowercase.

990897 Tenant operational state has incorrect data when it has no nodes Symptoms:

When the admin removes nodes from tenant configuration and upgrades the system controller software, the tenant status comes up with an error state.

Conditions:

Admin removes nodes from the tenant configuration using either of the following commands:

no tenants tenant <name> config nodes

tenants tenant <name> config nodes [ ]

Impact:

This has no effect on system functionality. The system is simply reporting an incorrect state of the tenant.

Workaround:

To process any traffic through the tenant, you must have a minimum of one node in the tenant config, for example:

show running-config tenants tenant <name> config nodes

tenants tenant example1

config nodes [ 1 ]

!

991029 Primary-Key-Migration set response message references incorrect command Symptoms:

After setting the primary key, the system reports the following message:

-- Response Info: Key migration is initiated. Use 'show system primary-key state status' to get status.

This is the wrong command.

Conditions:

This is encountered when running the following command: system aaa primary key set

Impact:

The prompt for the set command is misleading.

Workaround:

Use the command:

show system aaa primary-key state status

991061 Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI Symptoms:

Tenant validations are not working when a tenant is created using the CLI and subsequently edited in the GUI.

Conditions:

Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:

-- Scale-up/Scale-down the tenant.

-- Add/Remove VLAN.

Impact:

Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.

Workaround:

Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.

991309 'TPM Randomization failed' message in log Symptoms:

When the BIOS on a blade is freshly updated and the blade is booted, there may be a 'TPM Randomization failed' message observed in the log output. This message occurs only once (if at all) and is then followed by a successful boot of the system. This is caused by the TPM randomization step of the boot not being completed. The next boot of the system, initiated by the BIOS when this condition is encountered, allows the TPM randomization to complete. For security purposes, the system does not boot to the OS until TPM randomization has successfully completed.

Conditions:

This particular instance of this message may occur after a fresh BIOS update to the system. If the initial boot after a BIOS install is interrupted, the subsequent boot may display this message in the log. The BIOS then causes the blade to reboot, allowing the TPM randomization step to complete.

Impact:

There is no impact to the functionality of the system. The message is for informational purposes only in this situation. If the TPM randomization step of the BIOS execution is not able to complete successfully, the BIOS causes the blade to reboot until the TPM randomization is successful.

Note: If the system continually fails to boot due to this issue, you may have a hardware issue that requires F5 response to correct.

Workaround:

Allow the blade to continue to boot. Once the BIOS has caused the blade to reboot, the condition clears itself and the message no longer appears as part of the boot process.

992381 Tenant Management MAC address is not correctly displayed in tmsh or iControl interfaces Symptoms:

The F5OS partition CLI correctly displays the tenant management MAC address that matches what the tenant reports via 'ifconfig mgmt'. However, 'tmsh show sys mac-address' shows a different value. vCMP guests also exhibit this behavior.

Conditions:

This is encountered on F5OS tenants and vCMP guests.

Impact:

No functional impact known; just reports incorrect data.

Workaround:

If the tenant MAC address is required, use 'ifconfig mgmt' inside the tenant, or use the value in the partition CLI.

992477 Tenant does not start up with the right config after frequent running-state changes Symptoms:

If you create a tenant and set the running-state to deployed (without waiting for full startup), immediately change the running-state to provisioned (without waiting for the state change), immediately change tenant config such as vCPU/memory/VLANs/etc., and then immediately change back to deployed, the tenant starts up fine but may not come up with the right resources/config.

Conditions:

This occurs when the tenant running-state changes with no wait time in between state changes.

Impact:

The tenant starts up with inaccurate resources (e.g., vCPU/memory/VLANs/mgmt-ip).

Workaround:

Wait a minimum of 30 seconds to 1 minute between tenant running-state transitions. One way to ensure a clean transition is to verify from the following state output that the tenant has reached the desired state.

If performing deployments from the CLI:

show tenants tenant <tenant-name> state status

For example:

-- If the tenant running-state is 'deployed':

default-1#

show tenants tenant defaultbip-1 state running-state

state running-state deployed

Verify that the status has reached the desired state: 'Running' (if running-state is deployed).

default-1#

show tenants tenant defaultbip-1 state status

state status Running

-- If performing deployments from the GUI, verify the tenant status next to the state under Tenant Management :: Tenant Deployments.

993325 System controller does not have remote method to power on after being remotely powered off Symptoms:

If the system controller is powered off from the Linux bash shell using 'shutdown -P' or an equivalent command, there is no method available in the Always-On Management (AOM) menu, or any other method, to remotely power the system controller back on.

Once the system controller is powered off, it can be powered on only by either reseating the system controller or performing a full chassis power cycle.

Conditions:

The system controller is powered off using a bash command.

Impact:

You are unable to remotely power on a system controller after it has been powered off.

Workaround:

Reseat the controller or power cycle the chassis.

993985 Image import is not re-attempted if controller reboots while importing Symptoms:

If a system controller reboots in the middle of importing platform software, the import does not automatically restart on the next boot. Additionally, it is not possible to overwrite it via a new file transfer to try again.

Conditions:

-- Valid F5OS software has begun importing on a system controller, but the import is not complete yet.

-- A reboot is issued by either the admin user or the software.

Impact:

The software is not imported.

Workaround:

Follow this procedure:

1. Download the software again, but using a different destination file name.

2. Try the import operation again.

994429 Lost traffic on previously active system controller Symptoms:

Traffic is lost on the previously active system controller, so half of the traffic is lost.

Conditions:

The active system controller does not function, for example:

-- The system controller is physically non-functional (no electrical activity, etc.).

-- System software results in system controller failures for a long time.

Impact:

Traffic is lost on the previously active system controller, so half of the traffic is lost.

Workaround:

Reboot the newly active system controller.

995061 CVE-2019-17006: NSS Vulnerability Symptoms:

A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.

Workaround:

N/A

995145 CVE-2020-12403: NSS Vulnerability Symptoms:

A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.

Workaround:

N/A

995297 CVE-2021-3326: glibc Vulnerability Solution Article:

K44945790: glibc vulnerability CVE-2021-3326

 
995305 CVE-2020-8625: BIND Vulnerability Solution Article:

K13591074: BIND vulnerability CVE-2020-8625

 
995597 CVE-2018-15688: systemd Vulnerability Symptoms:

It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim may advertise itself as a DHCPv6 server and exploit this flaw to cause a denial of service or potentially gain code execution on the victim's machine.

Workaround:

N/A

995613 CVE-2019-10126: Linux kernel vulnerability Solution Article:

K95593121: Linux kernel vulnerability CVE-2019-10126

 
995633 CVE-2019-10160: Python vulnerability Symptoms:

A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs that make the application locate host-related information (e.g., cookies, authentication data) and send it to a different host than it should, which would not happen if the URLs had been parsed correctly. The result of an attack may vary based on the application.

Workaround:

N/A

995645 CVE-2019-9636: python vulnerability Solution Article:

K57542514: Python vulnerability CVE-2019-9636

 
995649 CVE-2018-16402: libelf vulnerability Symptoms:

libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

Workaround:

N/A

995657 CVE-2019-17133: Linux kernel vulnerability Solution Article:

K47227224: Linux kernel vulnerability CVE-2019-17133

 
995733 The lacpd process dumps core following physical interface delete Symptoms:

The lacpd process dumps a core following deletion of the physical interface if the interface is a working member of an LACP trunk. Physical interface deletes are commonly caused by either removing an associated blade from the partition or changing the port bifurcation configuration (e.g., from 1x100G to 4x25G).

Conditions:

Delete a physical interface that is a working member of an LACP trunk.

Impact:

Lacpd crashes and writes a core file; traffic disrupted while lacpd restarts.

Workaround:

Delete the aggregate-id for any physical interface before the interface is deleted.

995745 CVE-2018-11236: glibc vulnerability Solution Article:

K95065016: glibc vulnerability CVE-2018-11236

 
995769 CVE-2018-20060: python vulnerability Symptoms:

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Workaround:

N/A

995777 CVE-2016-4448: libxml2 vulnerability Solution Article:

K41103561: libxml2 vulnerability CVE-2016-4448

 
995781 CVE-2019-3861: libssh2 vulnerability Symptoms:

An out-of-bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data in the client memory.

Workaround:

N/A

995785 CVE-2019-11068: libxslt vulnerability Symptoms:

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

Workaround:

N/A

995789 CVE-2019-12450: glib vulnerability Symptoms:

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

Workaround:

N/A

995793 CVE-2019-5953: wget vulnerability Solution Article:

K14560101: Wget vulnerability CVE-2019-5953

 
995801 CVE-2018-18074: python vulnerability Symptoms:

A credentials-exposure flaw was found in python-requests, where if a request with authentication is redirected (302) from an HTTPS endpoint to an HTTP endpoint on the same host, the Authorization header is not stripped and the credentials can be read in plain text. A man-in-the-middle attacker could exploit this flaw to obtain a user's valid credentials.

Workaround:

N/A
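Both 995769 (urllib3 sending Authorization on any cross-origin redirect) and 995801 (python-requests keeping it on an HTTPS-to-HTTP redirect to the same host) come down to one missing check before a redirect is followed. The following is an added example, not F5, urllib3 or requests code, that implements that check as a standalone function; the rule it uses (drop the header whenever scheme, host or port changes, which covers the HTTPS-to-HTTP downgrade as a scheme change) is an assumption modelled on the fixes the two descriptions above mention.

```python
"""Decide whether the Authorization header may survive a redirect.

Added example (not F5 or library code). Assumed rule: the header is
dropped on any cross-origin redirect, where "origin" means the
(scheme, host, port) triple with default ports filled in.
"""
from typing import Dict, Tuple
from urllib.parse import urljoin, urlsplit

# Default ports so "https://h/" and "https://h:443/" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """Return the (scheme, host, port) triple for an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # hostname is case-insensitive
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, host, port


def is_cross_origin(from_url: str, location: str) -> bool:
    """True when following Location would change scheme, host or port.

    A relative Location (e.g. "/login") is resolved against from_url first,
    so it is same-origin by construction.
    """
    target = urljoin(from_url, location)
    return origin(from_url) != origin(target)


def headers_for_redirect(from_url: str, location: str,
                         headers: Dict[str, str]) -> Dict[str, str]:
    """Return the headers to send on the redirected request.

    Authorization (matched case-insensitively) is removed whenever the
    redirect is cross-origin; everything else is passed through unchanged.
    """
    if not is_cross_origin(from_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


if __name__ == "__main__":
    # Constructed sample: a bearer token that must not leak on downgrade.
    sent = {"Authorization": "Bearer example-token", "Accept": "*/*"}
    # CVE-2018-18074 shape: HTTPS -> HTTP on the same host (scheme changes).
    print(headers_for_redirect("https://api.example.test/v1",
                               "http://api.example.test/v1", sent))
    # Same-origin relative redirect: header is kept.
    print(headers_for_redirect("https://api.example.test/v1", "/v2", sent))
```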

997085 CVE-2020-8625: BIND Vulnerability Solution Article:

K13591074: BIND vulnerability CVE-2020-8625

 
997237 Changing chassis-id in system network config causes the cluster to not install correctly Symptoms:

If the chassis-id is changed from the default of 1 in the 'system network' configuration on the system controller, the cluster does not reinstall correctly once the change takes effect.

Conditions:

Chassis-id is changed from default of 1 to any other value.

Impact:

Cluster does not re-install correctly, which means tenants cannot be launched on the system.

Workaround:

None

998301 CVE-2021-23839: OpenSSL vulnerability Solution Article:

K61903372: OpenSSL vulnerability CVE-2021-23839

 
998305 CVE-2021-23840: OpenSSL vulnerability Solution Article:

K24624116: OpenSSL vulnerability CVE-2021-23840

 
998309 CVE-2021-23841: OpenSSL vulnerability Solution Article:

K52833764: OpenSSL vulnerability CVE-2021-23841

 
999345 CVE-2020-8284: libcurl vulnerability Solution Article:

K63525058: cURL vulnerability CVE-2020-8284

 
999357 CVE-2020-8285: libcurl vulnerability Solution Article:

K61186963: cURL vulnerability CVE-2020-8285

 
999365 CVE-2020-8286: libcurl vulnerability Solution Article:

K15402727: cURL vulnerability CVE-2020-8286

 
999377 CVE-2020-8286: libcurl vulnerability Solution Article:

K15402727: cURL vulnerability CVE-2020-8286

 
1000449 CVE-2020-12049: dbus Vulnerability Symptoms:

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

Workaround:

N/A

1000453 CVE-2019-25013: glibc vulnerability Solution Article:

K68251873: glibc vulnerability CVE-2019-25013

 
1001145 System controller config backup and restore causes system to not function properly Symptoms:

After restoring a config backup, the system controller software assigns auto-generated IDs for the partitions. These auto-generated IDs are not mapped to blades and OpenShift cluster namespaces. This behavior causes the system to not work properly.

Conditions:

This occurs when resetting the system to factory default settings via the system controller CLI, and then restoring the backup without rebooting the system controllers.

Impact:

System goes into an Inoperative state for tenant deployments.

Workaround:

The steps outlined below walk you through the entire process of taking a backup of the system, and then restoring the system to the factory default settings. The steps also include sample commands.

Note: You must have console access to the system to complete this task. Running the reset-to-default command removes the management network.

Backup

=======
  1. Back up tenant configs by logging in to the tenant. Save the config, and then copy the config file backup to a safe, external location:

    tmsh save sys ucs /var/tmp/config.ucs

  2. Back up partition configs by logging in to each partition. Back up the database, and then copy the database backup to a safe, external location:

    part2-1(config)#

    system database config-backup name <partition-backup-filename>

    result = Database backup successful.

     

    part2-1(config)#

    scp admin@partitionIP:configs/<partition-backup-filename> <external-device-ip>

     

  3. Back up the controller config by logging in to the system controller using a floating IP address, and then copy the backup config file to a safe, external location:

    syscon-2-active(config)# system database config-backup name <controller-backup-filename>

    response Succeeded.

    syscon-2-active(config)#

    scp root@floatingIP:/var/confd/configs/<controller-backup-filename> <external-machine-ip>

     

    Important: Once you execute the reset-to-default command, the system controller deletes the associated filesystems and backup files, so make sure to back up the system controller, tenant, and partition configs before continuing.

     

  4. Delete partition configs:

    part2-1(config)# system database reset-to-default proceed yes

    result Database reset-to-default successful.

     

    part2-1(config)# System message at 2021-03-11 00:02:21...

    Commit performed by admin via tcp using cli.

     

  5. Assign all slots to partition none:

    syscon-2-active(config)# slots slot 1 partition none

    syscon-2-active(config)# slots slot 2 partition none

     

    syscon-2-active(config-slot-2)# commit

    Commit complete.

     

  6. Remove the partitions from the system controller:

    syscon-2-active(config)# no partitions partition part2

    syscon-2-active(config)# no partitions partition part3

     

    syscon-2-active(config)# commit

    Commit complete.

     

  7. Using a console connection, reset the controller config to factory defaults from the system controller CLI:

    syscon-2-active(config)# system database config reset-default-config true

     

    syscon-2-active(config)# commit

    Commit complete.

     

  8. Reboot the controllers. Once controllers are fully rebooted, proceed to the restore task.

Restore

=======

  1. Set up the system controller mgmt network using the wizard/CLI.
  2. Import the backup from the external device to the system controller:

    ssh root@floatingip

    mkdir -p /var/confd/configs/

    scp <external-machine>:<backup> /var/confd/configs/

     

  3. Restore the controller config:

     

    syscon-1-active(config)# system database config-restore name <controller-backup>

    response Succeeded.

     

  4. Reboot the blades.
  5. To restore the partition config (including VLANs/tenants/interfaces/etc.), import the partition config to the active partition that is running on the controller (running 'show partitions' from the system controller CLI displays which controller is running the active partition):

    part2-2(config)# system database config-restore name <partition-backup>

    result Database restore successful.

     

    part2-2(config)#

    System message at 2021-03-11 01:10:34...

    Commit performed by admin via tcp using cli.

     

  6. Restore the tenant config once the tenant mgmt-ip is reachable. To do so, load the saved config after the partition restore completes (where config.ucs is your .UCS filename):

    tmsh load sys ucs /var/tmp/config.ucs

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.