Supplemental Document : F5OS-C 1.3.2 Fixes and Known Issues

Applies To:


F5OS-C

  • 1.3.2
Updated Date: 10/18/2023

F5OS-C Release Information

Version: 1.3.2
Build: 9645

Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Cumulative fixes from F5OS-C v1.3.1 that are included in this release
Cumulative fixes from F5OS-C v1.3.0 that are included in this release
Known Issues in F5OS-C v1.3.x

Functional Change Fixes

None


F5OS-C Fixes

ID Number Severity Links to More Info Description
1077105-1 1-Blocking BT1077105 Chassis Partition/Tenant pods might not start



Cumulative fixes from F5OS-C v1.3.1 that are included in this release


Functional Change Fixes

None


F5OS-C Fixes

ID Number Severity Links to More Info Description
1071805 2-Critical BT1071805 Removing VELOS controller images used for bare metal install can cause Openshift failures after upgrade
1071693 2-Critical BT1071693 KubeVirt pods might fail when upgrading from F5OS-C v1.2.1 to v1.3.0
1071673 2-Critical BT1071673 Tenants do not launch correctly after performing a rolling upgrade to F5OS-C 1.3.0
1073017 3-Major BT1073017 Downgrading VELOS from F5OS-C v1.3.0 can sometimes leave platform services in degraded state
1072597 3-Major BT1072597 OpenShift cluster health can toggle between Ready and Not Ready when cluster health is not good



Cumulative fixes from F5OS-C v1.3.0 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description
       
989461 CVE-2020-29573 K27238230, BT989461 CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern
1004305 CVE-2020-7595 K04460334, BT1004305 libxml2 2.9.10 vulnerability CVE-2020-7595
995645 CVE-2019-9636 K57542514, BT995645 CVE-2019-9636: python vulnerability
989189 CVE-2019-18282 K32380005, BT989189 CVE-2019-18282: Linux kernel vulnerability
1000453 CVE-2019-25013 K68251873, BT1000453 CVE-2019-25013: glibc vulnerability
1004309 CVE-2020-12400, CVE-2020-12401, CVE-2020-12402, CVE-2020-12403, CVE-2020-6829 K61267093, BT1004309 NSS vulnerability CVE-2020-12403
1004189 CVE-2020-12825 K01074825, BT1004189 libcroco vulnerability CVE-2020-12825


Functional Change Fixes

ID Number Severity Links to More Info Description
991917 3-Major   VELOS system controller/chassis partition should support a system hostname


F5OS-C Fixes

ID Number Severity Links to More Info Description
1008433 1-Blocking BT1008433 VQF hot signal asserted warnings
1068517-1 2-Critical BT1068517 VLAN connectivity among VELOS tenants is lost
1059209 2-Critical BT1059209 No tenant config attributes are allowed after 'storage size'.
1055841 2-Critical BT1055841 Chassis component alarm LED shows up on active system controller
1055397 2-Critical BT1055397 Platform registry ports could become mismatched depending on import timing
1055329 2-Critical BT1055329 VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.
1055189-1 2-Critical BT1055189 Optical transceiver tuning values for OPT-0048 updated to reduce errors
1054021 2-Critical BT1054021 Tcpdump on VELOS chassis blade or rSeries appliance cores when line-dma agent layer below it fails
1052941-2 2-Critical BT1052941 Hardware-fault alarm not cleared.
1051269-1 2-Critical BT1051269 Chassis partition ConfD cluster disk usage threshold feature not functioning as expected
1044317 2-Critical BT1044317 dagd core
1042845 2-Critical BT1042845 Unable to remove platform services versions that appear unused
1042253-1 2-Critical BT1042253 System controller upgrade from F5OS-C 1.2.0-10357 to 1.2.1-10301 intermittently fails
1037525 2-Critical BT1037525 Some of the PCie AER severity and types are incorrect in the diagnostic monitoring
1034481 2-Critical BT1034481 When using IPv6 on floating management address and DHCP, it is possible to get different IP addresses on failover
1008549 2-Critical BT1008549 iHealth indicates multiple unhealthy and critical states for empty PSU bays
1005025 2-Critical BT1005025 Orchestration-manager cores on standby system controller during cluster bringup
1004049 2-Critical BT1004049 The "show system mgmt-ip" command displays "Application Timeout" on the active system controller
995769 3-Major   CVE-2018-20060: python vulnerability
995649 3-Major   CVE-2018-16402: libelf vulnerability
995633 3-Major   CVE-2019-10160: Python vulnerability
995597 3-Major   CVE-2018-15688: systemd Vulnerability
991061 3-Major   Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI
979249 3-Major BT979249 Nodes are displayed in the tenant instance IDs table even after removing them from the tenant
951633 3-Major   qkview Hardening
950477 3-Major BT950477 USB device presence causes errors in the blade log
950109 3-Major BT950109 Interface 'in-discards' counter not reset
1065085-1 3-Major BT1065085 MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license.
1061757 3-Major BT1061757 VLAN Listener for a VLAN shared between tenants may not upgrade properly.
1061065 3-Major BT1061065 After controller upgrade, tenant might not work correctly due to failed install of KubeVirt pods
1060417 3-Major BT1060417 Tpm-integrity-status is "Unavailable" for standby controller, but tpm-status reports "Valid"
1060405 3-Major BT1060405 Management IP address displays incorrectly in LLDP neighbor information
1058757 3-Major BT1058757 Optical transceiver OPT-0043 reports unknown as media type
1054837 3-Major BT1054837 Vcc-ConfD may fail to start new child process
1050761 3-Major BT1050761 System logs this error at startup: SDK error during device programming
1050677 3-Major BT1050677 Disk I/O stats inaccurate in snmpwalk for chassis partition
1047129 3-Major BT1047129 Partition_tmstat_merged container core on shutdown
1046765 3-Major BT1046765 Tenant Data path will not work correctly on downgrade to controller version 1.1.x
1046217 3-Major BT1046217 Database import fails after database reset
1045253 3-Major BT1045253 Errors related to LCD module show up in logs.
1045177 3-Major BT1045177 Stale interfaces are left behind upon portgroup mode change from 100GB to 40GB
1044557-1 3-Major BT1044557 Output from the image removal command is confusing and reveals extraneous details
1044257 3-Major BT1044257 Removal of old chassis partition images might cause tenant issues after blade reboot
1044249 3-Major BT1044249 On initial installation, blades fail to PXE boot after chassis startup
1044117-2 3-Major BT1044117 KubeVirt pods are not reinstalled after recovering cluster using internal debug setting
1043909 3-Major BT1043909 Inconsistencies in disk threshold limits.
1042785-1 3-Major BT1042785 Configuring spanning tree protocol (STP) while disabled might display incorrect state
1042273 3-Major BT1042273 ETCD-HA Instance might not initialize correctly after PXE booting the system controller
1041381 3-Major BT1041381 Tcpdump capture might not include broadcast and multicast egress (generated by the system and being sent out) when "--dls true" option is used
1039085 3-Major BT1039085 Chassis partition config restore operation might cause the system to stop processing FDB files
1038557-1 3-Major BT1038557 Chassis partition merged stats only reflect one blade when tmstat-rsync service moves to another blade
1037749 3-Major BT1037749 Switch daemon crashes occasionally on shutdown
1037673 3-Major BT1037673 Vcc-lacpd on a system controller can crash and leave a core file while restarting
1035353-1 3-Major BT1035353 Missing controller images in show image controller CLI operation
1034993-1 3-Major BT1034993 Key-migrationd service might crash if server elements are incomplete
1034169 3-Major BT1034169 QKView reports status of "partial file recorded" when out of disk space
1033817 3-Major BT1033817 webUI is affected due to /api/data/f5-cluster:cluster/nodes/node taking more than 25 seconds to complete
1033813 3-Major BT1033813 Chassis partition 'show interfaces' command can be slow
1032697 3-Major BT1032697 Confusing message displays when running "file delete"
1032341 3-Major BT1032341 ConfD Encryption key gets rewritten intermittently
1022729 3-Major BT1022729 Management port issues with instance names containing lacpd, lldpd, stpd, or tmstat-rsync
1022589 3-Major   New blank blades inserted into system can wind up in a reboot loop and possibly be damaged

 

Cumulative fix details for F5OS-C v1.3.2 that are included in this release

995769 : CVE-2018-20060: python vulnerability

Component: F5OS-C

Symptoms:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Conditions:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Impact:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

Workaround:
N/A

Fix:
N/A
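
The origin comparison this CVE turns on (a redirect that differs in host, port, or scheme), shown as an added example; it is not F5's or urllib3's code. The function names, the example.test URLs and the token are constructed for illustration, and the sketch assumes only the Authorization header needs stripping, as the description above states.

```python
from urllib.parse import urljoin, urlsplit

# Default ports, so https://host and https://host:443 compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Header named in the CVE description; compared case-insensitively.
SENSITIVE_HEADERS = frozenset({"authorization"})


def origin(url):
    """Return (scheme, host, port) with case folded and default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(current_url, redirect_url):
    """True when the redirect target differs in scheme, host, or port."""
    return origin(current_url) != origin(redirect_url)


def headers_for_redirect(current_url, location, headers):
    """Resolve a Location value and return (target_url, headers_to_send).

    Credentials are dropped when the target is a different origin, which
    covers both a different host and an https -> http downgrade.
    """
    target = urljoin(current_url, location)  # Location may be relative
    if not is_cross_origin(current_url, target):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items()
            if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


def audit_chain(start_url, locations, headers):
    """Walk a redirect chain and report, per hop, whether Authorization is sent.

    Once stripped, the header is not restored on later hops, even if a
    later redirect returns to the original origin.
    """
    url, current = start_url, dict(headers)
    report = [(url, any(k.lower() in SENSITIVE_HEADERS for k in current))]
    for location in locations:
        url, current = headers_for_redirect(url, location, current)
        report.append(
            (url, any(k.lower() in SENSITIVE_HEADERS for k in current)))
    return report


if __name__ == "__main__":
    # Constructed sample request and redirect chain.
    sample_headers = {"Authorization": "Bearer constructed-token",
                      "Accept": "application/json"}
    chain = ["/v2/data",                          # relative, same origin
             "https://API.example.test:443/v3",   # same origin, explicit port
             "http://api.example.test/v3",        # scheme downgrade
             "https://api.example.test/v3"]       # back to https
    for hop, sent in audit_chain("https://api.example.test/v1/data",
                                 chain, sample_headers):
        print(f"{hop:40} Authorization sent: {sent}")
```
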


995649 : CVE-2018-16402: libelf vulnerability

Component: F5OS-C

Symptoms:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

Conditions:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

Impact:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

Workaround:
N/A


995645 : CVE-2019-9636: python vulnerability

Links to More Info: K57542514, BT995645


995633 : CVE-2019-10160: Python vulnerability

Component: F5OS-C

Symptoms:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Conditions:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Impact:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Workaround:
N/A


995597 : CVE-2018-15688: systemd Vulnerability

Component: F5OS-C

Symptoms:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.

Conditions:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.

Impact:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.

Workaround:
N/A


991917 : VELOS system controller/chassis partition should support a system hostname

Component: F5OS-C

Symptoms:
System hostname is missing in operational data (state data).

For example: Even after configuring the system hostname, it is not visible when you run the "show system state hostname" command.

syscon-2-active# show system state hostname
% No entries found.

Conditions:
1. Configure hostname in config mode using this command: system config hostname <name>
2. Display the configured hostname using this command:
show system state hostname

Impact:
Hostname is not visible in state info.

Workaround:
Check for the configured hostname from the system controller login prompt or by checking the running configuration using the "show running-config system config hostname" command.

Fix:
Hostname now displays when you use the "show system state hostname" command.

Behavior Change:
The "show system state hostname" command now provides a valid response and displays the currently-set hostname.


991061 : Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI

Component: F5OS-C

Symptoms:
Tenant validations are not working when a tenant is created using the CLI and subsequently edited in the GUI.

Conditions:
Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:

-- Scale-up/Scale-down the tenant.
-- Add/Remove VLAN.

Impact:
Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.

Workaround:
Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.


989461 : CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern

Links to More Info: K27238230, BT989461


989189 : CVE-2019-18282: Linux kernel vulnerability

Links to More Info: K32380005, BT989189


979249 : Nodes are displayed in the tenant instance IDs table even after removing them from the tenant

Links to More Info: BT979249

Component: F5OS-C

Symptoms:
When running the following command in confd:

 show running-config tenants tenant dag-tenant config nodes

One of the fields displayed is tenant-instance-ids. The ID is displayed even after deleting the tenant instance.

Conditions:
Add a tenant and then delete it.

Impact:
The tenant instance ID is still displayed. This is cosmetic and there is no functional impact.

Workaround:
None

Fix:
The active tenant list is now displayed properly.


951633 : qkview Hardening

Component: F5OS-C

Symptoms:
Under certain conditions, qkview does not follow current best practices.

Conditions:
Occurs while running qkview.

Impact:
Under certain conditions, qkview does not follow current best practices.

Workaround:
N/A


950477 : USB device presence causes errors in the blade log

Links to More Info: BT950477

Component: F5OS-C

Symptoms:
When a USB device is present in the blade, the velos.log file contains a large number of errors from platform-hal related to the USB device and attempts to detect it.

Conditions:
USB device is present in the blade.

Impact:
Numerous unnecessary messages appear in the log.

Workaround:
These messages are benign, and you can safely ignore them.


950109 : Interface 'in-discards' counter not reset

Links to More Info: BT950109

Component: F5OS-C

Symptoms:
If you issue a reset counters command, the in-discards counter is not reset to 0.

Conditions:
Issue 'reset counters interfaces <interface>' or 'reset counters all' commands.

Impact:
Counter is not reset to 0.

Workaround:
None


1077105-1 : Chassis Partition/Tenant pods might not start

Links to More Info: BT1077105

Component: F5OS-C

Symptoms:
Chassis Partition/Tenant pods might fail to start if the partition namespace key is missing or stale.

Conditions:
Upgrading to F5OS-C v1.3.1 and creating a new partition, or deleting and creating an existing partition, either of which is active on the Standby VELOS system controller.

Impact:
Chassis Partition/Tenant pods fail to start on a partition in this condition.

Workaround:
Fail over the active VELOS system controller, which causes the standby controller to generate the correct partition keys. To do this, from the command line on the active system controller type: "system redundancy go-standby"

Fix:
This issue is fixed.


1073017 : Downgrading VELOS from F5OS-C v1.3.0 can sometimes leave platform services in degraded state

Links to More Info: BT1073017

Component: F5OS-C

Symptoms:
After downgrading a VELOS system from F5OS-C v1.3.0 to v1.2.x, various platform services might fail to start.

Conditions:
After upgrading to F5OS-C v1.3.0, then downgrading to an earlier version.

Impact:
Various platform services might fail to start.

Workaround:
It may be necessary to rebuild the OpenShift cluster on the affected VELOS system controllers.

If that does not fix the issue, intervention from F5 might be required.

Fix:
This issue no longer occurs.


1072597 : OpenShift cluster health can toggle between Ready and Not Ready when cluster health is not good

Links to More Info: BT1072597

Component: F5OS-C

Symptoms:
When performing a rolling upgrade from F5OS-C v1.1.0 to 1.2.x, and then to v1.3.0, the cluster status toggles between Ready and Not Ready when VELOS cluster is unhealthy. Other conditions can also cause this issue.

Conditions:
Performing a rolling upgrade from F5OS-C v1.1.0 to v1.2.x, and then to v1.3.0.

Impact:
Cluster status toggles between Ready and Not Ready when VELOS cluster is unhealthy.

Workaround:
None

Fix:
This issue has been fixed.


1071805 : Removing VELOS controller images used for bare metal install can cause Openshift failures after upgrade

Links to More Info: BT1071805

Component: F5OS-C

Symptoms:
VELOS system controller performance is degraded when F5OS-C software versions prior to 1.1.4 are removed and an upgrade to F5OS-C 1.3.0 is initiated.

Conditions:
1. The ISO image versions prior to F5OS-C 1.1.4 used for bare metal install of controllers are removed.
3. The currently-running version of controller software is 1.2.X.
4. An upgrade to F5OS-C 1.3.0 is initiated.

Impact:
VELOS performance is degraded until manual intervention is taken.

Workaround:
Rebuild the Openshift cluster on the affected VELOS system controllers.

Fix:
Removing VELOS system controller images used for bare metal install no longer causes OpenShift failures after upgrade in certain cases.


1071693 : KubeVirt pods might fail when upgrading from F5OS-C v1.2.1 to v1.3.0

Links to More Info: BT1071693

Component: F5OS-C

Symptoms:
During a system controller upgrade from F5OS-C v1.2.1 to v1.3.0, the KubeVirt pods fail to upgrade and produce an error causing the tenant to not operate properly.

Conditions:
Upgrading from F5OS-C v1.2.1 to v1.3.0.

Impact:
The KubeVirt images are not available on the VELOS system controller registry, and the tenant does not operate properly because it relies on KubeVirt pods to be installed correctly.

Workaround:
Follow these steps on the active VELOS system controller:

1. cp /usr/share/omd/kubevirt/omd-kubevirt-velos-install.sh /tmp

2. cd /tmp
vi omd-kubevirt-velos-install.sh

3. Add these lines at line 99 of that file:

else
    echo "Using registry port of $official_port for kubevirt install"
    echo "Update registry port in kubevirt yml files"
    sed -i -e "s@:[0-9][0-9][0-9][0-9]/@:$official_port/@" $WORKDIR/kubevirt-velos.yaml

4. In one Linux shell window:
oc delete -f /usr/share/omd/kubevirt/kubevirt-velos.yaml

5. In another Linux shell window:
/tmp/omd-kubevirt-velos-install.sh /usr/share/omd/kubevirt/

Fix:
This issue is resolved.


1071673 : Tenants do not launch correctly after performing a rolling upgrade to F5OS-C 1.3.0

Links to More Info: BT1071673

Component: F5OS-C

Symptoms:
After performing a rolling upgrade to F5OS-C v1.3.0, tenants do not launch correctly. This can be seen in the output of "oc get pods".

Conditions:
Rolling upgrade to F5OS-C v1.3.0.

Impact:
Tenants do not launch correctly.

Workaround:
On the active system controller:

touch /var/omd/CLUSTER_REINSTALL

This causes the OpenShift cluster to be re-installed using the current image registry.

Fix:
This issue is fixed.


1068517-1 : VLAN connectivity among VELOS tenants is lost

Links to More Info: BT1068517

Component: F5OS-C

Symptoms:
Inbound ARP broadcasts on VLANs shared by tenants on VELOS systems are not received, and shared VLAN connectivity among tenants is lost.

Conditions:
A high volume of DLF packets are handled by the VELOS software rebroadcaster.

Impact:
Loss of connectivity on VLANs shared among tenants.

Workaround:
Restart the sw_rbcast container on the affected blade:

# docker restart partition_sw_rbcast

Fix:
This issue no longer occurs.


1065085-1 : MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license.

Links to More Info: BT1065085

Component: F5OS-C

Symptoms:
When a FIPS-enabled license is installed on the system, some MD5 ciphers are allowed on RESTCONF port 8888, when they should not be allowed.

Conditions:
The command "openssl s_client -connect <mgmt-ip>:8888 -cipher MD5" returns a valid certificate.

Impact:
MD5 SSLCipher continues to work on port 8888 on both system controller and chassis partition management IP addresses.

Workaround:
None

Fix:
Removed MD5 SSLCipherSuites from ssl.conf when a FIPS-enabled license is installed on the system.


1061757 : VLAN Listener for a VLAN shared between tenants may not upgrade properly.

Links to More Info: BT1061757

Component: F5OS-C

Symptoms:
After upgrading from F5OS-C 1.1.4 to a 1.2 release when there are tenants configured that share VLANs, the VLAN listener is not properly upgraded.

Conditions:
Tenants sharing VLANs in a configuration that is upgraded from F5OS-C 1.1.4 to 1.2.x.

Impact:
Traffic will not pass correctly.

Workaround:
Remove the VLAN from the interface(s) and then add it back (no changes to the tenant are necessary).

This re-creates the vlan-listener with the correct VTC value.


1061065 : After controller upgrade, tenant might not work correctly due to failed install of KubeVirt pods

Links to More Info: BT1061065

Component: F5OS-C

Symptoms:
After a system controller upgrade, a tenant might not deploy, because upgraded KubeVirt pods might have failed to install correctly.

Conditions:
-- System controllers were recently upgraded.
-- KubeVirt pods not installed correctly

Impact:
Tenant will not deploy correctly.

Workaround:
1. Remove existing KubeVirt pods that are incorrectly installed.
2. Manually edit the kubevirt-velos-install.sh script to point to the correct registry port.
3. Rerun the install script to install the KubeVirt pods correctly.

Fix:
The kubevirt-velos-install.sh script is now updated to the correct registry port, which enables KubeVirt pods to be updated correctly.


1060417 : Tpm-integrity-status is "Unavailable" for standby controller, but tpm-status reports "Valid"

Links to More Info: BT1060417

Component: F5OS-C

Symptoms:
The tpm-integrity-status is "Unavailable" for the standby controller, but tpm-status reports "Valid".

Conditions:
This is encountered when checking TPM status:
syscon-2-active# show components component controller-* state tpm-integrity-status
              TPM
              INTEGRITY
NAME          STATUS
---------------------------
controller-1  Unavailable
controller-2  Valid

Impact:
Wrong tpm-status will be displayed on confD.

Workaround:
Restart vcc-chassis-manager container.

From the root prompt of the system controller:
[root@controller-1 ~]# docker restart vcc-chassis-manager

Fix:
The issue is fixed in the latest release. The system now checks tpm-status at regular intervals and updates ConfD with the correct information.


1060405 : Management IP address displays incorrectly in LLDP neighbor information

Links to More Info: BT1060405

Component: F5OS-C

Symptoms:
The 'show lldp' command displays the management address of the neighbor incorrectly.

Conditions:
-- lldp is enabled
-- Run the 'show lldp' command

Impact:
The management address of the neighbor displays incorrectly. This is a display issue, and there is no functional impact.

Workaround:
None


1059209 : No tenant config attributes are allowed after 'storage size'.

Links to More Info: BT1059209

Component: F5OS-C

Symptoms:
When configuring a tenant with a one-line command, you cannot specify any other parameters after the storage size parameter. The storage size must be given at the end of the command.

Conditions:
Specifying the storage size parameter before other parameters while configuring the tenant in a one-line command.

Impact:
Commands fail as invalid input if any other parameters are mentioned after storage size.

Workaround:
Place the storage size parameter at the end of command or split the config into multiple lines.

Fix:
N/A


1058757 : Optical transceiver OPT-0043 reports unknown as media type

Links to More Info: BT1058757

Component: F5OS-C

Symptoms:
The "show portgroups" command reports unknown for the media type for an OPT-0043.

Conditions:
OPT-0043 transceiver plugged into a system.

Impact:
Cosmetic - this has no functional impact. The media field is not used by any software; it is reported as information for the user.

Workaround:
None

Fix:
OPT-0043 now reports as a "40G BiDi" media type.


1055841 : Chassis component alarm LED shows up on active system controller

Links to More Info: BT1055841

Component: F5OS-C

Symptoms:
Chassis component alarm LED activates on the active system controller instead of on the LCD module.

Conditions:
If a chassis component, such as a PSU, generates an alarm, the RED alarm LED activates on the active system controller instead of the LCD module.

Impact:
A RED alarm LED could indicate a system controller problem instead of a chassis component problem.

Workaround:
None.

Fix:
Chassis component alarms, such as from a PSU, now activate a RED alarm LED on the chassis instead of on the active system controller.


 

1055397 : Platform registry ports could become mismatched depending on import timing

Links to More Info: BT1055397

Component: F5OS-C

Symptoms:
Under certain conditions, it is possible for the platform registry port configuration to become mismatched between the two system controllers. This can lead to a number of cascading issues with tenant deployments later.

Conditions:
If a platform image import succeeds on one system controller and fails on the other, or a sync of multiple images leads to them being imported in a different order on the standby system controller compared to the active, it is possible to encounter this scenario.

Impact:
Tenants that reference a version of imported software with mismatched ports may attempt to pull images from the wrong registry port, resulting in tenant failure or starting up with the wrong version of platform software images.

Workaround:
It is possible to fix the port mismatch by removing and re-importing the images with mismatched port assignments.

Fix:
Fixed issue where platform registry ports could become mismatched depending on import timing.


1055329 : VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.

Links to More Info: BT1055329

Component: F5OS-C

Symptoms:
If two tenants on a VELOS chassis are configured with a shared VLAN, one tenant might not pass traffic if it has a non-default CMP hash configured for that VLAN.

Conditions:
-- VELOS chassis
-- Configure a VLAN shared between two or more tenants
-- In one tenant, configure a non-default CMP hash for the VLAN

Impact:
No connectivity.

Workaround:
After configuring a non-default cmp hash, run
`docker restart partition_sw_rbcast`
on each blade.

Fix:
Fixed operation of shared VLAN when cmp hash is not the default.


1055189-1 : Optical transceiver tuning values for OPT-0048 updated to reduce errors

Links to More Info: BT1055189

Component: F5OS-C

Symptoms:
OPT-0048 might show intermittent errors.

Conditions:
OPT-0048 optical transceiver inserted into r10000 or r5000 appliance.

Impact:
System displays intermittent optical transceiver errors.

Workaround:
None


1054837 : Vcc-ConfD may fail to start new child process

Links to More Info: BT1054837

Component: F5OS-C

Symptoms:
The error message

<err> Oct 13 13:41:40 vcc_install_versions_failed: Vcc-ConfD-RU: popen failed => Resource temporarily unavailable

occasionally appears in the /var/log_controller/cc-confd log.

Conditions:
Running system controller rolling upgrade.

Impact:
Presently the only known impact is the message appearing in the log.

Fix:
Vcc-ConfD processes started by popen are properly terminated with pclose.


1054021 : Tcpdump on VELOS chassis blade or rSeries appliance cores when line-dma agent layer below it fails

Links to More Info: BT1054021

Component: F5OS-C

Symptoms:
Line-dma agent is the underlying layer of tcpdump in the VELOS/rSeries family of chassis and appliance products.
When it is not running, or if it cores or is otherwise not available, and a client wants a tcpdump capture, tcpdump may core.

Conditions:
-- line-dma-agent is not functional at start, or at some later point in time during the tcpdump capture
-- a client requests a tcpdump capture

Impact:
Packet capture will be affected and will not work.

Fix:
Tcpdump no longer cores, and it retries the line-dma-agent connection when clients ask for a capture.


1052941-2 : Hardware-fault alarm not cleared.

Links to More Info: BT1052941

Component: F5OS-C

Symptoms:
A hardware-fault alarm triggered by RAS unknown type errors is not cleared after the errors are resolved.

Conditions:
This occurs with hardware fault alarms due to RAS unknown type. The alarm is not cleared after the issue is resolved.

Impact:
Hardware-fault alarm with severity warning will be displayed and is not cleared.

Fix:
Fixed the issue that prevents RAS unknown errors from being cleared from the diagnostics report.


1051269-1 : Chassis partition ConfD cluster disk usage threshold feature not functioning as expected

Links to More Info: BT1051269

Component: F5OS-C

Symptoms:
When there is an update in cluster disk usage threshold configuration, the change is not reflected in the state data.

default-1(config)# cluster disk-usage-threshold config critical-limit 91
default-1(config)# commit
default-1# show cluster disk-usage-threshold state critical-limit
cluster disk-usage-threshold state critical-limit 97

Conditions:
When you connect a cluster to ConfD during a firmware update and the disk-usage-threshold is updated at the same time, updates will be missed.

Impact:
Some changes to the chassis partition might not be performed, or they might not be reflected in the state data.

Fix:
Modified the cluster disk threshold subscriber to not use a shared access object in ConfD.


1050761 : System logs this error at startup: SDK error during device programming

Links to More Info: BT1050761

Component: F5OS-C

Symptoms:
During startup of the 'fpgamgr' container, this error is logged in velos.log: "SDK error during device programming." API="f5sw_port_spn_state_get" code=-1 error="parameter error".

Conditions:
System startup or fpgamgr restart.

Impact:
Error log message with no functional impact.

Workaround:
None

Fix:
Fixed API call to prevent an error.


1050677 : Disk I/O stats inaccurate in snmpwalk for chassis partition

Links to More Info: BT1050677

Component: F5OS-C

Symptoms:
Disk I/O stats are inaccurate in snmpwalk.

Conditions:
This occurs when running snmpwalk on a chassis partition.

Impact:
Inaccurate disk I/O stats info in snmpwalk.

Workaround:
None

Fix:
Disk I/O stats are now accurate in snmpwalk.


1047129 : Partition_tmstat_merged container core on shutdown

Links to More Info: BT1047129

Component: F5OS-C

Symptoms:
When the partition_tmstat_merged container is shutting down and it receives a message from the same container on another blade in the partition, it might crash with a core.

Conditions:
Container is shutting down and also receives a message from another blade.

Impact:
Crashes with a core file, with no other impact. You can safely ignore and remove the core file.

Workaround:
Remove core file.

Fix:
Fixed a race condition on shutdown so that a message received during shutdown is handled properly.


1046765 : Tenant Data path will not work correctly on downgrade to controller version 1.1.x

Links to More Info: BT1046765

Component: F5OS-C

Symptoms:
After a system controller downgrade to version 1.1.x, the tenant datapath will not operate correctly.

Conditions:
The KubeVirt software version does not downgrade to the correct KubeVirt software version needed in the 1.1.x controller release.

Impact:
The tenant will launch correctly, but the datapath will be broken because of a dma-agent protocol mismatch.

Workaround:
1. In one root command shell window, run this command to delete the current version of KubeVirt software pods.

[root@controller-2 ~]# oc delete -f /tmp/omd/scripts/kubevirt-velos.yaml

2. In another root command shell window, run this command to clear the KubeVirt namespace and install the new version of KubeVirt pods.

[root@controller-2 kubevirt]# /usr/share/omd/kubevirt/omd-kubevirt-velos-install.sh /usr/share/omd/kubevirt/

Fix:
The tenant datapath should now work properly after a downgrade.


1046217 : Database import fails after database reset

Links to More Info: BT1046217

Component: F5OS-C

Symptoms:
An attempt to import a database using "file import" in the confd/config folder fails. During a database reset operation, the config folder is deleted, which causes the import to fail.

Conditions:
When a database reset is performed before performing an import operation.

Impact:
Database import fails.

Workaround:
None

Fix:
File import operation now creates configs folder, if missing.


1045253 : Errors related to LCD module show up in logs.

Links to More Info: BT1045253

Component: F5OS-C

Symptoms:
The system controller log file can contain errors related to failed communication with the LCD module.

controller-2 platform-monitor[1]: priority="Err" msg="Action Error" name="LCD Sensor Monitor" inputId="1f156c2b-0db1-11ec-bdd4-024264410634" index=0 message="unable to get LCD sensor info" interface="zmq-input"

Conditions:
The error message shows up when the LCD module is restarting due to initial system startup or a firmware update.

Impact:
The error message is not system critical and can be safely ignored.

Workaround:
N/A

Fix:
N/A


1045177 : Stale interfaces are left behind upon portgroup mode change from 100GB to 40GB

Links to More Info: BT1045177

Component: F5OS-C

Symptoms:
In some situations, stale interfaces are left behind in the config cdb when the portgroup mode changes from 100GB to 40GB, 4x25GB, or 4x10GB. This causes the l2-agent on the blade to exit.

Conditions:
-- reset-to-defaults/backup/restore
OR
-- live install

-- change the portgroup mode from 100GB to 40GB
-- commit

Impact:
The interfaces corresponding to portgroups are not present and stale interfaces are left behind.

Workaround:
Steps for mitigation:
1) Verify the issue is caused by the lack of pgindex in cdb:

a) From config mode in a chassis partition, create a backup file
(config)# system database config-backup name test
b) Look for pgindex in the /var/F5/partition{id}/configs/test:
grep pgindex /var/F5/partition{number}/configs/test

c) If no entries are found, this is the issue.

2) Remove the slots corresponding to the impacted chassis partition from the system controller configuration and commit.

3) Re-add the slots corresponding to the impacted chassis partition from the system controller configuration and commit.

4) From the chassis partition CLI, ensure the system redundancy shows the blade is present and operational.

5) From the chassis partition CLI, change the portgroup mode from 100GB to 40GB and commit (example below):
(config)# portgroups portgroup 1/1 config mode MODE_40GB; top
(config)# portgroups portgroup 1/2 config mode MODE_40GB; top
(config)# commit

6) Wait for the blades to resync by monitoring 'show system redundancy'.

At this point the interfaces should be republished matching the new 40GB mode.

Fix:
Proper interfaces are now published when portgroup mode is changed.


1044557-1 : Output from the image removal command is confusing and reveals extraneous details

Links to More Info: BT1044557

Component: F5OS-C

Symptoms:
When running commands such as "image <controller|partition> remove iso <version>", the error output contains the following message, among other details:

"Error: unexpected response back from API: 1"

Conditions:
The output occurs after you run a command to remove system controller or chassis partition images that are in use. A typical example is when you are trying to remove an ISO that uses OS/service artifacts.

Impact:
The error message from these commands is unhelpful to the user and reveals internal implementation details.

Workaround:
None

Fix:
The fix is present in F5OS-C version 1.2.2. The error message is replaced by one of the following (or another more helpful message if more specific information is available):

"Error: failed to remove controller image; may be in use"
"Error: failed to remove partition image; may be in use"


1044317 : dagd core

Links to More Info: BT1044317

Component: F5OS-C

Symptoms:
Dagd crashes and leaves a core file.

Conditions:
The exact conditions, especially from a user point of view, are not yet known.

Impact:
Traffic is disrupted while dagd restarts.

Workaround:
None

Fix:
Made dagd more robust against system conditions.


1044257 : Removal of old chassis partition images might cause tenant issues after blade reboot

Links to More Info: BT1044257

Component: F5OS-C

Symptoms:
After upgrading the system to F5OS-C version 1.1.4, when you remove old chassis partition images from the system, tenants might not start up correctly after a reboot of the blade hosting the chassis partition.

Conditions:
This might occur if the tenant was started after the system was upgraded to an interim release (such as F5OS-C 1.1.1, 1.1.2, 1.1.3), after originally running F5OS-C version 1.1.0.

Impact:
Tenants will not start correctly, will not pass traffic, or be accessible on their management interfaces.

Workaround:
To work around this issue:

1. Upgrade the system controller to F5OS-C 1.1.4.
2. Wait for the system controller upgrade to complete.
3. Upgrade the chassis partition(s) to F5OS-C 1.1.4.
4. Wait for chassis partition upgrade(s) to complete.
5. Configure all tenants to return to the "Provisioned" state.
6. Wait for all tenants to stop.
7. Configure all tenants back to the "Deployed" state.
8. Remove the old chassis partition and system controller software versions.

Fix:
N/A


1044249 : On initial installation, blades fail to PXE boot after chassis startup

Links to More Info: BT1044249

Component: F5OS-C

Symptoms:
On initial installation, blades fail to PXE boot after the chassis powers on.

Other symptoms:

1. When trying to deploy a tenant on a single blade or when multiple blades are bundled for the same chassis partition in the Chassis Partition webUI (TENANT MANAGEMENT > Tenant Deployments), the "Running Version" remains "Unavailable" indefinitely.

2. Blades are not available for login or other activity from the CLI.

Conditions:
Multiple factory-fresh blades are powered up.

Impact:
Blades fail to PXE boot. This means they failed to load an initial image and cannot join a cluster.

Workaround:
On both system controllers, reboot the system controller or restart the image server container.

Type this command to restart the image server on each system controller:

docker restart vcc-image-server

Fix:
N/A


1044117-2 : KubeVirt pods are not reinstalled after recovering cluster using internal debug setting

Links to More Info: BT1044117

Component: F5OS-C

Symptoms:
While reinstalling the OpenShift cluster by configuring an internal debug flag, the KubeVirt pods were not reinstalled. Without these pods, the tenant will not operate.

Conditions:
When a cluster reinstall was initiated by configuring the internal debug flag, an internal variable was not being reset, which prevented the KubeVirt pods from being installed.

Impact:
The tenant will not operate.

Workaround:
In a bash console shell, run this command:
systemctl restart orchestration_manager_container.service

Fix:
Fix is in release F5OS-C v1.2.2.


1043909 : Inconsistencies in disk threshold limits.

Links to More Info: BT1043909

Component: F5OS-C

Symptoms:
Inconsistencies are being observed while configuring disk threshold limits.

default-2# show cluster disk-usage-threshold state
cluster disk-usage-threshold state warning-limit 85
cluster disk-usage-threshold state error-limit 90
cluster disk-usage-threshold state critical-limit 97
cluster disk-usage-threshold state growth-rate-limit 10
cluster disk-usage-threshold state interval 60

No checks are implemented to raise an exception if you attempt to set a critical limit to a value less than error/warning limit.

Conditions:
The problem is seen only while upgrading to F5OS-C 1.3.0 and when you configure the disk threshold limits against the constraints.

Impact:
Upgrade can fail if the constraints introduced in F5OS-C version 1.3.0 are violated.

Workaround:
Before upgrading to F5OS-C 1.3.0, configure the limits so that the critical limit is greater than the error and warning limits and the error limit is greater than the warning limit, or set them to the default values.

From the chassis partition CLI:
-------------------------
default-2(config)# cluster disk-usage-threshold config critical-limit 90
default-2(config)# cluster disk-usage-threshold config error-limit 85
default-2(config)# cluster disk-usage-threshold config warning-limit 80
default-2(config)# commit
Commit complete.


1042845 : Unable to remove platform services versions that appear unused

Links to More Info: BT1042845

Component: F5OS-C

Symptoms:
Under certain circumstances, a version of controller or partition services might appear "not in use" in CLI/webUI tables, but removal of that version is still blocked because other parts of the service package are still in use by other system components.

Conditions:
1. Attempt to remove an (apparently CLI) version of controller or partition services via ConfD or webUI.
2. Other components on the system still silently depend on that version of services, even though CLI/webUI output does not reflect this.

Impact:
Unable to remove versions of software that appear unused, and the cause is unclear.

Workaround:
N/A

Fix:
Removal of platform services that appear "unused" is no longer blocked by hidden higher-level component dependencies.


1042785-1 : Configuring spanning tree protocol (STP) while disabled might display incorrect state

Links to More Info: BT1042785

Component: F5OS-C

Symptoms:
While STP is disabled, configuring a field such as MSTP max-hop causes the enabled-protocol to display an incorrect value.

Conditions:
Delete the enabled-protocol configuration field.
Delete another STP configuration field such as MSTP max-hop.

Impact:
The STP enabled-protocol display is incorrect.

Workaround:
To mitigate, do not configure STP while it is not enabled.

Fix:
Configuring STP while it is disabled will no longer lead to an incorrect display.


1042273 : ETCD-HA Instance might not initialize correctly after PXE booting the system controller

Links to More Info: BT1042273

Component: F5OS-C

Symptoms:
The ETCD-HA instance might not initialize correctly after PXE booting a system controller and re-installing that system controller into the OpenShift cluster. When the instance initializes incorrectly and one of the system controllers is down, the OpenShift API does not operate correctly.

Conditions:
PXE boot of a system controller in a running OpenShift cluster.

Impact:
When the instance initializes incorrectly and one of the system controllers is down, the OpenShift API does not operate correctly.

Workaround:
None

Fix:
The orchestration-manager now correctly re-initializes the ETCD-HA instance when a system controller is PXE booted and then added to the OpenShift cluster.


1042253-1 : System controller upgrade from F5OS-C 1.2.0-10357 to 1.2.1-10301 intermittently fails

Links to More Info: BT1042253

Component: F5OS-C

Symptoms:
The upgrade proceeds to the point where both system controllers boot to the new image, but neither system controller becomes active.

Conditions:
When this issue is observed, the output of the "show full-configuration system redundancy config mode" command is something other than the default (auto).

Impact:
Neither system controller becomes active, and the ability to configure the system controllers is compromised.

Workaround:
Restarting both Vcc-ConfD containers (or a reboot of both system controllers) should clear the problem.

Fix:
Intermittent loss of active system controller when upgrading from F5OS-C 1.2.0-10357 to 1.2.1-10301 is now fixed in F5OS-C 1.2.1.


1041381 : Tcpdump capture might not include broadcast and multicast egress (generated by the system and being sent out) when "--dls true" option is used

Links to More Info: BT1041381

Component: F5OS-C

Symptoms:
When DLS feature is enabled using the "--dls true" option, broadcast and multicast packets generated by the host CPUs of the system and egressing out of the VELOS system will not be part of the capture.

The default mode when no "--dls" option is specified is "--dls false", which functions correctly.

Conditions:
The 'DLS' feature of tcpdump is enabled by explicitly invoking packet capture with the non-default mode "--dls true".

Impact:
Capture will not be complete and will not contain the egressing broadcast and multicast packets.

Workaround:
Use the default mode (no "--dls" option specified) or explicitly turn off dls mode ("--dls false").


1039085 : Chassis partition config restore operation might cause the system to stop processing FDB files

Links to More Info: BT1039085

Component: F5OS-C

Symptoms:
In rare cases, a chassis partition "config-restore" operation might cause a race condition that locks up a platform component. This causes forwarding database (FDB) files to no longer be processed and can affect traffic processing.

Conditions:
Running a "config-restore" operation on the chassis partition CLI. This issue is more likely to occur when the number of tenants increases.

Impact:
FDB files will no longer be processed. Traffic processing can be impacted due to missing FDBs.

Workaround:
1. Restart the network manager on both system controllers:
    - "docker restart partition<partition_number>_network_manager"
2. Redeploy all tenants.


1038557-1 : Chassis partition merged stats only reflect one blade when tmstat-rsync service moves to another blade

Links to More Info: BT1038557

Component: F5OS-C

Symptoms:
A few show stats commands such as 'show qos state' that report stats for all blades in a chassis partition might report only the stats from a single blade when the tmstat-rsync service moves from one blade to another blade.

Conditions:
The tmstat-rsync service has moved to a blade other than the initial blade it was running on, and a show command that combines stats from all the blades in a chassis partition is run.

Impact:
A few show stats commands will only report data from a single blade.

Workaround:
Restart the tmstat-rsync service so it runs back on the initial blade.


1037749 : Switch daemon crashes occasionally on shutdown

Links to More Info: BT1037749

Component: F5OS-C

Symptoms:
Shutting down the system sometimes causes the switch daemon to crash.

Conditions:
This occurs rarely during system shutdown.

Impact:
A core file is saved to /var/shared/core/container/.

Workaround:
None.

Fix:
This has been fixed in F5OS-C 1.2.2 and F5OS-C 1.3.


1037673 : Vcc-lacpd on a system controller can crash and leave a core file while restarting

Links to More Info: BT1037673

Component: F5OS-C

Symptoms:
Vcc-lacpd on a system controller crashes, leaving behind a core file and a system log indicating a crash occurred. After the crash, the daemon recovers within a few seconds.

Conditions:
The crash only occurs during a restart of vcc-lacpd. Most commonly, a restart will occur during a system controller software update, using the "go-standby" command, or from a fatal error.

Impact:
The internal mgmt network to all blades may go down for a few seconds. Traffic running on tenants will be unaffected.

Workaround:
Limit failover scenarios on the system controllers, such as use of the system controller "go-standby" command or system controller software updates.

Fix:
Vcc-lacpd no longer leaves a core file under these conditions.


1037525 : Some of the PCIe AER severity and types are incorrect in the diagnostic monitoring

Links to More Info: BT1037525

Component: F5OS-C

Symptoms:
Some AER (Advanced Error Reporting) error type and severity events are displayed incorrectly in the diagnostics monitoring.

Conditions:
If an AER error occurs, the decoding of the error type and severity as reported in the diagnostic might be incorrect.

Impact:
AER errors in diagnostic monitoring could be interpreted incorrectly as a 'Fatal' error.

Workaround:
There is no complete mitigation for this. The AER errors are correctly logged in the system logs and can be confirmed by timestamp and device to obtain the correct information.

Fix:
Fixed an issue with incorrect diagnostics reporting.


1035353-1 : Missing controller images in show image controller CLI operation

Links to More Info: BT1035353

Component: F5OS-C

Symptoms:
After a software upgrade, the "show image controller" command displays only the active system controller images. The standby controller images are missing from the "show image controller" CLI output. This happens only occasionally.

Conditions:
Using CLI/RESTCONF command operations for show image controller.

Impact:
User won't see the standby controller images when running the "show image controller" command.

Workaround:
Reboot the standby controller from the CLI using the "system reboot controllers controller standby" command. This resolves the issue and brings the controller images back into the CLI display.


1034993-1 : Key-migrationd service might crash if server elements are incomplete

Links to More Info: BT1034993

Component: F5OS-C

Symptoms:
The key-migrationd service crashes after defining some server-group information for Radius/LDAP servers.

Conditions:
This might occur after not fully defining a system > aaa > server-groups > server-group item, and then attempting to read the item.

Impact:
Core file is created and key-migration malfunctions.

Workaround:
Remove the partially-defined server group or fully define all server-group items.

Fix:
The key-migration now works without crashing.


1034481 : When using IPv6 on floating management address and DHCP, it is possible to get different IP addresses on failover

Links to More Info: BT1034481

Component: F5OS-C

Symptoms:
When running IPv6 and using DHCP to assign the floating management address, a chassis failover event might cause the IP address to be changed.

Conditions:
Running IPv6, using DHCP for floating management address and failing over a system controller. IPv4 and static IPv6 addresses are unaffected.

Impact:
Services will not be available on the floating management address as expected, and the interface will map to an unexpected IPv6 address.

Workaround:
None


1034169 : QKView reports status of "partial file recorded" when out of disk space

Links to More Info: BT1034169

Component: F5OS-C

Symptoms:
When QKView attempts to create a QKView file and there is insufficient disk space, the status recorded is "partial file recorded". The actual cause is low disk space, and no QKView is collected in this case. The recorded status should indicate so.

Conditions:
Run the QKView collection with less than 1 GB of available disk.

Impact:
Cosmetic.

Workaround:
N/A

Fix:
The status now indicates: Out-of-disk. Unable to create QKView file.


1033817 : webUI is affected due to /api/data/f5-cluster:cluster/nodes/node taking more than 25 seconds to complete

Links to More Info: BT1033817

Component: F5OS-C

Symptoms:
The 'show cluster nodes node' command takes more than 25 seconds to complete.

Conditions:
This happens on a chassis that is not fully populated.

Impact:
The GET API request for /api/data/f5-cluster:cluster/ takes more time, resulting in slow page load times in the webUI.

Workaround:
None

Fix:
Modified diag-agent partition to check that the blade is in a ready status before contacting it for disk-usage information. This reduces the timeout.


1033813 : Chassis partition 'show interfaces' command can be slow

Links to More Info: BT1033813

Component: F5OS-C

Symptoms:
A 'show interfaces' command or the corresponding RESTCONF API request that includes 'show interfaces interface state counters' or 'show interfaces interface ethernet state counters' might take a long time to execute.

Conditions:
A blade was present in the chassis partition and is either physically removed or powered off, but the slot is not removed from the partition configuration.
A delay is also observed when running the 'show interfaces interface state counters' command for an aggregate (trunk).

Impact:
The webUI screen refresh is slow (2 to 8 seconds per missing blade), or the CLI 'show' command takes a long time to return.

Workaround:
Use the system controller webUI or CLI to remove the non-existent blade from the chassis partition.

Fix:
Fixed an issue causing the "show interfaces" command to be slow when a blade is removed.


1032697 : Confusing message displays when running "file delete"

Links to More Info: BT1032697

Component: F5OS-C

Symptoms:
When running the "file delete" command, a confusing error message displays:

syscon-1-active# file delete file-name log/host/ansible.log

Only /mnt/var/confd/configs/ /var/shared/ configs/ diags/shared/ paths are allowed for Delete file operation on system controller CLI.

Conditions:
When attempting a file delete operation from a directory that does not have delete permission.

Impact:
The error message lists the actual paths along with the virtual paths on which delete is supported.

Workaround:
N/A

Fix:
When performing a file delete operation, only virtual paths are now listed.


1032341 : ConfD Encryption key gets rewritten intermittently

Links to More Info: BT1032341

Component: F5OS-C

Symptoms:
The key should always return the same value and hash, unless it is changed via key-migration.

The reading of memory (EEPROM) will sometimes return "resource temporarily unavailable," which is treated as an error instead of simply doing a retry.

Conditions:
The EEPROM might be busy because of use by other components.

Impact:
The encryption key changes, which invalidates all currently-encrypted items and requires them to be re-entered.

Workaround:
Re-enter all encrypted items and hope that the "resource temporarily unavailable" does not occur.

Fix:
The system no longer considers "resource temporarily unavailable" an error unless it happens ten times in a row. The system retries the read, and if the retry works, the system avoids setting a new key.


1022729 : Management port issues with instance names containing lacpd, lldpd, stpd, or tmstat-rsync

Links to More Info: BT1022729

Component: F5OS-C

Symptoms:
The management port stops working when instance names contain any of the following: lacpd, lldpd, stpd, or tmstat-rsync.

Conditions:
Instances whose names include any of the following:
 - lacpd
 - lldpd
 - stpd
 - tmstat-rsync

Impact:
Management port no longer works.

Workaround:
Avoid naming instances using any of the following:
 - lacpd
 - lldpd
 - stpd
 - tmstat-rsync

Fix:
You can now successfully name instances using strings containing the following:
 - lacpd
 - lldpd
 - stpd
 - tmstat-rsync


1022589 : New blank blades inserted into system can wind up in a reboot loop and possibly be damaged

Component: F5OS-C

Symptoms:
Blades fresh from manufacturing do not contain an OS image. If they are not made part of a chassis partition with an OS image defined, they will wind up in a continuous reboot loop when inserted. There is potential that this might cause damage to blade components if allowed to continue for an extensive period of time.

As systems shipped from factory include all slots in the default chassis partition and that partition is set up with a partition image already configured, this condition should only be possible when blades are added in the field, and the site has added chassis partition definitions that do not have OS images set.

Conditions:
Freshly-manufactured blade installed in a system slot that is not part of a chassis partition with a defined ISO image.

Impact:
Potential drive media damage if the reboot loop is allowed to continue for an extended period of time.

Workaround:
Options to mitigate:
1. Install an OS image on the new blade.
2. Power down the blade using AOM until ready to load an image.

The simplest method to install an OS image is to be sure the installation slot is part of a chassis partition definition that includes a set OS image. By default the blade will PXE boot that image.


1008549 : iHealth indicates multiple unhealthy and critical states for empty PSU bays

Links to More Info: BT1008549

Component: F5OS-C

Symptoms:
The component health for empty PSU bays in the VELOS chassis is shown as unhealthy along with an iHealth critical severity.

Conditions:
This issue occurs on a VELOS chassis that has one or more PSUs not populated.

Impact:
The chassis health of empty PSU bays is shown as unhealthy in iHealth.

Fix:
Modified diag-agent service so that it does not mark an unhealthy state for PSUs that are not present in the chassis.


1008433 : VQF hot signal asserted warnings

Links to More Info: BT1008433

Component: F5OS-C

Symptoms:
A PEL log entry occurs indicating an FPGA HOT signal asserted:

Warning | AOM | 5 | Na | VQF hot thermal event

Conditions:
This issue happens at system startup.

Impact:
If the issue occurs during system startup, it is an erroneous error message and can be safely ignored.

Workaround:
N/A

Fix:
Fixed an erroneous FPGA HOT signal that occurs during system startup.


1005025 : Orchestration-manager cores on standby system controller during cluster bringup

Links to More Info: BT1005025

Component: F5OS-C

Symptoms:
A core file from orchestration-manager might be created on the standby system controller during cluster bringup.

Conditions:
This might occur intermittently during cluster bringup.

Impact:
A core file is generated, but orchestration-manager will restart and will not cause any issues with system function.

Workaround:
None


1004309 : NSS vulnerability CVE-2020-12403

Links to More Info: K61267093, BT1004309


1004305 : libxml2 2.9.10 vulnerability CVE-2020-7595

Links to More Info: K04460334, BT1004305


1004189 : libcroco vulnerability CVE-2020-12825

Links to More Info: K01074825, BT1004189


1004049 : The "show system mgmt-ip" command displays "Application Timeout" on the active system controller

Links to More Info: BT1004049

Component: F5OS-C

Symptoms:
On a system where the standby system controller is rebooting, running the 'show system mgmt-ip' command from the CLI might display an "Application Timeout" error.

Conditions:
-- Standby system controller is rebooting.
-- Run the 'show system mgmt-ip' command from the CLI.

Impact:
This problem is limited to the system controller management IP address only.

Workaround:
The command fails the very first time it runs while the standby controller is rebooting. After it fails the first time, the command displays output in subsequent retries.

Fix:
The 'show system mgmt-ip' command now works while the standby system controller is rebooting.


1000453 : CVE-2019-25013: glibc vulnerability

Links to More Info: K68251873, BT1000453



Known Issues in F5OS-C v1.3.x


F5OS-C Issues

ID Number Severity Links to More Info Description
1076705-2 2-Critical   Etcd instance might not start correctly after upgrade
1073305 2-Critical   Upgrade to F5OS-C 1.3.0 failed to upgrade chassis partition
1053905 2-Critical   After upgrading system controller to v1.2.2, there could be traffic outage
1050565-2 2-Critical   KubeVirt pods might not be installed after upgrading from F5OS-C v1.2.1 to v1.3.0
1102753-1 3-Major   Removing platform software via restconf returns a proxy error
1100713-1 3-Major   After a partition upgrade, a tenant in Provisioned state may show inconsistent CLI status
1073581-1 3-Major   Removing a 'patch' version of services might remove the associated 'base' version as well
1071209-1 3-Major BT1071209 Files greater than 1000 MiB are truncated in QKView
1056037 3-Major BT1056037 If any tenant is in the 'deployed' state, you cannot downgrade the chassis partition to F5OS-C 1.1.4.
1035589-2 3-Major BT1035589 Source address for TACACS+ server group configuration does not work
1028385-1 3-Major   Link aggregation names with spaces
1056273 4-Minor   Tcpdump log level is set to default {INFO} after upgrading
1045261-1 4-Minor   Vcc-partition-software-manager logs extraneous chassis partition update records

 

Known Issue details for F5OS-C v1.3.x

1102753-1 : Removing platform software via restconf returns a proxy error

Component: F5OS-C

Symptoms:
When removing platform software (controller or partition ISO) via the restconf API, the API returns a '502 Proxy Error'. The image is still removed despite the error message.

Conditions:
Removing the platform software via restconf.

Impact:
A misleading and concerning error message is reported.

Workaround:
The restconf API can still be used, since the removal succeeds despite the error. Alternatively, remove the image via the GUI or ConfD CLI.


1100713-1 : After a partition upgrade, a tenant in Provisioned state may show inconsistent CLI status&start;

Component: F5OS-C

Symptoms:
After a partition upgrade from 1.3.1 to 1.3.2, if the running-state of a tenant is configured as Provisioned, the operational status of the tenant may oscillate between the "Ready to deploy" and "Allocating resources to tenant is in progress" states in the partition CLI status.

Conditions:
A race condition exists after a partition upgrade that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.

Impact:
The tenant state constantly changes.

Workaround:
Configure the running-state of the tenant to Deployed.


1076705-2 : Etcd instance might not start correctly after upgrade&start;

Component: F5OS-C

Symptoms:
/etc/etcd/dump_etcd.sh might show that the etcd instance native to system controller #1 or #2 does not come up after an upgrade.

This displays in the output of /etc/etcd/dump_etcd.sh and might occur for the .3.51 or .3.52 node:

failed to check the health of member 25fa6669d235caa6 on https://100.65.3.52:2379: Get https://100.65.3.52:2379/health: dial tcp 100.65.3.52:2379: connect: connection refused
member 25fa6669d235caa6 is unreachable: [https://100.65.3.52:2379] are all unreachable

This can cause a longer OpenShift outage if the system controller containing the healthy instance is rebooted, and complete outage if the system controller containing the healthy instance is lost.

Conditions:
This is caused by a previous mount failure of the drbd file system, which causes a corruption of the etcd instance on the standby system controller. This is seen very infrequently.

Impact:
The local etcd instance on the affected system controller will not work correctly, compromising the high availability (HA) of the OpenShift cluster. The cluster will continue to work correctly while both system controllers are up.

Workaround:
Rebuild the OpenShift cluster by running "touch /var/omd/CLUSTER_REINSTALL" from the CLI on the active system controller. This will cause all running tenants to be taken down during the cluster reinstall, which takes 50+ minutes.
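
The following check is an added example, not F5 code: it parses health output of the kind shown in the Symptoms above and reports which etcd members are down, so the condition can be caught before a controller reboot. The sample text is constructed; its two failure lines are the ones quoted in this issue, while the "is healthy" line format and the member ID 0123456789abcdef are assumptions.

```python
import re

# Constructed sample of /etc/etcd/dump_etcd.sh health output. The last two lines are
# the ones quoted in the issue; the "is healthy" line and its member ID are assumed.
SAMPLE_OUTPUT = """\
member 0123456789abcdef is healthy: got healthy result from https://100.65.3.51:2379
failed to check the health of member 25fa6669d235caa6 on https://100.65.3.52:2379: Get https://100.65.3.52:2379/health: dial tcp 100.65.3.52:2379: connect: connection refused
member 25fa6669d235caa6 is unreachable: [https://100.65.3.52:2379] are all unreachable
"""

HEALTHY = re.compile(r"^member (?P<id>[0-9a-f]+) is healthy\b")
REFUSED = re.compile(r"^failed to check the health of member (?P<id>[0-9a-f]+) "
                     r"on (?P<url>\S+?): .*connection refused")
UNREACHABLE = re.compile(r"^member (?P<id>[0-9a-f]+) is unreachable: \[(?P<urls>[^\]]*)\]")


def parse_etcd_health(text):
    """Map member ID -> {"healthy", "refused", "endpoints"} from health-check lines."""
    members = {}

    def entry(member_id):
        return members.setdefault(
            member_id, {"healthy": False, "refused": False, "endpoints": set()})

    for raw in text.splitlines():
        line = raw.strip()
        if m := HEALTHY.match(line):
            entry(m["id"])["healthy"] = True
        elif m := REFUSED.match(line):
            entry(m["id"])["refused"] = True
            entry(m["id"])["endpoints"].add(m["url"])
        elif m := UNREACHABLE.match(line):
            urls = {u.strip() for u in m["urls"].split(",") if u.strip()}
            entry(m["id"])["endpoints"].update(urls)
    return members


def unhealthy_members(members):
    """Sorted IDs of members not reported healthy; any entry means HA is degraded."""
    return sorted(mid for mid, info in members.items() if not info["healthy"])


if __name__ == "__main__":
    parsed = parse_etcd_health(SAMPLE_OUTPUT)
    for mid in unhealthy_members(parsed):
        print(mid, sorted(parsed[mid]["endpoints"]), "refused:", parsed[mid]["refused"])
```

A non-empty result from unhealthy_members means the cluster is running on the remaining etcd instance only, which is the state in which rebooting or losing the healthy system controller leads to the outage described above.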


1073581-1 : Removing a 'patch' version of services might remove the associated 'base' version as well

Component: F5OS-C

Symptoms:
Removing a 'patch' version (X.Y.Z, Z>0) of a platform ISO or services might, under certain conditions, lead to the unexpected removal of the 'base' version (X.Y.0) associated with that patch.

Conditions:
1. A 'patch' ISO is imported when the 'base' associated with the patch is not already imported (for example, an F5OS-C 1.2.2 ISO is imported, and F5OS-C 1.2.0 is not already imported).
2. Some time later, the F5OS-C 1.2.2 ISO is removed. This also removes the 1.2.0 services.

Impact:
F5OS-C removes software that wasn't explicitly chosen to be removed.

Workaround:
To work around this issue, import the 'base' version ISO (X.Y.0) before importing any patches. If this is done, removal of a 'patch' will not remove the 'base'. If a 'base' was already removed accidentally, re-importing the 'base' ISO will also make it available again.


1073305 : Upgrade to F5OS-C 1.3.0 failed to upgrade chassis partition

Component: F5OS-C

Symptoms:
Upgrading VELOS from F5OS-C 1.2.2 to 1.3.0 caused partition containers to enter the CrashLoopBackOff state. This can be checked by running this command:

oc get pods --all-namespaces |grep -i crash

Conditions:
After upgrading to F5OS-C 1.3.0, tenant datapath interfaces do not come up.

Impact:
Traffic is impacted.

Workaround:
Restarting the chassis partition (that is, disabling and then enabling it) fixes the issue.


1071209-1 : Files greater than 1000 MiB are truncated in QKView

Links to More Info: BT1071209

Component: F5OS-C

Symptoms:
QKView is unable to collect an untruncated velos.log file that has been rotated.

Conditions:
Rotated copy of the velos.log file is greater than 1000 MiB.

Impact:
Logs are not complete in QKView, making it difficult to troubleshoot issues.

Workaround:
Collect the log files manually.


1056273 : Tcpdump log level is set to default {INFO} after upgrading

Component: F5OS-C

Symptoms:
Tcpdump log severity level is not retained after upgrading.

Conditions:
Tcpdump log severity is set to something other than INFORMATIONAL prior to upgrading.

Impact:
Severity level changes to INFO after upgrading.

Workaround:
Reset the severity level after upgrade.

controller-1(config)# system logging sw-components sw-component tcpdumpd-manager config severity DEBUG
controller-1(config-sw-component-tcpdumpd-manager)# commit
Commit complete.


1056037 : If any tenant is in the 'deployed' state, you cannot downgrade the chassis partition to F5OS-C 1.1.4.

Links to More Info: BT1056037

Component: F5OS-C

Symptoms:
An attempt to downgrade chassis partition services to versions older than F5OS-C 1.4.0 fails with this error:

"Partition database upgrade compatibility check failed."

The validation logic prior to F5OS-C 1.4.0 does not permit tenants to be in the 'deployed' state during the schema change.

Conditions:
Tenant is in a 'deployed' state.

Impact:
You cannot downgrade partition services for this chassis partition to F5OS-C 1.1.x, 1.2.x, or 1.3.x from any higher version.

Workaround:
1. In the partition manager CLI or webUI, change the running-state for all tenants to 'configured' or 'provisioned'.
2. Perform the downgrade for the chassis partition.
3. When the chassis partition downgrade is complete, return the tenants to the 'deployed' state.


1053905 : After upgrading system controller to v1.2.2, there could be traffic outage&start;

Component: F5OS-C

Symptoms:
After upgrading the system controller to version 1.2.2, a traffic outage occurs.

Conditions:
System controller is upgraded to version 1.2.2 and the partition is not upgraded to version 1.2.2.

Impact:
Network traffic through BIG-IP tenants is disrupted.

Workaround:
Upgrade the partition to version 1.2.2.


1050565-2 : KubeVirt pods might not be installed after upgrading from F5OS-C v1.2.1 to v1.3.0&start;

Component: F5OS-C

Symptoms:
After an upgrade from F5OS-C v1.2.1 to v1.3.0 the OpenShift KubeVirt pods might not be installed.

Conditions:
During the upgrade from F5OS-C 1.2.1 to 1.3.0, the script that installs the OpenShift KubeVirt pods might fail to install the pods.

Impact:
The tenants might not operate.

Workaround:
On the active system controller, run this command:

systemctl restart orchestration_manager_container.service


1045261-1 : Vcc-partition-software-manager logs extraneous chassis partition update records

Component: F5OS-C

Symptoms:
Following a fresh F5OS-C software install, the vcc-partition-software-manager repeatedly logs the following extraneous records:

********

<info> Dec 2 21:46:48 publish_image_thread: Controller-2 Images state not changed.
<notice> Dec 2 21:48:25 main: retrying after failed operation
<info> Dec 2 21:48:25 main: configuration updated; num_part: 2
<notice> Dec 2 21:48:26 main: cc.out_of_service_install(false) cc.install_stage(IDLE) ha_mode(HA_MASTER) skip_notify(true) last_failed(true)

********

Conditions:
Installing F5OS-C software.

Impact:
There is no functional impact, as the chassis partition configurations are not actually being changed or updated, but the log records fill up the velos.log over time with unnecessary noise.

Workaround:
These messages can be safely ignored.


1035589-2 : Source address for TACACS+ server group configuration does not work

Links to More Info: BT1035589

Component: F5OS-C

Symptoms:
Attempting to set the source-address for a TACACS+ server group configuration might fail or might not work as expected.

Conditions:
Attempt to configure source-address for TACACS+ server group.

Impact:
No functional impact, as the source-address isn't used.

Workaround:
The source-address is not used by the TACACS+ client. Do not configure source-address.


1028385-1 : Link aggregation names with spaces

Component: F5OS-C

Symptoms:
BIG-IP Next exhibits erroneous behavior for a LAG when it is created with a name that contains spaces.

Conditions:
The LAG name contains spaces.

Impact:
BIG-IP Next cannot successfully handle a LAG with spaces in the name. The LAG is not recognized.

Workaround:
Refrain from using names with spaces.




&start; This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade

