Supplemental Document : F5OS-C 1.5.0 Fixes and Known Issues Release Notes

Applies To:

Show Versions Show Versions

F5OS-C

  • 1.5.0
Updated Date: 08/09/2022

F5OS-C Release Information

Version: 1.5.0
Build: 8535

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Known Issues in F5OS-C v1.5.x

Vulnerability Fixes

ID Number CVE Links to More Info Description
1067077 CVE-2021-43527 K54450124 NSS: Memory corruption in decodeECorDsaSignature with DSA


Functional Change Fixes

ID Number Severity Links to More Info Description
1043701 3-Major   Allow configurable partition hostname


F5OS-C Fixes

ID Number Severity Links to More Info Description
1091933 1-Blocking   After a partition upgrade, tenant health and traffic statistics are no longer presented
950901 2-Critical BT950901 Wrong chassis serial number chs599996s populates to VELOS tenants
1125505-1 2-Critical   LOP communication may stop working on a chassis controller after failover
1114861 2-Critical   Local controller etcd instance may become unreachable after a rolling upgrade.
1111549 2-Critical   System import functionality is unstable if PXE install source is not imported
1109021-1 2-Critical   CLI commands are not logged in audit.log
1107433 2-Critical   BIG-IP Next floating IPs do not properly issue GARPs on failover
1105001 2-Critical   Large tar/gz/iso file download via the restconf API fails.
1095977 2-Critical   Tenant disk image not removed from blade on scale-down of tenant deployment
1092913 2-Critical   Tenant CPU pinning can fail when a blade is moved to a new partition and the blade was previously running a deployed tenant
1092257 2-Critical   Downloading files larger 500 megabytes via File Utilities in the webUI can result in a corrupted file.
1091313 2-Critical   Rapid transition of BIG-IP Next tenant from Standby-to-Active-to-Standby can leave floating addresses active
1090521-1 2-Critical   Tenant Deployment may fail if the memory configured is an odd number.
1088565 2-Critical   Various services may stop working on a system controller if the LCD is malfunctioning
1080421-2 2-Critical   LACP does not transmit PDU's when creating a LAG
1078433-1 2-Critical BT1078433 BIG-IP Next Tenant Management IP address is not reachable after a chassis power cycle.
1076705-1 2-Critical   Etcd instance might not start correctly after upgrade
1073777 2-Critical   LACP interface goes down after the partition is disabled/enabled
1073305-1 2-Critical   Upgrade to F5OS-C 1.3.0 failed to upgrade chassis partition
1072209 2-Critical   Packets are dropped on VELOS when a masquerade MAC is on a shared VLAN
1053873 2-Critical   Partition CLI command 'show cluster nodes node' may time out
1039721 2-Critical   The system image displays data for only one VELOS controller
968881 3-Major BT968881 Creating a partition using the CLI, 'commit check' fails
1117561 3-Major   Vcc-terminal-server gets stuck in unsuccessful restart loop
1113233 3-Major   External access for BIG-IP Next pods can be lost after tenant redeployment
1112229-2 3-Major   File download API Changes to support file download from the GUI
1111237 3-Major   Logrotate parameters do not get updated by software upgrade
1110429 3-Major   Duplicate service-instance entries in chassis partition
1106881 3-Major   F5OS with an AFM license provisioned may provide incorrect AFM stats to a BIG-IP tenant
1106093 3-Major   After a node is removed from a running tenant, the operational status of that node remains
1104769 3-Major   After a node is removed from a tenant in provisioned mode, the operational status of that node remains
1103105 3-Major   The naming convention of core files has changed
1100861 3-Major   System aaa primary-key state not returning both hash and status
1097833-1 3-Major   Debug messages logged in platform.log
1093301 3-Major   GUI keeps showing "Firmware updates are currently in progress" after upgrade
1091641 3-Major   NTP (chrony) packet authentication is not fully implemented on VELOS
1090145 3-Major BT1090145 VLAN-Listener incorrectly updated on Network Manager component restart
1089037-1 3-Major BT1089037 Dnsmasq configuration blocks resolution of names in .local domains
1084817-2 3-Major   Container api-svc-gateway crashes due to certificate issues partition database
1084581 3-Major   Log files collected by QKView are truncated with the newest entries removed
1083993 3-Major   File import should check the target doesnt exist
1081333 3-Major   Local file path in file transfer-status for remote file import operation does not show appropriately
1080417-1 3-Major   List of running containers are not captured in host qkview
1079809 3-Major   Alert manager status is occasionally reported as unhealthy on startup
1079037 3-Major   Tenant deployment fails when tenant name ends with hyphen
1075693 3-Major   CVE-2021-22543 Linux Kernel Vulnerability
1073581 3-Major   Removing a 'patch' version of services might remove the associated 'base' version as well
1069917 3-Major   Platform registry ports can become de-synchronized, impacting Openshift deployment
1066185 3-Major   MIB files cannot be download or exported using file utilities.
1064225 3-Major BT1064225 HTTP response status codes do not match the result of the file import/export operations
1060097 3-Major   Chassis admin user cannot use SCP to import controller/chassis partition ISO images
1059073 3-Major   QKView upload to iHealth is not supported by web proxy
1051241 3-Major BT1051241 LAG and interface names should not contain special characters such as whitespace, asterisk, slashes, and curly braces.
1040461 3-Major BT1040461 Permissions of some qkview control files do not follow standards
1034093 3-Major   protobuf vulnerability: CVE-2021-3121
1102137 4-Minor   Diagnostics ihealth upload qkview-file does not auto-complete with available qkview file names
1085005 4-Minor BT1085005 'cluster nodes node blade-N reboot' failure message is incorrect
1079857 4-Minor   Orchestration-agent logs spurious "Warn" severity messages

 

Cumulative fix details for F5OS-C v1.5.0 that are included in this release

968881 : Creating a partition using the CLI, 'commit check' fails

Links to More Info: BT968881

Component: F5OS-C

Symptoms:
When creating a partition using the CLI, and trying to validate the changes with 'commit check', a validation error occurs:

partitions 'partition part1 uuid' is not configured.

Conditions:
-- Create a partition using the CLI.
-- Attempt to validate the changes using 'commit check'.

Impact:
The 'commit check' operation rejects this config change. This error is misleading, indicating that you need to specify a uuid value.

Note: Not only is uuid irrelevant, it is not possible for you to specify it.

Workaround:
None


950901 : Wrong chassis serial number chs599996s populates to VELOS tenants

Links to More Info: BT950901

Component: F5OS-C

Symptoms:
Under some corner cases, system controllers may have a blank serial number in the /etc/PLATFORM file. If partition software is started during this period, any tenants deployed on that partition will report an incorrect chassis serial number chs599996s.

Conditions:
- Restarting the system controllers
- Removing and adding the blades from the tenant

Impact:
VELOS tenants may report the wrong serial number, visible in "tmsh show sys hardware" or "tmsh list cm device".

If a VELOS tenant spans multiple blades, and the different blades pick up different serial numbers from F5OS, the tenant may fail to properly cluster; multiple tenant blades will function as cluster primary, competing over the cluster management IP.

Workaround:
The correct chassis serial number can be seen in the license file, which can be viewed from a tenant by running "tmsh show sys license".

If a tenant is currently bifurcated (multiple blades functioning as cluster primary), the immediate mitigation is to set the tenant to "provisioned" and then back to "deployed".

If a tenant is reporting the incorrect chassis serial number (chs599996s), then the following should restore the correct serial number:

1. Determine which controller has a blank serial number for the partition, by looking at "grep CHASSIS_SERIAL_NO /var/log/sw-util.log | tail -1" run on each controller, e.g.:

    [root@controller-2 ~]# for i in controller-{1,2}; do echo -n "$i: "; ssh $i grep CHASSIS_SERIAL_NO /var/log/sw-util.log | tail -1; done
    controller-1: ++ CHASSIS_SERIAL_NO=chs700144s
    controller-2: ++ CHASSIS_SERIAL_NO=
    [root@controller-2 ~]#

    In this example, controller-2 is affected.

2. Reboot the affected controller. After it reboots, check whether it has a blank serial number. Repeat this step until it boots, and reports a non-blank serial number.
3. From the partition, set the tenant to "provisioned" and then back to "deployed".
4. After the tenant reboots, confirm the serial numbers is now correct (not chs599996s) in the output of "tmsh show sys hardware"


1125505-1 : LOP communication may stop working on a chassis controller after failover

Component: F5OS-C

Symptoms:
Various services may become unresponsive or not work correctly when communicating with the LOP.

Conditions:
This can happen rarely during failover of a chassis controller.

Impact:
Any functionality that interacts with the LOP could be impacted.

Workaround:
Reboot the affected chassis controller.

Fix:
Resolve a platform-hal LOP communication lockup that can occur due to a race condition.


1117561 : Vcc-terminal-server gets stuck in unsuccessful restart loop

Component: F5OS-C

Symptoms:
Terminal services will fail to function and the vcc-terminal-server-main component container will appear to be stuck with a status of restarting.

Conditions:
When the vcc-terminal-server-main component container is restarted without first recreating the container from scratch, internal filesystem changes persist which prevent it from starting up successfully.

Impact:
This should generally not be seen in normal usage, although error conditions can trigger a basic container reset.

Workaround:
Restarting the system should perform a complete bringup of all component containers, including vcc-terminal-server-main, resulting in normal operation.

Fix:
This fix modifies the internal filesystem operations such that they do not prevent the container from initializing properly after a basic restart.


1114861 : Local controller etcd instance may become unreachable after a rolling upgrade.

Component: F5OS-C

Symptoms:
The local etcd instance on a system controller may be unreachable after a rolling upgrade. This can be seen via the output of /etc/etcd/dump_etcd.sh script on the controller.

Conditions:
This can happen during a rolling upgrade.

Impact:
The local etcd instance will become unreachable. If the local instance on the active controller is unreachable, and the standby controller fails, etcd and the openshift cluster will go offline.

Workaround:
None

Fix:
The unreachable etcd instance will be restored once the rolling update is completed.


1113233 : External access for BIG-IP Next pods can be lost after tenant redeployment

Component: F5OS-C

Symptoms:
Some of the pods for a BIG-IP Next tenant can lose external access after the tenant is redeployed.

Conditions:
Stale iptables rules assigned to the tenant are not being cleared after a tenant redeployment.

Impact:
The tenant loses external access on one or more of its pods.

Fix:
The iptables rules entries are cleared on a tenant redeploy.


1112229-2 : File download API Changes to support file download from the GUI

Component: F5OS-C

Symptoms:
Header information is not effective to download files from the GUI

Conditions:
X-Auth token is required to download from the GUI.

Impact:
Downloading files from the GUI fails.

Workaround:
None


1111549 : System import functionality is unstable if PXE install source is not imported

Component: F5OS-C

Symptoms:
If a VELOS controller is PXE installed with a given ISO, and that ISO is not imported manually on the controller after the installation, future imports may fail or be left in an inconsistent state.

Conditions:
1. PXE install VELOS controller
2. Fail to manually import ISO used for PXE install
3. Import other software

Impact:
Confusing import and upgrade failures under conditions that seem like they shouldn't produce issues.

Workaround:
After PXE installing a VELOS controller, make sure to manually import the ISO used for PXE install before importing any other platform software components.

Fix:
Better handling for case where ISO used for PXE install of VELOS controllers is not imported after install


1111237 : Logrotate parameters do not get updated by software upgrade

Component: F5OS-C

Symptoms:
If the parameters (frequency/size) for log file rotation are updated in a new software release, they are not updated on the target system during upgrade. The result is that the size of retained log messages depends on the upgrade history, not on the software version.

Conditions:
System that is live upgraded from any version to any other version prior to F5OS-C-1.5.0.

Impact:
When logfiles are collected by qkview, differing amounts of data may be gathered, perhaps omitting information that was intended to be collected.

Workaround:
None.

Fix:
The system updates the logrotate parameters during software install, so that the setting correspond to the software version, not the upgrade history.


1110429 : Duplicate service-instance entries in chassis partition

Component: F5OS-C

Symptoms:
In rare circumstances, when viewing the partition service-instance entries, duplicate entries will exist for system level daemons like LACPD, L2FwdSvc, and SwRbcaster. The issue occurs rarely, and user should only notice a cosmetic difference.

Conditions:
Adding blades to and removing blades from a partition may trigger the issue.

Impact:
Display is not correct.

Workaround:
Delete and recreate the affected partition.

Fix:
Duplicate service-instance entries will be removed in cases of a blade rebooting and a blade being added to a partition.


1109021-1 : CLI commands are not logged in audit.log

Component: F5OS-C

Symptoms:
CLI commands from confd are getting logged in audit.log.

Conditions:
Execute commands using the confd CLI.

Impact:
CLI commands which are required for security compliance audit will not get logged in audiit.log file.

Workaround:
None


1107433 : BIG-IP Next floating IPs do not properly issue GARPs on failover

Component: F5OS-C

Symptoms:
The floating management IP of a BIG-IP Next high availability (HA) pair may not function correctly after an high availability (HA) failover when running on F5OS-C-1.4.0.

Conditions:
When the BIG-IP Next active instance changes location, the mapping of IP to MAC address and switch ports needs to be updated in the network, or packets will continue to be routed to the "old" active instance.

Impact:
The floating management IP will not be usable for some period of time after failover. If a client is actively connected and sending packets, this condition can persist forever.

Workaround:
None.

Fix:
The high availability (HA) failover logic now correctly issues unsolicited ARP replies (GARP) in order to flush/update the IP address mappings.


1106881 : F5OS with an AFM license provisioned may provide incorrect AFM stats to a BIG-IP tenant

Component: F5OS-C

Symptoms:
This is an intermittent problem where the affected BIG-IP tenant may receive incorrect statistics from the F5OS platorm. This can cause the BIG-IP tenant to drop DNS traffic that should not be dropped.

Typically, the BIG-IP tenant will have periods of time where it receives the correct stats, and periods where it receives incorrect stats.

Conditions:
All of the below must be true:

-- Two or more BIG-IP tenants are deployed either on the same node in a partition or on the same appliance.
-- An AFM license is installed on the F5OS platform.
-- At least one tenant is receiving malformed DNS traffic.

Impact:
Clients that send DNS traffic to the affected BIG-IP tenant will not receive DNS responses when they should.

Workaround:
When AFM is provisioned for the system, deploying tenants on different nodes on a chassis based system or one tenant per appliance avoids the issue.

Fix:
BIG-IP tenants receive the correct platform statistics regardless of the node in which they are deployed.


1106093 : After a node is removed from a running tenant, the operational status of that node remains

Component: F5OS-C

Symptoms:
When a node is removed from the configuration of a running tenant, the node that was removed remains in the CLI operational status of the tenant.

Conditions:
-- A tenant spans multiple nodes and is running.
-- One of the nodes is removed

Impact:
The operational status of the tenant for the node that was removed is incorrect.

Workaround:
None

Fix:
The correct operational status of the tenant is displayed.


1105001 : Large tar/gz/iso file download via the restconf API fails.

Component: F5OS-C

Symptoms:
Downloading large tar/gz/iso files using the restconf API resulting in a corrupted file.

Conditions:
Large tar/gz/iso file download via the restconf API

Impact:
Download fails, the downloaded file is corrupted.

Workaround:
None

Fix:
Fixed the code to download large tar/gz/iso files.


1104769 : After a node is removed from a tenant in provisioned mode, the operational status of that node remains

Component: F5OS-C

Symptoms:
When a node is removed from the configuration of a tenant that is in provisioned mode, the node that was removed remains in the CLI operational status of the tenant.

Conditions:
-- A tenant spans multiple nodes and is in a state of Provisioned.
-- One of the nodes is removed

Impact:
The operational status of the tenant for the node that was removed is incorrect.

Workaround:
None

Fix:
The correct operational status of the tenant is displayed.


1103105 : The naming convention of core files has changed

Component: F5OS-C

Symptoms:
Core files were previously named <app>-1.core.gz or <app>-2.core.gz where <app> was the first 12 characters of the failing executable. New core file are named as follows: core.<app>.<pid>.<timestamp>.core.gz.

Conditions:
A core file is created.

Impact:
The name of the core file is now different.

Workaround:
None

Fix:
The core files will now have a name that is consistent with other F5 formatting for core-files.


1102137 : Diagnostics ihealth upload qkview-file does not auto-complete with available qkview file names

Component: F5OS-C

Symptoms:
The confd command

system diagnostics ihealth upload qkview-file ?

Is not tab-expandable, and you are not presented with the list of available qkview files.

Conditions:
Running 'system diagnostics ihealth upload qkview-file <TAB>' to see the list of available qkview files.

Impact:
The available qkview files are not presented using tab autocomplete.

Workaround:
Run "system diagnostics qkview list" to obtain the list of available qkview files, and then manually type the desired qkview file name in when using the 'system diagnostics ihealth upload qkview-file' command.

Fix:
Hitting <TAB> after system diagnostics ihealth upload qkview-file will produce a list of available files. Entering part of the name and <TAB> will auto-complete selecting a valid and available qkview file name.


1100861 : System aaa primary-key state not returning both hash and status

Component: F5OS-C

Symptoms:
Requesting both hash and status by the query command "system aaa primary-key state" fails.

Conditions:
When no key-migration has been performed.

Impact:
Requesting the status fails.

Workaround:
Perform a key migration.

Fix:
The fix allows the query of the system state and there is no failure, returning "NONE" if no key-migration was known to the system.


1097833-1 : Debug messages logged in platform.log

Component: F5OS-C

Symptoms:
When performing an ISO install on the hardware, some services log debug messages to platform.log until confd comes up.

Conditions:
This occurs during an ISO install.

Impact:
Unnecessary debug logs are logged to platform.log.

Workaround:
None


1095977 : Tenant disk image not removed from blade on scale-down of tenant deployment

Component: F5OS-C

Symptoms:
If a tenant is scaled down to run on fewer blades, the tenant disk image will be left behind on the blade that the tenant was scaled down from.

Conditions:
BIG-IP tenant image running on one or more blades where one of the running blades is removed from the tenant configuration.

Impact:
Tenant image file will be left on blade where the tenant is scale down from:

/var/F5/partition<#>/cbip-disks/<tenant_name>.raw

Workaround:
The tenant disk image can be removed directly from the blade via the shell using the rm command. This can be done by the chassis administrator.

Fix:
Bug has been fixed to cause removal of tenant disk image when tenant deployment is scaled down.


1093301 : GUI keeps showing "Firmware updates are currently in progress" after upgrade

Component: F5OS-C

Symptoms:
- GUI keeps showing "Firmware updates are currently in progress"
- Both system controllers report that they are active
- Chassis firmware updates can fail

Conditions:
The active system controller is updating its AOM, and while that update is occurring the peer system controller assumes the active role. When the initially active system controller's AOM boots again it will not report that the arbitration state has changed.

Impact:
There seems to be no operational impact.

Workaround:
Reset the initially active system controller.

Fix:
Fix for GUI continuously showing "Firmware updates are currently in progress" after upgrade


1092913 : Tenant CPU pinning can fail when a blade is moved to a new partition and the blade was previously running a deployed tenant

Component: F5OS-C

Symptoms:
Newly deployed tenants on a blade just moved to a new partition will not perform optimally and confd tenant status may show the cpu allocations to the tenant failed.

Conditions:
A blade is running a deployed tenant

The blade is moved into a new partition

   or

The blade tenant is deleted, and less than about 2 minutes after that, the blade is moved to a new partition

Impact:
It's possible one or more new tenants deployed on the blade in the new partition will fail to be assigned to appropriate cpus. This could affect the performance of those tenants.

Workaround:
The main issue is that before the blade moved to the new partition, it never had the chance to release the cpus assigned to any tenants that had been deployed on the blade.

The first thing is to try and avoid this problem from happening at all be ensuring that tenants are not deployed on a blade before moving it to a new partition. Changing a tenant's deployed state to any other state (provisioned, configured, deleted) is not synchronous, so wait at least 2 minutes before moving the blade to a new partiiton.

But if avoidance fails, it is still possible to clean up the tenant cpu allocator database. The simplest steps are:

1. If any tenants are deployed on the blade in the new partition, set them to provisioned, and wait more than 2 minutes.
2. Manually remove the tenant cpu database file on the blade: "rm /opt/f5/cpumgr/cpu_users"
3. Reboot the blade (this will recreate the above file, but with all tenant records cleared)
4. Redeploy any tenants from step 1.


1092257 : Downloading files larger 500 megabytes via File Utilities in the webUI can result in a corrupted file.

Component: F5OS-C

Symptoms:
When using the File Utilities feature in the webUI, if you select a file that is larger than 500MB and attempt to download it locally the file could become corrupted.

Conditions:
Selecting and attempting to download a file 500MB or greater when using File Utilities in the webUI.

Impact:
The downloaded file is corrupted.

Workaround:
Files 500 megabytes or larger in size can be selected and exported from the device using the "Export" option available in File Utilities that will export the file over HTTPS. Additionally, files can be exported from the device using the Secure Copy Protocol (SCP).

Fix:
Downloading files that are 500 megabytes or larger in size has been temporarily disabled in the webUI. You will receive a warning popup when you select a file that is 500MB or larger and click the Download button. The warning popup advises you to use another supported option to export the file.


1091933 : After a partition upgrade, tenant health and traffic statistics are no longer presented

Component: F5OS-C

Symptoms:
Health and traffic statistics for a tenant are not available after a partition upgrade.

Conditions:
This occurs after upgrading a partition.

Impact:
You are unable to see updated health and traffic statistics for the tenant.

Workaround:
The tenant running-state can be toggled from Running to Configured and then back to Running.


1091641 : NTP (chrony) packet authentication is not fully implemented on VELOS

Component: F5OS-C

Symptoms:
It is not possible to enable NTP packet authentication.

Conditions:
Running a version of F5OS-C earlier than 1.5.0.

Impact:
NTP packet authentication is not available.

Workaround:
None

Fix:
Added support for NTP packet authentication


1091313 : Rapid transition of BIG-IP Next tenant from Standby-to-Active-to-Standby can leave floating addresses active

Component: F5OS-C

Symptoms:
A rapid transition of a BIG-IP Next tenant from Standby-to-Active-to-Standby can leave the floating IP address active even though the tenant is in Standby.

Conditions:
This happens only if the transition to Active and back to Standby happens in under 40 seconds or so.

Impact:
The high availability (HA) floating address remains active on both instances of the BIG-IP Next tenant, causing high availability (HA) issues with the tenant.

Workaround:
If this condition occurs, effect a failover on the BIG-IP Next tenant.

This causes the address to be removed on the previously Active instance.

If failover is unsuccessful, wait for 60 seconds and issue one more failover.


1090521-1 : Tenant Deployment may fail if the memory configured is an odd number.

Component: F5OS-C

Symptoms:
1. Tenant Deployment Fails.
2. System may go into bad state.

Conditions:
When memory configured for a tenant is set to an odd number.

Impact:
Tenant Deployment Fails.

Workaround:
This issue has been fixed in F5OS-A 1.2.0.


1090145 : VLAN-Listener incorrectly updated on Network Manager component restart

Links to More Info: BT1090145

Component: F5OS-C

Symptoms:
When the Network Manager component is restarted, VLAN Listener entries can be incorrectly updated to each tenant's default Service ID.

Conditions:
Network Manager restarts can happen due to system controller restarts, partition upgrades, or a manual restart.

Impact:
Some traffic could incorrectly follow the default Port Hash disaggregation algorithm. For example, if a VLAN has been set to use the IPPORT disaggregation algorithm, this reset can cause some of the traffic to revert to using the default Port Hash algorithm.

Workaround:
Inside the affected tenants, the cmp-hash field can be changed back to default, then changed back to the desired setting.


1089037-1 : Dnsmasq configuration blocks resolution of names in .local domains

Links to More Info: BT1089037

Component: F5OS-C

Symptoms:
DNS resolution of names in .local domains will be blocked by the dnsmasq configuration.

Conditions:
Some domain names are in the .local domain.

Impact:
Name resolution of hostnames in the .local domain will not work correctly.

Workaround:
None

Fix:
Dnsmasq configuration has been updates to remove overly restrictive local=/local/ entry.


1088565 : Various services may stop working on a system controller if the LCD is malfunctioning

Component: F5OS-C

Symptoms:
Various services may become unresponsive or not work correctly.

Conditions:
LCD is not working, or host cannot communicate with the LCD.

Impact:
Any functionality that interacts with platform-hal could be impacted.

Workaround:
Recover or repair the LCD. Rebooting the affected system controller can also help temporarily.

Fix:
Fixed a leak that occurs when platform-hal cannot communicate with the LCD.


1085005 : 'cluster nodes node blade-N reboot' failure message is incorrect

Links to More Info: BT1085005

Component: F5OS-C

Symptoms:
Attempting to reboot a blade that is not assigned to the partition generates a cryptic error message:

default-2(config)# cluster nodes node blade-2 reboot
Error: Node is Not Assigned false

Conditions:
Attempt to reboot a blade that is not assigned to the partition.

Impact:
Inaccurate information provided to the user.

Workaround:
None

Fix:
Fixed the error message:

default-1(config)# cluster nodes node blade-2 reboot
Error: Node is not assigned to this partition.


1084817-2 : Container api-svc-gateway crashes due to certificate issues partition database

Component: F5OS-C

Symptoms:
The api-svc-gateway container crashes when a bad self-signed certificate or key is published to partition database.

Conditions:
A corrupted certificate/key causes the issue

Impact:
The api-svc-gateway service crashes.

Workaround:
Run the following command:

(config) # system database reset-to-default proceed

Fix:
In the scenario this happens, api-svc-gateway now:

 * detects when it cannot set up an SSL connection using these credentials
 * logs an error
 * sets health status to unhealthy with appropriate error and severity
 * tries to start a grpc server with only insecure credentials


1084581 : Log files collected by QKView are truncated with the newest entries removed

Component: F5OS-C

Symptoms:
If log files are exceedingly large, they may be truncated when collected by QKView from the 'bottom-up', meaning that the most recent log entries are clipped.

Conditions:
Log files exceed the maximum file size (default 500 MB) specified during QKView creation.

Impact:
Most recent log entries are clipped, making diagnosis difficult.

Workaround:
Collect the log files manually.

Fix:
QKView log files are now truncated 'top-down', preserving the most recent log entries.


1083993 : File import should check the target doesnt exist

Component: F5OS-C

Symptoms:
File import will fail if the same file name already exists.

Conditions:
Importing a file that already exists on the file system.

Impact:
An error occurs if the file already exists.

Workaround:
None


1081333 : Local file path in file transfer-status for remote file import operation does not show appropriately

Component: F5OS-C

Symptoms:
Local file path does not show appropriately when file import operation is done from a remote URL.

Conditions:
File transfer from a remote URL with query params.

Impact:
Inappropriate file name shown in local file path.

Fix:
Modified file name in utils-agent code to remove unnecessary query params after file name.


1080421-2 : LACP does not transmit PDU's when creating a LAG

Component: F5OS-C

Symptoms:
The LAG interface creation will not be successful and tx packet count in 'show lacp' will be zero.

Conditions:
This issue occurs due to a race condition while creating a LAG interface and is not reproducible every time.

Impact:
Link aggregation of the front panel ports will not work as expected.

Workaround:
1) clear newly added lag configurations
   a) remove lacp interface
      no lacp interfaces interface <lag-name>
   b) remove interfaces from lag
      no interfaces interface <interface> ethernet config aggregate-id
   c) remove lag interface
      no interfaces interface <lag-interface>
2) create Lag interface and add interfaces to the lag

Fix:
Fix code to remove the race condition and read lag-type as LACP


1080417-1 : List of running containers are not captured in host qkview

Component: F5OS-C

Symptoms:
List of running containers are not captured in host qkview

Conditions:
Collect qkview and look for list of containers running on the system from qkview file.

Impact:
Unable to get the list of running containers from qkview

Workaround:
Administrator needs to run 'docker ps' command on the system and share the output with support.

Fix:
Qkview includes list of running containers on the system


1079857 : Orchestration-agent logs spurious "Warn" severity messages

Component: F5OS-C

Symptoms:
Orchestration-agent can issue Warning-level log messages about "unknown tags" in velos.log, similar to this:

2022-02-09T19:57:07.444093+00:00 controller-1(p1) orchestration-agent[1]: priority="Warn" version=1.0 msgid=0x503000000000003 msg="unknown tag in operation" TAG=1013977200 OP=4.

Conditions:
Schema changes can result in new items being added that the code does not care about, but can result in log messages.

Impact:
No functional impact, these warnings an be safely ignored.

Workaround:
None

Fix:
The orchestration-agent no longer logs warnings about unknown tags.


1079809 : Alert manager status is occasionally reported as unhealthy on startup

Component: F5OS-C

Symptoms:
When Alert manager health is reported as unhealthy, it displays system controller health as unhealthy and causes failover

Conditions:
On startup, if any one of the analog sensors reports a sensor fault while reading its initial state, it is causing alert manager go unhealthy.

Impact:
It causes controller health fault/failover

Workaround:
None

Fix:
Added diagnostic tasks to monitor the health of sensors, VFC and VPC periodically and raise alerts.


1079037 : Tenant deployment fails when tenant name ends with hyphen

Component: F5OS-C

Symptoms:
A tenant fails to deploy and reports "Tenant deployment failed - Server is not responding" if the user-configured tenant name ends with a hyphen.

Conditions:
Tenant name ends with a hyphen.

Impact:
Tenant will not deploy.

Workaround:
Delete the tenant and recreate it with a valid name, consisting only of alphanumeric characters with embedded hyphens.

Fix:
The configuration validation code rejects attempts to create a tenant with an invalid name.


1078433-1 : BIG-IP Next Tenant Management IP address is not reachable after a chassis power cycle.

Links to More Info: BT1078433

Component: F5OS-C

Symptoms:
After a chassis is restarted during a system reboot or power cycle, the tenant cannot be reached using the management IP address.

Conditions:
Primarily during a chassis power cycle, tenant IP addresses cannot be reached.

Impact:
Tenant admins will not be able to perform management operations such as network creation/Application configuration.

Workaround:
If the tenant is recovered within a certain time period, toggling its state from Partition will fix it.

CLI:

tenants tenant <name> config running-state configured; commit; exit
tenants tenant <name> config running-state deployed; commit; exit


1076705-1 : Etcd instance might not start correctly after upgrade

Component: F5OS-C

Symptoms:
/etc/etcd/dump_etcd.sh might show that the etcd instance native to system controller #1 or #2 does not come up after an upgrade.

This displays in the output of /etc/etcd/dump_etcd.sh and might occur for the .3.51 or .3.52 node:

failed to check the health of member 25fa6669d235caa6 on https://100.65.3.52:2379: Get https://100.65.3.52:2379/health: dial tcp 100.65.3.52:2379: connect: connection refused
member 25fa6669d235caa6 is unreachable: [https://100.65.3.52:2379] are all unreachable

This can cause a longer OpenShift outage if the system controller containing the healthy instance is rebooted, and complete outage if the system controller containing the healthy instance is lost.

Conditions:
This is caused by a previous mount failure of the drbd file system, which causes a corruption of the etcd instance on the standby system controller. This is seen very infrequently.

Impact:
The local etcd instance on the affected system controller will not work correctly, compromising the high availability (HA) availability of the OpenShift cluster. The cluster will continue to work correctly while both system controllers are up.

Workaround:
Rebuild the OpenShift cluster by running "touch /var/omd/CLUSTER_REINSTALL" from the CLI on the active system controller. This will cause all running tenants to be taken down during the cluster reinstall, which takes 50+ minutes.

Fix:
This is fixed in F5OS-C 1.4.0 and later.


1075693 : CVE-2021-22543 Linux Kernel Vulnerability

Component: F5OS-C

Symptoms:
A flaw was found in the Linux kernel’s KVM implementation, where improper handing of the VM_IO|VM_PFNMAP VMAs in KVM bypasses RO checks and leads to pages being freed, while still accessible by the VMM and guest.

Impact:
This flaw allows users who can start and control a VM to read/write random pages of memory, resulting in local privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.

Workaround:
None

Fix:
Updated the kernel version to kernel-3.10.0-1160.45.1.el7.rpm .


1073777 : LACP interface goes down after the partition is disabled/enabled

Component: F5OS-C

Symptoms:
If LACP interfaces are configured and used by the tenant, after the partition is disabled/enabled, the LACP interface may not work properly due to wrong interface LACP state, which is caused by the disable/enable process.

Symptoms: interface state lacp_state is LACP_DEFAULTED
For example: interface 2/1.0 is one of member of an LACP interface, which works fine before the partition is disabled/enabled. After the partition is disabled/enabled, run "show interfaces interface 2/1.0 state" command; the output is lacp_state LACP_DEFAULTED.

lacp_state LACP_DEFAULTED is wrong which will cause vlan-listeners missing on the blade. vlan-listeners missing on the blade will cause tenant interface failure.

Conditions:
1. LACP interface is used.
2. LACP interface is configured correctly and up before the partition is disabled/enabled.
3. Disable/enable the partition.

Impact:
Tenant will not be able to send/receive user traffic and it will not recover automatically.

Workaround:
Remove the ethernet interface from the aggregation and re-attach it to the aggregation. This will recover the interface state and resolve the problem.
Example: commands to recover the interface (interface 2/1.0 belongs to the LACP interface lag1 and 2/1.0 has a wrong lacp_state).
1. In the partition CLI, remove the aggregate-id for the interface.

Entering configuration mode terminal
default-1(config)# no interfaces interface 2/1.0 ethernet config aggregate-id ;commit
Commit complete.
default-1(config)#

2. Re-add the aggregate-id.
default-1(config)# interfaces interface 2/1.0 ethernet config aggregate-id lag1 ;commit

3. Reboot the blade (optional step -- use only if step 1 and 2 did not fix the problem).


1073581 : Removing a 'patch' version of services might remove the associated 'base' version as well

Component: F5OS-C

Symptoms:
Removing a 'patch' version (X.Y.Z, Z>0) of a platform ISO or services might, under certain conditions, lead to the unexpected removal of the 'base' version (X.Y.0) associated with that patch.

Conditions:
1. A 'patch' ISO is imported when the 'base' associated with the patch is not already imported (Ex. An F5OS-C 1.2.2 ISO is imported, and F5OS-C1.2.0 is not already imported).
2. Some time later, the F5OS-C 1.2.2 ISO is removed. This also removes the 1.2.0 services.

Impact:
F5OS-C removes software that wasn't explicitly chosen to be removed.

Workaround:
To work around this issue, import the 'base' version ISO (X.Y.0) before importing any patches. If this is done, removal of a 'patch' will not remove the 'base'. If a 'base' was already removed accidentally, re-importing the 'base' ISO will also make it available again.

Fix:
N/A


1073305-1 : Upgrade to F5OS-C 1.3.0 failed to upgrade chassis partition

Component: F5OS-C

Symptoms:
Upgrading VELOS from F5OS-C 1.2.2 to 1.3.0 caused partition containers to go in crashbackoffloop back. This can be checked by running this command:

oc get pods --all-namespaces |grep -i crash

Conditions:
After upgrading to F5OS-C 1.3.0, tenant datapath interfaces do not come up.

Impact:
Traffic is impacted.

Workaround:
Restarting the chassis partition, that is, disabling and enabling the chassis partition fixes the issue.

Fix:
N/A


1072209 : Packets are dropped on VELOS when a masquerade MAC is on a shared VLAN

Component: F5OS-C

Symptoms:
On the VELOS platform, any packets destined to a masquerade MAC address are dropped when the masquerade MAC is located on a shared VLAN (a VLAN shared between multiple F5OS tenants).

On rSeries hardware platforms, all traffic for this MAC is first handled by the software-rebroadcaster and is replicated to all tenants sharing that VLAN.

Conditions:
-- A masquerade MAC is configured on a shared VLAN.
-- Traffic to the MAC address is initiated, i.e. ping a floating self-ip
-- The packets are dropped on ingress

Impact:
Connectivity issues.

Workaround:
Configure a static fdb entry at the partition level.

Fix:
Packets are no longer dropped when a masquerade MAC is on a shared VLAN.


1069917 : Platform registry ports can become de-synchronized, impacting Openshift deployment

Component: F5OS-C

Symptoms:
Under certain circumstances, platform services on the active and standby controllers can end up residing in docker registries that use different port numbers. This can result in Openshift pods failing to start, because they expect these port assignments to be synchronized.

Conditions:
Varied causes, which lead to inconsistent registry port assignments on active and standby controllers.

Impact:
Openshift pods cannot start.

Fix:
Added more checks to ensure platform registry ports are synchronized between controllers.


1067077 : NSS: Memory corruption in decodeECorDsaSignature with DSA

Links to More Info: K54450124


1066185 : MIB files cannot be download or exported using file utilities.

Component: F5OS-C

Symptoms:
MIB directory is not available for download or export file utilities

Conditions:
-- BIG-IP Next system
-- You would like to download the MIB file(s) via the file utilities API

Impact:
You are unable to download the MIBs or export them.

Workaround:
None


1064225 : HTTP response status codes do not match the result of the file import/export operations

Links to More Info: BT1064225

Component: F5OS-C

Symptoms:
HTTP response status codes do not match the result of the file import/export operations.

Conditions:
When the unallowed path is given in file import CLI

Impact:
User experience

Workaround:
None

Fix:
Return the proper HTTP codes in error scenarios as well.


1060097 : Chassis admin user cannot use SCP to import controller/chassis partition ISO images

Component: F5OS-C

Symptoms:
The controller admin user cannot copy ISO images to the chassis for import.

Conditions:
SCP is not allowed for the admin user.

Impact:
User must either use root shell access or a different upload protocol that may not be convenient based on the user network configuration.

Workaround:
None

Fix:
The controller admin use can now use the SCP command on a client machine to upload controller or chassis partition ISOs to the chassis active or floating management IP by specifying a target directory of "IMAGES/" in the same fashion that the partition admin user can use for importing tenant images.

scp F5OS-C-1.5.0-4444.PARTITION.DEV.iso admin@activeccip:IMAGES/


1059073 : QKView upload to iHealth is not supported by web proxy

Component: F5OS-C

Symptoms:
The upload to iHealth feature for sending QKView data to the external F5 service is not supported by web proxy. This means that QKView files must be copied to a local computer on your intranet before the files can be uploaded.

Conditions:
Uploading a QKView file to the iHealth service.

Impact:
Several steps are required to move QKView files around before uploading to iHealth, which is inconvenient.

Workaround:
Copy the QKView file to a computer on the intranet.

Then you can upload the QKView file to the iHealth service from that secondary computer when it has internet access.

Fix:
Web proxy now supports uploading QKView files to iHealth.


1053873 : Partition CLI command 'show cluster nodes node' may time out

Component: F5OS-C

Symptoms:
Running the command 'show cluster nodes node' in the chassis partition CLI may cause a time-out.

Conditions:
Internal problem within the CLI design can trigger this situation where the CLI command fails and times out.

Impact:
User is unable to access the output of this command.

Fix:
CLI command infrastructure was redesigned.


1051241 : LAG and interface names should not contain special characters such as whitespace, asterisk, slashes, and curly braces.

Links to More Info: BT1051241

Component: F5OS-C

Symptoms:
-- LAGs (trunks) not functional in system.
-- LACPD daemon in a restart loop
-- The "LAGs" and "Interfaces" pages in the F5OS partition GUI fail to load and report "Something went wrong. Check the web browser console for more details or contact technical support for assistance."

Conditions:
-- A LAG is defined that has a space in the name.

When a user creates an LAG interface that contains whitespace characters, the LACPD daemon fails to read the interface information, and keeps restarting until the interface is removed or the name is changed to a regular name.

Impact:
All trunks in the partition are down.

Workaround:
Use the the F5OS partition CLI to remove the LAG, for example:

ottersPart-1(config)# no interfaces interface "test lag"
ottersPart-1(config)# no interfaces interface 2/2.0 ethernet config aggregate-id
ottersPart-1(config)# commit and-quit
Commit complete.
ottersPart-1#

Fix:
N/A


1043701 : Allow configurable partition hostname

Component: F5OS-C

Symptoms:
The partition name is set by the chassis administrator at creation time and cannot be changed. Every chassis starts with a partition named "default", so it can be difficult to determine what partition the user is connected to.

Conditions:
Users who have multiple partitions on multiple chassis, and need to easily tell them apart.

Impact:
User confusion, possible unintended configuration changes when connected to the wrong partition.

Workaround:
Create all partitions with unique names, and remove/do not use the "default" partition.

Fix:
The partition now has a configurable hostname under /system/config/hostname. This hostname accepts either a simple label or a fully qualified domain name, following DNS name rules.

The first label is used in the partition prompt in preference to the partition name.

The partition hostname can be set by the chassis administrator, or by partition administrator if not configured at the chassis level.

Behavior Change:
Partition hostname can now be configured, and is used in the partition CLI prompt if present.


1040461 : Permissions of some qkview control files do not follow standards

Links to More Info: BT1040461

Component: F5OS-C

Symptoms:
Permissions of some qkview control files do not follow standard.

Conditions:
Viewing permissions of qkview files.

Impact:
Some do not follow standards.

Workaround:
None

Fix:
Permissions of all qkview control files now follow the standards.


1039721 : The system image displays data for only one VELOS controller

Component: F5OS-C

Symptoms:
The 'show system image' command displays image details for only one VELOS controller, even though there is more than one.

Conditions:
Running the 'show system image' command after uploading VELOS software.

Impact:
No image information is displayed for a VELOS controller on the user interface.

Workaround:
Reboot the VELOS controllers (specifically vcc-partition-software-manager container).

Fix:
This issue has been fixed.


1034093 : protobuf vulnerability: CVE-2021-3121

Component: F5OS-C

Symptoms:
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects.

Conditions:
- Unmarshalling protobuf objects

Impact:
This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.

Workaround:
N/A

Fix:
Protobuf updated to mitigate CVE-2021-3121



Known Issues in F5OS-C v1.5.x


F5OS-C Issues

ID Number Severity Links to More Info Description
1134105-1 2-Critical   BIG-IP tenants might not start correctly after upgrade from 1.2.1 to 1.5.0
1133985-1 2-Critical   Controller upgrade from 1.4.0 to 1.5.0 caused the partition to go into failed state.
1132485-1 2-Critical   Controller sync can enter an erroneous double standby configuration in rare circumstances
1096729 2-Critical   IP Fragments are disaggragated incorrectly
1081281-1 2-Critical   Multi-Node BIG-IP Tenants may fail to cluster after rolling upgrade.
1134157-1 3-Major   When upgrading VELOS from v1.4.0 to v1.5.0, core file dagd is generated
1134117 3-Major   BIG-IP tenant libvirtd process can generate a core file when being shut down
1124061 3-Major   Tenant pods stuck in terminating stage for longer duration than necessary
1102765-1 3-Major   Blade is not in the Ready status in the cluster
1100713 3-Major   After a partition upgrade, a tenant in Provisioned state may show inconsistent CLI status
1084785 3-Major BT1084785 etcd database may be corrupted on upgrade to 1.3.1 release.
1065641 3-Major BT1065641 File import/export operation performed on disallowed paths is not shown in file transfer status

 

Known Issue details for F5OS-C v1.5.x

1134157-1 : When upgrading VELOS from v1.4.0 to v1.5.0, core file dagd is generated

Component: F5OS-C

Symptoms:
When upgrading VELOS from v1.4.0 to v1.5.0, core file dagd is generated.

Conditions:
Upgrading VELOS from v1.4.0 to v1.5.0.

Impact:
The core is generated during the blade shutdown phase of the upgrade; there is no traffic impact.


1134117 : BIG-IP tenant libvirtd process can generate a core file when being shut down

Component: F5OS-C

Symptoms:
Because it happens when the tenant is being shut down, and it happens after the virtual-machine has shut down, it does no harm, other than leaving a core file on the blade host environment where it happened.

This happens occasionally when BIG-IP tenants are shut down. It does not happen with BIG-IP NEXT tenants.

Conditions:
A BIG-IP tenant is shutdown.

Impact:
A core file is generated on a blade in /var/F5/partition1/shared/blade<N>/core/container

Workaround:
The core file may be manually removed.


1134105-1 : BIG-IP tenants might not start correctly after upgrade from 1.2.1 to 1.5.0

Component: F5OS-C

Symptoms:
BIG-IP tenants might not start correctly after upgrading from version 1.2.1 to version 1.5.0.

This can be seen in the "show tenant" output from the chassis partition CLI:

                      INSTANCE
NODE POD NAME ID PHASE CREATION TIME READY TIME STATUS MGMT MAC
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1 bigiptenant1-1 1 Pending 2022-08-05T09:40:52Z 2022-08-05T09:40:52Z Not ready: containers with unready status: [compute] 00:00:00:00:00:00
2 bigiptenant1-2 2 Pending 2022-08-05T09:40:52Z 2022-08-05T09:40:52Z Not ready: containers with unready status: [compute] 00:00:00:00:00:00
3 bigiptenant1-3 3 Pending 2022-08-05T08:35:15Z 2022-08-05T09:34:25Z Node 3 which was running tenant instance bigiptenant1 is unresponsive 5e:ad:6f:14:f0:a5
4 bigiptenant1-4 4 Pending 2022-08-05T08:35:17Z 2022-08-05T09:34:20Z Node 4 which was running tenant instance bigiptenant1 is unresponsive a2:e4:ef:be:9b:2f

Conditions:
This can occur when a v1.2.1 system with existing BIG-IP tenants is upgraded directly to v1.5.0.

Impact:
Tenant instance might not start correctly, which will cause an interruption to dataplane traffic.

Workaround:
The workaround is to configure the tenant to provisioned, and then back to deployed. This causes the tenant instance to restart.


1133985-1 : Controller upgrade from 1.4.0 to 1.5.0 caused the partition to go into failed state.

Component: F5OS-C

Symptoms:
After an upgrade of the system controller, the chassis partition went into a failed state.

syscon-1-active# show partitions partition default
                                                            RUNNING
             BLADE OS SERVICE PARTITION SERVICE STATUS
NAME ID VERSION VERSION CONTROLLER STATUS VERSION AGE
--------------------------------------------------------------------------------
default 1 1.4.0-4112 1.4.0-4112 1 failed - 5m
                                     2 running 1.4.0-4112 15m

Conditions:
Upgrade to v1.5.0 causes the chassis partition to go into a failed state.

Impact:
The partition management software goes into a failed state and the chassis partition cannot be managed.

Workaround:
Rebooting the failed controller after upgrade or restarting "vcc partition software manager" service fixes the issue.

"docker restart vcc-partition-software-manager"


1132485-1 : Controller sync can enter an erroneous double standby configuration in rare circumstances

Component: F5OS-C

Symptoms:
Under rare circumstances, the controller sync daemon (which is responsible for mirroring data between active and standby controllers) can end up in a "double standby" configuration. This results in an interruption in proper controller synchronization, and can result in negative impacts such as controller software import or upgrade failure.

Conditions:
Controller sync daemon on both active and standby controllers is configured to 'standby' mode.

Impact:
Controller sync does not work until corrected, which can result in a number of negative side effects such as import and live upgrade failures.

Workaround:
On the active controller, run:

echo get_state | nc -U /var/ccsync.unix

If output is 'standby', run:

echo stop | nc -U /var/ccsync.unix
echo start_active | nc -U /var/ccsync.unix


1124061 : Tenant pods stuck in terminating stage for longer duration than necessary

Component: F5OS-C

Symptoms:
When the system is rebooted/upgraded, Openshift will bring up new pods and terminate the old ones. During this process, terminating pods may run into a cleanup issue and be stuck in that state for a long period of time.

Conditions:
When the system is upgraded or rebooted

Impact:
No impact on the tenant traffic or performance.

Workaround:
Clean up the pods by running the following openshift command

oc delete pod <pod-name> --grace-period=0 --force -n partition-X

example:

partition-1 tenant2-data-store-7fc9bf578d-526wf 0/1 Terminating

oc delete pod tenant2-data-store-7fc9bf578d-526wf --grace-period=0 --force -n partition-1


1102765-1 : Blade is not in the Ready status in the cluster

Component: F5OS-C

Symptoms:
Blade does not join the cluster.

[root@controller-2 ~]# oc get nodes
NAME STATUS ROLES AGE VERSION
blade-1.chassis.local NotReady compute 3h v1.11.0+d4cacc0
blade-2.chassis.local Ready compute 3h v1.11.0+d4cacc0
controller-1.chassis.local Ready infra,master 3h v1.11.0+d4cacc0
controller-2.chassis.local Ready infra,master 3h v1.11.0+d4cacc0

service failure messages on the blade console

May 11 00:11:28 blade-2.chassis.local platform-deployment[13130]: Job for var-mnt-chassis.mount failed. See "systemctl status var-mnt-chassis.mount" and "journalctl -xe" for details.

Conditions:
It intermittently and rarely happens on up/downgrade.

Impact:
The blade cannot join the cluster and cannot run any tenant.

Workaround:
Reboot the blade through the partition CondfD.
CLI command:
cluster nodes node blade-X reboot
Where X is the slot number of the blade to reboot.


1100713 : After a partition upgrade, a tenant in Provisioned state may show inconsistent CLI status

Component: F5OS-C

Symptoms:
After a partition upgrade, if the running-state of a tenant is configured in the Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to tenant is in progress" state in the partition CLI status.

Conditions:
A race condition exists after an partition upgrade that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.

Impact:
The tenant state constantly changes.

Workaround:
Configure the running-state of the tenant to Deployed.


1096729 : IP Fragments are disaggragated incorrectly

Component: F5OS-C

Symptoms:
IP fragments are all sent to TMM0. They should be distributed to all TMMs.

Conditions:
IP fragment traffic.

Impact:
Higher than normal amount of traffic being sent to TMM0.


1084785 : etcd database may be corrupted on upgrade to 1.3.1 release.

Links to More Info: BT1084785

Component: F5OS-C

Symptoms:
etcd instance on one of the CC's may become unresponsive after rolling upgrade to 1.3.1 due to failure to mount drbd partition. System will continue to function, but if the CC with functioning etcd instance goes offline, the openshift cluster will stop responding.

Conditions:
Rolling upgrade to 1.3.1 release from older software release.

Impact:
No immediate impact, but will cause HA failure if CC that is not affected goes offline while the etcd instance on remaining CC has hit this issue.

Workaround:
Workaround is to re-install the openshift cluster by doing a "touch /var/omd/CLUSTER_REINSTALL" on the active CC.


1081281-1 : Multi-Node BIG-IP Tenants may fail to cluster after rolling upgrade.

Component: F5OS-C

Symptoms:
BIG-IP tenant instances may fail to cluster after a rolling upgrade, due to the CHASSIS_SERIAL_NO being set incorrectly in the config-map that is used to deploy the tenant instance.

This can be seen in the "show tmsh sys cluster" output on the tenant showing the slots in a failed state:

root@(localhost)(cfg-sync Standalone)(/S1-green-P::Active)(/Common)(tmos)# show sys cluster
 
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.238.133.200/24
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 07/21/22 01:10:47
 
  -------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed high availability (HA) Clusterd Reason
  -------------------------------------------------------------------------------------------
  | 1 :: :: available enabled true active running Run
  | 2 :: :: offline enabled false unknown shutdown Slot Failed
  | 3 :: :: offline enabled false unknown shutdown Slot Failed
  | 4 :: :: offline enabled false unknown shutdown Slot Failed
  | 5 :: :: offline enabled false unknown shutdown Slot Failed
  | 6 :: :: offline enabled false unknown shutdown Slot Failed
  | 7 :: :: offline enabled false unknown shutdown Slot Failed
  | 8 :: :: offline enabled false unknown shutdown Slot Failed

This condition can verified by display the config map for a tenant instance and verifying that the CHASSIS_SERIAL_NO field is empty.

e.g.

From the system controller shell:

oc get cm -n partition-1 <tenant_name>-<blade_#>-configmap -o json | egrep CHASSIS

Bad Entry:
# oc get cm -n partition-1 bigiptenant1-1-configmap -o json | egrep CHASSIS; done
        "CHASSIS_SERIAL_NO": "",

Good Entry:
oc get cm -n partition-1 bigiptenant1-2-configmap -o json | egrep CHASSIS; done
        "CHASSIS_SERIAL_NO": "chs414616s",

Conditions:
This can happen during a rolling a upgrade if the CHASSIS_SERIAL_NO field is not read correctly and the tenant instance is restarted as part of the rolling upgrade. This is an intermittent issue.

Impact:
If this issue occurs, one more instance of the tenant may not communicate correctly, which can cause some or all of the data plane to not function correctly, causing an outage

Workaround:
1.) Set tenant(s) state to provisioned for BIG-IP, or configured for BIGIP-Next
2.) Once the tenant(s) have stopped, disable the partition
3.) Re-enable the partition
4.) Set tenant(s) state back to deployed


1065641 : File import/export operation performed on disallowed paths is not shown in file transfer status

Links to More Info: BT1065641

Component: F5OS-C

Symptoms:
When file import/export is performed on unallowed paths, the status is not shown in the file transfer status.

Conditions:
Performing import/export is performed on unallowed paths.

Impact:
The rejected transfer status is not visible in the file transfer status.

Workaround:
None




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************