Cumulus RMP 3.3.1 Release Notes


Overview

These release notes support Cumulus RMP 3.3.1 and describe currently available features and known issues.

Cumulus RMP 3.3.1 supports these features and is available on the Penguin Computing Arctica 4804IP-RMP out-of-band switch.

Stay up to Date 

  • Please sign in and click Follow above so you can receive a notification when we update these release notes.
  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.


What's New in Cumulus RMP 3.3.1

Cumulus RMP 3.3.1 includes the following improvements:

  • Various security fixes (see below)

Installing Version 3.3.1

If you are upgrading from version 3.0.0 or later, use apt-get to update the software.

  1. Run apt-get update.
  2. Run apt-get upgrade.
  3. Reboot the switch.

New Install or Upgrading from Versions Older than 3.0.0

If you are upgrading from a version older than 3.0.0, or installing Cumulus RMP for the first time, download the Cumulus RMP 3.3.1 installer for Broadcom switches from the Cumulus Networks website, then use ONIE to perform a complete install, following the instructions in the user guide.

Note: This method is destructive; any configuration files on the switch will not be saved, so please copy them to a different server before upgrading via ONIE.

Important! After you install, run apt-get update, then apt-get upgrade on your switch so that Cumulus RMP includes any important or other package updates.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus RMP 3.3.1

The following is a list of issues fixed in Cumulus RMP 3.3.1 from earlier versions of Cumulus RMP.

Release Note ID Summary Description

RN-581 (CM-16142)
Update for security issue: libfreetype6 font vulnerability - DSA-3839 CVE-2016-10244 CVE-2017-8105 CVE-2017-8287  

Cumulus Networks does not include freetype in the Cumulus Linux repository; however, the repository does mirror libfreetype6, which comes from the freetype source package. The fixed package version for Jessie is 2.5.2-3+deb8u2.

This issue is tracked by Debian in the following security issue and bugs:

And also in the following CVEs:

Here is the content of Debian security advisory:

Debian Security Advisory DSA-3839-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 28, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : freetype
CVE ID : CVE-2016-10244 CVE-2017-8105 CVE-2017-8287
Debian Bug : 856971 861220 861308

Several vulnerabilities were discovered in Freetype. Opening malformed
fonts may result in denial of service or the execution of arbitrary
code.

For the stable distribution (jessie), these problems have been fixed in
version 2.5.2-3+deb8u2.

We recommend that you upgrade your freetype packages.


RN-609 (CM-16297)
Update for security issue: quagga_sudoers suggested entry allows unbounded quagga commands without password  

/etc/sudoers.d/quagga_sudoers has the following line, which is commented out:

Cmnd_Alias  VTY_SHOW   = /usr/bin/vtysh -c show *
# %quagga ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW

vtysh allows multiple -c commands on a single command line, and sudoers cannot parse the line so as to filter out extra commands. So if an administrator uncomments the line, any user can create any Quagga configuration that is possible with a -c argument.

Cumulus Networks recommends you edit the /etc/sudoers.d/quagga_sudoers file and delete the two lines mentioned above along with the preceding block comment.

This issue is fixed in Cumulus RMP 3.3.1.
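
One way to check a switch for the condition described in RN-609, as an added example (not Cumulus Networks' code): the hypothetical function audit_vtysh_sudoers scans a sudoers drop-in for a wildcard "vtysh -c" command alias and reports any uncommented rule that uses it. It assumes one entry per line (no backslash continuations) and runs on a constructed sample built from the two lines quoted above.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit a sudoers drop-in for the
# RN-609 pattern, a wildcard "vtysh -c ... *" command that is granted by
# an active (uncommented) rule.
# Returns 0 if nothing active was found, 1 if a risky rule is live.
audit_vtysh_sudoers() {
    awk '
        # Commented lines (and #include directives) grant nothing.
        /^[ \t]*#/ { next }

        # Remember every Cmnd_Alias whose command is a wildcard vtysh -c.
        /^[ \t]*Cmnd_Alias/ {
            if ($0 ~ /vtysh/ && $0 ~ / -c / && $0 ~ /\*/) {
                name = $2
                sub(/=.*/, "", name)      # handles NAME=/path with no spaces
                risky[name] = 1
            }
            next
        }

        # Any other live line is a candidate rule: flag it if it names a
        # risky alias or spells out the wildcard command directly.
        {
            hit = ($0 ~ /vtysh/ && $0 ~ / -c / && $0 ~ /\*/)
            for (n in risky) if (index($0, n)) hit = 1
            if (hit) { print FILENAME ":" FNR ": " $0; found = 1 }
        }

        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the alias and rule from the release note, with the
# rule uncommented as an administrator might have left it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Cmnd_Alias  VTY_SHOW   = /usr/bin/vtysh -c show *
%quagga ALL = (root) NOPASSWD:NOEXEC: VTY_SHOW
EOF

if audit_vtysh_sudoers "$sample"; then
    echo "no active wildcard vtysh rule"
else
    echo "RISKY: delete the rule and alias listed above"
fi
rm -f "$sample"
```

On a switch, point the function at /etc/sudoers.d/quagga_sudoers; validate the file with visudo -c after editing it.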


RN-610 (CM-16341)
ifupdown2 does not apply `link-down yes` for bridge ports or bond slaves  

If link-down yes is configured for a swp interface, it does not take effect when ifreload is run if the switch port is already in an up state and is part of a bridge or bond.

This issue has been fixed in Cumulus RMP 3.3.1.


RN-611 (CM-15813)
Bridge with `bridge-igmp-querier-src` configured still sources queries from 0.0.0.0  

When a bridge is configured with a VLAN interface (such as bridge1.10 below), and that interface has bridge-igmp-querier-src configured, IGMP queries generated from the bridge still source from 0.0.0.0:

auto bridge1
iface bridge1
 bridge-vlan-aware yes
 bridge-pvid 10
 bridge-ports swp52 swp49
 bridge-mcsnoop 1
 bridge-mcquerier 1
 bridge-mcqifaddr 1

auto bridge1.10
iface bridge1.10
 address 192.168.85.1/24
 bridge-igmp-querier-src 192.168.85.1

This issue is fixed in Cumulus RMP 3.3.1.


RN-612 (CM-15950)
cl_drop_cntrs_pp.py error with subinterfaces configured, causes high CPU utilization  

In Cumulus RMP, cl_drop_cntrs_pp.py has been updated to ignore interface names that include the @ character.

This prevents the following error, which was reported when a subinterface was configured on the switch and caused high CPU utilization:

2017-04-18T02:28:45.178409+00:00 leaf-103-01 cl_drop_cntrs_pp.py: Error: ethtool EXCEPTION=Command '['/sbin/ethtool', '-S', 'swp6.2@swp6']' returned non-zero exit status 96

This issue is fixed in Cumulus RMP 3.3.1.


RN-615 (CM-16309)
switchd dumps core in sub_intf hash table when sw_sub_int_key_ht is NULL during neighbor sync

Syncing VRFs triggered a route sync without setting up all the needed hash tables.

This issue has been fixed in Cumulus RMP 3.3.1.

 

RN-617 (CM-16413)
Complete loss of traffic on bond subinterface when member goes down

On a switch where a bond and a subinterface of that bond are configured, when a member of that bond goes down, all unicast IP traffic destined to the switch is not terminated.

This issue has been fixed in Cumulus RMP 3.3.1.

Known Issues in Cumulus RMP 3.3.1

Issues are categorized for easy review. Some issues are fixed, but the fixes will be available in a later release.

Release Note ID Summary Description

RN-56 (CM-343)
IPv4/IPv6 forwarding disabled mode not recognized

If either of the following is configured:

net.ipv4.ip_forward == 0 

or:

net.ipv6.conf.all.forwarding == 0 

The hardware still forwards packets if there is a neighbor table entry pointing to the destination.


RN-120 (CM-477)
ethtool LED blinking does not work with switch ports

Linux uses ethtool -p to identify the physical port backing an interface, or to identify the switch itself. Usually this identification is by blinking the port LED until ethtool -p is stopped.

This feature does not apply to switch ports (swpX) in Cumulus RMP.

RN-121 (CM-2123)
ptmd: When a physical interface is in a PTM FAIL state, its subinterface still exchanges information

Issue:
When ptmd is incorrectly in a failure state and the Zebra interface is enabled, PIF BGP sessions are not establishing the route, but the subinterface on top of it does establish routes.

If the subinterface is configured on the physical interface and the physical interface is incorrectly marked as being in a PTM FAIL state, routes on the physical interface are not processed in Quagga, but the subinterface is working.

Steps to reproduce:
cumulus@switch:$ sudo vtysh -c 'show int swp8' 
Interface swp8 is up, line protocol is up 
PTM status: fail
index 10 metric 1 mtu 1500 
 flags: <UP,BROADCAST,RUNNING,MULTICAST>
 HWaddr: 44:38:39:00:03:88 
 inet 12.0.0.225/30 broadcast 12.0.0.227 
 inet6 2001:cafe:0:38::1/64 
 inet6 fe80::4638:39ff:fe00:388/64 
cumulus@switch:$ ip addr show | grep swp8 
 10: swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc pfifo_fast state UP qlen 500 
  inet 12.0.0.225/30 brd 12.0.0.227 scope global swp8 
 104: swp8.2049@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.229/30 brd 12.0.0.231 scope global swp8.2049 
 105: swp8.2050@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.233/30 brd 12.0.0.235 scope global swp8.2050 
 106: swp8.2051@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.237/30 brd 12.0.0.239 scope global swp8.2051 
 107: swp8.2052@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.241/30 brd 12.0.0.243 scope global swp8.2052 
 108: swp8.2053@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP>
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.245/30 brd 12.0.0.247 scope global swp8.2053 
 109: swp8.2054@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP> 
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.249/30 brd 12.0.0.251 scope global swp8.2054
 110: swp8.2055@swp8: <BROADCAST,MULTICAST,UP,LOWER_UP>
  mtu 1500 qdisc noqueue state UP 
  inet 12.0.0.253/30 brd 12.0.0.255 scope global swp8.2055
cumulus@switch:$ bgp sessions: 
 12.0.0.226 ,4 ,64057 , 958 , 1036 , 0 , 0 , 0 ,15:55:42, 0, 10472 
 12.0.0.230 ,4 ,64058 , 958 , 1016 , 0 , 0 , 0 ,15:55:46, 187, 10285
 12.0.0.234 ,4 ,64059 , 958 , 1049 , 0 , 0 , 0 ,15:55:40, 187, 10285 
 12.0.0.238 ,4 ,64060 , 958 , 1039 , 0 , 0 , 0 ,15:55:45, 187, 10285 
 12.0.0.242 ,4 ,64061 , 958 , 1014 , 0 , 0 , 0 ,15:55:46, 187, 10285 
 12.0.0.246 ,4 ,64062 , 958 , 1016 , 0 , 0 , 0 ,15:55:46, 187, 10285 
 12.0.0.250 ,4 ,64063 , 958 , 1029 , 0 , 0 , 0 ,15:55:43, 187, 10285 
 12.0.0.254 ,4 ,64064 , 958 , 1036 , 0 , 0 , 0 ,15:55:44, 187, 10285 

RN-398 (CM-10379)
While upgrading Cumulus RMP, a prompt to configure grub-pc appears

While upgrading to the latest version of Cumulus RMP from version 2.5.5 or earlier, a prompt appears, asking you to choose onto which partitions to install the GRUB boot loader. 

... 

  1. /dev/mmcblk0 (3783 MB; ???)       3. /dev/dm-2 (1610 MB; CUMULUS-SYSROOT1)
  2. - /dev/mmcblk0p3 (268 MB; /boot)  4. none of the above

(Enter the items you want to select, separated by spaces.)

GRUB install devices:

...

This prompt should not appear, and the issue will be fixed in a future release.

In the meantime, to work around this issue, choose option 1, /dev/mmcblk0 and continue the upgrade.


RN-597 (CM-15705)
sFlow doesn't generate flow samples to sflowd on Tomahawk-based switches

At this time, sFlow is not supported on switches with Tomahawk ASICs. This is a known issue.

RN-599 (CM-15949)
DHCRELAY automatically binds to eth0 when not specified in the configuration

dhcrelay listens on all interfaces that have an IP address, even if it is not configured to listen on that interface. This causes dhcrelay to bind to unspecified ports.

This behavior is expected, due to upstream configuration. The packet is dropped later in the process, as it is not coming from a configured port.


RN-602 (CM-)
sFlow ifSpeed incorrect in counter samples

Counter samples for an 80G bond (2 x 40G) exported from the switch show an interface speed (ifSpeed) of 14.464Gbps.

This issue is currently being investigated.


RN-605 (CM-15515)
Unable to change the bond-modes using ifup or ifreload

When the bond mode is changed from 802.3ad to balance-xor or vice versa using ifup bondx or ifreload -a, the bond-mode does not change, and the following error is produced:
2017-03-23 21:39:37,495:  DEBUG:      autolib.netobjects: [cumulus@127.0.0.1:1042] sudo: ('ifup bond1',)
2017-03-23 21:39:37,926:  DEBUG:      autolib.netobjects: warning: error writing to file /sys/class/net/bond1/bonding/mode([Errno 39] Directory not empty)

This issue is being addressed in a later release.
