Docker 1.12.1 Occasionally Hangs Issue 828 Docker/for-mac
    ERROR: 'name'
    Traceback (most recent call last):
      File '/usr/lib/python2.7/dist-packages/nclu/__init__.py', line 789, in getlldp
        lldpvalue['name'] = value['chassis'][0]['name'][0]['value']
    KeyError: 'name'

This issue is fixed in Cumulus Linux 3.6.1.

RN-876 (CM-20776) EVPN symmetric IRB with numbered neighbors omits the NEXTHOP attribute when advertising to an external router

With EVPN symmetric routing (including type-5 routes) you can only advertise host routes or prefix routes learned through EVPN to a VRF peer if EVPN peering uses BGP unnumbered. If the BGP peering is numbered, the NEXTHOP of MPREACH attribute is not included, which causes the neighbor to reply with a BGP notification. This issue is fixed in Cumulus Linux 3.6.1.

RN-887 (CM-20474) VXLAN Encapsulation drops ARP QinQ tunneled packets

When an ARP request or response (or IPv6 NS/NA) packet with double VLAN tags (such as 802.1Q over 802.1Q) is sent to a VXLAN overlay, the outer VLAN tag is stripped during VXLAN encapsulation. If the receiving VTEP is a Broadcom Trident II+ platform, the post VXLAN decapsulated packet is incorrectly directed to the control plane. As the packet traverses the Linux kernel VXLAN interface into the VLAN-aware bridge device, the exposed inner VLAN tag is incorrectly used for VLAN filtering against the outer VLAN set, causing the packet to be discarded.
This issue is fixed in Cumulus Linux 3.6.1.

RN-890 (CM-20415) On Maverick QCT LY7, Tomahawk+ AS7312 and DNI AG5648 switches, sysfs tree differences cause portwd startup failure

Inserting a 1000BASE-T RJ-45 SFP adapter into a Maverick QCT LY7, Tomahawk+ AS7312 or DNI AG5648 switch causes portwd to fail to start, resulting in the switch being unusable. To work around this issue, do not use 1000BASE-T RJ-45 modules on the impacted switches. This issue is fixed in Cumulus Linux 3.6.1.
RN-897 (CM-20086) FRR doesn't support hostnames starting with a digit

NCLU reports an error attempting to configure FRR when the configured hostname begins with a digit.

    Unknown: buffer_flush_available: write error on fd -1: Bad file descriptor

To work around this issue, change the hostname of the switch to begin with an alphabetic character, not a digit. This issue is fixed in Cumulus Linux 3.6.1.

RN-904 (CM-20800) NCLU net add and net del commands missing for EVPN type-5 default originate

The NCLU net add and net del commands are missing for the default originate EVPN type-five route feature. This issue is fixed in Cumulus Linux 3.6.1.

RN-907 (CM-20829) netd fails on start after apt upgrade to 3.6.0 with 'ImportError: No module named time'

When you use the apt-get upgrade command to upgrade to Cumulus Linux 3.6.0 and you select to keep the currently-installed version of netd.conf (by typing N at the prompt), netd fails to start after reboot and you see errors in the logs when you try to restart netd.
This issue is fixed in Cumulus Linux 3.6.1.

RN-933 (CM-20781) NCLU 'net add bgp neighbor' command with swp1, swp2, or swp1-2 causes TB NameError

Issuing the net add bgp neighbor command with swp1, swp2 or swp1-2 causes the following error:

    TB NameError: global name 'ifnameexpandglob' is not defined.

This issue is fixed in Cumulus Linux 3.6.1.

RN-935 (CM-20772) ACL rule unable to match interface eth0 when belonging to VRF

ACL rules do not block incoming packets when interface eth0 belongs to a VRF. This issue is fixed in Cumulus Linux 3.6.1.

RN-936 (CM-20418) ACL to only allow ARP prevents ARP on SVIs

ACL rules that only allow ARP packets prevent ARP packets from reaching SVIs.
This issue is fixed in Cumulus Linux 3.6.1.

RN-937 (CM-19301) Increase maximum sflow sampling ratio

The maximum sflow sampling ratio is too low and might overload the switch CPU. This is fixed in Cumulus Linux 3.6.1. The ratio is increased to 1:100000 in hsflowd.

RN-944 (CM-20841) netd fails to start for apt-upgrade from 3.3.2 to 3.6.0

When upgrading from Cumulus Linux 3.3.2 to 3.6.0 using the netd.conf file from version 3.3.2, netd fails to start and displays the error ImportError: No module named frr-reload.
This issue is fixed in Cumulus Linux 3.6.1.

RN-945 (CM-20311) Security: DSA-4157-1 for openssl issues CVE-2017-3738 CVE-2018-0739

The following CVEs were announced in Debian Security Advisory DSA-4157-1, and affect the openssl package. This issue is fixed in Cumulus Linux 3.6.1.

Debian Security Advisory DSA-4157-1
security@debian.org
Salvatore Bonaccorso
March 29, 2018

Package: openssl
CVE ID: CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.
The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3738
David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli.

CVE-2018-0739
It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service.

Details can be found in the upstream advisory:

For the oldstable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in version 1.1.0f-3+deb9u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at:

RN-946 (CM-20603) Security: DSA-4172-1 for perl issues CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

The following CVEs were announced in Debian Security Advisory DSA-4172-1 and affect the perl package.
This issue is fixed in Cumulus Linux 3.6.1.

Debian Security Advisory DSA-4172-1
security@debian.org
Salvatore Bonaccorso
April 14, 2018

Package: perl
CVE ID: CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-6797
Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with control over the bytes written.

CVE-2018-6798
Nguyen Duc Manh reported that matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure.
CVE-2018-6913
GwanYeong Kim reported that 'pack' could cause a heap buffer write overflow with a large item count.

For the oldstable distribution (jessie), these problems have been fixed in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update contains only a fix for CVE-2018-6913.

For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u3.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security tracker page at:

RN-949 (CM-21038) VRF stops working when /etc/resolv.conf does not exist

When upgrading to Cumulus Linux 3.6.0, if the /etc/resolv.conf file does not exist and eth0 is configured with a static IP address, the switch fails to start VRFs after reboot.
This issue is fixed in Cumulus Linux 3.6.1.

RN-958 (CM-21095) NCLU 'net add bgp neighbor ' command does not create or enable the interface if it is not previously defined

When you run the net add bgp neighbor command, the interface is only added if previously defined. This issue is fixed in Cumulus Linux 3.6.1.

RN-962 (CM-21026) DHCP request packets in VXLAN decapsulation do not go to CPU

On Broadcom platforms configured with a VXLAN centralized routing gateway, DHCP discover packets are not correctly processed for DHCP relay. This issue is fixed in Cumulus Linux 3.6.1.

New Known Issues in Cumulus Linux 3.6.1

The following issues are new to Cumulus Linux and affect the current release.

RN-875 (CM-20779) On Mellanox switches, withdrawal of one ECMP next-hop results in the neighbor entry for that next hop to be missing from hardware

On a Mellanox switch, when you withdraw one ECMP next hop, the neighbor entry for that next hop is missing from the hardware.
To work around this issue, manually delete the ARP entry from the kernel with the arp -d command to repopulate it in the hardware. This issue should be fixed in an upcoming release of Cumulus Linux.

RN-938 (CM-20979) Removing a VLAN from a bridge configured with VXLAN results in an outage

Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command. To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge. This issue is being investigated at this time.
RN-939 (CM-20944) On Maverick switches, random links might not come up on boot when enabling RS FEC with 100G AOC cables

On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot. To work around this issue, disable FEC on 100G AOC links. This issue is being investigated at this time.

RN-940 (CM-20813) On Mellanox switches, packets are not mirrored on matching '-out-interface bond0' SPAN rules

SPAN rules that match the out-interface as a bond do not mirror packets. This is a regression of an earlier issue and is being investigated at this time.

RN-941 (CM-20806) When configuring layer 2 VPN EVPN in vtysh, if the route-target matches the VNI and AS number, the configuration does not display the route target

When configuring layer 2 VPN EVPN in vtysh, if a route-target matches both the AS number and the VNI number, the route target does not display in the configuration. This is currently the default behavior.
This issue is being investigated at this time.

RN-942 (CM-20693) In NCLU, you can only set the community number in a route map

In NCLU, you can only set the community number in a route map. You cannot set other community options such as no-export, no-advertise, or additive. This issue is being investigated at this time.
RN-943 (CM-20639) The neighbor table and EVPN routes are not updated on receiving GARP from an IP address that moved to a new MAC address

After moving an IP address to a new host, the neighbor table and EVPN routes do not update properly after receiving a GARP from the new MAC address to which the previously-active IP address has been moved. This issue is being investigated at this time.
RN-947 (CM-20992) RS FEC configuration cleared and not re-installed on switchd restart, leaving links down

During switchd restart, the RS FEC configuration is not re-installed to the interfaces to which it was previously applied. This issue is being investigated at this time.

RN-948 (CM-17494) The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet

In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry.
Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See for more information.

RN-951 (CM-21048) NCLU command fails to delete the VRF static route

The NCLU command net del routing route does not delete a static route within a VRF.
To work around this issue, delete the VRF static route using vtysh, either directly in configuration mode or with vtysh -c. This issue is being investigated at this time.
RN-952 (CM-21090) NCLU 'net show bridge macs' command improperly displays the 'never' keyword

When you use the net show bridge macs command and a MAC address has just been updated, the never keyword improperly displays in the command output. This issue is being investigated at this time.

RN-953 (CM-21082) Virtual device counters not working as expected

Virtual device counters are not working as expected.
The TX counter increments but the RX counter does not. This issue is being investigated at this time.

RN-954 (CM-21062) Redundant NCLU commands to configure the DHCP relay exits with return code 1

When using the NCLU command to add a redundant DHCP relay, the command exits with an error instead of displaying a message that the DHCP relay server configuration already contains the IP address. This issue is being investigated at this time.

RN-955 (CM-21060) NCLU 'net show configuration' output is out of order

When you run the net show configuration command after upgrading to Cumulus Linux 3.6, the interfaces display out of order in the command output. This issue is being investigated at this time.

RN-956 (CM-21055) On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros

On Mellanox switches, the destination MAC of ERSPAN GRE packets is set to all zeros; therefore, the packets are dropped by the first transient switch.
This issue is being investigated at this time.

RN-959 (CM-21167) BGP aggregate created but left inactive in the routing table

If you use BGP to generate an aggregate, the aggregate shows up in the BGP table but is listed in zebra as inactive. This issue is being investigated at this time.

RN-960 (CM-21154) Deleting an interface with the NCLU command does not remove the interface in frr.conf

When you use NCLU to delete an interface, the associated configuration is not removed from the frr.conf file.
This issue is being investigated at this time.

RN-963 (CM-21362) Bringing down a bridge member interface sets the interface MTU to 1500 and the bridge MTU to 1500

When you bring down an interface for a bridge member, the MTU for the interface and the MTU for the bridge are both set to 1500.
To work around this issue, run ifdown on the interface, then run the sudo ip link set dev mtu command. For example:

    sudo ifdown swp3
    sudo ip link set dev swp3 mtu 9192

As an alternative, in the /etc/network/interfaces file, add a post-down command to reset the MTU of the interface. For example:

    auto swp3
    iface swp3
        alias BNBYLAB-PD01HV-01Port3
        bridge-vids 106 109 119 141 150-151
        mtu 9192
        post-down /sbin/ip link set dev swp3 mtu 9192

RN-964 (CM-21319) When upgrading to Cumulus Linux 3.6, static routes in the default VRF are associated with other VRFs

When you upgrade to Cumulus Linux 3.6.x, static routes configured in the frr.conf file become associated with the VRF configured above them. This issue is currently being investigated.

RN-965 (CM-21313, CM-15657) Errors occur if comma-separated globs exist in the /etc/network/interfaces file

If you edit the /etc/network/interfaces file manually and add bridge VIDs to an interface using the NCLU syntax (comma separated globs), you see an error similar to the following:

    ERROR: numberstoglob could not extract any IDs from '1,4,1000,1002,1006'

To work around this issue, separate globs with spaces when manually editing the /etc/network/interfaces file. This issue is currently being investigated.

RN-966 (CM-21297) TACACS authenticated users in 'netshow' or 'netedit' groups cannot issue 'net' commands after upgrade to Cumulus Linux 3.6

When upgrading from a previous release to Cumulus Linux 3.6, TACACS-authenticated users mapped to tacacs0 through tacacs15 users with the netshow or netedit user groups cannot run net commands and they see the following error:

    ERROR: You do not have permission to execute that command

This behavior is seen when upgrading with simple authentication only and occurs without a restricted shell for command authorization being enabled.
This problem is not present on a binary install of 3.6.0 or 3.6.1 and only happens when upgrading from previous releases. To work around this issue, edit the /etc/netd.conf file, add the tacacs user group to the groups_with_show list, and add the tacacs15 user to the users_with_edit list as below:

    # Control which users/groups are allowed to run 'add', 'del',
    # 'clear', 'abort', and 'commit' commands.
    users_with_edit = root, cumulus, vagrant, tacacs15
    groups_with_edit = netedit

    # Control which users/groups are allowed to run 'show' commands.
    users_with_show = root, cumulus, vagrant
    groups_with_show = netshow, netedit, tacacs

After making this change, restart netd with the sudo systemctl restart netd command.

RN-969 (CM-21278) NCLU 'net show lldp' output has PortDescr as Remote Port

When you run the net show lldp command, the command output incorrectly displays the remote port as the port description. To work around this issue, run the net show interface command when connected to Cisco equipment.
This issue is currently being investigated.

RN-970 (CM-21203) VXLAN and tcamresourceprofile set to acl-heavy, causes the switch to crash

Changing tcamresourceprofile to acl-heavy on a switch with VXLAN enabled and attempting to apply the configuration with a switchd restart causes switchd to fail to restart, netd to crash, the switch to become temporarily unresponsive, and a cl-support to be generated. To work around this issue, remove the acl-heavy profile or the VXLAN configuration. This issue is currently being investigated.

RN-971 (CM-20501) cl-ecmpcalc is not supported on Maverick (Broadcom 5676x) ASICs

The cl-ecmpcalc tool is not supported on platforms based on ASICs in the Broadcom 5676x (Maverick) family.
This issue should be fixed in an upcoming release of Cumulus Linux.

Issues Fixed in Cumulus Linux 3.6.0

The following is a list of issues fixed in Cumulus Linux 3.6.0 from earlier versions of Cumulus Linux.

RN-406 (CM-9895) Mellanox SN2700 power off issues

The Mellanox SN2700 or SN2700B switch appears to be unresponsive for at least three minutes after a PDU power cycle is issued, if any of the following occur:

- A shutdown or poweroff command is executed.
- A temperature sensor hits a critical value and shuts down the box.

To fix this, update the system CPLD to version CPLD000085. Contact Mellanox support for assistance.

RN-545 (CM-13800) OSPFv3 redistribute connected with route-map broken at reboot (or ospf6d start)

This issue only affects OSPFv3 (IPv6). This issue is fixed in Cumulus Linux 3.6.0.

RN-608 (CM-16145) Buffer monitoring default port group discardspg only accepts packet collection type

The default port group discardspg does not accept packetextended or packetall collection types. This issue is fixed in Cumulus Linux 3.6.0.
RN-704 (CM-18886, CM-20027) ifreload causes MTU to drop on bridge SVIs

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU resets to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a for the second time. This issue is fixed in Cumulus Linux 3.6.0.

RN-738 (CM-18709) On Dell S4148 T-ON switches with Maverick ASICs, configuring 1G or 100M speeds on 10G fixed copper ports requires a ports.conf workaround

1G and 100M speeds on SFP ports are not working on the Dell S4148 T-ON.
To enable a speed lower than 10G on a port on the S4148T platform, you must dedicate an entire port group (four interfaces) to a lower speed setting. Within a port group, you can mix 1G and 100M speeds, if needed. You cannot mix 10G and lower speeds. To work around this issue:

1. In the /etc/cumulus/ports.conf file, add each of the four ports in the port group as 1G interfaces. You must set each of the ports in the port group to be 1G. Port groups are swp1-4, swp5-8, swp9-12, and so on, and starting with swp31-35 on the right half of the switch. For example, to enable ports swp5-swp8 to autonegotiate to 100M or 1G speeds, add the following to the ports.conf file:

    5=1G
    6=1G
    7=1G
    8=1G

2. Restart switchd:

    cumulus@switch:$ sudo systemctl reset-failed switchd; sudo systemctl restart switchd

After this is done, ports swp5-8 will be enabled to autonegotiate with the neighbor devices to 1G or 100M speeds. As of 3.5.1, 1G interfaces are supported when using the ports.conf file workaround as described above. As of 3.6.0, editing the ports.conf file is no longer required.

RN-743 (CM-18612) Routes learned through BGP unnumbered become unusable

In certain scenarios, the routes learned through BGP unnumbered become unusable.
The BGP neighbor relationships remain but the routes cannot be forwarded due to a failure in layer 2 and layer 3 next hop/MAC address resolution. To work around this issue, restart FRR. This issue is fixed in Cumulus Linux 3.6.0.