Cisco Metacloud February 2018 Update (Metacloud version 4.7)

This 4.7 release of Cisco Metacloud contains critical security updates to address recently announced security vulnerabilities, a few enhancements and bug fixes.

Feature Updates

Tuning the Nova image cache is now supported.

For customers who have lots of images that are only used for a short period of time changing the nova image cache settings can help with managing local disk storage allocations on hypervisors. Metacloud defaults are generally set to handle most use cases but if you have this use case you can work with Metacloud Support to request a change to these settings. This only applies if your instances are backed by ephemeral disk on the hypervisors.

New VM container info in instance metadata.

As part of our work to address the security updates below we added a feature that inserts the running version of the virtual machine container (i.e. QEMU) to the instance metadata. This allows users to see if the container that the VM is running is the latest version or not. This is important in determining which instances might need to be rebooted in order to pick up critical updates. Users can see the metadata in the dashboard by going to the instanaces section and clicking on a instance. On the Overview tab you can find the Metadata section towards the bottom of the page.

instance container metadata

This information can also be found via a “show instance” nova api call under the “metadata” property.

$ nova show 946cb5e8-9386-4aa6-a985-52ebd7986f2e

| Property                             | Value                                                       |
| metadata                             | {"latest_hv_ver": "2009000", "domain_hv_ver": "2009000"}    |

The metadata will contain two keys, “latest_hv_ver” and “domain_hv_ver”. The “latest_hv_ver” key shows the latest version that is available on the hypervisor and “domain_hv_ver” shows the version that the instance is currently running.

The current latest version shipped with the 4.7.0 release is “2009000”. If the two keys do no match a hard reboot of the instance is recommend to ensure that your instance is running on the latest container.

Note: This metadata is populated every 2 hours. If an instance does not contain this metadata it is reasonable to assume it was recently launched. Please wait the alloted time before reporting any issues with missing metadata data.

Support for remote ID security groups with VPP

VPP now supports creating security groups that can reference another security group when creating a ruleset.

remote secuity groups

Security Updates

Meltdown & Spectre Varient 1

This release includes updates for the security vulnerabilities known as Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753). The fixes for these security issues require updates to many critical components of the operating sytem and core virtualization software, including the kernal, QEMU and KVM.

In order to address these security issues all Meacloud Controllers and Hypervisors will need to be rebooted. However, to fully secure instances customers must apply the appropriate guest operating system patches for the vulnerabilties themselves. Please follow the instructions from your operating system vendor on how to patch your virtual machines.

It is important to note that these fixes may have an impact on performance and resource utilization. The impact is variable depending on the type of workload customers are running. More information on the possible impact can be found in this Red Hat article.

More information on Meltdown and Spectre security issues can be found here.

New Metacloud Default Images

Due to the security issue above, this release also includes a new set of Metacloud default images for customers to use. The following are the list of new base images:

  • Cirros
  • Ubuntu 14.04
  • Ubuntu 16.04
  • Centos 6.x (latest)
  • Centos 7.x (latest)

Each image will be provided in raw format. Please note that we are no longer shipping an Ubuntu 12.04 image since it is end-of-availability.

Previous Metacloud supplied default images can no longer be considered secure and we recommend they be removed once no instances are actively using them.

Other security updates

  • Fix for CVE-2018-0489. This CVE only impacts customers who have SAML authentication enabled.

Bug Fixes

The following bug fixes have been applied in the 4.7 release:

  • Fix for an issue with how IPTables rules were applied after an hypervisor reboot for VPP enbaled availability zones.
  • Fix for backend monitoring to detect the above IPTables condition.
  • Fix for enabling and disabling database dumps on Metacloud Controllers.

Known Issues

  • This release doesn’t specifically address some of the current issues with VPP stabilty. We will continue to work with our VPP customers directly on these issues.
  • This release doesn’t specifcally address Spectre Varient 2. As part of our Spectre Varient 1 work we have layed the groundwork to address it, however we are waiting for server vendors to release firmware updates to address the issue. We are tracking this closely and will provide additional updates as they become available. Information on Cisco UCS firmware updates can be found here.

Supported API Versions

Service API Version
Compute v2.1
Image v2
CloudFormation v1
Volume v2
Orchestration v1
Identity v3
Networking v2
Block Storage v1

Supported OpenStack Projects and Versions

Project Version
Nova Liberty
Cinder Liberty
Keystone Liberty
Glance Liberty
Heat Liberty
Horizon Liberty
Neutron Liberty

Supported Image Types

Image Storage Location Local Storage NFS-backed Storage Ceph-backed Storage
AMI (AWS) x x x
ISO9660 x x x
QCOW2 (KVM, Xen) x x N/A
RAW x x x
VDI (VirtualBox) x x N/A
VHD (Hyper-V) x x N/A
VDMK (VMWare) x x N/A