Cisco Metacloud May 2018 Update (Metacloud v4.8)

This 4.8 release of Cisco Metacloud contains critical security updates for Spectre v2, an upgrade of Vector Packet Processing (VPP) vSwitch software, customer facing bug fixes, and a lot of behind the scenes improvements.

Enhancements & Updates

New version of VPP supported

Metacloud now supports VPP version 17.07. This version includes a significant number of fixes including addressing a number of existing bugs, stability problems, and performance issues. All existing supported functionality is included, including the reliable use of security-groups.

This release also lays the groundwork for being able to support VPP multithreading, allowing packet processing to be spread out over one or more worker threads, but at this time it should be considered a beta feature that is not fully supported.

Please note, that this version upgrade is not intended to be a new feature release so all new features included in the upstream VPP 17.07 version are not supported. However, if interested, release details for the upstream VPP 17.07 release can be found here.

Security Updates

Spectre v2

Building on top of our Meltdown and Spectre v1 fixes released in Metacloud 4.7, this release includes the updates required to address Spectre v2 (CVE-2017-5715). The fixes for addressing Spectre v2 will require a new operating system kernel, and all Metacloud Controllers and Hypervisors will need to be rebooted after patches are applied. There are multiple approaches on how these updates will need to be applied. Please see the “Known Issues” section below get a better understanding of what you can expect when upgrading to this version.

For customers to fully secure their instances they must hard reboot all virtual machines after the infrastructure maintenance is completed.

Instance security considerations for Spectre v2

Customers running CentOS, RHEL or Ubuntu linux instances can verify the update by looking for a CPU model name of Intel Core Processor (Haswell, no TSX, IBRS) and by a specific set CPU flags either: spec_ctrl & ibpb_support or spec_ctrl & retpoline. Only instances running with both of these should be considered fully patched for the Spectre v2 vulnerability. Customers can typically find this information on linux based virtual machines in /proc/cpuinfo. For more information on how to do this please see our “How to verify instances for Spectre v2” knowledge base article.

Customers running Microsoft Windows Server can refer to the following Microsoft support article for help: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.

An alternative way to determine whether your virtual machine is secure is to use a 3rd party tool like https://github.com/speed47/spectre-meltdown-checker. Please note that use of such openly available tools is at done at customer discretion and risk.  Cisco does not own or support these tools. 

Please refer to your virtual machine operating system vendor documentation for additional details if needed.

Performance considerations for Spectre v2

It is important to note that this new kernel, that uses either “Retpoline” optimizations for CPU processors earlier than Intel SkyLake or “IBRS” optimizations for CPU processors running Intel SkyLake or later, may have an impact on performance and resource utilization. The impact is variable depending on the type of workload customers are running. More information on possible impacts can be found in this Red Hat article.

General information and updates on Meltdown and Spectre security issues can be found here.

Bug Fixes

The following bug fixes have been applied in the 4.8 release:

  • Fixed an issue with monitoring VPP to better detect and restart networking under certain failure conditions.
  • Fixed an issue when running in a VPP networking configuration to allow virtual machine creation on a network that has port security disabled. With this fix, you can now disable port security on a network when utilizing VPP.
  • Fixed an issue with LLDP configuration settings that were causing NICs to go offline. LLDP is now disabled by default.
  • Fixed an issue that would cause an OpenStack API error similar to ERROR: pulbicURL endpoint for volume service not found' when running cinder commands using an openrc file downloaded from the dashboard. Customers should download a new openrc file to ensure they do not get this error.

Known Issues

  • Due to changes in the way the Spectre v2 was fixed upstream only some servers will be able to be fully patched without the need of a server firmware update. If you are running a server that does not need a firmware update your server will be fully secured once upgraded to this release. If you are running a server that does need firmware your server will only be fully secured once the new firmware is applied. Metacloud support will coordinate with customers on which servers are covered and which will need firmware updates.

Supported API Versions

Service API Version
Compute v2.1
Image v2
CloudFormation v1
Volume v2
Orchestration v1
Identity v3
Networking v2
Block Storage v1

Supported OpenStack Projects and Versions

Project Version
Nova Liberty
Cinder Liberty
Keystone Liberty
Glance Liberty
Heat Liberty
Horizon Liberty
Neutron Liberty

Supported Image Types

Image Storage Location Local Storage NFS-backed Storage Ceph-backed Storage
AMI (AWS) x x x
ISO9660 x x x
QCOW2 (KVM, Xen) x x N/A
RAW x x x
VDI (VirtualBox) x x N/A
VHD (Hyper-V) x x N/A
VDMK (VMWare) x x N/A