Cisco Metacloud September 2018 Update (Metacloud v4.9)

This 4.9 release of Cisco Metacloud contains security and security-related updates as well as an update for VPP 17.07.

Security Updates

CPU Side Channel Vulnerability Updates (aka Spectre)

Since the original Spectre class of vulnerabilities was released, a number of related vulnerabilities have followed that are now being classified as “CPU Side Channel” vulnerabilities. This release continues our previous security work by addressing the following related issues:

The fixes for these issues require a new operating system kernel, CPU microcode, libvirt and QEMU. All Metacloud Controllers and Hypervisors will need to be rebooted after patches are applied.

To fully secure virtual machine instances, customers must first apply the relevant patches for the instance’s operating system and must hard reboot all virtual machines after the upgrade to the 4.9 release. Please refer to your operating system supplier for information on which patches must be applied to address the CVEs referenced above.
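One way to confirm, from inside a Linux guest, that the guest patches and the hard reboot took effect is to read the kernel's own mitigation report. This is an added example, not Cisco's tooling; it assumes a Linux guest whose kernel exposes the standard sysfs status directory, and the function names `classify_status` and `audit_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: audit the guest kernel's reported CPU side-channel status.
# Linux exposes one file per issue under this sysfs directory; each holds
# "Not affected", "Mitigation: ...", or "Vulnerable...".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<file contents>" -> prints OK, PARTIAL, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        # A mitigation line can still flag a residual exposure,
        # e.g. "...; SMT vulnerable". Report that separately.
        "Mitigation:"*[Vv]ulnerable*)   echo PARTIAL ;;
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# audit_dir [dir] -> prints "<issue> <verdict> <raw status>" for each file.
# Returns 0 if every entry is OK, 1 if any entry is not OK,
# 2 if the directory is missing (kernel too old to report; treat as unpatched).
audit_dir() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates status reporting" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        [ "$verdict" = OK ] || rc=1
        printf '%s %s %s\n' "$(basename "$f")" "$verdict" "$status"
    done
    return $rc
}
```

Source the file in the guest and run `audit_dir` once after patching and again after the hard reboot. An entry that is still `VULNERABLE` after the reboot usually means the guest kernel update is missing or the instance was only soft rebooted.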

Other Notable Security Updates

Other Updates

New cloud build images

As a result of all the security updates, this release includes a new set of default images to be used as base images for customer deployments. Previous versions of Metacloud base images should now be considered insecure. The new versions of the base images can be found in your image repository (i.e. Glance) as follows:

  • CentOS-6-x86_64-GenericCloud-1805.raw
  • CentOS-7-x86_64-GenericCloud-1805.raw
  • bionic-server-cloudimg-amd64-20180820.raw
  • cirros-0.4.0-x86_64-disk-20180820.raw
  • trusty-server-cloudimg-amd64-disk1-20180820.raw
  • xenial-server-cloudimg-amd64-disk1-20180820.raw

Fix for vpp-agent restarts

Upon releasing VPP 17.07 we ran into some problems with vpp-agent when virtual machines were deleted from the network. If the virtual machine deleted happened to be the last one on the network segment it was assigned to, vpp-agent would restart itself but would hang on restart. The fix in this release addresses this issue.

Please note that this fix has also been backported to Metacloud 4.8.

Prerequisites

  • Customers running the Metacloud Storage Service (Ceph) must first upgrade to Metacloud 4.8 and the latest Metacloud Storage release before being eligible to upgrade to Metacloud 4.9.

Known Issues

  • The Pure Storage cinder driver has not been certified for the 4.9 release.

Supported API Versions

Service           API Version
Compute           v2.1
Image             v2
CloudFormation    v1
Volume            v2
Orchestration     v1
Identity          v3
Networking        v2
Block Storage     v1

Supported OpenStack Projects and Versions

Project     Version
Nova        Liberty
Cinder      Liberty
Keystone    Liberty
Glance      Liberty
Heat        Liberty
Horizon     Liberty
Neutron     Liberty

Supported Image Types

                     Storage Location
Image                Local Storage    NFS-backed Storage    Ceph-backed Storage
AMI (AWS)            x                x                     x
ISO9660              x                x                     x
QCOW2 (KVM, Xen)     x                x                     N/A
RAW                  x                x                     x
VDI (VirtualBox)     x                x                     N/A
VHD (Hyper-V)        x                x                     N/A
VMDK (VMware)        x                x                     N/A