Releases: opensecuritycontroller/osc-core
v0.8.0
What's New in OSC 0.8
Ocata Support
- Added support for OpenStack Ocata. OSC continues to support OpenStack Newton and later releases.
- Dropped support for the deprecated Keystone v2.0 APIs. Moving forward, OSC 0.8 supports only Keystone v3.
- Renamed tenant -> project and added support for specifying Domain as part of the Virtualization Connector.
Kubernetes (K8s) Support - Beta
- Integrate with K8s platform (v1.8 or later).
- Supports discovering and grouping workloads running on the K8s platform under OSC Security Groups using K8s labels.
- Supports deploying security containers on K8s using Deployment Specification.
- Supports Steering workload traffic to security containers for inspection.
Limitations
- No notification support. Sync jobs must be run manually on Deployment Specifications and Security Groups after any change in the K8s environment (for example, a workload being created or deleted).
- Limited UI support. Full functionality is exposed via the API.
Neutron Service Function Chaining - Beta
- Supports the Neutron Service Function Chaining (SFC) API.
- Supports create, update, delete of SFC.
- Supports binding and unbinding of SFC to security groups.
Limitations
- Deleting Distributed Appliances and Deployment Specifications is not allowed while they are attached to an SFC that is in use.
- Updating and deleting an SFC is not allowed while the SFC is in use, i.e. while the SFC is bound to a Security Group.
- Limited UI support. Full functionality is exposed via the API.
Expose IP/Mac of Security Group Members
- Support exposing IP/Mac information of workloads within a security group
Multi-policy Support
- Supports binding of multiple policies to the workload based on IP/MAC information for the supporting security manager.
Limitations
- Binding with multiple policies is supported via the API only. However, a binding with a single policy can still be created, and a binding with single or multiple policies can still be deleted, through the UI.
Open Source Automation
- Our automation scripts will be shared at - https://github.com/opensecuritycontroller/osc-tests/
- The scripts have robot files which run automated tests.
Updated logging framework to SLF4J
- OSC 0.8 uses the SLF4J framework for logging
Fixed Issues
- Deleting and Creating a Deployment Spec (DS) using Distributed Appliance (DA) with a Cirros image, may create 2 images. #436
- Creating a Deployment Specification (DS) with the same name, after a delete, fails if a flavor, image, or OpenStack Security Group with the same DS instance name already exists #435
- ISM status is always displayed as INSTALL-WAIT on the Plugins page #106
- User can install Manager plugins from the SDN plugin pane, and they show up in Manager plugins with State: INSTALL-WAIT. (Plugin upload is now unified for both SDN Controller plugins and Security Manager plugins.) #371
Known Issues
- When SFC is added with no virtual systems, binding SFC to a security group should fail at validation #596
- Error - 'Failed to connect to Rabbit MQ server' should be exposed to the user #590
- Error message to be more appropriate when deleting a DA without deleting the SFC #543
- Trustmanager initialization exceptions are logged and not propagated #522
- Sync DS job (through API) "succeeds" even if the host name is incorrect or does not exist #511
- Adding VC with invalid credentials/ip does not provide warning #454
- 'Port could not be found' error when editing the DA with a different Service Function Definition - DS is created with a floating IP and SG is bound to the DA #444
- Nuage: Get an error 'NoSuchElementException' when deleting a bound Security Group #428
- SDN Controller Plugin reload issue #383
- Remove job for Virtualization connector #281
- SG (VM) Sync not working appropriately (passes when it should have failed) after deleting the Inspection interface from the router on OpenStack #416
Release 0.6.0
Known Issues
Issue:
Job Graph is not displayed well if the special characters "{" and "}" are used in the Manager Connector Name
Work around:
Do not use the special characters "{" and "}" in the Manager Connector Name
Issue:
Deleting and Creating a Deployment Spec (DS) using Distributed Appliance (DA) with a Cirros image, may create 2 images.
Environment: Newton OpenStack
Work around:
Delete the DA and then re-create the DA and DS.
Add the image properties on the new image for accessing Console of Cirros.
openstack image set --property hw_vif_model=virtio --property hw_disk_bus=ide (image-name or id)
Issue:
Creating a Deployment Specification (DS) with the same name, after a delete, fails if a flavor, image, or OpenStack Security Group with the same DS instance name already exists
Environment: Newton OpenStack
Work around:
Delete the image, OpenStack Security Group (SG) and flavor from Newton OpenStack. Then you will be able to create the new DS
OR
Delete the Distributed Appliance (DA) and re-create the DA. Deleting the DA deletes the image, OpenStack SG, and the flavor. Now creating the DS will succeed.
Issue:
Nuage: Creating a Security Group (SG) with no Virtual Machines (VMs) as SG members throws an error - 'A domain was not found for tenant and Security Group'. The empty Security Group cannot be deleted.
Work around:
Force Delete the Security Group. Create another SG with at least one VM as a Security Group Member.
Issue:
Nuage: Deleting a bound Security Group (SG) throws an error 'NoSuchElementException'
Work around:
Force delete the bound SG and also clean up the objects on the Nuage GUI (un-assign and delete the corresponding Policy Groups)
Issue:
Currently we do not identify the best Distributed Appliance Instance (DAI) to remove (i.e. the defective one or the least loaded one) when the Deployment Specification (DS) count is reduced.
Detailed explanation:
Create a DS with Deployment Count 2. If you don't have enough resources in your OpenStack environment, the result may be one working appliance and one non-working appliance (because the VM instance cannot start).
In such a case, adjusting the Deployment Count to 1 does not guarantee that the non-working appliance will be deleted. Hence in some cases the working appliance will be deleted and the non-working appliance will stay.
Work around:
Delete the DS and create a new DS with Deployment Count 1
Issue:
ISM - status is always displayed as INSTALL_WAIT on the Plugins page.
Note - No functionality impacted by this failure.
Issue:
Security Group (SG) Bind - SG (VM) Sync not working appropriately (passes when it should have failed) after deleting the Inspection interface from the router on OpenStack
Work around:
Unbind the SG, Bind again. Now the Job will FAIL as expected
Issue:
Security Group (SG) Bind - SG Sync for 'Network' not working appropriately (passes when it should have failed) after deleting the Inspection interface from the router on OpenStack
Work around:
Unbind the SG, Bind again. Now the Job will FAIL as expected
Issue:
The 'status' field on 'Appliance Instance Status' page is not visible completely and needs to be scrolled to see the whole wording - The security manager for this appliance instance does not provide appliance status.
Issue:
For an ISM Distributed Appliance Instance (DAI), the Discovered and Inspection Ready fields blank out periodically. They reappear on refresh after clicking on 'Appliance Instances' and disappear again after some time
Work around:
Click on Appliance Instance Status button, where it will have values N/A or hard-coded values ‘true’ for Discovered and Inspection Ready fields. Then refresh the DAI page. The correct values will appear now.
NOTE – No functionality impacted
Issue:
Appliance Instance Status not populated with accurate values for certain fields like - Manager IP, DPA PID, DPA Info. Some fields are blank whereas others display ‘null’.
Note – No functionality impacted.
Issue:
OSC Plugins page does not automatically refresh when a plugin is added or deleted.
Note – No functionality impacted
Work around:
Refresh the web page of OSC plugins - and you will be able to see the current plugins.
Issue:
CentOS OSC may display an inaccurate VMware version with the CLI command - show vmware.
Note – No functionality impacted
Issue:
Traffic Policy Mappings display N/A for Failure Policy instead of FAIL_CLOSE.
Note - No functionality impacted
Issue:
No Security Group (SG) Sync Job triggered with network port delete
Issue:
May get IllegalArgumentException when creating a Deployment Spec (DS) on Nuage Environment
Issue:
When creating a Virtualization Connector with a duplicate name, different (inconsistent) error messages are received in API-doc and automation.
Note - No functionality impacted
Issue:
After uploading plugins, the UI does not refresh the screen to show the result.
Work around:
Manually refresh the browser (F5).
Issue:
Adding an MC (Manager Connector) with a wrong IP or wrong user name/password throws an inappropriate error: no route to the host.
Expected Result:
A warning should be displayed suggesting possible reasons for failure, providing an option if the user wants to continue.
Work around:
Make sure values for ip, username and password are accurate.
Issue:
User can install Manager plugins from SDN plugin pane, and it shows up in Manager plugins State: INSTALL_WAIT.
Work around:
Make sure to upload SDN plugins in the SDN Plugins pane and Manager plugins in the Manager Plugins pane.
Issue:
Uploading an invalid plugin (e.g. a missing properties plugin) did not display an appropriate error message.
Work around:
Do not upload an invalid plugin file.