From a4df85330d93ff3a5d1f7be746b38fc1b12929b7 Mon Sep 17 00:00:00 2001 From: Krishna Vasudevan Date: Sat, 29 Jul 2023 05:29:33 +0530 Subject: [PATCH 001/204] Ansible deployment guide --- .../Automation-with-Ansible.md | 62 ++ .../Deploying-Ansible.md | 66 ++ .../Overview.md | 93 ++ .../Sample-Playbooks.md | 852 ++++++++++++++++++ .../_index.md | 15 + .../Automation-with-Cumulus-Linux.md | 9 +- 6 files changed, 1093 insertions(+), 4 deletions(-) create mode 100644 content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Automation-with-Ansible.md create mode 100644 content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md create mode 100644 content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Overview.md create mode 100644 content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md create mode 100644 content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Automation-with-Ansible.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Automation-with-Ansible.md new file mode 100644 index 0000000000..3ab5ba5e00 --- /dev/null +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Automation-with-Ansible.md 
@@ -0,0 +1,62 @@ +--- +title: Automation with Ansible +author: NVIDIA +weight: 30 +product: Technical Guides +imgData: guides +--- +To automate the network infrastructure in your datacenter using Ansible, NVIDIA provides the following options: +- Ansible Modules +- Production Ready Automation + +## Ansible Modules + +{{}} includes Ansible modules to help you interact with NVIDIA devices managed by NVUE. The modules are developed and validated using Ansible 2.11 and Python 3.6, and are supported on Cumulus Linux 5.x. +The collection includes high-level wrapper modules and object specific modules as listed below: + +**High-level modules** + - nvidia.nvue.command - A wrapper around the NVUE command line tool with added templating and automated dialog prompting. + - nvidia.nvue.api – A wrapper around the NVUE REST API to send and retrieve NVUE configuration. + +**Object specific modules** + - nvidia.nvue.bridge - Bridge configuration with the REST API. + - nvidia.nvue.config – Revisions with the REST API + - nvidia.nvue.evpn - EVPN configuration with the REST API. + - nvidia.nvue.interface - Interface configuration with the REST API. + - nvidia.nvue.mlag - MLAG configuration with the REST API. + - nvidia.nvue.router - Router configuration with the REST API. + - nvidia.nvue.service - Service configuration with the REST API. + - nvidia.nvue.system – System configuration with the REST API. + - nvidia.nvue.vrf - VRF configuration with the REST API. + - nvidia.nvue.vxlan - VXLAN configuration with the REST API. + +For REST API endpoints that are not covered by the object-specific modules or for sub-paths within the object specific modules (for example, `/interface//qos/roce/counters`), you can leverage the `nvidia.nvue.api` module and specify the endpoint in the `path` parameter. 
+ +## Production Ready Automation (PRA) + +The Production Ready Automation package from NVIDIA uses Ansible roles to provide several examples of a fully operationalized, automated data center in the form of playbooks and includes: + - A standard reference topology for all examples. + - A variety of golden standard EVPN-VXLAN architecture reference configurations for the following examples: + - EVPN centralized + - EVPN layer 2 only + - EVPN symmetric + - EVPN multihoming + - A full Vagrant and libvirt simulation of the NVIDIA reference topology (cldemo2) that provides the foundational physical infrastructure and bootstrap configuration to support and demonstrate Cumulus Linux features and technologies. + - Best practice Ansible automation and infrastructure as code (IaC). + - Working examples of Continuous Integration and Continuous Deployment (CI/CD) using GitLab. + - CI/CD testing powered by NetQ Cloud. + +You can use this Production Ready Automation package as a learning resource and as a starting template to implement these features, technologies, and operational workflows in your Cumulus Linux network environments. + +Production Ready Automation generates the jinja2 template for the startup configuration (`startup.yaml`) that NVUE uses. + +You can find more information {{}}. + +## Recommendations + +|Configuration|Cumulus Linux Version | Recommendations| +|-------------|----------------------|----------------| +|Day 0 | Prior to 5.0 | Use the **PRA** package to automate `startup.yaml` file generation.| +| |5.x and above |Use the **Ansible modules** to set up the configuration as desired and run it across all the switches.| +|Day 1 |5.x and above | Use the **Ansible modules** that are available to make configuration changes on the go.| + 
diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md new file mode 100644 index 0000000000..e98bbb2efd --- /dev/null +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md 
@@ -0,0 +1,66 @@ +--- +title: Deploying Ansible Modules +author: NVIDIA +weight: 40 +product: Technical Guides +imgData: guides +--- +The NVUE ansible modules have been certified by RedHat and are available on Ansible Galaxy {{}} and the Automation Hub {{}} (requires login). + +## Important points to remember + +- The modules have been tested with ansible core 2.11, 2.12 and 2.13. +- The modules support Python 3.6 and later. +- The modules have been validated against Cumulus Linux 5.4 and 5.5. + +## Installing the modules + +### Installing from Ansible Galaxy + +You can install the NVIDIA NVUE collection with the Ansible Galaxy CLI: +``` +cumulus@oob-management:~$ ansible-galaxy collection install nvidia.nvue +``` + +You can also include the NVIDIA NVUE collection in a `requirements.yml` file and install it with `ansible-galaxy collection install -r requirements.yml`, using the format: +``` +--- +collections: + - name: nvidia.nvue +``` + +### Installing from git +You can install the NVIDIA NVUE collection using the git URL: +``` +cumulus@oob-management:~$ ansible-galaxy collection install git+https://gitlab.com/nvidia-networking/systems-engineering/nvue.git +``` + +## Verifying the installation +You can verify the installation using the following ansible-galaxy command: +``` +cumulus@oob-management:~$ ansible-galaxy collection list + +Sample Output: +# /home/ubuntu/.ansible/collections/ansible_collections +Collection Version +----------------- ------- +ansible.netcommon 5.1.2 +ansible.utils 2.10.3 +nvidia.nvue 1.0.1 + +# /usr/lib/python3/dist-packages/ansible_collections +Collection Version +----------------------------- ------- +amazon.aws 5.2.0 +ansible.netcommon 4.1.0 +ansible.posix 1.5.1 +ansible.utils 2.9.0 +ansible.windows 1.13.0 +arista.eos 6.0.0 +awx.awx 21.12.0 +azure.azcollection 1.14.0 +check_point.mgmt 4.0.0 +chocolatey.chocolatey 1.4.0 +... +``` + 
diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Overview.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Overview.md new file mode 100644 index 0000000000..8682cde6f1 --- /dev/null +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Overview.md 
@@ -0,0 +1,93 @@ +--- +title: Overview +author: NVIDIA +weight: 20 +product: Technical Guides +imgData: guides +--- +As data centers evolve from physical on-premises to digitized cloud infrastructures, traditional networks also evolve and need to grow based on business demand. This places an increased burden on network operations teams to manage, maintain, and continually adapt to a changing environment with complex and precise configurations. To combat the limitations that come from managing network operations manually, the data center must be automatedso that it can be more agile. + +## Automation + +Today, businesses operate at high speeds with massive growth in data, making manual monitoring, troubleshooting, and remediation too slow, which can put businesses at risk. Automation can simplify day-zero and day-one setups and make day-two operations almost autonomous. +Automation brings together the data center infrastructure, allowing for centralized access to most data center resources. This access enables the automation of storage, servers, network, and other data center management tasks. + +## NVIDIA User Experience + +NVIDIA User Experience (NVUE) is an object-oriented, schema driven model of a complete Cumulus Linux system (hardware and software) providing a robust API that allows for multiple interfaces to both view (show) and configure (set and unset) any element within a system running the NVUE software. +NVUE follows a declarative model, removing context-specific commands and settings. It is structured as a big tree that represents the entire state of a Cumulus Linux instance. At the base of the tree are high level branches representing objects, such as router and interface. Under each of these branches are additional branches. As you navigate through the tree, you gain a more specific context. At the leaves of the tree are actual attributes, represented as key-value pairs. The path through the tree is similar to a filesystem path. 
+You can use the NVUE object model in the following ways: +- With the **NVUE CLI**, where you configure, monitor, and manage the Cumulus Linux network elements. The CLI commands translate to their equivalent REST APIs, which Cumulus Linux then runs on the NVUE object model. +- With the **NVUE REST API**, where you run the GET, PATCH, DELETE, and other REST APIs on the NVUE object model endpoints to configure, monitor, and manage the switch. Because of the large user community and maturity of Open API Specifications (OAS) upon which NVUE is based, you can use several popular tools and libraries to create client-side bindings to use the NVUE REST API. The documentation for the NVUE REST API uses Swagger;you can find it here. +The CLI and the REST API are equivalent in functionality; you can run all management operations from the REST API or the CLI. The NVUE object model drives both the REST API and the CLI management operations. All operations are consistent; for example, the CLI nv show commands reflect any PATCH operation (create) you run through the REST API. + +## Ansible + +Ansible® is an open-source IT automation tool that automates provisioning, configuration management, application deployment, orchestration, and many other manual IT processes. Ansible works by connecting to your automation target and pushing programs that execute instructions that you typically do manually. These programs utilize Ansible modules written based on the specific expectations of endpoint connectivity, interface, and commands. +An Ansible playbook is a blueprint of automation tasks, which are complex IT actions executed with no need for human involvement. You write Ansible playbooks in human-readable {{}} format and execute them on a set, group, or classification of hosts, which together make up an Ansible inventory. 
+ +### Terminology + +**Ansible Galaxy** + +An online distribution server for finding and sharing Ansible community content, sometimes referred to as community Galaxy. Also, the command-line utility that lets you install individual Ansible collections, for example `ansible-galaxy collection install nvidia.nvue`. + +**Collections** + +A packaging format for bundling and distributing Ansible content, including plugins, roles, modules, and more. Collections are release independent of other collections or ansible-core so features can be available sooner. Some collections are packaged with Ansible (version 2.10 or later). You can install other collections (or other versions of collections) with `ansible-galaxy collection install `. + +**Collection name** + +The second part of a Fully Qualified Collection Name. The collection name divides the collection namespace and usually reflects the function of the collection content. For example, the `nvidia` namespace contains `nvidia.nvue` with content for managing the different NVUE devices maintained by NVIDIA. + +**Group** + +A group consists of several hosts assigned to a pool that can be conveniently targeted together, as well as given variables that they share in common. + +**Group Vars** + +The `group_vars` files live in a directory alongside an inventory file, with an optional filename named after each group. This is a convenient place to put variables that are provided to a given group, especially complex data structures, so that these variables do not have to be embedded in the file or playbook. + +**Host** + +A host is a remote machine that Ansible manages. You can assign individual variables to a host and can also organize them in groups. All hosts have a name, which is either an IP address or a domain name and, optionally, a port number in case access is not allowed on the default SSH port. + +**Inventory** + +A file (by default, Ansible uses a simple INI format) that describes {{}} and {{}} in Ansible. 
You can also provide inventory through an {{}} (sometimes called an External Inventory Script). + +**Inventory Script** + +A very simple program (or a complicated one) that looks up {{}}, {{}} membership for hosts, and variable information from an external resource – an SQL database, a CMDB solution, or a solution similar to LDAP. This concept is adapted from Puppet (where it is called an External Nodes Classifier) and works in more or less the same way. + +**Jinja2** + +Jinja2 is the preferred templating language of the Ansible template module. It is a very simple Python template language that is generally readable and easy to write. + +**Modules** + +Modules are the units of work that Ansible ships out to remote machines. Modules are kicked off by either `/usr/bin/ansible` or `/usr/bin/ansible-playbook` (where multiple tasks use lots of different modules). You can implement modules in any language, including Perl, Bash, or Ruby you can take advantage of some useful communal library code if written in Python. Modules just have to return {{}}. After you execute modules on remote machines, they are removed, so that no long running daemons are used. Ansible refers to the collection of available modules as a {{}}. + +**Playbooks** + +Playbooks are the language by which Ansible orchestrates, configures, administers, or deploys systems. They are called playbooks partially to use a sports analogy as it is supposed to be fun using them. They are not workbooks. + +**Plays** + +A {{}} is a list of plays. A play is minimally a mapping between a set of {{}} selected by a host specifier (usually chosen by {{}} but sometimes by hostname {{}}) and the {{}} that run on those hosts to define the role that those systems perform. There can be one or many plays in a playbook. + +**Roles** + +Roles are units of organization in Ansible. Assigning a role to a group of {{}} (or a set of {{}}, or {{}}, and so on) implies that they should implement a specific behavior. 
A role might include applying certain variable values, certain {{}}, and certain {{}} – or just one or more of these things. Because of the file structure associated with a role, roles become redistributable units that enable you to share behavior among {{}} – or even with other users. + +**Task** + +{{}} exist to run tasks. Tasks combine an {{}} (a module and its arguments) with a name and, optionally, some other keywords (like {{}}). {{}} are also tasks, but they are a special kind of task that do not run unless they are notified by name when a task reports an underlying change on a remote system. + +**Templates** + +Ansible can easily transfer files to remote systems but often, it is desirable to substitute variables in other files. Variables can come from the {{}} file, {{}}, {{}}, or {{}}. Templates use the {{}} template engine and can also include logical constructs like loops and if statements + +**YAML** + +Ansible does not want to force people to write programming language code to automate infrastructure, so Ansible uses YAML to define {{}} configuration languages and also variable files. YAML has minimal syntax and is very clean and easy for you to skim. It is a good data format for configuration files and humans, and is also machine readable. Ansible’s usage of YAML stemmed from Michael DeHaan’s first use of it inside of Cobbler around 2006. YAML is fairly popular in the dynamic language community and the format has libraries available for serialization in many languages (Python, Perl, Ruby, and so on). diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md new file mode 100644 index 0000000000..cb9992af62 --- /dev/null +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md 
@@ -0,0 +1,852 @@ +--- +title: Running the Playbooks +author: NVIDIA +weight: 50 +product: Technical Guides +imgData: guides +--- + +## Enable the NVUE API + +Cumulus Linux 5.5 and later disables the NVUE REST API by default. If you want to use any of the object specific modules or the `api` module, you need to enable the NVUE REST API with the following commands on the switch: +``` +cumulus@switch:~$ sudo ln -s /etc/nginx/sites-{available,enabled}/nvue.conf + +cumulus@switch:~$ sudo sed -i 's/listen localhost:8765 ssl;/listen \[::\]:8765 ipv6only=off ssl;/g' /etc/nginx/sites-available/nvue.conf + +cumulus@switch:~$ sudo systemctl restart nginx +``` + +You can find a sample playbook that enables the NVUE REST API across all of the switches {{}}. Download the file and run it against the switches. +``` +cumulus@oob-management:~$ curl -o enable-nvue-api.yml https://gitlab.com/nvidia-networking/systems-engineering/nvue/-/raw/main/examples/playbooks/enable-nvue-api.yml + +cumulus@oob-management:~$ curl -o hosts https://gitlab.com/nvidia-networking/systems-engineering/nvue/-/raw/main/examples/hosts + +cumulus@oob-management:~$ ansible-playbook enable-nvue-api.yml -i hosts +``` + +## Sample Playbooks +You can find additional example playbooks and host files in the `/nvidia/nvue/examples` directory or in the git repository {{}}. + +``` +cumulus@oob-management:~$ ls ~/.ansible/collections/ansible_collections/nvidia/nvue/examples/ + +collections host_vars hosts playbooks +``` + +You can run any of the sample playbooks in the `playbooks` directory. 
+ +``` +cumulus@oob-management:~$ ls ~/.ansible/collections/ansible_collections/nvidia/nvue/examples/playbooks + +api.yml gather-config-multiple.yml +bridge.yml gather-config.yml +command.yml interface.yml +evpn-multihoming-leaf01.yml revision.yml +evpn-symmetric-leaf01.yml static-vxlan-leaf01.yml +``` + +The `gather-config.yml` uses the high-level `api` module to fetch the root configuration and the object-level `interface` module to fetch interface configuration. + +``` +cumulus@oob-management:~$ cd ~/.ansible/collections/ansible_collections/nvidia/nvue/examples/ +cumulus@oob-management:~$ cat playbooks/gather-config.yml + +- name: NVUE API + hosts: cumulus + connection: ansible.netcommon.httpapi + gather_facts: false + vars: + ansible_network_os: nvidia.nvue.httpapi + ansible_httpapi_port: 8765 + ansible_httpapi_use_ssl: true + ansible_httpapi_validate_certs: false + + tasks: + - name: Get the current config + nvidia.nvue.api: + operation: get + register: output + + - name: Print current config + ansible.builtin.debug: + msg: "{{ output }}" + + - name: Get the current interface config + nvidia.nvue.interface: + state: gathered + register: interface + + - name: Print current interface + ansible.builtin.debug: + msg: "{{ interface }}" +``` + +Run the playbook. Optionally, you can add the `-v` parameter to increase verbosity of the playbook execution. + +
+ +``` +cumulus@oob-management:~$ ansible-playbook playbooks/gather-config.yml -i hosts + +Sample Output: +[WARNING]: running playbook inside collection nvidia.nvue + +PLAY [NVUE API] ***************************************************************** + +TASK [Get the current config] ***************************************************************** +ok: [cumulus] + +TASK [Print current config] ***************************************************************** +ok: [cumulus] => { + "msg": { + "changed": false, + "failed": false, + "message": { + "acl": {}, + "bridge": { + "domain": { + "br_default": { + "ageing": 1800, + "encap": "802.1Q", + "mac-address": "auto", + "multicast": { + "snooping": { + "enable": "on", + "querier": { + "enable": "off" + } + } + }, + "stp": { + "priority": 32768, + "state": { + "up": {} + } + }, + "type": "vlan-aware", + "untagged": 1, + "vlan": { + "10": { + "multicast": { + "snooping": { + "querier": { + "source-ip": "0.0.0.0" + } + } + }, + "ptp": { + "enable": "off" + }, + "vni": { + "10": { + "flooding": { + "enable": "auto" + }, + "mac-learning": "auto" + } + } + } + }, + "vlan-vni-offset": 0 + } + } + }, + "evpn": { + "enable": "off" + }, + "header": { + "model": "VX", + "nvue-api-version": "nvue_v1", + "rev-id": 1.0, + "version": "Cumulus Linux 5.5.0" + }, + "interface": { + "eth0": { + "acl": {}, + "ip": { + "address": { + "dhcp": {} + }, + "gateway": {}, + "ipv4": { + "forward": "off" + }, + "ipv6": { + "enable": "on", + "forward": "off" + }, + "vrf": "mgmt" + }, + "link": { + "auto-negotiate": "on", + "duplex": "full", + "fec": "auto", + "mtu": 9216, + "speed": "auto", + "state": { + "up": {} + } + }, + "type": "eth" + }, + "lo": { + "ip": { + "address": {}, + "igmp": { + "enable": "off" + }, + "ipv4": { + "forward": "on" + }, + "ipv6": { + "enable": "on", + "forward": "on" + }, + "vrf": "default" + }, + "router": { + "adaptive-routing": { + "enable": "off" + }, + "ospf": { + "enable": "off" + }, + "ospf6": { + "enable": "off" + 
}, + "pim": { + "enable": "off" + } + }, + "type": "loopback" + } + }, + "mlag": { + "enable": "off" + }, + "nve": { + "vxlan": { + "enable": "off" + } + }, + "qos": { + "advance-buffer-config": { + "default-global": { + "egress-lossy-buffer": { + "multicast-switch-priority": { + "0": { + "service-pool": "0" + }, + "1": { + "service-pool": "0" + }, + "2": { + "service-pool": "0" + }, + "3": { + "service-pool": "0" + }, + "4": { + "service-pool": "0" + }, + "5": { + "service-pool": "0" + }, + "6": { + "service-pool": "0" + }, + "7": { + "service-pool": "0" + } + }, + "traffic-class": { + "0": { + "service-pool": "0" + }, + "1": { + "service-pool": "0" + }, + "2": { + "service-pool": "0" + }, + "3": { + "service-pool": "0" + }, + "4": { + "service-pool": "0" + }, + "5": { + "service-pool": "0" + }, + "6": { + "service-pool": "0" + }, + "7": { + "service-pool": "0" + } + } + }, + "egress-pool": { + "0": { + "memory-percent": 100, + "mode": "dynamic" + } + }, + "ingress-lossy-buffer": { + "priority-group": { + "bulk": { + "service-pool": "0", + "switch-priority": { + "0": {}, + "1": {}, + "2": {}, + "3": {}, + "4": {}, + "5": {}, + "6": {}, + "7": {} + } + } + } + }, + "ingress-pool": { + "0": { + "memory-percent": 100, + "mode": "dynamic" + } + } + } + }, + "congestion-control": { + "default-global": { + "traffic-class": { + "0": { + "ecn": "enable", + "max-threshold": 1500000, + "min-threshold": 150000, + "probability": 100, + "red": "disable" + } + } + } + }, + "egress-queue-mapping": { + "default-global": { + "switch-priority": { + "0": { + "traffic-class": 0 + }, + "1": { + "traffic-class": 1 + }, + "2": { + "traffic-class": 2 + }, + "3": { + "traffic-class": 3 + }, + "4": { + "traffic-class": 4 + }, + "5": { + "traffic-class": 5 + }, + "6": { + "traffic-class": 6 + }, + "7": { + "traffic-class": 7 + } + } + } + }, + "egress-scheduler": { + "default-global": { + "traffic-class": { + "0": { + "bw-percent": 12, + "mode": "dwrr" + }, + "1": { + "bw-percent": 13, + 
"mode": "dwrr" + }, + "2": { + "bw-percent": 12, + "mode": "dwrr" + }, + "3": { + "bw-percent": 13, + "mode": "dwrr" + }, + "4": { + "bw-percent": 12, + "mode": "dwrr" + }, + "5": { + "bw-percent": 13, + "mode": "dwrr" + }, + "6": { + "bw-percent": 12, + "mode": "dwrr" + }, + "7": { + "bw-percent": 13, + "mode": "dwrr" + } + } + } + }, + "egress-shaper": {}, + "link-pause": {}, + "mapping": { + "default-global": { + "pcp": { + "0": { + "switch-priority": 0 + }, + "1": { + "switch-priority": 1 + }, + "2": { + "switch-priority": 2 + }, + "3": { + "switch-priority": 3 + }, + "4": { + "switch-priority": 4 + }, + "5": { + "switch-priority": 5 + }, + "6": { + "switch-priority": 6 + }, + "7": { + "switch-priority": 7 + } + }, + "port-default-sp": 0, + "trust": "l2" + } + }, + "pfc": {}, + "remark": { + "default-global": {} + }, + "roce": { + "enable": "off" + }, + "traffic-pool": { + "default-lossy": { + "memory-percent": 100, + "switch-priority": { + "0": {}, + "1": {}, + "2": {}, + "3": {}, + "4": {}, + "5": {}, + "6": {}, + "7": {} + } + } + } + }, + "router": { + "adaptive-routing": { + "enable": "off" + }, + "bgp": { + "enable": "off" + }, + "igmp": { + "enable": "off" + }, + "nexthop": { + "group": {} + }, + "ospf": { + "enable": "off" + }, + "ospf6": { + "enable": "off" + }, + "pbr": { + "enable": "off" + }, + "pim": { + "enable": "off" + }, + "policy": { + "as-path-list": {}, + "community-list": {}, + "ext-community-list": {}, + "large-community-list": {}, + "prefix-list": {}, + "route-map": {} + }, + "ptm": { + "enable": "off" + }, + "vrr": { + "enable": "off" + }, + "vrrp": { + "enable": "off" + } + }, + "service": { + "dhcp-relay": {}, + "dhcp-relay6": {}, + "dhcp-server": {}, + "dhcp-server6": {}, + "dns": {}, + "lldp": { + "dot1-tlv": "off", + "lldp-med-inventory-tlv": "off", + "mode": "default", + "tx-hold-multiplier": 4, + "tx-interval": 30 + }, + "ntp": {}, + "ptp": { + "1": { + "acceptable-master": {}, + "domain": 0, + "enable": "off", + "ip-dscp": 46, + 
"logging-level": "info", + "monitor": { + "max-offset-threshold": 50, + "max-timestamp-entries": 100, + "max-violation-log-entries": 4, + "max-violation-log-sets": 2, + "min-offset-threshold": -50, + "path-delay-threshold": 200, + "violation-log-interval": 1 + }, + "priority1": 128, + "priority2": 128, + "profile": { + "default-1588": { + "announce-interval": 1, + "announce-timeout": 3, + "delay-mechanism": "end-to-end", + "delay-req-interval": 0, + "domain": 0, + "priority1": 128, + "priority2": 128, + "profile-type": "ieee-1588", + "sync-interval": 0, + "transport": "ipv4" + }, + "default-itu-8275-1": { + "announce-interval": -3, + "announce-timeout": 3, + "delay-mechanism": "end-to-end", + "delay-req-interval": -4, + "domain": 24, + "local-priority": 128, + "priority1": 128, + "priority2": 128, + "profile-type": "itu-g-8275-1", + "sync-interval": -4, + "transport": "802.3" + }, + "default-itu-8275-2": { + "announce-interval": 0, + "announce-timeout": 3, + "delay-mechanism": "end-to-end", + "delay-req-interval": -6, + "domain": 44, + "local-priority": 128, + "priority1": 128, + "priority2": 128, + "profile-type": "itu-g-8275-2", + "sync-interval": -6, + "transport": "ipv4" + } + }, + "unicast-master": {} + } + }, + "snmp-server": { + "enable": "off" + }, + "synce": { + "enable": "off" + }, + "syslog": {} + }, + "system": { + "aaa": { + "authentication-order": {}, + "tacacs": { + "enable": "off" + }, + "user": {} + }, + "acl": { + "mode": "atomic" + }, + "config": { + "apply": { + "ignore": {}, + "overwrite": "all" + }, + "auto-save": { + "enable": "off" + }, + "snippet": {} + }, + "control-plane": { + "acl": {}, + "policer": {}, + "trap": {} + }, + "counter": { + "polling-interval": { + "logical-interface": 5, + "physical-interface": 2 + } + }, + "forwarding": { + "ecmp-hash": { + "destination-ip": "on", + "destination-port": "on", + "gtp-teid": "off", + "ingress-interface": "off", + "inner-destination-ip": "off", + "inner-destination-port": "off", + 
"inner-ip-protocol": "off", + "inner-ipv6-label": "off", + "inner-source-ip": "off", + "inner-source-port": "off", + "ip-protocol": "on", + "ipv6-label": "on", + "source-ip": "on", + "source-port": "on" + }, + "host-route-preference": "route", + "lag-hash": { + "destination-ip": "on", + "destination-mac": "on", + "destination-port": "on", + "ether-type": "on", + "gtp-teid": "off", + "ip-protocol": "on", + "source-ip": "on", + "source-mac": "on", + "source-port": "on", + "vlan": "on" + }, + "programming": { + "log-level": "info" + } + }, + "global": { + "anycast-id": "none", + "anycast-mac": "none", + "fabric-id": 1, + "fabric-mac": "none", + "l3svd": { + "enable": "off" + }, + "reserved": { + "routing-table": { + "pbr": { + "begin": 10000, + "end": 4294966272 + } + }, + "vlan": { + "internal": { + "range": "3725-3999" + }, + "l3-vni-vlan": { + "begin": 4000, + "end": 4064 + } + } + }, + "system-mac": "auto" + }, + "hostname": "cumulus", + "port-mirror": { + "session": {} + }, + "reboot": { + "mode": "cold" + }, + "wjh": { + "enable": "off" + } + }, + "vrf": { + "default": { + "evpn": { + "enable": "off" + }, + "loopback": { + "ip": { + "address": { + "127.0.0.1/8": {}, + "::1/128": {} + } + } + }, + "ptp": { + "enable": "on" + }, + "router": { + "bgp": { + "enable": "off" + }, + "nexthop-tracking": {}, + "ospf": { + "enable": "off" + }, + "ospf6": { + "enable": "off" + }, + "pim": { + "enable": "off" + }, + "rib": {}, + "static": {} + }, + "table": "auto" + }, + "mgmt": { + "evpn": { + "enable": "off" + }, + "loopback": { + "ip": { + "address": { + "127.0.0.1/8": {}, + "::1/128": {} + } + } + }, + "ptp": { + "enable": "on" + }, + "router": { + "bgp": { + "enable": "off" + }, + "nexthop-tracking": {}, + "ospf": { + "enable": "off" + }, + "ospf6": { + "enable": "off" + }, + "rib": {}, + "static": {} + }, + "table": "auto" + } + } + } + } +} + +TASK [Get the current interface config] ***************************************************************** +ok: [cumulus] + 
+TASK [Print current interface] ***************************************************************** +ok: [cumulus] => { + "msg": { + "changed": false, + "failed": false, + "message": { + "eth0": { + "acl": {}, + "ip": { + "address": { + "dhcp": {} + }, + "gateway": {}, + "ipv4": { + "forward": "off" + }, + "ipv6": { + "enable": "on", + "forward": "off" + }, + "vrf": "mgmt" + }, + "link": { + "auto-negotiate": "on", + "duplex": "full", + "fec": "auto", + "mtu": 9216, + "speed": "auto", + "state": { + "up": {} + } + }, + "type": "eth" + }, + "lo": { + "ip": { + "address": {}, + "igmp": { + "enable": "off" + }, + "ipv4": { + "forward": "on" + }, + "ipv6": { + "enable": "on", + "forward": "on" + }, + "vrf": "default" + }, + "router": { + "adaptive-routing": { + "enable": "off" + }, + "ospf": { + "enable": "off" + }, + "ospf6": { + "enable": "off" + }, + "pim": { + "enable": "off" + } + }, + "type": "loopback" + } + } + } +} + +PLAY RECAP ***************************************************************** +cumulus : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + +``` + +
+ +## Resources + +- {{}} +- {{}} +- {{}} +- {{}} +- {{}} +- {{}} \ No newline at end of file diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md new file mode 100644 index 0000000000..a170ec1314 --- /dev/null +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md @@ -0,0 +1,15 @@ +--- +title: Data Center Network Automation with Ansible Deployment Guide +author: NVIDIA +weight: 10 +product: Technical Guides +imgData: guides +--- + +Use this guide to get familiar with Ansible and to understand how to use Ansible to interact with NVIDIA Cumulus Linux switches. + +The Deployment guide contains the following sections: +- {{}} +- {{}} +- {{}} +- {{}} diff --git a/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Automation-with-Cumulus-Linux.md b/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Automation-with-Cumulus-Linux.md index 01ee187694..84a54ad6a0 100644 --- a/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Automation-with-Cumulus-Linux.md +++ b/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Automation-with-Cumulus-Linux.md 
@@ -182,13 +182,14 @@ You can find more information {{}} (`nvidia.nvue`) includes Ansible modules to help you interact with NVIDIA devices managed by NVUE. The modules are developed and validated using Ansible 2.11 and Python 3.6, and are supported on Cumulus Linux 5.x. {{%notice note%}} -Ansible modules are in Beta as of the publication of this guide. The various modules available as of the publication of this guide are: -- The **CLI** is a wrapper around the `nv` command line tool with added templating and automated dialog prompting. You can find more information {{}}. +The various modules available as of the publication of this guide are: +- The **CLI** is a wrapper around the `nv` command line tool with added templating and automated dialog prompting. - The **REST API** enables you to send and retrieve NVUE configuration. -- **Object specific modules** are designed to work with the individual network objects and support various parameters that allow you to interact with them as required. The various modules supported include bridge, router, interface, evpn, mlag, system, vrf, and vxlan. These are available for download {{}}, with instructions for usage {{}}. +- **Object specific modules** are designed to work with the individual network objects and support various parameters that allow you to interact with them as required. The various modules supported include bridge, router, interface, evpn, mlag, system, vrf, and vxlan. +You can find more details {{}}. {{%/notice%}} ## NVUE Migration Tool From e45ab72dd9af4baa69b88c3ec1bf724fee2e406b Mon Sep 17 00:00:00 2001 From: Krishna Vasudevan Date: Sat, 29 Jul 2023 08:10:43 +0530 Subject: [PATCH 002/204] Fixed bugs --- .../Deploying-Ansible.md | 9 +++++++-- .../Sample-Playbooks.md | 5 ++++- .../_index.md | 8 +------- 3 files changed, 12 insertions(+), 10 deletions(-) 
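Review bot: In the Automation-with-Cumulus-Linux.md hunk (@@ -182,13 +182,14), removing the Beta sentence leaves `{{%notice note%}}` and `{{%/notice%}}` wrapped around the whole module list, which is now ordinary body text rather than a caveat; drop the notice wrapper or move the list out of it. The added line "You can find more details" also follows the last bullet with no blank line before it, so Markdown will render it as a continuation of the "Object specific modules" item; add a blank `+` line between them.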
diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md index e98bbb2efd..376fc00b9a 100644 --- a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md @@ -18,11 +18,13 @@ The NVUE ansible modules have been certified by RedHat and are available on Ansi ### Installing from Ansible Galaxy You can install the NVIDIA NVUE collection with the Ansible Galaxy CLI: + ``` cumulus@oob-management:~$ ansible-galaxy collection install nvidia.nvue ``` You can also include the NVIDIA NVUE collection in a `requirements.yml` file and install it with `ansible-galaxy collection install -r requirements.yml`, using the format: + ``` --- collections: @@ -30,13 +32,17 @@ collections: ``` ### Installing from git + You can install the NVIDIA NVUE collection using the git URL: + ``` cumulus@oob-management:~$ ansible-galaxy collection install git+https://gitlab.com/nvidia-networking/systems-engineering/nvue.git ``` ## Verifying the installation + You can verify the installation using the following ansible-galaxy command: + ``` cumulus@oob-management:~$ ansible-galaxy collection list @@ -62,5 +68,4 @@ azure.azcollection 1.14.0 check_point.mgmt 4.0.0 chocolatey.chocolatey 1.4.0 ... -``` - +``` \ No newline at end of file diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md index cb9992af62..d91d38701b 100644 --- a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md 
@@ -11,9 +11,11 @@ imgData: guides overflow-y: auto; } + ## Enable the NVUE API Cumulus Linux 5.5 and later disables the NVUE REST API by default. If you want to use any of the object specific modules or the `api` module, you need to enable the NVUE REST API with the following commands on the switch: + ``` cumulus@switch:~$ sudo ln -s /etc/nginx/sites-{available,enabled}/nvue.conf @@ -22,7 +24,8 @@ cumulus@switch:~$ sudo sed -i 's/listen localhost:8765 ssl;/listen \[::\]:8765 i cumulus@switch:~$ sudo systemctl restart nginx ``` -You can find a sample playbook that enables the NVUE REST API across all of the switches {{}}. Download the file and run it against the switches. +You can find a sample playbook that enables the NVUE REST API across all of the switches {{}}. Download the file and run it against the switches. + ``` cumulus@oob-management:~$ curl -o enable-nvue-api.yml https://gitlab.com/nvidia-networking/systems-engineering/nvue/-/raw/main/examples/playbooks/enable-nvue-api.yml diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md index a170ec1314..ca51f56e4d 100644 --- a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md @@ -1,5 +1,5 @@ --- -title: Data Center Network Automation with Ansible Deployment Guide +title: Data Center Network Automation with Ansible author: NVIDIA weight: 10 product: Technical Guides @@ -7,9 +7,3 @@ imgData: guides --- Use this guide to get familiar with Ansible and to understand how to use Ansible to interact with NVIDIA Cumulus Linux switches. - -The Deployment guide contains the following sections: -- {{}} -- {{}} -- {{}} -- {{}} From 02af35d7ccb92defd50c0fe1f07ee0ff3c457194 Mon Sep 17 00:00:00 2001 
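Review bot: In the Deploying-Ansible.md hunk at @@ -30,13 +32,17 ("Installing from git"), the `ansible-galaxy collection install git+https://gitlab.com/nvidia-networking/systems-engineering/nvue.git` example carries no version, so it installs whatever the repository's default branch holds at that moment. Since this collection ends up pushing configuration to switches, show the URL with a tag or commit appended after a comma, and give the `requirements.yml` example a `version:` as well, so installs on the management host are reproducible.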
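Review bot: The last Deploying-Ansible.md hunk (@@ -62,5 +68,4) removes the file's final newline, as the `\ No newline at end of file` marker after the closing fence shows. Keep a trailing newline after the closing fence; the "Fixed bugs" change only needed to drop the stray blank line.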
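Review bot: In the Sample-Playbooks.md hunk at @@ -22,7 +24,8, the documented `sed` step rewrites nginx from `listen localhost:8765 ssl;` to `listen \[::\]:8765`, which makes the NVUE REST API reachable on every address of the switch, and the surrounding text never says so. Add a sentence telling readers to limit reachability of port 8765 (for example, to the management network) before they run the enable playbook across all switches. The `curl` example in the same hunk fetches `enable-nvue-api.yml` from the `main` branch, so the playbook that gets run can change without notice; point it at a tagged or commit-specific raw URL instead.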
From: Krishna Vasudevan Date: Mon, 31 Jul 2023 22:33:19 +0530 Subject: [PATCH 003/204] Updated Index --- .../{Deploying-Ansible.md => Deploying-Ansible-Modules.md} | 0 .../{Sample-Playbooks.md => Running-the-Playbooks.md} | 0 .../_index.md | 7 +++++++ 3 files changed, 7 insertions(+) rename content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/{Deploying-Ansible.md => Deploying-Ansible-Modules.md} (100%) rename content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/{Sample-Playbooks.md => Running-the-Playbooks.md} (100%) diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible-Modules.md similarity index 100% rename from content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible.md rename to content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Deploying-Ansible-Modules.md diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Running-the-Playbooks.md similarity index 100% rename from content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Sample-Playbooks.md rename to content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Running-the-Playbooks.md diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md index ca51f56e4d..641907b2cd 100644 --- a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md 
@@ -7,3 +7,10 @@ imgData: guides --- Use this guide to get familiar with Ansible and to understand how to use Ansible to interact with NVIDIA Cumulus Linux switches. + +This deployment guide discusses the following topics: + +- {{}} +- {{}} +- {{}} +- {{}} From 834b19d8f4dbb61af60b21552107ba018814117a Mon Sep 17 00:00:00 2001 From: Krishna Vasudevan Date: Mon, 31 Jul 2023 23:01:08 +0530 Subject: [PATCH 004/204] Link updates --- ...{Overview.md => Introduction-to-Automation-and-Ansible.md} | 2 +- ...mation-with-Ansible.md => NVUE-Automation-with-Ansible.md} | 2 +- .../_index.md | 4 ++-- .../Use-Cases-and-Recommendations.md | 3 ++- 4 files changed, 6 insertions(+), 5 deletions(-) rename content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/{Overview.md => Introduction-to-Automation-and-Ansible.md} (99%) rename content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/{Automation-with-Ansible.md => NVUE-Automation-with-Ansible.md} (99%) diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Overview.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Introduction-to-Automation-and-Ansible.md similarity index 99% rename from content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Overview.md rename to content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Introduction-to-Automation-and-Ansible.md index 8682cde6f1..f3c9c034dd 100644 --- a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Overview.md +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Introduction-to-Automation-and-Ansible.md @@ -1,5 +1,5 @@ --- -title: Overview +title: Introduction to Automation and Ansible author: NVIDIA weight: 20 product: Technical Guides 
diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Automation-with-Ansible.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/NVUE-Automation-with-Ansible.md similarity index 99% rename from content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Automation-with-Ansible.md rename to content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/NVUE-Automation-with-Ansible.md index 3ab5ba5e00..d67ec5d92b 100644 --- a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/Automation-with-Ansible.md +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/NVUE-Automation-with-Ansible.md @@ -1,5 +1,5 @@ --- -title: Automation with Ansible +title: NVUE Automation with Ansible author: NVIDIA weight: 30 product: Technical Guides diff --git a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md index 641907b2cd..420db4ec42 100644 --- a/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md +++ b/content/guides/Data-Center-Network-Automation-Ansible-Deployment-Guide/_index.md @@ -10,7 +10,7 @@ Use this guide to get familiar with Ansible and to understand how to use Ansible This deployment guide discusses the following topics: -- {{}} -- {{}} +- {{}} +- {{}} - {{}} - {{}} diff --git a/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Use-Cases-and-Recommendations.md b/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Use-Cases-and-Recommendations.md index cc84bd7a1a..260151ecd3 100644 --- a/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Use-Cases-and-Recommendations.md +++ b/content/guides/Data-Center-Network-Automation-Quick-Start-Guide/Use-Cases-and-Recommendations.md 
@@ -535,6 +535,7 @@ cumulus@switch:~$ nv set bridge domain br_default untagged 1 ## Resources -- {{}} +- {{}} - {{}} +- {{}} - {{}} \ No newline at end of file From cc39b92ee27d20d9d48ec641c9a5fdf3ef5130cd Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 14 Aug 2023 16:40:48 -0700 Subject: [PATCH 005/204] update FRR version --- content/cumulus-linux-56/Layer-3/FRRouting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-56/Layer-3/FRRouting.md b/content/cumulus-linux-56/Layer-3/FRRouting.md index d4af93dd97..4edcad0e99 100644 --- a/content/cumulus-linux-56/Layer-3/FRRouting.md +++ b/content/cumulus-linux-56/Layer-3/FRRouting.md @@ -116,7 +116,7 @@ FRR provides a command-line interface (CLI) called vtysh for configuring and dis ``` cumulus@switch:~$ sudo vtysh -Hello, this is FRRouting (version 0.99.23.1+cl3u2). +Hello, this is FRRouting (version 8.4.3). Copyright 1996-2005 Kunihiro Ishiguro, et al. switch# From 30f256a703f2aa5320cdcd0620e3b810ed15e044 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 30 Aug 2023 16:42:43 -0700 Subject: [PATCH 006/204] update rns for ania-stage --- content/cumulus-linux-56/Whats-New/rn.md | 218 ++++++++++++----------- 1 file changed, 114 insertions(+), 104 deletions(-) diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index 32017cb9ec..6086e65a0e 100644 --- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -8,116 +8,126 @@ toc: 1 type: rn pdfhidden: True --- -{{}} +{{}} ## 5.6.0 Release Notes ### Open Issues in 5.6.0 | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3466703](#3466703)
| In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a "NetlinkThread: Netlink overflow" log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. | 5.2.0-5.5.0 | | -| [3459696](#3459696)
| If you run the NVUE nv show vrf router bgp peer-group command when the BGP instance is not enabled, you see an NVUE traceback error. | 5.4.0-5.5.0 | | -| [3455078](#3455078)
| When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:
ERR bridge destroy for vlan  bridge_id  vfid  failed: Resource is in use
The errors are temporary and have no impact on functionality or traffic. | 5.5.0 | | -| [3452763](#3452763)
| When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:
cumulus@switch:~$ sudo touch /run/tacacs_client_mapcumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_mapcumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map
| 5.5.0 | | -| [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
system:
config:
snippet:
frr.conf: \|
bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0 | | -| [3452688](#3452688)
| When you use NVUE to configure a named extended community list with a route target, Cumulus Linux defines it as expanded instead of standard. As a result, routes do not match the expected community list. | 5.5.0 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see the following error:
cumulus@switch:~$ nv show system aaa tacacs authorization 1Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND
| 5.5.0 | | -| [3448984](#3448984)
| If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):
audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory)
audispd: Skipping audisp-tacplus.conf plugin due to errors
These messages do not affect the functionality of the switch. | 5.5.0 | | -| [3447762](#3447762)
| If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. | 5.4.0-5.5.0 | | -| [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.5.0 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0 | | -| [3436595](#3436595)
| When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the --no_metadata option with the export command:
cumulus@switch:~$ what-just-happened poll --export --no_metadata
| 5.4.0-5.5.0 | | -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.5.0 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.0 | | -| [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0 | | -| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.5.0 | | -| [3368217](#3368217)
None | When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.5.0 | | -| [3362113](#3362113)
| If you restore an NVUE startup.yaml file after upgrade that includes breakout ports with QoS configuration or you run the nv config patch command to update a configuration with a yaml file that includes breakout ports with QoS configuration, the NVUE configuration fails to apply and subsequent attempts to run nv config apply fail with the following message:
cumulus@switch:~$ nv config applyInvalid config [rev_id: 11]
qos config is not supported on following invalid interface: swp1s0. Supported on swp and bond interface types
To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.5.0 | | -| [3350027](#3350027)
| If you uninstall dynamic NAT rules and switchd restarts before all the dynamic NAT flows age out and are deleted, you might see dynamic flow deletion errors in switchd.log. These errors do not affect new dynamic NAT flows from new NAT rules. | 5.4.0-5.5.0 | | -| [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.5.0 | | -| [3345054](#3345054)
| The NVUE nv show interface qos command takes a significant time to show output or times out. To work around this issue, use specific QoS commands. For example, to show congestion control information, run the nv show interface qos congestion-control command. | 5.4.0-5.5.0 | | -| [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.5.0 | | -| [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.0 | | -| [3331929](#3331929)
| In a fairly high scale BGP EVPN route environment, running the NVUE nv show vrf router bgp address-family l2vpn-evpn loc-rib command to obtain data leads to high resource usage. In some cases, there is an out of memory error, which leads to multiple daemon crashes. | 5.4.0-5.5.0 | | -| [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.5.0 | | -| [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.5.0 | | -| [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.5.0 | | -| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.5.0 | | -| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.5.0 | | -| [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.5.0 | | -| [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch, you might see the error message Failed to start Hostname Service when you run the nv config apply command after setting the hostname with nv set system hostname. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.5.0 | | -| [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.5.0 | | -| [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.5.0 | | -| [3221628](#3221628)
| Cumulus Linux 5.2.0 and 5.2.1 VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.5.0 | | -| [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.0 | | -| [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.5.0 | | -| [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.5.0 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.5.0 | | -| [3145224](#3145224)
| If you disable the NVUE service, the /etc/cumulus/datapath/nvue_traffic.conf file does not delete automatically, which prevents ECMP and LAG hash settings in the /etc/cumulus/datapath/traffic.conf file from taking effect. To work around this issue, delete the nvue_traffic.conf file with the sudo rm /etc/cumulus/datapath/nvue_traffic.conf command. | 5.2.0-5.5.0 | | -| [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.5.0 | | -| [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.5.0 | | -| [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.5.0 | | -| [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.5.0 | | -| [3084476](#3084476)
| QOS traffic shaping doesn’t restore the default configuration after you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.5.0 | 4.4.4-4.4.5| -| [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.5.0 | | -| [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.5.0 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.0 | | -| [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.5.0 | | -| [3053094](#3053094)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.5.0 | | -| [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.5.0 | | -| [2964279](#2964279)
| When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.5.0 | 3.7.16| -| [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.5.0 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.5.0 | | -| [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.5.0 | 4.4.2-4.4.5| -| [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.5.0 | 4.4.2-4.4.5| -| [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.5.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.5.0 | | -| [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.5.0 | | -| [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.5.0 | | -| [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.5.0 | | -| [2705056](#2705056)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0, 5.0.0-5.5.0 | 4.3.1-4.4.5| -| [2701000](#2701000)
| A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF. To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command. | 4.3.0, 5.0.0-5.5.0 | 4.3.1-4.4.5| -| [2684925](#2684925)
| The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.5.0 | | -| [2543915](#2543915)
CM-26301 | systemctl issues a warning similar to the following when you enable a service in the management VRF:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
| 4.0.0-4.4.5, 5.0.0-5.5.0 | | +| [3576961](#3576961)
| The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 | | +| [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | +| [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | +| [3565254](#3565254)
| Spectrum-4 switches do not support adaptive routing on 800Gbps links. Spectrum-3 switches do not support adaptive routing on 400Gbps links. | 5.6.0 | | +| [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.6.0 | | +| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the Slave state and one of the ports might remain in an Uncalibrated state. To work around this issue, toggle the port that is in the Uncalibrated state up and down to recover the PTP state so that one of the ports is selected as the Slave. | 5.6.0 | | +| [3517739](#3517739)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | | +| [3463827](#3463827)
| In an EVPN configuration with PIM-SM for BUM handling, the host behind the DUT does not receive the expected number of BUM packets. Cumulus Linux 5.6 only supports Head-End Replication (HREP) for handling BUM traffic in an EVPN configuration. BUM handling using a PIM-SM Multicast tree is not supported. | 5.6.0 | | +| [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
system:
config:
snippet:
frr.conf: \|
bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | | +| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see the following error:
cumulus@switch:~$ nv show system aaa tacacs authorization 1Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND
| 5.5.0-5.6.0 | | +| [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | | +| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.6.0 | | +| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | +| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | +| [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | | +| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.6.0 | | +| [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | +| [3362113](#3362113)
| If you restore an NVUE startup.yaml file after upgrade that includes breakout ports with QoS configuration or you run the nv config patch command to update a configuration with a yaml file that includes breakout ports with QoS configuration, the NVUE configuration fails to apply and subsequent attempts to run nv config apply fail with the following message:
cumulus@switch:~$ nv config applyInvalid config [rev_id: 11]
qos config is not supported on following invalid interface: swp1s0. Supported on swp and bond interface types
To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.6.0 | | +| [3350027](#3350027)
| If you uninstall dynamic NAT rules and switchd restarts before all the dynamic NAT flows age out and are deleted, you might see dynamic flow deletion errors in switchd.log. These errors do not affect new dynamic NAT flows from new NAT rules. | 5.4.0-5.6.0 | | +| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | | +| [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.6.0 | | +| [3345054](#3345054)
| The NVUE nv show interface qos command takes a significant time to show output or times out. To work around this issue, use specific QoS commands. For example, to show congestion control information, run the nv show interface qos congestion-control command. | 5.4.0-5.6.0 | | +| [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | +| [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | +| [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | +| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | +| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.6.0 | | +| [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | +| [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch, you might see the error message Failed to start Hostname Service when you run the nv config apply command after setting the hostname with nv set system hostname. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.6.0 | | +| [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.6.0 | | +| [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.6.0 | | +| [3221628](#3221628)
| Cumulus Linux 5.2.0 and 5.2.1 VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | | +| [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.6.0 | | +| [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.6.0 | | +| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.6.0 | | +| [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | +| [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | +| [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | +| [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | +| [3084476](#3084476)
| The default QOS traffic shaping configuration does not restore after you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.6.0 | 4.4.4-4.4.5| +| [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.6.0 | | +| [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.6.0 | | +| [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.6.0 | | +| [3053094](#3053094)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.6.0 | | +| [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.6.0 | | +| [2964279](#2964279)
| When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.6.0 | 3.7.16| +| [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.6.0 | | +| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | +| [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| +| [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| +| [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | +| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | +| [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | +| [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | +| [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | +| [2705056](#2705056)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0, 5.0.0-5.6.0 | 4.3.1-4.4.5| +| [2701000](#2701000)
| A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF. To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command. | 4.3.0, 5.0.0-5.6.0 | 4.3.1-4.4.5| +| [2684925](#2684925)
| The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | +| [2671652](#2671652)
| In VXLAN routing environments, you might experience sub-optimal route convergence delays (greater than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.6.0 | | +| [2543915](#2543915)
CM-26301 | When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | ### Fixed Issues in 5.6.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [3446455](#3446455)
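Review bot: the added CVE rows 2891255 (CVE-2021-39925) and 2890681 (CVE-2021-42771) list 5.0.0-5.6.0 as affected while the Fixed column shows only 4.4.2-4.4.5, so a 5.x reader gets neither a fixed release nor a mitigation; please confirm the affected range and say where the fixed package is available for 5.x. Row 3341214 has the same gap: it reports the password appearing as plain text in /etc/nvue.d/startup.yaml but gives no workaround. Rows 3122301 and 3103821 carry an identical description (SN4700 PSU insertion and removal), as do 3061656 and 3053094 (bonds during a warm boot under high CPU load); merge each pair or state what distinguishes the two IDs. Typos in the added rows: "Cumuls Linux" (2823307) and "auto-negotation" (3135952).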
| The vtysh show version command shows an incorrect version number; for example, instead of Cumulus Linux 5.4, the command output shows Cumulus Linux 5.3. | 5.4.0 | | -| [3437980](#3437980)
| If the number of bonds and its bond members exceeds the total number of physical ports on the switch
 and LACP bypass is enabled, switchd might crash when frequent link flaps occur or switchd restarts. To work around this issue, disable LACP bypass. | 5.4.0 | | -| [3434791](#3434791)
| Changing the ebgp-multihop setting for a BGP peer always resets the peer, even if the configured TTL value matches the existing TTL value of the peer. | 5.3.1-5.4.0 | | -| [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | | -| [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | | -| [3418103](#3418103)
| On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. | 5.4.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | | -| [3410303](#3410303)
| The NVUE command to set the frequency of LLDP updates nv set service lldp tx-interval and the NVUE command to set the amount of time to hold the information before discarding it nv set service lldp tx-hold-multiplier do not provide reasonable maximum and minimum values. Cumulus Linux 5.5.0 and later provides new values. For the nv set service lldp tx-interval command, you can now set a minimum value of 5 and a maximum value of 32768. For the nv set service lldp tx-hold command, you can set a minimum value of 1 and a maximum value of 8192. | 5.4.0 | | -| [3409223](#3409223)
| NGNIX might be listening on port 80 through its default configuration in /etc/nginx/sites-enabled/default. To work around this issue, run the following commands:
 cumulus@switch:~$ sudo rm -f /etc/nginx/sites-enabled/defaultcumulus@switch:~$ systemctl is-active nginx && sudo invoke-rc.d nginx restart
| 5.4.0 | | -| [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | | -| [3397649](#3397649)
| When an ECMP route is present in a non-default VRF, resilient hashing does not work as expected and flows might get remapped to a new next hop when the set of nexthops changes. | 5.4.0 | | -| [3395247](#3395247)
| The NVUE nv show system forwarding profile-option command reports an incorrect Max ipv4 mcast routes value. To work around this issue, validate values with cl-resource-query. | 5.4.0 | | -| [3393866](#3393866)
| On a VX, NVUE commands with an argument parameter that can be multiple types (such as IPv4 and IPv6) do not provide auto complete or additional options when you use a question mark. | 5.4.0 | | -| [3393306](#3393306)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | | -| [3390758](#3390758)
| The neighmgrd service does not enable the snooper unless ARP suppression is enabled on at least one VXLAN interface. This can result in missing ARP and NDP entries if the host does not directly interact with the switch. | 5.3.1-5.4.0 | | -| [3389198](#3389198)
| The NVUE nv unset command does not completely remove IPv6 DNS server configuration
| 5.3.1-5.4.0 | | -| [3388201](#3388201)
| Cumulus Linux does not let you add an interface to the bond interface when the bridge-allow-untagged no option is present. | 5.4.0 | | -| [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | | -| [3379873](#3379873)
| apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. | 5.2.0-5.4.0 | | -| [3378838](#3378838)
| When configuring PTP, NVUE does not use the PTP priority2 setting but uses the priority1 setting instead. | 5.4.0 | | -| [3375047](#3375047)
| If you run the NVUE nv set service snmp-server readonly-community command to set an SNMP V2 trap community string that includes fewer than eight characters, the configuration fails. The SNMP V2 trap community string must include eight or more characters. | 5.4.0 | | -| [3361904](#3361904)
| The NVUE PTP shaping commands are available in the NVUE command list; however, these commands are disabled and do not configure PTP shaping. PTP shaping is not supported in Cumulus Linux 5.4. | 5.4.0 | | -| [3351941](#3351941)
| Cumulus Linux 5.4 package upgrade (apt-upgrade) does not support warm restart to complete the upgrade; performing an unsupported upgrade can result in unexpected or undesirable behavior, such as a traffic outage. | 5.4.0 | | -| [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | | -| [3350061](#3350061)
| If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the nv config apply command. To work around the issue, restart the nvued service with the sudo systemctl restart nvued.service command, then apply the configuration again. | 5.4.0 | | -| [3349533](#3349533)
| On the Spectrum-2 and Spectrum-3 switch with ports operating at 1G speed, there is loss of frames that have an odd or random frame size. In the frame size range of 75 to 1000 bytes, there is frame loss of less than approximately one percent for all odd or random frame sizes in the range. In the frame size range greater than 1000 bytes, there is no loss observed. | 5.4.0 | | -| [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | | -| [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | | -| [3339278](#3339278)
| When you use the NVUE REST API with a TACACS+ user account, you see authentication failures. To work around this issue, replace the /etc/pam.d/nvueapi file with the following content:
@include common-auth@include common-account@include common-session-noninteractive
After you replace the content, run these two commands:
cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map
cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map
| 5.4.0 | | -| [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | | -| [3293560](#3293560)
| If you run NVUE commands to break out a port into four interfaces, NVUE disables the subsequent port automatically. However, if you run NVUE commands to break out a port into eight interfaces, NVUE does not disable the subsequent port automatically; you have to run the NVUE command to disable the subsequent port. | 5.4.0 | | -| [3234814](#3234814)
| With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID. 
| 5.3.0-5.4.0 | | -| [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | | -| [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | | -| [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | | -| [3055283](#3055283)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | | -| [3045310](#3045310)
| If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. | 5.1.0-5.4.0 | | -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | | - +| [3572580](#3572580)
| You cannot set a VLAN match and a MAC protocol IPv4 match in a MAC type ACL rule. To apply ACLs with a VLAN match and layer 3 header matches ( IPV4/IPV6), you need to use type ipv4 or ipv6 ACLs with the VLAN match specified. | 5.5.1 | | +| [3572566](#3572566)
| The NVUE nv action commands are missing from nv list-commands output. | 5.5.1 | | +| [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.5.1 | | +| [3549138](#3549138)
| In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | | +| [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | | +| [3541518](#3541518)
| When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 5.5.0-5.5.1 | | +| [3538497](#3538497)
| In an EVPN symmetric routing configuration, after rebooting a switch that uses VLAN 1 for a layer 3 VNI, traffic forwarding for VLAN 1 fails. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.5.0-5.5.1 | | +| [3528359](#3528359)
| A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. | 5.5.0-5.5.1 | | +| [3526004](#3526004)
| For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. | 5.5.0-5.5.1 | | +| [3520511](#3520511)
| If you apply EVPN multihoming configuration such as es-df-pref, es-id and es-sys-mac with vtysh after you remove a bond interface that is part of a bridge and run ifreload -a, FRR crashes. To work around this issue, do not remove a bond from a bridge before you configure EVPN multihoming with vtysh. | 5.5.1 | | +| [3517376](#3517376)
| When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or --cable --ddm flags. | 5.5.0-5.5.1 | | +| [3509445](#3509445)
| If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | | +| [3498939](#3498939)
| In an EVPN environment, VM migration (IP and MAC address migration) might not work because the new local VTEP to which the VM migrates does not install the entry in the kenel. To work around this issue, restart the switchd service. | 5.4.0-5.5.1 | | +| [3496931](#3496931)
| When you update a prefix list associated with an RP, the pimd service might crash if the prefix list exists without any prefixes. To work around this issue, ensure that any prefix list associated with an RP includes at least one prefix at all times. | 5.3.1-5.5.1 | | +| [3496889](#3496889)
| When PTP is not enabled on the switch, NVUE nv show ptp commands freeze. This might cause other NVUE commands to fail and the NVUE service to restart. | 5.3.1-5.5.1 | | +| [3495630](#3495630)
| The NVUE nv show service ptp current command output shows an incorrect value. To work around this issue, run the nv show service ptp monitor timestamp-log command or the Linux pmc utility. | 5.3.1-5.5.1 | | +| [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | | +| [3486102](#3486102)
| SNMP and TACACS secrets are shown in cleartext. | 5.5.0-5.5.1 | | +| [3482006](#3482006)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | | +| [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | | +| [3474427](#3474427)
| On rare occasions, LLDP and other CPU originated IP packets that egress a port might get replicated in the data plane and forwarded out of another port as well. The peer node might discard the unicast packets on the wrong port because of the destination MAC address; however, there might be problems with multicast packets, such as LLDP, which uses a multicast MAC address as the destination MAC address. To work around this issue, reboot the switch. | | | +| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | | +| [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | | +| [3471052](#3471052)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | 5.4.0-5.5.1 | | +| [3470941](#3470941)
None | On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.0 | | +| [3467890](#3467890)
| BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don't learn the route from another protocol (use route maps instead). | 5.3.0-5.5.1 | | +| [3466703](#3466703)
| In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a "NetlinkThread: Netlink overflow" log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. | 5.2.0-5.5.1 | | +| [3459696](#3459696)
| If you run the NVUE nv show vrf router bgp peer-group command when the BGP instance is not enabled, you see an NVUE traceback error. | 5.4.0-5.5.1 | | +| [3459460](#3459460)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | | | +| [3455078](#3455078)
| When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:
ERR bridge destroy for vlan  bridge_id  vfid  failed: Resource is in use
The errors are temporary and have no impact on functionality or traffic. | 5.5.0-5.5.1 | | +| [3452763](#3452763)
| When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:
cumulus@switch:~$ sudo touch /run/tacacs_client_mapcumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_mapcumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map
| 5.5.0-5.5.1 | | +| [3448984](#3448984)
| If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):
audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory)
audispd: Skipping audisp-tacplus.conf plugin due to errors
These messages do not affect the functionality of the switch. | 5.5.0-5.5.1 | | +| [3447762](#3447762)
| If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. | 5.4.0-5.5.1 | | +| [3444668](#3444668)
| If the SDK becomes stuck and not able to process API calls, the systemd watchdog stops switchd and Cumulus Linux generates a cl-support file. switchd restarts after the watchdog timeout and then runs without issues
| | | +| [3436595](#3436595)
| When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the --no_metadata option with the export command:
cumulus@switch:~$ what-just-happened poll --export --no_metadata
| 5.4.0-5.5.1 | | +| [3436305](#3436305)
| Auto-negotiation and link-training is not supported at 25G between the NVIDIA SN5600 switch and non-NVIDIA devices. | | | +| [3436296](#3436296)
| On the NVIDIA SN5600 switch, the 8x port breakout is not supported with the MCP4Y10-N00A cable
| | | +| [3436291](#3436291)
| The NVIDIA SN5600 switch does not support connecting to a Spectrum-2 or Spectrum-3 switch with an MCP7Y70-H001 4X breakout cable. | | | +| [3436287](#3436287)
| The NVIDIA SN5600 switch does not support connecting to a Spectrum-1 switch using a 2x breakout with the MCP7Y60-H001 copper cable at 25G. | | | +| [3436229](#3436229)
| On the NVIDIA SN5600 switch, when you connect a Service port to non-NVIDIA devices, auto-negotiation is not supported for 25G links. | | | +| [3436215](#3436215)
| On the NVIDIA SN5600 switch, the thermal control service crashes when you remove a fan tray. | | | +| [3433944](#3433944)
| The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. | 5.4.0-5.5.1 | | +| [3419940](#3419940)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | | +| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | | +| [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | | +| [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | | +| [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | | +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.5.1 | | +| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | | +| [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | | +| [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | | +| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | | From 1ef6b4a70bdfa9e6a2b83012d3ede006f8e39ad8 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Sep 2023 12:24:55 -0700 Subject: [PATCH 007/204] updated rn for ania-stage --- content/cumulus-linux-56/Whats-New/rn.md | 222 ++++++++++++----------- 1 file changed, 118 insertions(+), 104 deletions(-) diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index 32017cb9ec..7d3e692201 100644 --- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -8,116 +8,130 @@ toc: 1 type: rn pdfhidden: True --- -{{}} +{{}} ## 5.6.0 Release Notes ### Open Issues in 5.6.0 | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3466703](#3466703)
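Review bot: The row for 3486102, in the table rows added by the patch that ends just before the PATCH 007/204 header, says only "SNMP and TACACS secrets are shown in cleartext." It does not name where they are exposed (which command output, file or API response) and gives no workaround, so an operator cannot tell what to restrict or which secrets to rotate. Please name the surface and add mitigation guidance if one exists. In the same table, 3471052 and 3459460 carry an identical description, and 3459460 has an empty Affects column, as do 3474427, 3444668 and the SN5600 rows 3436305 through 3436215. Either fill in the affected versions or confirm the blanks are intended. Typos to fix while here: "kenel" in 3498939, "hostnamctl" (twice) in 3172682, and the unbalanced quote in "vtysh -c ‘show bgp all json" in 3472865.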
| In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a "NetlinkThread: Netlink overflow" log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. | 5.2.0-5.5.0 | | -| [3459696](#3459696)
| If you run the NVUE nv show vrf router bgp peer-group command when the BGP instance is not enabled, you see an NVUE traceback error. | 5.4.0-5.5.0 | | -| [3455078](#3455078)
| When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:
ERR bridge destroy for vlan  bridge_id  vfid  failed: Resource is in use
The errors are temporary and have no impact on functionality or traffic. | 5.5.0 | | -| [3452763](#3452763)
| When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:
cumulus@switch:~$ sudo touch /run/tacacs_client_mapcumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_mapcumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map
| 5.5.0 | | -| [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
system:
config:
snippet:
frr.conf: \|
bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0 | | -| [3452688](#3452688)
| When you use NVUE to configure a named extended community list with a route target, Cumulus Linux defines it as expanded instead of standard. As a result, routes do not match the expected community list. | 5.5.0 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see the following error:
cumulus@switch:~$ nv show system aaa tacacs authorization 1Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND
| 5.5.0 | | -| [3448984](#3448984)
| If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):
audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory)
audispd: Skipping audisp-tacplus.conf plugin due to errors
These messages do not affect the functionality of the switch. | 5.5.0 | | -| [3447762](#3447762)
| If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. | 5.4.0-5.5.0 | | -| [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.5.0 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0 | | -| [3436595](#3436595)
| When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the --no_metadata option with the export command:
cumulus@switch:~$ what-just-happened poll --export --no_metadata
| 5.4.0-5.5.0 | | -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.5.0 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.0 | | -| [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0 | | -| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.5.0 | | -| [3368217](#3368217)
None | When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.5.0 | | -| [3362113](#3362113)
| If you restore an NVUE startup.yaml file after upgrade that includes breakout ports with QoS configuration or you run the nv config patch command to update a configuration with a yaml file that includes breakout ports with QoS configuration, the NVUE configuration fails to apply and subsequent attempts to run nv config apply fail with the following message:
cumulus@switch:~$ nv config applyInvalid config [rev_id: 11]
qos config is not supported on following invalid interface: swp1s0. Supported on swp and bond interface types
To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.5.0 | | -| [3350027](#3350027)
| If you uninstall dynamic NAT rules and switchd restarts before all the dynamic NAT flows age out and are deleted, you might see dynamic flow deletion errors in switchd.log. These errors do not affect new dynamic NAT flows from new NAT rules. | 5.4.0-5.5.0 | | -| [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.5.0 | | -| [3345054](#3345054)
| The NVUE nv show interface qos command takes a significant time to show output or times out. To work around this issue, use specific QoS commands. For example, to show congestion control information, run the nv show interface qos congestion-control command. | 5.4.0-5.5.0 | | -| [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.5.0 | | -| [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.0 | | -| [3331929](#3331929)
| In a fairly high scale BGP EVPN route environment, running the NVUE nv show vrf router bgp address-family l2vpn-evpn loc-rib command to obtain data leads to high resource usage. In some cases, there is an out of memory error, which leads to multiple daemon crashes. | 5.4.0-5.5.0 | | -| [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.5.0 | | -| [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.5.0 | | -| [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.5.0 | | -| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.5.0 | | -| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.5.0 | | -| [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.5.0 | | -| [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch, you might see the error message Failed to start Hostname Service when you run the nv config apply command after setting the hostname with nv set system hostname. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.5.0 | | -| [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.5.0 | | -| [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.5.0 | | -| [3221628](#3221628)
| Cumulus Linux 5.2.0 and 5.2.1 VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.5.0 | | -| [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.0 | | -| [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.5.0 | | -| [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.5.0 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.5.0 | | -| [3145224](#3145224)
| If you disable the NVUE service, the /etc/cumulus/datapath/nvue_traffic.conf file does not delete automatically, which prevents ECMP and LAG hash settings in the /etc/cumulus/datapath/traffic.conf file from taking effect. To work around this issue, delete the nvue_traffic.conf file with the sudo rm /etc/cumulus/datapath/nvue_traffic.conf command. | 5.2.0-5.5.0 | | -| [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.5.0 | | -| [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.5.0 | | -| [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.5.0 | | -| [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.5.0 | | -| [3084476](#3084476)
| QOS traffic shaping doesn’t restore the default configuration after you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.5.0 | 4.4.4-4.4.5| -| [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.5.0 | | -| [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.5.0 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.0 | | -| [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.5.0 | | -| [3053094](#3053094)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.5.0 | | -| [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.5.0 | | -| [2964279](#2964279)
| When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.5.0 | 3.7.16| -| [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.5.0 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.5.0 | | -| [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.5.0 | 4.4.2-4.4.5| -| [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.5.0 | 4.4.2-4.4.5| -| [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.5.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.5.0 | | -| [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.5.0 | | -| [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.5.0 | | -| [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.5.0 | | -| [2705056](#2705056)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0, 5.0.0-5.5.0 | 4.3.1-4.4.5| -| [2701000](#2701000)
| A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF. To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command. | 4.3.0, 5.0.0-5.5.0 | 4.3.1-4.4.5| -| [2684925](#2684925)
| The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.5.0 | | -| [2543915](#2543915)
CM-26301 | systemctl issues a warning similar to the following when you enable a service in the management VRF:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
| 4.0.0-4.4.5, 5.0.0-5.5.0 | | +| [3576961](#3576961)
| The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 | | +| [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | +| [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | +| [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | | +| [3565254](#3565254)
| Spectrum-4 switches do not support adaptive routing on 800Gbps links. Spectrum-3 switches do not support adaptive routing on 400Gbps links. | 5.6.0 | | +| [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.6.0 | | +| [3549798](#3549798)
| If you add a VRF, then SSH into that VRF, which is a generated service (for example, sshd@vrfname.service), the service fails as the VRF is not created in time. To work around this issue, configure the VRF first, apply the configuration, then enable the SSH service on the VRF. | 5.6.0 | | +| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the Slave state and one of the ports might remain in an Uncalibrated state. To work around this issue, toggle the port that is in the Uncalibrated state up and down to recover the PTP state so that one of the ports is selected as the Slave. | 5.6.0 | | +| [3534718](#3534718)
| The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
summary-only or vtysh router bgp aggregate-address
summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | | +| [3517739](#3517739)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | | +| [3463827](#3463827)
| In an EVPN configuration with PIM-SM for BUM handling, the host behind the DUT does not receive the expected number of BUM packets. Cumulus Linux 5.6 only supports Head-End Replication (HREP) for handling BUM traffic in an EVPN configuration. BUM handling using a PIM-SM Multicast tree is not supported. | 5.6.0 | | +| [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
system:
config:
snippet:
frr.conf: \|
bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | | +| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see the following error:
cumulus@switch:~$ nv show system aaa tacacs authorization 1Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND
| 5.5.0-5.6.0 | | +| [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | | +| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.6.0 | | +| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | +| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | +| [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | | +| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.6.0 | | +| [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | +| [3362113](#3362113)
| If you restore an NVUE startup.yaml file after upgrade that includes breakout ports with QoS configuration or you run the nv config patch command to update a configuration with a yaml file that includes breakout ports with QoS configuration, the NVUE configuration fails to apply and subsequent attempts to run nv config apply fail with the following message:
cumulus@switch:~$ nv config applyInvalid config [rev_id: 11]
qos config is not supported on following invalid interface: swp1s0. Supported on swp and bond interface types
To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.6.0 | | +| [3350027](#3350027)
| If you uninstall dynamic NAT rules and switchd restarts before all the dynamic NAT flows age out and are deleted, you might see dynamic flow deletion errors in switchd.log. These errors do not affect new dynamic NAT flows from new NAT rules. | 5.4.0-5.6.0 | | +| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | | +| [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.6.0 | | +| [3345054](#3345054)
| The NVUE nv show interface qos command takes a significant time to show output or times out. To work around this issue, use specific QoS commands. For example, to show congestion control information, run the nv show interface qos congestion-control command. | 5.4.0-5.6.0 | | +| [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | +| [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | +| [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | +| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | +| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.6.0 | | +| [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | +| [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch, you might see the error message Failed to start Hostname Service when you run the nv config apply command after setting the hostname with nv set system hostname. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.6.0 | | +| [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.6.0 | | +| [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.6.0 | | +| [3221628](#3221628)
| Cumulus Linux 5.2.0 and 5.2.1 VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | | +| [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.6.0 | | +| [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.6.0 | | +| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.6.0 | | +| [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | +| [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | +| [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | +| [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | +| [3084476](#3084476)
| The default QOS traffic shaping configuration does not restore after you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.6.0 | 4.4.4-4.4.5| +| [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.6.0 | | +| [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.6.0 | | +| [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.6.0 | | +| [3053094](#3053094)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.6.0 | | +| [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.6.0 | | +| [2964279](#2964279)
| When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.6.0 | 3.7.16| +| [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.6.0 | | +| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | +| [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| +| [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| +| [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | +| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | +| [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | +| [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | +| [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | +| [2705056](#2705056)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0, 5.0.0-5.6.0 | 4.3.1-4.4.5| +| [2701000](#2701000)
| A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF. To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command. | 4.3.0, 5.0.0-5.6.0 | 4.3.1-4.4.5| +| [2684925](#2684925)
| The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | +| [2671652](#2671652)
| In VXLAN routing environments, you might experience sub-optimal route convergence delays (greater than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.6.0 | | +| [2543915](#2543915)
CM-26301 | When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | ### Fixed Issues in 5.6.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [3446455](#3446455)
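Review bot: In the Known Issues rows added above, the entry for 3341214 says that a local user configured through the NVUE REST API with a hashed password cannot log in and that /etc/nvue.d/startup.yaml then shows the password as plain text, but unlike most neighbouring rows it gives no workaround. Either add the supported way to set the password or state that none exists, so readers know whether the file needs attention after they hit this. Two pairs of added rows also carry word-for-word identical descriptions under different IDs (3122301 and 3103821 for the SN4700 PSU frame loss, 3061656 and 3053094 for bonds during a warm boot); merge each pair or say how the issues differ. The added rows still contain the typos "Cumuls Linux" (2823307) and "auto-negotation" (3135952).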
| The vtysh show version command shows an incorrect version number; for example, instead of Cumulus Linux 5.4, the command output shows Cumulus Linux 5.3. | 5.4.0 | | -| [3437980](#3437980)
| If the number of bonds and its bond members exceeds the total number of physical ports on the switch
 and LACP bypass is enabled, switchd might crash when frequent link flaps occur or switchd restarts. To work around this issue, disable LACP bypass. | 5.4.0 | | -| [3434791](#3434791)
| Changing the ebgp-multihop setting for a BGP peer always resets the peer, even if the configured TTL value matches the existing TTL value of the peer. | 5.3.1-5.4.0 | | -| [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | | -| [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | | -| [3418103](#3418103)
| On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. | 5.4.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | | -| [3410303](#3410303)
| The NVUE command to set the frequency of LLDP updates nv set service lldp tx-interval and the NVUE command to set the amount of time to hold the information before discarding it nv set service lldp tx-hold-multiplier do not provide reasonable maximum and minimum values. Cumulus Linux 5.5.0 and later provides new values. For the nv set service lldp tx-interval command, you can now set a minimum value of 5 and a maximum value of 32768. For the nv set service lldp tx-hold command, you can set a minimum value of 1 and a maximum value of 8192. | 5.4.0 | | -| [3409223](#3409223)
| NGNIX might be listening on port 80 through its default configuration in /etc/nginx/sites-enabled/default. To work around this issue, run the following commands:
 cumulus@switch:~$ sudo rm -f /etc/nginx/sites-enabled/defaultcumulus@switch:~$ systemctl is-active nginx && sudo invoke-rc.d nginx restart
| 5.4.0 | | -| [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | | -| [3397649](#3397649)
| When an ECMP route is present in a non-default VRF, resilient hashing does not work as expected and flows might get remapped to a new next hop when the set of nexthops changes. | 5.4.0 | | -| [3395247](#3395247)
| The NVUE nv show system forwarding profile-option command reports an incorrect Max ipv4 mcast routes value. To work around this issue, validate values with cl-resource-query. | 5.4.0 | | -| [3393866](#3393866)
| On a VX, NVUE commands with an argument parameter that can be multiple types (such as IPv4 and IPv6) do not provide auto complete or additional options when you use a question mark. | 5.4.0 | | -| [3393306](#3393306)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | | -| [3390758](#3390758)
| The neighmgrd service does not enable the snooper unless ARP suppression is enabled on at least one VXLAN interface. This can result in missing ARP and NDP entries if the host does not directly interact with the switch. | 5.3.1-5.4.0 | | -| [3389198](#3389198)
| The NVUE nv unset command does not completely remove IPv6 DNS server configuration
| 5.3.1-5.4.0 | | -| [3388201](#3388201)
| Cumulus Linux does not let you add an interface to the bond interface when the bridge-allow-untagged no option is present. | 5.4.0 | | -| [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | | -| [3379873](#3379873)
| apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. | 5.2.0-5.4.0 | | -| [3378838](#3378838)
| When configuring PTP, NVUE does not use the PTP priority2 setting but uses the priority1 setting instead. | 5.4.0 | | -| [3375047](#3375047)
| If you run the NVUE nv set service snmp-server readonly-community command to set an SNMP V2 trap community string that includes fewer than eight characters, the configuration fails. The SNMP V2 trap community string must include eight or more characters. | 5.4.0 | | -| [3361904](#3361904)
| The NVUE PTP shaping commands are available in the NVUE command list; however, these commands are disabled and do not configure PTP shaping. PTP shaping is not supported in Cumulus Linux 5.4. | 5.4.0 | | -| [3351941](#3351941)
| Cumulus Linux 5.4 package upgrade (apt-upgrade) does not support warm restart to complete the upgrade; performing an unsupported upgrade can result in unexpected or undesirable behavior, such as a traffic outage. | 5.4.0 | | -| [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | | -| [3350061](#3350061)
| If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the nv config apply command. To work around the issue, restart the nvued service with the sudo systemctl restart nvued.service command, then apply the configuration again. | 5.4.0 | | -| [3349533](#3349533)
| On the Spectrum-2 and Spectrum-3 switch with ports operating at 1G speed, there is loss of frames that have an odd or random frame size. In the frame size range of 75 to 1000 bytes, there is frame loss of less than approximately one percent for all odd or random frame sizes in the range. In the frame size range greater than 1000 bytes, there is no loss observed. | 5.4.0 | | -| [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | | -| [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | | -| [3339278](#3339278)
| When you use the NVUE REST API with a TACACS+ user account, you see authentication failures. To work around this issue, replace the /etc/pam.d/nvueapi file with the following content:
@include common-auth@include common-account@include common-session-noninteractive
After you replace the content, run these two commands:
cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map
cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map
| 5.4.0 | | -| [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | | -| [3293560](#3293560)
| If you run NVUE commands to break out a port into four interfaces, NVUE disables the subsequent port automatically. However, if you run NVUE commands to break out a port into eight interfaces, NVUE does not disable the subsequent port automatically; you have to run the NVUE command to disable the subsequent port. | 5.4.0 | | -| [3234814](#3234814)
| With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID. 
| 5.3.0-5.4.0 | | -| [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | | -| [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | | -| [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | | -| [3055283](#3055283)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | | -| [3045310](#3045310)
| If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. | 5.1.0-5.4.0 | | -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | | - +| [3572580](#3572580)
| You cannot set a VLAN match and a MAC protocol IPv4 match in a MAC type ACL rule. To apply ACLs with a VLAN match and layer 3 header matches ( IPV4/IPV6), you need to use type ipv4 or ipv6 ACLs with the VLAN match specified. | 5.5.1 | | +| [3572566](#3572566)
| The NVUE nv action commands are missing from nv list-commands output. | 5.5.1 | | +| [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.5.1 | | +| [3549138](#3549138)
| In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | | +| [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | | +| [3541518](#3541518)
| When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 5.5.0-5.5.1 | | +| [3538497](#3538497)
| In an EVPN symmetric routing configuration, after rebooting a switch that uses VLAN 1 for a layer 3 VNI, traffic forwarding for VLAN 1 fails. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.5.0-5.5.1 | | +| [3528359](#3528359)
| A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. | 5.5.0-5.5.1 | | +| [3526004](#3526004)
| For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. | 5.5.0-5.5.1 | | +| [3520511](#3520511)
| If you apply EVPN multihoming configuration such as es-df-pref, es-id and es-sys-mac with vtysh after you remove a bond interface that is part of a bridge and run ifreload -a, FRR crashes. To work around this issue, do not remove a bond from a bridge before you configure EVPN multihoming with vtysh. | 5.5.1 | | +| [3517376](#3517376)
| When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or --cable --ddm flags. | 5.5.0-5.5.1 | | +| [3509445](#3509445)
| If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | | +| [3498939](#3498939)
| In an EVPN environment, VM migration (IP and MAC address migration) might not work because the new local VTEP to which the VM migrates does not install the entry in the kenel. To work around this issue, restart the switchd service. | 5.4.0-5.5.1 | | +| [3496931](#3496931)
| When you update a prefix list associated with an RP, the pimd service might crash if the prefix list exists without any prefixes. To work around this issue, ensure that any prefix list associated with an RP includes at least one prefix at all times. | 5.3.1-5.5.1 | | +| [3496889](#3496889)
| When PTP is not enabled on the switch, NVUE nv show ptp commands freeze. This might cause other NVUE commands to fail and the NVUE service to restart. | 5.3.1-5.5.1 | | +| [3495630](#3495630)
| The NVUE nv show service ptp current command output shows an incorrect value. To work around this issue, run the nv show service ptp monitor timestamp-log command or the Linux pmc utility. | 5.3.1-5.5.1 | | +| [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | | +| [3486102](#3486102)
| SNMP and TACACS secrets are shown in cleartext. | 5.5.0-5.5.1 | | +| [3482006](#3482006)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | | +| [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | | +| [3474427](#3474427)
| On rare occasions, LLDP and other CPU originated IP packets that egress a port might get replicated in the data plane and forwarded out of another port as well. The peer node might discard the unicast packets on the wrong port because of the destination MAC address; however, there might be problems with multicast packets, such as LLDP, which uses a multicast MAC address as the destination MAC address. To work around this issue, reboot the switch. | | | +| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | | +| [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | | +| [3471052](#3471052)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | 5.4.0-5.5.1 | | +| [3470941](#3470941)
None | On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.0 | | +| [3467890](#3467890)
| BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don't learn the route from another protocol (use route maps instead). | 5.3.0-5.5.1 | | +| [3466703](#3466703)
| In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a "NetlinkThread: Netlink overflow" log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. | 5.2.0-5.5.1 | | +| [3459696](#3459696)
| If you run the NVUE nv show vrf router bgp peer-group command when the BGP instance is not enabled, you see an NVUE traceback error. | 5.4.0-5.5.1 | | +| [3459460](#3459460)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | | | +| [3455078](#3455078)
| When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:
ERR bridge destroy for vlan  bridge_id  vfid  failed: Resource is in use
The errors are temporary and have no impact on functionality or traffic. | 5.5.0-5.5.1 | | +| [3452763](#3452763)
| When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:
cumulus@switch:~$ sudo touch /run/tacacs_client_mapcumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_mapcumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map
| 5.5.0-5.5.1 | | +| [3448984](#3448984)
| If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):
audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory)
audispd: Skipping audisp-tacplus.conf plugin due to errors
These messages do not affect the functionality of the switch. | 5.5.0-5.5.1 | | +| [3447762](#3447762)
| If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. | 5.4.0-5.5.1 | | +| [3444668](#3444668)
| If the SDK becomes stuck and not able to process API calls, the systemd watchdog stops switchd and Cumulus Linux generates a cl-support file. switchd restarts after the watchdog timeout and then runs without issues
| | | +| [3436595](#3436595)
| When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the --no_metadata option with the export command:
cumulus@switch:~$ what-just-happened poll --export --no_metadata
| 5.4.0-5.5.1 | | +| [3436305](#3436305)
| Auto-negotiation and link-training is not supported at 25G between the NVIDIA SN5600 switch and non-NVIDIA devices. | | | +| [3436296](#3436296)
| On the NVIDIA SN5600 switch, the 8x port breakout is not supported with the MCP4Y10-N00A cable
| | | +| [3436291](#3436291)
| The NVIDIA SN5600 switch does not support connecting to a Spectrum-2 or Spectrum-3 switch with an MCP7Y70-H001 4X breakout cable. | | | +| [3436287](#3436287)
| The NVIDIA SN5600 switch does not support connecting to a Spectrum-1 switch using a 2x breakout with the MCP7Y60-H001 copper cable at 25G. | | | +| [3436229](#3436229)
| On the NVIDIA SN5600 switch, when you connect a Service port to non-NVIDIA devices, auto-negotiation is not supported for 25G links. | | | +| [3436215](#3436215)
| On the NVIDIA SN5600 switch, the thermal control service crashes when you remove a fan tray. | | | +| [3433944](#3433944)
| The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. | 5.4.0-5.5.1 | | +| [3419940](#3419940)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | | +| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | | +| [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | | +| [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | | +| [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | | +| [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | | +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.5.1 | | +| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | | +| [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | | +| [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | | +| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | | From 9202243dc96b036615a38efd3efdcc9b4dc3d08d Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 16 Oct 2023 10:16:11 +0100 Subject: [PATCH 008/204] remove changes the local IP address of the VXLAN --- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- .../Network-Virtualization/VXLAN-Active-Active-Mode.md | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/content/cumulus-linux-43/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-43/Network-Virtualization/VXLAN-Active-Active-Mode.md index fe201d932f..0035c0edc2 100644 --- a/content/cumulus-linux-43/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-43/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -48,7 +48,7 @@ For the anycast address to activate, you must configure a VXLAN interface on eac |
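Review bot: the 3486102 row of the release-notes table that ends just before the PATCH 008/204 header says only "SNMP and TACACS secrets are shown in cleartext", without naming the command output or file where they appear and without a workaround. A reader on 5.5.0-5.5.1 cannot judge the exposure, so state where the secrets are visible, as the neighbouring rows do for their symptoms. In the same table, rows 3471052 and 3459460 carry identical text (the second with no affected-version range), rows 3482006 and 3470941 begin with a stray "None", and there are typos to fix: "kenel" (3498939), "hostnamctl" (3172682) and "an outbound policy that add" (the MLAG EVPN row).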
Scenario | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO\_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO\_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` is stopped. | All VXLAN interfaces are put in a PROTO\_DOWN state. The anycast IP address is removed from the loopback interface and the local IP addresses of the VXLAN interfaces are changed from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering could not be established between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-44/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-44/Network-Virtualization/VXLAN-Active-Active-Mode.md index 308743b6ea..fb6d6fb40f 100644 --- a/content/cumulus-linux-44/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-44/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -41,7 +41,7 @@ For the anycast address to activate, you must configure a VXLAN interface on eac |
Scenario | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-50/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-50/Network-Virtualization/VXLAN-Active-Active-Mode.md index ed408c5159..734634d1ea 100644 --- a/content/cumulus-linux-50/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-50/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -102,7 +102,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-51/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-51/Network-Virtualization/VXLAN-Active-Active-Mode.md index a8e5351b61..a512be1798 100644 --- a/content/cumulus-linux-51/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-51/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -103,7 +103,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-52/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-52/Network-Virtualization/VXLAN-Active-Active-Mode.md index f4c7154fe1..86b07b96f8 100644 --- a/content/cumulus-linux-52/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-52/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -103,7 +103,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-53/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-53/Network-Virtualization/VXLAN-Active-Active-Mode.md index 2c86d6a02d..ff4c3fbbfd 100644 --- a/content/cumulus-linux-53/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-53/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -103,7 +103,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-54/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-54/Network-Virtualization/VXLAN-Active-Active-Mode.md index fa207a4449..7c55288c94 100644 --- a/content/cumulus-linux-54/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-54/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -103,7 +103,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-55/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-55/Network-Virtualization/VXLAN-Active-Active-Mode.md index 9eb76b8189..7e28e14dd8 100644 --- a/content/cumulus-linux-55/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-55/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -107,7 +107,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-56/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-56/Network-Virtualization/VXLAN-Active-Active-Mode.md index a55dadc238..ee59b4dd45 100644 --- a/content/cumulus-linux-56/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-56/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -107,7 +107,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | diff --git a/content/cumulus-linux-57/Network-Virtualization/VXLAN-Active-Active-Mode.md b/content/cumulus-linux-57/Network-Virtualization/VXLAN-Active-Active-Mode.md index a55dadc238..ee59b4dd45 100644 --- a/content/cumulus-linux-57/Network-Virtualization/VXLAN-Active-Active-Mode.md +++ b/content/cumulus-linux-57/Network-Virtualization/VXLAN-Active-Active-Mode.md @@ -107,7 +107,7 @@ This section describes VXLAN active-active failure conditions and provides troub |
Failure Condition | Behavior | | --------------------------------- | ---------| -| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface and changes the local IP address of the VXLAN interface to the configured unique IP address. | +| The peer link goes down. | The primary MLAG switch continues to keep all VXLAN interfaces up with the anycast IP address while the secondary switch brings down all VXLAN interfaces and places them in a PROTO_DOWN state. The secondary MLAG switch removes the anycast IP address from the loopback interface. | | One of the switches goes down. | The other operational switch continues to use the anycast IP address. | | `clagd` stops. | All VXLAN interfaces go in a PROTO_DOWN state. The switch removes the anycast IP address from the loopback interface and the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses. | | MLAG peering does not establish between the switches. | `clagd` brings up all the VXLAN interfaces after the reload timer expires with the configured anycast IP address. This allows the VXLAN interface to be up and running on both switches even though peering is not established. | From 35aba95b769f6a5371e19e1a5f83bc6a4d5d2ea7 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 16 Oct 2023 10:18:53 +0100 Subject: [PATCH 009/204] Revert "Merge branch 'ania-stage' into 3347677-mlag-fix" This reverts commit 5a838edb36b8c5a9f67fa1bb0b7c49d98b7cc109, reversing changes made to 9202243dc96b036615a38efd3efdcc9b4dc3d08d. --- content/cumulus-linux-56/Whats-New/rn.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index 34640ad105..ee76d87b6e 100644 
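Review bot: the `clagd` stops row, left as unchanged context in all ten VXLAN-Active-Active-Mode.md hunks of PATCH 008/204, still says the local IP addresses of the VXLAN interfaces change from the anycast IP address to unique non-virtual IP addresses, while the edited "peer link goes down" row no longer makes that claim for the secondary switch. Confirm that the two cases really differ; if they do not, the `clagd` row needs the same edit in every file. The subject line "remove changes the local IP address of the VXLAN" does not say what was wrong with the removed sentence, and because the same sentence is dropped from cumulus-linux-43 through cumulus-linux-57, the message should state that the correction applies to all of those releases.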
--- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -141,3 +141,4 @@ pdfhidden: True | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | | | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | | | [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | | + From 4d8e40b0423b5d6a4dbf71941ec9154b78e30f04 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 18 Oct 2023 12:59:20 +0100 Subject: [PATCH 010/204] curl and python --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index 1a4400fdec..ec250cf010 100644 --- a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -126,6 +126,67 @@ This section shows how to: - Set the NVUE REST API port. If you do not set a port, Cumulus Linux uses the default port 8765. - Specify the NVUE REST API listening address; you can specify an IPv4 address, IPv6 address, or `localhost`. If you do not specify a listening address, NGINX listens on all addresses for the target port. +{{< tabs "TabID129 ">}} +{{< tab "Curl Command ">}} + +The following example uses NVUE REST API port 8888 and listening address localhost: + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/... +... +``` + +You can listen on multiple interfaces by specifying different listening addresses. + +If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/... +... +``` + +{{< /tab >}} +{{< tab "Python Code ">}} + +The following example uses NVUE REST API port 8888 and listening address localhost: + +``` +#!/usr/bin/env python3 + +import requests +from requests.auth import HTTPBasicAuth +import json +import time + +auth = HTTPBasicAuth(username="cumulus", password="password") +nvue_end_point = "https://localhost:8888/nvue_v1" +mime_header = {"Content-Type": "application/json"} +... +``` + +You can listen on multiple interfaces by specifying different listening addresses. + +If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. 
The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: + +``` +#!/usr/bin/env python3 + +import requests +from requests.auth import HTTPBasicAuth +import json +import time + +auth = HTTPBasicAuth(username="cumulus", password="password") +nvue_end_point = "https://172.0.24.0:8765/nvue_v1" +mime_header = {"Content-Type": "application/json"} +... +``` + +{{}} +{{< tab "NVUE CLI ">}} + +The following example sets the NVUE REST API port to 8888 and the listening address to localhost: + ``` cumulus@switch:~$ nv set system api port 8888 cumulus@switch:~$ nv set system api listening-address localhost @@ -158,6 +219,9 @@ cumulus@switch:~$ nv set system api listening-address 172.0.24.0 cumulus@switch:~$ nv config apply ``` +{{< /tab >}} +{{< /tabs >}} + ### Show NVUE REST API Information To show REST API port configuration, state (enabled or disabled), and connection information, run the `nv show system api` command: From ae312076a1654f1050fe215c1c37108ad45eb881 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 18 Oct 2023 13:02:10 +0100 Subject: [PATCH 011/204] updates for curl and python --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 4 +- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 64 +++++++++++++++++++ 2 files changed, 66 insertions(+), 2 deletions(-) diff --git a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index ec250cf010..e819246185 100644 --- a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
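Review bot: the Curl Command and Python Code tabs added in the `@@ -126,6 +126,67 @@` hunk of NVUE-API.md (PATCH 010/204) do not describe the same request: the curl lines authenticate as `cumulus:cumulus` and pass `--insecure`, while the Python lines set `password="password"` and show no certificate-verification setting at all. Use one placeholder credential in both tabs, and add a sentence stating that `--insecure` turns off TLS certificate verification, so a reader who reuses the command against 172.0.24.0 instead of localhost knows the server identity is not being checked. Also in this hunk, the Python Code tab is closed with `{{}}` where the Curl Command tab is closed with `{{< /tab >}}`.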
@@ -132,7 +132,7 @@ This section shows how to: The following example uses NVUE REST API port 8888 and listening address localhost: ``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/... +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/ ... ``` @@ -141,7 +141,7 @@ You can listen on multiple interfaces by specifying different listening addresse If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: ``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/... +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/ ... ``` diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index 202922dcac..e7e742820f 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -126,6 +126,67 @@ This section shows how to: - Set the NVUE REST API port. If you do not set a port, Cumulus Linux uses the default port 8765. - Specify the NVUE REST API listening address; you can specify an IPv4 address, IPv6 address, or `localhost`. If you do not specify a listening address, NGINX listens on all addresses for the target port. +{{< tabs "TabID129 ">}} +{{< tab "Curl Command ">}} + +The following example uses NVUE REST API port 8888 and listening address localhost: + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/ +... +``` + +You can listen on multiple interfaces by specifying different listening addresses. + +If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/ +... +``` + +{{< /tab >}} +{{< tab "Python Code ">}} + +The following example uses NVUE REST API port 8888 and listening address localhost: + +``` +#!/usr/bin/env python3 + +import requests +from requests.auth import HTTPBasicAuth +import json +import time + +auth = HTTPBasicAuth(username="cumulus", password="password") +nvue_end_point = "https://localhost:8888/nvue_v1" +mime_header = {"Content-Type": "application/json"} +... +``` + +You can listen on multiple interfaces by specifying different listening addresses. + +If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. 
The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: + +``` +#!/usr/bin/env python3 + +import requests +from requests.auth import HTTPBasicAuth +import json +import time + +auth = HTTPBasicAuth(username="cumulus", password="password") +nvue_end_point = "https://172.0.24.0:8765/nvue_v1" +mime_header = {"Content-Type": "application/json"} +... +``` + +{{}} +{{< tab "NVUE CLI ">}} + +The following example sets the NVUE REST API port to 8888 and the listening address to localhost: + ``` cumulus@switch:~$ nv set system api port 8888 cumulus@switch:~$ nv set system api listening-address localhost @@ -158,6 +219,9 @@ cumulus@switch:~$ nv set system api listening-address 172.0.24.0 cumulus@switch:~$ nv config apply ``` +{{< /tab >}} +{{< /tabs >}} + ### Show NVUE REST API Information To show REST API port configuration, state (enabled or disabled), and connection information, run the `nv show system api` command: From 7bdd1fef7ac3b2e6cb9b077709b6d268b893ad00 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 18 Oct 2023 13:02:26 +0100 Subject: [PATCH 012/204] Revert "updates for curl and python" This reverts commit ae312076a1654f1050fe215c1c37108ad45eb881. --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 4 +- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 64 ------------------- 2 files changed, 2 insertions(+), 66 deletions(-) diff --git a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index e819246185..ec250cf010 100644 --- a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -132,7 +132,7 @@ This section shows how to: The following example uses NVUE REST API port 8888 and listening address localhost: ``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/ +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/... ... ``` @@ -141,7 +141,7 @@ You can listen on multiple interfaces by specifying different listening addresse If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: ``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/ +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/... ... ``` diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index e7e742820f..202922dcac 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -126,67 +126,6 @@ This section shows how to: - Set the NVUE REST API port. If you do not set a port, Cumulus Linux uses the default port 8765. - Specify the NVUE REST API listening address; you can specify an IPv4 address, IPv6 address, or `localhost`. If you do not specify a listening address, NGINX listens on all addresses for the target port. -{{< tabs "TabID129 ">}} -{{< tab "Curl Command ">}} - -The following example uses NVUE REST API port 8888 and listening address localhost: - -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/ -... -``` - -You can listen on multiple interfaces by specifying different listening addresses. - -If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: - -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/ -... -``` - -{{< /tab >}} -{{< tab "Python Code ">}} - -The following example uses NVUE REST API port 8888 and listening address localhost: - -``` -#!/usr/bin/env python3 - -import requests -from requests.auth import HTTPBasicAuth -import json -import time - -auth = HTTPBasicAuth(username="cumulus", password="password") -nvue_end_point = "https://localhost:8888/nvue_v1" -mime_header = {"Content-Type": "application/json"} -... -``` - -You can listen on multiple interfaces by specifying different listening addresses. - -If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. 
The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: - -``` -#!/usr/bin/env python3 - -import requests -from requests.auth import HTTPBasicAuth -import json -import time - -auth = HTTPBasicAuth(username="cumulus", password="password") -nvue_end_point = "https://172.0.24.0:8765/nvue_v1" -mime_header = {"Content-Type": "application/json"} -... -``` - -{{}} -{{< tab "NVUE CLI ">}} - -The following example sets the NVUE REST API port to 8888 and the listening address to localhost: - ``` cumulus@switch:~$ nv set system api port 8888 cumulus@switch:~$ nv set system api listening-address localhost @@ -219,9 +158,6 @@ cumulus@switch:~$ nv set system api listening-address 172.0.24.0 cumulus@switch:~$ nv config apply ``` -{{< /tab >}} -{{< /tabs >}} - ### Show NVUE REST API Information To show REST API port configuration, state (enabled or disabled), and connection information, run the `nv show system api` command: From 80aa3c78eec70fa99426f62559c5f5cb69444994 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 18 Oct 2023 13:05:23 +0100 Subject: [PATCH 013/204] updates for curl and python --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 4 +- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 64 +++++++++++++++++++ 2 files changed, 66 insertions(+), 2 deletions(-) diff --git a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index ec250cf010..e819246185 100644 --- a/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-56/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -132,7 +132,7 @@ This section shows how to: The following example uses NVUE REST API port 8888 and listening address localhost: ``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/... +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/ ... ``` @@ -141,7 +141,7 @@ You can listen on multiple interfaces by specifying different listening addresse If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: ``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/... +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/ ... ``` diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index 202922dcac..e7e742820f 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -126,6 +126,67 @@ This section shows how to: - Set the NVUE REST API port. If you do not set a port, Cumulus Linux uses the default port 8765. - Specify the NVUE REST API listening address; you can specify an IPv4 address, IPv6 address, or `localhost`. If you do not specify a listening address, NGINX listens on all addresses for the target port. +{{< tabs "TabID129 ">}} +{{< tab "Curl Command ">}} + +The following example uses NVUE REST API port 8888 and listening address localhost: + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://localhost:8888/nvue_v1/ +... +``` + +You can listen on multiple interfaces by specifying different listening addresses. + +If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' --insecure https://172.0.24.0:8765/nvue_v1/ +... +``` + +{{< /tab >}} +{{< tab "Python Code ">}} + +The following example uses NVUE REST API port 8888 and listening address localhost: + +``` +#!/usr/bin/env python3 + +import requests +from requests.auth import HTTPBasicAuth +import json +import time + +auth = HTTPBasicAuth(username="cumulus", password="password") +nvue_end_point = "https://localhost:8888/nvue_v1" +mime_header = {"Content-Type": "application/json"} +... +``` + +You can listen on multiple interfaces by specifying different listening addresses. + +If you configure a VRF for an interface, NGINX listens on the VRF configured for that interface. 
The following example uses the default NVUE REST API port 8765 on eth0, which has IP address 172.0.24.0 and uses the management VRF by default: + +``` +#!/usr/bin/env python3 + +import requests +from requests.auth import HTTPBasicAuth +import json +import time + +auth = HTTPBasicAuth(username="cumulus", password="password") +nvue_end_point = "https://172.0.24.0:8765/nvue_v1" +mime_header = {"Content-Type": "application/json"} +... +``` + +{{}} +{{< tab "NVUE CLI ">}} + +The following example sets the NVUE REST API port to 8888 and the listening address to localhost: + ``` cumulus@switch:~$ nv set system api port 8888 cumulus@switch:~$ nv set system api listening-address localhost @@ -158,6 +219,9 @@ cumulus@switch:~$ nv set system api listening-address 172.0.24.0 cumulus@switch:~$ nv config apply ``` +{{< /tab >}} +{{< /tabs >}} + ### Show NVUE REST API Information To show REST API port configuration, state (enabled or disabled), and connection information, run the `nv show system api` command: From 9a9c4d302ec70c248f25656dd6a0b66a9ac5fd95 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 6 Nov 2023 08:36:13 -0800 Subject: [PATCH 014/204] dhcp snooping for 5.x - flat file config --- .../DHCP/DHCP-Snooping.md | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md diff --git a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..28d39ebbbc --- /dev/null +++ b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
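Review bot: PATCH 011/204, its revert in PATCH 012/204 and PATCH 013/204 apply, undo and re-apply one and the same change; 011 and 013 carry identical index lines (`ec250cf010..e819246185` for cumulus-linux-56 and `202922dcac..e7e742820f` for cumulus-linux-57) and the same diffstat. Squash the three into a single commit before merge so the history does not keep a revert pair that nets to nothing. The cumulus-linux-57 copy added at `@@ -126,6 +126,67 @@` also repeats the `cumulus:cumulus` versus `password="password"` mismatch between the Curl Command and Python Code tabs.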
@@ -0,0 +1,89 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. swp6 is a member of the bridge `br_default`: + +``` +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` From 9d476666cb50890d94284be54637608fd7f800da Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 6 Nov 2023 08:57:31 -0800 Subject: [PATCH 015/204] updates to dhcp snooping config examples --- .../Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md index 28d39ebbbc..c3131c22c9 100644 --- a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md +++ b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md @@ -29,6 +29,7 @@ Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configura The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. swp6 is a member of the bridge `br_default`: ``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json { "bridge": [ { From ad0adc2aa84e364998412029a2bceb649e5719b4 Mon Sep 17 00:00:00 2001 
From: cumulusAnia Date: Mon, 6 Nov 2023 08:58:02 -0800 Subject: [PATCH 016/204] updates --- .../Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md index c3131c22c9..18e8465d75 100644 --- a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md +++ b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md @@ -53,6 +53,7 @@ cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. swp6 is a member of the bridge `br_default`: ``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json { "bridge": [ { From 12adda6fa5211be8d94a6170b18d7c9da0e938d4 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 6 Nov 2023 10:34:03 -0800 Subject: [PATCH 017/204] 4.3.2 what's new --- .../Installation-Management/Upgrading-Cumulus-Linux.md | 2 +- content/cumulus-linux-43/Whats-New/_index.md | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/content/cumulus-linux-43/Installation-Management/Upgrading-Cumulus-Linux.md b/content/cumulus-linux-43/Installation-Management/Upgrading-Cumulus-Linux.md index b4393c4104..046c679c00 100644 --- a/content/cumulus-linux-43/Installation-Management/Upgrading-Cumulus-Linux.md +++ b/content/cumulus-linux-43/Installation-Management/Upgrading-Cumulus-Linux.md 
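Review bot: the JSON in both `dhcp_snoop.json` examples added by PATCH 014/204 (`@@ -0,0 +1,89 @@`) is rejected by a strict JSON parser: `"trusted_interface": [ "swp6" ],` is the last member of the VLAN object, and its trailing comma is followed directly by `}`. Drop that comma in the IPv4 and the IPv6 example. Each example is also a complete file for the same path, `/etc/dhcpsnoop/dhcp_snoop.json`, so the page should say how the two are combined when snooping is wanted for both IP versions.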
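Review bot: the `cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json` line added by PATCH 015/204 (`@@ -29,6 +29,7 @@`) and PATCH 016/204 (`@@ -53,6 +53,7 @@`) sits inside the same fence as the file contents, so a reader who copies the block pastes a shell prompt into the JSON file. Put the edit command in its own fence or in the sentence above, and keep the fence to the file contents only. The two patches make the same one-line change to the IPv4 and IPv6 examples and can be one commit.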
@@ -273,7 +273,7 @@ Cumulus Linux 4.3.1 is supported on Broadcom switches only and requires a differ 6. Verify correct operation with the old configurations on the new version. {{< /tab >}} -{{< tab "Upgrade to Cumulus Linux 4.3.1 ">}} +{{< tab "Upgrade to Cumulus Linux 4.3.1 and later ">}} To ensure that 4.3.1 package update is available only for Broadcom switches, you must either run `apt update` and `apt upgrade` twice *or* manually edit the `sources.list` file, then run `apt update` and `apt upgrade` once. Both procedures are below. diff --git a/content/cumulus-linux-43/Whats-New/_index.md b/content/cumulus-linux-43/Whats-New/_index.md index 416a02c0ce..c4254365f5 100644 --- a/content/cumulus-linux-43/Whats-New/_index.md +++ b/content/cumulus-linux-43/Whats-New/_index.md @@ -10,6 +10,16 @@ This document supports the Cumulus Linux 4.3 release, and lists new platforms an - For a list of open and fixed issues in Cumulus Linux 4.3, see the {{}}. - To upgrade to Cumulus Linux 4.3, follow the steps in {{}}. +## What's New in Cumulus Linux 4.3.2 + +Cumulus Linux 4.3.2 provides bug fixes. + +{{%notice note%}} +Cumulus Linux 4.3.2 is supported on Broadcom switches only. You cannot upgrade to Cumulus Linux 4.3.2 on a Mellanox switch. +- NVIDIA does not provide a Cumulus Linux 4.3.2 image for Mellanox switches. +- To upgrade a Broadcom switch to Cumulus Linux 4.3.2 with `apt upgrade`, see {{}}. +{{%/notice%}} + ## What's New in Cumulus Linux 4.3.1 Cumulus Linux 4.3.1 provides bug fixes. From dc5b9741406e276c7b44a15f0cfd60983b71691e Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 6 Nov 2023 10:42:30 -0800 Subject: [PATCH 018/204] updates --- content/cumulus-linux-43/Whats-New/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-43/Whats-New/_index.md b/content/cumulus-linux-43/Whats-New/_index.md index c4254365f5..1646a7769f 100644 --- a/content/cumulus-linux-43/Whats-New/_index.md 
+++ b/content/cumulus-linux-43/Whats-New/_index.md @@ -27,7 +27,7 @@ Cumulus Linux 4.3.1 provides bug fixes. {{%notice note%}} Cumulus Linux 4.3.1 is supported on Broadcom switches only. You cannot upgrade to Cumulus Linux 4.3.1 on a Mellanox switch. - NVIDIA does not provide a Cumulus Linux 4.3.1 image for Mellanox switches. -- To upgrade a Broadcom switch to Cumulus Linux 4.3.1 with `apt upgrade`, see {{}}. +- To upgrade a Broadcom switch to Cumulus Linux 4.3.1 with `apt upgrade`, see {{}}. {{%/notice%}} ## What's New in Cumulus Linux 4.3.0 From 66186042a7c1ab5ecb5fe992ab7753408a0e6752 Mon Sep 17 00:00:00 2001 From: anilcumulus <37850124+anilcumulus@users.noreply.github.com> Date: Mon, 13 Nov 2023 16:08:12 -0800 Subject: [PATCH 019/204] Update Grafana plugin for Cloud --- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md index 89db3793d3..7cf05a6d1c 100644 --- a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md @@ -89,7 +89,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 4. Enter *Net-Q* into the **Name** field. 5. Enter the URL used to access the database: - - Cloud: *plugin.netq.nvidia.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *http://\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.nvidia.com* From 45c7150ff8e430b556504d9d235e3eb45e4d5584 Mon Sep 17 00:00:00 2001 
From: cumulusAnia Date: Tue, 14 Nov 2023 07:22:29 -0800 Subject: [PATCH 020/204] add DHCP snooping to 5.x --- .../DHCP/DHCP-Snooping.md | 4 +- .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- .../DHCP/DHCP-Snooping.md | 91 +++++++++++++++++++ .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- .../DHCP/DHCP-Snooping.md | 91 +++++++++++++++++++ .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- .../DHCP/DHCP-Snooping.md | 91 +++++++++++++++++++ .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- .../DHCP/DHCP-Snooping.md | 91 +++++++++++++++++++ .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- .../DHCP/DHCP-Snooping.md | 91 +++++++++++++++++++ .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- .../DHCP/DHCP-Snooping.md | 91 +++++++++++++++++++ .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- .../DHCP/DHCP-Snooping.md | 91 +++++++++++++++++++ .../Layer-1-and-Switch-Ports/DHCP/_index.md | 5 +- 16 files changed, 671 insertions(+), 10 deletions(-) create mode 100644 content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md create mode 100644 content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md create mode 100644 content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md create mode 100644 content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md create mode 100644 content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md create mode 100644 content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md create mode 100644 content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md diff --git a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md index 18e8465d75..8454c280ef 100644 --- a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md +++ b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
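Review bot: the tab renamed to "Upgrade to Cumulus Linux 4.3.1 and later" in Upgrading-Cumulus-Linux.md (PATCH 017/204, `@@ -273,7 +273,7 @@`) still opens with "To ensure that 4.3.1 package update is available only for Broadcom switches", so the body covers 4.3.1 only while the title now promises later releases. Update that sentence and any version-specific steps under it for 4.3.2, or keep the old title. In Whats-New/_index.md (`@@ -10,6 +10,16 @@`) the new 4.3.2 notice repeats the 4.3.1 notice word for word with only the version changed; one notice covering both releases would be easier to keep correct.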
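Review bot: the URL list in step 5 of Integrate-with-Grafana.md (PATCH 019/204, `@@ -89,7 +89,7 @@`) is now inconsistent about the scheme: the Cloud entry is `https://plugin.prod.netq.nvidia.com`, the On-premises entry starts with `http://`, and the Cumulus in the Cloud entry is still the bare host `plugin.air.netq.nvidia.com`. Give the CITC entry an explicit scheme as well, and confirm that plain `http://` is intended for the on-premises plugin endpoint. The commit message mentions only the Cloud plugin, so note there that the hostname changes too, not just the scheme.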
@@ -26,7 +26,7 @@ NVUE does not provide commands to configure DHCP Snooping. Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. -The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. swp6 is a member of the bridge `br_default`: +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: ``` cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json @@ -41,7 +41,7 @@ cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json "rate_limit": 50, "ip_version": 4, "trusted_interface": [ - "swp6" + "swp3" ], } ] diff --git a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/_index.md index f494b0f7c1..fd3f513c3c 100644 --- a/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-50/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..8454c280ef --- /dev/null +++ b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
@@ -0,0 +1,91 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp3" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` diff --git a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/_index.md index f494b0f7c1..fd3f513c3c 100644 --- a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..8454c280ef --- /dev/null +++ b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
@@ -0,0 +1,91 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp3" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` diff --git a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/_index.md index f494b0f7c1..fd3f513c3c 100644 --- a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..8454c280ef --- /dev/null +++ b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
@@ -0,0 +1,91 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp3" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` diff --git a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/_index.md index 37ea4226ab..fd3f513c3c 100644 --- a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..8454c280ef --- /dev/null +++ b/content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
@@ -0,0 +1,91 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp3" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` diff --git a/content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/_index.md index 37ea4226ab..fd3f513c3c 100644 --- a/content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-54/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..8454c280ef --- /dev/null +++ b/content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
@@ -0,0 +1,91 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp3" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` diff --git a/content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/_index.md index 37ea4226ab..fd3f513c3c 100644 --- a/content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-55/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..8454c280ef --- /dev/null +++ b/content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
@@ -0,0 +1,91 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp3" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` diff --git a/content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/_index.md index 37ea4226ab..fd3f513c3c 100644 --- a/content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-56/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md new file mode 100644 index 0000000000..8454c280ef --- /dev/null +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/DHCP-Snooping.md 
@@ -0,0 +1,91 @@ +--- +title: DHCP Snooping +author: NVIDIA +weight: 355 +toc: 3 +--- +DHCP snooping enables Cumulus Linux to act as a middle layer between the DHCP infrastructure and DHCP clients by scanning DHCP control packets and building an IP-MAC database. Cumulus Linux accepts DHCP offers from only trusted interfaces and can rate limit packets. + +{{%notice note%}} +DHCP option 82 processing is not supported. +{{%/notice%}} + +## Configure DHCP Snooping + +To configure DHCP snooping, you need to: + +- Enable DHCP snooping on a VLAN. +- Add a trusted interface. Cumulus Linux allows DHCP offers from only trusted interfaces to prevent malicious DHCP servers from assigning IP addresses inside the network. The interface must be a member of the bridge specified. +- Set the rate limit for DHCP requests to avoid DoS attacks. The default value is 100 packets per second. + +The following example shows you how to configure DHCP snooping for IPv4 and IPv6. + +{{%notice note%}} +NVUE does not provide commands to configure DHCP Snooping. +{{%/notice%}} + +Create the `/etc/dhcpsnoop/dhcp_snoop.json` file and add DHCP snooping configuration under the bridge. + +The following example enables DHCP snooping for IPv4 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp3. swp3 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 4, + "trusted_interface": [ + "swp3" + ], + } + ] + } + ] +} +``` + +The following example enables DHCP snooping for IPv6 on VLAN 10, sets the rate limit to 50 and the trusted interface to swp6. 
swp6 is a member of the bridge `br_default`: + +``` +cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json +{ + "bridge": [ + { + "bridge_id": "br_default", + "vlan": [ + { + "vlan_id": 10, + "snooping": 1, + "rate_limit": 50, + "ip_version": 6, + "trusted_interface": [ + "swp6" + ], + } + ] + } + ] +} +``` + +When DHCP snooping detects a violation, the packet is dropped and a message is logged to the `/var/log/dhcpsnoop.log` file. + +## Show the DHCP Binding Table + +To show the DHCP binding table, run the `net show dhcp-snoop table` command for IPv4 or the `net show dhcp-snoop6 table` command for IPv6. The following example command shows the DHCP binding table for IPv4: + +``` +cumulus@leaf01:~$ net show dhcp-snoop table +Port VLAN IP MAC Lease State Bridge +---- ---- --------- ----------------- ----- ----- ------ + +swp5 1002 10.0.0.3 00:02:00:00:00:04 7200 ACK br0 + +swp5 1000 10.0.1.3 00:02:00:00:00:04 7200 ACK br0 +``` diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/_index.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/_index.md index 37ea4226ab..fd3f513c3c 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/_index.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/DHCP/_index.md @@ -4,4 +4,7 @@ author: NVIDIA weight: 338 toc: 3 --- -This section describes how to configure [DHCP](## "Dynamic Host Configuration Protocol") relays and [DHCP](## "Dynamic Host Configuration Protocol") servers. +This section describes how to configure: +- {{}} +- {{}} +- {{}} From 9d356ad79e43cec3305929e29cc2cda65432849c Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 14 Nov 2023 08:36:55 -0800 Subject: [PATCH 021/204] updates to radius --- .../RADIUS-AAA.md | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) 
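Review bot: The JSON in both DHCP-Snooping.md examples (added identically for cumulus-linux-51 through 57, and present in the context of the 5.0 hunk) is not valid JSON: the `"trusted_interface": [ ... ],` array ends with a comma directly before the closing `}` of the VLAN object, and a strict JSON parser rejects a trailing comma. The page does not say what the snooping service does with a file it cannot parse, so drop the comma after `]` so a pasted example is at least well-formed. The `cumulus@leaf01:~$ sudo nano /etc/dhcpsnoop/dhcp_snoop.json` prompt also sits inside the same block as the file contents and gets copied with them; move it out of the block or say that only the text from the first `{` belongs in the file. Two smaller points on the same file: both examples write the same `/etc/dhcpsnoop/dhcp_snoop.json`, so show how the IPv4 and IPv6 entries for VLAN 10 coexist in one file, and the binding table output uses `br0` with VLANs 1000 and 1002, which does not match the `br_default` and VLAN 10 configuration shown above it.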
diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index 718da2946b..4d57bf1da9 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -23,11 +23,13 @@ The `nvshow` group includes the `radius_user` account, and the `nvset` and `nvap ## Required RADIUS Client Configuration -After you install the required RADIUS packages, configure the following required settings on the switch (the RADIUS client). +After you install the required RADIUS packages, configure the following required settings on the switch (the RADIUS client): - Set the IP address or hostname of at least one RADIUS server. You can specify a port for the server (optional). The default port number is 1812. - Set the secret key shared between the RADIUS server and client. If you include special characters in the key (such as $), you must enclose the key in single quotes ('). -- Set the priority at which Cumulus Linux contacts a RADIUS server for load balancing. You can set a value between 1 and 100. The lower value is the higher priority. -- If you use NVUE commands to configure RADIUS, you must also set the priority for the authentication order for local and RADIUS users, and enable RADIUS. +- If you use NVUE commands to configure RADIUS, you must also: + - Set the priority at which Cumulus Linux contacts a RADIUS server for load balancing. You can set a value between 1 and 100. The lower value is the higher priority. + - Set the priority for the authentication order for local and RADIUS users. + - Enable RADIUS. {{< tabs "TabID41 ">}} {{< tab "NVUE Commands ">}} 
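Review bot: Moving the server priority bullet under "If you use NVUE commands to configure RADIUS, you must also:" makes it read as an NVUE-only setting, and nothing in the list now tells someone following the Linux commands tab how the order of contact between multiple RADIUS servers is decided. Either add a sentence for the Linux case or state outright that priority is set only through NVUE. While the bullet is being moved, "for load balancing" is worth rewording: "You can set a value between 1 and 100. The lower value is the higher priority" describes an order of preference between servers, not a distribution of requests across them.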
@@ -74,9 +76,12 @@ The server port number is optional. The system looks up the port in the `/etc/se ## Optional RADIUS Configuration -You can configure the following optional settings global RADIUS settings and server specific settings: +You can configure the following optional settings global RADIUS settings and server specific settings. -| Option | Description | +{{< tabs "TabID34 ">}} +{{< tab "NVUE Commands ">}} + +| Setting | Description | | ------ | ----------- | | `vrf` | The VRF you want to use to communicate with the RADIUS servers. This is typically the management VRF (`mgmt`), which is the default VRF on the switch. You cannot specify more than one VRF. | | `privilege-level` | The minimum privilege level that determines if users can configure the switch with NVUE commands and sudo, or have read-only rights. The default privilege level is 15, which provides full administrator access. This is a global option only; you cannot set the minimum privilege level for specific RADIUS servers.| @@ -85,9 +90,6 @@ You can configure the following optional settings global RADIUS settings and ser | `source-ipv4`
`source-ipv6`
| A specific interface to reach the RADIUS server. If you configure multiple RADIUS servers, you can configure a specific interface to reach all RADIUS servers. | | `debug` | The debug option for troubleshooting. The debugging messages write to `/var/log/syslog`. When the RADIUS client is working correctly, you can disable the debug option. If you configure multiple RADIUS servers, you can enable the debug option globally for all the servers.| -{{< tabs "TabID34 ">}} -{{< tab "NVUE Commands ">}} - The following example configures global RADIUS settings: ``` @@ -112,6 +114,14 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} +| Setting | Description | +| ------ | ----------- | +| `vrf` | The VRF you want to use to communicate with the RADIUS servers. This is typically the management VRF (`mgmt`), which is the default VRF on the switch. You cannot specify more than one VRF. | +| `shell:priv-lvl` | Determines the privilege level for the user on the switch.| +| `timeout` | The timeout value when a server is slow or latencies are high. You can set a value between 1 and 60. The default timeout is 3 seconds. If you configure multiple RADIUS servers, you can set a global timeout for all servers. | +| `source-ip`
| A specific IPv4 or IPv6 interface to reach the RADIUS server. If you configure multiple RADIUS servers, you can configure a specific interface to reach all RADIUS servers. | +| `debug` | The debug option for troubleshooting. The debugging messages write to `/var/log/syslog`. When the RADIUS client is working correctly, you can disable the debug option. If you configure multiple RADIUS servers, you can enable the debug option globally for all the servers.| + Edit the `/etc/pam_radius_auth.conf` file. An example is shown below. ``` From a56ad806722f99052f4462d3d8243ac09e9c6779 Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Tue, 14 Nov 2023 14:26:19 -0500 Subject: [PATCH 022/204] updated grafana url across 4.x docs --- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- .../Configure-Integrations/Integrate-with-Grafana.md | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/content/cumulus-netq-40/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-40/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md index 96c0673b37..c6a67e3de2 100644 --- a/content/cumulus-netq-40/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-40/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md 
@@ -95,7 +95,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 5. Enter *Net-Q* into the **Name** field. 6. Enter the URL used to access the database: - - Cloud: *plugin.netq.cumulusnetworks.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.cumulusnetworks.com* diff --git a/content/cumulus-netq-41/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-41/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md index 96c0673b37..c6a67e3de2 100644 --- a/content/cumulus-netq-41/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-41/Manage-Deployment/Configure-Integrations/Integrate-with-Grafana.md @@ -95,7 +95,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 5. Enter *Net-Q* into the **Name** field. 6. Enter the URL used to access the database: - - Cloud: *plugin.netq.cumulusnetworks.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.cumulusnetworks.com* diff --git a/content/cumulus-netq-42/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-42/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md index 96c0673b37..c6a67e3de2 100644 --- a/content/cumulus-netq-42/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-42/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md 
@@ -95,7 +95,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 5. Enter *Net-Q* into the **Name** field. 6. Enter the URL used to access the database: - - Cloud: *plugin.netq.cumulusnetworks.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.cumulusnetworks.com* diff --git a/content/cumulus-netq-43/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-43/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md index 13975a11cc..7ad9781caf 100644 --- a/content/cumulus-netq-43/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-43/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md @@ -89,7 +89,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 4. Enter *Net-Q* into the **Name** field. 5. Enter the URL used to access the database: - - Cloud: *plugin.netq.nvidia.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *http://\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.nvidia.com* diff --git a/content/cumulus-netq-44/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-44/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md index 302f9dae24..9c9c048c19 100644 --- a/content/cumulus-netq-44/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-44/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md 
@@ -89,7 +89,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 4. Enter *Net-Q* into the **Name** field. 5. Enter the URL used to access the database: - - Cloud: *plugin.netq.nvidia.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *http://\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.nvidia.com* diff --git a/content/cumulus-netq-45/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-45/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md index 302f9dae24..9c9c048c19 100644 --- a/content/cumulus-netq-45/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-45/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md @@ -89,7 +89,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 4. Enter *Net-Q* into the **Name** field. 5. Enter the URL used to access the database: - - Cloud: *plugin.netq.nvidia.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *http://\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.nvidia.com* diff --git a/content/cumulus-netq-46/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-46/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md index 89db3793d3..7cf05a6d1c 100644 --- a/content/cumulus-netq-46/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-46/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md @@ -89,7 +89,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 4. Enter *Net-Q* into the **Name** field. 5. Enter the URL used to access the database: - - Cloud: *plugin.netq.nvidia.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *http://\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.nvidia.com* 
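Review bot: In the URL list of each Integrate-with-Grafana.md hunk, only the Cloud entry gains a scheme and the new host (`https://plugin.prod.netq.nvidia.com`). The CITC entry is left without a scheme on `plugin.air.netq.nvidia.com` (`plugin.air.netq.cumulusnetworks.com` in the netq-41 and netq-42 copies), and the On-premises entry is `http://` in the netq-43 to netq-47 copies and has no scheme in the older ones. Please confirm whether the CITC host moved as well, and give all three entries an explicit scheme so the value to paste into the data source is unambiguous, using `https://` wherever the endpoint supports it.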
diff --git a/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md b/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md index 89db3793d3..7cf05a6d1c 100644 --- a/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md +++ b/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Integrate-with-Grafana.md @@ -89,7 +89,7 @@ Now that you have the plugin installed, you need to configure access to the NetQ 4. Enter *Net-Q* into the **Name** field. 5. Enter the URL used to access the database: - - Cloud: *plugin.netq.nvidia.com* + - Cloud: *https://plugin.prod.netq.nvidia.com* - On-premises: *http://\/plugin* - Cumulus in the Cloud (CITC): *plugin.air.netq.nvidia.com* From 4dc0124e15e3543f44f1c33431c9bd4daff9abe4 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 14 Nov 2023 14:10:57 -0800 Subject: [PATCH 023/204] updates to whats new and PIM --- .../Protocol-Independent-Multicast-PIM.md | 14 ++--- .../RADIUS-AAA.md | 4 +- content/cumulus-linux-57/Whats-New/_index.md | 4 +- .../Set-and-Unset-Commands/PIM.md | 60 ++++++++++++++++--- 4 files changed, 63 insertions(+), 19 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md index ca7ffcacad..e32c99a83c 100644 --- a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md 
@@ -858,18 +858,18 @@ Cumulus Linux provides the following PIM timers: | `hello-interval` | The interval in seconds at which the PIM router sends hello messages to discover PIM neighbors and maintain PIM neighbor relationships. You can specify a value between 1 and 180. The default setting is 30 seconds. With vtysh, you set the hello interval for a specific PIM enabled interface. With NVUE, you can set the hello interval globally for all PIM enabled interfaces or for a specific PIM enabled interface. | | `holdtime` | The number of seconds during which the neighbor must be in a reachable state. `auto` (the default setting) uses three and half times the `hello-interval`. You can specify a value between 1 and 180. With vtysh, you set the holdtime for a specific PIM enabled interface. With NVUE, you can set the holdtime globally for all PIM enabled interfaces or for a specific PIM enabled interface.| | `join-prune-interval` | The interval in seconds at which a PIM router sends join/prune messages to its upstream neighbors for a state update. You can specify a value between 60 and 600. The default setting is 60 seconds. You set the `join-prune-interval` globally for all PIM enabled interfaces. NVUE also provides the option of setting the `join-prune-interval` for a specific VRF.| -| `keep-alive` | The timeout value for the S,G stream in seconds. You can specify a value between 31 and 60000. The default setting is 210 seconds. You can set the `keep-alive` timer globally or all PIM enabled interfaces or for a specific VRF.| -| `register-suppress` | The number of seconds during which to stop sending register messages to the RP. You can specify a value between 5 and 60000. The default setting is 60 seconds. You can set the `keep-alive` timer globally for all PIM enabled interfaces or for a specific VRF. | -| `rp-keep-alive` | NVUE only. The timeout value for the RP in seconds. You can specify a value between 31 and 60000. The default setting is 185 seconds. 
You set the `register-suppress-time` timer globally for all PIM enabled interfacesor for a specific VRF.| +| `keepalive` | The timeout value for the S,G stream in seconds. You can specify a value between 31 and 60000. The default setting is 210 seconds. You can set the `keepalive` timer globally or all PIM enabled interfaces or for a specific VRF.
In vtysh, the timer is `keep-alive`. | +| `register-suppress` | The number of seconds during which to stop sending register messages to the RP. You can specify a value between 5 and 60000. The default setting is 60 seconds. You can set the `keepalive` timer globally for all PIM enabled interfaces or for a specific VRF. | +| `rp-keepalive` | NVUE only. The timeout value for the RP in seconds. You can specify a value between 31 and 60000. The default setting is 185 seconds. You set the `register-suppress-time` timer globally for all PIM enabled interfacesor for a specific VRF.
In vtysh, the timer is `rp-keep-alive`.| {{< tabs "TabID1037 ">}} {{< tab "NVUE Commands ">}} -The following example commands set the `join-prune-interval` to 100 seconds, the `keep-alive` timer to 10000 seconds, and the `register-suppress` time to 20000 seconds globally for all PIM enabled interfaces: +The following example commands set the `join-prune-interval` to 100 seconds, the `keepalive` timer to 10000 seconds, and the `register-suppress` time to 20000 seconds globally for all PIM enabled interfaces: ``` cumulus@switch:~$ nv set router pim timers join-prune-interval 100 -cumulus@switch:~$ nv set router pim timers keep-alive 10000 +cumulus@switch:~$ nv set router pim timers keepalive 10000 cumulus@switch:~$ nv set router pim timers register-suppress 20000 cumulus@switch:~$ nv config apply ``` @@ -881,10 +881,10 @@ cumulus@switch:~$ nv set interface swp51 router pim timers hello-interval 60 cumulus@switch:~$ nv config apply ``` -The following example commands set the `rp-keep-alive` to 10000 for VRF RED: +The following example commands set the `rp-keepalive` to 10000 for VRF RED: ``` -cumulus@switch:~$ nv set vrf RED router pim timers rp-keep-alive 10000 +cumulus@switch:~$ nv set vrf RED router pim timers rp-keepalive 10000 cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index 4d57bf1da9..1bd9937997 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
@@ -28,7 +28,7 @@ After you install the required RADIUS packages, configure the following required - Set the secret key shared between the RADIUS server and client. If you include special characters in the key (such as $), you must enclose the key in single quotes ('). - If you use NVUE commands to configure RADIUS, you must also: - Set the priority at which Cumulus Linux contacts a RADIUS server for load balancing. You can set a value between 1 and 100. The lower value is the higher priority. - - Set the priority for the authentication order for local and RADIUS users. + - Set the priority for the authentication order for local and RADIUS users. You can set a value between 1 and 100. The lower value is the higher priority. - Enable RADIUS. {{< tabs "TabID41 ">}} @@ -38,7 +38,7 @@ The following example commmands set: - The IP address of the RADIUS server to 192.168.0.254 and the port to 42. - The secret to `'myradius$key'`. - The priority at which Cumulus Linux contacts the RADIUS server to 10. -- The authentication order so that RADIUS authentication has priority over local (the lower number has priority). +- The authentication order to 10 for Radiuso that RADIUS authentication has priority over local. - The RADIUS option to `enable`. ``` diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 522c8c2244..873a73279c 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -18,11 +18,11 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im ### New Features and Enhancements -- {{}} - {{}} -- {{}} forwarding profile - {{}} +- {{}} - {{}} to optimize and share resources, and avoid resource exhaustion +- {{}} forwarding profile - PTP PPS In or Out Support - NVUE enhancements include: - {{}} 
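Review bot: In the timers table of Protocol-Independent-Multicast-PIM.md (hunk -858,18), two of the added rows name the wrong timer in their last sentence: the `register-suppress` row says "You can set the `keepalive` timer globally" and the `rp-keepalive` row says "You set the `register-suppress-time` timer globally". Each row should name its own timer. The same added lines also carry "globally or all PIM enabled interfaces" (should read "for all") and "interfacesor". The nvue-reference PIM.md hunks in this patch keep the `keep-alive` and `rp-keep-alive` headings and examples, so please confirm that the reference page is meant to keep the hyphenated spelling while the 5.7 page moves to `keepalive`.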
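Review bot: The rewritten bullet in RADIUS-AAA.md (hunk -38,7) is garbled: "The authentication order to 10 for Radiuso that RADIUS authentication has priority over local." looks like "RADIUS so that" with characters dropped. Suggest "The authentication order to 10 for RADIUS so that RADIUS authentication has priority over local." The hunk header context also still reads "example commmands", which is worth fixing while this list is being edited.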
diff --git a/content/nvue-reference/Set-and-Unset-Commands/PIM.md b/content/nvue-reference/Set-and-Unset-Commands/PIM.md index 532e78fd71..2dab9b1caa 100644 --- a/content/nvue-reference/Set-and-Unset-Commands/PIM.md +++ b/content/nvue-reference/Set-and-Unset-Commands/PIM.md @@ -391,9 +391,15 @@ cumulus@switch:~$ nv set router pim timers join-prune-interval 100
## nv set router pim timers keep-alive - + Configures the timeout value for the S,G stream in seconds. You can specify a value between 31 and 60000. The default setting is 210 seconds. - + ### Version History Introduced in Cumulus Linux 5.0.0 @@ -403,7 +409,11 @@ Introduced in Cumulus Linux 5.0.0 ``` cumulus@switch:~$ nv set router pim timers keep-alive 10000 ``` - +
## nv set router pim timers register-suppress @@ -423,9 +433,16 @@ cumulus@switch:~$ nv set router pim timers register-suppress 20000
## nv set router pim timers rp-keep-alive - + Configures the timeout value for the RP in seconds. You can specify a value between 31 and 60000. The default setting is 185 seconds. + ### Version History Introduced in Cumulus Linux 5.0.0 @@ -435,7 +452,11 @@ Introduced in Cumulus Linux 5.0.0 ``` cumulus@switch:~$ nv set router pim timers rp-keep-alive 10000 ``` - +
## nv set vrf \ router pim @@ -755,9 +776,16 @@ Configures PIM timers on the specified VRF.
## nv set vrf \ router pim timers keep-alive - + Configures the timeout value for the S,G stream in seconds for the specified VRF. You can set a value between 31 and 60000. The default setting is 210 seconds. + ### Version History Introduced in Cumulus Linux 5.0.0 @@ -767,13 +795,24 @@ Introduced in Cumulus Linux 5.0.0 ``` cumulus@switch:~$ nv set vrf default router pim timers keep-alive 10000 ``` +
## nv set vrf \ router pim timers rp-keep-alive - + Configures the timeout value for the RP in seconds on the specified VRF. You can specify a value between 31 and 60000. The default setting is 185 seconds. - + ### Command Syntax | Syntax | Description | @@ -789,3 +828,8 @@ Introduced in Cumulus Linux 5.0.0 ``` cumulus@switch:~$ nv set vrf default router pim timers rp-keep-alive 1000 ``` + From 92243e29eabaf5b74e45543b9fbe4d5c677aa6e1 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 14 Nov 2023 16:04:32 -0800 Subject: [PATCH 024/204] update dot1x --- .../802.1X-Interfaces.md | 326 ++++-------------- .../ASIC-Monitoring.md | 16 +- 2 files changed, 66 insertions(+), 276 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index b47084970c..085b484601 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md @@ -56,7 +56,7 @@ To configure an 802.1X interface: - Optional: Change the default 802.1X RADIUS accounting port. The default port is 1813. - Optional: Change the default 802.1X RADIUS authentication port. The default port is 1812. - Optional: Provide the reauthentication period for [EAP](## "Extensible Authentication Protocol"). By default, re-authentication is disabled with a reauthentication period of 0. You can set a value between 0-86640. -- **Required**: Enable 802.1X on the interface. +- **Required**: Enable 802.1X on an interface. {{%notice note%}} Changing the 802.1X interface settings do *not* reset existing authorized user ports. However, removing all 802.1X interfaces or changing the RADIUS server IP address, shared secret, authentication port, or accounting port restarts `hostapd`, which forces existing, authorized users to re-authenticate. 
@@ -67,14 +67,12 @@ Changing the 802.1X interface settings do *not* reset existing authorized user p The following example: -- Sets the 802.1X RADIUS server IP address to 127.0.0.1. -- Sets the 802.1X RADIUS shared secret to mysecret. -- Enables 802.1X on swp1 through swp4. +- Sets the 802.1X RADIUS server IP address to 127.0.0.1 and the shared secret to `mysecret`. +- Enables 802.1X on swp1 through swp3. ``` -cumulus@switch:~$ nv set system dot1x radius server-ip 127.0.0.1 -cumulus@switch:~$ nv set system dot1x radius server-ip 127.0.0.1 shared-secret mysecret -cumulus@switch:~$ nv set interface swp1-swp4 dot1x enabled +cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 shared-secret mysecret +cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled cumulus@switch:~$ nv config apply ``` 
@@ -85,25 +83,25 @@ The following example: - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. - Sets re-authentication for [EAP](## "Extensible Authentication Protocol"), by setting the reauthentication period to 60. -- Enables 802.1X on swp1 through swp4. +- Enables 802.1X on swp1 through swp3. ``` -cumulus@switch:~$ nv set system dot1x radius server-ip 127.0.0.1 vrf turtle -cumulus@switch:~$ nv set system dot1x radius server-ip 127.0.0.1 shared-secret mysecret -cumulus@switch:~$ nv set system dot1x radius server-ip 127.0.0.1 authentication-port 2812 -cumulus@switch:~$ nv set system dot1x radius server-ip 127.0.0.1 accounting-port 2813 -cumulus@switch:~$ nv set system dot1x eap-reauth-period 60 -cumulus@switch:~$ nv set interface swp1-swp4 dot1x enabled +cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 vrf turtle +cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 shared-secret mysecret +cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 authentication-port 2812 +cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 accounting-port 2813 +cumulus@switch:~$ nv set system dot1x reauthentication-interval 60 +cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled cumulus@switch:~$ nv config apply ``` - + {{%notice note%}} When you enable or disable 802.1X on a port, `hostapd` reloads; however, existing authorized sessions do not reset. {{%/notice%}} @@ -116,12 +114,12 @@ Edit the `/etc/hostapd.conf` file to configure 802.1X settings, then restart the The following example: - Sets the 802.1X RADIUS server IP address to 127.0.0.1. - Sets the 802.1X RADIUS shared secret to mysecret. -- Enables 802.1X on swp1 through swp4. +- Enables 802.1X on swp1 through swp3. ``` cumulus@switch:~$ sudo nano /etc/hostapd.conf ... -interfaces=swp1,swp2,swp3,swp4 +interfaces=swp1,swp2,swp3 mab_interfaces= parking_vlan_interfaces= parking_vlan_id= 
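Review bot: In the second NVUE example (hunk -85,25), the bullet still says "by setting the reauthentication period to 60" while the command it describes is now `nv set system dot1x reauthentication-interval 60`, and the option list in the -56,7 hunk also calls the setting the "reauthentication period". Use one term that matches the new keyword in both places, and state the unit of the value in the bullet.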
@@ -303,8 +301,8 @@ The following example sets the parking VLAN ID to 777 and enables parking VLAN o {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set system dot1x parking-vlan-id 777 -cumulus@switch:~$ nv set interface swp1 dot1x parking-vlan enabled +cumulus@switch:~$ nv set system dot1x auth-fail-vlan 777 +cumulus@switch:~$ nv set interface swp1 dot1x auth-fail-vlan enabled cumulus@switch:~$ nv config apply ``` @@ -336,34 +334,6 @@ swp1 00:02:00:00:00:08 Status Flags [PARKED_VLAN] RADIUS Auth Session ID C2FED91A39D8D605 ``` - {{< /tab >}} {{< tab "Linux Commands ">}} @@ -392,14 +362,14 @@ To enable dynamic VLAN assignment globally, where VLAN attributes from the RADIU {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set system dot1x dynamic-vlan default +cumulus@switch:~$ nv set system dot1x dynamic-vlan optional cumulus@switch:~$ nv config apply ``` You can specify the `require` option in the command so that VLAN attributes are required. If VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN (if you have configured parking VLAN). ``` -cumulus@switch:~$ nv set system dot1x dynamic-vlan require +cumulus@switch:~$ nv set system dot1x dynamic-vlan required cumulus@switch:~$ nv config apply ``` @@ -418,8 +388,7 @@ vlan100client Cleartext-Password := "client1password" Verify the configuration (notice the `[AUTHORIZED]` status in the output): ``` -cumulus@switch:~$ nv show interface –view=dot1x-summary - +cumulus@switch:~$ nv show interface dot1x-summary Interface MAC Address Attribute Value --------- ----------------- ---------------------------- -------------------------- swp1 00:02:00:00:00:08 Status Flags [DYNAMIC_VLAN][AUTHORIZED] 
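Review bot: In the dynamic VLAN hunk (-362,14), the sentence "You can specify the `require` option in the command" no longer matches the example below it, which now runs `nv set system dot1x dynamic-vlan required`. Update the prose to `required`, and because the first example changes from `default` to `optional`, say in the text what `optional` means. The parking VLAN hunk (-301,8) has the same drift: the commands become `auth-fail-vlan` while the hunk header sentence still says "sets the parking VLAN ID to 777 and enables parking VLAN", so a reader searching for the new keyword will not find it in the prose.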
@@ -443,42 +412,6 @@ swp1 00:02:00:00:00:08 Status Flags [DYNAMIC_VLAN][AUTHO RADIUS Auth Session ID 939B1A53B624FC56 ``` -``` -cumulus@switch:~$ nv show dot1x interface summary - -Interface MAC Address Username State Authentication Type MAB VLAN ---------- ----------------- ------------ ------------ ------------------- --- ---- -swp1 00:02:00:00:00:08 000200000008 AUTHORIZED unknown NO 888 -``` - {{< /tab >}} {{< tab "Linux Commands ">}} @@ -543,10 +476,10 @@ vlan100client Cleartext-Password := "client1password" To disable dynamic VLAN assignment, where VLAN attributes sent from the RADIUS server are ignored and users are authenticated based on existing credentials: {{< tabs "TabID755 ">}} -{{< tab "NCLU Commands ">}} +{{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set system dot1x dynamic-vlan none +cumulus@switch:~$ nv set system dot1x dynamic-vlan disabled cumulus@switch:~$ nv config apply ``` 
@@ -604,14 +537,14 @@ In high-security campus environments where 802.1X interfaces are in use, you can Since DACLs restrict access to network resources at the user level, multiple users on the same VLAN can access different resources based on the policy provided by the RADIUS server. DACLs utilize {{}}, so you can configure them in your RADIUS server configuration and not on each switch. -The DACLs are also dynamically modified to fit the specific authenticating supplicant. For example, specific MAC addresses may be restricted to talk only to certain L3/L4 destinations. +The DACLs are also dynamically modified to fit the specific authenticating supplicant. For example, specific MAC addresses can be restricted to talk only to certain layer 3 or layer 4 destinations. DACLs work with Voice VLAN for phones (MDA). {{%notice note%}} - You can configure DACLs for {{}} only. - Port security (MAC address restrictions) cannot be used at the same time as DACLs. -- Cumulus Linux does not support configuring both Dynamic VLAN and DACLs on a given switch port at the same time. +- Cumulus Linux does not support configuring both Dynamic VLAN and DACLs at the same time on a switch port. - The source MAC address of the user gaining authorization in the `ebtables` filter replaces the `from any` source IPv4 address. - Only a single destination port integer is supported; port ranges are not supported. - Any IPv4 protocol is supported either by name or number as supported in the Cumulus Linux `ebtables` implementation. 
@@ -619,8 +552,8 @@ DACLs work with Voice VLAN for phones (MDA). ### How It Works -1. A supplicant sends packets over a network port. A {{}} executes. You can manually create your own pre-auth ACL filter or just use the Cumulus Linux default ({{}}). There are no NCLU commands for creating the filter itself. -1. When `dot1x dynamic-acl` is {{}}, Cumulus Linux installs the pre-auth ACL defaults for the port (once you execute `net commit`). +1. A supplicant sends packets over a network port. A {{}} executes. You can manually create your own pre-auth ACL filter or just use the Cumulus Linux default ({{}}). There are no NVUE commands for creating the filter itself. +1. When `dot1x dynamic-acl` is {{}}, Cumulus Linux installs the pre-auth ACL defaults for the port. 1. When a supplicant on the port tries to get 802.1X authorized, the RADIUS server may (or may not) send along some {{}} in the Access-Accept message. 1. If any filters are sent from the RADIUS server, Cumulus Linux applies them before the default pre-auth ACL. 1. If no filters are sent, Cumulus Linux leaves the defaults in place, and no special access is granted to the user. @@ -642,7 +575,7 @@ The syntax for NAS-Filter-Rule attributes configured in the RADIUS server varies The rules for the appropriate direction are evaluated in order, with the first matched rule terminating the evaluation. Each packet is evaluated once. If no rule matches, the packet is dropped if the last rule was a deny. -If these rules are invalid — for example, they contain contain port ranges or IPv6 addresses — the port does not get authorized and a log message is written to `/var/log/syslog`. +If these rules are invalid — for example, they contain port ranges or IPv6 addresses — the port does not get authorized and a log message is written to `/var/log/syslog`. ### Get Started 
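Review bot: Step 2 of "How It Works" (hunk -619,8) still refers to the setting as `dot1x dynamic-acl`, which is the NCLU keyword, while this patch deletes the only command that used it (`net add interface swp1 dot1x dynamic-acl [mab]`, removed in the -730,27 hunk) and drops the `net commit` reference from the same sentence. Reword the step to name what the reader configures now, for example the `dynamic_acl_interfaces` option in `/etc/hostapd.conf` that the remaining Linux procedure uses.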
@@ -658,7 +591,7 @@ You configure DACLs on the RADIUS server on your network using the methods provi #### Configure the RADIUS Server -On the RADIUS server, set the password for the RADIUS client (that is, the Cumulus Linux switch) in the `/etc/freeradius/3.0/clients.conf` file as follows, using the src IP address of the switch: +On the RADIUS server, set the password for the RADIUS client (the Cumulus Linux switch) in the `/etc/freeradius/3.0/clients.conf` file as follows, using the src IP address of the switch: ``` client leaf01 { @@ -688,7 +621,7 @@ leaf01 Cleartext-Password := "CumulusLinux!" NAS-Filter-Rule = "deny in ip from any to any" ``` -`ebtables` converts this to a temporary file on the switch called something like `/etc/cumulus/acl/policy.d/150_dot1x_dacl_swp2_000200000002.rules` (the filename is always prefaced with _150\__; default rules filenames are prefaced with _200\__). It looks like the following: +`ebtables` converts this to a temporary file on the switch with a name similar to `/etc/cumulus/acl/policy.d/150_dot1x_dacl_swp2_000200000002.rules` (the filename is always prefaced with _150\__; default rule filenames are prefaced with _200\__). It looks like the following: ``` cumulus@switch:~$ cat /etc/cumulus/acl/policy.d/150_dot1x_dacl_swp2_000200000002.rules 
@@ -730,27 +663,6 @@ In the above rules file, the `--set-mark 2` option ensures that the nearly ident The Cumulus Linux switch is the RADIUS client. -{{< tabs "TabID951 ">}} -{{< tab "NCLU Commands ">}} - -Configure the Cumulus Linux switch as a RADIUS client using the `net add dot1x radius` command, and include your RADIUS server's IP address and secret: - -``` -cumulus@leaf01:~$ net add dot1x radius server-ip 10.0.0.1 -cumulus@leaf01:~$ net add dot1x radius shared-secret mysecret -``` - -Enable one or more switch ports for DACLs by running the `net add dot1x interface dot1x dynamic-acl` command. You can also enable {{}} by including the `mab` option at the end of the command. - -``` -cumulus@leaf01:~$ net add interface swp1 dot1x dynamic-acl [mab] -cumulus@leaf01:~$ net pending -cumulus@leaf01:~$ net commit -``` - -{{< /tab >}} -{{< tab "Linux Commands ">}} - 1. Edit the `/etc/hostapd.conf` file to configure the RADIUS client and the DACL interface. The example below sets the IP address of the 802.1X RADIUS server to 10.0.0.1 (`auth_server_addr=10.0.0.1`), the shared secret to mysecret (`auth_server_shared_secret=mysecret`), 802.1X on swp1 and swp2 (`interfaces=swp1,swp2`), and swp2 as a DACL interface (`dynamic_acl_interfaces=swp2`). cumulus@switch:~$ sudo nano /etc/hostapd.conf @@ -784,11 +696,10 @@ cumulus@leaf01:~$ net commit 2. Enable then restart the `hostapd` service so that the configuration persists between reboots: - cumulus@switch:~$ sudo systemctl enable hostapd - cumulus@switch:~$ sudo systemctl restart hostapd - -{{< /tab >}} -{{< /tabs >}} + ``` + cumulus@switch:~$ sudo systemctl enable hostapd + cumulus@switch:~$ sudo systemctl restart hostapd + ``` ### Pre-auth ACLs 
@@ -809,35 +720,16 @@ The pre-auth ACL is always applied to dynamic ACL-enabled 802.1X ports, even aft If you don't use the default pre-auth ACL and don't create your own, all traffic gets denied. {{%/notice%}} -To create your own pre-auth ACL file, complete the following steps. - -{{< tabs "TabID1035 ">}} - -{{< tab "NCLU Commands ">}} - -Create the pre-auth ACL file as shown in **Linux Commands** below, then run the `net add dot1x default-dacl-preauth-filename ` command. +Create your own pre-auth ACL file in the `/etc/cumulus/acl/policy.d/dot1x_preauth_dacl/` directory. For example, the following file allows for DHCP, DNS and PXE to operate before authorizing the supplicant: ``` -cumulus@switch:~$ net add dot1x default-dacl-preauth-filename my_preauth_dacl.rules -cumulus@switch:~$ net pending -cumulus@switch:~$ net commit +cumulus@switch:~$ sudo nano /etc/cumulus/acl/policy.d/dot1x_preauth_dacl/my_preauth_dacl.rules +[ebtables] +-A FORWARD -p IPV4 --ip-dst 8.8.8.8/32 --ip-protocol UDP --ip-dport 53 -j ACCEPT # DNS +-A FORWARD -p IPV4 --ip-protocol UDP --ip-dport 67 --ip-sport 68 -j ACCEPT # DHCP +-A FORWARD -p IPV4 --ip-dst 192.168.1.1/32 -j ACCEPT # PXE ``` -{{< /tab >}} - -{{< tab "Linux Commands ">}} - -Create your own pre-auth ACL file in the `/etc/cumulus/acl/policy.d/dot1x_preauth_dacl/` directory. 
For example, the following file allows for DHCP, DNS and PXE to operate before authorizing the supplicant: - - cumulus@switch:~$ sudo nano /etc/cumulus/acl/policy.d/dot1x_preauth_dacl/my_preauth_dacl.rules - [ebtables] - -A FORWARD -p IPV4 --ip-dst 8.8.8.8/32 --ip-protocol UDP --ip-dport 53 -j ACCEPT # DNS - -A FORWARD -p IPV4 --ip-protocol UDP --ip-dport 67 --ip-sport 68 -j ACCEPT # DHCP - -A FORWARD -p IPV4 --ip-dst 192.168.1.1/32 -j ACCEPT # PXE - -{{< /tab >}} -{{< /tabs >}} - ## Multi Domain Authentication (MDA) Cumulus Linux supports Multi Domain Authentication (MDA), where 802.1X is extended to allow authorization of multiple devices (a data and a voice device) on a single port and assign different VLANs to the devices based on authorization. @@ -852,7 +744,7 @@ MDA is enabled by default; however, you need to assign a tagged VLAN for voice d To show which interfaces are enabled for 802.1X, run the `nv show interface dot1x` command. The `Interfaces` line shows all 802.1X-enabled interfaces while the `Dynamic ACL Interfaces` line shows only 802.1X interfaces enabled for DACLs: ``` -cumulus@switch:~$ nv show interface dot1x +cumulus@switch:~$ nv show interface swp1 dot1x Hostapd IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator Daemon Attribute Value @@ -868,7 +760,7 @@ Dynamic VLAN Status Disabled 8021x ACL Rules 10 used/256 max ``` -To see which interfaces have attempted authorization for DACLs, run `nv show interface –view=dot1x-summary`: +To see which interfaces have attempted authorization for DACLs, run `nv show interface dot1x-summary`: ``` cumulus@switch:~$ nv show interface –view=dot1x-summary 
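Review bot: In the -868,7 hunk, the sentence is updated to `nv show interface dot1x-summary` but the example directly under it still runs `cumulus@switch:~$ nv show interface –view=dot1x-summary`, with an en dash in place of a hyphen. Change the example to the same command the sentence names; the -388,8 hunk already does this for the other occurrence. In the -852,7 hunk just above, the example becomes `nv show interface swp1 dot1x` while the sentence still says to run `nv show interface dot1x` and describes output listing all 802.1X-enabled interfaces, so the sentence and the command need to agree there too.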
@@ -879,7 +771,7 @@ swp1 00:02:00:00:00:01 host1 AUTHORIZED MD5 NO swp2 00:02:00:00:00:02 host2 AUTHORIZED MD5 NO YES ``` -To determine the name of the DACL rules file for an interface after authorization and after receiving DACL rules, run `nv show interface dot1x `. Look for the DACL Filename line: +To determine the name of the DACL rules file for an interface after authorization and after receiving DACL rules, run `nv show interface dot1x `. Look for the `DACL Filename` line: ``` cumulus@switch:~$ nv show interface swp1 dot1x @@ -902,7 +794,7 @@ swp1 00:02:00:00:00:01 Status Flags [AUTHORIZED] To see which ACLs are applied to a given interface, run `cl-acltool -L eb | grep `. ``` -cumulus@switch:~$ net show dot1x interface swp2 applied-acls +cumulus@switch:~$ cl-acltool -L eb | grep swp2 swp2 EBTABLES ACLs ======================== @@ -948,7 +840,7 @@ swp2 EBTABLES ACLs ## Configure MAC Addresses per Port -You can specify the maximum number of authenticated MAC addresses allowed on a port. You can specify any number between 0 and 255. The default value is 4. +You can specify the maximum number of authenticated MAC addresses allowed on a port. You can specify any number between 0 and 255. The default value is 6. The following example sets the maximum number of authenticated MAC addresses to 10. @@ -1001,11 +893,12 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} + ## RADIUS Change of Authorization and Disconnect Requests 
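Review bot: The replacement command in the -902,7 hunk, `cumulus@switch:~$ cl-acltool -L eb | grep swp2`, runs without `sudo`, while the troubleshooting hunk (-1433,13) runs the same tool as `sudo cl-acltool -L eb | grep swp1`. Use the `sudo` form in both places and in the sentence that introduces the command. In the -948,7 hunk the default for authenticated MAC addresses per port changes from 4 to 6 with no other change nearby; please confirm the new value against the shipped default.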
@@ -1025,66 +919,10 @@ Extensions to the RADIUS protocol (RFC 5176) enable the Cumulus Linux switch to ### Configure DAS -To configure DAS, provide the UDP port (3799 is the default port), the IP address, and the secret key for the DAS client. - -{{< tabs "TabID1257 ">}} - -{{< tab "NCLU Commands ">}} - -The following example commands set the UDP port to the default port, the IP address of the DAS client to 10.0.2.228, and the secret key to myclientsecret: - -``` -cumulus@switch:~$ net add dot1x radius das-port default -cumulus@switch:~$ net add dot1x radius das-client-ip 10.0.2.228 das-client-secret mysecret123 -cumulus@switch:~$ net commit -``` - -You can specify a VRF so that incoming RADIUS disconnect and CoA commands are received and acknowledged on the correct interface when VRF is configured. The following example specifies VRF turtle: - -``` -cumulus@switch:~$ net add dot1x radius das-port default -cumulus@switch:~$ net add dot1x radius das-client-ip 10.0.2.228 vrf turtle das-client-secret mysecret123 -cumulus@switch:~$ net commit -``` - -You can configure up to four DAS clients to be authorized to send CoA commands. For example: - -``` -cumulus@switch:~$ net add dot1x radius das-port default -cumulus@switch:~$ net add dot1x radius das-client-ip 10.20.250.53 das-client-secret mysecret1 -cumulus@switch:~$ net add dot1x radius das-client-ip 10.0.1.7 das-client-secret mysecret2 -cumulus@switch:~$ net add dot1x radius das-client-ip 10.20.250.99 das-client-secret mysecret3 -cumulus@switch:~$ net add dot1x radius das-client-ip 10.10.0.0.2 das-client-secret mysecret4 -cumulus@switch:~$ net pending -cumulus@switch:~$ net commit -``` - -To see DAS configuration information, run the `net show configuration dot1x` command. 
For example: - -``` -cumulus@switch:~$ net show configuration dot1x - -dot1x - mab-activation-delay 5 - eap-reauth-period 0 - parking-vlan-id 100 - dynamic-vlan +Edit the `/etc/hostapd.conf` file to add the following options to configure the UDP port (3799 is the default port), the IP address and secret key for the DAS client: - radius - accounting-port 1813 - das-client-ip 10.0.2.228 das-client-secret mysecret123 - authentication-port 1812 - das-port 3799 -``` - -{{< /tab >}} - -{{< tab "Linux Commands ">}} - -Edit the `/etc/hostapd.conf` file to add the following options to configure the UDP port, the IP address and secret key for the DAS client: - -- radius\_das\_port -- radius\_das\_client +- `radius_das_port` +- `radius_das_client` The following example sets the UDP port to the default port, the IP address of the DAS client to 10.0.2.228, and the secret key to mysecret123: @@ -1122,29 +960,7 @@ Restart the `hostapd` service: cumulus@switch:~$ sudo systemctl restart hostapd ``` -{{< /tab >}} - -{{< /tabs >}} - -You can disable DAS in Cumulus Linux at any time by running the -following commands: - -{{< tabs "TabID1359 ">}} - -{{< tab "NCLU Commands ">}} - -``` -cumulus@switch:~$ net del dot1x radius das-port -cumulus@switch:~$ net del dot1x radius das-client-ip -cumulus@switch:~$ net pending -cumulus@switch:~$ net commit -``` - -{{< /tab >}} - -{{< tab "Linux Commands ">}} - -Edit the `/etc/hostapd.conf` file to remove the following options: +To disable DAS, edit the `/etc/hostapd.conf` file to remove the following options: - `radius_das_port` - `radius_das_client` 
@@ -1155,10 +971,6 @@ Restart the `hostapd` service: cumulus@switch:~$ sudo systemctl restart hostapd ``` -{{< /tab >}} - -{{< /tabs >}} - ### Terminate a User Session From the DAC, users can create a disconnect message using the `radclient` utility (included in the Debian `freeradius-utils` package) on the RADIUS server or other authorized client. A disconnect message is sent as an unsolicited RADIUS Disconnect-Request packet to the switch to terminate a user session and discard all associated session context. The Disconnect-Request packet is used when the RADIUS server wants to disconnect the user after the session has been accepted by the RADIUS Access-Accept packet. @@ -1257,23 +1069,7 @@ Cisco-AVPair: subscriber:command=bounce-host-port You can send the NAS IPv4 or IPv6 address in access request and accounting packets. You can only configure one NAS IP address on the switch, which is used for all interface authorizations. -To configure the NAS IP address, run the following commands: - -{{< tabs "TabID1489 ">}} - -{{< tab "NCLU Commands ">}} - -The following command example sets the NAS IP address to 10.0.0.1: - -``` -cumulus@switch:~$ net add dot1x radius nas-ip-address 10.0.0.1 -``` - -{{< /tab >}} - -{{< tab "Linux Commands ">}} - -Edit the `/etc/hostapd.conf` file and configure the `own_ip_addr` setting with the NAS IP address: +To configure the NAS IP address, edit the `/etc/hostapd.conf` file and configure the `own_ip_addr` setting with the NAS IP address: ``` cumulus@switch:~$ sudo nano /etc/hostapd.conf @@ -1296,12 +1092,6 @@ cumulus@switch:~$ sudo systemctl enable hostapd cumulus@switch:~$ sudo systemctl restart hostapd ``` -{{< /tab >}} - -{{< /tabs >}} - -To delete the NAS IP address, either run the NCLU `net del dot1x radius nas-ip-address` command or edit the `/etc/hostapd.conf` file. - ## Troubleshooting To check connectivity between two supplicants, ping one host from the other: 
@@ -1433,13 +1223,13 @@ cumulus@switch:~$ sudo journalctl -f -u hostapd # continuous tail of To check ACL rules in `/etc/cumulus/acl/policy.d/100_dot1x_swpX.rules` before and after a supplicant attempts to authenticate: ``` -cumulus@switch:~$ sudo cl-acltool -L eb | grep swpXX -cumulus@switch:~$ sudo cl-netstat | grep swpXX # look at interface counters +cumulus@switch:~$ sudo cl-acltool -L eb | grep swp1 +cumulus@switch:~$ sudo cl-netstat | grep swp1 # look at interface counters ``` To check `tc` rules in `/var/lib/hostapd/acl/tc_swpX.rules` with: ``` -cumulus@switch:~$ sudo tc -s filter show dev swpXX parent 1: -cumulus@switch:~$ sudo tc -s filter show dev swpXX parent ffff: +cumulus@switch:~$ sudo tc -s filter show dev swp1 parent 1: +cumulus@switch:~$ sudo tc -s filter show dev swp1 parent ffff: ``` diff --git a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md index a6fd31e5a8..c7ddc124bc 100644 --- a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md +++ b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md 
@@ -10,10 +10,10 @@ Cumulus Linux provides an ASIC monitoring tool that collects and distributes dat - Packet buffer congestion that might lead to packet drops - Network problems with a particular switch, port, or traffic class -Cumulus Linux provides several histograms: -- The *egress queue length* histogram provides information about egress buffer utilization over time. -- The *ingress queue lengths* histogram provides information about ingress buffer utilization over time. -- The *counter* histogram provides information about bandwidth utilization for a port over time. +Cumulus Linux provides: +- The *egress queue length* histogram, which provides information about egress buffer utilization over time. +- The *ingress queue lengths* histogram, which provides information about ingress buffer utilization over time. +- The *counter* histogram, which provides information about bandwidth utilization for a port over time. ## Histogram Collection Example @@ -343,7 +343,7 @@ The following example creates the `/var/lib/cumulus/histogram_stats` snapshot ev ``` cumulus@switch:~$ nv set service telemetry snapshot-file name /var/lib/cumulus/histogram_stats cumulus@switch:~$ nv set service telemetry snapshot-file count 30 -cumulus@switch:~$ nv set service telemetry snapshot-interval 5s +cumulus@switch:~$ nv set service telemetry snapshot-interval 5 cumulus@switch:~$ nv config apply ``` @@ -354,7 +354,7 @@ Edit the `snapshot.file` settings in the `/etc/cumulus/datapath/monitor.conf` fi | Setting| Description| |------- |----------- | -| `.action_list` | Specifies one or more actions that occur when data collects:
`snapshot` writes a snapshot of the data collection results to a file. If you specify this action, you must also specify a snapshot file (described below). You can also specify a threshold that initiates the snapshot action.

Example:
monitor.histogram_pg.action_list = [snapshot]
`monitor.histogram_pg.snapshot.file = /var/lib/cumulus/histogram_stats`
`collect` gathers additional data. If you specify this action, you must also specify the port groups for the additional data you want to collect.

Example:
monitor.histogram_pg.action_list = [collect
monitor.histogram_pg.collect.port_group_list = [buffers_pg,all_packet_pg]
`log` sends a message to the `/var/log/syslog` file. If you specify this action, you must also specify a threshold that initiates the log action.
Example:
monitor.histogram_pg.action_list = [log]
monitor.histogram_pg.log.queue_bytes = 500
You can use all three of these actions in one monitoring step. For example
monitor.histogram_pg.action_list = [snapshot,collect,log]
**Note**: If an action appears in the action list but does not have the required settings (such as a threshold for the log action), the ASIC monitor stops and reports an error. | +| `.action_list` | Specifies one or more actions that occur when data collects:
`snapshot` writes a snapshot of the data collection results to a file. If you specify this action, you must also specify a snapshot file (described below). You can also specify a threshold that initiates the snapshot action.

Example:
monitor.histogram_pg.action_list = [snapshot]
`collect` gathers additional data. If you specify this action, you must also specify the port groups for the additional data you want to collect.

Example:
monitor.histogram_pg.action_list = [collect
monitor.histogram_pg.collect.port_group_list = [buffers_pg,all_packet_pg]
`log` sends a message to the `/var/log/syslog` file. If you specify this action, you must also specify a threshold that initiates the log action.
Example:
monitor.histogram_pg.action_list = [log]
monitor.histogram_pg.log.queue_bytes = 500
You can use all three of these actions in one monitoring step. For example
monitor.histogram_pg.action_list = [snapshot,collect,log]
**Note**: If an action appears in the action list but does not have the required settings (such as a threshold for the log action), the ASIC monitor stops and reports an error. | | `.snapshot.file` | Specifies the name for the snapshot file. All snapshots use this name, with a sequential number appended to it. See the `snapshot.file_count` setting.

Example:
monitor.histogram_pg.snapshot.file = /var/lib/cumulus/histogram_stats
| | `.snapshot.file_count` | Specifies the number of snapshots that can be created before the first snapshot file is overwritten. In the following example, because the snapshot file count is set to 64, the first snapshot file is named histogram_stats_0 and the 64th snapshot is named histogram_stats_63. When the 65th snapshot is taken, the original snapshot file (histogram_stats_0) is overwritten and the sequence restarts.

Example:
monitor.histogram_pg.snapshot.file_count = 64
**Note**: While more snapshots provide you with more data, they can occupy a lot of disk space on the switch. | @@ -460,10 +460,10 @@ When collecting data, the switch uses both the CPU and SDK process, which can af ## Show Histogram Information -To show a list of the interfaces on which histograms are enabled, run the `nv show service telemetry histogram interfaces` command: +To show a list of the interfaces on which histograms are enabled, run the `nv show service telemetry histogram interface` command: ``` -cumulus@switch:~$ nv show service telemetry histogram interfaces +cumulus@switch:~$ nv show service telemetry histogram interface Interface ingress-buffer egress-buffer counter --------------------------------------------------------------------------------------- swp1 0,1,2 - tx-byte,rx-byte From 93084db17b00b9c9266340d2efd5f2e36e1c0152 Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Wed, 15 Nov 2023 09:58:27 -0500 Subject: [PATCH 025/204] 3670258 fixed AR command --- .../Monitor-Operations/Monitor-Adaptive-Routing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/cumulus-netq-48/Monitor-Operations/Monitor-Adaptive-Routing.md b/content/cumulus-netq-48/Monitor-Operations/Monitor-Adaptive-Routing.md index b577a4fe9e..0366e913f9 100644 --- a/content/cumulus-netq-48/Monitor-Operations/Monitor-Adaptive-Routing.md +++ b/content/cumulus-netq-48/Monitor-Operations/Monitor-Adaptive-Routing.md @@ -19,11 +19,11 @@ To display adaptive routing data, you must have adaptive routing configured on t ## Adaptive Routing Commands -Monitor adaptive routing with the {{}} command. +Monitor adaptive routing with the {{}} command. ``` -netq show adaptive routing config global -netq show adaptive routing config interface +netq show adaptive-routing config global +netq show adaptive-routing config interface ``` ## Access the Adaptive Routing Dashboard From dd11eb013f22a5befef79d6627fc8c9477b39275 Mon Sep 17 00:00:00 2001 
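Review bot: In the Configure DAS hunk (`@@ -1025,66 +919,10 @@`, 802.1X page), deleting the NCLU tab also deletes the statements that a VRF can be specified so that RADIUS disconnect and CoA commands are received on the correct interface, and that up to four DAS clients can be authorized. The added `/etc/hostapd.conf` sentence restates neither. If both are still supported through `radius_das_client`, carry them into the Linux instructions with an example; if not, say so explicitly. Because the section now directs the reader to place the DAS client secret key in `/etc/hostapd.conf`, a sentence on keeping that file readable only by root would also fit here.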
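Review bot: In the Troubleshooting hunk (`@@ -1433,13 +1223,13 @@`, 802.1X page), the four commands now use `swp1` while the unchanged sentences around them still name `100_dot1x_swpX.rules` and `tc_swpX.rules`, so the page mixes a concrete port with a placeholder. Keep `swp1` in the commands and state once that it stands for the port under test, or use the same placeholder in both places. The context line "To check `tc` rules in `/var/lib/hostapd/acl/tc_swpX.rules` with:" is an incomplete sentence and could be fixed in the same pass.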
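Review bot: In the `@@ -343,7 +343,7 @@` hunk of ASIC-Monitoring.md, `snapshot-interval 5s` becomes `snapshot-interval 5`, which leaves the unit of the value implicit in the command. Check that the sentence introducing the example names the unit, so a reader copying the command does not have to guess what `5` means.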
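Review bot: In the `.action_list` table row rewritten by the `@@ -354,7 +354,7 @@` hunk of ASIC-Monitoring.md, the added row still carries `monitor.histogram_pg.action_list = [collect` without its closing `]`, and "For example" without a colon before the combined `[snapshot,collect,log]` line. Since the row is being rewritten anyway, fix both here. The snapshot example also loses its `monitor.histogram_pg.snapshot.file = /var/lib/cumulus/histogram_stats` line while the text still says a snapshot file must be specified, so confirm that "(described below)" clearly points at the `.snapshot.file` row.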
From: rachel-netq Date: Wed, 15 Nov 2023 12:34:16 -0500 Subject: [PATCH 026/204] hid nvlink docs --- content/cumulus-netq-48/NVLink4/Debugging-Files.md | 1 + content/cumulus-netq-48/NVLink4/Edit-GFM-Variables.md | 1 + content/cumulus-netq-48/NVLink4/NVLink-Quick-Start-Guide.md | 1 + content/cumulus-netq-48/NVLink4/NVLink4-Domains.md | 1 + content/cumulus-netq-48/NVLink4/NVLink4-Events.md | 1 + content/cumulus-netq-48/NVLink4/NVLink4-Inventory.md | 1 + content/cumulus-netq-48/NVLink4/NVLink4-fluentd.md | 1 + content/cumulus-netq-48/NVLink4/NVOS-Management.md | 1 + content/cumulus-netq-48/NVLink4/_index.md | 1 + 9 files changed, 9 insertions(+) diff --git a/content/cumulus-netq-48/NVLink4/Debugging-Files.md b/content/cumulus-netq-48/NVLink4/Debugging-Files.md index dceaa532f0..9584ed15da 100644 --- a/content/cumulus-netq-48/NVLink4/Debugging-Files.md +++ b/content/cumulus-netq-48/NVLink4/Debugging-Files.md @@ -3,6 +3,7 @@ title: Debugging Files author: NVIDIA weight: 1153 toc: 3 +bookhidden: true --- diff --git a/content/cumulus-netq-48/NVLink4/Edit-GFM-Variables.md b/content/cumulus-netq-48/NVLink4/Edit-GFM-Variables.md index 7f5d3be540..2870c0d463 100644 --- a/content/cumulus-netq-48/NVLink4/Edit-GFM-Variables.md +++ b/content/cumulus-netq-48/NVLink4/Edit-GFM-Variables.md @@ -3,6 +3,7 @@ title: Edit GFM Variables author: NVIDIA weight: 1153 toc: 3 +bookhidden: true --- diff --git a/content/cumulus-netq-48/NVLink4/NVLink-Quick-Start-Guide.md b/content/cumulus-netq-48/NVLink4/NVLink-Quick-Start-Guide.md index f59ef834fe..0a24c1ccf4 100644 --- a/content/cumulus-netq-48/NVLink4/NVLink-Quick-Start-Guide.md +++ b/content/cumulus-netq-48/NVLink4/NVLink-Quick-Start-Guide.md @@ -3,6 +3,7 @@ title: NVLink Quick Start Guide author: NVIDIA weight: 1000 toc: 3 +bookhidden: true --- diff --git a/content/cumulus-netq-48/NVLink4/NVLink4-Domains.md b/content/cumulus-netq-48/NVLink4/NVLink4-Domains.md index 46a9aef111..4c196e126b 100644 
--- a/content/cumulus-netq-48/NVLink4/NVLink4-Domains.md +++ b/content/cumulus-netq-48/NVLink4/NVLink4-Domains.md @@ -3,6 +3,7 @@ title: Domain Management author: NVIDIA weight: 1100 toc: 3 +bookhidden: true --- diff --git a/content/cumulus-netq-48/NVLink4/NVLink4-Events.md b/content/cumulus-netq-48/NVLink4/NVLink4-Events.md index 0f5cf82766..6434023597 100644 --- a/content/cumulus-netq-48/NVLink4/NVLink4-Events.md +++ b/content/cumulus-netq-48/NVLink4/NVLink4-Events.md @@ -3,6 +3,7 @@ title: NVLink4 Events author: NVIDIA weight: 1150 toc: 3 +bookhidden: true --- diff --git a/content/cumulus-netq-48/NVLink4/NVLink4-Inventory.md b/content/cumulus-netq-48/NVLink4/NVLink4-Inventory.md index 41cc5485ea..a29ae13628 100644 --- a/content/cumulus-netq-48/NVLink4/NVLink4-Inventory.md +++ b/content/cumulus-netq-48/NVLink4/NVLink4-Inventory.md @@ -3,6 +3,7 @@ title: NVLink4 Inventory author: NVIDIA weight: 1150 toc: 3 +bookhidden: true --- diff --git a/content/cumulus-netq-48/NVLink4/NVLink4-fluentd.md b/content/cumulus-netq-48/NVLink4/NVLink4-fluentd.md index 1bc9815d4a..e93f0a75d6 100644 --- a/content/cumulus-netq-48/NVLink4/NVLink4-fluentd.md +++ b/content/cumulus-netq-48/NVLink4/NVLink4-fluentd.md @@ -3,6 +3,7 @@ title: Fluentd Reference author: NVIDIA weight: 1154 toc: 3 +bookhidden: true --- diff --git a/content/cumulus-netq-48/NVLink4/NVOS-Management.md b/content/cumulus-netq-48/NVLink4/NVOS-Management.md index d4c2bbab40..27fee6f013 100644 --- a/content/cumulus-netq-48/NVLink4/NVOS-Management.md +++ b/content/cumulus-netq-48/NVLink4/NVOS-Management.md @@ -3,6 +3,7 @@ title: NVOS Management author: NVIDIA weight: 1152 toc: 4 +bookhidden: true --- NVOS images are managed with lifecycle management in the NetQ UI. This section details how to check for missing images, upload images, and specify default images. You can download NVOS images from the {{}}. 
diff --git a/content/cumulus-netq-48/NVLink4/_index.md b/content/cumulus-netq-48/NVLink4/_index.md index 67871adf96..2cde458e54 100644 --- a/content/cumulus-netq-48/NVLink4/_index.md +++ b/content/cumulus-netq-48/NVLink4/_index.md @@ -2,6 +2,7 @@ title: NVLink4 author: NVIDIA weight: 1090 +draft: true --- With NetQ, you can monitor the performance of your NVLink devices, manage NVOS upgrades, create NVLink domains, and troubleshoot issues. This section describes the NetQ integration with NVLink4. From bb4aa2410c85606a986362d8096af40f786b8725 Mon Sep 17 00:00:00 2001 
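Review bot: In the last hunk of this patch, `content/cumulus-netq-48/NVLink4/_index.md` gets `draft: true` while the eight other NVLink4 pages get `bookhidden: true`, and the commit message ("hid nvlink docs") does not explain the difference. The two keys do different things: a hidden page is normally still built and reachable by its URL, while a draft is skipped when the site builds without drafts. If the intent is to unpublish the section, the child pages need the same treatment as `_index.md`; if the intent is only to remove it from navigation, use `bookhidden: true` on `_index.md` too. State which one is meant in the commit message.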
From: Stu Clark Date: Wed, 15 Nov 2023 15:19:33 -0500 Subject: [PATCH 027/204] run 4.3.2 FOSS processing --- content/cumulus-linux-43/Whats-New/foss.md | 695 ++++----- .../Whats-New/licenses/bind9.txt | 159 ++ .../Whats-New/licenses/curl-dbgsym.txt | 1 + .../grub-efi-amd64-signed-template.txt | 37 +- .../Whats-New/licenses/grub2-common.txt | 377 ++++- .../Whats-New/licenses/libbind-dev.txt | 159 ++ .../Whats-New/licenses/libcbor0.txt | 54 + .../licenses/libcurl3-nss-dbgsym.txt | 1 + .../Whats-New/licenses/libcurl3-nss.txt | 241 +++ .../Whats-New/licenses/libcurl4-doc.txt | 241 +++ .../Whats-New/licenses/libfido2-1.txt | 91 ++ .../Whats-New/licenses/libkrb5-dbg.txt | 1338 +++++++++++++++++ .../Whats-New/licenses/libncursesw6-dbg.txt | 1 + .../Whats-New/licenses/libnginx-mod-rtmp.txt | 201 +++ .../Whats-New/licenses/libssl-doc.txt | 135 ++ .../Whats-New/licenses/libssl1.1-dbgsym.txt | 1 + .../Whats-New/licenses/libsystemd-dev.txt | 119 +- .../Whats-New/licenses/libsystemd0.txt | 119 +- .../Whats-New/licenses/libudev-dev.txt | 119 +- .../Whats-New/licenses/libudev1.txt | 119 +- .../Whats-New/licenses/libxpm-dev.txt | 71 + .../Whats-New/licenses/libzstd-dev.txt | 133 ++ .../Whats-New/licenses/libzstd1.txt | 2 +- .../Whats-New/licenses/openssl-dbgsym.txt | 1 + .../Whats-New/licenses/python3-pip.txt | 111 ++ .../Whats-New/licenses/python3-pycurl.txt | 42 + .../Whats-New/licenses/python3-scapy.txt | 27 + .../Whats-New/licenses/python3-systemd.txt | 33 + .../Whats-New/licenses/python3-texttable.txt | 50 + .../licenses/python3-typing-extensions.txt | 57 + .../Whats-New/licenses/python3.7-doc.txt | 995 ++++++++++++ .../Whats-New/licenses/smartmontools.txt | 137 +- .../Whats-New/licenses/ssh.txt | 247 +++ .../Whats-New/licenses/systemd-timesyncd.txt | 262 ++++ .../Whats-New/licenses/systemd.txt | 119 +- .../Whats-New/licenses/time.txt | 54 + .../Whats-New/licenses/udev.txt | 119 +- .../Whats-New/licenses/zsh-common.txt | 163 ++ .../Whats-New/licenses/zsh.txt | 163 ++ 
utils/build_foss_licenses.py | 2 +- 40 files changed, 6474 insertions(+), 522 deletions(-) create mode 100644 content/cumulus-linux-43/Whats-New/licenses/bind9.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/curl-dbgsym.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libbind-dev.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libcbor0.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss-dbgsym.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libcurl4-doc.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libfido2-1.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libkrb5-dbg.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libncursesw6-dbg.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libnginx-mod-rtmp.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libssl-doc.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libssl1.1-dbgsym.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libxpm-dev.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/libzstd-dev.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/openssl-dbgsym.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/python3-pip.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/python3-pycurl.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/python3-scapy.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/python3-systemd.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/python3-texttable.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/python3-typing-extensions.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/python3.7-doc.txt create mode 100644 
content/cumulus-linux-43/Whats-New/licenses/ssh.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/systemd-timesyncd.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/time.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/zsh-common.txt create mode 100644 content/cumulus-linux-43/Whats-New/licenses/zsh.txt diff --git a/content/cumulus-linux-43/Whats-New/foss.md b/content/cumulus-linux-43/Whats-New/foss.md index 9a7e88c914..f875cc6f0c 100644 --- a/content/cumulus-linux-43/Whats-New/foss.md +++ b/content/cumulus-linux-43/Whats-New/foss.md @@ -7,7 +7,7 @@ version: "4.3" toc: 1 pdfhidden: True --- -## 4.3.1 Open Source Software Licenses +## 4.3.2 Open Source Software Licenses | Package | Version | License(s) | |--- |--- |--- | | {{}} | 1.7-1.1 | GPL | 
@@ -36,18 +36,19 @@ pdfhidden: True | {{}} | 0.19.8.1-9 | GFDL; GPL; LGPL | | {{}} | 20180224.1 | GPL | | {{}} | 1.5.6-2+deb10u1 | GPL; GPL-2; GPL-3; GPL-3+; LGPL-2.1; MIT | -| {{}} | 10.3+deb10u12 | GPL | +| {{}} | 10.3+deb10u13 | GPL | | {{}} | 3.5.46 | GPL-2(update-passwd.c | | {{}} | 5.0-4 | GPL; GPL-3 | | {{}} | 2.8-6 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | | {{}} | 1.07.1-2+b1 | GPL-2.0+(* ); permissive(doc/dc.info); permissive'(doc/bc.texi); GPL-2.0+ with Texinfo exception(doc/texinfo.tex); X11 and public-domain(install-sh); GPL-2.0+(debian/* ); GPL-2.0+(debian/* ) | -| {{}} | 6.5.14-cl4u4 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 6.5.14-cl4u4 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 6.5.14-cl4u4 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 6.5.14-cl4u4 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 6.5.14-cl4u4 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 6.5.14-cl4u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 6.5.14-cl4u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 6.5.14-cl4u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 6.5.14-cl4u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 6.5.14-cl4u5 | Cumulus Networks Proprietary(* 
); GPL-2(debian/* ) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | | {{}} | 2.2.0-2 | GPL-3+(* ) | | {{}} | 2.31.1-16 | GFDL; GPL; LGPL | | {{}} | 2.31.1-16 | GFDL; GPL; LGPL | 
@@ -71,7 +72,7 @@ pdfhidden: True | {{}} | 0.41-8.1 | LGPL-2.1(* ); BSD-3-clause or GPL-2 | | {{}} | 0.41-8.1 | LGPL-2.1(* ); BSD-3-clause or GPL-2 | | {{}} | 0.16-2+b1 | GPL | -| {{}} | 1.4.0-cl4.3.1u10 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* ); GPL-2(debian/* ) | +| {{}} | 1.4.0-cl4.3.2u11 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* ); GPL-2(debian/* ) | | {{}} | 7.0-47 | GPL | | {{}} | 7.0.1-8+deb10u2 | U-OF-I-BSD-LIKE(* ); LLVM(* /install-sh); Expat(clang/lib/Headers/* ); Expat(clang/lib/Headers/iso646.h); Expat(clang/lib/Headers/limits.h); Expat(clang/lib/Headers/stdarg.h); Expat(clang/lib/Headers/stdbool.h); Expat(clang/lib/Headers/stddef.h); Expat(clang/lib/Headers/stdint.h); Expat(clang/lib/Headers/tgmath.h); U-OF-I-BSD-LIKE or MIT(compiler-rt/* ); MIT(compiler-rt/lib/BlocksRuntime/Block.h); MIT(compiler-rt/lib/BlocksRuntime/Block_private.h); MIT(compiler-rt/lib/BlocksRuntime/data.c); MIT(compiler-rt/lib/BlocksRuntime/runtime.c); U-OF-I-BSD-LIKE(include/llvm/Support/* ); BSD-3-clause(lib/Support/reg* ); solar-public-domain(lib/Support/MD5.cpp llvm/include/llvm/Support/MD5.h); ARM(lib/Target/ARM/* ); NCSA(lldb/* ); Expat(lldb/test/pexpect-2.4/* ); Expat(lldb/test/pexpect-2.4/* ); Python(lldb/test/unittest2/* ); Polly(polly/* ); public-domain(polly/lib/JSON/* ); U-OF-I-BSD-LIKE or MIT(polly/tools/GPURuntime/* ); MIT(test/YAMLParser/* ); Apple(lldb/tools/debugserver/source/MacOSX/stack_logging.h); BSD-3-Clause(utils/unittest/googletest/* ); BSD-3-Clause(libcxx/* ); NCSA or MIT(libcxx* /* ); U-OF-I-BSD-LIKE(openmp/* ); U-OF-I-BSD-LIKE(openmp/* ); MIT(openmp/* ) | | {{}} | 4.0-cl4.3.1u2 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | 
@@ -83,7 +84,7 @@ pdfhidden: True | {{}} | 5.5 | GPL-2+(* ); Expat(displace.sh.in); Expat(examples/* ); Expat(examples/* ) | | {{}} | 1.4.5-2 | GPL-2+(* ); GPL-2+(src/cache.c src/cache-ct.c src/cache-exp.c src/external_cache.c src/external_inject.c src/internal_bypass.c src/internal_cache.c src/main.c src/netlink.c src/network.c src/parse.c src/run.c src/stats-mode.c src/sync-alarm.c src/sync-ftfw.c src/sync-mode.c src/sync-notrack.c); GPL-2+(src/filter.c); GPL-2+(src/rbtree.c); GPL-2+(src/utils.c); GPL-2+(src/conntrack.c); GPL-2+(src/systemd.c conntrackd.conf.5); GPL-2+(src/systemd.c conntrackd.conf.5) | | {{}} | 1.193~deb10u1 | NO COPYRIGHT FILE | -| {{}} | 1.6.8-1 | Apache-2.0(* ); Apache-2.0(debian/* ); Apache-2.0(debian/* ) | +| {{}} | 1.6.24-1 | Apache-2.0(* ); Apache-2.0(debian/* ); Apache-2.0(debian/* ) | | {{}} | 1.1.0-13+b1 | LGPL-2.1(debian/* ); GPL-2+(conf* * am * in ac* lt* missing); MIT/X(install-sh); LGPL-2.1(install-sh) | | {{}} | 8.30-3 | GPL; GPL-3 | | {{}} | 2.12+dfsg-9 | GPL; GPL-3 | 
@@ -95,47 +96,48 @@ pdfhidden: True | {{}} | 7.2.8-1+cl4u1 | NO COPYRIGHT FILE | | {{}} | 3.0pl1-133-cl4.3.1u4 | Paul-Vixie's-license(* ); Paul-Vixie's-license and GPL-2+ and ISC(database.c); GPL-2+(debian/examples/cron-stats.pl); GPL-2+(debian/examples/cron-tasks-review.sh); Artistic(debian/examples/crontab2english.pl); Paul-Vixie's-license(debian/examples/crontab2english.pl); GPL-2+(debian/examples/crontab2english.pl); Artistic(debian/examples/crontab2english.pl); ISC(debian/examples/crontab2english.pl) | | {{}} | 3.0pl1-133-cl4.3.1u4 | NO COPYRIGHT FILE | -| {{}} | 1.0-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 1.0-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 1.0-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 1.0-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 1.5-1+b2 | LGPL-2-with-linking-exception(* ); GPL-2+(debian/* ) | | {{}} | 4-cl4.3.1u2 | Cumulus Networks Proprietary | -| {{}} | 4.3.1 | GPL-2(* ) | +| {{}} | 4.3.2 | GPL-2(* ) | | {{}} | 1.0-cl4.3.1u2 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 0.1-cl4.3.1u2 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 4.0-cl4.3.0u1 | GPL-2(* ); GPL-2(debian/* ); GPL-2(debian/* ) | | {{}} | 4.0-cl4.3.1u4 | GPL-2(* ) | | {{}} | 4.0-cl4.3.1u2 | LGPL-2.1(* ); LGPL-2.1(dist-packages/eeprom_ipmi_fru.py); GPL-2(debian/* ) | | {{}} | 1.0.0-cl4.3.1u16 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 1-cl4.3.1u4 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 1.0.0-cl4.3.1u9 | GPL-3.0+(* ); GPL-3.0+(debian/* ); GPL-3.0+(debian/* ) | -| {{}} | 1.0.0-cl4.3.1u9 | GPL-3.0+(* ); GPL-3.0+(debian/* ); GPL-3.0+(debian/* ) | -| {{}} | 1.0.0-cl4.3.1u9 | GPL-3.0+(* ); GPL-3.0+(debian/* ); GPL-3.0+(debian/* ) | +| {{}} | 1-cl4.3.2u4 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 1.0.0-cl4.3.1u14 | GPL-3.0+(* ); GPL-3.0+(debian/* ); 
GPL-3.0+(debian/* ) | +| {{}} | 1.0.0-cl4.3.1u14 | GPL-3.0+(* ); GPL-3.0+(debian/* ); GPL-3.0+(debian/* ) | +| {{}} | 1.0.0-cl4.3.1u14 | GPL-3.0+(* ); GPL-3.0+(debian/* ); GPL-3.0+(debian/* ) | | {{}} | 0.12-cl4.3.0u1 | GPL-2+(* ) | | {{}} | 0.12-cl4.3.0u1 | GPL-2+(* ) | -| {{}} | 4.0-cl4.3.1u2 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 4.0-cl4.3.1u4 | Cumulus Networks Proprietary(* ); LGPL-2.1(dist-packages/eeprom_ipmi_fru.py); Elagin(dist-packages/cumulus/sdnotify.py); MIT(dist-packages/ordereddict.py); GPL-2(debian/* ) | -| {{}} | 4.0-cl4.3.1u2 | Cumulus Networks Proprietary(* ); LGPL-2.1(dist-packages/eeprom_ipmi_fru.py); Elagin(dist-packages/cumulus/sdnotify.py); MIT(dist-packages/ordereddict.py); GPL-2(debian/* ) | +| {{}} | 4.0-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 4.0-cl4.3.2u2 | Cumulus Networks Proprietary(* ); LGPL-2.1(dist-packages/eeprom_ipmi_fru.py); Elagin(dist-packages/cumulus/sdnotify.py); MIT(dist-packages/ordereddict.py); GPL-2(debian/* ) | +| {{}} | 4.0-cl4.3.2u1 | Cumulus Networks Proprietary(* ); LGPL-2.1(dist-packages/eeprom_ipmi_fru.py); Elagin(dist-packages/cumulus/sdnotify.py); MIT(dist-packages/ordereddict.py); GPL-2(debian/* ) | | {{}} | 4.0-cl4.3.0u1 | NO COPYRIGHT FILE | -| {{}} | 4.0-cl4.3.1u2 | Cumulus Networks Proprietary(* ); LGPL-2.1(dist-packages/eeprom_ipmi_fru.py); Elagin(dist-packages/cumulus/sdnotify.py); MIT(dist-packages/ordereddict.py); GPL-2(debian/* ) | -| {{}} | 4.0-cl4.3.1u2 | NO COPYRIGHT FILE | +| {{}} | 4.0-cl4.3.2u1 | Cumulus Networks Proprietary(* ); LGPL-2.1(dist-packages/eeprom_ipmi_fru.py); Elagin(dist-packages/cumulus/sdnotify.py); MIT(dist-packages/ordereddict.py); GPL-2(debian/* ) | +| {{}} | 4.0-cl4.3.2u1 | NO COPYRIGHT FILE | | {{}} | 4.0-cl4u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 4.0-cl4u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 4.0-cl4u5 | NO COPYRIGHT FILE | -| {{}} | 4.0-cl4.3.1u6 | Cumulus 
Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* .8 debian/* .service) | -| {{}} | 4.0-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* .8 debian/* .service) | -| {{}} | 4.0-cl4.3.1u1 | NO COPYRIGHT FILE | -| {{}} | 7.64.0-4+deb10u2 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | +| {{}} | 4.0-cl4.3.2u2 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* .8 debian/* .service) | +| {{}} | 4.0-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* .8 debian/* .service) | +| {{}} | 4.0-cl4.3.2u1 | NO COPYRIGHT FILE | +| {{}} | 7.64.0-4+deb10u7 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | +| {{}} | 7.64.0-4+deb10u6 | NO COPYRIGHT FILE | | {{}} | 0.29.2-2 | Apache-2.0(* 
); Apache-2.0(debian/* ); Apache-2.0(debian/* ) | | {{}} | 0.29.2-2 | Apache-2.0(* ); Apache-2.0(debian/* ); Apache-2.0(debian/* ) | | {{}} | 0.5.10.2-5 | GPL | -| {{}} | 1.12.20-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | -| {{}} | 1.12.20-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | +| {{}} | 1.12.24-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | +| {{}} | 1.12.24-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | | {{}} | 1.5.71+deb10u1 | BSD-2-clause(* ); BSD-2-clause(Debconf/FrontEnd/Passthrough.pm); BSD-2-clause(Debconf/FrontEnd/Qt* Debconf/Element/Qt* ); BSD-2-clause(Debconf/FrontEnd/Kde.pm); BSD-2-clause(Debconf/FrontEnd/Gnome.pm); BSD-2-clause(Debconf/DbDriver/LDAP.pm); BSD-2-clause(debconf.py); BSD-2-clause(debconf-show); BSD-2-clause(debconf-get-selections debconf-set-selections); BSD-2-clause(Test/* ); BSD-2-clause(debconf-apt-progress); BSD-2-clause(debconf-apt-progress) | | {{}} | 1.5.71+deb10u1 | NO COPYRIGHT FILE | | {{}} | 12.1.1 | GPL-2+(* ); public-domain(examples/* autoscripts/* ); GPL-2+(dh_perl); GPL-2+(dh_installcatalogs); GPL-2+(dh_usrlocal); GPL-2+(dh_installlogcheck); GPL-2+(dh_installudev); GPL-2+(dh_lintian); GPL-2+(dh_md5sums); GPL-2+(dh_bugfiles); GPL-3+(dh_installinit); GPL-2+(dh_installgsettings); GPL-2+(dh_ucf); BSD-3-clause(dh_systemd_enable dh_systemd_start); GPL-2+(lib/Debian/Debhelper/Buildsystem* lib/Debian/Debhelper/Dh_Buildsystems.pm); GPL-2+(lib/Debian/Debhelper/Buildsystem/qmake.pm); GPL-2+(man/po4a/po/fr.po); GPL-2+(man/po4a/po/es.po); GPL-2+(man/po4a/po/de.po); GPL-2+(man/po4a/po/de.po); GPL-3+(man/po4a/po/de.po); 
BSD-3-clause(man/po4a/po/de.po) | | {{}} | 2019.1+deb10u1 | GPL | | {{}} | 4.8.6.1 | GPL; public domain | -| {{}} | 1.0.114 | BSD | +| {{}} | 1.0.114+deb10u1 | BSD | | {{}} | 2.2.3 | GPL(* ); GPL-2+(rdebsums) | | {{}} | 1.0.5 | GPL-2+(debian/* ); GPL-2+(doc/* ); GPL-2+(doc/* ) | | {{}} | 1.6.2-1 | GPL; GPL-2; GPL-2+; GPL-3; MIT | 
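Review bot: The added 7.64.0-4+deb10u6 row (NO COPYRIGHT FILE) sits directly under the row bumped to 7.64.0-4+deb10u7, and the three 4.0 rows that were all at cl4.3.1u1 are now split between cl4.3.2u2 and cl4.3.2u1. If this table is generated from the image's package list, please confirm the mismatched revisions are what actually ships and not the product of a stale build input. A note in the commit message on how the table was regenerated would make that checkable, since readers use these version columns to track which fixes are present.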
@@ -155,13 +157,13 @@ pdfhidden: True | {{}} | 2.2.12-1+deb10u2 | GPL-3+(* ); GPL-3+(agent/command.c); permissive(autogen.sh); permissive(common/gc-opt-flags.h); LGPL-2.1+(common/localename.c); Expat(dirmngr/dns.c); GPL-3+(doc/yat2m.c); GPL-3+ or BSD-3-clause(scd/ccid-driver.h); LGPL-3+(tools/rfc822parse.c); GPL-3+(tools/sockprox.c); RFC-Reference(doc/OpenPGP); TinySCHEME(tests/gpgscm/* ); GPL-3+(debian/* ); CC0-1.0(debian/org.gnupg.scdaemon.metainfo.xml); TinySCHEME(debian/org.gnupg.scdaemon.metainfo.xml); permissive(debian/org.gnupg.scdaemon.metainfo.xml); RFC-Reference(debian/org.gnupg.scdaemon.metainfo.xml); GPL-3+(debian/org.gnupg.scdaemon.metainfo.xml); LGPL-3+(debian/org.gnupg.scdaemon.metainfo.xml); LGPL-2.1+(debian/org.gnupg.scdaemon.metainfo.xml); BSD-3-clause(debian/org.gnupg.scdaemon.metainfo.xml); Expat(debian/org.gnupg.scdaemon.metainfo.xml); CC0-1.0(debian/org.gnupg.scdaemon.metainfo.xml) | | {{}} | 2.1.2-8 | GPL | | {{}} | 2.2013.01.11 | public domain | -| {{}} | 0.41+deb10u4 | ISC(* ) | +| {{}} | 0.41+deb10u5 | ISC(* ) | | {{}} | 1.02.155-3 | GPL-2.0(* ); LGPL-2.1(Files:); BSD-2-Clause(Files:); GPL-2.0+(debian/* ) | | {{}} | 3.0-cl3u4 | GPL-2(* ); GPL-2(debian/* ) | | {{}} | 1.02.155-3 | GPL-2.0(* ); LGPL-2.1(Files:); BSD-2-Clause(Files:); GPL-2.0+(debian/* ) | | {{}} | 2.80-1+deb10u1 | NO COPYRIGHT FILE | | {{}} | 2.80-1+deb10u1 | GPL; GPL-2; GPL-3 | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); 
BSD-4-clause(debian/); MPL-2.0(debian/) | | {{}} | 4.5-6 | GPL; GPL-2 | | {{}} | 1.79-9.1 | GPL; GPL-2 | | {{}} | 2.0.0-42 | MIT(* ); GPL-2+(debian/* ) | 
@@ -191,10 +193,10 @@ pdfhidden: True | {{}} | 15-1 | GPL-2.0+(* ); GPL-2.0+(debian/* ); GPL-2.0+(debian/* ) | | {{}} | 37-2+deb10u1 | LGPL-2.0+(* ); GPL-2.0+(debian/* ); LGPL-2.0+(debian/* ); GPL-2.0+(debian/* ) | | {{}} | 2.1.5+deb1+cvs20081104-13.2 | GPL; GPL-2 | -| {{}} | 26.1+1-3.2+deb10u2 | GPL-3+(* ); License:(Files:); License:(build-aux/install-sh); GPL plus Ian(debian/rules); manpage license(doc/man/ebrowse.1); manpage license(doc/man/emacs.1); manpage license(doc/man/etags.1); efaq.texi license(doc/misc/efaq.texi); efaq-w32.texi license(doc/misc/efaq-w32.texi); LGPL-2+(Files:); GPL-2+(Files:); same as corresponding file in /etc/images(etc/images/low-color/* ); GPL-2+(Files:); GPL-2+(Files:); MPL-2.0(etc/publicsuffix.txt); License:(Files:); meese.el license(Files:); gnulib-comp.m4 license(Files:); pkg.m4 license(Files:); m4 license(Files:); sedadmin.inp license(Files:); nt/inc/dirent.h license(Files:); License:(Files:); License:(Files:); License:(Files:); MPL-2.0(Files:); manpage license(Files:) | +| {{}} | 26.1+1-3.2+deb10u4 | GPL-3+(* ); License:(Files:); License:(build-aux/install-sh); GPL plus Ian(debian/rules); manpage license(doc/man/ebrowse.1); manpage license(doc/man/emacs.1); manpage license(doc/man/etags.1); efaq.texi license(doc/misc/efaq.texi); efaq-w32.texi license(doc/misc/efaq-w32.texi); LGPL-2+(Files:); GPL-2+(Files:); same as corresponding file in /etc/images(etc/images/low-color/* ); GPL-2+(Files:); GPL-2+(Files:); MPL-2.0(etc/publicsuffix.txt); License:(Files:); meese.el license(Files:); gnulib-comp.m4 license(Files:); pkg.m4 license(Files:); m4 license(Files:); sedadmin.inp license(Files:); nt/inc/dirent.h license(Files:); License:(Files:); License:(Files:); License:(Files:); MPL-2.0(Files:); manpage license(Files:) | | {{}} | 26.1+1-3.2+deb10u2 | GPL-3+(* ); License:(Files:); License:(build-aux/install-sh); GPL plus Ian(debian/rules); manpage license(doc/man/ebrowse.1); manpage license(doc/man/emacs.1); manpage 
license(doc/man/etags.1); efaq.texi license(doc/misc/efaq.texi); efaq-w32.texi license(doc/misc/efaq-w32.texi); LGPL-2+(Files:); GPL-2+(Files:); same as corresponding file in /etc/images(etc/images/low-color/* ); GPL-2+(Files:); GPL-2+(Files:); MPL-2.0(etc/publicsuffix.txt); License:(Files:); meese.el license(Files:); gnulib-comp.m4 license(Files:); pkg.m4 license(Files:); m4 license(Files:); sedadmin.inp license(Files:); nt/inc/dirent.h license(Files:); License:(Files:); License:(Files:); License:(Files:); MPL-2.0(Files:); manpage license(Files:) | | {{}} | 3.0.4 | GPL | -| {{}} | 26.1+1-3.2+deb10u2 | NO COPYRIGHT FILE | +| {{}} | 26.1+1-3.2+deb10u4 | NO COPYRIGHT FILE | | {{}} | 2.2.0 | GPL-2+(* ) | | {{}} | 1.18.10-1 | GPL-2+(* ); BSD-2-clause(pkgng/* ) | | {{}} | 4.19.0-cl4.3.1u4 | GPL; GPL-2 | 
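Review bot: The middle context row in this hunk stays at 26.1+1-3.2+deb10u2 while the rows immediately above and below it, which carry the same version lineage, move to 26.1+1-3.2+deb10u4. Either that package was missed when the table was regenerated or the image really ships two revisions of the same source. Please check which, and bump the row or state the reason in the commit message.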
@@ -214,15 +216,15 @@ pdfhidden: True | {{}} | 2.004.5-6 | GPL; GPL-2; public domain | | {{}} | 1.100263+20170512-1 | Apache-2.0( * ) | | {{}} | 1.6.3-1.1 | GPL-3+(* ); LGPL-3+(common/src/portability/freeipmi-argp* ); LGPL-3+(debian/* ); LGPL-3+(debian/* ) | -| {{}} | 2.9.1-3+deb10u2 | GPL-2+ or FTL(* ); FTL and Catharon-OSL and MIT(vms_make.com); FTL(builds/amiga/* builds/amiga/include/config/* ); FTL(builds/amiga/src/base/* ); BSD-3-Clause(builds/cmake/FindHarfBuzz.cmake); FTL(builds/mac/ftmac.c); FTL(builds/mac/README); FSFULLR and GPL-2+(builds/unix/aclocal.m4); FSFUL and GPL-2+(builds/unix/configure); Permissive and GPL-3+(builds/unix/config.guess builds/unix/config.sub); MIT(builds/unix/install-sh); GPL-2+ and GPL-3+(builds/unix/ltmain.sh); GPL-2+(builds/unix/pkg.m4); GPL-2+(debian/* ); FTL(docs/INSTALL.CROSS); MIT or GPL-2+(ft2docs/docs/js/jquery.ba-resize.min.js); MIT(ft2docs/docs/js/jquery-1.11.0.min.js); Public-Domain(ft2docs/docs/tutorial/example2.cpp); MIT(ft2docs/docs/tutorial/example5.cpp); FTL(ft2demos/Jamfile); FTL(ft2demos/graph/beos/grbeos.cpp); FTL(ft2demos/graph/mac/grmac.c); FTL(ft2demos/graph/win32/grwin32.c ft2demos/graph/win32/grwin32.h); FTL(ft2demos/graph/graph.h); Public-Domain(ft2demos/graph/grswizzle.c); FTL(ft2demos/mac/ftoldmac.c); MIT(ft2demos/mac/getargv.c); Public-Domain(ft2demos/src/mlgetopt.c ft2demos/src/mlgetopt.h); FTL(ft2demos/src/ftinspect/* ); FTL(include/freetype/ftbzip2.h); FTL(include/freetype/ftcid.h); FTL(include/freetype/ftgxval.h); MIT(include/freetype/internal/fthash.h); FTL(include/freetype/internal/ftrfork.h); FTL(include/freetype/internal/ftpic.h); FTL(include/freetype/internal/services/svttglyf.h); FTL(src/autofit/afindic.c src/autofit/afindic.h); FTL(src/base/ftbase.h); Public-Domain(src/base/md5.c src/base/md5.h); MIT(src/bdf/bdf.c); MIT(src/bdf/bdf.h src/bdf/bdflib.c); FTL(src/gxvalid/* ); FTL(src/gxvalid/Jamfile); Zlib(src/gzip/adler32.c); Zlib(src/gzip/ftzconf.h); Zlib(src/gzip/zlib.h); FTL(src/lzw/ftlzw.c 
src/lzw/rules.mk); OpenGroup-BSD-like(src/pcf/pcfutil.c); FTL(src/psaux/psarrst.c src/psaux/psarrst.h); FTL(src/sfnt/pngshim.c src/sfnt/pngshim.h); FTL(src/sfnt/ttsbit.c); Public-Domain(src/tools/apinames.c src/tools/chktrcmp.py); FTL(src/tools/update-copyright-year); BSD-3-Clause(src/tools/ftrandom/ftrandom.c); FTL(src/truetype/ttgxvar.c src/truetype/ttgxvar.h); FTL(src/type42/t42drivr.c src/type42/t42drivr.h); FTL(src/winfonts/winfnt.c); FTL(src/winfonts/winfnt.h); BSD-3-Clause(src/winfonts/winfnt.h); Catharon-OSL(src/winfonts/winfnt.h); FSFUL(src/winfonts/winfnt.h); FSFULLR(src/winfonts/winfnt.h); FTL(src/winfonts/winfnt.h); GPL-2+(src/winfonts/winfnt.h); GPL-3+(src/winfonts/winfnt.h); MIT(src/winfonts/winfnt.h); OpenGroup-BSD-like(src/winfonts/winfnt.h); Permissive(src/winfonts/winfnt.h); Zlib(src/winfonts/winfnt.h) | -| {{}} | 7.5+cl4.3.1u14 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | -| {{}} | 7.5+cl4.3.1u14 | NO COPYRIGHT FILE | -| {{}} | 7.5+cl4.3.1u14 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* 
lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | -| {{}} | 7.5+cl4.3.1u14 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | -| {{}} | 7.5+cl4.3.1u14 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); 
GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | -| {{}} | 7.5+cl4.3.1u14 | NO COPYRIGHT FILE | -| {{}} | 7.5+cl4.3.1u14 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | -| {{}} | 7.5+cl4.3.1u14 | NO COPYRIGHT FILE | +| {{}} | 2.9.1-3+deb10u3 | GPL-2+ or FTL(* ); FTL and Catharon-OSL and MIT(vms_make.com); FTL(builds/amiga/* builds/amiga/include/config/* ); FTL(builds/amiga/src/base/* ); BSD-3-Clause(builds/cmake/FindHarfBuzz.cmake); FTL(builds/mac/ftmac.c); FTL(builds/mac/README); FSFULLR and 
GPL-2+(builds/unix/aclocal.m4); FSFUL and GPL-2+(builds/unix/configure); Permissive and GPL-3+(builds/unix/config.guess builds/unix/config.sub); MIT(builds/unix/install-sh); GPL-2+ and GPL-3+(builds/unix/ltmain.sh); GPL-2+(builds/unix/pkg.m4); GPL-2+(debian/* ); FTL(docs/INSTALL.CROSS); MIT or GPL-2+(ft2docs/docs/js/jquery.ba-resize.min.js); MIT(ft2docs/docs/js/jquery-1.11.0.min.js); Public-Domain(ft2docs/docs/tutorial/example2.cpp); MIT(ft2docs/docs/tutorial/example5.cpp); FTL(ft2demos/Jamfile); FTL(ft2demos/graph/beos/grbeos.cpp); FTL(ft2demos/graph/mac/grmac.c); FTL(ft2demos/graph/win32/grwin32.c ft2demos/graph/win32/grwin32.h); FTL(ft2demos/graph/graph.h); Public-Domain(ft2demos/graph/grswizzle.c); FTL(ft2demos/mac/ftoldmac.c); MIT(ft2demos/mac/getargv.c); Public-Domain(ft2demos/src/mlgetopt.c ft2demos/src/mlgetopt.h); FTL(ft2demos/src/ftinspect/* ); FTL(include/freetype/ftbzip2.h); FTL(include/freetype/ftcid.h); FTL(include/freetype/ftgxval.h); MIT(include/freetype/internal/fthash.h); FTL(include/freetype/internal/ftrfork.h); FTL(include/freetype/internal/ftpic.h); FTL(include/freetype/internal/services/svttglyf.h); FTL(src/autofit/afindic.c src/autofit/afindic.h); FTL(src/base/ftbase.h); Public-Domain(src/base/md5.c src/base/md5.h); MIT(src/bdf/bdf.c); MIT(src/bdf/bdf.h src/bdf/bdflib.c); FTL(src/gxvalid/* ); FTL(src/gxvalid/Jamfile); Zlib(src/gzip/adler32.c); Zlib(src/gzip/ftzconf.h); Zlib(src/gzip/zlib.h); FTL(src/lzw/ftlzw.c src/lzw/rules.mk); OpenGroup-BSD-like(src/pcf/pcfutil.c); FTL(src/psaux/psarrst.c src/psaux/psarrst.h); FTL(src/sfnt/pngshim.c src/sfnt/pngshim.h); FTL(src/sfnt/ttsbit.c); Public-Domain(src/tools/apinames.c src/tools/chktrcmp.py); FTL(src/tools/update-copyright-year); BSD-3-Clause(src/tools/ftrandom/ftrandom.c); FTL(src/truetype/ttgxvar.c src/truetype/ttgxvar.h); FTL(src/type42/t42drivr.c src/type42/t42drivr.h); FTL(src/winfonts/winfnt.c); FTL(src/winfonts/winfnt.h); BSD-3-Clause(src/winfonts/winfnt.h); 
Catharon-OSL(src/winfonts/winfnt.h); FSFUL(src/winfonts/winfnt.h); FSFULLR(src/winfonts/winfnt.h); FTL(src/winfonts/winfnt.h); GPL-2+(src/winfonts/winfnt.h); GPL-3+(src/winfonts/winfnt.h); MIT(src/winfonts/winfnt.h); OpenGroup-BSD-like(src/winfonts/winfnt.h); Permissive(src/winfonts/winfnt.h); Zlib(src/winfonts/winfnt.h) | +| {{}} | 7.5+cl4.3.2u4 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | +| {{}} | 7.5+cl4.3.2u4 | NO COPYRIGHT FILE | +| {{}} | 7.5+cl4.3.2u4 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); 
LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | +| {{}} | 7.5+cl4.3.2u4 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | +| {{}} | 7.5+cl4.3.2u4 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); 
BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | +| {{}} | 7.5+cl4.3.2u4 | NO COPYRIGHT FILE | +| {{}} | 7.5+cl4.3.2u4 | GPL-2+(* ); LGPL-2.1+(lib/strl* .c); BSD-0-clause(lib/skiplist.* ); BSD-2-clause(lib/sha256.* ); ISC(lib/qobj.h lib/monotime.h lib/memory.* lib/hook.* lib/frratomic.h lib/ferr.* lib/compiler.h lib/module.* ); MIT(nhrpd/nhrp_protocol.h); MIT(babeld/* ); GPL-2+(babeld/babel_errors.* ); ISC(ldpd/* ); GPL-2+(ldpd/ldp_debug.* ldpd/ldp_vty* ldpd/ldp_zebra.c); FRR-docs(doc/user/* .rst doc/figures/fig* ); BSD-3-clause(lib/freebsd-queue.h lib/openbsd-queue.h lib/md5.* ); BSD-2-clause(lib/openbsd-tree.* ); ISC(lib/imsg* ); ISC(qpb/qpb.proto fpm/fpm.proto); ISC(doc/extra/frrlexer.py); MIT(tests/helpers/python/frrsix.py); GPL-2+(tests/helpers/python/frrsix.py); LGPL-2.1+(tests/helpers/python/frrsix.py); BSD-0-clause(tests/helpers/python/frrsix.py); BSD-2-clause(tests/helpers/python/frrsix.py); BSD-3-clause(tests/helpers/python/frrsix.py); ISC(tests/helpers/python/frrsix.py); MIT(tests/helpers/python/frrsix.py) | +| {{}} | 7.5+cl4.3.2u4 | NO COPYRIGHT FILE | | {{}} | 8.3.0-1 | NO COPYRIGHT FILE | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 4.2.1+dfsg-1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/* ) | 
@@ -238,8 +240,8 @@ pdfhidden: True | {{}} | 1.0.3-1.1 | LGPL-2.0+(* ); LGPL-2.0+(debian/* ); LGPL-2.0+(crc32.cc crc32.h); LGPL-2.0+(crc32.cc crc32.h) | | {{}} | 0.19.8.1-9 | GFDL; GPL; LGPL | | {{}} | 0.19.8.1-9 | GFDL; GPL; LGPL | -| {{}} | 2.20.1-2+deb10u3 | GPL-2(* ); LGPL-2.1+(xdiff/* ); EDL-1.0(xdiff/xhistogram.c); GPL-2+(ewah/* ); Expat(sha1dc/* ); GPL-2+(gitk-git/* ); GPL-2(gitk-git/po/bg.po); GPL-2+(git-gui/* ); GPL-2(git-gui/po/bg.po git-gui/po/de.po git-gui/po/fr.po git-gui/po/glossary/* ); GPL-2+(git-gui/po/glossary/el.po git-gui/po/glossary/pt_br.po); GPL-2+(gitweb/static/js/* ); Expat(git-p4); GPL-2+(git-svn.perl); BSD-2-clause(vcs-svn/* ); GPL-2+(imap-send.c); GPL-2+(perl/Git.pm); GPL-1+ or Artistic-1(perl/private-Error.pm); GPL-2+(kwset.c kwset.h); Expat(khash.h); GPL-2+(trace.c); GPL-2+(sh-i18n--envsubst.c); GPL-2+(t/test-lib.sh); ISC(compat/inet_ntop.c compat/inet_pton.c); GPL-2+(compat/poll/poll.c compat/poll/poll.h); mingw-runtime(compat/vcbuild/include/sys/utime.h); Boost(compat/nedmalloc/* ); dlmalloc(compat/nedmalloc/malloc.c.h); LGPL-2.1+(compat/regex/* ); LGPL-2.1+(compat/obstack.c compat/obstack.h); Apache-2.0(contrib/persistent-https/* ); GPL-2+(contrib/credential/gnome-keyring/git-credential-gnome-keyring.c); GPL-2+(contrib/hg-to-git/hg-to-git.py); GPL-2+(contrib/mw-to-git/git-* .perl contrib/mw-to-git/t/t* ); GPL-2(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); Apache-2.0(debian/* ); BSD-2-clause(debian/* ); ISC(debian/* ); Expat(debian/* ); EDL-1.0(debian/* ); mingw-runtime(debian/* ); Boost(debian/* ); dlmalloc(debian/* ) | -| {{}} | 2.20.1-2+deb10u3 | GPL-2(* ); LGPL-2.1+(xdiff/* ); EDL-1.0(xdiff/xhistogram.c); GPL-2+(ewah/* ); Expat(sha1dc/* ); GPL-2+(gitk-git/* ); GPL-2(gitk-git/po/bg.po); GPL-2+(git-gui/* ); GPL-2(git-gui/po/bg.po git-gui/po/de.po git-gui/po/fr.po git-gui/po/glossary/* ); GPL-2+(git-gui/po/glossary/el.po git-gui/po/glossary/pt_br.po); GPL-2+(gitweb/static/js/* ); 
Expat(git-p4); GPL-2+(git-svn.perl); BSD-2-clause(vcs-svn/* ); GPL-2+(imap-send.c); GPL-2+(perl/Git.pm); GPL-1+ or Artistic-1(perl/private-Error.pm); GPL-2+(kwset.c kwset.h); Expat(khash.h); GPL-2+(trace.c); GPL-2+(sh-i18n--envsubst.c); GPL-2+(t/test-lib.sh); ISC(compat/inet_ntop.c compat/inet_pton.c); GPL-2+(compat/poll/poll.c compat/poll/poll.h); mingw-runtime(compat/vcbuild/include/sys/utime.h); Boost(compat/nedmalloc/* ); dlmalloc(compat/nedmalloc/malloc.c.h); LGPL-2.1+(compat/regex/* ); LGPL-2.1+(compat/obstack.c compat/obstack.h); Apache-2.0(contrib/persistent-https/* ); GPL-2+(contrib/credential/gnome-keyring/git-credential-gnome-keyring.c); GPL-2+(contrib/hg-to-git/hg-to-git.py); GPL-2+(contrib/mw-to-git/git-* .perl contrib/mw-to-git/t/t* ); GPL-2(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); Apache-2.0(debian/* ); BSD-2-clause(debian/* ); ISC(debian/* ); Expat(debian/* ); EDL-1.0(debian/* ); mingw-runtime(debian/* ); Boost(debian/* ); dlmalloc(debian/* ) | +| {{}} | 2.20.1-2+deb10u8 | GPL-2(* ); LGPL-2.1+(xdiff/* ); EDL-1.0(xdiff/xhistogram.c); GPL-2+(ewah/* ); Expat(sha1dc/* ); GPL-2+(gitk-git/* ); GPL-2(gitk-git/po/bg.po); GPL-2+(git-gui/* ); GPL-2(git-gui/po/bg.po git-gui/po/de.po git-gui/po/fr.po git-gui/po/glossary/* ); GPL-2+(git-gui/po/glossary/el.po git-gui/po/glossary/pt_br.po); GPL-2+(gitweb/static/js/* ); Expat(git-p4); GPL-2+(git-svn.perl); BSD-2-clause(vcs-svn/* ); GPL-2+(imap-send.c); GPL-2+(perl/Git.pm); GPL-1+ or Artistic-1(perl/private-Error.pm); GPL-2+(kwset.c kwset.h); Expat(khash.h); GPL-2+(trace.c); GPL-2+(sh-i18n--envsubst.c); GPL-2+(t/test-lib.sh); ISC(compat/inet_ntop.c compat/inet_pton.c); GPL-2+(compat/poll/poll.c compat/poll/poll.h); mingw-runtime(compat/vcbuild/include/sys/utime.h); Boost(compat/nedmalloc/* ); dlmalloc(compat/nedmalloc/malloc.c.h); LGPL-2.1+(compat/regex/* ); LGPL-2.1+(compat/obstack.c compat/obstack.h); Apache-2.0(contrib/persistent-https/* ); 
GPL-2+(contrib/credential/gnome-keyring/git-credential-gnome-keyring.c); GPL-2+(contrib/hg-to-git/hg-to-git.py); GPL-2+(contrib/mw-to-git/git-* .perl contrib/mw-to-git/t/t* ); GPL-2(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); Apache-2.0(debian/* ); BSD-2-clause(debian/* ); ISC(debian/* ); Expat(debian/* ); EDL-1.0(debian/* ); mingw-runtime(debian/* ); Boost(debian/* ); dlmalloc(debian/* ) | +| {{}} | 2.20.1-2+deb10u8 | GPL-2(* ); LGPL-2.1+(xdiff/* ); EDL-1.0(xdiff/xhistogram.c); GPL-2+(ewah/* ); Expat(sha1dc/* ); GPL-2+(gitk-git/* ); GPL-2(gitk-git/po/bg.po); GPL-2+(git-gui/* ); GPL-2(git-gui/po/bg.po git-gui/po/de.po git-gui/po/fr.po git-gui/po/glossary/* ); GPL-2+(git-gui/po/glossary/el.po git-gui/po/glossary/pt_br.po); GPL-2+(gitweb/static/js/* ); Expat(git-p4); GPL-2+(git-svn.perl); BSD-2-clause(vcs-svn/* ); GPL-2+(imap-send.c); GPL-2+(perl/Git.pm); GPL-1+ or Artistic-1(perl/private-Error.pm); GPL-2+(kwset.c kwset.h); Expat(khash.h); GPL-2+(trace.c); GPL-2+(sh-i18n--envsubst.c); GPL-2+(t/test-lib.sh); ISC(compat/inet_ntop.c compat/inet_pton.c); GPL-2+(compat/poll/poll.c compat/poll/poll.h); mingw-runtime(compat/vcbuild/include/sys/utime.h); Boost(compat/nedmalloc/* ); dlmalloc(compat/nedmalloc/malloc.c.h); LGPL-2.1+(compat/regex/* ); LGPL-2.1+(compat/obstack.c compat/obstack.h); Apache-2.0(contrib/persistent-https/* ); GPL-2+(contrib/credential/gnome-keyring/git-credential-gnome-keyring.c); GPL-2+(contrib/hg-to-git/hg-to-git.py); GPL-2+(contrib/mw-to-git/git-* .perl contrib/mw-to-git/t/t* ); GPL-2(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); Apache-2.0(debian/* ); BSD-2-clause(debian/* ); ISC(debian/* ); Expat(debian/* ); EDL-1.0(debian/* ); mingw-runtime(debian/* ); Boost(debian/* ); dlmalloc(debian/* ) | | {{}} | 3.0.9-1 | BSD-3-clause-HP(* ); BSD-2-clause-Intel(inc/* lib/* ); BSD-3-clause-HP(lib/Makefile lib/x86_64/callwrap.c); Expat(inc/efipoint.h); 
BSD-4-clause-Intel(inc/protocol/efidbg.h inc/protocol/ia64/eficontext.h); BSD-2-clause-Linaro or GPL-2+(inc/aarch64/efibind.h inc/arm/efibind.h); BSD-2-clause-Linaro(inc/aarch64/efibind.h inc/arm/efibind.h); BSD-3-clause-HP(inc/aarch64/efibind.h inc/arm/efibind.h); BSD-2-clause-Intel(inc/aarch64/efibind.h inc/arm/efibind.h); BSD-4-clause-Intel(inc/aarch64/efibind.h inc/arm/efibind.h); Expat(inc/aarch64/efibind.h inc/arm/efibind.h); GPL-2+(inc/aarch64/efibind.h inc/arm/efibind.h) | | {{}} | 2.2.12-1+deb10u2 | GPL-3+(* ); GPL-3+(agent/command.c); permissive(autogen.sh); permissive(common/gc-opt-flags.h); LGPL-2.1+(common/localename.c); Expat(dirmngr/dns.c); GPL-3+(doc/yat2m.c); GPL-3+ or BSD-3-clause(scd/ccid-driver.h); LGPL-3+(tools/rfc822parse.c); GPL-3+(tools/sockprox.c); RFC-Reference(doc/OpenPGP); TinySCHEME(tests/gpgscm/* ); GPL-3+(debian/* ); CC0-1.0(debian/org.gnupg.scdaemon.metainfo.xml); TinySCHEME(debian/org.gnupg.scdaemon.metainfo.xml); permissive(debian/org.gnupg.scdaemon.metainfo.xml); RFC-Reference(debian/org.gnupg.scdaemon.metainfo.xml); GPL-3+(debian/org.gnupg.scdaemon.metainfo.xml); LGPL-3+(debian/org.gnupg.scdaemon.metainfo.xml); LGPL-2.1+(debian/org.gnupg.scdaemon.metainfo.xml); BSD-3-clause(debian/org.gnupg.scdaemon.metainfo.xml); Expat(debian/org.gnupg.scdaemon.metainfo.xml); CC0-1.0(debian/org.gnupg.scdaemon.metainfo.xml) | | {{}} | 2.2.12-1+deb10u2 | GPL-3+(* ); GPL-3+(agent/command.c); permissive(autogen.sh); permissive(common/gc-opt-flags.h); LGPL-2.1+(common/localename.c); Expat(dirmngr/dns.c); GPL-3+(doc/yat2m.c); GPL-3+ or BSD-3-clause(scd/ccid-driver.h); LGPL-3+(tools/rfc822parse.c); GPL-3+(tools/sockprox.c); RFC-Reference(doc/OpenPGP); TinySCHEME(tests/gpgscm/* ); GPL-3+(debian/* ); CC0-1.0(debian/org.gnupg.scdaemon.metainfo.xml); TinySCHEME(debian/org.gnupg.scdaemon.metainfo.xml); permissive(debian/org.gnupg.scdaemon.metainfo.xml); RFC-Reference(debian/org.gnupg.scdaemon.metainfo.xml); GPL-3+(debian/org.gnupg.scdaemon.metainfo.xml); 
LGPL-3+(debian/org.gnupg.scdaemon.metainfo.xml); LGPL-2.1+(debian/org.gnupg.scdaemon.metainfo.xml); BSD-3-clause(debian/org.gnupg.scdaemon.metainfo.xml); Expat(debian/org.gnupg.scdaemon.metainfo.xml); CC0-1.0(debian/org.gnupg.scdaemon.metainfo.xml) | 
@@ -259,20 +261,20 @@ pdfhidden: True | {{}} | 3.3-1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/* ) | | {{}} | 1.22.4-3+deb10u1 | NO COPYRIGHT FILE | | {{}} | 1.22.4-3+deb10u1 | BSD; GFDL-1; GPL; GPL-3; MIT; public domain | -| {{}} | 2.02+dfsg1-20+deb10u4 | NO COPYRIGHT FILE | -| {{}} | 2.02+dfsg1-20+deb10u4 | NO COPYRIGHT FILE | +| {{}} | 2.06-3~deb10u4 | NO COPYRIGHT FILE | +| {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | NO COPYRIGHT FILE | -| {{}} | 2.02+dfsg1-20+deb10u4 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | +| {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | NO COPYRIGHT FILE | -| {{}} | 2.02+dfsg1-20+deb10u4 | NO COPYRIGHT FILE | -| {{}} | 2.02+dfsg1-20+deb10u4 | NO COPYRIGHT FILE | -| {{}} | 2.02+dfsg1-20+deb10u4 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in 
the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | +| {{}} | 2.06-3~deb10u4 | NO COPYRIGHT FILE | +| {{}} | 2.06-3~deb10u4 | NO COPYRIGHT FILE | +| {{}} | 2.06-3~deb10u4 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | NO COPYRIGHT FILE | -| {{}} | 2.02+dfsg1-20+deb10u4 | NO COPYRIGHT FILE | -| {{}} | 2.02+dfsg1-20+deb10u4 | NO COPYRIGHT FILE | +| {{}} | 2.06-3~deb10u4 | NO COPYRIGHT FILE | +| {{}} | 2.06-3~deb10u4 | NO COPYRIGHT FILE | | {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); 
GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | | {{}} | 2.02+dfsg1-cl4.2.1u1 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/grub-extras/* ); CC-BY-SA-3.0(themes/starfield/* ); Expat(themes/starfield/theme.txt); GPL-3+(themes/starfield/theme.txt); CC-BY-SA-3.0(themes/starfield/theme.txt); selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt); Expat(themes/starfield/theme.txt) | @@ -295,7 +297,7 @@ pdfhidden: True | {{}} | 63.1-6+deb10u3 | BSD | | {{}} | 20180805.1 | WTFPL-2(* ); other(iab.* mam.* oui36.* oui.* oui.* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | | {{}} | 0.28-19.4 | GPL; GPL-2 | -| {{}} | 3.2.0-cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); GPL-2(debian/* ) | +| {{}} | 3.2.0-cl4.3.1u3 | GPL-2(* ); GPL-2(debian/* ); GPL-2(debian/* ) | | {{}} | 1.56+nmu1 | BSD-3-clause(* ); BSD-3-clause(debian/* ); GPL-2+(script/service man8/service.rst); GPL-2+(script/invoke-rc.d man8/invoke-rc.d.rst); GPL-2+(script/update-rc.d man8/update-rc.d.rst); GPL-2+(script/update-rc.d man8/update-rc.d.rst); BSD-3-clause(script/update-rc.d man8/update-rc.d.rst) | | {{}} | 0.133+deb10u1 | GPL; GPL-2 | | {{}} | 0.133+deb10u1 | GPL; GPL-2 | 
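Review bot: in the `@@ -259,20 +261,20 @@` hunk, the eight rows that were uniformly at `2.02+dfsg1-20+deb10u4` now split across two versions, six at `2.06-3~deb10u4` and two at `2.02+dfsg1-cl4.2.1u1`, so packages from one family (the license paths reference `debian/grub-extras`) are listed at both 2.02 and 2.06. Please confirm that this split matches the package manifest of the release image and is not the result of a partial regeneration of the table. The license cells on the added rows also still carry what looks like a copyright-file parsing artifact, `selected by Licensor and indicated in the title of this License:(themes/starfield/theme.txt)`, along with a repeated `Expat(themes/starfield/theme.txt)` entry; consider cleaning that up in the generator instead of copying it forward. The `@@ -295,7 +297,7 @@` hunk that follows is a single version bump with no further comment.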
@@ -306,14 +308,14 @@ pdfhidden: True | {{}} | 0.35.0+20060710.5 | GPL-2(* ); GPL-2+(intltool-bin/intltool-extract); GPL-2+(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ) | | {{}} | 0.6-24-g733f3f8-1 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | | {{}} | 2.0.12+dfsg1-2 | BSD-3-clause(* ); BSD-3-clause(include/checksums.h include/histogram.h include/isochronous.hpp include/pdfs.h src/checkisoch.cpp src/checkpdfs.c src/checksums.c src/histogram.c src/ioctls.c src/isochronous.cpp src/pdfs.c); GPL-2+(aclocal.m4 * Makefile.in configure config.guess config.sub depcomp missing); MIT(install-sh); ISC(compat/inet_ntop.* ); LGPL-2+(include/gnu_getopt.h src/gnu_getopt.c src/gnu_getopt_long.c); GPL-2+(debian/* ); GPL-2+(debian/* ); BSD-3-clause(debian/* ) | -| {{}} | 3.6-2 | BSD-3-clause(* ); NCSA(src/units.c); BSD-2-clause(src/dscp.c); MIT/X11(src/cjson.* ); GPL-2+(aclocal.m4 * Makefile.in config/* configure); GPL-3(config/config.* ); BSD-3-clause(docs/_esnet/* ); MIT(config/install-sh); permissive(config/ax_check_openssl.m4); public-domain(config/mkinstalldirs); public-domain(src/portable_endian.h); GPL-2+(debian/* ); GPL-2+(debian/* ); GPL-3(debian/* ); NCSA(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | +| {{}} | 3.6-2+deb10u1 | BSD-3-clause(* ); NCSA(src/units.c); BSD-2-clause(src/dscp.c); MIT/X11(src/cjson.* ); GPL-2+(aclocal.m4 * Makefile.in config/* configure); GPL-3(config/config.* ); BSD-3-clause(docs/_esnet/* ); MIT(config/install-sh); permissive(config/ax_check_openssl.m4); public-domain(config/mkinstalldirs); public-domain(src/portable_endian.h); GPL-2+(debian/* ); GPL-2+(debian/* ); GPL-3(debian/* ); NCSA(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 1.8.18-6+deb10u1 | BSD; BSD-3-clause | | {{}} | 4.19.0-cl4.3.0u1 | GPL-2(* ); GPL-2(debian/* ); GPL-2(debian/* ) | | {{}} | 4.19.0-cl4.3.0u1 | NO COPYRIGHT FILE | | {{}} | 4.19.0-cl4.3.1u14 | GPL-2(* ); GPL-2(debian/* ); GPL-2(debian/* ) | -| {{}} | 1.8.2-3-cl4.3.1u7 
| GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); 
GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | -| {{}} | 1.8.2-3-cl4.3.1u7 | NO COPYRIGHT FILE | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); 
GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); 
GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); 
GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); 
GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | NO COPYRIGHT FILE | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); 
GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c 
iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | | {{}} | 1.1.4-6+b1 | GPL-2(* ); GPL-2(debian/* ); GPL-2(debian/* ) | | {{}} | 20180629-2+cl4.3.1u4 | BSD; GPL | | {{}} | 20180629-2+cl4.3.1u4 | NO COPYRIGHT FILE | @@ -350,8 +352,8 @@ pdfhidden: True | {{}} | 1.193~deb10u1 | GPL; GPL-2; public domain | | {{}} | 2.0.6-1+deb10u1 | NO COPYRIGHT FILE | | {{}} | 26-1 | NO COPYRIGHT FILE | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u4 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | | {{}} | 4.0-cl4.3.1u2 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 2.4.47+dfsg-3+deb10u7 | ISC; MIT | | {{}} | 487-0.1+b1 | GPL; GPL-3 | 
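Review bot: the two added rows in the `@@ -350,8 +352,8 @@` hunk carry different versions, `1.17-3+deb10u4` and `1.17-3+deb10u5`, while the two rows they replace were both at `1.17-3+deb10u3` with identical license cells. If both packages are built from the same source package, one of these is likely stale; please check both against the installed package list for this release and align them, or say in the commit message why they differ.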
@@ -371,7 +373,7 @@ pdfhidden: True | {{}} | 1.8.2.3 | GPL; GPL-2; GPLv2+ | | {{}} | 1.8.2.3 | GPL; GPL-2; GPLv2+ | | {{}} | 0.1.34+b1 | GPL | -| {{}} | 3.3.3-4+deb10u1 | BSD-2-clause(* ); BSD-2-clause(cat/* ); Apache-2.0(contrib/android/* ); BSD-4-clause-UCB(contrib/shar/shar.1); BSD-2-clause(contrib/shar/shar.c); BSD-2-clause and BSD-1-clause-UCB(cpio/cpio_windows.c); BSD-2-clause(cpio/cpio_windows.h); BSD-2-clause(cpio/test/* ); Expat(doc/mdoc2man.awk); BSD-2-clause(libarchive/* ); BSD-2-clause and BSD-124-clause-UCB(libarchive/archive_entry.c); PD(libarchive/archive_ppmd7.c); BSD-2-clause and Expat(libarchive/archive_random.c); BSD-2-clause and BSD-1-clause-UCB(libarchive/archive_windows.c); BSD-2-clause and BSD-3-clause-UCB(libarchive/archive_write_add_filter_compress.c); BSD-124-clause-UCB(libarchive/mtree.5); BSD-2-clause(libarchive_fe/err.h); BSD-2-clause(libarchive_fe/line_reader.c); BSD-2-clause and Expat(libarchive_fe/passphrase.c); BSD-2-clause(test_utils/test_utils.c); BSD-2-clause(debian/* ); BSD-2-clause(debian/* ); Apache-2.0(debian/* ); BSD-1-clause-UCB(debian/* ); BSD-124-clause-UCB(debian/* ); BSD-3-clause-UCB(debian/* ); BSD-4-clause-UCB(debian/* ); Expat(debian/* ) | +| {{}} | 3.3.3-4+deb10u3 | BSD-2-clause(* ); BSD-2-clause(cat/* ); Apache-2.0(contrib/android/* ); BSD-4-clause-UCB(contrib/shar/shar.1); BSD-2-clause(contrib/shar/shar.c); BSD-2-clause and BSD-1-clause-UCB(cpio/cpio_windows.c); BSD-2-clause(cpio/cpio_windows.h); BSD-2-clause(cpio/test/* ); Expat(doc/mdoc2man.awk); BSD-2-clause(libarchive/* ); BSD-2-clause and BSD-124-clause-UCB(libarchive/archive_entry.c); PD(libarchive/archive_ppmd7.c); BSD-2-clause and Expat(libarchive/archive_random.c); BSD-2-clause and BSD-1-clause-UCB(libarchive/archive_windows.c); BSD-2-clause and BSD-3-clause-UCB(libarchive/archive_write_add_filter_compress.c); BSD-124-clause-UCB(libarchive/mtree.5); BSD-2-clause(libarchive_fe/err.h); BSD-2-clause(libarchive_fe/line_reader.c); BSD-2-clause and 
Expat(libarchive_fe/passphrase.c); BSD-2-clause(test_utils/test_utils.c); BSD-2-clause(debian/* ); BSD-2-clause(debian/* ); Apache-2.0(debian/* ); BSD-1-clause-UCB(debian/* ); BSD-124-clause-UCB(debian/* ); BSD-3-clause-UCB(debian/* ); BSD-4-clause-UCB(debian/* ); Expat(debian/* ) | | {{}} | 1.64-1 | Artistic or GPL-1+(* ); Artistic and Info-ZIP(lib/Archive/Zip/Member.pm); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ); Info-ZIP(debian/* ) | | {{}} | 0~20171227-0.2 | CC0 or Apache-2.0(* ); CC0 or Apache-2.0(src/blake2/* ); CC0 or Apache-2.0(src/encoding.c); CC0(debian/* ); CC0(debian/argon2.1); CC0(debian/argon2.1); Apache-2.0(debian/argon2.1) | | {{}} | 7.4.0-6 | NO COPYRIGHT FILE | 
@@ -402,14 +404,15 @@ pdfhidden: True | {{}} | 1.5.6-2+deb10u1 | GPL; GPL-2; GPL-3; GPL-3+; LGPL-2.1; MIT | | {{}} | 1.5.6-2+deb10u1 | GPL; GPL-2; GPL-3; GPL-3+; LGPL-2.1; MIT | | {{}} | 0.22-1+b1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(ppport.h); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | | {{}} | 2.31.1-16 | NO COPYRIGHT FILE | | {{}} | 
3.3.2.dfsg-1 | GPL-3+(* ); GPL-2+(debian/* ) | | {{}} | 3.8.0-2 | BSD-3-clause(* ); BSD-3-clause(CMAKE/FindGcov.cmake); BSD-3-clause-intel(LAPACKE/* ); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 2.33.1-0.1 | GPL-2+(* ); GPL-2(schedutils/ionice.c); GPL-2(schedutils/chrt.c); GPL-2(disk-utils/raw.c); GPL-2(sys-utils/nsenter.c); GPL-2(disk-utils/mkfs.minix.c); public-domain(lib/at.c); BSD-4-clause(login-utils/vipw.c); MIT(text-utils/tailf.c); MIT(sys-utils/flock.c); BSD-2-clause(text-utils/pg.c); BSD-2-clause(login-utils/last-deprecated.c); BSD-2-clause(login-utils/login.c); BSD-3-clause(login-utils/logindefs.c); BSD-3-clause(libuuid/* ); LGPL-2+(lib/procutils.c); LGPL-2+(* /colors.* ); LGPL-2+(login-utils/setpwnam.h); LGPL-2.1+(libfdisk/* ); LGPL-2.1+(lib/cpuset.c); LGPL-2.1+(* /mbsalign.* ); GPL-3+(* /readutmp.* ); LGPL-2.1+(* /timeutils.* ); LGPL(include/list.h); LGPL-2.1+(libblkid/* ); LGPL(include/cpuset.h); LGPL(misc-utils/blkid.c); LGPL-2.1+(libmount/* ); LGPL-3+(libmount/python/* ); LGPL(libsmartcols/* ); GPL-2+(debian/* ); public-domain(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-3+(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ); BSD-4-clause(debian/* ); LGPL(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); LGPL-3+(debian/* ); MIT(debian/* ) | | {{}} | 2.33.1-0.1 | GPL-2+(* ); GPL-2(schedutils/ionice.c); GPL-2(schedutils/chrt.c); GPL-2(disk-utils/raw.c); GPL-2(sys-utils/nsenter.c); GPL-2(disk-utils/mkfs.minix.c); public-domain(lib/at.c); BSD-4-clause(login-utils/vipw.c); MIT(text-utils/tailf.c); MIT(sys-utils/flock.c); BSD-2-clause(text-utils/pg.c); BSD-2-clause(login-utils/last-deprecated.c); BSD-2-clause(login-utils/login.c); BSD-3-clause(login-utils/logindefs.c); BSD-3-clause(libuuid/* ); LGPL-2+(lib/procutils.c); LGPL-2+(* /colors.* ); LGPL-2+(login-utils/setpwnam.h); LGPL-2.1+(libfdisk/* ); LGPL-2.1+(lib/cpuset.c); LGPL-2.1+(* /mbsalign.* ); GPL-3+(* /readutmp.* ); LGPL-2.1+(* /timeutils.* ); 
LGPL(include/list.h); LGPL-2.1+(libblkid/* ); LGPL(include/cpuset.h); LGPL(misc-utils/blkid.c); LGPL-2.1+(libmount/* ); LGPL-3+(libmount/python/* ); LGPL(libsmartcols/* ); GPL-2+(debian/* ); public-domain(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-3+(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ); BSD-4-clause(debian/* ); LGPL(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); LGPL-3+(debian/* ); MIT(debian/* ) | -| {{}} | 5.50-1.2~deb10u2 | GPL-2+(* ); LGPL-2.1+(android/* ); Apache-2.0(android/audio_utils/* ); GPL-2+(android/avctp.c); GPL-2+(android/avctp.h); GPL-2+(android/avdtptest.c); Apache-2.0(android/bluetoothd-wrapper.c); Apache-2.0(android/client/* ); GPL-2+(android/compat/* ); LGPL-2.1+(android/compat/wordexp.h); Apache-2.0(android/hal-audio-aptx.c); Apache-2.0(android/hardware/* ); LGPL-2.1+(android/health.c); GPL-2+(android/log.c); Apache-2.0(android/system/* ); GPL-2+(attrib/* ); GPL-2+(attrib/att-database.h); GPL-2+(attrib/gatttool.h); GPL-2+(btio/* ); LGPL-2.1+(emulator/* ); GPL-2+(emulator/b1ee.c); LGPL-2.1+(emulator/hciemu.c); LGPL-2.1+(emulator/smp.c); GPL-2+(gdbus/* ); GPL-2+(lib/* ); GPL-2+(lib/a2mp.h); GPL-2(lib/amp.h); GPL-2+(lib/bnep.h); GPL-2+(lib/cmtp.h); GPL-2+(lib/l2cap.h); GPL-2+(lib/mgmt.h); GPL-2+(lib/sdp.c); LGPL-2.1+(monitor/* ); LGPL-2.1+(monitor/a2dp.c); LGPL-2.1+(monitor/tty.h); GPL-2+(obexd/* ); GPL-2+(obexd/client/bluetooth.c); GPL-2(obexd/client/dbus.c); GPL-2+(obexd/client/map-event.c); GPL-2+(obexd/client/map.c); GPL-2+(obexd/client/pbap.c); GPL-2+(obexd/client/session.c); GPL-2+(obexd/plugins/* ); GPL-2+(obexd/plugins/filesystem.c); GPL-2+(obexd/plugins/filesystem.h); GPL-2+(obexd/plugins/irmc.c); GPL-2+(obexd/plugins/mas.c); GPL-2+(obexd/plugins/vcard.c); GPL-2+(obexd/src/manager.h); GPL-2+(obexd/src/obex-priv.h); LGPL-2.1+(peripheral/* ); GPL-2+(plugins/autopair.c); GPL-2+(plugins/external-dummy.c); GPL-2+(plugins/gatt-example.c); GPL-2+(plugins/hostname.c); GPL-2+(plugins/neard.c); 
GPL-2+(plugins/sixaxis.c); GPL-2+(plugins/wiimote.c); GPL-2+(profiles/* ); GPL-2+(profiles/audio/* ); LGPL-2.1+(profiles/audio/a2dp-codecs.h); GPL-2+(profiles/audio/a2dp.c); GPL-2+(profiles/audio/avctp.c); GPL-2+(profiles/audio/player.c); GPL-2+(profiles/audio/source.c); LGPL-2.1+(profiles/battery/* ); LGPL-2.1+(profiles/deviceinfo/* ); GPL-2+(profiles/deviceinfo/deviceinfo.c); GPL-2+(profiles/deviceinfo/dis.c); GPL-2+(profiles/gap/* ); GPL-2+(profiles/health/* ); GPL-2+(profiles/health/mcap.c); GPL-2+(profiles/input/device.c); GPL-2+(profiles/input/hog-lib.c); LGPL-2.1+(profiles/input/hog-lib.h); GPL-2+(profiles/input/hog.c); GPL-2+(profiles/input/suspend-dummy.c); GPL-2+(profiles/input/uhid_copy.h); GPL-2+(profiles/sap/* ); GPL-2+(profiles/sap/sap-dummy.c); GPL-2(profiles/sap/sap-u8500.c); GPL-2+(profiles/sap/sap.h); GPL-2+(profiles/sap/server.c); GPL-2+(profiles/sap/server.h); GPL-2+(profiles/scanparam/* ); LGPL-2.1+(profiles/scanparam/scpp.h); GPL-2+(profiles/thermometer/* ); GPL-2+(profiles/time/* ); GPL-2+(src/* ); GPL-2+(src/adapter.c); GPL-2+(src/advertising.c); GPL-2+(src/dbus-common.c); GPL-2+(src/error.c); GPL-2+(src/hcid.h); GPL-2+(src/profile.c); GPL-2+(src/sdpd-database.c); GPL-2+(src/service.c); LGPL-2.1+(src/shared/* ); LGPL-2.1+(src/shared/ad.c); BSD-2-clause(src/shared/ecc.c); LGPL-2.1+(src/shared/hci-crypto.c); LGPL-2.1+(src/shared/mainloop.c); GPL-2+(test/* ); GPL-2+(tools/amptest.c); GPL-2+(tools/avinfo.c); GPL-2+(tools/bccmd.c); GPL-2+(tools/bneptest.c); GPL-2+(tools/btgatt-client.c); GPL-2+(tools/gatt-service.c); GPL-2+(tools/hciattach.c); GPL-2+(tools/hciattach_ath3k.c); GPL-2+(tools/hciattach_qualcomm.c); GPL-2+(tools/hciattach_ti.c); GPL-2+(tools/hcidump.c); GPL-2+(tools/hid2hci.c); GPL-2(tools/obex-client-tool.c); GPL-2+(tools/parser/* ); GPL-2+(tools/parser/amp.c); GPL-2+(tools/parser/att.c); GPL-2+(tools/parser/bnep.c); GPL-2+(tools/parser/hci.c); GPL-2+(tools/parser/rfcomm.c); GPL-2+(tools/parser/sap.c); GPL-2+(tools/parser/sdp.c); 
GPL-2+(tools/sdptool.c); LGPL-2.1+(tools/test-runner.c); Expat(tools/ubcsp.c); GPL-2+(unit/test-crc.c); BSD-2-clause(unit/test-ecc.c); GPL-2+(unit/test-gattrib.c); GPL-2+(unit/test-lib.c); GPL-2+(unit/test-textfile.c); GPL-2(unit/util.c); GPL-2+(debian/* ); Apache-2.0(debian/* ); BSD-2-clause(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ) | +| {{}} | 5.50-1.2~deb10u3 | GPL-2+(* ); LGPL-2.1+(android/* ); Apache-2.0(android/audio_utils/* ); GPL-2+(android/avctp.c); GPL-2+(android/avctp.h); GPL-2+(android/avdtptest.c); Apache-2.0(android/bluetoothd-wrapper.c); Apache-2.0(android/client/* ); GPL-2+(android/compat/* ); LGPL-2.1+(android/compat/wordexp.h); Apache-2.0(android/hal-audio-aptx.c); Apache-2.0(android/hardware/* ); LGPL-2.1+(android/health.c); GPL-2+(android/log.c); Apache-2.0(android/system/* ); GPL-2+(attrib/* ); GPL-2+(attrib/att-database.h); GPL-2+(attrib/gatttool.h); GPL-2+(btio/* ); LGPL-2.1+(emulator/* ); GPL-2+(emulator/b1ee.c); LGPL-2.1+(emulator/hciemu.c); LGPL-2.1+(emulator/smp.c); GPL-2+(gdbus/* ); GPL-2+(lib/* ); GPL-2+(lib/a2mp.h); GPL-2(lib/amp.h); GPL-2+(lib/bnep.h); GPL-2+(lib/cmtp.h); GPL-2+(lib/l2cap.h); GPL-2+(lib/mgmt.h); GPL-2+(lib/sdp.c); LGPL-2.1+(monitor/* ); LGPL-2.1+(monitor/a2dp.c); LGPL-2.1+(monitor/tty.h); GPL-2+(obexd/* ); GPL-2+(obexd/client/bluetooth.c); GPL-2(obexd/client/dbus.c); GPL-2+(obexd/client/map-event.c); GPL-2+(obexd/client/map.c); GPL-2+(obexd/client/pbap.c); GPL-2+(obexd/client/session.c); GPL-2+(obexd/plugins/* ); GPL-2+(obexd/plugins/filesystem.c); GPL-2+(obexd/plugins/filesystem.h); GPL-2+(obexd/plugins/irmc.c); GPL-2+(obexd/plugins/mas.c); GPL-2+(obexd/plugins/vcard.c); GPL-2+(obexd/src/manager.h); GPL-2+(obexd/src/obex-priv.h); LGPL-2.1+(peripheral/* ); GPL-2+(plugins/autopair.c); GPL-2+(plugins/external-dummy.c); GPL-2+(plugins/gatt-example.c); GPL-2+(plugins/hostname.c); GPL-2+(plugins/neard.c); GPL-2+(plugins/sixaxis.c); GPL-2+(plugins/wiimote.c); GPL-2+(profiles/* 
); GPL-2+(profiles/audio/* ); LGPL-2.1+(profiles/audio/a2dp-codecs.h); GPL-2+(profiles/audio/a2dp.c); GPL-2+(profiles/audio/avctp.c); GPL-2+(profiles/audio/player.c); GPL-2+(profiles/audio/source.c); LGPL-2.1+(profiles/battery/* ); LGPL-2.1+(profiles/deviceinfo/* ); GPL-2+(profiles/deviceinfo/deviceinfo.c); GPL-2+(profiles/deviceinfo/dis.c); GPL-2+(profiles/gap/* ); GPL-2+(profiles/health/* ); GPL-2+(profiles/health/mcap.c); GPL-2+(profiles/input/device.c); GPL-2+(profiles/input/hog-lib.c); LGPL-2.1+(profiles/input/hog-lib.h); GPL-2+(profiles/input/hog.c); GPL-2+(profiles/input/suspend-dummy.c); GPL-2+(profiles/input/uhid_copy.h); GPL-2+(profiles/sap/* ); GPL-2+(profiles/sap/sap-dummy.c); GPL-2(profiles/sap/sap-u8500.c); GPL-2+(profiles/sap/sap.h); GPL-2+(profiles/sap/server.c); GPL-2+(profiles/sap/server.h); GPL-2+(profiles/scanparam/* ); LGPL-2.1+(profiles/scanparam/scpp.h); GPL-2+(profiles/thermometer/* ); GPL-2+(profiles/time/* ); GPL-2+(src/* ); GPL-2+(src/adapter.c); GPL-2+(src/advertising.c); GPL-2+(src/dbus-common.c); GPL-2+(src/error.c); GPL-2+(src/hcid.h); GPL-2+(src/profile.c); GPL-2+(src/sdpd-database.c); GPL-2+(src/service.c); LGPL-2.1+(src/shared/* ); LGPL-2.1+(src/shared/ad.c); BSD-2-clause(src/shared/ecc.c); LGPL-2.1+(src/shared/hci-crypto.c); LGPL-2.1+(src/shared/mainloop.c); GPL-2+(test/* ); GPL-2+(tools/amptest.c); GPL-2+(tools/avinfo.c); GPL-2+(tools/bccmd.c); GPL-2+(tools/bneptest.c); GPL-2+(tools/btgatt-client.c); GPL-2+(tools/gatt-service.c); GPL-2+(tools/hciattach.c); GPL-2+(tools/hciattach_ath3k.c); GPL-2+(tools/hciattach_qualcomm.c); GPL-2+(tools/hciattach_ti.c); GPL-2+(tools/hcidump.c); GPL-2+(tools/hid2hci.c); GPL-2(tools/obex-client-tool.c); GPL-2+(tools/parser/* ); GPL-2+(tools/parser/amp.c); GPL-2+(tools/parser/att.c); GPL-2+(tools/parser/bnep.c); GPL-2+(tools/parser/hci.c); GPL-2+(tools/parser/rfcomm.c); GPL-2+(tools/parser/sap.c); GPL-2+(tools/parser/sdp.c); GPL-2+(tools/sdptool.c); LGPL-2.1+(tools/test-runner.c); 
Expat(tools/ubcsp.c); GPL-2+(unit/test-crc.c); BSD-2-clause(unit/test-ecc.c); GPL-2+(unit/test-gattrib.c); GPL-2+(unit/test-lib.c); GPL-2+(unit/test-textfile.c); GPL-2(unit/util.c); GPL-2+(debian/* ); Apache-2.0(debian/* ); BSD-2-clause(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ) | | {{}} | 1.67.0-13+deb10u1 | BSL-1.0(* ); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); Zlib(Files:); boehm_gc(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and OldBoost1(Files:); BSL-1.0 and OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost2(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); Perforce(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0(Files:); BSL-1.0 and Perforce(Files:); BSL-1.0 and Perforce(Files:); Perforce(Files:); Perforce(Files:); Perforce(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and OldBoost4(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost2(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); 
BSL-1.0 and SGI(Files:); BSL-1.0 and SGI(Files:); SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and OldBoost1(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost3 and SGI(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); PSF(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); 
BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0 and SGI(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); Perforce(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSDRegex(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); OldBoost1(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSL-1.0(Files:); BSDRegex(Files:); BSL-1.0(Files:); OldBoost1(Files:); OldBoost2(Files:); OldBoost3(Files:); OldBoost4(Files:); Perforce(Files:); PSF(Files:); SGI(Files:) | | {{}} | 1.67.0.1 | BSD | | {{}} | 5.6-10+deb10u1 | LGPL-2 | 
@@ -422,10 +425,10 @@ pdfhidden: True | {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | | {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | | {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | -| {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | -| {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | -| {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | -| {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | +| {{}} | 2.28-10+deb10u2 | BSD; GPL; GPL-2; ISC; LGPL-2 | +| {{}} | 2.28-10+deb10u2 | BSD; GPL; GPL-2; ISC; LGPL-2 | +| {{}} | 2.28-10+deb10u2 | BSD; GPL; GPL-2; ISC; LGPL-2 | +| {{}} | 2.28-10+deb10u2 | BSD; GPL; GPL-2; ISC; LGPL-2 | | {{}} | 0.99.beta19-2.1 | LGPL | | {{}} | 0.99.beta19-2.1 | LGPL | | {{}} | 2.6.1-1 | LGPL-2.1+( * ); auto-permissive( m4/* ); GPL-3.0+ with autoconf exception( m4/ax_append_compile_flags.m4); GPL-2.0+( src/glib-compat.h); LGPL-2.1+( m4/ax_code_coverage.m4); GPL-2+(debian/* ); LGPL-2.1+(debian/* ) | @@ -437,9 +440,10 @@ pdfhidden: True | {{}} | 0.7.9-2 | GPL; GPL-2; GPL-3; LGPL-2 | | {{}} | 4.0.1+really+3.0.5-1 | BSD-3-clause(* ); BSD_LLVM(arch/AArch64/AArch64BaseInfo.c); GPL-2+(debian/* ); BSD-3-clause(debian/* ); BSD_LLVM(debian/* ) | | {{}} | 0.48-1 | Apache-2.0(* ); Apache-2.0 or Artistic or GPL-1+(debian/* ); Apache-2.0(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 1.14.0-1+deb10u1 | GPL; MIT | -| {{}} | 1.14.0-1+deb10u1 | GPL; MIT | +| {{}} | 1.14.0-1+deb10u4 | GPL; MIT | +| {{}} | 1.14.0-1+deb10u4 | GPL; MIT | | {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | +| {{}} | 0.5.0+dfsg-2 | Expat(* ); Expat(src/cbor/internal/unicode.c); Apache-2.0(docs/stylesheets/github-light.css); Expat(debian/* ); Expat(debian/* ) | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 1.4.30-1 | LGPL-2 | | {{}} | 2.28-10+deb10u1 | BSD; GPL; GPL-2; ISC; LGPL-2 | 
@@ -463,10 +467,13 @@ pdfhidden: True | {{}} | 2.9.6-2 | LGPL-2.1(* ); LGPL-2.1(debian/* ); LGPL-2.1(debian/* ) | | {{}} | 0.6.12-3 | LGPL | | {{}} | 2.1.0-5+deb10u2 | GPL-2+ with OpenSSL exception(* ); GPL-2+(debian/* ); GPL-2+(debian/askpass.c debian/scripts/passdev.c); GPL-2+(debian/initramfs/cryptroot-unlock); GPL-2+(debian/README.opensc); GPL-2+(debian/scripts/cryptdisks_start); GPL-2+(debian/scripts/luksformat); GPL-2+(debian/scripts/decrypt_gnupg-sc debian/README.gnupg-sc debian/initramfs/hooks/cryptgnupg-sc debian/initramfs/scripts/local-bottom/cryptgnupg-sc); LGPL-2.1+(docs/examples/* ); GPL-2+(lib/base64.c); LGPL-2.1+(lib/crypto_backend/* lib/loopaes/* lib/tcrypt/* lib/verity/* ); LGPL-2.1+ with OpenSSL exception(lib/crypto_backend/crypto_openssl.c); CC0 or Apache-2.0(lib/crypto_backend/argon2/* ); CC0 or Apache-2.0(lib/crypto_backend/argon2/encoding.c); public-domain(lib/crypto_backend/crc32.c); GPL-2+(lib/crypto_backend/crc32.c); GPL-2+ with OpenSSL exception(lib/crypto_backend/crc32.c); LGPL-2.1+(lib/crypto_backend/crc32.c); LGPL-2.1+ with OpenSSL exception(lib/crypto_backend/crc32.c); CC0(lib/crypto_backend/crc32.c); Apache-2.0(lib/crypto_backend/crc32.c) | -| {{}} | 2.2.10-6+deb10u6 | GPL-2.0 with AOSDL exception(* ); LGPL-2.0 with AOSDL exception(cups/* filter/* ); Zlib(cups/md5-private.h); BSD-2-clause(scheduler/colorman.c); GPL-2.0 with AOSDL exception(scheduler/colorman.c); LGPL-2.0 with AOSDL exception(scheduler/colorman.c); Zlib(scheduler/colorman.c) | -| {{}} | 2.2.10-6+deb10u6 | GPL-2.0 with AOSDL exception(* ); LGPL-2.0 with AOSDL exception(cups/* filter/* ); Zlib(cups/md5-private.h); BSD-2-clause(scheduler/colorman.c); GPL-2.0 with AOSDL exception(scheduler/colorman.c); LGPL-2.0 with AOSDL exception(scheduler/colorman.c); Zlib(scheduler/colorman.c) | -| {{}} | 7.64.0-4+deb10u2 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); 
curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | -| {{}} | 7.64.0-4+deb10u2 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | +| {{}} | 2.2.10-6+deb10u8 | GPL-2.0 with AOSDL exception(* ); LGPL-2.0 with AOSDL exception(cups/* filter/* ); Zlib(cups/md5-private.h); BSD-2-clause(scheduler/colorman.c); GPL-2.0 with AOSDL exception(scheduler/colorman.c); LGPL-2.0 with AOSDL exception(scheduler/colorman.c); Zlib(scheduler/colorman.c) | +| {{}} | 2.2.10-6+deb10u8 | GPL-2.0 with AOSDL exception(* ); LGPL-2.0 with AOSDL exception(cups/* filter/* ); Zlib(cups/md5-private.h); BSD-2-clause(scheduler/colorman.c); GPL-2.0 with AOSDL exception(scheduler/colorman.c); LGPL-2.0 with AOSDL exception(scheduler/colorman.c); Zlib(scheduler/colorman.c) | +| {{}} | 7.64.0-4+deb10u7 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); 
curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | +| {{}} | 7.64.0-4+deb10u6 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | +| {{}} | 7.64.0-4+deb10u6 | NO COPYRIGHT FILE | +| {{}} | 7.64.0-4+deb10u7 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | +| {{}} | 7.64.0-4+deb10u6 | curl(* ); curl(lib/vtls/darwinssl.* ); curl(lib/curl_rtmp.* ); curl(lib/vtls/schannel.* ); ISC(lib/inet_pton.c); BSD-3-Clause(lib/krb5.c); public-domain(lib/md4.c); curl(lib/openldap.* ); curl(lib/vtls/polarssl.* ); curl(lib/socks_gssapi.c); 
curl(tests/certs/scripts/genroot.sh); BSD-4-Clause(tests/server/tftpd.c); curl(tests/server/fake_ntlm.c); BSD-3-Clause(docs/examples/fopen.c); BSD-3-Clause(docs/examples/rtsp.c); curl(docs/examples/curlgtk.c); other(docs/examples/curlx.c); other(src/macos/src/macos_main.cpp); curl(debian/* ); curl(debian/* ); BSD-3-Clause(debian/* ); BSD-4-Clause(debian/* ); ISC(debian/* ) | | {{}} | 4.2.0-2 | MPL-2.0(* ); BSD-3-clause(src/foreign/sha1/* ); Beerware(src/foreign/slre/* ); MPL-2.0(debian/* ); BSD-3-clause(debian/* ); Beerware(debian/* ); MPL-2.0(debian/* ) | | {{}} | 4.2.0-2 | MPL-2.0(* ); BSD-3-clause(src/foreign/sha1/* ); Beerware(src/foreign/slre/* ); MPL-2.0(debian/* ); BSD-3-clause(debian/* ); Beerware(debian/* ); MPL-2.0(debian/* ) | | {{}} | 0.14-7 | GPL; GPL-2; LGPL | 
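Review bot: The added rows carrying the curl licence text list two different revisions, 7.64.0-4+deb10u7 on two rows and 7.64.0-4+deb10u6 on three, where the removed row visible here had a single revision (7.64.0-4+deb10u2). If this table is generated from the shipped image, please confirm that the mix is intended, because any row left at deb10u6 does not carry whatever changed in deb10u7. One of the deb10u6 rows also reads "NO COPYRIGHT FILE" while its siblings list licences; fill that cell in or note why it is empty.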
@@ -474,8 +481,8 @@ pdfhidden: True | {{}} | 5.3.28+dfsg1-0.5 | BSD | | {{}} | 1.62-3 | Artistic or GPL-1+(* ); public-domain(dbdimp.* sqlite3* ); public-domain(fts3_tokenizer.h); Artistic or GPL-1+(ppport.h); Artistic or GPL-1+(inc/Test/NoWarnings.pm); Artistic or GPL-1+(lib/DBD/SQLite/Fulltext_search.pod); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.642-1+deb10u2 | Artistic or GPL-1+(* ); Artistic or GPL-1+(Driver.xst); Artistic or GPL-1+(dbd_xsh.h); Artistic or GPL-1+(dbipport.h); Artistic or GPL-1+(dbiprof.PL); Artistic or GPL-1+(dbiproxy.PL); Artistic or GPL-1+(lib/DBI/DBD.pm); Artistic or GPL-1+(lib/DBD/DBM.pm); Artistic or GPL-1+(lib/DBD/Mem.pm); Artistic or GPL-1+(lib/DBI/SQL/Nano.pm); Artistic or GPL-1+(lib/DBI/ProfileData.pm); Artistic or GPL-1+(lib/DBI/DBD/Metadata.pm); Artistic or GPL-1+(lib/DBI/DBD/SqlEngine.pm); Artistic or GPL-1+(lib/DBD/File.pm); Artistic or GPL-1+(lib/DBD/Proxy.pm); Artistic or GPL-1+(lib/DBD/File/HowTo.pod); Artistic or GPL-1+(lib/DBI/DBD/SqlEngine/Developers.pod); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 1.12.20-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | -| {{}} | 1.12.20-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | +| {{}} | 1.12.24-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | +| {{}} | 1.12.24-0+deb10u1 | GPL-2+ or AFL-2.1(* ); GPL-2+(Files:); Expat(Files:); BSD-3-clause(tools/strto* ll.c); BSD-3-clause-generic(Files:); GPL-2+ or AFL-2.1 | | {{}} | 0.249 | public domain | | {{}} | 0.249 | public domain | | {{}} | 0.008-1 | Artistic or GPL-1+(* ); GPL-3+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ); GPL-3+(debian/* ) | 
@@ -488,8 +495,8 @@ pdfhidden: True | {{}} | 2.1.2-8 | GPL | | {{}} | 2.65+b1 | LGPL | | {{}} | 2.65+b1 | LGPL | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | | {{}} | 1.19.8 | GPL-2+(* ); GPL-2+(Files:); GPL-2(Files:); BSD-2-clause(Files:); public-domain-s-s-d(Files:); public-domain-md5(lib/compat/md5.* ); GPL-2+(lib/compat/md5.* ); GPL-2(lib/compat/md5.* ); BSD-2-clause(lib/compat/md5.* ) | | {{}} | 2.4.97-1 | BSD | | {{}} | 2.4.97-1 | BSD | 
@@ -502,8 +509,8 @@ pdfhidden: True | {{}} | 2.4.97-1 | BSD | | {{}} | 2.4.97-1 | BSD | | {{}} | 1.12-8 | BSD | -| {{}} | 0.176-1.1 | GPL; GPL-2; GPL-3; LGPL- | -| {{}} | 0.176-1.1 | GPL; GPL-2; GPL-3; LGPL- | +| {{}} | 0.176-1.1+deb10u1 | GPL; GPL-2; GPL-3; LGPL- | +| {{}} | 0.176-1.1+deb10u1 | GPL; GPL-2; GPL-3; LGPL- | | {{}} | 0.003-1 | Artistic or GPL-1+(* ); GPL-3+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ); GPL-3+(debian/* ) | | {{}} | 105-7 | GPL-3+(* ); GPL-3+(debian/* ); GPL-3+(debian/* ) | | {{}} | 3.1-20181209-1 | BSD-3-clause(Files:) | 
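Review bot: Both added rows (0.176-1.1+deb10u1) keep the truncated licence entry "LGPL-" at the end of the licence column, copied over from the rows they replace. Since these rows are being rewritten anyway, fill in the full identifier from the package's copyright file, or fix the generator that cuts it off. The same truncated value appears again in the 0.176-1.1+deb10u1 rows of the next hunk.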
@@ -514,8 +521,8 @@ pdfhidden: True | {{}} | 37-2+deb10u1 | LGPL-2.0+(* ); GPL-2.0+(debian/* ); LGPL-2.0+(debian/* ); GPL-2.0+(debian/* ) | | {{}} | 1.1.0-1 | MIT(* ); MIT(include/c99_compat.h); MIT(include/glvnd_list.h); MIT(Files: include/KHR/khrplatform.h); MIT(Files: include/compiler.h); MIT(Files: include/GL/glx.h); public-domain(m4/ax_check_enable_debug.m4); GPL-3+(m4/ax_check_link_flag.m4); GPL-3+(m4/ax_pthread.m4); MIT(Files: src/generate/gen_gldispatch_mapi.py); MIT(Files: src/GLdispatch/vnd-glapi/entry.h); MIT(Files: src/GLdispatch/vnd-glapi/u_current_tsd.c); MIT(Files: src/GLdispatch/vnd-glapi/mapi_glapi.c); MIT(Files: src/util/cJSON* ); BSD-1-clause(Files: src/util/uthash/* ); MIT(debian/* ); MIT(debian/* ); BSD-1-clause(debian/* ); GPL-3+(debian/* ) | | {{}} | 18.3.6-2+deb10u1 | MIT(* ); BSD-3-clause(include/EGL/eglextchromium.h:); Khronos(include/GL/glcorearb.h); Apache-2.0(include/GLES/egl.h); BSL(include/c11/* ); MLAA(src/gallium/auxiliary/postprocess/pp_mlaa* ); SGI(src/glx/clientattrib.c); BSD-2-clause(src/getopt); BSD-3-clause(src/gtest/include src/gtest/src); GPL(debian); MIT(debian); Khronos(debian); SGI(debian); Apache-2.0(debian); BSL(debian); MLAA(debian); GPL(debian); BSD-3-clause(debian); BSD-2-clause(debian) | -| {{}} | 0.176-1.1 | GPL; GPL-2; GPL-3; LGPL- | -| {{}} | 0.176-1.1 | GPL; GPL-2; GPL-3; LGPL- | +| {{}} | 0.176-1.1+deb10u1 | GPL; GPL-2; GPL-3; LGPL- | +| {{}} | 0.176-1.1+deb10u1 | GPL; GPL-2; GPL-3; LGPL- | | {{}} | 1.202-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.05-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.5.3-0.1 | Expat(* ); Expat(registry/* ); Expat(registry/* ) | 
@@ -527,30 +534,31 @@ pdfhidden: True | {{}} | 2.1.8-stable-4 | BSD | | {{}} | 2.1.8-stable-4 | BSD | | {{}} | 2.1.8-stable-4 | BSD | -| {{}} | 2.2.6-2+deb10u4 | MIT(* ); MIT(debian/* ); MIT(debian/* ) | -| {{}} | 2.2.6-2+deb10u4 | MIT(* ); MIT(debian/* ); MIT(debian/* ) | +| {{}} | 2.2.6-2+deb10u6 | MIT(* ); MIT(debian/* ); MIT(debian/* ) | +| {{}} | 2.2.6-2+deb10u6 | MIT(* ); MIT(debian/* ); MIT(debian/* ) | | {{}} | 1.002001-1 | Artistic or GPL-1+(* ); License:(* ); GPL-3+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ); GPL-3+(debian/* ) | | {{}} | 1.44.5-1+deb10u3 | BSD; GPL; GPL-2; LGPL-2; MIT | | {{}} | 1.44.5-1+deb10u3 | BSD; GPL; GPL-2; LGPL-2; MIT | | {{}} | 1.23-1 | Artistic; GPL; GPL-3 | -| {{}} | 0.99.8-2 | Expat(* ); Apache-2.0(atomic.h); Expat(atomic.h); Apache-2.0(atomic.h) | +| {{}} | 0.99.8-2+deb10u1 | Expat(* ); Apache-2.0(atomic.h); Expat(atomic.h); Apache-2.0(atomic.h) | | {{}} | 2.33.1-0.1 | GPL-2+(* ); GPL-2(schedutils/ionice.c); GPL-2(schedutils/chrt.c); GPL-2(disk-utils/raw.c); GPL-2(sys-utils/nsenter.c); GPL-2(disk-utils/mkfs.minix.c); public-domain(lib/at.c); BSD-4-clause(login-utils/vipw.c); MIT(text-utils/tailf.c); MIT(sys-utils/flock.c); BSD-2-clause(text-utils/pg.c); BSD-2-clause(login-utils/last-deprecated.c); BSD-2-clause(login-utils/login.c); BSD-3-clause(login-utils/logindefs.c); BSD-3-clause(libuuid/* ); LGPL-2+(lib/procutils.c); LGPL-2+(* /colors.* ); LGPL-2+(login-utils/setpwnam.h); LGPL-2.1+(libfdisk/* ); LGPL-2.1+(lib/cpuset.c); LGPL-2.1+(* /mbsalign.* ); GPL-3+(* /readutmp.* ); LGPL-2.1+(* /timeutils.* ); LGPL(include/list.h); LGPL-2.1+(libblkid/* ); LGPL(include/cpuset.h); LGPL(misc-utils/blkid.c); LGPL-2.1+(libmount/* ); LGPL-3+(libmount/python/* ); LGPL(libsmartcols/* ); GPL-2+(debian/* ); public-domain(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-3+(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ); BSD-4-clause(debian/* ); LGPL(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); LGPL-3+(debian/* 
); MIT(debian/* ) | | {{}} | 1.4.7-4 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+ or BSD-2-clause(libfdt/* ); LGPL-2.1+(tests/* ); GPL-2+(tests/dumptrees.c); GPL-2+(tests/dumptrees.c); LGPL-2.1+(tests/dumptrees.c); BSD-2-clause(tests/dumptrees.c) | | {{}} | 3.2.1-9 | GPL | | {{}} | 3.2.1-9 | NO COPYRIGHT FILE | +| {{}} | 1.5.0-2~bpo10+1 | BSD-2-clause(* ); BSD-2-clause(debian/* ); ISC(openbsd-compat/strlcpy.c openbsd-compat/strlcat.c); ISC(openbsd-compat/timingsafe_bcmp.c); public-domain(Files:); ISC(openbsd-compat/recallocarray.c); ISC(openbsd-compat/readpassphrase.h); ISC(openbsd-compat/readpassphrase.c); BSD-2-clause(openbsd-compat/getopt.h); ISC and BSD-2-clause(openbsd-compat/getopt_long.c); BSD-2-clause(openbsd-compat/getopt_long.c); public-domain(openbsd-compat/getopt_long.c); ISC(openbsd-compat/getopt_long.c) | | {{}} | 0.02-2+b6 | Artistic or GPL-1+(* ); Artistic or GPL-1+(ppport.h); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.004-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 6.04-1 | Artistic; GPL; GPL-1; GPL-1+ | | {{}} | 1.1.2-1 | GPL-3+(* ); GPL-3+(* ) | | {{}} | 1.23-1 | GPL-1+ or Artistic(* ); GPL-1+ or Artistic(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 2.6.4-6.2 | FLEX(* ); GPL-3+(debian/* ); FLEX(m4/* ); FSFAP(m4/ax_prog_cc_for_build.m4); GPL(m4/libtool.m4); FLEX(m4/ltoptions.m4); FLEX(m4/nls.m4); GPL(po/Makefile.in.in); FLEX(po/Makevars); FLEX(src/* ); FLEX(src/Makefile.am); LGPL-2+(src/gettext.h); GPL-3+(src/parse.c); GPL-2+(tools/git2cl); GPL-3+(tools/git2cl) | -| {{}} | 1.3.2-3+deb10u1 | GPL-2+ or LGPL-2.1+(* ); GFDL-1.1+(doc/* ); GPL-2+(examples/* ); BSD-3-clause(include/FLAC++/* ); LGPL-2.1+(include/share/grabbag.h); LGPL-2+(include/share/getopt.h); Public-domain(src/libFLAC/include/private/md5.h); ISC(src/flac/local_string_utils.c); GPL-2+(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ) | +| {{}} | 1.3.2-3+deb10u2 | GPL-2+ 
or LGPL-2.1+(* ); GFDL-1.1+(doc/* ); GPL-2+(examples/* ); BSD-3-clause(include/FLAC++/* ); LGPL-2.1+(include/share/grabbag.h); LGPL-2+(include/share/getopt.h); Public-domain(src/libFLAC/include/private/md5.h); ISC(src/flac/local_string_utils.c); GPL-2+(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ) | | {{}} | 2.13.1-2 | BSD-like | | {{}} | 1.1.3-1+b2 | BSD | | {{}} | 1.6.3-1.1 | NO COPYRIGHT FILE | -| {{}} | 2.9.1-3+deb10u2 | GPL-2+ or FTL(* ); FTL and Catharon-OSL and MIT(vms_make.com); FTL(builds/amiga/* builds/amiga/include/config/* ); FTL(builds/amiga/src/base/* ); BSD-3-Clause(builds/cmake/FindHarfBuzz.cmake); FTL(builds/mac/ftmac.c); FTL(builds/mac/README); FSFULLR and GPL-2+(builds/unix/aclocal.m4); FSFUL and GPL-2+(builds/unix/configure); Permissive and GPL-3+(builds/unix/config.guess builds/unix/config.sub); MIT(builds/unix/install-sh); GPL-2+ and GPL-3+(builds/unix/ltmain.sh); GPL-2+(builds/unix/pkg.m4); GPL-2+(debian/* ); FTL(docs/INSTALL.CROSS); MIT or GPL-2+(ft2docs/docs/js/jquery.ba-resize.min.js); MIT(ft2docs/docs/js/jquery-1.11.0.min.js); Public-Domain(ft2docs/docs/tutorial/example2.cpp); MIT(ft2docs/docs/tutorial/example5.cpp); FTL(ft2demos/Jamfile); FTL(ft2demos/graph/beos/grbeos.cpp); FTL(ft2demos/graph/mac/grmac.c); FTL(ft2demos/graph/win32/grwin32.c ft2demos/graph/win32/grwin32.h); FTL(ft2demos/graph/graph.h); Public-Domain(ft2demos/graph/grswizzle.c); FTL(ft2demos/mac/ftoldmac.c); MIT(ft2demos/mac/getargv.c); Public-Domain(ft2demos/src/mlgetopt.c ft2demos/src/mlgetopt.h); FTL(ft2demos/src/ftinspect/* ); FTL(include/freetype/ftbzip2.h); FTL(include/freetype/ftcid.h); FTL(include/freetype/ftgxval.h); MIT(include/freetype/internal/fthash.h); FTL(include/freetype/internal/ftrfork.h); FTL(include/freetype/internal/ftpic.h); FTL(include/freetype/internal/services/svttglyf.h); FTL(src/autofit/afindic.c src/autofit/afindic.h); FTL(src/base/ftbase.h); Public-Domain(src/base/md5.c src/base/md5.h); MIT(src/bdf/bdf.c); MIT(src/bdf/bdf.h 
src/bdf/bdflib.c); FTL(src/gxvalid/* ); FTL(src/gxvalid/Jamfile); Zlib(src/gzip/adler32.c); Zlib(src/gzip/ftzconf.h); Zlib(src/gzip/zlib.h); FTL(src/lzw/ftlzw.c src/lzw/rules.mk); OpenGroup-BSD-like(src/pcf/pcfutil.c); FTL(src/psaux/psarrst.c src/psaux/psarrst.h); FTL(src/sfnt/pngshim.c src/sfnt/pngshim.h); FTL(src/sfnt/ttsbit.c); Public-Domain(src/tools/apinames.c src/tools/chktrcmp.py); FTL(src/tools/update-copyright-year); BSD-3-Clause(src/tools/ftrandom/ftrandom.c); FTL(src/truetype/ttgxvar.c src/truetype/ttgxvar.h); FTL(src/type42/t42drivr.c src/type42/t42drivr.h); FTL(src/winfonts/winfnt.c); FTL(src/winfonts/winfnt.h); BSD-3-Clause(src/winfonts/winfnt.h); Catharon-OSL(src/winfonts/winfnt.h); FSFUL(src/winfonts/winfnt.h); FSFULLR(src/winfonts/winfnt.h); FTL(src/winfonts/winfnt.h); GPL-2+(src/winfonts/winfnt.h); GPL-3+(src/winfonts/winfnt.h); MIT(src/winfonts/winfnt.h); OpenGroup-BSD-like(src/winfonts/winfnt.h); Permissive(src/winfonts/winfnt.h); Zlib(src/winfonts/winfnt.h) | -| {{}} | 2.9.1-3+deb10u2 | GPL-2+ or FTL(* ); FTL and Catharon-OSL and MIT(vms_make.com); FTL(builds/amiga/* builds/amiga/include/config/* ); FTL(builds/amiga/src/base/* ); BSD-3-Clause(builds/cmake/FindHarfBuzz.cmake); FTL(builds/mac/ftmac.c); FTL(builds/mac/README); FSFULLR and GPL-2+(builds/unix/aclocal.m4); FSFUL and GPL-2+(builds/unix/configure); Permissive and GPL-3+(builds/unix/config.guess builds/unix/config.sub); MIT(builds/unix/install-sh); GPL-2+ and GPL-3+(builds/unix/ltmain.sh); GPL-2+(builds/unix/pkg.m4); GPL-2+(debian/* ); FTL(docs/INSTALL.CROSS); MIT or GPL-2+(ft2docs/docs/js/jquery.ba-resize.min.js); MIT(ft2docs/docs/js/jquery-1.11.0.min.js); Public-Domain(ft2docs/docs/tutorial/example2.cpp); MIT(ft2docs/docs/tutorial/example5.cpp); FTL(ft2demos/Jamfile); FTL(ft2demos/graph/beos/grbeos.cpp); FTL(ft2demos/graph/mac/grmac.c); FTL(ft2demos/graph/win32/grwin32.c ft2demos/graph/win32/grwin32.h); FTL(ft2demos/graph/graph.h); Public-Domain(ft2demos/graph/grswizzle.c); 
FTL(ft2demos/mac/ftoldmac.c); MIT(ft2demos/mac/getargv.c); Public-Domain(ft2demos/src/mlgetopt.c ft2demos/src/mlgetopt.h); FTL(ft2demos/src/ftinspect/* ); FTL(include/freetype/ftbzip2.h); FTL(include/freetype/ftcid.h); FTL(include/freetype/ftgxval.h); MIT(include/freetype/internal/fthash.h); FTL(include/freetype/internal/ftrfork.h); FTL(include/freetype/internal/ftpic.h); FTL(include/freetype/internal/services/svttglyf.h); FTL(src/autofit/afindic.c src/autofit/afindic.h); FTL(src/base/ftbase.h); Public-Domain(src/base/md5.c src/base/md5.h); MIT(src/bdf/bdf.c); MIT(src/bdf/bdf.h src/bdf/bdflib.c); FTL(src/gxvalid/* ); FTL(src/gxvalid/Jamfile); Zlib(src/gzip/adler32.c); Zlib(src/gzip/ftzconf.h); Zlib(src/gzip/zlib.h); FTL(src/lzw/ftlzw.c src/lzw/rules.mk); OpenGroup-BSD-like(src/pcf/pcfutil.c); FTL(src/psaux/psarrst.c src/psaux/psarrst.h); FTL(src/sfnt/pngshim.c src/sfnt/pngshim.h); FTL(src/sfnt/ttsbit.c); Public-Domain(src/tools/apinames.c src/tools/chktrcmp.py); FTL(src/tools/update-copyright-year); BSD-3-Clause(src/tools/ftrandom/ftrandom.c); FTL(src/truetype/ttgxvar.c src/truetype/ttgxvar.h); FTL(src/type42/t42drivr.c src/type42/t42drivr.h); FTL(src/winfonts/winfnt.c); FTL(src/winfonts/winfnt.h); BSD-3-Clause(src/winfonts/winfnt.h); Catharon-OSL(src/winfonts/winfnt.h); FSFUL(src/winfonts/winfnt.h); FSFULLR(src/winfonts/winfnt.h); FTL(src/winfonts/winfnt.h); GPL-2+(src/winfonts/winfnt.h); GPL-3+(src/winfonts/winfnt.h); MIT(src/winfonts/winfnt.h); OpenGroup-BSD-like(src/winfonts/winfnt.h); Permissive(src/winfonts/winfnt.h); Zlib(src/winfonts/winfnt.h) | -| {{}} | 1.0.5-3.1+deb10u1 | LGPL-2.1+(* ); LGPL-2.1+(debian/* ); LGPL-2.1+(debian/* ) | +| {{}} | 2.9.1-3+deb10u3 | GPL-2+ or FTL(* ); FTL and Catharon-OSL and MIT(vms_make.com); FTL(builds/amiga/* builds/amiga/include/config/* ); FTL(builds/amiga/src/base/* ); BSD-3-Clause(builds/cmake/FindHarfBuzz.cmake); FTL(builds/mac/ftmac.c); FTL(builds/mac/README); FSFULLR and GPL-2+(builds/unix/aclocal.m4); FSFUL and 
GPL-2+(builds/unix/configure); Permissive and GPL-3+(builds/unix/config.guess builds/unix/config.sub); MIT(builds/unix/install-sh); GPL-2+ and GPL-3+(builds/unix/ltmain.sh); GPL-2+(builds/unix/pkg.m4); GPL-2+(debian/* ); FTL(docs/INSTALL.CROSS); MIT or GPL-2+(ft2docs/docs/js/jquery.ba-resize.min.js); MIT(ft2docs/docs/js/jquery-1.11.0.min.js); Public-Domain(ft2docs/docs/tutorial/example2.cpp); MIT(ft2docs/docs/tutorial/example5.cpp); FTL(ft2demos/Jamfile); FTL(ft2demos/graph/beos/grbeos.cpp); FTL(ft2demos/graph/mac/grmac.c); FTL(ft2demos/graph/win32/grwin32.c ft2demos/graph/win32/grwin32.h); FTL(ft2demos/graph/graph.h); Public-Domain(ft2demos/graph/grswizzle.c); FTL(ft2demos/mac/ftoldmac.c); MIT(ft2demos/mac/getargv.c); Public-Domain(ft2demos/src/mlgetopt.c ft2demos/src/mlgetopt.h); FTL(ft2demos/src/ftinspect/* ); FTL(include/freetype/ftbzip2.h); FTL(include/freetype/ftcid.h); FTL(include/freetype/ftgxval.h); MIT(include/freetype/internal/fthash.h); FTL(include/freetype/internal/ftrfork.h); FTL(include/freetype/internal/ftpic.h); FTL(include/freetype/internal/services/svttglyf.h); FTL(src/autofit/afindic.c src/autofit/afindic.h); FTL(src/base/ftbase.h); Public-Domain(src/base/md5.c src/base/md5.h); MIT(src/bdf/bdf.c); MIT(src/bdf/bdf.h src/bdf/bdflib.c); FTL(src/gxvalid/* ); FTL(src/gxvalid/Jamfile); Zlib(src/gzip/adler32.c); Zlib(src/gzip/ftzconf.h); Zlib(src/gzip/zlib.h); FTL(src/lzw/ftlzw.c src/lzw/rules.mk); OpenGroup-BSD-like(src/pcf/pcfutil.c); FTL(src/psaux/psarrst.c src/psaux/psarrst.h); FTL(src/sfnt/pngshim.c src/sfnt/pngshim.h); FTL(src/sfnt/ttsbit.c); Public-Domain(src/tools/apinames.c src/tools/chktrcmp.py); FTL(src/tools/update-copyright-year); BSD-3-Clause(src/tools/ftrandom/ftrandom.c); FTL(src/truetype/ttgxvar.c src/truetype/ttgxvar.h); FTL(src/type42/t42drivr.c src/type42/t42drivr.h); FTL(src/winfonts/winfnt.c); FTL(src/winfonts/winfnt.h); BSD-3-Clause(src/winfonts/winfnt.h); Catharon-OSL(src/winfonts/winfnt.h); FSFUL(src/winfonts/winfnt.h); 
FSFULLR(src/winfonts/winfnt.h); FTL(src/winfonts/winfnt.h); GPL-2+(src/winfonts/winfnt.h); GPL-3+(src/winfonts/winfnt.h); MIT(src/winfonts/winfnt.h); OpenGroup-BSD-like(src/winfonts/winfnt.h); Permissive(src/winfonts/winfnt.h); Zlib(src/winfonts/winfnt.h) | +| {{}} | 2.9.1-3+deb10u3 | GPL-2+ or FTL(* ); FTL and Catharon-OSL and MIT(vms_make.com); FTL(builds/amiga/* builds/amiga/include/config/* ); FTL(builds/amiga/src/base/* ); BSD-3-Clause(builds/cmake/FindHarfBuzz.cmake); FTL(builds/mac/ftmac.c); FTL(builds/mac/README); FSFULLR and GPL-2+(builds/unix/aclocal.m4); FSFUL and GPL-2+(builds/unix/configure); Permissive and GPL-3+(builds/unix/config.guess builds/unix/config.sub); MIT(builds/unix/install-sh); GPL-2+ and GPL-3+(builds/unix/ltmain.sh); GPL-2+(builds/unix/pkg.m4); GPL-2+(debian/* ); FTL(docs/INSTALL.CROSS); MIT or GPL-2+(ft2docs/docs/js/jquery.ba-resize.min.js); MIT(ft2docs/docs/js/jquery-1.11.0.min.js); Public-Domain(ft2docs/docs/tutorial/example2.cpp); MIT(ft2docs/docs/tutorial/example5.cpp); FTL(ft2demos/Jamfile); FTL(ft2demos/graph/beos/grbeos.cpp); FTL(ft2demos/graph/mac/grmac.c); FTL(ft2demos/graph/win32/grwin32.c ft2demos/graph/win32/grwin32.h); FTL(ft2demos/graph/graph.h); Public-Domain(ft2demos/graph/grswizzle.c); FTL(ft2demos/mac/ftoldmac.c); MIT(ft2demos/mac/getargv.c); Public-Domain(ft2demos/src/mlgetopt.c ft2demos/src/mlgetopt.h); FTL(ft2demos/src/ftinspect/* ); FTL(include/freetype/ftbzip2.h); FTL(include/freetype/ftcid.h); FTL(include/freetype/ftgxval.h); MIT(include/freetype/internal/fthash.h); FTL(include/freetype/internal/ftrfork.h); FTL(include/freetype/internal/ftpic.h); FTL(include/freetype/internal/services/svttglyf.h); FTL(src/autofit/afindic.c src/autofit/afindic.h); FTL(src/base/ftbase.h); Public-Domain(src/base/md5.c src/base/md5.h); MIT(src/bdf/bdf.c); MIT(src/bdf/bdf.h src/bdf/bdflib.c); FTL(src/gxvalid/* ); FTL(src/gxvalid/Jamfile); Zlib(src/gzip/adler32.c); Zlib(src/gzip/ftzconf.h); Zlib(src/gzip/zlib.h); FTL(src/lzw/ftlzw.c 
src/lzw/rules.mk); OpenGroup-BSD-like(src/pcf/pcfutil.c); FTL(src/psaux/psarrst.c src/psaux/psarrst.h); FTL(src/sfnt/pngshim.c src/sfnt/pngshim.h); FTL(src/sfnt/ttsbit.c); Public-Domain(src/tools/apinames.c src/tools/chktrcmp.py); FTL(src/tools/update-copyright-year); BSD-3-Clause(src/tools/ftrandom/ftrandom.c); FTL(src/truetype/ttgxvar.c src/truetype/ttgxvar.h); FTL(src/type42/t42drivr.c src/type42/t42drivr.h); FTL(src/winfonts/winfnt.c); FTL(src/winfonts/winfnt.h); BSD-3-Clause(src/winfonts/winfnt.h); Catharon-OSL(src/winfonts/winfnt.h); FSFUL(src/winfonts/winfnt.h); FSFULLR(src/winfonts/winfnt.h); FTL(src/winfonts/winfnt.h); GPL-2+(src/winfonts/winfnt.h); GPL-3+(src/winfonts/winfnt.h); MIT(src/winfonts/winfnt.h); OpenGroup-BSD-like(src/winfonts/winfnt.h); Permissive(src/winfonts/winfnt.h); Zlib(src/winfonts/winfnt.h) | +| {{}} | 1.0.5-3.1+deb10u2 | LGPL-2.1+(* ); LGPL-2.1+(debian/* ); LGPL-2.1+(debian/* ) | | {{}} | 0.4.0-1 | Apache-2.0(* ); Gray-Watson(libmy/argv.c libmy/argv.h libmy/argv_loc.h); Apache-2.0(libmy/argv.c libmy/argv.h libmy/argv_loc.h); Gray-Watson(libmy/argv.c libmy/argv.h libmy/argv_loc.h) | | {{}} | 2.9.9-1+deb10u1 | GPL-2(* ); LGPL-2(lib/* ); GPL-2+(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2(debian/* ) | | {{}} | 2.9.9-1+deb10u1 | GPL-2(* ); LGPL-2(lib/* ); GPL-2+(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2(debian/* ) | 
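Review bot: The one purely new row in this hunk, version 1.5.0-2~bpo10+1, is a backports build (~bpo10) rather than a deb10uN revision like the other changed rows, and nothing in the hunk explains why a new package enters the list. Please mention the new package and the repository it comes from in the commit message or release notes, since a backported package is updated separately from the deb10uN revisions in the surrounding rows and readers tracking fixes need to know which channel to watch.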
@@ -590,11 +598,11 @@ pdfhidden: True | {{}} | 6.1.2+dfsg-4+deb10u1 | GPL; GPL-2; GPL-3; LGPL-3 | | {{}} | 6.1.2+dfsg-4+deb10u1 | GPL; GPL-2; GPL-3; LGPL-3 | | {{}} | 6.1.2+dfsg-4+deb10u1 | GPL; GPL-2; GPL-3; LGPL-3 | -| {{}} | 3.6.7-4+deb10u7 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | -| {{}} | 3.6.7-4+deb10u7 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | -| {{}} | 3.6.7-4+deb10u7 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | -| {{}} | 3.6.7-4+deb10u7 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | -| {{}} | 3.6.7-4+deb10u7 | NO COPYRIGHT FILE | +| {{}} | 3.6.7-4+deb10u10 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | +| {{}} | 3.6.7-4+deb10u10 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | +| {{}} | 3.6.7-4+deb10u10 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | +| {{}} | 3.6.7-4+deb10u10 | Apache-2; CC0 license; GFDL-1; GPL; GPL-3); GPLv3+; LGPL; LGPL-3; LGPLv3+_or_GPLv2+; MIT; The main library is licensed under GNU Lesser; The MIT License (MIT) | +| {{}} | 3.6.7-4+deb10u10 | NO COPYRIGHT FILE | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 2.7-1 | BSD-3-clause(* ); GPL-2+(debian/* ) | | {{}} | 1.35-1 | LGPL-2.1+(* ); LGPL-2.1+(src/b64dec.c); LGPL-2.1+ or 
BSD-3-clause(src/estream-printf.h src/estream-printf.c src/estream.c); LGPL-2.1+(src/w32-estream.c); LGPL-2.1+(src/gettext.h); g10-permissive(src/gpg-error-config.in); g10-permissive(src/mkheader.c); LGPL-2.1+(src/posix-lock.c); LGPL-2.1+(src/w32-gettext.c); GPL-3+(doc/yat2m.c); g10-permissive(potomo); g10-permissive(potomo); LGPL-2.1+(potomo); GPL-3+(potomo); BSD-3-clause(potomo) | 
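Review bot: The fifth changed row moves from 3.6.7-4+deb10u7 to 3.6.7-4+deb10u10 with its licence column still reading "NO COPYRIGHT FILE", while the four sibling rows at the same version list licences. Please resolve that cell from the source package rather than carrying the gap forward. The four populated rows also keep the stray parenthesis in "GPL-3)" and the sentence fragment "The main library is licensed under GNU Lesser", which would be worth cleaning up in the same pass.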
@@ -607,10 +615,10 @@ pdfhidden: True | {{}} | 1.16.1-1 | Apache-2.0(* ); GPL-2+(debian/* ); Zlib(third_party/nanopb/* ); Expat(third_party/rake-compiler-dock/* ); Apache-2.0(src/php/tests/bootstrap.php); BSD-3-clause(third_party/address_sorting/* ); Apache-2.0(third_party/address_sorting/* ) | | {{}} | 1.16.1-1 | Apache-2.0(* ); GPL-2+(debian/* ); Zlib(third_party/nanopb/* ); Expat(third_party/rake-compiler-dock/* ); Apache-2.0(src/php/tests/bootstrap.php); BSD-3-clause(third_party/address_sorting/* ); Apache-2.0(third_party/address_sorting/* ) | | {{}} | 1.16.1-1 | Apache-2.0(* ); GPL-2+(debian/* ); Zlib(third_party/nanopb/* ); Expat(third_party/rake-compiler-dock/* ); Apache-2.0(src/php/tests/bootstrap.php); BSD-3-clause(third_party/address_sorting/* ); Apache-2.0(third_party/address_sorting/* ) | -| {{}} | 9.27~dfsg-2+deb10u5 | AGPL-3+(Files:); BSD-3-Clause~Adobe(Resource/CMap/* ); AGPL-3+(Resource/CMap/Identity-UTF16-H); LGPL-2.1(contrib/pcl3/* ); FTL(Files:); GPL(contrib/gdevlx7.c); GPL(contrib/japanese/* ); AGPL-3+ with font exception(Resource/Font/* ); GPL(contrib/lips4/* ); GPL(Files:); GAP~configure(configure); GPL-2+(Files:); GPL(cups/gdevcups.c); GPL-2+(contrib/gdevbjc[_a].[ch]); ZLIB(Files:); BSD-3-Clause(Files:); BSD-3-Clause(Files:); Expat~SunSoft with SunSoft exception(Files:); Expat(Files:); public-domain(doc/Hershey.htm); Apache-2.0(Files:); Apache-2.0(Resource/CIDFSubst/DroidSansFallback.ttf); AGPL-3+(Files:); ISC(base/gsstrl.c); GPL-2+(cups/cups.mak); GPL-2+(contrib/gdevdj9.c); GPL-2+(contrib/gdevcd8.c); GPL-2+(contrib/opvp/gdevopvp.c); GPL-2+(contrib/gdevlx32.c); GPL-2+(lib/afmdiff.awk); Expat~Ghostgum(lib/ghostpdf.ppd); NTP~Open(contrib/opvp/opvp.h); other(Resource/Init/pdf_sec.ps); GPL(contrib/eplaser/gdevescv.[ch]); NTP~Lucent(devices/gdevifno.c); NTP~WSU(devices/gdev4693.c); ZLIB(lib/fixmswrd.pl); GPL-3+(debian/* ); GPL(debian/update-gsfontmap); AGPL-3(debian/update-gsfontmap); GPL-3+(debian/update-gsfontmap); 
GPL-2+(debian/update-gsfontmap); GPL-2(debian/update-gsfontmap); GPL(debian/update-gsfontmap); LGPL-2.1(debian/update-gsfontmap); Apache-2.0(debian/update-gsfontmap); GAP~configure(debian/update-gsfontmap); Expat(debian/update-gsfontmap); Expat~SunSoft(debian/update-gsfontmap); Expat~Ghostgum(debian/update-gsfontmap); NTP~Open(debian/update-gsfontmap); NTP~WSU(debian/update-gsfontmap); NTP~Lucent(debian/update-gsfontmap); BSD-3-Clause(debian/update-gsfontmap); BSD-3-Clause~Adobe(debian/update-gsfontmap); FTL(debian/update-gsfontmap); ZLIB(debian/update-gsfontmap); ISC(debian/update-gsfontmap) | +| {{}} | 9.27~dfsg-2+deb10u8 | AGPL-3+(Files:); BSD-3-Clause~Adobe(Resource/CMap/* ); AGPL-3+(Resource/CMap/Identity-UTF16-H); LGPL-2.1(contrib/pcl3/* ); FTL(Files:); GPL(contrib/gdevlx7.c); GPL(contrib/japanese/* ); AGPL-3+ with font exception(Resource/Font/* ); GPL(contrib/lips4/* ); GPL(Files:); GAP~configure(configure); GPL-2+(Files:); GPL(cups/gdevcups.c); GPL-2+(contrib/gdevbjc[_a].[ch]); ZLIB(Files:); BSD-3-Clause(Files:); BSD-3-Clause(Files:); Expat~SunSoft with SunSoft exception(Files:); Expat(Files:); public-domain(doc/Hershey.htm); Apache-2.0(Files:); Apache-2.0(Resource/CIDFSubst/DroidSansFallback.ttf); AGPL-3+(Files:); ISC(base/gsstrl.c); GPL-2+(cups/cups.mak); GPL-2+(contrib/gdevdj9.c); GPL-2+(contrib/gdevcd8.c); GPL-2+(contrib/opvp/gdevopvp.c); GPL-2+(contrib/gdevlx32.c); GPL-2+(lib/afmdiff.awk); Expat~Ghostgum(lib/ghostpdf.ppd); NTP~Open(contrib/opvp/opvp.h); other(Resource/Init/pdf_sec.ps); GPL(contrib/eplaser/gdevescv.[ch]); NTP~Lucent(devices/gdevifno.c); NTP~WSU(devices/gdev4693.c); ZLIB(lib/fixmswrd.pl); GPL-3+(debian/* ); GPL(debian/update-gsfontmap); AGPL-3(debian/update-gsfontmap); GPL-3+(debian/update-gsfontmap); GPL-2+(debian/update-gsfontmap); GPL-2(debian/update-gsfontmap); GPL(debian/update-gsfontmap); LGPL-2.1(debian/update-gsfontmap); Apache-2.0(debian/update-gsfontmap); GAP~configure(debian/update-gsfontmap); Expat(debian/update-gsfontmap); 
Expat~SunSoft(debian/update-gsfontmap); Expat~Ghostgum(debian/update-gsfontmap); NTP~Open(debian/update-gsfontmap); NTP~WSU(debian/update-gsfontmap); NTP~Lucent(debian/update-gsfontmap); BSD-3-Clause(debian/update-gsfontmap); BSD-3-Clause~Adobe(debian/update-gsfontmap); FTL(debian/update-gsfontmap); ZLIB(debian/update-gsfontmap); ISC(debian/update-gsfontmap) | | {{}} | 9.27~dfsg-2+deb10u5 | AGPL-3+(Files:); BSD-3-Clause~Adobe(Resource/CMap/* ); AGPL-3+(Resource/CMap/Identity-UTF16-H); LGPL-2.1(contrib/pcl3/* ); FTL(Files:); GPL(contrib/gdevlx7.c); GPL(contrib/japanese/* ); AGPL-3+ with font exception(Resource/Font/* ); GPL(contrib/lips4/* ); GPL(Files:); GAP~configure(configure); GPL-2+(Files:); GPL(cups/gdevcups.c); GPL-2+(contrib/gdevbjc[_a].[ch]); ZLIB(Files:); BSD-3-Clause(Files:); BSD-3-Clause(Files:); Expat~SunSoft with SunSoft exception(Files:); Expat(Files:); public-domain(doc/Hershey.htm); Apache-2.0(Files:); Apache-2.0(Resource/CIDFSubst/DroidSansFallback.ttf); AGPL-3+(Files:); ISC(base/gsstrl.c); GPL-2+(cups/cups.mak); GPL-2+(contrib/gdevdj9.c); GPL-2+(contrib/gdevcd8.c); GPL-2+(contrib/opvp/gdevopvp.c); GPL-2+(contrib/gdevlx32.c); GPL-2+(lib/afmdiff.awk); Expat~Ghostgum(lib/ghostpdf.ppd); NTP~Open(contrib/opvp/opvp.h); other(Resource/Init/pdf_sec.ps); GPL(contrib/eplaser/gdevescv.[ch]); NTP~Lucent(devices/gdevifno.c); NTP~WSU(devices/gdev4693.c); ZLIB(lib/fixmswrd.pl); GPL-3+(debian/* ); GPL(debian/update-gsfontmap); AGPL-3(debian/update-gsfontmap); GPL-3+(debian/update-gsfontmap); GPL-2+(debian/update-gsfontmap); GPL-2(debian/update-gsfontmap); GPL(debian/update-gsfontmap); LGPL-2.1(debian/update-gsfontmap); Apache-2.0(debian/update-gsfontmap); GAP~configure(debian/update-gsfontmap); Expat(debian/update-gsfontmap); Expat~SunSoft(debian/update-gsfontmap); Expat~Ghostgum(debian/update-gsfontmap); NTP~Open(debian/update-gsfontmap); NTP~WSU(debian/update-gsfontmap); NTP~Lucent(debian/update-gsfontmap); BSD-3-Clause(debian/update-gsfontmap); 
BSD-3-Clause~Adobe(debian/update-gsfontmap); FTL(debian/update-gsfontmap); ZLIB(debian/update-gsfontmap); ISC(debian/update-gsfontmap) | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | | {{}} | 1.14.4-1 | LGPL-2+(gst/gst.c); LGPL-2.1+(libs/gst/check/libcheck/check.c); LGPL-2+(gst/gstparamspecs.c); LGPL-2+(gst/gsttaglist.c); LGPL-2+(debian/gst-codec-info.c); LGPL-2+(gst/gstchildproxy.c); LGPL-2+(tests/check/elements/fakesink.c); LGPL-2+(libs/gst/net/gstnet.h); LGPL-2+(gst/gstbufferpool.c); LGPL-2+(gst/gstbus.c); LGPL-2+(gst/gsttoc.c); LGPL-2+(gst/gstcontrolsource.c); LGPL-2+(gst/gstcontrolbinding.c); LGPL-2+(gst/gsterror.h); LGPL-2+(gst/gstcaps.c); LGPL-2+(libs/gst/base/gstadapter.c); LGPL-2+(gst/gst-i18n-app.h); GPL-2+(common/coverage/coverage-report-entry.pl); LGPL-2+(gst/gstmacros.h); LGPL-2+(tests/check/generic/sinks.c); LGPL-2+(gst/gsttaskpool.h); LGPL-2+(gst/gstbufferlist.c); LGPL-2+(gst/gstcaps.h); LGPL-2+(gst/glib-compat-private.h); LGPL-2+(plugins/elements/gstdataqueue.c); LGPL-2+(gst/gstpluginloader.c); LGPL-2+(plugins/elements/gstoutputselector.c); LGPL-2+(gst/gstmemory.c); LGPL-2+(tests/check/gst/gstcontroller.c); LGPL-2+(tests/check/libs/bitreader.c); LGPL-2+(libs/gst/net/gstnetaddressmeta.c); LGPL-2+(tests/check/gst/gstclock.c); LGPL-2+(libs/gst/check/gstbufferstraw.c); LGPL-2+(plugins/elements/gstvalve.c); LGPL-2+(libs/gst/net/gstnetclientclock.c); LGPL-2+(gst/gstatomicqueue.c); LGPL-2+(gst/gstinfo.c); LGPL-2+(libs/gst/base/gsttypefindhelper.c); LGPL-2+(tests/check/gst/gstevent.c); LGPL-2+(gst/gstquark.c); LGPL-2+(gst/gstregistrybinary.c); LGPL-2+(gst/gstregistrybinary.h); LGPL-2+(libs/gst/base/gstbytereader.c); LGPL-2+(gst/gstiterator.c); LGPL-2+(gst/gstdatetime.c); LGPL-2.1+(plugins/elements/gstfunnel.c); GPL-2+(ltmain.sh); GPL-3+(gst/parse/grammar.tab.h); LGPL-2+(tests/check/gst/gstquery.c); 
LGPL-2+(tests/benchmarks/gstpollstress.c); LGPL-2+(tests/check/gst/gstvalue.c); LGPL-2+(tests/check/gst/gstobject.c); LGPL-2+(libs/gst/check/gstcheck.h); LGPL-2+(tests/check/elements/fdsrc.c); LGPL-2+(tests/examples/typefind/typefind.c); LGPL-2+(tests/check/gst/gstminiobject.c); LGPL-2+(tests/check/gst/gstutils.c); LGPL-2+(tests/check/pipelines/parse-launch.c); LGPL-2+(tests/check/gst/gstcaps.c); LGPL-2+(tests/check/elements/queue.c); LGPL-2+(tests/check/gst/gstpoll.c); LGPL-2+(tests/check/elements/tee.c); LGPL-2+(tests/check/elements/capsfilter.c); LGPL-2+(tests/benchmarks/gstbufferstress.c); LGPL-2+(tests/check/libs/bytewriter.c); LGPL-2+(tests/benchmarks/gstclockstress.c); LGPL-2+(tests/check/gst/gstatomicqueue.c); LGPL-2+(tests/check/gst/gstmemory.c); LGPL-2+(tests/check/libs/collectpads2.c); LGPL-2+(tests/benchmarks/complexity.c); LGPL-2+(libs/gst/net/gstnettimeprovider.h); LGPL-2+(libs/gst/net/gstnettimepacket.c); LGPL-2+(plugins/elements/gstinputselector.c); LGPL-2+(tests/check/gst/gstbus.c); LGPL-2+(tests/check/gst/gstdatetime.c); LGPL-2+(tests/check/pipelines/seek.c); LGPL-2+(tests/check/elements/valve.c); LGPL-2+(tests/check/gst/gstplugin.c); LGPL-2+(libs/gst/check/gstconsistencychecker.c); LGPL-2+(gst/gstatomicqueue.h); LGPL-2+(plugins/elements/gstmultiqueue.c); LGPL-2+(gst/gstpoll.c); LGPL-2+(gst/gstpoll.h); LGPL-2+(gst/gettext.h); LGPL-2+(libs/gst/base/gstbaseparse.c); LGPL-2+(plugins/elements/gstinputselector.h); LGPL-2+(tests/check/pipelines/queue-error.c); LGPL-2+(libs/gst/base/gstcollectpads2.c); LGPL-2+(libs/gst/base/gstcollectpads2.h); LGPL-2+(tests/check/gst/gstpreset.c); LGPL-2+(libs/gst/base/gstbaseparse.h); LGPL-2+(gst/glib-compat.h); LGPL-2+(libs/gst/base/gstindex.c); LGPL-2+(tests/benchmarks/init.c); LGPL-2+(libs/gst/check/gstcheck.c); LGPL-2+(tests/check/elements/filesink.c); LGPL-2+(tests/check/gst/gstbin.c); LGPL-2.1+(tests/check/elements/funnel.c) | | {{}} | 1.14.4-2+deb10u1 | LGPL-2+(ext/alsa/gstalsa.c); 
LGPL-2+(ext/cdparanoia/gstcdparanoiasrc.c); LGPL-2+(gst-libs/gst/audio/mixer.c); LGPL-2+(ext/pango/gsttextoverlay.h); LGPL-2+(ext/alsa/gstalsasink.h); LGPL-2+(ext/cdparanoia/gstcdparanoiasrc.h); BSD (2 clause)(gst-libs/gst/fft/_kiss_fft_guts_f32.h); LGPL-2+(gst/gdp/gstgdp.c); MIT/X11 (BSD like) LGPL-2+(gst-libs/gst/rtsp/gstrtspdefs.c); LGPL-2+(gst-libs/gst/rtsp/gstrtsp.h); LGPL-2+(gst-libs/gst/fft/gstfft.c); LGPL-2+(gst-libs/gst/rtp/gstrtppayloads.c); LGPL-2+(gst-libs/gst/pbutils/encoding-profile.c); LGPL-2+(sys/ximage/ximagepool.c); LGPL-2+(ext/alsa/gstalsamixer.c); LGPL-2+(gst/gdp/dp-private.h); LGPL-2+(gst-libs/gst/audio/gstaudiometa.c); LGPL-2+(ext/theora/gsttheora.c); LGPL-2+(gst/gio/gstgio.c); LGPL-2+(gst/gio/gstgio.h); LGPL-2+(gst-libs/gst/tag/gstexiftag.c); BSD (2 clause)(gst/videoscale/vs_4tap.h); LGPL-2+(tests/check/elements/adder.c); LGPL-2+(ext/ogg/gstoggstream.h); BSD (3 clause)(gst/audioresample/arch.h); LGPL-2+(gst/tcp/gstmultihandlesink.h); LGPL-2+(gst-libs/gst/pbutils/gstdiscoverer.c); LGPL-2+(ext/pango/gstclockoverlay.c); LGPL-2+(gst/playback/gstplaysinkaudioconvert.c); LGPL-2+(gst/audioconvert/plugin.c); LGPL-2+(ext/vorbis/gstvorbisdeclib.c); LGPL-2+(gst/audioconvert/gstaudioquantize.c); LGPL-2+(gst/audiotestsrc/gstaudiotestsrc.c); GPL-2+(common/coverage/coverage-report-entry.pl); LGPL-2+(gst/subparse/gstsubparse.h); LGPL-2+(ext/theora/gsttheoraparse.c); LGPL-2+(tests/examples/dynamic/sprinkle.c); LGPL-2+(ext/alsa/gstalsa.h); BSD (2 clause)(gst/videoscale/vs_fill_borders.c); LGPL-2+(gst/tcp/gstmultihandlesink.c); LGPL-2+(sys/ximage/ximage.c); LGPL-2+(gst-libs/gst/video/gstvideosink.c); LGPL-2+(ext/vorbis/gstvorbisparse.h); LGPL-2+(gst-libs/gst/rtp/gstrtpbasedepayload.h); LGPL-2+(gst-libs/gst/rtp/gstrtpbasepayload.c); LGPL-2+(gst-libs/gst/rtp/gstrtpbaseaudiopayload.c); LGPL-2+(gst-libs/gst/rtp/gstrtcpbuffer.c); LGPL-2+(tests/icles/test-colorkey.c); LGPL-2+(tests/check/elements/encodebin.c); LGPL-2+(tests/examples/overlay/qtgv-videooverlay.cpp); 
LGPL-2+(tests/examples/encoding/gstcapslist.c); LGPL-2+(tests/examples/overlay/gtk-videooverlay.c); LGPL-2+(gst-libs/gst/pbutils/codec-utils.c); LGPL-2+(gst-libs/gst/app/gstappsink.c); LGPL-2+(gst-libs/gst/audio/gstaudiodecoder.c); LGPL-2+(gst-libs/gst/audio/gstaudioiec61937.c); LGPL-2+(gst-libs/gst/tag/gsttagdemux.c); LGPL-2+(tests/check/libs/mixer.c); LGPL-2+(gst/subparse/mpl2parse.c); LGPL-2+(ext/ogg/gstogmparse.c); LGPL-2+(gst-libs/gst/pbutils/install-plugins.c); LGPL-2+(tests/check/elements/playbin-compressed.c); LGPL-2+(ext/ogg/gstoggmux.c); LGPL-2+(gst/audioconvert/audioconvert.c); BSD (2 clause)(gst/videoscale/vs_4tap.c); BSD (3 clause)(gst/audioresample/fixed_bfin.h); BSD (3 clause)(ext/ogg/vorbis_parse.c); BSD (3 clause)(gst/audioresample/resample_sse.h); BSD (3 clause)(gst/audioresample/speex_resampler.h); BSD (3 clause)(gst/audioresample/resample.c); GPL-2+(ltmain.sh); LGPL-2+(gst/playback/gstplaysink.c); LGPL-2+(gst-libs/gst/video/gstvideofilter.c); LGPL-2+(ext/pango/gstbasetextoverlay.c); LGPL-2+(ext/pango/gsttextoverlay.c); LGPL-2+(gst-libs/gst/audio/gstaudiofilter.c); LGPL-2+(ext/pango/gsttextrender.c); LGPL-2+(gst/tcp/gstmultifdsink.c); LGPL-2+(gst/audioresample/gstaudioresample.h); LGPL-2+(tests/icles/playback/test.c); LGPL-2+(gst-libs/gst/video/video.c); LGPL-2+(gst/videoscale/gstvideoscale.c); LGPL-2+(gst/videoconvert/gstvideoconvert.c); LGPL-2+(gst/videoconvert/gstvideoconvert.h); LGPL-2+(gst/subparse/gstsubparse.c); LGPL-2+(gst/volume/gstvolume.h); LGPL-2+(gst/gdp/dataprotocol.c); LGPL-2+(gst/videotestsrc/videotestsrc.h); LGPL-2+(tests/check/libs/video.c); LGPL-2+(gst-libs/gst/rtp/gstrtpbasedepayload.c); LGPL-2+(gst-libs/gst/rtp/gstrtpbuffer.c); LGPL-2+(tests/check/elements/audioresample.c); LGPL-2+(tests/check/elements/videotestsrc.c); LGPL-2+(tests/check/elements/audioconvert.c); LGPL-2+(tests/check/libs/audiocdsrc.c); LGPL-2+(tests/check/generic/clock-selection.c); LGPL-2+(gst/playback/gstdecodebin2.c); LGPL-2+(ext/vorbis/gstvorbistag.h); 
LGPL-2+(tests/examples/dynamic/addstream.c); LGPL-2+(gst/playback/gstplaybin2.c); LGPL-2+(tests/examples/dynamic/codec-select.c); LGPL-2+(tests/check/elements/videoscale.c); LGPL-2+(gst/playback/gstrawcaps.h); LGPL-2+(gst/encoding/gstsmartencoder.h); LGPL-2+(gst/encoding/gstsmartencoder.c); LGPL-2+(gst/playback/gstplaysinkconvertbin.h); LGPL-2+(gst/playback/gstplaysinkconvertbin.c); LGPL-2+(ext/alsa/gstalsadeviceprobe.c); LGPL-2+(tests/check/libs/rtsp.c); LGPL-2+(tests/check/pipelines/simple-launch-lines.c); LGPL-2+(gst/volume/gstvolume.c); LGPL-2+(tests/check/elements/appsink.c); LGPL-2+(gst/typefind/gsttypefindfunctions.c); LGPL-2+(gst/audioconvert/gstaudioconvert.c); LGPL-2+(gst-libs/gst/tag/tag.h); LGPL-2+(ext/libvisual/visual.c); LGPL-2+(gst-libs/gst/video/convertframe.c); LGPL-2+(gst-libs/gst/tag/gsttagmux.c); LGPL-2+(gst-libs/gst/tag/gsttagmux.h); LGPL-2+(gst-libs/gst/pbutils/gstdiscoverer-types.c); LGPL-2+(gst/audioresample/gstaudioresample.c); LGPL-2+(gst-libs/gst/interfaces/navigation.h); LGPL-2+(gst/videoconvert/videoconvert.c); LGPL-2+(ext/ogg/gstoggstream.c); LGPL-2+(gst/gdp/dataprotocol.h); LGPL-2+(gst-libs/gst/gettext.h); LGPL-2+(tests/check/elements/decodebin.c); LGPL-2+(tests/check/pipelines/oggmux.c); LGPL-2+(ext/vorbis/gstvorbistag.c); LGPL-2+(gst-libs/gst/tag/id3v2.h); LGPL-2+(gst-libs/gst/tag/id3v2.c); LGPL-2+(gst-libs/gst/tag/id3v2frames.c); LGPL-2+(gst-libs/gst/interfaces/navigation.c); LGPL-2+(tests/icles/input-selector-test.c); LGPL-2+(gst-libs/gst/video/videooverlay.h); LGPL-2+(tests/check/pipelines/basetime.c); LGPL-2+(ext/ogg/gstoggparse.c); LGPL-2+(gst-libs/gst/video/videoorientation.h); LGPL-2+(gst-libs/gst/video/videoorientation.c); LGPL-2+(gst/audioconvert/gstchannelmix.c); LGPL-2+(gst-libs/gst/video/videooverlay.c); LGPL-2+(gst-libs/gst/tag/tags.c); LGPL-2+(gst-libs/gst/tag/gstxmptag.c); LGPL-2+(tests/examples/audio/audiomix.c); LGPL-2+(gst/subparse/qttextparse.h); LGPL-2+(gst/subparse/qttextparse.c); 
LGPL-2+(gst-libs/gst/gst-i18n-plugin.h); LGPL-2+(tests/check/elements/libvisual.c); LGPL-2+(ext/alsa/gstalsasink.c); LGPL-2+(tests/examples/playrec/playrec.c); LGPL-2+(gst/subparse/samiparse.c); LGPL-2+(gst/subparse/samiparse.h); MIT/X11 (BSD like) LGPL-2+(gst-libs/gst/rtsp/gstrtspconnection.h); MIT/X11 (BSD like) LGPL-2+(gst-libs/gst/rtsp/gstrtsptransport.c); MIT/X11 (BSD like) LGPL-2+(gst-libs/gst/rtsp/gstrtspconnection.c) | | {{}} | 2.24.32-3 | LGPL-2; other | 
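Review bot: The two replaced rows in this hunk change only the version column (`1.17-3+deb10u3` to `1.17-3+deb10u5`) and keep the coarse `BSD; GPL; GPL-2; MIT` summary unchanged. Please confirm that the licence column was regenerated from the deb10u5 package's copyright file rather than carried over by hand, and that both rows are meant to move to the same revision. Separately, the unchanged `9.27~dfsg-2+deb10u5` context row lists `BSD-3-Clause(Files:)` twice in a row and attributes every licence in the list to `debian/update-gsfontmap`. That looks like an artefact of whatever generates this table and is better fixed in the generator than left to accumulate in the page.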
@@ -648,26 +656,26 @@ pdfhidden: True | {{}} | 1.08-1.1+b5 | Artistic; GPL | | {{}} | 2.060-3 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.08-3 | Artistic; GPL; GPL-1 | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); 
GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | -| {{}} | 1.8.2-3-cl4.3.1u7 | NO COPYRIGHT FILE | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c 
extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); 
GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); 
GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); 
GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | -| {{}} | 1.8.2-3-cl4.3.1u7 | NO COPYRIGHT FILE | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); 
GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); 
GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); 
GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); 
GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | NO COPYRIGHT FILE | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); 
GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); 
GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); 
GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | NO COPYRIGHT FILE | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); 
GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); 
GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | | {{}} | 20180523.0-1 | Artistic or GPL-1+(* ); Artistic or GPL-2(lib/IPC/Run/Win32* .pm); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ); GPL-2(debian/* ) | -| {{}} | 3.6-2 | BSD-3-clause(* ); NCSA(src/units.c); BSD-2-clause(src/dscp.c); MIT/X11(src/cjson.* ); GPL-2+(aclocal.m4 * Makefile.in config/* configure); GPL-3(config/config.* ); BSD-3-clause(docs/_esnet/* ); MIT(config/install-sh); permissive(config/ax_check_openssl.m4); public-domain(config/mkinstalldirs); public-domain(src/portable_endian.h); GPL-2+(debian/* ); GPL-2+(debian/* ); GPL-3(debian/* ); NCSA(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | +| {{}} | 3.6-2+deb10u1 | BSD-3-clause(* ); NCSA(src/units.c); BSD-2-clause(src/dscp.c); MIT/X11(src/cjson.* ); GPL-2+(aclocal.m4 * Makefile.in config/* configure); GPL-3(config/config.* ); BSD-3-clause(docs/_esnet/* ); MIT(config/install-sh); permissive(config/ax_check_openssl.m4); public-domain(config/mkinstalldirs); public-domain(src/portable_endian.h); GPL-2+(debian/* ); 
GPL-2+(debian/* ); GPL-3(debian/* ); NCSA(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 2.0-2 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); 
GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | -| {{}} | 1.8.2-3-cl4.3.1u7 | NO COPYRIGHT FILE | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); 
GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); 
GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); 
MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 1.8.2-3-cl4.3.2u1 | 
GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); 
GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | NO COPYRIGHT FILE | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); 
GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); 
GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or 
MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | | {{}} | 0.20-2 | BSD; BSD-2-clause; LGPL-2; LGPL-2.1+; MIT | | {{}} | 1.5.0-1 | GPL-2+(* ); GPL-2+(INSTALL); GPL-2+(aclocal.m4); GPL-3(texinfo.tex); FSFUL(configure); BSD-2-clause(frontend/xorriso-tcltk); GPL-2(debian/* ); GPL-2+(releng/* ); GPL-2(releng/* 
); GPL-2+(releng/* ); GPL-3(releng/* ); BSD-2-clause(releng/* ); FSFUL(releng/* ) | | {{}} | 1.5.0-1 | GPL-2+(* ); GPL-2+(COPYRIGHT); GPL-2+(INSTALL); GPL-2+(compile); FSFUL(configure); GPL-2(debian/* ); GPL-2+(demo/* ); GPL-2+(libisofs/* ); GPL-2+(libisofs/aaip-os-dummy.c); GPL-2+(libisofs/buffer.c); GPL-2+(libisofs/ecma119.c); GPL-2+(libisofs/filters/* ); GPL-2+(libisofs/hfsplus.c); GPL-2+(libisofs/hfsplus.h); GPL-2+(libisofs/hfsplus_case.c); GPL-2+(libisofs/make_isohybrid_mbr.c); GPL-2+(libisofs/hfsplus_classes.c); GPL-2+(libisofs/hfsplus_decompose.c); GPL-2+(libisofs/joliet.h); GPL-2+(libisofs/libiso_msgs.c); GPL-2+(libisofs/libisofs.h); GPL-2+(libtool.m4); GPL-2+(ltoptions.m4); GPL-2(ltoptions.m4); GPL-2+(ltoptions.m4); FSFUL(ltoptions.m4) | 
@@ -690,18 +698,19 @@ pdfhidden: True | {{}} | 1.8.4-1 | BSD-2-clause(* ); BSD-2-clause(debian/dh-sphinxdoc/dh_sphinxdoc); BSD-2-clause(sphinx/ext/apidoc.py); BSD-2-clause(sphinx/ext/napoleon/docstring.py); Expat(sphinx/themes/basic/static/jquery* .js); Expat(sphinx/themes/basic/static/underscore* .js); BSD-3-clause(sphinx/util/smartypants.py); public-domain(sphinx/util/stemmer/porter.py); BSD-2-clause(sphinx/util/stemmer/porter.py); BSD-3-clause(sphinx/util/stemmer/porter.py); Expat(sphinx/util/stemmer/porter.py) | | {{}} | 1.9.1~dfsg-1+deb10u1 | Expat(* ); BSD-3-clause(docs/docco.css); GPL-3+(debian/* ); Expat(debian/* ); BSD-3-clause(debian/* ); GPL-3+(debian/* ) | | {{}} | 1.21-1 | GPL; GPL-2; LGPL-2 | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | | {{}} | 1.6-6 | GPL-2+(* ); LGPL-2+(keyutils.* ); LGPL-2+(debian/* ); GPL-2+(debian/* ); LGPL-2+(debian/* ) | | {{}} | 2.0.6-1+deb10u1 | BSD; GPL; GPL-2 | | {{}} | 26-1 | GPL; GPL-2; LGPL-2 | -| {{}} | 2018.20181218.49446-1 | BSD; Common Public License; GPL; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.17-3+deb10u3 | BSD; GPL; GPL-2; MIT | -| {{}} | 1.3.5-2 | GPL; GPL-3 | +| {{}} | 2018.20181218.49446-1+deb10u2 | BSD; Common Public License; GPL; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.17-3+deb10u5 | BSD; GPL; GPL-2; MIT | +| {{}} | 1.3.5-2+deb10u2 | GPL; GPL-3 | | {{}} | 2.40.1-6+deb10u1 | EPL-1.0(* ); MIT(cmd/smyrna/arcball.[ch]); zlib-style(cmd/smyrna/md5.[ch]); 
X/MIT(cmd/smyrna/trackball.[ch]); EPL-1.0(debian/* ); EPL-1.0(debian/* ) | | {{}} | 2.9-3 | MIT(* ); GPL-2+(debian/* ) | | {{}} | 2.4.47+dfsg-3+deb10u7 | ISC; MIT | 
@@ -729,7 +738,7 @@ pdfhidden: True | {{}} | 2.03.02-3 | GPL-2.0(* ); LGPL-2.1(Files:); BSD-2-Clause(Files:); GPL-2.0+(debian/* ) | | {{}} | 6.02-1 | Artistic; GPL; GPL-1; GPL-1+ | | {{}} | 6.07-2 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 9.11.5.P4+dfsg-5.1+deb10u7 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | +| {{}} | 9.11.5.P4+dfsg-5.1+deb10u9 | ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause(* ); MPL-2.0 or ISC(bin/tests/system/chain/); BSD-2-clause(unit/atf-src/); BSD-4-clause(contrib/idn/); ISC or MPL-2.0(debian/); ISC(debian/); BSD-2-clause(debian/); BSD-3-clause(debian/); BSD-4-clause(debian/); MPL-2.0(debian/) | | {{}} | 1.8.3-1+deb10u1 | BSD-2-clause(* ); BSD-2-clause(lib/* ); BSD-2-clause(lib/liblz4.pc.in); BSD-2-clause(lib/lz4frame.c); GPL-2+(programs/* ); GPL-2+(programs/lz4io.c); GPL-2+(programs/platform.h); GPL-2+(programs/util.h); GPL-2(./examples/printVersion.c); GPL-2(./examples/blockStreaming_lineByLine.c); GPL-2(./examples/HCStreaming_ringBuffer.c); BSD-2-clause(./examples/compress_functions.c); GPL-2+(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); BSD-2-clause(debian/* ) | | {{}} | 5.2.4-1+deb10u1 | PD(* ); probably-PD(INSTALL NEWS PACKAGERS); GPL-2+(src/scripts/* lib/* extra/scanlzma/scanlzma.c); PD(src/scripts/Makefile.am src/scripts/xzless.1); PD(doc/examples/xz_pipe_comp.c doc/examples/xz_pipe_decomp.c); LGPL-2.1+(lib/getopt.c lib/getopt1.c lib/getopt.in.h); permissive-fsf(m4/getopt.m4 m4/posix-shell.m4); Autoconf(m4/acx_pthread.m4); permissive-nowarranty(m4/acx_pthread.m4); GPL-2(Doxyfile.in); none(src/liblzma/check/crc32_table_?e.h); none(.gitignore m4/.gitignore po/.gitignore po/LINGUAS po/POTFILES.in); 
PD(tests/compress_prepared_bcj_* ); PD(po/cs.po po/de.po po/fr.po); PD(po/it.po po/pl.po); permissive-nowarranty(INSTALL.generic); config-h(dos/config.h); LGPL-2.1+(po/Makevars); noderivs(COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1); PD-debian(debian/* ); LGPL-2.1+(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); Autoconf(debian/* ); permissive-fsf(debian/* ); permissive-nowarranty(debian/* ) | | {{}} | 5.2.4-1+deb10u1 | PD(* ); probably-PD(INSTALL NEWS PACKAGERS); GPL-2+(src/scripts/* lib/* extra/scanlzma/scanlzma.c); PD(src/scripts/Makefile.am src/scripts/xzless.1); PD(doc/examples/xz_pipe_comp.c doc/examples/xz_pipe_decomp.c); LGPL-2.1+(lib/getopt.c lib/getopt1.c lib/getopt.in.h); permissive-fsf(m4/getopt.m4 m4/posix-shell.m4); Autoconf(m4/acx_pthread.m4); permissive-nowarranty(m4/acx_pthread.m4); GPL-2(Doxyfile.in); none(src/liblzma/check/crc32_table_?e.h); none(.gitignore m4/.gitignore po/.gitignore po/LINGUAS po/POTFILES.in); PD(tests/compress_prepared_bcj_* ); PD(po/cs.po po/de.po po/fr.po); PD(po/it.po po/pl.po); permissive-nowarranty(INSTALL.generic); config-h(dos/config.h); LGPL-2.1+(po/Makevars); noderivs(COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1); PD-debian(debian/* ); LGPL-2.1+(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); Autoconf(debian/* ); permissive-fsf(debian/* ); permissive-nowarranty(debian/* ) | 
@@ -753,9 +762,10 @@ pdfhidden: True | {{}} | 4.0.2-1 | GFDL-1; LGPL-3 | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 0.10.1-1 | LGPL-2.1(* ); LGPL-2.1(mspack/qtm* mspack/lzx* ); LGPL-2.1(mspack/qtm* mspack/lzx* ) | -| {{}} | 6.1+20181013-2+deb10u2 | NO COPYRIGHT FILE | -| {{}} | 6.1+20181013-2+deb10u2 | NO COPYRIGHT FILE | -| {{}} | 6.1+20181013-2+deb10u2 | NO COPYRIGHT FILE | +| {{}} | 6.1+20181013-2+deb10u4 | NO COPYRIGHT FILE | +| {{}} | 6.1+20181013-2+deb10u4 | NO COPYRIGHT FILE | +| {{}} | 6.1+20181013-2+deb10u4 | NO COPYRIGHT FILE | +| {{}} | 6.1+20181013-2+deb10u4 | NO COPYRIGHT FILE | | {{}} | 1.1.6+dfsg-3.1 | BSD-2(debian/* ); BSD-4(include/bpf.h); BSD-3(include/ifaddrlist.h); BSD-2 or other(include/libnet/libnet-asn1.h); BSD-2(sample/bgp4* ); BSD-2(sample/icmp_redirect.c); BSD-2(sample/icmp_timeexceed.c); BSD-2(sample/ospf* ); BSD-2(sample/ping_of_death.c); BSD-3 or other(srct/libnet_asn1.c); BSD-2(src/libnet_build_fddi.c); BSD-2(src/libnet_build_ipsec.c); BSD-2(src/libnet_build_link.c); BSD-2(src/libnet_dll.c); BSD-3(src/libnet_link_dlpi.c); BSD-3(src/libnet_link_nit.c); BSD-3(src/libnet_link_snit.c); BSD-2(src/libnet_link_win32.c); BSD-2(* ); BSD-2(* ); BSD-3(* ); BSD-4(* ); other(* ) | | {{}} | 1.1.6+dfsg-3.1 | BSD-2(debian/* ); BSD-4(include/bpf.h); BSD-3(include/ifaddrlist.h); BSD-2 or other(include/libnet/libnet-asn1.h); BSD-2(sample/bgp4* ); BSD-2(sample/icmp_redirect.c); BSD-2(sample/icmp_timeexceed.c); BSD-2(sample/ospf* ); BSD-2(sample/ping_of_death.c); BSD-3 or other(srct/libnet_asn1.c); BSD-2(src/libnet_build_fddi.c); BSD-2(src/libnet_build_ipsec.c); BSD-2(src/libnet_build_link.c); BSD-2(src/libnet_dll.c); BSD-3(src/libnet_link_dlpi.c); BSD-3(src/libnet_link_nit.c); BSD-3(src/libnet_link_snit.c); BSD-2(src/libnet_link_win32.c); BSD-2(* ); BSD-2(* ); BSD-3(* ); BSD-4(* ); other(* ) | | {{}} | 1.19-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | 
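Review bot: the added rows at 6.1+20181013-2+deb10u4 have `NO COPYRIGHT FILE` in the license column, and this hunk grows that group from three rows to four, so the license table gains one more package with no license recorded. Fill in the license terms for these rows. If the value is produced by whatever generates this table, fix the lookup there rather than carrying the placeholder through another version bump. The unchanged 8.3.0-6 context row shows the same gap.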
@@ -766,7 +776,7 @@ pdfhidden: True | {{}} | 6.18-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.26-2 | Artistic or GPL-1+(* ); Expat(ipcount); Expat(IP.pm); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); Expat(debian/* ); GPL-1+(debian/* ) | | {{}} | 0.12.ds-3+b1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 1.85-2+b1 | Artistic-2.0(* ); Artistic or GPL-1+(ppport.h); Artistic or GPL-1+(inc/Module/* ); Artistic or GPL-1+(debian/* ); Artistic-2.0(Files:); Artistic(Files:); GPL-1+(Files:); Artistic-2.0(Files:) | +| {{}} | 1.85-2+deb10u1 | Artistic-2.0(* ); Artistic or GPL-1+(ppport.h); Artistic or GPL-1+(inc/Module/* ); Artistic or GPL-1+(debian/* ); Artistic-2.0(Files:); Artistic(Files:); GPL-1+(Files:); Artistic-2.0(Files:) | | {{}} | 3.4.1-1+deb10u1 | LGPL-2.1+(* ); LGPL-2.1+(aes-set-* ); LGPL-2.1+(arctwo* ); LGPL-2.1+(base64.h base64-meta.c); LGPL-2.1+(blowfish.c); LGPL-2.1+(blowfish.h); LGPL-2.1+(camellia-table.c camellia-crypt-internal.c); LGPL-2.1+(der2dsa.c); LGPL-2+(desCode.h descode.README desdata.c desinfo.c); LGPL-2.1+(des.c des.h); LGPL-2.1+(gcm.c gcm.h); LGPL-2.1+(md2.c); LGPL-2.1+(md4.c); LGPL-2.1+(md5.c md5-compress.c); LGPL-2.1+(memxor.c); LGPL-2.1+(ripemd160.c ripemd160-compress.c); LGPL-2.1+(ripemd160-meta.c ripemd160.h); LGPL-2.1+(serpent-encrypt.c serpent-decrypt.c serpent-set-key.c); LGPL-2.1+(sha* ); LGPL-2.1+(twofish* ); LGPL-2.1+(dsa2sexp.c); other(testsuite/des-compat-test.c); LGPL-2.1+(tools/pkcs1-conv.c); LGPL-2.1+(x86* /aes-* -internal.asm); GPL-2+(tools/getopt* ); GPL-2+ with Autoconf exception(config.guess config.sub); public-domain(debian/* ); GPL-2(debian/sexp-conv.1); GAP(debian/pkcs1-conv.1 debian/nettle-lfib-stream.1); LGPL-2.1+(debian/pkcs1-conv.1 debian/nettle-lfib-stream.1); GPL-2+(debian/pkcs1-conv.1 debian/nettle-lfib-stream.1) | | {{}} | 0.52.20-8 | LGPL-2 | | {{}} | 0.52.20-8 | LGPL-2 | 
@@ -775,46 +785,45 @@ pdfhidden: True | {{}} | 1.1.2-2 | GPL-2+(* ); GPL-2+(tests/nft-chain-test.c tests/nft-expr_* -test.c tests/nft-rule-test.c tests/nft-set-test.c tests/nft-table-test.c); GPL-2+(debian/* ); GPL-2+(src/ruleset.c); GPL-2+(src/utils.c); GPL-2+(src/jansson.c); GPL-2+(src/expr/masq.c src/expr/redir.c); GPL-2+(src/expr/queue.c); GPL-2+(src/expr/nat.c); GPL-2+(examples/nft-chain-parse-add.c examples/nft-rule-parse-add.c examples/nft-table-parse-add.c examples/nft-set-parse-add.c); GPL-2(examples/nft-ruleset-get.c); GPL-2+(examples/nft-ruleset-get.c); GPL-2(examples/nft-ruleset-get.c) | | {{}} | 1.1.2-2 | GPL-2+(* ); GPL-2+(tests/nft-chain-test.c tests/nft-expr_* -test.c tests/nft-rule-test.c tests/nft-set-test.c tests/nft-table-test.c); GPL-2+(debian/* ); GPL-2+(src/ruleset.c); GPL-2+(src/utils.c); GPL-2+(src/jansson.c); GPL-2+(src/expr/masq.c src/expr/redir.c); GPL-2+(src/expr/queue.c); GPL-2+(src/expr/nat.c); GPL-2+(examples/nft-chain-parse-add.c examples/nft-rule-parse-add.c examples/nft-table-parse-add.c examples/nft-set-parse-add.c); GPL-2(examples/nft-ruleset-get.c); GPL-2+(examples/nft-ruleset-get.c); GPL-2(examples/nft-ruleset-get.c) | | {{}} | 1.36.0-2+deb10u1 | Expat(* ); Expat(third-party/http-parser/http_parser.h); MIT(third-party/http-parser/http_parser.c); MIT(third-party/mruby/* ); Expat(tests/nghttp2_npn_test.* ); all-permissive(m4/ax_cxx_compile_stdcxx_11.m4); GPL-3+ with autoconf exception(m4/ax_python_devel.m4); MIT(doc/_themes/sphinx_rtd_theme/* ); BSD-2-clause(doc/_themes/sphinx_rtd_theme/layout_old.html doc/_themes/sphinx_rtd_theme/search.html); SIL-OFL-1.1(doc/_themes/sphinx_rtd_theme/static/fonts/FontAwesome.otf); Expat(doc/_themes/sphinx_rtd_theme/static/fonts/FontAwesome.otf); MIT(doc/_themes/sphinx_rtd_theme/static/fonts/FontAwesome.otf); GPL-3+ with autoconf exception(doc/_themes/sphinx_rtd_theme/static/fonts/FontAwesome.otf); all-permissive(doc/_themes/sphinx_rtd_theme/static/fonts/FontAwesome.otf); 
BSD-2-clause(doc/_themes/sphinx_rtd_theme/static/fonts/FontAwesome.otf); SIL-OFL-1.1(doc/_themes/sphinx_rtd_theme/static/fonts/FontAwesome.otf) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); 
BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); 
BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); 
BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); 
BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); 
BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); 
BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); 
MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); 
BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); 
BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | NO COPYRIGHT FILE | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | NO COPYRIGHT FILE | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| 
{{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | -| {{}} | 3.2.27-cl4.3.1u16 | GPL; GPL-2; LGPL-2 | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); 
BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); 
BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); 
BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); 
BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); 
BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); 
BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); 
MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); 
BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); 
BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); 
BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | +| {{}} | 3.2.27-cl4.3.2u2 | GPL; GPL-2; LGPL-2 | | {{}} | 1.5.8+dfsg2-1 | NRL-2-clause(* ); NRL-2-clause(src/sim/opnet/11.5/norm_protolib.pr.cpp); NRL-3-clause(src/unix/unixPostProcess.cpp); NRL-3-clause(include/galois.h); BSD-2-clause(src/common/normEncoderRS16.cpp); BSD-4-clause-UC(protolib/src/sim/ns/ns233/* ); BSD-3-clause(waf); BSD-3-clause(debian/* ); NRL-2-clause(debian/* ); NRL-3-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 1.5.8+dfsg2-1 | NRL-2-clause(* ); NRL-2-clause(src/sim/opnet/11.5/norm_protolib.pr.cpp); NRL-3-clause(src/unix/unixPostProcess.cpp); NRL-3-clause(include/galois.h); BSD-2-clause(src/common/normEncoderRS16.cpp); BSD-4-clause-UC(protolib/src/sim/ns/ns233/* ); BSD-3-clause(waf); BSD-3-clause(debian/* ); NRL-2-clause(debian/* ); NRL-3-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 1.6-1 | LGPL-2.1+(* ); LGPL-2.1+(debian/* ); LGPL-2.1+(debian/* ) | | {{}} | 4.20-1 | 
MPL-2.0(* ) | -| {{}} | 3.42.1-1+deb10u5 | MPL-2.0(* ); Zlib(nss/lib/zlib/* ); BSD-3(nss/lib/dbm/* ); public-domain(nss/lib/sqlite/sqlite3.c | -| {{}} | 3.42.1-1+deb10u5 | MPL-2.0(* ); Zlib(nss/lib/zlib/* ); BSD-3(nss/lib/dbm/* ); public-domain(nss/lib/sqlite/sqlite3.c | +| {{}} | 3.42.1-1+deb10u6 | MPL-2.0(* ); Zlib(nss/lib/zlib/* ); BSD-3(nss/lib/dbm/* ); public-domain(nss/lib/sqlite/sqlite3.c | +| {{}} | 3.42.1-1+deb10u6 | MPL-2.0(* ); Zlib(nss/lib/zlib/* ); BSD-3(nss/lib/dbm/* ); public-domain(nss/lib/sqlite/sqlite3.c | | {{}} | 0.9.10-2 | GPL; LGPL-2 | | {{}} | 1.1.0-cl4u1 | GPL-2+(* ) | | {{}} | 1.1.0-cl4u1 | NO COPYRIGHT FILE | 
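Review bot: the two rows bumped to 3.42.1-1+deb10u6 keep a license cell that ends in `public-domain(nss/lib/sqlite/sqlite3.c` with no closing parenthesis, so the entry is truncated on both the removed and the added lines. Since these rows are being touched anyway, close the parenthesis here or fix whatever produces the cell. The added 1.14.2-2+deb10u5 rows also list `BSD-2-clause(debian/modules/rtmp/* )` twice in a row within one cell; de-duplicating identical license/path pairs would shorten these rows without losing information.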
@@ -884,36 +893,36 @@ pdfhidden: True | {{}} | 5.2.122~dfsg-3 | LGPL-2.1(* ); LGPL-2.1(debian/* ); LGPL-2.1(debian/* ); LGPL-2+(openpgm/pgm/md5.c* ); BSD-3-clause and ISC(openpgm/pgm/include/impl/ip.h); BSD-3-clause(openpgm/pgm/include/impl/ip.h); ISC(openpgm/pgm/include/impl/ip.h) | | {{}} | 5.2.122~dfsg-3 | LGPL-2.1(* ); LGPL-2.1(debian/* ); LGPL-2.1(debian/* ); LGPL-2+(openpgm/pgm/md5.c* ); BSD-3-clause and ISC(openpgm/pgm/include/impl/ip.h); BSD-3-clause(openpgm/pgm/include/impl/ip.h); ISC(openpgm/pgm/include/impl/ip.h) | | {{}} | 1.5.1-2 | GPL-2+(* ); GPL-3+(gnulib/* ); GPL-2+(lib/appendstr.c); GPL-2+(lib/debug.c); GPL-2+(lib/pipeline* ); GPL-2+(lib/pipeline* ); GPL-3+(lib/pipeline* ) | -| {{}} | 0.36.0-1 | MIT | +| {{}} | 0.36.0-1+deb10u1 | MIT | | {{}} | 1.6.36-6 | libpng(* ); libpng(arm/arm_init.c); expat(contrib/pngminus/* ); libpng(contrib/tools/* ); libpng(pngwutil.c pngstruct.h pngwrite.c pnginfo.h pngrio.c png.h); GPL-2+ or BSD-like-with-advertising-clause(contrib/gregbook/rpng-win.c contrib/gregbook/rpng2-x.c contrib/gregbook/rpng-x.c); GPL-2+ or BSD-like-with-advertising-clause(contrib/gregbook/writepng.h contrib/gregbook/readppm.c); libpng(contrib/visupng/PngFile.c contrib/visupng/PngFile.h); libpng(contrib/libtests/tarith.c); libpng OR Apache-2.0 OR BSD-3-clause(contrib/oss-fuzz/* ); Apache-2.0(contrib/oss-fuzz/Dockerfile); GPL-2+(debian/* ); expat(debian/* ); GPL-2+(debian/* ); BSD-like-with-advertising-clause(debian/* ); libpng(debian/* ); Apache-2.0(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 1.6.36-6 | libpng(* ); libpng(arm/arm_init.c); expat(contrib/pngminus/* ); libpng(contrib/tools/* ); libpng(pngwutil.c pngstruct.h pngwrite.c pnginfo.h pngrio.c png.h); GPL-2+ or BSD-like-with-advertising-clause(contrib/gregbook/rpng-win.c contrib/gregbook/rpng2-x.c contrib/gregbook/rpng-x.c); GPL-2+ or BSD-like-with-advertising-clause(contrib/gregbook/writepng.h contrib/gregbook/readppm.c); libpng(contrib/visupng/PngFile.c contrib/visupng/PngFile.h); 
libpng(contrib/libtests/tarith.c); libpng OR Apache-2.0 OR BSD-3-clause(contrib/oss-fuzz/* ); Apache-2.0(contrib/oss-fuzz/Dockerfile); GPL-2+(debian/* ); expat(debian/* ); GPL-2+(debian/* ); BSD-like-with-advertising-clause(debian/* ); libpng(debian/* ); Apache-2.0(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 1.16-12 | X-Consortium(* ); GPL-2+(debian/* ) | | {{}} | 1.15-1 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | | {{}} | 3.3.15-2 | LGPL-2.1+(* ); LGPL-2.0+(top/* ); GPL-2.0+(pgrep.* ); GPL-2.0+(pidof.* ); GPL-2.0+(free.* ); GPL-2.0+(sysctl.* ); GPL-2.0+(debian/* ); GPL-2.0+(debian/* ); LGPL-2.0+(debian/* ); LGPL-2.1+(debian/* ) | -| {{}} | 3.6.1.3-2 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | +| {{}} | 3.6.1.3-2+deb10u1 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | | {{}} | 1.3.1-1+b1 | BSD-2-Clause(* ); BSD-3-Clause(protoc-c/* ); permissive(debian/* ) | | {{}} | 1.3.1-1+b1 | BSD-2-Clause(* ); BSD-3-Clause(protoc-c/* ); permissive(debian/* ) | -| {{}} | 3.6.1.3-2 | NO COPYRIGHT FILE | -| {{}} | 3.6.1.3-2 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); 
Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | -| {{}} | 3.6.1.3-2 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | +| {{}} | 3.6.1.3-2+deb10u1 | NO COPYRIGHT FILE | +| {{}} | 3.6.1.3-2+deb10u1 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | +| {{}} | 3.6.1.3-2+deb10u1 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | | {{}} | 0.20.2-2 | MIT(* ); MIT(debian/* ); Chromium(src/psl-make-dafsa src/lookup_string_in_fixed_set.c); MIT(src/psl-make-dafsa src/lookup_string_in_fixed_set.c); Chromium(src/psl-make-dafsa src/lookup_string_in_fixed_set.c) | -| {{}} | 2018.20181218.49446-1 | BSD; Common Public License; GPL; MIT | +| {{}} | 2018.20181218.49446-1+deb10u2 | BSD; Common Public License; GPL; MIT | | {{}} | 0.4-1 | BSD | -| {{}} | 4.0-cl4.3.1u4 | EPL-1(* ); GPL-2(debian/* 
) | +| {{}} | 4.0-cl4.3.2u2 | EPL-1(* ); GPL-2(debian/* ) | | {{}} | 12.2-4+deb10u1 | GPL; GPL-2; GPL-2+; LGPL-2; LGPL-2+; LGPL-2.1+ | | {{}} | 12.2-4+deb10u1 | GPL; GPL-2; GPL-2+; LGPL-2; LGPL-2+; LGPL-2.1+ | | {{}} | 12.2-4+deb10u1 | GPL; GPL-2; GPL-2+; LGPL-2; LGPL-2+; LGPL-2.1+ | -| {{}} | 2.7.16-2+deb10u1 | NO COPYRIGHT FILE | -| {{}} | 2.7.16-2+deb10u1 | NO COPYRIGHT FILE | -| {{}} | 2.7.16-2+deb10u1 | Apache-2; BEOPEN; BSD; CNRI; GPL; GPL-2; ISC; OpenSSL; Python; SSLeay; zlib | -| {{}} | 2.7.16-2+deb10u1 | NO COPYRIGHT FILE | +| {{}} | 2.7.16-2+deb10u3 | NO COPYRIGHT FILE | +| {{}} | 2.7.16-2+deb10u3 | NO COPYRIGHT FILE | +| {{}} | 2.7.16-2+deb10u3 | Apache-2; BEOPEN; BSD; CNRI; GPL; GPL-2; ISC; OpenSSL; Python; SSLeay; zlib | +| {{}} | 2.7.16-2+deb10u3 | NO COPYRIGHT FILE | | {{}} | 2.7.16-1 | BEOPEN; CNRI; GPL; Python | | {{}} | 2.7.16-1 | BEOPEN; CNRI; GPL; Python | -| {{}} | 3.7.3-2+deb10u3 | NO COPYRIGHT FILE | -| {{}} | 3.7.3-2+deb10u3 | NO COPYRIGHT FILE | -| {{}} | 3.7.3-2+deb10u3 | NO COPYRIGHT FILE | -| {{}} | 3.7.3-2+deb10u3 | BEOPEN; BSD; CNRI; GPL; GPL-2; OpenSSL; Python; SSLeay; zlib | -| {{}} | 3.7.3-2+deb10u3 | NO COPYRIGHT FILE | +| {{}} | 3.7.3-2+deb10u6 | NO COPYRIGHT FILE | +| {{}} | 3.7.3-2+deb10u6 | NO COPYRIGHT FILE | +| {{}} | 3.7.3-2+deb10u6 | NO COPYRIGHT FILE | +| {{}} | 3.7.3-2+deb10u6 | BEOPEN; BSD; CNRI; GPL; GPL-2; OpenSSL; Python; SSLeay; zlib | +| {{}} | 3.7.3-2+deb10u6 | NO COPYRIGHT FILE | | {{}} | 3.7.3-1 | NO COPYRIGHT FILE | | {{}} | 3.7.3-1 | NO COPYRIGHT FILE | | {{}} | 3.7.3-1 | BEOPEN; CNRI; GPL; Python | 
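Review bot: several rows changed in this hunk still record `NO COPYRIGHT FILE` at the new version (3.6.1.3-2+deb10u1, 2.7.16-2+deb10u3 and 3.7.3-2+deb10u6), so the bump refreshes the version while the license stays unknown. Other rows at the same versions in this hunk do carry a license list; if these entries come from the same source package, reuse that list, otherwise state in the table why no license is recorded so the gap does not read as an oversight.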
@@ -921,22 +930,22 @@ pdfhidden: True | {{}} | 3.7.3-1 | BEOPEN; CNRI; GPL; Python | | {{}} | 2.7.16-1 | BEOPEN; CNRI; GPL; Python | | {{}} | 2.7.16-1 | BEOPEN; CNRI; GPL; Python | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | | {{}} | 4.6.3-7+b1 | GPL; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 4.8.7+dfsg-18+deb10u1 | 
BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 22.1-1 | BSD-MIT or GPL-2(* ); GPL-2+(debian/* ); BSD-MIT or GPL-2(CMakeLists.txt); BSD-MIT or GPL-2(buildlib/* ); BSD-2-clause(buildlib/fixup-include/stdatomic.h); CC0(ccan/* ); MIT(ccan/list.* ); BSD-MIT(ibacm/* ); BSD-2-clause(ibacm/man/* ); BSD-MIT or GPL-2(ibacm/CMakeLists.txt); BSD-MIT or GPL-2(iwpmd/* ); GPL-2 or BSD-2-clause(kernel-headers/* ); GPL-2(kernel-headers/rdma/rdma_netlink.h); GPL-2 or BSD-3-clause(kernel-headers/rdma/hfi/* ); BSD-MIT or GPL-2(libibumad/* ); BSD-2-clause(libibumad/man/* ); BSD-MIT or GPL-2(libibverbs/* ); BSD-2-clause(libibverbs/man/* ); BSD-MIT or GPL-2(librdmacm/* ); BSD-MIT(librdmacm/examples/cmtime.c); BSD-2-clause(librdmacm/docs/rsocket); BSD-2-clause(librdmacm/man/* ); BSD-2-clause or GPL-2(providers/bnxt_re/* ); BSD-MIT or GPL-2(providers/cxgb3/* ); BSD-3-clause or GPL-2(providers/hfi1verbs/* ); BSD-MIT or GPL-2(providers/hns/* ); BSD-MIT or GPL-2(providers/i40iw/* ); BSD-MIT or GPL-2(providers/ipathverbs/* ); BSD-MIT or GPL-2(providers/mlx4/* ); BSD-MIT or GPL-2(providers/mlx5/* ); BSD-MIT(providers/mlx5/man/* .3); BSD-MIT or GPL-2(providers/mthca/* ); BSD-MIT or GPL-2(providers/nes/* ); BSD-2-clause or GPL-2(providers/ocrdma/* ); BSD-MIT or GPL-2(providers/qedr/* ); BSD-MIT or GPL-2(providers/rxe/* ); BSD-2-clause or GPL-2(providers/vmw_pvrdma/* ); BSD-MIT or GPL-2(rdma-ndd/* ); GPL-2(redhat/* ); BSD-MIT or GPL-2(srp_daemon/* ); CPL-1.0 or BSD-2-clause or GPL-2(srp_daemon/srp_daemon.1.in); BSD-2-clause(srp_daemon/srpd.in); BSD-MIT or GPL-2(util/udma_barrier.h); BSD-MIT(util/udma_barrier.h); BSD-2-clause(util/udma_barrier.h); BSD-3-clause(util/udma_barrier.h); GPL-2(util/udma_barrier.h); CC0(util/udma_barrier.h); MIT(util/udma_barrier.h); 
CPL-1.0(util/udma_barrier.h) | | {{}} | 5.2+dfsg-3+b13 | GPL; GPL-2 | 
@@ -944,12 +953,12 @@ pdfhidden: True | {{}} | 7.0-5 | NO COPYRIGHT FILE | | {{}} | 1.3.8-1 | RHash(* ); RHash(bindings/* ); RHash(bindings/* ) | | {{}} | 2.000006-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 2.44.10-2.1 | LGPL-2+(* ); BSD-3-clause(Files:); Expat or Unlicense(Files:); Apache-2.0 or Expat(Files:); Apache-2.0(Files:); MPL-2.0(Files:); Expat(Files:); BSD-2-clause(Files:); BSD-3-clause(Files:); Sun-permissive(Files:); Apache-2.0 or Boost-1.0(Files:); LGPL-2+(Files:); Apache-2.0(Files:); Expat(Files:); MPL-2.0(Files:); Unlicense(Files:); BSD-2-clause(Files:); BSD-3-clause(Files:); Sun-permissive(Files:); Boost-1.0(Files:) | -| {{}} | 2.44.10-2.1 | LGPL-2+(* ); BSD-3-clause(Files:); Expat or Unlicense(Files:); Apache-2.0 or Expat(Files:); Apache-2.0(Files:); MPL-2.0(Files:); Expat(Files:); BSD-2-clause(Files:); BSD-3-clause(Files:); Sun-permissive(Files:); Apache-2.0 or Boost-1.0(Files:); LGPL-2+(Files:); Apache-2.0(Files:); Expat(Files:); MPL-2.0(Files:); Unlicense(Files:); BSD-2-clause(Files:); BSD-3-clause(Files:); Sun-permissive(Files:); Boost-1.0(Files:) | +| {{}} | 2.44.10-2.1+deb10u3 | LGPL-2+(* ); BSD-3-clause(Files:); Expat or Unlicense(Files:); Apache-2.0 or Expat(Files:); Apache-2.0(Files:); MPL-2.0(Files:); Expat(Files:); BSD-2-clause(Files:); BSD-3-clause(Files:); Sun-permissive(Files:); Apache-2.0 or Boost-1.0(Files:); LGPL-2+(Files:); Apache-2.0(Files:); Expat(Files:); MPL-2.0(Files:); Unlicense(Files:); BSD-2-clause(Files:); BSD-3-clause(Files:); Sun-permissive(Files:); Boost-1.0(Files:) | +| {{}} | 2.44.10-2.1+deb10u3 | LGPL-2+(* ); BSD-3-clause(Files:); Expat or Unlicense(Files:); Apache-2.0 or Expat(Files:); Apache-2.0(Files:); MPL-2.0(Files:); Expat(Files:); BSD-2-clause(Files:); BSD-3-clause(Files:); Sun-permissive(Files:); Apache-2.0 or Boost-1.0(Files:); LGPL-2+(Files:); Apache-2.0(Files:); Expat(Files:); MPL-2.0(Files:); Unlicense(Files:); BSD-2-clause(Files:); 
BSD-3-clause(Files:); Sun-permissive(Files:); Boost-1.0(Files:) | | {{}} | 2.4+20151223.gitfa8646d.1-2 | GPL; GPL-2; LGPL-2 | | {{}} | 0.6.3-1 | Expat(* ); Expat(debian/* ); BSD-2-clause(rtrlib/spki/hashtable/tommyds-1.8/* ); GPL-2(scripts/checkpatch.pl scripts/spelling.txt); GPL-3+(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); Expat(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); BSD-2-clause(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); GPL-2(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); GPL-3+(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake) | | {{}} | 0.6.3-1 | Expat(* ); Expat(debian/* ); BSD-2-clause(rtrlib/spki/hashtable/tommyds-1.8/* ); GPL-2(scripts/checkpatch.pl scripts/spelling.txt); GPL-3+(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); Expat(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); BSD-2-clause(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); GPL-2(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake); GPL-3+(cmake/modules/FindGcov.cmake cmake/modules/FindLcov.cmake) | -| {{}} | 2.5.5-3+deb10u4 | BSD-2-clause or Ruby(* ); BSD-2-clause(Files:); Expat(Files:); BSD-2-clause(enc/* .c); BSD-2-clause(enc/ascii.c enc/euc_jp.c enc/shift_jis.c enc/windows_31j.c); BSD-2-clause(enc/gb18030.c); BSD-2-clause(enc/encdb.c); BSD-2-clause(enc/windows_1250.c enc/windows_1252.c); BSD-2-clause(enc/windows_1251.c); GPL-3+(misc/ruby-mode.el); BSD-2-clause(lib/rdoc/generator/darkfish.rb lib/rdoc/generator/template/darkfish/* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/SourceCodePro* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/Lato* ); CC-BY-3.0-famfamfam(lib/rdoc/generator/template/darkfish/images/* ); Expat(lib/rdoc/generator/json_index.rb lib/rdoc/generator/template/json_index/* ); Expat or Ruby(lib/rubygems.rb lib/rubygems/* ); PreserveNotice(util.c); BSD-2-clause(random.c); 3C-BSD(vsnprintf.c); PublicDomain(Files:); 3C-BSD(missing/crypt.c); 
3C-BSD(missing/setproctitle.c); BSD-3-clause(missing/strlcat.c missing/strlcpy.c); AllPermissions(missing/langinfo.c); PartialGplArtisticAndRuby(win32/win32.* ); zlib/libpng(ext/digest/md5/md5.c ext/digest/md5/md5.h); BSD-3-clause(ext/digest/rmd160/rmd160.c ext/digest/rmd160/rmd160.h); BSD-3-clause(ext/digest/sha2/sha2.c ext/digest/sha2/sha2.h); zlib/libpng(ext/nkf/nkf-utf8/config.h ext/nkf/nkf-utf8/nkf.c ext/nkf/nkf-utf8/utf8tbl.c); BSD-3-clause(ext/socket/addrinfo.h ext/socket/getaddrinfo.c ext/socket/getnameinfo.c); GPL-1+ or Artistic(ext/win32ole/win32ole.c); Expat(ccan/list/list.h); CC0(Files:); Unicode(Files:); Permissive(Files:); Permissive(Files:); BSD-2-clause or Ruby(debian/* ); Artistic(debian/* ); BSD-2-clause(debian/* ); 3C-BSD(debian/* ); BSD-3-clause(debian/* ); Expat(debian/* ); GPL-1+(debian/* ); Ruby(debian/* ); SIL-1.1(debian/* ); zlib/libpng(debian/* ); CC0(debian/* ); Unicode(debian/* ); Permissive(debian/* ); GPL-3+(debian/* ); CC-BY-3.0-famfamfam(debian/* ) | +| {{}} | 2.5.5-3+deb10u6 | BSD-2-clause or Ruby(* ); BSD-2-clause(Files:); Expat(Files:); BSD-2-clause(enc/* .c); BSD-2-clause(enc/ascii.c enc/euc_jp.c enc/shift_jis.c enc/windows_31j.c); BSD-2-clause(enc/gb18030.c); BSD-2-clause(enc/encdb.c); BSD-2-clause(enc/windows_1250.c enc/windows_1252.c); BSD-2-clause(enc/windows_1251.c); GPL-3+(misc/ruby-mode.el); BSD-2-clause(lib/rdoc/generator/darkfish.rb lib/rdoc/generator/template/darkfish/* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/SourceCodePro* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/Lato* ); CC-BY-3.0-famfamfam(lib/rdoc/generator/template/darkfish/images/* ); Expat(lib/rdoc/generator/json_index.rb lib/rdoc/generator/template/json_index/* ); Expat or Ruby(lib/rubygems.rb lib/rubygems/* ); PreserveNotice(util.c); BSD-2-clause(random.c); 3C-BSD(vsnprintf.c); PublicDomain(Files:); 3C-BSD(missing/crypt.c); 3C-BSD(missing/setproctitle.c); BSD-3-clause(missing/strlcat.c missing/strlcpy.c); 
AllPermissions(missing/langinfo.c); PartialGplArtisticAndRuby(win32/win32.* ); zlib/libpng(ext/digest/md5/md5.c ext/digest/md5/md5.h); BSD-3-clause(ext/digest/rmd160/rmd160.c ext/digest/rmd160/rmd160.h); BSD-3-clause(ext/digest/sha2/sha2.c ext/digest/sha2/sha2.h); zlib/libpng(ext/nkf/nkf-utf8/config.h ext/nkf/nkf-utf8/nkf.c ext/nkf/nkf-utf8/utf8tbl.c); BSD-3-clause(ext/socket/addrinfo.h ext/socket/getaddrinfo.c ext/socket/getnameinfo.c); GPL-1+ or Artistic(ext/win32ole/win32ole.c); Expat(ccan/list/list.h); CC0(Files:); Unicode(Files:); Permissive(Files:); Permissive(Files:); BSD-2-clause or Ruby(debian/* ); Artistic(debian/* ); BSD-2-clause(debian/* ); 3C-BSD(debian/* ); BSD-3-clause(debian/* ); Expat(debian/* ); GPL-1+(debian/* ); Ruby(debian/* ); SIL-1.1(debian/* ); zlib/libpng(debian/* ); CC0(debian/* ); Unicode(debian/* ); Permissive(debian/* ); GPL-3+(debian/* ); CC-BY-3.0-famfamfam(debian/* ) | | {{}} | 2.1.27+dfsg-1+deb10u2 | BSD-4-clause(* ); GPL-3+(debian/* ); GPL-3+(debian/saslfinger/* ); GPL-3+(debian/gen-auth/* ); GPL-3+(debian/gen-auth/* ); BSD-4-clause(debian/gen-auth/* ) | | {{}} | 2.1.27+dfsg-1+deb10u2 | BSD-4-clause(* ); GPL-3+(debian/* ); GPL-3+(debian/saslfinger/* ); GPL-3+(debian/gen-auth/* ); GPL-3+(debian/gen-auth/* ); BSD-4-clause(debian/gen-auth/* ) | | {{}} | 2.1.27+dfsg-1+deb10u2 | BSD-4-clause(* ); GPL-3+(debian/* ); GPL-3+(debian/saslfinger/* ); GPL-3+(debian/gen-auth/* ); GPL-3+(debian/gen-auth/* ); BSD-4-clause(debian/gen-auth/* ) | 
@@ -976,7 +985,7 @@ pdfhidden: True | {{}} | 0.4.8+dfsg2-16 | BSD | | {{}} | 1.1.7-1 | Google | | {{}} | 1.1.7-1 | Google | -| {{}} | 1.0.28-6+deb10u1 | LGPL-2.1+(* ); LGPL-2.1+(src/* ); gsm(src/GSM610/* ); Apache-2.0(src/ALAC/* ); LGPL-2.1+(src/ALAC/shift.h); sun(src/G72x/* ); GPL-2+(src/G72x/g72x_test.c); LGPL-2+(src/* ima_oki* ); LGPL-2.1+(src/aiff.c); BSD-3-clause(src/* .py); BSD-3-clause(src/sndfile.hh); BSD-3-clause and LGPL-2.1+(src/ogg_vorbis.c); LGPL-2.1+(src/ogg.c); LGPL-2.1+(src/flac.c); LGPL-2.1+(src/cart.c); LGPL-2.1+(src/chunk.c); LGPL-2.1+(src/sd2.c); LGPL-2.1+(src/broadcast.c); LGPL-2.1+(src/wve.c); LGPL-2.1+(src/file_io.c); LGPL-2.1+(src/rf64.c); BSD-3-clause(programs/* ); BSD-3-clause(programs/common.c); BSD-3-clause(programs/sndfile-cmp.c); GPL-2+(programs/sndfile-play-beos.cpp); BSD-3-clause(examples/* ); GPL-2+(examples/sndfilehandle.cc); GPL-2+(Octave/sndfile_load.m); GPL-2+(tests/* ); BSD-3-clause(tests/* .sh.in); GPL-2+(regtest/* ); BSD-3-clause(Scripts/android-configure.sh); BSD-3-clause(M4/stack_protect.m4); FSFAP(M4/ax_add_fortify_source.m4); GPL-2+(M4/extra_pkg.m4); LGPL-2.1+(debian/* ); LGPL-2.1+(debian/* ); LGPL-2+(debian/* ); GPL-2+(debian/* ); BSD-3-clause(debian/* ); Apache-2.0(debian/* ) | +| {{}} | 1.0.28-6+deb10u2 | LGPL-2.1+(* ); LGPL-2.1+(src/* ); gsm(src/GSM610/* ); Apache-2.0(src/ALAC/* ); LGPL-2.1+(src/ALAC/shift.h); sun(src/G72x/* ); GPL-2+(src/G72x/g72x_test.c); LGPL-2+(src/* ima_oki* ); LGPL-2.1+(src/aiff.c); BSD-3-clause(src/* .py); BSD-3-clause(src/sndfile.hh); BSD-3-clause and LGPL-2.1+(src/ogg_vorbis.c); LGPL-2.1+(src/ogg.c); LGPL-2.1+(src/flac.c); LGPL-2.1+(src/cart.c); LGPL-2.1+(src/chunk.c); LGPL-2.1+(src/sd2.c); LGPL-2.1+(src/broadcast.c); LGPL-2.1+(src/wve.c); LGPL-2.1+(src/file_io.c); LGPL-2.1+(src/rf64.c); BSD-3-clause(programs/* ); BSD-3-clause(programs/common.c); BSD-3-clause(programs/sndfile-cmp.c); GPL-2+(programs/sndfile-play-beos.cpp); BSD-3-clause(examples/* ); GPL-2+(examples/sndfilehandle.cc); 
GPL-2+(Octave/sndfile_load.m); GPL-2+(tests/* ); BSD-3-clause(tests/* .sh.in); GPL-2+(regtest/* ); BSD-3-clause(Scripts/android-configure.sh); BSD-3-clause(M4/stack_protect.m4); FSFAP(M4/ax_add_fortify_source.m4); GPL-2+(M4/extra_pkg.m4); LGPL-2.1+(debian/* ); LGPL-2.1+(debian/* ); LGPL-2+(debian/* ); GPL-2+(debian/* ); BSD-3-clause(debian/* ); Apache-2.0(debian/* ) | | {{}} | 5.7.3+dfsg-5+deb10u2 | BSD-LIKE and BSD-3-clause(* ); BSD-3-clause(debian/* ); GPL-2+ or Artistic-1.0(perl/* ); BSD-3-clause(python/* ); BSD-3-clause(snmplib/winpipe.c); BSD-3-clause(snmplib/sd-daemon.c); BSD-3-clause(apps/snmppcap.c); BSD-LIKE(apps/snmppcap.c); BSD-3-clause(apps/snmppcap.c); Artistic-1.0(apps/snmppcap.c); GPL-2.0+(apps/snmppcap.c) | | {{}} | 5.8.0-cl4.3.0u1 | BSD | | {{}} | 5.8.0-cl4.3.0u1 | NO COPYRIGHT FILE | 
@@ -995,8 +1004,10 @@ pdfhidden: True | {{}} | 0.8.7-1+deb10u1 | LGPL-2.1+~OpenSSL(* ); LGPL-2.1+~OpenSSL(include/libssh/auth.h); LGPL-2.1+~OpenSSL(examples/exec.c); public-domain(examples/authentication.c); public-domain(src/external/curve25519_ref.c); LGPL-2.1+~OpenSSL(tests/pkd/pkd_client.h); LGPL-2.1+~OpenSSL(src/channels.c); LGPL-2.1+~OpenSSL(include/libssh/agent.h); LGPL-2.1(include/libssh/curve25519.h); LGPL-2.1+~OpenSSL(include/libssh/callbacks.h); BSD-2-clause(src/match.c); LGPL-2.1(include/libssh/knownhosts.h); LGPL-2.1+~OpenSSL(src/poll.c); LGPL-2.1+~OpenSSL(src/dh.c); LGPL-2.1+~OpenSSL(src/auth.c); LGPL-2.1+~OpenSSL(src/getpass.c); LGPL-2.1+~OpenSSL(src/gssapi.c); BSD-3-clause(cmake/Modules/DefineCMakeDefaults.cmake); BSD-3-clause(cmake/Modules/AddCMockaTest.cmake); LGPL-2.1+~OpenSSL or BSD-2-clause or BSD-3-clause(debian/* ); LGPL-2.1+~OpenSSL(debian/* ); LGPL-2.1(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 0.8.7-1+deb10u1 | LGPL-2.1+~OpenSSL(* ); LGPL-2.1+~OpenSSL(include/libssh/auth.h); LGPL-2.1+~OpenSSL(examples/exec.c); public-domain(examples/authentication.c); public-domain(src/external/curve25519_ref.c); LGPL-2.1+~OpenSSL(tests/pkd/pkd_client.h); LGPL-2.1+~OpenSSL(src/channels.c); LGPL-2.1+~OpenSSL(include/libssh/agent.h); LGPL-2.1(include/libssh/curve25519.h); LGPL-2.1+~OpenSSL(include/libssh/callbacks.h); BSD-2-clause(src/match.c); LGPL-2.1(include/libssh/knownhosts.h); LGPL-2.1+~OpenSSL(src/poll.c); LGPL-2.1+~OpenSSL(src/dh.c); LGPL-2.1+~OpenSSL(src/auth.c); LGPL-2.1+~OpenSSL(src/getpass.c); LGPL-2.1+~OpenSSL(src/gssapi.c); BSD-3-clause(cmake/Modules/DefineCMakeDefaults.cmake); BSD-3-clause(cmake/Modules/AddCMockaTest.cmake); LGPL-2.1+~OpenSSL or BSD-2-clause or BSD-3-clause(debian/* ); LGPL-2.1+~OpenSSL(debian/* ); LGPL-2.1(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 0.8.7-1+deb10u1 | LGPL-2.1+~OpenSSL(* ); LGPL-2.1+~OpenSSL(include/libssh/auth.h); LGPL-2.1+~OpenSSL(examples/exec.c); 
public-domain(examples/authentication.c); public-domain(src/external/curve25519_ref.c); LGPL-2.1+~OpenSSL(tests/pkd/pkd_client.h); LGPL-2.1+~OpenSSL(src/channels.c); LGPL-2.1+~OpenSSL(include/libssh/agent.h); LGPL-2.1(include/libssh/curve25519.h); LGPL-2.1+~OpenSSL(include/libssh/callbacks.h); BSD-2-clause(src/match.c); LGPL-2.1(include/libssh/knownhosts.h); LGPL-2.1+~OpenSSL(src/poll.c); LGPL-2.1+~OpenSSL(src/dh.c); LGPL-2.1+~OpenSSL(src/auth.c); LGPL-2.1+~OpenSSL(src/getpass.c); LGPL-2.1+~OpenSSL(src/gssapi.c); BSD-3-clause(cmake/Modules/DefineCMakeDefaults.cmake); BSD-3-clause(cmake/Modules/AddCMockaTest.cmake); LGPL-2.1+~OpenSSL or BSD-2-clause or BSD-3-clause(debian/* ); LGPL-2.1+~OpenSSL(debian/* ); LGPL-2.1(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | -| {{}} | 1.1.1n-0+deb10u3 | BSD; OpenSSL; SSLeay | -| {{}} | 1.1.1n-0+deb10u3 | BSD; OpenSSL; SSLeay | +| {{}} | 1.1.1n-0+deb10u6 | BSD; OpenSSL; SSLeay | +| {{}} | 1.1.1n-0+deb10u5 | NO COPYRIGHT FILE | +| {{}} | 1.1.1n-0+deb10u6 | BSD; OpenSSL; SSLeay | +| {{}} | 1.1.1n-0+deb10u5 | BSD; OpenSSL; SSLeay | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 2.000005-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(inc/ExtUtils/HasCompiler.pm); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | 
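Review bot: the two removed rows at `1.1.1n-0+deb10u3` (license `BSD; OpenSSL; SSLeay`) are replaced by four rows that mix two revisions, `1.1.1n-0+deb10u6` and `1.1.1n-0+deb10u5`, and one of the `u5` rows reads `NO COPYRIGHT FILE`. Please confirm that both revisions really ship side by side in the image. If the `u5` rows are left over from an earlier package scan, drop them so the table does not advertise an older revision than the one installed. If they are genuine, the `u5` binaries are behind the `u6` ones and that is worth tracking as a patching gap. The `NO COPYRIGHT FILE` entry also needs a license filled in, since its sibling rows carry one.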
@@ -1004,9 +1015,9 @@ pdfhidden: True | {{}} | 0.001013-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 0.21-1+b3 | Artistic or GPL-1+(* ); Artistic or GPL-1+(ppport.h); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 2.005001-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 2018.20181218.49446-1 | BSD; Common Public License; GPL; MIT | -| {{}} | 241-7~deb10u8 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | -| {{}} | 241-7~deb10u8 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 2018.20181218.49446-1+deb10u2 | BSD; Common Public License; GPL; MIT | +| {{}} | 247.3-6~bpo10+1 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/ioprio.h); GPL-2 with Linux-syscall-note exception(src/shared/linux/* ); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/ata_id/ata_id.c); GPL-2+(src/udev/scsi_id/* ); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2 with Linux-syscall-note exception(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 247.3-6~bpo10+1 | LGPL-2.1+(* ); 
CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/ioprio.h); GPL-2 with Linux-syscall-note exception(src/shared/linux/* ); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/ata_id/ata_id.c); GPL-2+(src/udev/scsi_id/* ); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2 with Linux-syscall-note exception(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | | {{}} | 1.4.3-cl4u1 | GPL; GPL-2 | | {{}} | 1.4.3-cl4u1 | GPL; GPL-2 | | {{}} | 1.4.3-cl4u1 | NO COPYRIGHT FILE | @@ -1015,14 +1026,14 @@ pdfhidden: True | {{}} | 1.0.1-cl4u1 | GPL-2+(* ); GPL-2+(* ) | | {{}} | 1.0.1-cl4u1 | NO COPYRIGHT FILE | | {{}} | 1.0.1-cl4u1 | GPL-2+(* ); GPL-2+(* ) | -| {{}} | 4.13-3 | GFDL-1; GPL; GPL-3; LGPL; LGPL-2 | -| {{}} | 4.13-3 | GFDL-1; GPL; GPL-3; LGPL; LGPL-2 | +| {{}} | 4.13-3+deb10u1 | GFDL-1; GPL; GPL-3; LGPL; LGPL-2 | +| {{}} | 4.13-3+deb10u1 | GFDL-1; GPL; GPL-3; LGPL; LGPL-2 | | {{}} | 8.6.9+dfsg-2 | BSD | | {{}} | 2.7-1 | BSD-3-clause(* ); GPL-2+(debian/* ) | | {{}} | 2.5.8+ds2-5 | LGPL-2.1+ or CPL-0.5+(* ); LGPL-2.1+ or GPL-2+ or MPL-1.1(SFconv/UtfCodec.* ); LGPL-2.1+(debian* /* ); LGPL-2.1+(debian* /* ); GPL-2+(debian* /* ); MPL-1.1(debian* /* ); CPL-0.5+(debian* /* ) | -| {{}} | 2018.20181218.49446-1 | BSD; Common Public License; GPL; MIT | -| {{}} | 2018.20181218.49446-1 | BSD; Common Public License; GPL; MIT | -| {{}} | 2018.20181218.49446-1 | BSD; Common Public License; GPL; MIT | +| {{}} | 2018.20181218.49446-1+deb10u2 | BSD; Common Public License; GPL; MIT | +| {{}} | 2018.20181218.49446-1+deb10u2 | BSD; Common Public License; GPL; MIT | +| {{}} | 2018.20181218.49446-1+deb10u2 | BSD; Common Public License; GPL; MIT | | {{}} | 0.04-7.1+b1 | Artistic; GPL; GPL-2 | | {{}} | 1.7-5+b7 | Artistic; GPL; GPL-2 | | {{}} | 0.13-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | 
@@ -1030,10 +1041,10 @@ pdfhidden: True | {{}} | 0.06-7.1 | Artistic; GPL | | {{}} | 0.1.28-2 | LGPL-2.1+(* ); GPL-2+(debian/* ) | | {{}} | 0.1.28-2 | LGPL-2.1+(* ); GPL-2+(debian/* ) | -| {{}} | 4.1.0+git191117-2~deb10u4 | Hylafax(* ); Hylafax(debian/* ); Hylafax(debian/* ) | +| {{}} | 4.1.0+git191117-2~deb10u8 | Hylafax(* ); Hylafax(debian/* ); Hylafax(debian/* ) | | {{}} | 2.3000-2+deb10u1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(lib/Date/Language/Bulgarian.pm); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 6.1+20181013-2+deb10u2 | Dickey; MIT | -| {{}} | 6.1+20181013-2+deb10u2 | Dickey; MIT | +| {{}} | 6.1+20181013-2+deb10u4 | Dickey; MIT | +| {{}} | 6.1+20181013-2+deb10u4 | Dickey; MIT | | {{}} | 2.4.6-9 | GFDL; GPL | | {{}} | 2.4.6-9 | GFDL; GPL | | {{}} | 0.30-1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | 
@@ -1041,9 +1052,9 @@ pdfhidden: True | {{}} | 7.4.0-6 | NO COPYRIGHT FILE | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 0.0.6-3 | MPL-1.1 or GPL-2+ or LGPL-2.1+(* ); GPL-2+(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); MPL-1.1(debian/* ) | -| {{}} | 241-7~deb10u8 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | -| {{}} | 241-7~deb10u8 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | -| {{}} | 1.9.0-2+deb10u2 | BSD-3-NLnetLabs(* ); GPL-3(debian/* ); ISC(compat/arc4random.c); BSD-3-WIDE(compat/fake-rfc2553.c); ISC(compat/getentropy_linux.c); BSD-3-Regents-DEC(compat/inet_aton.c); ISC(compat/inet_ntop.c compat/inet_pton.c); ISC(compat/reallocarray.c); BSD-3-ADG(compat/sha512.c); BSD-3-Todd-Miller(compat/strlcat.c); ISC(compat/strlcpy.c); BSD-3-NLnetLabs-Mekking(compat/strptime.c); BSD-3-Viagénie(dns64/dns64.c); BSD-3-Farsight(dnstap/dnstap.c); BSD-3-VUT(libunbound/python/* ); BSD-2-VUT(libunbound/python/examples/* ); BSD-3-CZ.NIC(libunbound/python/file_py3.i); GPL-3+ with Bison exception(util/configparser.c); ISC(util/random.c); public-domain(util/storage/lookup3.c); ISC(util/storage/lookup3.c) | +| {{}} | 247.3-6~bpo10+1 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/ioprio.h); GPL-2 with 
Linux-syscall-note exception(src/shared/linux/* ); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/ata_id/ata_id.c); GPL-2+(src/udev/scsi_id/* ); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2 with Linux-syscall-note exception(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 247.3-6~bpo10+1 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/ioprio.h); GPL-2 with Linux-syscall-note exception(src/shared/linux/* ); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/ata_id/ata_id.c); GPL-2+(src/udev/scsi_id/* ); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2 with Linux-syscall-note exception(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 1.9.0-2+deb10u3 | BSD-3-NLnetLabs(* ); GPL-3(debian/* ); ISC(compat/arc4random.c); BSD-3-WIDE(compat/fake-rfc2553.c); ISC(compat/getentropy_linux.c); BSD-3-Regents-DEC(compat/inet_aton.c); ISC(compat/inet_ntop.c compat/inet_pton.c); ISC(compat/reallocarray.c); BSD-3-ADG(compat/sha512.c); BSD-3-Todd-Miller(compat/strlcat.c); ISC(compat/strlcpy.c); BSD-3-NLnetLabs-Mekking(compat/strptime.c); BSD-3-Viagénie(dns64/dns64.c); BSD-3-Farsight(dnstap/dnstap.c); BSD-3-VUT(libunbound/python/* ); BSD-2-VUT(libunbound/python/examples/* ); BSD-3-CZ.NIC(libunbound/python/file_py3.i); GPL-3+ with Bison exception(util/configparser.c); ISC(util/random.c); public-domain(util/storage/lookup3.c); ISC(util/storage/lookup3.c) | | {{}} | 0.9.10-1 | FreeSoftware; GFDL-1; GFDL-1.2+; GPL; GPL-2; GPL-2+; GPL-2+ with distribution exception; GPL-3; GPL-3+; LGPL-3; LGPL-3+; MIT | | {{}} | 1.2.1-10~deb10u1 | Expat(* ); Expat(src/arm/* ); Expat(src/mi/strerror.c); Expat(src/mips/* ); Expat(src/os-freebsd.c src/x86/* -freebsd.* ); Expat(src/ppc* /* ); Expat(src/ptrace/_UPT_access_* ); Expat(src/unwind/GetIPInfo.c); Expat(src/x86/getcontext-linux.S); 
Expat(src/x86_64/Gstash_frame.c src/x86_64/Gtrace.c); Expat(src/x86_64/* context.S); Expat(tests/Gtest-nocalloc.c tests/Gtest-nomalloc.c); Expat(tests/Gtest-trace.c); Expat(tests/Ltest-cxx-exceptions.cxx); GPL-2+(debian/* ); Expat(debian/* ) | | {{}} | 1.2.1-10~deb10u1 | Expat(* ); Expat(src/arm/* ); Expat(src/mi/strerror.c); Expat(src/mips/* ); Expat(src/os-freebsd.c src/x86/* -freebsd.* ); Expat(src/ppc* /* ); Expat(src/ptrace/_UPT_access_* ); Expat(src/unwind/GetIPInfo.c); Expat(src/x86/getcontext-linux.S); Expat(src/x86_64/Gstash_frame.c src/x86_64/Gtrace.c); Expat(src/x86_64/* context.S); Expat(tests/Gtest-nocalloc.c tests/Gtest-nomalloc.c); Expat(tests/Gtest-trace.c); Expat(tests/Ltest-cxx-exceptions.cxx); GPL-2+(debian/* ); Expat(debian/* ) | 
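Review bot: the two rows that move from `241-7~deb10u8` to `247.3-6~bpo10+1` switch from a stable security revision to a backports build (the `~bpo10` suffix), unlike the other rows in this hunk, which only bump a `deb10uN` revision. Please confirm the backported version is what the release actually installs, because backports follow a different update path from the stable security archive. The license column changes with it: the entries for `src/basic/securebits.h`, `src/udev/udev-ctrl.c` and `src/udev/scsi_id/scsi.h` disappear and `GPL-2 with Linux-syscall-note exception(src/shared/linux/* )` appears, so it is worth checking the new text against the package's copyright file rather than assuming it carried over.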
@@ -1062,22 +1073,22 @@ pdfhidden: True | {{}} | 1.3.6-2 | BSD-3-Clause(* ); RFC-special(doc/rfc5215.* ); BSD-3-Clause(debian/* ); BSD-3-Clause(debian/* ) | | {{}} | 1.16.0-1 | X11 | | {{}} | 1.16.0-1 | X11 | -| {{}} | 0.6.1-2+deb10u1 | Apache-2 | -| {{}} | 2.6.20-0+deb10u3 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | -| {{}} | 2.6.20-0+deb10u3 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | -| {{}} | 2.6.20-0+deb10u3 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); 
BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | +| {{}} | 0.6.1-2+deb10u3 | Apache-2 | +| {{}} | 2.6.20-0+deb10u4 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | +| {{}} | 2.6.20-0+deb10u4 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | +| {{}} | 2.6.20-0+deb10u4 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); 
BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | | {{}} | 1.0.2-1 | Expat( * ); Expat( CMakeLists.txt); Expat( CMakeLists.txt) | | {{}} | 7.6.q-28 | BSD | | {{}} | 7.6.q-28 | NO COPYRIGHT FILE | -| {{}} | 2.6.20-0+deb10u3 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | -| {{}} | 2.6.20-0+deb10u3 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | +| {{}} | 2.6.20-0+deb10u4 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); 
ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | +| {{}} | 2.6.20-0+deb10u4 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | | {{}} | 6.36-2 | Artistic or GPL-1+(* ); Artistic or GPL-1+(lib/LWP.pm); Artistic or GPL-1+(lib/LWP/Authen/Ntlm.pm); Artistic or GPL-1+(lwptut.pod); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 6.02-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | -| {{}} | 1.6.7-1+deb10u2 | MIT | +| {{}} | 1.6.7-1+deb10u4 | MIT | | {{}} | 1.6.7-1+deb10u2 | MIT | -| {{}} | 1.6.7-1+deb10u2 | MIT | -| {{}} | 1.6.7-1+deb10u2 | MIT | -| {{}} | 1.6.7-1+deb10u2 | MIT | +| {{}} | 1.6.7-1+deb10u4 | MIT | +| {{}} | 1.6.7-1+deb10u4 | MIT | +| {{}} | 1.6.7-1+deb10u4 | MIT | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | | {{}} | 8.3.0-6 | NO COPYRIGHT FILE | 
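Review bot: in the group of five `MIT` rows, four move from `1.6.7-1+deb10u2` to `1.6.7-1+deb10u4`, but the second row stays as unchanged context at `1.6.7-1+deb10u2`. If all five are binary packages built from the same source, one of them is listed two revisions behind its siblings. Please check whether that package was really not upgraded (and so is missing the fixes in `u3` and `u4`) or whether the row was missed when the table was regenerated, and update it to match if so.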
@@ -1133,9 +1144,9 @@ pdfhidden: True | {{}} | 5.0.3-1 | BSD | | {{}} | 1.7.9-1 | BSD | | {{}} | 1.1.4-2 | BSD | -| {{}} | 2.9.4+dfsg1-7+deb10u4 | ISC; MIT; MIT-1 | -| {{}} | 2.9.4+dfsg1-7+deb10u4 | ISC; MIT; MIT-1 | -| {{}} | 2.9.4+dfsg1-7+deb10u4 | ISC; MIT; MIT-1 | +| {{}} | 2.9.4+dfsg1-7+deb10u6 | ISC; MIT; MIT-1 | +| {{}} | 2.9.4+dfsg1-7+deb10u6 | ISC; MIT; MIT-1 | +| {{}} | 2.9.4+dfsg1-7+deb10u6 | ISC; MIT; MIT-1 | | {{}} | 2.0134+dfsg-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(Devel.xs); Expat(scripts/Test.pm-to-Test-More.pl); Expat(t/48_reader_undef_warning_on_empty_str_rt106830.t); Expat(example/create-sample-html-document.pl); Artistic or GPL-1+(inc/Devel/CheckLib.pm); Artistic or GPL-1+(ppport.h); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ); Expat(debian/* ) | | {{}} | 1.12-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.09-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | 
@@ -1144,16 +1155,17 @@ pdfhidden: True | {{}} | 1.2.27-2 | BSD | | {{}} | 2.25-1 | Artistic or GPL-1+(* ); Artistic or GPL-1+(debian/* ); Artistic(debian/* ); GPL-1+(debian/* ) | | {{}} | 1.1.2-2+b3 | BSD | -| {{}} | 3.5.12-1 | BSD | +| {{}} | 3.5.12-1+deb10u2 | BSD | +| {{}} | 3.5.12-1+deb10u2 | BSD | | {{}} | 1.5.1-1 | BSD-like | | {{}} | 0.9.10-1 | BSD-like | | {{}} | 1.3-1 | BSD-like | | {{}} | 1.3-1 | BSD-like | | {{}} | 1.1.32-2.2~deb10u1 | BSD | | {{}} | 1.1.5-1+b3 | MIT | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); 
GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); 
GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | -| {{}} | 1.8.2-3-cl4.3.1u7 | NO COPYRIGHT FILE | -| {{}} | 1.8.2-3-cl4.3.1u7 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); 
GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); 
GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); 
GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | +| {{}} | 1.8.2-3-cl4.3.2u1 | NO COPYRIGHT FILE | +| {{}} | 1.8.2-3-cl4.3.2u1 | GPL-2(* ); GPL-2(extensions/libebt_802_3.c); GPL-2(extensions/libebt_ip.c extensions/libebt_log.c extensions/libebt_mark* .c); GPL-2(extensions/libebt_limit.c); GPL-2(extensions/libebt_nflog.c); GPL-2(extensions/libip6t_DNAT.c); GPL-2(extensions/libip6t_DNPT.c); GPL-2(extensions/libip6t_MASQUERADE.c); GPL-2(extensions/libip6t_NETMAP.c); GPL-2(extensions/libip6t_REDIRECT.c); GPL-2(extensions/libip6t_REJECT.c); GPL-2(extensions/libip6t_SNAT.c); GPL-2(extensions/libip6t_SNPT.c); GPL-2(extensions/libip6t_mh.c); GPL-2(extensions/libipt_CLUSTERIP.c); GPL-2(extensions/libipt_ECN.c); GPL-2(extensions/libipt_REJECT.c); GPL-2(extensions/libipt_TTL.c); GPL-2(extensions/libipt_ULOG.c); 
GPL-2(extensions/libipt_ttl.c); GPL-2(extensions/libxt_AUDIT.c); GPL-2(extensions/libxt_CHECKSUM.c); GPL-2(extensions/libxt_CLASSIFY.c); GPL-2(extensions/libxt_CONNMARK.c); GPL-2(extensions/libxt_CONNSECMARK.c); GPL-2(extensions/libxt_CT.c); GPL-2(extensions/libxt_DSCP.c); GPL-2(extensions/libxt_HMARK.c); GPL-2(extensions/libxt_IDLETIMER.c); GPL-2(extensions/libxt_LED.c); GPL-2(extensions/libxt_NFQUEUE.c); GPL-2(extensions/libxt_RATEEST.c); GPL-2(extensions/libxt_SECMARK.c); GPL-2(extensions/libxt_SET.c); GPL-2(extensions/libxt_SYNPROXY.c); GPL-2(extensions/libxt_TCPMSS.c); GPL-2(extensions/libxt_TCPOPTSTRIP.c); GPL-2(extensions/libxt_TEE.c); GPL-2(extensions/libxt_TOS.c); GPL-2(extensions/libxt_TPROXY.c); GPL-2(extensions/libxt_addrtype.c); GPL-2(extensions/libxt_bpf.c); GPL-2(extensions/libxt_cluster.c); GPL-2(extensions/libxt_connmark.c); GPL-2(extensions/libxt_conntrack.c); GPL-2(extensions/libxt_dccp.c); GPL-2(extensions/libxt_devgroup.c); GPL-2(extensions/libxt_dscp.c); GPL-2(extensions/libxt_ecn.c); GPL-2(extensions/libxt_hashlimit.c); GPL-2(extensions/libxt_osf.c); GPL-2(extensions/libxt_owner.c); GPL-2(extensions/libxt_policy.c); GPL-2(extensions/libxt_rateest.c); GPL-2(extensions/libxt_sctp.c); GPL-2(extensions/libxt_set.c); GPL-2(extensions/libxt_socket.c); GPL-2(extensions/libxt_statistic.c); GPL-2(extensions/libxt_string.c); GPL-2(extensions/libxt_time.c); GPL-2(extensions/libxt_tos.c); GPL-2(extensions/libxt_u32.c); GPL-2(include/linux/netfilter/ipset/ip_set.h); GPL-2(include/linux/netfilter/xt_AUDIT.h); GPL-2(include/linux/netfilter/xt_CHECKSUM.h); GPL-2(include/linux/netfilter/xt_DSCP.h); GPL-2(include/linux/netfilter/xt_IDLETIMER.h); GPL-2(include/linux/netfilter/xt_NFQUEUE.h); GPL-2(include/linux/netfilter/xt_connmark.h); GPL-2(include/linux/netfilter/xt_conntrack.h); GPL-2(include/linux/netfilter/xt_dscp.h); GPL-2(include/linux/netfilter/xt_ecn.h); GPL-2(include/linux/netfilter/xt_osf.h); GPL-2(include/linux/netfilter_ipv4.h); 
GPL-2(include/linux/netfilter_ipv4/ip_queue.h); GPL-2(include/linux/netfilter_ipv4/ipt_ECN.h); GPL-2(include/linux/netfilter_ipv4/ipt_TTL.h); GPL-2(include/linux/netfilter_ipv4/ipt_ULOG.h); GPL-2(include/linux/netfilter_ipv4/ipt_ttl.h); GPL-2(include/linux/netfilter_ipv6.h); Artistic-2(iptables/iptables-apply); GPL-2(iptables/iptables-save.c); GPL-2(iptables/iptables-xml.c); GPL-2+(iptables/nft.c); GPL-2+(iptables/nft-arp.c); GPL-2+(iptables/nft-bridge.c); GPL-2+(iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c); GPL-2+(iptables/xtables-arp.c iptables/xtables-eb.c); GPL-2(libiptc/libip4tc.c); GPL-2(libiptc/libip6tc.c); GPL-2(libiptc/libiptc.c); GPL-2(libxtables/xtables.c); GPL-2(libxtables/xtoptions.c); GPL-2(utils/nfsynproxy.c); custom(utils/pf.os); GPL-2(utils/pf.os); GPL-2+(utils/pf.os); Artistic-2(utils/pf.os) | | {{}} | 1.2.3-1 | MIT; NCD | | {{}} | 1.1.4-1+b2 | BSD | | {{}} | 1.1.4-1+b2 | BSD | 
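Review bot: The added row `| {{}} | 1.8.2-3-cl4.3.2u1 | NO COPYRIGHT FILE |` carries the placeholder over from the 1.8.2-3-cl4.3.1u7 row it replaces, while the two neighbouring rows at the same version list full per-file licenses. Either fill in the license for this package or say in the page why no copyright file ships with it, so the gap is not copied forward with each release. The neighbouring rows also end with four different licenses for the single file utils/pf.os (custom, GPL-2, GPL-2+, Artistic-2); that looks like generator output worth checking before it is repeated for the new version.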
@@ -1170,41 +1182,42 @@ pdfhidden: True | {{}} | 0.16.105-1+deb10u1 | BSD-3-clause(* ); BSD-3-clause(swig/* ); BSD-3-clause(swig/java/* ); BSD-3-clause AND Apache-2.0(swig/python/config.py.in swig/python/tests/test_libyang.py swig/python/tests/test_tree_data.py swig/python/tests/test_tree_schema.py); IETF-BSD-3-clause(* /iana-* .yin * /iana-* .yang * /ietf-* .yin * /ietf-* .yang * /ietf-* .h); BSD-2-clause(linenoise/* ); Expat(swig/cpp/tests/microtest.h); BSD-3-clause(swig/java/tests/hamcrest-core-1.3.jar); EPL-1.0(swig/java/tests/junit-4.12.jar); GPL-3(swig/* .deb); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ); Apache-2.0(debian/* ) | | {{}} | 4.3.1-4+deb10u2 | LGPL-3.0+(* ); LGPL-3.0+(src/xreq.cpp); LGPL-3.0+(src/msg.hpp); LGPL-3.0+(src/pgm_receiver.* ); LGPL-2.0+(debian/* ); MIT(debian/zmq.hpp); LGPL-2.0+(debian/zmq.hpp); LGPL-3.0+(debian/zmq.hpp); MIT(debian/zmq.hpp) | | {{}} | 4.3.1-4+deb10u2 | LGPL-3.0+(* ); LGPL-3.0+(src/xreq.cpp); LGPL-3.0+(src/msg.hpp); LGPL-3.0+(src/pgm_receiver.* ); LGPL-2.0+(debian/* ); MIT(debian/zmq.hpp); LGPL-2.0+(debian/zmq.hpp); LGPL-3.0+(debian/zmq.hpp); MIT(debian/zmq.hpp) | -| {{}} | 1.3.8+dfsg-3+deb10u2 | BSD-3-clause and GPL-2(* ); zlib(zlibWrapper/examples/* .c); zlib(zlibWrapper/gz* .c); zlib(zlibWrapper/gz* .c); GPL-2+(contrib/linux-kernel/fs/squashfs/* ); Expat(lib/dictBuilder/divsufsort.* ); BSD-3-clause and GPL-2(examples/* ); Expat(debian/* ); Expat(debian/* ); GPL-2(debian/* ); BSD-3-clause(debian/* ) | +| {{}} | 1.4.4+dfsg-3~bpo10+1 | BSD-3-clause and GPL-2(* ); zlib(zlibWrapper/examples/* .c); zlib(zlibWrapper/gz* .c); zlib(zlibWrapper/gz* .c); GPL-2+(contrib/linux-kernel/fs/squashfs/* ); Expat(lib/dictBuilder/divsufsort.* ); BSD-3-clause and GPL-2(examples/* ); Expat(debian/* ); Expat(debian/* ); GPL-2(debian/* ); BSD-3-clause(debian/* ) | +| {{}} | 1.4.4+dfsg-3~bpo10+1 | BSD-3-clause and GPL-2(* ); zlib(zlibWrapper/examples/* .c); zlib(zlibWrapper/gz* .c); zlib(zlibWrapper/gz* .c); 
GPL-2+(contrib/linux-kernel/fs/squashfs/* ); Expat(lib/dictBuilder/divsufsort.* ); BSD-3-clause and GPL-2(examples/* ); Expat(debian/* ); Expat(debian/* ); GPL-2(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 0.13.62-3.2+deb10u1 | LGPL-2 | | {{}} | 2.15.0 | GPL-2+(* ) | | {{}} | 4.6 | GPL; GPL-2 | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u2 | NO COPYRIGHT FILE | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u2 | NO COPYRIGHT FILE | -| {{}} | 4.19.257-1+cl4.3.1u1 | NO COPYRIGHT FILE | -| {{}} | 4.19.257-1+cl4.3.1u1 | NO COPYRIGHT FILE | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | NO COPYRIGHT FILE | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | NO COPYRIGHT FILE | +| {{}} | 4.19.273-1+cl4.3.2u4 | NO COPYRIGHT FILE | 
+| {{}} | 4.19.273-1+cl4.3.2u4 | NO COPYRIGHT FILE | | {{}} | 4.19+63+cl4u1 | GPL; GPL-2 | | {{}} | 4.19+63+cl4u1 | GPL; GPL-2 | -| {{}} | 4.19.257-1+cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} 
| 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | | {{}} | 4.19+63+cl4u1 | GPL; GPL-2 | | {{}} | 4.19+63+cl4u1 | GPL; GPL-2 | | {{}} | 4.19+63+cl4u1 | GPL; GPL-2 | | {{}} | 4.19+63+cl4u1 | GPL; GPL-2 | | {{}} | 4.19.37-5+deb10u2 | GPL-2(* ); GPL-2(debian/* ); LGPL-2.1(debian/rules.d/tools/hv/check-hyperv.c); GPL-2+ or X11(Files:); CRYPTOGAMS(drivers/crypto/vmx/* .pl); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ); LGPL-2.1(scripts/extract-cert.c scripts/sign-file.c); GPL-2(scripts/extract-cert.c scripts/sign-file.c); LGPL-2.1(scripts/extract-cert.c scripts/sign-file.c); GPL-2+ or X11(scripts/extract-cert.c scripts/sign-file.c) | -| {{}} | 4.19.257-1+cl4.3.1u1 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | | {{}} | 4.19+105+deb10u16 | GPL; GPL-2 | | {{}} | 4.19.249-2 | GPL-2(* ); GPL-2(debian/* ); LGPL-2.1(debian/rules.d/tools/hv/check-hyperv.c); GPL-2+ or X11(Files:); CRYPTOGAMS(drivers/crypto/vmx/* .pl); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ); LGPL-2.1(scripts/extract-cert.c scripts/sign-file.c); GPL-2(scripts/extract-cert.c scripts/sign-file.c); LGPL-2.1(scripts/extract-cert.c scripts/sign-file.c); GPL-2+ or X11(scripts/extract-cert.c scripts/sign-file.c) | -| {{}} | 1.8-cl4.3.1u4 | GPL-2(* ); GPL-2(fault.c fault.h); GPL-2(phc_ctl.c); GPL-2(clockadj.h); GPL-2(address.h notification.h); GPL-2(debian/* ); GPL-2(debian/* .service) | -| {{}} | 1.8-cl4.3.1u4 | NO COPYRIGHT FILE | -| {{}} | 4.19.257-1+cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | -| {{}} | 
4.19.257-1+cl4.3.1u2 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 1.8-cl4.3.2u1 | GPL-2(* ); GPL-2(fault.c fault.h); GPL-2(phc_ctl.c); GPL-2(clockadj.h); GPL-2(address.h notification.h); GPL-2(debian/* ); GPL-2(debian/* .service) | +| {{}} | 1.8-cl4.3.2u1 | NO COPYRIGHT FILE | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | +| {{}} | 4.19.273-1+cl4.3.2u4 | GPL-2(* ); GPL-2(debian/* ); Unicode-data(fs/nls/mac-* ); Xen-interface(include/xen/interface/* ) | | {{}} | 1.0.3-1+b1 | APSL-2; BSD; BSD-2-clause; BSD-3-clause; Expat; GPL; GPL-2; GPL-2+; GPL-2+ with Autoconf exception; ISC; permissive | | {{}} | 1.0.4-0-cl4.3.0u2 | APSL-2; BSD; BSD-2-clause; BSD-3-clause; Expat; GPL; GPL-2; GPL-2+; GPL-2+ with Autoconf exception; ISC; permissive | | {{}} | 7.0-47 | GPL | 
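Review bot: The 1.3.8+dfsg-3+deb10u2 row is removed but two rows are added at 1.4.4+dfsg-3~bpo10+1, which accounts for the hunk growing from 41 to 42 lines; please confirm the extra row is a newly shipped package and not a duplicate. The `~bpo10+1` suffix is a Debian backports version, unlike the `+deb10uN` rows around it, so a short mention in the commit message of why this package comes from backports would help anyone auditing the list. Several of the rows bumped to 4.19.273-1+cl4.3.2u4 and the 1.8-cl4.3.2u1 row still read NO COPYRIGHT FILE after the update; those should be resolved or explained and not just carried over with a new version.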
@@ -1248,7 +1261,7 @@ pdfhidden: True | {{}} | 3.62 | ad-hoc(* ); Bellcore(mailcap.man) | | {{}} | 4.2-1.0.1.0.g75959ea | GPL-2(* ) | | {{}} | 4.2-1.0.1.0 | Proprietary(* ) | -| {{}} | 0.3.0+1538710437.fb6250f-1 | GPL-3+ with OpenSSL exception(* ) | +| {{}} | 0.6.0-2~deb10u1 | GPL-3+ with OpenSSL exception(* ) | | {{}} | 2.33.1-0.1 | GPL-2+(* ); GPL-2(schedutils/ionice.c); GPL-2(schedutils/chrt.c); GPL-2(disk-utils/raw.c); GPL-2(sys-utils/nsenter.c); GPL-2(disk-utils/mkfs.minix.c); public-domain(lib/at.c); BSD-4-clause(login-utils/vipw.c); MIT(text-utils/tailf.c); MIT(sys-utils/flock.c); BSD-2-clause(text-utils/pg.c); BSD-2-clause(login-utils/last-deprecated.c); BSD-2-clause(login-utils/login.c); BSD-3-clause(login-utils/logindefs.c); BSD-3-clause(libuuid/* ); LGPL-2+(lib/procutils.c); LGPL-2+(* /colors.* ); LGPL-2+(login-utils/setpwnam.h); LGPL-2.1+(libfdisk/* ); LGPL-2.1+(lib/cpuset.c); LGPL-2.1+(* /mbsalign.* ); GPL-3+(* /readutmp.* ); LGPL-2.1+(* /timeutils.* ); LGPL(include/list.h); LGPL-2.1+(libblkid/* ); LGPL(include/cpuset.h); LGPL(misc-utils/blkid.c); LGPL-2.1+(libmount/* ); LGPL-3+(libmount/python/* ); LGPL(libsmartcols/* ); GPL-2+(debian/* ); public-domain(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-3+(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ); BSD-4-clause(debian/* ); LGPL(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); LGPL-3+(debian/* ); MIT(debian/* ) | | {{}} | 4.8.0-1.4.g501cec1.42100 | GPL; GPL-2; GPL-2+; | | {{}} | 0.r37-cl4.3.1u4 | GPL; GPL-2; GPLv2. | 
@@ -1260,22 +1273,22 @@ pdfhidden: True | {{}} | 0.40-1.1+b1 | GPL; GPL-2; GPL-2+ | | {{}} | 3.2-3 | GPL-3+(* ); GFDL-NIV+ or GPL-3+(doc/* .1 doc/* .5 doc/* .texi); GPL-3+(debian/* ); GPL-3+(debian/* ); GFDL-NIV+(debian/* ) | | {{}} | 1.13-1+b1 | GPL; MIT | -| {{}} | 1.0-cl4.3.1u6 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* .8 | +| {{}} | 1.0-cl4.3.1u7 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* .8 | | {{}} | 6.1+20181013-2+deb10u2 | Dickey; MIT | -| {{}} | 6.1+20181013-2+deb10u2 | Dickey; MIT | +| {{}} | 6.1+20181013-2+deb10u4 | Dickey; MIT | | {{}} | 4.0-cl4.3.1u3 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 5.6 | GPL; GPL-2 | | {{}} | 3.6.1-1 | NGPL(* ); NGPL and BSD-3-clause(include/winlisp.h); NTP-Wisconsin-Madison(win/X11/dialogs.c); NTP(win/share/gifread.c); NGPL(debian/* ); BSD-3-clause(debian/* ); NGPL(debian/* ); NTP(debian/* ); NTP-Wisconsin-Madison(debian/* ) | | {{}} | 3.6.1-1 | NGPL(* ); NGPL and BSD-3-clause(include/winlisp.h); NTP-Wisconsin-Madison(win/X11/dialogs.c); NTP(win/share/gifread.c); NGPL(debian/* ); BSD-3-clause(debian/* ); NGPL(debian/* ); NTP(debian/* ); NTP-Wisconsin-Madison(debian/* ) | -| {{}} | 4.3.0-cl4u39~1659297587.34aa65d5 | NO COPYRIGHT FILE | -| {{}} | 4.3.0-cl4u39~1659297587.34aa65d5 | NO COPYRIGHT FILE | +| {{}} | 4.7.0-cl4u43~1690981360.9d32c7a0 | NO COPYRIGHT FILE | +| {{}} | 4.7.0-cl4u43~1690981360.9d32c7a0 | NO COPYRIGHT FILE | | {{}} | 3.4.1-1+deb10u1 | LGPL-2.1+(* ); LGPL-2.1+(aes-set-* ); LGPL-2.1+(arctwo* ); LGPL-2.1+(base64.h base64-meta.c); LGPL-2.1+(blowfish.c); LGPL-2.1+(blowfish.h); LGPL-2.1+(camellia-table.c camellia-crypt-internal.c); LGPL-2.1+(der2dsa.c); LGPL-2+(desCode.h descode.README desdata.c desinfo.c); LGPL-2.1+(des.c des.h); LGPL-2.1+(gcm.c gcm.h); LGPL-2.1+(md2.c); LGPL-2.1+(md4.c); LGPL-2.1+(md5.c md5-compress.c); LGPL-2.1+(memxor.c); LGPL-2.1+(ripemd160.c ripemd160-compress.c); 
LGPL-2.1+(ripemd160-meta.c ripemd160.h); LGPL-2.1+(serpent-encrypt.c serpent-decrypt.c serpent-set-key.c); LGPL-2.1+(sha* ); LGPL-2.1+(twofish* ); LGPL-2.1+(dsa2sexp.c); other(testsuite/des-compat-test.c); LGPL-2.1+(tools/pkcs1-conv.c); LGPL-2.1+(x86* /aes-* -internal.asm); GPL-2+(tools/getopt* ); GPL-2+ with Autoconf exception(config.guess config.sub); public-domain(debian/* ); GPL-2(debian/sexp-conv.1); GAP(debian/pkcs1-conv.1 debian/nettle-lfib-stream.1); LGPL-2.1+(debian/pkcs1-conv.1 debian/nettle-lfib-stream.1); GPL-2+(debian/pkcs1-conv.1 debian/nettle-lfib-stream.1) | | {{}} | 1.60-cl4.3.1u4 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+(debian/iptunnel.8); GPL-2+(debian/iptunnel.8) | | {{}} | 1.60-cl4.3.1u4 | NO COPYRIGHT FILE | | {{}} | 3.0.1-cl4u1 | Apache-2(* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); 
BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | -| {{}} | 1.14.2-2+deb10u4 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | 
BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); 
BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | +| {{}} | 1.14.2-2+deb10u5 | BSD-2-clause(* ); BSD-2-clause(src/core/ngx_murmurhash.c); BSD-2-clause(src/http/modules/ngx_http_scgi_module.c); BSD-2-clause(contrib/geo2nginx.pl); BSD-2-clause(debian/* ); BSD-2-clause(debian/modules/http-headers-more-filter/* ); BSD-3-clause(debian/modules/http-ndk/* ); BSD-4-clause(debian/modules/http-ndk/src/hash/md5.h); BSD-2-clause(debian/modules/http-auth-pam/* ); BSD-2-clause(debian/modules/http-echo/* ); BSD-2-clause(debian/modules/http-lua/* ); BSD-2-clause(debian/modules/http-upstream-fair/* ); MIT(debian/modules/nchan/* ); MIT(debian/modules/nchan/src/store/redis/cmp.* ); BSD-2-clause(debian/modules/http-uploadprogress/* ); BSD-2-clause(debian/modules/http-cache-purge/* ); BSD-2-clause(debian/modules/http-dav-ext/* ); BSD-2-clause(debian/modules/http-fancyindex/* ); BSD-2-clause(debian/modules/http-subs-filter/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-2-clause(debian/modules/rtmp/* ); BSD-3-clause(debian/modules/rtmp/* ); BSD-4-clause(debian/modules/rtmp/* ); MIT(debian/modules/rtmp/* ) | | {{}} | 0.1.1-3+b3 | GPL | | {{}} | 7.70+dfsg1-6+deb10u2 | nmap-GPL-2(* ); nmap-GPL-2(debian/* ); nmap-GPL-2(aclocal.m4 configure depcomp ltmain.sh nbase/configure ncat/Makefile.in); BSD-3-clause-author1(docs/nmap.xsl docs/nmap-fo.xsl); retain-copyright-cisco(docs/nmap.dtd); unlimited-retain-copyright(docs/style/* ); BSD-3-clause-authors-copyright-holders(libdnet-stripped/* ); BSD-3-clause-authors-copyright-holders(libdnet-stripped/Makefile.in libdnet-stripped/aclocal.m4); BSD-4-clause(libdnet-stripped/include/err.h libdnet-stripped/include/queue.h); BSD-3-clause-author2(libdnet-stripped/src/strlcat.c); Expat(lpeg.c nselib/re.lua); Expat(nbase/getopt.c); ISC(nbase/inet_ntop.c); nmap-GPL-2(nbase/nbase_rnd.c); BSD-3-clause-institute(nbase/snprintf.c); BSD-like-SVN(nmap-update/svn_auth.c); Expat(nse_fs.cc); Expat(nselib/base32.lua 
nselib/base64.lua); Expat(nselib/slaxml.lua); preserve-copyright(nsock/src/acinclude.m4); GPL-2+(shtool); BSD-3-clause-copyright-holders-contributors(libssh2/* ); BSD-3-clause-copyright-holders-contributors(libssh2/Makefile.in libssh2/aclocal.m4 libssh2/configure libssh2/m4/* ); BSD-3-clause-copyright-holders-contributors(libssh2/m4/autobuild.m4); BSD-3-clause-copyright-holders-contributors(libssh2/nw/* ); BSD-3-clause-copyright-holders-contributors(libssh2/os400/* libssh2/src/os400qc3.c libssh2/src/os400qc3.h); BSD-3-clause-copyright-holders-contributors(libssh2/src/libssh2_config_cmake.h.in); BSD-3-clause-copyright-holders-contributors(libssh2/src/wincng.c); nmap-GPL-2(libssh2/src/wincng.c); BSD-3-clause-author1(libssh2/src/wincng.c); BSD-3-clause-author2(libssh2/src/wincng.c); BSD-3-clause-authors-copyright-holders(libssh2/src/wincng.c); BSD-3-clause-institute(libssh2/src/wincng.c); BSD-3-clause-copyright-holders-contributors(libssh2/src/wincng.c); BSD-4-clause(libssh2/src/wincng.c); retain-copyright-cisco(libssh2/src/wincng.c); unlimited-retain-copyright(libssh2/src/wincng.c); Expat(libssh2/src/wincng.c); preserve-copyright(libssh2/src/wincng.c); GPL-2+(libssh2/src/wincng.c); BSD-like-SVN(libssh2/src/wincng.c); ISC(libssh2/src/wincng.c) | | {{}} | 7.70+dfsg1-6+deb10u2 | nmap-GPL-2(* ); nmap-GPL-2(debian/* ); nmap-GPL-2(aclocal.m4 configure depcomp ltmain.sh nbase/configure ncat/Makefile.in); BSD-3-clause-author1(docs/nmap.xsl docs/nmap-fo.xsl); retain-copyright-cisco(docs/nmap.dtd); unlimited-retain-copyright(docs/style/* ); BSD-3-clause-authors-copyright-holders(libdnet-stripped/* ); BSD-3-clause-authors-copyright-holders(libdnet-stripped/Makefile.in libdnet-stripped/aclocal.m4); BSD-4-clause(libdnet-stripped/include/err.h libdnet-stripped/include/queue.h); BSD-3-clause-author2(libdnet-stripped/src/strlcat.c); Expat(lpeg.c nselib/re.lua); Expat(nbase/getopt.c); ISC(nbase/inet_ntop.c); nmap-GPL-2(nbase/nbase_rnd.c); BSD-3-clause-institute(nbase/snprintf.c); 
BSD-like-SVN(nmap-update/svn_auth.c); Expat(nse_fs.cc); Expat(nselib/base32.lua nselib/base64.lua); Expat(nselib/slaxml.lua); preserve-copyright(nsock/src/acinclude.m4); GPL-2+(shtool); BSD-3-clause-copyright-holders-contributors(libssh2/* ); BSD-3-clause-copyright-holders-contributors(libssh2/Makefile.in libssh2/aclocal.m4 libssh2/configure libssh2/m4/* ); BSD-3-clause-copyright-holders-contributors(libssh2/m4/autobuild.m4); BSD-3-clause-copyright-holders-contributors(libssh2/nw/* ); BSD-3-clause-copyright-holders-contributors(libssh2/os400/* libssh2/src/os400qc3.c libssh2/src/os400qc3.h); BSD-3-clause-copyright-holders-contributors(libssh2/src/libssh2_config_cmake.h.in); BSD-3-clause-copyright-holders-contributors(libssh2/src/wincng.c); nmap-GPL-2(libssh2/src/wincng.c); BSD-3-clause-author1(libssh2/src/wincng.c); BSD-3-clause-author2(libssh2/src/wincng.c); BSD-3-clause-authors-copyright-holders(libssh2/src/wincng.c); BSD-3-clause-institute(libssh2/src/wincng.c); BSD-3-clause-copyright-holders-contributors(libssh2/src/wincng.c); BSD-4-clause(libssh2/src/wincng.c); retain-copyright-cisco(libssh2/src/wincng.c); unlimited-retain-copyright(libssh2/src/wincng.c); Expat(libssh2/src/wincng.c); preserve-copyright(libssh2/src/wincng.c); GPL-2+(libssh2/src/wincng.c); BSD-like-SVN(libssh2/src/wincng.c); ISC(libssh2/src/wincng.c) | 
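Review bot: The added row at 1.0-cl4.3.1u7 keeps the truncated license cell from the row it replaces, `Cumulus Networks Proprietary(debian/* .8 |`, which is missing its closing parenthesis and looks cut off mid-pattern; fix the cell while the row is being touched. In the same hunk one row moves to 6.1+20181013-2+deb10u4 while the unchanged row directly above it stays at 6.1+20181013-2+deb10u2, so check whether both packages should be listed at the same revision. The two rows bumped to 4.7.0-cl4u43~1690981360.9d32c7a0 still read NO COPYRIGHT FILE.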
@@ -1294,22 +1307,23 @@ pdfhidden: True | {{}} | 0.19.0-1+deb10u1 | LGPL-2.1+(* ); LGPL-2.1+(src/libopensc/authentic.h); LGPL-2.1+(src/libopensc/card-gpk.c); LGPL-2.1+(src/libopensc/card-dnie.c); LGPL-2.1+(src/pkcs11/framework-pkcs15.c); LGPL-2.1+(src/scconf/* ); LGPL-2.1+(src/libopensc/card-entersafe.c); LGPL-2.1+(src/libopensc/card-muscle.c); LGPL-2.1+(src/tests/lottery.c); LGPL-2.1+(src/libopensc/card-westcos.c); LGPL-2.1+(src/libopensc/card-sc-hsm.h); LGPL-2.1+(src/libopensc/ef-atr.c); LGPL-2.1+(src/pkcs11/pkcs11-display.c); public-domain(src/common/compat_getopt_main.c); Expat(src/common/compat_getopt.c); ISC(src/common/simclist.c); LGPL-2.1+(src/libopensc/card-rtecp.c); LGPL-2.1+(src/libopensc/log.c); LGPL-2.1+(src/libopensc/card-asepcos.c); LGPL-2.1+(src/libopensc/card-myeid.c); LGPL-2.1+(src/libopensc/card-rutoken.c); LGPL-2.1+(src/libopensc/card-atrust-acos.c); LGPL-2.1+(src/libopensc/pkcs15-skey.c); LGPL-2.1+(src/common/libpkcs11.h); LGPL-2.1+(src/libopensc/apdu.c); LGPL-2.1+(src/libopensc/sm.c); LGPL-2.1+(src/libopensc/card-epass2003.c); BSD-3-clause(src/common/compat_strlcat.c); GPL-2+(src/scconf/test-conf.c); ISC(src/common/compat_strlcpy.c); LGPL-2+(src/libopensc/ctbcs.h); LGPL-2.1+(src/libopensc/pkcs15-piv.c); LGPL-2.1+(src/libopensc/pace.h); LGPL-2.1+(src/libopensc/pkcs15-dnie.c); LGPL-2.1+(src/libopensc/pkcs15-actalis.c); LGPL-2.1+(src/libopensc/pkcs15-oberthur.c); LGPL-2.1+(src/libopensc/card-itacns.c); LGPL-2.1+(src/tools/cardos-tool.c); LGPL-2.1+(src/tools/pkcs15-tool.c); LGPL-2.1+(src/libopensc/card-cardos.c); LGPL-2.1+(src/libopensc/card-incrypto34.c); LGPL-2.1+(src/libopensc/card-sc-hsm.c); LGPL-2.1+(src/libopensc/pkcs15-esteid.c); LGPL-2.1+(src/libopensc/pkcs15-postecert.c); LGPL-2.1+(src/libopensc/pkcs15-infocamere.c); LGPL-2.1+(src/libopensc/cards.h); LGPL-2.1+(src/libopensc/card-setcos.c); LGPL-2.1+(src/libopensc/card-jcop.c); LGPL-2.1+(src/pkcs15init/pkcs15-jcop.c); LGPL-2.1+(src/libopensc/pkcs15-data.c); 
LGPL-2.1+(src/libopensc/pkcs15-gemsafeGPK.c); LGPL-2.1+(src/libopensc/card-piv.c); LGPL-2.1+(src/tools/piv-tool.c); LGPL-2.1+(src/libopensc/pkcs15-itacns.c); LGPL-2.1+(src/libopensc/card-acos5.c); LGPL-2.1+(src/libopensc/card-ias.c); LGPL-2.1+(src/libopensc/pkcs15-pteid.c); LGPL-2.1+(src/pkcs15init/pkcs15-oberthur-awp.c); LGPL-2.1+(src/libopensc/card-mcrd.c); LGPL-2.1+(src/libopensc/reader-pcsc.c); LGPL-2.1+(src/libopensc/padding.c); LGPL-2.1+(src/libopensc/pkcs15-sec.c); LGPL-2.1+(src/libopensc/card-tcos.c); LGPL-2.1+(src/tools/iasecc-tool.c); LGPL-2.1+(src/libopensc/card-oberthur.c); LGPL-2.1+(src/tools/sc-hsm-tool.c); LGPL-2.1+(src/libopensc/card-starcos.c); LGPL-2.1+(src/pkcs11/slot.c); LGPL-2.1+(src/pkcs15init/pkcs15-openpgp.c); LGPL-2.1+(src/libopensc/pkcs15-starcert.c); LGPL-2.1+(src/pkcs15init/pkcs15-cardos.c); LGPL-2.1+(src/pkcs15init/pkcs15-incrypto34.c); LGPL-2.1+(src/tools/util.c); LGPL-2.1+(src/libopensc/pkcs15-tcos.c); LGPL-2.1+(src/tools/openpgp-tool.c); LGPL-2.1+(src/libopensc/card-akis.c); LGPL-2.1+(src/libopensc/card-iasecc.c); LGPL-2.1+(src/pkcs15init/pkcs15-setcos.c); LGPL-2.1+(src/libopensc/card-belpic.c); LGPL-2.1+(src/common/compat_strlcpy.h); permissive(src/pkcs11/pkcs11.h); LGPL-2.1+(src/pkcs11/pkcs11.h); ISC(src/pkcs11/pkcs11.h) | | {{}} | 0.19.0-1+deb10u1 | LGPL-2.1+(* ); LGPL-2.1+(src/libopensc/authentic.h); LGPL-2.1+(src/libopensc/card-gpk.c); LGPL-2.1+(src/libopensc/card-dnie.c); LGPL-2.1+(src/pkcs11/framework-pkcs15.c); LGPL-2.1+(src/scconf/* ); LGPL-2.1+(src/libopensc/card-entersafe.c); LGPL-2.1+(src/libopensc/card-muscle.c); LGPL-2.1+(src/tests/lottery.c); LGPL-2.1+(src/libopensc/card-westcos.c); LGPL-2.1+(src/libopensc/card-sc-hsm.h); LGPL-2.1+(src/libopensc/ef-atr.c); LGPL-2.1+(src/pkcs11/pkcs11-display.c); public-domain(src/common/compat_getopt_main.c); Expat(src/common/compat_getopt.c); ISC(src/common/simclist.c); LGPL-2.1+(src/libopensc/card-rtecp.c); LGPL-2.1+(src/libopensc/log.c); LGPL-2.1+(src/libopensc/card-asepcos.c); 
LGPL-2.1+(src/libopensc/card-myeid.c); LGPL-2.1+(src/libopensc/card-rutoken.c); LGPL-2.1+(src/libopensc/card-atrust-acos.c); LGPL-2.1+(src/libopensc/pkcs15-skey.c); LGPL-2.1+(src/common/libpkcs11.h); LGPL-2.1+(src/libopensc/apdu.c); LGPL-2.1+(src/libopensc/sm.c); LGPL-2.1+(src/libopensc/card-epass2003.c); BSD-3-clause(src/common/compat_strlcat.c); GPL-2+(src/scconf/test-conf.c); ISC(src/common/compat_strlcpy.c); LGPL-2+(src/libopensc/ctbcs.h); LGPL-2.1+(src/libopensc/pkcs15-piv.c); LGPL-2.1+(src/libopensc/pace.h); LGPL-2.1+(src/libopensc/pkcs15-dnie.c); LGPL-2.1+(src/libopensc/pkcs15-actalis.c); LGPL-2.1+(src/libopensc/pkcs15-oberthur.c); LGPL-2.1+(src/libopensc/card-itacns.c); LGPL-2.1+(src/tools/cardos-tool.c); LGPL-2.1+(src/tools/pkcs15-tool.c); LGPL-2.1+(src/libopensc/card-cardos.c); LGPL-2.1+(src/libopensc/card-incrypto34.c); LGPL-2.1+(src/libopensc/card-sc-hsm.c); LGPL-2.1+(src/libopensc/pkcs15-esteid.c); LGPL-2.1+(src/libopensc/pkcs15-postecert.c); LGPL-2.1+(src/libopensc/pkcs15-infocamere.c); LGPL-2.1+(src/libopensc/cards.h); LGPL-2.1+(src/libopensc/card-setcos.c); LGPL-2.1+(src/libopensc/card-jcop.c); LGPL-2.1+(src/pkcs15init/pkcs15-jcop.c); LGPL-2.1+(src/libopensc/pkcs15-data.c); LGPL-2.1+(src/libopensc/pkcs15-gemsafeGPK.c); LGPL-2.1+(src/libopensc/card-piv.c); LGPL-2.1+(src/tools/piv-tool.c); LGPL-2.1+(src/libopensc/pkcs15-itacns.c); LGPL-2.1+(src/libopensc/card-acos5.c); LGPL-2.1+(src/libopensc/card-ias.c); LGPL-2.1+(src/libopensc/pkcs15-pteid.c); LGPL-2.1+(src/pkcs15init/pkcs15-oberthur-awp.c); LGPL-2.1+(src/libopensc/card-mcrd.c); LGPL-2.1+(src/libopensc/reader-pcsc.c); LGPL-2.1+(src/libopensc/padding.c); LGPL-2.1+(src/libopensc/pkcs15-sec.c); LGPL-2.1+(src/libopensc/card-tcos.c); LGPL-2.1+(src/tools/iasecc-tool.c); LGPL-2.1+(src/libopensc/card-oberthur.c); LGPL-2.1+(src/tools/sc-hsm-tool.c); LGPL-2.1+(src/libopensc/card-starcos.c); LGPL-2.1+(src/pkcs11/slot.c); LGPL-2.1+(src/pkcs15init/pkcs15-openpgp.c); LGPL-2.1+(src/libopensc/pkcs15-starcert.c); 
LGPL-2.1+(src/pkcs15init/pkcs15-cardos.c); LGPL-2.1+(src/pkcs15init/pkcs15-incrypto34.c); LGPL-2.1+(src/tools/util.c); LGPL-2.1+(src/libopensc/pkcs15-tcos.c); LGPL-2.1+(src/tools/openpgp-tool.c); LGPL-2.1+(src/libopensc/card-akis.c); LGPL-2.1+(src/libopensc/card-iasecc.c); LGPL-2.1+(src/pkcs15init/pkcs15-setcos.c); LGPL-2.1+(src/libopensc/card-belpic.c); LGPL-2.1+(src/common/compat_strlcpy.h); permissive(src/pkcs11/pkcs11.h); LGPL-2.1+(src/pkcs11/pkcs11.h); ISC(src/pkcs11/pkcs11.h) | | {{}} | 1.5.2-13+b1 | GPL | -| {{}} | 7.9p1-10+deb10u2 | OpenSSH(* ); Mazieres-BSD-style(ssh-keyscan.* ); public-domain(rijndael.* ); BSD-3-clause(loginrec.c openbsd-compat/* scp.c); Beer-ware(md5crypt.* ); Powell-BSD-style(openbsd-compat/bsd-snprintf.c); Expat-with-advertising-restriction(openbsd-compat/sigact.* ); BSD-2-clause(debian/* ) | -| {{}} | 7.9p1-10+deb10u2 | NO COPYRIGHT FILE | -| {{}} | 7.9p1-10+deb10u2 | NO COPYRIGHT FILE | -| {{}} | 1.1.1n-0+deb10u3 | BSD; OpenSSL; SSLeay | -| {{}} | 10.3.10-1+deb10u3 | LGPL-2.1(* ); GPL-2(* /Makefile* modules/* ); BSD-3(lib/include/bsd* lib/string/bsd* ); MIT(* )(lib/misc/base64.c); MIT(* * )(Files:); GPL-2+(debian/* ); BSD-3(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1(debian/* ); MIT(* )(debian/* ); MIT(* * )(debian/* ) | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | GPL2 | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | +| {{}} | 8.4p1-2~bpo10+1 | OpenSSH(* ); Mazieres-BSD-style(ssh-keyscan.* ); public-domain(rijndael.* ); BSD-3-clause(loginrec.c openbsd-compat/* scp.c); Beer-ware(md5crypt.* ); Powell-BSD-style(openbsd-compat/bsd-snprintf.c); 
Expat-with-advertising-restriction(openbsd-compat/sigact.* ); BSD-2-clause(debian/* ) | +| {{}} | 8.4p1-2~bpo10+1 | NO COPYRIGHT FILE | +| {{}} | 8.4p1-2~bpo10+1 | NO COPYRIGHT FILE | +| {{}} | 1.1.1n-0+deb10u6 | BSD; OpenSSL; SSLeay | +| {{}} | 1.1.1n-0+deb10u5 | NO COPYRIGHT FILE | +| {{}} | 10.3.10-1+deb10u5 | LGPL-2.1(* ); GPL-2(* /Makefile* modules/* ); BSD-3(lib/include/bsd* lib/string/bsd* ); MIT(* )(lib/misc/base64.c); MIT(* * )(Files:); GPL-2+(debian/* ); BSD-3(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1(debian/* ); MIT(* )(debian/* ); MIT(* * )(debian/* ) | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | GPL2 | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | | {{}} | 1.3.4+dfsg-4+b1 | MPL-2.0(* ); MPL-2.0(debian/* ); Expat(post-processor/compress/* ); Expat(post-processor/checksum/* ); Expat(builder/azure/* ); BSD-3-Clause(builder/azure/pkcs12/pkcs8_test.go); Expat(debian/vendor/github.com/mitchellh/mapstructure/* ); BSD-3-Clause(debian/vendor/github.com/mitchellh/mapstructure/* ); MPL-2.0(debian/vendor/github.com/mitchellh/mapstructure/* ); Expat(debian/vendor/github.com/mitchellh/mapstructure/* ) | | {{}} | 3.2-25 | GPL; GPL-3 | | {{}} | 4.5-1.1 | BSD; GPL; GPL-2 | 
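Review bot: The added row at `1.1.1n-0+deb10u5` (NO COPYRIGHT FILE) sits one Debian revision behind the `1.1.1n-0+deb10u6` row directly above it, which carries the `BSD; OpenSSL; SSLeay` licenses. If both rows are binary packages built from the same source, please confirm that the image really ships mixed revisions and that this is not a stale entry in the generated list. A consumer reading this table as a package inventory would otherwise assume one component is missing the `u6` update. The new row also has no license data, so it is worth checking whether the copyright file can be picked up from the sibling package.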
@@ -1324,10 +1338,10 @@ pdfhidden: True | {{}} | 0.112-5 | GPL-2.0+(* ); GPL-2.0+(debian/* ); GPL-2.0+(debian/test-certs.tgz); GPL-2.0+(debian/test-certs.tgz) | | {{}} | 1.1.0-2 | GPL-2+(* ); GPL-2+(fltk/* ); GPL-2+(tqt/Makefile.am tqt/main.cpp tqt/pinentrydialog.h tqt/pinentrydialog.cpp); GPL-2(tqt/secqinternal.cpp tqt/secqinternal_p.h); GPL-2(tqt/secqlineedit.cpp tqt/secqlineedit.h tqt/secqstring.cpp tqt/secqstring.h); GPL-2+(build-aux/* depcomp doc/mdate-sh doc/texinfo.tex m4/curses.m4 m4/iconv.m4 missing secmem/secmem.c); X11(install-sh); GPL-2+(gtk+-2/pinentry-gtk-2.c); GPL-2+(m4/pkg.m4); GPL-2+(m4/qt.m4); LGPL-3+ or GPL-2+(pinentry/argparse.c); GPL-2+(configure.ac secmem/util.* ); GPL-2+(secmem/memory.h); GPL-2+(secmem/secmem++.h); GPL-2+(tty/pinentry-tty.c); GPL-2+(qt/pinentrydialog.* ); GPL-2+(qt/pinentryconfirm.* ); GPL-2+(qt/main.cpp); GPL-2+(qt/Makefile.am); GPL-2+(debian/* ); X11(debian/* ); GPL-2+(debian/* ); GPL-2(debian/* ); LGPL-3+(debian/* ) | | {{}} | 0.29-6 | GPL | -| {{}} | 4.19-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 4.19-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 4.19-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 4.19-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 4.19-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 4.19-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 4.19-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 4.19-cl4.3.2u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 4.19-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 4.19-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 4.19-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | 
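Review bot: Only four of the `4.19-cl4.3.1u1` rows move to `4.19-cl4.3.2u1` here; the three unchanged rows that close the hunk keep `4.19-cl4.3.1u1` with the same license string. Please confirm those three packages were genuinely not rebuilt for this release. If the table is generated from the image manifest, a note in the commit message saying so would help. If it is edited by hand, these rows look like a missed update.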
@@ -1339,26 +1353,27 @@ pdfhidden: True | {{}} | 11.91-2 | GPL-3+(* ); GPL-3+(debian/* ); GFDL-NIV-1.3(doc/auctex.texi); permissive(doc/intro.texi); preserve-notice(doc/tex-ref.tex); MIT(install-sh); publicdomain(mkinstalldirs); tobeclarified(style/j-article.el); tobeclarified(style/amsbsy.el style/amstext.el); tobeclarified(style/amsart.el style/amsbook.el style/article.el style/book.el); tobeclarified(style/dk.el style/dutch.el style/plfonts.el style/plhb.el); GFDL-NIV-1.3(style/dk.el style/dutch.el style/plfonts.el style/plhb.el); GPL-3+(style/dk.el style/dutch.el style/plfonts.el style/plhb.el); MIT(style/dk.el style/dutch.el style/plfonts.el style/plhb.el); permissive(style/dk.el style/dutch.el style/plfonts.el style/plhb.el); preserve-notice(style/dk.el style/dutch.el style/plfonts.el style/plhb.el); publicdomain(style/dk.el style/dutch.el style/plfonts.el style/plhb.el); tobeclarified(style/dk.el style/dutch.el style/plfonts.el style/plhb.el) | | {{}} | 3.3.15-2 | LGPL-2.1+(* ); LGPL-2.0+(top/* ); GPL-2.0+(pgrep.* ); GPL-2.0+(pidof.* ); GPL-2.0+(free.* ); GPL-2.0+(sysctl.* ); GPL-2.0+(debian/* ); GPL-2.0+(debian/* ); LGPL-2.0+(debian/* ); LGPL-2.1+(debian/* ) | | {{}} | 1.3.1-1+b1 | BSD-2-Clause(* ); BSD-3-Clause(protoc-c/* ); permissive(debian/* ) | -| {{}} | 3.6.1.3-2 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | +| {{}} | 3.6.1.3-2+deb10u1 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); 
Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | | {{}} | 1.16.1-1 | Apache-2.0(* ); GPL-2+(debian/* ); Zlib(third_party/nanopb/* ); Expat(third_party/rake-compiler-dock/* ); Apache-2.0(src/php/tests/bootstrap.php); BSD-3-clause(third_party/address_sorting/* ); Apache-2.0(third_party/address_sorting/* ) | | {{}} | 23.2-1+deb10u1 | GPL-2+(* ); GPL-2+(src/lists.h); GPL-2+(src/peekfd.c); GPL-2+(src/peekfd.c) | -| {{}} | 4.0-cl4.3.1u4 | EPL-1(* ); GPL-2(debian/* ) | +| {{}} | 4.0-cl4.3.2u2 | EPL-1(* ); GPL-2(debian/* ) | | {{}} | 2.3.1-debian1-4 | BSD | -| {{}} | 20211109.1735-0+deb10u1 | MPL-2.0(* ); MPL-2.0(debian/* ); CC0(tests/test_psl.txt); MPL-2.0(tests/test_psl.txt); CC0(tests/test_psl.txt) | +| {{}} | 20220811.1734-0+deb10u1 | MPL-2.0(* ); MPL-2.0(debian/* ); CC0(tests/test_psl.txt); MPL-2.0(tests/test_psl.txt); CC0(tests/test_psl.txt) | | {{}} | 1.6.6-1 | Artistic(* ); GPL-2+(debian/* ) | | {{}} | 4.999.99~beta5+gitfcfea93-5 | GPL-2(* ); GPL-2(debian/* ); GPL-2(debian/* ) | | {{}} | 2.7.16-1 | BEOPEN; CNRI; GPL; Python | | {{}} | 2.7.16-1 | BEOPEN; CNRI; GPL; Python | -| {{}} | 2.7.16-2+deb10u1 | Apache-2; BEOPEN; BSD; CNRI; GPL; GPL-2; ISC; OpenSSL; Python; SSLeay; zlib | -| {{}} | 2.7.16-2+deb10u1 | NO COPYRIGHT FILE | -| {{}} | 2.7.16-2+deb10u1 | Apache-2; BEOPEN; BSD; CNRI; GPL; GPL-2; ISC; OpenSSL; Python; SSLeay; zlib | +| {{}} | 2.7.16-2+deb10u3 | Apache-2; BEOPEN; BSD; CNRI; GPL; GPL-2; ISC; OpenSSL; Python; SSLeay; zlib | +| {{}} | 2.7.16-2+deb10u3 | NO COPYRIGHT FILE | +| {{}} | 2.7.16-2+deb10u3 | Apache-2; BEOPEN; BSD; CNRI; GPL; GPL-2; ISC; OpenSSL; Python; SSLeay; zlib | | {{}} | 2.7.16-1 | NO COPYRIGHT FILE | | {{}} | 2.7.16-1 | BEOPEN; CNRI; GPL; Python | | {{}} | 3.7.3-1 | BEOPEN; CNRI; GPL; Python | -| {{}} | 3.7.3-2+deb10u3 | BEOPEN; BSD; CNRI; GPL; GPL-2; OpenSSL; Python; SSLeay; zlib | -| {{}} | 3.7.3-2+deb10u3 | NO COPYRIGHT FILE | 
-| {{}} | 3.7.3-2+deb10u3 | NO COPYRIGHT FILE | -| {{}} | 3.7.3-2+deb10u3 | BEOPEN; BSD; CNRI; GPL; GPL-2; OpenSSL; Python; SSLeay; zlib | +| {{}} | 3.7.3-2+deb10u6 | BEOPEN; BSD; CNRI; GPL; GPL-2; OpenSSL; Python; SSLeay; zlib | +| {{}} | 3.7.3-2+deb10u6 | NO COPYRIGHT FILE | +| {{}} | 3.7.3-2+deb10u6 | NO COPYRIGHT FILE | +| {{}} | 3.7.3-2+deb10u6 | BEOPEN; BSD; CNRI; GPL; GPL-2; OpenSSL; Python; SSLeay; zlib | +| {{}} | 3.7.3-2+deb10u6 | BEOPEN; BSD; CNRI; GPL; GPL-2; OpenSSL; Python; SSLeay; zlib | | {{}} | 0.7.8-1 | BSD-3-clause( MANIFEST.in); permissive(debian/* ) | | {{}} | 3.7.3-1 | NO COPYRIGHT FILE | | {{}} | 3.7.3-1 | NO COPYRIGHT FILE | @@ -1373,7 +1388,7 @@ pdfhidden: True | {{}} | 1.12.2-1 | Expat(* ); Expat(c/libffi_msvc/* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 1.12.2-1 | Expat(* ); Expat(c/libffi_msvc/* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 3.0.4-3 | LGPL-2.1+(* ); LGPL-2.1+(chardet/cli/chardetect.py); LGPL-2.1+(debian/* ); LGPL-2.1+(debian/* ) | -| {{}} | 1.4.0-cl4.3.1u10 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* ); GPL-2(debian/* ) | +| {{}} | 1.4.0-cl4.3.2u11 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* ); GPL-2(debian/* ) | | {{}} | 7.0-1 | BSD-3-clause(* ); BSD-3-clause(click/parser.py); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 1.2.2-cl4.3u1 | NO COPYRIGHT FILE | | {{}} | 0.3.7-1 | BSD-3(* ); GPL-2+(debian/* ) | 
@@ -1412,15 +1427,17 @@ pdfhidden: True | {{}} | 0.2.7-cl4.3.1u4 | Apache-2.0(* ); Expat(debian/* ); Apache-2.0(debian/* ); Expat(debian/* ) | | {{}} | 19.0-1 | Apache-2.0(* ); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 4.2.0-5 | Apache-2(* ); BSD-2-clause(doc/source/semver.rst); BSD-3-clause(pbr/tests/testpackage/* ); Apache-2(debian/* ); Apache-2(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ) | +| {{}} | 18.1-5 | Expat(* ); public-domain(pip/cacert.pem); Expat(debian/* ); Expat(debian/* ) | | {{}} | 40.8.0-1 | BEOPEN; CNRI; GPL | | {{}} | 0.8.0-1 | MIT/Expat(* ); Expat(debian/* ) | | {{}} | 3.11-3 | BSD-3-clause(* ); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ) | -| {{}} | 3.6.1.3-2 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | +| {{}} | 3.6.1.3-2+deb10u1 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | | {{}} | 5.5.1-1 | BSD-3-clause(* ); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 5.5.1-1 | BSD-3-clause(* ); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 1.7.0-2 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 2.4.0-2 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 2.19-1 | bsd-3-bendersky(* ); bsd-3-dabeaz(pycparser/ply/* ); bsd-3-bendersky(debian/* ); 
bsd-3-bendersky(debian/* ); bsd-3-dabeaz(debian/* ) | +| {{}} | 7.43.0.2-0.1 | LGPL-2.1(* ); MIT(* ); MIT(tests/ext/test-lib.sh); MIT(debian/* ) | | {{}} | 4.7.5-cl4.3.1u4 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 2.0.0-1 | MIT(* ); MIT(debian/* ); MIT(debian/* ) | | {{}} | 2.3.1+dfsg-1+deb10u2 | Apache-2; BSD | 
@@ -1434,13 +1451,17 @@ pdfhidden: True | {{}} | 0.15.34-1+b1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 0.2.0-3-cl4.3.1u6 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 0.2.0-3-cl4.3.1u6 | NO COPYRIGHT FILE | +| {{}} | 2.4.0-2 | GPL; GPL-2 | | {{}} | 40.8.0-1 | BEOPEN; CNRI; GPL | | {{}} | 1.12.14-1.1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 3.16.0-1 | MIT(* ); MIT(debian/* ); MIT(debian/* ) | | {{}} | 1.12.0-1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 1.8.4-1 | BSD-2-clause(* ); BSD-2-clause(debian/dh-sphinxdoc/dh_sphinxdoc); BSD-2-clause(sphinx/ext/apidoc.py); BSD-2-clause(sphinx/ext/napoleon/docstring.py); Expat(sphinx/themes/basic/static/jquery* .js); Expat(sphinx/themes/basic/static/underscore* .js); BSD-3-clause(sphinx/util/smartypants.py); public-domain(sphinx/util/stemmer/porter.py); BSD-2-clause(sphinx/util/stemmer/porter.py); BSD-3-clause(sphinx/util/stemmer/porter.py); Expat(sphinx/util/stemmer/porter.py) | +| {{}} | 234-2+b1 | LGPL-2.1+(* ); LGPL-2.1+(debian/* ); LGPL-2.1+(debian/* ) | | {{}} | 0.8.2-1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 3.1.0-2 | MIT(* ); MIT(debian/* ); MIT(debian/* ) | +| {{}} | 1.6.0-1 | Expat(* ); LGPL-2.1+(debian/* ); Expat(debian/* ); LGPL-2.1+(debian/* ) | +| {{}} | 3.7.4.1-1~bpo10+1 | PSF(* ); PSF(debian/* ); PSF(debian/* ) | | {{}} | 2019.1-1 | Expat(* ) | | {{}} | 1.24.1-1 | Expat(* ); Expat(src/urllib3/contrib/_securetransport/* ); PSF-2(src/urllib3/packages/backports/makefile.py); Expat(src/urllib3/packages/six.py); PSF-2(src/urllib3/packages/ssl_match_hostname/__init__.py); Expat(debian/* ); Expat(debian/* ); PSF-2(debian/* ) | | {{}} | 15.1.0+ds-2+deb10u1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | 
@@ -1468,8 +1489,7 @@ pdfhidden: True | {{}} | 15.1.0-1 | MIT(* ); CC0(versioneer.py); MIT(debian/* ); MIT(debian/* ); CC0(debian/* ) | | {{}} | 4.5.2+dfsg.1-1 | Apache-2(* ); GPL-2(coverage/htmlfiles/jquery.hotkeys.js); Expat(coverage/htmlfiles/jquery.isonscreen.js); GPL-3+(debian/* ); Apache-2(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-3+(debian/* ) | | {{}} | 2.6.1-9+b1 | public-domain(* ); BSD-3-clause(debian/* ) | -| {{}} | 2.6.1-3+deb10u2 | Apache(* ); Expat(debian/* ); Apache(debian/* ); Expat(debian/* ) | -| {{}} | 0.1-cl4.3.1u2 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); Cumulus Networks Proprietary(debian/* .{service | +| {{}} | 2.6.1-3+deb10u4 | Apache(* ); Expat(debian/* ); Apache(debian/* ); Expat(debian/* ) | | {{}} | 2.2.3-1 | Apache-2(* ); GPL-3+(setup.py); GPL-3+(debian/* ); Apache-2(debian/* ); GPL-3+(debian/* ) | | {{}} | 1.20.0-2 | Apache-2(* ); Apache-2(debian/* ); Apache-2(debian/* ) | | {{}} | 2.7.16-1 | NO COPYRIGHT FILE | @@ -1502,9 +1522,9 @@ pdfhidden: True | {{}} | 5.8.0-cl4.3.0u1 | NO COPYRIGHT FILE | | {{}} | 5.8.0-cl4.3.0u1 | NO COPYRIGHT FILE | | {{}} | 0.1.11-cl4.3.1u1 | GPL-2+(* ) | -| {{}} | 4.2-cl4.3.1u2 | GPL; GPL-2 | +| {{}} | 4.2-cl4.3.2u1 | GPL; GPL-2 | | {{}} | 19.0.0-1 | Apache-2.0(* ); Apache-2.0(debian/* ); Apache-2.0(debian/* ); Apache-2.0(examples/simple/* .py examples/certgen.py src/OpenSSL/version.py); public-domain(examples/SecureXMLRPCServer.py); Apache-2.0(examples/proxy.py); Apache-2.0(tests/test_rand.py); Apache-2.0(tests/util.py); Apache-2.0(src/OpenSSL/__init__.py); Apache-2.0(tests/conftest.py) | -| {{}} | 2.8.90-1-cl4.3.1u4 | Apache | +| {{}} | 2.8.90-1-cl4.3.2u1 | Apache | | {{}} | 6.4.1-1 | Apache-2.0(* ); Apache-2.0(debian/* ); Apache-2.0(debian/* ) | | {{}} | 3.21.0-2 | Apache-2(* ); Apache-2(debian/* ); Apache-2(debian/* ) | | {{}} | 19.0-1 | Apache-2.0(* ); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ) | 
@@ -1514,7 +1534,7 @@ pdfhidden: True | {{}} | 18.1-5 | Expat(* ); public-domain(pip/cacert.pem); Expat(debian/* ); Expat(debian/* ) | | {{}} | 40.8.0-1 | BEOPEN; CNRI; GPL | | {{}} | 0.8.0-1 | MIT/Expat(* ); Expat(debian/* ) | -| {{}} | 3.6.1.3-2 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | +| {{}} | 3.6.1.3-2+deb10u1 | BSD-3-Clause~Google(* ); BSD-3-Clause~Bloomberg(Files:); BSD-3-Clause~RedHat(Files:); GPLWithACException(m4/acx_pthread.m4); Apache-2.0(Files:); Public-Domain or Expat(conformance/third_party/jsoncpp/* ); GPL-3(debian/* ); Public-Domain(debian/* ); Expat(debian/* ); BSD-3-Clause~Google(debian/* ); BSD-3-Clause~Bloomberg(debian/* ); BSD-3-Clause~RedHat(debian/* ); Apache-2.0(debian/* ); GPL-3(debian/* ) | | {{}} | 1.7.0-2 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 0.4.2-3 | BSD-2-clause(* ); GPL-2+(debian/* ); BSD-2-clause(debian/* ) | | {{}} | 0.2.1-0.2 | BSD; BSD-2-Clause; BSD-3-Clause | 
@@ -1537,9 +1557,9 @@ pdfhidden: True | {{}} | 1.29.0-2 | Apache-2.0(* ); Apache-2.0(debian/* ); Apache-2.0(debian/* ) | | {{}} | 0.8.2-1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 1.1.0-2 | MIT(debian/* ); MIT(* ); MIT(* ) | -| {{}} | 18.9.0-3 | BSD | -| {{}} | 18.9.0-3 | BSD | -| {{}} | 18.9.0-3 | BSD | +| {{}} | 18.9.0-3+deb10u1 | BSD | +| {{}} | 18.9.0-3+deb10u1 | BSD | +| {{}} | 18.9.0-3+deb10u1 | BSD | | {{}} | 3.6.6-1 | PSF(* ); GPL-2(debian/* ); PSF(debian/* ) | | {{}} | 2019.1-1 | Expat(* ) | | {{}} | 1.24.1-1 | Expat(* ); Expat(src/urllib3/contrib/_securetransport/* ); PSF-2(src/urllib3/packages/backports/makefile.py); Expat(src/urllib3/packages/six.py); PSF-2(src/urllib3/packages/ssl_match_hostname/__init__.py); Expat(debian/* ); Expat(debian/* ); PSF-2(debian/* ) | 
@@ -1548,14 +1568,14 @@ pdfhidden: True | {{}} | 3.13-2 | BSD | | {{}} | 17.1.2-2+deb10u1 | BSD-3-clause(* ); BSD-3-clause(examples/mongodb/* ); LGPL-3+link(examples/chat/* ); LGPL-3+link(zmq/backend/cython/* ); LGPL-3+link(zmq/devices/monitoredqueue.pxd); LGPL-3+link(perf/* ); LGPL-2.1(zmq/ssh/forward.py); Apache-2.0(zmq/eventloop/zmqstream.py zmq/eventloop/minitornado/* ); LGPL-3+link(debian/* ); BSD-3-clause(debian/* ); LGPL-3+link(debian/* ); LGPL-2.1(debian/* ); Apache-2.0(debian/* ) | | {{}} | 4.3.2-1+b2 | Zope-2.1(* ) | -| {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | -| {{}} | 3.1+dfsg-8+deb10u8 | BSD; GPL; GPL-2; LGPL-2; MIT | -| {{}} | 3.1+dfsg-8+deb10u8 | BSD; GPL; GPL-2; LGPL-2; MIT | -| {{}} | 3.1+dfsg-8+deb10u8 | BSD; GPL; GPL-2; LGPL-2; MIT | -| {{}} | 3.1+dfsg-8+deb10u8 | BSD; GPL; GPL-2; LGPL-2; MIT | -| {{}} | 3.1+dfsg-8+deb10u8 | BSD; GPL; GPL-2; LGPL-2; MIT | -| {{}} | 3.1+dfsg-8+deb10u8 | BSD; GPL; GPL-2; LGPL-2; MIT | -| {{}} | 3.1+dfsg-8+deb10u8 | BSD; GPL; GPL-2; LGPL-2; MIT | +| {{}} | 4.8.7+dfsg-18+deb10u2 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | +| {{}} | 3.1+dfsg-8+deb10u11 | BSD; GPL; GPL-2; LGPL-2; MIT | +| {{}} | 3.1+dfsg-8+deb10u11 | BSD; GPL; GPL-2; LGPL-2; MIT | +| {{}} | 3.1+dfsg-8+deb10u11 | BSD; GPL; GPL-2; LGPL-2; MIT | +| {{}} | 3.1+dfsg-8+deb10u11 | BSD; GPL; GPL-2; LGPL-2; MIT | +| {{}} | 3.1+dfsg-8+deb10u11 | BSD; GPL; GPL-2; LGPL-2; MIT | +| {{}} | 3.1+dfsg-8+deb10u11 | BSD; GPL; GPL-2; LGPL-2; MIT | +| {{}} | 3.1+dfsg-8+deb10u11 | BSD; GPL; GPL-2; LGPL-2; MIT | | {{}} | 66-2 | LGPL-2.1 with Digia-1.1 exception or GPL-3(* ); BSD-3-clause(scripts/* ); LGPL-2.1(debian/* ); LGPL-2.1 with Digia-1.1 exception(debian/* ); GPL-3(debian/* ); LGPL-2.1(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 4.8.7+dfsg-18+deb10u1 | BSD; GPL; GPL-2; GPL-3; LGPL-2 | | {{}} | 0.65-3 | GPL; GPL-2 | 
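Review bot: The first changed row goes from `4.8.7+dfsg-18+deb10u1` to `4.8.7+dfsg-18+deb10u2`, but the unchanged row two lines below the `3.1+dfsg-8+deb10u11` block still lists `4.8.7+dfsg-18+deb10u1` with the identical license set. If the two rows come from the same source package, one of them is out of date. Please verify against the installed package list before merging, since readers use these versions to judge which Debian updates the release includes.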
@@ -1570,7 +1590,7 @@ pdfhidden: True | {{}} | 3.1.3-6 | GPL; GPL-3 | | {{}} | 8.1901.0-1+deb10u2 | GPL-3.0+ and Apache-2.0(* ); LGPL-3.0+ and Apache-2.0(runtime/* ); BSD-3-clause(runtime/hashtable* ); GPL-3.0+(plugins/imklog/ksym* ); GPL-3.0+(debian/* ); Apache-2.0(debian/* ); LGPL-3.0+(debian/* ); GPL-3.0+(debian/* ); BSD-3-clause(debian/* ) | | {{}} | 2.5.1 | RubyLicense(* ) | -| {{}} | 2.5.5-3+deb10u4 | BSD-2-clause or Ruby(* ); BSD-2-clause(Files:); Expat(Files:); BSD-2-clause(enc/* .c); BSD-2-clause(enc/ascii.c enc/euc_jp.c enc/shift_jis.c enc/windows_31j.c); BSD-2-clause(enc/gb18030.c); BSD-2-clause(enc/encdb.c); BSD-2-clause(enc/windows_1250.c enc/windows_1252.c); BSD-2-clause(enc/windows_1251.c); GPL-3+(misc/ruby-mode.el); BSD-2-clause(lib/rdoc/generator/darkfish.rb lib/rdoc/generator/template/darkfish/* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/SourceCodePro* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/Lato* ); CC-BY-3.0-famfamfam(lib/rdoc/generator/template/darkfish/images/* ); Expat(lib/rdoc/generator/json_index.rb lib/rdoc/generator/template/json_index/* ); Expat or Ruby(lib/rubygems.rb lib/rubygems/* ); PreserveNotice(util.c); BSD-2-clause(random.c); 3C-BSD(vsnprintf.c); PublicDomain(Files:); 3C-BSD(missing/crypt.c); 3C-BSD(missing/setproctitle.c); BSD-3-clause(missing/strlcat.c missing/strlcpy.c); AllPermissions(missing/langinfo.c); PartialGplArtisticAndRuby(win32/win32.* ); zlib/libpng(ext/digest/md5/md5.c ext/digest/md5/md5.h); BSD-3-clause(ext/digest/rmd160/rmd160.c ext/digest/rmd160/rmd160.h); BSD-3-clause(ext/digest/sha2/sha2.c ext/digest/sha2/sha2.h); zlib/libpng(ext/nkf/nkf-utf8/config.h ext/nkf/nkf-utf8/nkf.c ext/nkf/nkf-utf8/utf8tbl.c); BSD-3-clause(ext/socket/addrinfo.h ext/socket/getaddrinfo.c ext/socket/getnameinfo.c); GPL-1+ or Artistic(ext/win32ole/win32ole.c); Expat(ccan/list/list.h); CC0(Files:); Unicode(Files:); Permissive(Files:); Permissive(Files:); BSD-2-clause or Ruby(debian/* ); Artistic(debian/* ); 
BSD-2-clause(debian/* ); 3C-BSD(debian/* ); BSD-3-clause(debian/* ); Expat(debian/* ); GPL-1+(debian/* ); Ruby(debian/* ); SIL-1.1(debian/* ); zlib/libpng(debian/* ); CC0(debian/* ); Unicode(debian/* ); Permissive(debian/* ); GPL-3+(debian/* ); CC-BY-3.0-famfamfam(debian/* ) | +| {{}} | 2.5.5-3+deb10u6 | BSD-2-clause or Ruby(* ); BSD-2-clause(Files:); Expat(Files:); BSD-2-clause(enc/* .c); BSD-2-clause(enc/ascii.c enc/euc_jp.c enc/shift_jis.c enc/windows_31j.c); BSD-2-clause(enc/gb18030.c); BSD-2-clause(enc/encdb.c); BSD-2-clause(enc/windows_1250.c enc/windows_1252.c); BSD-2-clause(enc/windows_1251.c); GPL-3+(misc/ruby-mode.el); BSD-2-clause(lib/rdoc/generator/darkfish.rb lib/rdoc/generator/template/darkfish/* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/SourceCodePro* ); SIL-1.1(lib/rdoc/generator/template/darkfish/fonts/Lato* ); CC-BY-3.0-famfamfam(lib/rdoc/generator/template/darkfish/images/* ); Expat(lib/rdoc/generator/json_index.rb lib/rdoc/generator/template/json_index/* ); Expat or Ruby(lib/rubygems.rb lib/rubygems/* ); PreserveNotice(util.c); BSD-2-clause(random.c); 3C-BSD(vsnprintf.c); PublicDomain(Files:); 3C-BSD(missing/crypt.c); 3C-BSD(missing/setproctitle.c); BSD-3-clause(missing/strlcat.c missing/strlcpy.c); AllPermissions(missing/langinfo.c); PartialGplArtisticAndRuby(win32/win32.* ); zlib/libpng(ext/digest/md5/md5.c ext/digest/md5/md5.h); BSD-3-clause(ext/digest/rmd160/rmd160.c ext/digest/rmd160/rmd160.h); BSD-3-clause(ext/digest/sha2/sha2.c ext/digest/sha2/sha2.h); zlib/libpng(ext/nkf/nkf-utf8/config.h ext/nkf/nkf-utf8/nkf.c ext/nkf/nkf-utf8/utf8tbl.c); BSD-3-clause(ext/socket/addrinfo.h ext/socket/getaddrinfo.c ext/socket/getnameinfo.c); GPL-1+ or Artistic(ext/win32ole/win32ole.c); Expat(ccan/list/list.h); CC0(Files:); Unicode(Files:); Permissive(Files:); Permissive(Files:); BSD-2-clause or Ruby(debian/* ); Artistic(debian/* ); BSD-2-clause(debian/* ); 3C-BSD(debian/* ); BSD-3-clause(debian/* ); Expat(debian/* ); GPL-1+(debian/* ); 
Ruby(debian/* ); SIL-1.1(debian/* ); zlib/libpng(debian/* ); CC0(debian/* ); Unicode(debian/* ); Permissive(debian/* ); GPL-3+(debian/* ); CC-BY-3.0-famfamfam(debian/* ) | | {{}} | 1.5.8-1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 1.2.1-1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 1.11+deb10u1 | Expat(* ) | @@ -1592,7 +1612,7 @@ pdfhidden: True | {{}} | 2.0.11 | GPL; GPL-2; MIT | | {{}} | 1.03ii-36 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | | {{}} | 1.10-1 | GPL | -| {{}} | 6.6-1 | GPL-2+(* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-2(debian/* ) | +| {{}} | 7.2-1~bpo10+1 | GPL-2+(* ); GPL-2(Files:); GPL-2+(Files:); LGPL-2.1+(Files:); Expat-like(Files:); BSD-2-Clause(Files:); BSD-2-Clause and GPL-2+(Files:); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-2(debian/* ); LGPL-2.1+(debian/* ); BSD-2-Clause(debian/* ) | | {{}} | 5.8.0-cl4.3.0u1 | NO COPYRIGHT FILE | | {{}} | 5.8.0-cl4.3.0u1 | NO COPYRIGHT FILE | | {{}} | 5.8.0-cl4.3.0u1 | NO COPYRIGHT FILE | 
@@ -1606,28 +1626,30 @@ pdfhidden: True | {{}} | 1.8.4-1 | BSD-2-clause(* ); BSD-2-clause(debian/dh-sphinxdoc/dh_sphinxdoc); BSD-2-clause(sphinx/ext/apidoc.py); BSD-2-clause(sphinx/ext/napoleon/docstring.py); Expat(sphinx/themes/basic/static/jquery* .js); Expat(sphinx/themes/basic/static/underscore* .js); BSD-3-clause(sphinx/util/smartypants.py); public-domain(sphinx/util/stemmer/porter.py); BSD-2-clause(sphinx/util/stemmer/porter.py); BSD-3-clause(sphinx/util/stemmer/porter.py); Expat(sphinx/util/stemmer/porter.py) | | {{}} | 0.4.3+dfsg-1 | Expat(* ); BSD-2-clause(sphinx_rtd_theme/search.html); Expat(debian/* ); Expat(debian/missing-sources/bourbon/* ); Expat(debian/missing-sources/neat/* ); Expat(debian/missing-sources/wyrm/* ); Expat(debian/missing-sources/wyrm/* ) | | {{}} | 3.27.2-3+deb10u1 | public-domain(* ); GPL-2+(debian/* ) | +| {{}} | 8.4p1-2~bpo10+1 | OpenSSH(* ); Mazieres-BSD-style(ssh-keyscan.* ); public-domain(rijndael.* ); BSD-3-clause(loginrec.c openbsd-compat/* scp.c); Beer-ware(md5crypt.* ); Powell-BSD-style(openbsd-compat/bsd-snprintf.c); Expat-with-advertising-restriction(openbsd-compat/sigact.* ); BSD-2-clause(debian/* ) | | {{}} | 1.06-1 | GPL-2+(* ) | | {{}} | 1.0.39 | BSD-3-clause(* ); BSD-3-clause(* ) | | {{}} | 0.18-1 | GPL; GPL-2 | | {{}} | 4.26-0.2 | BSD | -| {{}} | 1.8.27-1+deb10u3 | ISC | +| {{}} | 1.8.27-1+deb10u5 | ISC | | {{}} | 3.0.12-2 | GPL; GPL-3 | | {{}} | 3.0.12-2 | GPL; GPL-3 | -| {{}} | 1.0-cl4.3.1u33 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | -| {{}} | 1.0-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 1.0-cl4.3.1u33 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | -| {{}} | 1.0-cl4.3.1u1 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | -| {{}} | 1.0-cl4.3.1u38 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); 
CC0-1.0(lib/ccan/* ) | -| {{}} | 1.0-cl4.3.1u38 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | +| {{}} | 1.0-cl4.3.2u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | +| {{}} | 1.0-cl4.3.2u9 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 1.0-cl4.3.2u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | +| {{}} | 1.0-cl4.3.2u9 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | +| {{}} | 1.0-cl4.3.2u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | +| {{}} | 1.0-cl4.3.2u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | NO OR UNKNOWN LICENSE FOUND IN COPYRIGHT FILE | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | NO OR UNKNOWN LICENSE FOUND IN COPYRIGHT FILE | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | -| {{}} | 12.0.3-2 | GPL-2+(* ); GPL-2+(cifsiostat.c ioconf.c); GPL-2+(tapestat.c); GPL-2+(contrib/isag/* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | -| {{}} | 241-7~deb10u8 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | -| {{}} | 241-7~deb10u8 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); 
GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 12.0.3-2+deb10u2 | GPL-2+(* ); GPL-2+(cifsiostat.c ioconf.c); GPL-2+(tapestat.c); GPL-2+(contrib/isag/* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | +| {{}} | 247.3-6~bpo10+1 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/ioprio.h); GPL-2 with Linux-syscall-note exception(src/shared/linux/* ); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/ata_id/ata_id.c); GPL-2+(src/udev/scsi_id/* ); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2 with Linux-syscall-note exception(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 241-7~deb10u10 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 247.3-6~bpo10+1 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/ioprio.h); GPL-2 with Linux-syscall-note exception(src/shared/linux/* ); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/ata_id/ata_id.c); GPL-2+(src/udev/scsi_id/* ); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2 with Linux-syscall-note exception(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | | {{}} | 2.93-8 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | | {{}} | 1.41-3 | MIT | | {{}} 
| 1.0.4-cl4u1 | GPL-2+(* ); GPL-2+(* ) | @@ -1645,7 +1667,7 @@ pdfhidden: True | {{}} | 6.11 | GPL; GPL-2 | | {{}} | 6.5.0.dfsg.1-4+b1 | GPL; GPL-3 | | {{}} | 2018.20190227-2 | TeX-various | -| {{}} | 2018.20181218.49446-1 | TeX-various | +| {{}} | 2018.20181218.49446-1+deb10u2 | TeX-various | | {{}} | 2018.20190227-2 | TeX-various | | {{}} | 2018.20190227-2 | TeX-various | | {{}} | 2018.20190227-2 | TeX-various | 
@@ -1654,17 +1676,18 @@ pdfhidden: True | {{}} | 2018.20190227-2 | TeX-various | | {{}} | 2018.20190227-2 | TeX-various | | {{}} | 2018.20190227-2 | TeX-various | +| {{}} | 1.7-25.1+b1 | GPL-2+(* ); GPL-2+(debian/* ); freely redistributable(debian/time.1); GPL-2+(debian/time.1) | | {{}} | 1.3-20 | GPL; LPPL | | {{}} | 2.8-3 | BSD; BSD-2; BSD-3 | | {{}} | 2.6.1-0.1 | GPL-2(* ); LGPL-2.1(list.h parse-* plugin_* trace-cmd.h trace-cmd.local); LGPL-2.1(event-parse.c); LGPL-2.1(plugin_hrtimer.c); LGPL-2.1(plugin_mac80211.c); GPL-2(trace-view-store.c); GPL-2(tracecmdgui.py tracecmd.py); GPL-2(Documentation/trace-cmd-check-events.1.txt); GPL-2(debian/* ); GPL-2(debian/* ); LGPL-2.1(debian/* ) | | {{}} | 2.1.0-2 | GPL-2+(* ); LGPL-2.1+(libsupp/* ); GPL-2+(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ) | | {{}} | 1.8.0-1 | GPL; GPL-2 | -| {{}} | 2.6.20-0+deb10u3 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | +| {{}} | 2.6.20-0+deb10u4 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); 
GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | | {{}} | 2.37-1 | bitstream-vera(* ); GPL-2+(debian/* ) | -| {{}} | 2021a-0+deb10u6 | public domain | +| {{}} | 2021a-0+deb10u11 | public domain | | {{}} | 2019.01+dfsg-7 | GPL-2(* ); GPL-2+(Files:); GPL-2+(debian/* ); LGPL-2.1(fs/yaffs2/yaffs_allocator.h); LGPL-2.1(lib/sha1.c); bzlib-BSD-3(include/bzlib.h); GPL-2(drivers/usb/musb-new/musb_host.h); Beerware(net/dns.c); libfdt-BSD-GPL(scripts/dtc/libfdt/* ); MPL-GPL(include/pcmcia/yenta.h); MPL-GPL(include/pcmcia/yenta.h); libfdt-BSD-GPL(include/pcmcia/yenta.h); Beerware(include/pcmcia/yenta.h); GPL-2(include/pcmcia/yenta.h); bzlib-BSD-3(include/pcmcia/yenta.h); GPL-2+(include/pcmcia/yenta.h); LGPL-2.1(include/pcmcia/yenta.h) | | {{}} | 3.0038+nmu1 | GPL-2(* ); GPL-2(debian/po/ca.po); GPL-2(debian/po/cs.po); GPL-2(debian/po/da.po); GPL-2(debian/po/de.po); GPL-2(debian/po/es.po); GPL-2(debian/po/eu.po); GPL-2(debian/po/fi.po); GPL-2(debian/po/fr.po); GPL-2(debian/po/gl.po); GPL-2(debian/po/it.po); GPL-2(debian/po/ja.po); GPL-2(debian/po/nl.po); GPL-2(debian/po/pl.po); GPL-2(debian/po/pt_BR.po); GPL-2(debian/po/pt.po); GPL-2(debian/po/ru.po); GPL-2(debian/po/sk.po); GPL-2(debian/po/sv.po); GPL-2(debian/po/vi.po); GPL-2(debian/po/vi.po) | -| {{}} | 241-7~deb10u8 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/securebits.h); GPL-2(src/basic/ioprio.h); GPL-2+(src/shared/linux/auto_dev-ioctl.h); Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/* ); LGPL-2.1+(src/udev/udev-ctrl.c); GPL-2(src/udev/scsi_id/scsi.h); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | +| {{}} | 247.3-6~bpo10+1 | LGPL-2.1+(* ); CC0-1.0(src/basic/siphash24.h); GPL-2(src/basic/ioprio.h); GPL-2 with Linux-syscall-note exception(src/shared/linux/* ); 
Expat(src/basic/sparse-endian.h); public-domain(src/journal/lookup3.c); GPL-2+(src/udev/ata_id/ata_id.c); GPL-2+(src/udev/scsi_id/* ); LGPL-2.1+(debian/* ); Expat(debian/* ); GPL-2(debian/* ); GPL-2 with Linux-syscall-note exception(debian/* ); GPL-2+(debian/* ); LGPL-2.1+(debian/* ); CC0-1.0(debian/* ) | | {{}} | 6.0-23+deb10u2 | BSD | | {{}} | 4.49 | GPL-2+(Files:) | | {{}} | 2019.07.27-0+deb10u1 | BSD; GPL | 
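Review bot: after this patch the rows carrying the systemd license set sit on two different versions. The row changed in this hunk moves from 241-7~deb10u8 to 247.3-6~bpo10+1, while the earlier @@ -1606 hunk adds one row at 241-7~deb10u10 next to two at 247.3-6~bpo10+1. Please confirm the image really ships both the deb10 and the bpo10 builds and that the 241 row is not a stale entry. If the split is intended, a one-line explanation next to the table would help anyone matching it against installed packages during a patch audit.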
@@ -1672,17 +1695,17 @@ pdfhidden: True | {{}} | 2.33.1-0.1 | GPL-2+(* ); GPL-2(schedutils/ionice.c); GPL-2(schedutils/chrt.c); GPL-2(disk-utils/raw.c); GPL-2(sys-utils/nsenter.c); GPL-2(disk-utils/mkfs.minix.c); public-domain(lib/at.c); BSD-4-clause(login-utils/vipw.c); MIT(text-utils/tailf.c); MIT(sys-utils/flock.c); BSD-2-clause(text-utils/pg.c); BSD-2-clause(login-utils/last-deprecated.c); BSD-2-clause(login-utils/login.c); BSD-3-clause(login-utils/logindefs.c); BSD-3-clause(libuuid/* ); LGPL-2+(lib/procutils.c); LGPL-2+(* /colors.* ); LGPL-2+(login-utils/setpwnam.h); LGPL-2.1+(libfdisk/* ); LGPL-2.1+(lib/cpuset.c); LGPL-2.1+(* /mbsalign.* ); GPL-3+(* /readutmp.* ); LGPL-2.1+(* /timeutils.* ); LGPL(include/list.h); LGPL-2.1+(libblkid/* ); LGPL(include/cpuset.h); LGPL(misc-utils/blkid.c); LGPL-2.1+(libmount/* ); LGPL-3+(libmount/python/* ); LGPL(libsmartcols/* ); GPL-2+(debian/* ); public-domain(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-3+(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ); BSD-4-clause(debian/* ); LGPL(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); LGPL-3+(debian/* ); MIT(debian/* ) | | {{}} | 2.33.1-0.1 | GPL-2+(* ); GPL-2(schedutils/ionice.c); GPL-2(schedutils/chrt.c); GPL-2(disk-utils/raw.c); GPL-2(sys-utils/nsenter.c); GPL-2(disk-utils/mkfs.minix.c); public-domain(lib/at.c); BSD-4-clause(login-utils/vipw.c); MIT(text-utils/tailf.c); MIT(sys-utils/flock.c); BSD-2-clause(text-utils/pg.c); BSD-2-clause(login-utils/last-deprecated.c); BSD-2-clause(login-utils/login.c); BSD-3-clause(login-utils/logindefs.c); BSD-3-clause(libuuid/* ); LGPL-2+(lib/procutils.c); LGPL-2+(* /colors.* ); LGPL-2+(login-utils/setpwnam.h); LGPL-2.1+(libfdisk/* ); LGPL-2.1+(lib/cpuset.c); LGPL-2.1+(* /mbsalign.* ); GPL-3+(* /readutmp.* ); LGPL-2.1+(* /timeutils.* ); LGPL(include/list.h); LGPL-2.1+(libblkid/* ); LGPL(include/cpuset.h); LGPL(misc-utils/blkid.c); LGPL-2.1+(libmount/* ); LGPL-3+(libmount/python/* ); LGPL(libsmartcols/* ); 
GPL-2+(debian/* ); public-domain(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-3+(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ); BSD-4-clause(debian/* ); LGPL(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); LGPL-3+(debian/* ); MIT(debian/* ) | | {{}} | 2.33.1-0.1 | GPL-2+(* ); GPL-2(schedutils/ionice.c); GPL-2(schedutils/chrt.c); GPL-2(disk-utils/raw.c); GPL-2(sys-utils/nsenter.c); GPL-2(disk-utils/mkfs.minix.c); public-domain(lib/at.c); BSD-4-clause(login-utils/vipw.c); MIT(text-utils/tailf.c); MIT(sys-utils/flock.c); BSD-2-clause(text-utils/pg.c); BSD-2-clause(login-utils/last-deprecated.c); BSD-2-clause(login-utils/login.c); BSD-3-clause(login-utils/logindefs.c); BSD-3-clause(libuuid/* ); LGPL-2+(lib/procutils.c); LGPL-2+(* /colors.* ); LGPL-2+(login-utils/setpwnam.h); LGPL-2.1+(libfdisk/* ); LGPL-2.1+(lib/cpuset.c); LGPL-2.1+(* /mbsalign.* ); GPL-3+(* /readutmp.* ); LGPL-2.1+(* /timeutils.* ); LGPL(include/list.h); LGPL-2.1+(libblkid/* ); LGPL(include/cpuset.h); LGPL(misc-utils/blkid.c); LGPL-2.1+(libmount/* ); LGPL-3+(libmount/python/* ); LGPL(libsmartcols/* ); GPL-2+(debian/* ); public-domain(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); GPL-3+(debian/* ); BSD-2-clause(debian/* ); BSD-3-clause(debian/* ); BSD-4-clause(debian/* ); LGPL(debian/* ); LGPL-2+(debian/* ); LGPL-2.1+(debian/* ); LGPL-3+(debian/* ); MIT(debian/* ) | -| {{}} | 8.1.0875-5+deb10u2 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); 
Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | -| {{}} | 8.1.0875-5+deb10u2 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | -| {{}} | 8.1.0875-5+deb10u2 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); 
BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | -| {{}} | 8.1.0875-5+deb10u2 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); 
Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | +| {{}} | 8.1.0875-5+deb10u6 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | +| {{}} | 8.1.0875-5+deb10u6 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* 
src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | +| {{}} | 8.1.0875-5+deb10u6 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); 
EDL-1(src/xdiff/xhistogram.c) | +| {{}} | 8.1.0875-5+deb10u6 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | | {{}} | 15.1.0+ds-2+deb10u1 | Expat(* ); Expat(debian/* ); Expat(debian/* ) | | {{}} | 1.19-1 | GPL-2+(* ); GPL-2+(debian/* ); GPL-2+(debian/* ) | | {{}} | 2.0.5 | GPL-2+(vconfig); GPL-2+(debian/* ); GPL-2+(vconfig.8); GPL-2+(vconfig.8) | | {{}} | 1.0-cl4.2.1+u1 | GPL-2(* ); GPL-2(debian/* ) | | {{}} | 1.0-cl4.2.1+u1 | NO COPYRIGHT FILE | | {{}} | 4.0-cl4u5 | Cumulus Networks Proprietary(* ); GPLv2(debian/* ) | -| {{}} | 0.5.3-37 | w3m(* ); w3m(* ); permissive-Str(Str.* ); copyleft-matrix-c(matrix.c); permissive-matrix-h(matrix.h); w3m(w3mimg/fb/* ); w3m(islang.c); X11(scrsize.c); Unicode-Data-Files(libwc/EastAsianWidth.txt); X11-install-sh(install-sh); Ruby and w3m(doc-jp/README.SSL); Ruby(doc-jp/README.SSL); Ruby's 
License:(doc-jp/README.SSL); GPL-3+ with Autoconf exception(config.guess config.sub); permissive-aclocal(aclocal.m4 config.rpath); permissive-configure(configure); permissive-po(po/Makefile.in.in); w3m(po/* .po* ); public-domain(alloc.h); permissive-debian(debian/* ); permissive-gitlog2changelog(debian/gitlog2changelog) | +| {{}} | 0.5.3-37+deb10u1 | w3m(* ); w3m(* ); permissive-Str(Str.* ); copyleft-matrix-c(matrix.c); permissive-matrix-h(matrix.h); w3m(w3mimg/fb/* ); w3m(islang.c); X11(scrsize.c); Unicode-Data-Files(libwc/EastAsianWidth.txt); X11-install-sh(install-sh); Ruby and w3m(doc-jp/README.SSL); Ruby(doc-jp/README.SSL); Ruby's License:(doc-jp/README.SSL); GPL-3+ with Autoconf exception(config.guess config.sub); permissive-aclocal(aclocal.m4 config.rpath); permissive-configure(configure); permissive-po(po/Makefile.in.in); w3m(po/* .po* ); public-domain(alloc.h); permissive-debian(debian/* ); permissive-gitlog2changelog(debian/gitlog2changelog) | | {{}} | 2018.04.16-1 | public domain | | {{}} | 5.14-cl4.3.1u4 | GPL | | {{}} | 5.14-cl4.3.1u4 | NO COPYRIGHT FILE | 
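Review bot: in the four updated Vim rows the license cell lists the whole license set a second time against src/xdiff/xhistogram.c (Vim, OPL-1+, GPL-2, GPL-2+, and so on through a second EDL-1). That reads like the table generator attaching every license to the last path it saw rather than real per-file licensing. The bump to 8.1.0875-5+deb10u6 carries that text forward unchanged, so this is a good moment to fix the generator or trim the duplicated tail so the cell ends at the first `EDL-1(src/xdiff/xhistogram.c)`.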
@@ -1690,7 +1713,7 @@ pdfhidden: True | {{}} | 1.20.1-1.1 | GFDL-1; GPL; GPL-3 | | {{}} | 1.3.0-cl4.3.0u1 | NO COPYRIGHT FILE | | {{}} | 0.52.20-8 | LGPL-2 | -| {{}} | 2.6.20-0+deb10u3 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | +| {{}} | 2.6.20-0+deb10u4 | GPL-2+(* ); GPL-2+(debian/* ); public-domain(wsutil/g711.c:); LGPL-2+(wsutil/strptime.c); LGPL-2+(tools/lemon/lempar.c); FSL-Kaz(epan/except.c); Free Software License:(epan/except.c); BSD-3-clause(epan/in_cksum.c); ISC(wsutil/inet_ntop.c); BSD-2-clause(epan/dissectors/packet-enc.c); BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:); BSD-3-clause-Endance(wiretap/erf.c); BSD-2-clause(wiretap/i4b_trace.h); GPL-3+(epan/dissectors/pidl/rfr/rfr.idl); GPL-3+(tools/pidl/idl.yp); BSD-2-clause(tools/pidl/idl.yp); GPL-2+(tools/pidl/idl.yp); GPL-3+(tools/pidl/idl.yp); ISC(tools/pidl/idl.yp); LGPL-2+(tools/pidl/idl.yp) | | {{}} | 7.7+19 | GPL | | {{}} | 2018.4-4 | MIT(* ); SGI(include/GL/* ); MIT(debian); MIT(debian); SGI(debian) | | {{}} | 2018.4-4 | MIT(* ); SGI(include/GL/* ); MIT(debian); MIT(debian); SGI(debian) | 
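Review bot: the 2.6.20-0+deb10u4 row keeps tokens that look like copyright-file parsing leftovers: `Free Software License:(epan/except.c)` is a field label rather than a license name, and `public-domain(wsutil/g711.c:)` and `BSD-2-clause-no-conditions(epan/dissectors/packet-pflog.c:)` carry a trailing colon in the path. Since the row is being rewritten for the version bump anyway, suggest cleaning these up at the generator so the published license list is accurate, and applying the same fix to the identical row in the @@ -1654 hunk.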
@@ -1712,7 +1735,7 @@ pdfhidden: True | {{}} | 1.1.32-2.2~deb10u1 | BSD | | {{}} | 344-1+deb10u2 | Dickey; MIT | | {{}} | 1.3.5-1 | BSD | -| {{}} | 8.1.0875-5+deb10u2 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | +| {{}} | 8.1.0875-5+deb10u6 | Vim(* ); OPL-1+(runtime/doc/* ); BSD-3-clause(runtime/syntax/cmake.vim); Expat(runtime/ftplugin/wast.vim); BSD-2-clause(runtime/syntax/tmux.vim); Apache or Expat(runtime/syntax/rust.vim); GPL-1+ or Artistic-1(runtime/tools/efm_perl.pl); Expat(src/libvterm/* ); Vim-Regexp(src/regexp.c); UC(src/if_xcmdsrv.c); public-domain(src/tee/tee.c); Expat or GPL-2(src/xxd/* ); SRA(src/gui_at_fs.c); X11(src/gui_at_sb.* src/install-sh); Compaq(src/gui_gtk_vms.h); GPL-2+(src/pty.c); Expat or Vim(src/iscygpty.* ); XPM(src/xpm/* ); LGPL-2.1+(src/xdiff/* ); EDL-1(src/xdiff/xhistogram.c); 
Vim(src/xdiff/xhistogram.c); OPL-1+(src/xdiff/xhistogram.c); GPL-2(src/xdiff/xhistogram.c); GPL-2+(src/xdiff/xhistogram.c); GPL-1+(src/xdiff/xhistogram.c); LGPL-2.1+(src/xdiff/xhistogram.c); Artistic-1(src/xdiff/xhistogram.c); Vim-Regexp(src/xdiff/xhistogram.c); Apache(src/xdiff/xhistogram.c); Expat(src/xdiff/xhistogram.c); SRA(src/xdiff/xhistogram.c); X11(src/xdiff/xhistogram.c); UC(src/xdiff/xhistogram.c); public-domain(src/xdiff/xhistogram.c); Compaq(src/xdiff/xhistogram.c); XPM(src/xdiff/xhistogram.c); BSD-3-clause(src/xdiff/xhistogram.c); BSD-2-clause(src/xdiff/xhistogram.c); EDL-1(src/xdiff/xhistogram.c) | | {{}} | 5.2.4-1+deb10u1 | PD(* ); probably-PD(INSTALL NEWS PACKAGERS); GPL-2+(src/scripts/* lib/* extra/scanlzma/scanlzma.c); PD(src/scripts/Makefile.am src/scripts/xzless.1); PD(doc/examples/xz_pipe_comp.c doc/examples/xz_pipe_decomp.c); LGPL-2.1+(lib/getopt.c lib/getopt1.c lib/getopt.in.h); permissive-fsf(m4/getopt.m4 m4/posix-shell.m4); Autoconf(m4/acx_pthread.m4); permissive-nowarranty(m4/acx_pthread.m4); GPL-2(Doxyfile.in); none(src/liblzma/check/crc32_table_?e.h); none(.gitignore m4/.gitignore po/.gitignore po/LINGUAS po/POTFILES.in); PD(tests/compress_prepared_bcj_* ); PD(po/cs.po po/de.po po/fr.po); PD(po/it.po po/pl.po); permissive-nowarranty(INSTALL.generic); config-h(dos/config.h); LGPL-2.1+(po/Makevars); noderivs(COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1); PD-debian(debian/* ); LGPL-2.1+(debian/* ); GPL-2(debian/* ); GPL-2+(debian/* ); Autoconf(debian/* ); permissive-fsf(debian/* ); permissive-nowarranty(debian/* ) | | {{}} | 1.0.184-2+cl4.3.0u1 | BSD-3-clause(* ); BSD-3-clause(swig/* ); BSD-3-clause(swig/java/* ); BSD-3-clause AND Apache-2.0(swig/python/config.py.in swig/python/tests/test_libyang.py swig/python/tests/test_tree_data.py swig/python/tests/test_tree_schema.py); IETF-BSD-3-clause(* /iana-* .yin * /iana-* .yang * /ietf-* .yin * /ietf-* .yang * /ietf-* .h); BSD-2-clause(linenoise/* ); Expat(swig/cpp/tests/microtest.h); 
BSD-3-clause(swig/java/tests/hamcrest-core-1.3.jar); EPL-1.0(swig/java/tests/junit-4.12.jar); GPL-3(swig/* .deb); BSD-3-clause(debian/* ); BSD-3-clause(debian/* ); Apache-2.0(debian/* ) | | {{}} | 1.0.184-2+cl4.3.0u1 | NO COPYRIGHT FILE | @@ -1720,4 +1743,6 @@ pdfhidden: True | {{}} | 3.0-11+b1 | BSD | | {{}} | 1.2.11.dfsg-1+deb10u1 | Zlib(* ); Zlib(amiga/Makefile.pup); Zlib(contrib/minizip/* ); Zlib(debian/* ); Zlib(debian/* ) | | {{}} | 1.2.11.dfsg-1+deb10u1 | Zlib(* ); Zlib(amiga/Makefile.pup); Zlib(contrib/minizip/* ); Zlib(debian/* ); Zlib(debian/* ) | +| {{}} | 5.7.1-1+deb10u1 | Zsh(* ); Expat(debian/* ); BSD-3(Src/compat.c); Zsh(Completion/Unix/Command/_hg); GPL-2+(Completion/Unix/Command/_darcs); GPL-2(Completion/openSUSE/Command/_osc); GPL-2(Completion/openSUSE/Command/_zypper); Artistic or GPL-1+ or Zsh(Misc/make-zsh-urls); PWS-Zsh-FAQ(Etc/FAQ.yo); Zsh(Etc/FAQ.yo); Expat(Etc/FAQ.yo); BSD-3(Etc/FAQ.yo); GPL-2+(Etc/FAQ.yo); GPL-2(Etc/FAQ.yo); GPL-1+(Etc/FAQ.yo); Artistic(Etc/FAQ.yo) | +| {{}} | 5.7.1-1+deb10u1 | Zsh(* ); Expat(debian/* ); BSD-3(Src/compat.c); Zsh(Completion/Unix/Command/_hg); GPL-2+(Completion/Unix/Command/_darcs); GPL-2(Completion/openSUSE/Command/_osc); GPL-2(Completion/openSUSE/Command/_zypper); Artistic or GPL-1+ or Zsh(Misc/make-zsh-urls); PWS-Zsh-FAQ(Etc/FAQ.yo); Zsh(Etc/FAQ.yo); Expat(Etc/FAQ.yo); BSD-3(Etc/FAQ.yo); GPL-2+(Etc/FAQ.yo); GPL-2(Etc/FAQ.yo); GPL-1+(Etc/FAQ.yo); Artistic(Etc/FAQ.yo) | diff --git a/content/cumulus-linux-43/Whats-New/licenses/bind9.txt b/content/cumulus-linux-43/Whats-New/licenses/bind9.txt new file mode 100644 index 0000000000..3b0579c5f2 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/bind9.txt 
@@ -0,0 +1,159 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: BIND +Upstream-Contact: Internet Systems Consortium +Source: https://ftp.isc.org/isc/bind9/ +Files-Excluded: contrib/idn + contrib/dnsperf-2.1.0.0-1 + contrib/nslint-3.0a2 + contrib/query-loc-0.4.0 + contrib/queryperf + contrib/zkt-1.1.3 + doc/arm/Bv9ARM.pdf + +Files: * +Copyright: 2004-2017, Internet Systems Consortium, Inc. ("ISC") + 1996-2003, Internet Software Consortium + 2012, Vadim Goncharov + 2009-2012, John Eaglesham + 2008, Damien Miller + 2004, 2008, Nominet, Ltd. + 2004, Masarykova universita + 1997-2003, Kungliga Tekniska Högskolan + 2002, Nuno M. Rodrigues. + 2002, Stichting NLnet, Netherlands + 2000-2002, Japan Network Information Center. + 2001, Jake Burkholder + 1996-2001, Nominum, Inc. + 1995-2000, Network Associates, Inc. + 2000, Aaron D. Gifford + 1999-2000, Nortel Networks Corporation + 1996, David Mazieres + 1993, Digital Equipment Corporation. + 1990, 1993, The Regents of the University of California. +License: ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause + +Files: bin/tests/system/chain/ + doc/misc/docbook-options.pl +Copyright: 2016-2017, Internet Systems Consortium, Inc. ("ISC") +License: MPL-2.0 or ISC + +Files: unit/atf-src/ +Copyright: 2007-2012, The NetBSD Foundation, Inc. +License: BSD-2-clause + +Files: contrib/idn/ +Copyright: 2000-2002, Japan Network Information Center +License: BSD-4-clause + +Files: debian/ +Copyright: 2007-2017 LaMont Jones + 2013-2017 Michael Gilbert + 2017 Ondřej Surý + 2008-2016 Jamie Strandboge +License: ISC or MPL-2.0 + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . 
+ THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + PERFORMANCE OF THIS SOFTWARE. + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY + WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. 
Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY + WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +License: BSD-4-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. 
All advertising materials mentioning features or use of this + software must display the following acknowledgement: This product + includes software developed by the the organization . + . + 4. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY COPYRIGHT HOLDER "AS IS" AND ANY EXPRESS + OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: MPL-2.0 + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. + . + On Debian systems, the full copy of MPL-2.0 can be found at + /usr/share/common-licenses/MPL-2.0 diff --git a/content/cumulus-linux-43/Whats-New/licenses/curl-dbgsym.txt b/content/cumulus-linux-43/Whats-New/licenses/curl-dbgsym.txt new file mode 100644 index 0000000000..992ef45a13 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/curl-dbgsym.txt @@ -0,0 +1 @@ +curl-dbgsym has no copyright file diff --git a/content/cumulus-linux-43/Whats-New/licenses/grub-efi-amd64-signed-template.txt b/content/cumulus-linux-43/Whats-New/licenses/grub-efi-amd64-signed-template.txt index a6caeb5296..20be383284 100644 --- a/content/cumulus-linux-43/Whats-New/licenses/grub-efi-amd64-signed-template.txt 
+++ b/content/cumulus-linux-43/Whats-New/licenses/grub-efi-amd64-signed-template.txt @@ -1,7 +1,6 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: GNU GRUB Source: https://www.gnu.org/software/grub/ -Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c Files: * Copyright: 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc @@ -10,9 +9,9 @@ License: GPL-3+ Files: debian/* Copyright: 2003, 2004, 2005, 2006, 2007, 2008, 2009, Robert Millan - 2005, 2006, 2007, Otavio Salvador - 2008, 2009, Felix Zielcke - 2009, Jordi Mallach + 2005, 2006, 2007, Otavio Salvador + 2008, 2009, Felix Zielcke + 2009, Jordi Mallach License: GPL-3+ Files: debian/grub-extras/* 
@@ -163,21 +162,21 @@ License: CC-BY-SA-3.0 to Distribute and Publicly Perform Adaptations. . For the avoidance of doubt: - Non-waivable Compulsory License Schemes. In those jurisdictions in - which the right to collect royalties through any statutory or - compulsory licensing scheme cannot be waived, the Licensor reserves - the exclusive right to collect such royalties for any exercise by - You of the rights granted under this License; - Waivable Compulsory License Schemes. In those jurisdictions in which - the right to collect royalties through any statutory or compulsory - licensing scheme can be waived, the Licensor waives the exclusive - right to collect such royalties for any exercise by You of the - rights granted under this License; and, - Voluntary License Schemes. The Licensor waives the right to collect - royalties, whether individually or, in the event that the Licensor - is a member of a collecting society that administers voluntary - licensing schemes, via that society, from any exercise by You of the - rights granted under this License. + Non-waivable Compulsory License Schemes. In those jurisdictions in + which the right to collect royalties through any statutory or + compulsory licensing scheme cannot be waived, the Licensor reserves + the exclusive right to collect such royalties for any exercise by + You of the rights granted under this License; + Waivable Compulsory License Schemes. In those jurisdictions in which + the right to collect royalties through any statutory or compulsory + licensing scheme can be waived, the Licensor waives the exclusive + right to collect such royalties for any exercise by You of the + rights granted under this License; and, + Voluntary License Schemes. 
The Licensor waives the right to collect + royalties, whether individually or, in the event that the Licensor + is a member of a collecting society that administers voluntary + licensing schemes, via that society, from any exercise by You of the + rights granted under this License. . The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such diff --git a/content/cumulus-linux-43/Whats-New/licenses/grub2-common.txt b/content/cumulus-linux-43/Whats-New/licenses/grub2-common.txt index 19e2ee0d81..a6caeb5296 100644 --- a/content/cumulus-linux-43/Whats-New/licenses/grub2-common.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/grub2-common.txt 
@@ -1 +1,376 @@ -grub2-common has no copyright file +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: GNU GRUB +Source: https://www.gnu.org/software/grub/ +Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c + +Files: * +Copyright: 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc +License: GPL-3+ + + +Files: debian/* +Copyright: 2003, 2004, 2005, 2006, 2007, 2008, 2009, Robert Millan + 2005, 2006, 2007, Otavio Salvador + 2008, 2009, Felix Zielcke + 2009, Jordi Mallach +License: GPL-3+ + +Files: debian/grub-extras/* +Copyright: Nathan Coulson + 2003, 2007 Free Software Foundation, Inc + 2003 NIIBE Yutaka +License: GPL-3+ + +Files: themes/starfield/* +Copyright: 2012 Free Software Foundation, Inc +License: CC-BY-SA-3.0 + +Files: themes/starfield/theme.txt +Copyright: 2011 Daniel Tschudi +License: Expat + +License: GPL-3+ + On Debian systems the full text of the GNU General Public + License can be found in the `/usr/share/common-licenses/GPL-3' + file. + +License: CC-BY-SA-3.0 + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL + SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT + RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" + BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION + PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE. + . + License + . + THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE + COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY + COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS + AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. + . + BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO + BE BOUND BY THE TERMS OF THIS LICENSE. 
TO THE EXTENT THIS LICENSE MAY BE + CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED + HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. + . + 1. Definitions + "Adaptation" means a work based upon the Work, or upon the Work and + other pre-existing works, such as a translation, adaptation, derivative + work, arrangement of music or other alterations of a literary or + artistic work, or phonogram or performance and includes cinematographic + adaptations or any other form in which the Work may be recast, + transformed, or adapted including in any form recognizably derived from + the original, except that a work that constitutes a Collection will not + be considered an Adaptation for the purpose of this License. For the + avoidance of doubt, where the Work is a musical work, performance or + phonogram, the synchronization of the Work in timed-relation with a + moving image ("synching") will be considered an Adaptation for the + purpose of this License. + "Collection" means a collection of literary or artistic works, such as + encyclopedias and anthologies, or performances, phonograms or + broadcasts, or other works or subject matter other than works listed in + Section 1(f) below, which, by reason of the selection and arrangement of + their contents, constitute intellectual creations, in which the Work is + included in its entirety in unmodified form along with one or more other + contributions, each constituting separate and independent works in + themselves, which together are assembled into a collective whole. A work + that constitutes a Collection will not be considered an Adaptation (as + defined below) for the purposes of this License. 
+ "Creative Commons Compatible License" means a license that is listed at + http://creativecommons.org/compatiblelicenses that has been approved by + Creative Commons as being essentially equivalent to this License, + including, at a minimum, because that license: (i) contains terms that + have the same purpose, meaning and effect as the License Elements of + this License; and, (ii) explicitly permits the relicensing of + adaptations of works made available under that license under this + License or a Creative Commons jurisdiction license with the same License + Elements as this License. + "Distribute" means to make available to the public the original and + copies of the Work or Adaptation, as appropriate, through sale or other + transfer of ownership. + "License Elements" means the following high-level license attributes as + selected by Licensor and indicated in the title of this License: + Attribution, ShareAlike. + "Licensor" means the individual, individuals, entity or entities that + offer(s) the Work under the terms of this License. + "Original Author" means, in the case of a literary or artistic work, the + individual, individuals, entity or entities who created the Work or if + no individual or entity can be identified, the publisher; and in + addition (i) in the case of a performance the actors, singers, + musicians, dancers, and other persons who act, sing, deliver, declaim, + play in, interpret or otherwise perform literary or artistic works or + expressions of folklore; (ii) in the case of a phonogram the producer + being the person or legal entity who first fixes the sounds of a + performance or other sounds; and, (iii) in the case of broadcasts, the + organization that transmits the broadcast. 
+ "Work" means the literary and/or artistic work offered under the terms + of this License including without limitation any production in the + literary, scientific and artistic domain, whatever may be the mode or + form of its expression including digital form, such as a book, pamphlet + and other writing; a lecture, address, sermon or other work of the same + nature; a dramatic or dramatico-musical work; a choreographic work or + entertainment in dumb show; a musical composition with or without words; + a cinematographic work to which are assimilated works expressed by a + process analogous to cinematography; a work of drawing, painting, + architecture, sculpture, engraving or lithography; a photographic work + to which are assimilated works expressed by a process analogous to + photography; a work of applied art; an illustration, map, plan, sketch + or three-dimensional work relative to geography, topography, + architecture or science; a performance; a broadcast; a phonogram; a + compilation of data to the extent it is protected as a copyrightable + work; or a work performed by a variety or circus performer to the extent + it is not otherwise considered a literary or artistic work. + "You" means an individual or entity exercising rights under this License + who has not previously violated the terms of this License with respect + to the Work, or who has received express permission from the Licensor to + exercise rights under this License despite a previous violation. 
+ "Publicly Perform" means to perform public recitations of the Work and + to communicate to the public those public recitations, by any means or + process, including by wire or wireless means or public digital + performances; to make available to the public Works in such a way that + members of the public may access these Works from a place and at a place + individually chosen by them; to perform the Work to the public by any + means or process and the communication to the public of the performances + of the Work, including by public digital performance; to broadcast and + rebroadcast the Work by any means including signs, sounds or images. + "Reproduce" means to make copies of the Work by any means including + without limitation by sound or visual recordings and the right of + fixation and reproducing fixations of the Work, including storage of a + protected performance or phonogram in digital form or other electronic + medium. + . + 2. Fair Dealing Rights. Nothing in this License is intended to reduce, + limit, or restrict any uses free from copyright or rights arising from + limitations or exceptions that are provided for in connection with the + copyright protection under copyright law or other applicable laws. + . + 3. License Grant. Subject to the terms and conditions of this License, + Licensor hereby grants You a worldwide, royalty-free, non-exclusive, + perpetual (for the duration of the applicable copyright) license to + exercise the rights in the Work as stated below: + . + to Reproduce the Work, to incorporate the Work into one or more + Collections, and to Reproduce the Work as incorporated in the + Collections; + to create and Reproduce Adaptations provided that any such Adaptation, + including any translation in any medium, takes reasonable steps to + clearly label, demarcate or otherwise identify that changes were made to + the original Work. 
For example, a translation could be marked "The + original work was translated from English to Spanish," or a modification + could indicate "The original work has been modified."; + to Distribute and Publicly Perform the Work including as incorporated in + Collections; and, + to Distribute and Publicly Perform Adaptations. + . + For the avoidance of doubt: + Non-waivable Compulsory License Schemes. In those jurisdictions in + which the right to collect royalties through any statutory or + compulsory licensing scheme cannot be waived, the Licensor reserves + the exclusive right to collect such royalties for any exercise by + You of the rights granted under this License; + Waivable Compulsory License Schemes. In those jurisdictions in which + the right to collect royalties through any statutory or compulsory + licensing scheme can be waived, the Licensor waives the exclusive + right to collect such royalties for any exercise by You of the + rights granted under this License; and, + Voluntary License Schemes. The Licensor waives the right to collect + royalties, whether individually or, in the event that the Licensor + is a member of a collecting society that administers voluntary + licensing schemes, via that society, from any exercise by You of the + rights granted under this License. + . + The above rights may be exercised in all media and formats whether now + known or hereafter devised. The above rights include the right to make such + modifications as are technically necessary to exercise the rights in other + media and formats. Subject to Section 8(f), all rights not expressly + granted by Licensor are hereby reserved. + . + 4. Restrictions. The license granted in Section 3 above is expressly made + subject to and limited by the following restrictions: + . + You may Distribute or Publicly Perform the Work only under the terms of + this License. 
You must include a copy of, or the Uniform Resource + Identifier (URI) for, this License with every copy of the Work You + Distribute or Publicly Perform. You may not offer or impose any terms on + the Work that restrict the terms of this License or the ability of the + recipient of the Work to exercise the rights granted to that recipient + under the terms of the License. You may not sublicense the Work. You + must keep intact all notices that refer to this License and to the + disclaimer of warranties with every copy of the Work You Distribute or + Publicly Perform. When You Distribute or Publicly Perform the Work, You + may not impose any effective technological measures on the Work that + restrict the ability of a recipient of the Work from You to exercise the + rights granted to that recipient under the terms of the License. This + Section 4(a) applies to the Work as incorporated in a Collection, but + this does not require the Collection apart from the Work itself to be + made subject to the terms of this License. If You create a Collection, + upon notice from any Licensor You must, to the extent practicable, + remove from the Collection any credit as required by Section 4(c), as + requested. If You create an Adaptation, upon notice from any Licensor + You must, to the extent practicable, remove from the Adaptation any + credit as required by Section 4(c), as requested. + You may Distribute or Publicly Perform an Adaptation only under the + terms of: (i) this License; (ii) a later version of this License with + the same License Elements as this License; (iii) a Creative Commons + jurisdiction license (either this or a later license version) that + contains the same License Elements as this License (e.g., + Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible + License. If you license the Adaptation under one of the licenses + mentioned in (iv), you must comply with the terms of that license. 
If + you license the Adaptation under the terms of any of the licenses + mentioned in (i), (ii) or (iii) (the "Applicable License"), you must + comply with the terms of the Applicable License generally and the + following provisions: (I) You must include a copy of, or the URI for, + the Applicable License with every copy of each Adaptation You Distribute + or Publicly Perform; (II) You may not offer or impose any terms on the + Adaptation that restrict the terms of the Applicable License or the + ability of the recipient of the Adaptation to exercise the rights + granted to that recipient under the terms of the Applicable License; + (III) You must keep intact all notices that refer to the Applicable + License and to the disclaimer of warranties with every copy of the Work + as included in the Adaptation You Distribute or Publicly Perform; (IV) + when You Distribute or Publicly Perform the Adaptation, You may not + impose any effective technological measures on the Adaptation that + restrict the ability of a recipient of the Adaptation from You to + exercise the rights granted to that recipient under the terms of the + Applicable License. This Section 4(b) applies to the Adaptation as + incorporated in a Collection, but this does not require the Collection + apart from the Adaptation itself to be made subject to the terms of the + Applicable License. 
+ If You Distribute, or Publicly Perform the Work or any Adaptations or + Collections, You must, unless a request has been made pursuant to + Section 4(a), keep intact all copyright notices for the Work and + provide, reasonable to the medium or means You are utilizing: (i) the + name of the Original Author (or pseudonym, if applicable) if supplied, + and/or if the Original Author and/or Licensor designate another party or + parties (e.g., a sponsor institute, publishing entity, journal) for + attribution ("Attribution Parties") in Licensor's copyright notice, + terms of service or by other reasonable means, the name of such party or + parties; (ii) the title of the Work if supplied; (iii) to the extent + reasonably practicable, the URI, if any, that Licensor specifies to be + associated with the Work, unless such URI does not refer to the + copyright notice or licensing information for the Work; and (iv) , + consistent with Ssection 3(b), in the case of an Adaptation, a credit + identifying the use of the Work in the Adaptation (e.g., "French + translation of the Work by Original Author," or "Screenplay based on + original Work by Original Author"). The credit required by this Section + 4(c) may be implemented in any reasonable manner; provided, however, + that in the case of a Adaptation or Collection, at a minimum such credit + will appear, if a credit for all contributing authors of the Adaptation + or Collection appears, then as part of these credits and in a manner at + least as prominent as the credits for the other contributing authors. 
+ For the avoidance of doubt, You may only use the credit required by this + Section for the purpose of attribution in the manner set out above and, + by exercising Your rights under this License, You may not implicitly or + explicitly assert or imply any connection with, sponsorship or + endorsement by the Original Author, Licensor and/or Attribution Parties, + as appropriate, of You or Your use of the Work, without the separate, + express prior written permission of the Original Author, Licensor and/or + Attribution Parties. + Except as otherwise agreed in writing by the Licensor or as may be + otherwise permitted by applicable law, if You Reproduce, Distribute or + Publicly Perform the Work either by itself or as part of any Adaptations + or Collections, You must not distort, mutilate, modify or take other + derogatory action in relation to the Work which would be prejudicial to + the Original Author's honor or reputation. Licensor agrees that in those + jurisdictions (e.g. Japan), in which any exercise of the right granted + in Section 3(b) of this License (the right to make Adaptations) would be + deemed to be a distortion, mutilation, modification or other derogatory + action prejudicial to the Original Author's honor and reputation, the + Licensor will waive or not assert, as appropriate, this Section, to the + fullest extent permitted by the applicable national law, to enable You + to reasonably exercise Your right under Section 3(b) of this License + (right to make Adaptations) but not otherwise. + . + 5. Representations, Warranties and Disclaimer + . 
+ UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR + OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY + KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, + INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, + FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT + OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER + OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF + IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. + . + 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE + LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY + SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING + OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + . + 7. Termination + . + This License and the rights granted hereunder will terminate + automatically upon any breach by You of the terms of this License. + Individuals or entities who have received Adaptations or Collections + from You under this License, however, will not have their licenses + terminated provided such individuals or entities remain in full + compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will + survive any termination of this License. + Subject to the above terms and conditions, the license granted here is + perpetual (for the duration of the applicable copyright in the Work). + Notwithstanding the above, Licensor reserves the right to release the + Work under different license terms or to stop distributing the Work at + any time; provided, however that any such election will not serve to + withdraw this License (or any other license that has been, or is + required to be, granted under the terms of this License), and this + License will continue in full force and effect unless terminated as + stated above. + . + 8. 
Miscellaneous + . + Each time You Distribute or Publicly Perform the Work or a Collection, + the Licensor offers to the recipient a license to the Work on the same + terms and conditions as the license granted to You under this License. + Each time You Distribute or Publicly Perform an Adaptation, Licensor + offers to the recipient a license to the original Work on the same terms + and conditions as the license granted to You under this License. + If any provision of this License is invalid or unenforceable under + applicable law, it shall not affect the validity or enforceability of + the remainder of the terms of this License, and without further action + by the parties to this agreement, such provision shall be reformed to + the minimum extent necessary to make such provision valid and + enforceable. + No term or provision of this License shall be deemed waived and no + breach consented to unless such waiver or consent shall be in writing + and signed by the party to be charged with such waiver or consent. + This License constitutes the entire agreement between the parties with + respect to the Work licensed here. There are no understandings, + agreements or representations with respect to the Work not specified + here. Licensor shall not be bound by any additional provisions that may + appear in any communication from You. This License may not be modified + without the mutual written agreement of the Licensor and You. + The rights granted under, and the subject matter referenced, in this + License were drafted utilizing the terminology of the Berne Convention + for the Protection of Literary and Artistic Works (as amended on + September 28, 1979), the Rome Convention of 1961, the WIPO Copyright + Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and + the Universal Copyright Convention (as revised on July 24, 1971). 
These + rights and subject matter take effect in the relevant jurisdiction in + which the License terms are sought to be enforced according to the + corresponding provisions of the implementation of those treaty + provisions in the applicable national law. If the standard suite of + rights granted under applicable copyright law includes additional rights + not granted under this License, such additional rights are deemed to be + included in the License; this License is not intended to restrict the + license of any rights under applicable law. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libbind-dev.txt b/content/cumulus-linux-43/Whats-New/licenses/libbind-dev.txt new file mode 100644 index 0000000000..3b0579c5f2 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libbind-dev.txt 
@@ -0,0 +1,159 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: BIND +Upstream-Contact: Internet Systems Consortium +Source: https://ftp.isc.org/isc/bind9/ +Files-Excluded: contrib/idn + contrib/dnsperf-2.1.0.0-1 + contrib/nslint-3.0a2 + contrib/query-loc-0.4.0 + contrib/queryperf + contrib/zkt-1.1.3 + doc/arm/Bv9ARM.pdf + +Files: * +Copyright: 2004-2017, Internet Systems Consortium, Inc. ("ISC") + 1996-2003, Internet Software Consortium + 2012, Vadim Goncharov + 2009-2012, John Eaglesham + 2008, Damien Miller + 2004, 2008, Nominet, Ltd. + 2004, Masarykova universita + 1997-2003, Kungliga Tekniska Högskolan + 2002, Nuno M. Rodrigues. + 2002, Stichting NLnet, Netherlands + 2000-2002, Japan Network Information Center. + 2001, Jake Burkholder + 1996-2001, Nominum, Inc. + 1995-2000, Network Associates, Inc. + 2000, Aaron D. Gifford + 1999-2000, Nortel Networks Corporation + 1996, David Mazieres + 1993, Digital Equipment Corporation. + 1990, 1993, The Regents of the University of California. +License: ISC and BSD-2-clause and BSD-3-clause and BSD-4-clause + +Files: bin/tests/system/chain/ + doc/misc/docbook-options.pl +Copyright: 2016-2017, Internet Systems Consortium, Inc. ("ISC") +License: MPL-2.0 or ISC + +Files: unit/atf-src/ +Copyright: 2007-2012, The NetBSD Foundation, Inc. +License: BSD-2-clause + +Files: contrib/idn/ +Copyright: 2000-2002, Japan Network Information Center +License: BSD-4-clause + +Files: debian/ +Copyright: 2007-2017 LaMont Jones + 2013-2017 Michael Gilbert + 2017 Ondřej Surý + 2008-2016 Jamie Strandboge +License: ISC or MPL-2.0 + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . 
+ THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + PERFORMANCE OF THIS SOFTWARE. + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY + WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. 
Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY + WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +License: BSD-4-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. 
All advertising materials mentioning features or use of this + software must display the following acknowledgement: This product + includes software developed by the the organization . + . + 4. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY COPYRIGHT HOLDER "AS IS" AND ANY EXPRESS + OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: MPL-2.0 + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. + . + On Debian systems, the full copy of MPL-2.0 can be found at + /usr/share/common-licenses/MPL-2.0 diff --git a/content/cumulus-linux-43/Whats-New/licenses/libcbor0.txt b/content/cumulus-linux-43/Whats-New/licenses/libcbor0.txt new file mode 100644 index 0000000000..7e91b4b407 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libcbor0.txt 
@@ -0,0 +1,54 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: libcbor +Source: https://github.com/PJK/libcbor +Files-Excluded: docs/doxygen + +Files: * +Copyright: Copyright (c) Pavel Kalvoda, 2014-2017 +License: Expat + +Files: src/cbor/internal/unicode.c +Copyright: (c) Pavel Kalvoda, 2014, 2015 + (c) 2008-2009 Bjoern Hoehrmann +License: Expat + +Files: docs/stylesheets/github-light.css +Copyright: 2014 GitHub Inc +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the full license can be found in + /usr/share/common-licenses/Apache-2.0. + +Files: debian/* +Copyright: 2015 Vincent Bernat +License: Expat + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . 
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss-dbgsym.txt b/content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss-dbgsym.txt new file mode 100644 index 0000000000..79b92944ca --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss-dbgsym.txt @@ -0,0 +1 @@ +libcurl3-nss-dbgsym has no copyright file diff --git a/content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss.txt b/content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss.txt new file mode 100644 index 0000000000..fa6f07daa9 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libcurl3-nss.txt 
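Review bot: the one-line hunk for libcurl3-nss-dbgsym.txt adds only "libcurl3-nss-dbgsym has no copyright file", so the published license page for that package carries no license terms at all. A -dbgsym package holds the debug symbols of the package it is named after, so this file should point the reader to libcurl3-nss.txt (added in the same patch) instead of leaving a dead end.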
@@ -0,0 +1,241 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: curl +Source: http://curl.haxx.se + +Files: * +Copyright: 1996-2015, Daniel Stenberg +License: curl + +Files: lib/vtls/darwinssl.* +Copyright: 2012-2014, Nick Zitzmann + 2012-2015, Daniel Stenberg +License: curl + +Files: lib/curl_rtmp.* +Copyright: 2010, Howard Chu +License: curl + +Files: lib/vtls/schannel.* +Copyright: 2012-2014, Marc Hoersken + 2012, Mark Salisbury + 2012-2015, Daniel Stenberg +License: curl + +Files: lib/inet_pton.c + lib/inet_ntop.c +Copyright: 1996-2001 Internet Software Consortium +License: ISC + +Files: lib/krb5.c + lib/security.c +Copyright: 2004-2015 Daniel Stenberg + 1995-1999 Kungliga Tekniska Högskolan +License: BSD-3-Clause + +Files: lib/md4.c +Copyright: 2001, Solar Designer +License: public-domain + +Files: lib/openldap.* +Copyright: 2011-2015, Daniel Stenberg + 2010, Howard Chu +License: curl + +Files: lib/vtls/polarssl.* +Copyright: 2010-2011, Hoi-Ho Chan + 2012-2015, Daniel Stenberg +License: curl + +Files: lib/socks_gssapi.c + lib/socks_sspi.* +Copyright: 2009, 2011, Markus Moeller, + 2012-2015, Daniel Stenberg, +License: curl + +Files: tests/certs/scripts/genroot.sh + tests/certs/scripts/genserv.sh +Copyright: 2000-2009, EdelWeb for EdelKey and OpenEvidence +License: curl + +Files: tests/server/tftpd.c +Copyright: 1983 Regents of the University of California +License: BSD-4-Clause + +Files: tests/server/fake_ntlm.c +Copyright: 2010, Mandy Wu + 2011-2013, Daniel Stenberg +License: curl + +Files: docs/examples/fopen.c +Copyright: 2003, Simtec Electronics +License: BSD-3-Clause + +Files: docs/examples/rtsp.c +Copyright: 2011, Jim Hollinger +License: BSD-3-Clause + +Files: docs/examples/curlgtk.c +Copyright: 2003, The OpenEvidence Project +License: curl + +Files: docs/examples/curlx.c +Copyright: 2003, The OpenEvidence Project +License: other + Redistribution and use in source and binary forms, with or without + 
modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions, the following disclaimer, + and the original OpenSSL and SSLeay Licences below. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions, the following disclaimer + and the original OpenSSL and SSLeay Licences below in + the documentation and/or other materials provided with the + distribution. + . + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgments: + "This product includes software developed by the Openevidence Project + for use in the OpenEvidence Toolkit. (http://www.openevidence.org/)" + This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit (http://www.openssl.org/)" + This product includes cryptographic software written by Eric Young + (eay@cryptsoft.com). This product includes software written by Tim + Hudson (tjh@cryptsoft.com)." + . + 4. The names "OpenEvidence Toolkit" and "OpenEvidence Project" must not be + used to endorse or promote products derived from this software without + prior written permission. For written permission, please contact + openevidence-core@openevidence.org. + . + 5. Products derived from this software may not be called "OpenEvidence" + nor may "OpenEvidence" appear in their names without prior written + permission of the OpenEvidence Project. + . + 6. Redistributions of any form whatsoever must retain the following + acknowledgments: + "This product includes software developed by the OpenEvidence Project + for use in the OpenEvidence Toolkit (http://www.openevidence.org/) + This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit (http://www.openssl.org/)" + This product includes cryptographic software written by Eric Young + (eay@cryptsoft.com). 
This product includes software written by Tim + Hudson (tjh@cryptsoft.com)." + . + THIS SOFTWARE IS PROVIDED BY THE OpenEvidence PROJECT ``AS IS'' AND ANY + EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenEvidence PROJECT OR + ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +Files: src/macos/src/macos_main.cpp +Copyright: 2001, Eric Lavigne +License: other + Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following restrictions: - The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from defects in it. - The origin of this software must not be misrepresented, either by explicit claim or by omission. - You are allowed to distributed modified copies of the software, in source and binary form, provided they are marked plainly as altered versions, and are not misrepresented as being the original software. + +Files: debian/* +Copyright: 2000-2010, Domenico Andreoli + 2010-2011, Ramakrishnan Muthukrishnan + 2011, Alessandro Ghedini +License: curl + +License: curl + All rights reserved. + . + Permission to use, copy, modify, and distribute this software for any purpose + with or without fee is hereby granted, provided that the above copyright + notice and this permission notice appear in all copies. + . 
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN + NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE + OR OTHER DEALINGS IN THE SOFTWARE. + . + Except as contained in this notice, the name of a copyright holder shall not + be used in advertising or otherwise to promote the sale, use or other dealings + in this Software without prior written authorization of the copyright holder. + +License: BSD-3-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: BSD-4-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + 4. Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libcurl4-doc.txt b/content/cumulus-linux-43/Whats-New/licenses/libcurl4-doc.txt new file mode 100644 index 0000000000..fa6f07daa9 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libcurl4-doc.txt 
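Review bot: in the libcurl3-nss.txt hunk, the stanza headed "License: BSD-4-Clause" has two non-endorsement conditions (3 and 4, both beginning "Neither the name of") and no advertising-acknowledgement condition, so the text under that label is in substance the three-clause licence, while tests/server/tftpd.c is assigned to it. Compare the stanza with the copyright file shipped in the package before merging; if it matches, keep it verbatim, and if it was altered on import, restore the packaged wording.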
@@ -0,0 +1,241 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: curl +Source: http://curl.haxx.se + +Files: * +Copyright: 1996-2015, Daniel Stenberg +License: curl + +Files: lib/vtls/darwinssl.* +Copyright: 2012-2014, Nick Zitzmann + 2012-2015, Daniel Stenberg +License: curl + +Files: lib/curl_rtmp.* +Copyright: 2010, Howard Chu +License: curl + +Files: lib/vtls/schannel.* +Copyright: 2012-2014, Marc Hoersken + 2012, Mark Salisbury + 2012-2015, Daniel Stenberg +License: curl + +Files: lib/inet_pton.c + lib/inet_ntop.c +Copyright: 1996-2001 Internet Software Consortium +License: ISC + +Files: lib/krb5.c + lib/security.c +Copyright: 2004-2015 Daniel Stenberg + 1995-1999 Kungliga Tekniska Högskolan +License: BSD-3-Clause + +Files: lib/md4.c +Copyright: 2001, Solar Designer +License: public-domain + +Files: lib/openldap.* +Copyright: 2011-2015, Daniel Stenberg + 2010, Howard Chu +License: curl + +Files: lib/vtls/polarssl.* +Copyright: 2010-2011, Hoi-Ho Chan + 2012-2015, Daniel Stenberg +License: curl + +Files: lib/socks_gssapi.c + lib/socks_sspi.* +Copyright: 2009, 2011, Markus Moeller, + 2012-2015, Daniel Stenberg, +License: curl + +Files: tests/certs/scripts/genroot.sh + tests/certs/scripts/genserv.sh +Copyright: 2000-2009, EdelWeb for EdelKey and OpenEvidence +License: curl + +Files: tests/server/tftpd.c +Copyright: 1983 Regents of the University of California +License: BSD-4-Clause + +Files: tests/server/fake_ntlm.c +Copyright: 2010, Mandy Wu + 2011-2013, Daniel Stenberg +License: curl + +Files: docs/examples/fopen.c +Copyright: 2003, Simtec Electronics +License: BSD-3-Clause + +Files: docs/examples/rtsp.c +Copyright: 2011, Jim Hollinger +License: BSD-3-Clause + +Files: docs/examples/curlgtk.c +Copyright: 2003, The OpenEvidence Project +License: curl + +Files: docs/examples/curlx.c +Copyright: 2003, The OpenEvidence Project +License: other + Redistribution and use in source and binary forms, with or without + 
modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions, the following disclaimer, + and the original OpenSSL and SSLeay Licences below. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions, the following disclaimer + and the original OpenSSL and SSLeay Licences below in + the documentation and/or other materials provided with the + distribution. + . + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgments: + "This product includes software developed by the Openevidence Project + for use in the OpenEvidence Toolkit. (http://www.openevidence.org/)" + This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit (http://www.openssl.org/)" + This product includes cryptographic software written by Eric Young + (eay@cryptsoft.com). This product includes software written by Tim + Hudson (tjh@cryptsoft.com)." + . + 4. The names "OpenEvidence Toolkit" and "OpenEvidence Project" must not be + used to endorse or promote products derived from this software without + prior written permission. For written permission, please contact + openevidence-core@openevidence.org. + . + 5. Products derived from this software may not be called "OpenEvidence" + nor may "OpenEvidence" appear in their names without prior written + permission of the OpenEvidence Project. + . + 6. Redistributions of any form whatsoever must retain the following + acknowledgments: + "This product includes software developed by the OpenEvidence Project + for use in the OpenEvidence Toolkit (http://www.openevidence.org/) + This product includes software developed by the OpenSSL Project + for use in the OpenSSL Toolkit (http://www.openssl.org/)" + This product includes cryptographic software written by Eric Young + (eay@cryptsoft.com). 
This product includes software written by Tim + Hudson (tjh@cryptsoft.com)." + . + THIS SOFTWARE IS PROVIDED BY THE OpenEvidence PROJECT ``AS IS'' AND ANY + EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenEvidence PROJECT OR + ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +Files: src/macos/src/macos_main.cpp +Copyright: 2001, Eric Lavigne +License: other + Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following restrictions: - The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from defects in it. - The origin of this software must not be misrepresented, either by explicit claim or by omission. - You are allowed to distributed modified copies of the software, in source and binary form, provided they are marked plainly as altered versions, and are not misrepresented as being the original software. + +Files: debian/* +Copyright: 2000-2010, Domenico Andreoli + 2010-2011, Ramakrishnan Muthukrishnan + 2011, Alessandro Ghedini +License: curl + +License: curl + All rights reserved. + . + Permission to use, copy, modify, and distribute this software for any purpose + with or without fee is hereby granted, provided that the above copyright + notice and this permission notice appear in all copies. + . 
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN + NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE + OR OTHER DEALINGS IN THE SOFTWARE. + . + Except as contained in this notice, the name of a copyright holder shall not + be used in advertising or otherwise to promote the sale, use or other dealings + in this Software without prior written authorization of the copyright holder. + +License: BSD-3-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: BSD-4-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + 4. Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libfido2-1.txt b/content/cumulus-linux-43/Whats-New/licenses/libfido2-1.txt new file mode 100644 index 0000000000..f1469c1089 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libfido2-1.txt 
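Review bot: libcurl4-doc.txt is added with the same blob as libcurl3-nss.txt (both headers read "index 0000000000..fa6f07daa9" and both hunks are "@@ -0,0 +1,241 @@"), so the patch stores two identical 241-line copies that will drift if only one is corrected later. If these per-package files are generated, say so in the commit message and name the generator; if they are maintained by hand, keep one copy per source package and have the other package names refer to it.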
@@ -0,0 +1,91 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: libfido2 +Upstream-Contact: Yubico Open Source Maintainers +Source: https://github.com/yubico/libfido2 + +Files: * +Copyright: 2018-2019 Yubico AB +License: BSD-2-clause + +Files: debian/* +Copyright: 2018-2019 Yubico AB + 2020 nicoo +License: BSD-2-clause + +Files: openbsd-compat/strlcpy.c openbsd-compat/strlcat.c +Copyright: 1998 Todd C. Miller +License: ISC + +Files: openbsd-compat/timingsafe_bcmp.c +Copyright: 2010 Damien Miller +License: ISC + +Files: + openbsd-compat/bsd-getpagesize.c + openbsd-compat/err.h + openbsd-compat/explicit_bzero.c + openbsd-compat/explicit_bzero_win32.c + openbsd-compat/types.h +Copyright: Public domain +License: public-domain + +Files: openbsd-compat/recallocarray.c +Copyright: 2008, 2017 Otto Moerbeek +License: ISC + +Files: openbsd-compat/readpassphrase.h +Copyright: 2000, 2002 Todd C. Miller +License: ISC + +Files: openbsd-compat/readpassphrase.c +Copyright: 2000-2002, 2007, 2010 Todd C. Miller +License: ISC + +Files: openbsd-compat/getopt.h +Copyright: 2000 The NetBSD Foundation, Inc. All rights reserved. +License: BSD-2-clause + +Files: openbsd-compat/getopt_long.c +Copyright: 2002 Todd C. Miller + 2000 The NetBSD Foundation, Inc. All rights reserved. +License: ISC and BSD-2-clause + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + . 
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: public-domain + Public domain. + +License: ISC + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libkrb5-dbg.txt b/content/cumulus-linux-43/Whats-New/licenses/libkrb5-dbg.txt new file mode 100644 index 0000000000..a36e7d2e5e --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libkrb5-dbg.txt 
@@ -0,0 +1,1338 @@ +This package was debianized by Sam Hartman on +Thu, 19 Oct 2000 16:05:06 -0400. + +It was downloaded from: + + + +Upstream Maintainers: + + MIT Kerberos Team + +Copyright: + +Copyright (C) 1985-2018 by the Massachusetts Institute of Technology. + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +* Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +Downloading of this software may constitute an export of cryptographic +software from the United States of America that is subject to the +United States Export Administration Regulations (EAR), 15 CFR 730-774. +Additional laws or regulations may apply. It is the responsibility of +the person or entity contemplating export to comply with all +applicable export laws and regulations, including obtaining any +required license from the U.S. 
government. + +The U.S. government prohibits export of encryption source code to +certain countries and individuals, including, but not limited to, the +countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and +nationals of those countries. + +Documentation components of this software distribution are licensed +under a Creative Commons Attribution-ShareAlike 3.0 Unported License. +(http://creativecommons.org/licenses/by-sa/3.0/) + +Individual source code files are copyright MIT, Cygnus Support, +Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, +FundsXpress, and others. + +Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, +and Zephyr are trademarks of the Massachusetts Institute of Technology +(MIT). No commercial use of these trademarks may be made without +prior written permission of MIT. + +"Commercial use" means use of a name in a product or other for-profit +manner. It does NOT prevent a commercial firm from referring to the +MIT trademarks in order to convey information (although in doing so, +recognition of their trademark status should be given). + +====================================================================== + +The following copyright and permission notice applies to the +OpenVision Kerberos Administration system located in "kadmin/create", +"kadmin/dbutil", "kadmin/passwd", "kadmin/server", "lib/kadm5", and +portions of "lib/rpc": + + Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights + Reserved + + WARNING: Retrieving the OpenVision Kerberos Administration system + source code, as described below, indicates your acceptance of the + following terms. If you do not agree to the following terms, do + not retrieve the OpenVision Kerberos administration system. 
+ + You may freely use and distribute the Source Code and Object Code + compiled from it, with or without modification, but this Source + Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, + INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR + FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER + EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY + FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR + CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, + WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE + CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY + OTHER REASON. + + OpenVision retains all copyrights in the donated Source Code. + OpenVision also retains copyright to derivative works of the Source + Code, whether created by OpenVision or by a third party. The + OpenVision copyright notice must be preserved if derivative works + are made based on the donated Source Code. + + OpenVision Technologies, Inc. has donated this Kerberos + Administration system to MIT for inclusion in the standard Kerberos + 5 distribution. This donation underscores our commitment to + continuing Kerberos technology development and our gratitude for + the valuable work which has been performed by MIT and the Kerberos + community. + +====================================================================== + + Portions contributed by Matt Crawford "crawdad@fnal.gov" were work + performed at Fermi National Accelerator Laboratory, which is + operated by Universities Research Association, Inc., under contract + DE-AC02-76CHO3000 with the U.S. Department of Energy. + +====================================================================== + +Portions of "src/lib/crypto" have the following copyright: + + Copyright (C) 1998 by the FundsXpress, INC. + + All rights reserved. 
+ + Export of this software from the United States of America may + require a specific license from the United States Government. + It is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of FundsXpress. not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. FundsXpress makes no representations + about the suitability of this software for any purpose. It is + provided "as is" without express or implied warranty. + + THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +====================================================================== + +The implementation of the AES encryption algorithm in +"src/lib/crypto/builtin/aes" has the following copyright: + + Copyright (C) 2001, Dr Brian Gladman "brg@gladman.uk.net", Worcester, UK. + All rights reserved. + + LICENSE TERMS + + The free distribution and use of this software in both source and + binary form is allowed (with or without changes) provided that: + + 1. distributions of this source code include the above copyright + notice, this list of conditions and the following disclaimer; + + 2. distributions in binary form include the above copyright notice, + this list of conditions and the following disclaimer in the + documentation and/or other associated materials; + + 3. 
the copyright holder's name is not used to endorse products + built using this software without specific written permission. + + DISCLAIMER + + This software is provided 'as is' with no explcit or implied + warranties in respect of any properties, including, but not limited + to, correctness and fitness for purpose. + +====================================================================== + +Portions contributed by Red Hat, including the pre-authentication +plug-in framework and the NSS crypto implementation, contain the +following copyright: + + Copyright (C) 2006 Red Hat, Inc. + Portions copyright (C) 2006 Massachusetts Institute of Technology + All Rights Reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + * Neither the name of Red Hat, Inc., nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +The bundled verto source code is subject to the following license: + + Copyright 2011 Red Hat, Inc. + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT + HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + +====================================================================== + +The MS-KKDCP client implementation has the following copyright: + + Copyright 2013,2014 Red Hat, Inc. 
+ + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +====================================================================== + +The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in +"src/lib/gssapi", including the following files: + + lib/gssapi/generic/gssapi_err_generic.et + lib/gssapi/mechglue/g_accept_sec_context.c + lib/gssapi/mechglue/g_acquire_cred.c + lib/gssapi/mechglue/g_canon_name.c + lib/gssapi/mechglue/g_compare_name.c + lib/gssapi/mechglue/g_context_time.c + lib/gssapi/mechglue/g_delete_sec_context.c + lib/gssapi/mechglue/g_dsp_name.c + lib/gssapi/mechglue/g_dsp_status.c + lib/gssapi/mechglue/g_dup_name.c + lib/gssapi/mechglue/g_exp_sec_context.c + lib/gssapi/mechglue/g_export_name.c + lib/gssapi/mechglue/g_glue.c + lib/gssapi/mechglue/g_imp_name.c + lib/gssapi/mechglue/g_imp_sec_context.c + lib/gssapi/mechglue/g_init_sec_context.c + lib/gssapi/mechglue/g_initialize.c + lib/gssapi/mechglue/g_inquire_context.c + lib/gssapi/mechglue/g_inquire_cred.c + lib/gssapi/mechglue/g_inquire_names.c + lib/gssapi/mechglue/g_process_context.c + lib/gssapi/mechglue/g_rel_buffer.c + lib/gssapi/mechglue/g_rel_cred.c + lib/gssapi/mechglue/g_rel_name.c + lib/gssapi/mechglue/g_rel_oid_set.c + lib/gssapi/mechglue/g_seal.c + lib/gssapi/mechglue/g_sign.c + lib/gssapi/mechglue/g_store_cred.c + lib/gssapi/mechglue/g_unseal.c + lib/gssapi/mechglue/g_userok.c + lib/gssapi/mechglue/g_utils.c + lib/gssapi/mechglue/g_verify.c + lib/gssapi/mechglue/gssd_pname_to_uid.c + lib/gssapi/mechglue/mglueP.h + lib/gssapi/mechglue/oid_ops.c + lib/gssapi/spnego/gssapiP_spnego.h + lib/gssapi/spnego/spnego_mech.c + +and the initial implementation of incremental propagation, including +the following new or changed files: + + include/iprop_hdr.h + kadmin/server/ipropd_svc.c + lib/kdb/iprop.x + lib/kdb/kdb_convert.c + lib/kdb/kdb_log.c + lib/kdb/kdb_log.h + lib/krb5/error_tables/kdb5_err.et + slave/kpropd_rpc.c + slave/kproplog.c + +are subject to the following license: + + Copyright (C) 2004 Sun Microsystems, Inc. 
+ + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +====================================================================== + +Kerberos V5 includes documentation and software developed at the +University of California at Berkeley, which includes this copyright +notice: + + Copyright (C) 1983 Regents of the University of California. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. 
Neither the name of the University nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +Portions contributed by Novell, Inc., including the LDAP database +backend, are subject to the following license: + + Copyright (C) 2004-2005, Novell, Inc. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + * The copyright holder's name is not used to endorse or promote + products derived from this software without specific prior + written permission. 
+ + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +Portions funded by Sandia National Laboratory and developed by the +University of Michigan's Center for Information Technology +Integration, including the PKINIT implementation, are subject to the +following license: + + COPYRIGHT (C) 2006-2007 + THE REGENTS OF THE UNIVERSITY OF MICHIGAN + ALL RIGHTS RESERVED + + Permission is granted to use, copy, create derivative works and + redistribute this software and such derivative works for any + purpose, so long as the name of The University of Michigan is not + used in any advertising or publicity pertaining to the use of + distribution of this software without specific, written prior + authorization. If the above copyright notice or any other + identification of the University of Michigan is included in any + copy of any portion of this software, then the disclaimer below + must also be included. 
+ + THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE + UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND + WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER + EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR + ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR + CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR + IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR + IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +====================================================================== + +The pkcs11.h file included in the PKINIT code has the following +license: + + Copyright 2006 g10 Code GmbH + Copyright 2006 Andreas Jellinghaus + + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. + +====================================================================== + +Portions contributed by Apple Inc. are subject to the following +license: + + Copyright 2004-2008 Apple Inc. All Rights Reserved. + + Export of this software from the United States of America may + require a specific license from the United States Government. + It is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. 
+ + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of Apple Inc. not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. Apple Inc. makes no representations + about the suitability of this software for any purpose. It is + provided "as is" without express or implied warranty. + + THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +====================================================================== + +The implementations of UTF-8 string handling in src/util/support and +src/lib/krb5/unicode are subject to the following copyright and +permission notice: + + The OpenLDAP Public License + Version 2.8, 17 August 2003 + + Redistribution and use of this software and associated + documentation ("Software"), with or without modification, are + permitted provided that the following conditions are met: + + 1. Redistributions in source form must retain copyright statements + and notices, + + 2. Redistributions in binary form must reproduce applicable + copyright statements and notices, this list of conditions, and + the following disclaimer in the documentation and/or other + materials provided with the distribution, and + + 3. Redistributions must contain a verbatim copy of this document. + + The OpenLDAP Foundation may revise this license from time to time. + Each revision is distinguished by a version number. You may use + this Software under terms of this license revision or under the + terms of any subsequent revision of the license. 
+ + THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS + CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS + CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. + + The names of the authors and copyright holders must not be used in + advertising or otherwise to promote the sale, use or other dealing + in this Software without specific, written prior permission. Title + to copyright in this Software shall at all times remain with + copyright holders. + + OpenLDAP is a registered trademark of the OpenLDAP Foundation. + + Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, + California, USA. All Rights Reserved. Permission to copy and + distribute verbatim copies of this document is granted. + +====================================================================== + +Marked test programs in src/lib/krb5/krb have the following copyright: + + Copyright (C) 2006 Kungliga Tekniska Högskola + (Royal Institute of Technology, Stockholm, Sweden). + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. 
Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of KTH nor the names of its contributors may be + used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +The KCM Mach RPC definition file used on OS X has the following +copyright: + + Copyright (C) 2009 Kungliga Tekniska Högskola + (Royal Institute of Technology, Stockholm, Sweden). + All rights reserved. + + Portions Copyright (C) 2009 Apple Inc. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. 
Neither the name of the Institute nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +Portions of the RPC implementation in src/lib/rpc and +src/include/gssrpc have the following copyright and permission notice: + + Copyright (C) 2010, Oracle America, Inc. + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of the "Oracle America, Inc." nor the names of + its contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. 
+ + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + + Copyright (C) 2006,2007,2009 NTT (Nippon Telegraph and Telephone + Corporation). All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer as + the first lines of this file unmodified. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + + Copyright 2000 by Carnegie Mellon University + + All Rights Reserved + + Permission to use, copy, modify, and distribute this software and + its documentation for any purpose and without fee is hereby + granted, provided that the above copyright notice appear in all + copies and that both that copyright notice and this permission + notice appear in supporting documentation, and that the name of + Carnegie Mellon University not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. + + CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE + FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + SOFTWARE. 
+ +====================================================================== + + Copyright (C) 2002 Naval Research Laboratory (NRL/CCS) + + Permission to use, copy, modify and distribute this software and + its documentation is hereby granted, provided that both the + copyright notice and this permission notice appear in all copies of + the software, derivative works or modified versions, and any + portions thereof. + + NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" CONDITION AND + DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER + RESULTING FROM THE USE OF THIS SOFTWARE. + +====================================================================== + +Portions extracted from Internet RFCs have the following copyright +notice: + + Copyright (C) The Internet Society (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on + an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE + REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT + THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR + ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A + PARTICULAR PURPOSE. + +====================================================================== + + Copyright (C) 1991, 1992, 1994 by Cygnus Support. + + Permission to use, copy, modify, and distribute this software and + its documentation for any purpose and without fee is hereby + granted, provided that the above copyright notice appear in all + copies and that both that copyright notice and this permission + notice appear in supporting documentation. Cygnus Support makes no + representations about the suitability of this software for any + purpose. 
It is provided "as is" without express or implied + warranty. + +====================================================================== + + Copyright (C) 2006 Secure Endpoints Inc. + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +====================================================================== + +Portions of the implementation of the Fortuna-like PRNG are subject to +the following notice: + + Copyright (C) 2005 Marko Kreen + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. 
+ + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + + Copyright (C) 1994 by the University of Southern California + + EXPORT OF THIS SOFTWARE from the United States of America may + require a specific license from the United States Government. It + is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute + this software and its documentation in source and binary forms is + hereby granted, provided that any documentation or other materials + related to such distribution or use acknowledge that the software + was developed by the University of Southern California. + + DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED "AS IS". The + University of Southern California MAKES NO REPRESENTATIONS OR + WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not + limitation, the University of Southern California MAKES NO + REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY + PARTICULAR PURPOSE. The University of Southern California shall not + be held liable for any liability nor for any direct, indirect, or + consequential damages with respect to any claim by the user or + distributor of the ksu software. 
+ +====================================================================== + + Copyright (C) 1995 + The President and Fellows of Harvard University + + This code is derived from software contributed to Harvard by Jeremy + Rassen. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgement: + + This product includes software developed by the University of + California, Berkeley and its contributors. + + 4. Neither the name of the University nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. 
+ +====================================================================== + + Copyright (C) 2008 by the Massachusetts Institute of Technology. + Copyright 1995 by Richard P. Basch. All Rights Reserved. + Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. + + Export of this software from the United States of America may + require a specific license from the United States Government. It + is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of Richard P. Basch, Lehman Brothers and M.I.T. not be + used in advertising or publicity pertaining to distribution of the + software without specific, written prior permission. Richard P. + Basch, Lehman Brothers and M.I.T. make no representations about the + suitability of this software for any purpose. It is provided "as + is" without express or implied warranty. + +====================================================================== + +The following notice applies to "src/lib/krb5/krb/strptime.c" and +"src/include/k5-queue.h". + + Copyright (C) 1997, 1998 The NetBSD Foundation, Inc. + All rights reserved. + + This code was contributed to The NetBSD Foundation by Klaus Klein. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. 
Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. All advertising materials mentioning features or use of this + software must display the following acknowledgement: + + This product includes software developed by the NetBSD + Foundation, Inc. and its contributors. + + 4. Neither the name of The NetBSD Foundation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND + CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. 
+ +====================================================================== + +The following notice applies to Unicode library files in +"src/lib/krb5/unicode": + + Copyright 1997, 1998, 1999 Computing Research Labs, + New Mexico State University + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, copy, + modify, merge, publish, distribute, sublicense, and/or sell copies + of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR + NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE + OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +====================================================================== + +The following notice applies to "src/util/support/strlcpy.c": + + Copyright (C) 1998 Todd C. Miller "Todd.Miller@courtesan.com" + + Permission to use, copy, modify, and distribute this software for + any purpose with or without fee is hereby granted, provided that + the above copyright notice and this permission notice appear in all + copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL + WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR + CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS + OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +====================================================================== + +The following notice applies to "src/util/profile/argv_parse.c" and +"src/util/profile/argv_parse.h": + + Copyright 1999 by Theodore Ts'o. + + Permission to use, copy, modify, and distribute this software for + any purpose with or without fee is hereby granted, provided that + the above copyright notice and this permission notice appear in all + copies. THE SOFTWARE IS PROVIDED "AS IS" AND THEODORE TS'O (THE + AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN + NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER + RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR + IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't + it sick that the U.S. culture of lawsuit-happy lawyers requires + this kind of disclaimer?) + +====================================================================== + +The following notice applies to SWIG-generated code in +"src/util/profile/profile_tcl.c": + + Copyright (C) 1999-2000, The University of Chicago + + This file may be freely redistributed without license or fee + provided this copyright message remains intact. + +====================================================================== + +The following notice applies to portiions of "src/lib/rpc" and +"src/include/gssrpc": + + Copyright (C) 2000 The Regents of the University of Michigan. All + rights reserved. 
+ + Copyright (C) 2000 Dug Song "dugsong@UMICH.EDU". All rights + reserved, all wrongs reversed. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of the University nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. + +====================================================================== + +Implementations of the MD4 algorithm are subject to the following +notice: + + Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD4 Message Digest + Algorithm" in all material mentioning or referencing this software + or this function. 
+ + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD4 Message Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + +====================================================================== + +Implementations of the MD5 algorithm are subject to the following +notice: + + Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message- Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + +====================================================================== + +The following notice applies to +"src/lib/crypto/crypto_tests/t_mddriver.c": + + Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All + rights reserved. + + RSA Data Security, Inc. 
makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" without + express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + +====================================================================== + +Portions of "src/lib/krb5" are subject to the following notice: + + Copyright (C) 1994 CyberSAFE Corporation. + Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. + All Rights Reserved. + + Export of this software from the United States of America may + require a specific license from the United States Government. It + is the responsibility of any person or organization + contemplating export to obtain such a license before exporting. + + WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + distribute this software and its documentation for any purpose and + without fee is hereby granted, provided that the above copyright + notice appear in all copies and that both that copyright notice and + this permission notice appear in supporting documentation, and that + the name of M.I.T. not be used in advertising or publicity + pertaining to distribution of the software without specific, + written prior permission. Furthermore if you modify this software + you must label your software as modified software and not + distribute it in such a fashion that it might be confused with the + original M.I.T. software. Neither M.I.T., the Open Computing + Security Group, nor CyberSAFE Corporation make any representations + about the suitability of this software for any purpose. It is + provided "as is" without express or implied warranty. + +====================================================================== + +Portions contributed by PADL Software are subject to the following +license: + + Copyright (c) 2011, PADL Software Pty Ltd. 
All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + 3. Neither the name of PADL Software nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE + OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +====================================================================== + +The bundled libev source code is subject to the following license: + + All files in libev are Copyright (C)2007,2008,2009 Marc Alexander + Lehmann. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. 
+ + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + + Alternatively, the contents of this package may be used under the + terms of the GNU General Public License ("GPL") version 2 or any + later version, in which case the provisions of the GPL are + applicable instead of the above. If you wish to allow the use of + your version of this package only under the terms of the GPL and + not to allow others to use your version of this file under the BSD + license, indicate your decision by deleting the provisions above + and replace them with the notice and other provisions required by + the GPL in this and the other files of this package. If you do not + delete the provisions above, a recipient may use your version of + this file under either the BSD or the GPL. + + On Debian systems, the complete text of the GNU General Public License + version 2 can be found in `/usr/share/common-licenses/GPL-2'. 
+ +====================================================================== + +Files copied from the Intel AESNI Sample Library are subject to the +following license: + + Copyright (C) 2010, Intel Corporation + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + * Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +The following notice applies to +"src/ccapi/common/win/OldCC/autolock.hxx": + + Copyright (C) 1998 by Danilo Almeida. All rights reserved. 
+ + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +The Debian Packaging is licensed under the same terms as MIT Kerberos. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libncursesw6-dbg.txt b/content/cumulus-linux-43/Whats-New/licenses/libncursesw6-dbg.txt new file mode 100644 index 0000000000..9ad8f1a1f2 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libncursesw6-dbg.txt @@ -0,0 +1 @@ +libncursesw6-dbg has no copyright file diff --git a/content/cumulus-linux-43/Whats-New/licenses/libnginx-mod-rtmp.txt b/content/cumulus-linux-43/Whats-New/licenses/libnginx-mod-rtmp.txt new file mode 100644 index 0000000000..66a44d870a --- /dev/null 
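Review bot: libncursesw6-dbg.txt is added with the single line "libncursesw6-dbg has no copyright file", so the licenses directory publishes a file for this package that carries no license terms. Suggest either replacing the placeholder with the copyright text that actually governs the package, or dropping the file and recording packages without a copyright file in one list, so that a reader auditing the shipped licenses does not mistake the placeholder for a license.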
+++ b/content/cumulus-linux-43/Whats-New/licenses/libnginx-mod-rtmp.txt 
@@ -0,0 +1,201 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: nginx +Source: https://nginx.org/en/download.html + +Files: * +Copyright: 2002-2014 Igor Sysoev + 2011-2014 Nginx, Inc. + Maxim Dounin + Valentin V. Bartenev + Roman Arutyunyan + Ruslan Ermilov +License: BSD-2-clause + +Files: src/core/ngx_murmurhash.c +Copyright: Copyright (C) Austin Appleby +License: BSD-2-clause + +Files: src/http/modules/ngx_http_scgi_module.c + src/http/modules/ngx_http_uwsgi_module.c +Copyright: Copyright (C) Igor Sysoev + Copyright (C) Nginx, Inc. + 2009-2010 Unbit S.a.s. + 2008 Manlio Perillo (manlio.perillo@gmail.com) +License: BSD-2-clause + +Files: contrib/geo2nginx.pl +Copyright: 2005, Andrei Nigmatulin +License: BSD-2-clause + +Files: debian/* +Copyright: 2007-2009, Fabio Tranchitella + 2008, Jose Parrella + 2009-2014, Kartik Mistry + 2010-2014, Michael Lustfield + 2011 Dmitry E. Oboukhov + 2011-2013, Cyril Lavier + 2013-2016, Christos Trochalakis +License: BSD-2-clause + +Files: debian/modules/http-headers-more-filter/* +Copyright: Copyright (c) 2009-2014, Yichun "agentzh" Zhang (章亦春) , CloudFlare Inc. + Copyright (c) 2010-2013, Bernd Dorn + Copyright (c) Igor Sysoev +License: BSD-2-clause + +Files: debian/modules/http-ndk/* +Copyright: Marcus Clyne +License: BSD-3-clause + +Files: debian/modules/http-ndk/src/hash/md5.h + debian/modules/http-ndk/src/hash/sha.h +Copyright: Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) +License: BSD-4-clause + +Files: debian/modules/http-auth-pam/* +Copyright: 2008-2013, Sergio Talens Oliag +License: BSD-2-clause + +Files: debian/modules/http-echo/* +Copyright: Copyright (c) 2009-2014, Yichun "agentzh" Zhang +License: BSD-2-clause + +Files: debian/modules/http-lua/* +Copyright: Copyright (C) 2009-2014, by Xiaozhe Wang (chaoslawful) . + Copyright (C) 2009-2014, by Yichun "agentzh" Zhang (章亦春) , CloudFlare Inc. 
+License: BSD-2-clause + +Files: debian/modules/http-upstream-fair/* +Copyright: Copyright (c) 2007 Grzegorz Nosek + Igor Sysoev +License: BSD-2-clause + +Files: debian/modules/nchan/* +Copyright: 2009-2016 Leo Ponomarev +License: MIT + +Files: debian/modules/nchan/src/store/redis/cmp.* +Copyright: 2015 Charles Gunyon +License: MIT + +Files: debian/modules/http-uploadprogress/* +Copyright: Brice Figureau + 2002-2007, Igor Sysoev +License: BSD-2-clause + +Files: debian/modules/http-cache-purge/* +Copyright: 2009-2012, FRiCKLE , + 2009-2012, Piotr Sikora +License: BSD-2-clause + +Files: debian/modules/http-dav-ext/* +Copyright: Arutyunyan Roman +License: BSD-2-clause + +Files: debian/modules/http-fancyindex/* +Copyright: Copyright (c) Adrian Perez +License: BSD-2-clause + +Files: debian/modules/http-subs-filter/* +Copyright: Copyright (C) 2014 by Weibin Yao +License: BSD-2-clause + +Files: debian/modules/rtmp/* +Copyright: Copyright (C) 2012-2014, Roman Arutyunyan +License: BSD-2-clause + +License: BSD-2-clause + All rights reserved. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: BSD-3-clause + All rights reserved. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this + software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS + BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: BSD-4-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 4. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. 
+ +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to + deal in the Software without restriction, including without limitation the + rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + sell copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + IN THE SOFTWARE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libssl-doc.txt b/content/cumulus-linux-43/Whats-New/licenses/libssl-doc.txt new file mode 100644 index 0000000000..496bdfdbce --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libssl-doc.txt 
@@ -0,0 +1,135 @@ +This package was debianized by Christoph Martin martin@uni-mainz.de on +Fri, 22 Nov 1996 21:29:51 +0100. + +Copyright (c) 1998-2004 The OpenSSL Project +Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson + +The upstream sources were obtained from https://www.openssl.org/ + + + LICENSE ISSUES + ============== + + The OpenSSL toolkit stays under a dual license, i.e. both the conditions of + the OpenSSL License and the original SSLeay license apply to the toolkit. + See below for the actual license texts. Actually both licenses are BSD-style + Open Source licenses. In case of any license issues related to OpenSSL + please contact openssl-core@openssl.org. + + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. 
Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. 
The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. 
If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + diff --git a/content/cumulus-linux-43/Whats-New/licenses/libssl1.1-dbgsym.txt b/content/cumulus-linux-43/Whats-New/licenses/libssl1.1-dbgsym.txt new file mode 100644 index 0000000000..09a06b2f5d --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libssl1.1-dbgsym.txt @@ -0,0 +1 @@ +libssl1.1-dbgsym has no copyright file diff --git a/content/cumulus-linux-43/Whats-New/licenses/libsystemd-dev.txt b/content/cumulus-linux-43/Whats-New/licenses/libsystemd-dev.txt index 1f66c2054a..8dc9bd1380 100644 --- a/content/cumulus-linux-43/Whats-New/licenses/libsystemd-dev.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/libsystemd-dev.txt 
@@ -38,18 +38,33 @@ Copyright: 2012 Jean-Philippe Aumasson 2012 Daniel J. Bernstein License: CC0-1.0 -Files: src/basic/securebits.h -Copyright: Linus Torvalds -License: GPL-2 - Files: src/basic/ioprio.h Copyright: Jens Axboe License: GPL-2 -Files: src/shared/linux/auto_dev-ioctl.h -Copyright: 2008 Red Hat, Inc. +Files: src/shared/linux/* + src/basic/linux/* +Copyright: 2004-2009 Red Hat, Inc. + 2011-2014 PLUMgrid + 2001-2003 Sistina Software (UK) Limited. 2008 Ian Kent -License: GPL-2+ + 1998 David S. Miller >davem@redhat.com> + 2001 Jeff Garzik + 2006-2010 Johannes Berg + 2008 Luis Carlos Cobo + 2008 Michael Buesch + 2008, 2009 Luis R. Rodriguez + 2008 Jouni Malinen + 2008 Colin McCabe + 2018-2019 Intel Corporation + 2007 Oracle. + 2009 Wolfgang Grandegger + 1999 Thomas Davis + 2015 Sabrina Dubroca + 1999-2000 Maxim Krasnyansky + 2015-2019 Jason A. Donenfeld +License: GPL-2 with Linux-syscall-note exception Files: src/basic/sparse-endian.h Copyright: 2012 Josh Triplett 
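Review bot: The added copyright line "1998 David S. Miller >davem@redhat.com>" in the new "src/shared/linux/*" stanza has a malformed address delimiter, with ">" where "<" is expected. Correct it to "<davem@redhat.com>", or state in the commit message that the license texts are reproduced verbatim from the package's copyright file so the typo is intentional. The stanza also moves src/shared/linux/auto_dev-ioctl.h from GPL-2+ to "GPL-2 with Linux-syscall-note exception" by way of a directory glob, so it is worth confirming that every header under both globbed directories actually carries that exception.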
@@ -62,7 +77,44 @@ License: public-domain You can use this free for any purpose. It's in the public domain. It has no warranty. -Files: src/udev/* +Files: src/udev/ata_id/ata_id.c + src/udev/cdrom_id/cdrom_id.c + src/udev/mtd_probe/mtd_probe.c + src/udev/mtd_probe/mtd_probe.h + src/udev/mtd_probe/probe_smartmedia.c + src/udev/scsi_id/scsi.h + src/udev/scsi_id/scsi_id.c + src/udev/scsi_id/scsi_id.h + src/udev/scsi_id/scsi_serial.c + src/udev/udevadm.c + src/udev/udevadm-control.c + src/udev/udevadm.h + src/udev/udevadm-info.c + src/udev/udevadm-monitor.c + src/udev/udevadm-settle.c + src/udev/udevadm-test-builtin.c + src/udev/udevadm-test.c + src/udev/udevadm-trigger.c + src/udev/udevadm-util.c + src/udev/udevadm-util.h + src/udev/udev-builtin-blkid.c + src/udev/udev-builtin.h + src/udev/udev-builtin-input_id.c + src/udev/udev-builtin-kmod.c + src/udev/udev-builtin-path_id.c + src/udev/udev-builtin-uaccess.c + src/udev/udev-builtin-usb_id.c + src/udev/udev-ctrl.h + src/udev/udevd.c + src/udev/udev-event.c + src/udev/udev-event.h + src/udev/udev-node.c + src/udev/udev-node.h + src/udev/udev-rules.c + src/udev/udev-rules.h + src/udev/udev-watch.c + src/udev/udev-watch.h + src/udev/v4l_id/v4l_id.c Copyright: 2003-2012 Kay Sievers 2003-2004 Greg Kroah-Hartman 2004 Chris Friesen 
@@ -84,25 +136,9 @@ Copyright: 2003-2012 Kay Sievers 2014 Carlos Garnacho License: GPL-2+ -Files: src/udev/udev-ctrl.c - src/udev/udevadm-hwdb.c - src/udev/udev-builtin.c - src/udev/udev-builtin-net_id.c - src/udev/udev-builtin-net_setup_link.c - src/udev/udev-builtin-hwdb.c - src/udev/udev-builtin-btrfs.c - src/udev/udev-builtin-keyboard.c - src/udev/net/link-config.h - src/udev/net/link-config.c - src/udev/net/ethtool-util.c - src/udev/net/ethtool-util.h -Copyright: 2007-2013 Kay Sievers - 2013 Tom Gundersen -License: LGPL-2.1+ - -Files: src/udev/scsi_id/scsi.h +Files: src/udev/scsi_id/* Copyright: 2003 IBM Corp. -License: GPL-2 +License: GPL-2+ Files: debian/* Copyright: 2010-2013 Tollef Fog Heen 
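Review bot: The new "Files: src/udev/scsi_id/*" stanza overlaps the four src/udev/scsi_id/ files that the previous hunk lists explicitly under the Kay Sievers stanza. If this file follows the Debian machine-readable copyright format, the last matching stanza applies, so those files end up attributed to "2003 IBM Corp." alone. Separately, the removed LGPL-2.1+ stanza covered src/udev/udev-ctrl.c, src/udev/udev-builtin-net_id.c, src/udev/net/link-config.c and others that the explicit list in the previous hunk does not include, and "src/udev/*" no longer exists as a catch-all, so those files now fall through to whatever the top-level stanza declares. Please confirm both effects match the copyright file shipped in the package rather than being a side effect of regenerating the text.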
@@ -147,6 +183,37 @@ License: GPL-2 License version 2 can be found in the file `/usr/share/common-licenses/GPL-2` +License: GPL-2 with Linux-syscall-note exception + NOTE! This copyright does *not* cover user programs that use kernel services + by normal system calls - this is merely considered normal use of the kernel, + and does *not* fall under the heading of "derived work". Also note that the + GPL below is copyrighted by the Free Software Foundation, but the instance of + code that it refers to (the Linux kernel) is copyrighted by me and others who + actually wrote it. + . + Also note that the only valid version of the GPL as far as the kernel is + concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x + or whatever), unless explicitly otherwise stated. + . + Linus Torvalds + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/content/cumulus-linux-43/Whats-New/licenses/libsystemd0.txt b/content/cumulus-linux-43/Whats-New/licenses/libsystemd0.txt index 1f66c2054a..8dc9bd1380 100644 
--- a/content/cumulus-linux-43/Whats-New/licenses/libsystemd0.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/libsystemd0.txt @@ -38,18 +38,33 @@ Copyright: 2012 Jean-Philippe Aumasson 2012 Daniel J. Bernstein License: CC0-1.0 -Files: src/basic/securebits.h -Copyright: Linus Torvalds -License: GPL-2 - Files: src/basic/ioprio.h Copyright: Jens Axboe License: GPL-2 -Files: src/shared/linux/auto_dev-ioctl.h -Copyright: 2008 Red Hat, Inc. +Files: src/shared/linux/* + src/basic/linux/* +Copyright: 2004-2009 Red Hat, Inc. + 2011-2014 PLUMgrid + 2001-2003 Sistina Software (UK) Limited. 2008 Ian Kent -License: GPL-2+ + 1998 David S. Miller >davem@redhat.com> + 2001 Jeff Garzik + 2006-2010 Johannes Berg + 2008 Luis Carlos Cobo + 2008 Michael Buesch + 2008, 2009 Luis R. Rodriguez + 2008 Jouni Malinen + 2008 Colin McCabe + 2018-2019 Intel Corporation + 2007 Oracle. + 2009 Wolfgang Grandegger + 1999 Thomas Davis + 2015 Sabrina Dubroca + 1999-2000 Maxim Krasnyansky + 2015-2019 Jason A. Donenfeld +License: GPL-2 with Linux-syscall-note exception Files: src/basic/sparse-endian.h Copyright: 2012 Josh Triplett 
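Review bot: This hunk is the same change already applied to libsystemd-dev.txt, and the two files share the blob ids 1f66c2054a..8dc9bd1380, as do libudev-dev.txt and libudev1.txt later in the patch, so one text, including the ">davem@redhat.com>" typo, is maintained in four copies. Consider generating the per-package files from a single source copyright file, or pointing the four package entries at one copy, so that a correction only has to be made once and the copies cannot drift apart.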
@@ -62,7 +77,44 @@ License: public-domain You can use this free for any purpose. It's in the public domain. It has no warranty. -Files: src/udev/* +Files: src/udev/ata_id/ata_id.c + src/udev/cdrom_id/cdrom_id.c + src/udev/mtd_probe/mtd_probe.c + src/udev/mtd_probe/mtd_probe.h + src/udev/mtd_probe/probe_smartmedia.c + src/udev/scsi_id/scsi.h + src/udev/scsi_id/scsi_id.c + src/udev/scsi_id/scsi_id.h + src/udev/scsi_id/scsi_serial.c + src/udev/udevadm.c + src/udev/udevadm-control.c + src/udev/udevadm.h + src/udev/udevadm-info.c + src/udev/udevadm-monitor.c + src/udev/udevadm-settle.c + src/udev/udevadm-test-builtin.c + src/udev/udevadm-test.c + src/udev/udevadm-trigger.c + src/udev/udevadm-util.c + src/udev/udevadm-util.h + src/udev/udev-builtin-blkid.c + src/udev/udev-builtin.h + src/udev/udev-builtin-input_id.c + src/udev/udev-builtin-kmod.c + src/udev/udev-builtin-path_id.c + src/udev/udev-builtin-uaccess.c + src/udev/udev-builtin-usb_id.c + src/udev/udev-ctrl.h + src/udev/udevd.c + src/udev/udev-event.c + src/udev/udev-event.h + src/udev/udev-node.c + src/udev/udev-node.h + src/udev/udev-rules.c + src/udev/udev-rules.h + src/udev/udev-watch.c + src/udev/udev-watch.h + src/udev/v4l_id/v4l_id.c Copyright: 2003-2012 Kay Sievers 2003-2004 Greg Kroah-Hartman 2004 Chris Friesen 
@@ -84,25 +136,9 @@ Copyright: 2003-2012 Kay Sievers 2014 Carlos Garnacho License: GPL-2+ -Files: src/udev/udev-ctrl.c - src/udev/udevadm-hwdb.c - src/udev/udev-builtin.c - src/udev/udev-builtin-net_id.c - src/udev/udev-builtin-net_setup_link.c - src/udev/udev-builtin-hwdb.c - src/udev/udev-builtin-btrfs.c - src/udev/udev-builtin-keyboard.c - src/udev/net/link-config.h - src/udev/net/link-config.c - src/udev/net/ethtool-util.c - src/udev/net/ethtool-util.h -Copyright: 2007-2013 Kay Sievers - 2013 Tom Gundersen -License: LGPL-2.1+ - -Files: src/udev/scsi_id/scsi.h +Files: src/udev/scsi_id/* Copyright: 2003 IBM Corp. -License: GPL-2 +License: GPL-2+ Files: debian/* Copyright: 2010-2013 Tollef Fog Heen 
@@ -147,6 +183,37 @@ License: GPL-2 License version 2 can be found in the file `/usr/share/common-licenses/GPL-2` +License: GPL-2 with Linux-syscall-note exception + NOTE! This copyright does *not* cover user programs that use kernel services + by normal system calls - this is merely considered normal use of the kernel, + and does *not* fall under the heading of "derived work". Also note that the + GPL below is copyrighted by the Free Software Foundation, but the instance of + code that it refers to (the Linux kernel) is copyrighted by me and others who + actually wrote it. + . + Also note that the only valid version of the GPL as far as the kernel is + concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x + or whatever), unless explicitly otherwise stated. + . + Linus Torvalds + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/content/cumulus-linux-43/Whats-New/licenses/libudev-dev.txt b/content/cumulus-linux-43/Whats-New/licenses/libudev-dev.txt index 1f66c2054a..8dc9bd1380 100644 
--- a/content/cumulus-linux-43/Whats-New/licenses/libudev-dev.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/libudev-dev.txt @@ -38,18 +38,33 @@ Copyright: 2012 Jean-Philippe Aumasson 2012 Daniel J. Bernstein License: CC0-1.0 -Files: src/basic/securebits.h -Copyright: Linus Torvalds -License: GPL-2 - Files: src/basic/ioprio.h Copyright: Jens Axboe License: GPL-2 -Files: src/shared/linux/auto_dev-ioctl.h -Copyright: 2008 Red Hat, Inc. +Files: src/shared/linux/* + src/basic/linux/* +Copyright: 2004-2009 Red Hat, Inc. + 2011-2014 PLUMgrid + 2001-2003 Sistina Software (UK) Limited. 2008 Ian Kent -License: GPL-2+ + 1998 David S. Miller >davem@redhat.com> + 2001 Jeff Garzik + 2006-2010 Johannes Berg + 2008 Luis Carlos Cobo + 2008 Michael Buesch + 2008, 2009 Luis R. Rodriguez + 2008 Jouni Malinen + 2008 Colin McCabe + 2018-2019 Intel Corporation + 2007 Oracle. + 2009 Wolfgang Grandegger + 1999 Thomas Davis + 2015 Sabrina Dubroca + 1999-2000 Maxim Krasnyansky + 2015-2019 Jason A. Donenfeld +License: GPL-2 with Linux-syscall-note exception Files: src/basic/sparse-endian.h Copyright: 2012 Josh Triplett 
@@ -62,7 +77,44 @@ License: public-domain You can use this free for any purpose. It's in the public domain. It has no warranty. -Files: src/udev/* +Files: src/udev/ata_id/ata_id.c + src/udev/cdrom_id/cdrom_id.c + src/udev/mtd_probe/mtd_probe.c + src/udev/mtd_probe/mtd_probe.h + src/udev/mtd_probe/probe_smartmedia.c + src/udev/scsi_id/scsi.h + src/udev/scsi_id/scsi_id.c + src/udev/scsi_id/scsi_id.h + src/udev/scsi_id/scsi_serial.c + src/udev/udevadm.c + src/udev/udevadm-control.c + src/udev/udevadm.h + src/udev/udevadm-info.c + src/udev/udevadm-monitor.c + src/udev/udevadm-settle.c + src/udev/udevadm-test-builtin.c + src/udev/udevadm-test.c + src/udev/udevadm-trigger.c + src/udev/udevadm-util.c + src/udev/udevadm-util.h + src/udev/udev-builtin-blkid.c + src/udev/udev-builtin.h + src/udev/udev-builtin-input_id.c + src/udev/udev-builtin-kmod.c + src/udev/udev-builtin-path_id.c + src/udev/udev-builtin-uaccess.c + src/udev/udev-builtin-usb_id.c + src/udev/udev-ctrl.h + src/udev/udevd.c + src/udev/udev-event.c + src/udev/udev-event.h + src/udev/udev-node.c + src/udev/udev-node.h + src/udev/udev-rules.c + src/udev/udev-rules.h + src/udev/udev-watch.c + src/udev/udev-watch.h + src/udev/v4l_id/v4l_id.c Copyright: 2003-2012 Kay Sievers 2003-2004 Greg Kroah-Hartman 2004 Chris Friesen 
@@ -84,25 +136,9 @@ Copyright: 2003-2012 Kay Sievers 2014 Carlos Garnacho License: GPL-2+ -Files: src/udev/udev-ctrl.c - src/udev/udevadm-hwdb.c - src/udev/udev-builtin.c - src/udev/udev-builtin-net_id.c - src/udev/udev-builtin-net_setup_link.c - src/udev/udev-builtin-hwdb.c - src/udev/udev-builtin-btrfs.c - src/udev/udev-builtin-keyboard.c - src/udev/net/link-config.h - src/udev/net/link-config.c - src/udev/net/ethtool-util.c - src/udev/net/ethtool-util.h -Copyright: 2007-2013 Kay Sievers - 2013 Tom Gundersen -License: LGPL-2.1+ - -Files: src/udev/scsi_id/scsi.h +Files: src/udev/scsi_id/* Copyright: 2003 IBM Corp. -License: GPL-2 +License: GPL-2+ Files: debian/* Copyright: 2010-2013 Tollef Fog Heen 
@@ -147,6 +183,37 @@ License: GPL-2 License version 2 can be found in the file `/usr/share/common-licenses/GPL-2` +License: GPL-2 with Linux-syscall-note exception + NOTE! This copyright does *not* cover user programs that use kernel services + by normal system calls - this is merely considered normal use of the kernel, + and does *not* fall under the heading of "derived work". Also note that the + GPL below is copyrighted by the Free Software Foundation, but the instance of + code that it refers to (the Linux kernel) is copyrighted by me and others who + actually wrote it. + . + Also note that the only valid version of the GPL as far as the kernel is + concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x + or whatever), unless explicitly otherwise stated. + . + Linus Torvalds + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/content/cumulus-linux-43/Whats-New/licenses/libudev1.txt b/content/cumulus-linux-43/Whats-New/licenses/libudev1.txt index 1f66c2054a..8dc9bd1380 100644 
--- a/content/cumulus-linux-43/Whats-New/licenses/libudev1.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/libudev1.txt @@ -38,18 +38,33 @@ Copyright: 2012 Jean-Philippe Aumasson 2012 Daniel J. Bernstein License: CC0-1.0 -Files: src/basic/securebits.h -Copyright: Linus Torvalds -License: GPL-2 - Files: src/basic/ioprio.h Copyright: Jens Axboe License: GPL-2 -Files: src/shared/linux/auto_dev-ioctl.h -Copyright: 2008 Red Hat, Inc. +Files: src/shared/linux/* + src/basic/linux/* +Copyright: 2004-2009 Red Hat, Inc. + 2011-2014 PLUMgrid + 2001-2003 Sistina Software (UK) Limited. 2008 Ian Kent -License: GPL-2+ + 1998 David S. Miller >davem@redhat.com> + 2001 Jeff Garzik + 2006-2010 Johannes Berg + 2008 Luis Carlos Cobo + 2008 Michael Buesch + 2008, 2009 Luis R. Rodriguez + 2008 Jouni Malinen + 2008 Colin McCabe + 2018-2019 Intel Corporation + 2007 Oracle. + 2009 Wolfgang Grandegger + 1999 Thomas Davis + 2015 Sabrina Dubroca + 1999-2000 Maxim Krasnyansky + 2015-2019 Jason A. Donenfeld +License: GPL-2 with Linux-syscall-note exception Files: src/basic/sparse-endian.h Copyright: 2012 Josh Triplett 
@@ -62,7 +77,44 @@ License: public-domain You can use this free for any purpose. It's in the public domain. It has no warranty. -Files: src/udev/* +Files: src/udev/ata_id/ata_id.c + src/udev/cdrom_id/cdrom_id.c + src/udev/mtd_probe/mtd_probe.c + src/udev/mtd_probe/mtd_probe.h + src/udev/mtd_probe/probe_smartmedia.c + src/udev/scsi_id/scsi.h + src/udev/scsi_id/scsi_id.c + src/udev/scsi_id/scsi_id.h + src/udev/scsi_id/scsi_serial.c + src/udev/udevadm.c + src/udev/udevadm-control.c + src/udev/udevadm.h + src/udev/udevadm-info.c + src/udev/udevadm-monitor.c + src/udev/udevadm-settle.c + src/udev/udevadm-test-builtin.c + src/udev/udevadm-test.c + src/udev/udevadm-trigger.c + src/udev/udevadm-util.c + src/udev/udevadm-util.h + src/udev/udev-builtin-blkid.c + src/udev/udev-builtin.h + src/udev/udev-builtin-input_id.c + src/udev/udev-builtin-kmod.c + src/udev/udev-builtin-path_id.c + src/udev/udev-builtin-uaccess.c + src/udev/udev-builtin-usb_id.c + src/udev/udev-ctrl.h + src/udev/udevd.c + src/udev/udev-event.c + src/udev/udev-event.h + src/udev/udev-node.c + src/udev/udev-node.h + src/udev/udev-rules.c + src/udev/udev-rules.h + src/udev/udev-watch.c + src/udev/udev-watch.h + src/udev/v4l_id/v4l_id.c Copyright: 2003-2012 Kay Sievers 2003-2004 Greg Kroah-Hartman 2004 Chris Friesen 
@@ -84,25 +136,9 @@ Copyright: 2003-2012 Kay Sievers 2014 Carlos Garnacho License: GPL-2+ -Files: src/udev/udev-ctrl.c - src/udev/udevadm-hwdb.c - src/udev/udev-builtin.c - src/udev/udev-builtin-net_id.c - src/udev/udev-builtin-net_setup_link.c - src/udev/udev-builtin-hwdb.c - src/udev/udev-builtin-btrfs.c - src/udev/udev-builtin-keyboard.c - src/udev/net/link-config.h - src/udev/net/link-config.c - src/udev/net/ethtool-util.c - src/udev/net/ethtool-util.h -Copyright: 2007-2013 Kay Sievers - 2013 Tom Gundersen -License: LGPL-2.1+ - -Files: src/udev/scsi_id/scsi.h +Files: src/udev/scsi_id/* Copyright: 2003 IBM Corp. -License: GPL-2 +License: GPL-2+ Files: debian/* Copyright: 2010-2013 Tollef Fog Heen 
@@ -147,6 +183,37 @@ License: GPL-2 License version 2 can be found in the file `/usr/share/common-licenses/GPL-2` +License: GPL-2 with Linux-syscall-note exception + NOTE! This copyright does *not* cover user programs that use kernel services + by normal system calls - this is merely considered normal use of the kernel, + and does *not* fall under the heading of "derived work". Also note that the + GPL below is copyrighted by the Free Software Foundation, but the instance of + code that it refers to (the Linux kernel) is copyrighted by me and others who + actually wrote it. + . + Also note that the only valid version of the GPL as far as the kernel is + concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x + or whatever), unless explicitly otherwise stated. + . + Linus Torvalds + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/content/cumulus-linux-43/Whats-New/licenses/libxpm-dev.txt b/content/cumulus-linux-43/Whats-New/licenses/libxpm-dev.txt new file mode 100644 index 0000000000..ed6e05bf93 --- /dev/null 
+++ b/content/cumulus-linux-43/Whats-New/licenses/libxpm-dev.txt 
@@ -0,0 +1,71 @@ +This package was downloaded from +https://xorg.freedesktop.org/releases/individual/lib/ + +Copyright (C) 1989-95 GROUPE BULL + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +GROUPE BULL BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of GROUPE BULL shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from GROUPE BULL. + +Copyright (C) 1998 Arnaud LE HORS + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. 
+ +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Arnaud LE HORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Arnaud LE HORS shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Arnaud LE HORS. + +Copyright (C) 19896 Lorens Younes + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Lorens Younes BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Lorens Younes shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Lorens Younes. 
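Review bot: "Copyright (C) 19896 Lorens Younes" in the third notice of libxpm-dev.txt has a five-digit year, which cannot be a valid date. Check the year against the upstream libXpm license text and correct it here, or record in the commit message that these files are copied byte for byte from the package so that upstream typos are preserved on purpose.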
diff --git a/content/cumulus-linux-43/Whats-New/licenses/libzstd-dev.txt b/content/cumulus-linux-43/Whats-New/licenses/libzstd-dev.txt new file mode 100644 index 0000000000..65461ac92e --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/libzstd-dev.txt 
@@ -0,0 +1,133 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Zstd +Source: https://github.com/facebook/zstd +Files-Excluded: appveyor.yml + build/* + programs/windres/* + .travis.yml + .buckversion + .buckconfig + .circleci/* + .cirrus.yml + +Files: * +Copyright: 2013-2018, Yann Collet + 2016, Przemyslaw Skibinski + 2016-2018, Facebook, Inc. +License: BSD-3-clause and GPL-2 +Comment: Starting from 1.3.1 zstd's patent claim is removed + see: https://github.com/facebook/zstd/pull/801 + +Files: zlibWrapper/examples/*.c +Copyright: 1995-2006, 2011 Jean-loup Gailly +License: zlib + +Files: zlibWrapper/gz*.c +Copyright: (C) 2004, 2005, 2010, 2011, 2012, 2013 Mark Adler +License: zlib + +License: zlib + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + . + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + . + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgement in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + +Files: contrib/linux-kernel/fs/squashfs/* +Copyright: 2017 Facebook +License: GPL-2+ + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + as published by the Free Software Foundation; either version 2, + or (at your option) any later version. + . 
+ This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + On Debian systems you can find a full copy of the GNU General Public + License version 2 at /usr/share/common-licenses/GPL-2. + +Files: lib/dictBuilder/divsufsort.* +Copyright: 2003-2008, Yuta Mori +License: Expat + +Files: examples/* +Copyright: 2016-present, Yann Collet, Facebook, Inc. +License: BSD-3-clause and GPL-2 + +Files: debian/* +Copyright: 2015-2016 Kevin Murray +License: Expat + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License, v2, as + published by the Free Software Foundation + . 
+ This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + . + On Debian systems, the complete text of the GNU General Public + License version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of cereal nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL RANDOLPH VOORHIES OR SHANE GRANT BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/libzstd1.txt b/content/cumulus-linux-43/Whats-New/licenses/libzstd1.txt index 4242179ead..65461ac92e 100644 --- a/content/cumulus-linux-43/Whats-New/licenses/libzstd1.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/libzstd1.txt @@ -2,13 +2,13 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: Zstd Source: https://github.com/facebook/zstd Files-Excluded: appveyor.yml - circle.yml build/* programs/windres/* .travis.yml .buckversion .buckconfig .circleci/* + .cirrus.yml Files: * Copyright: 2013-2018, Yann Collet diff --git a/content/cumulus-linux-43/Whats-New/licenses/openssl-dbgsym.txt b/content/cumulus-linux-43/Whats-New/licenses/openssl-dbgsym.txt new file mode 100644 index 0000000000..44c119229e --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/openssl-dbgsym.txt @@ -0,0 +1 @@ +openssl-dbgsym has no copyright file diff --git a/content/cumulus-linux-43/Whats-New/licenses/python3-pip.txt b/content/cumulus-linux-43/Whats-New/licenses/python3-pip.txt new file mode 100644 index 0000000000..1293be681c --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/python3-pip.txt 
@@ -0,0 +1,111 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Source: http://www.pip-installer.org/ + +Files: * +Copyright: Copyright © 2008-2013 The pip developers: + Alex Grönholm + Alex Morega + Alexandre Conrad + Andrey Bulgakov + Antti Kaihola + Armin Ronacher + Aziz Köksal + Ben Rosser + Brian Rosner + Carl Meyer + Chris McDonough + Christian Oudard + Clay McClure + Cody Soyland + Daniel Holth + Dave Abrahams + David (d1b) + Dmitry Gladkov + Donald Stufft + Francesco + Geoffrey Lehée + Georgi Valkov + Hugo Lopes Tavares + Ian Bicking + Igor Sobreira + Ionel Maries Cristian + Jakub Vysoky + James Cleveland + Jannis Leidel + Jay Graves + John-Scott Atlakson + Jon Parise + Jonas Nockert + Josh Bronson + Kamal Bin Mustafa + Kelsey Hightower + Kenneth Belitzky + Kumar McMillan + Luke Macken + Masklinn + Marc Abramowitz + Marcus Smith + Markus Hametner + Matt Maker + Maxime R. + Miguel Araujo + Nick Stenning + Nowell Strite + Oliver Tonnhofer + Olivier Girardot + Patrick Jenkins + Paul Moore + Paul Nasrat + Paul Oswald + Paul van der Linden + Peter Waller + Phil Whelan + Piet Delport + Przemek Wrzos + Qiangning Hong + Rafael Caricio + Rene Dudfield + Roey Berman + Ronny Pfannschmidt + Rory McCann + Simon Cross + Stavros Korokithakis + Thomas Fenzl + Thomas Johansson + Vinay Sajip + Vitaly Babiy + W Trevor King + Wil Tan + Hsiaoming Yang +License: Expat + +Files: pip/cacert.pem +Copyright: No copyrightable material +License: public-domain + Upstream declares that this bundle is licensed, but it seems unreasonable + to think that CA certificates would be protected by copyright. 
+ Forwarded: https://github.com/pypa/pip/pull/971 + +Files: debian/* +Copyright: Copyright 2009 Jeff Licquia +License: Expat + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/python3-pycurl.txt b/content/cumulus-linux-43/Whats-New/licenses/python3-pycurl.txt new file mode 100644 index 0000000000..7674f114a4 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/python3-pycurl.txt 
@@ -0,0 +1,42 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: pycurl +Source: http://pycurl.sourceforge.net + +Files: * +Copyright: + Copyright (C) 2001-2008 by Kjetil Jacobsen + Copyright (C) 2001-2008 by Markus F.X.J. Oberhumer + Copyright (C) 2013-2014 by Oleg Pudeyev +License: LGPL-2.1 + PycURL is dual licensed under the LGPL (either version 2.1 or later) + and an MIT/X derivative license based on the cURL license. You can + redistribute and/or modify PycURL according to the terms of either + license. + . + On Debian GNU/Linux systems, the complete text of the GNU Lesser General + Public License can be found in '/usr/share/common-licenses/LGPL-2.1'. + +License: MIT + Permission to use, copy, modify, and distribute this software for any purpose + with or without fee is hereby granted, provided that the above copyright + notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN + NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE + OR OTHER DEALINGS IN THE SOFTWARE. + . + Except as contained in this notice, the name of a copyright holder shall not + be used in advertising or otherwise to promote the sale, use or other dealings + in this Software without prior written authorization of the copyright holder. + +Files: tests/ext/test-lib.sh +Copyright: Copyright (c) 2010 Ryan Tomayko +License: MIT + +Files: debian/* +Copyright: 2008-2014 Sandro Tosi +License: MIT 
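Review bot: In the `Files: *` stanza the `License:` field is `LGPL-2.1`, but the text directly under it says PycURL is dual licensed under the LGPL "either version 2.1 or later" and an MIT/X derivative license, so the short name understates both the version range and the second license. If anything downstream keys on the `License:` field (for example a license inventory built from these files), it will record the wrong terms for this package. Either align the field with the text, for example `LGPL-2.1+ or MIT`, or state in the commit message that these files are verbatim copies and such discrepancies are to be fixed in the package rather than here.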
diff --git a/content/cumulus-linux-43/Whats-New/licenses/python3-scapy.txt b/content/cumulus-linux-43/Whats-New/licenses/python3-scapy.txt new file mode 100644 index 0000000000..40ccd04460 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/python3-scapy.txt @@ -0,0 +1,27 @@ +This package was debianized by Alberto Gonzalez Iniesta on +Thu, 08 May 2003 15:22:45 +0200 + +It was downloaded from http://www.secdev.org/projects/scapy/files/ + +Upstream Authors: Philippe Biondi + +Copyright (C) 2003 Philippe Biondi + + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License version 2 as + published by the Free Software Foundation. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +On Debian GNU/Linux systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL-2'. + +The Debian packaging is (C) 2007,2008 David Villa and +is licensed under the GPL. diff --git a/content/cumulus-linux-43/Whats-New/licenses/python3-systemd.txt b/content/cumulus-linux-43/Whats-New/licenses/python3-systemd.txt new file mode 100644 index 0000000000..ec954d2f01 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/python3-systemd.txt 
@@ -0,0 +1,33 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: python-systemd +Upstream-Contact: systemd-devel@lists.freedesktop.org +Source: https://github.com/systemd/python-systemd + +Files: * +Copyright: 2012 David Strauss + 2012-2013 Zbigniew Jędrzejewski-Szmek + 2010 Lennart Poettering + 2012 Marti Raudsepp +License: LGPL-2.1+ + +Files: debian/* +Copyright: 2015 Michael Biebl +License: LGPL-2.1+ + +License: LGPL-2.1+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1, or (at your option) + any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public License along + with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian systems, the complete text of the GNU Lesser General Public + License version 2.1 can be found in ‘/usr/share/common-licenses/LGPL-2.1’. diff --git a/content/cumulus-linux-43/Whats-New/licenses/python3-texttable.txt b/content/cumulus-linux-43/Whats-New/licenses/python3-texttable.txt new file mode 100644 index 0000000000..03b44acebc --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/python3-texttable.txt 
@@ -0,0 +1,50 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: texttable +Source: https://pypi.python.org/pypi/texttable + +Files: * +Copyright: 2018 Gerome Fournier +License: Expat + +Files: debian/* +Copyright: 2013 Léo Cavaillé + 2016 Sergio Durigan Junior +License: LGPL-2.1+ + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: LGPL-2.1+ + texttable is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + . + texttable is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . 
+ You should have received a copy of the GNU Lesser General Public + License along with texttable; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, a copy of the license can be found at + `/usr/share/common-licenses/LGPL-2.1`. diff --git a/content/cumulus-linux-43/Whats-New/licenses/python3-typing-extensions.txt b/content/cumulus-linux-43/Whats-New/licenses/python3-typing-extensions.txt new file mode 100644 index 0000000000..3264d29b4f --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/python3-typing-extensions.txt 
@@ -0,0 +1,57 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: typing-extensions +Source: https://pypi.python.org/pypi/typing-extensions + +Files: * +Copyright: 2016 Python Software Foundation +License: PSF + +Files: debian/* +Copyright: 2018 Michael R. Crusoe +License: PSF + +License: PSF + 1. This LICENSE AGREEMENT is between the Python Software Foundation + ("PSF"), and the Individual or Organization ("Licensee") accessing and + otherwise using this software ("Python") in source or binary form and + its associated documentation. + . + 2. Subject to the terms and conditions of this License Agreement, PSF hereby + grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, + analyze, test, perform and/or display publicly, prepare derivative works, + distribute, and otherwise use Python alone or in any derivative version, + provided, however, that PSF's License Agreement and PSF's notice of copyright, + i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, + 2011, 2012, 2013, 2014 Python Software Foundation; All Rights Reserved" are + retained in Python alone or in any derivative version prepared by Licensee. + . + 3. In the event Licensee prepares a derivative work that is based on + or incorporates Python or any part thereof, and wants to make + the derivative work available to others as provided herein, then + Licensee hereby agrees to include in any such work a brief summary of + the changes made to Python. + . + 4. PSF is making Python available to Licensee on an "AS IS" + basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR + IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND + DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS + FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT + INFRINGE ANY THIRD PARTY RIGHTS. + . + 5. 
PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON + FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS + A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, + OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + . + 6. This License Agreement will automatically terminate upon a material + breach of its terms and conditions. + . + 7. Nothing in this License Agreement shall be deemed to create any + relationship of agency, partnership, or joint venture between PSF and + Licensee. This License Agreement does not grant permission to use PSF + trademarks or trade name in a trademark sense to endorse or promote + products or services of Licensee, or any third party. + . + 8. By copying, installing or otherwise using Python, Licensee + agrees to be bound by the terms and conditions of this License + Agreement. diff --git a/content/cumulus-linux-43/Whats-New/licenses/python3.7-doc.txt b/content/cumulus-linux-43/Whats-New/licenses/python3.7-doc.txt new file mode 100644 index 0000000000..1655fbe09c --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/python3.7-doc.txt 
@@ -0,0 +1,995 @@ +This package was put together by Klee Dienes from +sources from ftp.python.org:/pub/python, based on the Debianization by +the previous maintainers Bernd S. Brentrup and +Bruce Perens. Current maintainer is Matthias Klose . + +It was downloaded from http://python.org/ + +Copyright: + +Upstream Author: Guido van Rossum and others. + +License: + +The following text includes the Python license and licenses and +acknowledgements for incorporated software. The licenses can be read +in the HTML and texinfo versions of the documentation as well, after +installing the pythonx.y-doc package. Licenses for files not licensed +under the Python Licenses are found at the end of this file. + + +Python License +============== + +A. HISTORY OF THE SOFTWARE +========================== + +Python was created in the early 1990s by Guido van Rossum at Stichting +Mathematisch Centrum (CWI, see http://www.cwi.nl) in the Netherlands +as a successor of a language called ABC. Guido remains Python's +principal author, although it includes many contributions from others. + +In 1995, Guido continued his work on Python at the Corporation for +National Research Initiatives (CNRI, see http://www.cnri.reston.va.us) +in Reston, Virginia where he released several versions of the +software. + +In May 2000, Guido and the Python core development team moved to +BeOpen.com to form the BeOpen PythonLabs team. In October of the same +year, the PythonLabs team moved to Digital Creations (now Zope +Corporation, see http://www.zope.com). In 2001, the Python Software +Foundation (PSF, see http://www.python.org/psf/) was formed, a +non-profit organization created specifically to own Python-related +Intellectual Property. Zope Corporation is a sponsoring member of +the PSF. + +All Python releases are Open Source (see http://www.opensource.org for +the Open Source Definition). 
Historically, most, but not all, Python +releases have also been GPL-compatible; the table below summarizes +the various releases. + + Release Derived Year Owner GPL- + from compatible? (1) + + 0.9.0 thru 1.2 1991-1995 CWI yes + 1.3 thru 1.5.2 1.2 1995-1999 CNRI yes + 1.6 1.5.2 2000 CNRI no + 2.0 1.6 2000 BeOpen.com no + 1.6.1 1.6 2001 CNRI yes (2) + 2.1 2.0+1.6.1 2001 PSF no + 2.0.1 2.0+1.6.1 2001 PSF yes + 2.1.1 2.1+2.0.1 2001 PSF yes + 2.2 2.1.1 2001 PSF yes + 2.1.2 2.1.1 2002 PSF yes + 2.1.3 2.1.2 2002 PSF yes + 2.2 and above 2.1.1 2001-now PSF yes + +Footnotes: + +(1) GPL-compatible doesn't mean that we're distributing Python under + the GPL. All Python licenses, unlike the GPL, let you distribute + a modified version without making your changes open source. The + GPL-compatible licenses make it possible to combine Python with + other software that is released under the GPL; the others don't. + +(2) According to Richard Stallman, 1.6.1 is not GPL-compatible, + because its license has a choice of law clause. According to + CNRI, however, Stallman's lawyer has told CNRI's lawyer that 1.6.1 + is "not incompatible" with the GPL. + +Thanks to the many outside volunteers who have worked under Guido's +direction to make these releases possible. + + +B. TERMS AND CONDITIONS FOR ACCESSING OR OTHERWISE USING PYTHON +=============================================================== + +PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 +-------------------------------------------- + +1. This LICENSE AGREEMENT is between the Python Software Foundation +("PSF"), and the Individual or Organization ("Licensee") accessing and +otherwise using this software ("Python") in source or binary form and +its associated documentation. + +2. 
Subject to the terms and conditions of this License Agreement, PSF +hereby grants Licensee a nonexclusive, royalty-free, world-wide +license to reproduce, analyze, test, perform and/or display publicly, +prepare derivative works, distribute, and otherwise use Python alone +or in any derivative version, provided, however, that PSF's License +Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, +2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, +2013, 2014 Python Software Foundation; All Rights Reserved" are +retained in Python alone or in any derivative version prepared by +Licensee. + +3. In the event Licensee prepares a derivative work that is based on +or incorporates Python or any part thereof, and wants to make +the derivative work available to others as provided herein, then +Licensee hereby agrees to include in any such work a brief summary of +the changes made to Python. + +4. PSF is making Python available to Licensee on an "AS IS" +basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR +IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND +DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS +FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT +INFRINGE ANY THIRD PARTY RIGHTS. + +5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON +FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS +A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, +OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + +6. This License Agreement will automatically terminate upon a material +breach of its terms and conditions. + +7. Nothing in this License Agreement shall be deemed to create any +relationship of agency, partnership, or joint venture between PSF and +Licensee. 
This License Agreement does not grant permission to use PSF +trademarks or trade name in a trademark sense to endorse or promote +products or services of Licensee, or any third party. + +8. By copying, installing or otherwise using Python, Licensee +agrees to be bound by the terms and conditions of this License +Agreement. + + +BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 +------------------------------------------- + +BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1 + +1. This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an +office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the +Individual or Organization ("Licensee") accessing and otherwise using +this software in source or binary form and its associated +documentation ("the Software"). + +2. Subject to the terms and conditions of this BeOpen Python License +Agreement, BeOpen hereby grants Licensee a non-exclusive, +royalty-free, world-wide license to reproduce, analyze, test, perform +and/or display publicly, prepare derivative works, distribute, and +otherwise use the Software alone or in any derivative version, +provided, however, that the BeOpen Python License is retained in the +Software, alone or in any derivative version prepared by Licensee. + +3. BeOpen is making the Software available to Licensee on an "AS IS" +basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR +IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND +DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS +FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT +INFRINGE ANY THIRD PARTY RIGHTS. + +4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE +SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS +AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY +DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + +5. 
This License Agreement will automatically terminate upon a material +breach of its terms and conditions. + +6. This License Agreement shall be governed by and interpreted in all +respects by the law of the State of California, excluding conflict of +law provisions. Nothing in this License Agreement shall be deemed to +create any relationship of agency, partnership, or joint venture +between BeOpen and Licensee. This License Agreement does not grant +permission to use BeOpen trademarks or trade names in a trademark +sense to endorse or promote products or services of Licensee, or any +third party. As an exception, the "BeOpen Python" logos available at +http://www.pythonlabs.com/logos.html may be used according to the +permissions granted on that web page. + +7. By copying, installing or otherwise using the software, Licensee +agrees to be bound by the terms and conditions of this License +Agreement. + + +CNRI LICENSE AGREEMENT FOR PYTHON 1.6.1 +--------------------------------------- + +1. This LICENSE AGREEMENT is between the Corporation for National +Research Initiatives, having an office at 1895 Preston White Drive, +Reston, VA 20191 ("CNRI"), and the Individual or Organization +("Licensee") accessing and otherwise using Python 1.6.1 software in +source or binary form and its associated documentation. + +2. Subject to the terms and conditions of this License Agreement, CNRI +hereby grants Licensee a nonexclusive, royalty-free, world-wide +license to reproduce, analyze, test, perform and/or display publicly, +prepare derivative works, distribute, and otherwise use Python 1.6.1 +alone or in any derivative version, provided, however, that CNRI's +License Agreement and CNRI's notice of copyright, i.e., "Copyright (c) +1995-2001 Corporation for National Research Initiatives; All Rights +Reserved" are retained in Python 1.6.1 alone or in any derivative +version prepared by Licensee. 
Alternately, in lieu of CNRI's License +Agreement, Licensee may substitute the following text (omitting the +quotes): "Python 1.6.1 is made available subject to the terms and +conditions in CNRI's License Agreement. This Agreement together with +Python 1.6.1 may be located on the Internet using the following +unique, persistent identifier (known as a handle): 1895.22/1013. This +Agreement may also be obtained from a proxy server on the Internet +using the following URL: http://hdl.handle.net/1895.22/1013". + +3. In the event Licensee prepares a derivative work that is based on +or incorporates Python 1.6.1 or any part thereof, and wants to make +the derivative work available to others as provided herein, then +Licensee hereby agrees to include in any such work a brief summary of +the changes made to Python 1.6.1. + +4. CNRI is making Python 1.6.1 available to Licensee on an "AS IS" +basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR +IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND +DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS +FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6.1 WILL NOT +INFRINGE ANY THIRD PARTY RIGHTS. + +5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON +1.6.1 FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS +A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 1.6.1, +OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + +6. This License Agreement will automatically terminate upon a material +breach of its terms and conditions. + +7. This License Agreement shall be governed by the federal +intellectual property law of the United States, including without +limitation the federal copyright law, and, to the extent such +U.S. federal law does not apply, by the law of the Commonwealth of +Virginia, excluding Virginia's conflict of law provisions. 
+Notwithstanding the foregoing, with regard to derivative works based +on Python 1.6.1 that incorporate non-separable material that was +previously distributed under the GNU General Public License (GPL), the +law of the Commonwealth of Virginia shall govern this License +Agreement only as to issues arising under or with respect to +Paragraphs 4, 5, and 7 of this License Agreement. Nothing in this +License Agreement shall be deemed to create any relationship of +agency, partnership, or joint venture between CNRI and Licensee. This +License Agreement does not grant permission to use CNRI trademarks or +trade name in a trademark sense to endorse or promote products or +services of Licensee, or any third party. + +8. By clicking on the "ACCEPT" button where indicated, or by copying, +installing or otherwise using Python 1.6.1, Licensee agrees to be +bound by the terms and conditions of this License Agreement. + + ACCEPT + + +CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 +-------------------------------------------------- + +Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, +The Netherlands. All rights reserved. + +Permission to use, copy, modify, and distribute this software and its +documentation for any purpose and without fee is hereby granted, +provided that the above copyright notice appear in all copies and that +both that copyright notice and this permission notice appear in +supporting documentation, and that the name of Stichting Mathematisch +Centrum or CWI not be used in advertising or publicity pertaining to +distribution of the software without specific, written prior +permission. 
+ +STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO +THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND +FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE +FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + +Licenses and Acknowledgements for Incorporated Software +======================================================= + +Mersenne Twister +---------------- + +The `_random' module includes code based on a download from +`http://www.math.keio.ac.jp/~matumoto/MT2002/emt19937ar.html'. The +following are the verbatim comments from the original code: + + A C-program for MT19937, with initialization improved 2002/1/26. + Coded by Takuji Nishimura and Makoto Matsumoto. + + Before using, initialize the state by using init_genrand(seed) + or init_by_array(init_key, key_length). + + Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura, + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. The names of its contributors may not be used to endorse or promote + products derived from this software without specific prior written + permission. 
+ + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + Any feedback is very welcome. + http://www.math.keio.ac.jp/matumoto/emt.html + email: matumoto@math.keio.ac.jp + + +Sockets +------- + +The `socket' module uses the functions, `getaddrinfo', and +`getnameinfo', which are coded in separate source files from the WIDE +Project, `http://www.wide.ad.jp/about/index.html'. + + Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the project nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. 
+ + THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + GAI_ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + FOR GAI_ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON GAI_ANY THEORY OF LIABILITY, WHETHER + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN GAI_ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + + +Floating point exception control +-------------------------------- + +The source for the `fpectl' module includes the following notice: + + --------------------------------------------------------------------- + / Copyright (c) 1996. \ + | The Regents of the University of California. | + | All rights reserved. | + | | + | Permission to use, copy, modify, and distribute this software for | + | any purpose without fee is hereby granted, provided that this en- | + | tire notice is included in all copies of any software which is or | + | includes a copy or modification of this software and in all | + | copies of the supporting documentation for such software. | + | | + | This work was produced at the University of California, Lawrence | + | Livermore National Laboratory under contract no. W-7405-ENG-48 | + | between the U.S. Department of Energy and The Regents of the | + | University of California for the operation of UC LLNL. | + | | + | DISCLAIMER | + | | + | This software was prepared as an account of work sponsored by an | + | agency of the United States Government. 
Neither the United States | + | Government nor the University of California nor any of their em- | + | ployees, makes any warranty, express or implied, or assumes any | + | liability or responsibility for the accuracy, completeness, or | + | usefulness of any information, apparatus, product, or process | + | disclosed, or represents that its use would not infringe | + | privately-owned rights. Reference herein to any specific commer- | + | cial products, process, or service by trade name, trademark, | + | manufacturer, or otherwise, does not necessarily constitute or | + | imply its endorsement, recommendation, or favoring by the United | + | States Government or the University of California. The views and | + | opinions of authors expressed herein do not necessarily state or | + | reflect those of the United States Government or the University | + | of California, and shall not be used for advertising or product | + \ endorsement purposes. / + --------------------------------------------------------------------- + + +Cookie management +----------------- + +The `Cookie' module contains the following notice: + + Copyright 2000 by Timothy O'Malley + + All Rights Reserved + + Permission to use, copy, modify, and distribute this software + and its documentation for any purpose and without fee is hereby + granted, provided that the above copyright notice appear in all + copies and that both that copyright notice and this permission + notice appear in supporting documentation, and that the name of + Timothy O'Malley not be used in advertising or publicity + pertaining to distribution of the software without specific, written + prior permission. 
+ + Timothy O'Malley DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS + SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS, IN NO EVENT SHALL Timothy O'Malley BE LIABLE FOR + ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, + WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + PERFORMANCE OF THIS SOFTWARE. + + +Execution tracing +----------------- + +The `trace' module contains the following notice: + + portions copyright 2001, Autonomous Zones Industries, Inc., all rights... + err... reserved and offered to the public under the terms of the + Python 2.2 license. + Author: Zooko O'Whielacronx + http://zooko.com/ + mailto:zooko@zooko.com + + Copyright 2000, Mojam Media, Inc., all rights reserved. + Author: Skip Montanaro + + Copyright 1999, Bioreason, Inc., all rights reserved. + Author: Andrew Dalke + + Copyright 1995-1997, Automatrix, Inc., all rights reserved. + Author: Skip Montanaro + + Copyright 1991-1995, Stichting Mathematisch Centrum, all rights reserved. + + Permission to use, copy, modify, and distribute this Python software and + its associated documentation for any purpose without fee is hereby + granted, provided that the above copyright notice appears in all copies, + and that both that copyright notice and this permission notice appear in + supporting documentation, and that the name of neither Automatrix, + Bioreason or Mojam Media be used in advertising or publicity pertaining + to distribution of the software without specific, written prior + permission. + + +UUencode and UUdecode functions +------------------------------- + +The `uu' module contains the following notice: + + Copyright 1994 by Lance Ellinghouse + Cathedral City, California Republic, United States of America. 
+ All Rights Reserved + Permission to use, copy, modify, and distribute this software and its + documentation for any purpose and without fee is hereby granted, + provided that the above copyright notice appear in all copies and that + both that copyright notice and this permission notice appear in + supporting documentation, and that the name of Lance Ellinghouse + not be used in advertising or publicity pertaining to distribution + of the software without specific, written prior permission. + LANCE ELLINGHOUSE DISCLAIMS ALL WARRANTIES WITH REGARD TO + THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND + FITNESS, IN NO EVENT SHALL LANCE ELLINGHOUSE CENTRUM BE LIABLE + FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + Modified by Jack Jansen, CWI, July 1995: + - Use binascii module to do the actual line-by-line conversion + between ascii and binary. This results in a 1000-fold speedup. The C + version is still 5 times faster, though. 
+ - Arguments more compliant with python standard + + +XML Remote Procedure Calls +-------------------------- + +The `xmlrpclib' module contains the following notice: + + The XML-RPC client interface is + + Copyright (c) 1999-2002 by Secret Labs AB + Copyright (c) 1999-2002 by Fredrik Lundh + + By obtaining, using, and/or copying this software and/or its + associated documentation, you agree that you have read, understood, + and will comply with the following terms and conditions: + + Permission to use, copy, modify, and distribute this software and + its associated documentation for any purpose and without fee is + hereby granted, provided that the above copyright notice appears in + all copies, and that both that copyright notice and this permission + notice appear in supporting documentation, and that the name of + Secret Labs AB or the author not be used in advertising or publicity + pertaining to distribution of the software without specific, written + prior permission. + + SECRET LABS AB AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD + TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANT- + ABILITY AND FITNESS. IN NO EVENT SHALL SECRET LABS AB OR THE AUTHOR + BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY + DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, + WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE + OF THIS SOFTWARE. + +Licenses for Software linked to +=============================== + +Note that the choice of GPL compatibility outlined above doesn't extend +to modules linked to particular libraries, since they change the +effective License of the module binary. + + +GNU Readline +------------ + +The 'readline' module makes use of GNU Readline. 
+ + The GNU Readline Library is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public License as + published by the Free Software Foundation; either version 2, or (at + your option) any later version. + + On Debian systems, you can find the complete statement in + /usr/share/doc/readline-common/copyright'. A copy of the GNU General + Public License is available in /usr/share/common-licenses/GPL-2'. + + +OpenSSL +------- + +The '_ssl' module makes use of OpenSSL. + + The OpenSSL toolkit stays under a dual license, i.e. both the + conditions of the OpenSSL License and the original SSLeay license + apply to the toolkit. Actually both licenses are BSD-style Open + Source licenses. Note that both licenses are incompatible with + the GPL. + + On Debian systems, you can find the complete license text in + /usr/share/doc/openssl/copyright'. + + +Files with other licenses than the Python License +------------------------------------------------- + +Files: Include/dynamic_annotations.h +Files: Python/dynamic_annotations.c +Copyright: (c) 2008-2009, Google Inc. +License: Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Neither the name of Google Inc. nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +Files: Include/unicodeobject.h +Copyright: (c) Corporation for National Research Initiatives. +Copyright: (c) 1999 by Secret Labs AB. +Copyright: (c) 1999 by Fredrik Lundh. +License: By obtaining, using, and/or copying this software and/or its + associated documentation, you agree that you have read, understood, + and will comply with the following terms and conditions: + + Permission to use, copy, modify, and distribute this software and its + associated documentation for any purpose and without fee is hereby + granted, provided that the above copyright notice appears in all + copies, and that both that copyright notice and this permission notice + appear in supporting documentation, and that the name of Secret Labs + AB or the author not be used in advertising or publicity pertaining to + distribution of the software without specific, written prior + permission. + + SECRET LABS AB AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO + THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND + FITNESS. IN NO EVENT SHALL SECRET LABS AB OR THE AUTHOR BE LIABLE FOR + ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: Lib/logging/* +Copyright: 2001-2010 by Vinay Sajip. All Rights Reserved. 
+License: Permission to use, copy, modify, and distribute this software and + its documentation for any purpose and without fee is hereby granted, + provided that the above copyright notice appear in all copies and that + both that copyright notice and this permission notice appear in + supporting documentation, and that the name of Vinay Sajip + not be used in advertising or publicity pertaining to distribution + of the software without specific, written prior permission. + VINAY SAJIP DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING + ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + VINAY SAJIP BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR + ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER + IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: Lib/multiprocessing/* +Files: Modules/_multiprocessing/* +Copyright: (c) 2006-2008, R Oudkerk. All rights reserved. +License: Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of author nor the names of any contributors may be + used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +Files: Lib/sqlite3/* +Files: Modules/_sqlite/* +Copyright: (C) 2004-2005 Gerhard Häring +License: This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + +Files: Lib/async* +Copyright: Copyright 1996 by Sam Rushing +License: Permission to use, copy, modify, and distribute this software and + its documentation for any purpose and without fee is hereby + granted, provided that the above copyright notice appear in all + copies and that both that copyright notice and this permission + notice appear in supporting documentation, and that the name of Sam + Rushing not be used in advertising or publicity pertaining to + distribution of the software without specific, written prior + permission. 
+ + SAM RUSHING DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN + NO EVENT SHALL SAM RUSHING BE LIABLE FOR ANY SPECIAL, INDIRECT OR + CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS + OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: Lib/tarfile.py +Copyright: (C) 2002 Lars Gustaebel +License: Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, + copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following + conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES + OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT + HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + +Files: Lib/turtle.py +Copyright: (C) 2006 - 2010 Gregor Lingl +License: This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. 
+ + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + + is copyright Gregor Lingl and licensed under a BSD-like license + +Files: Modules/_ctypes/libffi/* +Copyright: Copyright (C) 1996-2011 Red Hat, Inc and others. + Copyright (C) 1996-2011 Anthony Green + Copyright (C) 1996-2010 Free Software Foundation, Inc + Copyright (c) 2003, 2004, 2006, 2007, 2008 Kaz Kojima + Copyright (c) 2010, 2011, Plausible Labs Cooperative , Inc. 
+ Copyright (c) 2010 CodeSourcery + Copyright (c) 1998 Andreas Schwab + Copyright (c) 2000 Hewlett Packard Company + Copyright (c) 2009 Bradley Smith + Copyright (c) 2008 David Daney + Copyright (c) 2004 Simon Posnjak + Copyright (c) 2005 Axis Communications AB + Copyright (c) 1998 Cygnus Solutions + Copyright (c) 2004 Renesas Technology + Copyright (c) 2002, 2007 Bo Thorsen + Copyright (c) 2002 Ranjit Mathew + Copyright (c) 2002 Roger Sayle + Copyright (c) 2000, 2007 Software AG + Copyright (c) 2003 Jakub Jelinek + Copyright (c) 2000, 2001 John Hornkvist + Copyright (c) 1998 Geoffrey Keating + Copyright (c) 2008 Björn König + +License: Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + ``Software''), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED ``AS IS'', WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT + HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + DEALINGS IN THE SOFTWARE. + + Documentation: + Permission is granted to copy, distribute and/or modify this document + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2, or (at your option) any + later version. 
A copy of the license is included in the + section entitled ``GNU General Public License''. + +Files: Modules/_gestalt.c +Copyright: 1991-1997 by Stichting Mathematisch Centrum, Amsterdam. +License: Permission to use, copy, modify, and distribute this software and its + documentation for any purpose and without fee is hereby granted, + provided that the above copyright notice appear in all copies and that + both that copyright notice and this permission notice appear in + supporting documentation, and that the names of Stichting Mathematisch + Centrum or CWI not be used in advertising or publicity pertaining to + distribution of the software without specific, written prior permission. + + STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO + THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND + FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE + FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: Modules/syslogmodule.c +Copyright: 1994 by Lance Ellinghouse +License: Permission to use, copy, modify, and distribute this software and its + documentation for any purpose and without fee is hereby granted, + provided that the above copyright notice appear in all copies and that + both that copyright notice and this permission notice appear in + supporting documentation, and that the name of Lance Ellinghouse + not be used in advertising or publicity pertaining to distribution + of the software without specific, written prior permission. 
+ + LANCE ELLINGHOUSE DISCLAIMS ALL WARRANTIES WITH REGARD TO + THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND + FITNESS, IN NO EVENT SHALL LANCE ELLINGHOUSE BE LIABLE FOR ANY SPECIAL, + INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: Modules/zlib/* +Copyright: (C) 1995-2010 Jean-loup Gailly and Mark Adler +License: This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + + Jean-loup Gailly Mark Adler + jloup@gzip.org madler@alumni.caltech.edu + + If you use the zlib library in a product, we would appreciate *not* receiving + lengthy legal documents to sign. The sources are provided for free but without + warranty of any kind. The library has been entirely written by Jean-loup + Gailly and Mark Adler; it does not include third-party code. 
+ +Files: Modules/expat/* +Copyright: Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd + and Clark Cooper + Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Expat maintainers +License: Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Files: Modules/_decimal/libmpdec/* +Copyright: Copyright (c) 2008-2012 Stefan Krah. All rights reserved. +License: Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. 
+ , + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +Files: Misc/python-mode.el +Copyright: Copyright (C) 1992,1993,1994 Tim Peters +License: This software is provided as-is, without express or implied + warranty. Permission to use, copy, modify, distribute or sell this + software, without fee, for any purpose and by any individual or + organization, is hereby granted, provided that the above copyright + notice and this paragraph appear in all copies. + +Files: Python/dtoa.c +Copyright: (c) 1991, 2000, 2001 by Lucent Technologies. +License: Permission to use, copy, modify, and distribute this software for any + purpose without fee is hereby granted, provided that this entire notice + is included in all copies of any software which is or includes a copy + or modification of this software and in all copies of the supporting + documentation for such software. + + THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED + WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR LUCENT MAKES ANY + REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY + OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. 
+ +Files: Python/getopt.c +Copyright: 1992-1994, David Gottner +License: Permission to use, copy, modify, and distribute this software and its + documentation for any purpose and without fee is hereby granted, + provided that the above copyright notice, this permission notice and + the following disclaimer notice appear unmodified in all copies. + + I DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL I + BE LIABLE FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY + DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA, OR PROFITS, WHETHER + IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: PC/_subprocess.c +Copyright: Copyright (c) 2004 by Fredrik Lundh + Copyright (c) 2004 by Secret Labs AB, http://www.pythonware.com + Copyright (c) 2004 by Peter Astrand +License: + * Permission to use, copy, modify, and distribute this software and + * its associated documentation for any purpose and without fee is + * hereby granted, provided that the above copyright notice appears in + * all copies, and that both that copyright notice and this permission + * notice appear in supporting documentation, and that the name of the + * authors not be used in advertising or publicity pertaining to + * distribution of the software without specific, written prior + * permission. + * + * THE AUTHORS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. + * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL, INDIRECT OR + * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS + * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+ +Files: PC/winsound.c +Copyright: Copyright (c) 1999 Toby Dickenson +License: * Permission to use this software in any way is granted without + * fee, provided that the copyright notice above appears in all + * copies. This software is provided "as is" without any warranty. + */ + +/* Modified by Guido van Rossum */ +/* Beep added by Mark Hammond */ +/* Win9X Beep and platform identification added by Uncle Timmy */ + +Files: Tools/pybench/* +Copyright: (c), 1997-2006, Marc-Andre Lemburg (mal@lemburg.com) + (c), 2000-2006, eGenix.com Software GmbH (info@egenix.com) +License: Permission to use, copy, modify, and distribute this software and its + documentation for any purpose and without fee or royalty is hereby + granted, provided that the above copyright notice appear in all copies + and that both that copyright notice and this permission notice appear + in supporting documentation or portions thereof, including + modifications, that you make. + + THE AUTHOR MARC-ANDRE LEMBURG DISCLAIMS ALL WARRANTIES WITH REGARD TO + THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND + FITNESS, IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, + INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + WITH THE USE OR PERFORMANCE OF THIS SOFTWARE ! diff --git a/content/cumulus-linux-43/Whats-New/licenses/smartmontools.txt b/content/cumulus-linux-43/Whats-New/licenses/smartmontools.txt index 476b25a4ce..560f8ff4a8 100644 --- a/content/cumulus-linux-43/Whats-New/licenses/smartmontools.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/smartmontools.txt 
@@ -1,19 +1,103 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: smartmontools +Upstream-Contact: Christian Franke Source: http://smartmontools.sourceforge.net/ Files: * -Copyright: Copyright (C) 2002-8 Bruce Allen - Copyright (C) 2004-15 Christian Franke +Copyright: + 2004-2020 Christian Franke + 2016 Casey Biemiller + 2014 Alex Samorukov + 2000 Andre Hedrick + 1999-2000 Michael Cornwell + 2002-2018 Bruce Allen + 2003-2015 Casper Dik + 2004-2010 David Snyder + 2003-2020 Douglas Gilbert + 2003-2010 Eduard Martinescu + 2012 Hank Wu + 2013 Hannes von Haugwitz + 2018 Harry Mallon + 2004-2008 Geoff Keating + 2007 Joerg Hering + 2008 Jordan Hargrave + 2016 Kimihiro Nonaka + 2015 Nidhi Malhotra + 2008 Oliver Bock + 2003-2008 Philip Williams + 2014 Raghava Aditya + 2003-2008 Sergey Svishchev + 2003-2008 SAWADA Keiji + 2004-2008 Yuri Dario + 1999-2003 3ware Inc. License: GPL-2+ +Files: + linux_nvme_ioctl.h +Copyright: + 2011-2014 Intel Corporation. +License: GPL-2 + +Files: + m4/pkg.m4 +Copyright: + 2004 Scott James Remnant . + 2012-2015 Dan Nicholson +License: GPL-2+ + +Files: + getopt/* + regex/* +Copyright: + 1987-2018 Free Software Foundation, Inc. +License: LGPL-2.1+ + +Files: + netbsd_nvme_ioctl.h +Copyright: 2014 David Gwynne +License: Expat-like + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: + cissio_freebsd.h + freebsd_nvme_ioctl.h + sg_unaligned.h +Copyright: + 2014-2018 Douglas Gilbert + 2012-2013 Intel Corporation + 2001 Michael Smith +License: BSD-2-Clause + +Files: + os_freebsd.h +Copyright: + 2000 BSDi + 2000 Michael Smith + 2003-2005 Vinod Kashyap + 2003-2010 Eduard Martinescu + 2003 Paul Saab + 2004-2005 Applied Micro Circuits Corporation. +License: BSD-2-Clause and GPL-2+ + Files: debian/* -Copyright: 2003-2009 Guido Guenther - 2009-2015 Giuseppe Iuculano - 2010 Florian Weimer - 2014 Eric Dorland - 2015 Tobias Frost - 2015-2016 Jonathan Dowland +Copyright: + 2019-2021 Dmitry Smirnov + 2003-2009 Guido Guenther + 2009-2015 Giuseppe Iuculano + 2010 Florian Weimer + 2014 Eric Dorland + 2015 Tobias Frost + 2015-2016 Jonathan Dowland License: GPL-2 License: GPL-2+ 
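Review bot: The `netbsd_nvme_ioctl.h` stanza is tagged `License: Expat-like`, but the grant that follows ("Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted ...") is the ISC wording rather than the Expat one; the ssh.txt file added further down carries the same paragraph and calls it ISC-style. A short name that matches the text would make automated license scans of these files more reliable. Minor: `Format:` moves to https here while the unchanged `Source: http://smartmontools.sourceforge.net/` line stays on http.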
@@ -32,3 +116,38 @@ License: GPL-2 . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + +License: LGPL-2.1+ + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + ․ + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + ․ + On Debian systems, the complete text of the GNU Lesser General Public + License Version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1". + +License: BSD-2-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + . + 1. Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/ssh.txt b/content/cumulus-linux-43/Whats-New/licenses/ssh.txt new file mode 100644 index 0000000000..ef1bc8e69c --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/ssh.txt 
@@ -0,0 +1,247 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: OpenSSH +Upstream-Contact: openssh-unix-dev@mindrot.org +Source: http://www.openssh.com/portable.html +Comment: + The overall licence of the OpenSSH upstream code amounts to BSD-3-clause or + various less restrictive licences, with the additional restrictions that + derived versions must be clearly marked as such and that if derived works + are incompatible with the RFC-specified protocol then they must be called + by a name other than "ssh" or "Secure Shell". + +Files: * +Copyright: + 1995 Tatu Ylonen , Espoo, Finland + Markus Friedl + Theo de Raadt + Niels Provos + Dug Song + Aaron Campbell + Damien Miller + Kevin Steves + Daniel Kouril + Wesley Griffin + Per Allansson + Nils Nordman + Simon Wilkinson + Ben Lindstrom + Tim Rice + Andre Lucas + Chris Adams + Corinna Vinschen + Cray Inc. + Denis Parker + Gert Doering + Jakob Schlyter + Jason Downs + Juha Yrjölä + Michael Stone + Networks Associates Technology, Inc. + Solar Designer + Todd C. Miller + Wayne Schroeder + William Jones + Darren Tucker + Sun Microsystems + The SCO Group + Daniel Walsh + Red Hat, Inc + Simon Vallet / Genoscope + Internet Software Consortium + Reyk Floeter + Chad Mynhier +License: OpenSSH + Tatu Ylonen's original licence is as follows (excluding some terms about + third-party code which are no longer relevant; see the LICENCE file for + details): + . + As far as I am concerned, the code I have written for this software + can be used freely for any purpose. Any derived versions of this + software must be clearly marked as such, and if the derived work is + incompatible with the protocol description in the RFC file, it must be + called by a name other than "ssh" or "Secure Shell". + . + Note that any information and cryptographic algorithms used in this + software are publicly available on the Internet and at any major + bookstore, scientific library, and patent office worldwide. 
More + information can be found e.g. at "http://www.cs.hut.fi/crypto". + . + The legal status of this program is some combination of all these + permissions and restrictions. Use only at your own responsibility. + You will be responsible for any legal consequences yourself; I am not + making any claims whether possessing or using this is legal or not in + your country, and I am not taking any responsibility on your behalf. + . + Most remaining components of the software are provided under a standard + 2-term BSD licence: + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + . + Some code is licensed under an ISC-style license, to the following + copyright holders: + . 
+ Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL + WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE + FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Files: ssh-keyscan.* +Copyright: 1995, 1996 David Mazieres +License: Mazieres-BSD-style + Modification and redistribution in source and binary forms is + permitted provided that due credit is given to the author and the + OpenBSD project by leaving this copyright notice intact. + +Files: rijndael.* +License: public-domain + This code is from a reference implementation of the Rijndael cipher which + has been dedicated to the public domain. + . + @version 3.0 (December 2000) + . + Optimised ANSI C code for the Rijndael cipher (now AES) + . + @author Vincent Rijmen + @author Antoon Bosselaers + @author Paulo Barreto + . + This code is hereby placed in the public domain. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +Files: loginrec.c openbsd-compat/* scp.c +Copyright: + 1983, 1995-1997 Eric P. Allman + 1999 Aaron Campbell + 1993 by Digital Equipment Corporation + 2000 Andre Lucas + 1999-2010 Damien Miller + 1997-2010 Todd C. Miller + 1995, 1996, 1998, 1999, 2008 Theo de Raadt + 2003 Constantin S. Svintsoff + 1980, 1983, 1987, 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995 The Regents of the University of California +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + +Files: md5crypt.* +Copyright: Poul-Henning Kamp +License: Beer-ware + "THE BEER-WARE LICENSE" (Revision 42): + wrote this file. As long as you retain this + notice you can do whatever you want with this stuff. If we meet + some day, and you think this stuff is worth it, you can buy me a + beer in return. Poul-Henning Kamp + +Files: openbsd-compat/bsd-snprintf.c +Copyright: 1995 Patrick Powell +License: Powell-BSD-style + This code is based on code written by Patrick Powell + (papowell@astart.com) It may be used for any purpose as long as this + notice remains intact on all source code distributions + +Files: openbsd-compat/sigact.* +Copyright: 1998, 2000 Free Software Foundation, Inc. +License: Expat-with-advertising-restriction + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, distribute with modifications, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . 
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR + THE USE OR OTHER DEALINGS IN THE SOFTWARE. + . + Except as contained in this notice, the name(s) of the above copyright + holders shall not be used in advertising or otherwise to promote the + sale, use or other dealings in this Software without prior written + authorization. + +Files: debian/* +Copyright: Matthew Vernon, Colin Watson +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/content/cumulus-linux-43/Whats-New/licenses/systemd-timesyncd.txt b/content/cumulus-linux-43/Whats-New/licenses/systemd-timesyncd.txt new file mode 100644 index 0000000000..8dc9bd1380 --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/systemd-timesyncd.txt 
@@ -0,0 +1,262 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: systemd +Upstream-Contact: systemd-devel@lists.freedesktop.org +Source: https://www.freedesktop.org/wiki/Software/systemd/ + +Files: * +Copyright: 2008-2015 Kay Sievers + 2010-2015 Lennart Poettering + 2012-2015 Zbigniew Jędrzejewski-Szmek + 2013-2015 Tom Gundersen + 2013-2015 Daniel Mack + 2010-2015 Harald Hoyer + 2013-2015 David Herrmann + 2013, 2014 Thomas H.P. Andersen + 2013, 2014 Daniel Buch + 2014 Susant Sahani + 2009-2015 Intel Corporation + 2000, 2005 Red Hat, Inc. + 2009 Alan Jenkins + 2010 ProFUSION embedded systems + 2010 Maarten Lankhorst + 1995-2004 Miquel van Smoorenburg + 1999 Tom Tromey + 2011 Michal Schmidt + 2012 B. Poettering + 2012 Holger Hans Peter Freyther + 2012 Dan Walsh + 2012 Roberto Sassu + 2013 David Strauss + 2013 Marius Vollmer + 2013 Jan Janssen + 2013 Simon Peeters +License: LGPL-2.1+ + +Files: src/basic/siphash24.h + src/basic/siphash24.c +Copyright: 2012 Jean-Philippe Aumasson + 2012 Daniel J. Bernstein +License: CC0-1.0 + +Files: src/basic/ioprio.h +Copyright: Jens Axboe +License: GPL-2 + +Files: src/shared/linux/* + src/basic/linux/* +Copyright: 2004-2009 Red Hat, Inc. + 2011-2014 PLUMgrid + 2001-2003 Sistina Software (UK) Limited. + 2008 Ian Kent + 1998 David S. Miller >davem@redhat.com> + 2001 Jeff Garzik + 2006-2010 Johannes Berg + 2008 Luis Carlos Cobo + 2008 Michael Buesch + 2008, 2009 Luis R. Rodriguez + 2008 Jouni Malinen + 2008 Colin McCabe + 2018-2019 Intel Corporation + 2007 Oracle. + 2009 Wolfgang Grandegger + 1999 Thomas Davis + 2015 Sabrina Dubroca + 1999-2000 Maxim Krasnyansky + 2015-2019 Jason A. Donenfeld +License: GPL-2 with Linux-syscall-note exception + +Files: src/basic/sparse-endian.h +Copyright: 2012 Josh Triplett +License: Expat + +Files: src/journal/lookup3.c + src/journal/lookup3.h +Copyright: none +License: public-domain + You can use this free for any purpose. It's in the public domain. 
It has no + warranty. + +Files: src/udev/ata_id/ata_id.c + src/udev/cdrom_id/cdrom_id.c + src/udev/mtd_probe/mtd_probe.c + src/udev/mtd_probe/mtd_probe.h + src/udev/mtd_probe/probe_smartmedia.c + src/udev/scsi_id/scsi.h + src/udev/scsi_id/scsi_id.c + src/udev/scsi_id/scsi_id.h + src/udev/scsi_id/scsi_serial.c + src/udev/udevadm.c + src/udev/udevadm-control.c + src/udev/udevadm.h + src/udev/udevadm-info.c + src/udev/udevadm-monitor.c + src/udev/udevadm-settle.c + src/udev/udevadm-test-builtin.c + src/udev/udevadm-test.c + src/udev/udevadm-trigger.c + src/udev/udevadm-util.c + src/udev/udevadm-util.h + src/udev/udev-builtin-blkid.c + src/udev/udev-builtin.h + src/udev/udev-builtin-input_id.c + src/udev/udev-builtin-kmod.c + src/udev/udev-builtin-path_id.c + src/udev/udev-builtin-uaccess.c + src/udev/udev-builtin-usb_id.c + src/udev/udev-ctrl.h + src/udev/udevd.c + src/udev/udev-event.c + src/udev/udev-event.h + src/udev/udev-node.c + src/udev/udev-node.h + src/udev/udev-rules.c + src/udev/udev-rules.h + src/udev/udev-watch.c + src/udev/udev-watch.h + src/udev/v4l_id/v4l_id.c +Copyright: 2003-2012 Kay Sievers + 2003-2004 Greg Kroah-Hartman + 2004 Chris Friesen + 2004, 2009, 2010 David Zeuthen + 2005, 2006 SUSE Linux Products GmbH + 2003 IBM Corp. + 2007 Hannes Reinecke + 2009 Canonical Ltd. + 2009 Scott James Remnant + 2009 Martin Pitt + 2009 Piter Punk + 2009, 2010 Lennart Poettering + 2009 Filippo Argiolas + 2010 Maxim Levitsky + 2011 ProFUSION embedded systems + 2011 Karel Zak + 2014 Zbigniew Jędrzejewski-Szmek + 2014 David Herrmann + 2014 Carlos Garnacho +License: GPL-2+ + +Files: src/udev/scsi_id/* +Copyright: 2003 IBM Corp. 
+License: GPL-2+ + +Files: debian/* +Copyright: 2010-2013 Tollef Fog Heen + 2013-2018 Michael Biebl + 2013 Michael Stapelberg +License: LGPL-2.1+ + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to + deal in the Software without restriction, including without limitation the + rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + sell copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + IN THE SOFTWARE. + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . 
+ On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + +License: GPL-2 with Linux-syscall-note exception + NOTE! This copyright does *not* cover user programs that use kernel services + by normal system calls - this is merely considered normal use of the kernel, + and does *not* fall under the heading of "derived work". Also note that the + GPL below is copyrighted by the Free Software Foundation, but the instance of + code that it refers to (the Linux kernel) is copyrighted by me and others who + actually wrote it. + . + Also note that the only valid version of the GPL as far as the kernel is + concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x + or whatever), unless explicitly otherwise stated. + . + Linus Torvalds + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2, or (at your option) + any later version. + . 
+ This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian systems, the complete text of the GNU General Public License + version 2 can be found in ‘/usr/share/common-licenses/GPL-2’. + +License: LGPL-2.1+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1, or (at your option) + any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public License along + with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian systems, the complete text of the GNU Lesser General Public + License version 2.1 can be found in ‘/usr/share/common-licenses/LGPL-2.1’. + +License: CC0-1.0 + To the extent possible under law, the author(s) have dedicated all copyright + and related and neighboring rights to this software to the public domain + worldwide. This software is distributed without any warranty. + . + You should have received a copy of the CC0 Public Domain Dedication along with + this software. If not, see . + . + On Debian systems, the complete text of the CC0 1.0 Universal license can be + found in ‘/usr/share/common-licenses/CC0-1.0’. 
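Review bot: The `src/shared/linux/*` stanza has a malformed address, `1998 David S. Miller >davem@redhat.com>` (the opening `>` should be `<`), and both GPL-2 paragraphs end with "On Debian and systems the full text", which reads as if a word was dropped. The index line gives this new file blob 8dc9bd1380, the same id systemd.txt ends up with in the next diff, so the two files are identical copies: fix both together, or keep one file and point the systemd-timesyncd entry at it so they cannot drift apart.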
diff --git a/content/cumulus-linux-43/Whats-New/licenses/systemd.txt b/content/cumulus-linux-43/Whats-New/licenses/systemd.txt index 1f66c2054a..8dc9bd1380 100644 --- a/content/cumulus-linux-43/Whats-New/licenses/systemd.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/systemd.txt @@ -38,18 +38,33 @@ Copyright: 2012 Jean-Philippe Aumasson 2012 Daniel J. Bernstein License: CC0-1.0 -Files: src/basic/securebits.h -Copyright: Linus Torvalds -License: GPL-2 - Files: src/basic/ioprio.h Copyright: Jens Axboe License: GPL-2 -Files: src/shared/linux/auto_dev-ioctl.h -Copyright: 2008 Red Hat, Inc. +Files: src/shared/linux/* + src/basic/linux/* +Copyright: 2004-2009 Red Hat, Inc. + 2011-2014 PLUMgrid + 2001-2003 Sistina Software (UK) Limited. 2008 Ian Kent -License: GPL-2+ + 1998 David S. Miller >davem@redhat.com> + 2001 Jeff Garzik + 2006-2010 Johannes Berg + 2008 Luis Carlos Cobo + 2008 Michael Buesch + 2008, 2009 Luis R. Rodriguez + 2008 Jouni Malinen + 2008 Colin McCabe + 2018-2019 Intel Corporation + 2007 Oracle. + 2009 Wolfgang Grandegger + 1999 Thomas Davis + 2015 Sabrina Dubroca + 1999-2000 Maxim Krasnyansky + 2015-2019 Jason A. Donenfeld +License: GPL-2 with Linux-syscall-note exception Files: src/basic/sparse-endian.h Copyright: 2012 Josh Triplett 
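Review bot: Folding `src/shared/linux/auto_dev-ioctl.h` into the new `Files: src/shared/linux/*` wildcard changes its recorded terms from GPL-2+ to "GPL-2 with Linux-syscall-note exception", and removing the `src/basic/securebits.h` stanza means that file, if it is still shipped, now falls under `Files: *` (LGPL-2.1+). Both are changes to what the document asserts about licensing, not just formatting, so please confirm them against the headers in the systemd source that this release actually ships and say so in the commit message.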
@@ -62,7 +77,44 @@ License: public-domain You can use this free for any purpose. It's in the public domain. It has no warranty. -Files: src/udev/* +Files: src/udev/ata_id/ata_id.c + src/udev/cdrom_id/cdrom_id.c + src/udev/mtd_probe/mtd_probe.c + src/udev/mtd_probe/mtd_probe.h + src/udev/mtd_probe/probe_smartmedia.c + src/udev/scsi_id/scsi.h + src/udev/scsi_id/scsi_id.c + src/udev/scsi_id/scsi_id.h + src/udev/scsi_id/scsi_serial.c + src/udev/udevadm.c + src/udev/udevadm-control.c + src/udev/udevadm.h + src/udev/udevadm-info.c + src/udev/udevadm-monitor.c + src/udev/udevadm-settle.c + src/udev/udevadm-test-builtin.c + src/udev/udevadm-test.c + src/udev/udevadm-trigger.c + src/udev/udevadm-util.c + src/udev/udevadm-util.h + src/udev/udev-builtin-blkid.c + src/udev/udev-builtin.h + src/udev/udev-builtin-input_id.c + src/udev/udev-builtin-kmod.c + src/udev/udev-builtin-path_id.c + src/udev/udev-builtin-uaccess.c + src/udev/udev-builtin-usb_id.c + src/udev/udev-ctrl.h + src/udev/udevd.c + src/udev/udev-event.c + src/udev/udev-event.h + src/udev/udev-node.c + src/udev/udev-node.h + src/udev/udev-rules.c + src/udev/udev-rules.h + src/udev/udev-watch.c + src/udev/udev-watch.h + src/udev/v4l_id/v4l_id.c Copyright: 2003-2012 Kay Sievers 2003-2004 Greg Kroah-Hartman 2004 Chris Friesen 
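Review bot: Replacing `Files: src/udev/*` with an explicit file list means any file under `src/udev/` that is not named here silently inherits `Files: *` (LGPL-2.1+) instead of this GPL-2+ stanza. If that fallback is intended, a one-line `Comment:` on the stanza would make it clear to the next person updating the list; if not, keep the wildcard and list only the exceptions.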
@@ -84,25 +136,9 @@ Copyright: 2003-2012 Kay Sievers 2014 Carlos Garnacho License: GPL-2+ -Files: src/udev/udev-ctrl.c - src/udev/udevadm-hwdb.c - src/udev/udev-builtin.c - src/udev/udev-builtin-net_id.c - src/udev/udev-builtin-net_setup_link.c - src/udev/udev-builtin-hwdb.c - src/udev/udev-builtin-btrfs.c - src/udev/udev-builtin-keyboard.c - src/udev/net/link-config.h - src/udev/net/link-config.c - src/udev/net/ethtool-util.c - src/udev/net/ethtool-util.h -Copyright: 2007-2013 Kay Sievers - 2013 Tom Gundersen -License: LGPL-2.1+ - -Files: src/udev/scsi_id/scsi.h +Files: src/udev/scsi_id/* Copyright: 2003 IBM Corp. -License: GPL-2 +License: GPL-2+ Files: debian/* Copyright: 2010-2013 Tollef Fog Heen 
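Review bot: The new `Files: src/udev/scsi_id/*` stanza overlaps the explicit `src/udev/scsi_id/scsi.h`, `scsi_id.c`, `scsi_id.h` and `scsi_serial.c` entries that the previous hunk adds to the Kay Sievers stanza. In the Debian copyright format the last matching stanza applies to a file, so those four files end up attributed to IBM Corp. alone; either keep the single-file `scsi.h` pattern here or remove the four paths from the earlier list. Separately, with `Files: src/udev/*` replaced by an explicit list and the LGPL-2.1+ stanza deleted, files such as `src/udev/udev-ctrl.c` and `src/udev/net/link-config.c` are matched by no stanza visible in this diff, so confirm they fall under a default stanza with the intended license.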
@@ -147,6 +183,37 @@ License: GPL-2 License version 2 can be found in the file `/usr/share/common-licenses/GPL-2` +License: GPL-2 with Linux-syscall-note exception + NOTE! This copyright does *not* cover user programs that use kernel services + by normal system calls - this is merely considered normal use of the kernel, + and does *not* fall under the heading of "derived work". Also note that the + GPL below is copyrighted by the Free Software Foundation, but the instance of + code that it refers to (the Linux kernel) is copyrighted by me and others who + actually wrote it. + . + Also note that the only valid version of the GPL as far as the kernel is + concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x + or whatever), unless explicitly otherwise stated. + . + Linus Torvalds + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/content/cumulus-linux-43/Whats-New/licenses/time.txt b/content/cumulus-linux-43/Whats-New/licenses/time.txt new file mode 100644 index 0000000000..1f17a2a42d --- /dev/null 
+++ b/content/cumulus-linux-43/Whats-New/licenses/time.txt 
@@ -0,0 +1,54 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: time +Upstream-Contact: bug-gnu-utils@gnu.org +Source: http://ftp.gnu.org/pub/gnu/time/time-1.7.tar.gz +Comment: + This is Debian GNU/Linux's prepackaged version of the FSF's GNU time utility. + `time' is a program that measures many of the CPU resources, such as time and + memory, that other programs use. It was written by David Keppel. It + was subsequently maintained and improved by David MacKenzie with help + from Arne Henrik Juul, and Francois Pinard. + . + This package was put together by Dirk Eddelbuettel from the previous + Debian package time-1.6-2 (from ftp.debian.org) and the GNU sources + for time-1.6. The package was subsequently maintained and updated by + Tollef Fog Heen, Salvatore Bonaccorso, and Bob Proulx. + +Files: * +Copyright: Copyright 1987-1996 Free Software Foundation, Inc. +License: GPL-2+ + +Files: debian/* +Copyright: Copyright 1995 Peter Tobias + Copyright 1995-2004 Dirk Eddelbuettel + Copyright 2005, 2008 Tollef Fog Heen + Copyright 2010 Salvatore Bonaccorso + Copyright 2012 Bob Proulx +License: GPL-2+ + +Files: debian/time.1 +Copyright: Copyright 1996 Dirk Eddelbuettel +License: freely redistributable + Copyright Dirk Eddelbuettel but freely redistributable + +License: GPL-2+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . 
+ You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. diff --git a/content/cumulus-linux-43/Whats-New/licenses/udev.txt b/content/cumulus-linux-43/Whats-New/licenses/udev.txt index 1f66c2054a..8dc9bd1380 100644 --- a/content/cumulus-linux-43/Whats-New/licenses/udev.txt +++ b/content/cumulus-linux-43/Whats-New/licenses/udev.txt @@ -38,18 +38,33 @@ Copyright: 2012 Jean-Philippe Aumasson 2012 Daniel J. Bernstein License: CC0-1.0 -Files: src/basic/securebits.h -Copyright: Linus Torvalds -License: GPL-2 - Files: src/basic/ioprio.h Copyright: Jens Axboe License: GPL-2 -Files: src/shared/linux/auto_dev-ioctl.h -Copyright: 2008 Red Hat, Inc. +Files: src/shared/linux/* + src/basic/linux/* +Copyright: 2004-2009 Red Hat, Inc. + 2011-2014 PLUMgrid + 2001-2003 Sistina Software (UK) Limited. 2008 Ian Kent -License: GPL-2+ + 1998 David S. Miller >davem@redhat.com> + 2001 Jeff Garzik + 2006-2010 Johannes Berg + 2008 Luis Carlos Cobo + 2008 Michael Buesch + 2008, 2009 Luis R. Rodriguez + 2008 Jouni Malinen + 2008 Colin McCabe + 2018-2019 Intel Corporation + 2007 Oracle. + 2009 Wolfgang Grandegger + 1999 Thomas Davis + 2015 Sabrina Dubroca + 1999-2000 Maxim Krasnyansky + 2015-2019 Jason A. Donenfeld +License: GPL-2 with Linux-syscall-note exception Files: src/basic/sparse-endian.h Copyright: 2012 Josh Triplett 
@@ -62,7 +77,44 @@ License: public-domain You can use this free for any purpose. It's in the public domain. It has no warranty. -Files: src/udev/* +Files: src/udev/ata_id/ata_id.c + src/udev/cdrom_id/cdrom_id.c + src/udev/mtd_probe/mtd_probe.c + src/udev/mtd_probe/mtd_probe.h + src/udev/mtd_probe/probe_smartmedia.c + src/udev/scsi_id/scsi.h + src/udev/scsi_id/scsi_id.c + src/udev/scsi_id/scsi_id.h + src/udev/scsi_id/scsi_serial.c + src/udev/udevadm.c + src/udev/udevadm-control.c + src/udev/udevadm.h + src/udev/udevadm-info.c + src/udev/udevadm-monitor.c + src/udev/udevadm-settle.c + src/udev/udevadm-test-builtin.c + src/udev/udevadm-test.c + src/udev/udevadm-trigger.c + src/udev/udevadm-util.c + src/udev/udevadm-util.h + src/udev/udev-builtin-blkid.c + src/udev/udev-builtin.h + src/udev/udev-builtin-input_id.c + src/udev/udev-builtin-kmod.c + src/udev/udev-builtin-path_id.c + src/udev/udev-builtin-uaccess.c + src/udev/udev-builtin-usb_id.c + src/udev/udev-ctrl.h + src/udev/udevd.c + src/udev/udev-event.c + src/udev/udev-event.h + src/udev/udev-node.c + src/udev/udev-node.h + src/udev/udev-rules.c + src/udev/udev-rules.h + src/udev/udev-watch.c + src/udev/udev-watch.h + src/udev/v4l_id/v4l_id.c Copyright: 2003-2012 Kay Sievers 2003-2004 Greg Kroah-Hartman 2004 Chris Friesen 
@@ -84,25 +136,9 @@ Copyright: 2003-2012 Kay Sievers 2014 Carlos Garnacho License: GPL-2+ -Files: src/udev/udev-ctrl.c - src/udev/udevadm-hwdb.c - src/udev/udev-builtin.c - src/udev/udev-builtin-net_id.c - src/udev/udev-builtin-net_setup_link.c - src/udev/udev-builtin-hwdb.c - src/udev/udev-builtin-btrfs.c - src/udev/udev-builtin-keyboard.c - src/udev/net/link-config.h - src/udev/net/link-config.c - src/udev/net/ethtool-util.c - src/udev/net/ethtool-util.h -Copyright: 2007-2013 Kay Sievers - 2013 Tom Gundersen -License: LGPL-2.1+ - -Files: src/udev/scsi_id/scsi.h +Files: src/udev/scsi_id/* Copyright: 2003 IBM Corp. -License: GPL-2 +License: GPL-2+ Files: debian/* Copyright: 2010-2013 Tollef Fog Heen 
@@ -147,6 +183,37 @@ License: GPL-2 License version 2 can be found in the file `/usr/share/common-licenses/GPL-2` +License: GPL-2 with Linux-syscall-note exception + NOTE! This copyright does *not* cover user programs that use kernel services + by normal system calls - this is merely considered normal use of the kernel, + and does *not* fall under the heading of "derived work". Also note that the + GPL below is copyrighted by the Free Software Foundation, but the instance of + code that it refers to (the Linux kernel) is copyrighted by me and others who + actually wrote it. + . + Also note that the only valid version of the GPL as far as the kernel is + concerned is _this_ particular version of the license (ie v2, not v2.2 or v3.x + or whatever), unless explicitly otherwise stated. + . + Linus Torvalds + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + . + On Debian and systems the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2` + License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/content/cumulus-linux-43/Whats-New/licenses/zsh-common.txt b/content/cumulus-linux-43/Whats-New/licenses/zsh-common.txt new file mode 100644 index 0000000000..7c123aae5b --- /dev/null 
+++ b/content/cumulus-linux-43/Whats-New/licenses/zsh-common.txt 
@@ -0,0 +1,163 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Zsh (Z Shell) +Upstream-Contact: zsh-workers@zsh.org +Source: https://www.zsh.org/pub/ + ftp://ftp.zsh.org/pub/ + https://sourceforge.net/projects/zsh/files/ + +Files: * +Copyright: 1992-2014 The Zsh Development Group (Paul Falstad, Richard + Coleman, Zoltán Hidvégi, Andrew Main, Peter W. Stephenson, + Sven Wischnowsky, and others). All rights reserved. + Individual authors, whether or not specifically named, + retain copyright in all changes. +Comment: + The Z shell is distributed under the following licence; any + provisions made in individual files take precedence. +License: Zsh + +Files: debian/* +Copyright: 1996 Robert Leslie + 1997-2011 Clint Adams + 2011-2012 Michael Prokop + 2011-2014 Frank Terbeck + 2011-2014 Axel Beckert + 2012-2013 Richard Hartmann +License: Expat + +Files: Src/compat.c +Comment: This applies to portions of Src/compat.c, the remainder is + under the copyright of The Zsh Development Group and licensed under + the Zsh license as mentioned above. +Copyright: 1990, 1993 The Regents of the University of California +License: BSD-3 + +Files: Completion/Unix/Command/_hg +Copyright: 2005, 2006 Steve Borho + 2006-2009 Brendan Cully +License: Zsh + +Files: Completion/Unix/Command/_darcs +Copyright: 2009 Nicolas Pouillard +License: GPL-2+ + +Files: Completion/openSUSE/Command/_osc +Copyright: 2009, 2010 Holger Macht +License: GPL-2 + +Files: Completion/openSUSE/Command/_zypper +Copyright: 2009 Holger Macht + 2014 Thomas Mitterfellner + 2014 Mariusz Fik +License: GPL-2 + +Files: Misc/make-zsh-urls +Copyright: 1999 Adam Spiers +License: Artistic or GPL-1+ or Zsh +Comment: + This program is free software; you can redistribute it and/or modify + it under the same terms as Perl or zsh. + +Files: Etc/FAQ.yo +Copyright: 1995-2000, 2012 Peter W. Stephenson +License: PWS-Zsh-FAQ + This text originates in the U.K. 
and the author asserts his moral + rights under the Copyrights, Designs and Patents Act, 1988. + . + Permission is hereby granted, without written agreement and without + license or royalty fees, to use, copy, modify, and distribute this + documentation for any purpose, provided that the above copyright + notice appears in all copies of this documentation. + +License: Zsh + Permission is hereby granted, without written agreement and without + licence or royalty fees, to use, copy, modify, and distribute this + software and to distribute modified versions of this software for any + purpose, provided that the above copyright notice and the following + two paragraphs appear in all copies of this software. + . + In no event shall the copy right owners liable to any party for + direct, indirect, special, incidental, or consequential damages + arising out of the use of this software and its documentation, even + if and the copyright owners have been advised of the possibility of + such damage. + . + The copyright owners specifically disclaim any warranties, including, + but not limited to, the implied warranties of merchantability and + fitness for a particular purpose. The software provided hereunder is + on an "as is" basis, and the copyright owners have no obligation to + provide maintenance, support, updates, enhancements, or + modifications. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . 
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: BSD-3 + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + * Neither the name of the nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or (at + your option) any later version. + . + On Debian systems, the full text of the GNU General Public License + version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +License: GPL-2 + On Debian systems, the full text of the GNU General Public License + version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +License: GPL-1+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 1 of the License, or (at + your option) any later version. + . + On Debian systems, the full text of the GNU General Public License + version 1 can be found in `/usr/share/common-licenses/GPL-1'. + +License: Artistic + On Debian GNU/Linux systems, the complete text of the + Artistic Licence can be found in `/usr/share/common-licenses/Artistic'. diff --git a/content/cumulus-linux-43/Whats-New/licenses/zsh.txt b/content/cumulus-linux-43/Whats-New/licenses/zsh.txt new file mode 100644 index 0000000000..7c123aae5b --- /dev/null +++ b/content/cumulus-linux-43/Whats-New/licenses/zsh.txt 
@@ -0,0 +1,163 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Zsh (Z Shell) +Upstream-Contact: zsh-workers@zsh.org +Source: https://www.zsh.org/pub/ + ftp://ftp.zsh.org/pub/ + https://sourceforge.net/projects/zsh/files/ + +Files: * +Copyright: 1992-2014 The Zsh Development Group (Paul Falstad, Richard + Coleman, Zoltán Hidvégi, Andrew Main, Peter W. Stephenson, + Sven Wischnowsky, and others). All rights reserved. + Individual authors, whether or not specifically named, + retain copyright in all changes. +Comment: + The Z shell is distributed under the following licence; any + provisions made in individual files take precedence. +License: Zsh + +Files: debian/* +Copyright: 1996 Robert Leslie + 1997-2011 Clint Adams + 2011-2012 Michael Prokop + 2011-2014 Frank Terbeck + 2011-2014 Axel Beckert + 2012-2013 Richard Hartmann +License: Expat + +Files: Src/compat.c +Comment: This applies to portions of Src/compat.c, the remainder is + under the copyright of The Zsh Development Group and licensed under + the Zsh license as mentioned above. +Copyright: 1990, 1993 The Regents of the University of California +License: BSD-3 + +Files: Completion/Unix/Command/_hg +Copyright: 2005, 2006 Steve Borho + 2006-2009 Brendan Cully +License: Zsh + +Files: Completion/Unix/Command/_darcs +Copyright: 2009 Nicolas Pouillard +License: GPL-2+ + +Files: Completion/openSUSE/Command/_osc +Copyright: 2009, 2010 Holger Macht +License: GPL-2 + +Files: Completion/openSUSE/Command/_zypper +Copyright: 2009 Holger Macht + 2014 Thomas Mitterfellner + 2014 Mariusz Fik +License: GPL-2 + +Files: Misc/make-zsh-urls +Copyright: 1999 Adam Spiers +License: Artistic or GPL-1+ or Zsh +Comment: + This program is free software; you can redistribute it and/or modify + it under the same terms as Perl or zsh. + +Files: Etc/FAQ.yo +Copyright: 1995-2000, 2012 Peter W. Stephenson +License: PWS-Zsh-FAQ + This text originates in the U.K. 
and the author asserts his moral + rights under the Copyrights, Designs and Patents Act, 1988. + . + Permission is hereby granted, without written agreement and without + license or royalty fees, to use, copy, modify, and distribute this + documentation for any purpose, provided that the above copyright + notice appears in all copies of this documentation. + +License: Zsh + Permission is hereby granted, without written agreement and without + licence or royalty fees, to use, copy, modify, and distribute this + software and to distribute modified versions of this software for any + purpose, provided that the above copyright notice and the following + two paragraphs appear in all copies of this software. + . + In no event shall the copy right owners liable to any party for + direct, indirect, special, incidental, or consequential damages + arising out of the use of this software and its documentation, even + if and the copyright owners have been advised of the possibility of + such damage. + . + The copyright owners specifically disclaim any warranties, including, + but not limited to, the implied warranties of merchantability and + fitness for a particular purpose. The software provided hereunder is + on an "as is" basis, and the copyright owners have no obligation to + provide maintenance, support, updates, enhancements, or + modifications. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . 
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: BSD-3 + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + * Neither the name of the nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or (at + your option) any later version. + . + On Debian systems, the full text of the GNU General Public License + version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +License: GPL-2 + On Debian systems, the full text of the GNU General Public License + version 2 can be found in `/usr/share/common-licenses/GPL-2'. + +License: GPL-1+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 1 of the License, or (at + your option) any later version. + . + On Debian systems, the full text of the GNU General Public License + version 1 can be found in `/usr/share/common-licenses/GPL-1'. + +License: Artistic + On Debian GNU/Linux systems, the complete text of the + Artistic Licence can be found in `/usr/share/common-licenses/Artistic'. diff --git a/utils/build_foss_licenses.py b/utils/build_foss_licenses.py index bc26d58ac9..000adf5901 100644 --- a/utils/build_foss_licenses.py +++ b/utils/build_foss_licenses.py 
@@ -295,7 +295,7 @@ def get_products(): ''' # Some versions are included in the JSON file that don't have correct licenses # This is the list of versions to exclude from processing - cl_exclude_list = ["3.7.12", "4.1.0", "4.1.1", "4.2.0", "4.3.0", "4.3.1", "4.4.0", "4.4.1", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.5", "5.0.1", "5.1.0", "5.2.0", "5.3.0", "5.3.1", "5.4.0", "5.5.0", "5.5.1", "5.6.0"] + cl_exclude_list = ["3.7.12", "4.1.0", "4.1.1", "4.2.0", "4.3.0", "4.3.1", "4.3.2", "4.4.0", "4.4.1", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.5", "5.0.1", "5.1.0", "5.2.0", "5.3.0", "5.3.1", "5.4.0", "5.5.0", "5.5.1", "5.6.0"] netq_exclude_list = ["4.1.0", "4.2.0", "4.3.0", "4.4.0", "4.5.0", "4.6.0", "4.7.0", "4.8.0"] session = requests.Session() From ef552705d7efe851d325291d6a5df51f91c9ea5a Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 15 Nov 2023 13:31:15 -0800 Subject: [PATCH 028/204] updates to dot1x --- .../802.1X-Interfaces.md | 370 ++++++++---------- content/cumulus-linux-57/Whats-New/_index.md | 2 - 2 files changed, 156 insertions(+), 216 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index 085b484601..efc804b38e 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md 
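Review bot: In utils/build_foss_licenses.py, `cl_exclude_list` lists `"4.4.1"` twice, and this change carries the duplicate forward while adding `"4.3.2"`. Drop the repeated entry, and extend the comment above the list to say why 4.3.2 is excluded, since the same patch adds license files under content/cumulus-linux-43. Because the list grows by hand with each release, a set would make accidental duplicates harmless.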
@@ -4,18 +4,19 @@ author: NVIDIA weight: 315 toc: 3 --- -The {{}} provides a method of authenticating a client (called a *supplicant*) over wired media. It also provides access for individual MAC addresses on a switch (called the *authenticator*) after an authentication server authenticates the MAC addresses. The authentication server is typically a {{}} (Remote Authentication Dial In User Service, defined by {{}}) server. +The {{}} provides a way to authenticate a client (called a *supplicant*) over wired media. It also provides access for individual MAC addresses on a switch (called the *authenticator*) after an authentication server authenticates the MAC addresses. The authentication server is typically a [RADIUS](## "Remote Authentication Dial In User Service") server. -A Cumulus Linux switch acts as an intermediary between the clients connected to the wired ports and the authentication server, which is reachable over the existing network. [EAPOL](## "Extensible Authentication Protocol (EAP) over LAN") (EtherType value of 0x888E, defined by {{}}) operates on top of the data link layer; the switch uses EAPOL to communicate with supplicants connected to the switch ports. +A Cumulus Linux switch acts as an intermediary between the clients connected to the wired ports and the authentication server, which is reachable over the existing network. [EAPOL](## "Extensible Authentication Protocol (EAP) over LAN") operates on top of the data link layer; the switch uses EAPOL to communicate with supplicants connected to the switch ports. Cumulus Linux implements 802.1X through the Debian `hostapd` package, with modifications to provide the [PAE](## "Port Access Entity"). {{< img src = "/images/cumulus-linux/802.1X.png" >}} -Cumulus Linux supports parking VLAN, dynamic VLAN, and MAB (MAC-based authentication bypass) on 802.1X interfaces. +Cumulus Linux supports parking VLAN, dynamic VLAN, and [MAB](## "MAC-based authentication bypass") on 802.1X interfaces. 
{{%notice note%}} -- Cumulus Linux supports 802.1X on routed interfaces and physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. 802.1X is **not** supported on eth0. +- Cumulus Linux supports 802.1X on routed interfaces and physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. +- eth0 does not support 802.1X. - 802.1X on Cumulus Linux is tested with only a few `wpa_supplicant` (Debian), Windows 10 and Windows 7 supplicants. - RADIUS authentication is supported with FreeRADIUS and Cisco ACS. - 802.1X supports simple login and password, PEAP/MSCHAPv2 (Win7) and EAP-TLS (Debian). 
@@ -55,11 +56,11 @@ To configure an 802.1X interface: - **Required**: Provide the 802.1X RADIUS shared secret. - Optional: Change the default 802.1X RADIUS accounting port. The default port is 1813. - Optional: Change the default 802.1X RADIUS authentication port. The default port is 1812. -- Optional: Provide the reauthentication period for [EAP](## "Extensible Authentication Protocol"). By default, re-authentication is disabled with a reauthentication period of 0. You can set a value between 0-86640. +- Optional: Provide the reauthentication period for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. - **Required**: Enable 802.1X on an interface. {{%notice note%}} -Changing the 802.1X interface settings do *not* reset existing authorized user ports. However, removing all 802.1X interfaces or changing the RADIUS server IP address, shared secret, authentication port, or accounting port restarts `hostapd`, which forces existing, authorized users to re-authenticate. +Changing the 802.1X interface settings does *not* reset existing authorized user ports. However, removing all 802.1X interfaces or changing the RADIUS server IP address, shared secret, authentication port, accounting port, or EAP reauthentication period restarts `hostapd`, which forces existing, authorized users to re-authenticate. {{%/notice%}} {{< tabs "TabID64 ">}} 
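Review bot: The reauthentication bullet still gives the range as 0-86640 but no longer says that 0 is the value that disables reauthentication, so a reader cannot tell what setting 0 does. Keep the mapping, for example "By default, reauthentication is disabled (a period of 0)". The hunk also moves to the spelling "reauthentication" while the rewritten notice ends with "re-authenticate"; pick one form.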
@@ -82,11 +83,11 @@ The following example: - Sets the 802.1X RADIUS shared secret to mysecret. - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. -- Sets re-authentication for [EAP](## "Extensible Authentication Protocol"), by setting the reauthentication period to 60. -- Enables 802.1X on swp1 through swp3. +- Sets the EAP reauthentication period to 60. +- Enables 802.1X on swp1, swp2, and swp3. ``` -cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 vrf turtle +cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 vrf BLUE cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 shared-secret mysecret cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 authentication-port 2812 cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 accounting-port 2813 
@@ -94,7 +95,7 @@ cumulus@switch:~$ nv set system dot1x reauthentication-interval 60 cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled cumulus@switch:~$ nv config apply ``` - -- radius\_das\_port= -- radius\_das\_time\_window=300 -- radius\_das\_require\_event\_timestamp=1 -- radius\_das\_require\_message\_authenticator=1 +Edit the `/etc/hostapd.conf` file to set the following options: +- `dynamic_vlan` Specify 1 for VLAN attributes to be optional. Specify 2 to require VLAN attributes; if VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN, if you have configured parking VLAN). +- `radius_das_port` +- `radius_das_time_window` +- `radius_das_require_event_timestamp` +- `radius_das_require_message_authenticator` Remove the `eap_send_identity=0` option. For example: ``` cumulus@switch:~$ sudo nano /etc/hostapd.conf -eap_server=0 -ieee8021x=1 -driver=wired +... dynamic_vlan=1 -interfaces=swp1,swp2,swp3,swp4 -mab_interfaces= -parking_vlan_interfaces=swp1 -parking_vlan_id=777 -mab_activation_delay=30 -eap_reauth_period=0 -ctrl_interface=/var/run/hostapd -nas_identifier=localhost -auth_server_addr=127.0.0.1 -auth_server_port=1812 -auth_server_shared_secret=mysecret -acct_server_addr= -acct_server_port=1813 -acct_server_shared_secret= -radius_das_port= +... +radius_das_port=swp1 radius_das_time_window=300 radius_das_require_event_timestamp=1 radius_das_require_message_authenticator=1 ``` - -Restart the `hostapd` service : + +Restart the `hostapd` service: ``` cumulus@switch:~$ sudo systemctl restart hostapd 
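Review bot: The example sets `radius_das_port=swp1`, an interface name on an option that upstream hostapd defines as the UDP port for RADIUS dynamic authorization (DAS), and the bullet list gives no description for it or for the other `radius_das_*` options. Confirm the intended value and describe each option the way `dynamic_vlan` is described, including what `radius_das_require_message_authenticator` and `radius_das_require_event_timestamp` enforce. The `dynamic_vlan` bullet also ends with an unmatched `)` after "if you have configured parking VLAN".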
@@ -486,37 +461,12 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -Edit the `/etc/hostapd.conf` file to remove the following options: - -- dynamic_vlan=1 -- radius\_das\_port= -- radius\_das\_time\_window=300 -- radius\_das\_require\_event\_timestamp=1 -- radius\_das\_require\_message\_authenticator=1 - -Add the `eap_send_identity=0` option. The following example shows the options in the `/etc/hostapd.conf` file - -``` -cumulus@switch:~$ sudo nano /etc/hostapd.conf -eap_server=0 -ieee8021x=1 -driver=wired -interfaces= -mab_interfaces= -parking_vlan_interfaces=swp1 -parking_vlan_id=777 -mab_activation_delay=30 -eap_reauth_period=0 -eap_send_identity=0 -ctrl_interface=/var/run/hostapd -nas_identifier=localhost -auth_server_addr=127.0.0.1 -auth_server_port=1812 -auth_server_shared_secret=mysecret -acct_server_addr= -acct_server_port=1813 -acct_server_shared_secret= -``` +Edit the `/etc/hostapd.conf` file to add the `eap_send_identity=0` option and to remove the following options: +- `dynamic_vlan=1` +- `radius_das_port=` +- `radius_das_time_window=300` +- `radius_das_require_event_timestamp=1` +- `radius_das_require_message_authenticator=1` Restart the `hostapd` service. 
@@ -543,39 +493,41 @@ DACLs work with Voice VLAN for phones (MDA). {{%notice note%}} - You can configure DACLs for {{}} only. -- Port security (MAC address restrictions) cannot be used at the same time as DACLs. -- Cumulus Linux does not support configuring both Dynamic VLAN and DACLs at the same time on a switch port. +- You cannot configure both port security (MAC address restrictions) and DACLs at the same time. +- You cannot configure both Dynamic VLAN and DACLs at the same time on a switch port. - The source MAC address of the user gaining authorization in the `ebtables` filter replaces the `from any` source IPv4 address. -- Only a single destination port integer is supported; port ranges are not supported. -- Any IPv4 protocol is supported either by name or number as supported in the Cumulus Linux `ebtables` implementation. +- Cumulus Linux supports only a single destination port integer; you cannot use port ranges. +- Cumulus Linux supports any IPv4 protocol either by name or number as in the Cumulus Linux `ebtables` implementation. {{%/notice%}} ### How It Works -1. A supplicant sends packets over a network port. A {{}} executes. You can manually create your own pre-auth ACL filter or just use the Cumulus Linux default ({{}}). There are no NVUE commands for creating the filter itself. -1. When `dot1x dynamic-acl` is {{}}, Cumulus Linux installs the pre-auth ACL defaults for the port. -1. When a supplicant on the port tries to get 802.1X authorized, the RADIUS server may (or may not) send along some {{}} in the Access-Accept message. -1. If any filters are sent from the RADIUS server, Cumulus Linux applies them before the default pre-auth ACL. -1. If no filters are sent, Cumulus Linux leaves the defaults in place, and no special access is granted to the user. +1. A supplicant sends packets over a network port. A {{}} executes. You can manually create your own pre-auth ACL filter or just use the Cumulus Linux default ({{}}). +1. 
When you {{}}, Cumulus Linux installs the pre-auth ACL defaults for the port. +1. When a supplicant on the port tries to get 802.1X authorized, the RADIUS server might send along {{}} in the Access-Accept message. +1. If the RADIUS server sends any filters, Cumulus Linux applies them before the default pre-auth ACL. +1. If the RADIUS server does not send any filters, Cumulus Linux leaves the defaults in place and no special access is granted to the user. ### The NAS-Filter-Rule Attribute -The NAS-Filter-Rule attribute is a string of one or more octets that contains filter rules in the IPFilterRule syntax defined by {{}}. The IPFilterRule filters **must** follow this format: +The NAS-Filter-Rule attribute is a string of one or more octets that contains filter rules in IPFilterRule syntax defined by {{}}. The IPFilterRule filters **must** follow this format: - action dir proto from src to dst [options] +``` +action dir proto from src to dst [options] +``` | Keyword | Definition | | --------- | ---------- | -| `action` | _permit_: Allow packets that match the rule.
_deny_: Drop packets that match the rule. | -| `dir` | Direction: _in_ is from the terminal, _out_ is to the terminal. Only the _in_ direction is supported. | -| `proto` | An IP protocol specified by number. The `ip` keyword means any protocol will match. Only IPv4 ACLs are supported. | -| `src` / `dst` | Source and destination IP address/subnet mask, and optional ports. | +| `action` | `permit` allows packets that match the rule. `deny` drops packets that match the rule. | +| `dir` | The direction: `in` is from the terminal and `out` is to the terminal. Cumulus Linux supports only the `in` direction. | +| `proto` | An IP protocol specified by number. `ip` matches any protocol. Cumulus Linux supports only IPv4 ACLs. | +| `src` and `dst` | Source and destination IP address, subnet mask, and optional ports. | -The syntax for NAS-Filter-Rule attributes configured in the RADIUS server varies widely by RADIUS vendor. But the resulting format for these rules contained in the Access-Accept must conform to the IPFilterRule syntax defined in by {{}}, Section 4.3, as mentioned above. When the Cumulus Linux switch gets these rules for a particular user, they are converted to `ebtables` rules using the actual user MAC address, and are then combined with the default pre-auth ACL rules. +The syntax for NAS-Filter-Rule attributes configured in the RADIUS server varies widely by RADIUS vendor. However, the resulting format for these rules in the Access-Accept must conform to the IPFilterRule syntax defined in {{}}, Section 4.3, as mentioned above. When the Cumulus Linux switch gets these rules for a particular user, it converts them to `ebtable` rules using the actual user MAC address, then combines them with the default pre-auth ACL rules. The rules for the appropriate direction are evaluated in order, with the first matched rule terminating the evaluation. Each packet is evaluated once. If no rule matches, the packet is dropped if the last rule was a deny. 
-If these rules are invalid — for example, they contain port ranges or IPv6 addresses — the port does not get authorized and a log message is written to `/var/log/syslog`. +If these rules are invalid (for example, they contain port ranges or IPv6 addresses), the port does not get authorized and a log message is written to `/var/log/syslog`. ### Get Started @@ -587,11 +539,11 @@ To start applying a DACL to a port, configure the {{}} server. +Configure DACLs on the RADIUS server on your network using the methods provided by the RADIUS software, then enable them for one or more switch ports on a given switch. This section shows the configuration methods for the {{}} server. #### Configure the RADIUS Server -On the RADIUS server, set the password for the RADIUS client (the Cumulus Linux switch) in the `/etc/freeradius/3.0/clients.conf` file as follows, using the src IP address of the switch: +On the RADIUS server, set the password for the RADIUS client (the Cumulus Linux switch) in the `/etc/freeradius/3.0/clients.conf` file as follows, using the source IP address of the switch: ``` client leaf01 { @@ -621,7 +573,7 @@ leaf01 Cleartext-Password := "CumulusLinux!" NAS-Filter-Rule = "deny in ip from any to any" ``` -`ebtables` converts this to a temporary file on the switch with a name similar to `/etc/cumulus/acl/policy.d/150_dot1x_dacl_swp2_000200000002.rules` (the filename is always prefaced with _150\__; default rule filenames are prefaced with _200\__). It looks like the following: +`ebtables` converts this to a temporary file on the switch with a name similar to `/etc/cumulus/acl/policy.d/150_dot1x_dacl_swp2_000200000002.rules` (the filename is always prefaced with `150_`; default rule filenames are prefaced with `200_`). It looks like the following: ``` cumulus@switch:~$ cat /etc/cumulus/acl/policy.d/150_dot1x_dacl_swp2_000200000002.rules 
@@ -656,56 +608,59 @@ cumulus@switch:~$ cat /etc/cumulus/acl/policy.d/150_dot1x_dacl_swp2_000200000002 ``` {{%notice tip%}} -In the above rules file, the `--set-mark 2` option ensures that the nearly identical next rule gets installed in the dedicated TCAM slice for 802.1X. +In the above rules file, the `--set-mark 2` option ensures that the nearly identical next rule installs in the dedicated TCAM slice for 802.1X. {{%/notice%}} #### Configure the RADIUS Client The Cumulus Linux switch is the RADIUS client. -1. Edit the `/etc/hostapd.conf` file to configure the RADIUS client and the DACL interface. The example below sets the IP address of the 802.1X RADIUS server to 10.0.0.1 (`auth_server_addr=10.0.0.1`), the shared secret to mysecret (`auth_server_shared_secret=mysecret`), 802.1X on swp1 and swp2 (`interfaces=swp1,swp2`), and swp2 as a DACL interface (`dynamic_acl_interfaces=swp2`). - - cumulus@switch:~$ sudo nano /etc/hostapd.conf - eap_server=0 - ieee8021x=1 - driver=wired - dynamic_vlan=0 - eap_send_identity=0 - interfaces=swp1,swp2 - voice_interfaces= - mab_interfaces= - dynamic_acl_interfaces=swp2 - default_dynamic_acl=default_preauth_dacl.rules - parking_vlan_interfaces= - parking_vlan_id= - mab_activation_delay=0 - max_num_sta=4 - eap_reauth_period=0 - ctrl_interface=/run/hostapd - nas_identifier=localhost - auth_server_addr=10.0.0.1 - auth_server_port=1812 - auth_server_shared_secret=mysecret - acct_server_addr=10.0.0.1 - acct_server_port=1813 - acct_server_shared_secret=mysecret - radius_das_port= - radius_das_time_window=300 - radius_das_require_event_timestamp=1 - radius_das_require_message_authenticator=1 - -2. Enable then restart the `hostapd` service so that the configuration persists between reboots: - - ``` - cumulus@switch:~$ sudo systemctl enable hostapd - cumulus@switch:~$ sudo systemctl restart hostapd - ``` +Edit the `/etc/hostapd.conf` file to configure the RADIUS client and the DACL interface. 
+ +The example below sets the IP address of the 802.1X RADIUS server to 10.0.0.1 (`auth_server_addr=10.0.0.1`) and the shared secret to mysecret (`auth_server_shared_secret=mysecret`), enables 802.1X on swp1 and swp2 (`interfaces=swp1,swp2`), and sets swp2 as a DACL interface (`dynamic_acl_interfaces=swp2`). + +``` +cumulus@switch:~$ sudo nano /etc/hostapd.conf +eap_server=0 +ieee8021x=1 +driver=wired +dynamic_vlan=0 +eap_send_identity=0 +interfaces=swp1,swp2 +voice_interfaces= +mab_interfaces= +dynamic_acl_interfaces=swp2 +default_dynamic_acl=default_preauth_dacl.rules +parking_vlan_interfaces= +parking_vlan_id= +mab_activation_delay=0 +max_num_sta=4 +eap_reauth_period=0 +ctrl_interface=/run/hostapd +nas_identifier=localhost +auth_server_addr=10.0.0.1 +auth_server_port=1812 +auth_server_shared_secret=mysecret +acct_server_addr=10.0.0.1 +acct_server_port=1813 +acct_server_shared_secret=mysecret +radius_das_port= +radius_das_time_window=300 +radius_das_require_event_timestamp=1 +radius_das_require_message_authenticator=1 +``` + +Rstart the `hostapd` service so that the configuration persists between reboots: + +``` +cumulus@switch:~$ sudo systemctl restart hostapd +``` ### Pre-auth ACLs -A *pre-auth ACL* is a static ACL that is applied to **all** 802.1X dynamic ACL-enabled ports by default. It provides some basic services that are available before 802.1X authorization occurs. The default pre-auth ACL in Cumulus Linux allows for DHCP and DNS to operate without authorizing the supplicant. +A *pre-auth ACL* is a static ACL that the switch applies to **all** 802.1X dynamic ACL-enabled ports by default. It provides some basic services that are available before 802.1X authorization occurs. The default pre-auth ACL in Cumulus Linux allows for DHCP and DNS to operate without authorizing the supplicant. -The default pre-auth ACL file is `/etc/cumulus/acl/policy.d/dot1x_preauth_dacl/default_preauth_dacl.rules`, which you can modify, or you can create your own. 
The default pre-auth ACL permits DHCP (using source port 68 and destination port 67) and DNS (using destination port 53) before 802.1X authorization. You configure pre-auth ACLs only with `ebtables` syntax. +The default the pre-auth ACL file is `/etc/cumulus/acl/policy.d/dot1x_preauth_dacl/default_preauth_dacl.rules`. You can modify this file or create your own. The default pre-auth ACL permits DHCP (using source port 68 and destination port 67) and DNS (using destination port 53) before 802.1X authorization. You configure pre-auth ACLs only with `ebtables` syntax. ``` cumulus@switch:~$ cat /etc/cumulus/acl/policy.d/dot1x_preauth_dacl/default_preauth_dacl.rules @@ -714,13 +669,13 @@ cumulus@switch:~$ cat /etc/cumulus/acl/policy.d/dot1x_preauth_dacl/default_preau -A INPUT -p IPV4 --ip-protocol UDP --ip-dport 67 --ip-sport 68 -j ACCEPT ``` -The pre-auth ACL is always applied to dynamic ACL-enabled 802.1X ports, even after authentication has already completed for any clients on a given switch port. +The pre-auth ACL always applies to dynamic ACL-enabled 802.1X ports, even after authentication completes for any clients on a given switch port. {{%notice warning%}} -If you don't use the default pre-auth ACL and don't create your own, all traffic gets denied. +If you do not use the default pre-auth ACL or you do not create your own, the switch denies all traffic. {{%/notice%}} -Create your own pre-auth ACL file in the `/etc/cumulus/acl/policy.d/dot1x_preauth_dacl/` directory. For example, the following file allows for DHCP, DNS and PXE to operate before authorizing the supplicant: +Create your own pre-auth ACL file in the `/etc/cumulus/acl/policy.d/dot1x_preauth_dacl/` directory. For example, the following file allows for DHCP, DNS, and PXE to operate before authorizing the supplicant: ``` cumulus@switch:~$ sudo nano /etc/cumulus/acl/policy.d/dot1x_preauth_dacl/my_preauth_dacl.rules 
@@ -734,12 +689,11 @@ cumulus@switch:~$ sudo nano /etc/cumulus/acl/policy.d/dot1x_preauth_dacl/my_prea Cumulus Linux supports Multi Domain Authentication (MDA), where 802.1X is extended to allow authorization of multiple devices (a data and a voice device) on a single port and assign different VLANs to the devices based on authorization. -MDA is enabled by default; however, you need to assign a tagged VLAN for voice devices (see {{}}). - - - The 802.1X-enabled port must be a trunk port to allow tagged voice traffic from a phone; you cannot enable 802.1X on an access port. - - Only one untagged VLAN and one tagged VLAN is supported on the 802.1X enabled ports. - - Multiple MAB (non voice) devices on a port are supported for VLAN-aware bridges only. Authorization of multiple MAB devices for different VLANs is not supported. - - Cumulus Linux does not support 802.1X with MLAG; the switch cannot synchronize 802.1X authenticated MAC addresses over the peerlink. +MDA is enabled by default; however, you need to assign a tagged VLAN for voice devices. +- The 802.1X-enabled port must be a trunk port to allow tagged voice traffic from a phone; you cannot enable 802.1X on an access port. +- The 802.1X enabled ports support only one untagged VLAN and one tagged VLAN. +- Only VLAN-aware bridges support multiple MAB (non voice) devices on a port. Cumulus Linux does not support authorization of multiple MAB devices for different VLANs. +- Cumulus Linux does not support 802.1X with MLAG; the switch cannot synchronize 802.1X authenticated MAC addresses over the peerlink. To show which interfaces are enabled for 802.1X, run the `nv show interface dot1x` command. The `Interfaces` line shows all 802.1X-enabled interfaces while the `Dynamic ACL Interfaces` line shows only 802.1X interfaces enabled for DACLs: 
@@ -763,7 +717,7 @@ Dynamic VLAN Status Disabled To see which interfaces have attempted authorization for DACLs, run `nv show interface dot1x-summary`: ``` -cumulus@switch:~$ nv show interface –view=dot1x-summary +cumulus@switch:~$ nv show interface dot1x-summary Interface MAC Address Username State Authentication Type MAB VLAN DACL Active --------- ----------------- -------- ---------- ------------------- --- ---- ----------- @@ -864,24 +818,7 @@ ieee8021x=1 driver=wired dynamic_vlan=1 max_num_sta=10 -interfaces=swp1,swp2,swp3,swp4 -mab_interfaces= -parking_vlan_interfaces=swp1 -parking_vlan_id=777 -mab_activation_delay=30 -eap_reauth_period=0 -ctrl_interface=/var/run/hostapd -nas_identifier=localhost -auth_server_addr=127.0.0.1 -auth_server_port=1812 -auth_server_shared_secret=mysecret -acct_server_addr= -acct_server_port=1813 -acct_server_shared_secret= -radius_das_port= -radius_das_time_window=300 -radius_das_require_event_timestamp=1 -radius_das_require_message_authenticator=1 +... ``` Restart the `hostapd` service : @@ -893,23 +830,37 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} - ## RADIUS Change of Authorization and Disconnect Requests @@ -960,16 +911,7 @@ Restart the `hostapd` service: cumulus@switch:~$ sudo systemctl restart hostapd ``` -To disable DAS, edit the `/etc/hostapd.conf` file to remove the following options: - -- `radius_das_port` -- `radius_das_client` - -Restart the `hostapd` service: - -``` -cumulus@switch:~$ sudo systemctl restart hostapd -``` +To disable DAS, edit the `/etc/hostapd.conf` file to remove the `radius_das_port` and `radius_das_client` options, then restart the `hostapd` service with the `sudo systemctl restart hostapd` command. ### Terminate a User Session 
@@ -1069,26 +1011,21 @@ Cisco-AVPair: subscriber:command=bounce-host-port You can send the NAS IPv4 or IPv6 address in access request and accounting packets. You can only configure one NAS IP address on the switch, which is used for all interface authorizations. -To configure the NAS IP address, edit the `/etc/hostapd.conf` file and configure the `own_ip_addr` setting with the NAS IP address: +To configure the NAS IP address, edit the `/etc/hostapd.conf` file and configure the `nas_identifier` setting with the NAS IP address: ``` cumulus@switch:~$ sudo nano /etc/hostapd.conf ... -interfaces=swp1,swp2,swp3,swp4 -mab_interfaces= -parking_vlan_interfaces= -parking_vlan_id= -mab_activation_delay=30 -eap_reauth_period=0 -eap_send_identity=0 -ctrl_interface=/var/run/hostapd -own_ip_addr=10.0.0.1 +nas_identifier=localhost +radius_das_port= +radius_das_time_window=300 +radius_das_require_event_timestamp=1 +radius_das_require_message_authenticator=1 ``` -Enable, then restart the `hostapd` service so that the configuration persists between reboots: +Rstart the `hostapd` service so that the configuration persists between reboots: ``` -cumulus@switch:~$ sudo systemctl enable hostapd cumulus@switch:~$ sudo systemctl restart hostapd ``` @@ -1163,11 +1100,10 @@ swp1 Mac Addresses 00:02:00:00:00:01 last_eap_type_sta 4 (MD5) ``` -To check RADIUS counters: +To check RADIUS counters, run the `nv show interface swp1 dot1x counters` command: ``` -cumulus@switch:~$ net show dot1x radius-details swp1 - +cumulus@switch:~$ nv show interface swp1 dot1x counters Interface Attribute Value ----------- ---------------------------------------- --------- swp1 radiusAccClientRequests 1 
@@ -1202,7 +1138,7 @@ Apr 19 22:17:12 switch hostapd[12462]: done. ``` You can perform more advanced troubleshooting with the following commands. - + To increase the debug level in `hostapd`, copy over the `hostapd` service file, then add *-d*, *-dd* or *-ddd* to the `ExecStart` line in the `hostapd.service` file: ``` @@ -1212,7 +1148,7 @@ cumulus@switch:~$ sudo nano /etc/systemd/system/hostapd.service ExecStart=/usr/sbin/hostapd -ddd -c /etc/hostapd.conf ... ``` - + To watch debugs with `journalctl` as supplicants attempt to connect: ``` @@ -1233,3 +1169,9 @@ To check `tc` rules in `/var/lib/hostapd/acl/tc_swpX.rules` with: cumulus@switch:~$ sudo tc -s filter show dev swp1 parent 1: cumulus@switch:~$ sudo tc -s filter show dev swp1 parent ffff: ``` + +## Related Information + +- {{}} +- {{}} +- {{}} diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 873a73279c..8f1d81aa9e 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -36,13 +36,11 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} with more granularity - Commands to {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. - - The `nv show interface` command output includes the admin state - PIM show commands for PIM RP, JOIN, PIM MLAG summary, and MLAG upstream information - Show commands to see the {{}} and {{}} - Set and show commands to configure and show the IP neighbor table - Enhanced {{}} command output now in table format - Improvements to {{}} - - Provide interface summary view with filtering {{< expand "New NVUE Commands" >}} From eaac6ecbf5bf12ce61163373e002882e4b6ad37e Mon Sep 17 00:00:00 2001 
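Review bot: in the patch that ends just above, the dynamic VLAN `/etc/hostapd.conf` example that follows the `@@ -94,7 +95,7 @@` header sets `radius_das_port=swp1`, an interface name in an option named as a port; the line it replaces was `radius_das_port=` with no value. Keep it empty as before or show a port number, and say in the bullet list what each `radius_das_*` option should be set to, because the list now names the four options without any value. The `dynamic_vlan` bullet also ends with an unmatched `)` after "if you have configured parking VLAN".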
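Review bot: in the patch that ends just above, the rewritten NAS-Filter-Rule paragraph in the `@@ -543,39 +493,41 @@` hunk says the switch converts the rules to `ebtable` rules, while the removed line and the rest of the page use `ebtables`; restore the trailing `s`. In the same hunk the `src` and `dst` table row now reads "Source and destination IP address, subnet mask, and optional ports" where the removed row had "IP address/subnet mask", so the address and mask now read as separate fields; keep the address/mask pairing.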
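Review bot: in the patch that ends just above, the restart step at the end of the "Configure the RADIUS Client" part of the `@@ -656,56 +608,59 @@` hunk drops `sudo systemctl enable hostapd` but keeps the rationale "so that the configuration persists between reboots". A restart does not enable the unit at boot, so either keep the `enable` command or reword the sentence to match what the remaining command does. "Rstart" is a typo for "Restart", and the pre-auth ACL paragraph in the same hunk has a doubled article in "The default the pre-auth ACL file is".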
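Review bot: in the patch that ends just above, the warning in the `@@ -714,13 +669,13 @@` hunk changes "and" to "or" ("If you do not use the default pre-auth ACL or you do not create your own, the switch denies all traffic"). With "or", the sentence says traffic is denied whenever either condition holds, which includes the case where a custom pre-auth ACL is in place and the default is simply unused. The removed line stated the conjunction; keep it, for example "If you neither use the default pre-auth ACL nor create your own, the switch denies all traffic."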
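Review bot: in the patch that ends just above, the NAS IP address instructions in the `@@ -1069,26 +1011,21 @@` hunk now name `nas_identifier` as the setting that takes the NAS IP address, but the example under it shows `nas_identifier=localhost` and no address at all, while the removed example had `own_ip_addr=10.0.0.1`. Confirm which option carries the address and make the example show it with an address value. The restart sentence repeats the "Rstart" typo and still says "persists between reboots" after the `sudo systemctl enable hostapd` line was removed.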
From: cumulusAnia Date: Wed, 15 Nov 2023 15:17:27 -0800 Subject: [PATCH 029/204] updates to dor1x --- .../802.1X-Interfaces.md | 359 +++++++----------- 1 file changed, 130 insertions(+), 229 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index efc804b38e..a696144998 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md @@ -8,11 +8,9 @@ The {{[EAPOL](## "Extensible Authentication Protocol (EAP) over LAN") operates on top of the data link layer; the switch uses EAPOL to communicate with supplicants connected to the switch ports. -Cumulus Linux implements 802.1X through the Debian `hostapd` package, with modifications to provide the [PAE](## "Port Access Entity"). - {{< img src = "/images/cumulus-linux/802.1X.png" >}} -Cumulus Linux supports parking VLAN, dynamic VLAN, and [MAB](## "MAC-based authentication bypass") on 802.1X interfaces. +Cumulus Linux implements 802.1X through the Debian `hostapd` package, with modifications to provide the [PAE](## "Port Access Entity") and supports parking VLANs, dynamic VLANs, and [MAB](## "MAC-based authentication bypass") on 802.1X interfaces. {{%notice note%}} - Cumulus Linux supports 802.1X on routed interfaces and physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. 
@@ -49,15 +47,15 @@ After you install and configure FreeRADIUS, the FreeRADIUS server can serve Cumu All the 802.1X interfaces share the same RADIUS server settings. Make sure you configure the RADIUS server before you configure the 802.1X interfaces. See {{}} above. -You must configure 802.1X on a bridged port. To configure a bridge, refer to {{}}. NVUE does not support traditional bridge mode. +You must configure 802.1X on a bridged port. To configure a bridge, refer to {{}}. To configure an 802.1X interface: - **Required**: Provide the 802.1X RADIUS server IPv4 or IPv6 address. You can also specify a VRF for outgoing RADIUS accounting and authorization packets. A VRF is optional. - **Required**: Provide the 802.1X RADIUS shared secret. -- Optional: Change the default 802.1X RADIUS accounting port. The default port is 1813. -- Optional: Change the default 802.1X RADIUS authentication port. The default port is 1812. -- Optional: Provide the reauthentication period for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. - **Required**: Enable 802.1X on an interface. +- Optional: Change the default 802.1X RADIUS accounting port. You can specify a port value between 1000 and 65535. The default port is 1813. +- Optional: Change the default 802.1X RADIUS authentication port. You can specify a port value between 1000 and 65535. The default port is 1812. +- Optional: Provide the reauthentication period for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. {{%notice note%}} Changing the 802.1X interface settings does *not* reset existing authorized user ports. However, removing all 802.1X interfaces or changing the RADIUS server IP address, shared secret, authentication port, accounting port, or EAP reauthentication period restarts `hostapd`, which forces existing, authorized users to re-authenticate. 
@@ -83,7 +81,7 @@ The following example: - Sets the 802.1X RADIUS shared secret to mysecret. - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. -- Sets the EAP reauthentication period to 60. +- Sets the EAP reauthentication period to 40. - Enables 802.1X on swp1, swp2, and swp3. ``` @@ -91,7 +89,7 @@ cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 vrf BLUE cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 shared-secret mysecret cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 authentication-port 2812 cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 accounting-port 2813 -cumulus@switch:~$ nv set system dot1x reauthentication-interval 60 +cumulus@switch:~$ nv set system dot1x reauthentication-interval 40 cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled cumulus@switch:~$ nv config apply ``` @@ -134,7 +132,7 @@ The following example: - Sets the 802.1X RADIUS shared secret to mysecret. - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. -- Sets the EAP re-authentication period to 60. +- Sets the EAP re-authentication period to 40. - Enables 802.1X on swp1 through swp3. ``` @@ -142,7 +140,7 @@ cumulus@switch:~$ sudo nano /etc/hostapd.conf ... interfaces=swp1,swp2,swp3 ... -eap_reauth_period=60 +eap_reauth_period=40 ... auth_server_addr=127.0.0.1%BLUE auth_server_port=1812 @@ -162,75 +160,8 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} - -## Configure MAC Authentication Bypass +## MAC Authentication Bypass MAC Authentication Bypass (MAB) enables bridge ports to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support [PAE](## "Port Access Entity"), such as printers or phones. 
@@ -273,7 +204,7 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} -## Configure a Parking VLAN +## Parking VLAN If a non-authorized supplicant tries to communicate with the switch, you can route traffic from that device to a different VLAN and associate that VLAN with one of the switch ports to which the supplicant is attached. Cumulus Linux assigns the parking VLAN by manipulating the PVID of the switch port. @@ -344,7 +275,7 @@ If the authentication for swp1 fails, the port is moved to the parking VLAN. {{< /tab >}} {{< /tabs >}} -## Configure Dynamic VLAN Assignments +## Dynamic VLAN Assignments A common requirement for campus networks is to assign dynamic VLANs to specific users in combination with IEEE 802.1x. After authenticating a supplicant, the user is assigned a VLAN based on the RADIUS configuration. Cumulus Linux assigns the dynamic VLAN by manipulating the PVID of the switch port. 
@@ -353,19 +284,19 @@ To enable dynamic VLAN assignment globally, where VLAN attributes from the RADIU {{< tabs "TabID595 ">}} {{< tab "NVUE Commands ">}} +Run the `nv set system dot1x dynamic-vlan optional` or `nv set system dot1x dynamic-vlan required` command. If you run the `nv set system dot1x dynamic-vlan required` command, when VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN (if you configure parking VLAN). + ``` cumulus@switch:~$ nv set system dot1x dynamic-vlan optional cumulus@switch:~$ nv config apply ``` -You can specify the `require` option in the command so that VLAN attributes are required. If VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN (if you have configured parking VLAN). - ``` cumulus@switch:~$ nv set system dot1x dynamic-vlan required cumulus@switch:~$ nv config apply ``` -The following example shows a typical RADIUS configuration (shown for FreeRADIUS, not typically configured or run on the Cumulus Linux device) for a user with dynamic VLAN assignment: +The following example shows a typical RADIUS configuration (shown for FreeRADIUS,) for a user with dynamic VLAN assignment: ``` # # VLAN 100 Client Configuration for Freeradius RADIUS Server. 
@@ -407,31 +338,25 @@ swp1 00:02:00:00:00:08 Status Flags [DYNAMIC_VLAN][AUTHO {{< /tab >}} {{< tab "Linux Commands ">}} -Edit the `/etc/hostapd.conf` file to set the following options: -- `dynamic_vlan` Specify 1 for VLAN attributes to be optional. Specify 2 to require VLAN attributes; if VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN, if you have configured parking VLAN). -- `radius_das_port` -- `radius_das_time_window` -- `radius_das_require_event_timestamp` -- `radius_das_require_message_authenticator` +1. Edit the `/etc/hostapd.conf` file to set the `dynamic_vlan` option. + + - Specify 1 for VLAN attributes to be optional. + - Specify 2 to require VLAN attributes; if VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN, if you have configured parking VLAN. -Remove the `eap_send_identity=0` option. For example: + ``` + cumulus@switch:~$ sudo nano /etc/hostapd.conf + ... + dynamic_vlan=1 + ... + ``` -``` -cumulus@switch:~$ sudo nano /etc/hostapd.conf -... -dynamic_vlan=1 -... -radius_das_port=swp1 -radius_das_time_window=300 -radius_das_require_event_timestamp=1 -radius_das_require_message_authenticator=1 -``` +2. Remove the `eap_send_identity=0` option. -Restart the `hostapd` service: + Restart the `hostapd` service: -``` -cumulus@switch:~$ sudo systemctl restart hostapd -``` + ``` + cumulus@switch:~$ sudo systemctl restart hostapd + ``` The following example shows a typical RADIUS configuration (shown for FreeRADIUS, not typically configured or run on the Cumulus Linux device) for a user with dynamic VLAN assignment: 
@@ -461,14 +386,45 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -Edit the `/etc/hostapd.conf` file to add the `eap_send_identity=0` option and to remove the following options: -- `dynamic_vlan=1` -- `radius_das_port=` -- `radius_das_time_window=300` -- `radius_das_require_event_timestamp=1` -- `radius_das_require_message_authenticator=1` +Edit the `/etc/hostapd.conf` file to set the `eap_send_identity` option to 0, then restart the `hostapd` service with the `sudo systemctl restart hostapd` command. + +{{< /tab >}} +{{< /tabs >}} + +{{%notice note%}} +Enabling or disabling dynamic VLAN assignment restarts `hostapd`, which forces existing, authorized users to re-authenticate. +{{%/notice%}} -Restart the `hostapd` service. +## MAC Addresses per Port + +You can specify the maximum number of authenticated MAC addresses allowed on a port. You can specify any number between 0 and 255. The default value is 6. + +The following example sets the maximum number of authenticated MAC addresses to 10. + +{{< tabs "TabID1166 ">}} +{{< tab "NVUE Commands ">}} + +``` +cumulus@switch:~$ nv set system dot1x max-stations 10 +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< tab "Linux Commands ">}} + +Edit the `/etc/hostapd.conf` file to add the `max_num_sta=` option. For example: + +``` +cumulus@switch:~$ sudo nano /etc/hostapd.conf +eap_server=0 +ieee8021x=1 +driver=wired +dynamic_vlan=1 +max_num_sta=10 +... +``` + +Restart the `hostapd` service : ``` cumulus@switch:~$ sudo systemctl restart hostapd 
@@ -477,10 +433,6 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} -{{%notice note%}} -Enabling or disabling dynamic VLAN assignment restarts `hostapd`, which forces existing, authorized users to re-authenticate. -{{%/notice%}} - ## Dynamic ACLs In high-security campus environments where 802.1X interfaces are in use, you can implement network access control at the user (supplicant) level using *dynamic access control lists*, or DACLs. A _pre-auth ACL_ permits some traffic to traverse the network before 802.1X authorization takes place, then a dynamic ACL can be applied for that supplicant that is specific to an interface and the MAC address that was authorized (sometimes called a *station*). 
@@ -792,45 +744,7 @@ swp2 EBTABLES ACLs -i swp2 -j DROP , pcnt = 0 -- bcnt = 0 ``` -## Configure MAC Addresses per Port - -You can specify the maximum number of authenticated MAC addresses allowed on a port. You can specify any number between 0 and 255. The default value is 6. - -The following example sets the maximum number of authenticated MAC addresses to 10. - -{{< tabs "TabID1166 ">}} -{{< tab "NVUE Commands ">}} - -``` -cumulus@switch:~$ nv set system dot1x max-stations 10 -cumulus@switch:~$ nv config apply -``` - -{{< /tab >}} -{{< tab "Linux Commands ">}} - -Edit the `/etc/hostapd.conf` file to add the `max_num_sta=` option. For example: - -``` -cumulus@switch:~$ sudo nano /etc/hostapd.conf -eap_server=0 -ieee8021x=1 -driver=wired -dynamic_vlan=1 -max_num_sta=10 -... -``` - -Restart the `hostapd` service : - -``` -cumulus@switch:~$ sudo systemctl restart hostapd -``` - -{{< /tab >}} -{{< /tabs >}} - -## Configure EAP Requests from the Switch +## EAP Requests Cumulus Linux provides the `eap_send_identity` option, which you can use to trigger EAP packets to be sent from the host side of a connection. For example, this option is required in a configuration where a PC connected to a phone attempts to send EAP packets to the switch via the phone but the PC does not receive a response from the switch (the phone might not be ready to forward packets to the switch after a reboot). Because the switch does not receive EAP packets, it attempts to authorize the PC with MAB instead of waiting for the packets. In this case, the PC might be placed into a parking VLAN to isolate it. To remove the PC from the parking VLAN, the switch needs to send an EAP request to the PC to trigger EAP. 
@@ -868,6 +782,10 @@ Extensions to the RADIUS protocol (RFC 5176) enable the Cumulus Linux switch to {{< img src = "/images/cumulus-linux/802.1X-das.png" >}} +{{%notice note%}} +NVUE does not provide commands to configure this feature. +{{%/notice%}} + ### Configure DAS Edit the `/etc/hostapd.conf` file to add the following options to configure the UDP port (3799 is the default port), the IP address and secret key for the DAS client: @@ -1007,7 +925,7 @@ Length: 37 Cisco-AVPair: subscriber:command=bounce-host-port ``` -## Configure the NAS IP Address +## NAS IP Address in Access Request and Accounting Packets You can send the NAS IPv4 or IPv6 address in access request and accounting packets. You can only configure one NAS IP address on the switch, which is used for all interface authorizations. @@ -1016,11 +934,8 @@ To configure the NAS IP address, edit the `/etc/hostapd.conf` file and configure ``` cumulus@switch:~$ sudo nano /etc/hostapd.conf ... -nas_identifier=localhost -radius_das_port= -radius_das_time_window=300 -radius_das_require_event_timestamp=1 -radius_das_require_message_authenticator=1 +nas_identifier=10.10.10.1 +... ``` Rstart the `hostapd` service so that the configuration persists between reboots: 
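Review bot: The context line right after the changed example in the last hunk still reads "Rstart the `hostapd` service so that the configuration persists between reboots"; fix the typo as part of this change. The stated reason also looks off, since the edit to `/etc/hostapd.conf` is what persists and the restart is what applies it. The example now assigns an IP address to `nas_identifier`; check that the sentence introducing the block names the same option.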
@@ -1044,80 +959,66 @@ PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. rtt min/avg/max/mdev = 0.552/0.578/0 ``` -You can run `net show dot1x` with the following options for more data: - -- `json` prints the command output in JSON format. -- `macs` displays MAC address information. -- `port-details` shows counters from the IEEE8021-PAE-MIB for ports. -- `radius-details` shows counters from the RADIUS-CLIENT MIB (RFC 2618) for ports. -- `status` displays the status of the daemon. - -To check to see which MAC addresses have been authorized by RADIUS: - -``` -cumulus@switch:~$ net show dot1x macs -Interface Attribute Value ------------ ------------- ----------------- -swp1 MAC Addresses 00:02:00:00:00:01 -swp2 No Data -swp3 No Data -swp4 No Data -``` - -To check the port detail counters: - -``` -cumulus@switch:~$ net show dot1x port-details - -Interface Attribute Value ------------ ---------------------------------------- --------- -swp1 Mac Addresses 00:02:00:00:00:01 - authMultiSessionId 96703ADC82D77DF2 - connected_time 182 - dot1xAuthEapolFramesRx 3 - dot1xAuthEapolFramesTx 3 - dot1xAuthEapolLogoffFramesRx 0 - dot1xAuthEapolReqFramesTx 2 - dot1xAuthEapolReqIdFramesTx 1 - dot1xAuthEapolRespFramesRx 2 - dot1xAuthEapolRespIdFramesRx 1 - dot1xAuthEapolStartFramesRx 1 - dot1xAuthInvalidEapolFramesRx 0 - dot1xAuthLastEapolFrameSource 00:02:00:00:00:01 - dot1xAuthLastEapolFrameVersion 2 - dot1xAuthPaeState 5 - dot1xAuthQuietPeriod 60 - dot1xAuthReAuthEnabled FALSE - dot1xAuthReAuthPeriod 0 - dot1xAuthServerTimeout 30 - dot1xAuthSessionAuthenticMethod 1 - dot1xAuthSessionId 1B50FE8939FD9F5E - dot1xAuthSessionTerminateCause 999 - dot1xAuthSessionTime 182 - dot1xAuthSessionUserName testing - dot1xPaePortProtocolVersion 2 - last_eap_type_as 4 (MD5) - last_eap_type_sta 4 (MD5) +To show the list of RADIUS servers, run the `nv show system dot1x radius` command: + +``` +cumulus@switch:~$ nv show system dot1x radius + operational applied +-------- ----------- --------- +[server] 
127.0.0.1 +``` + +To show configuration information for a RADIUS server, run the `nv show system dot1x radius server ` command: + +``` +cumulus@switch:~$ nv show system dot1x radius server 127.0.0.1 + operational applied +------------------- ----------- -------- +priority 1 +vrf BLUE +accounting-port 2813 +authentication-port 2812 +shared-secret mysecret +``` + +To check which MAC addresses RADIUS has authorized: + +``` +cumulus@switch:~$ nv show interface dot1x-summary +Interface MAC Address Username State Authentication Type MAB VLAN DACL Active +--------- ----------------- ------------ ---------- ------------------- --- ---- ----------- +swp4 00:00:00:00:99:44 000000009944 AUTHORIZED unknown YES NO + 00:00:00:00:99:55 000000009955 AUTHORIZED unknown YES NO + 00:00:00:00:99:66 000000009966 AUTHORIZED unknown YES NO + 00:00:00:00:99:77 000000009977 AUTHORIZED unknown YES NO + 00:00:00:00:99:88 000000009988 AUTHORIZED unknown YES NO + 00:00:00:00:99:99 000000009999 AUTHORIZED unknown YES NO + 00:02:00:00:00:09 000200000009 AUTHORIZED unknown YES NO +swp53s0 00:02:00:00:00:0a 00020000000a AUTHORIZED unknown YES NO ``` To check RADIUS counters, run the `nv show interface swp1 dot1x counters` command: ``` cumulus@switch:~$ nv show interface swp1 dot1x counters -Interface Attribute Value ------------ ---------------------------------------- --------- -swp1 radiusAccClientRequests 1 - radiusAccClientResponses 1 - radiusAccClientServerPortNumber 1813 - radiusAccServerAddress 127.0.0.1 - radiusAuthClientAccessAccepts 1 - radiusAuthClientAccessChallenges 1 - radiusAuthClientAccessRejects 0 - radiusAuthClientAccessRequests 0 - radiusAuthClientServerPortNumber 1812 - radiusAuthServerAddress 127.0.0.1 - radiusAuthServerIndex 1 - +Interface Eapol Tx Eapol Rx Summary +--------- -------- ---------- ---------- +swp1 20 20 eapol-len-err-frames-tx : 0 + eapol-req-frames-tx : 5 + eapol-resp-frames-rx : 5 + eapol-start-frames-tx : 5 + eapol-req-id-frames-tx : 5 + 
eapol-resp-id-frames-rx : 5 + eapol-invalid-frames-rx : 0 + eapol-logoff-frames-rx : 0 +swp2 10 10 eapol-len-err-frames-tx : 0 + eapol-req-frames-tx : 3 + eapol-resp-frames-rx : 3 + eapol-start-frames-tx : 3 + eapol-req-id-frames-tx : 3 + eapol-resp-id-frames-rx : 3 + eapol-invalid-frames-rx : 0 + eapol-logoff-frames-rx : 0 ... ``` From 4be307945ad877227147beafc09bce45ae183ad0 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 15 Nov 2023 15:43:29 -0800 Subject: [PATCH 030/204] port security updates --- .../Layer-1-and-Switch-Ports/Port-Security.md | 52 ++++++++++++++++--- .../Layer-2/MAC-Address-Translation.md | 11 ++++ 2 files changed, 56 insertions(+), 7 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md index b2c52696b9..3914e5db89 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md @@ -25,7 +25,7 @@ To configure port security: To enable security on a port, run the `nv set interface port-security enabled` command: ``` -cumulus@switch:~$ nv set interface swp1 port-security enabled +cumulus@switch:~$ nv set interface swp1 port-security enable cumulus@switch:~$ nv config apply ``` 
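Review bot: The command in this Port-Security hunk changes to `port-security enable`, but the unchanged sentence directly above it still tells the reader to run `nv set interface port-security enabled`. Update the sentence so the prose and the example agree.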
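Review bot: In the 802.1X troubleshooting hunk that closes the previous patch (`@@ -1044,80 +959,66 @@`), the new `nv show system dot1x radius server 127.0.0.1` example prints `shared-secret mysecret` in clear text. If the command really echoes the secret, add a note saying so, so that readers keep this output out of tickets and shared logs; if it masks the value, show the masked form in the example. In the same hunk the unchanged lead-in still says "To check RADIUS counters", but the replacement output lists only EAPOL frame counters (`eapol-req-frames-tx`, `eapol-resp-frames-rx` and so on) for swp1 and swp2; change the sentence or the output so they match.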
@@ -61,14 +61,14 @@ cumulus@switch:~$ nv config apply To enable sticky MAC aging, run the `nv set interface port-security sticky-aging enabled` command. ``` -cumulus@switch:~$ nv set interface swp1 port-security sticky-aging enable +cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enable cumulus@switch:~$ nv config apply ``` -To configure the violation mode: `shutdown` to put a port into ADMIN down state or `restrict` to drop packets, run the run the `nv set interface port-security violation-mode shutdown` command. +To configure the violation mode: `protodown` to put a port into ADMIN down state or `restrict` to drop packets, run the run the `nv set interface port-security violation-mode shutdown` command. ``` -cumulus@switch:~$ nv set interface swp1 port-security violation-mode shutdown +cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown cumulus@switch:~$ nv config apply ``` 
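Review bot: Both sentences in this hunk disagree with the commands under them. The sticky aging sentence still names `sticky-aging enabled` while the command is now `sticky-ageing enable`, and the violation-mode sentence lists `protodown` and `restrict` but then tells the reader to run `... violation-mode shutdown`, the value this change replaces. The same added line also carries a doubled "run the run the". Align the prose with `sticky-ageing enable` and `violation-mode protodown`, and confirm that "ADMIN down state" is still the right description for `protodown`.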
@@ -99,16 +99,54 @@ The following shows an example `/etc/cumulus/switchd.d/port_security.conf` confi ``` cumulus@switch:~$ sudo nano /etc/cumulus/switchd.d/port_security.conf +... +## Interface Port security interface.swp1.port_security.enable = 1 -interface.swp1.port_security.mac_limit = 32 -interface.swp1.port_security.static_mac = 00:02:00:00:00:05 00:02:00:00:00:06 +interface.swp1.port_security.mac_limit = 100 interface.swp1.port_security.sticky_mac = 1 interface.swp1.port_security.sticky_timeout = 2000 interface.swp1.port_security.sticky_aging = 1 interface.swp1.port_security.violation_mode = 0 interface.swp1.port_security.violation_timeout = 3600 -... +interface.swp1.port_security.static_mac = 00:02:00:00:00:05 00:02:00:00:00:06 ``` {{< /tab >}} {{< /tabs >}} + +## Troubleshooting + +To show port security configuration, run the `nv show interface port-security` command: + +``` +cumulus@switch:~$ nv show interface swp1 port-security + operational applied +----------------- ----------- --------- +enable off on +mac-limit 100 +sticky-mac enabled +sticky-timeout 2000 +sticky-ageing enabled +violation-mode protodown +violation-timeout 3600 + +Static MAC +============= +No Data + +mac-addresses +================ +No Data +``` + +To show the port security static MAC addresses, run the `nv show interface port-security static-mac` command: + +``` +cumulus@switch:~$ nv show interface swp1 port-security static-mac +``` + +To show the port security MAC addresses, run the `nv show interface port-security mac-addresses` command: + +``` +cumulus@switch:~$ nv show interface swp1 port-security mac-addresses +``` diff --git a/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md b/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md index a019ff91c6..af3e3f5a2e 100644 --- a/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md +++ b/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md 
@@ -85,10 +85,21 @@ To show the current MAC address translation configuration: ``` cumulus@switch:~$ nv show acl + type Summary +----- ---- ------- +MACL1 mac rule: 1 +MACL2 mac rule: 1 ``` To show information about a specific MAC address translation rule, run the `nv show acl `: command ``` cumulus@switch:~$ nv show acl MACL1 + operational applied +---- ----------- ------- +type mac + +rule +======= +No Data ``` From 759833d5c949e1a41c45e2b9f31b59140fc02f63 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 15 Nov 2023 16:51:04 -0800 Subject: [PATCH 031/204] updates --- .../_index.md | 16 +++++++++++----- .../Layer-1-and-Switch-Ports/Port-Security.md | 5 +++-- .../User-Accounts.md | 12 ++++++------ 3 files changed, 20 insertions(+), 13 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md index 8f9e479960..6a72c70f66 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md 
@@ -696,7 +696,7 @@ cumulus@switch:~$ ip link show swp2 You can change the following link flap protection settings: - The duration in seconds during which a link must flap the number of times set in the link flap threshold before link flap protection triggers. You can specify a value between 0 (off) and 60. The default setting is 10. -- The number of times the link must flap within the link flap window before link flap protection triggers. You can specify a value between 0 (off) and 30. The default setting is 5. +- The number of times the link can flap within the link flap window before link flap protection triggers. You can specify a value between 0 (off) and 30. The default setting is 5. The following example configures the link flap duration to 30 and the number of times the link must flap to 8. @@ -704,7 +704,7 @@ The following example configures the link flap duration to 30 and the number of {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set system link flap-protection time-interval 30 +cumulus@switch:~$ nv set system link flap-protection interval 30 cumulus@switch:~$ nv set system link flap-protection threshold 8 cumulus@switch:~$ nv config apply ``` @@ -759,14 +759,20 @@ link_flap_threshold = 0 To show the link flap protection time interval and threshold settings: ``` -cumulus@switch:~$ nv show system link flap-protection time-interval -cumulus@switch:~$ nv show system link flap-protection threshold +cumulus@switch:~$ nv show system link flap-protection + applied +--------- ------- +threshold 8 +interval 30 ``` -To show the link flap protection configuration for an interface, run the `nv show interface link flap-protection` command: +To show if link flap protection is enabled on an interface, run the `nv show interface link flap-protection` command: ``` cumulus@switch:~$ nv show interface swp1 link flap-protection + applied +------ ------- +enable off ``` ## Mako Templates 
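Review bot: In the first hunk of this file (`@@ -696,7 +696,7 @@`) the threshold bullet changes "must flap" to "can flap", but the duration bullet above it and the example sentence below it ("the number of times the link must flap to 8") keep "must"; use one wording for all three. In the last hunk, the per-interface example shows `enable off` with no comment; say whether that is the default and how it relates to the system-wide `threshold` and `interval` values shown just above.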
diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md index 3914e5db89..f3ea8a5c73 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md @@ -65,7 +65,7 @@ cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enable cumulus@switch:~$ nv config apply ``` -To configure the violation mode: `protodown` to put a port into ADMIN down state or `restrict` to drop packets, run the run the `nv set interface port-security violation-mode shutdown` command. +To configure the violation mode: `protodown` to put a port into ADMIN down state or `restrict` to drop packets, run the `nv set interface port-security violation-mode shutdown` command. ``` cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown @@ -132,7 +132,8 @@ violation-timeout 3600 Static MAC ============= -No Data +00:02:00:00:00:05 +00:02:00:00:00:06 mac-addresses ================ diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index 8ad95d0b90..0565043516 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md 
@@ -124,13 +124,13 @@ cumulus@switch:~$ nv set system aaa user user1 role switch-admin cumulus@switch:~$ nv set system aaa user user1 password cumulus@switch:~$ nv set system aaa role switch-admin class nvapply cumulus@switch:~$ nv set system aaa class nvapply action allow -cumulus@switch:~$ nv set system aaa class nvapply command-path * permission all +cumulus@switch:~$ nv set system aaa class nvapply command-path /system permission all cumulus@switch:~$ nv set system aaa role switch-admin class nvshow cumulus@switch:~$ nv set system aaa class nvshow action allow -cumulus@switch:~$ nv set system aaa class nvshow command-path * permission all +cumulus@switch:~$ nv set system aaa class nvshow command-path /system permission all cumulus@switch:~$ nv set system aaa role switch-admin class restrict cumulus@switch:~$ nv set system aaa class restrict action deny -cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/* +cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/ cumulus@switch:~$ nv config apply ``` @@ -143,8 +143,8 @@ cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action allow cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/lo permission all cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/mgmt permission all cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/eth0 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/vrf* permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/swp[1-5]/* permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/vrf permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/swp1-swp5/* permission all cumulus@switch:~$ nv config apply ``` 
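Review bot: The two changed lines in the `InterfaceMgmt_1` hunk switch pattern styles without explanation: `interface/vrf*` becomes the literal `interface/vrf`, and `interface/swp[1-5]/*` becomes `interface/swp1-swp5/*`, which still ends in `/*` while the `lo`, `mgmt`, `eth0` and `vrf` lines do not. These paths decide what a role may change, so state next to the example which pattern forms `command-path` accepts (literal, trailing `*`, ranges) and whether `interface/vrf` matches one interface or a prefix. The preceding hunk needs the same care: the allow classes narrow from `*` to `/system`, so the surrounding description of what user1 can do should be rechecked, and the `restrict` deny line has no `permission` argument, unlike every other `command-path` line.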
@@ -154,7 +154,7 @@ The following example assigns user3 the role of `OSPF`. user3 does **not** have cumulus@switch:~$ nv set system aaa user user3 role OSPF cumulus@switch:~$ nv set system aaa role IFMgr class OSPF-DENY cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action deny -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/.*/router/ospf permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/*/router/ospf permission all cumulus@switch:~$ nv config apply ``` From 3334b5695ae3e6241ca8d32c28bf206aba5b8ac6 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 15 Nov 2023 16:54:04 -0800 Subject: [PATCH 032/204] updates to whats new --- content/cumulus-linux-57/Whats-New/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 8f1d81aa9e..4613dc6d03 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -36,9 +36,9 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} with more granularity - Commands to {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. - - PIM show commands for PIM RP, JOIN, PIM MLAG summary, and MLAG upstream information + - Show commands to see the {{}} and {{}} - - Set and show commands to configure and show the IP neighbor table + - Show commands to show the IP neighbor table - Enhanced {{}} command output now in table format - Improvements to {{}} From 589314345106c9b7018db83fc470deef94de347d Mon Sep 17 00:00:00 2001 
From: rachel-netq Date: Thu, 16 Nov 2023 12:14:07 -0500 Subject: [PATCH 033/204] removed 5000 device support claim --- .../cumulus-netq-40/Manage-Deployment/Install-NetQ/_index.md | 2 +- .../cumulus-netq-41/Manage-Deployment/Install-NetQ/_index.md | 2 +- .../Installation-Management/Install-NetQ/_index.md | 2 +- .../Installation-Management/Install-NetQ/Before-You-Install.md | 2 +- .../Installation-Management/Install-NetQ/Before-You-Install.md | 2 +- .../Installation-Management/Install-NetQ/Before-You-Install.md | 2 +- .../Installation-Management/Install-NetQ/Before-You-Install.md | 2 +- .../Installation-Management/Install-NetQ/Before-You-Install.md | 2 +- .../Installation-Management/Install-NetQ/Before-You-Install.md | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/_index.md b/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/_index.md index ca5756d86c..ec04ef1df8 100644 --- a/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/_index.md +++ b/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/_index.md 
@@ -47,7 +47,7 @@ The documentation walks you through these choices and then provides the instruct Deploying the NetQ servers in a cluster arrangement has many benefits even though it's a more complex configuration. The primary benefits of having multiple servers that run the software and store the data are reduced potential downtime and increased availability. -The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 devices in total (switches, servers and hosts). When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you later {{}} to the cluster, you do not need to configure these nodes again. +The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you later {{}} to the cluster, you do not need to configure these nodes again. The Agents connect to the server using gRPC. diff --git a/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/_index.md b/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/_index.md index ca5756d86c..ec04ef1df8 100644 --- a/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/_index.md +++ b/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/_index.md 
@@ -47,7 +47,7 @@ The documentation walks you through these choices and then provides the instruct Deploying the NetQ servers in a cluster arrangement has many benefits even though it's a more complex configuration. The primary benefits of having multiple servers that run the software and store the data are reduced potential downtime and increased availability. -The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 devices in total (switches, servers and hosts). When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you later {{}} to the cluster, you do not need to configure these nodes again. +The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you later {{}} to the cluster, you do not need to configure these nodes again. The Agents connect to the server using gRPC. diff --git a/content/cumulus-netq-42/Installation-Management/Install-NetQ/_index.md b/content/cumulus-netq-42/Installation-Management/Install-NetQ/_index.md index 020437d45a..b217b0cb00 100644 --- a/content/cumulus-netq-42/Installation-Management/Install-NetQ/_index.md +++ b/content/cumulus-netq-42/Installation-Management/Install-NetQ/_index.md 
@@ -47,7 +47,7 @@ The documentation walks you through these choices and then provides the instruct Deploying the NetQ servers in a cluster arrangement has many benefits even though it's a more complex configuration. The primary benefits of having multiple servers that run the software and store the data are reduced potential downtime and increased availability. -The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 devices in total (switches, servers and hosts). When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you later {{}} to the cluster, you do not need to configure these nodes again. +The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you later {{}} to the cluster, you do not need to configure these nodes again. The Agents connect to the server using gRPC. diff --git a/content/cumulus-netq-43/Installation-Management/Install-NetQ/Before-You-Install.md b/content/cumulus-netq-43/Installation-Management/Install-NetQ/Before-You-Install.md index 16368fc672..1a7f20c3cc 100644 --- a/content/cumulus-netq-43/Installation-Management/Install-NetQ/Before-You-Install.md +++ b/content/cumulus-netq-43/Installation-Management/Install-NetQ/Before-You-Install.md 
@@ -60,7 +60,7 @@ The next installation step is deciding whether to deploy a single server or a se A single server is easier to set up, configure and manage, but can limit your ability to scale your network monitoring quickly. Deploying multiple servers is a bit more complicated, but you limit potential downtime and increase availability by having more than one server that can run the software and store the data. Select the standalone single-server arrangements for smaller, simpler deployments. Be sure to consider the capabilities and resources needed on this server to support the size of your final deployment. -Select the server cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 devices in total (switches, servers, and hosts). When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you decide to {{}} to the cluster, you do not need to configure these nodes again. +Select the server cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you decide to {{}} to the cluster, you do not need to configure these nodes again. ### Cluster Deployments and Kubernetes diff --git a/content/cumulus-netq-44/Installation-Management/Install-NetQ/Before-You-Install.md b/content/cumulus-netq-44/Installation-Management/Install-NetQ/Before-You-Install.md index 16368fc672..8fdc840185 100644 --- a/content/cumulus-netq-44/Installation-Management/Install-NetQ/Before-You-Install.md 
+++ b/content/cumulus-netq-44/Installation-Management/Install-NetQ/Before-You-Install.md @@ -60,7 +60,7 @@ The next installation step is deciding whether to deploy a single server or a se A single server is easier to set up, configure and manage, but can limit your ability to scale your network monitoring quickly. Deploying multiple servers is a bit more complicated, but you limit potential downtime and increase availability by having more than one server that can run the software and store the data. Select the standalone single-server arrangements for smaller, simpler deployments. Be sure to consider the capabilities and resources needed on this server to support the size of your final deployment. -Select the server cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 devices in total (switches, servers, and hosts). When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you decide to {{}} to the cluster, you do not need to configure these nodes again. +Select the server cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you decide to {{}} to the cluster, you do not need to configure these nodes again. ### Cluster Deployments and Kubernetes diff --git a/content/cumulus-netq-45/Installation-Management/Install-NetQ/Before-You-Install.md b/content/cumulus-netq-45/Installation-Management/Install-NetQ/Before-You-Install.md index 16368fc672..1a7f20c3cc 100644 
--- a/content/cumulus-netq-45/Installation-Management/Install-NetQ/Before-You-Install.md +++ b/content/cumulus-netq-45/Installation-Management/Install-NetQ/Before-You-Install.md @@ -60,7 +60,7 @@ The next installation step is deciding whether to deploy a single server or a se A single server is easier to set up, configure and manage, but can limit your ability to scale your network monitoring quickly. Deploying multiple servers is a bit more complicated, but you limit potential downtime and increase availability by having more than one server that can run the software and store the data. Select the standalone single-server arrangements for smaller, simpler deployments. Be sure to consider the capabilities and resources needed on this server to support the size of your final deployment. -Select the server cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 devices in total (switches, servers, and hosts). When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you decide to {{}} to the cluster, you do not need to configure these nodes again. +Select the server cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. When you configure the cluster, {{}} to connect to these three nodes in the cluster first by providing the IP addresses as a comma-separated list. If you decide to {{}} to the cluster, you do not need to configure these nodes again. ### Cluster Deployments and Kubernetes 
diff --git a/content/cumulus-netq-46/Installation-Management/Install-NetQ/Before-You-Install.md b/content/cumulus-netq-46/Installation-Management/Install-NetQ/Before-You-Install.md index 948753e344..febbf7b237 100644 --- a/content/cumulus-netq-46/Installation-Management/Install-NetQ/Before-You-Install.md +++ b/content/cumulus-netq-46/Installation-Management/Install-NetQ/Before-You-Install.md @@ -47,7 +47,7 @@ Both single-server and server-cluster deployments provide identical services and A single server is easier to set up, configure, and manage, but can limit your ability to scale your network monitoring quickly. Deploying multiple servers is more complicated, but you limit potential downtime and increase availability by having more than one server that can run the software and store the data. Select the standalone, single-server arrangements for smaller, simpler deployments. Be sure to consider the capabilities and resources needed on this server to support the size of your final deployment. -Select the server-cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 total devices (switches, servers, and hosts). Part of the cluster configuration includes {{}} to connect to these three nodes. If you decide to {{}} to the cluster, you do not need to configure these nodes again. +Select the server-cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. Part of the cluster configuration includes {{}} to connect to these three nodes. If you decide to {{}} to the cluster, you do not need to configure these nodes again. ### Cluster Deployments and Kubernetes 
diff --git a/content/cumulus-netq-47/Installation-Management/Install-NetQ/Before-You-Install.md b/content/cumulus-netq-47/Installation-Management/Install-NetQ/Before-You-Install.md index 948753e344..febbf7b237 100644 --- a/content/cumulus-netq-47/Installation-Management/Install-NetQ/Before-You-Install.md +++ b/content/cumulus-netq-47/Installation-Management/Install-NetQ/Before-You-Install.md @@ -47,7 +47,7 @@ Both single-server and server-cluster deployments provide identical services and A single server is easier to set up, configure, and manage, but can limit your ability to scale your network monitoring quickly. Deploying multiple servers is more complicated, but you limit potential downtime and increase availability by having more than one server that can run the software and store the data. Select the standalone, single-server arrangements for smaller, simpler deployments. Be sure to consider the capabilities and resources needed on this server to support the size of your final deployment. -Select the server-cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 total devices (switches, servers, and hosts). Part of the cluster configuration includes {{}} to connect to these three nodes. If you decide to {{}} to the cluster, you do not need to configure these nodes again. +Select the server-cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. Part of the cluster configuration includes {{}} to connect to these three nodes. If you decide to {{}} to the cluster, you do not need to configure these nodes again. ### Cluster Deployments and Kubernetes 
diff --git a/content/cumulus-netq-48/Installation-Management/Install-NetQ/Before-You-Install.md b/content/cumulus-netq-48/Installation-Management/Install-NetQ/Before-You-Install.md index d5d3e181e5..e3ab1847c0 100644 --- a/content/cumulus-netq-48/Installation-Management/Install-NetQ/Before-You-Install.md +++ b/content/cumulus-netq-48/Installation-Management/Install-NetQ/Before-You-Install.md 
@@ -47,7 +47,7 @@ Both single-server and server-cluster deployments provide identical services and A single server is easier to set up, configure, and manage, but can limit your ability to scale your network monitoring quickly. Deploying multiple servers is more complicated, but you limit potential downtime and increase availability by having more than one server that can run the software and store the data. Select the standalone, single-server arrangements for smaller, simpler deployments. Be sure to consider the capabilities and resources needed on this server to support the size of your final deployment. -Select the server-cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster, and up to 5000 total devices (switches, servers, and hosts). Part of the cluster configuration includes {{}} to connect to these three nodes. If you decide to {{}} to the cluster, you do not need to configure these nodes again. +Select the server-cluster arrangement to obtain scalability and high availability for your network. The default clustering implementation has three servers: 1 master and 2 workers. However, NetQ supports up to 10 worker nodes in a cluster. Part of the cluster configuration includes {{}} to connect to these three nodes. If you decide to {{}} to the cluster, you do not need to configure these nodes again. You can enable {{}} (HA) of NetQ control plane processing and UI access with the use of an additional virtual IP address assigned to the cluster nodes. From 1f60c970fedff2c26d58970f38a6c3bba95e8b91 Mon Sep 17 00:00:00 2001 
From: cumulusAnia Date: Thu, 16 Nov 2023 09:37:52 -0800 Subject: [PATCH 034/204] change route-redistribute to redistribute --- .../Layer-3/Routing/Route-Filtering-and-Redistribution.md | 4 ++-- .../Layer-3/Routing/Route-Filtering-and-Redistribution.md | 4 ++-- .../Layer-3/Routing/Route-Filtering-and-Redistribution.md | 4 ++-- .../Layer-3/Routing/Route-Filtering-and-Redistribution.md | 4 ++-- .../Layer-3/Routing/Route-Filtering-and-Redistribution.md | 4 ++-- .../Layer-3/Routing/Route-Filtering-and-Redistribution.md | 4 ++-- .../Layer-3/Routing/Route-Filtering-and-Redistribution.md | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/content/cumulus-linux-50/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-50/Layer-3/Routing/Route-Filtering-and-Redistribution.md index 9aeaf20e25..e902bb337a 100644 --- a/content/cumulus-linux-50/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-50/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -176,7 +176,7 @@ The following example commands redistribute routing information from [OSPF](## " {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute ospf +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute ospf cumulus@switch:~$ nv config apply ``` @@ -203,7 +203,7 @@ To redistribute all directly connected networks, use the `redistribute connected {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute connected +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute connected cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-51/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-51/Layer-3/Routing/Route-Filtering-and-Redistribution.md index c36dfb9782..d207656887 100644 
--- a/content/cumulus-linux-51/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-51/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -240,7 +240,7 @@ The following example commands redistribute routing information from [OSPF](## " {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute ospf +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute ospf cumulus@switch:~$ nv config apply ``` @@ -267,7 +267,7 @@ To redistribute all directly connected networks, use the `redistribute connected {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute connected +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute connected cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-52/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-52/Layer-3/Routing/Route-Filtering-and-Redistribution.md index c36dfb9782..d207656887 100644 --- a/content/cumulus-linux-52/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-52/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -240,7 +240,7 @@ The following example commands redistribute routing information from [OSPF](## " {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute ospf +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute ospf cumulus@switch:~$ nv config apply ``` 
@@ -267,7 +267,7 @@ To redistribute all directly connected networks, use the `redistribute connected {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute connected +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute connected cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md index e5730802e5..8b6470c9cc 100644 --- a/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -450,7 +450,7 @@ The following example commands redistribute routing information from }} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute ospf +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute ospf cumulus@switch:~$ nv config apply ``` @@ -477,7 +477,7 @@ To redistribute all directly connected networks, use the `redistribute connected {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute connected +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute connected cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md index b728e01efe..9a2db84756 100644 --- a/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md 
@@ -462,7 +462,7 @@ The following example commands redistribute routing information from }} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute ospf +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute ospf cumulus@switch:~$ nv config apply ``` @@ -489,7 +489,7 @@ To redistribute all directly connected networks, use the `redistribute connected {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute connected +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute connected cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md index bd85d663d1..90b3423873 100644 --- a/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -488,7 +488,7 @@ The following example commands redistribute routing information from }} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute ospf +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute ospf cumulus@switch:~$ nv config apply ``` @@ -515,7 +515,7 @@ To redistribute all directly connected networks, use the `redistribute connected {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute connected +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute connected cumulus@switch:~$ nv config apply ``` 
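Review bot: The same substitution, `route-redistribute` to `redistribute`, is applied to the 5.0, 5.1, 5.2, 5.4, 5.5 and 5.6 copies of this page and to the 5.7 copy that follows, and the commit message does not say in which release the keyword is accepted. Please confirm that `nv set vrf default router bgp address-family ipv4-unicast redistribute ospf` is valid on every release edited. If this corrects a long-standing documentation error rather than a command rename, say so in the commit message so that nobody later reads it as a syntax change.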
diff --git a/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md index bd85d663d1..90b3423873 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -488,7 +488,7 @@ The following example commands redistribute routing information from }} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute ospf +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute ospf cumulus@switch:~$ nv config apply ``` @@ -515,7 +515,7 @@ To redistribute all directly connected networks, use the `redistribute connected {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast route-redistribute connected +cumulus@switch:~$ nv set vrf default router bgp address-family ipv4-unicast redistribute connected cumulus@switch:~$ nv config apply ``` From 3c77dfc7fa6943ede4e677037f19963f5327c31d Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 16 Nov 2023 12:14:40 -0800 Subject: [PATCH 035/204] update whats new --- content/cumulus-linux-57/Whats-New/_index.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 4613dc6d03..fa289dfa45 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md 
@@ -42,6 +42,17 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Enhanced {{}} command output now in table format - Improvements to {{}} +{{< expand "Changed NVUE Commands" >}} + +| Previous Command | New Command | +| ------------ | ------------- | +| `nv set router pim timers keep-alive`| `nv set router pim timers keepalive` | +| `nv set router pim timers rp-keep-alive`| `nv set router pim timers rp-keepalive` | +| `nv set vrf default router pim timers keep-alive`| `nv set vrf default router pim timers keepalive` | +| `nv set vrf default router pim timers rp-keep-alive`| `nv set vrf default router pim timers rp-keepalive` | + +{{< /expand >}} + {{< expand "New NVUE Commands" >}} For descriptions and examples of all NVUE commands, refer to the [NVUE Command Reference]({{}}) for Cumulus Linux. From 4b7cd8222c66f52d1f848c0f65d968296d6b3904 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 16 Nov 2023 16:18:48 -0800 Subject: [PATCH 036/204] updates to custom roles --- .../User-Accounts.md | 36 ++++++++----------- content/cumulus-linux-57/Whats-New/_index.md | 2 +- 2 files changed, 16 insertions(+), 22 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index 0565043516..1503b71c35 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md 
@@ -108,43 +108,37 @@ Custom role-based access control consists of the following elements: | Element | Description | | ------- | ----------- | | Role | A virtual identifier for multiple classes (groups). You can assign only one role for a user. For example, for a user that can manage interfaces, you can create a role called `IFMgr`. | -| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions. You can assign a maximum of 64 classes to a role.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `interface/vrf*` command path to allow or deny a user access to all VRFs, or `/system/hostname` to allow or deny a user access to hostname configuration. You can configure a maximum of 128 command paths.
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| +| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions. You can assign a maximum of 64 classes to a role.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. You can configure a maximum of 128 command paths.
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| | Action | The action for the class; `allow` or `deny`. | To add a new user account and assign the user a custom role: - Assign a role to a user. -- Assign a password for the user. -- Create classes for the role. Add command paths and permissions for each class. +- Create classes for the role. +- Add command paths and permissions for each class. - Assign the action (`allow` or `deny`) for each class. The following example assigns user1 the role of `switch-admin`. user1 can manage the entire switch except for authentication, authorization, and accounting settings (`system aaa`). ``` cumulus@switch:~$ nv set system aaa user user1 role switch-admin -cumulus@switch:~$ nv set system aaa user user1 password -cumulus@switch:~$ nv set system aaa role switch-admin class nvapply -cumulus@switch:~$ nv set system aaa class nvapply action allow -cumulus@switch:~$ nv set system aaa class nvapply command-path /system permission all -cumulus@switch:~$ nv set system aaa role switch-admin class nvshow -cumulus@switch:~$ nv set system aaa class nvshow action allow -cumulus@switch:~$ nv set system aaa class nvshow command-path /system permission all -cumulus@switch:~$ nv set system aaa role switch-admin class restrict +cumulus@switch:~$ nv set system aaa role switch-admin class RESTRICT cumulus@switch:~$ nv set system aaa class restrict action deny -cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/ +cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/*/ cumulus@switch:~$ nv config apply ``` -The following example assigns user2 the role of `IFMgr`. user2 can manage the loopback, management, eth0, and swp1 through 5 interfaces, and all VRFs. +The following example assigns user2 the role of `IFMgr`. 
user2 can manage the loopback, management, eth0, and swp1 through 3 interfaces. ``` cumulus@switch:~$ nv set system aaa user user2 role IFMgr cumulus@switch:~$ nv set system aaa role IFMgr class InterfaceMgmt_1 cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action allow -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/lo permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/mgmt permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/eth0 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/vrf permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/swp1-swp5/* permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/lo permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/mgmt permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/eth0 permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp1 permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp2 permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp3 permission all cumulus@switch:~$ nv config apply ``` 
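Review bot: In the user1 example the role is given class `RESTRICT` (`nv set system aaa role switch-admin class RESTRICT`), but the next two lines configure a class named `restrict`; if class names are case-sensitive, the deny rule for `/system/aaa/*/` lands in a class the role does not reference and user1 is not kept out of the AAA settings. Use one spelling in all three lines. Two further points in the same hunk: with the `nvapply` and `nvshow` allow classes removed, the role now contains only a deny class, so the text should say what gives user1 access to the rest of the switch; and the password step and `nv set system aaa user user1 password` are dropped although the lead-in still reads "To add a new user account", so say where the password is set.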
@@ -152,9 +146,9 @@ The following example assigns user3 the role of `OSPF`. user3 does **not** have ``` cumulus@switch:~$ nv set system aaa user user3 role OSPF -cumulus@switch:~$ nv set system aaa role IFMgr class OSPF-DENY -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action deny -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path interface/*/router/ospf permission all +cumulus@switch:~$ nv set system aaa role OSPF class OSPF-DENY +cumulus@switch:~$ nv set system aaa class OSPF-DENY action deny +cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/router/ospf/ permission all cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index fa289dfa45..e23d1c22f6 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -33,7 +33,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} - - {{}} with more granularity + - {{}} with more granularity - Commands to {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. From f385921dce5f9ab904707ba4b926d32a97a838d0 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 16 Nov 2023 16:21:59 -0800 Subject: [PATCH 037/204] typo --- .../User-Accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index 1503b71c35..d92d607a25 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md 
+++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md @@ -113,7 +113,7 @@ Custom role-based access control consists of the following elements: To add a new user account and assign the user a custom role: - Assign a role to a user. -- Create classes for the role. +- Create classes for the role. - Add command paths and permissions for each class. - Assign the action (`allow` or `deny`) for each class. From 25f19715a9d3f74f2f34148266db73227addfba9 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 17 Nov 2023 09:37:07 -0800 Subject: [PATCH 038/204] change acls - dest-port and source-port --- .../Network-Address-Translation-NAT.md | 8 +++--- .../System-Configuration/Netfilter-ACLs.md | 28 +++++++++---------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md index c4fd5b3268..df81df7e0a 100644 --- a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md +++ b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md @@ -70,7 +70,7 @@ The following rule matches UDP packets with source IP address 10.0.0.1 and sourc ``` cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol udp cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.1 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-port 5000 +cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip udp source-port 5000 cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.80 cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-port 6000 cumulus@switch:~$ nv config apply 
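Review bot: The new `match ip udp source-port 5000` line sits directly after `match ip protocol udp`, so the rule now names the protocol twice. State in the surrounding text whether the `match ip protocol` line is still required once the port match carries the protocol. Since this changes command syntax in the 5.7 pages, consider adding the old and new forms to the "Changed NVUE Commands" table in Whats-New, which currently lists only the PIM timer renames.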
@@ -81,7 +81,7 @@ The following rule matches UDP packets with destination IP address 172.30.58.80 ``` cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol udp cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip dest-ip 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip dest-port 6000 +cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip udp dest-port 6000 cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action dest-nat translate-ip 10.0.0.1 cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action dest-nat translate-port 5000 cumulus@switch:~$ nv config apply @@ -172,7 +172,7 @@ To delete a static NAT rule: ``` cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip protocol udp cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip dest-ip 172.30.58.80 -cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip dest-port 6000 +cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip udp dest-port 6000 cumulus@switch:~$ nv config apply ``` @@ -303,7 +303,7 @@ The following rule matches UDP packets with source IP address in the range 10.0. ``` cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol udp cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.0/24 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-port 5000 +cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip udp source-port 5000 cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.80 cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-port 1024-1200 cumulus@switch:~$ nv config apply diff --git a/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md index e55da5c645..6dc5db901d 100644 --- a/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md 
+++ b/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md @@ -256,9 +256,9 @@ To create this rule with NVUE, follow the steps below. NVUE adds all options in cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-ip 10.0.14.2/32 - cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-port ANY + cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp source-port ANY cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-ip 10.0.15.8/32 - cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-port ANY + cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port ANY cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action permit ``` @@ -866,7 +866,7 @@ To set SSH as high priority traffic: ``` cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-port 22 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port 22 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action set dscp 46 cumulus@switch:~$ nv set interface swp1-48 acl EXAMPLE1 inbound cumulus@switch:~$ nv config apply 
@@ -897,9 +897,9 @@ To use a range of ports for TCP traffic: cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-ip 10.0.0.17/32 -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-port 10000:20000 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp source-port 10000:20000 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-ip 10.0.100.27/32 -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-port 10000:20000 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port 10000:20000 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action set dscp 34 cumulus@switch:~$ nv set interface swp1-48 acl EXAMPLE1 inbound cumulus@switch:~$ nv config apply @@ -1129,7 +1129,7 @@ The following rule blocks any TCP traffic with destination port 200 going throug ``` cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-port 200 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port 200 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action deny cumulus@switch:~$ nv set interface swp1 acl EXAMPLE1 outbound cumulus@switch:~$ nv config apply @@ -1156,7 +1156,7 @@ The following rule blocks any UDP traffic with source port 200 going from server ``` cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol udp -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-port 200 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip udp source-port 200 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action deny cumulus@switch:~$ nv set interface swp1 acl EXAMPLE1 inbound cumulus@switch:~$ nv config apply 
@@ -1183,7 +1183,7 @@ The following rule blocks any UDP traffic with source port 200 and destination p ``` cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol udp -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-port 50 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip udp dest-port 50 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action deny cumulus@switch:~$ nv set interface swp2 acl EXAMPLE1 inbound control-plane cumulus@switch:~$ nv config apply @@ -1210,8 +1210,8 @@ The following rule blocks any TCP traffic with source port 123 and destination p ``` cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-port 123 -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-port 123 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp source-port 123 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port 123 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action deny cumulus@switch:~$ nv set interface swp2 acl EXAMPLE1 outbound control-plane cumulus@switch:~$ nv config apply 
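Review bot: In the `@@ -1183,7` hunk of Netfilter-ACLs.md the description carried in the hunk header says the rule blocks UDP traffic "with source port 200 and destination p...", but the rule shown matches only `match ip udp dest-port 50`; no source-port line appears between `match ip protocol udp` and the changed line. Since this line is being touched anyway, add the `match ip udp source-port 200` match or correct the description, otherwise the documented ACL denies more traffic than the text claims.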
@@ -1246,14 +1246,14 @@ This also becomes two ACLs and is the same as: ``` cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-port 123 -cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-port 123 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp source-port 123 +cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port 123 cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action deny cumulus@switch:~$ nv set interface swp1-48 acl EXAMPLE1 outbound cumulus@switch:~$ nv set acl EXAMPLE2 type ipv4 cumulus@switch:~$ nv set acl EXAMPLE2 rule 10 match ip protocol tcp -cumulus@switch:~$ nv set acl EXAMPLE2 rule 10 match ip source-port 123 -cumulus@switch:~$ nv set acl EXAMPLE2 rule 10 match ip dest-port 123 +cumulus@switch:~$ nv set acl EXAMPLE2 rule 10 match ip tcp source-port 123 +cumulus@switch:~$ nv set acl EXAMPLE2 rule 10 match ip tcp dest-port 123 cumulus@switch:~$ nv set acl EXAMPLE2 rule 10 action deny cumulus@switch:~$ nv set interface swp1-48 acl EXAMPLE2 outbound control-plane cumulus@switch:~$ nv config apply From be09ca105324ea4fcb36cd2dee32b28d9898057e Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 17 Nov 2023 10:19:39 -0800 Subject: [PATCH 039/204] update to user permissions --- .../User-Accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index d92d607a25..c1b72e63db 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md 
@@ -108,7 +108,7 @@ Custom role-based access control consists of the following elements: | Element | Description | | ------- | ----------- | | Role | A virtual identifier for multiple classes (groups). You can assign only one role for a user. For example, for a user that can manage interfaces, you can create a role called `IFMgr`. | -| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions. You can assign a maximum of 64 classes to a role.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. You can configure a maximum of 128 command paths.
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| +| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions. You can assign a maximum of 64 classes to a role.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path <>`). You can configure a maximum of 128 command paths.
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| | Action | The action for the class; `allow` or `deny`. | To add a new user account and assign the user a custom role: From f5773f26cacbaa34cc403b177dd447fd5532e2b5 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 11:04:27 -0800 Subject: [PATCH 040/204] update custom roles --- .../User-Accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index c1b72e63db..a806a09af4 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md @@ -111,7 +111,7 @@ Custom role-based access control consists of the following elements: | Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions. You can assign a maximum of 64 classes to a role.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path <>`). You can configure a maximum of 128 command paths.
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| | Action | The action for the class; `allow` or `deny`. | -To add a new user account and assign the user a custom role: +To a custom role to a user account: - Assign a role to a user. - Create classes for the role. - Add command paths and permissions for each class. From 4fcff5bf9bba322afd90020f2101e68cc7fcb9b0 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 11:46:40 -0800 Subject: [PATCH 041/204] updates to role based access control --- .../Role-Based-Access-Control.md | 171 ++++++++++++++++++ .../User-Accounts.md | 114 +++++------- content/cumulus-linux-57/Whats-New/_index.md | 2 +- 3 files changed, 218 insertions(+), 69 deletions(-) create mode 100644 content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md new file mode 100644 index 0000000000..be5b7d7ce8 --- /dev/null +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -0,0 +1,171 @@ +--- +title: Role-Based Access Control +author: NVIDIA +weight: 152 +toc: 4 +--- +In addition to the default roles that Cumulus Linux provides, you can create your own roles to restrict authorization, giving you more granular control over what a user can manage on the switch. For example, you can assign a user the role of Network Manager and provide the user privileges for interface management, service management and system management. When the user logs in and executes an NVUE command, NVUE checks the user privileges and authorizes the user to run that command. + +Custom role-based access control consists of the following elements: + +| Element | Description | +| ------- | ----------- | +| Role | A virtual identifier for multiple classes (groups). You can assign only one role for a user. For example, for a user that can manage interfaces, you can create a role called `IFMgr`. | +| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path <>`).
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| +| Action | The action for the class; `allow` or `deny`. | + +{{%notice note%}} +- You can assign a maximum of 64 classes to a role. +- You can configure a maximum of 128 command paths. +- When you configure a command path, you are authorize a specific schema path and its children. +{{%/notice%}} + +## Assign a Custom Role to a User Account + +To assign custom role to a user account: +- Assign a role to a user. +- Create classes for the role. +- Add command paths and permissions for each class. +- Assign the action (`allow` or `deny`) for each class. + +The following example assigns user1 the role of `switch-admin`. user1 can manage the entire switch except for authentication, authorization, and accounting settings (`system aaa`). + +``` +cumulus@switch:~$ nv set system aaa user user1 role switch-admin +cumulus@switch:~$ nv set system aaa role switch-admin class RESTRICT +cumulus@switch:~$ nv set system aaa class restrict action deny +cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/*/ +cumulus@switch:~$ nv config apply +``` + +The following example assigns user2 the role of `IFMgr`. user2 can manage the loopback, management, eth0, and swp1 through 3 interfaces. 
+ +``` +cumulus@switch:~$ nv set system aaa user user2 role IFMgr +cumulus@switch:~$ nv set system aaa role IFMgr class InterfaceMgmt_1 +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action allow +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/lo permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/mgmt permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/eth0 permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp1 permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp2 permission all +cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp3 permission all +cumulus@switch:~$ nv config apply +``` + +The following example assigns user3 the role of `OSPF`. user3 does **not** have permissions to manage OSPF on an interface. + +``` +cumulus@switch:~$ nv set system aaa user user3 role OSPF +cumulus@switch:~$ nv set system aaa role OSPF class OSPF-DENY +cumulus@switch:~$ nv set system aaa class OSPF-DENY action deny +cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/router/ospf/ permission all +cumulus@switch:~$ nv config apply +``` + +## Show Custom Role Information + +To show the user accounts configured on the system, run the NVUE `nv show system aaa user` command or the linux `sudo cat /etc/passwd` command. 
+ +``` +cumulus@switch:~$ nv show system aaa user +Username Full-name Role enable Summary +---------------- ---------------------------------- ------- ------ ------- +_apt Unknown system +_lldpd Unknown system +backup backup Unknown system +bin bin Unknown system +cumulus cumulus,,, Unknown on +daemon daemon Unknown system +dnsmasq dnsmasq,,, Unknown system +frr Frr routing suite,,, Unknown system +games games Unknown system +gnats Gnats Bug-Reporting System (admin) Unknown system +irc ircd Unknown system +list Mailing List Manager Unknown system +lp lp Unknown system +mail mail Unknown system +man man Unknown system +messagebus Unknown system +news news Unknown system +nobody nobody Unknown off +ntp Unknown system +nvue NVIDIA User Experience Unknown system +proxy proxy Unknown system +root root Unknown system +snmp Unknown system +sshd Unknown system +sync sync Unknown system +sys sys Unknown system +systemd-coredump systemd Core Dumper Unknown system +systemd-network systemd Network Management,,, Unknown system +systemd-resolve systemd Resolver,,, Unknown system +systemd-timesync systemd Time Synchronization,,, Unknown system +user1 OSPF on +user2 IFMgr on +uucp uucp Unknown system +uuidd Unknown system +www-data www-data Unknown system +``` + +To show information about a specific user account including the role assigned to the user, run the run the NVUE `nv show system aaa user ` command: + +``` +cumulus@switch:~$ nv show system aaa user admin2 + operational applied +--------- ----------- ------- +role IFMgr IFMgr +full-name +enable on on +``` + +To show all the roles configured on the switch: + +``` +cumulus@switch:~$ nv show system aaa role +Role Class +------------ --------------- +IFMgr InterfaceMgmt_1 +OSPF OSPF-DENY +nvue-admin nvapply +nvue-monitor nvshow +system-admin nvapply + sudo +``` + +To the classes applied to specific role: + +``` +cumulus@switch:~$ nv show system aaa role IFMgr + applied +------- --------------- +[class] InterfaceMgmt_1 +``` + 
+To show all the classes configured on the switch: + +``` +cumulus@switch:~$ nv show system aaa class +Class Name Command Path Permission Action +--------------- ------------------------- ---------- ------ +InterfaceMgmt_1 /interface/eth0/ all allow + /interface/lo/ all + /interface/mgmt/ all + /interface/swp1/ all + /interface/swp2/ all + /interface/swp3/ all +OSPF-DENY /interface/*/router/ospf/ all deny +nvapply / all allow +nvshow / ro allow +sudo / all allow +``` + +To show the configuration and state of the command-paths for a class: + +``` +cumulus@switch:~$ nv show system aaa class OSPF-DENY + applied +-------------- ------------------------- +action deny +[command-path] /interface/*/router/ospf/ +``` diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index a806a09af4..b66c98c9e7 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md 
@@ -99,59 +99,6 @@ Only the following user accounts can create, modify, and delete other `system-ad - Non NVUE-managed users that are in the `sudo` group. {{%/notice%}} -### Custom Roles - -In addition to the default roles that Cumulus Linux provides, you can create your own roles to restrict authorization, giving you more granular control over what a user can manage on the switch. For example, you can assign a user the role of Network Manager and provide the user privileges for interface management, service management and system management. When the user logs in and executes an NVUE command, NVUE checks the user privileges and authorizes the user to run that command. - -Custom role-based access control consists of the following elements: - -| Element | Description | -| ------- | ----------- | -| Role | A virtual identifier for multiple classes (groups). You can assign only one role for a user. For example, for a user that can manage interfaces, you can create a role called `IFMgr`. | -| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions. You can assign a maximum of 64 classes to a role.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path <>`). You can configure a maximum of 128 command paths.
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| -| Action | The action for the class; `allow` or `deny`. | - -To a custom role to a user account: -- Assign a role to a user. -- Create classes for the role. -- Add command paths and permissions for each class. -- Assign the action (`allow` or `deny`) for each class. - -The following example assigns user1 the role of `switch-admin`. user1 can manage the entire switch except for authentication, authorization, and accounting settings (`system aaa`). - -``` -cumulus@switch:~$ nv set system aaa user user1 role switch-admin -cumulus@switch:~$ nv set system aaa role switch-admin class RESTRICT -cumulus@switch:~$ nv set system aaa class restrict action deny -cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/*/ -cumulus@switch:~$ nv config apply -``` - -The following example assigns user2 the role of `IFMgr`. user2 can manage the loopback, management, eth0, and swp1 through 3 interfaces. 
- -``` -cumulus@switch:~$ nv set system aaa user user2 role IFMgr -cumulus@switch:~$ nv set system aaa role IFMgr class InterfaceMgmt_1 -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action allow -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/lo permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/mgmt permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/eth0 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp1 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp2 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp3 permission all -cumulus@switch:~$ nv config apply -``` - -The following example assigns user3 the role of `OSPF`. user3 does **not** have permissions to manage OSPF on an interface. - -``` -cumulus@switch:~$ nv set system aaa user user3 role OSPF -cumulus@switch:~$ nv set system aaa role OSPF class OSPF-DENY -cumulus@switch:~$ nv set system aaa class OSPF-DENY action deny -cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/router/ospf/ permission all -cumulus@switch:~$ nv config apply -``` - ### Hashed Passwords Instead of a plain text password, you can provide a hashed password for a local user. 
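Review bot: Removing the `### Custom Roles` section from User-Accounts.md in this hunk leaves the page with no pointer to where custom roles are now documented. The text runs straight from the `system-admin` notice into `### Hashed Passwords`. Add a one-line cross reference to the new Role-Based Access Control page in this same commit, so a reader who follows an existing link to this section still reaches the authorization material.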
@@ -272,26 +219,57 @@ cumulus@switch:~$ sudo userdel admin2 To show the user accounts configured on the system, run the NVUE `nv show system aaa` command or the linux `sudo cat /etc/passwd` command. ``` -cumulus@switch:~$ nv show system aaa -Username Full-name Role enable ----------------- ---------------------------------- ------------ ------ -Debian-snmp Unknown system -_apt Unknown system -_lldpd Unknown system -admin2 FIRST LAST system-admin on -... +cumulus@switch:~$ nv show system aaa user +Username Full-name Role enable Summary +---------------- ---------------------------------- ------- ------ ------- +_apt Unknown system +_lldpd Unknown system +backup backup Unknown system +bin bin Unknown system +cumulus cumulus,,, Unknown on +daemon daemon Unknown system +dnsmasq dnsmasq,,, Unknown system +frr Frr routing suite,,, Unknown system +games games Unknown system +gnats Gnats Bug-Reporting System (admin) Unknown system +irc ircd Unknown system +list Mailing List Manager Unknown system +lp lp Unknown system +mail mail Unknown system +man man Unknown system +messagebus Unknown system +news news Unknown system +nobody nobody Unknown off +ntp Unknown system +nvue NVIDIA User Experience Unknown system +proxy proxy Unknown system +root root Unknown system +snmp Unknown system +sshd Unknown system +sync sync Unknown system +sys sys Unknown system +systemd-coredump systemd Core Dumper Unknown system +systemd-network systemd Network Management,,, Unknown system +systemd-resolve systemd Resolver,,, Unknown system +systemd-timesync systemd Time Synchronization,,, Unknown system +user1 OSPF on +user2 IFMgr on +uucp uucp Unknown system +uuidd Unknown system ``` To show information about a specific user account, run the run the NVUE `nv show system aaa user ` command: ``` -cumulus@switch:~$ nv show system aaa user admin2 - operational applied ---------------- ------------ ------------ -full-name FIRST LAST FIRST LAST -hashed-password * * -role system-admin system-admin 
-enable on on +cumulus@switch:~$ nv show system aaa user cumulus + operational applied +------------------ ----------- ------- +role Unknown +full-name cumulus,,, +hashed-password * +ssh + [authorized-key] +enable on ``` ## Enable the root User diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index e23d1c22f6..e42c3ceeb5 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -33,7 +33,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} - - {{}} with more granularity + - {{}} - Commands to {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. From 86bb2b42dcc5a46733badaf71010ca327e8928a7 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 12:03:37 -0800 Subject: [PATCH 042/204] updates to user accounts and role based accounts --- .../Role-Based-Access-Control.md | 6 +++++- .../User-Accounts.md | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index be5b7d7ce8..27b78c4072 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -11,7 +11,7 @@ Custom role-based access control consists of the following elements: | Element | Description | | ------- | ----------- | | Role | A virtual identifier for multiple classes (groups). You can assign only one role for a user. For example, for a user that can manage interfaces, you can create a role called `IFMgr`. | -| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions.
A class consists of:
- Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path <>`).
- Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.| +| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions.

A class consists of:
  • Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path <>`).
  • Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.
| | Action | The action for the class; `allow` or `deny`. | {{%notice note%}} @@ -28,6 +28,10 @@ To assign custom role to a user account: - Add command paths and permissions for each class. - Assign the action (`allow` or `deny`) for each class. +{{%notice note%}} +You assign a custom role to an existing user account. For information about creating user accounts, see {{}} commands. +{{%/notice%}} + The following example assigns user1 the role of `switch-admin`. user1 can manage the entire switch except for authentication, authorization, and accounting settings (`system aaa`). ``` diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index b66c98c9e7..a837758e06 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md @@ -99,6 +99,8 @@ Only the following user accounts can create, modify, and delete other `system-ad - Non NVUE-managed users that are in the `sudo` group. {{%/notice%}} +You can also create custom roles and assign a custom role to a user. See {{}}. + ### Hashed Passwords Instead of a plain text password, you can provide a hashed password for a local user. From 7d1946c67c59c533f5460319eef9a2d94c8fc6f7 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 12:19:07 -0800 Subject: [PATCH 043/204] updates --- .../Role-Based-Access-Control.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index 27b78c4072..926090d69e 100644 
--- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md @@ -11,13 +11,13 @@ Custom role-based access control consists of the following elements: | Element | Description | | ------- | ----------- | | Role | A virtual identifier for multiple classes (groups). You can assign only one role for a user. For example, for a user that can manage interfaces, you can create a role called `IFMgr`. | -| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions.

A class consists of:
  • Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path <>`).
  • Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.
| +| Class | A class is similar in concept to a Linux group. Creating and managing classes is the simplest way to configure multiple users simultaneously, especially when configuring permissions.

A class consists of:
  • Command paths, which are based on the objects in the NVUE declarative model and are the same as URI paths; for example; you can use the `/vrf/` command path to allow or deny a user access to all VRFs, or `/system/nat` to allow or deny a user access to NAT configuration. Use the tab key to see available command paths (`nv set system aaa class command-path / <>`).
  • Permissions for the command paths: (`ro`) to run show commands, (`rw`) to run set, unset, and apply commands, (`act`) to run action commands, or (`all`) to run all commands. The default permission setting is `all`.
| | Action | The action for the class; `allow` or `deny`. | {{%notice note%}} - You can assign a maximum of 64 classes to a role. - You can configure a maximum of 128 command paths. -- When you configure a command path, you are authorize a specific schema path and its children. +- When you configure a command path, you allow or deny a specific schema path and its children. For example the command path `/qos/` allows or denies access to all QoS commands, whereas the command path `/qos/egress-scheduler` allows or denies access to the QoS egress scheduler commands. {{%/notice%}} ## Assign a Custom Role to a User Account @@ -137,7 +137,7 @@ system-admin nvapply sudo ``` -To the classes applied to specific role: +To show the classes applied to specific role: ``` cumulus@switch:~$ nv show system aaa role IFMgr From 5a92d3c60250cc7956791b5b7f8fa85f168e9cfd Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 12:28:30 -0800 Subject: [PATCH 044/204] updates --- .../Role-Based-Access-Control.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index 926090d69e..601f0b191a 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -4,7 +4,7 @@ author: NVIDIA weight: 152 toc: 4 --- -In addition to the default roles that Cumulus Linux provides, you can create your own roles to restrict authorization, giving you more granular control over what a user can manage on the switch. For example, you can assign a user the role of Network Manager and provide the user privileges for interface management, service management and system management. When the user logs in and executes an NVUE command, NVUE checks the user privileges and authorizes the user to run that command. +In addition to the default roles that Cumulus Linux provides, you can create your own roles to restrict authorization, giving you more granular control over what a user can manage on the switch. For example, you can assign a user the role of network manager and provide the user privileges for interface management, service management and system management. When the user logs in and executes an NVUE command, NVUE checks the user privileges and authorizes the user to run that command. Custom role-based access control consists of the following elements: 
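Review bot: In the intro paragraph touched here, "NVUE checks the user privileges and authorizes the user to run that command" reads as if the check always ends in authorization. The table that follows gives every class an `allow` or `deny` action, so say that NVUE allows or denies the command according to the classes in the user's role.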
@@ -17,12 +17,12 @@ Custom role-based access control consists of the following elements: {{%notice note%}} - You can assign a maximum of 64 classes to a role. - You can configure a maximum of 128 command paths. -- When you configure a command path, you allow or deny a specific schema path and its children. For example the command path `/qos/` allows or denies access to all QoS commands, whereas the command path `/qos/egress-scheduler` allows or denies access to the QoS egress scheduler commands. +- When you configure a command path, you allow or deny a specific schema path and its children. For example the command path `/qos/` allows or denies access to QoS commands, whereas the command path `/qos/egress-scheduler` allows or denies access to QoS egress scheduler commands. {{%/notice%}} ## Assign a Custom Role to a User Account -To assign custom role to a user account: +To assign a custom role to a user account: - Assign a role to a user. - Create classes for the role. - Add command paths and permissions for each class. @@ -115,7 +115,7 @@ www-data www-data Unknown system To show information about a specific user account including the role assigned to the user, run the run the NVUE `nv show system aaa user ` command: ``` -cumulus@switch:~$ nv show system aaa user admin2 +cumulus@switch:~$ nv show system aaa user user2 operational applied --------- ----------- ------- role IFMgr IFMgr From 9eea8fb8ce5d80f8c3d4c2ada70f761d16c27b83 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 12:56:55 -0800 Subject: [PATCH 045/204] updates --- .../Role-Based-Access-Control.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index 601f0b191a..eefa7bf5cd 100644 
--- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md @@ -67,6 +67,23 @@ cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/ro cumulus@switch:~$ nv config apply ``` +## Delete Custom Roles + +To delete a custom role and all its classes, you must first unassign the role from the user, then delete the role: + +``` +cumulus@switch:~$ nv unset system aaa user user1 role OSPF +cumulus@switch:~$ nv unset system aaa role OSPF +cumulus@switch:~$ nv config apply +``` + +To delete a class from a role, run the `nv unset system aaa role class ` command: + +``` +cumulus@switch:~$ nv unset system aaa role OSPF class OSPF-DENY +cumulus@switch:~$ nv config apply +``` + ## Show Custom Role Information To show the user accounts configured on the system, run the NVUE `nv show system aaa user` command or the linux `sudo cat /etc/passwd` command. From ba9a2d589a31dd978a3ca63091220c5a24f597f1 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 14:27:01 -0800 Subject: [PATCH 046/204] asdd link for default roles --- .../Role-Based-Access-Control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index eefa7bf5cd..e885bb2e78 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -4,7 +4,7 @@ author: NVIDIA weight: 152 toc: 4 --- -In addition to the default roles that Cumulus Linux provides, you can create your own roles to restrict authorization, giving you more granular control over what a user can manage on the switch. For example, you can assign a user the role of network manager and provide the user privileges for interface management, service management and system management. When the user logs in and executes an NVUE command, NVUE checks the user privileges and authorizes the user to run that command. +In addition to the {{}} that Cumulus Linux provides, you can create your own roles to restrict authorization, giving you more granular control over what a user can manage on the switch. For example, you can assign a user the role of network manager and provide the user privileges for interface management, service management and system management. When the user logs in and executes an NVUE command, NVUE checks the user privileges and authorizes the user to run that command. Custom role-based access control consists of the following elements: From 615195ad9ca10015c3e25ad9e70b8dcc28c834be Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 20 Nov 2023 16:15:07 -0800 Subject: [PATCH 047/204] updates to mac address translation --- .../802.1X-Interfaces.md | 19 ++++++++++++++++++- content/cumulus-linux-57/Whats-New/_index.md | 2 -- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index a696144998..e9b2c36a9c 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md 
@@ -50,12 +50,13 @@ All the 802.1X interfaces share the same RADIUS server settings. Make sure you c You must configure 802.1X on a bridged port. To configure a bridge, refer to {{}}. To configure an 802.1X interface: -- **Required**: Provide the 802.1X RADIUS server IPv4 or IPv6 address. You can also specify a VRF for outgoing RADIUS accounting and authorization packets. A VRF is optional. +- **Required**: Provide the 802.1X RADIUS server IPv4 or IPv6 address. If you want to specify more than one server, provide the priority for each server (a value between 1 and 3). If you specify just one server, Cumulus Linux sets the priority to 1. You can also specify a VRF for outgoing RADIUS accounting and authorization packets. A VRF is optional. - **Required**: Provide the 802.1X RADIUS shared secret. - **Required**: Enable 802.1X on an interface. - Optional: Change the default 802.1X RADIUS accounting port. You can specify a port value between 1000 and 65535. The default port is 1813. - Optional: Change the default 802.1X RADIUS authentication port. You can specify a port value between 1000 and 65535. The default port is 1812. - Optional: Provide the reauthentication period for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. +- Optional: Set a fixed IP address for the RADIUS client to receive requests. {{%notice note%}} Changing the 802.1X interface settings does *not* reset existing authorized user ports. However, removing all 802.1X interfaces or changing the RADIUS server IP address, shared secret, authentication port, accounting port, or EAP reauthentication period restarts `hostapd`, which forces existing, authorized users to re-authenticate. 
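Review bot: The notice in the trailing context of this hunk still lists only the RADIUS server IP address, shared secret, authentication port, accounting port and EAP reauthentication period as changes that restart `hostapd`. It should say whether changing the new fixed client IP address or a server priority also restarts `hostapd` and forces authorized users to re-authenticate. The first Required bullet also introduces a per-server priority (a value between 1 and 3) without naming the command that sets it, and none of the examples in this patch configure a second server, so add the command or a two-server example.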
@@ -81,6 +82,7 @@ The following example: - Sets the 802.1X RADIUS shared secret to mysecret. - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. +- Sets the fixed IP address for the RADIUS client to receive requests to 10.10.10.6. - Sets the EAP reauthentication period to 40. - Enables 802.1X on swp1, swp2, and swp3. @@ -89,6 +91,7 @@ cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 vrf BLUE cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 shared-secret mysecret cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 authentication-port 2812 cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 accounting-port 2813 +cumulus@switch:~$ nv set system dot1x radius client-src-ip 10.10.10.6 cumulus@switch:~$ nv set system dot1x reauthentication-interval 40 cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled cumulus@switch:~$ nv config apply @@ -132,6 +135,7 @@ The following example: - Sets the 802.1X RADIUS shared secret to mysecret. - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. +- Sets the fixed IP address for the RADIUS client to receive requests to 10.10.10.6. - Sets the EAP re-authentication period to 40. - Enables 802.1X on swp1 through swp3. @@ -148,6 +152,7 @@ auth_server_shared_secret=mysecret acct_server_addr=127.0.0.1%BLUE acct_server_port=2813 acct_server_shared_secret=mysecret +radius_client_addr=10.10.10.6 ... ``` 
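Review bot: The bullet added to both example lists, "Sets the fixed IP address for the RADIUS client to receive requests to 10.10.10.6", is hard to parse and does not match the names used in the added lines, `client-src-ip` in the NVUE command and `radius_client_addr` in the configuration file, which read as the address the switch itself uses as the RADIUS client. Reword it to state plainly whose address this is and in which direction it applies, and use the same wording in the Optional bullet of the configuration list. The two lists also differ in the surrounding context ("EAP reauthentication period" in the NVUE list, "EAP re-authentication period" in the Linux list); pick one spelling.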
@@ -1038,6 +1043,18 @@ Apr 19 22:17:12 switch hostapd[12462]: Installing acl policy Apr 19 22:17:12 switch hostapd[12462]: done. ``` +To show the authenticated sessions for an interface, run the `nv show interface dot1x authenticated-sessions` command: + +``` +cumulus@switch:~$ nv show interface swp1 dot1x authenticated-sessions +``` + +To show the authenticated sessions for a specific MAC address, run the `nv show interface dot1x authenticated-sessions ` command: + +``` +cumulus@switch:~$ nv show interface swp1 dot1x authenticated-sessions 00:00:00:00:99:44 +``` + You can perform more advanced troubleshooting with the following commands. To increase the debug level in `hostapd`, copy over the `hostapd` service file, then add *-d*, *-dd* or *-ddd* to the `ExecStart` line in the `hostapd.service` file: diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index e42c3ceeb5..be9f428270 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -21,7 +21,6 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} -- {{}} to optimize and share resources, and avoid resource exhaustion - {{}} forwarding profile - PTP PPS In or Out Support - NVUE enhancements include: @@ -36,7 +35,6 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - Commands to {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. - - Show commands to see the {{}} and {{}} - Show commands to show the IP neighbor table - Enhanced {{}} command output now in table format From a4207e3492ef91b1b3fe359127c7313018b28360 Mon Sep 17 00:00:00 2001 
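Review bot: The two `authenticated-sessions` show commands added in the troubleshooting hunk are documented without any sample output, so a reader cannot tell which fields identify an authenticated session or how to read them; add a captured example for each. The two `Whats-New/_index.md` hunks delete a feature bullet ("to optimize and share resources, and avoid resource exhaustion") and the "Show commands to see the ..." bullet, but the commit message ("updates to mac address translation") does not say why. State whether those items were dropped from 5.7.0 or moved, and check that no other page still links to them.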
From: cumulusAnia Date: Tue, 21 Nov 2023 10:52:22 -0800 Subject: [PATCH 048/204] updates to maintenance mode --- .../In-Service-System-Upgrade-ISSU.md | 69 ++++++++++++++++--- 1 file changed, 60 insertions(+), 9 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md b/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md index 8c076ff2c6..52a3a3482b 100644 --- a/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md +++ b/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md @@ -199,7 +199,14 @@ Run the following command to enable maintenance mode. When maintenance mode is o {{< tab "NVUE Command ">}} ``` -cumulus@switch:~$ nv action change system maintenance mode enabled +cumulus@switch:~$ nv action enable system maintenance mode +System maintenance mode has been enabled successfully + Current System Mode: Maintenance, cold + Maintenance mode since Sat Nov 18 07:09:25 2023 (Duration: 00:00:00) + frr : Maintenance, cold, down, up time: 12:55:51 (1 restart) + switchd : Maintenance, cold, down, up time: 13:10:16 + System Services : Maintenance, cold, down, up time: 13:10:35 +Action succeeded ``` {{< /tab >}} 
@@ -217,15 +224,44 @@ You can run additional commands to bring all the ports down, then up to restore {{< tabs "176 ">}} {{< tab "NVUE Command ">}} +To bring all the ports down: + ``` -cumulus@switch:~$ nv action change system maintenance ports enabled +cumulus@switch:~$ nv action enable system maintenance ports +System maintenance ports has been enabled successfully + Current System Mode: Maintenance, cold + Maintenance mode since Sat Nov 18 07:09:25 2023 (Duration: 00:00:56) + frr : Maintenance, cold, down, up time: 12:56:47 (1 restart) + switchd : Maintenance, cold, down, up time: 13:11:12 + System Services : Maintenance, cold, down, up time: 13:11:31 +Action succeeded +``` + +To restore the port admin state: + +``` +cumulus@switch:~$ nv action disable system maintenance ports +System maintenance ports has been disabled successfully + Current System Mode: cold + Ports shutdown for Maintenance + frr : cold, up, up time: 13:00:57 (1 restart) + switchd : cold, up, up time: 13:15:22 + System Services : cold, up, up time: 13:15:41 +Action succeeded ``` {{< /tab >}} {{< tab "csmgrctl Commands ">}} +To bring all the ports down: + ``` cumulus@switch:~$ sudo csmgrctl -p0 +``` + +To restore the port admin state: + +``` cumulus@switch:~$ sudo csmgrctl -p1 ``` @@ -244,7 +280,13 @@ Run the following command to disable maintenance mode and restore normal operati {{< tab "NVUE Command ">}} ``` -cumulus@switch:~$ nv action change system maintenance mode disabled +cumulus@switch:~$ nv action disable system maintenance mode +System maintenance mode has been disabled successfully + Current System Mode: cold + frr : cold, up, up time: 12:57:48 (1 restart) + switchd : cold, up, up time: 13:12:13 + System Services : cold, up, up time: 13:12:32 +Action succeeded ``` {{< /tab >}} 
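Review bot: In the NVUE tab, the sample output under "To restore the port admin state" contains the line `Ports shutdown for Maintenance`, while the output under "To bring all the ports down" does not, which reads as if the captures were swapped or taken at the wrong point. The uptimes point the same way: the `nv action disable system maintenance ports` sample shows frr at 13:00:57 with mode `cold`, later than the 12:57:48 shown in the `nv action disable system maintenance mode` sample in the following hunk, so it was captured after maintenance mode was already off. Recapture the four outputs in the order the page presents the commands.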
@@ -259,13 +301,22 @@ cumulus@switch:~$ sudo csmgrctl -m0 ### Show Maintenance Mode Status -To see the status of maintenance mode, run the Linux `sudo csmgrctl -s` command. For example: +To see the status of maintenance mode, run the NVUE `nv show system maintenance` command or the Linux `sudo csmgrctl -s` command. For example: + +``` +cumulus@switch:~$ nv show system maintenance + operational +----- ----------- +mode enabled +ports disabled +``` ``` cumulus@switch:~$ sudo csmgrctl -s -Current System Mode: Maintenance since Tue Jan 5 00:13:37 2021 (Duration: 00:00:31) - Boot Mode: reboot_cold - 2 registered modules - frr : Maintenance, down - switchd : Maintenance, down +Current System Mode: Maintenance, cold + Maintenance mode since Sat Nov 18 07:24:11 2023 (Duration: 00:00:38) + Ports shutdown for Maintenance + frr : Maintenance, cold, down, up time: 13:11:15 (1 restart) + switchd : Maintenance, cold, down, up time: 13:25:40 + System Services : Maintenance, cold, down, up time: 13:25:59 ``` From dcecb30c6c2c25ae1fea145f51c662fdc244e1b5 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 21 Nov 2023 15:50:07 -0800 Subject: [PATCH 049/204] updates --- .../Role-Based-Access-Control.md | 2 +- content/cumulus-linux-57/Whats-New/_index.md | 23 ++++++++++++++++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index e885bb2e78..eea5b4c315 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -63,7 +63,7 @@ The following example assigns user3 the role of `OSPF`. user3 does **not** have cumulus@switch:~$ nv set system aaa user user3 role OSPF cumulus@switch:~$ nv set system aaa role OSPF class OSPF-DENY cumulus@switch:~$ nv set system aaa class OSPF-DENY action deny -cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/router/ospf/ permission all +cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/router/ospf/ permission all cumulus@switch:~$ nv config apply ``` diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index be9f428270..b53bbba62a 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md 
@@ -40,20 +40,37 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Enhanced {{}} command output now in table format - Improvements to {{}} -{{< expand "Changed NVUE Commands" >}} +{{< expand "Commands that now need a reload instead of a restart" >}} +``` +nv set system acl mode non-atomic +nv set system acl mode atomic +nv set system forwarding host-route-preference route +nv set system forwarding host-route-preference neighbor +nv set system forwarding host-route-preference route-and-neighbour +nv set evpn multihoming enable +nv set nve vxlan encapsulation dscp action +nv set nve vxlan encapsulation dscp value +nv set nve vxlan decapsulation dscp action +nv set interface router adaptive-routing link-utilization-threshold +nv set system forwarding profile +nv set router bgp wait-for-install +nv set router adaptive-routing enable +nv set interface router adaptive-routing enable +``` +{{< /expand >}} +{{< expand "Changed Commands" >}} | Previous Command | New Command | | ------------ | ------------- | | `nv set router pim timers keep-alive`| `nv set router pim timers keepalive` | | `nv set router pim timers rp-keep-alive`| `nv set router pim timers rp-keepalive` | | `nv set vrf default router pim timers keep-alive`| `nv set vrf default router pim timers keepalive` | | `nv set vrf default router pim timers rp-keep-alive`| `nv set vrf default router pim timers rp-keepalive` | - {{< /expand >}} {{< expand "New NVUE Commands" >}} -For descriptions and examples of all NVUE commands, refer to the [NVUE Command Reference]({{}}) for Cumulus Linux. +For descriptions and examples of all NVUE commands, refer to the [NVUE Command Reference]({{}}) for Cumulus Linux. {{< tabs "TabID40 ">}} {{< tab "nv show ">}} From f315dc4b3d0abd80ac7e69fb385990426cd8e7bb Mon Sep 17 00:00:00 2001 
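Review bot: In the new reload list, `nv set system forwarding host-route-preference neighbor` and `nv set system forwarding host-route-preference route-and-neighbour` spell the same word two ways; confirm the second against the CLI, since readers will paste these lines. The title "Commands that now need a reload instead of a restart" does not say what is reloaded or restarted, so name the service. The second expand was renamed from "Changed NVUE Commands" to "Changed Commands" while the one after it is still "New NVUE Commands"; keep one naming pattern.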
From: cumulusAnia Date: Tue, 21 Nov 2023 17:37:50 -0800 Subject: [PATCH 050/204] add PTP PPS in and out --- .../Precision Time Protocol-PTP.md | 112 +++++++++++++++++- 1 file changed, 111 insertions(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 35976e38f7..8d628a5da8 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -526,6 +526,116 @@ cumulus@switch:~$ sudo systemctl restart ptp4l.service {{< /tab >}} {{< /tabs >}} +## PPS Synchronization + +[PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a high precision signal each second, which can synchronize the clock of a system. The switch can receive PPS from an accurate PPS source as a slave to use for frequency synchronization of its clock and can also generate PPS as a master to other devices. + +Cumulus Linux supports two PPS modes: +- PPS Out is a signal that is generated every time the [PHC](## "Physical Hardware Clock") reaches 1-rounded second. This signal can provide synchronization to other PHC devices and to check if the clock is synchronized by comparing this signal with other outputs in the network. +- PPS In is a signal that is pushed to the switch from an external device. This allows the PHC to be synchronized to an external source capable of providing a PPS signal. + +## Enable PPS Synchronization + +To enable PPS In and PPS Out: + +{{< tabs "TabID541 ">}} +{{< tab "NVUE Commands ">}} + +To enable PPS out: + +``` +cumulus@switch:~$ nv set platform pulse-per-second out state enabled +cumulus@switch:~$ nv config apply +``` + +To enable PPS In: + +``` +cumulus@switch:~$ nv set platform pulse-per-second in state enabled +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< tab "Linux Commands ">}} + +Edit the `` file to , then restart the PTP service. + +``` +``` + +``` +cumulus@switch:~$ sudo systemctl restart ptp4l.service +``` + +{{< /tab >}} +{{< /tabs >}} + +## PPS Synchronization Settings + +You can configure these PPS In settings: + +| PPS In Setting | Description | +| ------- | ----------- | +| `channel-index` | Enables and disables channel index. 1 enables channel index. 0 disables channel index. The default value is 0.| +| `logging-level` | Sets the logging level for PPS In. 
You can specify `emergency`, `alert`, `critical`, `error`, `warning`, `notice`, `info`,or `debug`. The default logging level is `info`.| +| `pin-index` | Enables and disables pin index. 1 enables pin index. 0 disables pin index. The default value is 0.| +| `signal-polarity` | Sets the polarity of the PPS IN signal. You can specify `rising-edge`, `falling-edge`, or `both`. Teh default setting is `rising-edge`.| +| `signal-width` | Sets the pulse width of the PPS IN signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| +| `timestamp-correction` | Sets the value, in nanoseconds, to add to each PPS time stamp. You can set a value between -1000000000 and 1000000000. The default value is 0. | + +You can configure these PPS Out options: + +| PPS Out Setting | Description | +| ------- | ----------- | +| `channel-index`| Enables and disables channel index. 1 enables channel index. 0 disables channel index. The default value is 0.| +| `frequency-adjustment` | Sets the frequency adjustment of the PPS Out signal. You can set a value between 1000000000 and 2147483647. The default value is 1000000000.| +| `phase-adjustment` | Sets the phase adjustment of the PPS Out signal. You can set a value between 0 and 1000000000. The default value is 0.| +| `pin-index` | Enables and disables pin index. 1 enables pin index. 0 disables pin index. The default value is 0.| +| `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| + +{{< tabs "TabID592 ">}} +{{< tab "NVUE Commands ">}} + +The following example configures PPS In and sets: +- The channel index to 1 +- The pin index to 1 +- The signal width to 999000000. +- The number of nanoseconds to add to each PPS time stamp to 1000000000. +- The logging level to `warning`. +- The polarity of the PPS IN signal to `falling-edge`. 
+ +``` +cumulus@switch:~$ nv set platform pulse-per-second in channel-index 1 +cumulus@switch:~$ nv set platform pulse-per-second in pin-index 1 +cumulus@switch:~$ nv set platform pulse-per-second in signal-width 999000000 +cumulus@switch:~$ nv set platform pulse-per-second in timestamp-correction 1000000000 +cumulus@switch:~$ nv set platform pulse-per-second in logging-level warning +cumulus@switch:~$ nv set platform pulse-per-second in signal-polarity falling-edge +cumulus@switch:~$ nv config apply +``` + +The following example configures PPS Out and sets: +- The channel index to 1. +- The pin index to 1. +- The signal width to 999000000. +- The phase adjustment of the PPS Out signal to 1000000000. +- The frequency-adjustment of the PPS Out signal to 2147483647. + +``` +cumulus@switch:~$ nv set platform pulse-per-second out channel-index 1 +cumulus@switch:~$ nv set platform pulse-per-second out pin-index 1 +cumulus@switch:~$ nv set platform pulse-per-second out signal-width 999000000 +cumulus@switch:~$ nv set platform pulse-per-second out phase-adjustment 1000000000 +cumulus@switch:~$ nv set platform pulse-per-second out frequency-adjustment 2147483647 +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< tab "Linux Commands ">}} + +{{< /tab >}} +{{< /tabs >}} + ## PTP Interface Configuration Cumulus Linux provides several ways to modify the default basic interface configuration. You can: @@ -539,7 +649,7 @@ When a profile is in use, avoid configuring the following interface configuratio By default, Cumulus Linux encapsulates PTP messages in UDP IPV4 frames. To encapsulate PTP messages on an interface in UDP IPV6 frames: -{{< tabs "TabID274 ">}} +{{< tabs "TabID557 ">}} {{< tab "NVUE Commands ">}} ``` From a106333d84dc779cf620d7e8c04852d09aeaaf13 Mon Sep 17 00:00:00 2001 
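Review bot: Both Linux Commands tabs in the new PPS sections are unfinished: under Enable PPS Synchronization the sentence reads "Edit the `` file to , then restart the PTP service." above an empty code fence, and under PPS Synchronization Settings the tab has no content at all. Fill in the file name and settings, or drop the tabs until the content exists. In the settings tables, fix "Teh default setting" and the missing space in "`info`,or", and use one spelling for the signal names, since the hunk mixes "PPS In", "PPS IN", "PPS out" and "PPS OUT". The `channel-index` and `pin-index` rows describe an index as an on/off switch ("1 enables channel index. 0 disables channel index."), which needs confirming against the CLI. The two example lists are also punctuated inconsistently (the first two PPS In bullets have no period).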
From: cumulusAnia Date: Tue, 21 Nov 2023 17:40:44 -0800 Subject: [PATCH 051/204] updates to PPS in and out --- .../Precision Time Protocol-PTP.md | 92 +++++++++---------- 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 8d628a5da8..6f7323ea6d 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -483,50 +483,7 @@ cumulus@switch:~$ sudo systemctl restart ptp4l.service {{< /tab >}} {{< /tabs >}} -## Optional Global Configuration - -Optional global PTP configuration includes configuring the DiffServ code point (DSCP). You can configure the DSCP value for all PTP IPv4 packets originated locally. You can set a value between 0 and 63. - -{{< tabs "TabID320 ">}} -{{< tab "NVUE Commands ">}} - -``` -cumulus@switch:~$ nv set service ptp 1 ip-dscp 22 -cumulus@switch:~$ nv config apply -``` - -{{< /tab >}} -{{< tab "Linux Commands ">}} - -Edit the `Default Data Set` section of the `/etc/ptp4l.conf` file to change the `dscp_event` setting for PTP messages that trigger a timestamp read from the clock and the `dscp_general` setting for PTP messages that carry commands, responses, information, or timestamps. - -After you save the `/etc/ptp4l.conf` file, restart the `ptp4l` service. - -``` -cumulus@switch:~$ sudo nano /etc/ptp4l.conf -[global] -# -# Default Data Set -# -slaveOnly 0 -priority1 200 -priority2 200 -domainNumber 3 - -twoStepFlag 1 -dscp_event 22 -dscp_general 22 -... -``` - -``` -cumulus@switch:~$ sudo systemctl restart ptp4l.service -``` - -{{< /tab >}} -{{< /tabs >}} - -## PPS Synchronization +### PPS Synchronization [PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a high precision signal each second, which can synchronize the clock of a system. The switch can receive PPS from an accurate PPS source as a slave to use for frequency synchronization of its clock and can also generate PPS as a master to other devices. 
@@ -534,7 +491,7 @@ Cumulus Linux supports two PPS modes: - PPS Out is a signal that is generated every time the [PHC](## "Physical Hardware Clock") reaches 1-rounded second. This signal can provide synchronization to other PHC devices and to check if the clock is synchronized by comparing this signal with other outputs in the network. - PPS In is a signal that is pushed to the switch from an external device. This allows the PHC to be synchronized to an external source capable of providing a PPS signal. -## Enable PPS Synchronization +#### Enable PPS Synchronization To enable PPS In and PPS Out: @@ -570,7 +527,7 @@ cumulus@switch:~$ sudo systemctl restart ptp4l.service {{< /tab >}} {{< /tabs >}} -## PPS Synchronization Settings +#### PPS Synchronization Settings You can configure these PPS In settings: 
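Review bot: The PPS Out bullet carried as context in the first hunk here expands PHC in its tooltip as "Physical Hardware Clock"; in Linux PTP tooling PHC is the PTP hardware clock, so correct the tooltip while the section is being moved. The same bullet needs a rewrite: "reaches 1-rounded second" is unclear, and "This signal can provide synchronization to other PHC devices and to check if the clock is synchronized" is not grammatical.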
@@ -636,6 +593,49 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< /tabs >}} +## Optional Global Configuration + +Optional global PTP configuration includes configuring the DiffServ code point (DSCP). You can configure the DSCP value for all PTP IPv4 packets originated locally. You can set a value between 0 and 63. + +{{< tabs "TabID320 ">}} +{{< tab "NVUE Commands ">}} + +``` +cumulus@switch:~$ nv set service ptp 1 ip-dscp 22 +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< tab "Linux Commands ">}} + +Edit the `Default Data Set` section of the `/etc/ptp4l.conf` file to change the `dscp_event` setting for PTP messages that trigger a timestamp read from the clock and the `dscp_general` setting for PTP messages that carry commands, responses, information, or timestamps. + +After you save the `/etc/ptp4l.conf` file, restart the `ptp4l` service. + +``` +cumulus@switch:~$ sudo nano /etc/ptp4l.conf +[global] +# +# Default Data Set +# +slaveOnly 0 +priority1 200 +priority2 200 +domainNumber 3 + +twoStepFlag 1 +dscp_event 22 +dscp_general 22 +... +``` + +``` +cumulus@switch:~$ sudo systemctl restart ptp4l.service +``` + +{{< /tab >}} +{{< /tabs >}} + ## PTP Interface Configuration Cumulus Linux provides several ways to modify the default basic interface configuration. You can: From a2a58ed2c41e3f8106c6c8195d90bff0cc794cfc Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 21 Nov 2023 17:44:27 -0800 Subject: [PATCH 052/204] updates to pps in and out --- .../Date-and-Time/Precision Time Protocol-PTP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 6f7323ea6d..6f6702292d 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
+++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -485,7 +485,7 @@ cumulus@switch:~$ sudo systemctl restart ptp4l.service ### PPS Synchronization -[PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a high precision signal each second, which can synchronize the clock of a system. The switch can receive PPS from an accurate PPS source as a slave to use for frequency synchronization of its clock and can also generate PPS as a master to other devices. +[PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a high precision signal each second, which can synchronize a system clock. The switch can receive PPS from an accurate PPS source as a slave to use for frequency synchronization of its clock and can also generate PPS as a master to other devices. Cumulus Linux supports two PPS modes: - PPS Out is a signal that is generated every time the [PHC](## "Physical Hardware Clock") reaches 1-rounded second. This signal can provide synchronization to other PHC devices and to check if the clock is synchronized by comparing this signal with other outputs in the network. From 490f203c8f664fd2aa7880d91aa1d50ee2f98068 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 21 Nov 2023 17:46:51 -0800 Subject: [PATCH 053/204] add link for PTP PPS --- content/cumulus-linux-57/Whats-New/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index b53bbba62a..a1ced3a1fb 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -22,7 +22,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} forwarding profile -- PTP PPS In or Out Support +- {{}} - NVUE enhancements include: - {{}} - {{}} 
From 94f25f9cacd9f5ee4688c77cdb85dc7954e36e77 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 10:29:00 -0800 Subject: [PATCH 054/204] updates --- .../Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md b/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md index 478d685982..553c13a2d2 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md @@ -510,7 +510,7 @@ The benefits of using adaptive routing include: With adaptive routing, the switch forwards packets to the less loaded path on a per packet basis to best utilize the fabric resources and avoid congestion. The change decision for port selection is set to one microsecond; you cannot change it. Cumulus Linux supports adaptive routing with: -- Switches with the Spectrum-4 ASIC. +- Switches with the Spectrum-4 ASIC at 400G and 200G speeds. - {{}} unicast traffic. - VXLAN-encapsulated RoCE traffic. - Layer 3 interfaces. From 9c5ac708b13f0f7a75545bf9e4b4b47cca4ef0af Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 10:33:56 -0800 Subject: [PATCH 055/204] update kernel version --- content/cumulus-linux-43/Whats-New/foss.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/cumulus-linux-43/Whats-New/foss.md b/content/cumulus-linux-43/Whats-New/foss.md index f875cc6f0c..69155b7888 100644 --- a/content/cumulus-linux-43/Whats-New/foss.md +++ b/content/cumulus-linux-43/Whats-New/foss.md 
@@ -1640,8 +1640,8 @@ pdfhidden: True | {{}} | 1.0-cl4.3.2u9 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ) | | {{}} | 1.0-cl4.3.2u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | | {{}} | 1.0-cl4.3.2u5 | Cumulus Networks Proprietary(* ); GPL-2(debian/* ); The MIT License(include/kvec.h); CC0-1.0(lib/ccan/* ) | -| {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | NO OR UNKNOWN LICENSE FOUND IN COPYRIGHT FILE | -| {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | +| {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | NO OR UNKNOWN LICENSE FOUND IN COPYRIGHT FILE | +| {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | NO OR UNKNOWN LICENSE FOUND IN COPYRIGHT FILE | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | | {{}} | 1.mlnx.4.4.2224-cl4.3.1u12 | Mellanox Proprietary(* ) | From 1497de9a23e757ec772377c898957c95236a4b18 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 11:22:43 -0800 Subject: [PATCH 056/204] update date and time --- .../Date-and-Time/Setting-Date-and-Time.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md index 1e1b39e28d..3a4845f631 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md 
@@ -18,16 +18,16 @@ To show the current time zone, date, and time on the switch: ``` cumulus@switch:~$ nv show system date-time - operational -------------------------- --------------------------- -local-time Wed 2023-05-10 08:01:21 UTC -universal-time Wed 2023-05-10 08:01:21 UTC -rtc-time Wed 2023-05-10 08:02:13 -time-zone Etc/UTC (UTC, +0000) -system-clock-synchronized no -ntp-service inactive -rtc-in-local-tz no -unix-time 1683705681.5062315 + operational +------------------------- ----------------------------- +local-time Wed 2023-11-22 11:22:54 EST +universal-time Wed 2023-11-22 16:22:54 UTC +rtc-time Wed 2023-11-22 16:22:54 +time-zone America/New_York (EST, -0500) +system-clock-synchronized no +ntp-service inactive +rtc-in-local-tz no +unix-time 1700670174.4371066 ``` {{< /tab >}} From 91b87008905eccaf2c5869c9754e3ec2c8f5c51d Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 11:36:28 -0800 Subject: [PATCH 057/204] 3605181 -IGMPv3 note --- .../Layer-3/Protocol-Independent-Multicast-PIM.md | 4 ++++ .../Layer-3/Protocol-Independent-Multicast-PIM.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md index 9e0cbb79d1..8fd8ca6ecf 100644 --- a/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md @@ -17,6 +17,10 @@ PIM-SM has three configuration options: Cumulus Linux supports ASM and SSM only. +{{%notice note%}} +IGMPv3 works only with SSM multicast group ranges. +{{%/notice%}} + For additional information on PIM-SM, refer to {{}}. For a brief description of how PIM works, refer to [PIM Overview]({{}}). ## Example PIM Topology 
diff --git a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md index e32c99a83c..80f6beaec6 100644 --- a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md @@ -17,6 +17,10 @@ PIM-SM has three configuration options: Cumulus Linux supports ASM and SSM only. +{{%notice note%}} +IGMPv3 works only with SSM multicast group ranges. +{{%/notice%}} + For additional information on PIM-SM, refer to {{}}. For a brief description of how PIM works, refer to [PIM Overview]({{}}). ## Example PIM Topology From d33f02ba74f82145204c6b7015e34cb38675884f Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 11:36:53 -0800 Subject: [PATCH 058/204] Revert "3605181 -IGMPv3 note" This reverts commit 91b87008905eccaf2c5869c9754e3ec2c8f5c51d. --- .../Layer-3/Protocol-Independent-Multicast-PIM.md | 4 ---- .../Layer-3/Protocol-Independent-Multicast-PIM.md | 4 ---- 2 files changed, 8 deletions(-) diff --git a/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md index 8fd8ca6ecf..9e0cbb79d1 100644 --- a/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md @@ -17,10 +17,6 @@ PIM-SM has three configuration options: Cumulus Linux supports ASM and SSM only. -{{%notice note%}} -IGMPv3 works only with SSM multicast group ranges. -{{%/notice%}} - For additional information on PIM-SM, refer to {{}}. For a brief description of how PIM works, refer to [PIM Overview]({{}}). ## Example PIM Topology diff --git a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md index 80f6beaec6..e32c99a83c 100644 
--- a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md @@ -17,10 +17,6 @@ PIM-SM has three configuration options: Cumulus Linux supports ASM and SSM only. -{{%notice note%}} -IGMPv3 works only with SSM multicast group ranges. -{{%/notice%}} - For additional information on PIM-SM, refer to {{}}. For a brief description of how PIM works, refer to [PIM Overview]({{}}). ## Example PIM Topology From 2f613b10b92ed63023023088c9989d4bf25c1b05 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 11:40:31 -0800 Subject: [PATCH 059/204] 3605181-IGMPv3 note --- .../Layer-3/Protocol-Independent-Multicast-PIM.md | 4 ++++ .../Layer-3/Protocol-Independent-Multicast-PIM.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md index 9e0cbb79d1..8fd8ca6ecf 100644 --- a/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-56/Layer-3/Protocol-Independent-Multicast-PIM.md @@ -17,6 +17,10 @@ PIM-SM has three configuration options: Cumulus Linux supports ASM and SSM only. +{{%notice note%}} +IGMPv3 works only with SSM multicast group ranges. +{{%/notice%}} + For additional information on PIM-SM, refer to {{}}. For a brief description of how PIM works, refer to [PIM Overview]({{}}). ## Example PIM Topology diff --git a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md index e32c99a83c..80f6beaec6 100644 --- a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md 
@@ -17,6 +17,10 @@ PIM-SM has three configuration options: Cumulus Linux supports ASM and SSM only. +{{%notice note%}} +IGMPv3 works only with SSM multicast group ranges. +{{%/notice%}} + For additional information on PIM-SM, refer to {{}}. For a brief description of how PIM works, refer to [PIM Overview]({{}}). ## Example PIM Topology From eb44677d8fcd2fc6263f9cfba40570145b948e96 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 11:55:35 -0800 Subject: [PATCH 060/204] changed commands --- content/cumulus-linux-57/Whats-New/_index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index a1ced3a1fb..ed1ebef81e 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -40,7 +40,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Enhanced {{}} command output now in table format - Improvements to {{}} -{{< expand "Commands that now need a reload instead of a restart" >}} +{{< expand "Commands that reload instead restart a service" >}} ``` nv set system acl mode non-atomic nv set system acl mode atomic @@ -66,6 +66,8 @@ nv set interface router adaptive-routing enable | `nv set router pim timers rp-keep-alive`| `nv set router pim timers rp-keepalive` | | `nv set vrf default router pim timers keep-alive`| `nv set vrf default router pim timers keepalive` | | `nv set vrf default router pim timers rp-keep-alive`| `nv set vrf default router pim timers rp-keepalive` | +| `nv set acl rule match ip dest-port ` | `nv set acl rule match ip dest-port `| +| `nv set acl rule match ip source-port `| `nv set acl rule match ip source-port ` | {{< /expand >}} {{< expand "New NVUE Commands" >}} From 2a4855e90e2e2161bfe5e6685bf42137bf40347e Mon Sep 17 00:00:00 2001 
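Review bot: In PATCH 060/204, the renamed expand title in `Whats-New/_index.md`, "Commands that reload instead restart a service", is missing a word and reads ambiguously. Wording such as "Commands that now reload a service instead of restarting it" states the change directly. The distinction matters to operators because, as the Configuring-switchd.md page in this series says, restarting `switchd` resets all network ports.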
From: cumulusAnia Date: Wed, 22 Nov 2023 12:00:34 -0800 Subject: [PATCH 061/204] add ecn and frag to ipv4 and remove frag from ipv6 --- content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md | 2 +- content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md index e55da5c645..d9187d4357 100644 --- a/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md @@ -526,7 +526,7 @@ INPUT FORWARD OUTPUT |Rule Element|Supported|Unsupported| |--- |--- |--- | -|**Matches**|Src/Dst, IP protocol
In/out interface
IPv4: icmp, ttl,
IPv6: icmp6, frag, hl,
IP common: tcp ({{}}), udp, multiport, DSCP, addrtype|Rules with input/output Ethernet interfaces do not apply
Inverse matches| +|**Matches**|Src/Dst, IP protocol
In/out interface
IPv4: ecn, icmp, frag, ttl,
IPv6: icmp6, hl,
IP common: tcp ({{}}), udp, multiport, DSCP, addrtype|Rules with input/output Ethernet interfaces do not apply
Inverse matches| |**Standard Targets**|ACCEPT, DROP|RETURN, QUEUE, STOP, Fall Thru, Jump| |**Extended Targets**|LOG (IPv4/IPv6); UID is not supported for LOG
TCP SEQ, TCP options or IP options
ULOG
SETQOS
DSCP
Unique to Cumulus Linux:
SPAN
ERSPAN (IPv4/IPv6)
POLICE
TRICOLORPOLICE
SETCLASS|| diff --git a/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md index 6dc5db901d..d65dc44c62 100644 --- a/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md @@ -526,7 +526,7 @@ INPUT FORWARD OUTPUT |Rule Element|Supported|Unsupported| |--- |--- |--- | -|**Matches**|Src/Dst, IP protocol
In/out interface
IPv4: icmp, ttl,
IPv6: icmp6, frag, hl,
IP common: tcp ({{}}), udp, multiport, DSCP, addrtype|Rules with input/output Ethernet interfaces do not apply
Inverse matches| +|**Matches**|Src/Dst, IP protocol
In/out interface
IPv4: ecn, icmp, frag, ttl,
IPv6: icmp6, hl,
IP common: tcp ({{}}), udp, multiport, DSCP, addrtype|Rules with input/output Ethernet interfaces do not apply
Inverse matches| |**Standard Targets**|ACCEPT, DROP|RETURN, QUEUE, STOP, Fall Thru, Jump| |**Extended Targets**|LOG (IPv4/IPv6); UID is not supported for LOG
TCP SEQ, TCP options or IP options
ULOG
SETQOS
DSCP
Unique to Cumulus Linux:
SPAN
ERSPAN (IPv4/IPv6)
POLICE
TRICOLORPOLICE
SETCLASS|| From e7563f31655dc0abbd495c9bd27e286726399fb7 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 14:36:52 -0800 Subject: [PATCH 062/204] typos --- .../Date-and-Time/Precision Time Protocol-PTP.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 6f6702292d..3240e142e6 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -536,7 +536,7 @@ You can configure these PPS In settings: | `channel-index` | Enables and disables channel index. 1 enables channel index. 0 disables channel index. The default value is 0.| | `logging-level` | Sets the logging level for PPS In. You can specify `emergency`, `alert`, `critical`, `error`, `warning`, `notice`, `info`,or `debug`. The default logging level is `info`.| | `pin-index` | Enables and disables pin index. 1 enables pin index. 0 disables pin index. The default value is 0.| -| `signal-polarity` | Sets the polarity of the PPS IN signal. You can specify `rising-edge`, `falling-edge`, or `both`. Teh default setting is `rising-edge`.| +| `signal-polarity` | Sets the polarity of the PPS IN signal. You can specify `rising-edge`, `falling-edge`, or `both`. The default setting is `rising-edge`.| | `signal-width` | Sets the pulse width of the PPS IN signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| | `timestamp-correction` | Sets the value, in nanoseconds, to add to each PPS time stamp. You can set a value between -1000000000 and 1000000000. The default value is 0. | 
@@ -547,7 +547,7 @@ You can configure these PPS Out options: | `channel-index`| Enables and disables channel index. 1 enables channel index. 0 disables channel index. The default value is 0.| | `frequency-adjustment` | Sets the frequency adjustment of the PPS Out signal. You can set a value between 1000000000 and 2147483647. The default value is 1000000000.| | `phase-adjustment` | Sets the phase adjustment of the PPS Out signal. You can set a value between 0 and 1000000000. The default value is 0.| -| `pin-index` | Enables and disables pin index. 1 enables pin index. 0 disables pin index. The default value is 0.| +| `pin-index` | Enables and disables pin index. 1 enables pin index. 0 disables pin index. The default value is 1.| | `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| {{< tabs "TabID592 ">}} From c54690d4d1bc09735d8265d5e8b78f93f9993c52 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 22 Nov 2023 15:42:58 -0800 Subject: [PATCH 063/204] updates to PPS --- .../Precision Time Protocol-PTP.md | 89 ++++++++++++++++--- 1 file changed, 78 insertions(+), 11 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 3240e142e6..58aa80c4f9 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
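Review bot: In PATCH 062/204 ("typos"), the `@@ -547,7 +547,7 @@` hunk changes the documented PPS Out `pin-index` default from 0 to 1, which is a content change rather than a typo fix, and the following patch (063/204) sets the same row back to 0. Confirm the actual default and make the change in a single commit whose subject says so, so the history does not show the default flipping between two values.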
@@ -515,15 +515,34 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -Edit the `` file to , then restart the PTP service. +To enable PPS In: -``` -``` +1. Edit the `/etc/linuxptp/ts2phc.conf` file to set the following parameters. + + ``` + ``` + +2. Enable and start the `ptp4l` and `phc2sys` services: + + ``` + cumulus@switch:~$ sudo systemctl enable ptp4l.service phc2sys.service + cumulus@switch:~$ sudo systemctl start ptp4l.service phc2sys.service + ``` + +To enable PPS Out: + +1.Edit the `/etc/linuxptp/pps_out.conf` file to set the following parameters. ``` -cumulus@switch:~$ sudo systemctl restart ptp4l.service ``` +2. Enable and start the `pps_out` service: + + ``` + cumulus@switch:~$ sudo systemctl enable pps_out.service + cumulus@switch:~$ sudo systemctl start pps_out.service + ``` + {{< /tab >}} {{< /tabs >}} 
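Review bot: In this hunk of PATCH 063/204 (`@@ -515,15 +515,34 @@`), the PPS In procedure edits `/etc/linuxptp/ts2phc.conf` but step 2 enables and starts `ptp4l.service` and `phc2sys.service`, while a later hunk in the same patch restarts PPS In with `sudo systemctl restart ts2phc.service`. The service named in step 2 should match the file being configured, or the text should explain why those two services are the ones to start. Both "set the following parameters" steps are followed by empty code blocks, so the reader is not told what to set, and `1.Edit` in the PPS Out list is missing the space after the number, which stops it from rendering as a list item.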
@@ -533,22 +552,22 @@ You can configure these PPS In settings: | PPS In Setting | Description | | ------- | ----------- | -| `channel-index` | Enables and disables channel index. 1 enables channel index. 0 disables channel index. The default value is 0.| +| `channel-index` | Sets the channel index. You can set a value of 1 or 0. The default value is 0.| | `logging-level` | Sets the logging level for PPS In. You can specify `emergency`, `alert`, `critical`, `error`, `warning`, `notice`, `info`,or `debug`. The default logging level is `info`.| -| `pin-index` | Enables and disables pin index. 1 enables pin index. 0 disables pin index. The default value is 0.| +| `pin-index` | Sets the pin index. You can set a value of 1 or 0. The default value is 0.| | `signal-polarity` | Sets the polarity of the PPS IN signal. You can specify `rising-edge`, `falling-edge`, or `both`. The default setting is `rising-edge`.| | `signal-width` | Sets the pulse width of the PPS IN signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| | `timestamp-correction` | Sets the value, in nanoseconds, to add to each PPS time stamp. You can set a value between -1000000000 and 1000000000. The default value is 0. | -You can configure these PPS Out options: +You can configure these PPS Out settings: | PPS Out Setting | Description | | ------- | ----------- | -| `channel-index`| Enables and disables channel index. 1 enables channel index. 0 disables channel index. The default value is 0.| +| `channel-index`| Sets the channel index. You can set a value of 1 or 0. The default value is 0.| | `frequency-adjustment` | Sets the frequency adjustment of the PPS Out signal. You can set a value between 1000000000 and 2147483647. The default value is 1000000000.| | `phase-adjustment` | Sets the phase adjustment of the PPS Out signal. You can set a value between 0 and 1000000000. The default value is 0.| -| `pin-index` | Enables and disables pin index. 1 enables pin index. 
0 disables pin index. The default value is 1.| -| `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| +| `pin-index` | Sets the pin index. You can set a value of 1 or 0. The default value is 0.| +| `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| {{< tabs "TabID592 ">}} {{< tab "NVUE Commands ">}} @@ -557,7 +576,7 @@ The following example configures PPS In and sets: - The channel index to 1 - The pin index to 1 - The signal width to 999000000. -- The number of nanoseconds to add to each PPS time stamp to 1000000000. +- The time stamp correction to 1000000000. - The logging level to `warning`. - The polarity of the PPS IN signal to `falling-edge`. 
@@ -590,6 +609,54 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} +To configure PPS In, edit the `/etc/linuxptp/ts2phc.conf` file, then restart the PPS In service with the `sudo systemctl restart ts2phc.service` command. + +The following example configures PPS In and sets: +- The channel index to 1 +- The pin index to 1 +- The signal width to 999000000. +- The time stamp correction to 1000000000. +- The logging level to `warning`. +- The polarity of the PPS IN signal to `falling-edge`. + +``` +# ts2phc is enabled +[global] +use_syslog 0 +verbose 1 +slave_event_monitor /var/run/ptp_sem.sock +logging_level 3 +ts2phc.pulsewidth 999000000 +ts2phc.tod_source ptp +domainNumber 0 +... +[/dev/ptp1] +ts2phc.pin_index 1 +ts2phc.channel 1 +ts2phc.extts_polarity falling +ts2phc.extts_correction 0 +``` + +To configure PPS Out, edit the `/etc/linuxptp/pps_out.conf.conf` file, then restart the PPS Out service with the `sudo systemctl restart pps_out.service` command. + +The following example configures PPS Out and sets: +- The channel index to 1. +- The pin index to 1. +- The signal width to 999000000. +- The phase adjustment of the PPS Out signal to 1000000000. +- The frequency-adjustment of the PPS Out signal to 2147483647. + +``` +# pps out is enabled +PTP_DEV=/dev/ptp1 +CACHE_FILE=/var/run/pps_out +OUT_PIN=1 +OUT_CHANNEL=1 +PULSE_FREQ= 2147483647 +PULSE_WIDTH= 999000000 +PULSE_PHASE= 1000000000 +``` + {{< /tab >}} {{< /tabs >}} From 3df70fb8e453c1bcc6748bf7867a176d2a3705bc Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Sun, 26 Nov 2023 15:58:02 -0500 Subject: [PATCH 064/204] custom certificate update --- .../Install-a-Custom-Signed-Certificate.md | 80 ++++++++++++------- 1 file changed, 50 insertions(+), 30 deletions(-) 
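Review bot: In PATCH 063/204, the Linux Commands example added by the `@@ -590,6 +609,54 @@` hunk does not match its own bullet list: the list says the time stamp correction is set to 1000000000, but the sample file has `ts2phc.extts_correction 0`. Please also check that `logging_level 3` is the value that corresponds to `warning`. The PPS Out paragraph names `/etc/linuxptp/pps_out.conf.conf`, where the earlier hunk uses `/etc/linuxptp/pps_out.conf`, and the `PULSE_FREQ=`, `PULSE_WIDTH=` and `PULSE_PHASE=` lines carry a space after `=` that `OUT_PIN=1` and `OUT_CHANNEL=1` in the same file do not; make the assignments consistent.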
diff --git a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md index 6d8aa94deb..c638531ad6 100644 --- a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md +++ b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md @@ -30,7 +30,7 @@ You need the following items to perform the certificate installation: 1. Log in to the NetQ VM via SSH and copy your certificate and key file there. -1. Generate a Kubernetes secret called `netq-gui-ingress-tls`: +2. Generate a Kubernetes secret called `netq-gui-ingress-tls`: ``` cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \ @@ -39,7 +39,7 @@ You need the following items to perform the certificate installation: --cert .crt ``` -1. Verify that you created the secret successfully: +3. Verify that you created the secret successfully: ``` cumulus@netq-ts:~$ kubectl get secret @@ -48,9 +48,9 @@ You need the following items to perform the certificate installation: netq-gui-ingress-tls kubernetes.io/tls 2 5s ``` -1. Update the ingress rule file to install self-signed certificates. +4. Update the ingress rule file to install self-signed certificates. - 1. Create a new file called `ingress.yaml`. + 1. Create a new file called `ingress.yaml` 2. Copy and add the following content to the file: @@ -90,7 +90,7 @@ You need the following items to perform the certificate installation: ``` 3. Replace `` with the FQDN of the NetQ VM.

-1. Apply the new rule: +5. Apply the new rule: ``` cumulus@netq-ts:~$ kubectl apply -f ingress.yaml @@ -99,38 +99,51 @@ You need the following items to perform the certificate installation: The message above appears if your ingress rule is successfully configured. -1. Configure the NetQ API to use the new certificate. +6. Configure the NetQ API to use the new certificate by updating the Swagger ingress rule file. - Edit the `netq-swagger-ingress-external` service: + 1. Create a new file called `swagger-ingress.yaml` - ``` - kubectl edit ingress netq-swagger-ingress-external - ``` - - Add the `tls:` section in the `spec:` stanza, referencing your configured hostname and the `netq-gui-ingress-tls` secretName: + 2. Copy and add the following content to the file: ``` + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "300" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/proxy-send-timeout: "300" + nginx.ingress.kubernetes.io/proxy-body-size: 10g + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" + name: netq-swagger-ingress-external + namespace: default spec: - rules: - - host: - http: - paths: - - backend: - serviceName: swagger-ui - servicePort: 8080 - path: /swagger(/|$)(.*) - tls: - - hosts: - - - secretName: netq-gui-ingress-tls + ingressClassName: ingress-nginx-class + rules: + - host: + http: + paths: + - path: "/swagger" + pathType: Prefix + backend: + service: + name: swagger-ui + port: + number: 8080 + tls: + - hosts: + - + secretName: netq-gui-ingress-tls ``` + 3. Replace `` with the FQDN of the NetQ VM.
+
+7. Apply the new rule: - After saving your changes, delete the current swagger-ui pod to restart the service: - - ``` - cumulus@netq-ts:~$ kubectl delete pod -l app=swagger-ui - pod "swagger-ui-deploy-69cfff7b45-cj6r6" deleted - ``` + ``` + cumulus@netq-ts:~$ kubectl apply -f swagger-ingress.yaml + ``` + {{}} @@ -138,3 +151,10 @@ You need the following items to perform the certificate installation: Your custom certificate should now be working. Verify this by opening the NetQ UI at `https://` in your browser. + \ No newline at end of file From 3d216f9fa1761142e90c8c4770334958b29ec780 Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Sun, 26 Nov 2023 16:07:04 -0500 Subject: [PATCH 065/204] updated certificate note box --- .../Install-a-Custom-Signed-Certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md index c638531ad6..e6c8dd2f15 100644 --- a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md +++ b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md 
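Review bot: In PATCH 064/204, step 6 of the `@@ -99,38 +99,51 @@` hunk replaces `kubectl edit ingress netq-swagger-ingress-external` with a full manifest that sets `nginx.ingress.kubernetes.io/proxy-body-size: 10g` and `nginx.ingress.kubernetes.io/proxy-request-buffering: "off"` on the Swagger route. Please confirm the API documentation endpoint needs a `10g` request body limit, and lower or drop these annotations if they were only carried over from another rule. The path also changes from `/swagger(/|$)(.*)` to a `Prefix` match on `/swagger`, and the step that deleted the `swagger-ui` pod is removed, so the procedure should end with a check that the Swagger path serves the new certificate after `kubectl apply -f swagger-ingress.yaml`.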
@@ -8,7 +8,7 @@ toc: 3 When you first log in to the NetQ UI via an on-premises deployment, your browser will display a warning indicating that the default certificate is not trusted. You can avoid this warning by installing your own signed certificate using the steps outlined on this page. The self-signed certificate is sufficient for non-production environments or cloud deployments. {{%notice note%}} -If you already have a certificate installed and want to change or update it, run the `kubectl delete secret netq-gui-ingress-tls [name] --namespace default` command. +If you already have a certificate installed and want to change or update it, run the `kubectl delete secret netq-gui-ingress-tls [name] --namespace default` command. After making your updates, restart nginx with the `kubectl delete pod -l app.kubernetes.io/name=ingress-nginx --namespace ingress-nginx` command. {{%/notice%}} You need the following items to perform the certificate installation: From 188f8702ec11ddc7f5d7fe89d5e0072ec3608737 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 27 Nov 2023 10:25:29 -0800 Subject: [PATCH 066/204] updates --- content/cumulus-linux-57/Layer-3/FRRouting.md | 2 - .../Equal-Cost-Multipath-Load-Sharing.md | 10 +- .../Routing/Supported-Route-Table-Entries.md | 2 +- .../EVPN-Multihoming.md | 4 +- .../VXLAN-Tunnel-DSCP.md | 7 +- .../Configuring-switchd.md | 14 +- content/cumulus-linux-57/Whats-New/_index.md | 136 +++++++++--------- 7 files changed, 83 insertions(+), 92 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/FRRouting.md b/content/cumulus-linux-57/Layer-3/FRRouting.md index 4edcad0e99..ceb7096b45 100644 --- a/content/cumulus-linux-57/Layer-3/FRRouting.md +++ b/content/cumulus-linux-57/Layer-3/FRRouting.md 
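Review bot: In PATCH 065/204, the sentence added to the note box says to restart nginx "After making your updates" without saying what the updates are. Once `kubectl delete secret netq-gui-ingress-tls` has run, the secret no longer exists, so the note should state that the reader recreates it (step 2 of the procedure, "Generate a Kubernetes secret called `netq-gui-ingress-tls`") before running `kubectl delete pod -l app.kubernetes.io/name=ingress-nginx --namespace ingress-nginx`. The delete command on the same line also shows both `netq-gui-ingress-tls` and `[name]` as arguments, which reads as two secret names; keep one.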
@@ -81,7 +81,6 @@ cumulus@switch:~$ sudo systemctl start frr.service The information in this section does not apply if you use NVUE to configure your switch. NVUE manages FRR daemons and configuration automatically. These instructions are only applicable for users managing FRR directly through linux flat file configurations. {{%/notice%}} - If you need to restore the FRR configuration to the default running configuration, delete the `frr.conf` file and restart the `frr` service. Back up `frr.conf` (or any configuration files you want to remove) before proceeding. @@ -94,7 +93,6 @@ Back up `frr.conf` (or any configuration files you want to remove) before procee cumulus@switch:~$ sudo rm /etc/frr/frr.conf ``` - 3. Restart FRR with this command: ``` diff --git a/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md b/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md index 553c13a2d2..035dd5c39b 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md 
@@ -565,14 +565,10 @@ interface.swp52.adaptive_routing.link_util_thresh = 70 ... ``` -{{}} the `switchd` service: - -{{}} - - -To disable adaptive routing, set the `adaptive_routing.enable` parameter to `FALSE` in the `/etc/cumulus/switchd.d/adaptive_routing.conf` file. +Reload `switchd` with the `sudo systemctl reload switchd.service` command. -To disable adaptive routing on a specific port, set the `interface..adaptive_routing.enable` parameter to `FALSE` in the `/etc/cumulus/switchd.d/adaptive_routing.conf` file. +- To disable adaptive routing, set the `adaptive_routing.enable` parameter to `FALSE` in the `/etc/cumulus/switchd.d/adaptive_routing.conf` file. +- To disable adaptive routing on a specific port, set the `interface..adaptive_routing.enable` parameter to `FALSE` in the `/etc/cumulus/switchd.d/adaptive_routing.conf` file. {{< /tab >}} {{< /tabs >}} diff --git a/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md b/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md index 316e221d70..266ef7e977 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md @@ -98,7 +98,7 @@ cumulus@switch:~$ sudo cat /etc/cumulus/datapath/traffic.conf forwarding_table.profile = l2-heavy ``` -After you specify a different profile, {{%link url="Configuring-switchd#restart-switchd" text="restart `switchd`"%}} for the change to take effect. +After you specify a different profile, reload `switchd` with the `sudo systemctl reload switchd.service` command. {{< /tab >}} {{< /tabs >}} diff --git a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md index 7e17a747ed..2f83b0482d 100644 
--- a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md +++ b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md @@ -116,7 +116,7 @@ cumulus@leaf01:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -Set the `evpn.multihoming.enable` variable in the `/etc/cumulus/switchd.conf` file to `TRUE`, then restart the `switchd` service. Cumulus Linux disables this variable by default. +Set the `evpn.multihoming.enable` variable in the `/etc/cumulus/switchd.conf` file to `TRUE`, then reload the `switchd` service. Cumulus Linux disables this variable by default. ``` cumulus@leaf01:~$ sudo nano /etc/cumulus/switchd.conf @@ -126,7 +126,7 @@ evpn.multihoming.enable = TRUE ``` ``` -cumulus@leaf01:~$ sudo systemctl restart switchd.service +cumulus@leaf01:~$ sudo systemctl reload switchd.service ``` {{< /tab >}} diff --git a/content/cumulus-linux-57/Network-Virtualization/VXLAN-Tunnel-DSCP.md b/content/cumulus-linux-57/Network-Virtualization/VXLAN-Tunnel-DSCP.md index d67060b361..5bccbafc93 100644 --- a/content/cumulus-linux-57/Network-Virtualization/VXLAN-Tunnel-DSCP.md +++ b/content/cumulus-linux-57/Network-Virtualization/VXLAN-Tunnel-DSCP.md @@ -42,7 +42,7 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -Edit the `/etc/cumulus/switchd.conf` file, then restart `switchd`. +Edit the `/etc/cumulus/switchd.conf` file, then reload `switchd`. The following example sets the VXLAN encapsulation DSCP action to `copy`. @@ -87,10 +87,7 @@ vxlan.def_decap_dscp_action = preserve ... ``` -After you modify `/etc/cumulus/switchd.conf` file, you must restart `switchd` for the changes to take effect. - -{{}} - +After you modify `/etc/cumulus/switchd.conf` file, you must reload `switchd` with the `sudo systemctl reload switchd.service` command. {{< /tab >}} {{< /tabs >}} 
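Review bot: In PATCH 066/204, the EVPN-Multihoming.md hunk keeps the sentence "Cumulus Linux disables this variable by default" for `evpn.multihoming.enable`, while the Configuring-switchd.md table row that this same patch edits says "The default setting is TRUE". Reconcile the two while both lines are being touched. The commit subject "updates" also does not say that several pages change from `sudo systemctl restart switchd.service` to `sudo systemctl reload switchd.service`, which is the change an operator would look for in the history.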
diff --git a/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md b/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md index 76a15329b9..488623fcb0 100644 --- a/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md +++ b/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md @@ -149,9 +149,9 @@ Restarting the `switchd` service causes all network ports to reset in addition t | `nat.table_size` | The NAT table size limit in number of entries. You can configure this setting only when `nat.dynamic_enable` is set to TRUE.
The default setting is 1024. | restart | | `nat.config_table_size` | The NAT configuration table size limit in number of entries. You can configure this setting only when `nat.dynamic_enable` is set to TRUE.
The default setting is 64. | restart | | `logging` | Configures logging in the format BACKEND=LEVEL. Separate multiple BACKEND=LEVEL pairs with a space. The BACKEND value can be `stderr`, `file:filename`, `syslog`, `program:executable`. The LEVEL value can be `CRIT`, `ERR`, `WARN`, `INFO`, `DEBUG`.
The default value is `syslog=INFO`| restart | -| `interface.swp1.storm_control.broadcast` | Enables broadcast storm control and sets the number of packets per second (pps).
The default setting is 400. | reload | -| `interface.swp1.storm_control.multicast` | Enables multicast storm control and sets the number of packets per second (pps).
The default setting is 3000. | reload | -| `interface.swp1.storm_control.unknown_unicast` | Enables unicast storm control and sets the number of packets per second (pps).
The default setting is 2000. | reload | +| `interface..storm_control.broadcast` | Enables broadcast storm control and sets the number of packets per second (pps).
The default setting is 400. | reload | +| `interface..storm_control.multicast` | Enables multicast storm control and sets the number of packets per second (pps).
The default setting is 3000. | reload | +| `interface..storm_control.unknown_unicast` | Enables unicast storm control and sets the number of packets per second (pps).
The default setting is 2000. | reload | | `stats.vlan.aggregate` | Enables hardware statistics for VLANs and specifies the type of statistics needed. You can specify NONE, BRIEF, or DETAIL.
The default setting is BRIEF. | restart | | `stats.vxlan.aggregate` | Enables hardware statistics for VXLANs and specifies the type of statistics needed. You can specify NONE, BRIEF, or DETAIL.
The default setting is DETAIL. | restart | | `stats.vxlan.member` | Enables hardware statistics for VXLAN members and specifies the type of statistics needed. You can specify NONE, BRIEF, or DETAIL.
The default setting is BRIEF. | restart | @@ -167,14 +167,14 @@ Restarting the `switchd` service causes all network ports to reset in addition t | `bridge.unreg_v6_mcast_prune` | Enables unregistered layer 2 multicast prune to mrouter ports (IPv6).
The default setting is FALSE (flood unregistered layer 2 multicast traffic). | restart | | `netlink libnl logger` | The default setting is [0-5]. | restart | | `netlink.nl_logger` | The default setting is 0. | restart | -| `vxlan.def_encap_dscp_action` | Sets the default VXLAN router DSCP action during encapsulation. You can specify `copy` if the inner packet is IP, `set` to set a specific value, or `derive` to derive the value from the switch priority.
The default setting is `derive`. | restart | -| `vxlan.def_encap_dscp_value` | Sets the default VXLAN encapsulation DSCP value if the action is `set`.
| restart | -| `vxlan.def_decap_dscp_action` | Sets the default VXLAN router DSCP action during decapsulation. You can specify `copy` if the inner packet is IP, `preserve` to preserve the inner DSCP value, or `derive` to derive the value from the switch priority.
The default setting is `derive`. | restart | +| `vxlan.def_encap_dscp_action` | Sets the default VXLAN router DSCP action during encapsulation. You can specify `copy` if the inner packet is IP, `set` to set a specific value, or `derive` to derive the value from the switch priority.
The default setting is `derive`. | reload | +| `vxlan.def_encap_dscp_value` | Sets the default VXLAN encapsulation DSCP value if the action is `set`.
| reload | +| `vxlan.def_decap_dscp_action` | Sets the default VXLAN router DSCP action during decapsulation. You can specify `copy` if the inner packet is IP, `preserve` to preserve the inner DSCP value, or `derive` to derive the value from the switch priority.
The default setting is `derive`. | reload | | `ipmulticast.unknown_ipmc_to_cpu` | Enables sending unknown IPMC to the CPU.
The default setting is FALSE. | restart | | `vrf_route_leak_enable_dynamic` | Enables dynamic VRF route leaking.
The default setting is FALSE. | restart | | `sync_queue_depth_val` | The event queue depth.
The default setting is 50000. | restart | | `route.route_preferred_over_neigh` | Sets the preference between a route and neighbor with the same IP address and mask. You can specify `TRUE` to prefer the route over the neighbor, `FALSE` to prefer the neighbor over the route, or `BOTH` to install both the route and neighbor.
The default setting is TRUE. | reload | -| `evpn.multihoming.enable` | Enables EVPN multihoming.
The default setting is TRUE. | restart | +| `evpn.multihoming.enable` | Enables EVPN multihoming.
The default setting is TRUE. | reload | | `evpn.multihoming.shared_l2_groups` | Enables sharing for layer 2 next hop groups.
The default setting is FALSE. | restart | | `evpn.multihoming.shared_l3_groups` | Enables sharing for layer 3 next hop groups.
The default setting is FALSE. | restart | | `evpn.multihoming.fast_local_protect` | Enables fast reroute for egress link protection. The default setting is FALSE. | restart | diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index ed1ebef81e..85e0d9d2c7 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md 
@@ -38,74 +38,74 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Show commands to see the {{}} and {{}} - Show commands to show the IP neighbor table - Enhanced {{}} command output now in table format - - Improvements to {{}} - -{{< expand "Commands that reload instead restart a service" >}} -``` -nv set system acl mode non-atomic -nv set system acl mode atomic -nv set system forwarding host-route-preference route -nv set system forwarding host-route-preference neighbor -nv set system forwarding host-route-preference route-and-neighbour -nv set evpn multihoming enable -nv set nve vxlan encapsulation dscp action -nv set nve vxlan encapsulation dscp value -nv set nve vxlan decapsulation dscp action -nv set interface router adaptive-routing link-utilization-threshold -nv set system forwarding profile -nv set router bgp wait-for-install -nv set router adaptive-routing enable -nv set interface router adaptive-routing enable -``` -{{< /expand >}} - -{{< expand "Changed Commands" >}} -| Previous Command | New Command | -| ------------ | ------------- | -| `nv set router pim timers keep-alive`| `nv set router pim timers keepalive` | -| `nv set router pim timers rp-keep-alive`| `nv set router pim timers rp-keepalive` | -| `nv set vrf default router pim timers keep-alive`| `nv set vrf default router pim timers keepalive` | -| `nv set vrf default router pim timers rp-keep-alive`| `nv set vrf default router pim timers rp-keepalive` | -| `nv set acl rule match ip dest-port ` | `nv set acl rule match ip dest-port `| -| `nv set acl rule match ip source-port `| `nv set acl rule match ip source-port ` | -{{< /expand >}} - -{{< expand "New NVUE Commands" >}} - -For descriptions and examples of all NVUE commands, refer to the [NVUE Command Reference]({{}}) for Cumulus Linux. 
- -{{< tabs "TabID40 ">}} -{{< tab "nv show ">}} - -``` -nv show -``` - -{{< /tab >}} -{{< tab "nv set ">}} - -``` -nv set -``` - -{{< /tab >}} -{{< tab "nv unset ">}} - -``` -nv unset -``` - -{{< /tab >}} -{{< tab "nv action ">}} - -``` -nv action -``` - -{{< /tab >}} -{{< /tabs >}} - -{{< /expand >}} + - Improvements to adaptive-routing link-utilization-threshold{{}} + + {{< expand "Commands that now reload a service instead of restarting a service" >}} + ``` + nv set system acl mode non-atomic + nv set system acl mode atomic + nv set system forwarding host-route-preference route + nv set system forwarding host-route-preference neighbor + nv set system forwarding host-route-preference route-and-neighbour + nv set evpn multihoming enable + nv set nve vxlan encapsulation dscp action + nv set nve vxlan encapsulation dscp value + nv set nve vxlan decapsulation dscp action + nv set interface router + nv set system forwarding profile + nv set router bgp wait-for-install + nv set router adaptive-routing enable + nv set interface router adaptive-routing enable + ``` + {{< /expand >}} + + {{< expand "Changed Commands" >}} + | Previous Command | New Command | + | ------------ | ------------- | + | `nv set router pim timers keep-alive`| `nv set router pim timers keepalive` | + | `nv set router pim timers rp-keep-alive`| `nv set router pim timers rp-keepalive` | + | `nv set vrf default router pim timers keep-alive`| `nv set vrf default router pim timers keepalive` | + | `nv set vrf default router pim timers rp-keep-alive`| `nv set vrf default router pim timers rp-keepalive` | + | `nv set acl rule match ip dest-port ` | `nv set acl rule match ip dest-port `| + | `nv set acl rule match ip source-port `| `nv set acl rule match ip source-port ` | + {{< /expand >}} + + {{< expand "New NVUE Commands" >}} + + For descriptions and examples of all NVUE commands, refer to the [NVUE Command Reference]({{}}) for Cumulus Linux. 
+ + {{< tabs "TabID40 ">}} + {{< tab "nv show ">}} + + ``` + nv show + ``` + + {{< /tab >}} + {{< tab "nv set ">}} + + ``` + nv set + ``` + + {{< /tab >}} + {{< tab "nv unset ">}} + + ``` + nv unset + ``` + + {{< /tab >}} + {{< tab "nv action ">}} + + ``` + nv action + ``` + + {{< /tab >}} + {{< /tabs >}} + + {{< /expand >}} {{%notice info%}} Cumulus Linux 5.7 includes the NVUE object model. After you upgrade to Cumulus Linux 5.7, running NVUE configuration commands might override configuration for features that are now configurable with NVUE and removes configuration you added manually to files or with automation tools like Ansible, Chef, or Puppet. To keep your configuration, you can do one of the following: From 05e56ba36de3c1ab7416bb860bed2984ee93cb6e Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 27 Nov 2023 13:56:05 -0800 Subject: [PATCH 067/204] updates --- .../Routing/Supported-Route-Table-Entries.md | 2 +- .../EVPN-Multihoming.md | 4 +- .../Configuring-switchd.md | 2 +- .../Precision Time Protocol-PTP.md | 4 +- .../In-Service-System-Upgrade-ISSU.md | 11 +- content/cumulus-linux-57/Whats-New/_index.md | 134 +++++++++--------- 6 files changed, 78 insertions(+), 79 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md b/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md index 266ef7e977..c3ba5ee341 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md @@ -98,7 +98,7 @@ cumulus@switch:~$ sudo cat /etc/cumulus/datapath/traffic.conf forwarding_table.profile = l2-heavy ``` -After you specify a different profile, reload `switchd` with the `sudo systemctl reload switchd.service` command. +After you specify a different profile, restart `switchd` with the `sudo systemctl restart switchd.service` command. {{< /tab >}} {{< /tabs >}} 
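Review bot: In Configuring-switchd.md, the `storm_control.unknown_unicast` row still reads "Enables unicast storm control", which does not match its key. The row is being rewritten in this hunk anyway, so change the description to "Enables unknown unicast storm control" to keep it distinct from the broadcast and multicast rows.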
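Review bot: In Whats-New/_index.md, the text `adaptive-routing link-utilization-threshold` appears to have moved out of the command list and into the feature bullet. The added bullet reads `Improvements to adaptive-routing link-utilization-threshold{{}}`, while the entry in the expand block is shortened to `nv set interface router`, which no longer names the setting it changes. Restore the full command in the list and the original link text in the bullet. The expand blocks are also now indented under the last list item; confirm that the shortcodes and fenced blocks still render at that depth.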
diff --git a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md index 2f83b0482d..7e17a747ed 100644 --- a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md +++ b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/EVPN-Multihoming.md @@ -116,7 +116,7 @@ cumulus@leaf01:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -Set the `evpn.multihoming.enable` variable in the `/etc/cumulus/switchd.conf` file to `TRUE`, then reload the `switchd` service. Cumulus Linux disables this variable by default. +Set the `evpn.multihoming.enable` variable in the `/etc/cumulus/switchd.conf` file to `TRUE`, then restart the `switchd` service. Cumulus Linux disables this variable by default. ``` cumulus@leaf01:~$ sudo nano /etc/cumulus/switchd.conf @@ -126,7 +126,7 @@ evpn.multihoming.enable = TRUE ``` ``` -cumulus@leaf01:~$ sudo systemctl reload switchd.service +cumulus@leaf01:~$ sudo systemctl restart switchd.service ``` {{< /tab >}} diff --git a/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md b/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md index 488623fcb0..3536cb338e 100644 --- a/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md +++ b/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md @@ -174,7 +174,7 @@ Restarting the `switchd` service causes all network ports to reset in addition t | `vrf_route_leak_enable_dynamic` | Enables dynamic VRF route leaking.
The default setting is FALSE. | restart | | `sync_queue_depth_val` | The event queue depth.
The default setting is 50000. | restart | | `route.route_preferred_over_neigh` | Sets the preference between a route and neighbor with the same IP address and mask. You can specify `TRUE` to prefer the route over the neighbor, `FALSE` to prefer the neighbor over the route, or `BOTH` to install both the route and neighbor.
The default setting is TRUE. | reload | -| `evpn.multihoming.enable` | Enables EVPN multihoming.
The default setting is TRUE. | reload | +| `evpn.multihoming.enable` | Enables EVPN multihoming.
The default setting is TRUE. | restart | | `evpn.multihoming.shared_l2_groups` | Enables sharing for layer 2 next hop groups.
The default setting is FALSE. | restart | | `evpn.multihoming.shared_l3_groups` | Enables sharing for layer 3 next hop groups.
The default setting is FALSE. | restart | | `evpn.multihoming.fast_local_protect` | Enables fast reroute for egress link protection. The default setting is FALSE. | restart | diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 58aa80c4f9..6c108ef58b 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -548,7 +548,7 @@ To enable PPS Out: #### PPS Synchronization Settings -You can configure these PPS In settings: +You can configure these PPS settings: | PPS In Setting | Description | | ------- | ----------- | @@ -559,8 +559,6 @@ You can configure these PPS In settings: | `signal-width` | Sets the pulse width of the PPS IN signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| | `timestamp-correction` | Sets the value, in nanoseconds, to add to each PPS time stamp. You can set a value between -1000000000 and 1000000000. The default value is 0. | -You can configure these PPS Out settings: - | PPS Out Setting | Description | | ------- | ----------- | | `channel-index`| Sets the channel index. You can set a value of 1 or 0. The default value is 0.| diff --git a/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md b/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md index 52a3a3482b..003d379fb6 100644 --- a/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md +++ b/content/cumulus-linux-57/System-Configuration/In-Service-System-Upgrade-ISSU.md 
@@ -313,10 +313,9 @@ ports disabled ``` cumulus@switch:~$ sudo csmgrctl -s -Current System Mode: Maintenance, cold - Maintenance mode since Sat Nov 18 07:24:11 2023 (Duration: 00:00:38) - Ports shutdown for Maintenance - frr : Maintenance, cold, down, up time: 13:11:15 (1 restart) - switchd : Maintenance, cold, down, up time: 13:25:40 - System Services : Maintenance, cold, down, up time: 13:25:59 +Current System Mode: cold + frr : cold, up, up time: 00:14:51 (2 restarts) + clagd : cold, up, up time: 00:14:47 + switchd : cold, up, up time: 01:09:48 + System Services : cold, up, up time: 01:10:07 ``` diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 85e0d9d2c7..fab3a78e11 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md 
@@ -40,72 +40,74 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Enhanced {{}} command output now in table format - Improvements to adaptive-routing link-utilization-threshold{{}} - {{< expand "Commands that now reload a service instead of restarting a service" >}} - ``` - nv set system acl mode non-atomic - nv set system acl mode atomic - nv set system forwarding host-route-preference route - nv set system forwarding host-route-preference neighbor - nv set system forwarding host-route-preference route-and-neighbour - nv set evpn multihoming enable - nv set nve vxlan encapsulation dscp action - nv set nve vxlan encapsulation dscp value - nv set nve vxlan decapsulation dscp action - nv set interface router - nv set system forwarding profile - nv set router bgp wait-for-install - nv set router adaptive-routing enable - nv set interface router adaptive-routing enable - ``` - {{< /expand >}} - - {{< expand "Changed Commands" >}} - | Previous Command | New Command | - | ------------ | ------------- | - | `nv set router pim timers keep-alive`| `nv set router pim timers keepalive` | - | `nv set router pim timers rp-keep-alive`| `nv set router pim timers rp-keepalive` | - | `nv set vrf default router pim timers keep-alive`| `nv set vrf default router pim timers keepalive` | - | `nv set vrf default router pim timers rp-keep-alive`| `nv set vrf default router pim timers rp-keepalive` | - | `nv set acl rule match ip dest-port ` | `nv set acl rule match ip dest-port `| - | `nv set acl rule match ip source-port `| `nv set acl rule match ip source-port ` | - {{< /expand >}} - - {{< expand "New NVUE Commands" >}} - - For descriptions and examples of all NVUE commands, refer to the [NVUE Command Reference]({{}}) for Cumulus Linux. 
- - {{< tabs "TabID40 ">}} - {{< tab "nv show ">}} - - ``` - nv show - ``` - - {{< /tab >}} - {{< tab "nv set ">}} - - ``` - nv set - ``` - - {{< /tab >}} - {{< tab "nv unset ">}} - - ``` - nv unset - ``` - - {{< /tab >}} - {{< tab "nv action ">}} - - ``` - nv action - ``` - - {{< /tab >}} - {{< /tabs >}} - - {{< /expand >}} +{{< expand "Commands that require a switchd reload instead of a restart" >}} + +``` +nv set system acl mode non-atomic +nv set system acl mode atomic +nv set system forwarding host-route-preference route +nv set system forwarding host-route-preference neighbor +nv set system forwarding host-route-preference route-and-neighbour +nv set nve vxlan encapsulation dscp action +nv set nve vxlan encapsulation dscp value +nv set nve vxlan decapsulation dscp action +nv set interface router +nv set router bgp wait-for-install +nv set router adaptive-routing enable +nv set interface router adaptive-routing enable +``` + +{{< /expand >}} + +{{< expand "Changed Commands" >}} + +| Previous Command | New Command | +| ------------ | ------------- | +| `nv set router pim timers keep-alive`| `nv set router pim timers keepalive` | +| `nv set router pim timers rp-keep-alive`| `nv set router pim timers rp-keepalive` | +| `nv set vrf default router pim timers keep-alive`| `nv set vrf default router pim timers keepalive` | +| `nv set vrf default router pim timers rp-keep-alive`| `nv set vrf default router pim timers rp-keepalive` | +| `nv set acl rule match ip dest-port ` | `nv set acl rule match ip dest-port `| +| `nv set acl rule match ip source-port `| `nv set acl rule match ip source-port ` | + +{{< /expand >}} + +{{< expand "New NVUE Commands" >}} + +For descriptions and examples of all NVUE commands, refer to the [NVUE Command Reference]({{}}) fCumulus Linux. 
+ +{{< tabs "TabID40 ">}} +{{< tab "nv show ">}} + +``` +nv show +``` + +{{< /tab >}} +{{< tab "nv set ">}} + +``` +nv set +``` + +{{< /tab >}} +{{< tab "nv unset ">}} + +`` +nv unset +``` + +{{< /tab >}} +{{< tab "nv action ">}} + +``` +nv action +``` + +{{< /tab >}} +{{< /tabs >}} + +{{< /expand >}} {{%notice info%}} Cumulus Linux 5.7 includes the NVUE object model. After you upgrade to Cumulus Linux 5.7, running NVUE configuration commands might override configuration for features that are now configurable with NVUE and removes configuration you added manually to files or with automation tools like Ansible, Chef, or Puppet. To keep your configuration, you can do one of the following: From 842366e268dd07459cf8be1eb3824cc2acea5954 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 27 Nov 2023 15:32:12 -0800 Subject: [PATCH 068/204] updates --- content/cumulus-linux-57/Layer-3/FRRouting.md | 2 +- .../Precision Time Protocol-PTP.md | 2 +- content/cumulus-linux-57/Whats-New/_index.md | 29 ++++++++++--------- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/FRRouting.md b/content/cumulus-linux-57/Layer-3/FRRouting.md index ceb7096b45..057fc868c2 100644 --- a/content/cumulus-linux-57/Layer-3/FRRouting.md +++ b/content/cumulus-linux-57/Layer-3/FRRouting.md 
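Review bot: The default for `evpn.multihoming.enable` is stated two different ways in the lines this commit changes. The Configuring-switchd.md row says "The default setting is TRUE", while the Linux Commands tab in EVPN-Multihoming.md says "Cumulus Linux disables this variable by default". Both lines are touched here for the reload to restart change, so settle the default in the same pass and make the two pages agree.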
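Review bot: Two slips in the un-indented block in Whats-New/_index.md. The NVUE Command Reference sentence now ends `fCumulus Linux` where it should read `for Cumulus Linux`, and the code fence in the `nv unset` tab opens with two backticks instead of three, so the closing fence has no matching opener. Both are in added lines; the removed, indented versions were correct.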
@@ -78,7 +78,7 @@ cumulus@switch:~$ sudo systemctl start frr.service ## Restore the Default Configuration {{%notice note%}} -The information in this section does not apply if you use NVUE to configure your switch. NVUE manages FRR daemons and configuration automatically. These instructions are only applicable for users managing FRR directly through linux flat file configurations. +The information in this section does not apply if you use NVUE to configure your switch. NVUE manages FRR daemons and configuration automatically. These instructions are only applicable if you manage FRR directly with linux flat file configurations. {{%/notice%}} If you need to restore the FRR configuration to the default running configuration, delete the `frr.conf` file and restart the `frr` service. diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 6c108ef58b..304398da7b 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -493,7 +493,7 @@ Cumulus Linux supports two PPS modes: #### Enable PPS Synchronization -To enable PPS In and PPS Out: +To enable PPS synchronization: {{< tabs "TabID541 ">}} {{< tab "NVUE Commands ">}} diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index fab3a78e11..d5e87ef3ec 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md 
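Review bot: In the FRRouting.md notice, the rewritten sentence keeps `linux flat file configurations` in lowercase. Capitalize it as `Linux` while the line is being edited, to match the "Linux Commands" tab naming used across these pages.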
@@ -36,25 +36,26 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Commands to {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. - Show commands to see the {{}} and {{}} - - Show commands to show the IP neighbor table + - Show commands to show the IP neighbor table and set commands to create an IP neighbor table entry for an interface - Enhanced {{}} command output now in table format - Improvements to adaptive-routing link-utilization-threshold{{}} + - FRR now restarts only when you change the FRR daemon file, change the BGP ASN, remove the default instance, disable the SNMP server (with agentx configuration present). -{{< expand "Commands that require a switchd reload instead of a restart" >}} +{{< expand "Commands that now reload switchd instead of restarting switchd" >}} ``` -nv set system acl mode non-atomic -nv set system acl mode atomic -nv set system forwarding host-route-preference route -nv set system forwarding host-route-preference neighbor -nv set system forwarding host-route-preference route-and-neighbour -nv set nve vxlan encapsulation dscp action -nv set nve vxlan encapsulation dscp value -nv set nve vxlan decapsulation dscp action -nv set interface router -nv set router bgp wait-for-install -nv set router adaptive-routing enable -nv set interface router adaptive-routing enable +nv set/unset system acl mode non-atomic +nv set/unset system acl mode atomic +nv set/unset system forwarding host-route-preference route +nv set/unset system forwarding host-route-preference neighbor +nv set/unset system forwarding host-route-preference route-and-neighbour +nv set/unset nve vxlan encapsulation dscp action +nv set/unset nve vxlan encapsulation dscp value +nv set/unset nve vxlan decapsulation dscp action +nv set/unset interface router +nv set/unset router bgp wait-for-install +nv 
set/unset router adaptive-routing enable +nv set/unset interface router adaptive-routing enable ``` {{< /expand >}} From 9eabb40c07feed4f5fb026171a03254383b4220b Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 28 Nov 2023 16:30:28 -0800 Subject: [PATCH 069/204] updates --- .../Basic-BGP-Configuration.md | 4 + .../Open-Shortest-Path-First-v2-OSPFv2.md | 4 + .../Open-Shortest-Path-First-v3-OSPFv3.md | 4 + .../Protocol-Independent-Multicast-PIM.md | 4 + .../Layer-3/Routing/Policy-based-Routing.md | 4 + .../Routing/Supported-Route-Table-Entries.md | 2 +- ...Virtual-Router-Redundancy-Protocol-VRRP.md | 4 + .../Configure-SNMP.md | 9 +++ .../Precision Time Protocol-PTP.md | 79 ++++++++++++++++--- content/cumulus-linux-57/Whats-New/_index.md | 5 +- 10 files changed, 106 insertions(+), 13 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Basic-BGP-Configuration.md b/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Basic-BGP-Configuration.md index 7469557287..19a9fa47d2 100644 --- a/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Basic-BGP-Configuration.md +++ b/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Basic-BGP-Configuration.md @@ -10,6 +10,10 @@ This section describes how to configure BGP using either BGP numbered or {{[OSPF](## "Open Shortest Path First")
using either numbered interfaces or unnumbered interfaces. +{{%notice warning%}} +When you enable or disable OSPF, the FRR service restarts, which might impact traffic. +{{%/notice%}} + ### OSPFv2 Numbered To configure OSPF using numbered interfaces, you specify the router ID, IP subnet prefix, and area address. You must put all the interfaces on the switch with an IP address that matches the network subnet into the specified area. OSPF attempts to discover other OSPF routers on those interfaces. Cumulus Linux adds all matching interface network addresses to a type-1 [LSA](## "Link-State Advertisement") and advertises to discovered neighbors for proper reachability. diff --git a/content/cumulus-linux-57/Layer-3/OSPF/Open-Shortest-Path-First-v3-OSPFv3.md b/content/cumulus-linux-57/Layer-3/OSPF/Open-Shortest-Path-First-v3-OSPFv3.md index 1f0d9ab1bc..132da9ed48 100644 --- a/content/cumulus-linux-57/Layer-3/OSPF/Open-Shortest-Path-First-v3-OSPFv3.md +++ b/content/cumulus-linux-57/Layer-3/OSPF/Open-Shortest-Path-First-v3-OSPFv3.md @@ -14,6 +14,10 @@ IETF has defined extensions to OSPFv3 to support multiple address families (both You can configure [OSPF](## "Open Shortest Path First") using either numbered interfaces or unnumbered interfaces. +{{%notice warning%}} +When you enable or disable OSPF, the FRR service restarts, which might impact traffic. +{{%/notice%}} + {{%notice note%}} NVUE commands are not supported for OSPFv3. {{%/notice%}} diff --git a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md index 80f6beaec6..aa0f38cd8c 100644 --- a/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md +++ b/content/cumulus-linux-57/Layer-3/Protocol-Independent-Multicast-PIM.md 
@@ -44,6 +44,10 @@ To configure PIM: [SSM](## "Source Specific Multicast") uses prefix lists to configure a receiver to only allow traffic to a multicast address from a single source. This removes the need for an RP because the receiver must know the source before accepting traffic. To enable SSM, you only need to enable PIM and IGMPv3 on the interfaces. +{{%notice warning%}} +When you enable or disable PIM, the FRR service restarts, which might impact traffic. +{{%/notice%}} + These example commands configure leaf01, leaf02 and spine01 as shown in the topology example above. {{< tabs "TabID44 ">}} diff --git a/content/cumulus-linux-57/Layer-3/Routing/Policy-based-Routing.md b/content/cumulus-linux-57/Layer-3/Routing/Policy-based-Routing.md index 2d177a3f52..11b326075d 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Policy-based-Routing.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Policy-based-Routing.md @@ -35,6 +35,10 @@ To configure a PBR policy: {{< tabs "TabID35 ">}} {{< tab "NVUE Commands ">}} +{{%notice warning%}} +When you configure PBR with NVUE commands, NVUE enables the `pbrd` service and restarts the FRR service; An FRR service restart might impact traffic. +{{%/notice%}} + 1. Configure the policy map. The example commands below configure a policy map called `map1` with rule number 1 that matches on destination address 10.1.2.0/24 and source address 10.1.4.1/24. diff --git a/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md b/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md index c3ba5ee341..41efdfaccb 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Supported-Route-Table-Entries.md 
@@ -45,7 +45,6 @@ The values in the following tables reflect results from testing, which can diffe | default | 50k | 41k (IPv4) and 20k (IPv6) | 82k (IPv4), 74k (IPv6-long), 1K (IPv4-Mcast)| | l2-heavy | 115k | 74k (IPv4) and 37k (IPv6) | 16k (IPv4), 24k (IPv6-long), 1K (IPv4-Mcast)| | l2-heavy-1 | 239k | 16k (IPv4) and 12k (IPv6) | 16k (IPv4), 16k (IPv6-long), 1K (IPv4-Mcast)| -| l2-heavy-v4-lpm | 125k | 1k (IPv4) and 128 (IPv6) | 65k (IPv4), 512 (IPv6-long), 0 (IPv4-Mcast)| | l2-heavy-3 | 107k | 90k (IPv4) and 80k (IPv6) | 25k (IPv4), 10k (IPv6-long), 1K (IPv4-Mcast) | | v4-lpm-heavy | 16k | 41k (IPv4) and 24k (IPv6) | 124k (IPv4), 24k (IPv6-long), 1K (IPv4-Mcast)| | v4-lpm-heavy-1 | 16k | 16k (IPv4) and 4k (IPv6) | 256k (IPv4), 8k (IPv6-long), 1K (IPv4-Mcast)| @@ -55,6 +54,7 @@ The values in the following tables reflect results from testing, which can diffe | ipmc-heavy | 57k | 41k (IPv4) and 20k (IPv6) | 82K (IPv4), 66K (IPv6-long), 8K (IPv4-Mcast) | | ipmc-max | 41K | 41k (IPv4) and 20k (IPv6) | 74K (IPv4), 66K (IPv6-long), 15K (IPv4-Mcast)| + The IPv6 number corresponds to the /64 IPv6 prefix. The /128 IPv6 prefix number is half of the /64 IPv6 prefix number. {{%notice note%}} diff --git a/content/cumulus-linux-57/Layer-3/Virtual-Router-Redundancy-Protocol-VRRP.md b/content/cumulus-linux-57/Layer-3/Virtual-Router-Redundancy-Protocol-VRRP.md index 1782850124..2adf0c5b8c 100644 --- a/content/cumulus-linux-57/Layer-3/Virtual-Router-Redundancy-Protocol-VRRP.md +++ b/content/cumulus-linux-57/Layer-3/Virtual-Router-Redundancy-Protocol-VRRP.md @@ -51,6 +51,10 @@ The parent interface must use a primary address as the source address on VRRP ad {{< tabs "TabID448 ">}} {{< tab "NVUE Commands ">}} +{{%notice warning%}} +When you configure VRRP with NVUE commands, NVUE enables the `vrrpd` service and restarts the FRR service; An FRR service restart might impact traffic. +{{%/notice%}} + {{< tabs "TabID504 ">}} {{< tab "spine01 ">}} 
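Review bot: The added VRRP warning joins two sentences with a semicolon and then capitalizes the second: `restarts the FRR service; An FRR service restart might impact traffic.` The PBR warning added in Policy-based-Routing.md has the same construction. Match the wording of the OSPF and PIM warnings in this commit, for example `NVUE enables the vrrpd service and restarts the FRR service, which might impact traffic.`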
diff --git a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md index 1aef38eb96..df275e7fb3 100644 --- a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md +++ b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md @@ -26,6 +26,10 @@ cumulus@switch:~$ nv set service snmp-server listening-address localhost cumulus@switch:~$ nv config apply ``` +{{%notice warning%}} +If you disable the `snmpd` service with the `nv set service snmp-server enable off` command, the FRR service restarts, which might impact traffic. +{{%/notice%}} + {{< /tab >}} {{< tab "Linux Commands ">}} @@ -527,6 +531,11 @@ To verify the configuration, you can run `snmpwalk`. ``` cumulus@switch:~$ sudo snmpwalk -v2c -cpublic localhost 1.3.6.1.2.1.14 ``` + +{{%notice warning%}} +If you disable the SNMP server with AgentX enabled, the FRR service restarts, which might impact traffic. +{{%/notice%}} + ### Enable the .1.3.6.1.2.1 Range diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 304398da7b..d1c2adf100 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -520,6 +520,35 @@ To enable PPS In: 1. Edit the `/etc/linuxptp/ts2phc.conf` file to set the following parameters. ``` + # Default configurations + [global] + use_syslog 0 + verbose 1 + logging_level 6 + slave_event_monitor /var/run/ptp_sem.sock + ts2phc.pulsewidth 500000000 + ts2phc.tod_source ptp + # + # servo parameters + # + pi_proportional_const 0.000000 + pi_integral_const 0.000000 + pi_proportional_scale 0.700000 + pi_proportional_exponent -0.300000 + pi_proportional_norm_max 0.700000 + pi_integral_scale 0.300000 + pi_integral_exponent 0.400000 + pi_integral_norm_max 0.300000 + step_threshold 0.000000050 + first_step_threshold 0.000000001 + max_frequency 500000000 + sanity_freq_limit 0 + + [/dev/ptp1] + ts2phc.pin_index 0 + ts2phc.channel 0 + ts2phc.extts_polarity rising + ts2phc.extts_correction 0 ``` 2. Enable and start the `ptp4l` and `phc2sys` services: @@ -533,8 +562,27 @@ To enable PPS Out: 1.Edit the `/etc/linuxptp/pps_out.conf` file to set the following parameters. -``` -``` + ``` + # Configuration file used for the pps_out.service + # It is shell formatted and the file is source'd by the service + + # Set the PTP device to source our PPS from. + # If not specified, the service will find the first device with a clock name "sx_ptp". + PTP_DEV=/dev/ptp1 + + # Set the pin index on the PPS device to send on. + # On the NVIDIA systems, only pin 1 (0-based) is supported + OUT_PIN=1 + + # Set the file where to cache the last started values. + # This is used primarily in the "stop" operation to know what to clean up. + CACHE_FILE=/var/run/pps_out + + # Set the out pulse charateristics for frequency and width + PULSE_FREQ=1000000000 + PULSE_WIDTH=500000000 + PULSE_PHASE=0 + ``` 2. Enable and start the `pps_out` service: 
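Review bot: The `pps_out.conf` sample added under step 1 carries a misspelling in its comment, `# Set the out pulse charateristics for frequency and width` (should be `characteristics`), and that comment names only frequency and width although `PULSE_PHASE` is set directly below it. If this text is copied verbatim from the file shipped on the switch, leave it and say so in the step; otherwise fix it here and in the PPS Out example further down, which repeats it. The step label `1.Edit` in the surrounding context is also missing the space after the number, so it does not parse as a list item.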
@@ -564,7 +612,7 @@ You can configure these PPS settings: | `channel-index`| Sets the channel index. You can set a value of 1 or 0. The default value is 0.| | `frequency-adjustment` | Sets the frequency adjustment of the PPS Out signal. You can set a value between 1000000000 and 2147483647. The default value is 1000000000.| | `phase-adjustment` | Sets the phase adjustment of the PPS Out signal. You can set a value between 0 and 1000000000. The default value is 0.| -| `pin-index` | Sets the pin index. You can set a value of 1 or 0. The default value is 0.| +| `pin-index` | Sets the pin index. The default value is 1. NVIDIA switches only support pin 1.| | `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| {{< tabs "TabID592 ">}} @@ -645,14 +693,27 @@ The following example configures PPS Out and sets: - The frequency-adjustment of the PPS Out signal to 2147483647. ``` -# pps out is enabled -PTP_DEV=/dev/ptp1 -CACHE_FILE=/var/run/pps_out +# Configuration file used for the pps_out.service +# It is shell formatted and the file is source'd by the service + +# Set the PTP device to source our PPS from. +# If not specified, the service will find the first device with a clock name "sx_ptp". +PTP_DEV=/dev/ptp1 + +# Set the pin index on the PPS device to send on. +# On the NVIDIA systems, only pin 1 (0-based) is supported OUT_PIN=1 + OUT_CHANNEL=1 -PULSE_FREQ= 2147483647 -PULSE_WIDTH= 999000000 -PULSE_PHASE= 1000000000 + +# Set the file where to cache the last started values. +# This is used primarily in the "stop" operation to know what to clean up. +CACHE_FILE=/var/run/pps_out + +# Set the out pulse charateristics for frequency and width +PULSE_FREQ=2147483647 +PULSE_WIDTH=999000000 +PULSE_PHASE=1000000000 ``` {{< /tab >}} diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index d5e87ef3ec..f42891dabb 100644 
--- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -21,7 +21,6 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} -- {{}} forwarding profile - {{}} - NVUE enhancements include: - {{}} @@ -39,9 +38,9 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Show commands to show the IP neighbor table and set commands to create an IP neighbor table entry for an interface - Enhanced {{}} command output now in table format - Improvements to adaptive-routing link-utilization-threshold{{}} - - FRR now restarts only when you change the FRR daemon file, change the BGP ASN, remove the default instance, disable the SNMP server (with agentx configuration present). + - FRR now restarts only when you enable or disable a routing protocol, change the BGP ASN, or disable the SNMP server. -{{< expand "Commands that now reload switchd instead of restarting switchd" >}} +{{< expand "Commands that no longer require a switchd restart" >}} ``` nv set/unset system acl mode non-atomic From 7ddbec38083d272968edf833d1a2c1a9588616b2 Mon Sep 17 00:00:00 2001 From: cstizza <105511174+cstizza@users.noreply.github.com> Date: Wed, 29 Nov 2023 10:01:41 -0500 Subject: [PATCH 070/204] Update Basic-Configuration.md Fixed typo in the config sample. --- .../Basic-Configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 3bc1e47072..4a04c3efc3 100644 --- a/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -275,7 +275,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` From 610ecc9a8461589325eacff7d72ee8c7b90c07ed Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Wed, 29 Nov 2023 11:11:42 -0500 Subject: [PATCH 071/204] updated custom signed certs --- .../Install-a-Custom-Signed-Certificate.md | 76 +++++++++++-------- .../Install-a-Custom-Signed-Certificate.md | 12 +-- 2 files changed, 46 insertions(+), 42 deletions(-) diff --git a/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md b/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md index 6d8aa94deb..018c63a80c 100644 --- a/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md +++ b/content/cumulus-netq-47/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md 
@@ -8,7 +8,7 @@ toc: 3 When you first log in to the NetQ UI via an on-premises deployment, your browser will display a warning indicating that the default certificate is not trusted. You can avoid this warning by installing your own signed certificate using the steps outlined on this page. The self-signed certificate is sufficient for non-production environments or cloud deployments. {{%notice note%}} -If you already have a certificate installed and want to change or update it, run the `kubectl delete secret netq-gui-ingress-tls [name] --namespace default` command. +If you already have a certificate installed and want to change or update it, run the `kubectl delete secret netq-gui-ingress-tls [name] --namespace default` command before following the steps outlined in this section. After making your updates, restart nginx with the `kubectl delete pod -l app.kubernetes.io/name=ingress-nginx --namespace ingress-nginx` command. {{%/notice%}} You need the following items to perform the certificate installation: @@ -30,7 +30,7 @@ You need the following items to perform the certificate installation: 1. Log in to the NetQ VM via SSH and copy your certificate and key file there. -1. Generate a Kubernetes secret called `netq-gui-ingress-tls`: +2. Generate a Kubernetes secret called `netq-gui-ingress-tls`: ``` cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \ @@ -39,7 +39,7 @@ You need the following items to perform the certificate installation: --cert .crt ``` -1. Verify that you created the secret successfully: +3. Verify that you created the secret successfully: ``` cumulus@netq-ts:~$ kubectl get secret 
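Review bot: In the notice at the top of this file, `kubectl delete secret netq-gui-ingress-tls [name] --namespace default` gives both the literal secret name and a `[name]` placeholder, so a reader cannot tell whether a second argument is expected; drop `[name]` or explain it. The added wording "before following the steps outlined in this section" also means the ingress rules that reference `secretName: netq-gui-ingress-tls` point at a secret that does not exist from the delete until step 2 recreates it. Either say so in the notice or move the delete to immediately before the `kubectl create secret tls` step so the gap is as short as possible.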
@@ -48,9 +48,9 @@ You need the following items to perform the certificate installation: netq-gui-ingress-tls kubernetes.io/tls 2 5s ``` -1. Update the ingress rule file to install self-signed certificates. +4. Update the ingress rule file to install self-signed certificates. - 1. Create a new file called `ingress.yaml`. + 1. Create a new file called `ingress.yaml` 2. Copy and add the following content to the file: @@ -90,7 +90,7 @@ You need the following items to perform the certificate installation: ``` 3. Replace `` with the FQDN of the NetQ VM.

-1. Apply the new rule: +5. Apply the new rule: ``` cumulus@netq-ts:~$ kubectl apply -f ingress.yaml @@ -99,42 +99,54 @@ You need the following items to perform the certificate installation: The message above appears if your ingress rule is successfully configured. -1. Configure the NetQ API to use the new certificate. +6. Configure the NetQ API to use the new certificate by updating the Swagger ingress rule file. - Edit the `netq-swagger-ingress-external` service: + 1. Create a new file called `swagger-ingress.yaml` - ``` - kubectl edit ingress netq-swagger-ingress-external - ``` - - Add the `tls:` section in the `spec:` stanza, referencing your configured hostname and the `netq-gui-ingress-tls` secretName: + 2. Copy and add the following content to the file: ``` + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "300" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/proxy-send-timeout: "300" + nginx.ingress.kubernetes.io/proxy-body-size: 10g + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" + name: netq-swagger-ingress-external + namespace: default spec: - rules: - - host: - http: - paths: - - backend: - serviceName: swagger-ui - servicePort: 8080 - path: /swagger(/|$)(.*) - tls: - - hosts: - - - secretName: netq-gui-ingress-tls + ingressClassName: ingress-nginx-class + rules: + - host: + http: + paths: + - path: "/swagger" + pathType: Prefix + backend: + service: + name: swagger-ui + port: + number: 8080 + tls: + - hosts: + - + secretName: netq-gui-ingress-tls ``` + 3. Replace `` with the FQDN of the NetQ VM.
+
+7. Apply the new rule: - After saving your changes, delete the current swagger-ui pod to restart the service: - - ``` - cumulus@netq-ts:~$ kubectl delete pod -l app=swagger-ui - pod "swagger-ui-deploy-69cfff7b45-cj6r6" deleted - ``` + ``` + cumulus@netq-ts:~$ kubectl apply -f swagger-ingress.yaml + ``` + {{}} {{}} Your custom certificate should now be working. Verify this by opening the NetQ UI at `https://` in your browser. - diff --git a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md index e6c8dd2f15..79aa746919 100644 --- a/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md +++ b/content/cumulus-netq-48/Installation-Management/Configure-Integrations/Install-a-Custom-Signed-Certificate.md 
@@ -8,7 +8,7 @@ toc: 3 When you first log in to the NetQ UI via an on-premises deployment, your browser will display a warning indicating that the default certificate is not trusted. You can avoid this warning by installing your own signed certificate using the steps outlined on this page. The self-signed certificate is sufficient for non-production environments or cloud deployments. {{%notice note%}} -If you already have a certificate installed and want to change or update it, run the `kubectl delete secret netq-gui-ingress-tls [name] --namespace default` command. After making your updates, restart nginx with the `kubectl delete pod -l app.kubernetes.io/name=ingress-nginx --namespace ingress-nginx` command. +If you already have a certificate installed and want to change or update it, run the `kubectl delete secret netq-gui-ingress-tls [name] --namespace default` command before following the steps outlined in this section. After making your updates, restart nginx with the `kubectl delete pod -l app.kubernetes.io/name=ingress-nginx --namespace ingress-nginx` command. {{%/notice%}} You need the following items to perform the certificate installation: @@ -149,12 +149,4 @@ You need the following items to perform the certificate installation: {{}} -Your custom certificate should now be working. Verify this by opening the NetQ UI at `https://` in your browser. - - \ No newline at end of file +Your custom certificate should now be working. Verify this by opening the NetQ UI at `https://` in your browser. \ No newline at end of file From f0f6112c09366e02b350d17768812a752a2a2bc9 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 08:57:21 -0800 Subject: [PATCH 072/204] nv set system control-plane policer lldp change --- .../Date-and-Time/Precision Time Protocol-PTP.md | 2 +- .../Date-and-Time/Precision Time Protocol-PTP.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 35976e38f7..d64f526584 100644 --- a/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -1044,7 +1044,7 @@ Cumulus Linux supports the following predefined profiles: - You cannot set global PTP parameters in a profile currently in use. - PTP profiles do not support VLANs or bonds. - If you set a predefined or custom profile, do not change any global PTP settings, such as the [DSCP](## "DiffServ code point") or the clock domain. -- For better performance in a high scale network with PTP on multiple interfaces, configure a higher system policer rate with the `nv set system control-plane policer lldp burst ` and `nv set system control-plane policer lldp rate ` commands. The switch uses the LLDP policer for PTP protocol packets. The default value for the LLDP policer is 2500. When you use the ITU 8275.1 profile with higher sync rates, use higher policer values. +- For better performance in a high scale network with PTP on multiple interfaces, configure a higher system policer rate with the `nv set system control-plane policer lldp-ptp burst ` and `nv set system control-plane policer lldp-ptp rate ` commands. The switch uses the LLDP policer for PTP protocol packets. The default value for the LLDP policer is 2500. When you use the ITU 8275.1 profile with higher sync rates, use higher policer values. {{%/notice%}} ### Set a Predefined Profile diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index d1c2adf100..1e421602ce 100644 
--- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -1280,7 +1280,7 @@ Cumulus Linux supports the following predefined profiles: - You cannot set global PTP parameters in a profile currently in use. - PTP profiles do not support VLANs or bonds. - If you set a predefined or custom profile, do not change any global PTP settings, such as the [DSCP](## "DiffServ code point") or the clock domain. -- For better performance in a high scale network with PTP on multiple interfaces, configure a higher system policer rate with the `nv set system control-plane policer lldp burst ` and `nv set system control-plane policer lldp rate ` commands. The switch uses the LLDP policer for PTP protocol packets. The default value for the LLDP policer is 2500. When you use the ITU 8275.1 profile with higher sync rates, use higher policer values. +- For better performance in a high scale network with PTP on multiple interfaces, configure a higher system policer rate with the `nv set system control-plane policer lldp-ptp burst ` and `nv set system control-plane policer lldp-ptp rate ` commands. The switch uses the LLDP policer for PTP protocol packets. The default value for the LLDP policer is 2500. When you use the ITU 8275.1 profile with higher sync rates, use higher policer values. {{%/notice%}} ### Set a Predefined Profile From 7e549f6604f5f560abbff91f112b41ee0f4a34b8 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 09:06:24 -0800 Subject: [PATCH 073/204] update 5.7 --- .../Basic-Configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index d009e38cbc..85ee22c210 100644 
--- a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -275,7 +275,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` From d4e8a1d70e8f9add4fb76e0659a88fc663f97b5c Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 09:24:47 -0800 Subject: [PATCH 074/204] update all ugs --- .../Basic-Configuration.md | 4 ++-- .../Basic-Configuration.md | 4 ++-- .../Basic-Configuration.md | 4 ++-- .../Basic-Configuration.md | 4 ++-- .../Basic-Configuration.md | 4 ++-- .../Basic-Configuration.md | 4 ++-- .../Basic-Configuration.md | 4 ++-- .../Basic-Configuration.md | 2 +- .../Basic-Configuration.md | 2 +- 9 files changed, 16 insertions(+), 16 deletions(-) diff --git a/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 97443871f6..c8f3a6324b 100644 --- a/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -365,7 +365,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` 
@@ -381,7 +381,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit diff --git a/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 3b19c79fcb..e831a6eaea 100644 --- a/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -289,7 +289,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` @@ -305,7 +305,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit diff --git a/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 3b19c79fcb..e831a6eaea 100644 --- a/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -289,7 +289,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` @@ -305,7 +305,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit diff --git a/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 3b19c79fcb..e831a6eaea 100644 --- a/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -289,7 +289,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` @@ -305,7 +305,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit diff --git a/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 3bc1e47072..d7142cd91c 100644 
--- a/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -275,7 +275,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` @@ -291,7 +291,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit diff --git a/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 3bc1e47072..d7142cd91c 100644 --- a/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -275,7 +275,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` @@ -291,7 +291,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit 
diff --git a/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 3bc1e47072..d7142cd91c 100644 --- a/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -275,7 +275,7 @@ router bgp 65101 bgp router-id 10.10.10.1 neighbor swp51 interface remote-as external address-family l2vpn evpn -neighbor swp1 activate +neighbor swp51 activate advertise-all-vni ... ``` @@ -291,7 +291,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit diff --git a/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 4a04c3efc3..d7142cd91c 100644 --- a/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -291,7 +291,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01)# write memory spine01)# exit 
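Review bot: The trailing context of this hunk still shows `spine01)# write memory` and `spine01)# exit`, a malformed prompt with a stray `)`, while the 5.7 copy of the same block reads `spine01# write memory`. This commit already edits the block in every release directory, so correct the prompt in the 4.4 through 5.6 copies in the same pass rather than leaving the two lines directly under the fixed `neighbor swp1 activate` line wrong.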
diff --git a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 85ee22c210..80e6a158c8 100644 --- a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md @@ -291,7 +291,7 @@ spine01(config)# router bgp 65199 spine01(config-router)# bgp router-id 10.10.10.101 spine01(config-router)# neighbor swp1 interface remote-as external spine01(config-router)# address-family l2vpn evpn -spine01(config-router-af)# neighbor swp51 activate +spine01(config-router-af)# neighbor swp1 activate spine01(config-router-af)# end spine01# write memory spine01# exit From bce2ea96eedd98265308f96ea21abe089f35d660 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 09:54:50 -0800 Subject: [PATCH 075/204] update what's new --- content/cumulus-linux-57/Whats-New/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index f42891dabb..e39f708bd2 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -37,7 +37,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - Show commands to see the {{}} and {{}} - Show commands to show the IP neighbor table and set commands to create an IP neighbor table entry for an interface - Enhanced {{}} command output now in table format - - Improvements to adaptive-routing link-utilization-threshold{{}} + - Improvements to {{}} - FRR now restarts only when you enable or disable a routing protocol, change the BGP ASN, or disable the SNMP server. {{< expand "Commands that no longer require a switchd restart" >}} 
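Review bot: The context bullet directly below the changed line says FRR restarts when you "disable the SNMP server" with no condition, but the two warnings added to Configure-SNMP.md earlier in this series do not agree with it or with each other: one ties the restart to `nv set service snmp-server enable off`, the other to disabling the SNMP server "with AgentX enabled". Confirm whether AgentX is a precondition and make all three statements match, since operators will read them to decide whether a change can affect traffic.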
From b5176fa8b28e4b66d98886b1c7ec5f5924fb3573 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 10:21:09 -0800 Subject: [PATCH 076/204] rn generation for 4.3.2 --- .github/workflows/build_rns.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_rns.yml b/.github/workflows/build_rns.yml index 151004fc16..e47cc43850 100644 --- a/.github/workflows/build_rns.yml +++ b/.github/workflows/build_rns.yml @@ -3,7 +3,7 @@ name: 'Release Note Publisher' on: push: branches: - - rn-stage + - stage jobs: release-notes: From 34ad02a14606cc547eba2b250772532d488106cf Mon Sep 17 00:00:00 2001 
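Review bot: The subject "rn generation for 4.3.2" does not match what the hunk in `.github/workflows/build_rns.yml` does, which is to retarget the `push` trigger of the Release Note Publisher from `rn-stage` to `stage`, so the job now runs on every push to `stage` and not only when release notes are staged. If the intent is a one-off regeneration for 4.3.2, a `workflow_dispatch` trigger or a revert after the run is the narrower change; if the retarget is permanent, the commit message should say so. The next commit in the series is an automated release note commit touching 47 files, so also confirm that a job which commits its own output cannot re-trigger itself on the branch it now watches.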
From: cumulusAnia Date: Wed, 29 Nov 2023 18:23:10 +0000 Subject: [PATCH 077/204] Automated release note commit --- content/cumulus-linux-37/Whats-New/rn.md | 148 +- content/cumulus-linux-37/rn.xml | 228 +- content/cumulus-linux-43/Whats-New/rn.md | 425 +++- content/cumulus-linux-43/rn.xml | 2375 +++++++++++++++++- content/cumulus-linux-44/Whats-New/rn.md | 240 +- content/cumulus-linux-44/rn.xml | 1106 +------- content/cumulus-linux-50/Whats-New/rn.md | 24 +- content/cumulus-linux-50/rn.xml | 48 +- content/cumulus-linux-51/Whats-New/rn.md | 17 +- content/cumulus-linux-51/rn.xml | 30 +- content/cumulus-linux-52/Whats-New/rn.md | 26 +- content/cumulus-linux-52/rn.xml | 52 +- content/cumulus-linux-53/Whats-New/rn.md | 34 +- content/cumulus-linux-53/rn.xml | 84 +- content/cumulus-linux-54/Whats-New/rn.md | 21 +- content/cumulus-linux-54/rn.xml | 62 +- content/cumulus-linux-55/Whats-New/rn.md | 37 +- content/cumulus-linux-55/rn.xml | 176 +- content/cumulus-linux-56/Whats-New/rn.md | 29 +- content/cumulus-linux-56/rn.xml | 172 +- content/cumulus-netq-24/More-Documents/rn.md | 4 +- content/cumulus-netq-24/rn.xml | 4 +- content/cumulus-netq-30/More-Documents/rn.md | 4 +- content/cumulus-netq-30/rn.xml | 4 +- content/cumulus-netq-31/More-Documents/rn.md | 6 +- content/cumulus-netq-31/rn.xml | 6 +- content/cumulus-netq-32/Whats-New/rn.md | 14 +- content/cumulus-netq-32/rn.xml | 14 +- content/cumulus-netq-33/Whats-New/rn.md | 24 +- content/cumulus-netq-33/rn.xml | 24 +- content/cumulus-netq-40/Whats-New/rn.md | 20 +- content/cumulus-netq-40/rn.xml | 20 +- content/cumulus-netq-41/Whats-New/rn.md | 38 +- content/cumulus-netq-41/rn.xml | 38 +- content/cumulus-netq-42/Whats-New/rn.md | 22 +- content/cumulus-netq-42/rn.xml | 22 +- content/cumulus-netq-43/Whats-New/rn.md | 30 +- content/cumulus-netq-43/rn.xml | 30 +- content/cumulus-netq-44/Whats-New/rn.md | 44 +- content/cumulus-netq-44/rn.xml | 44 +- content/cumulus-netq-45/Whats-New/rn.md | 26 +- content/cumulus-netq-45/rn.xml | 
26 +- content/cumulus-netq-46/Whats-New/rn.md | 2 +- content/cumulus-netq-46/rn.xml | 4 +- content/cumulus-netq-47/Whats-New/rn.md | 2 +- content/cumulus-netq-47/rn.xml | 4 +- content/cumulus-netq-48/rn.xml | 44 +- 47 files changed, 3790 insertions(+), 2064 deletions(-) diff --git a/content/cumulus-linux-37/Whats-New/rn.md b/content/cumulus-linux-37/Whats-New/rn.md index 14f80e1b5c..bc42649770 100644 --- a/content/cumulus-linux-37/Whats-New/rn.md +++ b/content/cumulus-linux-37/Whats-New/rn.md @@ -14,8 +14,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
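Review bot: The new 3418046 row in this hunk (@@ -14,8 +14,8 @@) leaves releases 5.0.0-5.4.0 in neither column. Affects shrinks from `3.7.0-5.4.0` to `3.7.0-4.3.1`, while Fixed becomes `4.3.2-4.4.5, 5.5.0-5.6.0`, so the 5.x releases before the 5.5.0 fix are no longer shown as affected. If they still are, Affects should read something like `3.7.0-4.3.1, 5.0.0-5.4.0`. The 3376798 row has the opposite effect: collapsing `3.7.0-3.7.16, 4.3.1-4.4.5` into `3.7.0-4.3.1` now marks 4.0.0-4.3.0 as affected, which the old row excluded. Please confirm both against the issue tracker before this is published.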
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -67,7 +67,7 @@ pdfhidden: True | [2656291](#2656291)
| The following CVEs affect the linux kernel package:
CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
For the detailed security status of linux, refer to its security tracker page at:
https://security-tracker.debian.org/tracker/linux | 3.7.12-3.7.16 | 4.0.0-4.4.5| | [2653400](#2653400)
None | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | | | [2652003](#2652003)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-4.3.0 | 4.3.1-4.4.5| -| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.1 | 4.4.0-4.4.5| +| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.2 | 4.4.0-4.4.5| | [2638137](#2638137)
| When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | | | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | | [2607965](#2607965)
| On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found. | 3.7.14.2-3.7.16 | | @@ -75,7 +75,7 @@ pdfhidden: True | [2556037](#2556037)
CM-33012 | After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| | [2555908](#2555908)
CM-32940 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
CM-32750 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | +| [2555175](#2555175)
CM-32528 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554785](#2554785)
CM-32275 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554709](#2554709)
CM-32217 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | | | [2554588](#2554588)
CM-32149 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}" 
to:
DHCPD_PID="-pf {1}"
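Review bot: In the 2555175 row of this hunk (@@ -75,7 +75,7 @@), the Affects value changes from two disjoint ranges, `3.7.15-3.7.16, 4.2.1-4.4.5`, to a single `3.7.15-4.3.1`, which newly lists 4.0.0-4.2.0 as affected. If those releases were excluded on purpose, keep the ranges disjoint (for example `3.7.15-3.7.16, 4.2.1-4.3.1`). The added sentence "Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps" also reads as guidance rather than a fix. The neighbouring rows introduce such text with "To work around this issue", and using the same lead-in would make clear whether the fix in 4.3.2 removes the need for it.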
| 3.7.13-4.2.1 | 4.3.0-4.4.5| @@ -115,7 +115,7 @@ pdfhidden: True | [2549782](#2549782)
CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2549731](#2549731)
CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | | [2549472](#2549472)
CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2549307](#2549307)
| The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2548962](#2548962)
CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2548930](#2548930)
CM-29148 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| @@ -308,7 +308,7 @@ pdfhidden: True | [2699464](#2699464)
| In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on
The problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | | | [2690100](#2690100)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!
To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.3.0 | | | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | | -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | | +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | | | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | | | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | | | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
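Review bot: The 2679950 (CVE-2021-25217) row in this hunk (@@ -308,7 +308,7 @@) extends Affects to `4.0.0-4.3.2`, but the only fixed package the cell names is the `4.3.1-6-cl3.7.16u1` build, and the Fixed column stays empty. The same issue in the hunk at @@ -448,7 +448,7 @@ lists `3.7.16, 4.4.0-4.4.5` as fixed. A reader on 4.3.2 cannot tell from this row which release or package version closes the dhclient/dhcpd length-check bug. Either fill the Fixed column here as well or name the fixed package version for the 4.x line in the description.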
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | | @@ -332,8 +332,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -448,7 +448,7 @@ pdfhidden: True | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -464,7 +464,7 @@ pdfhidden: True | [2653521](#2653521)
| CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331: Several security vulnerabilities were discovered in libwebp, a lossy compression library for digital photographic images. Heap-based buffer overflows may lead to a denial-of-service or potentially the execution of arbitrary code
Vulnerable: 0.4.1-1.2Fixed: 0.4.1-1.2+deb8u1 | 3.7.0-3.7.15 | 3.7.16| | [2653400](#2653400)
None | When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | | | [2652003](#2652003)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static FDB entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-4.3.0 | 4.3.1-4.4.5| -| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.1 | 4.4.0-4.4.5| +| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.2 | 4.4.0-4.4.5| | [2646974](#2646974)
| The following vulnerabilities have been announced in bind9:CVE-2021-25214: a malformed incoming IXFR transfercould trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.9.5.dfsg-9+deb8u21Fixed: 9.9.5.dfsg-9+deb8u22 | 3.7.0-3.7.15 | 3.7.16| | [2646968](#2646968)
| CVE-2021-20312: A flaw was found in ImageMagick, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. This could lead to a denial-of-service
Vulnerable: <= 6.8.9.9-5+deb8u23Fixed: 6.8.9.9-5+deb8u24 | 3.7.0-3.7.15 | 3.7.16| | [2645846](#2645846)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5| @@ -477,7 +477,7 @@ pdfhidden: True | [2556037](#2556037)
CM-33012 | After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| | [2555908](#2555908)
CM-32940 | If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
CM-32750 | In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | +| [2555175](#2555175)
CM-32528 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554785](#2554785)
CM-32275 | After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554709](#2554709)
CM-32217 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | | | [2554588](#2554588)
CM-32149 | If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}" 
to:
DHCPD_PID="-pf {1}"
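Review bot: The 2554785 workaround carried as context in this hunk (@@ -477,7 +477,7 @@) spells the kernel option `ntel_iommu=off` in its first sentence, while step 2 uses `intel_iommu=off`. Since this file is being regenerated anyway, fix the typo in the source record so that nobody copies the misspelled option into `GRUB_CMDLINE_LINUX`. The same text appears in the context of the hunk at @@ -75,7 +75,7 @@.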
| 3.7.13-4.2.1 | 4.3.0-4.4.5| @@ -517,7 +517,7 @@ pdfhidden: True | [2549782](#2549782)
CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2549731](#2549731)
CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | | [2549472](#2549472)
CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2549307](#2549307)
| The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2548962](#2548962)
CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2548930](#2548930)
CM-29148 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| @@ -641,7 +641,7 @@ pdfhidden: True | Issue ID | Description | Affects | |--- |--- |--- | | [2635951](#2635951)
| The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | | -| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | | +| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | | | [2617009](#2617009)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | | | [2617008](#2617008)
| CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | | | [2617007](#2617007)
| CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | | @@ -655,12 +655,12 @@ pdfhidden: True | [2589570](#2589570)
| The following denial-of-service vulnerability has been announced in Pygments, a syntax highlighting library for Python:CVE-2021-27291: A number of regular expressions had exponential or cubic worst-case complexity which could cause a remote denial of service (DoS) when provided with malicious input
Vulnerable: <= 2.0.1+dfsg-1.1+deb8u2Fixed: 2.0.1+dfsg-1.1+deb8u3 | 3.7.0-3.7.14.2 | | | [2589567](#2589567)
| The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | | | [2574294](#2574294)
| CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context
Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | | -| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | | +| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | | | [2562511](#2562511)
| hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-Requests
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | | | [2562396](#2562396)
| CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified.
CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read.
CVE-2020-27845: Crafted input can cause out-of-bounds-read.
Vulnerable: <= 2.1.0-2+deb8u11
Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | | | [2562301](#2562301)
| CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: <= 4.2.1-3+deb8u1
Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | | | [2556815](#2556815)
CM-33419 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0 | | -| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | | +| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | | | [2556780](#2556780)
CM-33397 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u9
Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | | | [2556779](#2556779)
CM-33396 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation.
Vulnerable: <= 9.9.5.dfsg-9+deb8u20
Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | | | [2556763](#2556763)
CM-33385 | In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 | | @@ -707,8 +707,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
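Review bot: The new 3418046 row narrows Affects from `3.7.0-5.4.0` to `3.7.0-4.3.1` but still lists `5.5.0-5.6.0` in the Fixed column, so releases 5.0.0 through 5.4.0 now appear in neither column even though the removed row counted them as affected. If those releases are still affected, list both ranges, for example `3.7.0-4.3.1, 5.0.0-5.4.0`, so that a reader on a 5.x release before 5.5.0 can tell the MLAG reconnect delay applies to them.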
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -783,7 +783,7 @@ pdfhidden: True | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -804,7 +804,7 @@ pdfhidden: True | [2638137](#2638137)
| When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | | | [2635951](#2635951)
| The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | -| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2617009](#2617009)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2617008](#2617008)
| CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2617007](#2617007)
| CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| @@ -819,13 +819,13 @@ pdfhidden: True | [2589567](#2589567)
| The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2581473](#2581473)
| When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16| | [2574294](#2574294)
| CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context
Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| -| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2562511](#2562511)
| hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-Requests
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16| | [2562396](#2562396)
| CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified.
CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read.
CVE-2020-27845: Crafted input can cause out-of-bounds-read.
Vulnerable: <= 2.1.0-2+deb8u11
Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2562347](#2562347)
| When you bring VXLAN interfaces up and down physically or administratively, the MTU for the SVIs changes to 1550 (the default value). | 3.7.14.2-3.7.16 | | | [2562301](#2562301)
| CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: <= 4.2.1-3+deb8u1
Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2556815](#2556815)
CM-33419 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| -| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2556780](#2556780)
CM-33397 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u9
Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2556779](#2556779)
CM-33396 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation.
Vulnerable: <= 9.9.5.dfsg-9+deb8u20
Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2556763](#2556763)
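Review bot: The 2556782 row (CVE-2021-0326) now extends Affects to `4.0.0-4.3.2`, but its description still reads `Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1` and, unlike the neighbouring CVE rows, carries no `Fixed:` package version. The Fixed column names 3.7.15-3.7.16 and 4.4.0-4.4.5, so add the fixed wpa package versions to the description and check that the 4.x bound in the Vulnerable line still matches an affected range that ends at 4.3.2.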
CM-33385 | In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| @@ -899,7 +899,7 @@ pdfhidden: True | [2549782](#2549782)
CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2549731](#2549731)
CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | | [2549472](#2549472)
CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2549307](#2549307)
| The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2549226](#2549226)
CM-29259 | You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548962](#2548962)
CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5| @@ -1037,8 +1037,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
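Review bot: In the 3376798 row, Affects changes from the two ranges `3.7.0-3.7.16, 4.3.1-4.4.5` to the single range `3.7.0-4.3.1`, which now also covers 4.0.0 through 4.3.0, releases the removed row did not list. Please confirm that those releases show the switchd restart problem on Broadcom switches; if they do not, keep the ranges split as `3.7.0-3.7.16, 4.3.1` next to the new Fixed value `4.3.2-4.4.5`.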
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -1106,7 +1106,7 @@ pdfhidden: True | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -1126,7 +1126,7 @@ pdfhidden: True | [2638137](#2638137)
| When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | | | [2635951](#2635951)
| The following vulnerability has been announced for the libgstreamer-plugins-base1.0-0 package. There is no CVE number yet; the Debian advisory number is ELA-412-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: <= 1.4.4-2+deb8u2Fixed: 1.4.4-2+deb8u3 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | -| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2617009](#2617009)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.7.0~dfsg-1Fixed: 1.7.0~dfsg-1+deb8u1 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2617008](#2617008)
| CVE-2021-28831: The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data
Vulnerable: <= 1.22.0-9+deb8u4Fixed: 1.22.0-9+deb8u5 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2617007](#2617007)
| CVE-2021-3443 CVE-2021-3467: Two issues have been found in jasper, a JPEG-2000 runtime library. Both issues are related to jpeg 2000 decoding, where a null pointer dereference and a missing check of valid component numbers referenced by CDEF box, could be exploited
Vulnerable: <= 1.900.1-debian1-2.4+deb8u9Fixed: 1.900.1-debian1-2.4+deb8u10 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| @@ -1140,12 +1140,12 @@ pdfhidden: True | [2589567](#2589567)
| The following vulnerabilities have been announced in Pillow, a Python imaging library, which can be used to cause a denial-of-service attack with crafted image files:CVE-2020-35653: PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations
CVE-2021-25290: In TiffDecode.c, there is a negative-offset memcpy with an invalid size
Vulnerable: <= 2.6.1-2+deb8u5FIxed: 2.6.1-2+deb8u6 | 3.7.0-3.7.14.2 | 3.7.15-3.7.16| | [2581473](#2581473)
| When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | 3.7.16| | [2574294](#2574294)
| CVE-2021-3410: A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context
Vulnerable: <= 0.99.beta19-2+deb8u1Fixed: 0.99.beta19-2+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| -| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2562511](#2562511)
| hostapd does not fail over to secondary RADIUS servers for 802.1x authentication when the primary radius is reachable but not responding to Access-Requests
If the primary RADIUS server is having a problem servicing requests, you can remove it from the configuration temporarily to force requests to be sent to alternate servers. | 3.7.10-3.7.14.2 | 3.7.15-3.7.16| | [2562396](#2562396)
| CVE-2020-27824: Global buffer overflow on irreversible conversion when too many decomposition levels are specified.
CVE-2020-27841: Crafted input to be processed by the openjpeg encoder could cause an out-of-bounds read.
CVE-2020-27845: Crafted input can cause out-of-bounds-read.
Vulnerable: <= 2.1.0-2+deb8u11
Fixed: 2.1.0-2+deb8u12 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2562301](#2562301)
| CVE-2021-26937: encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Vulnerable: <= 4.2.1-3+deb8u1
Fixed: 4.2.1-3+deb8u2 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2556815](#2556815)
CM-33419 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| -| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2556780](#2556780)
CM-33397 | CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.40+dfsg-1+deb8u9
Fixed: 2.4.40+dfsg-1+deb8u10 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2556779](#2556779)
CM-33396 | CVE-2020-8625: Buffer overflow attack in the bind9 DNS server caused by an issue in the GSSAPI (“Generic Security Services”) security policy negotiation.
Vulnerable: <= 9.9.5.dfsg-9+deb8u20
Fixed: 9.9.5.dfsg-9+deb8u21 | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2556763](#2556763)
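Review bot: The 2556782 (CVE-2021-0326) row now extends Affects to `4.0.0-4.3.2`, but its package line still lists only `Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1` and has no `Fixed:` version, unlike the neighbouring 2628515 row. Since the row is being touched anyway, add the fixed package version. Also confirm that the `cl4.2.1u1` bound still describes what ships in 4.3.2, so that readers can check an installed package against the table.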
CM-33385 | In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| @@ -1227,7 +1227,7 @@ pdfhidden: True | [2549782](#2549782)
CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2549731](#2549731)
CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | | [2549472](#2549472)
CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2549307](#2549307)
| The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2549226](#2549226)
CM-29259 | You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548962](#2548962)
CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5| @@ -1417,8 +1417,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
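Review bot: In the 3418046 row, the new Affects value `3.7.0-4.3.1` drops the 5.x releases while Fixed still ends with `5.5.0-5.6.0`. The removed line had Affects `3.7.0-5.4.0`, so after this change 5.0.0-5.4.0 is listed as neither affected nor fixed. If those releases are still affected, Affects should read `3.7.0-4.3.1, 5.0.0-5.4.0`. If they are not, the `5.5.0-5.6.0` entry in Fixed needs an explanation or should be removed.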
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -1486,7 +1486,7 @@ pdfhidden: True | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -1606,7 +1606,7 @@ pdfhidden: True | [2549782](#2549782)
CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2549731](#2549731)
CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | | [2549472](#2549472)
CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2549307](#2549307)
| The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2549226](#2549226)
CM-29259 | You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548962](#2548962)
CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5| @@ -1799,8 +1799,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
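Review bot: In the 3376798 row, Affects changes from `3.7.0-3.7.16, 4.3.1-4.4.5` to `3.7.0-4.3.1`, which newly marks 4.0.0-4.3.0 as affected and moves 4.3.2-4.4.5 from affected to fixed in one step, while the description is unchanged. Please confirm that 4.0.0-4.3.0 really is affected and that the fix landed in 4.3.2, because the old row did not list those earlier 4.x releases at all.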
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -1867,7 +1867,7 @@ pdfhidden: True | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
aggregate-address 10.10.0.0/16 summary-only
redistribute connected
After:
ip route 10.10.0.0/16 Null0
!
address-family ipv4 unicast
redistribute connected route-map DENY-COMPONENTS
redistribute static
exit-address-family
ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
!
route-map DENY-COMPONENTS deny 10
match ip address prefix-list NO-COMPONENTS
!
route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
{
"vxlan": {
"module_globals": { "vxlan-purge-remotes": "no" },
"defaults": {
"vxlan-ageing": "1800",
"vxlan-port": "4789", <==== This comma needs to be added at the end of this line
"vxlan-learning": "off" <= This line needs to be added
}
}
}
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -1985,7 +1985,7 @@ pdfhidden: True | [2549676](#2549676)
CM-29471 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1.
To work around this issue, revert the configuration change. | 3.7.10-4.1.1 | 4.2.0-4.4.5| | [2549472](#2549472)
CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2549397](#2549397)
CM-29322 | When the BGP Multi-protocol Unreach NLRI attribute is received in a BGP update without a next hop attribute, the BGP session is brought down unexpectedly. RFC 4760 defines that the next-hop attribute is not required for updates containing MP_UNREACH_NLRI. | 3.7.12 | 3.7.13-3.7.16, 4.0.0-4.4.5| -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2549307](#2549307)
| The following vulnerabilities affect git, which is available in the repository for optional installation:
CVE-2020-5260: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
CVE-2020-11008: Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2549226](#2549226)
CM-29259 | You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548962](#2548962)
CM-29165 | With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5| @@ -2180,8 +2180,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -2234,7 +2234,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -2288,7 +2288,7 @@ pdfhidden: True | [2549794](#2549794)
CM-29525 | The asic-monitor.service fails when you configure /etc/cumulus/datapath/monitor.conf with monitor.histogram_pg.collect.port_group_list = [all_packet_pg] and there is traffic passing through the buffer. When the service fails, you see the following traceback in journalctl:

asic-monitor[7389]: asic-monitor-module INFO: 2020-05-01 18:28:12.548734: Egress queue(s) greater than 500 bytes in monitor port group histogram_pg
asic-monitor[7389]: asic-monitor ERROR: ASIC monitor exception: sx_api_port_counter_tc_get failed: Parameter Error
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 139, in
asic-monitor[7389]: main(sys.argv[1:])
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 126, in main
asic-monitor[7389]: traceback.print_stack()
asic-monitor[7389]: Traceback (most recent call last):
asic-monitor[7389]: File "/usr/bin/asic-monitor", line 117, in main
asic-monitor[7389]: monitor.run()
asic-monitor[7389]: File "/usr/lib/python2.7/dist-packages/cumulus/asic_monitor.py", line 158, in run
...
| 3.7.11-3.7.13, 4.1.1-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2549676](#2549676)
CM-29471 | After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1.
To work around this issue, revert the configuration change. | 3.7.10-4.1.1 | 4.2.0-4.4.5| | [2549472](#2549472)
CM-29367 | On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2548930](#2548930)
CM-29148 | On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548746](#2548746)
CM-29068 | On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548673](#2548673)
CM-29044 | A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-4.1.1 | 4.2.0-4.4.5| @@ -2530,8 +2530,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -2584,7 +2584,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -2818,8 +2818,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -2871,7 +2871,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -3117,8 +3117,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -3170,7 +3170,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -3368,8 +3368,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -3421,7 +3421,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -3657,8 +3657,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -3710,7 +3710,7 @@ pdfhidden: True | [2705168](#2705168)
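Review bot: In the 3418046 row of the hunk at -3657, the new Affects value `3.7.0-4.3.1` no longer covers any 5.x release, yet the Fixed column still lists `5.5.0-5.6.0` (the old value was `3.7.0-5.4.0`). If 5.0.0-5.4.0 is still affected, Affects should carry it as a second range, the way the 3327477 row lists several ranges. In the 3376798 row of the same hunk, Affects changes from `3.7.0-3.7.16, 4.3.1-4.4.5` to `3.7.0-4.3.1`, which newly marks 4.0.0-4.3.0 as affected; please confirm that widening is intended and not a side effect of collapsing the ranges. The same two rows are changed identically in the later hunks at -3919, -4136, -4362, -4602 and -4835, so whatever is decided here applies there too.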
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -3919,8 +3919,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
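Review bot: The unchanged 2702519 row in the context of the hunk at -3710 reads `Fixed: 1.6.2-2+dev8u9` against `Vulnerable: <= 1.6.3-2+deb8u8`, so the stated fix version is lower than the vulnerable ceiling and uses `dev` where every other row uses `deb`. Since this patch already edits the neighbouring 2679950 row in each of these tables, it would be worth checking that string against the package changelog and correcting it in the same pass. The 2679950 change itself (Affects upper bound `4.3.1` to `4.3.2`) is consistent with its Fixed column of `3.7.16, 4.4.0-4.4.5`.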
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -3972,7 +3972,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -4136,8 +4136,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -4189,7 +4189,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -4362,8 +4362,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -4415,7 +4415,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -4602,8 +4602,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -4655,7 +4655,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -4835,8 +4835,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -4888,7 +4888,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| @@ -4987,8 +4987,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | +| [3418046](#3418046)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.6.0| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -5040,7 +5040,7 @@ pdfhidden: True | [2705168](#2705168)
| CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
CVE-2021-0129: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access
Vulnerable: <= 5.43-2+deb9u2~deb8u2Fixed: 5.43-2+deb9u2~deb8u3 | 3.7.0-3.7.15 | 3.7.16| | [2702519](#2702519)
| CVE-2021-33560: Mishandling of ElGamal encryption results in a possible side-channel attack and an interoperability problem with keys not generated by GnuPG/libgcrypt
Vulnerable: <= 1.6.3-2+deb8u8Fixed: 1.6.2-2+dev8u9 | 3.7.0-3.7.15 | 3.7.16| | [2684404](#2684404)
| CVE-2017-20005: NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module
Vulnerable: <= 1.6.2-5+deb8u8Fixed: 1.6.2-5+deb8u9 | 3.7.0-3.7.15 | 3.7.16| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| | [2677063](#2677063)
| CVE-2021-3541: "Parameter Laughs" attack related to parameter entities expansion
Vulnerable: <= 2.9.1+dfsg1-5+deb8u10Fixed: 2.9.1+dfsg1-5+deb8u11 | 3.7.0-3.7.15 | 3.7.16| | [2677061](#2677061)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.6.2-5+deb8u7Fixed: 1.6.2-5+deb8u8 | 3.7.0-3.7.15 | 3.7.16| | [2677060](#2677060)
| CVE-2021-23336: Python2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter
Vulnerable: <= 2.7.9-2-ds1-1+deb8u6Fixed: 2.7.9-2-ds1-1+deb8u7 | 3.7.0-3.7.15 | 3.7.16| diff --git a/content/cumulus-linux-37/rn.xml b/content/cumulus-linux-37/rn.xml index 0532ee4e34..3d6bd99031 100644 --- a/content/cumulus-linux-37/rn.xml +++ b/content/cumulus-linux-37/rn.xml @@ -9,8 +9,8 @@ 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -19,8 +19,8 @@ switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -478,7 +478,7 @@ https://security-tracker.debian.org/tracker/linux 2648658 If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure. -3.7.15-4.3.1 +3.7.15-4.3.2 4.4.0-4.4.5 @@ -530,9 +530,9 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 2555175 -Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. -3.7.15-3.7.16, 4.2.1-4.4.5 - +Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. +3.7.15-4.3.1 +4.3.2-4.4.5 2554785 
@@ -893,7 +893,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100 2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. -3.7.11-4.3.1 +3.7.11-4.3.2 4.4.0-4.4.5 @@ -2361,7 +2361,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 2677063 @@ -2493,8 +2493,8 @@ Fixed: 6.8.9.9-5+deb8u24 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -2503,8 +2503,8 @@ Fixed: 6.8.9.9-5+deb8u24 switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -3472,7 +3472,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -3602,7 +3602,7 @@ Fixed: 0.4.1-1.2+deb8u1 2648658 If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure. -3.7.15-4.3.1 +3.7.15-4.3.2 4.4.0-4.4.5 
@@ -3691,9 +3691,9 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 2555175 -Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. -3.7.15-3.7.16, 4.2.1-4.4.5 - +Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. +3.7.15-4.3.1 +4.3.2-4.4.5 2554785 @@ -4054,7 +4054,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100 2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. -3.7.11-4.3.1 +3.7.11-4.3.2 4.4.0-4.4.5 @@ -5043,7 +5043,7 @@ Fixed: 1.4.4-2+deb8u3 CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service. Vulnerable: <= 2.8.0-cl3.7.15u2 Fixed: 2.8.0-cl3.7.15u3 -3.7.14-3.7.14.2, 4.3.0-4.3.1 +3.7.14-3.7.14.2, 4.3.0-4.3.2 2617009 @@ -5134,7 +5134,7 @@ Fixed: 0.99.beta19-2+deb8u2 2566880 CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. -3.7.14-3.7.14.2, 4.0.0-4.3.1 +3.7.14-3.7.14.2, 4.0.0-4.3.2 2562511 
@@ -5168,7 +5168,7 @@ To work around this issue, disable ARP suppression. 2556782 CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 -3.7.14-3.7.14.2, 4.0.0-4.3.1 +3.7.14-3.7.14.2, 4.0.0-4.3.2 2556780 @@ -5472,8 +5472,8 @@ These messages are harmless and can be ignored. 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -5482,8 +5482,8 @@ These messages are harmless and can be ignored. switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -6137,7 +6137,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -6309,7 +6309,7 @@ Fixed: 1.4.4-2+deb8u3 CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service. Vulnerable: <= 2.8.0-cl3.7.15u2 Fixed: 2.8.0-cl3.7.15u3 -3.7.14-3.7.14.2, 4.3.0-4.3.1 +3.7.14-3.7.14.2, 4.3.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5 
@@ -6420,7 +6420,7 @@ Fixed: 0.99.beta19-2+deb8u2 2566880 CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. -3.7.14-3.7.14.2, 4.0.0-4.3.1 +3.7.14-3.7.14.2, 4.0.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5 @@ -6465,7 +6465,7 @@ To work around this issue, disable ARP suppression. 2556782 CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 -3.7.14-3.7.14.2, 4.0.0-4.3.1 +3.7.14-3.7.14.2, 4.0.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5 @@ -7108,7 +7108,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100 2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. -3.7.11-4.3.1 +3.7.11-4.3.2 4.4.0-4.4.5 @@ -8160,8 +8160,8 @@ You can see the temperature reading in the output of the {{sensors}} command. 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -8170,8 +8170,8 @@ You can see the temperature reading in the output of the {{sensors}} command. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 
@@ -8782,7 +8782,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -8943,7 +8943,7 @@ Fixed: 1.4.4-2+deb8u3 CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service. Vulnerable: <= 2.8.0-cl3.7.15u2 Fixed: 2.8.0-cl3.7.15u3 -3.7.14-3.7.14.2, 4.3.0-4.3.1 +3.7.14-3.7.14.2, 4.3.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5 @@ -9048,7 +9048,7 @@ Fixed: 0.99.beta19-2+deb8u2 2566880 CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. -3.7.14-3.7.14.2, 4.0.0-4.3.1 +3.7.14-3.7.14.2, 4.0.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5 @@ -9087,7 +9087,7 @@ To work around this issue, disable ARP suppression. 2556782 CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 -3.7.14-3.7.14.2, 4.0.0-4.3.1 +3.7.14-3.7.14.2, 4.0.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5 @@ -9792,7 +9792,7 @@ If you flap the link with the {{ip link set vni10100 down; ip link set vni10100 2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. -3.7.11-4.3.1 +3.7.11-4.3.2 4.4.0-4.4.5 
@@ -11214,8 +11214,8 @@ To work around this issue, modify the routing design or policy such that routes 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -11224,8 +11224,8 @@ To work around this issue, modify the routing design or policy such that routes switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -11836,7 +11836,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -12836,7 +12836,7 @@ asic-monitor[7389]: File "/usr/lib/python2.7/dist-packages/cumulus/asic_monitor. 2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. -3.7.11-4.3.1 +3.7.11-4.3.2 4.4.0-4.4.5 @@ -14323,8 +14323,8 @@ Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IG 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 
@@ -14333,8 +14333,8 @@ Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IG switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -14938,7 +14938,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -15928,7 +15928,7 @@ To work around this issue, revert the configuration change. 2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. -3.7.11-4.3.1 +3.7.11-4.3.2 4.4.0-4.4.5 @@ -17397,8 +17397,8 @@ net.ipv6.ip6frag_high_thresh = 262144 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -17407,8 +17407,8 @@ net.ipv6.ip6frag_high_thresh = 262144 switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 
@@ -17834,7 +17834,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -18274,7 +18274,7 @@ To work around this issue, revert the configuration change. 2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. -3.7.11-4.3.1 +3.7.11-4.3.2 4.4.0-4.4.5 @@ -20098,8 +20098,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -20108,8 +20108,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -20535,7 +20535,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 
@@ -22330,8 +22330,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -22340,8 +22340,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -22760,7 +22760,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -24883,8 +24883,8 @@ To work around this issue, run the {{sudo ethtool -S swp1}} command to collect i 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -24893,8 +24893,8 @@ To work around this issue, run the {{sudo ethtool -S swp1}} command to collect i switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 
@@ -25313,7 +25313,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -26863,8 +26863,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -26873,8 +26873,8 @@ To work around this issue, use {{net show interface}} command for LLDP output wh switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -27293,7 +27293,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -29182,8 +29182,8 @@ If you need link pause or PFC functionality, you must use a switch that does not 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 
@@ -29192,8 +29192,8 @@ If you need link pause or PFC functionality, you must use a switch that does not switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -29612,7 +29612,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -31246,8 +31246,8 @@ This issue was discovered on the Helix4 switch but applies to all switches. 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -31256,8 +31256,8 @@ This issue was discovered on the Helix4 switch but applies to all switches. switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -31676,7 +31676,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 
@@ -32955,8 +32955,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -32965,8 +32965,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -33385,7 +33385,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -34691,8 +34691,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -34701,8 +34701,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 
@@ -35121,7 +35121,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -36527,8 +36527,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -36537,8 +36537,8 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -36957,7 +36957,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -38406,8 +38406,8 @@ Permanent MAC address sync between MLAG peers is now supported. 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 
@@ -38416,8 +38416,8 @@ Permanent MAC address sync between MLAG peers is now supported. switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -38836,7 +38836,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 @@ -39598,8 +39598,8 @@ To work around this issue, remove the matching {{network}} statement. 3418046 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 -5.5.0-5.6.0 +3.7.0-4.3.1 +4.3.2-4.4.5, 5.5.0-5.6.0 3376798 @@ -39608,8 +39608,8 @@ To work around this issue, remove the matching {{network}} statement. switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. -3.7.0-3.7.16, 4.3.1-4.4.5 - +3.7.0-4.3.1 +4.3.2-4.4.5 3330705 @@ -40028,7 +40028,7 @@ Fixed: 1.6.2-5+deb8u9 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 -3.7.0-3.7.15, 4.0.0-4.3.1 +3.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5 diff --git a/content/cumulus-linux-43/Whats-New/rn.md b/content/cumulus-linux-43/Whats-New/rn.md index 8d57ce82a5..72ad8c779b 100644 --- a/content/cumulus-linux-43/Whats-New/rn.md +++ b/content/cumulus-linux-43/Whats-New/rn.md 
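Review bot: In the 3418046 hunks (MLAG peer reconnect delay, repeated at -31246, -32955, -34691, -36527, -38406 and -39598), the new affected range `3.7.0-4.3.1` no longer covers 5.0.0-5.4.0, which the removed line `3.7.0-5.4.0` did, while the fixed line still lists `5.5.0-5.6.0`. As written, a reader on 5.0.0-5.4.0 cannot tell from the entry whether that release is affected. If those releases still carry the issue, the affected line should read `3.7.0-4.3.1, 5.0.0-5.4.0`. The new fixed range `4.3.2-4.4.5` also moves every 4.4.x release from affected to fixed, so please confirm the fix is present in all of 4.4.0 through 4.4.5 and not only from a later 4.4 maintenance release.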
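Review bot: In the 3376798 hunks (the `find_egr_path_if_vxlan_overlay` log message, repeated at -29192, -31256, -32965, -34701, -36537, -38416 and -39608), replacing `3.7.0-3.7.16, 4.3.1-4.4.5` with `3.7.0-4.3.1` newly marks 4.0.0-4.3.0 as affected, since the old 4.x range started at 4.3.1, and at the same time moves 4.4.0-4.4.5 from affected to fixed. Both are changes of substance beyond adding 4.3.2 as the fixed release, so please confirm them against the issue tracker. If only the fix version changed, the lines would be `3.7.0-3.7.16, 4.3.1` for affected and `4.3.2-4.4.5` for fixed.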
@@ -9,44 +9,344 @@ type: rn pdfhidden: True --- {{}} +## 4.3.2 Release Notes +### Open Issues in 4.3.2 + +| Issue ID | Description | Affects | Fixed | +|--- |--- |--- |--- | +| [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-5.5.1 | 5.6.0| +| [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| +| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| +| [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| +| [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| +| [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3321391](#3321391)
None | On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3291548](#3291548)
None | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.6.0| +| [3218207](#3218207)
None | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3216921](#3216921)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-3.7.16, 4.3.0-4.4.5 | | +| [3216759](#3216759)
None | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | +| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | +| [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.6.0| +| [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.6.0| +| [3129819](#3129819)
| On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | +| [3119615](#3119615)
| In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.6.0| +| [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.6.0| +| [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | +| [3093863](#3093863)
| The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. | 3.7.16-4.4.3 | 4.4.4-4.4.5, 5.2.0-5.6.0| +| [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| +| [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.6.0 | | +| [3073668](#3073668)
| On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | | +| [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | +| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.6.0| +| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.6.0| +| [3007564](#3007564)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. | 3.7.15-5.0.1 | 5.1.0-5.6.0, 5.2.0-5.6.0| +| [2999341](#2999341)
| CVE-2021-3570The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution
Fixed: 1.9.2-1+deb10u1 | 4.2.1-4.4.1 | 4.4.2-4.4.5| +| [2968495](#2968495)
| If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2 | 4.4.3-4.4.5, 5.1.0-5.6.0| +| [2961008](#2961008)
| SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.6.0| +| [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.6.0 | | +| [2940051](#2940051)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.6.0| +| [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | +| [2896450](#2896450)
CM-31978 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch. | 4.3.0-4.4.5 | | +| [2893895](#2893895)
CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability
Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.2 | 4.4.0-4.4.5, 5.1.0-5.6.0| +| [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| +| [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| +| [2866080](#2866080)
| On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 4.3.0-4.4.5 | | +| [2854787](#2854787)
| An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.2 | 4.4.0-4.4.5, 5.1.0-5.6.0| +| [2854784](#2854784)
| After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.1 | 4.4.2-4.4.5, 5.0.0-5.6.0| +| [2845531](#2845531)
| If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI's parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. | 4.2.1-4.4.5 | 5.0.0-5.6.0| +| [2838905](#2838905)
| On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd. chrony synchronizes the system clock faster and with better accuracy
Instructions for using chrony are here : https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/ | 4.3.0-4.4.5 | | +| [2820565](#2820565)
| SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago
Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE)
Main PID: 1987 (code=exited, status=1/FAILURE)
To work around this issue, run the sudo systemctl restart snmpd.service command. | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2803044](#2803044)
| In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16| +| [2794766](#2794766)
| The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up. | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2792616](#2792616)
| If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2783611](#2783611)
| If you remove ports from a bridge and add IP addresses in one ifreload, connected routes are bound to the wrong routing information field. | 4.3.0-4.4.1 | 4.4.2-4.4.5| +| [2782033](#2782033)
| The following vulnerabilities have been announced in the openssl packages:CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable: <= 1.1.1d-0+deb10u6Fixed: 1.1.1d-0+deb10u7 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2771871](#2771871)
| IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address
This affects failed neighbor entries on routed interfaces that are not SVIs. | 4.3.0-4.4.1 | 4.4.2-4.4.5| +| [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space. | 4.3.0-4.4.5 | | +| [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | +| [2754691](#2754691)
| CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking)
Vulnerable: 1.14.0-1Fixed: 1.14.0-1+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2754685](#2754685)
| CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data
Vulnerable: 2.8.9rel.1-3Fixed: 2.8.9rel.1-3+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2754679](#2754679)
| CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during pairing operation, which could allow an attacker to impersonate the initiating device
CVE-2020-27153: a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code
Vulnerable: <= 5.50-1.2~deb10u1Fixed: 5.50-1.2~deb10u2 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.6.0| +| [2747605](#2747605)
| CVE-2021-3246: a buffer overflow in libsndfile, a libraryfor reading/writing audio files, which could result in denial of serviceor potentially the execution of arbitrary code when processing amalformed audio file
Vulnerable: 1.0.28-6Fixed: 1.0.28-6+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.6.0| +| [2739690](#2739690)
| CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure
Vulnerable: 1.24.1-1Fixed: 1.24.1-1+deb 10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2739639](#2739639)
| CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST
Vulnerable: <= 1.17-3+deb10u1Fixed: 1.17-3+deb10u2 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2734122](#2734122)
| CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memorycorruption, allowing to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
Vulnerable: <= 241-7~deb10u7Fixed: 241-7~deb10u8 | 4.0.0-4.4.1 | 4.4.2-4.4.5| +| [2734119](#2734119)
| The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.6.0| +| [2728207](#2728207)
| CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2728206](#2728206)
| CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2728205](#2728205)
| CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5| +| [2728134](#2728134)
| CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
Fixed: 2.4.47+dfsg-3+deb10u6 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.6.0| +| [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | +| [2710208](#2710208)
| The net show bgp neighbor command output shows the BFD status as UP even when the BGP neighbor is not established, such as when the interface is down. | 4.2.1-4.4.5 | | +| [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| +| [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| +| [2695526](#2695526)
| CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: 3.4.1-1Fixed: 3.4.1-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2687159](#2687159)
| CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed
Vulnerable: 0.6.1-2Fixed: 0.6.1-2+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.6.0| +| [2682971](#2682971)
| CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed
Vulnerable: 0.12.2+cl4u1Fixed: 0.12.2+cl4.4.0u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.2 | 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| +| [2671667](#2671667)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which couldresult in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.14.2-2+deb10u3Fixed: 1.14.2-2+deb10u4 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2669858](#2669858)
CM-32169 | OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. | 3.7.14-3.7.16, 4.0.0-4.4.5 | | +| [2669073](#2669073)
| On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2666838](#2666838)
| CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code
Vulnerable: <= 1.6.7-1+deb10u1Fixed: 1.6.7-1+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2663479](#2663479)
| CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption
Vulnerable: 1.8.3-1Fixed: 1.8.3-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2656527](#2656527)
| CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.40.1-6Fixed: 2.40.1-6+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.2 | 4.4.0-4.4.5| +| [2644053](#2644053)
| The following vulnerabilities have been announced in BIND:CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | +| [2632379](#2632379)
| When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | +| [2617000](#2617000)
| CVE-2021-26933 CVE-2021-27379Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure
Vulnerable: < 4.11.4+99-g8bce4698f6-1Fixed: 4.11.4+99-g8bce4698f6-1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616998](#2616998)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.9.1~dfsg-1Fixed: 1.9.1~dfsg-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616987](#2616987)
| CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image
Vulnerable: <= 2.3.0-2+deb10u1Fixed: 2.3.0-2+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616976](#2616976)
| Multiple vulnerabilities were discovered in cURL, an URL transfer library:CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OSCP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1Fixed: 7.64.0-4+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616967](#2616967)
| CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack
Vulnerable: <= 4.3.2-1+deb10u2Fixed: 4.3.2-1+deb10u3 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616964](#2616964)
| CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service
Vulnerable: <= 2.3.1+dfsg-1+deb10u1Fixed: 2.3.1+dfsg-1+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616954](#2616954)
| CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service
Vulnerable: <= 1.1.1d-0+deb10u5Fixed: 1.1.1d-0+deb10u6 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.2 | 4.4.0-4.4.5| +| [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.6.0| +| [2582639](#2582639)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2578872](#2578872)
| CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service
Vulnerable: 2.3.1+dfsg-1Fixed: 2.3.1+dfsg-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2578870](#2578870)
| CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u1Fixed: 4.1.0+git191117-2~deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | +| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2564534](#2564534)
| Several vulnerabilities have been discovered in the GRUB2 bootloader
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2556777](#2556777)
CM-33395 | CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2556772](#2556772)
CM-33391 | The net show clag verify-vlans command fails with the following log:

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. | 4.2.1-4.4.5 | | +| [2556730](#2556730)
CM-33359 | CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2556369](#2556369)
CM-33196 | If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ file with "-A INPUT -i eth0". | 4.2.1-4.4.5 | | +| [2556082](#2556082)
CM-33050 | The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | +| [2556081](#2556081)
CM-33049 | You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | +| [2555873](#2555873)
CM-32914 | On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | | +| [2555763](#2555763)
CM-32861 | The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | +| [2555613](#2555613)
CM-32786 | The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | +| [2555318](#2555318)
CM-32612 | If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | +| [2554986](#2554986)
CM-32416 | The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | +| [2554812](#2554812)
CM-32296 | If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | +| [2554783](#2554783)
CM-32274 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.6.0| +| [2554709](#2554709)
CM-32217 | The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | | +| [2554670](#2554670)
CM-32194 | When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete. | 4.3.0-4.4.5 | | +| [2554582](#2554582)
CM-32144 | On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | | +| [2554533](#2554533)
CM-32112 | On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | +| [2554466](#2554466)
CM-32068 | Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | +| [2554299](#2554299)
CM-31962 | In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.2 | 4.4.0-4.4.5| +| [2554222](#2554222)
CM-31921 | The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
vxlan-id 30
bridge-access 30
bridge-arp-nd-suppress on
bridge-learning on
vxlan-local-tunnelip 10.10.10.1
mstpctl-bpduguard yes
mstpctl-portbpdufilter yes
mtu 9166
| 4.2.1-4.4.5 | | +| [2554218](#2554218)
CM-31917 | MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | +| [2554202](#2554202)
CM-31904 | The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2553989](#2553989)
CM-31759 | Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | +| [2553887](#2553887)
CM-31700 | When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | +| [2553677](#2553677)
CM-31605 | When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:
createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"
adding the following line to /snmp/snmpd.conf:
rwuser userSHAwithAES
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | +| [2553237](#2553237)
CM-31418 | The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553116](#2553116)
CM-31357 | When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2553015](#2553015)
CM-31300 | If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | +| [2552691](#2552691)
CM-31111 | On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | +| [2552453](#2552453)
CM-30987 | On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. | 4.2.0-4.4.5 | | +| [2552309](#2552309)
CM-30889 | The following messages are seen on an Edgecord Minipack-AS8000 running Cumulus Linux 4.2.0:


Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned
Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned


These messages are for internal validation purposes only and can be safely ignored.

| 4.2.0-4.4.5 | | +| [2552294](#2552294)
CM-30879 | NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2552266](#2552266)
CM-30863 | OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files.
The two scenarios where an exploit may be useful to an attacker:
-The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
-An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server.
If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files.
To disable scp completely, use /bin/chmod 0 /usr/bin/scp . | 3.7.14-3.7.16, 4.0.0-4.4.5 | | +| [2551666](#2551666)
CM-30473 | If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:

warning: : interface not recognized - please check interface configuration

| 4.1.0-4.4.5 | | +| [2551578](#2551578)
CM-30422 | When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2551565](#2551565)
CM-30414 | If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | | +| [2551335](#2551335)
CM-30312 | When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. | 4.0.0-4.4.5 | | +| [2551305](#2551305)
CM-30296 | The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

| 3.7.12-3.7.16, 4.1.0-4.4.5 | | +| [2551273](#2551273)
CM-30280 | On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | | +| [2551221](#2551221)
CM-30255 | When span-to-cpu is enabled on L3 swp interface with an IP address configured, packets with destination IP as switchport's IP address don't reach switchport. To capture packets directed towards switcport's IP, disable span-to-cpu and use tcpdump on swichport instead. | 4.2.0-4.4.5 | | +| [2551111](#2551111)
CM-30230 | If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. | 4.0.0-4.4.5 | | +| [2550974](#2550974)
CM-30195 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | | +| [2550793](#2550793)
CM-30101 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2550713](#2550713)
CM-30052 | Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events.
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. | 4.1.1-4.4.5 | | +| [2550704](#2550704)
| On the Mellanox SN3420 switch, 25G SR optics only link up in force mode. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2550642](#2550642)
CM-30006 | ACLs with SPAN target and in-interface as bond member are not supported on Spectrum-based switches | 4.2.0-4.4.5 | | +| [2550444](#2550444)
CM-29872 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2550443](#2550443)
CM-29871 | The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2550243](#2550243)
CM-29759 | When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:

#Requires=nginx.service restserver.socket
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2550056](#2550056)
CM-29652 | The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue...
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | +| [2549925](#2549925)
CM-29594 | When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:

error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100)
warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address

To work around this issue, run the ifreload -a command a second time. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2549872](#2549872)
CM-29562 | If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. | 3.7.12-3.7.16, 4.1.1-4.4.5 | | +| [2549782](#2549782)
CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2549731](#2549731)
CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | +| [2549392](#2549392)
CM-29319 | When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. | 4.1.0-4.4.5 | | +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| +| [2548924](#2548924)
CM-29146 | On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | | +| [2548657](#2548657)
CM-29035 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2548579](#2548579)
| The following security vulnerability has been announced:
CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2548315](#2548315)
CM-28816 | The following security advisory has been announced for bash:
CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability
When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges.
To work around this issue, do not make bash or bash scripts setuid. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2548310](#2548310)
CM-28812 | When the system boots, we might see " cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys /devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1" errors.

These errors are result of user space acting on kernel events a bit slow. The mlxsw_minimal driver is added during kernel boot; An SDK reset causes the driver to be deleted and re-instantiated; User space handler for thermal zone add sees the add first; But the underlying device is deleted before it can act on it. This situation is rectified as the mlxsw_minimal driver is re-instantiated later;
| 4.1.0-4.4.5 | | +| [2548260](#2548260)
CM-28770 | The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file. | 4.0.0-4.4.5 | | +| [2548243](#2548243)
CM-28754 | On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | +| [2548117](#2548117)
CM-28659 | In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support _traditional_ bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2548062](#2548062)
CM-28622 | When ports are split to 4x25G, RS FEC needs to explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | | +| [2548044](#2548044)
CM-28608 | When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| +| [2547903](#2547903)
CM-28506 | CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs
Vulnerable: 2.9.4+dfsg1-7Fixed: 2.9.4+dfsg1-7+deb10u1 | 4.0.0-4.4.5 | | +| [2547890](#2547890)
CM-28497 | QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | +| [2547782](#2547782)
CM-28441 | If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706](#2547706)
CM-28397 | When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547405](#2547405)
CM-28226 | When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | +| [2547120](#2547120)
CM-28076 | After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546991](#2546991)
CM-28003 | The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546895](#2546895)
CM-27957 | If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546874](#2546874)
CM-27950 | On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | +| [2546255](#2546255)
CM-27637 | On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | +| [2546225](#2546225)
CM-27627 | When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
 
sudo onie-install -fai http://
sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131](#2546131)
CM-27581 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2545837](#2545837)
CM-27444 | If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| +| [2545520](#2545520)
CM-27243 | The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2545239](#2545239)
CM-27099 | On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2545233](#2545233)
CM-27094 | On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | +| [2545125](#2545125)
CM-27018 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | +| [2544978](#2544978)
CM-26921 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544968](#2544968)
CM-26913 | FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544957](#2544957)
CM-26907 | NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | +| [2544953](#2544953)
CM-26905 | When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | +| [2544880](#2544880)
CM-26860 | When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544723](#2544723)
CM-26769 | Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2544463](#2544463)
CM-26599 | Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456](#2544456)
CM-26595 | The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544311](#2544311)
CM-26516 | Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | +| [2544155](#2544155)
CM-26423 | NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | +| [2544113](#2544113)
CM-26412 | Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2543937](#2543937)
CM-26308 | An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2543915](#2543915)
CM-26301 | When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [2543900](#2543900)
CM-26288 | On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841](#2543841)
CM-26256 | The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543816](#2543816)
CM-26241 | On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| +| [2543781](#2543781)
CM-26217 | NCLU does not allow you to configure OSPF NSSAs. For example:

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa
ERROR: Command not found.
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example:

switch# configure terminal
switch(config)# router ospf
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2543724](#2543724)
CM-26179 | If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128)
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2543646](#2543646)
CM-26136 | In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | +| [2543401](#2543401)
CM-25986 | On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543211](#2543211)
CM-25890 | In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2543164](#2543164)
CM-25859 | The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | +| [2543096](#2543096)
CM-25815 | When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | +| [2542945](#2542945)
CM-25740 | On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | +| [2542837](#2542837)
CM-25674 | On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| +| [2542305](#2542305)
CM-25400 | If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | +| [2542301](#2542301)
CM-25397 | When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | +| [2541212](#2541212)
CM-24894 | The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | +| [2541029](#2541029)
CM-24799 | On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
| 3.7.5-3.7.16, 4.0.0-4.4.5 | | +| [2540753](#2540753)
CM-24618 | If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
 
ERROR: No closing quotation
See /var/log/netd.log for more details.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | +| [2540444](#2540444)
CM-24473 | SNMP incorrectly requires engine ID specification.
| 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540352](#2540352)
CM-24435 | When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct:
 
net add routing route-map Proxy-ARP permit 25 match interface swp9
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | +| [2540340](#2540340)
CM-24426 | NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example:
 
cumulus@switch:~$ net add vrf mgmt


Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540274](#2540274)
CM-24379 | On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | +| [2540204](#2540204)
CM-24350 | When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540192](#2540192)
CM-24343 | The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540155](#2540155)
CM-24332 | On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | +| [2540042](#2540042)
CM-24272 | When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface br0.100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# vrrp 1 advertisement-interval
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540041](#2540041)
CM-24271 | On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU.
To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface vlan100
switch(config-if)# vrrp 1 priority 110
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540040](#2540040)
CM-24270 | Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
 
cumulus@switch:~$ sudo vtysh
switch# configure terminal
switch(config)# interface swp4
switch(config-if)# vrrp 1 version 2
switch(config-if)# no vrrp 1 preempt
switch(config-if)# end
switch# write memory
switch# exit
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540031](#2540031)
CM-24262 | NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | +| [2539994](#2539994)
CM-24241 | When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
 
cumulus@switch:~$ net del bgp neighbor fabric peer-group
'router bgp 65001' configuration does not have 'neighbor fabric peer-group'

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | +| [2539962](#2539962)
CM-24222 | When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2539670](#2539670)
CM-24035 | On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type.
| 3.7.2-3.7.16, 4.0.0-4.4.5 | | +| [2539124](#2539124)
CM-23825 | The net add interface ptm-enable command adds no ptm-enable for that interface in the frr.conf file.
Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh.
| 3.7.2-3.7.16, 4.0.0-4.4.5 | | +| [2538790](#2538790)
CM-23665 | NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | +| [2538590](#2538590)
CM-23584 | When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain.
| 3.7.2-3.7.16, 4.0.0-4.4.5 | | +| [2538562](#2538562)
CM-23570 | On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | +| [2538294](#2538294)
CM-23417 | If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2537699](#2537699)
CM-23075 | There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544](#2537544)
CM-23021 | When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2536576](#2536576)
CM-22554 | If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | +| [2536384](#2536384)
CM-22386 | The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2536256](#2536256)
CM-22301 | For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | +| [2536242](#2536242)
CM-22287 | On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | | +| [2536179](#2536179)
CM-22228 | On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2535986](#2535986)
CM-22041 | At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2535965](#2535965)
CM-22020 | On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | +| [2535723](#2535723)
CM-21785 | The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | | +| [2535605](#2535605)
CM-21667 | FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group. | 4.0.0-4.4.5 | | +| [2535209](#2535209)
CM-21278 | The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2534734](#2534734)
CM-20813 | Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | | +| [2533691](#2533691)
CM-19788 | If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | +| [2533625](#2533625)
CM-19724 | PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. | 4.0.0-4.4.5 | | +| [2533337](#2533337)
CM-19454 | When you use NCLU to bring a bond admin down (net add bond link down), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge.
To work around this issue, use the sudo ifdown command. | 4.0.0-4.4.5 | | +| [2531273](#2531273)
CM-17494 | In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.
To work around this issue, change the value of arp_ignore to 2. See [Address Resolution Protocol in the Cumulus Linux user guide\|https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/] for more information. | 4.0.0-4.4.5 | | + +### Fixed Issues in 4.3.2 +| Issue ID | Description | Affects | +|--- |--- |--- | +| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | | +| [3544701](#3544701)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | | +| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1 | | +| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-4.3.1 | | +| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1 | | +| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1 | | +| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1 | | +| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.3.1 | | +| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1 | | +| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1 | | +| [3413826](#3413826)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | | +| [3410952](#3410952)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | | +| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.3.1 | | +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | | +| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1 | | +| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.3.1 | | +| [3336590](#3336590)
None | On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.3.1 | | +| [3334036](#3334036)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.3.1 | | +| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.3.1 | | +| [3319919](#3319919)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | | +| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1 | | +| [3288343](#3288343)
None | When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
| 4.3.1 | | +| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.3.1 | | +| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1 | | +| [3244739](#3244739)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | | +| [3236349](#3236349)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.3.1 | | +| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.3.1 | | +| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-4.3.1 | | +| [3191517](#3191517)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | | +| [2555175](#2555175)
CM-32528 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | | + ## 4.3.1 Release Notes ### Open Issues in 4.3.1 | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | -| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1-4.4.5 | | +| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1 | 4.3.2-4.4.5| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | 5.6.0| -| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1-4.4.5 | | +| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-4.3.1 | 4.3.2-4.4.5, 5.6.0| +| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1 | 4.3.2-4.4.5| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| -| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1-4.4.5 | | -| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1-4.4.5 | | -| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.4.5 | | +| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1 | 4.3.2-4.4.5| +| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1 | 4.3.2-4.4.5| +| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.3.1 | 4.3.2-4.4.5| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1-4.4.5 | | -| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1-4.4.5 | | +| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1 | 4.3.2-4.4.5| +| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1 | 4.3.2-4.4.5| | [3410952](#3410952)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.4.5 | | -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | -| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1-4.4.5 | | -| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.4.5 | | +| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.3.1 | 4.3.2-4.4.5| +| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| +| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1 | 4.3.2-4.4.5| +| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.3.1 | 4.3.2-4.4.5| | [3336590](#3336590)
None | On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.4.5 | | -| [3334036](#3334036)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-5.3.1 | 5.4.0-5.6.0| -| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.4.5 | | +| [3334036](#3334036)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.3.1 | 4.3.2-4.4.5, 5.4.0-5.6.0| +| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.3.1 | 4.3.2-4.4.5| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3321391](#3321391)
None | On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. | 4.2.1-5.3.1 | 5.4.0-5.6.0| | [3319919](#3319919)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| | [3291548](#3291548)
None | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.6.0| -| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1-4.4.5 | | +| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1 | 4.3.2-4.4.5| | [3288343](#3288343)
None | When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
| 4.3.1-4.4.5 | | -| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.4.5 | | -| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1-4.4.5 | | -| [3236349](#3236349)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.4.5 | | -| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.4.5 | | -| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-5.2.1 | 5.3.0-5.6.0| +| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.3.1 | 4.3.2-4.4.5| +| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1 | 4.3.2-4.4.5| +| [3236349](#3236349)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.3.1 | 4.3.2-4.4.5| +| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.3.1 | 4.3.2-4.4.5| +| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-4.3.1 | 4.3.2-4.4.5, 5.3.0-5.6.0| | [3218207](#3218207)
None | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| | [3216921](#3216921)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
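Review bot: The rewritten 3647731 row (CVE-2023-38408) now lists 4.3.2-4.4.5 in the Fixed column, but the only remediation its description gives is that 4.3.2 sets /usr/bin/ssh-agent to chmod 0 when a vulnerable version is detected. That reads as a mitigation that disables ssh-agent, not as a package update, so the row should say so explicitly and state whether the rest of the 4.3.2-4.4.5 range gets the same chmod or a patched OpenSSH, so operators who depend on ssh-agent know what to expect after upgrading. Separately, the added rows for 3336590 and 3288343 give Affects ranges ending at 4.3.1, while their unchanged rows in the 4.3.1 Open Issues table still read 4.3.0-4.4.5 and 4.3.1-4.4.5 with an empty Fixed cell; one of the two needs updating. The re-added rows also carry over wording errors worth fixing while they are being touched: "no no neighbor allowas-in" (3234031), "do not be establish" (3434315) and "due to the CPU the rate-limiter" (3448171).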
| 3.7.0-3.7.16, 4.3.0-4.4.5 | | @@ -75,11 +375,11 @@ pdfhidden: True | [2940051](#2940051)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.6.0| | [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | | [2896450](#2896450)
CM-31978 | On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch. | 4.3.0-4.4.5 | | -| [2893895](#2893895)
CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability
Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.1 | 4.4.0-4.4.5, 5.1.0-5.6.0| +| [2893895](#2893895)
CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability
Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.2 | 4.4.0-4.4.5, 5.1.0-5.6.0| | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2866080](#2866080)
| On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 4.3.0-4.4.5 | | -| [2854787](#2854787)
| An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.1 | 4.4.0-4.4.5, 5.1.0-5.6.0| +| [2854787](#2854787)
| An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.2 | 4.4.0-4.4.5, 5.1.0-5.6.0| | [2854784](#2854784)
| After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.1 | 4.4.2-4.4.5, 5.0.0-5.6.0| | [2845531](#2845531)
| If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI's parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. | 4.2.1-4.4.5 | 5.0.0-5.6.0| | [2838905](#2838905)
| On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd. chrony synchronizes the system clock faster and with better accuracy
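Review bot: In the 2893895 row (CVE-2020-35498), Affects is extended to 4.0.0-4.3.2 while the package line (vulnerable at or below 2.8.90-1-cl4u5, fixed in 2.8.90-1-cl4u6 and later) is left unchanged, so a reader on 4.3.2 cannot tell from the row which openvswitch package that release ships. Please confirm that 4.3.2 still ships a vulnerable package and, if it does, state the upgrade path in the description, since the Fixed column starts at 4.4.0.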
Instructions for using chrony are here : https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/ | 4.3.0-4.4.5 | | @@ -92,6 +392,7 @@ pdfhidden: True | [2782033](#2782033)
| The following vulnerabilities have been announced in the openssl packages:CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable: <= 1.1.1d-0+deb10u6Fixed: 1.1.1d-0+deb10u7 | 4.0.0-4.4.1 | 4.4.2-4.4.5| | [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | 5.0.0-5.6.0| | [2771871](#2771871)
| IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address
This affects failed neighbor entries on routed interfaces that are not SVIs. | 4.3.0-4.4.1 | 4.4.2-4.4.5| +| [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2754691](#2754691)
| CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking)
Vulnerable: 1.14.0-1Fixed: 1.14.0-1+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5| | [2754685](#2754685)
| CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data
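Review bot: The new 2771653 row says W-ECMP weights "can sometimes be in the range of 100s or more" and consume hardware space, but it gives no workaround, no description of what the operator observes when that space runs out, and an empty Fixed cell. Add the observable symptom and a workaround, or say that none exists, as other rows in this table do.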
Vulnerable: 2.8.9rel.1-3Fixed: 2.8.9rel.1-3+deb10u1 | 4.0.0-4.4.1 | 4.4.2-4.4.5| @@ -108,53 +409,53 @@ pdfhidden: True | [2728207](#2728207)
| CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2728206](#2728206)
| CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2728205](#2728205)
| CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5| -| [2728134](#2728134)
| CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
Fixed: 2.4.47+dfsg-3+deb10u6 | 4.0.0-4.3.1 | 4.4.0-4.4.5| +| [2728134](#2728134)
| CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
Fixed: 2.4.47+dfsg-3+deb10u6 | 4.0.0-4.3.2 | 4.4.0-4.4.5| | [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.6.0| | [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.6.0| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output shows the BFD status as UP even when the BGP neighbor is not established, such as when the interface is down. | 4.2.1-4.4.5 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| -| [2695526](#2695526)
| CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: 3.4.1-1Fixed: 3.4.1-1+deb10u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.1 | 4.4.0-4.4.5| -| [2687159](#2687159)
| CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed
Vulnerable: 0.6.1-2Fixed: 0.6.1-2+deb10u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| +| [2695526](#2695526)
| CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: 3.4.1-1Fixed: 3.4.1-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2687159](#2687159)
| CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed
Vulnerable: 0.6.1-2Fixed: 0.6.1-2+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.6.0| -| [2682971](#2682971)
| CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed
Vulnerable: 0.12.2+cl4u1Fixed: 0.12.2+cl4.4.0u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.1 | 4.4.0-4.4.5| -| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | 3.7.16, 4.4.0-4.4.5| -| [2671667](#2671667)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which couldresult in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.14.2-2+deb10u3Fixed: 1.14.2-2+deb10u4 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.1 | 4.4.0-4.4.5| +| [2682971](#2682971)
| CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed
Vulnerable: 0.12.2+cl4u1Fixed: 0.12.2+cl4.4.0u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.2 | 4.4.0-4.4.5| +| [2679950](#2679950)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | 3.7.16, 4.4.0-4.4.5| +| [2671667](#2671667)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which couldresult in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.14.2-2+deb10u3Fixed: 1.14.2-2+deb10u4 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.2 | 4.4.0-4.4.5| | [2669858](#2669858)
CM-32169 | OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. | 3.7.14-3.7.16, 4.0.0-4.4.5 | | -| [2669073](#2669073)
| On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command. | 4.3.0-4.3.1 | 4.4.0-4.4.5| -| [2666838](#2666838)
| CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code
Vulnerable: <= 1.6.7-1+deb10u1Fixed: 1.6.7-1+deb10u2 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2663479](#2663479)
| CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption
Vulnerable: 1.8.3-1Fixed: 1.8.3-1+deb10u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2656527](#2656527)
| CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.40.1-6Fixed: 2.40.1-6+deb10u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.1 | 4.4.0-4.4.5| -| [2644053](#2644053)
| The following vulnerabilities have been announced in BIND:CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 | 4.0.0-4.3.1 | 4.4.0-4.4.5| +| [2669073](#2669073)
| On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2666838](#2666838)
| CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code
Vulnerable: <= 1.6.7-1+deb10u1Fixed: 1.6.7-1+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2663479](#2663479)
| CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption
Vulnerable: 1.8.3-1Fixed: 1.8.3-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2656527](#2656527)
| CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.40.1-6Fixed: 2.40.1-6+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.2 | 4.4.0-4.4.5| +| [2644053](#2644053)
| The following vulnerabilities have been announced in BIND:CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 | 4.0.0-4.3.2 | 4.4.0-4.4.5| | [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | -| [2632379](#2632379)
| When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly. | 4.3.0-4.3.1 | 4.4.0-4.4.5| -| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2632379](#2632379)
| When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2628515](#2628515)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | -| [2617000](#2617000)
| CVE-2021-26933 CVE-2021-27379Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure
Vulnerable: < 4.11.4+99-g8bce4698f6-1Fixed: 4.11.4+99-g8bce4698f6-1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2616998](#2616998)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.9.1~dfsg-1Fixed: 1.9.1~dfsg-1+deb10u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2616987](#2616987)
| CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image
Vulnerable: <= 2.3.0-2+deb10u1Fixed: 2.3.0-2+deb10u2 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2616976](#2616976)
| Multiple vulnerabilities were discovered in cURL, an URL transfer library:CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OSCP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1Fixed: 7.64.0-4+deb10u2 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2616967](#2616967)
| CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack
Vulnerable: <= 4.3.2-1+deb10u2Fixed: 4.3.2-1+deb10u3 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2616964](#2616964)
| CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service
Vulnerable: <= 2.3.1+dfsg-1+deb10u1Fixed: 2.3.1+dfsg-1+deb10u2 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2616954](#2616954)
| CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service
Vulnerable: <= 1.1.1d-0+deb10u5Fixed: 1.1.1d-0+deb10u6 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.1 | 4.4.0-4.4.5| +| [2617000](#2617000)
| CVE-2021-26933 CVE-2021-27379Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure
Vulnerable: < 4.11.4+99-g8bce4698f6-1Fixed: 4.11.4+99-g8bce4698f6-1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616998](#2616998)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.9.1~dfsg-1Fixed: 1.9.1~dfsg-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616987](#2616987)
| CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image
Vulnerable: <= 2.3.0-2+deb10u1Fixed: 2.3.0-2+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616976](#2616976)
| Multiple vulnerabilities were discovered in cURL, an URL transfer library:CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OSCP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1Fixed: 7.64.0-4+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616967](#2616967)
| CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack
Vulnerable: <= 4.3.2-1+deb10u2Fixed: 4.3.2-1+deb10u3 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616964](#2616964)
| CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service
Vulnerable: <= 2.3.1+dfsg-1+deb10u1Fixed: 2.3.1+dfsg-1+deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2616954](#2616954)
| CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service
Vulnerable: <= 1.1.1d-0+deb10u5Fixed: 1.1.1d-0+deb10u6 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.2 | 4.4.0-4.4.5| | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.6.0| -| [2582639](#2582639)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.1 | 4.4.0-4.4.5| -| [2578872](#2578872)
| CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service
Vulnerable: 2.3.1+dfsg-1Fixed: 2.3.1+dfsg-1+deb10u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2578870](#2578870)
| CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u1Fixed: 4.1.0+git191117-2~deb10u2 | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.1 | 4.4.0-4.4.5| +| [2582639](#2582639)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.2 | 4.4.0-4.4.5| +| [2578872](#2578872)
| CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service
Vulnerable: 2.3.1+dfsg-1Fixed: 2.3.1+dfsg-1+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2578870](#2578870)
| CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u1Fixed: 4.1.0+git191117-2~deb10u2 | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.2 | 4.4.0-4.4.5| | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | -| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| -| [2564534](#2564534)
| Several vulnerabilities have been discovered in the GRUB2 bootloader
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. | 4.0.0-4.3.1 | 4.4.0-4.4.5| -| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | 3.7.15-3.7.16, 4.4.0-4.4.5| -| [2556777](#2556777)
CM-33395 | CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1 | 4.0.0-4.3.1 | 4.4.0-4.4.5| +| [2566880](#2566880)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2564534](#2564534)
| Several vulnerabilities have been discovered in the GRUB2 bootloader
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. | 4.0.0-4.3.2 | 4.4.0-4.4.5| +| [2556782](#2556782)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | 3.7.15-3.7.16, 4.4.0-4.4.5| +| [2556777](#2556777)
CM-33395 | CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1 | 4.0.0-4.3.2 | 4.4.0-4.4.5| | [2556772](#2556772)
CM-33391 | The net show clag verify-vlans command fails with the following log:

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. | 4.2.1-4.4.5 | | -| [2556730](#2556730)
CM-33359 | CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 | 4.0.0-4.3.1 | 4.4.0-4.4.5| +| [2556730](#2556730)
CM-33359 | CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 | 4.0.0-4.3.2 | 4.4.0-4.4.5| | [2556369](#2556369)
CM-33196 | If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ file with "-A INPUT -i eth0". | 4.2.1-4.4.5 | | | [2556082](#2556082)
CM-33050 | The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | | [2556081](#2556081)
CM-33049 | You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | @@ -162,7 +463,7 @@ pdfhidden: True | [2555763](#2555763)
CM-32861 | The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
CM-32786 | The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
CM-32612 | If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | +| [2555175](#2555175)
CM-32528 | Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554986](#2554986)
CM-32416 | The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
CM-32296 | If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554783](#2554783)
CM-32274 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -171,7 +472,7 @@ pdfhidden: True | [2554582](#2554582)
CM-32144 | On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | | | [2554533](#2554533)
CM-32112 | On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
CM-32068 | Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | -| [2554299](#2554299)
CM-31962 | In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.1 | 4.4.0-4.4.5| +| [2554299](#2554299)
CM-31962 | In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.2 | 4.4.0-4.4.5| | [2554222](#2554222)
CM-31921 | The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
vxlan-id 30
bridge-access 30
bridge-arp-nd-suppress on
bridge-learning on
vxlan-local-tunnelip 10.10.10.1
mstpctl-bpduguard yes
mstpctl-portbpdufilter yes
mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
CM-31917 | MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | | [2554202](#2554202)
CM-31904 | The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | @@ -197,7 +498,7 @@ pdfhidden: True | [2550974](#2550974)
CM-30195 | On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | | | [2550793](#2550793)
CM-30101 | The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2550713](#2550713)
CM-30052 | Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events.
To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. | 4.1.1-4.4.5 | | -| [2550704](#2550704)
| On the Mellanox SN3420 switch, 25G SR optics only link up in force mode. | 4.3.0-4.3.1 | 4.4.0-4.4.5| +| [2550704](#2550704)
| On the Mellanox SN3420 switch, 25G SR optics only link up in force mode. | 4.3.0-4.3.2 | 4.4.0-4.4.5| | [2550642](#2550642)
CM-30006 | ACLs with SPAN target and in-interface as bond member are not supported on Spectrum-based switches | 4.2.0-4.4.5 | | | [2550444](#2550444)
CM-29872 | Tab completion for the net show rollback description command returns information about a snapshot instead of context help.
To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2550443](#2550443)
CM-29871 | The net show rollback description command returns an error even if the string matches a commit description.
To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | @@ -208,7 +509,7 @@ pdfhidden: True | [2549782](#2549782)
CM-29519 | The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2549731](#2549731)
CM-29492 | When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:

[ebtables]
-A FORWARD --in-interface swp10 -j span --dport swp1
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | | [2549392](#2549392)
CM-29319 | When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. | 4.1.0-4.4.5 | | -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | 4.4.0-4.4.5| +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | 4.4.0-4.4.5| | [2548924](#2548924)
CM-29146 | On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | | | [2548657](#2548657)
CM-29035 | When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2548579](#2548579)
| The following security vulnerability has been announced:
CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| @@ -233,7 +534,7 @@ pdfhidden: True | [2546131](#2546131)
CM-27581 | On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
CM-27444 | If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
CM-27243 | The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2545239](#2545239)
CM-27099 | On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.1 | 4.4.0-4.4.5| +| [2545239](#2545239)
CM-27099 | On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.2 | 4.4.0-4.4.5| | [2545233](#2545233)
CM-27094 | On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | | [2545125](#2545125)
CM-27018 | If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | | [2544978](#2544978)
CM-26921 | If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | diff --git a/content/cumulus-linux-43/rn.xml b/content/cumulus-linux-43/rn.xml index a02dc3d35f..c649894bb7 100644 --- a/content/cumulus-linux-43/rn.xml +++ b/content/cumulus-linux-43/rn.xml 
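Review bot: In the `@@ -208,7 +509,7 @@` hunk of rn.md, the re-added CM-29309 row still ends with "when there is no MLD join receive". Since the line is already being rewritten for the 3.7.11-4.3.2 range, correct it to "when no MLD join is received". The CM-29319 context row directly above it writes the path once as /etc/frr/frr.conf and once as etc/frr/frr.conf. A workaround that readers copy should carry the leading slash in both places, so consider fixing that row in the same change.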
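Review bot: In the `@@ -233,7 +534,7 @@` hunk of rn.md, the re-added CM-27099 row says PTP "is not currently supported" on the Spectrum-2 ASIC while the same row lists 4.4.0-4.4.5 as fixed. With the affected range now extended to 4.0.0-4.3.2, "currently" is ambiguous to someone reading the row from a later release. Suggest wording tied to the range, for example "PTP is not supported in these releases", so the description and the Fixed column agree.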
@@ -1,4 +1,2203 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Issue ID Description Affects Fixed
3647424When you remove the {{update-source}} configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same {{update-source}} configuration.4.3.0-5.5.15.6.0
3488136When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command.4.2.1-5.5.15.6.0
3474391The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB.4.3.1-5.5.15.6.0
3429530On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time.4.2.1-5.4.05.5.0-5.6.0
3330705When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.3.7.0-5.3.15.4.0-5.6.0
3327477If you use {{su}} to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run {{sudo}} commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password.3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0
3321391On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the {{sensor}} command output.4.2.1-5.3.15.4.0-5.6.0
3291548In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}.4.2.1-4.4.55.0.0-5.6.0
3218207Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes.4.3.0-5.2.15.3.0-5.6.0
3216921RADIUS authenticated users with read-only access to NCLU commands (users in the {{users_with_show}} list) can run edit commands if a username for a non-local account is on the {{users_with_edit}} line of the {{/etc/netd.conf}} file. To work around this issue, make sure that all usernames on the {{users_with_edit}} line of the {{/etc/netd.conf}} file are configured local users for the system (real Linux users). +3.7.0-3.7.16, 4.3.0-4.4.5
3216759With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. + +hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources + +To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl-heavy}} with ACL non-atomic mode.3.7.15-3.7.16, 4.3.0-4.4.5
3168564In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. +On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled.4.3.1-4.4.5
3163845If bond slaves listed in the {{/etc/network/interfaces}} file are not in alphabetical order, the bond interface MAC address can change when you run {{ifreload}}. For example, if the bond slaves in the {{/etc/network/interfaces}} file are listed as {{swp32 swp31}}, the switch initially uses the MAC address for swp32 as the bond MAC address. An another {{ifreload}} can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes.4.3.1-4.4.5
3138746The switch duplicates DHCP packets that pass through the VTEP.4.3.0-5.1.05.2.0-5.6.0
3131423During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the {{systemctl restart frr}} command.4.3.0-5.1.05.2.0-5.6.0
3129819On the EdgeCore AS4610 switch, the {{clagd}} service loses communication after 198 days of uptime.3.7.15-3.7.16, 4.3.0-4.4.5
3119615In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. 3.7.15-5.1.05.2.0-5.6.0
3117340When you edit the {{/usr/share/openvswitch/scripts/ovs-ctl-vtep}} file to change the {{ovs-vtepd}} configuration between {{vlan-aware}} and {{vlan-unaware}} mode, {{ovs-vtepd}} crashes when you restart the service. To recover, restart the networking service with the {{sudo systemctl restart networking}} command.4.3.0-5.1.05.2.0-5.6.0
3093966On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. 3.7.15-3.7.16, 4.3.0-4.4.5
3093863The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the {{systemctl restart snmpd}} command.3.7.16-4.4.34.4.4-4.4.5, 5.2.0-5.6.0
3089165A slow memory leak might occur in {{switchd}}} if the route fails to install in hardware when hardware resources are exhausted.4.2.1-4.4.34.4.4-4.4.5
3084027Under a high load, you might see ingress drop counters increase. The drops are classified as {{HwIfInDiscards}} in ethtool and shown as {{ingress_general}} in hardware.4.3.0-4.4.5, 5.0.0-5.6.0
3073668On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap.3.7.12-3.7.16, 4.3.0-4.4.5
3072613When you delete a bond interface with NCLU, BGP peer group configuration is removed.3.7.15-3.7.16, 4.3.0-4.4.5
3059135In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. +To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command.4.3.0-5.1.05.2.0-5.6.0
3046023The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install.4.2.1-5.1.05.2.0-5.6.0
3007564After you delete the last {{vxlan-remoteip}} configuration line from the {{/etc/network/interfaces}} file and run the {{ifreload -a}} command, the corresponding BUM flood entry is not removed.3.7.15-5.0.15.1.0-5.6.0, 5.2.0-5.6.0
2999341CVE-2021-3570 +The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution. +Fixed: 1.9.2-1+deb10u14.2.1-4.4.14.4.2-4.4.5
2968495If {{switchd}} requires more time to update port or bond configuration after the port or bond flaps, the {{systemd}} watchdog times out. As result, {{systemd}} might assume that {{switchd}} is unresponsive and restarts it.4.2.1-4.4.24.4.3-4.4.5, 5.1.0-5.6.0
2961008SNMP reports the same {{ifType}} of {{ethernetCsmacd(6)}} for loopback interfaces.3.7.15-4.4.2, 5.0.0-5.0.14.4.3-4.4.5, 5.1.0-5.6.0
2951110The {{net show time ntp servers}} command does not show any output with the management VRF.3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.6.0
2940051In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during {{ifreload}} when adding new VLANS or bridges. 3.7.14.2-3.7.15, 4.3.0-4.4.53.7.16, 5.0.0-5.6.0
2902013The NCLU commit command adds a five second delay.4.2.1-4.4.5
2896450On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in {{Paused}} mode after a {{switchd}} restart, which blocks traffic on that interface. To work around this issue, restart {{switchd}} a second or third time until all interfaces are functioning correctly, or reboot the switch.4.3.0-4.4.5
2893895CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. +Vulnerable: <= 2.8.90-1-cl4u5 +Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u84.0.0-4.3.24.4.0-4.4.5, 5.1.0-5.6.0
2891255CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. +Vulnerable: <= 2.6.20-0+deb10u1 +Fixed: 2.6.20-0+deb10u24.0.0-4.4.1, 5.0.0-5.6.04.4.2-4.4.5
2890681CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code. +Vulnerable: 2.6.0+dfsg.1-1 +Fixed: 2.6.0+dfsg.1-1+deb10u14.0.0-4.4.1, 5.0.0-5.6.04.4.2-4.4.5
2866080On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic.4.3.0-4.4.5
2854787An unexpected software system shutdown can occur due to a thermal zones issue in the {{hw-management}} package. The following message might appear in {{/var/log/syslog}} before the shutdown: + +thermal thermal_zoneX: critical temperature reached (33 C), shutting down +4.3.0-4.3.24.4.0-4.4.5, 5.1.0-5.6.0
2854784After building VLAN or VXLAN interfaces, MLAG becomes unstable.4.3.0-4.4.14.4.2-4.4.5, 5.0.0-5.6.0
2845531If you update the MAC address of an SVI when the SVI is in a {{protodown}} state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI's parent bridge changes), {{clagd}} does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address.4.2.1-4.4.55.0.0-5.6.0
2838905On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. +To work around this issue, use the {{chrony}} implementation of NTP instead of {{ntpd}}. {{chrony}} synchronizes the system clock faster and with better accuracy. + +Instructions for using {{chrony}} are here : https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/4.3.0-4.4.5
2820565SNMP does not start and you see errors similar to the following: + +cumulus@switch:~$ sudo systemctl status snmpd.service +snmpd.service - Simple Network Management Protocol (SNMP) Daemon. + Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled) + Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago + Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE) + Main PID: 1987 (code=exited, status=1/FAILURE) + +To work around this issue, run the {{sudo systemctl restart snmpd.service}} command.4.3.0-4.4.55.0.0-5.6.0
2803044In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks.3.7.14.2-3.7.15, 4.3.0-4.4.53.7.16
2794766The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up.4.3.0-4.4.55.0.0-5.6.0
2792616If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information.4.3.0-4.4.55.0.0-5.6.0
2783611If you remove ports from a bridge and add IP addresses in one {{ifreload}}, connected routes are bound to the wrong routing information field.4.3.0-4.4.14.4.2-4.4.5
2782033The following vulnerabilities have been announced in the openssl packages: +CVE-2021-3711: buffer overflow vulnerability in SM2 decryption. +CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function. +More details at https://www.openssl.org/news/secadv/20210824.txt . +Vulnerable: <= 1.1.1d-0+deb10u6 +Fixed: 1.1.1d-0+deb10u74.0.0-4.4.14.4.2-4.4.5
2781537In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use {{ -t mangle -A PREROUTING}} instead of {{FORWARD}}.4.3.0-4.4.55.0.0-5.6.0
2771871IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address. + +This affects failed neighbor entries on routed interfaces that are not SVIs.4.3.0-4.4.14.4.2-4.4.5
2771653When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space.4.3.0-4.4.5
2754791Remote MAC addreses in zebra are out of sync with {{bgpd}}. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. 3.7.14.2-3.7.16, 4.3.0-4.4.5
2754691CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking). +Vulnerable: 1.14.0-1 +Fixed: 1.14.0-1+deb10u14.0.0-4.4.14.4.2-4.4.5
2754685CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data. +Vulnerable: 2.8.9rel.1-3 +Fixed: 2.8.9rel.1-3+deb10u14.0.0-4.4.14.4.2-4.4.5
2754679CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during pairing operation, which could allow an attacker to impersonate the initiating device. +CVE-2020-27153: a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code. +Vulnerable: <= 5.50-1.2~deb10u1 +Fixed: 5.50-1.2~deb10u24.0.0-4.4.14.4.2-4.4.5
2753955On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails.4.2.1-4.4.55.0.0-5.6.0
2747605CVE-2021-3246: a buffer overflow in libsndfile, a library +for reading/writing audio files, which could result in denial of service +or potentially the execution of arbitrary code when processing a +malformed audio file. +Vulnerable: 1.0.28-6 +Fixed: 1.0.28-6+deb10u14.0.0-4.4.14.4.2-4.4.5
2743186When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish.3.7.15-5.1.05.2.0-5.6.0
2739690CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure. +Vulnerable: 1.24.1-1 +Fixed: 1.24.1-1+deb 10u14.0.0-4.4.14.4.2-4.4.5
2739639CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST. +Vulnerable: <= 1.17-3+deb10u1 +Fixed: 1.17-3+deb10u24.0.0-4.4.14.4.2-4.4.5
2739402The destination MAC address of ERSPAN GRE packets is set to all zeros.4.3.0-4.4.55.0.0-5.6.0
2734122CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory +corruption, allowing to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt . +Vulnerable: <= 241-7~deb10u7 +Fixed: 241-7~deb10u84.0.0-4.4.14.4.2-4.4.5
2734119The ESI line in the {{show bgp l2vpn evpn route}} command output always shows VNI: 0. This is a cosmetic software issue.4.3.0-4.4.55.0.0-5.6.0
2734103{{ACL [No More Resources]}} messages keep appearing and you can't reinstall the ACL.4.3.0-5.1.05.2.0-5.6.0
2728207CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 3.7.0-3.7.16, 4.0.0-4.4.5
2728206CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 3.7.0-3.7.16, 4.0.0-4.4.5
2728205CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 3.7.0-4.4.14.4.2-4.4.5
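Review bot: In the new rn.xml table, CVE-2021-3570 (ptp4l in linuxptp) appears in four rows with conflicting version data. Rows 2728207 and 2728206 list 3.7.0-3.7.16, 4.0.0-4.4.5 with no fixed range, while 2728205 and 2999341 end in 4.4.2-4.4.5, and 2999341 alone names the fixed package 1.9.2-1+deb10u1. Someone using this table to decide whether a 4.4.x switch still needs the linuxptp update gets two different answers, so collapse these into one row per affected branch or make the ranges agree. Separately, the added text has unbalanced template braces in row 3089165 (`{{switchd}}}`) and row 2690017 (`{{{syslog}}`), and row 3007564 lists the overlapping fixed ranges 5.1.0-5.6.0, 5.2.0-5.6.0. Since these files look generated, the fix probably belongs in the source data.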
2728134CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. +Vulnerable: <= 2.4.47+dfsg-3+deb10u5 +Fixed: 2.4.47+dfsg-3+deb10u64.0.0-4.3.24.4.0-4.4.5
2728119When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. +To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command.4.3.0-4.4.55.0.0-5.6.0
2713888With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. + +hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources + +To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl-heavy}} with ACL non-atomic mode.3.7.15-5.0.15.1.0-5.6.0
2711533On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate.4.2.1-4.4.5
2710208The {{net show bgp neighbor}} command output shows the BFD status as UP even when the BGP neighbor is not established, such as when the interface is down.4.2.1-4.4.5
2706744In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event.4.3.0-4.4.14.4.2-4.4.5
2700767Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration.3.7.12-3.7.15, 4.3.0-4.4.53.7.16
2695526CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures. +Vulnerable: 3.4.1-1 +Fixed: 3.4.1-1+deb10u14.0.0-4.3.24.4.0-4.4.5
2690017When you remove a bond member, then re-add it, you might see a {{Parameter Error}} failure in {{{syslog}} and {{switchd.log}}: + +sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). +switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error + +To work around this issue, restart {{switchd}}.4.3.0-4.3.24.4.0-4.4.5
2687159CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed. +Vulnerable: 0.6.1-2 +Fixed: 0.6.1-2+deb10u14.0.0-4.3.24.4.0-4.4.5
2685994When you use the NVUE command {{nv set interface lo router ospf area}} to configure OSPF on a loopback interface, the configuration fails to apply. +To work around this issue, configure the loopback interface in the desired OSPF area with the {{nv set vrf default router ospf area 0 network}} command and reference the assigned prefix of the loopback interface. For example: + +cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 +4.0.0-5.0.15.1.0-5.6.0
2682971CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed. +Vulnerable: 0.12.2+cl4u1 +Fixed: 0.12.2+cl4.4.0u14.0.0-4.3.24.4.0-4.4.5
2682780Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly. +To work around this issue, add the MAC access list configuration to the end of the {{/etc/frr/frr.conf}} file.4.2.0-4.3.24.4.0-4.4.5
2679950CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. +Vulnerable: <= 4.3.1-6-cl3.7.14u1 +Fixed: 4.3.1-6-cl3.7.16u13.7.0-3.7.15, 4.0.0-4.3.23.7.16, 4.4.0-4.4.5
2671667CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could +result in denial of service and potentially the execution of arbitrary code. +Vulnerable: <= 1.14.2-2+deb10u3 +Fixed: 1.14.2-2+deb10u44.0.0-4.3.24.4.0-4.4.5
2669873In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. 4.3.0-4.3.24.4.0-4.4.5
2669858OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. +This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper.3.7.14-3.7.16, 4.0.0-4.4.5
2669073On Spectrum, Spectrum-2, and Spectrum-3 switches, the {{l1-show}} command shows the wrong data when the MST service is stopped. +To work around this issue, start the MST service with the {{sudo mst start}} command.4.3.0-4.3.24.4.0-4.4.5
2666838CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code. +Vulnerable: <= 1.6.7-1+deb10u1 +Fixed: 1.6.7-1+deb10u24.0.0-4.3.24.4.0-4.4.5
2663479CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption. +Vulnerable: 1.8.3-1 +Fixed: 1.8.3-1+deb10u14.0.0-4.3.24.4.0-4.4.5
2656527CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file. +Vulnerable: 2.40.1-6 +Fixed: 2.40.1-6+deb10u14.0.0-4.3.24.4.0-4.4.5
2648658If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure.3.7.15-4.3.24.4.0-4.4.5
2644053The following vulnerabilities have been announced in BIND: +CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service. +CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. +CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries. +Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4 +Fixed: 9.11.5.P4+dfsg-5.1+deb10u54.0.0-4.3.24.4.0-4.4.5
2639303When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following: +ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values' +See /var/log/netd.log for more details.4.3.0-4.4.5
2632379When you upgrade the switch with {{apt-get upgrade}}, the {{kexec-tools}} package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly.4.3.0-4.3.24.4.0-4.4.5
2628515CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service. +Vulnerable: <= 2.8.0-cl3.7.15u2 +Fixed: 2.8.0-cl3.7.15u33.7.14-3.7.14.2, 4.3.0-4.3.23.7.15-3.7.16, 4.4.0-4.4.5
2618227The NCLU {{net show bridge macs}} command displays permanent MAC addresses for trunked VLANs.4.3.0-4.4.5
2617000CVE-2021-26933 CVE-2021-27379 +Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure. +Vulnerable: < 4.11.4+99-g8bce4698f6-1 +Fixed: 4.11.4+99-g8bce4698f6-14.0.0-4.3.24.4.0-4.4.5
2616998CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code. +Vulnerable: 1.9.1~dfsg-1 +Fixed: 1.9.1~dfsg-1+deb10u14.0.0-4.3.24.4.0-4.4.5
2616987CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image. +Vulnerable: <= 2.3.0-2+deb10u1 +Fixed: 2.3.0-2+deb10u24.0.0-4.3.24.4.0-4.4.5
2616976Multiple vulnerabilities were discovered in cURL, an URL transfer library: +CVE-2020-8169: partial password leak to DNS servers. +CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file. +CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection. +CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port. +CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION). +CVE-2020-8286: failure to verify that OSCP response matches intended certificate. +CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header. +CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check. +Vulnerable: <= 7.64.0-4+deb10u1 +Fixed: 7.64.0-4+deb10u24.0.0-4.3.24.4.0-4.4.5
2616967CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack. +Vulnerable: <= 4.3.2-1+deb10u2 +Fixed: 4.3.2-1+deb10u34.0.0-4.3.24.4.0-4.4.5
2616964CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service. +Vulnerable: <= 2.3.1+dfsg-1+deb10u1 +Fixed: 2.3.1+dfsg-1+deb10u24.0.0-4.3.24.4.0-4.4.5
2616954CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service. +Vulnerable: <= 1.1.1d-0+deb10u5 +Fixed: 1.1.1d-0+deb10u64.0.0-4.3.24.4.0-4.4.5
2614016The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module.4.2.0-4.3.24.4.0-4.4.5
2599274On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress. +To recover from this state, flap the bond interface (not the physical swp) by running {{ifdown <bond_name> ; sleep 1 ; ifup <bond_name>}}.4.3.0-4.4.55.0.0-5.6.0
2582639On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap.4.3.0-4.3.24.4.0-4.4.5
2578872CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service. +Vulnerable: 2.3.1+dfsg-1 +Fixed: 2.3.1+dfsg-1+deb10u14.0.0-4.3.24.4.0-4.4.5
2578870CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. +Vulnerable: <= 4.1.0+git191117-2~deb10u1 +Fixed: 4.1.0+git191117-2~deb10u24.0.0-4.3.24.4.0-4.4.5
2577499QSFP+ 40G optics do not work on Spectrum platforms.4.3.0-4.3.24.4.0-4.4.5
2574368When you run the NCLU {{net add bgp maximum-paths ibgp}} command, FRR restarts unexpectedly. +To work around this issue, either use the {{vtysh}} commands or edit the {{/etc/frr/frr.conf}} file directly, then run {{systemctl reload frr}}.4.1.1-4.4.5
2566880CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.3.7.14-3.7.14.2, 4.0.0-4.3.23.7.15-3.7.16, 4.4.0-4.4.5
2564534Several vulnerabilities have been discovered in the GRUB2 bootloader. +CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. +CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command. +CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization. +CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline. +CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. +CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser. +CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering.4.0.0-4.3.24.4.0-4.4.5
2556782CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. +Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u13.7.14-3.7.14.2, 4.0.0-4.3.23.7.15-3.7.16, 4.4.0-4.4.5
2556777CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence. +Vulnerable: 4.6.2-3 +Fixed: 4.6.2-3+deb10u14.0.0-4.3.24.4.0-4.4.5
2556772The {{net show clag verify-vlans}} command fails with the following log: + +WARNING: '/usr/bin/clagctl verifyvlans' failed due to: +Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1 + +To work around this issue, run the {{/usr/bin/clagctl verifyvlans}} command or the {{net show clag verbose}} command.4.2.1-4.4.5
2556730CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code. +Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2 +Fixed: 9.11.5.P4+dfsg-5.1+deb10u34.0.0-4.3.24.4.0-4.4.5
2556369If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the {{/etc/cumulus/acl/policy.d/50_nclu_acl.rules}} file. +To work around this issue, manually create an ACL in the {{/etc/cumulus/acl/policy.d/}} file with "-A INPUT -i eth0".4.2.1-4.4.5
2556082The NCLU {{net del vrf}} command does not delete a numbered VRF. For example: + +cumulus@leaf01:~$ net del vrf 55 +ERROR: Command not found +4.2.1-4.4.5
2556081You cannot set the time zone can with NCLU commands.4.1.1-4.4.5
2555873On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic.4.3.0-4.4.5
2555763The NCLU {{net del bgp neighbor}} command does not delete the neighbor and displays an error similar to the following: + +ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000 ++++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000 + +To work around this issue, use the FRR command to delete a neighbor.4.3.0-4.4.5
2555613The {{net show configuration commands}} command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example: + +# net show configuration commands +net add vlan 1 ip6-forward off + +The correct NCLU command to disable IPv6 forwarding is {{net add vlan 1 ipv6 forward off}} (without the hyphen).4.2.1-4.4.5
2555318If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the {{frr.log}} file: + +2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID + +This error has no functional impact.4.3.0-4.4.5
2554986The {{ethtool}} utility doesn't contain the latest values, as a result the {{Revision Compliance}} field shows {{Unallocated}}. 4.2.1-4.4.5
2554812If the RMAC of a layer 3 SVI changes, the {{show vrf vni}} command is not updated with the new value. However, the new RMAC is seen in the {{show evpn vni}} command and is present on self-originated EVPN routes.4.2.1-4.4.5
2554783If you apply an outbound route map to a BGP peer that uses {{set as-path prepend last-as}}, advertised locally-originated routes have the ASN of the peer prepended to the AS path. +This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes.4.2.1-4.4.55.0.0-5.6.0
2554709The IP address specified in the {{ip pim use-source}} command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If {{ip pim use-source}} is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface. +To work around this issue, configure {{ip pim use-source}} on each unnumbered interface directly or ensure {{ip pim use-source}} is applied to the loopback before other unnumbered interfaces are enabled for PIM.3.7.13-3.7.16, 4.2.1-4.4.5
2554670When you have a large number of ACLs, the {{cl-acltool -L ip}} and {{cl-resource-query}} commands take a long time to complete.4.3.0-4.4.5
2554582On switches with the Maverick ASIC, control traffic is dropped due to receive buffering.4.2.0-4.4.5
2554533On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms).4.0.0-4.4.5
2554466Kernel routes added by {{iproute2}} are missing in FRR after an interface flap. +To work around this issue, configure a static route in FRR. +4.2.1-4.4.5
2554299In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.4.2.0-4.3.24.4.0-4.4.5
2554222The NCLU command to enable bridge learning fails. +As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: + +auto vni-30 +iface vni-30 + vxlan-id 30 + bridge-access 30 + bridge-arp-nd-suppress on + bridge-learning on + vxlan-local-tunnelip 10.10.10.1 + mstpctl-bpduguard yes + mstpctl-portbpdufilter yes + mtu 9166 +4.2.1-4.4.5
2554218MLAG packets received on the peer link are dropped instead of routed.4.2.0-4.4.5
2554202The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead.4.2.1-4.4.5
2553989Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down.4.2.1-4.4.5
2553887When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as {{net add}} and {{net del}} and see an error similar to the following: + +ERROR: You do not have permission to execute that command. + +To work around this issue, remove the DEFAULT user from the TACACS+ server.3.7.7-3.7.16, 4.0.0-4.4.5
2553677When you configure an SNMPv3 user with the {{net-snmp-config}} configuration command from the {{libsnmp-dev}} package, you get an error message similar to the one below: + +cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES +adding the following line to /var/lib/snmp/snmpd.conf: + createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass" +adding the following line to /snmp/snmpd.conf: + rwuser userSHAwithAES +touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory +/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent + +To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example: + +cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption + +Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in the documentation.3.7.13-3.7.16, 4.0.0-4.4.5
2553237The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. +NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. + +4.2.0-4.4.5
2553116When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a {{switchd}} service heartbeat failure. +To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool.3.7.12-3.7.16, 4.0.0-4.4.5
2553015If a neighbour contains a special character in PortID for LLDP, the {{net show interface}} command does not display the LLDP information or the command might fail.3.7.10-3.7.16, 4.2.0-4.4.5
2552691On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. +To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the {{ip link set eth0 down/up}} command to bring up the port.4.2.0-4.4.5
2552453On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the {{traffic.conf}} file. +To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the {{traffic.conf}} file.4.2.0-4.4.5
2552309The following messages are seen on an Edgecord Minipack-AS8000 running Cumulus Linux 4.2.0: + +{code} +Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned +Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned +{code} + +These messages are for internal validation purposes only and can be safely ignored. + +4.2.0-4.4.5
2552294NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. + 3.7.12-3.7.16, 4.0.0-4.4.5
2552266OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. +The two scenarios where an exploit may be useful to an attacker: +-The user is authorized to {{scp}} but not {{ssh}} (based on the {{command}} option in the {{authorized_keys}} file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so. +-An attacker plants a maliciously named file in a directory tree that someone later uses {{scp -r}} to copy over to the target computer. +Be aware that restricting users to {{scp}} by using the {{command}} option in the {{authorized_keys}} file is not effective in preventing those users from executing arbitrary commands on the server. +If you want to use {{scp -r}} to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with {{tar}}, {{zip}}, or a similar program, then copying the archive over to be extracted on the server avoids having to use {{scp -r}} altogether. In addition, OpenSSH provides {{sftp}}, which you can use instead of {{scp}} to copy files. +To disable scp completely, use {{/bin/chmod 0 /usr/bin/scp}} .3.7.14-3.7.16, 4.0.0-4.4.5
2551666If you modify an interface name, then reuse the previous interface name for a different VLAN, the {{ifreload -a}} command generates an error similar to the following: + +warning: <interface-name>: interface not recognized - please check interface configuration + +4.1.0-4.4.5
2551578When you configure a bridge in the {{/etc/network/interfaces}} file, then try to reconfigure the bridge to be a VRF interface with the same name, {{ifreload}}/{{ifup}} commands fail with an {{invalid table id}} or {{unable to get vrf table id}} error.3.7.12-3.7.16, 4.0.0-4.4.5
2551565If you toggle VRRP priority values between VRRP routers, then restart {{switchd}}, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected. +To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands.3.7.13-3.7.16, 4.2.0-4.4.5
2551335When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running {{ip}} and {{cat}} commands.4.0.0-4.4.5
2551305The {{net show configuration}} command provides the wrong {{net add}} command for ACL under the VLAN interface. + +3.7.12-3.7.16, 4.1.0-4.4.5
2551273On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux.4.1.0-4.4.5
2551221When span-to-cpu is enabled on L3 swp interface with an IP address configured, packets with destination IP as switchport's IP address don't reach switchport. To capture packets directed towards switcport's IP, disable span-to-cpu and use tcpdump on swichport instead.4.2.0-4.4.5
2551111If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. +zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address.4.0.0-4.4.5
2550974On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured.3.7.11-3.7.16, 4.1.1-4.4.5
2550793The NCLU {{net show bridge spanning-tree}} command displays the aging timer incorrectly. 3.7.12-3.7.16, 4.0.0-4.4.5
2550713Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes {{switchd}} to use high CPU due to very frequent VXLAN tunnel sync events. +To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration.4.1.1-4.4.5
2550704On the Mellanox SN3420 switch, 25G SR optics only link up in force mode.4.3.0-4.3.24.4.0-4.4.5
2550642ACLs with SPAN target and in-interface as bond member are not supported on Spectrum-based switches 4.2.0-4.4.5
2550444Tab completion for the {{net show rollback description}} command returns information about a snapshot instead of context help. +To work around this issue, run the {{net show commit history}} command to find descriptions instead of the {{net show rollback description}} command.3.7.12-3.7.16, 4.0.0-4.4.5
2550443The {{net show rollback description <string>}} command returns an error even if the string matches a commit description. +To work around this issue, look for your string in the output of the {{net show commit history}} command (or grep for it there) instead.3.7.12-3.7.16, 4.0.0-4.4.5
2550243When you use {{nginx}} and {{restserver}} in management VRF to provide a REST API for the switch, {{nginx}} starts but {{restserver}} fails to start. +To work around this issue, comment out the {{Requires=}} line in the {{/lib/systemd/system/restserver.service}}. For example: + +#Requires=nginx.service restserver.socket +3.7.12-3.7.16, 4.0.0-4.4.5
2550056The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error: + +error: invalid signature. +Press any key to continue... +3.7.12-3.7.16, 4.1.1-4.4.5
2549925When you run an Ansible script to replace the {{/etc/network/interfaces}} file, then run the {{ifreload -a}} command, you see errors similar to the following: + +error: swp1s1.2: netlink: cannot set link swp1s1.2 up: operation failed with 'Network is down' (100) +warning: cmd '/bin/ip addr del 10.0.0.1/24 dev eth0' failed: returned 2 (RTNETLINK answers: Cannot assign requested address + +To work around this issue, run the {{ifreload -a}} command a second time.3.7.12-3.7.16, 4.0.0-4.4.5
2549872If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, {{net commit}} or {{ifreload -a}} returns an error.3.7.12-3.7.16, 4.1.1-4.4.5
2549782The JSON format output of the {{net show bgp l2vpn evpn summary}} command shows the incorrect neighbour state. 3.7.12-3.7.16, 4.0.0-4.4.5
2549731When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example: + +[ebtables] +-A FORWARD --in-interface swp10 -j span --dport swp1 +3.7.12-3.7.16, 4.1.1-4.4.5
2549392When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the {{/etc/frr/frr.conf}} file. +To work around this issue, manually edit the {{etc/frr/frr.conf}} file to define {{advertise-all-vni}} before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the {{sudo systemctl reload frr}} command.4.1.0-4.4.5
2549371When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.3.7.11-4.3.24.4.0-4.4.5
2548924On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic.4.1.1-4.4.5
2548657When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following: + +W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3 +W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3 +W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3 + +You can safely ignore these error messages.3.7.12-3.7.16, 4.0.0-4.4.5
2548579The following security vulnerability has been announced: +CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.3.7.12, 4.0.0-4.4.53.7.13-3.7.16
2548315The following security advisory has been announced for bash: +CVE-2019-18276 Qualys scan QID 372268 setuid vulnerability +When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use {{enable -f}} for runtime loading of a new builtin that calls {{setuid()}} to regain dropped privileges. +To work around this issue, do not make bash or bash scripts {{setuid}}.3.7.12-3.7.16, 4.0.0-4.4.5
2548310When the system boots, we might see " cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys /devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1" errors. + +These errors are result of user space acting on kernel events a bit slow. The mlxsw_minimal driver is added during kernel boot; An SDK reset causes the driver to be deleted and re-instantiated; User space handler for thermal zone add sees the add first; But the underlying device is deleted before it can act on it. This situation is rectified as the mlxsw_minimal driver is re-instantiated later; +4.1.0-4.4.5
2548260The {{net add routing route-map <name> permit <seq> set community <comm>}} command does not add the set statement into the {{/etc/frr/frr.conf}} file.4.0.0-4.4.5
2548243On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules.3.7.3-3.7.16, 4.0.0-4.4.5
2548117In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support _traditional_ bridge mode with VMware NSX.3.7.12-3.7.16, 4.0.0-4.4.5
2548062When ports are split to 4x25G, RS FEC needs to explicitly configured on both ends (especially when interoperating with non-Mellanox switches).4.1.0-4.4.5
2548044When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor.3.7.12-3.7.15, 4.0.0-4.4.53.7.16
2547903CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. +Vulnerable: 2.9.4+dfsg1-7 +Fixed: 2.9.4+dfsg1-7+deb10u14.0.0-4.4.5
2547890QinQ across VXLAN on a traditional bridge does not work.4.1.0-4.4.5
2547782If a LLDP neighbor advertises a {{PortDescr}} that contains commas, {{ptmctl -d}} splits the string on the commas and misplaces its components in other columns.3.7.11-3.7.16, 4.0.0-4.4.5
2547706When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. +To work around this issue, reboot the switch.3.7.11-3.7.16, 4.0.0-4.4.5
2547405When you restart the {{hsflowd}} service, you see a {{systemd}} warning message similar to the following: + +Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'. +4.0.0-4.4.5
2547120After you hot swap a PSU, the {{decode-syseeprom -t psuX}} command shows the old PSU information (such as the serial number), until you run the {{decode-syseeprom --init}} command.3.7.11-3.7.16, 4.0.0-4.4.5
2546991The FRR service does not provide a way for automation to know if the configuration applied properly. +To work around this issue, execute the {{vtysh -f <file>}} command in the automation file before starting the FRR service to validate the functional configuration and return an error code.3.7.11-3.7.16, 4.0.0-4.4.5
2546895If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the {{switchd}} service might fail to send a {{systemd keepalive}} within the watchdog timeout value (2 minutes by default) and you see an error similar to the following: + +bq. systemd[1]: switchd.service watchdog timeout (limit 2min)! + +To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the {{systemd}} timeout for {{switchd.service}}. +To increase the {{systemd}} timeout: + +1.Edit the {{/etc/systemd/system/switchd.service.d/override.conf}} file and increase the {{WatchdogSec}} parameter. +2.Restart the {{switchd}} service with the {{sudo systemctl restart switchd.service}} command. +{{systemd}} attempts to restart the {{switchd}} service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the {{sudo systemctl reset-failed}} command followed by the {{sudo systemctl restart switchd}} command.3.7.11-3.7.16, 4.0.0-4.4.5
2546874On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the {{poweroff}} or {{halt}} commands does not fully power off the switch.4.0.0-4.4.5
2546255On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time.4.0.0-4.4.5
2546225When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. + + sudo onie-install -fai http://<path to image> + sudo reboot + + To work around this issue, use the {{onie-select}} command to access ONIE, and then use the {{nos-install}} command in ONIE to install a new binary image. 3.7.11-3.7.16, 4.0.0-4.4.5
2546131On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. +To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. +This workaround only works when an out-of-band network is present.3.7.11-3.7.16, 4.0.0-4.4.5
2545837If you use the NCLU commands to configure NTP and run the {{net add time ntp source <interface>}} command before you run the {{net add time ntp server <server> iburst}} command, the {{/etc/ntp.conf}} file is misconfigured. +To work around this issue, run the {{net add time ntp server <server> iburst}} command before you run the {{net add time ntp source <interface>}} command.3.7.10-3.7.11, 4.0.0-4.4.53.7.12-3.7.16
2545520The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages.3.7.10, 4.0.0-4.4.53.7.11-3.7.16
2545239On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. 4.0.0-4.3.24.4.0-4.4.5
2545233On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power.4.0.0-4.4.5
2545125If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. 3.7.10-3.7.16, 4.0.0-4.4.5
2544978If you delete an undefined bond, then add a bond slave, the {{net commit}} command fails.3.7.9-3.7.16, 4.0.0-4.4.5
2544968FRR configuration commands for an SVI interface might have the {{\n}} misplaced in the output. For example: + +sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf" + +should be: + +sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf" + +To work around this issue, configure the interface manually in the {{/etc/frr/frr.conf}} file.3.7.9-3.7.16, 4.0.0-4.4.5
2544957NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge.4.0.0-4.4.5
2544953When you update the hostname of a switch with the NCLU {{net add hostname <hostname>}} command, then run {{net commit}}, the {{lldpd}} service does not restart and other devices still see the old hostname. +To work around this issue, run the {{sudo systemctl restart lldpd.service}} command.3.7.10-3.7.16, 4.0.0-4.4.5
2544880When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5
2544723Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link.3.7.6-3.7.10, 4.0.0-4.4.53.7.11-3.7.16
2544463Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with {{ethtool -s swp<#> autoneg on}} returns {{Operation not supported}}. +To work around this issue, do not use auto-negotiation and set the local port speed to 10G.3.7.9-3.7.16, 4.0.0-4.4.5
2544456The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds.3.7.9-3.7.16, 4.0.0-4.4.5
2544311Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host.3.7.5-3.7.16, 4.0.0-4.4.5
2544155NCLU requires you to specify an interface with multiple {{address-virtual}} statements in ascending MAC address order. + +3.7.5-3.7.16, 4.0.0-4.4.5
2544113Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link. +To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge-learning off}} to the VLAN stanza in the {{etc/network/interfaces}} file.3.7.9-3.7.16, 4.0.0-4.4.5
2543937An interface alias configured outside FRR using {{iproute2}} is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out. +To work around this issue, remove the interface alias description from {{iproute2}}.3.7.8-3.7.10, 4.0.0-4.4.53.7.11-3.7.16
2543915When you enable a service in the management VRF, {{systemctl}} issues a warning similar to the following: + +Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit + +You can safely ignore this warning.4.0.0-4.4.5, 5.0.0-5.6.0
2543900On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address.3.7.8-3.7.16, 4.0.0-4.4.5
2543841The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. + 3.7.8-3.7.16, 4.0.0-4.4.5
2543816On the Dell S5248F-ON switch, {{smond}} might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. +3.7.6-3.7.11, 4.0.0-4.4.53.7.12-3.7.16
2543781NCLU does not allow you to configure OSPF NSSAs. For example: + +cumulus@switch:~$ net add ospf area 0.0.0.1 nssa +ERROR: Command not found. +net add ospf area 0.0.0.1 nssa + +To work around this issue, use FRR instead. For example: + +switch# configure terminal +switch(config)# router ospf +switch(config-router)# area 0.0.0.1 nssa +3.7.7-3.7.10, 4.0.0-4.4.53.7.11-3.7.16
2543724If a hostname contains utf-8 characters, the NCLU {{net show lldp}} command outputs the following error: + +ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) +See /var/log/netd.log for more details. +3.7.7-3.7.10, 4.0.0-4.4.53.7.11-3.7.16
2543646In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case).3.7.6-3.7.16, 4.0.0-4.4.5
2543401On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. +To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish.4.0.0-4.4.5
2543211In some cases, the {{switchd}} service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). +3.7.0-3.7.16, 4.0.0-4.4.5
2543164The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The {{net commit}} command succeeds even though the MTU is not changed as expected. +To work around this issue, change the MTU on all SVIs and the bridge manually in the {{/etc/network/interfaces}} file, then apply the change with the {{ifreload -a}} command.3.7.7-3.7.16, 4.0.0-4.4.5
2543096When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the {{/etc/network/interfaces}} file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. + 3.7.6-3.7.16, 4.0.0-4.4.5
2542945On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. +To work around this issue, configure the bridge with {{bridge-vlan-protocol 802.1ad}}: + +cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad + 3.7.6-3.7.16, 4.0.0-4.4.5
2542837On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. 3.7.6-3.7.8, 4.0.0-4.4.53.7.9-3.7.16
2542305If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the {{vlan-id}} and the raw-device bridge stanzas are not added automatically. + 3.7.6-3.7.16, 4.0.0-4.4.5
2542301When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. + 3.7.3-3.7.16, 4.0.0-4.4.5
2541212The {{maximum-prefix}} configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. 3.7.5-3.7.16, 4.0.0-4.4.5
2541029On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. +This issue only affects QinQ configurations. + 3.7.5-3.7.16, 4.0.0-4.4.5
2540753If the interface alias contains a single or double quotation mark, or an apostrophe, the {{net show configuration}} commands fail with the following error: + + ERROR: No closing quotation + See /var/log/netd.log for more details. + + 3.7.5-3.7.16, 4.0.0-4.4.5
2540444SNMP incorrectly requires engine ID specification. + 3.7.4-3.7.16, 4.0.0-4.4.5
2540352When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. + For example, this command is incorrect: + + net add routing route-map Proxy-ARP permit 25 match interface swp9-10 + + These commands are correct: + + net add routing route-map Proxy-ARP permit 25 match interface swp9 + net add routing route-map Proxy-ARP permit 30 match interface swp10 + + 3.7.2-3.7.16, 4.0.0-4.4.5
2540340NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the {{net add vrf <name>}} command just displays <ENTER>. For example: + + cumulus@switch:~$ net add vrf mgmt + <ENTER> + + Tab completion for the {{net add vrf <name> ip address <address>}} command works correctly. 3.7.4-3.7.16, 4.0.0-4.4.5
2540274On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route.3.7.5-3.7.16, 4.0.0-4.4.5
2540204When links come up after FRR is started, VRF connected routes do not get redistributed.3.7.4-3.7.16, 4.0.0-4.4.5
2540192The {{net del bridge bridge mcsnoop yes}} command does not return the value to the default of disabled. +To work around this issue, use the {{net add bridge bridge mcsnoop no}} command to delete the {{mcsnoop attribute}} and return to the default value.3.7.4-3.7.16, 4.0.0-4.4.5
2540155On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. + 3.7.3-3.7.16, 4.0.0-4.4.5
2540042When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the {{net commit}} command fails. + To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: + + cumulus@switch:~$ sudo vtysh + switch# configure terminal + switch(config)# interface br0.100 + switch(config-if)# vrrp 1 priority 110 + switch(config-if)# vrrp 1 advertisement-interval + switch(config-if)# end + switch# write memory + switch# exit + cumulus@switch:~ + + 3.7.4-3.7.16, 4.0.0-4.4.5
2540041On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. + To work around this issue, run the vtysh command inside FRR to change the default priority. For example: + + cumulus@switch:~$ sudo vtysh + switch# configure terminal + switch(config)# interface vlan100 + switch(config-if)# vrrp 1 priority 110 + switch(config-if)# end + switch# write memory + switch# exit + cumulus@switch:~ + + 3.7.4-3.7.16, 4.0.0-4.4.5
2540040Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. +To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example: + + cumulus@switch:~$ sudo vtysh + switch# configure terminal + switch(config)# interface swp4 + switch(config-if)# vrrp 1 version 2 + switch(config-if)# no vrrp 1 preempt + switch(config-if)# end + switch# write memory + switch# exit + cumulus@switch:~ + + 3.7.4-3.7.16, 4.0.0-4.4.5
2540031NCLU does not honor {{auto all}} in the {{/etc/network/interfaces}} file and removes the existing configuration if no individual {{auto <iface>}} lines exist. + 3.7.3-3.7.16, 4.0.0-4.4.5
2539994When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example: + +cumulus@switch:~$ net del bgp neighbor fabric peer-group +'router bgp 65001' configuration does not have 'neighbor fabric peer-group' + + 3.7.2-3.7.16, 4.0.0-4.4.5
2539962When an LDAP user that does not have NCLU privileges (either in the {{netshow}} or {{netedit}} group, or in the {{/etc/netd.conf}} file) runs an NCLU command, a traceback occurs instead of a permissions error. + 3.7.0-3.7.16, 4.0.0-4.4.5
2539670On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. + 3.7.2-3.7.16, 4.0.0-4.4.5
2539124The {{net add interface <interface> ptm-enable}} command adds {{no ptm-enable}} for that interface in the {{frr.conf}} file. + Running the {{net add}} or the {{net del}} command does not remove {{no ptm-enable}} from the {{frr.conf}} file. You have to remove it manually using vtysh. + 3.7.2-3.7.16, 4.0.0-4.4.5
2538790NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run {{net add vxlan <layer3-vni> bridge access <vlan>}}. This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. +To restore connectivity, remove the VLAN ID from the bridge. 3.7.2-3.7.16, 4.0.0-4.4.5
2538590When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. + 3.7.2-3.7.16, 4.0.0-4.4.5
2538562On an RMP/1G-T switch, when you remove {{link-speed 100}} with the NCLU command or by editing the {{etc/network/interfaces}} file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. +After you remove the link-speed, {{ethtool}} shows the advertised link modes as not reported and Speed/Duplex as unknown. +To work around this issue and bring the interface back up, either restart {{switchd}} or use ethtool to configure the speed, advertised, duplex or MDI-X settings. +Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G.3.7.2-3.7.16, 4.0.0-4.4.5
2538294If you use NCLU to create an iBGP peering across the peer link, running the {{net add bgp l2vpn evpn neighbor peerlink.4094 activate}} command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. 3.7.0-3.7.16, 4.0.0-4.4.5
2537699There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the {{/etc/default/isc-dhcp-relay}} file. For example, 1500 SVI interfaces causes the {{dhcrelay}} service to exit without a core file and logs similar to the following are generated for the interfaces: + + 2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 + 2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51 + + Eventually the {{dhcrelay}} service stops. + 3.7.1-3.7.16, 4.0.0-4.4.5
2537544When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB.3.7.1-3.7.16, 4.0.0-4.4.5
2536576If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. + 4.0.0-4.4.5
2536384The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. + 3.7.0-3.7.16, 4.0.0-4.4.5
2536256For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. + + A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type + IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 + + These packets are now policed by catch all rules. + To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. + 4.0.0-4.4.5
2536242On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. 4.0.0-4.4.5
2536179On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working.3.7.0-3.7.16, 4.0.0-4.4.5
2535986At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in {{No buffer space available}} error messages on protocol sockets. +When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a {{switchd}} restart.3.7.0-3.7.16, 4.0.0-4.4.5
2535965On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. +To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic.3.7.0-3.7.16, 4.0.0-4.4.5
2535723The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF.4.0.0-4.4.5
2535605FRR does not add BGP {{ttl-security}} to either the running configuration or to the {{/etc/frr/frr.conf}} file when configured on a peer group instead of a specific neighbor. +To work around this issue, add {{ttl-security}} to individual neighbors instead of the peer group.4.0.0-4.4.5
2535209The {{net show lldp}} command sometimes shows the port description in the {{Remote Port}} field. The {{net show interface}} command shows the correct value in the {{Remote Host}} field. +To work around this issue, use {{net show interface}} command for LLDP output when connected to Cisco equipment.3.7.5-3.7.10, 4.0.0-4.4.53.7.11-3.7.16
2534734Span rules matching the out-interface as a bond do not mirror packets.4.0.0-4.4.5
2533691If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the {{ifreload}} command does not resolve the conflict. +To work around this issue, correct the bridge VIDs and restart {{switchd}} or delete the subinterface. 3.7.12-3.7.16, 4.0.0-4.4.5
2533625PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default {{traffic.conf}} file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. 4.0.0-4.4.5
2533337When you use NCLU to bring a bond admin down ({{net add bond <bond> link down}}), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge. +To work around this issue, use the {{sudo ifdown <bondname>}} command.4.0.0-4.4.5
2531273In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. +To work around this issue, change the value of {{arp_ignore}} to 2. See [Address Resolution Protocol in the Cumulus Linux user guide|https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/] for more information.4.0.0-4.4.5
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Issue ID Description Affects
3647731CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. +Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). +For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.4.0.0-4.3.1, 5.0.0-5.6.0
3544701If BGP {{remote-as}} is set to an integer and you try to configure the {{local-as}} for a BGP instance, you see the following error: + +% AS specified for local as is the same as the remote as and this is not allowed. + +This configuration is not allowed; it is considered to be eBGP and local preference is not advertised.5.0.0-5.5.1
3534654On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.4.3.1
3486888If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.4.3.0-4.3.1
3479967When you remove VRF configuration, the {{systemctl reload frr.service}} command returns a non zero exit code after erroneously running the invalid command {{no exit-vrf}}.4.3.1
3455998When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the {{bgpun_pp.py}} pass persist script in the {{/etc/snmpd/snmpd.conf}} file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the {{sudo chmod +x /usr/share/snmp/bgpun_pp.py}} command.4.3.1
3448171If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter. + +This only impacts the default VRF and a default route learned dynamically. + +In order to recover from this condition:  + +1. Restart switchd.service (sudo systemctl restart switchd.service) + +OR +  +2. Reboot the switch (sudo reboot)4.3.1
3434315IPv6 BGP sessions in a VRF do not be establish with MD5 authentication.4.3.0-4.3.1
3419962On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: + +switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 +4.3.1
3419953If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a {{switchd}} crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the {{/etc/network/interfaces}} file.4.3.1
3413826During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors.5.0.0-5.4.0
3410952If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.3.7.0-4.3.1
3401121sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the {{hsflowd.conf}} file to enable egress sampling: + +samplingDirection=out +psample { group=1 } +4.3.0-4.3.1
3376798On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during {{switchd}} restart. The {{/var/log/switchd.log}} file includes the following exception logs shortly after {{switchd}} restarts: + +switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready + +MAC learning looks correct, but traffic does not flow as expected.3.7.0-4.3.1
3366612The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.4.3.1
3364996Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.4.3.0-4.3.1
3336590On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.4.3.0-4.3.1
3334036When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.3.1
3334031When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.3.1
3319919Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-4.3.1, 4.4.0-5.3.1
3288385On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.1
3288343When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below: + +ip route 0.0.0.0/1 10.1.1.1 +ip route 128.0.0.0/1 10.1.1.1 +4.3.1
3269538The {{cl-ecmpcalc}} command prints the following error when the egress interface is a bond or SVI: + +ecmpcalc: will query hardware +Traceback (most recent call last): +File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, in +isTrunkMbr, port = ecmp.getHdPort(hd_cmd) +File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPort +port = int(str4) +ValueError: invalid literal for int() with base 10: ‘0t +4.3.0-4.3.1
3267353In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. 4.3.1
3244739If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps.4.4.0-5.2.1
3236349Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the {{neighmgrd}} log.4.3.0-4.3.1
3235956With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, {{switchd}} allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.3.1
3234031If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-4.3.1
3191517When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes.4.3.0-4.3.1, 4.4.0-5.2.1
2555175Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps.3.7.15-4.3.1
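Review bot: Several added rows in this hunk carry text defects that change or obscure their meaning and should be corrected before merge. Rows 3334036 and 3334031 have word-for-word identical descriptions ("When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash."); confirm they are distinct issues or drop one. Row 2536384 says the iptables redirection rule "does differentiate between BFD and non-BFD VXLAN inner packets", which contradicts the reason given in the same sentence and reads like a missing "not". Row 2540042's workaround shows "vrrp 1 advertisement-interval" with no value, so the example cannot be entered as written. Rows 2544113 and 2538562 give the path as {{etc/network/interfaces}} without the leading slash used in the other rows. Smaller wording slips: 3434315 ("do not be establish"), 3234031 ("negating with no {{no neighbor <name> allowas-in}}") and 3448171 ("due to the CPU the rate-limiter"). The traceback quoted in row 3269538 uses typographic quotes and is cut off at "‘0t", so it will not match what users see on the switch or search for in logs; paste the raw output instead.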
@@ -11,8 +2210,8 @@ - - + + @@ -23,8 +2222,8 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn - - + + @@ -35,14 +2234,14 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn - - + + - - + + @@ -53,8 +2252,8 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn - - + + @@ -69,14 +2268,14 @@ In order to recover from this condition:  OR   2. Reboot the switch (sudo reboot) - - + + - - + + @@ -90,14 +2289,14 @@ OR switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 - - + + - - + + @@ -112,8 +2311,8 @@ switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ex samplingDirection=out psample { group=1 } - - + + @@ -122,20 +2321,20 @@ psample { group=1 } switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready MAC learning looks correct, but traffic does not flow as expected. - - + + - - + + - - + + @@ -146,14 +2345,14 @@ MAC learning looks correct, but traffic does not flow as expected. - - + + - - + + @@ -188,8 +2387,8 @@ MAC learning looks correct, but traffic does not flow as expected. - - + + @@ -213,32 +2412,32 @@ File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPort port = int(str4) ValueError: invalid literal for int() with base 10: ‘0t - - + + - - + + - - + + - - + + - - + + @@ -422,7 +2621,7 @@ Fixed: 1.9.2-1+deb10u1 - + @@ -453,7 +2652,7 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 thermal thermal_zoneX: critical temperature reached (33 C), shutting down - + @@ -565,6 +2764,12 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.4.4.2-4.4.5 + + + + + + @@ -684,7 +2889,7 @@ Fixed: 241-7~deb10u8 - + @@ -733,7 +2938,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- - + 
@@ -744,7 +2949,7 @@ sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error To work around this issue, restart {{switchd}}. - + @@ -752,7 +2957,7 @@ To work around this issue, restart {{switchd}}. - + @@ -770,14 +2975,14 @@ cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 - + - + @@ -785,7 +2990,7 @@ To work around this issue, add the MAC access list configuration to the end of t - + @@ -794,13 +2999,13 @@ Fixed: 4.3.1-6-cl3.7.16u1 result in denial of service and potentially the execution of arbitrary code. Vulnerable: <= 1.14.2-2+deb10u3 Fixed: 1.14.2-2+deb10u4 - + - + @@ -814,7 +3019,7 @@ This is an information leak in algorithm negotiation that can allow man-in-the-m - + @@ -822,7 +3027,7 @@ To work around this issue, start the MST service with the {{sudo mst start}} com - + @@ -830,7 +3035,7 @@ Fixed: 1.6.7-1+deb10u2 - + @@ -838,13 +3043,13 @@ Fixed: 1.8.3-1+deb10u1 - + - + @@ -855,7 +3060,7 @@ CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER secti CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4 Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 - + @@ -869,7 +3074,7 @@ See /var/log/netd.log for more details. - + @@ -877,7 +3082,7 @@ See /var/log/netd.log for more details. - + @@ -892,7 +3097,7 @@ Fixed: 2.8.0-cl3.7.15u3 Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure. Vulnerable: < 4.11.4+99-g8bce4698f6-1 Fixed: 4.11.4+99-g8bce4698f6-1 - + @@ -900,7 +3105,7 @@ Fixed: 4.11.4+99-g8bce4698f6-1 - + @@ -908,7 +3113,7 @@ Fixed: 1.9.1~dfsg-1+deb10u1 - + 
@@ -924,7 +3129,7 @@ CVE-2021-22876: libcurl did not strip user credentials from URL when populating CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check. Vulnerable: <= 7.64.0-4+deb10u1 Fixed: 7.64.0-4+deb10u2 - + @@ -932,7 +3137,7 @@ Fixed: 7.64.0-4+deb10u2 - + @@ -940,7 +3145,7 @@ Fixed: 4.3.2-1+deb10u3 - + @@ -948,13 +3153,13 @@ Fixed: 2.3.1+dfsg-1+deb10u2 - + - + @@ -967,7 +3172,7 @@ To recover from this state, flap the bond interface (not the physical swp) by ru - + @@ -975,7 +3180,7 @@ To recover from this state, flap the bond interface (not the physical swp) by ru - + @@ -983,13 +3188,13 @@ Fixed: 2.3.1+dfsg-1+deb10u1 - + - + @@ -1002,7 +3207,7 @@ To work around this issue, either use the {{vtysh}} commands or edit the {{/etc/ - + @@ -1015,14 +3220,14 @@ CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdl CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser. CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. - + - + @@ -1030,7 +3235,7 @@ Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 - + @@ -1049,7 +3254,7 @@ To work around this issue, run the {{/usr/bin/clagctl verifyvlans}} command or t - + @@ -1115,9 +3320,9 @@ This error has no functional impact. - - - + + + @@ -1174,7 +3379,7 @@ To work around this issue, configure a static route in FRR. - + @@ -1392,7 +3597,7 @@ To work around this issue, do not enslave the subinterface of a VXLAN layer 3 up - + @@ -1478,7 +3683,7 @@ To work around this issue, manually edit the {{etc/frr/frr.conf}} file to define - + @@ -1665,7 +3870,7 @@ To work around this issue, run the {{net add time ntp server <server> ibur - + 
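Review bot: In the hunk at @@ -1015,14 +3220,14 @@, the unchanged entry that mentions grub_parser_split_cmdl ends its list with "CVE-2021-2023: A heap out-of-bound write flaw ...", an identifier one digit shorter than its neighbours in the same list (CVE-2020-27779, CVE-2021-20225), so it reads as truncated. The rows around it are rewritten in this change, so please check that identifier against the advisory the entry was generated from and correct it in the release-note source data, so that a search of the notes by CVE number finds this entry.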
diff --git a/content/cumulus-linux-44/Whats-New/rn.md b/content/cumulus-linux-44/Whats-New/rn.md index 8fb21f3064..864aff6b0c 100644 --- a/content/cumulus-linux-44/Whats-New/rn.md +++ b/content/cumulus-linux-44/Whats-New/rn.md @@ -14,30 +14,13 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | -| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | 5.6.0| -| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1-4.4.5 | | | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| -| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1-4.4.5 | | -| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1-4.4.5 | | -| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.4.5 | | | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1-4.4.5 | | -| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1-4.4.5 | | -| [3418045](#3418045)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.4.5 | | | [3387852](#3387852)
None | If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | | [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | -| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1-4.4.5 | | -| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.4.5 | | -| [3364717](#3364717)
None | On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.4.5 | | -| [3358865](#3358865)
None | When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
| 4.3.1-4.4.5 | | -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| -| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.4.5 | | +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3333064](#3333064)
None | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 4.4.0-5.3.1 | 5.4.0-5.6.0| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | @@ -46,20 +29,13 @@ pdfhidden: True | [3293110](#3293110)
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | | [3291548](#3291548)
None | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.6.0| -| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1-4.4.5 | | | [3288156](#3288156)
None | When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 4.4.3-5.1.0 | 5.2.0-5.6.0| | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | | [3270988](#3270988)
| After restarting switchd on the NVIDIA SN2100 switch, the FAN speeds are at one hundred percent. To work around this issue, restart the hw-management service. | 4.4.5-5.2.0 | 5.2.1-5.6.0| -| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.4.5 | | | [3269537](#3269537)
None | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.6.0| -| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1-4.4.5 | | -| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 5.3.0-5.6.0| -| [3240406](#3240406)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-5.3.1 | 5.4.0-5.6.0| +| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3236366](#3236366)
None | When you run docker commands, the command process might crash. The crash can occur during the apt upgrade process, where you can run docker commands implicitly. To work around this issue, run ulimit -v unlimited before running docker commands. | 4.4.5 | | -| [3236334](#3236334)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.4.5 | | -| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.4.5 | | | [3235368](#3235368)
| When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command. | 4.4.4-5.2.1 | 5.3.0-5.6.0| -| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-5.2.1 | 5.3.0-5.6.0| | [3227677](#3227677)
| When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-5.2.1 | 5.3.0-5.6.0| | [3226579](#3226579)
None | The net show interface detail command output shows Type=Unknown for the specified interface. | 4.4.3-4.4.5 | | | [3221470](#3221470)
None | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.6.0| @@ -70,7 +46,7 @@ pdfhidden: True | [3211359](#3211359)
| The net show interface detail command output shows Type=Unknown for the specified interface. | 4.4.3-5.0.1 | 5.1.0-5.6.0| | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.6.0| | [3209699](#3209699)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port 
| 4.4.4-5.1.0 | 5.2.0-5.6.0| @@ -139,6 +115,7 @@ pdfhidden: True | [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.6.0| +| [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2763819](#2763819)
| When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | | | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -182,7 +159,6 @@ pdfhidden: True | [2555763](#2555763)
CM-32861 | The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
CM-32786 | The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
CM-32612 | If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | | [2554986](#2554986)
CM-32416 | The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
CM-32296 | If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554783](#2554783)
CM-32274 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -329,30 +305,13 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | -| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | 5.6.0| -| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1-4.4.5 | | | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| -| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1-4.4.5 | | -| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1-4.4.5 | | -| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.4.5 | | | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1-4.4.5 | | -| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1-4.4.5 | | -| [3418045](#3418045)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.4.5 | | | [3387852](#3387852)
None | If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | | [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | -| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1-4.4.5 | | -| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.4.5 | | -| [3364717](#3364717)
None | On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.4.5 | | -| [3358865](#3358865)
None | When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
| 4.3.1-4.4.5 | | -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| -| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.4.5 | | +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3333064](#3333064)
None | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 4.4.0-5.3.1 | 5.4.0-5.6.0| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | @@ -361,18 +320,11 @@ pdfhidden: True | [3293110](#3293110)
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | | [3291548](#3291548)
None | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.6.0| -| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1-4.4.5 | | | [3288156](#3288156)
None | When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 4.4.3-5.1.0 | 5.2.0-5.6.0| | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | -| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.4.5 | | | [3269537](#3269537)
None | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.6.0| -| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1-4.4.5 | | -| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 5.3.0-5.6.0| -| [3240406](#3240406)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-5.3.1 | 5.4.0-5.6.0| -| [3236334](#3236334)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.4.5 | | -| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.4.5 | | +| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3235368](#3235368)
| When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command. | 4.4.4-5.2.1 | 5.3.0-5.6.0| -| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-5.2.1 | 5.3.0-5.6.0| | [3227677](#3227677)
| When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-5.2.1 | 5.3.0-5.6.0| | [3226579](#3226579)
None | The net show interface detail command output shows Type=Unknown for the specified interface. | 4.4.3-4.4.5 | | | [3221470](#3221470)
None | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
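Review bot: The re-added 3244740 row lists 4.3.2 under Fixed, but its Affects range is still 4.4.0-5.2.1, which never covered any 4.3.x release, so the row records a fix in a release it does not list as affected. Either extend Affects to cover the 4.3.x releases that had the problem, as the 3351951 row earlier in this table does with "4.2.1-4.3.1, 4.4.0-5.3.1", or drop 4.3.2 from Fixed.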
| 4.4.0-5.1.0 | 5.2.0-5.6.0| @@ -384,7 +336,7 @@ pdfhidden: True | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.6.0| | [3209699](#3209699)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.6.0| | [3205701](#3205701)
None | A firmware upgrade has been implemented to optimize the PCIe bus between the CPU and Spectrum ASIC on NVIDIA SN4700, SN4600, SN4600C, and SN4410 switches manufactured with 0x26 1 17 in EEPROM. Affected switches will not boot properly without this firmware upgrade. To see the EEPROM value, run the onie-syseeprom command from ONIE or run the decode-syseeprom command from Cumulus Linux. | 4.4.4, 5.2.0 | 4.4.5, 5.2.1-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port 
| 4.4.4-5.1.0 | 5.2.0-5.6.0| @@ -453,6 +405,7 @@ pdfhidden: True | [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.6.0| +| [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2763819](#2763819)
| When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | | | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -496,7 +449,6 @@ pdfhidden: True | [2555763](#2555763)
CM-32861 | The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
CM-32786 | The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
CM-32612 | If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | | [2554986](#2554986)
CM-32416 | The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
CM-32296 | If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554783](#2554783)
CM-32274 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -668,29 +620,12 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | -| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | 5.6.0| -| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1-4.4.5 | | | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| -| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1-4.4.5 | | -| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1-4.4.5 | | -| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.4.5 | | | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1-4.4.5 | | -| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1-4.4.5 | | -| [3418045](#3418045)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.4.5 | | | [3387852](#3387852)
None | If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | -| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1-4.4.5 | | -| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.4.5 | | -| [3364717](#3364717)
None | On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.4.5 | | -| [3358865](#3358865)
None | When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
| 4.3.1-4.4.5 | | -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| -| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.4.5 | | +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3333064](#3333064)
None | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 4.4.0-5.3.1 | 5.4.0-5.6.0| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
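Review bot: The first removed row in this table, 3647731 (CVE-2023-38408), carries the ssh-agent mitigation text and has Affects 4.0.0-4.4.5, 5.0.0-5.6.0 with an empty Fixed column, so deleting it drops a security advisory for releases the row itself lists as affected, without recording a fix anywhere in the hunk. If 4.3.2 counts as mitigated because /usr/bin/ssh-agent is set to chmod 0, keep the row and split the range the way this hunk does for 3351951 (Affects "4.2.1-4.3.1, 4.4.0-5.3.1", Fixed "4.3.2, 5.4.0-5.6.0"); otherwise leave the row in place. The same question applies to the removed 3366612 row about the v4.19.273 kernel update and its CVE fixes, which also had Affects 4.3.1-4.4.5 and no Fixed entry.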
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | @@ -700,17 +635,10 @@ pdfhidden: True | [3293110](#3293110)
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | | [3291548](#3291548)
None | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.6.0| -| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1-4.4.5 | | | [3288156](#3288156)
None | When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 4.4.3-5.1.0 | 5.2.0-5.6.0| | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | -| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.4.5 | | | [3269537](#3269537)
None | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.6.0| -| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1-4.4.5 | | -| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 5.3.0-5.6.0| -| [3240406](#3240406)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-5.3.1 | 5.4.0-5.6.0| -| [3236334](#3236334)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.4.5 | | -| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.4.5 | | -| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-5.2.1 | 5.3.0-5.6.0| +| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3226579](#3226579)
None | The net show interface detail command output shows Type=Unknown for the specified interface. | 4.4.3-4.4.5 | | | [3221470](#3221470)
None | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.6.0| | [3218207](#3218207)
None | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| @@ -720,7 +648,7 @@ pdfhidden: True | [3211359](#3211359)
| The net show interface detail command output shows Type=Unknown for the specified interface. | 4.4.3-5.0.1 | 5.1.0-5.6.0| | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.6.0| | [3209699](#3209699)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.6.0| @@ -802,6 +730,7 @@ pdfhidden: True | [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.6.0| +| [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2763819](#2763819)
| When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | | | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -845,7 +774,6 @@ pdfhidden: True | [2555763](#2555763)
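Review bot: The row added for 2771653 (W-ECMP weights) in the `@@ -802,6 +730,7 @@` hunk describes the symptom only loosely ("in the range of 100s or more", "a lot of hardware space") and gives no observable effect or workaround, while its Fixed column is empty. Suggest stating what the operator sees when the hardware space runs out and, if a workaround exists, adding it in the form the neighbouring rows use ("To work around this issue, ..."). The same row is added again in the `@@ -1130,6 +1034,7 @@` hunk, so the wording needs the same change there.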
CM-32861 | The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
CM-32786 | The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
CM-32612 | If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | | [2554986](#2554986)
CM-32416 | The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
CM-32296 | If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554783](#2554783)
CM-32274 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -998,29 +926,12 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | -| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | 5.6.0| -| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1-4.4.5 | | | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| -| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1-4.4.5 | | -| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1-4.4.5 | | -| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.4.5 | | | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1-4.4.5 | | -| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1-4.4.5 | | -| [3418045](#3418045)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.4.5 | | | [3387852](#3387852)
None | If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | -| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1-4.4.5 | | -| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.4.5 | | -| [3364717](#3364717)
None | On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.4.5 | | -| [3358865](#3358865)
None | When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
| 4.3.1-4.4.5 | | -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| -| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.4.5 | | +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3333064](#3333064)
None | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 4.4.0-5.3.1 | 5.4.0-5.6.0| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | @@ -1030,16 +941,9 @@ pdfhidden: True | [3293110](#3293110)
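Review bot: The `@@ -998,29 +926,12 @@` hunk deletes the CVE-2023-38408 row (3647731) outright, although its Affects column reads `4.0.0-4.4.5, 5.0.0-5.6.0` with nothing under Fixed, and the row carries the mitigation guidance for the ssh-agent issue (no agent forwarding, or `-P` to restrict the PKCS#11 libraries). Rows in this hunk that gain a 4.3.2 fix, such as 3351951, are re-added with the Affects range split and `4.3.2` under Fixed. If the chmod 0 change described for 4.3.2 is meant to count as the fix, the CVE row should get the same treatment rather than disappear. Please confirm the removal is intended for this table and that the mitigation text stays reachable from it.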
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | | [3291548](#3291548)
None | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.6.0| -| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1-4.4.5 | | | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | -| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.4.5 | | | [3269537](#3269537)
None | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.6.0| -| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1-4.4.5 | | -| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 5.3.0-5.6.0| -| [3240406](#3240406)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-5.3.1 | 5.4.0-5.6.0| -| [3236334](#3236334)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.4.5 | | -| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.4.5 | | -| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-5.2.1 | 5.3.0-5.6.0| +| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3221470](#3221470)
None | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.6.0| | [3218207](#3218207)
None | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| @@ -1047,7 +951,7 @@ pdfhidden: True | [3216759](#3216759)
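Review bot: In the `@@ -1030,16 +941,9 @@` hunk, the re-added 3244740 row now lists `4.3.2` under Fixed while its Affects column is still `4.4.0-5.2.1`, a range that contains no 4.3.x release. The rows for 3351951 and 3192808 split Affects (`4.2.1-4.3.1, 4.4.0-5.3.1` and `4.3.0-4.3.1, 4.4.0-5.2.1`) when 4.3.2 is added to Fixed. Either 3244740 needs a 4.3.x range under Affects, or `4.3.2` does not belong under Fixed.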
None | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.6.0| | [3209699](#3209699)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.6.0| @@ -1130,6 +1034,7 @@ pdfhidden: True | [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.6.0| +| [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2763819](#2763819)
| When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | | | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -1173,7 +1078,6 @@ pdfhidden: True | [2555763](#2555763)
CM-32861 | The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
CM-32786 | The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
CM-32612 | If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | | [2554986](#2554986)
CM-32416 | The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
CM-32296 | If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554783](#2554783)
CM-32274 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -1353,51 +1257,27 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | -| [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | 5.6.0| -| [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1-4.4.5 | | | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| -| [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1-4.4.5 | | -| [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1-4.4.5 | | -| [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.4.5 | | | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1-4.4.5 | | -| [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1-4.4.5 | | -| [3418045](#3418045)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | 5.5.0-5.6.0| -| [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.4.5 | | | [3387852](#3387852)
None | If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | -| [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-3.7.16, 4.3.1-4.4.5 | | -| [3366612](#3366612)
| The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues. | 4.3.1-4.4.5 | | -| [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.4.5 | | -| [3364717](#3364717)
None | On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.4.5 | | -| [3358865](#3358865)
None | When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below:
ip route 0.0.0.0/1 10.1.1.1ip route 128.0.0.0/1 10.1.1.1
| 4.3.1-4.4.5 | | -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| -| [3334031](#3334031)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.4.5 | | +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3333064](#3333064)
None | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 4.4.0-5.3.1 | 5.4.0-5.6.0| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3321391](#3321391)
None | On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. | 4.2.1-5.3.1 | 5.4.0-5.6.0| | [3303105](#3303105)
None | Clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event which is typically driven by a peerlink up event:
unhandled exception:
Traceback (most recent call last):
File "/usr/sbin/clagd", line 1304, in PeerRecvT
PeerRecv()
File "/usr/sbin/clagd", line 513, in PeerRecv
ParseProtoBufMessage(nlm, myPeerMsg)
File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage
msgData = FdbSync.ParseProtoBufMessage(msgHdr)
File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage
msgData.ParseFromString(msgHdr.data)
google.protobuf.message.DecodeError: Error parsing message | 4.4.0-4.4.5 | | | [3291548](#3291548)
None | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.6.0| -| [3288385](#3288385)
| On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs. | 4.3.1-4.4.5 | | -| [3269538](#3269538)
None | The cl-ecmpcalc command prints the following error when the egress interface is a bond or SVI:
ecmpcalc: will query hardwareTraceback (most recent call last):File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, inisTrunkMbr, port = ecmp.getHdPort(hd_cmd)File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPortport = int(str4)ValueError: invalid literal for int() with base 10: ‘0t
| 4.3.0-4.4.5 | | | [3269537](#3269537)
None | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.6.0| -| [3267353](#3267353)
| In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. | 4.3.1-4.4.5 | | -| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 5.3.0-5.6.0| -| [3240406](#3240406)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-5.3.1 | 5.4.0-5.6.0| -| [3236334](#3236334)
None | Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.3.0-4.4.5 | | -| [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.4.5 | | -| [3234031](#3234031)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-5.2.1 | 5.3.0-5.6.0| +| [3244740](#3244740)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3221470](#3221470)
None | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.6.0| | [3218207](#3218207)
None | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| | [3216922](#3216922)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.6.0| | [3216921](#3216921)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-3.7.16, 4.3.0-4.4.5 | | | [3216759](#3216759)
None | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3209699](#3209699)
None | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3138746](#3138746)
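Review bot: The removed rows 3358865, 3334031, 3288385, 3269538, 3267353, 3236334 and 3235956 all have an empty fixed column, so this hunk drops open known issues without recording any release that resolves them. Rows 3334031 and 3240406 carry the same text (memory corruption that can crash BGP when a peer and interface towards a host are configured or unconfigured) and both are removed, which leaves that crash undocumented for 4.3.0-4.4.5. Please confirm the removals are intentional; for any issue that is resolved, keep the row and fill in the fixed release, as the re-added rows 3351951, 3244740 and 3192808 do with 4.3.2. Separately, the unchanged rows 3216922, 3216921 and 3209699 repeat one RADIUS description (read-only users able to run edit commands) with ranges that disagree: 3209699 lists 4.3.1 as fixed while 3216921 lists 4.3.0-4.4.5 as affected with no fix. For an authorization issue the affected range should be unambiguous.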
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.6.0| @@ -1480,6 +1360,7 @@ pdfhidden: True | [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.6.0| | [2771871](#2771871)
| IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address
This affects failed neighbor entries on routed interfaces that are not SVIs. | 4.3.0-4.4.1 | 4.4.2-4.4.5| +| [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2763819](#2763819)
| When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | | | [2755614](#2755614)
| When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.6.0| | [2754791](#2754791)
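Review bot: The added row 2771653 describes only a symptom (W-ECMP weights "in the range of 100s or more" consuming hardware space) and gives no workaround, no statement of what fails once the space is exhausted, and no fixed release for 4.3.0-4.4.5. Suggest stating the operator-visible effect and any mitigation, and replacing "100s or more" with the actual bound if one is known.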
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | @@ -1537,7 +1418,6 @@ pdfhidden: True | [2555763](#2555763)
CM-32861 | The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline 2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad 2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
CM-32786 | The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
CM-32612 | If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
CM-32528 | Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link. | 3.7.15-3.7.16, 4.2.1-4.4.5 | | | [2554986](#2554986)
CM-32416 | The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
CM-32296 | If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554783](#2554783)
CM-32274 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
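Review bot: The removed row 2555175 (CM-32528) has an empty fixed column and an affected range of 3.7.15-3.7.16, 4.2.1-4.4.5, so deleting it takes a documented control plane outage (BGP peering going down on hold timer expiry after prolonged link flaps on VXLAN-enabled downlinks) out of the list with no release recorded as fixing it. If the issue is resolved, keep the row and fill in the fixed release; if it was folded into another issue ID, name that ID in the commit message.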
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.6.0| @@ -1677,66 +1557,66 @@ pdfhidden: True ### Fixed Issues in 4.4.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [2828927](#2828927)
| An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.1 | | +| [2828927](#2828927)
| An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.2 | | | [2734173](#2734173)
| The Mellanox 100G transceiver MMA1L30-CM Rev A3 is not recognized on the SN4600 switch even though the link is up. The ethtool output shows the error Cannot get Module EEPROM data: Invalid argument. | | | | [2728138](#2728138)
CM-33237 | CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u4
Fixed: 2.4.47+dfsg-3+deb10u5 | 4.0.0-4.3.0 | | -| [2728134](#2728134)
| CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
Fixed: 2.4.47+dfsg-3+deb10u6 | 4.0.0-4.3.1 | | -| [2695526](#2695526)
| CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: 3.4.1-1Fixed: 3.4.1-1+deb10u1 | 4.0.0-4.3.1 | | +| [2728134](#2728134)
| CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets.
Vulnerable: <= 2.4.47+dfsg-3+deb10u5
Fixed: 2.4.47+dfsg-3+deb10u6 | 4.0.0-4.3.2 | | +| [2695526](#2695526)
| CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures
Vulnerable: 3.4.1-1Fixed: 3.4.1-1+deb10u1 | 4.0.0-4.3.2 | | | [2691506](#2691506)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.3.0 | | -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.1 | | -| [2687159](#2687159)
| CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed
Vulnerable: 0.6.1-2Fixed: 0.6.1-2+deb10u1 | 4.0.0-4.3.1 | | +| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.2 | | +| [2687159](#2687159)
| CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed
Vulnerable: 0.6.1-2Fixed: 0.6.1-2+deb10u1 | 4.0.0-4.3.2 | | | [2684418](#2684418)
| If you configure items in a VRF that has been created, deleted, then re-created, staticd crashes. | 4.3.0 | | -| [2682971](#2682971)
| CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed
Vulnerable: 0.12.2+cl4u1Fixed: 0.12.2+cl4.4.0u1 | 4.0.0-4.3.1 | | -| [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.1 | | -| [2679948](#2679948)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.1 | | +| [2682971](#2682971)
| CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed
Vulnerable: 0.12.2+cl4u1Fixed: 0.12.2+cl4.4.0u1 | 4.0.0-4.3.2 | | +| [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.2 | | +| [2679948](#2679948)
| CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash
Vulnerable: <= 4.3.1-6-cl3.7.14u1Fixed: 4.3.1-6-cl3.7.16u1 | 3.7.0-3.7.15, 4.0.0-4.3.2 | | | [2679936](#2679936)
| Following an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer-ip-mismatch. This behavior is seen when you use a clagd-peer-ip linklocal configuration. | 4.3.0 | | | [2677049](#2677049)
CM-33247 | CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687: Several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, could result in denial of service, cache poisoning or the execution of arbitrary code. | 4.0.0-4.3.0 | | -| [2671667](#2671667)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which couldresult in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.14.2-2+deb10u3Fixed: 1.14.2-2+deb10u4 | 4.0.0-4.3.1 | | -| [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.1 | | -| [2669073](#2669073)
| On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command. | 4.3.0-4.3.1 | | -| [2666838](#2666838)
| CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code
Vulnerable: <= 1.6.7-1+deb10u1Fixed: 1.6.7-1+deb10u2 | 4.0.0-4.3.1 | | -| [2663479](#2663479)
| CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption
Vulnerable: 1.8.3-1Fixed: 1.8.3-1+deb10u1 | 4.0.0-4.3.1 | | -| [2656527](#2656527)
| CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.40.1-6Fixed: 2.40.1-6+deb10u1 | 4.0.0-4.3.1 | | -| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.1 | | +| [2671667](#2671667)
| CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which couldresult in denial of service and potentially the execution of arbitrary code
Vulnerable: <= 1.14.2-2+deb10u3Fixed: 1.14.2-2+deb10u4 | 4.0.0-4.3.2 | | +| [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.2 | | +| [2669073](#2669073)
| On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command. | 4.3.0-4.3.2 | | +| [2666838](#2666838)
| CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code
Vulnerable: <= 1.6.7-1+deb10u1Fixed: 1.6.7-1+deb10u2 | 4.0.0-4.3.2 | | +| [2663479](#2663479)
| CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption
Vulnerable: 1.8.3-1Fixed: 1.8.3-1+deb10u1 | 4.0.0-4.3.2 | | +| [2656527](#2656527)
| CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file
Vulnerable: 2.40.1-6Fixed: 2.40.1-6+deb10u1 | 4.0.0-4.3.2 | | +| [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.2 | | | [2648587](#2648587)
CM-29978 | The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | | | [2644072](#2644072)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | | -| [2644053](#2644053)
| The following vulnerabilities have been announced in BIND:CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 | 4.0.0-4.3.1 | | +| [2644053](#2644053)
| The following vulnerabilities have been announced in BIND:CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service
CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query
CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 | 4.0.0-4.3.2 | | | [2643822](#2643822)
None | On a Mellanox Spectrum-2 switch, after running the systemctl restart networking service command on the MLAG primary switch, the secondary switch also closes its ports. To work around this issue, run the ifreload -a command to restart networking. | 4.2.1-4.3.0 | | | [2638106](#2638106)
None | The NCLU net show route vrf summary and vtysh show [ip\|ipv6] route vrf summary commands do not return any output. | 4.3.0 | | | [2637554](#2637554)
None | The cl-acltool takes a significant amount of time to run, which can slow down automation scripts. | 4.2.0-4.3.0 | | | [2633061](#2633061)
| The following vulnerability affects the libgstreamer-plugins-base1.0-0 package. There is no CVE yet; the Debian advisory number is DSA-4903-1
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened
Vulnerable: 1.14.4-2Fixed: 1.14.4-2+deb10u1 | 4.0.0-4.3.0 | | -| [2632379](#2632379)
| When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly. | 4.3.0-4.3.1 | | +| [2632379](#2632379)
| When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly. | 4.3.0-4.3.2 | | | [2628693](#2628693)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-3.7.15, 4.2.1-4.3.0 | | | [2628588](#2628588)
| After rebooting a switch with PFC configurations, non-PFC enabled ports might not send or receive traffic correctly. | | | -| [2628513](#2628513)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.1 | | -| [2617000](#2617000)
| CVE-2021-26933 CVE-2021-27379Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure
Vulnerable: < 4.11.4+99-g8bce4698f6-1Fixed: 4.11.4+99-g8bce4698f6-1 | 4.0.0-4.3.1 | | -| [2616998](#2616998)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.9.1~dfsg-1Fixed: 1.9.1~dfsg-1+deb10u1 | 4.0.0-4.3.1 | | -| [2616987](#2616987)
| CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image
Vulnerable: <= 2.3.0-2+deb10u1Fixed: 2.3.0-2+deb10u2 | 4.0.0-4.3.1 | | -| [2616976](#2616976)
| Multiple vulnerabilities were discovered in cURL, an URL transfer library:CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OSCP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1Fixed: 7.64.0-4+deb10u2 | 4.0.0-4.3.1 | | -| [2616967](#2616967)
| CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack
Vulnerable: <= 4.3.2-1+deb10u2Fixed: 4.3.2-1+deb10u3 | 4.0.0-4.3.1 | | -| [2616964](#2616964)
| CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service
Vulnerable: <= 2.3.1+dfsg-1+deb10u1Fixed: 2.3.1+dfsg-1+deb10u2 | 4.0.0-4.3.1 | | -| [2616954](#2616954)
| CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service
Vulnerable: <= 1.1.1d-0+deb10u5Fixed: 1.1.1d-0+deb10u6 | 4.0.0-4.3.1 | | -| [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.1 | | -| [2582639](#2582639)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.1 | | -| [2578872](#2578872)
| CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service
Vulnerable: 2.3.1+dfsg-1Fixed: 2.3.1+dfsg-1+deb10u1 | 4.0.0-4.3.1 | | -| [2578870](#2578870)
| CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u1Fixed: 4.1.0+git191117-2~deb10u2 | 4.0.0-4.3.1 | | +| [2628513](#2628513)
| CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service
Vulnerable: <= 2.8.0-cl3.7.15u2Fixed: 2.8.0-cl3.7.15u3 | 3.7.14-3.7.14.2, 4.3.0-4.3.2 | | +| [2617000](#2617000)
| CVE-2021-26933 CVE-2021-27379Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure
Vulnerable: < 4.11.4+99-g8bce4698f6-1Fixed: 4.11.4+99-g8bce4698f6-1 | 4.0.0-4.3.2 | | +| [2616998](#2616998)
| CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code
Vulnerable: 1.9.1~dfsg-1Fixed: 1.9.1~dfsg-1+deb10u1 | 4.0.0-4.3.2 | | +| [2616987](#2616987)
| CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image
Vulnerable: <= 2.3.0-2+deb10u1Fixed: 2.3.0-2+deb10u2 | 4.0.0-4.3.2 | | +| [2616976](#2616976)
| Multiple vulnerabilities were discovered in cURL, an URL transfer library:CVE-2020-8169: partial password leak to DNS servers
CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file
CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection
CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port
CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION)
CVE-2020-8286: failure to verify that OSCP response matches intended certificate
CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header
CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check
Vulnerable: <= 7.64.0-4+deb10u1Fixed: 7.64.0-4+deb10u2 | 4.0.0-4.3.2 | | +| [2616967](#2616967)
| CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack
Vulnerable: <= 4.3.2-1+deb10u2Fixed: 4.3.2-1+deb10u3 | 4.0.0-4.3.2 | | +| [2616964](#2616964)
| CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service
Vulnerable: <= 2.3.1+dfsg-1+deb10u1Fixed: 2.3.1+dfsg-1+deb10u2 | 4.0.0-4.3.2 | | +| [2616954](#2616954)
| CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service
Vulnerable: <= 1.1.1d-0+deb10u5Fixed: 1.1.1d-0+deb10u6 | 4.0.0-4.3.2 | | +| [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.2 | | +| [2582639](#2582639)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.2 | | +| [2578872](#2578872)
| CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service
Vulnerable: 2.3.1+dfsg-1Fixed: 2.3.1+dfsg-1+deb10u1 | 4.0.0-4.3.2 | | +| [2578870](#2578870)
| CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed
Vulnerable: <= 4.1.0+git191117-2~deb10u1Fixed: 4.1.0+git191117-2~deb10u2 | 4.0.0-4.3.2 | | | [2578845](#2578845)
CM-30832 | The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | -| [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.1 | | -| [2566878](#2566878)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | | -| [2564534](#2564534)
| Several vulnerabilities have been discovered in the GRUB2 bootloader
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. | 4.0.0-4.3.1 | | +| [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.2 | | +| [2566878](#2566878)
| CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | | +| [2564534](#2564534)
| Several vulnerabilities have been discovered in the GRUB2 bootloader
CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled
CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command
CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization
CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline
CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled
CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser
CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. | 4.0.0-4.3.2 | | | [2556814](#2556814)
CM-33419 | When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0 | | -| [2556781](#2556781)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.1 | | -| [2556777](#2556777)
CM-33395 | CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1 | 4.0.0-4.3.1 | | +| [2556781](#2556781)
CM-33398 | CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution.
Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 | 3.7.14-3.7.14.2, 4.0.0-4.3.2 | | +| [2556777](#2556777)
CM-33395 | CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence.
Vulnerable: 4.6.2-3
Fixed: 4.6.2-3+deb10u1 | 4.0.0-4.3.2 | | | [2556774](#2556774)
CM-33393 | DSA-4859-1 (no CVE): zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions.
Vulnerable: <= 1.3.8+dfsg-3+deb10u1
Fixed: 1.3.8+dfsg-3+deb10u2 | 4.0.0-4.3.0 | | | [2556762](#2556762)
CM-33385 | In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 | | -| [2556730](#2556730)
CM-33359 | CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 | 4.0.0-4.3.1 | | +| [2556730](#2556730)
CM-33359 | CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.
Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2
Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 | 4.0.0-4.3.2 | | | [2556690](#2556690)
CM-33334 | The following vulnerabilities have been announced in the openssl packages:
CVE-2021-23840: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained
within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.
CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
Vulnerable: <= 1.1.1d-0+deb10u4
Fixed: 1.1.1d-0+deb10u5 | 4.0.0-4.3.0 | | -| [2556658](#2556658)
CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability
Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.1 | | +| [2556658](#2556658)
CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability
Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.2 | | | [2556568](#2556568)
CM-33283 | DSA-4850-1 (no CVE): libzstd adds read permissions to files while being compressed or uncompressed.
Vulnerable: 1.3.8+dfsg-3
Fixed: 1.3.8+dfsg-3+deb10u1 | 4.0.0-4.3.0 | | | [2556499](#2556499)
CM-33258 | Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.0 | | | [2554797](#2554797)
CM-32286 | On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP. | 4.2.0-4.3.0 | | -| [2554299](#2554299)
CM-31962 | In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.1 | | -| [2550704](#2550704)
| On the Mellanox SN3420 switch, 25G SR optics only link up in force mode. | 4.3.0-4.3.1 | | -| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.1 | | -| [2545239](#2545239)
CM-27099 | On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.1 | | +| [2554299](#2554299)
CM-31962 | In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.2 | | +| [2550704](#2550704)
| On the Mellanox SN3420 switch, 25G SR optics only link up in force mode. | 4.3.0-4.3.2 | | +| [2549371](#2549371)
CM-29309 | When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.2 | | +| [2545239](#2545239)
CM-27099 | On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.2 | | diff --git a/content/cumulus-linux-44/rn.xml b/content/cumulus-linux-44/rn.xml index 372d1f0988..08528bd25a 100644 --- a/content/cumulus-linux-44/rn.xml +++ b/content/cumulus-linux-44/rn.xml @@ -7,175 +7,46 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -241,12 +112,6 @@ ip route 128.0.0.0/1 10.1.1.1 - - - - - - @@ -266,43 +131,16 @@ To work around this issue, set the VNI interface mapped to VLAN 1 down and up ag - - - - - - - - - - - - - - - - - - - + @@ -311,30 +149,12 @@ ValueError: invalid literal for int() with base 10: ‘0t - - - - - - - - - - - - - - - - - - @@ -410,8 +230,8 @@ Packet size is larger than router interface MTU – Validate the router interfac - - + + @@ -879,6 +699,12 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi + + + + + + @@ -1178,12 +1004,6 @@ This error has no functional impact. - - - - - - @@ -2282,175 +2102,46 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -2516,12 +2207,6 @@ ip route 128.0.0.0/1 10.1.1.1 - - - - - - @@ -2535,55 +2220,16 @@ To work around this issue, set the VNI interface mapped to VLAN 1 down and up ag - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -2592,12 +2238,6 @@ ValueError: invalid literal for int() with base 10: ‘0t - - - - - - @@ -2679,8 +2319,8 @@ Packet size is larger than router interface MTU – Validate the router interfac - - + + 
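Review bot: The added GRUB2 row (2564534) ends its list with "CVE-2021-2023", while the other entries in that row use five-digit sequence numbers such as CVE-2021-20225. The removed row carries the same text, so this looks like a truncated identifier copied forward. Check it against the upstream advisory before extending the affected range to 4.3.2, because a wrong ID breaks any scanner or ticket lookup keyed on it. In the added cURL row (2616976), "OSCP response" should read "OCSP response". Several added rows also run the version fields together ("Vulnerable: 2.3.1+dfsg-1Fixed: 2.3.1+dfsg-1+deb10u1"), and the Xen row (2617000) drops the separator after the CVE list ("CVE-2021-27379Multiple vulnerabilities"). Put "Fixed:" on its own line, as the screen (2556777) and BIND (2556730) rows already do, so the fixed package version can be read and parsed unambiguously.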
@@ -3148,6 +2788,12 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi + + + + + + @@ -3447,12 +3093,6 @@ This error has no functional impact. - - - - - - @@ -4686,169 +4326,40 @@ To work around this issue, restart {{switchd}} with the {{sudo systemctl restart - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -4920,12 +4431,6 @@ ip route 128.0.0.0/1 10.1.1.1 - - - - - - @@ -4935,65 +4440,20 @@ To work around this issue, set the VNI interface mapped to VLAN 1 down and up ag - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - + + + + - - - - + + + + @@ -5065,8 +4525,8 @@ Packet size is larger than router interface MTU – Validate the router interfac - - + + @@ -5613,6 +5073,12 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi + + + + + + @@ -5912,12 +5378,6 @@ This error has no functional impact. - - - - - - @@ -7054,169 +6514,40 @@ Fixed: 9.27~dfsg-2+deb10u5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -7288,73 +6619,22 @@ ip route 128.0.0.0/1 10.1.1.1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -7414,8 +6694,8 @@ Packet size is larger than router interface MTU – Validate the router interfac - - + + @@ -7971,6 +7251,12 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi + + + + + + @@ -8270,12 +7556,6 @@ This error has no functional impact. - - - - - - 
@@ -9604,169 +8884,40 @@ The minimum supported size of the reserved VLAN range in the {{/etc/cumulus/swit - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + @@ -9817,67 +8968,16 @@ ip route 128.0.0.0/1 10.1.1.1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + @@ -9928,8 +9028,8 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- - - + + @@ -10523,6 +9623,12 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.4.4.2-4.4.5 + + + + + + @@ -10926,12 +10032,6 @@ This error has no functional impact. - - - - - - @@ -12022,7 +11122,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address thermal thermal_zoneX: critical temperature reached (33 C), shutting down - + @@ -12041,14 +11141,14 @@ Fixed: 2.4.47+dfsg-3+deb10u5 - + - + @@ -12063,14 +11163,14 @@ sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error To work around this issue, restart {{switchd}}. - + - + @@ -12082,20 +11182,20 @@ Fixed: 0.6.1-2+deb10u1 - + - + - + @@ -12113,44 +11213,44 @@ Fixed: 4.3.1-6-cl3.7.16u1 result in denial of service and potentially the execution of arbitrary code. Vulnerable: <= 1.14.2-2+deb10u3 Fixed: 1.14.2-2+deb10u4 - + - + - + - + - + - + - + @@ -12170,7 +11270,7 @@ CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER secti CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4 Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 - + @@ -12198,7 +11298,7 @@ Fixed: 1.14.4-2+deb10u1 - + 
@@ -12215,7 +11315,7 @@ Fixed: 1.14.4-2+deb10u1 - + @@ -12223,21 +11323,21 @@ Fixed: 2.8.0-cl3.7.15u3 Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure. Vulnerable: < 4.11.4+99-g8bce4698f6-1 Fixed: 4.11.4+99-g8bce4698f6-1 - + - + - + @@ -12252,52 +11352,52 @@ CVE-2021-22876: libcurl did not strip user credentials from URL when populating CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check. Vulnerable: <= 7.64.0-4+deb10u1 Fixed: 7.64.0-4+deb10u2 - + - + - + - + - + - + - + - + @@ -12307,12 +11407,12 @@ Fixed: 4.1.0+git191117-2~deb10u2 - + - + @@ -12324,7 +11424,7 @@ CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdl CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser. CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. - + @@ -12336,14 +11436,14 @@ To work around this issue, disable ARP suppression. - + - + @@ -12362,7 +11462,7 @@ Fixed: 1.3.8+dfsg-3+deb10u2 - + @@ -12380,7 +11480,7 @@ Fixed: 1.1.1d-0+deb10u5 - + @@ -12402,22 +11502,22 @@ Fixed: 1.3.8+dfsg-3+deb10u1 - + - + - + - +
Issue ID CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.4.0.0-4.4.5, 5.0.0-5.6.04.0.0-4.3.1, 5.0.0-5.6.04.3.2-4.4.5
3647424
3534654 On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.4.3.1-4.4.54.3.14.3.2-4.4.5
3488136
3486888 If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.4.3.0-5.5.15.6.04.3.0-4.3.14.3.2-4.4.5, 5.6.0
3479967 When you remove VRF configuration, the {{systemctl reload frr.service}} command returns a non zero exit code after erroneously running the invalid command {{no exit-vrf}}.4.3.1-4.4.54.3.14.3.2-4.4.5
3474391
3455998 When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the {{bgpun_pp.py}} pass persist script in the {{/etc/snmpd/snmpd.conf}} file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the {{sudo chmod +x /usr/share/snmp/bgpun_pp.py}} command.4.3.1-4.4.54.3.14.3.2-4.4.5
34481714.3.1-4.4.54.3.14.3.2-4.4.5
3434315 IPv6 BGP sessions in a VRF do not be establish with MD5 authentication.4.3.0-4.4.54.3.0-4.3.14.3.2-4.4.5
34295304.3.1-4.4.54.3.14.3.2-4.4.5
3419953 If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a {{switchd}} crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the {{/etc/network/interfaces}} file.4.3.1-4.4.54.3.14.3.2-4.4.5
34109524.3.0-4.4.54.3.0-4.3.14.3.2-4.4.5
33767983.7.0-3.7.16, 4.3.1-4.4.53.7.0-4.3.14.3.2-4.4.5
3366612 The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.4.3.1-4.4.54.3.14.3.2-4.4.5
3364996 Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.4.3.0-4.4.54.3.0-4.3.14.3.2-4.4.5
3336590
3334036 When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-5.3.15.4.0-5.6.04.3.0-4.3.14.3.2-4.4.5, 5.4.0-5.6.0
3334031 When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.4.54.3.0-4.3.14.3.2-4.4.5
3330705
3288385 On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.1-4.4.54.3.14.3.2-4.4.5
32883434.3.0-4.4.54.3.0-4.3.14.3.2-4.4.5
3267353 In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. 4.3.1-4.4.54.3.14.3.2-4.4.5
3236349 Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the {{neighmgrd}} log.4.3.0-4.4.54.3.0-4.3.14.3.2-4.4.5
3235956 With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, {{switchd}} allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.4.54.3.0-4.3.14.3.2-4.4.5
3234031 If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-5.2.15.3.0-5.6.04.2.1-4.3.14.3.2-4.4.5, 5.3.0-5.6.0
3218207 CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Vulnerable: <= 2.8.90-1-cl4u5 Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u84.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5, 5.1.0-5.6.0
4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5, 5.1.0-5.6.0
2771653When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space.4.3.0-4.4.5
2754791 Remote MAC addreses in zebra are out of sync with {{bgpd}}. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. 3.7.14.2-3.7.16, 4.3.0-4.4.5 CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u5 Fixed: 2.4.47+dfsg-3+deb10u64.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures. Vulnerable: 3.4.1-1 Fixed: 3.4.1-1+deb10u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed. Vulnerable: 0.6.1-2 Fixed: 0.6.1-2+deb10u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed. Vulnerable: 0.12.2+cl4u1 Fixed: 0.12.2+cl4.4.0u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2682780 Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly. To work around this issue, add the MAC access list configuration to the end of the {{/etc/frr/frr.conf}} file.4.2.0-4.3.14.2.0-4.3.2 4.4.0-4.4.5
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u13.7.0-3.7.15, 4.0.0-4.3.13.7.0-3.7.15, 4.0.0-4.3.2 3.7.16, 4.4.0-4.4.5
4.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2669873 In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. 4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5
2669073 On Spectrum, Spectrum-2, and Spectrum-3 switches, the {{l1-show}} command shows the wrong data when the MST service is stopped. To work around this issue, start the MST service with the {{sudo mst start}} command.4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5
CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code. Vulnerable: <= 1.6.7-1+deb10u1 Fixed: 1.6.7-1+deb10u24.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption. Vulnerable: 1.8.3-1 Fixed: 1.8.3-1+deb10u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file. Vulnerable: 2.40.1-6 Fixed: 2.40.1-6+deb10u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2648658 If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure.3.7.15-4.3.13.7.15-4.3.2 4.4.0-4.4.5
4.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2632379 When you upgrade the switch with {{apt-get upgrade}}, the {{kexec-tools}} package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly.4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service. Vulnerable: <= 2.8.0-cl3.7.15u2 Fixed: 2.8.0-cl3.7.15u33.7.14-3.7.14.2, 4.3.0-4.3.13.7.14-3.7.14.2, 4.3.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5
4.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code. Vulnerable: 1.9.1~dfsg-1 Fixed: 1.9.1~dfsg-1+deb10u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image. Vulnerable: <= 2.3.0-2+deb10u1 Fixed: 2.3.0-2+deb10u24.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
4.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack. Vulnerable: <= 4.3.2-1+deb10u2 Fixed: 4.3.2-1+deb10u34.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service. Vulnerable: <= 2.3.1+dfsg-1+deb10u1 Fixed: 2.3.1+dfsg-1+deb10u24.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service. Vulnerable: <= 1.1.1d-0+deb10u5 Fixed: 1.1.1d-0+deb10u64.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2614016 The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module.4.2.0-4.3.14.2.0-4.3.2 4.4.0-4.4.5
2582639 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap.4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5
CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service. Vulnerable: 2.3.1+dfsg-1 Fixed: 2.3.1+dfsg-1+deb10u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. Vulnerable: <= 4.1.0+git191117-2~deb10u1 Fixed: 4.1.0+git191117-2~deb10u24.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2577499 QSFP+ 40G optics do not work on Spectrum platforms.4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5
2566880 CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.3.7.14-3.7.14.2, 4.0.0-4.3.13.7.14-3.7.14.2, 4.0.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5
4.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2556782 CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u13.7.14-3.7.14.2, 4.0.0-4.3.13.7.14-3.7.14.2, 4.0.0-4.3.2 3.7.15-3.7.16, 4.4.0-4.4.5
CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence. Vulnerable: 4.6.2-3 Fixed: 4.6.2-3+deb10u14.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2 Fixed: 9.11.5.P4+dfsg-5.1+deb10u34.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
2555175Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.3.7.15-3.7.16, 4.2.1-4.4.5Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps.3.7.15-4.3.14.3.2-4.4.5
2554986
2554299 In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.4.2.0-4.3.14.2.0-4.3.2 4.4.0-4.4.5
2550704 On the Mellanox SN3420 switch, 25G SR optics only link up in force mode.4.3.0-4.3.14.3.0-4.3.2 4.4.0-4.4.5
2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.3.7.11-4.3.13.7.11-4.3.2 4.4.0-4.4.5
2545239 On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. 4.0.0-4.3.14.0.0-4.3.2 4.4.0-4.4.5
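Review bot: the CVE rows in this table (CVE-2021-3449, CVE-2020-8625, CVE-2021-28957 and the others) carry both 4.0.0-4.3.1 and 4.0.0-4.3.2 as the affected range next to 4.4.0-4.4.5, while each description still names the Debian package version that fixes it, for example "Fixed: 1.1.1d-0+deb10u6" for OpenSSL. If the range is being extended to 4.3.2, please confirm it against the package versions actually shipped in 4.3.2 before merging, because a reader who patches by this table will treat every listed CVE as still open on that release. Row 2555175 also holds two differently worded descriptions and two version ranges; keep one wording and use it wherever 2555175 is listed.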
Fixed
3647731CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. -Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). -For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.4.0.0-4.4.5, 5.0.0-5.6.0
3647424 When you remove the {{update-source}} configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same {{update-source}} configuration. 4.3.0-4.4.5
3534654On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.4.3.1-4.4.5
3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 5.6.0
3486888If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.4.3.0-5.5.15.6.0
3479967When you remove VRF configuration, the {{systemctl reload frr.service}} command returns a non zero exit code after erroneously running the invalid command {{no exit-vrf}}.4.3.1-4.4.5
3474391 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0
3455998When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the {{bgpun_pp.py}} pass persist script in the {{/etc/snmpd/snmpd.conf}} file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the {{sudo chmod +x /usr/share/snmp/bgpun_pp.py}} command.4.3.1-4.4.5
3448171If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter. - -This only impacts the default VRF and a default route learned dynamically. - -In order to recover from this condition:  - -1. Restart switchd.service (sudo systemctl restart switchd.service) - -OR -  -2. Reboot the switch (sudo reboot)4.3.1-4.4.5
3434315IPv6 BGP sessions in a VRF do not be establish with MD5 authentication.4.3.0-4.4.5
3429530 On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. 4.2.1-5.4.0 5.5.0-5.6.0
3419962On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: - -switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 -4.3.1-4.4.5
3419953If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a {{switchd}} crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the {{/etc/network/interfaces}} file.4.3.1-4.4.5
3418045If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.3.7.0-5.4.05.5.0-5.6.0
3401121sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the {{hsflowd.conf}} file to enable egress sampling: - -samplingDirection=out -psample { group=1 } -4.3.0-4.4.5
3387852 If you remove NGINX from the switch, then run {{apt autoremove}}, switchd does not reload because the {{libyaml-0-2}} and {{python-yaml }} packages are missing; these packages are required for {{switchd}} consistency checking. To work around this issue, reinstall the {{libyaml-0-2}} and {{python-yaml }}packages. 4.4.0-4.4.5
3376798On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during {{switchd}} restart. The {{/var/log/switchd.log}} file includes the following exception logs shortly after {{switchd}} restarts: - -switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready - -MAC learning looks correct, but traffic does not flow as expected.3.7.0-3.7.16, 4.3.1-4.4.5
3368217 When daylight saving time changes, the MLAG {{initDelay}} timer resets and all MLAG bonds go down. 4.4.4-4.4.5, 5.2.1-5.6.0
3366612The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.4.3.1-4.4.5
3364996Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.4.3.0-4.4.5
3364717On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.4.3.0-4.4.5
3358865When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below: - -ip route 0.0.0.0/1 10.1.1.1 -ip route 128.0.0.0/1 10.1.1.1 -4.3.1-4.4.5
3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-5.3.15.4.0-5.6.0
3334031When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.4.54.2.1-4.3.1, 4.4.0-5.3.14.3.2, 5.4.0-5.6.0
33330645.0.0-5.6.0
3288385On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.1-4.4.5
3288156 When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again.5.2.1-5.6.0
3269538The {{cl-ecmpcalc}} command prints the following error when the egress interface is a bond or SVI: - -ecmpcalc: will query hardware -Traceback (most recent call last): -File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, in -isTrunkMbr, port = ecmp.getHdPort(hd_cmd) -File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPort -port = int(str4) -ValueError: invalid literal for int() with base 10: ‘0t -4.3.0-4.4.5
3269537 When an FRR routing service (such as {{bgpd}}) becomes unresponsive, {{watchfrr}} might fail to stop and restart service. To work around this issue, restart FRR with the {{systemctl restart frr}} command. 4.4.0-5.3.1 5.4.0-5.6.0
3267353In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. 4.3.1-4.4.5
3244740 If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. 4.4.0-5.2.15.3.0-5.6.0
3240406When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-5.3.15.4.0-5.6.04.3.2, 5.3.0-5.6.0
3236366
3236334Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the {{neighmgrd}} log.4.3.0-4.4.5
3235956With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, {{switchd}} allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.4.5
3235368 When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the {{net commit}} command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run {{net commit}} after each command. 4.4.4-5.2.1 5.3.0-5.6.0
3234031If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-5.2.15.3.0-5.6.0
3227677 When daylight saving time changes the time, the MLAG {{initDelay}} timer resets and all MLAG bonds go down. 4.4.4-5.2.1
3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes.4.3.0-5.2.15.3.0-5.6.04.3.0-4.3.1, 4.4.0-5.2.14.3.2, 5.3.0-5.6.0
31685645.0.0-5.6.0
2771653When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space.4.3.0-4.4.5
2763819 When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. 4.4.0-4.4.5
2555175Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.3.7.15-3.7.16, 4.2.1-4.4.5
2554986 The {{ethtool}} utility doesn't contain the latest values, as a result the {{Revision Compliance}} field shows {{Unallocated}}. 4.2.1-4.4.5 Fixed
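Review bot: in the CVE-2023-38408 row the only product-specific statement is "For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0)", but the version cell lists 4.0.0-4.4.5, 5.0.0-5.6.0. Please say what applies to the other listed releases (the generic mitigations quoted in the row, or a fixed package), and note that chmod 0 blocks all use of ssh-agent on the switch, so operators know why it stops working. Wording to fix in the same table: "do not be establish" (3434315), "due to the CPU the rate-limiter" (3448171), "negating with no {{no neighbor <name> allowas-in}}" (3234031) and the stray space in "{{python-yaml }}" (3387852). Rows 3334031 and 3240406 have an identical description, and 3368217 and 3227677 nearly so; merge them or state how they differ.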
3647731CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. -Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). -For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.4.0.0-4.4.5, 5.0.0-5.6.0
3647424 When you remove the {{update-source}} configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same {{update-source}} configuration. 4.3.0-4.4.5
3534654On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.4.3.1-4.4.5
3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 5.6.0
3486888If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.4.3.0-5.5.15.6.0
3479967When you remove VRF configuration, the {{systemctl reload frr.service}} command returns a non zero exit code after erroneously running the invalid command {{no exit-vrf}}.4.3.1-4.4.5
3474391 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0
3455998When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the {{bgpun_pp.py}} pass persist script in the {{/etc/snmpd/snmpd.conf}} file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the {{sudo chmod +x /usr/share/snmp/bgpun_pp.py}} command.4.3.1-4.4.5
3448171If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter. - -This only impacts the default VRF and a default route learned dynamically. - -In order to recover from this condition:  - -1. Restart switchd.service (sudo systemctl restart switchd.service) - -OR -  -2. Reboot the switch (sudo reboot)4.3.1-4.4.5
3434315IPv6 BGP sessions in a VRF do not be establish with MD5 authentication.4.3.0-4.4.5
3429530 On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. 4.2.1-5.4.0 5.5.0-5.6.0
3419962On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: - -switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 -4.3.1-4.4.5
3419953If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a {{switchd}} crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the {{/etc/network/interfaces}} file.4.3.1-4.4.5
3418045If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.3.7.0-5.4.05.5.0-5.6.0
3401121sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the {{hsflowd.conf}} file to enable egress sampling: - -samplingDirection=out -psample { group=1 } -4.3.0-4.4.5
3387852 If you remove NGINX from the switch, then run {{apt autoremove}}, switchd does not reload because the {{libyaml-0-2}} and {{python-yaml }} packages are missing; these packages are required for {{switchd}} consistency checking. To work around this issue, reinstall the {{libyaml-0-2}} and {{python-yaml }}packages. 4.4.0-4.4.5
3376798On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during {{switchd}} restart. The {{/var/log/switchd.log}} file includes the following exception logs shortly after {{switchd}} restarts: - -switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready - -MAC learning looks correct, but traffic does not flow as expected.3.7.0-3.7.16, 4.3.1-4.4.5
3368217 When daylight saving time changes, the MLAG {{initDelay}} timer resets and all MLAG bonds go down. 4.4.4-4.4.5, 5.2.1-5.6.0
3366612The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.4.3.1-4.4.5
3364996Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.4.3.0-4.4.5
3364717On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.4.3.0-4.4.5
3358865When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below: - -ip route 0.0.0.0/1 10.1.1.1 -ip route 128.0.0.0/1 10.1.1.1 -4.3.1-4.4.5
3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-5.3.15.4.0-5.6.0
3334031When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.4.54.2.1-4.3.1, 4.4.0-5.3.14.3.2, 5.4.0-5.6.0
33330645.0.0-5.6.0
3288385On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.1-4.4.5
3288156 When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again.
3269538The {{cl-ecmpcalc}} command prints the following error when the egress interface is a bond or SVI: - -ecmpcalc: will query hardware -Traceback (most recent call last): -File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, in -isTrunkMbr, port = ecmp.getHdPort(hd_cmd) -File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPort -port = int(str4) -ValueError: invalid literal for int() with base 10: ‘0t -4.3.0-4.4.5
3269537 When an FRR routing service (such as {{bgpd}}) becomes unresponsive, {{watchfrr}} might fail to stop and restart service. To work around this issue, restart FRR with the {{systemctl restart frr}} command. 4.4.0-5.3.1 5.4.0-5.6.0
3267353In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. 4.3.1-4.4.5
3244740 If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. 4.4.0-5.2.15.3.0-5.6.0
3240406When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-5.3.15.4.0-5.6.0
3236334Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the {{neighmgrd}} log.4.3.0-4.4.5
3235956With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, {{switchd}} allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.4.54.3.2, 5.3.0-5.6.0
32353685.3.0-5.6.0
3234031If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-5.2.15.3.0-5.6.0
3227677 When daylight saving time changes the time, the MLAG {{initDelay}} timer resets and all MLAG bonds go down. 4.4.4-5.2.1
3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes.4.3.0-5.2.15.3.0-5.6.04.3.0-4.3.1, 4.4.0-5.2.14.3.2, 5.3.0-5.6.0
31685645.0.0-5.6.0
2771653When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space.4.3.0-4.4.5
2763819 When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. 4.4.0-4.4.5
2555175Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.3.7.15-3.7.16, 4.2.1-4.4.5
2554986 The {{ethtool}} utility doesn't contain the latest values, as a result the {{Revision Compliance}} field shows {{Unallocated}}. 4.2.1-4.4.5 Fixed
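Review bot: this table repeats the preceding one almost row for row, yet the two copies do not match: 3288156 ends with the range 5.2.1-5.6.0 in the earlier table and has no version range here, and 3235368 has a full description and workaround there but only "5.3.0-5.6.0" here. Please check whether those differences are intended, and if the tables are meant to be identical, generate them from a single source so a later correction (including the wording fixes in the CVE-2023-38408, 3434315 and 3448171 rows) does not have to be applied by hand in each copy.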
3647731CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. -Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). -For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.4.0.0-4.4.5, 5.0.0-5.6.0
3647424 When you remove the {{update-source}} configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same {{update-source}} configuration. 4.3.0-4.4.5
3534654On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.4.3.1-4.4.5
3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 5.6.0
3486888If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.4.3.0-5.5.15.6.0
3479967When you remove VRF configuration, the {{systemctl reload frr.service}} command returns a non zero exit code after erroneously running the invalid command {{no exit-vrf}}.4.3.1-4.4.5
3474391 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0
3455998When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the {{bgpun_pp.py}} pass persist script in the {{/etc/snmpd/snmpd.conf}} file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the {{sudo chmod +x /usr/share/snmp/bgpun_pp.py}} command.4.3.1-4.4.5
3448171If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter. - -This only impacts the default VRF and a default route learned dynamically. - -In order to recover from this condition:  - -1. Restart switchd.service (sudo systemctl restart switchd.service) - -OR -  -2. Reboot the switch (sudo reboot)4.3.1-4.4.5
3434315IPv6 BGP sessions in a VRF do not be establish with MD5 authentication.4.3.0-4.4.5
3429530 On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. 4.2.1-5.4.0 5.5.0-5.6.0
3419962On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: - -switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 -4.3.1-4.4.5
3419953If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a {{switchd}} crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the {{/etc/network/interfaces}} file.4.3.1-4.4.5
3418045If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.3.7.0-5.4.05.5.0-5.6.0
3401121sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the {{hsflowd.conf}} file to enable egress sampling: - -samplingDirection=out -psample { group=1 } -4.3.0-4.4.5
3387852 If you remove NGINX from the switch, then run {{apt autoremove}}, switchd does not reload because the {{libyaml-0-2}} and {{python-yaml }} packages are missing; these packages are required for {{switchd}} consistency checking. To work around this issue, reinstall the {{libyaml-0-2}} and {{python-yaml }}packages. 4.4.0-4.4.5
3376798On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during {{switchd}} restart. The {{/var/log/switchd.log}} file includes the following exception logs shortly after {{switchd}} restarts: - -switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready - -MAC learning looks correct, but traffic does not flow as expected.3.7.0-3.7.16, 4.3.1-4.4.5
3366612The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.4.3.1-4.4.5
3364996Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.4.3.0-4.4.5
3364717On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.4.3.0-4.4.5
3358865When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below: - -ip route 0.0.0.0/1 10.1.1.1 -ip route 128.0.0.0/1 10.1.1.1 -4.3.1-4.4.5
3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-5.3.15.4.0-5.6.0
3334031When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.4.54.2.1-4.3.1, 4.4.0-5.3.14.3.2, 5.4.0-5.6.0
33330645.0.0-5.6.0
3288385On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.1-4.4.5
3288156 When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again.
3284719 Certain EVPN multihoming show commands might cause the {{bgpd}} service to crash if you use the {{json}} flag and try to reference the default VRF by name. For example: {{show bgp l2vpn evpn es-vrf json}}.4.4.2-4.4.5
3269538The {{cl-ecmpcalc}} command prints the following error when the egress interface is a bond or SVI: - -ecmpcalc: will query hardware -Traceback (most recent call last): -File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, in -isTrunkMbr, port = ecmp.getHdPort(hd_cmd) -File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPort -port = int(str4) -ValueError: invalid literal for int() with base 10: ‘0t -4.3.0-4.4.5
3269537When an FRR routing service (such as {{bgpd}}) becomes unresponsive, {{watchfrr}} might fail to stop and restart service. To work around this issue, restart FRR with the {{systemctl restart frr}} command.4.4.0-5.3.15.4.0-5.6.0
3267353In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. 4.3.1-4.4.5
3244740If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps.4.4.0-5.2.15.3.0-5.6.0
3240406When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-5.3.15.4.0-5.6.0
3236334Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the {{neighmgrd}} log.4.3.0-4.4.54.4.2-4.4.5
3235956With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, {{switchd}} allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.4.53269537When an FRR routing service (such as {{bgpd}}) becomes unresponsive, {{watchfrr}} might fail to stop and restart service. To work around this issue, restart FRR with the {{systemctl restart frr}} command.4.4.0-5.3.15.4.0-5.6.0
3234031If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-5.2.15.3.0-5.6.03244740If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps.4.4.0-5.2.14.3.2, 5.3.0-5.6.0
3226579
3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes.4.3.0-5.2.15.3.0-5.6.04.3.0-4.3.1, 4.4.0-5.2.14.3.2, 5.3.0-5.6.0
31685645.0.0-5.6.0
2771653When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space.4.3.0-4.4.5
2763819 When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. 4.4.0-4.4.5
2555175Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.3.7.15-3.7.16, 4.2.1-4.4.5
2554986 The {{ethtool}} utility doesn't contain the latest values, as a result the {{Revision Compliance}} field shows {{Unallocated}}. 4.2.1-4.4.5 Fixed
3647731CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. -Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). -For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.4.0.0-4.4.5, 5.0.0-5.6.0
3647424 When you remove the {{update-source}} configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same {{update-source}} configuration. 4.3.0-4.4.5
3534654On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.4.3.1-4.4.5
3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 5.6.0
3486888If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.4.3.0-5.5.15.6.0
3479967When you remove VRF configuration, the {{systemctl reload frr.service}} command returns a non zero exit code after erroneously running the invalid command {{no exit-vrf}}.4.3.1-4.4.5
3474391 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0
3455998When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the {{bgpun_pp.py}} pass persist script in the {{/etc/snmpd/snmpd.conf}} file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the {{sudo chmod +x /usr/share/snmp/bgpun_pp.py}} command.4.3.1-4.4.5
3448171If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter. - -This only impacts the default VRF and a default route learned dynamically. - -In order to recover from this condition:  - -1. Restart switchd.service (sudo systemctl restart switchd.service) - -OR -  -2. Reboot the switch (sudo reboot)4.3.1-4.4.5
3434315IPv6 BGP sessions in a VRF do not be establish with MD5 authentication.4.3.0-4.4.5
3429530 On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. 4.2.1-5.4.0 5.5.0-5.6.0
3419962On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: - -switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 -4.3.1-4.4.5
3419953If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a {{switchd}} crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the {{/etc/network/interfaces}} file.4.3.1-4.4.5
3418045If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.3.7.0-5.4.05.5.0-5.6.0
3401121sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the {{hsflowd.conf}} file to enable egress sampling: - -samplingDirection=out -psample { group=1 } -4.3.0-4.4.5
3387852 If you remove NGINX from the switch, then run {{apt autoremove}}, switchd does not reload because the {{libyaml-0-2}} and {{python-yaml }} packages are missing; these packages are required for {{switchd}} consistency checking. To work around this issue, reinstall the {{libyaml-0-2}} and {{python-yaml }}packages. 4.4.0-4.4.5
3376798On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during {{switchd}} restart. The {{/var/log/switchd.log}} file includes the following exception logs shortly after {{switchd}} restarts: - -switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready - -MAC learning looks correct, but traffic does not flow as expected.3.7.0-3.7.16, 4.3.1-4.4.5
3366612The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.4.3.1-4.4.5
3364996Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.4.3.0-4.4.5
3364717On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.4.3.0-4.4.5
3358865When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below: - -ip route 0.0.0.0/1 10.1.1.1 -ip route 128.0.0.0/1 10.1.1.1 -4.3.1-4.4.5
3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-5.3.15.4.0-5.6.0
3334031When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.4.54.2.1-4.3.1, 4.4.0-5.3.14.3.2, 5.4.0-5.6.0
33330645.0.0-5.6.0
3288385On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.1-4.4.5
3284719 Certain EVPN multihoming show commands might cause the {{bgpd}} service to crash if you use the {{json}} flag and try to reference the default VRF by name. For example: {{show bgp l2vpn evpn es-vrf json}}. 4.4.2-4.4.5
3269538The {{cl-ecmpcalc}} command prints the following error when the egress interface is a bond or SVI: - -ecmpcalc: will query hardware -Traceback (most recent call last): -File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, in -isTrunkMbr, port = ecmp.getHdPort(hd_cmd) -File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPort -port = int(str4) -ValueError: invalid literal for int() with base 10: ‘0t -4.3.0-4.4.5
3269537 When an FRR routing service (such as {{bgpd}}) becomes unresponsive, {{watchfrr}} might fail to stop and restart service. To work around this issue, restart FRR with the {{systemctl restart frr}} command. 4.4.0-5.3.1 5.4.0-5.6.0
3267353In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. 4.3.1-4.4.5
3244740 If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. 4.4.0-5.2.15.3.0-5.6.0
3240406When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-5.3.15.4.0-5.6.0
3236334Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the {{neighmgrd}} log.4.3.0-4.4.5
3235956With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, {{switchd}} allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.4.5
3234031If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-5.2.15.3.0-5.6.04.3.2, 5.3.0-5.6.0
3221470
3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes.4.3.0-5.2.15.3.0-5.6.04.3.0-4.3.1, 4.4.0-5.2.14.3.2, 5.3.0-5.6.0
31685645.0.0-5.6.0
2771653When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space.4.3.0-4.4.5
2763819 When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. 4.4.0-4.4.5
2555175Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.3.7.15-3.7.16, 4.2.1-4.4.5
2554986 The {{ethtool}} utility doesn't contain the latest values, as a result the {{Revision Compliance}} field shows {{Unallocated}}. 4.2.1-4.4.5 Fixed
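Review bot: The CVE-2023-38408 row (3647731) describes the chmod 0 lockdown of /usr/bin/ssh-agent only "For Cumulus Linux 4.3.2", while the version cell beside it reads 4.0.0-4.4.5, 5.0.0-5.6.0 and names no fixed release. State what applies to the other releases in that range: whether the same lockdown is in place there, or whether the reader has to rely on the two mitigations in the row (no agent forwarding, or starting ssh-agent with -P). The clause "if a vulnerable version is detected" also leaves open when that check runs; one more clause would settle it. Separately, row 3366612 says the v4.19.273 kernel "includes fixes for several CVE issues" without naming any; list the CVE IDs so the row can be matched against a scanner finding.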
3647731CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. -Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). -For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.4.0.0-4.4.5, 5.0.0-5.6.0
3647424 When you remove the {{update-source}} configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same {{update-source}} configuration. 4.3.0-4.4.5
3534654On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge.4.3.1-4.4.5
3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 5.6.0
3486888If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database.4.3.0-5.5.15.6.0
3479967When you remove VRF configuration, the {{systemctl reload frr.service}} command returns a non zero exit code after erroneously running the invalid command {{no exit-vrf}}.4.3.1-4.4.5
3474391 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0
3455998When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the {{bgpun_pp.py}} pass persist script in the {{/etc/snmpd/snmpd.conf}} file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the {{sudo chmod +x /usr/share/snmp/bgpun_pp.py}} command.4.3.1-4.4.5
3448171If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter. - -This only impacts the default VRF and a default route learned dynamically. - -In order to recover from this condition:  - -1. Restart switchd.service (sudo systemctl restart switchd.service) - -OR -  -2. Reboot the switch (sudo reboot)4.3.1-4.4.5
3434315IPv6 BGP sessions in a VRF do not be establish with MD5 authentication.4.3.0-4.4.5
3429530 On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. 4.2.1-5.4.0 5.5.0-5.6.0
3419962On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: - -switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 -4.3.1-4.4.5
3419953If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a {{switchd}} crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the {{/etc/network/interfaces}} file.4.3.1-4.4.5
3418045If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes.3.7.0-5.4.05.5.0-5.6.0
3401121sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the {{hsflowd.conf}} file to enable egress sampling: - -samplingDirection=out -psample { group=1 } -4.3.0-4.4.5
3387852 If you remove NGINX from the switch, then run {{apt autoremove}}, switchd does not reload because the {{libyaml-0-2}} and {{python-yaml }} packages are missing; these packages are required for {{switchd}} consistency checking. To work around this issue, reinstall the {{libyaml-0-2}} and {{python-yaml }}packages. 4.4.0-4.4.5
3376798On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during {{switchd}} restart. The {{/var/log/switchd.log}} file includes the following exception logs shortly after {{switchd}} restarts: - -switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan <x>.<y> not yet ready - -MAC learning looks correct, but traffic does not flow as expected.3.7.0-3.7.16, 4.3.1-4.4.5
3366612The base version of the Linux kernel is updated to the v4.19.273 stable release, which includes fixes for several CVE issues.4.3.1-4.4.5
3364996Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops.4.3.0-4.4.5
3364717On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options.4.3.0-4.4.5
3358865When you reboot a Broadcom switch with a static default route configured, the route might be installed in hardware without a next hop. This results in forwarded traffic to the CPU and drops. To recover from this issue, remove the default route configuration and reapply it. To prevent this issue, before rebooting the switch, split the default route configuration into two routes as below: - -ip route 0.0.0.0/1 10.1.1.1 -ip route 128.0.0.0/1 10.1.1.1 -4.3.1-4.4.5
3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-5.3.15.4.0-5.6.0
3334031When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-4.4.54.2.1-4.3.1, 4.4.0-5.3.14.3.2, 5.4.0-5.6.0
33330645.0.0-5.6.0
3288385On the EdgeCore AS7326-56X and AS7726-32X switch, the fan speed reports a minimum threshold in the logs.4.3.1-4.4.5
3269538The {{cl-ecmpcalc}} command prints the following error when the egress interface is a bond or SVI: - -ecmpcalc: will query hardware -Traceback (most recent call last): -File “/usr/cumulus/bin/cl-ecmpcalc”, line 986, in -isTrunkMbr, port = ecmp.getHdPort(hd_cmd) -File “/usr/cumulus/bin/cl-ecmpcalc”, line 618, in getHdPort -port = int(str4) -ValueError: invalid literal for int() with base 10: ‘0t -4.3.0-4.4.5
3269537 When an FRR routing service (such as {{bgpd}}) becomes unresponsive, {{watchfrr}} might fail to stop and restart service. To work around this issue, restart FRR with the {{systemctl restart frr}} command. 4.4.0-5.3.1 5.4.0-5.6.0
3267353In a QinQ configuration, if the VLAN priority is a non-zero value, double-tagged packets are translated to triple-tagged packets. 4.3.1-4.4.5
3244740 If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. 4.4.0-5.2.15.3.0-5.6.0
3240406When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash.4.3.0-5.3.15.4.0-5.6.0
3236334Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the {{neighmgrd}} log.4.3.0-4.4.5
3235956With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, {{switchd}} allocates the overlay next hop, which is incorrect and might affect traffic forwarding.4.3.0-4.4.5
3234031If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-5.2.15.3.0-5.6.04.3.2, 5.3.0-5.6.0
3221470
3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes.4.3.0-5.2.15.3.0-5.6.04.3.0-4.3.1, 4.4.0-5.2.14.3.2, 5.3.0-5.6.0
3168564
2771653When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more which consumes a lot of hardware space.4.3.0-4.4.5
2763819 When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. 4.4.0-4.4.5
2555175Control Plane Traffic (example - BGP peering from Leaf to Spine) goes down on Leaf due to Hold Down Timer Expiration of peer following prolonged link flaps on downlinks when vxlan enabled vlans are carried on the flapping link.3.7.15-3.7.16, 4.2.1-4.4.5
2554986 The {{ethtool}} utility doesn't contain the latest values, as a result the {{Revision Compliance}} field shows {{Unallocated}}. 4.2.1-4.4.54.3.0-4.3.14.3.0-4.3.2
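Review bot: Rows 3333064, 3221470 and 3168564 in this table carry an issue ID but no description, so a reader cannot tell what they cover; fill in the text or drop the rows. Rows 3334031 and 3240406 have word-for-word the same description ("When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash") with different version ranges; confirm they are separate issues or merge them. Wording to fix in the same pass: "do not be establish" (3434315), "due to the CPU the rate-limiter" (3448171), "negating with no {{no neighbor <name> allowas-in}}" (3234031), and the cl-ecmpcalc traceback in 3269538, which uses curly quotes and is cut off at ‘0t.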
2734173 CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u5 Fixed: 2.4.47+dfsg-3+deb10u64.0.0-4.3.14.0.0-4.3.2
2695526 CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures. Vulnerable: 3.4.1-1 Fixed: 3.4.1-1+deb10u14.0.0-4.3.14.0.0-4.3.2
26915064.3.0-4.3.14.3.0-4.3.2
2687159 CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed. Vulnerable: 0.6.1-2 Fixed: 0.6.1-2+deb10u14.0.0-4.3.14.0.0-4.3.2
2684418 CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed. Vulnerable: 0.12.2+cl4u1 Fixed: 0.12.2+cl4.4.0u14.0.0-4.3.14.0.0-4.3.2
2682780 Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly. To work around this issue, add the MAC access list configuration to the end of the {{/etc/frr/frr.conf}} file.4.2.0-4.3.14.2.0-4.3.2
2679948 CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u13.7.0-3.7.15, 4.0.0-4.3.13.7.0-3.7.15, 4.0.0-4.3.2
26799364.0.0-4.3.14.0.0-4.3.2
2669873 In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. 4.3.0-4.3.14.3.0-4.3.2
2669073 On Spectrum, Spectrum-2, and Spectrum-3 switches, the {{l1-show}} command shows the wrong data when the MST service is stopped. To work around this issue, start the MST service with the {{sudo mst start}} command.4.3.0-4.3.14.3.0-4.3.2
2666838 CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code. Vulnerable: <= 1.6.7-1+deb10u1 Fixed: 1.6.7-1+deb10u24.0.0-4.3.14.0.0-4.3.2
2663479 CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption. Vulnerable: 1.8.3-1 Fixed: 1.8.3-1+deb10u14.0.0-4.3.14.0.0-4.3.2
2656527 CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file. Vulnerable: 2.40.1-6 Fixed: 2.40.1-6+deb10u14.0.0-4.3.14.0.0-4.3.2
2648658 If you try to use more than one percent of {{max-ecmp-nexthops}}, you get an error indicating a failure.3.7.15-4.3.13.7.15-4.3.2
26485874.0.0-4.3.14.0.0-4.3.2
2643822
2632379 When you upgrade the switch with {{apt-get upgrade}}, the {{kexec-tools}} package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly.4.3.0-4.3.14.3.0-4.3.2
2628693 CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service. Vulnerable: <= 2.8.0-cl3.7.15u2 Fixed: 2.8.0-cl3.7.15u33.7.14-3.7.14.2, 4.3.0-4.3.13.7.14-3.7.14.2, 4.3.0-4.3.2
26170004.0.0-4.3.14.0.0-4.3.2
2616998 CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code. Vulnerable: 1.9.1~dfsg-1 Fixed: 1.9.1~dfsg-1+deb10u14.0.0-4.3.14.0.0-4.3.2
2616987 CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image. Vulnerable: <= 2.3.0-2+deb10u1 Fixed: 2.3.0-2+deb10u24.0.0-4.3.14.0.0-4.3.2
26169764.0.0-4.3.14.0.0-4.3.2
2616967 CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack. Vulnerable: <= 4.3.2-1+deb10u2 Fixed: 4.3.2-1+deb10u34.0.0-4.3.14.0.0-4.3.2
2616964 CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service. Vulnerable: <= 2.3.1+dfsg-1+deb10u1 Fixed: 2.3.1+dfsg-1+deb10u24.0.0-4.3.14.0.0-4.3.2
2616954 CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service. Vulnerable: <= 1.1.1d-0+deb10u5 Fixed: 1.1.1d-0+deb10u64.0.0-4.3.14.0.0-4.3.2
2614016 The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module.4.2.0-4.3.14.2.0-4.3.2
2582639 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap.4.3.0-4.3.14.3.0-4.3.2
2578872 CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service. Vulnerable: 2.3.1+dfsg-1 Fixed: 2.3.1+dfsg-1+deb10u14.0.0-4.3.14.0.0-4.3.2
2578870 CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. Vulnerable: <= 4.1.0+git191117-2~deb10u1 Fixed: 4.1.0+git191117-2~deb10u24.0.0-4.3.14.0.0-4.3.2
2578845
2577499 QSFP+ 40G optics do not work on Spectrum platforms.4.3.0-4.3.14.3.0-4.3.2
2566878 CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.3.7.14-3.7.14.2, 4.0.0-4.3.13.7.14-3.7.14.2, 4.0.0-4.3.2
25645344.0.0-4.3.14.0.0-4.3.2
2556814 2556781 CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u13.7.14-3.7.14.2, 4.0.0-4.3.13.7.14-3.7.14.2, 4.0.0-4.3.2
2556777 CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence. Vulnerable: 4.6.2-3 Fixed: 4.6.2-3+deb10u14.0.0-4.3.14.0.0-4.3.2
2556774 CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2 Fixed: 9.11.5.P4+dfsg-5.1+deb10u34.0.0-4.3.14.0.0-4.3.2
2556690 CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Vulnerable: <= 2.8.90-1-cl4u5 Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u84.0.0-4.3.14.0.0-4.3.2
2556568
2554299 In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart.4.2.0-4.3.14.2.0-4.3.2
2550704 On the Mellanox SN3420 switch, 25G SR optics only link up in force mode.4.3.0-4.3.14.3.0-4.3.2
2549371 When Optimized Multicast Flooding (OMF) is enabled with the {{bridge.optimized_mcast_flood = TRUE}} setting in the {{/etc/cumulus/switchd.conf}} file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive.3.7.11-4.3.13.7.11-4.3.2
2545239 On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. 4.0.0-4.3.14.0.0-4.3.2
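Review bot: Several entries in this file carry an issue ID with no description, which leaves the reader unable to tell what the listed releases are affected by. IDs 2679936, 2648587, 2617000, 2616976 and 2564534 have only version ranges, and 2643822, 2578845 and 2556568 have neither a description nor versions. Either fill in the descriptions or drop the empty rows from the generated output. Two CVE entries also break the Vulnerable/Fixed package-version pattern used by the other CVE rows: 2566878 (CVE-2021-27803) lists neither, and 2556814 (CVE-2021-0326) lists Vulnerable versions but no Fixed version, so the fixed wpa package cannot be checked from the notes.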
\ No newline at end of file diff --git a/content/cumulus-linux-50/Whats-New/rn.md b/content/cumulus-linux-50/Whats-New/rn.md index e378bb4ded..a89e3d7c64 100644 --- a/content/cumulus-linux-50/Whats-New/rn.md +++ b/content/cumulus-linux-50/Whats-New/rn.md @@ -14,10 +14,10 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| @@ -25,10 +25,10 @@ pdfhidden: True | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | @@ -46,11 +46,11 @@ pdfhidden: True | [3202991](#3202991)
| Locally generated multicast traffic including IGMPv2 GSQs do not transmit to local clients when using PIM. | 5.0.1-5.2.1 | 5.3.0-5.6.0| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3195345](#3195345)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port 
| 4.4.4-5.1.0 | 5.2.0-5.6.0| | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.4.0 | 5.5.0-5.6.0| +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3141818](#3141818)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.0.1-5.1.0 | 5.2.0-5.6.0| | [3139364](#3139364)
| When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.6.0| @@ -131,7 +131,6 @@ pdfhidden: True | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.6.0| | [2859015](#2859015)
| In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
| 5.0.0-5.0.1 | 5.1.0-5.6.0| | [2855908](#2855908)
| Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send. To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 5.0.0-5.6.0 | 4.3.1-4.4.5| -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2831968](#2831968)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-4.4.5, 5.0.0-5.6.0 | 4.3.1| | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | @@ -158,10 +157,10 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| @@ -169,10 +168,10 @@ pdfhidden: True | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | @@ -187,7 +186,7 @@ pdfhidden: True | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.6.0| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3195345](#3195345)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port 
| 4.4.4-5.1.0 | 5.2.0-5.6.0| | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| @@ -255,7 +254,6 @@ pdfhidden: True | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.6.0| | [2859015](#2859015)
| In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
| 5.0.0-5.0.1 | 5.1.0-5.6.0| | [2855908](#2855908)
| Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send. To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 5.0.0-5.6.0 | 4.3.1-4.4.5| -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2831968](#2831968)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-4.4.5, 5.0.0-5.6.0 | 4.3.1| | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | diff --git a/content/cumulus-linux-50/rn.xml b/content/cumulus-linux-50/rn.xml index d569eacb49..fdf6236091 100644 --- a/content/cumulus-linux-50/rn.xml +++ b/content/cumulus-linux-50/rn.xml @@ -14,7 +14,7 @@ This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 @@ -33,8 +33,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3491259 @@ -82,7 +82,7 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 
@@ -103,8 +103,8 @@ ERR cannot allocate vlan for sub-interface 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 -5.4.0-5.6.0 +4.2.1-4.3.1, 4.4.0-5.3.1 +4.3.2, 5.4.0-5.6.0 3350789 @@ -214,8 +214,8 @@ Packet size is larger than router interface MTU – Validate the router interfac 3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes. -4.3.0-5.2.1 -5.3.0-5.6.0 +4.3.0-4.3.1, 4.4.0-5.2.1 +4.3.2, 5.3.0-5.6.0 3157240 @@ -250,8 +250,8 @@ sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port <swp> 1.3.6.1.2.1.31 --> ifMIB 1.3.6.1.2.1.4 --> IP 1.3.6.1.2.1.25 --> hostResource -5.0.1-5.4.0 -5.5.0-5.6.0 +5.0.1-5.6.0 + 3141818 @@ -816,12 +816,6 @@ warning: vni10: possible mis-configuration detected: l2-vni configured with brid 4.3.1-4.4.5 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -952,7 +946,7 @@ To work around this issue, if you run {{apt dist-upgrade}} and {{switchd}} no lo This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 
@@ -971,8 +965,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3491259 @@ -1020,7 +1014,7 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 @@ -1041,8 +1035,8 @@ ERR cannot allocate vlan for sub-interface 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 -5.4.0-5.6.0 +4.2.1-4.3.1, 4.4.0-5.3.1 +4.3.2, 5.4.0-5.6.0 3350789 @@ -1134,8 +1128,8 @@ Packet size is larger than router interface MTU – Validate the router interfac 3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes. -4.3.0-5.2.1 -5.3.0-5.6.0 +4.3.0-4.3.1, 4.4.0-5.2.1 +4.3.2, 5.3.0-5.6.0 3157240 
@@ -1592,12 +1586,6 @@ warning: vni10: possible mis-configuration detected: l2-vni configured with brid 4.3.1-4.4.5 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 diff --git a/content/cumulus-linux-51/Whats-New/rn.md b/content/cumulus-linux-51/Whats-New/rn.md index a7589bc59f..b82700e44e 100644 --- a/content/cumulus-linux-51/Whats-New/rn.md +++ b/content/cumulus-linux-51/Whats-New/rn.md @@ -14,10 +14,10 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
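Review bot: The 3554231 (CVE-2023-38408) row now lists 4.3.2-4.4.5 under Fixed, but its own description only says that 4.3.2 turns off all permissions on /usr/bin/ssh-agent (chmod 0) when a vulnerable version is detected, which reads as a mitigation rather than a patched OpenSSH. In addition, 4.4.0-4.4.5 moves from Affects to Fixed with nothing in the row to support it. Please confirm what 4.4.0-4.4.5 actually ship. If only 4.3.2 carries the change, list Fixed as 4.3.2, keep 4.4.0-4.4.5 under Affects, and state in the description that ssh-agent is disabled rather than upgraded.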
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| @@ -26,11 +26,11 @@ pdfhidden: True | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | 5.5.0-5.6.0| -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3330705](#3330705)
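Review bot: For 3413827 the Fixed column gains 4.3.2-4.4.5 while Affects stays 5.0.0-5.4.0, so the row claims a fix in releases it never listed as affected. 3351951 in this same hunk handles the 4.3.2 change differently: it splits Affects into 4.2.1-4.3.1, 4.4.0-5.3.1 and adds only 4.3.2 to Fixed. Either extend Affects for 3413827 to the 4.x releases that had the issue or drop 4.3.2-4.4.5 from Fixed, so that the two columns agree.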
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| @@ -48,7 +48,7 @@ pdfhidden: True | [3204533](#3204533)
| At high scale with 79 VRFs and 10 VLANs per VRF (a total of 790 VLANs), clagd loses backup connection during a switchd restart. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.2.1 | 5.3.0-5.6.0| | [3202991](#3202991)
| Locally generated multicast traffic including IGMPv2 GSQs do not transmit to local clients when using PIM. | 5.0.1-5.2.1 | 5.3.0-5.6.0| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0| | [3180043](#3180043)
| The EVPN Multihoming ESI configuration command nv set interface evpn multihoming segment identifier does not work. | 5.1.0-5.2.1 | 5.3.0-5.6.0| | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | 5.6.0| @@ -64,7 +64,7 @@ pdfhidden: True | [3148920](#3148920)
| NVUE configuration commands produce errors when included as part of a ZTP script that executes automatically during the switch boot process. This occurs because the $HOME variable is not set during ZTP. This does not occur if you trigger ZTP manually from the CLI with the sudo ztp -r http://x.x.x.x/cumulus-ztp command. To work around this issue, define the $HOME variable within the ZTP script with export HOME=/root. | 5.1.0 | 5.2.0-5.6.0| | [3146886](#3146886)
| FRR does not establish BGP peering with neighbors configured with a router ID that overlaps with IP addresses in the class D or E address spaces. | 5.1.0 | 5.2.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.4.0 | 5.5.0-5.6.0| +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3141818](#3141818)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.0.1-5.1.0 | 5.2.0-5.6.0| | [3139364](#3139364)
| When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3138746](#3138746)
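Review bot: The 3141826 row (slow SNMP memory leak) loses its Fixed value of 5.5.0-5.6.0 and Affects is extended to 5.0.1-5.6.0, which withdraws a fix the notes previously claimed without saying so anywhere in the row. If the 5.5.0 fix turned out to be incomplete, add a sentence to the description so readers who upgraded for it know the leak is still present. The row also offers no workaround for the MIB walks it lists.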
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.6.0| @@ -127,7 +127,6 @@ pdfhidden: True | [2886476](#2886476)
| If you enable or disable the advertise primary IP address setting when originating EVPN default type-5 routes, the default route or prefix originated from one of the MLAG peers sends a null layer 3 VNI, which prevents the remote VTEP from installing the default route. | 5.0.0-5.1.0 | 5.2.0-5.6.0| | [2867248](#2867248)
| The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.6.0| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2831968](#2831968)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-4.4.5, 5.0.0-5.6.0 | 4.3.1| | [2823307](#2823307)
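Review bot: The 2847919 row is deleted outright although it listed Affects 5.0.0-5.6.0 with an empty Fixed column, so the REST API restriction (front panel ports supported in the default VRF only) and its workaround of using the localhost or management IP address disappear from the notes with no fixed release recorded. If the restriction no longer applies, keep the row and fill in Fixed. If it is being reclassified as expected behavior, the workaround text should be kept somewhere readers can still find it.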
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | @@ -182,7 +181,7 @@ pdfhidden: True | [2910017](#2910017)
| SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | | | [2903374](#2903374)
| The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fields
To work around this issue, disable LLDP on a single interface. | 5.0.0-5.0.1 | | | [2898044](#2898044)
| NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missing
Failed to prepare to applyUnrecoverable internal error
| 5.0.0-5.0.1 | | -| [2893895](#2893895)
CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability
Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.1 | | +| [2893895](#2893895)
CM-33315 | CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability
Vulnerable: <= 2.8.90-1-cl4u5Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 | 4.0.0-4.3.2 | | | [2886488](#2886488)
| NVUE commands fail to configure port mirroring. | 5.0.0-5.0.1 | | | [2885287](#2885287)
| When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work. | 5.0.0-5.0.1 | | | [2875338](#2875338)
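Review bot: Affects for 2893895 (CVE-2020-35498) is widened to 4.0.0-4.3.2, but the description still gives Vulnerable: <= 2.8.90-1-cl4u5 and Fixed: 2.8.90-1-cl4u6, so a reader cannot tell whether 4.3.2 ships a vulnerable openvswitch build. Please check the package version in 4.3.2 against those bounds and keep the range at 4.3.1 if 4.3.2 carries 2.8.90-1-cl4u6 or later.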
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | | @@ -190,7 +189,7 @@ pdfhidden: True | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | | | [2859015](#2859015)
| In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
| 5.0.0-5.0.1 | | | [2855908](#2855908)
| Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send. To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 5.0.0-5.0.1 | | -| [2854787](#2854787)
| An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.1 | | +| [2854787](#2854787)
| An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.2 | | | [2815646](#2815646)
| In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | | | [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | | | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | | diff --git a/content/cumulus-linux-51/rn.xml b/content/cumulus-linux-51/rn.xml index 9c2214e54b..41daa7a89a 100644 --- a/content/cumulus-linux-51/rn.xml +++ b/content/cumulus-linux-51/rn.xml @@ -14,7 +14,7 @@ This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 @@ -33,8 +33,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3541912 @@ -88,7 +88,7 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 
@@ -116,8 +116,8 @@ To obtain the correct packages, install the {{tacplus-client}} package and its d 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 -5.4.0-5.6.0 +4.2.1-4.3.1, 4.4.0-5.3.1 +4.3.2, 5.4.0-5.6.0 3350789 @@ -229,8 +229,8 @@ Packet size is larger than router interface MTU – Validate the router interfac 3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes. -4.3.0-5.2.1 -5.3.0-5.6.0 +4.3.0-4.3.1, 4.4.0-5.2.1 +4.3.2, 5.3.0-5.6.0 3187469 @@ -341,8 +341,8 @@ To work around this issue, avoid restarting the {{switchd}} service in the ZTP s 1.3.6.1.2.1.31 --> ifMIB 1.3.6.1.2.1.4 --> IP 1.3.6.1.2.1.25 --> hostResource -5.0.1-5.4.0 -5.5.0-5.6.0 +5.0.1-5.6.0 + 3141818 @@ -805,12 +805,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 
@@ -1129,7 +1123,7 @@ Unrecoverable internal error CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Vulnerable: <= 2.8.90-1-cl4u5 Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 -4.0.0-4.3.1 +4.0.0-4.3.2 2886488 @@ -1175,7 +1169,7 @@ warning: vni10: possible mis-configuration detected: l2-vni configured with brid thermal thermal_zoneX: critical temperature reached (33 C), shutting down -4.3.0-4.3.1 +4.3.0-4.3.2 2815646 diff --git a/content/cumulus-linux-52/Whats-New/rn.md b/content/cumulus-linux-52/Whats-New/rn.md index 689f50dba3..404d90c0a0 100644 --- a/content/cumulus-linux-52/Whats-New/rn.md +++ b/content/cumulus-linux-52/Whats-New/rn.md @@ -14,11 +14,11 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | | [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| @@ -28,13 +28,13 @@ pdfhidden: True | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | 5.5.0-5.6.0| | [3379873](#3379873)
| apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | 5.4.0-5.6.0| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| @@ -75,7 +75,7 @@ pdfhidden: True | [3202401](#3202401)
| The ethtool -m command and the NVUE nv show interface pluggable command do not show the VPD for optical modules and AOCs (OUI, vendor name, part number, or revision serial number). | 5.2.0-5.2.1 | 5.3.0-5.6.0| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3196774](#3196774)
| In an EVPN configuration, after closing a BGP session on an EVPN peer, the VTEP RMAC is deleted and the hosts lose reachability to each other. To work around this issue, restart FRR or add a static RMAC entry to bridge FDB. | 5.2.0-5.2.1 | 5.3.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3188576](#3188576)
| IPv6 messages fill the /var/log/frr/frr.log files and logrotate is unable to clean up the old log files. As a result, a significant number of log files are never deleted, which fill up the file system. | 5.2.0-5.2.1 | 5.3.0-5.6.0| | [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0| | [3187408](#3187408)
| Certain NUE commands produce an Invalid Command error. For example:
cumulus@switch:~$ nv set vrf default router bgp peer-group SPINE password CumulusLinux!Invalid Command: set vrf default router bgp peer-group SPINE password CumulusLinux!cumulus@switch:~$ nv set router policy route-map GLOBAL rule 10 description globalInvalid Command: set router policy route-map GLOBAL rule 10 description global
| 5.2.0-5.2.1 | 5.3.0-5.6.0| @@ -96,7 +96,7 @@ pdfhidden: True | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.4.0 | 5.5.0-5.6.0| +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3139364](#3139364)
| When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3139164](#3139164)
| NVUE does not allow you to set 2X/4X lanes. To work around this issue, set the appropriate lanes for forced speed with the ethtool -s swpX speed autoneg off lanes command. For example, ethtool -s swp1 speed 100000 autoneg off lanes 2. | 5.2.0-5.2.1 | 5.3.0-5.6.0| | [3138057](#3138057)
| When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.6.0| @@ -128,7 +128,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.6.0| @@ -149,11 +148,11 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | | [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| @@ -163,12 +162,12 @@ pdfhidden: True | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | 5.5.0-5.6.0| | [3379873](#3379873)
| apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. | 5.2.0-5.4.0 | 5.5.0-5.6.0| -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | 5.4.0-5.6.0| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| @@ -211,7 +210,7 @@ pdfhidden: True | [3202401](#3202401)
| The ethtool -m command and the NVUE nv show interface pluggable command do not show the VPD for optical modules and AOCs (OUI, vendor name, part number, or revision serial number). | 5.2.0-5.2.1 | 5.3.0-5.6.0| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3196774](#3196774)
| In an EVPN configuration, after closing a BGP session on an EVPN peer, the VTEP RMAC is deleted and the hosts lose reachability to each other. To work around this issue, restart FRR or add a static RMAC entry to bridge FDB. | 5.2.0-5.2.1 | 5.3.0-5.6.0| -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | 5.3.0-5.6.0| +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.6.0| | [3188576](#3188576)
| IPv6 messages fill the /var/log/frr/frr.log files and logrotate is unable to clean up the old log files. As a result, a significant number of log files are never deleted, which fill up the file system. | 5.2.0-5.2.1 | 5.3.0-5.6.0| | [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0| | [3187408](#3187408)
| Certain NUE commands produce an Invalid Command error. For example:
cumulus@switch:~$ nv set vrf default router bgp peer-group SPINE password CumulusLinux!Invalid Command: set vrf default router bgp peer-group SPINE password CumulusLinux!cumulus@switch:~$ nv set router policy route-map GLOBAL rule 10 description globalInvalid Command: set router policy route-map GLOBAL rule 10 description global
| 5.2.0-5.2.1 | 5.3.0-5.6.0| @@ -232,7 +231,7 @@ pdfhidden: True | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.4.0 | 5.5.0-5.6.0| +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3139364](#3139364)
| When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.6.0| | [3139164](#3139164)
| NVUE does not allow you to set 2X/4X lanes. To work around this issue, set the appropriate lanes for forced speed with the ethtool -s swpX speed autoneg off lanes command. For example, ethtool -s swp1 speed 100000 autoneg off lanes 2. | 5.2.0-5.2.1 | 5.3.0-5.6.0| | [3138057](#3138057)
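Review bot: The 3141826 row (SNMP memory leak) changes from Affects 5.0.1-5.4.0 with Fixed 5.5.0-5.6.0 to Affects 5.0.1-5.6.0 with an empty Fixed cell, which withdraws a fix that was already published, yet the description text is unchanged. Add a sentence to the description saying the leak is still present in 5.5.0 and later, or that the earlier fix was incomplete, so readers who upgraded for this fix are not left with a silently edited row.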
| When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.6.0| @@ -264,7 +263,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2821929](#2821929)
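Review bot: The 2847919 row is deleted outright although its last published state was Affects 5.0.0-5.6.0 with no Fixed release, so the limitation (REST API router configuration through front panel ports is supported in the default VRF only) and its workaround disappear from the notes without a recorded resolution. If the issue is fixed, keep the row and fill in the Fixed column. If it was reclassified or no longer applies, say so in the commit message, whose subject (Ansible deployment guide) does not mention any release-note changes.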
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.6.0| diff --git a/content/cumulus-linux-52/rn.xml b/content/cumulus-linux-52/rn.xml index 94eefc845d..2ed5df0357 100644 --- a/content/cumulus-linux-52/rn.xml +++ b/content/cumulus-linux-52/rn.xml @@ -14,7 +14,7 @@ This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 @@ -39,8 +39,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3541912 @@ -100,7 +100,7 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 
@@ -140,8 +140,8 @@ To obtain the correct packages, install the {{tacplus-client}} package and its d 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 -5.4.0-5.6.0 +4.2.1-4.3.1, 4.4.0-5.3.1 +4.3.2, 5.4.0-5.6.0 3351936 @@ -402,8 +402,8 @@ Packet size is larger than router interface MTU – Validate the router interfac 3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes. -4.3.0-5.2.1 -5.3.0-5.6.0 +4.3.0-4.3.1, 4.4.0-5.2.1 +4.3.2, 5.3.0-5.6.0 3188576 @@ -550,8 +550,8 @@ The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token 1.3.6.1.2.1.31 --> ifMIB 1.3.6.1.2.1.4 --> IP 1.3.6.1.2.1.25 --> hostResource -5.0.1-5.4.0 -5.5.0-5.6.0 +5.0.1-5.6.0 + 3139364 @@ -782,12 +782,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -872,7 +866,7 @@ You can safely ignore this warning. This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 
@@ -897,8 +891,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3541912 @@ -958,7 +952,7 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 @@ -992,8 +986,8 @@ To obtain the correct packages, install the {{tacplus-client}} package and its d 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 -5.4.0-5.6.0 +4.2.1-4.3.1, 4.4.0-5.3.1 +4.3.2, 5.4.0-5.6.0 3351936 
@@ -1266,8 +1260,8 @@ Packet size is larger than router interface MTU – Validate the router interfac 3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes. -4.3.0-5.2.1 -5.3.0-5.6.0 +4.3.0-4.3.1, 4.4.0-5.2.1 +4.3.2, 5.3.0-5.6.0 3188576 @@ -1414,8 +1408,8 @@ The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token 1.3.6.1.2.1.31 --> ifMIB 1.3.6.1.2.1.4 --> IP 1.3.6.1.2.1.25 --> hostResource -5.0.1-5.4.0 -5.5.0-5.6.0 +5.0.1-5.6.0 + 3139364 @@ -1646,12 +1640,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 diff --git a/content/cumulus-linux-53/Whats-New/rn.md b/content/cumulus-linux-53/Whats-New/rn.md index 4f6ecd3552..d91da49a53 100644 --- a/content/cumulus-linux-53/Whats-New/rn.md +++ b/content/cumulus-linux-53/Whats-New/rn.md @@ -14,21 +14,23 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | +| [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | | | [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | | | [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3496931](#3496931)
| When you update a prefix list associated with an RP, the pimd service might crash if the prefix list exists without any prefixes. To work around this issue, ensure that any prefix list associated with an RP includes at least one prefix at all times. | 5.3.1-5.5.1 | 5.6.0| | [3496889](#3496889)
| When PTP is not enabled on the switch, NVUE nv show ptp commands freeze. This might cause other NVUE commands to fail and the NVUE service to restart. | 5.3.1-5.5.1 | 5.6.0| | [3495630](#3495630)
| The NVUE nv show service ptp current command output shows an incorrect value. To work around this issue, run the nv show service ptp monitor timestamp-log command or the Linux pmc utility. | 5.3.1-5.5.1 | 5.6.0| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.4.0 | 5.5.0-5.6.0| +| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3470941](#3470941)
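Review bot: In the 3554231 row (CVE-2023-38408) the Fixed cell now reads 4.3.2-4.4.5, but the only 4.x change the description gives is that 4.3.2 turns off all permissions on /usr/bin/ssh-agent (chmod 0), which describes disabling the binary, not an updated OpenSSH package, and it says nothing about 4.4.0-4.4.5, which the old row listed as affected. State in the description what each release in the Fixed range actually contains, and confirm that 4.4.0-4.4.5 belong in Fixed. Since 5.0.0-5.6.0 stay in Affects with no fixed release, the mitigation text (no ssh-agent forwarding, or start ssh-agent with -P) is the only guidance for 5.x readers and should say so explicitly.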
None | On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.0 | 5.5.1-5.6.0| @@ -40,7 +42,7 @@ pdfhidden: True | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3393306](#3393306)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
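Review bot: The 3413827 row adds 4.3.2-4.4.5 to Fixed while Affects stays 5.0.0-5.4.0, so the table claims a fix in releases it never lists as affected. Either add the affected 4.x releases to the Affects cell or drop the 4.x range from Fixed.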
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | 5.5.0-5.6.0| @@ -50,7 +52,7 @@ pdfhidden: True | [3379873](#3379873)
| apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | | [3351953](#3351953)
| In rare circumstances, attempting to install a Cumulus Linux 5.3 image can fail during installation. The device stops at the (initramfs) prompt. To resume installation, enter the exit command at the (initramfs) prompt. | 5.3.0-5.3.1 | 5.4.0-5.6.0| -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | 5.4.0-5.6.0| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3349207](#3349207)
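Review bot: The 3351951 row now lists 4.4.0-5.3.1 as affected and 4.3.2 as fixed, so fix status no longer follows version order, while other rows changed in this patch (3554231, 3647426, 3413827) write the Fixed range as 4.3.2-4.4.5, which reads as including 4.4.0-4.4.5. Is 4.4.x fixed or not for each of these issues? Confirm the intended meaning and make the range notation consistent across the rows, since a reader deciding whether to upgrade a 4.4.x switch gets opposite answers from the two forms.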
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| @@ -69,6 +71,7 @@ pdfhidden: True | [3301950](#3301950)
| When upgrading from Cumulus Linux 5.0.0 thru 5.2.1 to Cumulus Linux 5.3.0 or 5.3.1, the babeltrace and python3-babeltrace packages are not added automatically even though they are in the default image in Cumulus Linux 5.3.0 and later. You may need these packages to decode LTTNG traces with /usr/lib/frr/frr_babeltrace.py.. If you need to use this script, run the sudo apt update && sudo apt install babeltrace python3-babeltrace command to install the packages. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3298616](#3298616)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3296715](#3296715)
| When you clear interface counters with the ethtool -S clear command, the command fails with the following message:
switch:~$ ethtool -S swp1 clearethtool (-S): unknown parameter 'clear'
| 5.2.0-5.3.1 | 5.4.0-5.6.0| +| [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3293039](#3293039)
| When you add the /etc/frr/frr.conf file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3292773](#3292773)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3289972](#3289972)
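Review bot: The new 3293114 row contradicts itself: the description says the inverted command applies to Cumulus Linux 5.4 and earlier and that 5.5 and later use nv set interface ip neighbor-discovery router-advertisement enable on, but the Affects cell runs through 5.5.1 and Fixed is 5.6.0. Align the release named in the description with the version columns, or correct the columns to 5.3.0-5.4.0 and 5.5.0-5.6.0 if the description is the accurate one.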
None | When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly. | 5.3.0-5.3.1 | 5.4.0-5.6.0| @@ -97,7 +100,7 @@ pdfhidden: True | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.4.0 | 5.5.0-5.6.0| +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | | [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | @@ -121,7 +124,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.6.0| @@ -142,16 +144,16 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | | [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | | [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.4.0 | 5.5.0-5.6.0| +| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3470941](#3470941)
None | On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.0 | 5.5.1-5.6.0| @@ -162,14 +164,14 @@ pdfhidden: True | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | 5.5.0-5.6.0| | [3379873](#3379873)
| apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | | [3351953](#3351953)
| In rare circumstances, attempting to install a Cumulus Linux 5.3 image can fail during installation. The device stops at the (initramfs) prompt. To resume installation, enter the exit command at the (initramfs) prompt. | 5.3.0-5.3.1 | 5.4.0-5.6.0| -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | 5.4.0-5.6.0| +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.6.0| | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | 5.4.0-5.6.0| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| @@ -189,6 +191,7 @@ pdfhidden: True | [3301950](#3301950)
| When upgrading from Cumulus Linux 5.0.0 thru 5.2.1 to Cumulus Linux 5.3.0 or 5.3.1, the babeltrace and python3-babeltrace packages are not added automatically even though they are in the default image in Cumulus Linux 5.3.0 and later. You may need these packages to decode LTTNG traces with /usr/lib/frr/frr_babeltrace.py.. If you need to use this script, run the sudo apt update && sudo apt install babeltrace python3-babeltrace command to install the packages. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3298616](#3298616)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3296715](#3296715)
| When you clear interface counters with the ethtool -S clear command, the command fails with the following message:
switch:~$ ethtool -S swp1 clearethtool (-S): unknown parameter 'clear'
| 5.2.0-5.3.1 | 5.4.0-5.6.0| +| [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3293039](#3293039)
| When you add the /etc/frr/frr.conf file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3292773](#3292773)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3289972](#3289972)
None | When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly. | 5.3.0-5.3.1 | 5.4.0-5.6.0| @@ -217,7 +220,7 @@ pdfhidden: True | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.4.0 | 5.5.0-5.6.0| +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | | [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | @@ -241,7 +244,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.6.0| @@ -256,7 +258,7 @@ pdfhidden: True |--- |--- |--- | | [3255948](#3255948)
| When you upgrade from Cumulus Linux 5.0.0-5.1.0 to Cumulus Linux 5.2.0 or 5.2.1, warm or fast boot fails. Use regular reboot or csmgrctl -c in this case. | 5.2.0-5.2.1 | | | [3235368](#3235368)
| When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command. | 4.4.4-5.2.1 | | -| [3231330](#3231330)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-5.2.1 | | +| [3231330](#3231330)
None | If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 4.2.1-4.3.1 | | | [3228856](#3228856)
None | If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | | | [3228690](#3228690)
| When you configure a routing policy multiple times in NVUE with a match evpn default-route statement, the bgpd daemon terminates. | | | | [3227905](#3227905)
| PTP forced master mode does not work. To work around this issue, change masterOnly to serverOnly in the /etc/ptp4l.conf file. | 5.2.0-5.2.1 | | @@ -277,7 +279,7 @@ pdfhidden: True | [3202401](#3202401)
| The ethtool -m command and the NVUE nv show interface pluggable command do not show the VPD for optical modules and AOCs (OUI, vendor name, part number, or revision serial number). | 5.2.0-5.2.1 | | | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | | | [3196774](#3196774)
| In an EVPN configuration, after closing a BGP session on an EVPN peer, the VTEP RMAC is deleted and the hosts lose reachability to each other. To work around this issue, restart FRR or add a static RMAC entry to bridge FDB. | 5.2.0-5.2.1 | | -| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-5.2.1 | | +| [3192808](#3192808)
None | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | | | [3188576](#3188576)
| IPv6 messages fill the /var/log/frr/frr.log files and logrotate is unable to clean up the old log files. As a result, a significant number of log files are never deleted, which fill up the file system. | 5.2.0-5.2.1 | | | [3187408](#3187408)
| Certain NUE commands produce an Invalid Command error. For example:
cumulus@switch:~$ nv set vrf default router bgp peer-group SPINE password CumulusLinux!Invalid Command: set vrf default router bgp peer-group SPINE password CumulusLinux!cumulus@switch:~$ nv set router policy route-map GLOBAL rule 10 description globalInvalid Command: set router policy route-map GLOBAL rule 10 description global
| 5.2.0-5.2.1 | | | [3180043](#3180043)
| The EVPN Multihoming ESI configuration command nv set interface evpn multihoming segment identifier does not work. | 5.1.0-5.2.1 | | diff --git a/content/cumulus-linux-53/rn.xml b/content/cumulus-linux-53/rn.xml index 72fa7e02df..d5024ad972 100644 --- a/content/cumulus-linux-53/rn.xml +++ b/content/cumulus-linux-53/rn.xml @@ -7,6 +7,12 @@ Fixed +3663182 +Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the {{sudo systemctl restart frr.service}} command. +5.3.1-5.6.0 + + + 3647426 If BGP {{remote-as}} is set to an integer and you try to configure the {{local-as}} for a BGP instance, you see the following error: @@ -14,7 +20,7 @@ This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 @@ -23,6 +29,16 @@ This configuration is not allowed; it is considered to be eBGP and local prefere +3580435 +On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog: + +smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff) + +This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the {{hdparm -S 24 /dev/sda}} command to change the HD timeout. +5.3.1-5.6.0 + + + 3576949 When you run the NVUE {{nv set service snmp listening-address localhost vrf <vrf-name>}} or {{nv set service snmp listening-address localhost-v6 vrf <vrf-name>}} command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. 5.3.0-5.6.0 
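Review bot: The 3580435 workaround added in the `@@ -23,6 +29,16 @@` hunk is underspecified: "run the {{hdparm -S 24 /dev/sda}} command to change the HD timeout" does not say which timeout `-S` sets, what unit the value 24 is in, or whether the setting survives a reboot. The command is also written without `sudo`, while the 3663182 entry added earlier in this same file gives its workaround as {{sudo systemctl restart frr.service}}. Suggest naming the setting and its unit, adding `sudo`, and saying how to make the change persistent if it is not.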
@@ -57,8 +73,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3541912 @@ -99,8 +115,8 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3484058 When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. -5.3.0-5.4.0 -5.5.0-5.6.0 +5.3.0-5.6.0 + 3479786 @@ -174,7 +190,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 @@ -243,8 +259,8 @@ To obtain the correct packages, install the {{tacplus-client}} package and its d 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 -5.4.0-5.6.0 +4.2.1-4.3.1, 4.4.0-5.3.1 +4.3.2, 5.4.0-5.6.0 3351936 
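Review bot: In the CVE-2023-38408 entry (`@@ -57,8 +73,8 @@`), the new Fixed value `4.3.2-4.4.5` is not backed by the description, which only says that for Cumulus Linux 4.3.2 the /usr/bin/ssh-agent program has all permissions turned off (chmod 0). That sentence describes the binary being disabled when a vulnerable version is detected, not OpenSSH being updated to 9.3p2 or later, and nothing in the text covers 4.4.0-4.4.5, which the removed Affects line `4.0.0-4.4.5, 5.0.0-5.6.0` listed as affected. Suggest stating what 4.4.x actually ships (an updated OpenSSH or the same chmod 0 measure) and noting in the description that ssh-agent cannot be run on releases remediated this way, so a reader does not take "Fixed" to mean the package was upgraded.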
@@ -364,6 +380,12 @@ ethtool (-S): unknown parameter 'clear' 5.4.0-5.6.0 +3293114 +In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. +5.3.0-5.5.1 +5.6.0 + + 3293039 When you add the {{/etc/frr/frr.conf}} file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell. 5.3.0-5.3.1 @@ -561,8 +583,8 @@ The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token 1.3.6.1.2.1.31 --> ifMIB 1.3.6.1.2.1.4 --> IP 1.3.6.1.2.1.25 --> hostResource -5.0.1-5.4.0 -5.5.0-5.6.0 +5.0.1-5.6.0 + 3135952 @@ -715,12 +737,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -808,7 +824,7 @@ You can safely ignore this warning. This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 
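Review bot: In the 3647426 entry (`@@ -808,7 +824,7 @@`), the Fixed field becomes `4.3.2-4.4.5, 5.6.0` while the unchanged Affects field still reads `5.0.0-5.5.1`, so the entry now claims a fix in releases it never lists as affected. Either extend Affects to the 4.x releases that had the problem or drop `4.3.2-4.4.5` from Fixed. The 3413827 entry in this file has the same mismatch (Affects `5.0.0-5.4.0`, Fixed `4.3.2-4.4.5, 5.5.0-5.6.0`).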
@@ -839,8 +855,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3541912 @@ -863,8 +879,8 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3484058 When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. -5.3.0-5.4.0 -5.5.0-5.6.0 +5.3.0-5.6.0 + 3479786 @@ -932,7 +948,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 @@ -978,8 +994,8 @@ To obtain the correct packages, install the {{tacplus-client}} package and its d 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 -5.4.0-5.6.0 +4.2.1-4.3.1, 4.4.0-5.3.1 +4.3.2, 5.4.0-5.6.0 3351936 
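Review bot: The 3484058 entry (`@@ -863,8 +879,8 @@`) goes from Affects `5.3.0-5.4.0` with Fixed `5.5.0-5.6.0` to Affects `5.3.0-5.6.0` with an empty Fixed field, but the description is unchanged. A reader comparing this with the previously published note cannot tell whether the fix regressed or was never delivered. Suggest adding a sentence to the description that says which, since this reverses a published Fixed status.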
@@ -1108,6 +1124,12 @@ ethtool (-S): unknown parameter 'clear' 5.4.0-5.6.0 +3293114 +In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. +5.3.0-5.5.1 +5.6.0 + + 3293039 When you add the {{/etc/frr/frr.conf}} file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell. 5.3.0-5.3.1 @@ -1305,8 +1327,8 @@ The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token 1.3.6.1.2.1.31 --> ifMIB 1.3.6.1.2.1.4 --> IP 1.3.6.1.2.1.25 --> hostResource -5.0.1-5.4.0 -5.5.0-5.6.0 +5.0.1-5.6.0 + 3135952 @@ -1459,12 +1481,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -1536,7 +1552,7 @@ You can safely ignore this warning. 3231330 If BGP {{neighbor <name> allowas-in}} is set, negating with no {{no neighbor <name> allowas-in}} does not disable the setting. To work around this issue and disable the setting, restart the FRR service. -4.2.1-5.2.1 +4.2.1-4.3.1 3228856 
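Review bot: The new 3293114 entry (`@@ -1108,6 +1124,12 @@`) contradicts itself on versions: the text says the inverted command applies to "Cumulus Linux 5.4 and earlier" and that "In Cumulus Linux 5.5 and later" the command is updated, yet the fields give Affects `5.3.0-5.5.1` and Fixed `5.6.0`. Either the text should say 5.5 and earlier / 5.6 and later, or the fields should read Affects `5.3.0-5.4.0` and Fixed `5.5.0-5.6.0`. The first sentence would also read more clearly if it said outright that `enable off` is the value that turns router advertisement on in the affected releases, instead of leaving that to "is inverted and causes confusion".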
@@ -1645,7 +1661,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 3192808 When the switch receives an LLDP frame from a Cisco router right after a {{ptmd}} restart, the {{ptmd}} service crashes. -4.3.0-5.2.1 +4.3.0-4.3.1, 4.4.0-5.2.1 3188576 diff --git a/content/cumulus-linux-54/Whats-New/rn.md b/content/cumulus-linux-54/Whats-New/rn.md index af7a2d992c..e7b5d4a0c0 100644 --- a/content/cumulus-linux-54/Whats-New/rn.md +++ b/content/cumulus-linux-54/Whats-New/rn.md @@ -14,14 +14,16 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | +| [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | | | [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | | | [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3498939](#3498939)
| In an EVPN environment, VM migration (IP and MAC address migration) might not work because the new local VTEP to which the VM migrates does not install the entry in the kenel. To work around this issue, restart the switchd service. | 5.4.0-5.5.1 | 5.6.0| | [3496931](#3496931)
| When you update a prefix list associated with an RP, the pimd service might crash if the prefix list exists without any prefixes. To work around this issue, ensure that any prefix list associated with an RP includes at least one prefix at all times. | 5.3.1-5.5.1 | 5.6.0| @@ -29,7 +31,7 @@ pdfhidden: True | [3495630](#3495630)
| The NVUE nv show service ptp current command output shows an incorrect value. To work around this issue, run the nv show service ptp monitor timestamp-log command or the Linux pmc utility. | 5.3.1-5.5.1 | 5.6.0| | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| -| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.4.0 | 5.5.0-5.6.0| +| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | 5.6.0| @@ -49,14 +51,14 @@ pdfhidden: True | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| | [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | +| [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | | | [3418103](#3418103)
| On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. | 5.4.0 | 5.5.0-5.6.0| -| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 5.5.0-5.6.0| +| [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | 4.3.2-4.4.5, 5.5.0-5.6.0| | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3410303](#3410303)
| The NVUE command to set the frequency of LLDP updates nv set service lldp tx-interval and the NVUE command to set the amount of time to hold the information before discarding it nv set service lldp tx-hold-multiplier do not provide reasonable maximum and minimum values. Cumulus Linux 5.5.0 and later provides new values. For the nv set service lldp tx-interval command, you can now set a minimum value of 5 and a maximum value of 32768. For the nv set service lldp tx-hold command, you can set a minimum value of 1 and a maximum value of 8192. | 5.4.0 | 5.5.0-5.6.0| | [3409223](#3409223)
| NGNIX might be listening on port 80 through its default configuration in /etc/nginx/sites-enabled/default. To work around this issue, run the following commands:
 cumulus@switch:~$ sudo rm -f /etc/nginx/sites-enabled/defaultcumulus@switch:~$ systemctl is-active nginx && sudo invoke-rc.d nginx restart
| 5.4.0 | 5.5.0-5.6.0| | [3402935](#3402935)
None | For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 5.0.0-5.4.0 | 5.5.0-5.6.0| | [3397649](#3397649)
| When an ECMP route is present in a non-default VRF, resilient hashing does not work as expected and flows might get remapped to a new next hop when the set of nexthops changes. | 5.4.0 | 5.5.0-5.6.0| -| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.6.0 | | | [3395247](#3395247)
| The NVUE nv show system forwarding profile-option command reports an incorrect Max ipv4 mcast routes value. To work around this issue, validate values with cl-resource-query. | 5.4.0 | 5.5.0-5.6.0| | [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | 5.6.0| | [3393866](#3393866)
| On a VX, NVUE commands with an argument parameter that can be multiple types (such as IPv4 and IPv6) do not provide auto complete or additional options when you use a question mark. | 5.4.0 | 5.5.0-5.6.0| @@ -93,7 +95,7 @@ pdfhidden: True | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | | [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | | [3293560](#3293560)
| If you run NVUE commands to break out a port into four interfaces, NVUE disables the subsequent port automatically. However, if you run NVUE commands to break out a port into eight interfaces, NVUE does not disable the subsequent port automatically; you have to run the NVUE command to disable the subsequent port. | 5.4.0 | 5.5.0-5.6.0| -| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.6.0 | | +| [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | | [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | @@ -111,7 +113,7 @@ pdfhidden: True | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.6.0| -| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.4.0 | 5.5.0-5.6.0| +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | | [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | @@ -132,7 +134,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | @@ -145,7 +146,7 @@ pdfhidden: True | Issue ID | Description | Affects | |--- |--- |--- | | [3351953](#3351953)
| In rare circumstances, attempting to install a Cumulus Linux 5.3 image can fail during installation. The device stops at the (initramfs) prompt. To resume installation, enter the exit command at the (initramfs) prompt. | 5.3.0-5.3.1 | | -| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-5.3.1 | | +| [3351951](#3351951)
None | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | | | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | | | [3344373](#3344373)
| When the switch boots up, you might see logs similar to the following in the nvued log files because switchd is not up and running. This does not impact switch functionality
2023-01-29T06:05:18.683152+00:00 cumulus nvued:  INFO: apply_config.py:2177 Apply Issues: (b'),(update-ports returned with error (code 254): ports validation node file is not accessibleswitchd validate_node is absent),(ports configuration(ports.conf/ports_width.conf) is invalid),(')
| | | | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | | @@ -172,7 +173,7 @@ pdfhidden: True | [3255899](#3255899)
| The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. | 5.2.0-5.3.1 | | | [3244955](#3244955)
| ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. | 5.2.0-5.3.1 | | | [3241047](#3241047)
| When you delete a route under the following conditions, switchd might crash:- The minimum number of routes is set to a non-zero value
- KVD utilization is higher than sixty percent
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue. | 5.2.0-5.3.1 | | -| [3234085](#3234085)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-5.3.1 | | +| [3234085](#3234085)
None | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 4.3.0-4.3.1 | | | [3226525](#3226525)
| When using TACACS+, if you configure per-command authorization with the tacplus-restrict command, NVUE configuration commands fail for any user with a privilege level lower than 15. This occurs because NVUE is not able to create a .local user directory. | 5.2.0-5.3.1 | | | [3145222](#3145222)
| The NVUE nv show system forwarding --output json command does not provide any output. To work around this issue, run the nv show system forwarding command. | 5.2.0-5.3.1 | | | [3074390](#3074390)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | | diff --git a/content/cumulus-linux-54/rn.xml b/content/cumulus-linux-54/rn.xml index 5ec37197d0..e2728d4cd8 100644 --- a/content/cumulus-linux-54/rn.xml +++ b/content/cumulus-linux-54/rn.xml @@ -7,6 +7,12 @@ Fixed +3663182 +Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the {{sudo systemctl restart frr.service}} command. +5.3.1-5.6.0 + + + 3647426 If BGP {{remote-as}} is set to an integer and you try to configure the {{local-as}} for a BGP instance, you see the following error: @@ -14,7 +20,7 @@ This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3585467 @@ -23,6 +29,16 @@ This configuration is not allowed; it is considered to be eBGP and local prefere +3580435 +On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog: + +smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff) + +This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the {{hdparm -S 24 /dev/sda}} command to change the HD timeout. +5.3.1-5.6.0 + + + 3576949 When you run the NVUE {{nv set service snmp listening-address localhost vrf <vrf-name>}} or {{nv set service snmp listening-address localhost-v6 vrf <vrf-name>}} command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. 5.3.0-5.6.0 
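Review bot: In the 3647426 entry of rn.xml (hunk @@ -14,7 +20,7 @@), Fixed changes from 5.6.0 to "4.3.2-4.4.5, 5.6.0" while Affects stays 5.0.0-5.5.1, so the entry now lists 4.x releases as fixed that it never lists as affected. Either extend Affects to the 4.x releases that had the problem, or drop the 4.x range from Fixed in the 5.4 notes. The 3413827 entry in this patch has the same pattern (Affects 5.0.0-5.4.0, Fixed "4.3.2-4.4.5, 5.5.0-5.6.0") and should get the same treatment.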
@@ -57,8 +73,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3541912 @@ -105,8 +121,8 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3484058 When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. -5.3.0-5.4.0 -5.5.0-5.6.0 +5.3.0-5.6.0 + 3479786 @@ -228,6 +244,12 @@ cumulus@switch:~$ what-just-happened poll --export --no_metadata +3419928 +The NVUE PIM timer command option names {{keep-alive}} and {{rp-keep-alive}} are inconsistent and need to change to {{keepalive}} and {{rp-keepalive}}. +5.4.0-5.6.0 + + + 3418103 On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. 5.4.0 
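Review bot: In the 3554231 (CVE-2023-38408) entry (hunk @@ -57,8 +73,8 @@), Fixed is now 4.3.2-4.4.5, but the description names only Cumulus Linux 4.3.2, and what it describes there is turning off all permissions on /usr/bin/ssh-agent (chmod 0) "if a vulnerable version is detected", which disables the program rather than correcting the PKCS#11 search path. The text does not say what 4.4.0-4.4.5 ship. Suggest stating whether 4.4.x carries the same chmod 0 change or an updated OpenSSH, or narrowing Fixed to the release the description covers. Since 5.0.0-5.6.0 remain in Affects with no fixed release, it would also help to say explicitly that the agent-forwarding and -P guidance is the only mitigation on those releases.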
@@ -237,7 +259,7 @@ cumulus@switch:~$ what-just-happened poll --export --no_metadata 3413827 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The {{clagctl dumppermanentneighs}} command only shows local neighbors. 5.0.0-5.4.0 -5.5.0-5.6.0 +4.3.2-4.4.5, 5.5.0-5.6.0 3413785 @@ -278,12 +300,6 @@ ERR cannot allocate vlan for sub-interface 5.5.0-5.6.0 -3395489 -On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. -5.4.0-5.6.0 - - - 3395247 The NVUE {{nv show system forwarding profile-option}} command reports an incorrect {{Max ipv4 mcast routes}} value. To work around this issue, validate values with {{cl-resource-query}}. 5.4.0 @@ -530,10 +546,10 @@ cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map 5.5.0-5.6.0 -3269691 -When you restart the LLDP service, you see a {{broken pipe}} error and a log message in the {{lldpd.service}} logs. This error does not affect LLDP functionality. -5.4.0-5.6.0 - +3293114 +In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. +5.3.0-5.5.1 +5.6.0 3266197 @@ -657,8 +673,8 @@ The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token 1.3.6.1.2.1.31 --> ifMIB 1.3.6.1.2.1.4 --> IP 1.3.6.1.2.1.25 --> hostResource -5.0.1-5.4.0 -5.5.0-5.6.0 +5.0.1-5.6.0 + 3135952 
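Review bot: In the new 3293114 entry (hunk @@ -530,10 +546,10 @@), the description says the command is updated "In Cumulus Linux 5.5 and later", but Affects is 5.3.0-5.5.1 and Fixed is 5.6.0, so 5.5.0 and 5.5.1 are presented as both corrected and affected. "5.4 and earlier" also reaches below the 5.3.0 lower bound of Affects. Suggest aligning the prose with the version columns (or the columns with the prose). The sentence "is inverted and causes confusion; {{nv set interface ... enable off}}" would read better split in two, stating plainly which keyword enables router advertisement in each release, because an operator who reads this wrong ends up with router advertisements in the opposite state from the one intended.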
@@ -790,12 +806,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -856,7 +866,7 @@ You can safely ignore this warning. 3351951 Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. -4.2.1-5.3.1 +4.2.1-4.3.1, 4.4.0-5.3.1 3351936 @@ -1008,7 +1018,7 @@ Vlan: 0 3234085 When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. -4.3.0-5.3.1 +4.3.0-4.3.1 3226525 diff --git a/content/cumulus-linux-55/Whats-New/rn.md b/content/cumulus-linux-55/Whats-New/rn.md index f053723f52..7417b18391 100644 --- a/content/cumulus-linux-55/Whats-New/rn.md +++ b/content/cumulus-linux-55/Whats-New/rn.md @@ -14,12 +14,18 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| +| [3630492](#3630492)
| On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.6.0 | | +| [3616338](#3616338)
| When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. | 5.5.1-5.6.0 | | | [3610611](#3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address
command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | -| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi and might introduce a security issue. | 5.5.0-5.6.0 | | +| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | | | [3603237](#3603237)
| If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss. | 5.5.1-5.6.0 | | | [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address
command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | +| [3597456](#3597456)
| NVUE does not allow you to use the reserved name lo in an interface name. | 5.5.1-5.6.0 | | | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | +| [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | | +| [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | | | [3576961](#3576961)
| The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 | | | [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | | [3573800](#3573800)
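Review bot: In the rewritten 3609128 row, the Fixed column is still empty even though the new text says the 5.7.0 default configuration addresses the problem; either record 5.7.0 under Fixed or drop the version from the description. The sentence "disables modelines, which can be a security risk" can also be read as saying that disabling them is the risk; wording such as "disables modelines, because modelines can be a security risk" removes the ambiguity. "CL5.7.0" should be spelled "Cumulus Linux 5.7.0", as the other rows do.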
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | @@ -28,7 +34,7 @@ pdfhidden: True | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | | | [3566980](#3566980)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | | | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3549138](#3549138)
| In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | 5.6.0| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3541518](#3541518)
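Review bot: The 3554231 (CVE-2023-38408) row now lists 4.3.2-4.4.5 under Fixed, but the description only says that on 4.3.2 the /usr/bin/ssh-agent program is set to chmod 0 when a vulnerable version is detected; it does not say that OpenSSH was updated to 9.3p2 or that 4.3.3-4.4.5 carry the same change. Please state in the description what the fix is for the whole 4.3.2-4.4.5 range, so readers do not take "Fixed" to mean a patched ssh-agent. The row should also make clear that 5.0.0-5.6.0 stays affected, with only the agent-forwarding and -P mitigations available.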
| When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 5.5.0-5.5.1 | 5.6.0| @@ -46,6 +52,7 @@ pdfhidden: True | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3486102](#3486102)
| SNMP and TACACS secrets are shown in cleartext. | 5.5.0-5.5.1 | 5.6.0| +| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | 5.6.0| @@ -66,9 +73,9 @@ pdfhidden: True | [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | | [3419940](#3419940)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | 5.6.0| +| [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | | | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | | -| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.6.0 | | | [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | 5.6.0| | [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | 5.6.0| | [3368217](#3368217)
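Review bot: The 3395489 row (MLAG peering resets when you configure QoS buffer settings) is deleted in this hunk while it still showed 5.4.0-5.6.0 under Affects and nothing under Fixed. If the issue is resolved, keep the row and fill in the Fixed version; if it was dropped for another reason, say so in the commit message. In the added 3419928 row, "need to change to keepalive and rp-keepalive" reads as a to-do rather than a description of behavior; state which option names the affected releases accept.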
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | @@ -85,7 +92,7 @@ pdfhidden: True | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | | [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | -| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.6.0 | | +| [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | | [3258232](#3258232)
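Review bot: The added 3293114 row contradicts itself: the description says the command is corrected in Cumulus Linux 5.5 and later, but the Affects column runs through 5.5.1 and Fixed is 5.6.0. Align the text with the columns (or the columns with the text) so it is clear whether 5.5.0-5.5.1 take enable off or enable on. The same hunk removes 3269691, which had no Fixed version recorded; confirm that the removal is intended.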
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | @@ -99,6 +106,7 @@ pdfhidden: True | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.6.0 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.6.0 | | | [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.6.0 | | +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | | [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | @@ -116,7 +124,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | @@ -136,17 +143,20 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 5.6.0| +| [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | +| [3647426](#3647426)
None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3610611](#3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address
command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | -| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi and might introduce a security issue. | 5.5.0-5.6.0 | | +| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | | | [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address
command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | +| [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | | +| [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | | | [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | | | [3566980](#3566980)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | | | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0| -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3549138](#3549138)
| In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | 5.6.0| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0| | [3541518](#3541518)
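Review bot: For 3647426 the Fixed column changes to "4.3.2-4.4.5, 5.6.0" while Affects still lists only 5.0.0-5.5.1, so the row claims a fix in a 4.x range that is never shown as affected. Either add the affected 4.x releases to Affects or remove 4.3.2-4.4.5 from Fixed.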
| When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 5.5.0-5.5.1 | 5.6.0| @@ -163,6 +173,7 @@ pdfhidden: True | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 5.6.0| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3486102](#3486102)
| SNMP and TACACS secrets are shown in cleartext. | 5.5.0-5.5.1 | 5.6.0| +| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | 5.6.0| @@ -184,9 +195,9 @@ pdfhidden: True | [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | | [3419940](#3419940)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | 5.6.0| +| [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | | | [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0| | [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | | -| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.6.0 | | | [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | 5.6.0| | [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | 5.6.0| | [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | @@ -203,7 +214,7 @@ pdfhidden: True | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | | [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | -| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.6.0 | | +| [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | | [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | @@ -217,6 +228,7 @@ pdfhidden: True | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.6.0 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.6.0 | | | [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.6.0 | | +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | | [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | @@ -234,7 +246,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | @@ -254,7 +265,7 @@ pdfhidden: True | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | | | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | | | [3418103](#3418103)
| On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. | 5.4.0 | | -| [3413860](#3413860)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-5.4.0 | | +| [3413860](#3413860)
None | If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | | | [3413827](#3413827)
None | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 5.0.0-5.4.0 | | | [3412357](#3412357)
| When you configure EVPN either with or without MLAG and change the mapping for a layer 2 or layer 3 VNI, you see a permanent traffic drop for the VNI. To work around this issue, remove the VNI configuration, then add and apply it again. | | | | [3410303](#3410303)
| The NVUE command to set the frequency of LLDP updates nv set service lldp tx-interval and the NVUE command to set the amount of time to hold the information before discarding it nv set service lldp tx-hold-multiplier do not provide reasonable maximum and minimum values. Cumulus Linux 5.5.0 and later provides new values. For the nv set service lldp tx-interval command, you can now set a minimum value of 5 and a maximum value of 32768. For the nv set service lldp tx-hold command, you can set a minimum value of 1 and a maximum value of 8192. | 5.4.0 | | diff --git a/content/cumulus-linux-55/rn.xml b/content/cumulus-linux-55/rn.xml index fdc9ac4820..faad14d573 100644 --- a/content/cumulus-linux-55/rn.xml +++ b/content/cumulus-linux-55/rn.xml @@ -7,6 +7,12 @@ Fixed +3663182 +Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the {{sudo systemctl restart frr.service}} command. +5.3.1-5.6.0 + + + 3647426 If BGP {{remote-as}} is set to an integer and you try to configure the {{local-as}} for a BGP instance, you see the following error: @@ -14,7 +20,19 @@ This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 + + +3630492 +On the NVIDIA SN2201 switch, the {{ledmgrd -d}} command output shows the system and PSU LED status as orange when the physical LED is green. +5.5.1-5.6.0 + + + +3616338 +When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the {{clagd}} service {{initDelay}} to 300 seconds with the {{nv set mlag init-delay 300}} command. +5.5.1-5.6.0 + 3610611 
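Review bot: the Fixed value for 3647426 at the end of the "@@ -14,7 +20,19 @@" hunk changes from "5.6.0" to "4.3.2-4.4.5, 5.6.0", but Affects stays "5.0.0-5.5.1", so the row now claims a fix in 4.x releases that it never lists as affected. Either extend Affects to cover the 4.x releases where the local-as error occurs, or drop the 4.x range from Fixed.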
@@ -24,7 +42,9 @@ This configuration is not allowed; it is considered to be eBGP and local prefere 3609128 -When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}} and might introduce a security issue. +When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}}. In CL5.7.0, the default configuration now includes {{set mouse-=a}}. + +In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk. 5.5.0-5.6.0 
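Review bot: the added sentence for 3609128, "now disables modelines, which can be a security risk", reads as if disabling modelines is the risk. Reword it so the risk attaches to modelines themselves, for example "now disables modelines, because modelines can be a security risk". The row also places the change in "CL5.7.0" while Affects still ends at 5.6.0 and no fixed release is listed. Spell the release out as "Cumulus Linux 5.7.0" to match the other rows, and fill in Fixed once that release is the fix.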
@@ -41,12 +61,34 @@ This configuration is not allowed; it is considered to be eBGP and local prefere +3597456 +NVUE does not allow you to use the reserved name {{lo}} in an interface name. +5.5.1-5.6.0 + + + 3585467 NVUE and {{ip link}} show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. 5.0.0-5.6.0 +3582826 +When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. +5.5.0-5.6.0 + + + +3580435 +On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog: + +smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff) + +This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the {{hdparm -S 24 /dev/sda}} command to change the HD timeout. +5.3.1-5.6.0 + + + 3576961 The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the {{cl-acltool -Z all}} command to reset the statistics for all ACL rules. 5.5.1-5.6.0 
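Review bot: the new 3597456 row in this hunk, "NVUE does not allow you to use the reserved name {{lo}} in an interface name", does not say what fails or what the reader should do about it. State whether the restriction applies to any interface name that contains "lo" or only to the name "lo" itself, what NVUE reports when it rejects the name, and either give a workaround or say that none exists.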
@@ -99,8 +141,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3549138 @@ -205,6 +247,12 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 5.6.0 +3484058 +When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. +5.3.0-5.6.0 + + + 3479786 The {{switchd}} service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, {{switchd}} has problems synchronizing other next hops in the group. 
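Review bot: in the "@@ -99,8 +141,8 @@" hunk, the CVE-2023-38408 row moves 4.3.2-4.4.5 out of Affects and into Fixed, but the description only says that Cumulus Linux 4.3.2 turns off all permissions on /usr/bin/ssh-agent (chmod 0) when a vulnerable version is detected, and says nothing about 4.4.0-4.4.5. Add a sentence stating what those releases ship that justifies listing them as fixed, or narrow the Fixed range to the release the text covers. Because the 4.3.2 change disables the binary rather than updating OpenSSH, the description should also say that ssh-agent is unavailable on that release.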
@@ -366,6 +414,12 @@ This error message is benign and has no functional impact. 5.6.0 +3419928 +The NVUE PIM timer command option names {{keep-alive}} and {{rp-keep-alive}} are inconsistent and need to change to {{keepalive}} and {{rp-keepalive}}. +5.4.0-5.6.0 + + + 3413785 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 @@ -378,12 +432,6 @@ This error message is benign and has no functional impact. -3395489 -On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. -5.4.0-5.6.0 - - - 3394674 If you restart FRR with the log file debugging level set to {{informational}}, BGP crashes. 5.4.0-5.5.1 
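Review bot: the "@@ -378,12 +432,6 @@" hunk deletes the 3395489 row (MLAG peering resets when you configure QoS buffer settings, Affects 5.4.0-5.6.0) outright instead of giving it a Fixed release. If the issue is resolved, keep the row and fill in Fixed. If it was invalid or a duplicate, say so in the commit message, because readers on 5.4.0-5.6.0 otherwise lose the record of it in these notes.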
@@ -489,10 +537,10 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on -3269691 -When you restart the LLDP service, you see a {{broken pipe}} error and a log message in the {{lldpd.service}} logs. This error does not affect LLDP functionality. -5.4.0-5.6.0 - +3293114 +In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. +5.3.0-5.5.1 +5.6.0 3266197 @@ -578,6 +626,20 @@ To work around this issue, reference the OID without the preceding period ( {{.} +3141826 +A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1). + +1.3.6.1.2.1.47 --> Entity MIB + 1.3.6.1.2.1.99 --> Entity Sensor MIB + 1.3.6.1.2.1.23 --> rip2 + 1.3.6.1.2.1.2 --> interface/interfaces + 1.3.6.1.2.1.31 --> ifMIB + 1.3.6.1.2.1.4 --> IP + 1.3.6.1.2.1.25 --> hostResource +5.0.1-5.6.0 + + + 3135952 PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the {{ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes>}} command. For example: 
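Review bot: in the "@@ -489,10 +537,10 @@" hunk, the new 3293114 description says the inverted command applies to "Cumulus Linux 5.4 and earlier" and is corrected in "Cumulus Linux 5.5 and later", but the row lists Affects 5.3.0-5.5.1 and Fixed 5.6.0. Align the text with the version columns so it is clear whether 5.5.0 and 5.5.1 take "enable off" or "enable on" to turn router advertisement on.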
@@ -689,12 +751,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -767,6 +823,12 @@ You can safely ignore this warning. Fixed +3663182 +Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the {{sudo systemctl restart frr.service}} command. +5.3.1-5.6.0 + + + 3647426 If BGP {{remote-as}} is set to an integer and you try to configure the {{local-as}} for a BGP instance, you see the following error: @@ -774,7 +836,7 @@ You can safely ignore this warning. This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. 5.0.0-5.5.1 -5.6.0 +4.3.2-4.4.5, 5.6.0 3610611 @@ -784,7 +846,9 @@ This configuration is not allowed; it is considered to be eBGP and local prefere 3609128 -When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}} and might introduce a security issue. +When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}}. In CL5.7.0, the default configuration now includes {{set mouse-=a}}. + +In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk. 5.5.0-5.6.0 
@@ -801,6 +865,22 @@ This configuration is not allowed; it is considered to be eBGP and local prefere +3582826 +When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. +5.5.0-5.6.0 + + + +3580435 +On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog: + +smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff) + +This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the {{hdparm -S 24 /dev/sda}} command to change the HD timeout. +5.3.1-5.6.0 + + + 3576949 When you run the NVUE {{nv set service snmp listening-address localhost vrf <vrf-name>}} or {{nv set service snmp listening-address localhost-v6 vrf <vrf-name>}} command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. 5.3.0-5.6.0 
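Review bot: the 3580435 workaround in this hunk, {{hdparm -S 24 /dev/sda}}, is described only as changing "the HD timeout" and is shown without sudo, unlike the other workaround commands in this file. Say that -S sets the drive standby timeout, what interval the value 24 corresponds to, and whether the setting survives a reboot. The message is described as cosmetic, so readers need enough detail to decide whether changing drive power management is worth it.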
@@ -835,8 +915,8 @@ This configuration is not allowed; it is considered to be eBGP and local prefere CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3549138 @@ -935,6 +1015,12 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 5.6.0 +3484058 +When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. +5.3.0-5.6.0 + + + 3479786 The {{switchd}} service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, {{switchd}} has problems synchronizing other next hops in the group. 
@@ -1102,6 +1188,12 @@ This error message is benign and has no functional impact. 5.6.0 +3419928 +The NVUE PIM timer command option names {{keep-alive}} and {{rp-keep-alive}} are inconsistent and need to change to {{keepalive}} and {{rp-keepalive}}. +5.4.0-5.6.0 + + + 3413785 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 @@ -1114,12 +1206,6 @@ This error message is benign and has no functional impact. -3395489 -On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. -5.4.0-5.6.0 - - - 3394674 If you restart FRR with the log file debugging level set to {{informational}}, BGP crashes. 5.4.0-5.5.1 
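Review bot: in the "@@ -1102,6 +1188,12 @@" hunk, the 3419928 text says the PIM timer option names {{keep-alive}} and {{rp-keep-alive}} "are inconsistent and need to change", which reads as a to-do for developers rather than a known issue for users. Rewrite it to state which names the affected releases 5.4.0-5.6.0 accept and which release introduces {{keepalive}} and {{rp-keepalive}}, so readers know which names to use in saved configurations and scripts.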
@@ -1225,10 +1311,10 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on -3269691 -When you restart the LLDP service, you see a {{broken pipe}} error and a log message in the {{lldpd.service}} logs. This error does not affect LLDP functionality. -5.4.0-5.6.0 - +3293114 +In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. +5.3.0-5.5.1 +5.6.0 3266197 @@ -1314,6 +1400,20 @@ To work around this issue, reference the OID without the preceding period ( {{.} +3141826 +A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1). + +1.3.6.1.2.1.47 --> Entity MIB + 1.3.6.1.2.1.99 --> Entity Sensor MIB + 1.3.6.1.2.1.23 --> rip2 + 1.3.6.1.2.1.2 --> interface/interfaces + 1.3.6.1.2.1.31 --> ifMIB + 1.3.6.1.2.1.4 --> IP + 1.3.6.1.2.1.25 --> hostResource +5.0.1-5.6.0 + + + 3135952 PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the {{ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes>}} command. For example: 
@@ -1425,12 +1525,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -1527,7 +1621,7 @@ You can safely ignore this warning. 3413860 If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. -3.7.0-5.4.0 +3.7.0-4.3.1 3413827 diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index fd4a8b509a..eb6f8e9e74 100644 --- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -14,27 +14,42 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3634358](#3634358)
| After applying the nv set interface router ospf passive command to a MACVLAN virtual interface that has an OSPF network statement (example shown below), NVUE might get into a broken state and might not be able to apply any more configurations
nv set interface vlan10 ip vrr address 10.1.10.1/24nv set interface vlan10 ip vrr mac-address 00:00:5E:00:01:00nv set interface vlan10 vlan 10nv set vrf default router ospf area 0 network 10.1.10.1/24..
nv set interface vlan10-v0 router ospf passive on
To work around this issue, do not use a network statement on a VRR VLAN interface, use an interface statement instead:
nv set interface vlan10 router ospf area 0
| 5.6.0 | | +| [3669935](#3669935)
| When you add or delete VXLAN VNI and VLAN interfaces, a memory leak might occur in switchd. | 5.6.0 | | +| [3668809](#3668809)
| SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log:/usr/sbin/smond : : Path /run/hw-management/thermal/fan1_dir does not exist/usr/sbin/smond : : Path /run/hw-management/thermal/fan2_dir does not existsmond has been modified to determine dynamically (at run-time) if the fan has the capability or not
To drop the messages before they get to the log, create a file, such as /etc/rsyslog.d/18-drop_fan_dir_msgs.conf with the following contents, then restart rsyslogd with the systemctl restart rsyslog command
# The lines below cause the offending message to be dropped from all logs:msg, ereregex, ".*Path /run/hw-management/thermal/fan[1-8]_dir does not exist" stop | 5.6.0 | | +| [3664986](#3664986)
| If a core file is generated with a space in the name, Cumulus Linux generates cl-support files until the file is removed. To work around this issue, rename the core file without the space character. The next cl-support file generated will be moved into the cl-support archive and removed from the filesystem. | 5.6.0 | | +| [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | +| [3662354](#3662354)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.6.0 | | +| [3646119](#3646119)
| If you have VRFs configured and you change the global ASN in FRR, BGP crashes. To work around this issue, don't unset more than one BGP instance at a time if one of the router bgp instances has VRF leaking configured. | 5.6.0 | | +| [3643624](#3643624)
| The help text for the NVUE policer command nv set acl rule action police mode incorrectly indicates that the policer mode units are in bits per second. NVUE configures policers using bytes per second. | 5.6.0 | | +| [3639058](#3639058)
| When you run the nv show service ntp command, you see an error message instead of the expected output. | 5.6.0 | | +| [3630492](#3630492)
| On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.6.0 | | +| [3627913](#3627913)
| The switch drops untagged VLAN traffic on single VXLAN bridge ports. | 5.6.0 | | +| [3616338](#3616338)
| When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. | 5.5.1-5.6.0 | | +| [3612959](#3612959)
| The interface name for a VLAN subinterface does not show correctly; the VLAN is appended to the interface again. | 5.6.0 | | | [3611215](#3611215)
| In an EVPN multihoming configuration, the switchd service produces error messages similar to the following:
2023-09-07T15:45:56.055477+02:00 switch1 switchd7903: hal_mlx_flx_acl.c:2388 hal_mlx_flx_region_pull_bulk_counters failed
These error messages do not affect how the switch functions; however the messages fill up the switchd logs, which is not desirable. | 5.6.0 | | | [3610611](#3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address
command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | -| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi and might introduce a security issue. | 5.5.0-5.6.0 | | +| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | | | [3608014](#3608014)
| Software MAC learning might not work for a bridged VLAN subinterface on a bond (such as bond1.100) if you remove a VLAN subinterface completely from the configuration, then add it back with an identical configuration. To work around this issue, restart switchd. | 5.6.0 | | | [3603237](#3603237)
| If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss. | 5.5.1-5.6.0 | | | [3600588](#3600588)
| You can't reset the root password by booting into Cumulus Linux single-user recovery mode. To work around this issue, follow the steps in https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/Monitoring-and-Troubleshooting/Single-User-Mode-Password-Recovery/. | 5.6.0 | | | [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address
command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | +| [3597456](#3597456)
| NVUE does not allow you to use the reserved name lo in an interface name. | 5.5.1-5.6.0 | | | [3590053](#3590053)
| If you connect a 1G BaseT module to the service port on the NVIDIA SN5600 switch when its peer is down, the link shows as active on one side while its peer is disabled. | 5.6.0 | | | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | +| [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | | +| [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | | | [3576961](#3576961)
| The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 | | | [3576949](#3576949)
| When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify. | 5.3.0-5.6.0 | | | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | | | [3566980](#3566980)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | | -| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.4.5, 5.0.0-5.6.0 | | +| [3554231](#3554231)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3549798](#3549798)
| If you add a VRF, then SSH into that VRF, which is a generated service (for example, sshd@vrfname.service), the service fails as the VRF is not created in time. To work around this issue, configure the VRF first, apply the configuration, then enable the SSH service on the VRF. | 5.6.0 | | | [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the Slave state and one of the ports might remain in an Uncalibrated state. To work around this issue, toggle the port that is in the Uncalibrated state up and down to recover the PTP state so that one of the ports is selected as the Slave. | 5.6.0 | | | [3534718](#3534718)
| The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
summary-only or vtysh router bgp aggregate-address
summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | | | [3533272](#3533272)
| If you set an OSPF network and define the subnet using a host address (such as 10.1.1.2/24) instead of the (starting) subnet network address (such as 10.1.1.0/24), you can't unset the prefix with the nv unset vrf default router ospf area network command. Avoid defining the subnet using a host address when setting an OSPF network. | 5.6.0 | | | [3517739](#3517739)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | | +| [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | | [3463827](#3463827)
| In an EVPN configuration with PIM-SM for BUM handling, the host behind the DUT does not receive the expected number of BUM packets. Cumulus Linux 5.6 only supports Head-End Replication (HREP) for handling BUM traffic in an EVPN configuration. BUM handling using a PIM-SM Multicast tree is not supported. | 5.6.0 | | | [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
system:
config:
snippet:
frr.conf: \|
bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | | | [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see the following error:
cumulus@switch:~$ nv show system aaa tacacs authorization 1Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND
| 5.5.0-5.6.0 | | @@ -42,8 +57,8 @@ pdfhidden: True | [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.6.0 | | | [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | | [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when the TACACS+ server is to be reached through the default VRF (with vrf=default set in the /etc/tacplus_servers file). To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.6.0 | | +| [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | | | [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | | -| [3395489](#3395489)
| On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. | 5.4.0-5.6.0 | | | [3368217](#3368217)
None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.6.0 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file after upgrade that includes breakout ports with QoS configuration or you run the nv config patch command to update a configuration with a yaml file that includes breakout ports with QoS configuration, the NVUE configuration fails to apply and subsequent attempts to run nv config apply fail with the following message:
cumulus@switch:~$ nv config applyInvalid config [rev_id: 11]
qos config is not supported on following invalid interface: swp1s0. Supported on swp and bond interface types
To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.6.0 | | | [3350027](#3350027)
| If you uninstall dynamic NAT rules and switchd restarts before all the dynamic NAT flows age out and are deleted, you might see dynamic flow deletion errors in switchd.log. These errors do not affect new dynamic NAT flows from new NAT rules. | 5.4.0-5.6.0 | | @@ -56,7 +71,6 @@ pdfhidden: True | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | | [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | -| [3269691](#3269691)
| When you restart the LLDP service, you see a broken pipe error and a log message in the lldpd.service logs. This error does not affect LLDP functionality. | 5.4.0-5.6.0 | | | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | | [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | @@ -67,6 +81,7 @@ pdfhidden: True | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.6.0 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.6.0 | | | [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.6.0 | | +| [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.6.0 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.6.0 | | | [3122301](#3122301)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.6.0 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.6.0 | | @@ -83,7 +98,6 @@ pdfhidden: True | [2891255](#2891255)
| CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Vulnerable: <= 2.6.20-0+deb10u1Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2890681](#2890681)
| CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.6.0 | 4.4.2-4.4.5| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.6.0 | | -| [2847919](#2847919)
| Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. | 5.0.0-5.6.0 | | | [2847755](#2847755)
| When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.6.0 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.6.0 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.6.0 | | @@ -116,7 +130,7 @@ pdfhidden: True | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | | | [3486102](#3486102)
| SNMP and TACACS secrets are shown in cleartext. | 5.5.0-5.5.1 | | -| [3482006](#3482006)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-5.5.1 | | +| [3482006](#3482006)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-4.3.1 | | | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | | | [3474427](#3474427)
| On rare occasions, LLDP and other CPU originated IP packets that egress a port might get replicated in the data plane and forwarded out of another port as well. The peer node might discard the unicast packets on the wrong port because of the destination MAC address; however, there might be problems with multicast packets, such as LLDP, which uses a multicast MAC address as the destination MAC address. To work around this issue, reboot the switch. | | | | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | | @@ -146,6 +160,7 @@ pdfhidden: True | [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | | | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | | | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | | +| [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | | | [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | | | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | | | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | | diff --git a/content/cumulus-linux-56/rn.xml b/content/cumulus-linux-56/rn.xml index 28578b42c8..15e704bb37 100644 --- a/content/cumulus-linux-56/rn.xml +++ b/content/cumulus-linux-56/rn.xml 
@@ -7,20 +7,85 @@ Fixed -3634358 -After applying the {{nv set interface <vlan> router ospf passive}} command to a MACVLAN virtual interface that has an OSPF network statement (example shown below), NVUE might get into a broken state and might not be able to apply any more configurations. - -nv set interface vlan10 ip vrr address 10.1.10.1/24 -nv set interface vlan10 ip vrr mac-address 00:00:5E:00:01:00 -nv set interface vlan10 vlan 10 -nv set vrf default router ospf area 0 network 10.1.10.1/24 -... -nv set interface vlan10-v0 router ospf passive on - -To work around this issue, do not use a network statement on a VRR VLAN interface, use an interface statement instead: +3669935 +When you add or delete VXLAN VNI and VLAN interfaces, a memory leak might occur in {{switchd}}. +5.6.0 + + + +3668809 +SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log: +<noformat> +/usr/sbin/smond : : Path /run/hw-management/thermal/fan1_dir does not exist +/usr/sbin/smond : : Path /run/hw-management/thermal/fan2_dir does not exist +</noformat> +{{smond}} has been modified to determine dynamically (at run-time) if the fan has the capability or not. -nv set interface vlan10 router ospf area 0 - +To drop the messages before they get to the log, create a file, such as {{/etc/rsyslog.d/18-drop_fan_dir_msgs.conf}} with the following contents, then restart {{rsyslogd}} with the {{systemctl restart rsyslog}} command. +<noformat> +# The lines below cause the offending message to be dropped from all logs +:msg, ereregex, ".*Path /run/hw-management/thermal/fan[1-8]_dir does not exist" stop +</noformat> +5.6.0 + + + +3664986 +If a core file is generated with a space in the name, Cumulus Linux generates cl-support files until the file is removed. To work around this issue, rename the core file without the space character. 
The next cl-support file generated will be moved into the cl-support archive and removed from the filesystem. +5.6.0 + + + +3663182 +Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the {{sudo systemctl restart frr.service}} command. +5.3.1-5.6.0 + + + +3662354 +When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. +5.6.0 + + + +3646119 +If you have VRFs configured and you change the global ASN in FRR, BGP crashes. To work around this issue, don't unset more than one BGP instance at a time if one of the {{router bgp}} instances has VRF leaking configured. +5.6.0 + + + +3643624 +The help text for the NVUE policer command {{nv set acl <acl> rule <rule> action police mode}} incorrectly indicates that the policer mode units are in bits per second. NVUE configures policers using bytes per second. +5.6.0 + + + +3639058 +When you run the {{nv show service ntp}} command, you see an error message instead of the expected output. +5.6.0 + + + +3630492 +On the NVIDIA SN2201 switch, the {{ledmgrd -d}} command output shows the system and PSU LED status as orange when the physical LED is green. +5.5.1-5.6.0 + + + +3627913 +The switch drops untagged VLAN traffic on single VXLAN bridge ports. +5.6.0 + + + +3616338 +When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the {{clagd}} service {{initDelay}} to 300 seconds with the {{nv set mlag init-delay 300}} command. 
+5.5.1-5.6.0 + + + +3612959 +The interface name for a VLAN subinterface does not show correctly; the VLAN is appended to the interface again. 5.6.0 @@ -42,7 +107,9 @@ These error messages do not affect how the switch functions; however the message 3609128 -When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}} and might introduce a security issue. +When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}}. In CL5.7.0, the default configuration now includes {{set mouse-=a}}. + +In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk. 5.5.0-5.6.0 @@ -71,6 +138,12 @@ These error messages do not affect how the switch functions; however the message +3597456 +NVUE does not allow you to use the reserved name {{lo}} in an interface name. +5.5.1-5.6.0 + + + 3590053 If you connect a 1G BaseT module to the service port on the NVIDIA SN5600 switch when its peer is down, the link shows as active on one side while its peer is disabled. 5.6.0 
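Review bot: in the 3609128 entry, the added sentence "the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk" reads as if disabling modelines were the risk. Reword it so the risk attaches to modelines themselves, for example "now disables modelines, because a modeline in an opened file can change editor settings while {{vi}} runs as root or with sudo". The hunk also removes "and might introduce a security issue" from the visual-mode sentence, so the entry no longer says whether 5.5.0-5.6.0 is exposed. State that explicitly, and since both new sentences describe 5.7.0 behaviour, confirm the Fixed field for this entry carries 5.7.0.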
@@ -83,6 +156,22 @@ These error messages do not affect how the switch functions; however the message +3582826 +When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. +5.5.0-5.6.0 + + + +3580435 +On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog: + +smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff) + +This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the {{hdparm -S 24 /dev/sda}} command to change the HD timeout. +5.3.1-5.6.0 + + + 3576961 The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the {{cl-acltool -Z all}} command to reset the statistics for all ACL rules. 5.5.1-5.6.0 
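Review bot: the description added for 3582826 (FRR SNMP agentx with short adjacency timers) is word for word the same as the one added for 3662354 in the first hunk of this file; only the Affects range differs (5.5.0-5.6.0 here, 5.6.0 there). Two IDs with identical text leave the reader unable to tell whether these are distinct defects. Either merge them into one entry, or add a sentence to each that says what distinguishes it and cross-reference the other ID.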
@@ -117,8 +206,8 @@ These error messages do not affect how the switch functions; however the message CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ''). For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. -4.0.0-4.4.5, 5.0.0-5.6.0 - +4.0.0-4.3.1, 5.0.0-5.6.0 +4.3.2-4.4.5 3549798 @@ -151,6 +240,12 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn +3484058 +When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. +5.3.0-5.6.0 + + + 3463827 In an EVPN configuration with PIM-SM for BUM handling, the host behind the DUT does not receive the expected number of BUM packets. Cumulus Linux 5.6 only supports Head-End Replication (HREP) for handling BUM traffic in an EVPN configuration. BUM handling using a PIM-SM Multicast tree is not supported. 5.6.0 
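Review bot: in the CVE-2023-38408 entry, the new Fixed value 4.3.2-4.4.5 is not backed by the description, which only says that on 4.3.2 /usr/bin/ssh-agent is set to chmod 0 "if a vulnerable version is detected". That disables the binary rather than moving OpenSSH to 9.3p2 or later, and nothing in the text covers 4.4.x. Add a sentence stating what 4.3.2 through 4.4.5 actually ship (a patched OpenSSH, or ssh-agent disabled), or keep those releases under Affects. If ssh-agent is disabled there, say so plainly, because users on those releases will find that ssh-agent no longer starts.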
@@ -209,15 +304,15 @@ Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded -3405024 -You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. -5.5.0-5.6.0 +3419928 +The NVUE PIM timer command option names {{keep-alive}} and {{rp-keep-alive}} are inconsistent and need to change to {{keepalive}} and {{rp-keepalive}}. +5.4.0-5.6.0 -3395489 -On a switch running MLAG, when you configure QoS buffer settings, MLAG peering resets. -5.4.0-5.6.0 +3405024 +You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. +5.5.0-5.6.0 @@ -302,12 +397,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on -3269691 -When you restart the LLDP service, you see a {{broken pipe}} error and a log message in the {{lldpd.service}} logs. This error does not affect LLDP functionality. -5.4.0-5.6.0 - - - 3266197 When you disable BGP globally with the {{nv set router bgp enable off}} command, applying the configuration with NVUE might fail due to an FRR reload failure. 5.2.0-5.6.0 
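Review bot: the added 3419928 text says the PIM timer option names {{keep-alive}} and {{rp-keep-alive}} "need to change to" {{keepalive}} and {{rp-keepalive}}, which describes planned work rather than telling a user on 5.4.0-5.6.0 what to type. Say which spelling those releases accept and in which release the rename takes effect.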
@@ -373,6 +462,20 @@ To work around this issue, reference the OID without the preceding period ( {{.} +3141826 +A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1). + +1.3.6.1.2.1.47 --> Entity MIB + 1.3.6.1.2.1.99 --> Entity Sensor MIB + 1.3.6.1.2.1.23 --> rip2 + 1.3.6.1.2.1.2 --> interface/interfaces + 1.3.6.1.2.1.31 --> ifMIB + 1.3.6.1.2.1.4 --> IP + 1.3.6.1.2.1.25 --> hostResource +5.0.1-5.6.0 + + + 3135952 PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the {{ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes>}} command. For example: @@ -478,12 +581,6 @@ Fixed: 2.6.0+dfsg.1-1+deb10u1 -2847919 -Configuring a router with the REST API through the switch front panel ports (swps) is supported in the default VRF only. To work around this issue, use the localHost IP address or the MGMT IP address to configure router using the Rest API. -5.0.0-5.6.0 - - - 2847755 When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. 5.0.0-5.6.0 @@ -649,7 +746,7 @@ This configuration is not allowed; it is considered to be eBGP and local prefere 3482006 If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. -4.3.0-5.5.1 +4.3.0-4.3.1 3479786 
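Review bot: the last hunk here narrows Affects for 3482006 from 4.3.0-5.5.1 to 4.3.0-4.3.1, which leaves no 5.x release in the range even though the entry stays in content/cumulus-linux-56/rn.xml. If 4.4.x and 5.0.0-5.5.1 were never affected, the entry does not belong in the 5.6 notes. If they were fixed, the Fixed field should name the releases, as the CVE-2023-38408 entry in this patch does with 4.3.2-4.4.5. Confirm which it is before merging.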
@@ -824,6 +921,11 @@ This error message is benign and has no functional impact. 5.4.0-5.5.1 +3293114 +In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. +5.3.0-5.5.1 + + 3187469 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 diff --git a/content/cumulus-netq-24/More-Documents/rn.md b/content/cumulus-netq-24/More-Documents/rn.md index 6d985ef8ec..0ee2a8040d 100644 --- a/content/cumulus-netq-24/More-Documents/rn.md +++ b/content/cumulus-netq-24/More-Documents/rn.md @@ -14,7 +14,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| | [2551641](#2551641)
NETQ-6673 | Infra: NetQ VM installation fails if the designated disk size is greater than 2TB. To work around this issue, specify the disk for cloud deployments to be between 256GB and 2TB SSD, and for on-premises deployments to be between 32 GB and 2TB. | 2.4.0-3.1.1 | 3.2.0-3.3.1| | [2549246](#2549246)
NETQ-5529 | NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| | [2548560](#2548560)
NETQ-5182 | When a switch or host reports its memory size in GB rather than MB, the NetQ Agent cannot parse the information and thus fails to register with the NetQ server. Contact customer support if you run into this issue. | 2.4.0-2.4.1 | 3.0.0-3.3.1| @@ -32,7 +32,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| | [2551641](#2551641)
NETQ-6673 | Infra: NetQ VM installation fails if the designated disk size is greater than 2TB. To work around this issue, specify the disk for cloud deployments to be between 256GB and 2TB SSD, and for on-premises deployments to be between 32 GB and 2TB. | 2.4.0-3.1.1 | 3.2.0-3.3.1| | [2549246](#2549246)
NETQ-5529 | NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| | [2548560](#2548560)
NETQ-5182 | When a switch or host reports its memory size in GB rather than MB, the NetQ Agent cannot parse the information and thus fails to register with the NetQ server. Contact customer support if you run into this issue. | 2.4.0-2.4.1 | 3.0.0-3.3.1| diff --git a/content/cumulus-netq-24/rn.xml b/content/cumulus-netq-24/rn.xml index c13b54400c..8dc49e2d52 100644 --- a/content/cumulus-netq-24/rn.xml +++ b/content/cumulus-netq-24/rn.xml @@ -10,7 +10,7 @@ 2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2551641 @@ -70,7 +70,7 @@ 2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2551641 diff --git a/content/cumulus-netq-30/More-Documents/rn.md b/content/cumulus-netq-30/More-Documents/rn.md index 2431668006..7dff920a99 100644 --- a/content/cumulus-netq-30/More-Documents/rn.md +++ b/content/cumulus-netq-30/More-Documents/rn.md @@ -14,7 +14,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| | [2551641](#2551641)
NETQ-6673 | Infra: NetQ VM installation fails if the designated disk size is greater than 2TB. To work around this issue, specify the disk for cloud deployments to be between 256GB and 2TB SSD, and for on-premises deployments to be between 32 GB and 2TB. | 2.4.0-3.1.1 | 3.2.0-3.3.1| | [2549842](#2549842)
NETQ-5833 | Switch upgrade of Cumulus Linux in the lifecycle management feature fails when attempted by a user with a standard or sudo user role and custom password credentials. To work around this issue, upgrades should be performed by users with root or sudo user role and an SSH key. Optionally, upgrade using a root user role with custom password. | 3.0.0-3.0.1 | 3.1.0-3.3.1| | [2549787](#2549787)
NETQ-5808 | When upgrading to NetQ 3.0.0, if you are using NetQ Agent 2.3.1 or earlier and have MLAG configured, the MLAG service becomes unresponsive. To resolve this issue, upgrade your NetQ Agents to version 3.0.0. | 3.0.0-3.0.1 | 3.1.0-3.3.1| @@ -22,7 +22,7 @@ pdfhidden: True | [2549704](#2549704)
NETQ-5768 | When multiple premises are deployed and Cumulus Linux upgrades have been performed on switches using the lifecycle management feature, the Upgrade History card displays history for all premises rather than only those for the selected premises. | 3.0.0-3.0.1 | 3.1.0-3.3.1| | [2549682](#2549682)
NETQ-5752 | Performing an upgrade using the lifecycle management feature fails intermittently when SSH key switch access authorization is used. To work around this issue, use basic authentication or retry an upgrade job that uses SSH key authorization. | 3.0.0-3.0.1 | 3.1.0-3.3.1| | [2549344](#2549344)
NETQ-5591 | UI: The lifecycle management feature does not present general alarm or info events; however, errors related to the upgrade process are reported within the NetQ UI. | 3.0.0-3.1.1 | 3.2.0-3.3.1| -| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.7.0| +| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.8.0| | [2549246](#2549246)
NETQ-5529 | NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| | [2547642](#2547642)
NETQ-4927 | Admin UI: If the Master Installation phase fails during NetQ installation, refreshing the page causes the error log to be lost. On failure, download the error log, then run netq bootstrap reset followed by netq bootstrap master interface on the node before restarting the installation process. | 2.4.1-3.0.1 | 3.1.0-3.3.1| diff --git a/content/cumulus-netq-30/rn.xml b/content/cumulus-netq-30/rn.xml index 181751f07e..8f8376b90f 100644 --- a/content/cumulus-netq-30/rn.xml +++ b/content/cumulus-netq-30/rn.xml @@ -10,7 +10,7 @@ 2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2551641 @@ -83,7 +83,7 @@ systemctl restart netqd.service 2549319 NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. 3.0.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2549246 diff --git a/content/cumulus-netq-31/More-Documents/rn.md b/content/cumulus-netq-31/More-Documents/rn.md index 4cf55b9f22..3bda09d707 100644 --- a/content/cumulus-netq-31/More-Documents/rn.md +++ b/content/cumulus-netq-31/More-Documents/rn.md @@ -14,13 +14,13 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| -| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| +| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.8.0| | [2551790](#2551790)
NETQ-6732 | CLI: Upgrade to NetQ 3.1.0 using the CLI fails due to an authentication issue. To work around this issue, run the netq bootstrap master upgrade command as usual, then use the Admin UI to complete the upgrade at _https://\:8443_. | 3.1.0-3.1.1 | 3.2.0-3.3.1| | [2551641](#2551641)
NETQ-6673 | Infra: NetQ VM installation fails if the designated disk size is greater than 2TB. To work around this issue, specify the disk for cloud deployments to be between 256GB and 2TB SSD, and for on-premises deployments to be between 32 GB and 2TB. | 2.4.0-3.1.1 | 3.2.0-3.3.1| | [2551569](#2551569)
NETQ-6650 | CLI: When a proxy server is configured for NetQ Cloud access and lifecycle management (LCM) is enabled, the associated LCM CLI commands fail due to incorrect port specification. To work around this issue, configure the NetQ Collector to connect directly to NetQ Cloud without a proxy. | 3.1.0-3.1.1 | 3.2.0-3.3.1| | [2549344](#2549344)
NETQ-5591 | UI: The lifecycle management feature does not present general alarm or info events; however, errors related to the upgrade process are reported within the NetQ UI. | 3.0.0-3.1.1 | 3.2.0-3.3.1| -| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.7.0| +| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.8.0| | [2549246](#2549246)
NETQ-5529 | NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| ### Fixed Issues in 3.1.0 diff --git a/content/cumulus-netq-31/rn.xml b/content/cumulus-netq-31/rn.xml index b5913205d7..ca1bef4daf 100644 --- a/content/cumulus-netq-31/rn.xml +++ b/content/cumulus-netq-31/rn.xml @@ -10,13 +10,13 @@ 2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2553453 The {{netqd}} daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and {{netq show}} commands are run. 3.1.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2551790 @@ -46,7 +46,7 @@ 2549319 NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. 3.0.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2549246 diff --git a/content/cumulus-netq-32/Whats-New/rn.md b/content/cumulus-netq-32/Whats-New/rn.md index a7e8385b15..4b22e6806b 100644 --- a/content/cumulus-netq-32/Whats-New/rn.md +++ b/content/cumulus-netq-32/Whats-New/rn.md @@ -14,12 +14,12 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| -| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| +| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.8.0| | [2556205](#2556205)
| NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. | 3.2.1-3.3.0 | 3.3.1| | [2556006](#2556006)
NETQ-8311 | NetQ Infra: Customers with cloud deployments who wish to use the lifecycle management (LCM) feature in NetQ 3.3.0 must upgrade their NetQ Cloud Appliance or Virtual Machine as well as the NetQ Agent. | 3.2.1 | 3.3.0-3.3.1| -| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.7.0| -| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.7.0| +| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.8.0| +| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.8.0| | [2549246](#2549246)
NETQ-5529 | NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| ### Fixed Issues in 3.2.1 @@ -34,12 +34,12 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| | [2553951](#2553951)
NETQ-7546 | Infra: In an on-premises deployment, the Kafka change logs can fill the NetQ appliance or VM disk space rapidly on systems with a large number of MAC or neighbor entries. If the disk usage exceeds 90%, the NetQ service is partially or completely disrupted. To workaround this issue, reduce the retention setting for log cleanup to 30 minutes by running the following script on your NetQ appliance/VM or the master server in a clustered arrangement:

MASTER_IP='cat /mnt/admin/master_ip' ; topics="netq-app-route-route_key_v1-changelog netq-app-macs-macs_key-changelog netq-app-neighbor-neighbor_key_v1-changelog netq-app-macfdb-macfdb_key_v3-changelog" ; for topic in $topics ; do kubectl exec -it rc/kafka-broker-rc-0 -- kafka-topics --zookeeper $MASTER_IP --topic $topic --alter --config delete.retention.ms=1800000 ; done
| 3.2.0 | 3.2.1-3.3.1| | [2553793](#2553793)
NETQ-7506 | NetQ CLI: For an on-premises deployment, an access_key and secret_key are not needed for the CLI to access the NetQ Collector. When these keys are configured NetQ assumes the system is in a cloud deployment and tries to validate the SSL certificates. This fails because for NetQ Collectors, the SSL certificates are usually self signed. As a result, the CLI fails with the following error:
cumulus@switch:~# netq show agentsFailed to process command. Check /var/log/netqd.log for more details
You also see an error in _/var/log/netqd.log_ similar to this:
2020-10-01T01:44:51.534875+00:00 leaf01 netqd[4782]: ERROR: GET request failed https://st-ts-01:32708/netq/telemetry/v1/object/bgp?count=2000&offset=02020-10-01T01:44:51.535251+00:00 leaf01 netqd[4782]: ERROR: HTTPSConnectionPool(host='st-ts-01', port=32708): Max retries exceeded with url: /netq/telemetry/v1/object/bgp?count=2000&offset=0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: {color:#d04437}CERTIFICATE_VERIFY_FAILED{color}] certificate verify failed: self signed certificate (_ssl.c:1056)')))
To resolve the failure, remove the access_key and secret_key from the CLI configuration
cumulus@switch:~# rm -f /etc/netq/.loginkeys.aescumulus@switch:~# rm -f /etc/netq/.login.aes
| 3.2.0 | 3.2.1-3.3.1| | [2553758](#2553758)
NETQ-7489 | NetQ CLI: When the NetQ Collector is configured with a proxy server for the CLI to access cloud APIs the SSL certificate validation fails because the proxy provides its own self-signed certificate. This causes the CLI to fail with the following error:
cumulus@switch:~# netq show agentsFailed to process command. Check /var/log/netqd.log for more details
You also see an error in _/var/log/netqd.log_ similar to this:
2020-10-01T01:44:51.534875+00:00 leaf01 netqd[4782]: ERROR: GET request failed https://st-ts-01:32708/netq/telemetry/v1/object/bgp?count=2000&offset=02020-10-01T01:44:51.535251+00:00 leaf01 netqd[4782]: ERROR: HTTPSConnectionPool(host='st-ts-01', port=32708): Max retries exceeded with url: /netq/telemetry/v1/object/bgp?count=2000&offset=0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: {color:#d04437}CERTIFICATE_VERIFY_FAILED{color}] certificate verify failed: self signed certificate (_ssl.c:1056)')))
Two options are available to work around this issue:* If the NetQ Collector has Internet access, configure the CLI to point to the cloud API instance directly:
cumulus@switch:~# netq config add cli server api.netq.cumulusnetworks.com port 443cumulus@switch:~# netq config restart cli
* To use the proxy server:
1. Delete the token file. Run sudo rm /tmp/token.aes.
2. Edit the _/etc/netq/netq.yml_ file as follows. The password is entered as cleartext.
netq-cli:
port: 32708
server: \
vrf: \
premises: \
username: \
password: \
opid: \

Note: OPID is not directly visible to user. File a [support ticket\|https://cumulusnetworks.com/support/file-a-ticket/] for assistance with completing the configuration.
3. Restart the the CLI. Run netq config restart cli. | 3.2.0 | 3.2.1-3.3.1| -| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.7.0| -| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.7.0| +| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.8.0| +| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.8.0| | [2549246](#2549246)
NETQ-5529 | NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| ### Fixed Issues in 3.2.0 diff --git a/content/cumulus-netq-32/rn.xml b/content/cumulus-netq-32/rn.xml index 1a5610442a..00a6a41512 100644 --- a/content/cumulus-netq-32/rn.xml +++ b/content/cumulus-netq-32/rn.xml @@ -10,7 +10,7 @@ 2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2690469 @@ -18,7 +18,7 @@ To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again: 'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' 3.2.1-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2556205 @@ -36,13 +36,13 @@ To work around this issue, run the following command on the NetQ telemetry serve 2553453 The {{netqd}} daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and {{netq show}} commands are run. 3.1.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2549319 NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. 3.0.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2549246 
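Review bot: The only change to 2553453 and 2549319 in this hunk is the upper bound of the Fixed range, `4.0.0-4.7.0` to `4.0.0-4.8.0`, and the same two edits repeat in the matching rn.md. A closed range that must be bumped in every file on each release is easy to miss in one place, and it reads as if the fix ends at 4.8.0. Consider recording only the first fixed release (4.0.0), or confirm that rn.xml and rn.md are regenerated from a single source so the two cannot drift.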
@@ -131,7 +131,7 @@ netq-cli: 2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2553951 @@ -202,13 +202,13 @@ netq-cli: 2553453 The {{netqd}} daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and {{netq show}} commands are run. 3.1.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2549319 NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. 3.0.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2549246 diff --git a/content/cumulus-netq-33/Whats-New/rn.md b/content/cumulus-netq-33/Whats-New/rn.md index b4975942c7..70df1e74f8 100644 --- a/content/cumulus-netq-33/Whats-New/rn.md +++ b/content/cumulus-netq-33/Whats-New/rn.md @@ -14,12 +14,12 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| -| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.7.0| -| [2556754](#2556754)
NETQ-8649 | netq-agent installed on Cumulus Linux might slowly leak memory during sustained layer two network events at high scale. | 3.3.0-3.3.1 | 4.0.0-4.7.0| -| [2555197](#2555197)
NETQ-7966 | NetQ CLI: Occasionally, when a command response contains a large number of objects to be displayed the NetQ CLI does not display all results in the console. When this occurs, view all results using the json format option. | 3.3.0-3.3.1 | 4.0.0-4.7.0| -| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.7.0| -| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| +| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.8.0| +| [2556754](#2556754)
NETQ-8649 | netq-agent installed on Cumulus Linux might slowly leak memory during sustained layer two network events at high scale. | 3.3.0-3.3.1 | 4.0.0-4.8.0| +| [2555197](#2555197)
NETQ-7966 | NetQ CLI: Occasionally, when a command response contains a large number of objects to be displayed the NetQ CLI does not display all results in the console. When this occurs, view all results using the json format option. | 3.3.0-3.3.1 | 4.0.0-4.8.0| +| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.8.0| +| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.8.0| ### Fixed Issues in 3.3.1 | Issue ID | Description | Affects | @@ -42,9 +42,9 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| -| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.7.0| -| [2556754](#2556754)
NETQ-8649 | netq-agent installed on Cumulus Linux might slowly leak memory during sustained layer two network events at high scale. | 3.3.0-3.3.1 | 4.0.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| +| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.8.0| +| [2556754](#2556754)
NETQ-8649 | netq-agent installed on Cumulus Linux might slowly leak memory during sustained layer two network events at high scale. | 3.3.0-3.3.1 | 4.0.0-4.8.0| | [2556545](#2556545)
NETQ-8556 | NetQ Agent: When upgrading to NetQ 3.3.0, sometimes the NetQ Agent fails to complete the upgrade on Broadcom-based swtiches. To work around this issue, update the following file on the switch where the NetQ Agent is running:
Open the _armel-netq-commands.yml_ file in the _/etc/netq/commands/_ directory for editing.
Copy and append the following to the file:
 - service: "inventory"
commands:
- key: "os-release"
command: "cat /etc/os-release"
isactive: true
parser: "local"
- key: "eprom"
command: "/usr/cumulus/bin/decode-syseeprom -j"
isactive: true
parser: "local"
- key: "lscpu"
command: "/usr/bin/lscpu"
isactive: true
parser: "local"
- key: "meminfo"
command: "cat /proc/meminfo"
isactive: true
parser: "local"
- key: "lsblk"
command: "lsblk -d -n -o name,size,type,vendor,tran,rev,model"
isactive: true
parser: "local"
- key: "dmicode"
command: "dmidecode -t 17"
isactive: true
parser: "local"
- key: "is-opta"
command: "cat /etc/app-release"
isactive: true
parser: "local"
Remove the existing generated command file
cumulus@switch:~$ rm /var/run/netq/netq-commands.yml
Restart the NetQ Agent
cumulus@switch:~$ netq config restart agent
| 3.3.0 | 3.3.1| | [2556434](#2556434)
NETQ-8492 | NetQ UI: When switches are running NetQ but hosts are not, the topology does not display the spine and leaf layers as separate tiers. | 3.3.0 | 3.3.1| | [2556275](#2556275)
NETQ-8410 | NetQ UI: The full-screen BGP Validation card for the default validation can become unresponsive when a very large number of sessions or errors are present. | 3.3.0 | 3.3.1| @@ -57,9 +57,9 @@ pdfhidden: True | [2555848](#2555848)
NETQ-8244 | NetQ Infra: It is important to plan your upgrade to NetQ 3.3.0 because the NetQ Appliance or VM becomes unavailable for approximately an hour during the process. No data is lost in the process. | 3.3.0 | 3.3.1| | [2555617](#2555617)
NETQ-8131 | NetQ Infra: Upgrading the NetQ Agent before upgrading the NetQ CLI for version 3.3.0 causes the NetQ CLI to fail the upgrade. To work around this issue, upgrade the NetQ CLI first, then follow with the NetQ Agent upgrade. | 3.3.0 | 3.3.1| | [2555587](#2555587)
NETQ-8117 | NetQ UI: Switches with LLDP enabled only on eth0 are not shown on the topology diagram. | 3.3.0 | 3.3.1| -| [2555197](#2555197)
NETQ-7966 | NetQ CLI: Occasionally, when a command response contains a large number of objects to be displayed the NetQ CLI does not display all results in the console. When this occurs, view all results using the json format option. | 3.3.0-3.3.1 | 4.0.0-4.7.0| -| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.7.0| -| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.7.0| +| [2555197](#2555197)
NETQ-7966 | NetQ CLI: Occasionally, when a command response contains a large number of objects to be displayed the NetQ CLI does not display all results in the console. When this occurs, view all results using the json format option. | 3.3.0-3.3.1 | 4.0.0-4.8.0| +| [2553453](#2553453)
NETQ-7318 | The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.8.0| +| [2549319](#2549319)
NETQ-5571 | NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.8.0| ### Fixed Issues in 3.3.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-33/rn.xml b/content/cumulus-netq-33/rn.xml index 2e9f53d5ce..02b8a49f27 100644 --- a/content/cumulus-netq-33/rn.xml +++ b/content/cumulus-netq-33/rn.xml @@ -10,7 +10,7 @@ 2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2690469 
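Review bot: The CVE-2021-44228 entry in this rn.xml hunk only has its Fixed range rolled from 4.1.0-4.7.0 to 4.1.0-4.8.0, and the row still gives readers on the affected 2.4.0-4.0.1 releases nothing to act on. Other rows in these notes carry a "To work around this issue" step. For an issue involving attacker-controlled JNDI endpoints, the row should at least state that upgrading to 4.1.0 or later is the remediation and, if known, which Log4j version those releases ship, so the claim can be checked against an installed system.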
@@ -18,31 +18,31 @@ To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again: 'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' 3.2.1-4.0.1 -4.1.0-4.7.0 +4.1.0-4.8.0 2556754 netq-agent installed on Cumulus Linux might slowly leak memory during sustained layer two network events at high scale. 3.3.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2555197 NetQ CLI: Occasionally, when a command response contains a large number of objects to be displayed the NetQ CLI does not display all results in the console. When this occurs, view all results using the {{json}} format option. 3.3.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2553453 The {{netqd}} daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and {{netq show}} commands are run. 3.1.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 2549319 NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. 3.0.0-3.3.1 -4.0.0-4.7.0 +4.0.0-4.8.0 @@ -249,7 +249,7 @@ Save the file. - + @@ -257,13 +257,13 @@ Save the file. To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again: 'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' - + - + @@ -467,19 +467,19 @@ Save the file. - + - + - +
2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.14.1.0-4.7.04.1.0-4.8.0
2690469 3.2.1-4.0.14.1.0-4.7.04.1.0-4.8.0
2556754 netq-agent installed on Cumulus Linux might slowly leak memory during sustained layer two network events at high scale. 3.3.0-3.3.14.0.0-4.7.04.0.0-4.8.0
2556545 2555197 NetQ CLI: Occasionally, when a command response contains a large number of objects to be displayed the NetQ CLI does not display all results in the console. When this occurs, view all results using the {{json}} format option. 3.3.0-3.3.14.0.0-4.7.04.0.0-4.8.0
2553453 The {{netqd}} daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and {{netq show}} commands are run. 3.1.0-3.3.14.0.0-4.7.04.0.0-4.8.0
2549319 NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. 3.0.0-3.3.14.0.0-4.7.04.0.0-4.8.0
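Review bot: The 2690469 workaround kept as context in these rn.xml hunks publishes a literal config-key value inside the `netq install opta activate-job config-key ...` command, and this patch carries the same string forward in every release-notes file it touches. Please confirm that the value is a generic, product-wide constant and not a key issued to a particular deployment. If it is deployment-specific, replace it with a placeholder and tell readers where to obtain their own key.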
diff --git a/content/cumulus-netq-40/Whats-New/rn.md b/content/cumulus-netq-40/Whats-New/rn.md index 5bb0189731..10692662d9 100644 --- a/content/cumulus-netq-40/Whats-New/rn.md +++ b/content/cumulus-netq-40/Whats-New/rn.md @@ -14,12 +14,12 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| -| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.7.0| -| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.7.0| -| [2815596](#2815596)
| The NetQ Cloud VM for KVM hypervisors installer and opta-check fail because the minimum disk requirements do not meet the default image settings. To work around this issue, increase the disk space from 32GB to 64GB before you run the netq bootstrap command
1. Check the size of the existing hard disk in the VM to confirm it is 32 GB. In this example, the number of 1 MB blocks is 31583, or 32 GB
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          31583  1192     30375   4% /
2. Shutdown the VM

3. Check the size of the existing disk on the server hosting the VM to confirm it is 32 GB. In this example, the size appears in the virtual size field:
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 32G (34359738368 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
4. Add 32 GB to the image:
root@server:/var/lib/libvirt/images# qemu-img resize netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2 +32G	Image resized.
5. Verify the change
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 64G (68719476736 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
6. Start the VM and log back in
7. Run the following commands on the partition, referencing the filesystem /dev/vda1 obtained in step 1:
cumulus@netq-401-cloud:~$ sudo growpart /dev/vda 1	CHANGED: partition=1 start=227328 old: size=66881503 end=67108831 new: size=133990367,end=134217695	cumulus@netq-401-cloud:~$ sudo resize2fs /dev/vda1	resize2fs 1.44.1 (24-Mar-2018)	Filesystem at /dev/vda1 is mounted on /; on-line resizing required	old_desc_blocks = 4, new_desc_blocks = 8	The filesystem on /dev/vda1 is now 16748795 (4k) blocks long.
8. Verify the disk is now configured with 64 GB. In this example, the number of 1 MB blocks is now 63341, or 64 GB:
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          63341  1193     62132   2% /
| 4.0.1-4.1.1 | 4.2.0-4.7.0| -| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.7.0| -| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| +| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.8.0| +| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.8.0| +| [2815596](#2815596)
| The NetQ Cloud VM for KVM hypervisors installer and opta-check fail because the minimum disk requirements do not meet the default image settings. To work around this issue, increase the disk space from 32GB to 64GB before you run the netq bootstrap command
1. Check the size of the existing hard disk in the VM to confirm it is 32 GB. In this example, the number of 1 MB blocks is 31583, or 32 GB
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          31583  1192     30375   4% /
2. Shutdown the VM

3. Check the size of the existing disk on the server hosting the VM to confirm it is 32 GB. In this example, the size appears in the virtual size field:
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 32G (34359738368 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
4. Add 32 GB to the image:
root@server:/var/lib/libvirt/images# qemu-img resize netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2 +32G	Image resized.
5. Verify the change
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 64G (68719476736 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
6. Start the VM and log back in
7. Run the following commands on the partition, referencing the filesystem /dev/vda1 obtained in step 1:
cumulus@netq-401-cloud:~$ sudo growpart /dev/vda 1	CHANGED: partition=1 start=227328 old: size=66881503 end=67108831 new: size=133990367,end=134217695	cumulus@netq-401-cloud:~$ sudo resize2fs /dev/vda1	resize2fs 1.44.1 (24-Mar-2018)	Filesystem at /dev/vda1 is mounted on /; on-line resizing required	old_desc_blocks = 4, new_desc_blocks = 8	The filesystem on /dev/vda1 is now 16748795 (4k) blocks long.
8. Verify the disk is now configured with 64 GB. In this example, the number of 1 MB blocks is now 63341, or 64 GB:
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          63341  1193     62132   2% /
| 4.0.1-4.1.1 | 4.2.0-4.8.0| +| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.8.0| +| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.8.0| ### Fixed Issues in 4.0.1 | Issue ID | Description | Affects | @@ -30,10 +30,10 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.7.0| -| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.7.0| -| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.7.0| -| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.7.0| +| [2893000](#2893000)
| CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 2.4.0-4.0.1 | 4.1.0-4.8.0| +| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.8.0| +| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.8.0| +| [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.8.0| ### Fixed Issues in 4.0.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-40/rn.xml b/content/cumulus-netq-40/rn.xml index 82ce6c6fa6..5607937646 100644 --- a/content/cumulus-netq-40/rn.xml +++ b/content/cumulus-netq-40/rn.xml @@ -10,19 +10,19 @@ - + - + - + @@ -91,7 +91,7 @@ Filesystem 1M-blocks Used Available Use% Mounted on /dev/vda1 63341 1193 62132 2% / - + @@ -111,7 +111,7 @@ To work around this issue, disable RoCE monitoring: 3. Restart the NetQ agent: $ netq config agent restart - + @@ -119,7 +119,7 @@ To work around this issue, disable RoCE monitoring: To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again: 'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' - +
2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.14.1.0-4.7.04.1.0-4.8.0
2843640 In NetQ clustered environments, the network snapshot feature may fail. 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2817749 If you configure an event suppression rule with {{is_active false}}, the event will no longer be displayed with the {{netq show events-config}} command. 4.0.1-4.2.04.3.0-4.7.04.3.0-4.8.0
2815596 4.0.1-4.1.14.2.0-4.7.04.2.0-4.8.0
2711101 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2690469 3.2.1-4.0.14.1.0-4.7.04.1.0-4.8.0
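Review bot: In the 2815596 workaround (the row touched by the `@@ -91,7 +91,7 @@` hunk here, shown in full in Whats-New/rn.md), step 5 runs `qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2` but the sample output reads `image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2`. Since the row is being edited anyway, fix the output so the image name matches the command; the verification step of a disk resize should not show a different file. Step 7 also says it references the filesystem `/dev/vda1`, while the first command it shows, `growpart /dev/vda 1`, takes the disk and a partition number, which deserves a word of explanation.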
@@ -140,13 +140,13 @@ To work around this issue, run the following command on the NetQ telemetry serve - + - + @@ -166,7 +166,7 @@ To work around this issue, disable RoCE monitoring: 3. Restart the NetQ agent: $ netq config agent restart - + @@ -174,7 +174,7 @@ To work around this issue, disable RoCE monitoring: To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again: 'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' - +
2893000 CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 2.4.0-4.0.14.1.0-4.7.04.1.0-4.8.0
2843640 In NetQ clustered environments, the network snapshot feature may fail. 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2711101 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2690469 3.2.1-4.0.14.1.0-4.7.04.1.0-4.8.0
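Review bot: The RoCE workaround shown as context in the `@@ -166,7 +166,7 @@` hunk (issue 2711101) restarts the agent with `netq config agent restart` and deletes `/var/run/netq/netq_commands.yml`, while the NETQ-8556 workaround in the 3.3 notes in this same patch uses `netq config restart agent` and `/var/run/netq/netq-commands.yml`. Please verify the word order and the file name against a switch for each release and correct whichever is wrong. A workaround whose delete or restart step does not take effect leaves the original behaviour in place.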
diff --git a/content/cumulus-netq-41/Whats-New/rn.md b/content/cumulus-netq-41/Whats-New/rn.md index 9f25e9b128..2c301f2863 100644 --- a/content/cumulus-netq-41/Whats-New/rn.md +++ b/content/cumulus-netq-41/Whats-New/rn.md @@ -14,16 +14,16 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.7.0| -| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.7.0| -| [3011307](#3011307)
| NetQ Agent: The NetQ Agent fails to start in Cumulus Linux on switches with ARM CPUs. The log files show the following message:
systemd: netq-agent.service: Main process exited, code=exited, status=1/FAILURE
| 4.1.1 | 4.2.0-4.7.0| -| [2896825](#2896825)
| WJH monitoring fails to start with netq-agent on Cumulus Linux 5.0. To work around this issue, reinstall the netq-agent package and configure the netq agent to start monitoring:1. Add the gpg key for the repository:wget -qO - https://apps3.cumulusnetworks.com/setup/cumulus-apps-deb.pubkey \| sudo apt-key add -2. Add the repository to /etc/apt/sources.list:echo 'deb https://apps3.cumulusnetworks.com/repos/deb CumulusLinux-4 netq-latest' \| sudo tee -a /etc/apt/sources.list3. Reinstall the netq-agent package:sudo apt-get update && sudo apt-get install --reinstall netq-agent | 4.1.0-4.1.1 | 4.2.0-4.7.0| -| [2885440](#2885440)
| After upgrading to NetQ 4.1.0, validation checks might show intermittent errors that are not valid while the validation application processess pending messages after upgrade. This condition will clear once all messages are processed. | 4.1.0-4.1.1 | 4.2.0-4.7.0| -| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.7.0 | | -| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.7.0| -| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.7.0| -| [2815596](#2815596)
| The NetQ Cloud VM for KVM hypervisors installer and opta-check fail because the minimum disk requirements do not meet the default image settings. To work around this issue, increase the disk space from 32GB to 64GB before you run the netq bootstrap command
1. Check the size of the existing hard disk in the VM to confirm it is 32 GB. In this example, the number of 1 MB blocks is 31583, or 32 GB
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          31583  1192     30375   4% /
2. Shutdown the VM

3. Check the size of the existing disk on the server hosting the VM to confirm it is 32 GB. In this example, the size appears in the virtual size field:
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 32G (34359738368 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
4. Add 32 GB to the image:
root@server:/var/lib/libvirt/images# qemu-img resize netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2 +32G	Image resized.
5. Verify the change
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 64G (68719476736 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
6. Start the VM and log back in
7. Run the following commands on the partition, referencing the filesystem /dev/vda1 obtained in step 1:
cumulus@netq-401-cloud:~$ sudo growpart /dev/vda 1	CHANGED: partition=1 start=227328 old: size=66881503 end=67108831 new: size=133990367,end=134217695	cumulus@netq-401-cloud:~$ sudo resize2fs /dev/vda1	resize2fs 1.44.1 (24-Mar-2018)	Filesystem at /dev/vda1 is mounted on /; on-line resizing required	old_desc_blocks = 4, new_desc_blocks = 8	The filesystem on /dev/vda1 is now 16748795 (4k) blocks long.
8. Verify the disk is now configured with 64 GB. In this example, the number of 1 MB blocks is now 63341, or 64 GB:
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          63341  1193     62132   2% /
| 4.0.1-4.1.1 | 4.2.0-4.7.0| -| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.7.0| +| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.8.0| +| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.8.0| +| [3011307](#3011307)
| NetQ Agent: The NetQ Agent fails to start in Cumulus Linux on switches with ARM CPUs. The log files show the following message:
systemd: netq-agent.service: Main process exited, code=exited, status=1/FAILURE
| 4.1.1 | 4.2.0-4.8.0| +| [2896825](#2896825)
| WJH monitoring fails to start with netq-agent on Cumulus Linux 5.0. To work around this issue, reinstall the netq-agent package and configure the netq agent to start monitoring:1. Add the gpg key for the repository:wget -qO - https://apps3.cumulusnetworks.com/setup/cumulus-apps-deb.pubkey \| sudo apt-key add -2. Add the repository to /etc/apt/sources.list:echo 'deb https://apps3.cumulusnetworks.com/repos/deb CumulusLinux-4 netq-latest' \| sudo tee -a /etc/apt/sources.list3. Reinstall the netq-agent package:sudo apt-get update && sudo apt-get install --reinstall netq-agent | 4.1.0-4.1.1 | 4.2.0-4.8.0| +| [2885440](#2885440)
| After upgrading to NetQ 4.1.0, validation checks might show intermittent errors that are not valid while the validation application processess pending messages after upgrade. This condition will clear once all messages are processed. | 4.1.0-4.1.1 | 4.2.0-4.8.0| +| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | +| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.8.0| +| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.8.0| +| [2815596](#2815596)
| The NetQ Cloud VM for KVM hypervisors installer and opta-check fail because the minimum disk requirements do not meet the default image settings. To work around this issue, increase the disk space from 32GB to 64GB before you run the netq bootstrap command
1. Check the size of the existing hard disk in the VM to confirm it is 32 GB. In this example, the number of 1 MB blocks is 31583, or 32 GB
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          31583  1192     30375   4% /
2. Shutdown the VM

3. Check the size of the existing disk on the server hosting the VM to confirm it is 32 GB. In this example, the size appears in the virtual size field:
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 32G (34359738368 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
4. Add 32 GB to the image:
root@server:/var/lib/libvirt/images# qemu-img resize netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2 +32G	Image resized.
5. Verify the change
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 64G (68719476736 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
6. Start the VM and log back in
7. Run the following commands on the partition, referencing the filesystem /dev/vda1 obtained in step 1:
cumulus@netq-401-cloud:~$ sudo growpart /dev/vda 1	CHANGED: partition=1 start=227328 old: size=66881503 end=67108831 new: size=133990367,end=134217695	cumulus@netq-401-cloud:~$ sudo resize2fs /dev/vda1	resize2fs 1.44.1 (24-Mar-2018)	Filesystem at /dev/vda1 is mounted on /; on-line resizing required	old_desc_blocks = 4, new_desc_blocks = 8	The filesystem on /dev/vda1 is now 16748795 (4k) blocks long.
8. Verify the disk is now configured with 64 GB. In this example, the number of 1 MB blocks is now 63341, or 64 GB:
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          63341  1193     62132   2% /
| 4.0.1-4.1.1 | 4.2.0-4.8.0| +| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.8.0| ### Fixed Issues in 4.1.1 | Issue ID | Description | Affects | @@ -35,15 +35,15 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.7.0| -| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.7.0| -| [2896825](#2896825)
| WJH monitoring fails to start with netq-agent on Cumulus Linux 5.0. To work around this issue, reinstall the netq-agent package and configure the netq agent to start monitoring:1. Add the gpg key for the repository:wget -qO - https://apps3.cumulusnetworks.com/setup/cumulus-apps-deb.pubkey \| sudo apt-key add -2. Add the repository to /etc/apt/sources.list:echo 'deb https://apps3.cumulusnetworks.com/repos/deb CumulusLinux-4 netq-latest' \| sudo tee -a /etc/apt/sources.list3. Reinstall the netq-agent package:sudo apt-get update && sudo apt-get install --reinstall netq-agent | 4.1.0-4.1.1 | 4.2.0-4.7.0| -| [2885440](#2885440)
| After upgrading to NetQ 4.1.0, validation checks might show intermittent errors that are not valid while the validation application processess pending messages after upgrade. This condition will clear once all messages are processed. | 4.1.0-4.1.1 | 4.2.0-4.7.0| -| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.7.0 | | -| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.7.0| -| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.7.0| -| [2815596](#2815596)
| The NetQ Cloud VM for KVM hypervisors installer and opta-check fail because the minimum disk requirements do not meet the default image settings. To work around this issue, increase the disk space from 32GB to 64GB before you run the netq bootstrap command
1. Check the size of the existing hard disk in the VM to confirm it is 32 GB. In this example, the number of 1 MB blocks is 31583, or 32 GB
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          31583  1192     30375   4% /
2. Shutdown the VM

3. Check the size of the existing disk on the server hosting the VM to confirm it is 32 GB. In this example, the size appears in the virtual size field:
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 32G (34359738368 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
4. Add 32 GB to the image:
root@server:/var/lib/libvirt/images# qemu-img resize netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2 +32G	Image resized.
5. Verify the change
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 64G (68719476736 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
6. Start the VM and log back in
7. Run the following commands on the partition, referencing the filesystem /dev/vda1 obtained in step 1:
cumulus@netq-401-cloud:~$ sudo growpart /dev/vda 1	CHANGED: partition=1 start=227328 old: size=66881503 end=67108831 new: size=133990367,end=134217695	cumulus@netq-401-cloud:~$ sudo resize2fs /dev/vda1	resize2fs 1.44.1 (24-Mar-2018)	Filesystem at /dev/vda1 is mounted on /; on-line resizing required	old_desc_blocks = 4, new_desc_blocks = 8	The filesystem on /dev/vda1 is now 16748795 (4k) blocks long.
8. Verify the disk is now configured with 64 GB. In this example, the number of 1 MB blocks is now 63341, or 64 GB:
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          63341  1193     62132   2% /
| 4.0.1-4.1.1 | 4.2.0-4.7.0| -| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.7.0| +| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.8.0| +| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.8.0| +| [2896825](#2896825)
| WJH monitoring fails to start with netq-agent on Cumulus Linux 5.0. To work around this issue, reinstall the netq-agent package and configure the netq agent to start monitoring:1. Add the gpg key for the repository:wget -qO - https://apps3.cumulusnetworks.com/setup/cumulus-apps-deb.pubkey \| sudo apt-key add -2. Add the repository to /etc/apt/sources.list:echo 'deb https://apps3.cumulusnetworks.com/repos/deb CumulusLinux-4 netq-latest' \| sudo tee -a /etc/apt/sources.list3. Reinstall the netq-agent package:sudo apt-get update && sudo apt-get install --reinstall netq-agent | 4.1.0-4.1.1 | 4.2.0-4.8.0| +| [2885440](#2885440)
| After upgrading to NetQ 4.1.0, validation checks might show intermittent errors that are not valid while the validation application processess pending messages after upgrade. This condition will clear once all messages are processed. | 4.1.0-4.1.1 | 4.2.0-4.8.0| +| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | +| [2843640](#2843640)
| In NetQ clustered environments, the network snapshot feature may fail. | 4.0.0-4.1.1 | 4.2.0-4.8.0| +| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.8.0| +| [2815596](#2815596)
| The NetQ Cloud VM for KVM hypervisors installer and opta-check fail because the minimum disk requirements do not meet the default image settings. To work around this issue, increase the disk space from 32GB to 64GB before you run the netq bootstrap command
1. Check the size of the existing hard disk in the VM to confirm it is 32 GB. In this example, the number of 1 MB blocks is 31583, or 32 GB
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          31583  1192     30375   4% /
2. Shutdown the VM

3. Check the size of the existing disk on the server hosting the VM to confirm it is 32 GB. In this example, the size appears in the virtual size field:
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 32G (34359738368 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
4. Add 32 GB to the image:
root@server:/var/lib/libvirt/images# qemu-img resize netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2 +32G	Image resized.
5. Verify the change
root@server:/var/lib/libvirt/images# qemu-img info netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2	image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2	file format: qcow2	virtual size: 64G (68719476736 bytes)	disk size: 1.3G	cluster_size: 65536	Format specific information:	    compat: 1.1	    lazy refcounts: false	    refcount bits: 16	    corrupt: false
6. Start the VM and log back in
7. Run the following commands on the partition, referencing the filesystem /dev/vda1 obtained in step 1:
cumulus@netq-401-cloud:~$ sudo growpart /dev/vda 1	CHANGED: partition=1 start=227328 old: size=66881503 end=67108831 new: size=133990367,end=134217695	cumulus@netq-401-cloud:~$ sudo resize2fs /dev/vda1	resize2fs 1.44.1 (24-Mar-2018)	Filesystem at /dev/vda1 is mounted on /; on-line resizing required	old_desc_blocks = 4, new_desc_blocks = 8	The filesystem on /dev/vda1 is now 16748795 (4k) blocks long.
8. Verify the disk is now configured with 64 GB. In this example, the number of 1 MB blocks is now 63341, or 64 GB:
cumulus@netq-401-cloud:~$ df -hm /	Filesystem     1M-blocks  Used Available Use% Mounted on	/dev/vda1          63341  1193     62132   2% /
| 4.0.1-4.1.1 | 4.2.0-4.8.0| +| [2711101](#2711101)
| When RoCE (RDMA over Converged Ethernet) data collection is enabled in Cumulus Linux 4.3.z and 4.4.z, you can experience high dual uplink convergence times
To work around this issue, disable RoCE monitoring:1. Edit '/etc/netq/commands/cl4-netq-commands.yml' and comment out the following lines:
#- period: "60"
# key: "roce"
# isactive: true
# command: "/usr/lib/cumulus/mlxcmd --json roce counters"
# parser: "local"2. Delete the '/var/run/netq/netq_commands.yml' file:
$ sudo rm /var/run/netq/netq_commands.yml3. Restart the NetQ agent:
$ netq config agent restart | 4.0.0-4.1.1 | 4.2.0-4.8.0| ### Fixed Issues in 4.1.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-41/rn.xml b/content/cumulus-netq-41/rn.xml index 7b68aa7488..6d82e738fa 100644 --- a/content/cumulus-netq-41/rn.xml +++ b/content/cumulus-netq-41/rn.xml @@ -10,13 +10,13 @@ - + - + @@ -26,7 +26,7 @@ systemd: netq-agent.service: Main process exited, code=exited, status=1/FAILURE - + @@ -47,13 +47,13 @@ systemd: netq-agent.service: Main process exited, code=exited, status=1/FAILURE {{sudo apt-get update && sudo apt-get install --reinstall netq-agent}} - + - + @@ -65,20 +65,20 @@ systemd: netq-agent.service: Main process exited, code=exited, status=1/FAILURE torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021 torc-21:vx-282 and torc-11:peerlink-3 - + - + - + @@ -147,7 +147,7 @@ systemd: netq-agent.service: Main process exited, code=exited, status=1/FAILURE Filesystem 1M-blocks Used Available Use% Mounted on /dev/vda1 63341 1193 62132 2% / - + @@ -167,7 +167,7 @@ To work around this issue, disable RoCE monitoring: 3. Restart the NetQ agent: $ netq config agent restart - +
3085064 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3015875 NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. 4.1.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3011307 4.1.14.2.0-4.7.04.2.0-4.8.0
2896825 4.1.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2885440 After upgrading to NetQ 4.1.0, validation checks might show intermittent errors that are not valid while the validation application processess pending messages after upgrade. This condition will clear once all messages are processed. 4.1.0-4.1.14.2.0-4.7.04.2.0-4.8.0
28853124.1.0-4.7.04.1.0-4.8.0
2843640 In NetQ clustered environments, the network snapshot feature may fail. 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2817749 If you configure an event suppression rule with {{is_active false}}, the event will no longer be displayed with the {{netq show events-config}} command. 4.0.1-4.2.04.3.0-4.7.04.3.0-4.8.0
2815596 4.0.1-4.1.14.2.0-4.7.04.2.0-4.8.0
2711101 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
@@ -195,13 +195,13 @@ CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12 - + - + @@ -222,13 +222,13 @@ CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12 {{sudo apt-get update && sudo apt-get install --reinstall netq-agent}} - + - + @@ -240,20 +240,20 @@ CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12 torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021 torc-21:vx-282 and torc-11:peerlink-3 - + - + - + @@ -322,7 +322,7 @@ CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12 Filesystem 1M-blocks Used Available Use% Mounted on /dev/vda1 63341 1193 62132 2% / - + @@ -342,7 +342,7 @@ To work around this issue, disable RoCE monitoring: 3. Restart the NetQ agent: $ netq config agent restart - +
3085064 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3015875 NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. 4.1.0-4.4.14.5.0-4.7.04.5.0-4.8.0
2896825 4.1.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2885440 After upgrading to NetQ 4.1.0, validation checks might show intermittent errors that are not valid while the validation application processess pending messages after upgrade. This condition will clear once all messages are processed. 4.1.0-4.1.14.2.0-4.7.04.2.0-4.8.0
28853124.1.0-4.7.04.1.0-4.8.0
2843640 In NetQ clustered environments, the network snapshot feature may fail. 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
2817749 If you configure an event suppression rule with {{is_active false}}, the event will no longer be displayed with the {{netq show events-config}} command. 4.0.1-4.2.04.3.0-4.7.04.3.0-4.8.0
2815596 4.0.1-4.1.14.2.0-4.7.04.2.0-4.8.0
2711101 4.0.0-4.1.14.2.0-4.7.04.2.0-4.8.0
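Review bot: The 2896825 workaround, touched in this change only to extend its Fixed range to 4.2.0-4.8.0, still has readers trust the repository key with `wget -qO - ... | sudo apt-key add -`, which places the key in apt's global keyring so it is trusted for every configured source rather than only this repository. Consider storing the key in its own keyring file and referencing it with `signed-by` on the `deb` line, and confirm that the `CumulusLinux-4` suite is the intended one for an issue reported against Cumulus Linux 5.0. Separately, in the 2815596 row, step 5 runs `qemu-img info` on `netq-4.0.1-ubuntu-18.04-tscloud-qemu.qcow2` but the sample output reads `image: netq-3.1.0-ubuntu-18.04-tscloud-qemu.qcow2`; the two file names should match.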
diff --git a/content/cumulus-netq-42/Whats-New/rn.md b/content/cumulus-netq-42/Whats-New/rn.md index 3d193b4d81..ef340e660a 100644 --- a/content/cumulus-netq-42/Whats-New/rn.md +++ b/content/cumulus-netq-42/Whats-New/rn.md @@ -14,17 +14,17 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0| -| [3157803](#3157803)
| The netq show commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The netq show commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. | 4.2.0-4.3.0 | 4.4.0-4.7.0| -| [3136898](#3136898)
| On switches running Cumulus Linux 5.2.0 and NetQ agent 4.2.0 or earlier, NetQ commands might fail and errors are logged to /var/log/netq-agent.log. To work around this issue, use NetQ agent version 4.3.0. | 4.2.0 | 4.3.0-4.7.0| -| [3131311](#3131311)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.7.0| -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.7.0| -| [3085017](#3085017)
| When you hover over a device with WJH events in the flow analysis graph, the number of WJH packet drops in the event summary might display 0 drops. This is because the device did not detect any WJH events on the selected path. To view the WJH events, select different paths to display any WJH events for that device. | 4.2.0 | 4.3.0-4.7.0| -| [3053143](#3053143)
| The MLAG Session card might not show all MLAG events. | 4.2.0-4.3.0 | 4.4.0-4.7.0| -| [3047149](#3047149)
| When you reboot the OPTA, the NetQ validation summary might show an incorrect number of validations. This condition will resolve itself within an hour of the reboot. | 4.2.0 | 4.3.0-4.7.0| -| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.7.0| -| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.7.0 | | -| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.7.0| +| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0-4.8.0| +| [3157803](#3157803)
| The netq show commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The netq show commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. | 4.2.0-4.3.0 | 4.4.0-4.8.0| +| [3136898](#3136898)
| On switches running Cumulus Linux 5.2.0 and NetQ agent 4.2.0 or earlier, NetQ commands might fail and errors are logged to /var/log/netq-agent.log. To work around this issue, use NetQ agent version 4.3.0. | 4.2.0 | 4.3.0-4.8.0| +| [3131311](#3131311)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.8.0| +| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.8.0| +| [3085017](#3085017)
| When you hover over a device with WJH events in the flow analysis graph, the number of WJH packet drops in the event summary might display 0 drops. This is because the device did not detect any WJH events on the selected path. To view the WJH events, select different paths to display any WJH events for that device. | 4.2.0 | 4.3.0-4.8.0| +| [3053143](#3053143)
| The MLAG Session card might not show all MLAG events. | 4.2.0-4.3.0 | 4.4.0-4.8.0| +| [3047149](#3047149)
| When you reboot the OPTA, the NetQ validation summary might show an incorrect number of validations. This condition will resolve itself within an hour of the reboot. | 4.2.0 | 4.3.0-4.8.0| +| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.8.0| +| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | +| [2817749](#2817749)
| If you configure an event suppression rule with is_active false, the event will no longer be displayed with the netq show events-config command. | 4.0.1-4.2.0 | 4.3.0-4.8.0| ### Fixed Issues in 4.2.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-42/rn.xml b/content/cumulus-netq-42/rn.xml index bf63c3b963..a26cdd5f9f 100644 --- a/content/cumulus-netq-42/rn.xml +++ b/content/cumulus-netq-42/rn.xml @@ -10,55 +10,55 @@ - + - + - + - + - + - + - + - + - + @@ -70,14 +70,14 @@ torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021 torc-21:vx-282 and torc-11:peerlink-3 - + - +
3442456 When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. 4.2.0-4.6.04.7.04.7.0-4.8.0
3157803 The {{netq show}} commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The {{netq show}} commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. 4.2.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3136898 On switches running Cumulus Linux 5.2.0 and NetQ agent 4.2.0 or earlier, NetQ commands might fail and errors are logged to {{/var/log/netq-agent.log}}. To work around this issue, use NetQ agent version 4.3.0. 4.2.04.3.0-4.7.04.3.0-4.8.0
3131311 Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. 4.2.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3085064 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3085017 When you hover over a device with WJH events in the flow analysis graph, the number of WJH packet drops in the event summary might display 0 drops. This is because the device did not detect any WJH events on the selected path. To view the WJH events, select different paths to display any WJH events for that device. 4.2.04.3.0-4.7.04.3.0-4.8.0
3053143 The MLAG Session card might not show all MLAG events. 4.2.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3047149 When you reboot the OPTA, the NetQ validation summary might show an incorrect number of validations. This condition will resolve itself within an hour of the reboot. 4.2.04.3.0-4.7.04.3.0-4.8.0
3015875 NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. 4.1.0-4.4.14.5.0-4.7.04.5.0-4.8.0
28853124.1.0-4.7.04.1.0-4.8.0
2817749 If you configure an event suppression rule with {{is_active false}}, the event will no longer be displayed with the {{netq show events-config}} command. 4.0.1-4.2.04.3.0-4.7.04.3.0-4.8.0
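Review bot: 2885312 is the only row in this file whose Affects range grows (4.1.0-4.7.0 becomes 4.1.0-4.8.0) while its Fixed column stays empty, yet the description gives no workaround and no way to tell a false `Duplicate Mac` event from a genuine one. Since the issue remains open, add a sentence on how an operator can confirm whether the reported MAC is actually duplicated, or state explicitly that no workaround exists, so that readers do not learn to ignore this validation result altogether.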
diff --git a/content/cumulus-netq-43/Whats-New/rn.md b/content/cumulus-netq-43/Whats-New/rn.md index 0770e39344..b2f6dc6335 100644 --- a/content/cumulus-netq-43/Whats-New/rn.md +++ b/content/cumulus-netq-43/Whats-New/rn.md @@ -14,21 +14,21 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0| -| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.7.0| -| [3303284](#3303284)
| When you run the netq show opta-health command, it might fail and produce the following error:
ERROR: Expecting value: line 1 column 1 (char 0)
| 4.3.0-4.4.1 | 4.5.0-4.7.0| -| [3226405](#3226405)
| TLS versions 1.0 and 1.1 are enabled for the OPTA API Gateway listening on TCP port 32708. Only TLS versions 1.2 and 1.3 should be enabled. | 4.3.0 | 4.4.0-4.7.0| -| [3216161](#3216161)
| In an OPTA clustered environment, NetQ agents might appear as rotten after upgrading to NetQ 4.3.0. To work around this issue, configure the spice: false parameter in /etc/netq/netq.yml. | 4.3.0 | 4.4.0-4.7.0| -| [3211317](#3211317)
| Upgrading Cumulus Linux with NetQ LCM fails when you upgrade a switch with the MLAG primary role. | 4.3.0 | 4.4.0-4.7.0| -| [3205778](#3205778)
| In some high scale environments, NetQ agents might appear as rotten during high load. | 4.3.0 | 4.4.0-4.7.0| -| [3179145](#3179145)
| The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. | 4.3.0-4.4.1 | 4.5.0-4.7.0| -| [3157803](#3157803)
| The netq show commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The netq show commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. | 4.2.0-4.3.0 | 4.4.0-4.7.0| -| [3131311](#3131311)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.7.0| -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.7.0| -| [3053143](#3053143)
| The MLAG Session card might not show all MLAG events. | 4.2.0-4.3.0 | 4.4.0-4.7.0| -| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.7.0| -| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.7.0 | | -| [2605545](#2605545)
| Sort functionality is disabled when the number of records exceeds 10,000 entries in a full-screen, tabular view. | 4.3.0 | 4.4.0-4.7.0| +| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0-4.8.0| +| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.8.0| +| [3303284](#3303284)
| When you run the netq show opta-health command, it might fail and produce the following error:
ERROR: Expecting value: line 1 column 1 (char 0)
| 4.3.0-4.4.1 | 4.5.0-4.8.0| +| [3226405](#3226405)
| TLS versions 1.0 and 1.1 are enabled for the OPTA API Gateway listening on TCP port 32708. Only TLS versions 1.2 and 1.3 should be enabled. | 4.3.0 | 4.4.0-4.8.0| +| [3216161](#3216161)
| In an OPTA clustered environment, NetQ agents might appear as rotten after upgrading to NetQ 4.3.0. To work around this issue, configure the spice: false parameter in /etc/netq/netq.yml. | 4.3.0 | 4.4.0-4.8.0| +| [3211317](#3211317)
| Upgrading Cumulus Linux with NetQ LCM fails when you upgrade a switch with the MLAG primary role. | 4.3.0 | 4.4.0-4.8.0| +| [3205778](#3205778)
| In some high scale environments, NetQ agents might appear as rotten during high load. | 4.3.0 | 4.4.0-4.8.0| +| [3179145](#3179145)
| The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. | 4.3.0-4.4.1 | 4.5.0-4.8.0| +| [3157803](#3157803)
| The netq show commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The netq show commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. | 4.2.0-4.3.0 | 4.4.0-4.8.0| +| [3131311](#3131311)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.8.0| +| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.8.0| +| [3053143](#3053143)
| The MLAG Session card might not show all MLAG events. | 4.2.0-4.3.0 | 4.4.0-4.8.0| +| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.8.0| +| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | +| [2605545](#2605545)
| Sort functionality is disabled when the number of records exceeds 10,000 entries in a full-screen, tabular view. | 4.3.0 | 4.4.0-4.8.0| ### Fixed Issues in 4.3.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-43/rn.xml b/content/cumulus-netq-43/rn.xml index 461d721337..38d8cb6360 100644 --- a/content/cumulus-netq-43/rn.xml +++ b/content/cumulus-netq-43/rn.xml @@ -10,7 +10,7 @@ - + @@ -24,7 +24,7 @@ ERROR: Failed to install the master node This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. - + @@ -34,67 +34,67 @@ This is due to an expired key in the installation tarball. For assistance workin ERROR: Expecting value: line 1 column 1 (char 0) - + - + - + - + - + - + - + - + - + - + - + @@ -106,14 +106,14 @@ ERROR: Expecting value: line 1 column 1 (char 0) torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021 torc-21:vx-282 and torc-11:peerlink-3 - + - +
3442456 When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. 4.2.0-4.6.04.7.04.7.0-4.8.0
3438973 4.3.0-4.5.04.6.0-4.7.04.6.0-4.8.0
3303284 4.3.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3226405 TLS versions 1.0 and 1.1 are enabled for the OPTA API Gateway listening on TCP port 32708. Only TLS versions 1.2 and 1.3 should be enabled. 4.3.04.4.0-4.7.04.4.0-4.8.0
3216161 In an OPTA clustered environment, NetQ agents might appear as rotten after upgrading to NetQ 4.3.0. To work around this issue, configure the {{spice: false}} parameter in {{/etc/netq/netq.yml}}. 4.3.04.4.0-4.7.04.4.0-4.8.0
3211317 Upgrading Cumulus Linux with NetQ LCM fails when you upgrade a switch with the MLAG primary role. 4.3.04.4.0-4.7.04.4.0-4.8.0
3205778 In some high scale environments, NetQ agents might appear as rotten during high load. 4.3.04.4.0-4.7.04.4.0-4.8.0
3179145 The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. 4.3.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3157803 The {{netq show}} commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The {{netq show}} commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. 4.2.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3131311 Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. 4.2.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3085064 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3053143 The MLAG Session card might not show all MLAG events. 4.2.0-4.3.04.4.0-4.7.04.4.0-4.8.0
3015875 NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. 4.1.0-4.4.14.5.0-4.7.04.5.0-4.8.0
28853124.1.0-4.7.04.1.0-4.8.0
2605545 Sort functionality is disabled when the number of records exceeds 10,000 entries in a full-screen, tabular view. 4.3.04.4.0-4.7.04.4.0-4.8.0
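Review bot: The 3226405 row gives no workaround or verification step for deployments still on 4.3.0, where the OPTA API Gateway on TCP port 32708 accepts TLS 1.0 and 1.1. The neighbouring 3216161 row names its workaround (the {{spice: false}} parameter in {{/etc/netq/netq.yml}}). This row should at least state that upgrading to a release in the Fixed range is the remedy, and how to confirm afterwards that only TLS 1.2 and 1.3 are offered. The change here only widens the Fixed range from 4.4.0-4.7.0 to 4.4.0-4.8.0, so the description can be amended in the same edit.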
diff --git a/content/cumulus-netq-44/Whats-New/rn.md b/content/cumulus-netq-44/Whats-New/rn.md index 09b4631743..705b5287a2 100644 --- a/content/cumulus-netq-44/Whats-New/rn.md +++ b/content/cumulus-netq-44/Whats-New/rn.md @@ -14,18 +14,18 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0| -| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.7.0| -| [3395385](#3395385)
| When you use NetQ LCM to upgrade a Cumulus Linux switch in an MLAG pair, the upgrade might fail. | 4.4.1-4.5.0 | 4.6.0-4.7.0| -| [3360627](#3360627)
| When the switch RoCE egress pool buffer limit is configured as unlimited, the maximum buffer usage for RoCE counters might display incorrect values in the NetQ UI. | 4.4.1-4.5.0 | 4.6.0-4.7.0| -| [3305144](#3305144)
| When you perform a netq trace between two hosts, the following message might be printed in the output even when the trace is successful:
argument of type ‘NoneType’ is not iterable
| 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3303284](#3303284)
| When you run the netq show opta-health command, it might fail and produce the following error:
ERROR: Expecting value: line 1 column 1 (char 0)
| 4.3.0-4.4.1 | 4.5.0-4.7.0| -| [3290068](#3290068)
| When you back up NetQ data with the backuprestore.sh script, the operation fails with the following log messages:
Failed to clear all earlier snapshot for keyspace:master. Exiting!command terminated with exit code 1Failed to execute /opt/backuprestore/createbackup.sh script on cassandra pod
Failed to proceed ahead with backup procedure. Exiting !
Contact NVIDIA support for assistance performing a backup. | 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3266922](#3266922)
| When a NetQ agent sends your NetQ server or OPTA an unexpectedly large number for switch interface counters, netq check and netq show commands might fail with the following message:
local variable ‘url’ referenced before assignment
| 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3241664](#3241664)
| When you start the netq-agent service, the WJH service is enabled by default. However, when you run the netq config show agent wjh command, the output might reflect the WJH service as disabled. | 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3179145](#3179145)
| The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. | 4.3.0-4.4.1 | 4.5.0-4.7.0| -| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.7.0| -| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.7.0 | | +| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0-4.8.0| +| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.8.0| +| [3395385](#3395385)
| When you use NetQ LCM to upgrade a Cumulus Linux switch in an MLAG pair, the upgrade might fail. | 4.4.1-4.5.0 | 4.6.0-4.8.0| +| [3360627](#3360627)
| When the switch RoCE egress pool buffer limit is configured as unlimited, the maximum buffer usage for RoCE counters might display incorrect values in the NetQ UI. | 4.4.1-4.5.0 | 4.6.0-4.8.0| +| [3305144](#3305144)
| When you perform a netq trace between two hosts, the following message might be printed in the output even when the trace is successful:
argument of type ‘NoneType’ is not iterable
| 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3303284](#3303284)
| When you run the netq show opta-health command, it might fail and produce the following error:
ERROR: Expecting value: line 1 column 1 (char 0)
| 4.3.0-4.4.1 | 4.5.0-4.8.0| +| [3290068](#3290068)
| When you back up NetQ data with the backuprestore.sh script, the operation fails with the following log messages:
Failed to clear all earlier snapshot for keyspace:master. Exiting!command terminated with exit code 1Failed to execute /opt/backuprestore/createbackup.sh script on cassandra pod
Failed to proceed ahead with backup procedure. Exiting !
Contact NVIDIA support for assistance performing a backup. | 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3266922](#3266922)
| When a NetQ agent sends your NetQ server or OPTA an unexpectedly large number for switch interface counters, netq check and netq show commands might fail with the following message:
local variable ‘url’ referenced before assignment
| 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3241664](#3241664)
| When you start the netq-agent service, the WJH service is enabled by default. However, when you run the netq config show agent wjh command, the output might reflect the WJH service as disabled. | 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3179145](#3179145)
| The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. | 4.3.0-4.4.1 | 4.5.0-4.8.0| +| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.8.0| +| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | ### Fixed Issues in 4.4.1 | Issue ID | Description | Affects | @@ -36,16 +36,16 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0| -| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.7.0| -| [3305144](#3305144)
| When you perform a netq trace between two hosts, the following message might be printed in the output even when the trace is successful:
argument of type ‘NoneType’ is not iterable
| 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3303284](#3303284)
| When you run the netq show opta-health command, it might fail and produce the following error:
ERROR: Expecting value: line 1 column 1 (char 0)
| 4.3.0-4.4.1 | 4.5.0-4.7.0| -| [3290068](#3290068)
| When you back up NetQ data with the backuprestore.sh script, the operation fails with the following log messages:
Failed to clear all earlier snapshot for keyspace:master. Exiting!command terminated with exit code 1Failed to execute /opt/backuprestore/createbackup.sh script on cassandra pod
Failed to proceed ahead with backup procedure. Exiting !
Contact NVIDIA support for assistance performing a backup. | 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3266922](#3266922)
| When a NetQ agent sends your NetQ server or OPTA an unexpectedly large number for switch interface counters, netq check and netq show commands might fail with the following message:
local variable ‘url’ referenced before assignment
| 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3241664](#3241664)
| When you start the netq-agent service, the WJH service is enabled by default. However, when you run the netq config show agent wjh command, the output might reflect the WJH service as disabled. | 4.4.0-4.4.1 | 4.5.0-4.7.0| -| [3179145](#3179145)
| The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. | 4.3.0-4.4.1 | 4.5.0-4.7.0| -| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.7.0| -| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.7.0 | | +| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0-4.8.0| +| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.8.0| +| [3305144](#3305144)
| When you perform a netq trace between two hosts, the following message might be printed in the output even when the trace is successful:
argument of type ‘NoneType’ is not iterable
| 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3303284](#3303284)
| When you run the netq show opta-health command, it might fail and produce the following error:
ERROR: Expecting value: line 1 column 1 (char 0)
| 4.3.0-4.4.1 | 4.5.0-4.8.0| +| [3290068](#3290068)
| When you back up NetQ data with the backuprestore.sh script, the operation fails with the following log messages:
Failed to clear all earlier snapshot for keyspace:master. Exiting!command terminated with exit code 1Failed to execute /opt/backuprestore/createbackup.sh script on cassandra pod
Failed to proceed ahead with backup procedure. Exiting !
Contact NVIDIA support for assistance performing a backup. | 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3266922](#3266922)
| When a NetQ agent sends your NetQ server or OPTA an unexpectedly large number for switch interface counters, netq check and netq show commands might fail with the following message:
local variable ‘url’ referenced before assignment
| 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3241664](#3241664)
| When you start the netq-agent service, the WJH service is enabled by default. However, when you run the netq config show agent wjh command, the output might reflect the WJH service as disabled. | 4.4.0-4.4.1 | 4.5.0-4.8.0| +| [3179145](#3179145)
| The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. | 4.3.0-4.4.1 | 4.5.0-4.8.0| +| [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.8.0| +| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | ### Fixed Issues in 4.4.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-44/rn.xml b/content/cumulus-netq-44/rn.xml index 54e20aa6aa..e7475a54ff 100644 --- a/content/cumulus-netq-44/rn.xml +++ b/content/cumulus-netq-44/rn.xml @@ -10,7 +10,7 @@ - + @@ -24,19 +24,19 @@ ERROR: Failed to install the master node This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. - + - + - + @@ -46,7 +46,7 @@ This is due to an expired key in the installation tarball. For assistance workin argument of type ‘NoneType’ is not iterable - + @@ -56,7 +56,7 @@ argument of type ‘NoneType’ is not iterable ERROR: Expecting value: line 1 column 1 (char 0) - + @@ -69,7 +69,7 @@ Failed to proceed ahead with backup procedure. Exiting ! Contact NVIDIA support for assistance performing a backup. - + @@ -79,25 +79,25 @@ Contact NVIDIA support for assistance performing a backup. local variable ‘url’ referenced before assignment - + - + - + - + @@ -109,7 +109,7 @@ local variable ‘url’ referenced before assignment torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021 torc-21:vx-282 and torc-11:peerlink-3 - +
3442456 When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. 4.2.0-4.6.04.7.04.7.0-4.8.0
3438973 4.3.0-4.5.04.6.0-4.7.04.6.0-4.8.0
3395385 When you use NetQ LCM to upgrade a Cumulus Linux switch in an MLAG pair, the upgrade might fail. 4.4.1-4.5.04.6.0-4.7.04.6.0-4.8.0
3360627 When the switch RoCE egress pool buffer limit is configured as unlimited, the maximum buffer usage for RoCE counters might display incorrect values in the NetQ UI. 4.4.1-4.5.04.6.0-4.7.04.6.0-4.8.0
3305144 4.4.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3303284 4.3.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3290068 4.4.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3266922 4.4.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3241664 When you start the {{netq-agent}} service, the WJH service is enabled by default. However, when you run the {{netq config show agent wjh}} command, the output might reflect the WJH service as disabled. 4.4.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3179145 The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. 4.3.0-4.4.14.5.0-4.7.04.5.0-4.8.0
3015875 NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. 4.1.0-4.4.14.5.0-4.7.04.5.0-4.8.0
28853124.1.0-4.7.04.1.0-4.8.0
@@ -131,7 +131,7 @@ local variable ‘url’ referenced before assignment 3442456 When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. 4.2.0-4.6.0 -4.7.0 +4.7.0-4.8.0 3438973 @@ -145,7 +145,7 @@ ERROR: Failed to install the master node This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. 4.3.0-4.5.0 -4.6.0-4.7.0 +4.6.0-4.8.0 3305144 @@ -155,7 +155,7 @@ This is due to an expired key in the installation tarball. For assistance workin argument of type ‘NoneType’ is not iterable 4.4.0-4.4.1 -4.5.0-4.7.0 +4.5.0-4.8.0 3303284 @@ -165,7 +165,7 @@ argument of type ‘NoneType’ is not iterable ERROR: Expecting value: line 1 column 1 (char 0) 4.3.0-4.4.1 -4.5.0-4.7.0 +4.5.0-4.8.0 3290068 @@ -178,7 +178,7 @@ Failed to proceed ahead with backup procedure. Exiting ! Contact NVIDIA support for assistance performing a backup. 4.4.0-4.4.1 -4.5.0-4.7.0 +4.5.0-4.8.0 3266922 @@ -188,25 +188,25 @@ Contact NVIDIA support for assistance performing a backup. local variable ‘url’ referenced before assignment 4.4.0-4.4.1 -4.5.0-4.7.0 +4.5.0-4.8.0 3241664 When you start the {{netq-agent}} service, the WJH service is enabled by default. However, when you run the {{netq config show agent wjh}} command, the output might reflect the WJH service as disabled. 4.4.0-4.4.1 -4.5.0-4.7.0 +4.5.0-4.8.0 3179145 The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. 4.3.0-4.4.1 -4.5.0-4.7.0 +4.5.0-4.8.0 3015875 NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. 4.1.0-4.4.1 -4.5.0-4.7.0 +4.5.0-4.8.0 2885312 
@@ -218,7 +218,7 @@ local variable ‘url’ referenced before assignment torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021 torc-21:vx-282 and torc-11:peerlink-3 -4.1.0-4.7.0 +4.1.0-4.8.0 diff --git a/content/cumulus-netq-45/Whats-New/rn.md b/content/cumulus-netq-45/Whats-New/rn.md index 627d8826d5..e40473b7ef 100644 --- a/content/cumulus-netq-45/Whats-New/rn.md +++ b/content/cumulus-netq-45/Whats-New/rn.md @@ -14,19 +14,19 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3491935](#3491935)
| NetQ might generate continuous TCA events for the NetQ VM squashfs mounts when disk utilization TCA rules are configured for all hosts. | 4.5.0-4.6.0 | 4.7.0| -| [3454057](#3454057)
| When you configure more than one TCA rule referencing the same TCA event type, adding additional TCA rules fails with the following message:
Failed to add/update TCA http status_code: 409
| 4.5.0-4.6.0 | 4.7.0| -| [3448057](#3448057)
| NetQ NTP validations will report time syncronization failures for switches running the NTP service in the default VRF. | 4.5.0-4.6.0 | 4.7.0| -| [3446351](#3446351)
| When you perform an apt upgrade from NetQ 4.5.0 to version 4.6.0, the sudo apt upgrade command fails with the following message:
Setting up shim-signed (1.40.9+15.7-0ubuntu1) ..
mount: /var/lib/grub/esp: special device /dev/vda15 does not exist
dpkg: error processing package shim-signed (--configure):installed shim-signed package post-installation script subprocess returned error exit status 32Errors were encountered while processing:shim-signedE: Sub-process /usr/bin/dpkg returned an error code (1)
To work around this issue, run the sudo apt remove -y shim-signed grub-efi-amd64-bin --allow-remove-essential command and rerun the sudo apt upgrade command. | 4.5.0-4.6.0 | 4.7.0| -| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0| -| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.7.0| -| [3435373](#3435373)
| If your NetQ on-premises VM is not configured with at least 16 vCPUs, upgrades might fail with the following message:
Job upgrade failed or timed out
To work around this issue, reconfigure your VM to use 16 vCPUs before upgrading. | 4.5.0-4.7.0 | | -| [3431386](#3431386)
| When you upgrade your NetQ VM from NetQ 4.5.0 to 4.6.0 using the netq upgrade bundle command, certain pods are not correctly retagged. To work around this issue, retag and restart the affected pods with the following commands for your deployment after upgrading:On-premises VMs:
sudo docker tag localhost:5000/fluend-aggregator-opta:1.14.3 docker-registry:5000/fluend-aggregator-opta:1.14.3sudo docker push docker-registry:5000/fluend-aggregator-opta:1.14.3sudo kubectl get pods -n default\|grep -i fluend-aggregator-opta\|awk '{print $1}'\|xargs kubectl delete pod -n defaultsudo docker tag localhost:5000/cp-schema-registry:7.2.0 docker-registry:5000/cp-schema-registry:7.2.0sudo docker push docker-registry:5000/cp-schema-registry:7.2.0sudo kubectl get pods -n default\|grep -i cp-schema-registry\|awk '{print $1}'\|xargs kubectl delete pod -n defaultsudo docker tag localhost:5000/cp-kafka:7.2.0 docker-registry:5000/cp-kafka:7.2.0sudo docker push docker-registry:5000/cp-kafka:7.2.0sudo kubectl get pods -n default\|grep -i kafka-broker\|awk '{print $1}'\|xargs kubectl delete pod -n default
Cloud VMs:
sudo docker tag localhost:5000/fluend-aggregator-opta:1.14.3 docker-registry:5000/fluend-aggregator-opta:1.14.3sudo docker push docker-registry:5000/fluend-aggregator-opta:1.14.3sudo kubectl get pods -n default\|grep -i fluend-aggregator-opta\|awk '{print $1}'\|xargs kubectl delete pod -n default
| 4.5.0-4.6.0 | 4.7.0| -| [3395385](#3395385)
| When you use NetQ LCM to upgrade a Cumulus Linux switch in an MLAG pair, the upgrade might fail. | 4.4.1-4.5.0 | 4.6.0-4.7.0| -| [3367267](#3367267)
| When you upgrade a switch with NetQ LCM using the root user, the upgrade fails with the following message:
 Destination /home/root does not exist. 
To work around this issue, perform the upgrade using a different user account. | 4.5.0 | 4.6.0-4.7.0| -| [3362224](#3362224)
| When you configure a new access profile with SSH authentication using the CLI, the command fails with the following log message:
Expecting value: line 1 column 1 (char 0) 
To work around this issue, use the NetQ UI to configure the access profile. | 4.5.0 | 4.6.0-4.7.0| -| [3360627](#3360627)
| When the switch RoCE egress pool buffer limit is configured as unlimited, the maximum buffer usage for RoCE counters might display incorrect values in the NetQ UI. | 4.4.1-4.5.0 | 4.6.0-4.7.0| -| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.7.0 | | +| [3491935](#3491935)
| NetQ might generate continuous TCA events for the NetQ VM squashfs mounts when disk utilization TCA rules are configured for all hosts. | 4.5.0-4.6.0 | 4.7.0-4.8.0| +| [3454057](#3454057)
| When you configure more than one TCA rule referencing the same TCA event type, adding additional TCA rules fails with the following message:
Failed to add/update TCA http status_code: 409
| 4.5.0-4.6.0 | 4.7.0-4.8.0| +| [3448057](#3448057)
| NetQ NTP validations will report time syncronization failures for switches running the NTP service in the default VRF. | 4.5.0-4.6.0 | 4.7.0-4.8.0| +| [3446351](#3446351)
| When you perform an apt upgrade from NetQ 4.5.0 to version 4.6.0, the sudo apt upgrade command fails with the following message:
Setting up shim-signed (1.40.9+15.7-0ubuntu1) ..
mount: /var/lib/grub/esp: special device /dev/vda15 does not exist
dpkg: error processing package shim-signed (--configure):installed shim-signed package post-installation script subprocess returned error exit status 32Errors were encountered while processing:shim-signedE: Sub-process /usr/bin/dpkg returned an error code (1)
To work around this issue, run the sudo apt remove -y shim-signed grub-efi-amd64-bin --allow-remove-essential command and rerun the sudo apt upgrade command. | 4.5.0-4.6.0 | 4.7.0-4.8.0| +| [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0-4.8.0| +| [3438973](#3438973)
| When you install NetQ onto your VM, the installation fails with the following messages:
05:57:33.023618: master-node-installer: Installed Debian ...	[ FAILED ]--------------------------------------ERROR: Failed to install the master node
This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. | 4.3.0-4.5.0 | 4.6.0-4.8.0| +| [3435373](#3435373)
| If your NetQ on-premises VM is not configured with at least 16 vCPUs, upgrades might fail with the following message:
Job upgrade failed or timed out
To work around this issue, reconfigure your VM to use 16 vCPUs before upgrading. | 4.5.0-4.8.0 | | +| [3431386](#3431386)
| When you upgrade your NetQ VM from NetQ 4.5.0 to 4.6.0 using the netq upgrade bundle command, certain pods are not correctly retagged. To work around this issue, retag and restart the affected pods with the following commands for your deployment after upgrading:On-premises VMs:
sudo docker tag localhost:5000/fluend-aggregator-opta:1.14.3 docker-registry:5000/fluend-aggregator-opta:1.14.3sudo docker push docker-registry:5000/fluend-aggregator-opta:1.14.3sudo kubectl get pods -n default\|grep -i fluend-aggregator-opta\|awk '{print $1}'\|xargs kubectl delete pod -n defaultsudo docker tag localhost:5000/cp-schema-registry:7.2.0 docker-registry:5000/cp-schema-registry:7.2.0sudo docker push docker-registry:5000/cp-schema-registry:7.2.0sudo kubectl get pods -n default\|grep -i cp-schema-registry\|awk '{print $1}'\|xargs kubectl delete pod -n defaultsudo docker tag localhost:5000/cp-kafka:7.2.0 docker-registry:5000/cp-kafka:7.2.0sudo docker push docker-registry:5000/cp-kafka:7.2.0sudo kubectl get pods -n default\|grep -i kafka-broker\|awk '{print $1}'\|xargs kubectl delete pod -n default
Cloud VMs:
sudo docker tag localhost:5000/fluend-aggregator-opta:1.14.3 docker-registry:5000/fluend-aggregator-opta:1.14.3sudo docker push docker-registry:5000/fluend-aggregator-opta:1.14.3sudo kubectl get pods -n default\|grep -i fluend-aggregator-opta\|awk '{print $1}'\|xargs kubectl delete pod -n default
| 4.5.0-4.6.0 | 4.7.0-4.8.0| +| [3395385](#3395385)
| When you use NetQ LCM to upgrade a Cumulus Linux switch in an MLAG pair, the upgrade might fail. | 4.4.1-4.5.0 | 4.6.0-4.8.0| +| [3367267](#3367267)
| When you upgrade a switch with NetQ LCM using the root user, the upgrade fails with the following message:
 Destination /home/root does not exist. 
To work around this issue, perform the upgrade using a different user account. | 4.5.0 | 4.6.0-4.8.0| +| [3362224](#3362224)
| When you configure a new access profile with SSH authentication using the CLI, the command fails with the following log message:
Expecting value: line 1 column 1 (char 0) 
To work around this issue, use the NetQ UI to configure the access profile. | 4.5.0 | 4.6.0-4.8.0| +| [3360627](#3360627)
| When the switch RoCE egress pool buffer limit is configured as unlimited, the maximum buffer usage for RoCE counters might display incorrect values in the NetQ UI. | 4.4.1-4.5.0 | 4.6.0-4.8.0| +| [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | ### Fixed Issues in 4.5.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-45/rn.xml b/content/cumulus-netq-45/rn.xml index 9aebc5ae4d..28ad4b9ba5 100644 --- a/content/cumulus-netq-45/rn.xml +++ b/content/cumulus-netq-45/rn.xml @@ -10,7 +10,7 @@ 3491935 NetQ might generate continuous TCA events for the NetQ VM squashfs mounts when disk utilization TCA rules are configured for all hosts. 4.5.0-4.6.0 -4.7.0 +4.7.0-4.8.0 3454057 @@ -18,13 +18,13 @@ Failed to add/update TCA http status_code: 409 4.5.0-4.6.0 -4.7.0 +4.7.0-4.8.0 3448057 NetQ NTP validations will report time syncronization failures for switches running the NTP service in the default VRF. 4.5.0-4.6.0 -4.7.0 +4.7.0-4.8.0 3446351 @@ -48,13 +48,13 @@ E: Sub-process /usr/bin/dpkg returned an error code (1) To work around this issue, run the {{sudo apt remove -y shim-signed grub-efi-amd64-bin --allow-remove-essential}} command and rerun the {{sudo apt upgrade}} command. 4.5.0-4.6.0 -4.7.0 +4.7.0-4.8.0 3442456 When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. 4.2.0-4.6.0 -4.7.0 +4.7.0-4.8.0 3438973 @@ -68,7 +68,7 @@ ERROR: Failed to install the master node This is due to an expired key in the installation tarball. For assistance working around this issue, contact NVIDIA support. 4.3.0-4.5.0 -4.6.0-4.7.0 +4.6.0-4.8.0 3435373 @@ -79,7 +79,7 @@ Job upgrade failed or timed out. To work around this issue, reconfigure your VM to use 16 vCPUs before upgrading. -4.5.0-4.7.0 +4.5.0-4.8.0 
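Review bot: "syncronization" in the 3448057 description is misspelled, both in the context line of this file's -18,13 hunk and in the row re-added to Whats-New/rn.md above. It should read "time synchronization failures". The same text appears in rn.md and rn.xml, so if both are generated from one source, fix it there; otherwise the next regeneration brings the typo back.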
@@ -109,19 +109,19 @@ sudo kubectl get pods -n default|grep -i fluend-aggregator-opta|awk '{print $1}' 4.5.0-4.6.0 -4.7.0 +4.7.0-4.8.0 3395385 When you use NetQ LCM to upgrade a Cumulus Linux switch in an MLAG pair, the upgrade might fail. 4.4.1-4.5.0 -4.6.0-4.7.0 +4.6.0-4.8.0 3367267 When you upgrade a switch with NetQ LCM using the {{root}} user, the upgrade fails with the following message: Destination /home/root does not exist. To work around this issue, perform the upgrade using a different user account. 4.5.0 -4.6.0-4.7.0 +4.6.0-4.8.0 3362224 @@ -133,13 +133,13 @@ Expecting value: line 1 column 1 (char 0) To work around this issue, use the NetQ UI to configure the access profile. 4.5.0 -4.6.0-4.7.0 +4.6.0-4.8.0 3360627 When the switch RoCE egress pool buffer limit is configured as unlimited, the maximum buffer usage for RoCE counters might display incorrect values in the NetQ UI. 4.4.1-4.5.0 -4.6.0-4.7.0 +4.6.0-4.8.0 2885312 @@ -151,7 +151,7 @@ To work around this issue, use the NetQ UI to configure the access profile. torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021 torc-21:vx-282 and torc-11:peerlink-3 -4.1.0-4.7.0 +4.1.0-4.8.0 diff --git a/content/cumulus-netq-46/Whats-New/rn.md b/content/cumulus-netq-46/Whats-New/rn.md index 36ce00f53b..44e42c62c8 100644 --- a/content/cumulus-netq-46/Whats-New/rn.md +++ b/content/cumulus-netq-46/Whats-New/rn.md @@ -14,7 +14,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.7.0 | 4.8.0| +| [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.8.0 | | | [3491935](#3491935)
| NetQ might generate continuous TCA events for the NetQ VM squashfs mounts when disk utilization TCA rules are configured for all hosts. | 4.5.0-4.6.0 | 4.7.0-4.8.0| | [3454057](#3454057)
| When you configure more than one TCA rule referencing the same TCA event type, adding additional TCA rules fails with the following message:
Failed to add/update TCA http status_code: 409
| 4.5.0-4.6.0 | 4.7.0-4.8.0| | [3448057](#3448057)
| NetQ NTP validations will report time syncronization failures for switches running the NTP service in the default VRF. | 4.5.0-4.6.0 | 4.7.0-4.8.0| diff --git a/content/cumulus-netq-46/rn.xml b/content/cumulus-netq-46/rn.xml index 849191caed..f053e662a2 100644 --- a/content/cumulus-netq-46/rn.xml +++ b/content/cumulus-netq-46/rn.xml @@ -9,8 +9,8 @@ 3549877 NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. -4.6.0-4.7.0 -4.8.0 +4.6.0-4.8.0 + 3491935 diff --git a/content/cumulus-netq-47/Whats-New/rn.md b/content/cumulus-netq-47/Whats-New/rn.md index a4d234638f..e4ff3d3dc3 100644 --- a/content/cumulus-netq-47/Whats-New/rn.md +++ b/content/cumulus-netq-47/Whats-New/rn.md @@ -19,7 +19,7 @@ pdfhidden: True | [3575935](#3575935)
| When you upgrade to NetQ 4.7.0, configured premises names might get reset to the default name OPID0. | 4.7.0 | 4.8.0| | [3575934](#3575934)
| When you upgrade to NetQ 4.7.0, the password for the admin user is reset to the default password. | 4.7.0 | 4.8.0| | [3555031](#3555031)
| NetQ incorrectly reports a low health SSD event on SN5600 switches. To work around this issue, configure an event suppression rule for ssdutil messages from SN5600 switches in your network. | 4.7.0 | 4.8.0| -| [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.7.0 | 4.8.0| +| [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.8.0 | | | [3530739](#3530739)
| Queue histogram data received from switches might encounter a delay before appearing in the NetQ UI. | 4.7.0 | 4.8.0| | [3435373](#3435373)
| If your NetQ on-premises VM is not configured with at least 16 vCPUs, upgrades might fail with the following message:
Job upgrade failed or timed out
To work around this issue, reconfigure your VM to use 16 vCPUs before upgrading. | 4.5.0-4.8.0 | | | [3429528](#3429528)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | | diff --git a/content/cumulus-netq-47/rn.xml b/content/cumulus-netq-47/rn.xml index b3f64bf0fb..3331476321 100644 --- a/content/cumulus-netq-47/rn.xml +++ b/content/cumulus-netq-47/rn.xml @@ -64,8 +64,8 @@ worker2 Ready,SchedulingDisabled <none> 18d v1.27.2 3549877 NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. -4.6.0-4.7.0 -4.8.0 +4.6.0-4.8.0 + 3530739 diff --git a/content/cumulus-netq-48/rn.xml b/content/cumulus-netq-48/rn.xml index 50fca4dfea..a15fdd755a 100644 --- a/content/cumulus-netq-48/rn.xml +++ b/content/cumulus-netq-48/rn.xml 
@@ -50,6 +50,34 @@ worker2 Ready,SchedulingDisabled <none> 18d v1.27.2 +3638703 +Upgrading to NetQ 4.8.0 might fail with the message {{Error: web socket connection broken to master}}. To work around this problem: + +For standalone on-premises deployments: + +1. Run the {{sudo netq bootstrap reset keep-db purge-images}} command + +2. Run the install command using the NetQ 4.8.0 tarball: {{sudo netq install standalone full interface <interface-name> bundle /mnt/installables/NetQ-4.8.0.tgz}} + +For cluster on-premises deployments: + +1. Run the {{sudo netq bootstrap reset keep-db purge-images}} command + +2. Run the {{sudo netq install cluster master-init}} command + +3. Take the command output from step 2 and run it on each worker node + +4. Run the install command using the NetQ 4.8.0 tarball: {{sudo netq install cluster full interface <interface-name> bundle /mnt/installables/NetQ-4.8.0.tgz workers <worker-1-ip> <worker-2-ip>}} +4.8.0 + + + +3634648 +The topology graph might show unexpected connections when devices in the topology do not have LLDP adjacencies. +4.8.0 + + + 3633458 The legacy topology diagram might categorize devices into tiers incorrectly. To work around this issue, use the updated topology diagram by selecting Topology Beta in the NetQ 4.8.0 UI. 4.7.0-4.8.0 @@ -77,6 +105,12 @@ sudo kubectl set image deployment/netq-prom-adapter prometheus=docker-registry:5 +3549877 +NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. +4.6.0-4.8.0 + + + 3435373 If your NetQ on-premises VM is not configured with at least 16 vCPUs, upgrades might fail with the following message: 
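Review bot: The cluster workaround for 3638703 (hunk `@@ -50,6 +50,34 @@` of `content/cumulus-netq-48/rn.xml`) never says which node steps 1, 2 and 4 run on. Step 3 is explicit ("run it on each worker node"), but step 1 (`sudo netq bootstrap reset keep-db purge-images`) names no node, so a reader cannot tell whether the reset is needed on the workers as well as on the master. Suggest naming the node in each step, and, because step 1 is a reset, adding one sentence on what `keep-db` preserves and what `purge-images` removes so the operator knows what is discarded before running it. The standalone procedure in the same entry has a single node and reads fine as written.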
@@ -115,11 +149,6 @@ To work around this issue, reconfigure your VM to use 16 vCPUs before upgrading. Affects -3634648 -The topology graph might show unexpected connections when devices in the topology do not have LLDP adjacencies. - - - 3575935 When you upgrade to NetQ 4.7.0, configured premises names might get reset to the default name {{OPID0}}. 4.7.0 @@ -135,11 +164,6 @@ To work around this issue, reconfigure your VM to use 16 vCPUs before upgrading. 4.7.0 -3549877 -NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. -4.6.0-4.7.0 - - 3530739 Queue histogram data received from switches might encounter a delay before appearing in the NetQ UI. 4.7.0 From 72a27bc8e4345ff54246a6a693ad3f6738eeb568 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 10:23:57 -0800 Subject: [PATCH 078/204] trigger build --- build_trigger.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build_trigger.txt b/build_trigger.txt index 2567e86464..a132f34023 100644 --- a/build_trigger.txt +++ b/build_trigger.txt @@ -1 +1 @@ -build.. +build... From dfe0ecb9989cc2b2a41f0a34052c2fae735561b8 Mon Sep 17 00:00:00 2001 
From: rachel-netq Date: Wed, 29 Nov 2023 13:44:40 -0500 Subject: [PATCH 079/204] copyedits --- .../Multi-Chassis-Link-Aggregation-MLAG.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../_index.md | 4 ++-- content/cumulus-linux-40/Layer-3/Routing.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../_index.md | 4 ++-- .../Inter-subnet-Routing.md | 2 +- content/cumulus-linux-41/Layer-3/Routing.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../_index.md | 4 ++-- .../Inter-subnet-Routing.md | 2 +- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Routing/Supported-Route-Table-Entries.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Inter-subnet-Routing.md | 2 +- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Routing/Supported-Route-Table-Entries.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Inter-subnet-Routing.md | 2 +- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Virtual-Router-Redundancy-VRR-and-VRRP.md | 4 ++-- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 10 +++++----- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Multi-Chassis-Link-Aggregation-MLAG.md | 4 ++-- 
.../Virtual-Router-Redundancy-VRR-and-VRRP.md | 4 ++-- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 10 +++++----- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Multi-Chassis-Link-Aggregation-MLAG.md | 4 ++-- .../Virtual-Router-Redundancy-VRR-and-VRRP.md | 4 ++-- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 16 +++++++-------- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Quality-of-Service/_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Multi-Chassis-Link-Aggregation-MLAG.md | 4 ++-- .../Virtual-Router-Redundancy-VRR-and-VRRP.md | 4 ++-- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 14 ++++++------- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Layer-2/Link-Layer-Discovery-Protocol.md | 2 +- .../Multi-Chassis-Link-Aggregation-MLAG.md | 4 ++-- .../Virtual-Router-Redundancy-VRR-and-VRRP.md | 4 ++-- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 16 +++++++-------- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Layer-2/Link-Layer-Discovery-Protocol.md | 2 +- .../Multi-Chassis-Link-Aggregation-MLAG.md | 4 ++-- .../Virtual-Router-Redundancy-VRR-and-VRRP.md | 4 ++-- 
.../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 20 +++++++++---------- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Layer-2/Link-Layer-Discovery-Protocol.md | 2 +- .../Multi-Chassis-Link-Aggregation-MLAG.md | 4 ++-- .../Layer-2/Virtual-Router-Redundancy-VRR.md | 4 ++-- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 20 +++++++++---------- .../Installing-a-New-Cumulus-Linux-Image.md | 2 +- .../DHCP/DHCP-Relays.md | 2 +- .../Switch-Port-Attributes.md | 2 +- .../_index.md | 2 +- .../Layer-2/IGMP-and-MLD-Snooping.md | 2 +- .../Layer-2/Link-Layer-Discovery-Protocol.md | 2 +- .../Multi-Chassis-Link-Aggregation-MLAG.md | 4 ++-- .../Layer-2/Virtual-Router-Redundancy-VRR.md | 4 ++-- .../Optional-BGP-Configuration.md | 2 +- .../FRRouting-Log-Message-Reference.md | 20 +++++++++---------- .../Precision Time Protocol-PTP.md | 20 +++++++++---------- .../Monitor-Events/Events-Reference.md | 2 +- .../Monitor-Events/Events-Reference.md | 2 +- .../Monitor-Events/Events-Reference.md | 2 +- .../Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../More-Documents/NVLink4-Domains.md | 4 ++-- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../System-Events-Reference.md | 2 +- .../Cumulus-Linux-Command-Reference-Guide.md | 2 +- 128 files changed, 328 insertions(+), 328 deletions(-) 
diff --git a/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md b/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md index c5083b59be..a8524e7531 100644 --- a/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md +++ b/content/cumulus-linux-37/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md @@ -1008,7 +1008,7 @@ Peer priority and id: 32768 44:38:39:00:00:12; Peer role: secondary ``` {{%notice note%}} -The MLAG healthCheck module listens on UDP port 5342. If you have not configured a backup VRF, the module listens on all VRFs, which is normal UDP socket behaviour. Make sure to configure a backup link and backup VRF so that the MLAG healtcheck module only listens on the backup VRF. +The MLAG healthCheck module listens on UDP port 5342. If you have not configured a backup VRF, the module listens on all VRFs, which is normal UDP socket behavior. Make sure to configure a backup link and backup VRF so that the MLAG healthcheck module only listens on the backup VRF. {{%/notice%}} **Comparing VRF and Management VRF Configurations** diff --git a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index 2c014a67af..75fb23cc55 100644 --- a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -14,13 +14,13 @@ by FRRouting. These messages appear in `/var/log/frr/frr.log`. | Babel | HIGH | 16777218 | BABEL Packet Error | Babel has detected a packet encode/decode problem. | Collect the relevant log files and report the issue for troubleshooting. | | Babel | HIGH | 16777219 | BABEL Configuration Error | Babel has detected a configuration error of some sort. | Ensure that the configuration is correct. | | Babel | HIGH | 16777220 | BABEL Route Error | Babel has detected a routing error and is in an inconsistent state. | Gather data to report the issue for troubleshooting. Restart FRR. | -| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the soure of the attribute and determine why the attribute flag has been set incorrectly. | -| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the soure of the attribute and determine why the attribute length has been set incorrectly. | -| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the soure of the attribute and determine why the origin attribute has been set incorrectly. | -| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the soure of the update and determine why the AS path has been set incorrectly. | -| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the soure of the update and determine why the AS path first AS value has been set incorrectly. | -| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute type has been set incorrectly. | -| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. 
| Determine the soure of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | +| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the source of the attribute and determine why the attribute flag has been set incorrectly. | +| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the source of the attribute and determine why the attribute length has been set incorrectly. | +| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the source of the attribute and determine why the origin attribute has been set incorrectly. | +| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the source of the update and determine why the AS path has been set incorrectly. | +| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the source of the update and determine why the AS path first AS value has been set incorrectly. | +| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute type has been set incorrectly. | +| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | | BGP | HIGH | 33554442 | BGP peergroup operated on in error | BGP operating on peer-group instead of peers included. | Ensure the configuration doesn't contain peer-groups contained within peer-groups. | | BGP | HIGH | 33554443 | BGP failed to delete peer structure | BGP was unable to delete the peer structure when the address-family was removed. 
| Determine if all expected peers are removed and restart FRR if not. This is most likely a bug. | | BGP | HIGH | 33554444 | BGP failed to get table chunk memory | BGP unable to get chunk memory for table manager. | Ensure there is adequate memory on the device to support the table requirements. | 
@@ -39,8 +39,8 @@ by FRRouting. These messages appear in `/var/log/frr/frr.log`. | BGP | HIGH | 33554457 | BGP error receiving keepalive packet | BGP unable to process a keepalive packet. | BGP keepalive received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554458 | BGP error receiving route refresh message | BGP unable to process route refresh message. | BGP route refresh received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554459 | BGP error capability message | BGP unable to process received capability. | BGP capability message received while in a stopped state. If the problem persists, report it for troubleshooting. | -| BGP | HIGH | 33554460 | BGP error with nexthopo update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | -| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | +| BGP | HIGH | 33554460 | BGP error with nexthop update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | +| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554462 | Multipath specified is invalid | BGP was started with an invalid ECMP/multipath value. | Correct the ECMP/multipath value supplied when starting the BGP daemon. | | BGP | HIGH | 33554463 | Failure to process a packet | BGP attempted to process a received packet but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. 
| | BGP | HIGH | 33554464 | Failure to connect to peer | BGP attempted to send open to a peer but couldn't connect. | This is most likely a bug. If the problem persists, report it for troubleshooting. | 
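Review bot: Confirm that FRR actually logs `BGP error with nexthop update` before correcting the title for 33554460 in this hunk. The table's introduction says these messages appear in `/var/log/frr/frr.log`, so the title column is a string operators search for and that log-matching rules key on. If the daemon emits the misspelled `nexthopo`, the corrected row no longer matches the log. In that case keep the title verbatim and limit the copyedit to the description and action columns (the `attempted to attempted` fix on 33554461 is in the description and is fine). The diffstat lists the same 20-line change for every `FRRouting-Log-Message-Reference.md` copy, so whichever way this is decided should be applied to all of them.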
@@ -63,7 +63,7 @@ by FRRouting. These messages appear in `/var/log/frr/frr.log`. | EIGRP | HIGH | 50331650 | EIGRP Configuration Error | EIGRP has detected a configuration error. | Correct the configuration issue. If it still persists, report the issue for troubleshooting. | | General | HIGH | 100663297 | Failure to raise or lower privileges | FRR attempted to raise or lower its privileges and was unable to do so. | Ensure that you are running FRR as the frr user and that the user has sufficient privileges to properly access root privileges. | | General | HIGH | 100663298 | VRF Failure on Start | Upon startup, FRR failed to properly initialize and start up the VRF subsystem. | Ensure that there is sufficient memory to start processes, then restart FRR. | -| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occured and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permisions to work. | +| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occurred and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permissions to work. | | General | HIGH | 100663303 | System Call Error | FRR has detected an error from using a vital system call and has probably already exited. | Ensure permissions are correct for FRR users and groups. Additionally, check that sufficient system resources are available. | | General | HIGH | 100663304 | VTY Subsystem Error | FRR has detected a problem with the specified configuration file. | Ensure the configuration file exists and has the correct permissions for operations. Additionally, ensure that all config lines are correct as well. | | General | HIGH | 100663305 | SNMP Subsystem Error | FRR has detected a problem with the SNMP library it uses. 
A callback from this subsystem has indicated some error. | Examine the callback message and ensure SNMP is properly set up and working. | diff --git a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md index cae743ada8..dac9edcf63 100644 --- a/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md +++ b/content/cumulus-linux-37/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/_index.md @@ -1080,7 +1080,7 @@ way: OPTIONS - There are various options to control the behaviour of the monitored expression. These include: + There are various options to control the behavior of the monitored expression. These include: -D indicates that the expression should be evaluated using delta differences between sample values (rather than the values themselves). -d OID or -di OID @@ -1109,7 +1109,7 @@ way: -S indicates that the monitor expression should not be evaluated when the agent first starts up. The first evaluation will be done once the first repeat interval has expired. -s indicates that the monitor expression should be evaluated when the agent first starts up. - This is the default behaviour. + This is the default behavior. Note: Notifications triggered by this initial evaluation will be sent before the coldStart trap. -u SECNAME specifies a security name to use for scanning the local host, instead of the default diff --git a/content/cumulus-linux-40/Layer-3/Routing.md b/content/cumulus-linux-40/Layer-3/Routing.md index dcc50c58cd..a7b6a9c726 100644 --- a/content/cumulus-linux-40/Layer-3/Routing.md +++ b/content/cumulus-linux-40/Layer-3/Routing.md 
@@ -468,7 +468,7 @@ When {{}} ``` -cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr adress 10.1.10.1/24 -cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr adress 10.1.11.1/24 +cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr address 10.1.10.1/24 +cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr address 10.1.11.1/24 cumulus@switch:mgmt:~$ nv config apply ``` diff --git a/content/cumulus-linux-50/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-50/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md index d5cee2e518..6829f92a33 100644 --- a/content/cumulus-linux-50/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md +++ b/content/cumulus-linux-50/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md @@ -944,7 +944,7 @@ BGP add-path RX enables BGP to receive multiple paths for the same prefix. A pat To view the existing capabilities, run the vtysh `show ip bgp neighbors` command. You can see the existing capabilities in the subsection *Add Path*, below *Neighbor capabilities.* -The following example output shows that BGP can sent and receive additional BGP paths, and that the BGP neighbor on swp51 supports both. +The following example output shows that BGP can send and receive additional BGP paths, and that the BGP neighbor on swp51 supports both. ``` cumulus@leaf01:~$ sudo vtysh diff --git a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index 8102a9ced5..a56ab4dd11 100644 --- a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -13,13 +13,13 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | Babel | HIGH | 16777218 | BABEL Packet Error | Babel has detected a packet encode/decode problem. | Collect the relevant log files and report the issue for troubleshooting.| | Babel | HIGH | 16777219 | BABEL Configuration Error | Babel has detected a configuration error of some sort. | Ensure that the configuration is correct. | | Babel | HIGH | 16777220 | BABEL Route Error | Babel has detected a routing error and is in an inconsistent state. | Gather data to report the issue for troubleshooting. Restart FRR. | -| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the soure of the attribute and determine why the attribute flag has been set incorrectly. | -| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the soure of the attribute and determine why the attribute length has been set incorrectly. | -| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the soure of the attribute and determine why the origin attribute has been set incorrectly. | -| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the soure of the update and determine why the AS path has been set incorrectly. | -| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the soure of the update and determine why the AS path first AS value has been set incorrectly. | -| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute type has been set incorrectly. 
| -| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | +| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the source of the attribute and determine why the attribute flag has been set incorrectly. | +| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the source of the attribute and determine why the attribute length has been set incorrectly. | +| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the source of the attribute and determine why the origin attribute has been set incorrectly. | +| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the source of the update and determine why the AS path has been set incorrectly. | +| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the source of the update and determine why the AS path first AS value has been set incorrectly. | +| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute type has been set incorrectly. | +| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | | BGP | HIGH | 33554442 | BGP peergroup operated on in error | BGP operating on peer-group instead of peers included. | Ensure the configuration doesn't contain peer-groups contained within peer-groups. 
| | BGP | HIGH | 33554443 | BGP failed to delete peer structure | BGP was unable to delete the peer structure when the address-family was removed. | Determine if all expected peers are removed and restart FRR if not. This is most likely a bug. | | BGP | HIGH | 33554444 | BGP failed to get table chunk memory | BGP unable to get chunk memory for table manager. | Ensure there is adequate memory on the device to support the table requirements. | 
@@ -38,8 +38,8 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | BGP | HIGH | 33554457 | BGP error receiving keepalive packet | BGP unable to process a keepalive packet. | BGP keepalive received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554458 | BGP error receiving route refresh message | BGP unable to process route refresh message. | BGP route refresh received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554459 | BGP error capability message | BGP unable to process received capability. | BGP capability message received while in a stopped state. If the problem persists, report it for troubleshooting. | -| BGP | HIGH | 33554460 | BGP error with nexthopo update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | -| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | +| BGP | HIGH | 33554460 | BGP error with nexthop update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | +| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554462 | Multipath specified is invalid | BGP was started with an invalid ECMP/multipath value. | Correct the ECMP/multipath value supplied when starting the BGP daemon. | | BGP | HIGH | 33554463 | Failure to process a packet | BGP attempted to process a received packet but could not do so. | This is most likely a bug. 
If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554464 | Failure to connect to peer | BGP attempted to send open to a peer but couldn't connect. | This is most likely a bug. If the problem persists, report it for troubleshooting. | 
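Review bot: In the 33554460 row, confirm that the message column is not meant to reproduce the string FRR actually logs before changing `nexthopo` to `nexthop`. The table is introduced as the ERROR log messages generated by FRR, so an operator matching a log line against this reference needs the text as emitted. If the daemon prints `nexthopo`, keep that column verbatim and limit corrections to the description cell, as the 33554461 row does with "attempted to attempted". The same two rows are changed again in the cumulus-linux-51 copy of this file.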
@@ -62,7 +62,7 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | EIGRP | HIGH | 50331650 | EIGRP Configuration Error | EIGRP has detected a configuration error.| Correct the configuration issue. If it still persists, report the issue for troubleshooting.| | General | HIGH | 100663297 | Failure to raise or lower privileges | FRR attempted to raise or lower its privileges and was unable to do so. | Ensure that you are running FRR as the frr user and that the user has sufficient privileges to properly access root privileges. | | General | HIGH | 100663298 | VRF Failure on Start | Upon startup, FRR failed to properly initialize and start up the VRF subsystem. | Ensure that there is sufficient memory to start processes, then restart FRR. | -| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occured and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permisions to work. | +| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occurred and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permissions to work. | | General | HIGH | 100663303 | System Call Error | FRR has detected an error from using a vital system call and has probably already exited. | Ensure permissions are correct for FRR users and groups. Additionally, check that sufficient system resources are available. | | General | HIGH | 100663304 | VTY Subsystem Error | FRR has detected a problem with the specified configuration file. | Ensure the configuration file exists and has the correct permissions for operations. Additionally, ensure that all config lines are correct as well. 
| | General | HIGH | 100663305 | SNMP Subsystem Error | FRR has detected a problem with the SNMP library it uses. A callback from this subsystem has indicated some error. | Examine the callback message and ensure SNMP is properly set up and working. | diff --git a/content/cumulus-linux-50/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-50/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index bb9bd87c18..a82d814372 100644 --- a/content/cumulus-linux-50/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-50/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -206,7 +206,7 @@ delay_mechanism E2E network_transport UDPv4 ``` -For a trunk port, add the VLAN configuration to the switch port stanza: set `l2_mode` to `trunk`, `vlan_intf` to the VLAN interface, and `src_ip` to match the IP adress of the VLAN interface: +For a trunk port, add the VLAN configuration to the switch port stanza: set `l2_mode` to `trunk`, `vlan_intf` to the VLAN interface, and `src_ip` to match the IP address of the VLAN interface: ``` [swp1] @@ -223,7 +223,7 @@ delay_mechanism E2E network_transport RAWUDPv4 ``` -For an access port, add the VLAN configuration to the switch port stanza: set `l2_mode` to `access`, `vlan_intf` to the VLAN interface, and `src_ip` to match the IP adress of the VLAN interface: +For an access port, add the VLAN configuration to the switch port stanza: set `l2_mode` to `access`, `vlan_intf` to the VLAN interface, and `src_ip` to match the IP address of the VLAN interface: ``` [swp2] 
@@ -1116,9 +1116,9 @@ The following example shows that there are no violations: cumulus@switch:~$ nv show service ptp 1 monitor violations operational applied description ---------------- ----------- ------- ----------------------------------------------- -last-max-offset Time at which last max offest violation occured -last-min-offset Time at which last min offest violation occured -last-path-delay Time at which last path delay violation occured +last-max-offset Time at which last max offest violation occurred +last-min-offset Time at which last min offest violation occurred +last-path-delay Time at which last path delay violation occurred max-offset-count 0 Number of maximum offset violations min-offset-count 0 Number of min offset violations path-delay-count 0 Number of Path delay violations diff --git a/content/cumulus-linux-51/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md b/content/cumulus-linux-51/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md index a3c23daa98..1acb19595c 100644 --- a/content/cumulus-linux-51/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md +++ b/content/cumulus-linux-51/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md 
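Review bot: The three changed description lines in the `nv show service ptp 1 monitor violations` output still read "offest" after this fix, so the lines are touched without being made correct. This text sits in a block presented as command output. Either correct `offest` to `offset` in the same change or, if the page is meant to show what the switch prints, leave `occured` as it was and fix the string in the CLI first. The cumulus-linux-51 copy of the page carries the same three lines.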
@@ -323,7 +323,7 @@ You can run several installer command line options from ONIE to perform basic sw - Execute a ZTP script to perform necessary configuration {{%notice note%}} -The `onie-nos-install` command does *not* allow you specify command line parameters. You must access the switch from the console and transfer a disk image to the switch. You must then make the disk image executable and install the image directly from the ONIE command line with the options you want to use. +The `onie-nos-install` command does *not* allow you to specify command line parameters. You must access the switch from the console and transfer a disk image to the switch. You must then make the disk image executable and install the image directly from the ONIE command line with the options you want to use. The following example commands transfer a disk image to the switch, make the image executable, and install the image with the `--password` option to change the default cumulus user password: diff --git a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md index 99d6dc9d0a..26fa012253 100644 --- a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md +++ b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md @@ -103,7 +103,7 @@ cumulus@leaf01:~$ nv config apply ## Optional Configuration -This section describes optional DHCP relay configuration. The steps provided in this section assume that you already done basic DHCP relay configuration, described above. +This section describes optional DHCP relay configurations. The steps provided in this section assume that you have already configured basic DHCP relay, as described above. ### DHCP Agent Information Option (Option 82) 
diff --git a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md index bd51daf2e4..d41c0f3a5a 100644 --- a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md +++ b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md @@ -1066,7 +1066,7 @@ SN4600 64xQSFP56 (200GbE) interfaces support both PAM4 and NRZ encodings with al For lower speeds, PAM4 is automatically converted to NRZ encoding. -Only 32xQSFP56 ports can brea kout into 4xSFP56 (4x50GbE). But, in this case, the adjacent QSFP56 port are blocked (only the first and third or the second and fourth rows can break out into 4xSFP56). +Only 32xQSFP56 ports can break out into 4xSFP56 (4x50GbE). But, in this case, the adjacent QSFP56 port are blocked (only the first and third or the second and fourth rows can break out into 4xSFP56). All 64xQSFP56 ports can break out into 2xQSFP56 (2x100GbE) without blocking ports. diff --git a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md index 80a25483e3..18d5d4387e 100644 --- a/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md +++ b/content/cumulus-linux-51/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md 
@@ -412,7 +412,7 @@ If you specify a subinterface, such as swp1.100, then run `ifup swp1.100`, Cumul You can specify both IPv4 and IPv6 addresses for the same interface. For IPv6 addresses: -- You can create or modify the IP address for an interface using either `::` or `0:0:0` notation. For example,both 2620:149:43:c109:0:0:0:5 and 2001:DB8::1/126 are valid. +- You can create or modify the IP address for an interface using either `::` or `0:0:0` notation. For example, both 2620:149:43:c109:0:0:0:5 and 2001:DB8::1/126 are valid. - Cumulus Linux assigns the IPv6 address with all zeroes in the interface identifier (2001:DB8::/126) for each subnet; connected hosts cannot use this address. The following example commands configure three IP addresses for swp1; two IPv4 addresses and one IPv6 address. diff --git a/content/cumulus-linux-51/Layer-2/IGMP-and-MLD-Snooping.md b/content/cumulus-linux-51/Layer-2/IGMP-and-MLD-Snooping.md index ae1c27c772..b9776badea 100644 --- a/content/cumulus-linux-51/Layer-2/IGMP-and-MLD-Snooping.md +++ b/content/cumulus-linux-51/Layer-2/IGMP-and-MLD-Snooping.md @@ -85,7 +85,7 @@ cumulus@switch:~$ sudo ifreload -a ## Optimized Multicast Flooding (OMF) -IGMP snooping restricts multicast forwarding only to the ports that receive IGMP report messages. If the ports do not receive IGMP reports, multicast traffic floods to all ports in the bridge domain (also know as unregistered multicast (URMC) traffic). To restrict this flooding to only mrouter ports, you can enable OMF. +IGMP snooping restricts multicast forwarding only to the ports that receive IGMP report messages. If the ports do not receive IGMP reports, multicast traffic floods to all ports in the bridge domain (also known as unregistered multicast (URMC) traffic). To restrict this flooding to only mrouter ports, you can enable OMF. To enable OMF: 
diff --git a/content/cumulus-linux-51/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md b/content/cumulus-linux-51/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md index 84e9fe2727..045c633d05 100644 --- a/content/cumulus-linux-51/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md +++ b/content/cumulus-linux-51/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md @@ -832,7 +832,7 @@ The following table shows the conflict types and actions that Cumulus Linux take | LACP partner MAC address | Interface | Protodown the MLAG bonds on the MLAG switch if there is an LACP partner MAC address mismatch or if there is a duplicate LACP partner MAC address. | | MLAG VLANs| Interface | Suspend the inconsistent VLANs on either MLAG peer if the VLANs are not part of the peer link or if there is mismatch of VLANs configured on the MLAG bonds between the MLAG peers. | | Peer link VLANs| Global | Suspend the inconsistent VLANs on either MLAG peer on all the dual-connected MLAG bonds and VXLAN interfaces. | -| MLAG protocol version | Global | The consistency check records an MLAG protocol version mismatch between the MLAG peers. Cumulus Linux does not take any distruptive action. | +| MLAG protocol version | Global | The consistency check records an MLAG protocol version mismatch between the MLAG peers. Cumulus Linux does not take any disruptive action. | | MLAG package version | Global| The consistency check records an MLAG package version mismatch between the MLAG peers. Cumulus Linux does not take any disruptive action.| You can also manually check for MLAG inconsistencies with the following commands: 
@@ -996,7 +996,7 @@ bridge-learning yes yes - {{< /tab >}} {{< /tabs >}} -The actions that Cumulus Linux takes when there is a conflict are distruptive. If you prefer, you can configure the switch to not take any action when there is a conflict. Edit the `/etc/network/interfaces` file to add the `clagd-args --gracefulConsistencyCheck FALSE` parameter in the peer link stanza. +The actions that Cumulus Linux takes when there is a conflict are disruptive. If you prefer, you can configure the switch to not take any action when there is a conflict. Edit the `/etc/network/interfaces` file to add the `clagd-args --gracefulConsistencyCheck FALSE` parameter in the peer link stanza. ``` cumulus@leaf01:~$ sudo nano /etc/network/interfaces diff --git a/content/cumulus-linux-51/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md b/content/cumulus-linux-51/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md index b941a5612f..65397eafa0 100644 --- a/content/cumulus-linux-51/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md +++ b/content/cumulus-linux-51/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md @@ -164,8 +164,8 @@ The following example commands configure both 10.1.10.1/24 and 10.1.11.1/24 on V {{< tab "NVUE Commands ">}} ``` -cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr adress 10.1.10.1/24 -cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr adress 10.1.11.1/24 +cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr address 10.1.10.1/24 +cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr address 10.1.11.1/24 cumulus@switch:mgmt:~$ nv config apply ``` diff --git a/content/cumulus-linux-51/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-51/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md index 2e4971ef31..8168473201 100644 --- a/content/cumulus-linux-51/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md 
+++ b/content/cumulus-linux-51/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md @@ -944,7 +944,7 @@ BGP add-path RX enables BGP to receive multiple paths for the same prefix. A pat To view the existing capabilities, run the vtysh `show ip bgp neighbors` command. You can see the existing capabilities in the subsection *Add Path*, below *Neighbor capabilities.* -The following example output shows that BGP can sent and receive additional BGP paths, and that the BGP neighbor on swp51 supports both. +The following example output shows that BGP can send and receive additional BGP paths, and that the BGP neighbor on swp51 supports both. ``` cumulus@leaf01:~$ sudo vtysh diff --git a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index 8102a9ced5..a56ab4dd11 100644 --- a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -13,13 +13,13 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | Babel | HIGH | 16777218 | BABEL Packet Error | Babel has detected a packet encode/decode problem. | Collect the relevant log files and report the issue for troubleshooting.| | Babel | HIGH | 16777219 | BABEL Configuration Error | Babel has detected a configuration error of some sort. | Ensure that the configuration is correct. | | Babel | HIGH | 16777220 | BABEL Route Error | Babel has detected a routing error and is in an inconsistent state. | Gather data to report the issue for troubleshooting. Restart FRR. | -| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the soure of the attribute and determine why the attribute flag has been set incorrectly. | -| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the soure of the attribute and determine why the attribute length has been set incorrectly. | -| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the soure of the attribute and determine why the origin attribute has been set incorrectly. | -| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the soure of the update and determine why the AS path has been set incorrectly. | -| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the soure of the update and determine why the AS path first AS value has been set incorrectly. | -| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute type has been set incorrectly. 
| -| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | +| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the source of the attribute and determine why the attribute flag has been set incorrectly. | +| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the source of the attribute and determine why the attribute length has been set incorrectly. | +| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the source of the attribute and determine why the origin attribute has been set incorrectly. | +| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the source of the update and determine why the AS path has been set incorrectly. | +| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the source of the update and determine why the AS path first AS value has been set incorrectly. | +| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute type has been set incorrectly. | +| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | | BGP | HIGH | 33554442 | BGP peergroup operated on in error | BGP operating on peer-group instead of peers included. | Ensure the configuration doesn't contain peer-groups contained within peer-groups. 
| | BGP | HIGH | 33554443 | BGP failed to delete peer structure | BGP was unable to delete the peer structure when the address-family was removed. | Determine if all expected peers are removed and restart FRR if not. This is most likely a bug. | | BGP | HIGH | 33554444 | BGP failed to get table chunk memory | BGP unable to get chunk memory for table manager. | Ensure there is adequate memory on the device to support the table requirements. | 
@@ -38,8 +38,8 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | BGP | HIGH | 33554457 | BGP error receiving keepalive packet | BGP unable to process a keepalive packet. | BGP keepalive received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554458 | BGP error receiving route refresh message | BGP unable to process route refresh message. | BGP route refresh received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554459 | BGP error capability message | BGP unable to process received capability. | BGP capability message received while in a stopped state. If the problem persists, report it for troubleshooting. | -| BGP | HIGH | 33554460 | BGP error with nexthopo update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | -| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | +| BGP | HIGH | 33554460 | BGP error with nexthop update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | +| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554462 | Multipath specified is invalid | BGP was started with an invalid ECMP/multipath value. | Correct the ECMP/multipath value supplied when starting the BGP daemon. | | BGP | HIGH | 33554463 | Failure to process a packet | BGP attempted to process a received packet but could not do so. | This is most likely a bug. 
If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554464 | Failure to connect to peer | BGP attempted to send open to a peer but couldn't connect. | This is most likely a bug. If the problem persists, report it for troubleshooting. | 
@@ -62,7 +62,7 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | EIGRP | HIGH | 50331650 | EIGRP Configuration Error | EIGRP has detected a configuration error.| Correct the configuration issue. If it still persists, report the issue for troubleshooting.| | General | HIGH | 100663297 | Failure to raise or lower privileges | FRR attempted to raise or lower its privileges and was unable to do so. | Ensure that you are running FRR as the frr user and that the user has sufficient privileges to properly access root privileges. | | General | HIGH | 100663298 | VRF Failure on Start | Upon startup, FRR failed to properly initialize and start up the VRF subsystem. | Ensure that there is sufficient memory to start processes, then restart FRR. | -| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occured and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permisions to work. | +| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occurred and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permissions to work. | | General | HIGH | 100663303 | System Call Error | FRR has detected an error from using a vital system call and has probably already exited. | Ensure permissions are correct for FRR users and groups. Additionally, check that sufficient system resources are available. | | General | HIGH | 100663304 | VTY Subsystem Error | FRR has detected a problem with the specified configuration file. | Ensure the configuration file exists and has the correct permissions for operations. Additionally, ensure that all config lines are correct as well. 
| | General | HIGH | 100663305 | SNMP Subsystem Error | FRR has detected a problem with the SNMP library it uses. A callback from this subsystem has indicated some error. | Examine the callback message and ensure SNMP is properly set up and working. | diff --git a/content/cumulus-linux-51/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-51/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 73c0548539..c354b90666 100644 --- a/content/cumulus-linux-51/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-51/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -202,7 +202,7 @@ delay_mechanism E2E network_transport UDPv4 ``` -For a trunk VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `trunk`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP adress of the VLAN interface: +For a trunk VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `trunk`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP address of the VLAN interface: ``` [swp1] @@ -220,7 +220,7 @@ network_transport UDPv4 For a switch VLAN, add ``` -For a switch port VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `access`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP adress of the VLAN interface: +For a switch port VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `access`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP address of the VLAN interface: ``` [swp2] 
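Review bot: The leading context of the `@@ -220,7 +220,7 @@` hunk shows a stray fragment, "For a switch VLAN, add", directly before a closing code fence and just above the sentence being corrected. It looks like a truncated earlier draft of the "For a switch port VLAN, add the VLAN configuration ..." sentence left inside the preceding example block. Remove it in this cleanup so the configuration example does not render with a half sentence in it.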
@@ -1168,9 +1168,9 @@ The following example shows that there are no violations: cumulus@switch:~$ nv show service ptp 1 monitor violations operational applied description ---------------- ----------- ------- ----------------------------------------------- -last-max-offset Time at which last max offest violation occured -last-min-offset Time at which last min offest violation occured -last-path-delay Time at which last path delay violation occured +last-max-offset Time at which last max offest violation occurred +last-min-offset Time at which last min offest violation occurred +last-path-delay Time at which last path delay violation occurred max-offset-count 0 Number of maximum offset violations min-offset-count 0 Number of min offset violations path-delay-count 0 Number of Path delay violations diff --git a/content/cumulus-linux-52/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md b/content/cumulus-linux-52/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md index a3c23daa98..1acb19595c 100644 --- a/content/cumulus-linux-52/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md +++ b/content/cumulus-linux-52/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md 
@@ -323,7 +323,7 @@ You can run several installer command line options from ONIE to perform basic sw - Execute a ZTP script to perform necessary configuration {{%notice note%}} -The `onie-nos-install` command does *not* allow you specify command line parameters. You must access the switch from the console and transfer a disk image to the switch. You must then make the disk image executable and install the image directly from the ONIE command line with the options you want to use. +The `onie-nos-install` command does *not* allow you to specify command line parameters. You must access the switch from the console and transfer a disk image to the switch. You must then make the disk image executable and install the image directly from the ONIE command line with the options you want to use. The following example commands transfer a disk image to the switch, make the image executable, and install the image with the `--password` option to change the default cumulus user password: diff --git a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md index 994e48072e..301dff91d4 100644 --- a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md +++ b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md @@ -103,7 +103,7 @@ cumulus@leaf01:~$ nv config apply ## Optional Configuration -This section describes optional DHCP relay configuration. The steps provided in this section assume that you already done basic DHCP relay configuration, described above. +This section describes optional DHCP relay configurations. The steps provided in this section assume that you have already configured basic DHCP relay, as described above. ### DHCP Agent Information Option (Option 82) 
diff --git a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md index ffba3b2125..e26683de5b 100644 --- a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md +++ b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md @@ -1066,7 +1066,7 @@ SN4600 64xQSFP56 (200GbE) interfaces support both PAM4 and NRZ encodings with al For lower speeds, PAM4 is automatically converted to NRZ encoding. -Only 32xQSFP56 ports can brea kout into 4xSFP56 (4x50GbE). But, in this case, the adjacent QSFP56 port are blocked (only the first and third or second and fourth rows can break out into 4xSFP56). +Only 32xQSFP56 ports can break out into 4xSFP56 (4x50GbE). But, in this case, the adjacent QSFP56 port are blocked (only the first and third or second and fourth rows can break out into 4xSFP56). All 64xQSFP56 ports can break out into 2xQSFP56 (2x100GbE) without blocking ports. diff --git a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md index 70231eb3b8..95c53870e3 100644 --- a/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md +++ b/content/cumulus-linux-52/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md 
@@ -412,7 +412,7 @@ If you specify a subinterface, such as swp1.100, then run `ifup swp1.100`, Cumul You can specify both IPv4 and IPv6 addresses for the same interface. For IPv6 addresses: -- You can create or modify the IP address for an interface using either `::` or `0:0:0` notation. For example,both 2620:149:43:c109:0:0:0:5 and 2001:DB8::1/126 are valid. +- You can create or modify the IP address for an interface using either `::` or `0:0:0` notation. For example, both 2620:149:43:c109:0:0:0:5 and 2001:DB8::1/126 are valid. - Cumulus Linux assigns the IPv6 address with all zeroes in the interface identifier (2001:DB8::/126) for each subnet; connected hosts cannot use this address. The following example commands configure three IP addresses for swp1; two IPv4 addresses and one IPv6 address. diff --git a/content/cumulus-linux-52/Layer-2/IGMP-and-MLD-Snooping.md b/content/cumulus-linux-52/Layer-2/IGMP-and-MLD-Snooping.md index aad7f770b0..a21a74e1d6 100644 --- a/content/cumulus-linux-52/Layer-2/IGMP-and-MLD-Snooping.md +++ b/content/cumulus-linux-52/Layer-2/IGMP-and-MLD-Snooping.md @@ -85,7 +85,7 @@ cumulus@switch:~$ sudo ifreload -a ## Optimized Multicast Flooding (OMF) -IGMP snooping restricts multicast forwarding only to the ports that receive IGMP report messages. If the ports do not receive IGMP reports, multicast traffic floods to all ports in the bridge domain (also know as unregistered multicast (URMC) traffic). To restrict this flooding to only mrouter ports, you can enable OMF. +IGMP snooping restricts multicast forwarding only to the ports that receive IGMP report messages. If the ports do not receive IGMP reports, multicast traffic floods to all ports in the bridge domain (also known as unregistered multicast (URMC) traffic). To restrict this flooding to only mrouter ports, you can enable OMF. To enable OMF: 
diff --git a/content/cumulus-linux-52/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md b/content/cumulus-linux-52/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md index c7232d3095..275e96e4b2 100644 --- a/content/cumulus-linux-52/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md +++ b/content/cumulus-linux-52/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md @@ -832,7 +832,7 @@ The following table shows the conflict types and actions that Cumulus Linux take | LACP partner MAC address | Interface | Protodown the MLAG bonds on the MLAG switch if there is an LACP partner MAC address mismatch or if there is a duplicate LACP partner MAC address. | | MLAG VLANs| Interface | Suspend the inconsistent VLANs on either MLAG peer if the VLANs are not part of the peer link or if there is mismatch of VLANs configured on the MLAG bonds between the MLAG peers. | | Peer link VLANs| Global | Suspend the inconsistent VLANs on either MLAG peer on all the dual-connected MLAG bonds and VXLAN interfaces. | -| MLAG protocol version | Global | The consistency check records an MLAG protocol version mismatch between the MLAG peers. Cumulus Linux does not take any distruptive action. | +| MLAG protocol version | Global | The consistency check records an MLAG protocol version mismatch between the MLAG peers. Cumulus Linux does not take any disruptive action. | | MLAG package version | Global| The consistency check records an MLAG package version mismatch between the MLAG peers. Cumulus Linux does not take any disruptive action.| You can also manually check for MLAG inconsistencies with the following commands: 
@@ -996,7 +996,7 @@ bridge-learning yes yes - {{< /tab >}} {{< /tabs >}} -The actions that Cumulus Linux takes when there is a conflict are distruptive. If you prefer, you can configure the switch to not take any action when there is a conflict. Edit the `/etc/network/interfaces` file to add the `clagd-args --gracefulConsistencyCheck FALSE` parameter in the peer link stanza. +The actions that Cumulus Linux takes when there is a conflict are disruptive. If you prefer, you can configure the switch to not take any action when there is a conflict. Edit the `/etc/network/interfaces` file to add the `clagd-args --gracefulConsistencyCheck FALSE` parameter in the peer link stanza. ``` cumulus@leaf01:~$ sudo nano /etc/network/interfaces diff --git a/content/cumulus-linux-52/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md b/content/cumulus-linux-52/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md index cd76bb24bb..3cb2d462b9 100644 --- a/content/cumulus-linux-52/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md +++ b/content/cumulus-linux-52/Layer-2/Virtual-Router-Redundancy-VRR-and-VRRP.md @@ -164,8 +164,8 @@ The following example commands configure both 10.1.10.1/24 and 10.1.11.1/24 on V {{< tab "NVUE Commands ">}} ``` -cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr adress 10.1.10.1/24 -cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr adress 10.1.11.1/24 +cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr address 10.1.10.1/24 +cumulus@switch:mgmt:~$ nv set interface vlan10 ip vrr address 10.1.11.1/24 cumulus@switch:mgmt:~$ nv config apply ``` diff --git a/content/cumulus-linux-52/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-52/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md index 2e4971ef31..8168473201 100644 --- a/content/cumulus-linux-52/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md 
+++ b/content/cumulus-linux-52/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md @@ -944,7 +944,7 @@ BGP add-path RX enables BGP to receive multiple paths for the same prefix. A pat To view the existing capabilities, run the vtysh `show ip bgp neighbors` command. You can see the existing capabilities in the subsection *Add Path*, below *Neighbor capabilities.* -The following example output shows that BGP can sent and receive additional BGP paths, and that the BGP neighbor on swp51 supports both. +The following example output shows that BGP can send and receive additional BGP paths, and that the BGP neighbor on swp51 supports both. ``` cumulus@leaf01:~$ sudo vtysh diff --git a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index 8102a9ced5..a56ab4dd11 100644 --- a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -13,13 +13,13 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | Babel | HIGH | 16777218 | BABEL Packet Error | Babel has detected a packet encode/decode problem. | Collect the relevant log files and report the issue for troubleshooting.| | Babel | HIGH | 16777219 | BABEL Configuration Error | Babel has detected a configuration error of some sort. | Ensure that the configuration is correct. | | Babel | HIGH | 16777220 | BABEL Route Error | Babel has detected a routing error and is in an inconsistent state. | Gather data to report the issue for troubleshooting. Restart FRR. | -| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the soure of the attribute and determine why the attribute flag has been set incorrectly. | -| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the soure of the attribute and determine why the attribute length has been set incorrectly. | -| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the soure of the attribute and determine why the origin attribute has been set incorrectly. | -| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the soure of the update and determine why the AS path has been set incorrectly. | -| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the soure of the update and determine why the AS path first AS value has been set incorrectly. | -| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute type has been set incorrectly. 
| -| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the soure of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | +| BGP | HIGH | 33554433 | BGP attribute flag is incorrect | BGP attribute flag is set to the wrong value (Optional/Transitive/Partial). | Determine the source of the attribute and determine why the attribute flag has been set incorrectly. | +| BGP | HIGH | 33554434 | BGP attribute length is incorrect | BGP attribute length is incorrect. | Determine the source of the attribute and determine why the attribute length has been set incorrectly. | +| BGP | HIGH | 33554435 | BGP attribute origin value invalid | BGP attribute origin value is invalid. | Determine the source of the attribute and determine why the origin attribute has been set incorrectly. | +| BGP | HIGH | 33554436 | BGP as path is invalid | BGP AS path has been malformed. | Determine the source of the update and determine why the AS path has been set incorrectly. | +| BGP | HIGH | 33554437 | BGP as path first as is invalid | BGP update has invalid first AS in AS path. | Determine the source of the update and determine why the AS path first AS value has been set incorrectly. | +| BGP | HIGH | 33554439 | BGP PMSI tunnel attribute type is invalid | BGP update has invalid type for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute type has been set incorrectly. | +| BGP | HIGH | 33554440 | BGP PMSI tunnel attribute length is invalid | BGP update has invalid length for PMSI tunnel. | Determine the source of the update and determine why the PMSI tunnel attribute length has been set incorrectly. | | BGP | HIGH | 33554442 | BGP peergroup operated on in error | BGP operating on peer-group instead of peers included. | Ensure the configuration doesn't contain peer-groups contained within peer-groups. 
| | BGP | HIGH | 33554443 | BGP failed to delete peer structure | BGP was unable to delete the peer structure when the address-family was removed. | Determine if all expected peers are removed and restart FRR if not. This is most likely a bug. | | BGP | HIGH | 33554444 | BGP failed to get table chunk memory | BGP unable to get chunk memory for table manager. | Ensure there is adequate memory on the device to support the table requirements. | 
@@ -38,8 +38,8 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | BGP | HIGH | 33554457 | BGP error receiving keepalive packet | BGP unable to process a keepalive packet. | BGP keepalive received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554458 | BGP error receiving route refresh message | BGP unable to process route refresh message. | BGP route refresh received while in a stopped state. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554459 | BGP error capability message | BGP unable to process received capability. | BGP capability message received while in a stopped state. If the problem persists, report it for troubleshooting. | -| BGP | HIGH | 33554460 | BGP error with nexthopo update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | -| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | +| BGP | HIGH | 33554460 | BGP error with nexthop update | BGP unable to process nexthop update. | BGP received the nexthop update but the nexthop is not reachable in this BGP instance. Report the problem for troubleshooting. | +| BGP | HIGH | 33554461 | Failure to apply label | BGP attempted to apply a label but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554462 | Multipath specified is invalid | BGP was started with an invalid ECMP/multipath value. | Correct the ECMP/multipath value supplied when starting the BGP daemon. | | BGP | HIGH | 33554463 | Failure to process a packet | BGP attempted to process a received packet but could not do so. | This is most likely a bug. 
If the problem persists, report it for troubleshooting. | | BGP | HIGH | 33554464 | Failure to connect to peer | BGP attempted to send open to a peer but couldn't connect. | This is most likely a bug. If the problem persists, report it for troubleshooting. | 
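Review bot: In the 33554460 row of the cumulus-linux-52 FRRouting-Log-Message-Reference.md table, the edit changes the message title itself ("BGP error with nexthopo update" to "BGP error with nexthop update"), not just the explanatory columns. If the title column reproduces the string FRR writes to the log, anyone searching logs or alert rules for the documented text will stop matching. Confirm the title against the FRR error definition first, and keep the documented title identical to what the daemon emits until the string is corrected there as well.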
@@ -62,7 +62,7 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | EIGRP | HIGH | 50331650 | EIGRP Configuration Error | EIGRP has detected a configuration error.| Correct the configuration issue. If it still persists, report the issue for troubleshooting.| | General | HIGH | 100663297 | Failure to raise or lower privileges | FRR attempted to raise or lower its privileges and was unable to do so. | Ensure that you are running FRR as the frr user and that the user has sufficient privileges to properly access root privileges. | | General | HIGH | 100663298 | VRF Failure on Start | Upon startup, FRR failed to properly initialize and start up the VRF subsystem. | Ensure that there is sufficient memory to start processes, then restart FRR. | -| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occured and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permisions to work. | +| General | HIGH | 100663299 | Socket Error | When attempting to access a socket, a system error occurred and FRR was unable to properly complete the request. | Ensure that there are sufficient system resources available and ensure that the frr user has sufficient permissions to work. | | General | HIGH | 100663303 | System Call Error | FRR has detected an error from using a vital system call and has probably already exited. | Ensure permissions are correct for FRR users and groups. Additionally, check that sufficient system resources are available. | | General | HIGH | 100663304 | VTY Subsystem Error | FRR has detected a problem with the specified configuration file. | Ensure the configuration file exists and has the correct permissions for operations. Additionally, ensure that all config lines are correct as well. 
| | General | HIGH | 100663305 | SNMP Subsystem Error | FRR has detected a problem with the SNMP library it uses. A callback from this subsystem has indicated some error. | Examine the callback message and ensure SNMP is properly set up and working. | diff --git a/content/cumulus-linux-52/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-52/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 555909956f..af27d6671e 100644 --- a/content/cumulus-linux-52/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-52/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -210,7 +210,7 @@ delay_mechanism E2E network_transport UDPv4 ``` -For a trunk VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `trunk`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP adress of the VLAN interface: +For a trunk VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `trunk`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP address of the VLAN interface: ``` [swp1] @@ -223,7 +223,7 @@ delay_mechanism E2E network_transport UDPv4 ``` -For a switch port VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `access`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP adress of the VLAN interface: +For a switch port VLAN, add the VLAN configuration to the switch port stanza: set `l2_mode` to `access`, `vlan_intf` to the VLAN interface, and `src_ip` to the IP address of the VLAN interface: ``` [swp2] 
@@ -489,7 +489,7 @@ To create a custom profile: - Update any of the profile settings you want to change (`announce-interval`, `delay-req-interval`, `priority1`, `sync-interval`, `announce-timeout`, `domain`, `priority2`, `transport`, `delay-mechanism`, `local-priority`). - Set the custom profile to be the current profile. -The following example commands create a custom profile called CUSTOM1 based on the predifined profile ITU 8275-1. The commands set the `domain` to 3 and the `announce-timeout` to 5, then set `CUSTOM1` to be the current profile: +The following example commands create a custom profile called CUSTOM1 based on the predefined profile ITU 8275-1. The commands set the `domain` to 3 and the `announce-timeout` to 5, then set `CUSTOM1` to be the current profile: ``` cumulus@switch:~$ nv set service ptp 1 profile CUSTOM1 @@ -503,7 +503,7 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -The following example `/etc/ptp4l.conf` file creates a custom profile based on the predifined profile ITU 8275-1 and sets the `domain` to 3 and the `announce-timeout` to 5. +The following example `/etc/ptp4l.conf` file creates a custom profile based on the predefined profile ITU 8275-1 and sets the `domain` to 3 and the `announce-timeout` to 5. ``` cumulus@switch:~$ sudo nano /etc/ptp4l.conf 
@@ -983,7 +983,7 @@ To configure a PTP interface to be the unicast *client*: - Optional: Set the unicast request duration; the service time in seconds requested during discovery. The default value is 300 seconds. {{%notice note%}} -A PTP interface as a unicast client or server only supports a single communictation mode and does not work with multicast servers or clients. Make sure that both sides of a PTP link are in unicast mode. +A PTP interface as a unicast client or server only supports a single communication mode and does not work with multicast servers or clients. Make sure that both sides of a PTP link are in unicast mode. {{%/notice%}} The following example commands configure a unicast master table with ID 1. The commands set the unicast master address and the peer address to 10.10.10.1, the query interval to 4, the unicast service mode to `client`, and the unicast request duration to 20 in the unicast master table. @@ -1653,9 +1653,9 @@ The following example shows that there are no violations: cumulus@switch:~$ nv show service ptp 1 monitor violations operational applied description ---------------- ----------- ------- ----------------------------------------------- -last-max-offset Time at which last max offest violation occured -last-min-offset Time at which last min offest violation occured -last-path-delay Time at which last path delay violation occured +last-max-offset Time at which last max offest violation occurred +last-min-offset Time at which last min offest violation occurred +last-path-delay Time at which last path delay violation occurred max-offset-count 0 Number of maximum offset violations min-offset-count 0 Number of min offset violations path-delay-count 0 Number of Path delay violations diff --git a/content/cumulus-linux-53/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md b/content/cumulus-linux-53/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md index bbc62c5a9b..bf5c6eeb58 100644 
--- a/content/cumulus-linux-53/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md +++ b/content/cumulus-linux-53/Installation-Management/Installing-a-New-Cumulus-Linux-Image.md @@ -323,7 +323,7 @@ You can run several installer command line options from ONIE to perform basic sw - Execute a ZTP script to perform necessary configuration {{%notice note%}} -The `onie-nos-install` command does *not* allow you specify command line parameters. You must access the switch from the console and transfer a disk image to the switch. You must then make the disk image executable and install the image directly from the ONIE command line with the options you want to use. +The `onie-nos-install` command does *not* allow you to specify command line parameters. You must access the switch from the console and transfer a disk image to the switch. You must then make the disk image executable and install the image directly from the ONIE command line with the options you want to use. The following example commands transfer a disk image to the switch, make the image executable, and install the image with the `--password` option to change the default cumulus user password: diff --git a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md index a41dddf8d1..b915921c01 100644 --- a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md +++ b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/DHCP/DHCP-Relays.md @@ -103,7 +103,7 @@ cumulus@leaf01:~$ nv config apply ## Optional Configuration -This section describes optional DHCP relay configuration. The steps provided in this section assume that you already done basic DHCP relay configuration, described above. +This section describes optional DHCP relay configurations. The steps provided in this section assume that you have already configured basic DHCP relay, as described above. ### DHCP Agent Information Option (Option 82) 
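Review bot: In the `nv show service ptp 1 monitor violations` hunk of cumulus-linux-52 Precision Time Protocol-PTP.md (@@ -1653,9 +1653,9), the three rewritten description lines fix "occured" but still read "offest". These lines also sit inside a sample command output block, so the edit makes the documented output differ from what the switch prints. Either correct "offset" in the same pass and fix the description strings in NVUE too, or leave the sample output verbatim.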
diff --git a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md index a61de0d387..3a698170f3 100644 --- a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md +++ b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/Switch-Port-Attributes.md @@ -1120,7 +1120,7 @@ SN4600 64xQSFP56 (200GbE) interfaces support both PAM4 and NRZ encodings with al For lower speeds, PAM4 is automatically converted to NRZ encoding. -Only 32xQSFP56 ports can brea kout into 4xSFP56 (4x50GbE). But, in this case, the adjacent QSFP56 port are blocked (only the first and third or second and fourth rows can break out into 4xSFP56). +Only 32xQSFP56 ports can break out into 4xSFP56 (4x50GbE). But, in this case, the adjacent QSFP56 port are blocked (only the first and third or second and fourth rows can break out into 4xSFP56). All 64xQSFP56 ports can break out into 2xQSFP56 (2x100GbE) without blocking ports. diff --git a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md index f4b230b4de..b7804343ef 100644 --- a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md +++ b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md 
@@ -412,7 +412,7 @@ If you specify a subinterface, such as swp1.100, then run `ifup swp1.100`, Cumul You can specify both IPv4 and IPv6 addresses for the same interface. For IPv6 addresses: -- You can create or modify the IP address for an interface using either `::` or `0:0:0` notation. For example,both 2620:149:43:c109:0:0:0:5 and 2001:DB8::1/126 are valid. +- You can create or modify the IP address for an interface using either `::` or `0:0:0` notation. For example, both 2620:149:43:c109:0:0:0:5 and 2001:DB8::1/126 are valid. - Cumulus Linux assigns the IPv6 address with all zeroes in the interface identifier (2001:DB8::/126) for each subnet; connected hosts cannot use this address. The following example commands configure three IP addresses for swp1; two IPv4 addresses and one IPv6 address. diff --git a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Quality-of-Service/_index.md b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Quality-of-Service/_index.md index ff55a904a4..41aa191906 100644 --- a/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Quality-of-Service/_index.md +++ b/content/cumulus-linux-53/Layer-1-and-Switch-Ports/Quality-of-Service/_index.md 
@@ -896,7 +896,7 @@ If you define a queue minimum shaping value of `0`, there is no bandwidth guaran -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-44/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-44/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index 90666e3458..66fb438835 100644 --- a/content/cumulus-linux-44/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-44/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -86,7 +86,7 @@ The following table lists the HIGH severity ERROR log messages generated by FRRo | OSPF | HIGH | 134217729 | Failure to process a packet | OSPF attempted to process a received packet but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217730 | Failure to process Router LSA | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check the OSPF network configuration for any configuration issue. If the problem persists, report it for troubleshooting.| | OSPF | HIGH | 134217731 | OSPF Domain Corruption | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check OSPF network database for a corrupted LSA. If the problem persists, shut down the OSPF domain and report the problem for troubleshooting. | -| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialized the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | +| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialize the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217733 | OSPF SR Invalid DB | OSPF segment routing database is invalid. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217734 | OSPF SR hash node creation failed | OSPF segment routing node creation failed. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217735 | OSPF SR Invalid lsa id | OSPF segment routing invalid LSA ID. | Restart the OSPF instance. If the problem persists, report it for troubleshooting. | 
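Review bot: In the cumulus-linux-53 Switch-Port-Attributes.md hunk (@@ -1120,7 +1120,7), the rewritten line fixes "brea kout" but its second sentence still reads "the adjacent QSFP56 port are blocked". Since the line is already being replaced, change it to "the adjacent QSFP56 ports are blocked".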
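Review bot: In the cumulus-linux-44 OSPF table hunk (@@ -86,7 +86,7), rows 134217730 and 134217731 directly above the corrected row still contain "mismtach", and the same two rows are left untouched in the cumulus-linux-50 copy of this table. Extend the hunk to fix "mismatch" in both files. Those two rows also carry the identical description text for two different errors ("Failure to process Router LSA" and "OSPF Domain Corruption"), which is worth checking against the FRR source while the table is open.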
diff --git a/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md b/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md index 0e1530dc82..46da455d79 100644 --- a/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md +++ b/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md @@ -188,7 +188,7 @@ You can authenticate the user in the following ways: - With no authentication password (if you specify `auth-none`) - With an MD5 password -- With a SHA password +- With an SHA password {{< tabs "username" >}} {{< tab "NCLU Commands" >}} diff --git a/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index 6dc9ef7c82..928d6a0b2a 100644 --- a/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-44/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md 
@@ -761,7 +761,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index c8f3a6324b..7dd43bfff0 100644 --- a/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-44/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -145,7 +145,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp peer swp51 address-family l2vpn- cumulus@leaf01:~$ nv config apply ``` -Unlike with NCLU, you do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +Unlike with NCLU, you do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. The NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-44/System-Configuration/Netfilter-ACLs/_index.md b/content/cumulus-linux-44/System-Configuration/Netfilter-ACLs/_index.md index eab48c2bbf..93f81769e1 100644 --- a/content/cumulus-linux-44/System-Configuration/Netfilter-ACLs/_index.md +++ b/content/cumulus-linux-44/System-Configuration/Netfilter-ACLs/_index.md 
@@ -144,7 +144,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always start `switchd` with nonatomic updates: @@ -1058,7 +1058,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
@@ -1077,7 +1077,7 @@ failed. ### INPUT Chain Rules -Cumulus Linux implements INPUT chain rules using a trap mechanism and assigns trap IDs to packets that go to the CPU. The default INPUT chain rules map to these trap IDs. However, if a packet matches multiple traps, an internal priority mechanism resolves them. which can be different from the rule priorities. The default expected rule does not police the packet but another rule polices it instead. For example, the LOCAL rule polices ICMP packets that go to the CPU instead of the ICMP rule. Also, multiple rules can share the same trap, where the largest of the policer values applies. +Cumulus Linux implements INPUT chain rules using a trap mechanism and assigns trap IDs to packets that go to the CPU. The default INPUT chain rules map to these trap IDs. However, if a packet matches multiple traps, an internal priority mechanism resolves them which can be different from the rule priorities. The default expected rule does not police the packet but another rule polices it instead. For example, the LOCAL rule polices ICMP packets that go to the CPU instead of the ICMP rule. Also, multiple rules can share the same trap, where the largest of the policer values applies. To work around this issue, create rules on the INPUT and FORWARD chains (INPUT,FORWARD). diff --git a/content/cumulus-linux-50/Layer-3/Routing/Policy-based-Routing.md b/content/cumulus-linux-50/Layer-3/Routing/Policy-based-Routing.md index 692fc3c66f..50a1368480 100644 --- a/content/cumulus-linux-50/Layer-3/Routing/Policy-based-Routing.md +++ b/content/cumulus-linux-50/Layer-3/Routing/Policy-based-Routing.md 
@@ -28,7 +28,7 @@ A PBR policy contains one or more policy maps. Each policy map: - To match on a source and destination address, a policy map can contain both match source and match destination IP rules. - A set rule determines the PBR next hop for the policy. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index a56ab4dd11..5ec1b97caf 100644 --- a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -86,7 +86,7 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | OSPF | HIGH | 134217729 | Failure to process a packet | OSPF attempted to process a received packet but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217730 | Failure to process Router LSA | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check the OSPF network configuration for any configuration issue. If the problem persists, report it for troubleshooting.| | OSPF | HIGH | 134217731 | OSPF Domain Corruption | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check OSPF network database for a corrupted LSA. If the problem persists, shut down the OSPF domain and report the problem for troubleshooting. | -| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialized the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | +| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialize the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217733 | OSPF SR Invalid DB | OSPF segment routing database is invalid. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217734 | OSPF SR hash node creation failed | OSPF segment routing node creation failed. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217735 | OSPF SR Invalid lsa id | OSPF segment routing invalid LSA ID. | Restart the OSPF instance. If the problem persists, report it for troubleshooting. | 
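Review bot: The context rows for 134217730 and 134217731 in this same table hunk still contain the misspelling "mismtach" ("there was an advertising ID mismtach with the link ID"). Since this pass already corrects "initialized" two rows below, fix both occurrences to "mismatch" here and in the other versioned copies of FRRouting-Log-Message-Reference.md that this patch touches.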
diff --git a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md index 92c3e67c5c..21b0dde209 100644 --- a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md +++ b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md @@ -158,7 +158,7 @@ You can authenticate the user in the following ways: - With no authentication password (if you specify `auth-none`) - With an MD5 password -- With a SHA password +- With an SHA password {{< tabs "username" >}} {{< tab "NVUE Commands" >}} diff --git a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index d312fa72e4..8400d928ba 100644 --- a/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-50/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md 
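Review bot: "With an SHA password" is only correct if readers spell the acronym out letter by letter; read as a word it takes "a", which is what the removed line had. Confirm which form the documentation style guide prescribes before applying this change to every versioned copy of Configure-SNMP.md, and keep the article consistent with the neighbouring "With an MD5 password" bullet only if the spelled-out reading is the intended one.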
@@ -761,7 +761,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index e831a6eaea..6e2169f328 100644 --- a/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-50/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
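Review bot: The corrected sentence still uses a semicolon to introduce its two options ("choose when to address this issue; immediately or during a maintenance window"), and a semicolon cannot introduce a list. Use a colon instead, and consider dropping the repeated "issue": "Based on the failure scenario when you discover the issue, choose when to address it: immediately or during a maintenance window."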
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-50/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-50/System-Configuration/Netfilter-ACLs.md index 5a8a8278b5..499fd82951 100644 --- a/content/cumulus-linux-50/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-50/System-Configuration/Netfilter-ACLs.md 
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always start `switchd` with nonatomic updates: @@ -1309,7 +1309,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
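Review bot: In the "Where to Assign Rules" hunk the verb is now correct, but the sentence still joins the symptom and the remedy with a bare "and" ("the rule does not affect the traffic and you must apply the rule to the bridge"), which reads as two unrelated facts. Suggest separating them so the remedy stands out: "the rule does not affect the traffic; apply the rule to the bridge instead."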
@@ -1328,7 +1328,7 @@ failed. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index a56ab4dd11..5ec1b97caf 100644 --- a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -86,7 +86,7 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | OSPF | HIGH | 134217729 | Failure to process a packet | OSPF attempted to process a received packet but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217730 | Failure to process Router LSA | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check the OSPF network configuration for any configuration issue. If the problem persists, report it for troubleshooting.| | OSPF | HIGH | 134217731 | OSPF Domain Corruption | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check OSPF network database for a corrupted LSA. If the problem persists, shut down the OSPF domain and report the problem for troubleshooting. | -| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialized the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | +| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialize the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217733 | OSPF SR Invalid DB | OSPF segment routing database is invalid. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217734 | OSPF SR hash node creation failed | OSPF segment routing node creation failed. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217735 | OSPF SR Invalid lsa id | OSPF segment routing invalid LSA ID. | Restart the OSPF instance. If the problem persists, report it for troubleshooting. | 
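Review bot: The description for 134217731 ("OSPF Domain Corruption") in the context rows is word for word the same as the description for 134217730 ("Failure to process Router LSA"), while the recommended actions differ. That looks like a copy-paste in the table rather than two errors with identical causes; please check the 134217731 description against the FRR source text while this table is being edited.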
diff --git a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md index 59c31968b1..678c2aaf4f 100644 --- a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md +++ b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md @@ -158,7 +158,7 @@ You can authenticate the user in the following ways: - With no authentication password (if you specify `auth-none`) - With an MD5 password -- With a SHA password +- With an SHA password {{< tabs "username" >}} {{< tab "NVUE Commands" >}} diff --git a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index 3b541932ad..c094340e7e 100644 --- a/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-51/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md 
@@ -761,7 +761,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index e831a6eaea..6e2169f328 100644 --- a/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-51/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-51/Network-Virtualization/VXLAN-Devices.md b/content/cumulus-linux-51/Network-Virtualization/VXLAN-Devices.md index d52c02c702..040b2cf916 100644 --- a/content/cumulus-linux-51/Network-Virtualization/VXLAN-Devices.md +++ b/content/cumulus-linux-51/Network-Virtualization/VXLAN-Devices.md 
@@ -197,7 +197,7 @@ cumulus@leaf01:~$ ifreload -a ## Automatic VLAN to VNI Mapping -In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a seperate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: +In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a separate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: - `nv set bridge domain vlan vni auto` configures the specified VLANs to use automatic mapping. - `nv set bridge domain vlan-vni-offset` configures the offset you want to use for the VNIs. For example, if you specify an offset of 10000, the VNI is the VLAN plus 10000. diff --git a/content/cumulus-linux-51/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-51/System-Configuration/Netfilter-ACLs.md index d79ea2a0b9..e67a51177f 100644 --- a/content/cumulus-linux-51/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-51/System-Configuration/Netfilter-ACLs.md 
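Review bot: The changed line in "Automatic VLAN to VNI Mapping" fixes "seperate" but keeps the inconsistent plural "VLANS" ("if you have to configure many VLANS or need to isolate tenants and reuse VLANs"). The same sentence and the rest of the paragraph use "VLANs", so change "VLANS" to "VLANs" in this line as part of the same fix.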
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always start `switchd` with nonatomic updates: @@ -1309,7 +1309,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
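Review bot: Step 6 in the @@ -138 hunk, directly under the corrected step 5, still reads "Cumulus Linux reverts back to the previous rules"; "back" is redundant with "reverts". Since this pass is already touching the list, change it to "reverts to the previous rules" here and in the other versioned copies of Netfilter-ACLs.md.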
@@ -1328,7 +1328,7 @@ failed. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md index a56ab4dd11..5ec1b97caf 100644 --- a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md +++ b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/FRRouting-Log-Message-Reference.md 
@@ -86,7 +86,7 @@ The following table lists the HIGH severity ERROR log messages generated by FRR. | OSPF | HIGH | 134217729 | Failure to process a packet | OSPF attempted to process a received packet but could not do so. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217730 | Failure to process Router LSA | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check the OSPF network configuration for any configuration issue. If the problem persists, report it for troubleshooting.| | OSPF | HIGH | 134217731 | OSPF Domain Corruption | OSPF attempted to process a router LSA, but there was an advertising ID mismtach with the link ID. | Check OSPF network database for a corrupted LSA. If the problem persists, shut down the OSPF domain and report the problem for troubleshooting. | -| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialized the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | +| OSPF | HIGH | 134217732 | OSPF Initialization failure | OSPF failed to initialize the OSPF default instance. | Ensure there is adequate memory on the device. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217733 | OSPF SR Invalid DB | OSPF segment routing database is invalid. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217734 | OSPF SR hash node creation failed | OSPF segment routing node creation failed. | This is most likely a bug. If the problem persists, report it for troubleshooting. | | OSPF | HIGH | 134217735 | OSPF SR Invalid lsa id | OSPF segment routing invalid LSA ID. | Restart the OSPF instance. If the problem persists, report it for troubleshooting. | 
diff --git a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md index 1e121873ab..063b92a763 100644 --- a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md +++ b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md @@ -154,7 +154,7 @@ You can authenticate the user in the following ways: - With no authentication password (if you specify `auth-none`) - With an MD5 password -- With a SHA password +- With an SHA password {{< tabs "username" >}} {{< tab "NVUE Commands" >}} diff --git a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index 3b541932ad..c094340e7e 100644 --- a/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-52/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md 
@@ -761,7 +761,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index e831a6eaea..6e2169f328 100644 --- a/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-52/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-52/Network-Virtualization/VXLAN-Devices.md b/content/cumulus-linux-52/Network-Virtualization/VXLAN-Devices.md index d52c02c702..040b2cf916 100644 --- a/content/cumulus-linux-52/Network-Virtualization/VXLAN-Devices.md +++ b/content/cumulus-linux-52/Network-Virtualization/VXLAN-Devices.md 
@@ -197,7 +197,7 @@ cumulus@leaf01:~$ ifreload -a ## Automatic VLAN to VNI Mapping -In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a seperate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: +In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a separate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: - `nv set bridge domain vlan vni auto` configures the specified VLANs to use automatic mapping. - `nv set bridge domain vlan-vni-offset` configures the offset you want to use for the VNIs. For example, if you specify an offset of 10000, the VNI is the VLAN plus 10000. diff --git a/content/cumulus-linux-52/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-52/System-Configuration/Netfilter-ACLs.md index 44bb73577d..cf960aa292 100644 --- a/content/cumulus-linux-52/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-52/System-Configuration/Netfilter-ACLs.md 
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always start `switchd` with nonatomic updates: @@ -1315,7 +1315,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
@@ -1334,7 +1334,7 @@ failed. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-53/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-53/Layer-3/Routing/Route-Filtering-and-Redistribution.md index 8b6470c9cc..d3589cd833 100644 --- a/content/cumulus-linux-53/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-53/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -281,7 +281,7 @@ The `source-protocol` match statement is only supported in {{}} {{< tab "NVUE Commands" >}} diff --git a/content/cumulus-linux-53/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-53/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index 3b541932ad..c094340e7e 100644 --- a/content/cumulus-linux-53/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-53/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md 
@@ -761,7 +761,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index d7142cd91c..7a89e69c79 100644 --- a/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-53/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-53/Network-Virtualization/VXLAN-Devices.md b/content/cumulus-linux-53/Network-Virtualization/VXLAN-Devices.md index 6a657fa6f5..7d418bbc0a 100644 --- a/content/cumulus-linux-53/Network-Virtualization/VXLAN-Devices.md +++ b/content/cumulus-linux-53/Network-Virtualization/VXLAN-Devices.md 
@@ -197,7 +197,7 @@ cumulus@leaf01:~$ ifreload -a ## Automatic VLAN to VNI Mapping -In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a seperate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: +In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a separate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: - `nv set bridge domain vlan vni auto` configures the specified VLANs to use automatic mapping. - `nv set bridge domain vlan-vni-offset` configures the offset you want to use for the VNIs. For example, if you specify an offset of 10000, the VNI is the VLAN plus 10000. diff --git a/content/cumulus-linux-53/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-53/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index c8694ec01e..4056bf4982 100644 --- a/content/cumulus-linux-53/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-53/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -1418,7 +1418,7 @@ Cumulus Linux monitors clock correction and path delay against thresholds, and g | ----- | ----------- | | `nv set service ptp monitor min-offset-threshold` | Sets the minimum difference allowed between the master and slave time. You can set a value between -1000000000 and 0 nanoseconds. The default value is -50 nanoseconds.| | `nv set service ptp monitor max-offset-threshold` | Sets the maximum difference allowed between the master and slave time. You can set a value between 0 and 1000000000 nanoseconds. The default value is 50 nanoseconds.| -| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds . The default value is 200 nanoseconds. | +| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds. The default value is 200 nanoseconds. | | `nv set service ptp monitor max-timestamp-entries` | Sets the maximum number of timestamp entries allowed. Cumulus Linux updates the timestamps continuously. You can specify a value between 100 and 200. The default value is 100 entries.| | `nv set service ptp monitor max-violation-log-sets` | Sets the maximum number of violation log sets allowed. You can specify a value between 2 and 4. The default value is 2 sets.| | `nv set service ptp monitor max-violation-log-entries` | Sets the maximum number of violation log entries allowed for each set. You can specify a value between 4 and 8. The default value is 8 entries.| diff --git a/content/cumulus-linux-53/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-53/System-Configuration/Netfilter-ACLs.md index dca72bbbbf..ebb5509bd8 100644 --- a/content/cumulus-linux-53/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-53/System-Configuration/Netfilter-ACLs.md 
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always reload `switchd` with nonatomic updates: @@ -1313,7 +1313,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
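Review bot: In the `@@ -1313` hunk of `content/cumulus-linux-53/System-Configuration/Netfilter-ACLs.md`, the corrected `+` bullet is still a run-on: "the rule does not affect the traffic and you must apply the rule to the bridge" joins the symptom and the required action with "and", so the action reads as part of the failure condition. Suggest splitting it, for example "the rule does not affect the traffic; apply the rule to the bridge instead." The same bullet is patched in the 5.4 and 5.5 copies of this file, so any rewording should go into all of them together.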
@@ -1332,7 +1332,7 @@ failed. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md index 8b6470c9cc..d3589cd833 100644 --- a/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-54/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -281,7 +281,7 @@ The `source-protocol` match statement is only supported in {{}}, including the {{}}, follow {{}} for configuring the service. -You do not need to run SNMP in the management VRF if you just want to allow SNMP communicaton through the managment VRF interfaces; see {{}}. +You do not need to run SNMP in the management VRF if you just want to allow SNMP communication through the management VRF interfaces; see {{}}. {{%/notice%}} 1. Start the `snmpd` service: @@ -194,7 +194,7 @@ You can authenticate the user in the following ways: - With no authentication password (if you specify `auth-none`) - With an MD5 password -- With a SHA password +- With an SHA password {{< tabs "username" >}} {{< tab "NVUE Commands" >}} 
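Review bot: The authentication list touched at `@@ -194` presents `auth-none`, MD5 and SHA as equivalent choices, and the change only swaps the article on the SHA line. While this list is being edited, consider adding one sentence on which option to prefer, since `auth-none` leaves the user without an authentication password and MD5 is the weaker of the two digests listed. On the wording itself, "an SHA" assumes the letter-by-letter pronunciation; check that this matches the style guide before applying it to every versioned copy.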
diff --git a/content/cumulus-linux-54/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-54/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index d0a06811f4..01f2b6addf 100644 --- a/content/cumulus-linux-54/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-54/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md @@ -760,7 +760,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index d7142cd91c..7a89e69c79 100644 --- a/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-54/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-54/Network-Virtualization/VXLAN-Devices.md b/content/cumulus-linux-54/Network-Virtualization/VXLAN-Devices.md index 6a657fa6f5..7d418bbc0a 100644 --- a/content/cumulus-linux-54/Network-Virtualization/VXLAN-Devices.md +++ b/content/cumulus-linux-54/Network-Virtualization/VXLAN-Devices.md 
@@ -197,7 +197,7 @@ cumulus@leaf01:~$ ifreload -a ## Automatic VLAN to VNI Mapping -In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a seperate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: +In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a separate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: - `nv set bridge domain vlan vni auto` configures the specified VLANs to use automatic mapping. - `nv set bridge domain vlan-vni-offset` configures the offset you want to use for the VNIs. For example, if you specify an offset of 10000, the VNI is the VLAN plus 10000. diff --git a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index eb3d55218d..cec76d64d6 100644 --- a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -50,7 +50,7 @@ If you use NVUE commands to configure TACACS+, you must also set the priority fo NVUE commands require you to specify the priority for each TACACS+ server. You must set a priority even if you only specify one server. -The following example commmands set: +The following example commands set: - The TACACS+ server priority to 5. - The IP address of the server to 192.168.0.30. - The secret to `mytacac$key`. 
diff --git a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index 3bf43711c8..ac4ff385fe 100644 --- a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md @@ -53,7 +53,7 @@ cumulus@switch:~$ nv config apply You can also run the `nv set system aaa user password ` command to specify the plain text password inline. This command bypasses the `Enter new password` and `Confirm password` prompts but displays the plain text password as you type it. {{%notice note%}} -If you are an NVUE-mangaged user, you can update your own password with the Linux `passwd` command. +If you are an NVUE-managed user, you can update your own password with the Linux `passwd` command. {{%/notice%}} {{< /tab >}} @@ -218,7 +218,7 @@ admin2 FIRST LAST system-admin on ... ``` -To show information about a specific user account, run the run the NVUE `nv show system aaa user ` command: +To show information about a specific user account, run the NVUE `nv show system aaa user ` command: ``` cumulus@switch:~$ nv show system aaa user admin2 diff --git a/content/cumulus-linux-54/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-54/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 976edb6665..5fcc7bf757 100644 --- a/content/cumulus-linux-54/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-54/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -1418,7 +1418,7 @@ Cumulus Linux monitors clock correction and path delay against thresholds, and g | ----- | ----------- | | `nv set service ptp monitor min-offset-threshold` | Sets the minimum difference allowed between the master and slave time. You can set a value between -1000000000 and 0 nanoseconds. The default value is -50 nanoseconds.| | `nv set service ptp monitor max-offset-threshold` | Sets the maximum difference allowed between the master and slave time. You can set a value between 0 and 1000000000 nanoseconds. The default value is 50 nanoseconds.| -| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds . The default value is 200 nanoseconds. | +| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds. The default value is 200 nanoseconds. | | `nv set service ptp monitor max-timestamp-entries` | Sets the maximum number of timestamp entries allowed. Cumulus Linux updates the timestamps continuously. You can specify a value between 100 and 200. The default value is 100 entries.| | `nv set service ptp monitor max-violation-log-sets` | Sets the maximum number of violation log sets allowed. You can specify a value between 2 and 4. The default value is 2 sets.| | `nv set service ptp monitor max-violation-log-entries` | Sets the maximum number of violation log entries allowed for each set. You can specify a value between 4 and 8. The default value is 8 entries.| diff --git a/content/cumulus-linux-54/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-54/System-Configuration/Netfilter-ACLs.md index dca72bbbbf..ebb5509bd8 100644 --- a/content/cumulus-linux-54/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-54/System-Configuration/Netfilter-ACLs.md 
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always reload `switchd` with nonatomic updates: @@ -1313,7 +1313,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
@@ -1332,7 +1332,7 @@ failed. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md index 9a2db84756..38f873d1a2 100644 --- a/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-55/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -281,7 +281,7 @@ The `source-protocol` match statement is only supported in {{}}, including the {{}}, follow {{}} for configuring the service. -You do not need to run SNMP in the management VRF if you just want to allow SNMP communicaton through the managment VRF interfaces; see {{}}. +You do not need to run SNMP in the management VRF if you just want to allow SNMP communication through the management VRF interfaces; see {{}}. {{%/notice%}} 1. Start the `snmpd` service: @@ -194,7 +194,7 @@ You can authenticate the user in the following ways: - With no authentication password (if you specify `auth-none`) - With an MD5 password -- With a SHA password +- With an SHA password {{< tabs "username" >}} {{< tab "NVUE Commands" >}} 
diff --git a/content/cumulus-linux-55/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-55/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index d0a06811f4..01f2b6addf 100644 --- a/content/cumulus-linux-55/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-55/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md @@ -760,7 +760,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index d7142cd91c..7a89e69c79 100644 --- a/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-55/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-55/Network-Virtualization/VXLAN-Devices.md b/content/cumulus-linux-55/Network-Virtualization/VXLAN-Devices.md index 6a657fa6f5..7d418bbc0a 100644 --- a/content/cumulus-linux-55/Network-Virtualization/VXLAN-Devices.md +++ b/content/cumulus-linux-55/Network-Virtualization/VXLAN-Devices.md 
@@ -197,7 +197,7 @@ cumulus@leaf01:~$ ifreload -a ## Automatic VLAN to VNI Mapping -In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a seperate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: +In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a separate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: - `nv set bridge domain vlan vni auto` configures the specified VLANs to use automatic mapping. - `nv set bridge domain vlan-vni-offset` configures the offset you want to use for the VNIs. For example, if you specify an offset of 10000, the VNI is the VLAN plus 10000. diff --git a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 72ac0d99c7..2f9edc2ff5 100644 --- a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -46,7 +46,7 @@ If you use NVUE commands to configure TACACS+, you must also set the priority fo NVUE commands require you to specify the priority for each TACACS+ server. You must set a priority even if you only specify one server. -The following example commmands set: +The following example commands set: - The TACACS+ server priority to 5. - The IP address of the server to 192.168.0.30. - The secret to `mytacac$key`. 
diff --git a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index 3bf43711c8..ac4ff385fe 100644 --- a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md @@ -53,7 +53,7 @@ cumulus@switch:~$ nv config apply You can also run the `nv set system aaa user password ` command to specify the plain text password inline. This command bypasses the `Enter new password` and `Confirm password` prompts but displays the plain text password as you type it. {{%notice note%}} -If you are an NVUE-mangaged user, you can update your own password with the Linux `passwd` command. +If you are an NVUE-managed user, you can update your own password with the Linux `passwd` command. {{%/notice%}} {{< /tab >}} @@ -218,7 +218,7 @@ admin2 FIRST LAST system-admin on ... ``` -To show information about a specific user account, run the run the NVUE `nv show system aaa user ` command: +To show information about a specific user account, run the NVUE `nv show system aaa user ` command: ``` cumulus@switch:~$ nv show system aaa user admin2 diff --git a/content/cumulus-linux-55/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-55/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 3e5ca8fc06..dac7527860 100644 --- a/content/cumulus-linux-55/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-55/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -1366,7 +1366,7 @@ You can configure the following monitor settings: | ----- | ----------- | | `nv set service ptp monitor min-offset-threshold` | Sets the minimum difference allowed between the master and slave time. You can set a value between -1000000000 and 0 nanoseconds. The default value is -50 nanoseconds.| | `nv set service ptp monitor max-offset-threshold` | Sets the maximum difference allowed between the master and slave time. You can set a value between 0 and 1000000000 nanoseconds. The default value is 50 nanoseconds.| -| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds . The default value is 200 nanoseconds. | +| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds. The default value is 200 nanoseconds. | | `nv set service ptp monitor max-timestamp-entries` | Sets the maximum number of timestamp entries allowed. Cumulus Linux updates the timestamps continuously. You can specify a value between 100 and 200. The default value is 100 entries.| The following example sets the minimum offset threshold to -1000, the maximum offset threshold to 1000, and the path delay threshold to 300: diff --git a/content/cumulus-linux-55/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-55/System-Configuration/Netfilter-ACLs.md index df04c8ed8e..ddf878d74f 100644 --- a/content/cumulus-linux-55/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-55/System-Configuration/Netfilter-ACLs.md 
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always reload `switchd` with nonatomic updates: @@ -1359,7 +1359,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
@@ -1378,7 +1378,7 @@ failed. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md index 90b3423873..17606f5087 100644 --- a/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-56/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -305,7 +305,7 @@ The `source-protocol` match statement is only supported in {{}}). +- The WJH agent enables you to stream detailed and contextual telemetry for off-switch analysis with tools such as [NVIDIA NetQ]({{}}). - The WJH service (`what-just-happened`) enables you to diagnose network problems by looking at dropped packets. WJH can monitor layer 1, layer 2, layer 3, tunnel, buffer and ACL related issues. Cumulus Linux enables and runs the WJH service by default. ## Configure WJH diff --git a/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md b/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md index 1aef38eb96..ddf1de11fd 100644 
--- a/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md +++ b/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md @@ -32,7 +32,7 @@ cumulus@switch:~$ nv config apply {{%notice note%}} If you intend to run this service within a {{}}, including the {{}}, follow {{}} for configuring the service. -You do not need to run SNMP in the management VRF if you just want to allow SNMP communicaton through the managment VRF interfaces; see {{}}. +You do not need to run SNMP in the management VRF if you just want to allow SNMP communication through the management VRF interfaces; see {{}}. {{%/notice%}} 1. Start the `snmpd` service: diff --git a/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index d0a06811f4..01f2b6addf 100644 --- a/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-56/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md 
@@ -760,7 +760,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index d7142cd91c..7a89e69c79 100644 --- a/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-56/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-56/Network-Virtualization/VXLAN-Devices.md b/content/cumulus-linux-56/Network-Virtualization/VXLAN-Devices.md index cb05b24e77..2a30a04a58 100644 --- a/content/cumulus-linux-56/Network-Virtualization/VXLAN-Devices.md +++ b/content/cumulus-linux-56/Network-Virtualization/VXLAN-Devices.md 
@@ -197,7 +197,7 @@ cumulus@leaf01:~$ ifreload -a ## Automatic VLAN to VNI Mapping -In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a seperate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: +In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a separate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: - `nv set bridge domain vlan vni auto` configures the specified VLANs to use automatic mapping. - `nv set bridge domain vlan-vni-offset` configures the offset you want to use for the VNIs. For example, if you specify an offset of 10000, the VNI is the VLAN plus 10000. diff --git a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 72ac0d99c7..2f9edc2ff5 100644 --- a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -46,7 +46,7 @@ If you use NVUE commands to configure TACACS+, you must also set the priority fo NVUE commands require you to specify the priority for each TACACS+ server. You must set a priority even if you only specify one server. -The following example commmands set: +The following example commands set: - The TACACS+ server priority to 5. - The IP address of the server to 192.168.0.30. - The secret to `mytacac$key`. 
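Review bot: In the VXLAN-Devices.md hunk (@@ -197,7), the corrected line fixes "seperate" but still reads "configure many VLANS" a few words before "reuse VLANs". Since the line is already being rewritten, change it to "many VLANs" so the plural is consistent. The cumulus-linux-57 copy of this hunk carries the same leftover.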
diff --git a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index 3bf43711c8..ac4ff385fe 100644 --- a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md @@ -53,7 +53,7 @@ cumulus@switch:~$ nv config apply You can also run the `nv set system aaa user password ` command to specify the plain text password inline. This command bypasses the `Enter new password` and `Confirm password` prompts but displays the plain text password as you type it. {{%notice note%}} -If you are an NVUE-mangaged user, you can update your own password with the Linux `passwd` command. +If you are an NVUE-managed user, you can update your own password with the Linux `passwd` command. {{%/notice%}} {{< /tab >}} @@ -218,7 +218,7 @@ admin2 FIRST LAST system-admin on ... ``` -To show information about a specific user account, run the run the NVUE `nv show system aaa user ` command: +To show information about a specific user account, run the NVUE `nv show system aaa user ` command: ``` cumulus@switch:~$ nv show system aaa user admin2 diff --git a/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index ad97248c9c..12628c255c 100644 --- a/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-56/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -1429,7 +1429,7 @@ You can configure the following monitor settings: | ----- | ----------- | | `nv set service ptp monitor min-offset-threshold` | Sets the minimum difference allowed between the master and slave time. You can set a value between -1000000000 and 0 nanoseconds. The default value is -50 nanoseconds.| | `nv set service ptp monitor max-offset-threshold` | Sets the maximum difference allowed between the master and slave time. You can set a value between 0 and 1000000000 nanoseconds. The default value is 50 nanoseconds.| -| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds . The default value is 200 nanoseconds. | +| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds. The default value is 200 nanoseconds. | | `nv set service ptp monitor max-timestamp-entries` | Sets the maximum number of timestamp entries allowed. Cumulus Linux updates the timestamps continuously. You can specify a value between 100 and 200. The default value is 100 entries.| The following example sets the minimum offset threshold to -1000, the maximum offset threshold to 1000, and the path delay threshold to 300: diff --git a/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md index d9187d4357..c5eb8f0ff4 100644 --- a/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-56/System-Configuration/Netfilter-ACLs.md 
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always reload `switchd` with nonatomic updates: @@ -1360,7 +1360,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure 
@@ -1379,7 +1379,7 @@ failed. -To use PBR in Cumulus linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. +To use PBR in Cumulus Linux, you define a PBR policy and apply it to the ingress interface (the interface must already have an IP address assigned). Cumulus Linux matches traffic against the match rules in sequential order and forwards the traffic according to the set rule in the first match. Traffic that does not match any rule passes on to the normal destination based routing mechanism. To configure a PBR policy: diff --git a/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md b/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md index 90b3423873..17606f5087 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Route-Filtering-and-Redistribution.md @@ -305,7 +305,7 @@ The `source-protocol` match statement is only supported in {{}}). +- The WJH agent enables you to stream detailed and contextual telemetry for off-switch analysis with tools such as [NVIDIA NetQ]({{}}). - The WJH service (`what-just-happened`) enables you to diagnose network problems by looking at dropped packets. WJH can monitor layer 1, layer 2, layer 3, tunnel, buffer and ACL related issues. Cumulus Linux enables and runs the WJH service by default. ## Configure WJH diff --git a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md index df275e7fb3..68bd61dd1f 100644 
--- a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md +++ b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Simple-Network-Management-Protocol-SNMP/Configure-SNMP.md @@ -36,7 +36,7 @@ If you disable the `snmpd` service with the `nv set service snmp-server enable o {{%notice note%}} If you intend to run this service within a {{}}, including the {{}}, follow {{}} for configuring the service. -You do not need to run SNMP in the management VRF if you just want to allow SNMP communicaton through the managment VRF interfaces; see {{}}. +You do not need to run SNMP in the management VRF if you just want to allow SNMP communication through the management VRF interfaces; see {{}}. {{%/notice%}} 1. Start the `snmpd` service: @@ -198,7 +198,7 @@ You can authenticate the user in the following ways: - With no authentication password (if you specify `auth-none`) - With an MD5 password -- With a SHA password +- With an SHA password {{< tabs "username" >}} {{< tab "NVUE Commands" >}} diff --git a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md index d0a06811f4..01f2b6addf 100644 --- a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md +++ b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/Troubleshooting-Network-Interfaces/Troubleshoot-Layer-1.md 
@@ -760,7 +760,7 @@ Because I2C problems can be very pernicious, often showing up again much later a To verify that an I2C failure is occurring, run `sudo tail -F /var/log/syslog` and look for `smbus` or `i2c` or `EEPROM read` errors that continue to appear or appear in bursts. -Based on the failure scenario when tyou discover the issue, choose when to address this issue; immediately or during a maintenance window. +Based on the failure scenario when you discover the issue, choose when to address this issue; immediately or during a maintenance window. - If traffic or the switch operates negatively and you cannot route traffic through a redundant network, you must do something immediately. - If you can route traffic around the failing switch, allowing troubleshooting to proceed on the failed switch, proceed to reroute traffic to find an appropriate time to troubleshoot the failing switch. diff --git a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md index 80e6a158c8..d96e18cbbb 100644 --- a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md +++ b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Basic-Configuration.md 
@@ -70,7 +70,7 @@ cumulus@leaf01:~$ nv set vrf default router bgp neighbor swp51 address-family l2 cumulus@leaf01:~$ nv config apply ``` -You do not need enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. +You do not need to enable the BGP control plane for all VNIs configured on the switch with NVUE with the `advertise-all-vni` option. FRR **is** aware of any local VNIs and MACs, and hosts (neighbors) associated with those VNIs. After you run `nv config save`, the NVUE Commands create the following configuration snippet in the `/etc/nvue.d/startup.yaml` file: diff --git a/content/cumulus-linux-57/Network-Virtualization/VXLAN-Devices.md b/content/cumulus-linux-57/Network-Virtualization/VXLAN-Devices.md index cb05b24e77..2a30a04a58 100644 --- a/content/cumulus-linux-57/Network-Virtualization/VXLAN-Devices.md +++ b/content/cumulus-linux-57/Network-Virtualization/VXLAN-Devices.md 
@@ -197,7 +197,7 @@ cumulus@leaf01:~$ ifreload -a ## Automatic VLAN to VNI Mapping -In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a seperate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: +In an EVPN VXLAN environment, you need to map individual VLANs to VNIs. For a single VXLAN device, you can do this with a separate NVUE command per VLAN; however, this can be cumbersome if you have to configure many VLANS or need to isolate tenants and reuse VLANs. To simplify the configuration, you can use these two commands instead: - `nv set bridge domain vlan vni auto` configures the specified VLANs to use automatic mapping. - `nv set bridge domain vlan-vni-offset` configures the offset you want to use for the VNIs. For example, if you specify an offset of 10000, the VNI is the VLAN plus 10000. diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index 1bd9937997..3ffcd66514 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -34,7 +34,7 @@ After you install the required RADIUS packages, configure the following required {{< tabs "TabID41 ">}} {{< tab "NVUE Commands ">}} -The following example commmands set: +The following example commands set: - The IP address of the RADIUS server to 192.168.0.254 and the port to 42. - The secret to `'myradius$key'`. - The priority at which Cumulus Linux contacts the RADIUS server to 10. 
diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index eea5b4c315..71ffdfdb35 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md @@ -129,7 +129,7 @@ uuidd Unknown system www-data www-data Unknown system ``` -To show information about a specific user account including the role assigned to the user, run the run the NVUE `nv show system aaa user ` command: +To show information about a specific user account including the role assigned to the user, run the NVUE `nv show system aaa user ` command: ``` cumulus@switch:~$ nv show system aaa user user2 diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 72ac0d99c7..2f9edc2ff5 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -46,7 +46,7 @@ If you use NVUE commands to configure TACACS+, you must also set the priority fo NVUE commands require you to specify the priority for each TACACS+ server. You must set a priority even if you only specify one server. -The following example commmands set: +The following example commands set: - The TACACS+ server priority to 5. - The IP address of the server to 192.168.0.30. - The secret to `mytacac$key`. 
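Review bot: The TACACS.md hunk (@@ -46,7) leaves the context bullet "The secret to `mytacac$key`" unquoted, while the RADIUS-AAA.md hunk in this same patch lists its secret as `'myradius$key'` in single quotes. A secret containing `$` that is typed unquoted at the shell has `$key` expanded as a variable, so the switch can end up with a different shared secret from the one documented. While fixing "commmands" here, check the example command that follows this list and show the secret single-quoted in both the bullet and the command, matching the RADIUS page; the cumulus-linux-56 copy of TACACS.md has the same bullet.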
diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md index a837758e06..18c951152f 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/User-Accounts.md @@ -73,7 +73,7 @@ cumulus@switch:~$ nv config apply You can also run the `nv set system aaa user password ` command to specify the plain text password inline. This command bypasses the `Enter new password` and `Confirm password` prompts but displays the plain text password as you type it. {{%notice note%}} -If you are an NVUE-mangaged user, you can update your own password with the Linux `passwd` command. +If you are an NVUE-managed user, you can update your own password with the Linux `passwd` command. {{%/notice%}} {{< /tab >}} @@ -260,7 +260,7 @@ uucp uucp Unknown system uuidd Unknown system ``` -To show information about a specific user account, run the run the NVUE `nv show system aaa user ` command: +To show information about a specific user account, run the NVUE `nv show system aaa user ` command: ``` cumulus@switch:~$ nv show system aaa user cumulus diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index 8fc6af9184..8e5337d80d 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -1665,7 +1665,7 @@ You can configure the following monitor settings: | ----- | ----------- | | `nv set service ptp monitor min-offset-threshold` | Sets the minimum difference allowed between the master and slave time. You can set a value between -1000000000 and 0 nanoseconds. The default value is -50 nanoseconds.| | `nv set service ptp monitor max-offset-threshold` | Sets the maximum difference allowed between the master and slave time. You can set a value between 0 and 1000000000 nanoseconds. The default value is 50 nanoseconds.| -| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds . The default value is 200 nanoseconds. | +| `nv set service ptp monitor path-delay-threshold` | Sets the mean time that PTP packets take to travel between the master and slave. You can set a value between 0 and 1000000000 nanoseconds. The default value is 200 nanoseconds. | | `nv set service ptp monitor max-timestamp-entries` | Sets the maximum number of timestamp entries allowed. Cumulus Linux updates the timestamps continuously. You can specify a value between 100 and 200. The default value is 100 entries.| The following example sets the minimum offset threshold to -1000, the maximum offset threshold to 1000, and the path delay threshold to 300: diff --git a/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md b/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md index d65dc44c62..c353fe7ef0 100644 --- a/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md +++ b/content/cumulus-linux-57/System-Configuration/Netfilter-ACLs.md 
@@ -138,7 +138,7 @@ The incremental nonatomic update operation follows this order: 2. Cumulus Linux checks if the rules in a table are different from installation time; if a table does not have any changes, it does not reinstall the rules. 3. If there are changes in a table, the new rules populate in new groups or slices in hardware, then that table switches over to the new groups or slices. 4. Finally, old resources for that table free up. This process repeats for each of the tables listed above. -5. If there are isufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. +5. If there are insufficient resources to hold both the new rule set and old rule set, Cumulus Linux tries the regular nonatomic mode, which interrupts network traffic. 6. If the regular nonatomic update fails, Cumulus Linux reverts back to the previous rules. To always reload `switchd` with nonatomic updates: @@ -1360,7 +1360,7 @@ To work around this limitation, set the rate and burst for all these rules to th ### Where to Assign Rules - If you assign a switch port to a bond, you must assign any egress rules to the bond. -- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must applied the rule to the bridge. +- When using the OUTPUT chain, you must assign rules to the source. For example, if you assign a rule to the switch port in the direction of traffic but the source is a bridge (VLAN), the rule does not affect the traffic and you must apply the rule to the bridge. - If you need to apply a rule to all transit traffic, use the FORWARD chain, not the OUTPUT chain. ### ACL Rule Installation Failure @@ -1379,7 +1379,7 @@ failed. ## Route Reflectors 
diff --git a/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md b/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md index 1115a8a178..64243e1a9a 100644 --- a/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md +++ b/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md @@ -483,7 +483,7 @@ cumulus@leaf01:mgmt:~$ nv config apply You can also set a flag to indicate that the neighbour is a router (`is-router`) or learned externally (`ext_learn`) and set the neighbor state (`delay`, `failed`, `incomplete`, `noarp`, `permanent`, `probe`, `reachable`, or `stale`). ``` -cumulus@leaf01:mgmt:~$ nv set interface swp51 neighbor ipv6 fe80::4ab0:2dff:fea2:4c79 lladdr 00:00:5E:00:53:51 flag in-router +cumulus@leaf01:mgmt:~$ nv set interface swp51 neighbor ipv6 fe80::4ab0:2dff:fea2:4c79 lladdr 00:00:5E:00:53:51 flag is-router cumulus@leaf01:mgmt:~$ nv set interface swp51 neighbor ipv6 fe80::4ab0:2dff:fea2:4c79 lladdr 00:00:5E:00:53:51 state permanent cumulus@leaf01:mgmt:~$ nv config apply ``` diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index d3c9b1d87c..43c50e7c2f 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -30,7 +30,6 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} commands - {{}} - {{}} - - {{}} - {{}} - Commands to {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. From 6b5cf7f7ac9d7c2fc681a2f4e8bff1f8f37ea4aa Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 14:25:04 -0800 Subject: [PATCH 085/204] updates to what's new --- content/cumulus-linux-57/Whats-New/_index.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 43c50e7c2f..4dfa6e8e10 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -19,21 +19,21 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im ### New Features and Enhancements - {{}} -- {{}} -- {{}} -- {{}} +- {{}} +- {{}} +- {{}} - NVUE enhancements include: - {{}} - {{}} - {{}} - {{}} - - {{}} commands + - {{}} - {{}} - {{}} - {{}} - - Commands to {{}} for the NVUE REST API + - {{}} for the NVUE REST API - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. - - Show commands to see the {{}} and {{}} + - Commands to show {{}} and {{}} - Commands to show the {{}} and {{}} and to add static entries to the {{}} and {{}} - Enhanced {{}} command output now in table format - Improvements to {{}} From eec9b53a818ebc4d1c5c503bcdb635919050bcd5 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 22:28:29 +0000 Subject: [PATCH 086/204] Automated release note commit --- content/cumulus-linux-52/Whats-New/rn.md | 2 -- content/cumulus-linux-52/rn.xml | 12 ------------ content/cumulus-linux-53/Whats-New/rn.md | 2 -- content/cumulus-linux-53/rn.xml | 12 ------------ content/cumulus-linux-54/Whats-New/rn.md | 1 - content/cumulus-linux-54/rn.xml | 6 ------ content/cumulus-linux-55/Whats-New/rn.md | 2 -- content/cumulus-linux-55/rn.xml | 12 ------------ content/cumulus-linux-56/Whats-New/rn.md | 1 - content/cumulus-linux-56/rn.xml | 6 ------ 10 files changed, 56 deletions(-) diff --git a/content/cumulus-linux-52/Whats-New/rn.md b/content/cumulus-linux-52/Whats-New/rn.md index 404d90c0a0..d6df4dd517 100644 --- a/content/cumulus-linux-52/Whats-New/rn.md +++ b/content/cumulus-linux-52/Whats-New/rn.md @@ -40,7 +40,6 @@ pdfhidden: True | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3308248](#3308248)
| DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER). | 5.2.0-5.3.1 | 5.4.0-5.6.0| @@ -173,7 +172,6 @@ pdfhidden: True | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3308248](#3308248)
| DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER). | 5.2.0-5.3.1 | 5.4.0-5.6.0| diff --git a/content/cumulus-linux-52/rn.xml b/content/cumulus-linux-52/rn.xml index 2ed5df0357..fd926348d8 100644 --- a/content/cumulus-linux-52/rn.xml +++ b/content/cumulus-linux-52/rn.xml @@ -176,12 +176,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.4.0-5.6.0 -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 @@ -1022,12 +1016,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.4.0-5.6.0 -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 diff --git a/content/cumulus-linux-53/Whats-New/rn.md b/content/cumulus-linux-53/Whats-New/rn.md index d91da49a53..00b3749e14 100644 --- a/content/cumulus-linux-53/Whats-New/rn.md +++ b/content/cumulus-linux-53/Whats-New/rn.md @@ -59,7 +59,6 @@ pdfhidden: True | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.6.0| | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3330600](#3330600)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | 5.5.0-5.6.0| @@ -178,7 +177,6 @@ pdfhidden: True | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.6.0| | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3330600](#3330600)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | diff --git a/content/cumulus-linux-53/rn.xml b/content/cumulus-linux-53/rn.xml index d5024ad972..24a335aa64 100644 --- a/content/cumulus-linux-53/rn.xml +++ b/content/cumulus-linux-53/rn.xml @@ -304,12 +304,6 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.6.0 -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 @@ -1039,12 +1033,6 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.6.0 -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 diff --git a/content/cumulus-linux-54/Whats-New/rn.md b/content/cumulus-linux-54/Whats-New/rn.md index e7b5d4a0c0..6078e2b861 100644 
--- a/content/cumulus-linux-54/Whats-New/rn.md +++ b/content/cumulus-linux-54/Whats-New/rn.md @@ -88,7 +88,6 @@ pdfhidden: True | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.6.0| | [3339278](#3339278)
| When you use the NVUE REST API with a TACACS+ user account, you see authentication failures. To work around this issue, replace the /etc/pam.d/nvueapi file with the following content:
@include common-auth@include common-account@include common-session-noninteractive
After you replace the content, run these two commands:
cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map
cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map
| 5.4.0 | 5.5.0-5.6.0| | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | 5.6.0| -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | 5.5.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | diff --git a/content/cumulus-linux-54/rn.xml b/content/cumulus-linux-54/rn.xml index e2728d4cd8..ffbf6903a1 100644 --- a/content/cumulus-linux-54/rn.xml +++ b/content/cumulus-linux-54/rn.xml @@ -504,12 +504,6 @@ cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map 5.6.0 -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 diff --git a/content/cumulus-linux-55/Whats-New/rn.md b/content/cumulus-linux-55/Whats-New/rn.md index 7417b18391..14568b4886 100644 --- a/content/cumulus-linux-55/Whats-New/rn.md +++ b/content/cumulus-linux-55/Whats-New/rn.md @@ -87,7 +87,6 @@ pdfhidden: True | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0| | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | 5.6.0| -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | @@ -209,7 +208,6 @@ pdfhidden: True | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0| | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | 5.6.0| -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | diff --git a/content/cumulus-linux-55/rn.xml b/content/cumulus-linux-55/rn.xml index faad14d573..bc9e5660c4 100644 --- a/content/cumulus-linux-55/rn.xml +++ b/content/cumulus-linux-55/rn.xml @@ -507,12 +507,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.6.0 -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 @@ -1281,12 +1275,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.6.0 -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index eb6f8e9e74..6fa94d5d99 100644 
--- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -66,7 +66,6 @@ pdfhidden: True | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.6.0 | | | [3345054](#3345054)
| The NVUE nv show interface qos command takes a significant time to show output or times out. To work around this issue, use specific QoS commands. For example, to show congestion control information, run the nv show interface qos congestion-control command. | 5.4.0-5.6.0 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | -| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | diff --git a/content/cumulus-linux-56/rn.xml b/content/cumulus-linux-56/rn.xml index 15e704bb37..82e37d6837 100644 --- a/content/cumulus-linux-56/rn.xml +++ b/content/cumulus-linux-56/rn.xml @@ -367,12 +367,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on -3334275 -The {{sensors.conf}} files in Cumulus Linux are out of date. -5.2.0-5.6.0 - - - 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 From 5386d0f00a6c3689951b1a155a37e37dc13b19ed Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 15:09:53 -0800 Subject: [PATCH 087/204] changes --- .../Layer-3/Address-Resolution-Protocol-ARP.md | 2 +- content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md | 4 ++-- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md b/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md index 1ee03a2c86..2152ac60f7 100644 --- a/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md +++ b/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md 
@@ -390,7 +390,7 @@ ipv6 fe80::4ab0:2dff:fea2:4c79 48:b0:2d:a2:4c:79 reachable is-router ``` -To show table entries for an interface with a specific IPv4 address: +To show table entries for an interface with a specific IPv4 address, run the `nv show interface neighbor ipv4 ` command: ``` cumulus@leaf01:mgmt:~$ nv show interface swp51 neighbor ipv4 169.254.0.1 diff --git a/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md b/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md index 64243e1a9a..b64cc418d5 100644 --- a/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md +++ b/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md @@ -557,7 +557,7 @@ fe80::4ab0:2dff:fe3f:69d6 dev peerlink.4094 lladdr 48:b0:2d:3f:69:d6 router REAC ... ``` -To show table entries for a specific interface, run the `nv show interface neighbor` command: +To show table entries for a specific interface, run the `nv show interface neighbor` command: ``` cumulus@leaf01:mgmt:~$ nv show interface swp51 neighbor @@ -574,7 +574,7 @@ ipv6 fe80::4ab0:2dff:fea2:4c79 48:b0:2d:a2:4c:79 reachable is-router ``` -To show table entries for an interface with a specific IPv6 address: +To show table entries for an interface with a specific IPv6 address, run the `nv show interface neighbor ipv6 ` command: ``` cumulus@leaf01:mgmt:~$ nv show interface swp51 neighbor ipv6 fe80::4ab0:2dff:fea2:4c79 diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index 949a4c502b..6da1c52721 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -61,10 +61,10 @@ To import a certificate, run the following commands. If the certificate is passp You must provide a certificate ID (``) to uniquely identify the certificate being imported. -The following example imports a CA certificate with the public key `AFCB12334…==` and calls the certificate `tls-cert-1`. The certificate is passphrase protected with `hell0$`. The public key is a Base64 ASCII encoded PEM string. +The following example imports a CA certificate with the public key `AFCB12334SUSnDy8cArHfRf3sFcHgEhW5L0rLwno` and calls the certificate `tls-cert-1`. The certificate is passphrase protected with `hell0$`. The public key is a Base64 ASCII encoded PEM string. ``` -cumulus@switch:~$ nv action import system security ca-certificate tls-cert-1 data "AFCB12334…==" passphrase hell0$ +cumulus@switch:~$ nv action import system security ca-certificate tls-cert-1 data "AFCB12334SUSnDy8cArHfRf3sFcHgEhW5L0rLwno" passphrase hell0$ cumulus@switch:~$ nv config apply ``` From ecdd41107f07d38cbe24262cafe1a894b2e14a41 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 29 Nov 2023 15:18:48 -0800 Subject: [PATCH 088/204] fix certificates --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index 6da1c52721..2224d81870 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
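Review bot: In the NVUE-API.md import example, the replacement value `AFCB12334SUSnDy8cArHfRf3sFcHgEhW5L0rLwno` no longer signals that it is shortened, as the old `AFCB12334…==` did. The surrounding sentence still calls it a public key and a Base64 ASCII encoded PEM string, so a reader can mistake it for a complete value in the expected format. Suggest keeping an explicit placeholder for the `data` argument, or stating in the sentence that the value is abbreviated for illustration. The same example passes `passphrase hell0$` inline on the command line, so it is worth a sentence noting that a passphrase typed this way is retained in shell history.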
@@ -143,7 +143,7 @@ To delete a certificate and the key data stored on the switch: - To delete an entity certificate and the key data stored on the switch, run the `nv action delete system security certificate ` command. - To delete a CA certificate and the key data stored on the switch, run the `nv action delete system security ca-certificate ` command. -The following command deletes the CA certificate `tls-cert-1`: +The following command deletes the certificate `tls-cert-1`: ``` cumulus@switch:~$ nv action delete system security certificate tls-cert-1 From 194972bf9eb5ace118ad656b10a1167a0fd46441 Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Thu, 30 Nov 2023 14:13:52 -0500 Subject: [PATCH 089/204] changed "above" to "later" --- content/cumulus-netq-48/Flow-Analysis/_index.md | 2 +- .../Install-NetQ/Install-NIC-and-DPU-Agents.md | 2 +- .../Installation-Management/Install-NetQ/Install-NetQ-CLI.md | 2 +- .../Install-NetQ/In\342\200\214stall-NetQ-Agents.md" | 2 +- .../Install-NetQ/In\342\200\214stall-On-switch-OPTA.md" | 2 +- content/cumulus-netq-48/Lifecycle-Management/CL-Upgrade-LCM.md | 2 +- .../Manage-Events-and-Notifications/Monitor-WJH-Events.md | 2 +- .../Monitor-Operations/Monitor-Adaptive-Routing.md | 2 +- content/cumulus-netq-48/Monitor-Operations/Monitor-PTP.md | 2 +- content/cumulus-netq-48/Monitor-Operations/Monitor-Switches.md | 2 +- content/cumulus-netq-48/Whats-New/_index.md | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/content/cumulus-netq-48/Flow-Analysis/_index.md b/content/cumulus-netq-48/Flow-Analysis/_index.md index 241c53e0c8..ed0d2e4cb9 100644 --- a/content/cumulus-netq-48/Flow-Analysis/_index.md +++ b/content/cumulus-netq-48/Flow-Analysis/_index.md 
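Review bot: The delete example in this hunk still uses the ID `tls-cert-1`, which the import example earlier in the same file creates as a CA certificate with `nv action import system security ca-certificate tls-cert-1`. Dropping "CA" from the sentence makes the prose agree with the unchanged command `nv action delete system security certificate tls-cert-1`, but the page now imports `tls-cert-1` as a CA certificate and deletes it as an entity certificate. Suggest either changing the command to `nv action delete system security ca-certificate tls-cert-1` and keeping "CA certificate" in the sentence, or using a different certificate ID in the entity certificate example so the two cases stay distinct.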
@@ -9,7 +9,7 @@ Create a flow analysis to sample data from TCP and UDP flows in your environment {{}} -Flow analysis is supported on NVIDIA Spectrum-2 switches and above. It requires a switch fabric running Cumulus Linux version 5.0 or above. +Flow analysis is supported on NVIDIA Spectrum-2 switches and later. It requires a switch fabric running Cumulus Linux version 5.0 or later. You must enable {{}} (LCM) to run a flow analysis. If LCM is disabled, you will not see the flow analysis icon in the UI. LCM is enabled for on-premises deployments by default and disabled for cloud deployments by default. Contact your local NVIDIA sales representative or submit a support ticket to activate LCM on cloud deployments. diff --git a/content/cumulus-netq-48/Installation-Management/Install-NetQ/Install-NIC-and-DPU-Agents.md b/content/cumulus-netq-48/Installation-Management/Install-NetQ/Install-NIC-and-DPU-Agents.md index e65130fe53..0b14defb3b 100644 --- a/content/cumulus-netq-48/Installation-Management/Install-NetQ/Install-NIC-and-DPU-Agents.md +++ b/content/cumulus-netq-48/Installation-Management/Install-NetQ/Install-NIC-and-DPU-Agents.md @@ -9,7 +9,7 @@ Installing NetQ telemetry agents on your hosts with {{}} for lifecycle management to work properly. {{}} -LCM with the on-switch OPTA service is supported on NVIDIA Spectrum-2 platforms and above. +LCM with the on-switch OPTA service is supported on NVIDIA Spectrum-2 platforms and later. {{}} After installing and configuring the `netq-opta` package, enable the LCM executor with the following commands: diff --git a/content/cumulus-netq-48/Lifecycle-Management/CL-Upgrade-LCM.md b/content/cumulus-netq-48/Lifecycle-Management/CL-Upgrade-LCM.md index 6a860da9e4..f2086c2989 100644 --- a/content/cumulus-netq-48/Lifecycle-Management/CL-Upgrade-LCM.md +++ b/content/cumulus-netq-48/Lifecycle-Management/CL-Upgrade-LCM.md 
@@ -9,7 +9,7 @@ toc: 4 You can upgrade Cumulus Linux from: - Cumulus Linux 4.3.0 and 4.3.1 (Broadcom switches) -- Cumulus Linux 5.0.0 and above (Spectrum switches) +- Cumulus Linux 5.0.0 and later (Spectrum switches) You can upgrade switches running Cumulus Linux 5.0.0 or later that are managed with flat configuration files or with NVUE. diff --git a/content/cumulus-netq-48/Manage-Events-and-Notifications/Monitor-WJH-Events.md b/content/cumulus-netq-48/Manage-Events-and-Notifications/Monitor-WJH-Events.md index fe5bdffe87..29113b5cc4 100644 --- a/content/cumulus-netq-48/Manage-Events-and-Notifications/Monitor-WJH-Events.md +++ b/content/cumulus-netq-48/Manage-Events-and-Notifications/Monitor-WJH-Events.md @@ -18,7 +18,7 @@ To use a gNMI client to export WJH data to a collector, refer to {{}} documentation. +Queue length monitoring is supported on Spectrum switches running Cumulus Linux 5.1 and later. To display queue histogram data, you must set the snapshot file count to at least 120 when you are configuring ASIC monitoring, as described in step 9 in the {{}} documentation. {{}} diff --git a/content/cumulus-netq-48/Whats-New/_index.md b/content/cumulus-netq-48/Whats-New/_index.md index e3e7848482..ac4221d9db 100644 --- a/content/cumulus-netq-48/Whats-New/_index.md +++ b/content/cumulus-netq-48/Whats-New/_index.md 
@@ -39,7 +39,7 @@ Enabling {{ Date: Thu, 30 Nov 2023 19:31:53 +0000 Subject: [PATCH 090/204] Automated release note commit --- content/cumulus-linux-43/Whats-New/rn.md | 2 ++ content/cumulus-linux-43/rn.xml | 12 ++++++++++ content/cumulus-linux-44/Whats-New/rn.md | 5 ++++ content/cumulus-linux-44/rn.xml | 30 ++++++++++++++++++++++++ content/cumulus-linux-52/Whats-New/rn.md | 2 ++ content/cumulus-linux-52/rn.xml | 12 ++++++++++ content/cumulus-linux-53/Whats-New/rn.md | 2 ++ content/cumulus-linux-53/rn.xml | 12 ++++++++++ content/cumulus-linux-54/Whats-New/rn.md | 1 + content/cumulus-linux-54/rn.xml | 6 +++++ content/cumulus-linux-55/Whats-New/rn.md | 2 ++ content/cumulus-linux-55/rn.xml | 12 ++++++++++ content/cumulus-linux-56/Whats-New/rn.md | 1 + content/cumulus-linux-56/rn.xml | 6 +++++ 14 files changed, 105 insertions(+) diff --git a/content/cumulus-linux-43/Whats-New/rn.md b/content/cumulus-linux-43/Whats-New/rn.md index 72ad8c779b..1b89e2b9cf 100644 --- a/content/cumulus-linux-43/Whats-New/rn.md +++ b/content/cumulus-linux-43/Whats-New/rn.md @@ -15,6 +15,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-5.5.1 | 5.6.0| +| [3600912](#3600912)
| In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| @@ -316,6 +317,7 @@ pdfhidden: True |--- |--- |--- |--- | | [3647731](#3647731)
None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that "agent forwarding should be enabled with caution"), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P '')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5| | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | +| [3600912](#3600912)
| In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. | 4.3.1-4.4.5 | | | [3534654](#3534654)
| On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart switchd after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. | 4.3.1 | 4.3.2-4.4.5| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3486888](#3486888)
None | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 4.3.0-4.3.1 | 4.3.2-4.4.5, 5.6.0| diff --git a/content/cumulus-linux-43/rn.xml b/content/cumulus-linux-43/rn.xml index c649894bb7..92b9262385 100644 --- a/content/cumulus-linux-43/rn.xml +++ b/content/cumulus-linux-43/rn.xml @@ -13,6 +13,12 @@ 5.6.0 +3600912 +In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. +4.3.1-4.4.5 + + + 3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 @@ -2220,6 +2226,12 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn +3600912 +In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. +4.3.1-4.4.5 + + + 3534654 On a Broadcom switch, Q-in-Q VLAN operations do not clear when you remove a bridge port from a VXLAN-enabled bridge. This can result in unexpected double tagged packets if the outer VLAN is still used on the bridge. To work around this issue, restart {{switchd}} after you modify or remove double tagged bridge ports from a VXLAN-enabled bridge. 4.3.1 diff --git a/content/cumulus-linux-44/Whats-New/rn.md b/content/cumulus-linux-44/Whats-New/rn.md index 864aff6b0c..7f7edd66e6 100644 
--- a/content/cumulus-linux-44/Whats-New/rn.md +++ b/content/cumulus-linux-44/Whats-New/rn.md @@ -15,6 +15,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | +| [3600912](#3600912)
| In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| @@ -306,6 +307,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | +| [3600912](#3600912)
| In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| @@ -621,6 +623,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | +| [3600912](#3600912)
| In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| @@ -927,6 +930,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | +| [3600912](#3600912)
| In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| @@ -1258,6 +1262,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [3647424](#3647424)
None | When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 4.3.0-4.4.5 | | +| [3600912](#3600912)
| In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. | 4.3.1-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0| | [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.6.0| diff --git a/content/cumulus-linux-44/rn.xml b/content/cumulus-linux-44/rn.xml index 08528bd25a..4783d287b1 100644 --- a/content/cumulus-linux-44/rn.xml +++ b/content/cumulus-linux-44/rn.xml @@ -13,6 +13,12 @@ +3600912 +In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. +4.3.1-4.4.5 + + + 3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 @@ -2108,6 +2114,12 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address +3600912 +In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. +4.3.1-4.4.5 + + + 3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 
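Review bot: The description added for issue 3600912 ends with "it might be local behind the VTEP", which does not say whether "it" is the host or the MAC entry, or which VTEP is meant, so a reader cannot tell what the incorrect state looks like on the switch. Suggest stating the symptom explicitly, for example that the MAC entry can point to a remote VTEP while the host is attached locally, if that is the intended meaning. The entry also lists 4.3.1-4.4.5 as affected with the fixed field left empty and no workaround; if either exists, add it. Because the subject marks this as an automated release note commit, make the wording change in the source issue record so the rn.md table rows and the other rn.xml copies of this entry stay identical.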
@@ -4332,6 +4344,12 @@ To work around this issue, restart {{switchd}} with the {{sudo systemctl restart +3600912 +In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. +4.3.1-4.4.5 + + + 3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 @@ -6520,6 +6538,12 @@ Fixed: 9.27~dfsg-2+deb10u5 +3600912 +In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. +4.3.1-4.4.5 + + + 3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 
@@ -8890,6 +8914,12 @@ The minimum supported size of the reserved VLAN range in the {{/etc/cumulus/swit +3600912 +In an MLAG EVPN configuration, if host mobility occurs multiple times at high frequency, the host MAC might point to an incorrect VTEP; it might be local behind the VTEP. +4.3.1-4.4.5 + + + 3488136 When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the {{nv action clear vrf <vrf> router bgp neighbor <neighbor> address-family <address-family> in}} command. 4.2.1-5.5.1 diff --git a/content/cumulus-linux-52/Whats-New/rn.md b/content/cumulus-linux-52/Whats-New/rn.md index d6df4dd517..404d90c0a0 100644 --- a/content/cumulus-linux-52/Whats-New/rn.md +++ b/content/cumulus-linux-52/Whats-New/rn.md @@ -40,6 +40,7 @@ pdfhidden: True | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3308248](#3308248)
| DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER). | 5.2.0-5.3.1 | 5.4.0-5.6.0| @@ -172,6 +173,7 @@ pdfhidden: True | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.6.0| | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3308248](#3308248)
| DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER). | 5.2.0-5.3.1 | 5.4.0-5.6.0| diff --git a/content/cumulus-linux-52/rn.xml b/content/cumulus-linux-52/rn.xml index fd926348d8..2ed5df0357 100644 --- a/content/cumulus-linux-52/rn.xml +++ b/content/cumulus-linux-52/rn.xml @@ -176,6 +176,12 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.4.0-5.6.0 +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 @@ -1016,6 +1022,12 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.4.0-5.6.0 +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 diff --git a/content/cumulus-linux-53/Whats-New/rn.md b/content/cumulus-linux-53/Whats-New/rn.md index 00b3749e14..d91da49a53 100644 --- a/content/cumulus-linux-53/Whats-New/rn.md +++ b/content/cumulus-linux-53/Whats-New/rn.md @@ -59,6 +59,7 @@ pdfhidden: True | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.6.0| | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3330600](#3330600)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | 5.5.0-5.6.0| @@ -177,6 +178,7 @@ pdfhidden: True | [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown
In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on secondary clag device on peerlink down trigger. This ensures smooth traffic flow and no convergence issue seen in system test bed with this fix. | 5.1.0-5.6.0 | | | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.6.0| | [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.6.0| +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.6.0| | [3330600](#3330600)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | diff --git a/content/cumulus-linux-53/rn.xml b/content/cumulus-linux-53/rn.xml index 24a335aa64..d5024ad972 100644 --- a/content/cumulus-linux-53/rn.xml +++ b/content/cumulus-linux-53/rn.xml @@ -304,6 +304,12 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.6.0 +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 @@ -1033,6 +1039,12 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.6.0 +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3330705 When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the {{prefer_ip_version}} configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. 3.7.0-5.3.1 diff --git a/content/cumulus-linux-54/Whats-New/rn.md b/content/cumulus-linux-54/Whats-New/rn.md index 6078e2b861..e7b5d4a0c0 100644 
--- a/content/cumulus-linux-54/Whats-New/rn.md +++ b/content/cumulus-linux-54/Whats-New/rn.md @@ -88,6 +88,7 @@ pdfhidden: True | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.6.0| | [3339278](#3339278)
| When you use the NVUE REST API with a TACACS+ user account, you see authentication failures. To work around this issue, replace the /etc/pam.d/nvueapi file with the following content:
@include common-auth@include common-account@include common-session-noninteractive
After you replace the content, run these two commands:
cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map
cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map
| 5.4.0 | 5.5.0-5.6.0| | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | 5.6.0| +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | 5.5.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | diff --git a/content/cumulus-linux-54/rn.xml b/content/cumulus-linux-54/rn.xml index ffbf6903a1..e2728d4cd8 100644 --- a/content/cumulus-linux-54/rn.xml +++ b/content/cumulus-linux-54/rn.xml @@ -504,6 +504,12 @@ cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map 5.6.0 +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 diff --git a/content/cumulus-linux-55/Whats-New/rn.md b/content/cumulus-linux-55/Whats-New/rn.md index 14568b4886..7417b18391 100644 --- a/content/cumulus-linux-55/Whats-New/rn.md +++ b/content/cumulus-linux-55/Whats-New/rn.md @@ -87,6 +87,7 @@ pdfhidden: True | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0| | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | 5.6.0| +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | @@ -208,6 +209,7 @@ pdfhidden: True | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0| | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | 5.6.0| +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | diff --git a/content/cumulus-linux-55/rn.xml b/content/cumulus-linux-55/rn.xml index bc9e5660c4..faad14d573 100644 --- a/content/cumulus-linux-55/rn.xml +++ b/content/cumulus-linux-55/rn.xml @@ -507,6 +507,12 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.6.0 +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 @@ -1275,6 +1281,12 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on 5.6.0 +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index 6fa94d5d99..eb6f8e9e74 100644 
--- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -66,6 +66,7 @@ pdfhidden: True | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.6.0 | | | [3345054](#3345054)
| The NVUE nv show interface qos command takes a significant time to show output or times out. To work around this issue, use specific QoS commands. For example, to show congestion control information, run the nv show interface qos congestion-control command. | 5.4.0-5.6.0 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.6.0 | | +| [3334275](#3334275)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.6.0 | | | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | diff --git a/content/cumulus-linux-56/rn.xml b/content/cumulus-linux-56/rn.xml index 82e37d6837..15e704bb37 100644 --- a/content/cumulus-linux-56/rn.xml +++ b/content/cumulus-linux-56/rn.xml @@ -367,6 +367,12 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on +3334275 +The {{sensors.conf}} files in Cumulus Linux are out of date. +5.2.0-5.6.0 + + + 3329518 When using TACACS+, if the {{/etc/nsswitch.conf}} file specifies {{passwd: files tacplus}} (files is listed before tacplus), a user that is present in both the local {{/etc/passwd}} file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list {{tacplus}} before {{files}} in {{/etc/nsswitch.conf}}. When using NVUE, ensure that {{tacacs}} has priority over {{local}}. 5.4.0-5.6.0 From a7fdc5b5c9ae1bc0be7c60917cce0bc706775dc1 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 30 Nov 2023 15:59:44 -0800 Subject: [PATCH 091/204] updates to role-based access --- .../Layer-2/MAC-Address-Translation.md | 2 +- .../Role-Based-Access-Control.md | 60 +++++++++++++++++-- .../Precision Time Protocol-PTP.md | 28 ++++----- 3 files changed, 70 insertions(+), 20 deletions(-) diff --git a/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md b/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md index af3e3f5a2e..a8f1be64b3 100644 --- a/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md +++ b/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md 
@@ -49,7 +49,7 @@ cumulus@switch:~$ nv config apply  To create rules, use `cl-acltool`. -To add rules using cl-acltool, either edit an existing file in the `/etc/cumulus/acl/policy.d` directory and add rules under `[ebtables]` or create a new file in the `/etc/cumulus/acl/policy.d` directory and add rules under an `[ebtables]` section. For example: +To add rules using `cl-acltool`, either edit an existing file in the `/etc/cumulus/acl/policy.d` directory and add rules under `[ebtables]` or create a new file in the `/etc/cumulus/acl/policy.d` directory and add rules under an `[ebtables]` section. For example: ``` cumulus@switch:~$ sudo nano /etc/cumulus/acl/policy.d/60_mac.rules diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index eea5b4c315..07fe1fce86 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -20,13 +20,63 @@ Custom role-based access control consists of the following elements: - When you configure a command path, you allow or deny a specific schema path and its children. For example the command path `/qos/` allows or denies access to QoS commands, whereas the command path `/qos/egress-scheduler` allows or denies access to QoS egress scheduler commands. {{%/notice%}} +The following example describes the permissions for a role (ROLE1) that consists of three classes: +- Class1 has the allow action +- Class2 has the allow action +- Class3 has the deny action + +Class1 + +| Command Path | Permissions | +| ------------ | ----------- | +| `/interface/` | `all`| +| `/interface/*/acl/` | `ro` | +| `/interface/*/ptp/` | `ro` | + +Class2 + +| Command Path | Permissions | +| ------------ | ----------- | +| `/system/` | `ro` | +| `/vrf/` | `rw` | + +Class3 + +| Command Path | Permissions | +| ------------ | ----------- | +| `/interface/*/evpn/`| `rw` | +| `/interface/*/qos/` | `rw` | + +The following table shows the permissions for a user assigned the role ROLE1. In the table, R is read only (RO), W is write, and X is action (ACT). 
+ +| Path | Allow | Deny | Permissions | +| -------- | --------- | ---------- | ----------- | +| `/acl/` | | RWX | Implicit deny | +| `/qos/` | | RWX | Implicit deny | +| All unspecified paths are implicit deny | | | | +| `/interface/` | RWX | | The permissions specified | +| `/interface/*` (* matches all interfaces) | | RWX | Inherited from parent | +| `/interface/*/bond/` | RWX | | Inherited from parent | +| `/interface/*/ip/` | RWX | | Inherited from parent | +| All unspecified children of `/interface/` inherit parent permissions | RWX| | | +| `/interface/*/acl/` | R | WX | The permissions specified | +| `/interface/*/ptp/` | R | WX | The permissions specified | +| `/interface/*/evpn/` | | RWX | The permissions specified | +| `/interface/*/qos/` | | RWX | The permissions specified | +| `/system/` | R | WX | The permissions specified | +| `/system/aaa/` | R | WX |Inherited from parent| +| `/system/api/` | R | WX |Inherited from parent| +| All unspecified children of `/system/` inherit parent permissions | R | | | +| `/vrf/` | RW | X | The permissions specified | +| All unspecified children of `/vrf/` inherit parent permissions| RW | X | | + ## Assign a Custom Role to a User Account To assign a custom role to a user account: -- Assign a role to a user. -- Create classes for the role. +- Create a role and classes for the role. - Add command paths and permissions for each class. -- Assign the action (`allow` or `deny`) for each class. +- Assign the action (allow or deny) for each class. +- Assign a role to a user. {{%notice note%}} You assign a custom role to an existing user account. For information about creating user accounts, see {{}} commands. 
@@ -35,10 +85,10 @@ You assign a custom role to an existing user account. For information about crea The following example assigns user1 the role of `switch-admin`. user1 can manage the entire switch except for authentication, authorization, and accounting settings (`system aaa`). ``` -cumulus@switch:~$ nv set system aaa user user1 role switch-admin cumulus@switch:~$ nv set system aaa role switch-admin class RESTRICT cumulus@switch:~$ nv set system aaa class restrict action deny cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/*/ +cumulus@switch:~$ nv set system aaa user user1 role switch-admin cumulus@switch:~$ nv config apply ``` @@ -86,7 +136,7 @@ cumulus@switch:~$ nv config apply ## Show Custom Role Information -To show the user accounts configured on the system, run the NVUE `nv show system aaa user` command or the linux `sudo cat /etc/passwd` command. +To show the user accounts configured on the system, run the NVUE `nv show system aaa user` command or the Linux `sudo cat /etc/passwd` command. ``` cumulus@switch:~$ nv show system aaa user diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index d1c2adf100..ec3c51ca98 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md 
@@ -488,8 +488,8 @@ cumulus@switch:~$ sudo systemctl restart ptp4l.service [PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a high precision signal each second, which can synchronize a system clock. The switch can receive PPS from an accurate PPS source as a slave to use for frequency synchronization of its clock and can also generate PPS as a master to other devices. Cumulus Linux supports two PPS modes: -- PPS Out is a signal that is generated every time the [PHC](## "Physical Hardware Clock") reaches 1-rounded second. This signal can provide synchronization to other PHC devices and to check if the clock is synchronized by comparing this signal with other outputs in the network. -- PPS In is a signal that is pushed to the switch from an external device. This allows the PHC to be synchronized to an external source capable of providing a PPS signal. +- PPS Out is a signal that generates every time the [PHC](## "Physical Hardware Clock") reaches 1-rounded second. This signal can provide synchronization to other PHC devices and to check if the clock is synchronized by comparing this signal with other outputs in the network. +- PPS In is a signal that an external device pushes to the switch. This allows the PHC to be synchronized to an external source capable of providing a PPS signal. #### Enable PPS Synchronization @@ -498,17 +498,17 @@ To enable PPS synchronization: {{< tabs "TabID541 ">}} {{< tab "NVUE Commands ">}} -To enable PPS out: +To enable PPS In: ``` -cumulus@switch:~$ nv set platform pulse-per-second out state enabled +cumulus@switch:~$ nv set platform pulse-per-second in state enabled cumulus@switch:~$ nv config apply ``` -To enable PPS In: +To enable PPS out: ``` -cumulus@switch:~$ nv set platform pulse-per-second in state enabled +cumulus@switch:~$ nv set platform pulse-per-second out state enabled cumulus@switch:~$ nv config apply ``` 
@@ -560,7 +560,7 @@ To enable PPS In: To enable PPS Out: -1.Edit the `/etc/linuxptp/pps_out.conf` file to set the following parameters. +1. Edit the `/etc/linuxptp/pps_out.conf` file to set the following parameters. ``` # Configuration file used for the pps_out.service @@ -601,7 +601,7 @@ You can configure these PPS settings: | PPS In Setting | Description | | ------- | ----------- | | `channel-index` | Sets the channel index. You can set a value of 1 or 0. The default value is 0.| -| `logging-level` | Sets the logging level for PPS In. You can specify `emergency`, `alert`, `critical`, `error`, `warning`, `notice`, `info`,or `debug`. The default logging level is `info`.| +| `logging-level` | Sets the logging level for PPS In. You can specify `emergency`, `alert`, `critical`, `error`, `warning`, `notice`, `info`, or `debug`. The default logging level is `info`.| | `pin-index` | Sets the pin index. You can set a value of 1 or 0. The default value is 0.| | `signal-polarity` | Sets the polarity of the PPS IN signal. You can specify `rising-edge`, `falling-edge`, or `both`. The default setting is `rising-edge`.| | `signal-width` | Sets the pulse width of the PPS IN signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| 
@@ -612,15 +612,15 @@ You can configure these PPS settings: | `channel-index`| Sets the channel index. You can set a value of 1 or 0. The default value is 0.| | `frequency-adjustment` | Sets the frequency adjustment of the PPS Out signal. You can set a value between 1000000000 and 2147483647. The default value is 1000000000.| | `phase-adjustment` | Sets the phase adjustment of the PPS Out signal. You can set a value between 0 and 1000000000. The default value is 0.| -| `pin-index` | Sets the pin index. The default value is 1. NVIDIA switches only support pin 1.| +| `pin-index` | Sets the pin index. The default value is 0.| | `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| {{< tabs "TabID592 ">}} {{< tab "NVUE Commands ">}} The following example configures PPS In and sets: -- The channel index to 1 -- The pin index to 1 +- The channel index to 1. +- The pin index to 1. - The signal width to 999000000. - The time stamp correction to 1000000000. - The logging level to `warning`. @@ -662,8 +662,8 @@ The following example configures PPS In and sets: - The pin index to 1 - The signal width to 999000000. - The time stamp correction to 1000000000. -- The logging level to `warning`. -- The polarity of the PPS IN signal to `falling-edge`. +- The logging level to 4 (warning). +- The polarity of the PPS IN signal to falling edge (`falling`). ``` # ts2phc is enabled @@ -671,7 +671,7 @@ The following example configures PPS In and sets: use_syslog 0 verbose 1 slave_event_monitor /var/run/ptp_sem.sock -logging_level 3 +logging_level 4 ts2phc.pulsewidth 999000000 ts2phc.tod_source ptp domainNumber 0 From 1674428b1b9afd36c6434e17f25c763853b049a7 Mon Sep 17 00:00:00 2001 
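Review bot: in the ROLE1 permissions table added to Role-Based-Access-Control.md, the row for `/interface/*` puts RWX in the Deny column and labels it "Inherited from parent", but the parent row `/interface/` has RWX in the Allow column and the sibling rows `/interface/*/bond/` and `/interface/*/ip/` inherit Allow. Move RWX to the Allow column or explain why the wildcard row is denied. The summary row for unspecified children of `/system/` also leaves Deny empty where `/system/aaa/` and `/system/api/` show WX, and Class3 lists `rw` with a deny action while its two paths show RWX denied; state whether X is denied implicitly, because readers will use this table to work out what a role can execute.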
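Review bot: the `switch-admin` example reordered in Role-Based-Access-Control.md attaches the class to the role as `RESTRICT` but sets its action and command path under `restrict`; use one spelling so the class bound to the role is the one that carries the deny. The `command-path /system/aaa/*/` line also has no `permission` value, unlike the `IFMgr` and `OSPF` examples later in the file. Finally, the new table says all unspecified paths are implicit deny, while the text above this example says user1 can manage the entire switch with only a deny class on the role; reconcile the two statements or add the allow class the example needs.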
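Review bot: in the PPS Out settings table of Precision Time Protocol-PTP.md, the `pin-index` row changes the default from 1 to 0 and drops "NVIDIA switches only support pin 1" without saying which values are now valid. If the restriction still holds, a default of 0 contradicts it; either way, list the accepted values in the row as the PPS In `pin-index` row does ("You can set a value of 1 or 0"). In the PPS mode bullets, "PPS Out is a signal that generates every time" reads as if the signal generates something; "that the switch generates" would match the reworded PPS In bullet.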
From: rachel-netq Date: Fri, 1 Dec 2023 11:20:36 -0500 Subject: [PATCH 092/204] deleted certificate KB article --- ...cate-Warning-when-Connecting-to-NetQ-UI.md | 81 ------------------- 1 file changed, 81 deletions(-) delete mode 100644 content/knowledge-base/Configuration-and-Usage/Cumulus-NetQ/Unsigned-Certificate-Warning-when-Connecting-to-NetQ-UI.md diff --git a/content/knowledge-base/Configuration-and-Usage/Cumulus-NetQ/Unsigned-Certificate-Warning-when-Connecting-to-NetQ-UI.md b/content/knowledge-base/Configuration-and-Usage/Cumulus-NetQ/Unsigned-Certificate-Warning-when-Connecting-to-NetQ-UI.md deleted file mode 100644 index 3da302109c..0000000000 --- a/content/knowledge-base/Configuration-and-Usage/Cumulus-NetQ/Unsigned-Certificate-Warning-when-Connecting-to-NetQ-UI.md +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -title: Unsigned Certificate Warning when Connecting to NetQ UI -author: NVIDIA -weight: 344 -toc: 4 ---- - -## Issue - -When I try to connect to the NetQ UI to configure my on-premises setup, I get a warning from my browser that the certificate is untrusted. - -## Environment - -- NetQ 3.0.0 - 3.1.0 - -## Resolution - -The NetQ UI ships with a self-signed certificate, which is why your browser issues a warning. You can avoid seeing this issue by installing your own signed certificate. - -To use a custom certificate, you need the following: - -- A valid X509 certificate. -- A private key file for the certificate. -- A DNS record name configured to access the NetQ UI. The FQDN should match the common name of the certificate. If you use a wild card in the common name — for example, if the common name of the certificate is _*.example.com_ — then the NetQ telemetry server should reside on a subdomain of that domain, accessible via a URL like _netq.example.com_. -- You must install and run NetQ. You can verify this by running the `netq show opta-health` command. - -To install a custom certificate: - -1. Log in to the NetQ telemetry server via SSH and copy your certificate and key file there. -1. Generate a Kubernetes secret called `netq-gui-ingress-tls` using following command: - - cumulus@netq-ts:~$ kubectl create secret tls netq-gui-ingress-tls \ - --namespace default \ - --key .key \ - --cert .crt - -1. Verify that you created the secret: - - cumulus@netq-ts:~$ kubectl get secret - - NAME TYPE DATA AGE - netq-gui-ingress-tls kubernetes.io/tls 2 5s - -1. Update the ingress rule file to install self signed certificates. Create a new file called `ingress.yaml` with following content. Make sure to replace `` with the FQDN of the NetQ server. 
- - apiVersion: extensions/v1beta1 - kind: Ingress - metadata: - annotations: - kubernetes.io/ingress.class: "ingress-nginx" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600" - nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" - nginx.ingress.kubernetes.io/proxy-body-size: 10g - nginx.ingress.kubernetes.io/proxy-request-buffering: "off" - name: netq-gui-ingress-external - namespace: default - spec: - rules: - - host: - http: - paths: - - backend: - serviceName: netq-gui - servicePort: 80 - tls: - - hosts: - - - secretName: netq-gui-ingress-tls - -1. Run the following command: - - cumulus@netq-ts:~$ kubectl apply -f ingress.yaml - - If your ingress rule is successfully configured, a message like the following appears: - - ingress.extensions/netq-gui-ingress-external configured - -Your custom certificate should now be working. Verify it in the UI by visiting `https://` in your browser. From 605e1880351513307972b30d2c7f129a1a48a1fe Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 08:32:45 -0800 Subject: [PATCH 093/204] updates to port security --- .../Layer-1-and-Switch-Ports/Port-Security.md | 26 ++++++++++--------- .../Role-Based-Access-Control.md | 24 ++++++++--------- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md index f3ea8a5c73..ab35eef30a 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md 
@@ -22,13 +22,15 @@ To configure port security: {{< tabs "TabID22 ">}} {{< tab "NVUE Commands ">}} -To enable security on a port, run the `nv set interface port-security enabled` command: +To enable security on a port, run the `nv set interface port-security enable on` command: ``` -cumulus@switch:~$ nv set interface swp1 port-security enable +cumulus@switch:~$ nv set interface swp1 port-security enable on cumulus@switch:~$ nv config apply ``` +You can disable port security on an interface with the `nv set interface port-security enable off` command + To configure the maximum number of MAC addresses allowed to access the port, run the `nv set interface port-security mac-limit` command. You can specify a value between 1 and 512. The default value is 32. ``` 
@@ -65,17 +67,17 @@ cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enable cumulus@switch:~$ nv config apply ``` -To configure the violation mode: `protodown` to put a port into ADMIN down state or `restrict` to drop packets, run the `nv set interface port-security violation-mode shutdown` command. +To configure violation mode, either run the `nv set interface port-security violation-mode protodown` command to put a port into ADMIN down state or run the `nv set interface port-security violation-mode restrict` command to drop packets. ``` cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown cumulus@switch:~$ nv config apply ``` -To configure the number of seconds after which the violation mode times out, run the `nv set interface port-security violation-timeout` command. You can specify a value between 0 and 3600 seconds. The default value is 1800 seconds. +To configure the number of seconds after which the violation mode times out, run the `nv set interface port-security violation-timeout` command. You can specify a value between 0 and 60 minutes. The default value is 30 seconds. ``` -cumulus@switch:~$ nv set interface swp1 port-security violation-timeout 3600 +cumulus@switch:~$ nv set interface swp1 port-security violation-timeout 60 cumulus@switch:~$ nv config apply ``` @@ -86,13 +88,13 @@ Add the configuration settings you want to use to the `/etc/cumulus/switchd.d/po |
Setting | Description| | --------| -----------| -| `interface..port_security.enable` | Enables and disables port security. 1 enables security on the port. 0 disables security on the port.| -| `interface..port_security.mac_limit` | Configures the maximum number of MAC addresses allowed to access the port. You can specify a number between 0 and 512. The default is 32.| +| `interface..port_security.enable` | Enables and disables port security. 1 enables security on the port. 0 disables security on the port. By default, port security is disabled.| +| `interface..port_security.mac_limit` | Configures the maximum number of MAC addresses allowed to access the port. You can specify a number between 0 and 512. The default value is 32.| | `interface..port_security.static_mac` | Configures the specific MAC addresses allowed to access the port. To specify multiple MAC addresses, separate each MAC address with a space.| | `interface..port_security.sticky_mac` | Enables and disables sticky MAC. 1 enables sticky MAC, where the first learned MAC address on the port is the only MAC address allowed. 0 disables sticky MAC. | -| `interface..port_security.sticky_timeout` | The time period after which the first learned MAC address ages out and no longer has access to the port. The default aging timeout value is 30 minutes. You can specify a value between 0 and 60 minutes.| +| `interface..port_security.sticky_timeout` | The time period after which the first learned MAC address ages out and no longer has access to the port. The default aging timeout value is 1800 seconds (30 minutes). You can specify a value between 0 and 3600 seconds (60 minutes).| | `interface..port_security.sticky_aging` | Enables and disables sticky MAC aging. 1 enables sticky MAC aging. 0 disables sticky MAC aging.| -| `interface..port_security.violation_mode` | Configures the violation mode: 0 (shutdown) puts a port into ADMIN down state. 
1 (restrict) drops packets.| +| `interface..port_security.violation_mode` | Configures the violation mode: 0 (protodown) puts a port into ADMIN down state. 1 (restrict) drops packets.| | `interface..port_security.violation_timeout` | Configures the number of seconds after which the violation mode times out. You can specify a value between 0 and 3600 seconds. The default value is 1800 seconds.| The following shows an example `/etc/cumulus/switchd.d/port_security.conf` configuration file: @@ -128,7 +130,7 @@ sticky-mac enabled sticky-timeout 2000 sticky-ageing enabled violation-mode protodown -violation-timeout 3600 +violation-timeout 60 Static MAC ============= @@ -140,13 +142,13 @@ mac-addresses No Data ``` -To show the port security static MAC addresses, run the `nv show interface port-security static-mac` command: +To show port security static MAC address information, run the `nv show interface port-security static-mac` command: ``` cumulus@switch:~$ nv show interface swp1 port-security static-mac ``` -To show the port security MAC addresses, run the `nv show interface port-security mac-addresses` command: +To show port security MAC address information, run the `nv show interface port-security mac-addresses` command: ``` cumulus@switch:~$ nv show interface swp1 port-security mac-addresses diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index 07fe1fce86..bf5b8047b6 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -25,7 +25,7 @@ The following example describes the permissions for a role (ROLE1) that consists - Class2 has the allow action - Class3 has the deny action -Class1 +**Class1** | Command Path | Permissions | | ------------ | ----------- | @@ -33,21 +33,21 @@ Class1 | `/interface/*/acl/` | `ro` | | `/interface/*/ptp/` | `ro` | -Class2 +**Class2** | Command Path | Permissions | | ------------ | ----------- | | `/system/` | `ro` | | `/vrf/` | `rw` | -Class3 +**Class3** | Command Path | Permissions | | ------------ | ----------- | | `/interface/*/evpn/`| `rw` | | `/interface/*/qos/` | `rw` | -The following table shows the permissions for a user assigned the role ROLE1. In the table, R is read only (RO), W is write, and X is action (ACT). +The following table shows the permissions for a user assigned the role ROLE1, which has the three classes Class1, Class2, and Class3. In the table, R is read only (RO), W is write, and X is action (ACT). | Path | Allow | Deny | Permissions | | -------- | --------- | ---------- | ----------- | @@ -74,8 +74,8 @@ The following table shows the permissions for a user assigned the role ROLE1. In To assign a custom role to a user account: - Create a role and classes for the role. -- Add command paths and permissions for each class. - Assign the action (allow or deny) for each class. +- Add command paths and permissions for each class. - Assign a role to a user. {{%notice note%}} @@ -95,7 +95,6 @@ cumulus@switch:~$ nv config apply The following example assigns user2 the role of `IFMgr`. user2 can manage the loopback, management, eth0, and swp1 through 3 interfaces. ``` -cumulus@switch:~$ nv set system aaa user user2 role IFMgr cumulus@switch:~$ nv set system aaa role IFMgr class InterfaceMgmt_1 cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action allow cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/lo permission all 
@@ -104,16 +103,17 @@ cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interfac cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp1 permission all cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp2 permission all cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp3 permission all +cumulus@switch:~$ nv set system aaa user user2 role IFMgr cumulus@switch:~$ nv config apply ``` The following example assigns user3 the role of `OSPF`. user3 does **not** have permissions to manage OSPF on an interface. ``` -cumulus@switch:~$ nv set system aaa user user3 role OSPF cumulus@switch:~$ nv set system aaa role OSPF class OSPF-DENY cumulus@switch:~$ nv set system aaa class OSPF-DENY action deny cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/router/ospf/ permission all +cumulus@switch:~$ nv set system aaa user user3 role OSPF cumulus@switch:~$ nv config apply ``` @@ -179,7 +179,7 @@ uuidd Unknown system www-data www-data Unknown system ``` -To show information about a specific user account including the role assigned to the user, run the run the NVUE `nv show system aaa user ` command: +To show information about a specific user account including the role assigned to the user, run the NVUE `nv show system aaa user ` command: ``` cumulus@switch:~$ nv show system aaa user user2 @@ -190,7 +190,7 @@ full-name enable on on ``` -To show all the roles configured on the switch: +To show all the roles configured on the switch, run the NVUE `nv show system aaa role` command: ``` cumulus@switch:~$ nv show system aaa role @@ -204,7 +204,7 @@ system-admin nvapply sudo ``` -To show the classes applied to specific role: +To show the classes applied to specific role, run the `nv show system aaa role ` command: ``` cumulus@switch:~$ nv show system aaa role IFMgr 
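Review bot: The sentence added in the last hunk here reads "To show the classes applied to specific role", which is missing an article; it should be "applied to a specific role". The two sentences added just above it say "run the NVUE `nv show system aaa ...` command", while this one and the two class sentences that follow drop "NVUE". Pick one form for all five show commands.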
@@ -213,7 +213,7 @@ cumulus@switch:~$ nv show system aaa role IFMgr [class] InterfaceMgmt_1 ``` -To show all the classes configured on the switch: +To show all the classes configured on the switch, run the `nv show system aaa class` command: ``` cumulus@switch:~$ nv show system aaa class @@ -231,7 +231,7 @@ nvshow / ro allow sudo / all allow ``` -To show the configuration and state of the command-paths for a class: +To show the configuration and state of the command-paths for a class, run the `nv show system aaa class ` command: ``` cumulus@switch:~$ nv show system aaa class OSPF-DENY From d712b1a5d24e14ec757e73b0d850cbbe6fe7f943 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 08:38:01 -0800 Subject: [PATCH 094/204] minor updates --- .../Layer-1-and-Switch-Ports/Port-Security.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md index ab35eef30a..6449f07ecb 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md @@ -74,7 +74,7 @@ cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown cumulus@switch:~$ nv config apply ``` -To configure the number of seconds after which the violation mode times out, run the `nv set interface port-security violation-timeout` command. You can specify a value between 0 and 60 minutes. The default value is 30 seconds. +To configure the number of seconds after which the violation mode times out, run the `nv set interface port-security violation-timeout` command. You can specify a value between 0 and 60 minutes. The default value is 30 minutes. ``` cumulus@switch:~$ nv set interface swp1 port-security violation-timeout 60 
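Review bot: The corrected sentence in the `@@ -74,7 +74,7 @@` hunk still mixes units. It opens with "the number of seconds after which the violation mode times out" but gives the range and the default in minutes, and the example under it sets `violation-timeout 60` without saying which unit applies. The switchd table in the same file documents `violation_timeout` as 0 to 3600 seconds with a default of 1800 seconds. State once which unit the NVUE command takes, then express the range, the default and the example value in that unit.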
@@ -92,9 +92,9 @@ Add the configuration settings you want to use to the `/etc/cumulus/switchd.d/po | `interface..port_security.mac_limit` | Configures the maximum number of MAC addresses allowed to access the port. You can specify a number between 0 and 512. The default value is 32.| | `interface..port_security.static_mac` | Configures the specific MAC addresses allowed to access the port. To specify multiple MAC addresses, separate each MAC address with a space.| | `interface..port_security.sticky_mac` | Enables and disables sticky MAC. 1 enables sticky MAC, where the first learned MAC address on the port is the only MAC address allowed. 0 disables sticky MAC. | -| `interface..port_security.sticky_timeout` | The time period after which the first learned MAC address ages out and no longer has access to the port. The default aging timeout value is 1800 seconds (30 minutes). You can specify a value between 0 and 3600 seconds (60 minutes).| +| `interface..port_security.sticky_timeout` | The time period after which the first learned MAC address ages out and no longer has access to the port. You can specify a value between 0 and 3600 seconds (60 minutes). The default aging timeout value is 1800 seconds (30 minutes). | | `interface..port_security.sticky_aging` | Enables and disables sticky MAC aging. 1 enables sticky MAC aging. 0 disables sticky MAC aging.| -| `interface..port_security.violation_mode` | Configures the violation mode: 0 (protodown) puts a port into ADMIN down state. 1 (restrict) drops packets.| +| `interface..port_security.violation_mode` | Configures the violation mode: 0 (protodown) puts a port into ADMIN down state. 1 (restrict) drops packets. The default setting is 0.| | `interface..port_security.violation_timeout` | Configures the number of seconds after which the violation mode times out. You can specify a value between 0 and 3600 seconds. 
The default value is 1800 seconds.| The following shows an example `/etc/cumulus/switchd.d/port_security.conf` configuration file: From 8dd2b651f7f7bb73025fc98361df39c541af0ec7 Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Fri, 1 Dec 2023 12:26:45 -0500 Subject: [PATCH 095/204] deleted 5000 support note in 4.0 and 4.1 --- .../Manage-Deployment/Install-NetQ/Post-Config.md | 4 ---- .../Manage-Deployment/Install-NetQ/Post-Config.md | 4 ---- 2 files changed, 8 deletions(-) diff --git a/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/Post-Config.md b/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/Post-Config.md index e3f1506a31..d0768fd3de 100644 --- a/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/Post-Config.md +++ b/content/cumulus-netq-40/Manage-Deployment/Install-NetQ/Post-Config.md @@ -159,10 +159,6 @@ cumulus@:~$ netq install standalone activate-job config-key }} -Adding additional worker nodes increases availability, but does not increase scalability currently. NetQ supports a maximum of 5000 nodes regardless of the number of worker nodes in your cluster. -{{}} - To add more worker nodes: 1. Prepare the nodes. Refer to the relevant server cluster instructions in {{}}. diff --git a/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/Post-Config.md b/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/Post-Config.md index 89a462e154..df3d11e9ca 100644 --- a/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/Post-Config.md +++ b/content/cumulus-netq-41/Manage-Deployment/Install-NetQ/Post-Config.md @@ -161,10 +161,6 @@ cumulus@:~$ netq install standalone activate-job config-key }} -Adding additional worker nodes increases availability, but does not increase scalability currently. NetQ supports a maximum of 5000 nodes regardless of the number of worker nodes in your cluster. -{{}} - To add more worker nodes: 1. Prepare the nodes. Refer to the relevant server cluster instructions in {{}}. 
From cc612b3026b296e9f716148e34edb586506c25e8 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 09:46:51 -0800 Subject: [PATCH 096/204] updated port security output --- .../Layer-1-and-Switch-Ports/Port-Security.md | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md index 6449f07ecb..7d99522eda 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md @@ -122,15 +122,15 @@ To show port security configuration, run the `nv show interface p ``` cumulus@switch:~$ nv show interface swp1 port-security - operational applied ------------------ ----------- --------- -enable off on -mac-limit 100 -sticky-mac enabled -sticky-timeout 2000 -sticky-ageing enabled -violation-mode protodown -violation-timeout 60 + operational applied +----------------- ----------- -------- +enable on on +mac-limit 32 32 +sticky-mac disabled disabled +sticky-timeout 1800 1800 +sticky-ageing disabled disabled +violation-mode restrict restrict +violation-timeout 30 30 Static MAC ============= 
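Review bot: The replacement output in the `@@ -122,15 +122,15 @@` hunk no longer matches anything else on the page. The configuration examples earlier in this file set `violation-mode protodown` and `violation-timeout 60`, and the previous patch documents 0 (protodown) as the default violation mode, yet the sample now shows `violation-mode restrict` and `violation-timeout 30`. The rows also appear to use different units: `sticky-timeout 1800` next to `violation-timeout 30`. Either capture the output after running the documented example commands, or add a sentence saying which configuration produced it and which unit each timeout row uses.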
@@ -139,17 +139,18 @@ Static MAC mac-addresses ================ -No Data + entry-id MAC address Type Status + -------- ----------------- ------- --------- + 1 00:01:02:03:04:05 + 2 00:02:00:00:00:ab Static + 3 00:02:00:00:00:05 Static + 4 00:02:00:00:01:05 Static + 5 00:02:00:00:01:06 Static + 6 00:02:01:00:01:06 Static + 7 01:02:01:00:01:06 Static + 8 00:02:00:00:00:11 Dynamic Installed ``` To show port security static MAC address information, run the `nv show interface port-security static-mac` command: -``` -cumulus@switch:~$ nv show interface swp1 port-security static-mac -``` - -To show port security MAC address information, run the `nv show interface port-security mac-addresses` command: - -``` -cumulus@switch:~$ nv show interface swp1 port-security mac-addresses -``` +To show port security MAC address information, run the `nv show interface port-security mac-addresses` command From 9dfea70d4b3b42372b11f01823fe56d6dbd28731 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 10:39:58 -0800 Subject: [PATCH 097/204] updates to rbac --- .../Role-Based-Access-Control.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index bf5b8047b6..efd59a5098 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md 
@@ -21,9 +21,9 @@ Custom role-based access control consists of the following elements: {{%/notice%}} The following example describes the permissions for a role (ROLE1) that consists of three classes: -- Class1 has the allow action -- Class2 has the allow action -- Class3 has the deny action +- Class1 has the `allow` class action +- Class2 has the `allow` class action +- Class3 has the `deny` class action **Class1** @@ -47,7 +47,7 @@ The following example describes the permissions for a role (ROLE1) that consists | `/interface/*/evpn/`| `rw` | | `/interface/*/qos/` | `rw` | -The following table shows the permissions for a user assigned the role ROLE1, which has the three classes Class1, Class2, and Class3. In the table, R is read only (RO), W is write, and X is action (ACT). +The following table shows the permissions for a user assigned the role ROLE1, which has the three classes Class1, Class2, and Class3. In the table, R is read only (RO), W is write, and X is action commands (ACT). | Path | Allow | Deny | Permissions | | -------- | --------- | ---------- | ----------- | From 293581b0ee5d5c2cb09f205d48d33d8530ce44e6 Mon Sep 17 00:00:00 2001 From: Stu Clark Date: Fri, 1 Dec 2023 14:50:34 -0500 Subject: [PATCH 098/204] update google verification static files --- static/google414dccb230580839.html | 1 - static/googlea2d8a5588b2e7043.html | 1 + static/googleaf79eef54594f29e.html | 1 + 3 files changed, 2 insertions(+), 1 deletion(-) delete mode 100644 static/google414dccb230580839.html create mode 100644 static/googlea2d8a5588b2e7043.html create mode 100644 static/googleaf79eef54594f29e.html diff --git a/static/google414dccb230580839.html b/static/google414dccb230580839.html deleted file mode 100644 index 216688944e..0000000000 --- a/static/google414dccb230580839.html +++ /dev/null @@ -1 +0,0 @@ -google-site-verification: google414dccb230580839.html \ No newline at end of file 
diff --git a/static/googlea2d8a5588b2e7043.html b/static/googlea2d8a5588b2e7043.html new file mode 100644 index 0000000000..ec4714b886 --- /dev/null +++ b/static/googlea2d8a5588b2e7043.html @@ -0,0 +1 @@ +google-site-verification: googlea2d8a5588b2e7043.html \ No newline at end of file diff --git a/static/googleaf79eef54594f29e.html b/static/googleaf79eef54594f29e.html new file mode 100644 index 0000000000..9e64a58fcc --- /dev/null +++ b/static/googleaf79eef54594f29e.html @@ -0,0 +1 @@ +google-site-verification: googleaf79eef54594f29e.html \ No newline at end of file From 4b31e44b8b2441ed86f5c5c166e823d7a0e96cf6 Mon Sep 17 00:00:00 2001 From: Stu Clark Date: Fri, 1 Dec 2023 14:59:47 -0500 Subject: [PATCH 099/204] remove NetQ 4.7 RN gen exception --- utils/build_rns.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/build_rns.py b/utils/build_rns.py index a21b247f0d..be02ccc7b1 100644 --- a/utils/build_rns.py +++ b/utils/build_rns.py @@ -420,8 +420,8 @@ def build_rn_markdown_files(product, version_list): #### Temporarily skip NetQ 4.8.0 until Redmine updates complete - Nov 11 2023 # if version == "4.6.0": # continue - if version == "4.8.0": - continue + # if version == "4.8.0": + # continue if version_string(version) in major_minor: major_minor[version_string(version)].append(version) else: From b19b943c4bcab41089dbb34c6838e765d176eefe Mon Sep 17 00:00:00 2001 From: stu-clark Date: Fri, 1 Dec 2023 20:01:18 +0000 Subject: [PATCH 100/204] Automated release note commit --- content/cumulus-netq-48/Whats-New/rn.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/cumulus-netq-48/Whats-New/rn.md b/content/cumulus-netq-48/Whats-New/rn.md index 24a5b622a9..b80ca557c4 100644 --- a/content/cumulus-netq-48/Whats-New/rn.md +++ b/content/cumulus-netq-48/Whats-New/rn.md @@ -17,14 +17,16 @@ pdfhidden: True | [3649630](#3649630)
| LCM discovery might fail in a NetQ on-premises cluster deployment with the message Error: Connection failure: ('The read operation timed out',). To validate this issue is occurring, run the sudo kubectl get pods -o wide \| grep lcm-executor command and confirm the lcm-executor pod is deployed on a worker node instead of the expected master node. To work around this issue:
1. Retrieve your worker node names:
$ sudo kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1 Ready control-plane,master 18d v1.27.2
worker1 Ready 18d v1.27.2
worker2 Ready 18d v1.27.2
2. Disable pod scheduling on the worker nodes with the sudo kubectl cordon command.

3. Verify pod scheduling is disabled on the worker nodes:
$ sudo kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1 Ready control-plane,master 18d v1.27.2
worker1 Ready,SchedulingDisabled 18d v1.27.2
worker2 Ready,SchedulingDisabled 18d v1.27.2
4. Delete the lcm-executor pod with the delete pod netq-lcm-executor-deploy- command, retrieving the full lcm-executor pod name from the output of sudo kubectl get pods -o wide \| grep lcm-executor

5. Verify the lcm-executor pod is now scheduled on the master node with the sudo kubectl get pods -o wide \| grep lcm-executor command

6. Reenable scheduling on worker nodes with the sudo kubectl cordon command

7. Run your LCM discovery again. | 4.7.0-4.8.0 | | | [3649629](#3649629)
| When you upgrade an on-premises NetQ VM from version 4.7.0 to 4.8.0, the upgrade process might take longer than 4 hours. | 4.8.0 | | | [3644644](#3644644)
| When you perform an LCM upgrade of Cumulus Linux on a switch using the netq lcm upgrade cl-image CLI command, an error message of NetQ cloud token invalid is displayed though the upgrade completes successfully. This issue is not encountered when using the NetQ LCM UI to perform the upgrade. | 4.8.0 | | +| [3638703](#3638703)
| Upgrading to NetQ 4.8.0 might fail with the message Error: web socket connection broken to master. To work around this problem:
For standalone on-premises deployments:
1. Run the sudo netq bootstrap reset keep-db purge-images command
2. Run the install command using the NetQ 4.8.0 tarball: sudo netq install standalone full interface bundle /mnt/installables/NetQ-4.8.0.tgz
For cluster on-premises deployments:
1. Run the sudo netq bootstrap reset keep-db purge-images command
2. Run the sudo netq install cluster master-init command
3. Take the command output from step 2 and run it on each worker node
4. Run the install command using the NetQ 4.8.0 tarball: sudo netq install cluster full interface bundle /mnt/installables/NetQ-4.8.0.tgz workers | 4.8.0 | | +| [3634648](#3634648)
| The topology graph might show unexpected connections when devices in the topology do not have LLDP adjacencies. | 4.8.0 | | | [3633458](#3633458)
| The legacy topology diagram might categorize devices into tiers incorrectly. To work around this issue, use the updated topology diagram by selecting Topology Beta in the NetQ 4.8.0 UI. | 4.7.0-4.8.0 | | | [3632783](#3632783)
| LCM upgrades of Cumulus Linux fail when using an on-switch OPTA and in-band management. | 4.8.0 | | | [3632378](#3632378)
| After you upgrade your on-premises NetQ VM from version 4.7.0 to 4.8.0, NIC telemetry using the Prometheus adapter is not collected. To work around this issue, run the following commands on your NetQ VM:
sudo kubectl set image deployment/netq-prom-adapter netq-prom-adapter=docker-registry:5000/netq-prom-adapter:4.8.0
sudo kubectl set image deployment/netq-prom-adapter prometheus=docker-registry:5000/prometheus-v2.41.0:4.8.0
| 4.8.0 | | | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0 | | +| [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.8.0 | | | [3435373](#3435373)
| If your NetQ on-premises VM is not configured with at least 16 vCPUs, upgrades might fail with the following message:
Job upgrade failed or timed out
To work around this issue, reconfigure your VM to use 16 vCPUs before upgrading. | 4.5.0-4.8.0 | | | [3429528](#3429528)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | | | [2885312](#2885312)
| EVPN Validation Type 2 checks might show false Duplicate MAC events for MAC addresses that are not duplicated. An example of this is shown below:
EVPN Type 2 Test details:
Hostname Peer Name Peer Hostname Reason Last Changed
----------------- ----------------- ----------------- --------------------------------------------- -------------------------
torc-11 - - Duplicate Mac 00:02:00:00:00:55 VLAN 1249 at Sun Dec 5 18:26:14 2021
torc-21:vx-282 and torc-11:peerlink-3
| 4.1.0-4.8.0 | | -| [3634648](#3634648)
| The topology graph might show unexpected connections when devices in the topology do not have LLDP adjacencies. | 4.8.0 | | ### Fixed Issues in 4.8.0 | Issue ID | Description | Affects | @@ -32,5 +34,5 @@ pdfhidden: True | [3575935](#3575935)
| When you upgrade to NetQ 4.7.0, configured premises names might get reset to the default name OPID0. | 4.7.0 | | | [3575934](#3575934)
| When you upgrade to NetQ 4.7.0, the password for the admin user is reset to the default password. | 4.7.0 | | | [3555031](#3555031)
| NetQ incorrectly reports a low health SSD event on SN5600 switches. To work around this issue, configure an event suppression rule for ssdutil messages from SN5600 switches in your network. | 4.7.0 | | -| [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.7.0 | | -| [3530739](#3530739)
| Queue histogram data received from switches might encounter a delay before appearing in the NetQ UI. | 4.7.0 | | \ No newline at end of file +| [3530739](#3530739)
| Queue histogram data received from switches might encounter a delay before appearing in the NetQ UI. | 4.7.0 | | + From e2a7a542d629e887d45d65bb6d73d2e114c67597 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 12:18:33 -0800 Subject: [PATCH 101/204] updates to rbac --- .../Role-Based-Access-Control.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index efd59a5098..5b5d233e69 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md @@ -20,12 +20,9 @@ Custom role-based access control consists of the following elements: - When you configure a command path, you allow or deny a specific schema path and its children. For example the command path `/qos/` allows or denies access to QoS commands, whereas the command path `/qos/egress-scheduler` allows or denies access to QoS egress scheduler commands. {{%/notice%}} -The following example describes the permissions for a role (ROLE1) that consists of three classes: -- Class1 has the `allow` class action -- Class2 has the `allow` class action -- Class3 has the `deny` class action +The following example describes the permissions for a role (ROLE1) that consists of three classes: Class1, Class2, Class3 -**Class1** +**Class1** has the `allow` class action and the following command path permissions: | Command Path | Permissions | | ------------ | ----------- | 
@@ -33,21 +30,21 @@ The following example describes the permissions for a role (ROLE1) that consists | `/interface/*/acl/` | `ro` | | `/interface/*/ptp/` | `ro` | -**Class2** +**Class2** has the `allow` class action and the following command path permissions: | Command Path | Permissions | | ------------ | ----------- | | `/system/` | `ro` | | `/vrf/` | `rw` | -**Class3** +**Class3** has the `deny` class action and the following command path permissions: | Command Path | Permissions | | ------------ | ----------- | | `/interface/*/evpn/`| `rw` | | `/interface/*/qos/` | `rw` | -The following table shows the permissions for a user assigned the role ROLE1, which has the three classes Class1, Class2, and Class3. In the table, R is read only (RO), W is write, and X is action commands (ACT). +The following table shows the permissions for a user assigned the role ROLE1. In the table, R is read only (RO), W is write, and X is action (ACT). | Path | Allow | Deny | Permissions | | -------- | --------- | ---------- | ----------- | From 2a392cd8dc9090317ef5aae7734c43eb4892f1af Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 13:46:39 -0800 Subject: [PATCH 102/204] updated certificates --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 33 +++++++++++++++---- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index 2224d81870..c937028af0 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -61,20 +61,18 @@ To import a certificate, run the following commands. If the certificate is passp You must provide a certificate ID (``) to uniquely identify the certificate being imported. -The following example imports a CA certificate with the public key `AFCB12334SUSnDy8cArHfRf3sFcHgEhW5L0rLwno` and calls the certificate `tls-cert-1`. The certificate is passphrase protected with `hell0$`. The public key is a Base64 ASCII encoded PEM string. +The following example imports a CA certificate with a public key and calls the certificate `tls-cert-1`. The certificate is passphrase protected with `mypassphrase`. The public key is a Base64 ASCII encoded PEM string. ``` -cumulus@switch:~$ nv action import system security ca-certificate tls-cert-1 data "AFCB12334SUSnDy8cArHfRf3sFcHgEhW5L0rLwno" passphrase hell0$ -cumulus@switch:~$ nv config apply +cumulus@switch:~$ nv action import system security ca-certificate tls-cert-1 passphrase mypassphrase data ""  ``` -The following example imports an entity certificate bundle and calls the certificate `tls-cert-1`. The certificate bundle is passphrase protected with `hell0$`. +The following example imports an entity certificate bundle and calls the certificate `tls-cert-1`. The certificate bundle is passphrase protected with `mypassphrase`. A certificate bundle must be in .PFX or .P12 format. ``` -cumulus@switch:~$ nv action import system security certificate tls-cert-1 uri-bundle scp://user@pass:1.2.3.4:/opt/certs/cert.p12 passphrase hell0$ -cumulus@switch:~$ nv config apply +cumulus@switch:~$ nv action import system security certificate tls-cert-1 passphrase mypassphrase uri-bundle scp://user@pass:1.2.3.4:/opt/certs/cert.p12  ``` The following example imports an entity certificate with the public key URI `scp://user@pass:1.2.3.4` and private key URI `scp://user@pass:1.2.3.4`, and calls the certificate `tls-cert-1`. The certificate is not passphrase protected. 
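Review bot: The bundle example in this hunk, and the unchanged key-pair sentence below it, write the source as `scp://user@pass:1.2.3.4:/opt/certs/cert.p12`, with the password after the `@`. URI userinfo is normally written `user:password@host`, so confirm the form NVUE accepts and correct the examples if they are inverted. Since the hunk already rewrites the passphrase arguments, also consider adding a sentence telling readers that a passphrase or URI password typed on the command line is kept in shell history.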
@@ -83,12 +81,33 @@ A CA certificate must be in .pem, .p7a, or .p7c format. ``` cumulus@switch:~$ nv action import system security certificate tls-cert-1 uri-public-key scp://user@pass:1.2.3.4 uri-private-key scp://user@pass:1.2.3.4 -cumulus@switch:~$ nv config apply ``` {{< /tab >}} {{< tab "Curl Commands ">}} +The following example imports a CA certificate with a public key and calls the certificate `tls-cert-1`. The certificate is passphrase protected with `mypassphrase`. The public key is a Base64 ASCII encoded PEM string. + +``` +cumulus@switch:~$ cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "????": "??????", "passphrase": "mypassphrase"}}}' +``` + +The following example imports an entity certificate bundle and calls the certificate `tls-cert-1`. The certificate bundle is passphrase protected with `mypassphrase`. + +A certificate bundle must be in .PFX or .P12 format. + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "uri-bundle": "scp://user@pass:1.2.3.4:/opt/certs/cert.p12", "passphrase": "mypassphrase"}}}' +``` + +The following example imports an entity certificate with the public key URI `scp://user@pass:1.2.3.4` and private key URI `scp://user@pass:1.2.3.4`, and calls the certificate `tls-cert-1`. The certificate is not passphrase protected. + +A CA certificate must be in .pem, .p7a, or .p7c format. + +``` +cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "uri-public-key": "scp://user@pass:1.2.3.4", "uri-private-key": "scp://user@pass:1.2.3.4"}}}' +``` + {{< /tab >}} {{< /tabs >}} 
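Review bot: The first curl example added here is unfinished. Its parameters are `"????": "??????"`, the prompt is doubled (`cumulus@switch:~$ cumulus@switch:~$`), and it posts to `/system/security/certificate/tls-cert-1` although the text says it imports a CA certificate, which the NVUE tab does with `nv action import system security ca-certificate`. Fill in the real parameter name for the PEM data and confirm the path before merging, or leave the example out until they are known. The sentence "A CA certificate must be in .pem, .p7a, or .p7c format." is repeated under the entity certificate key-pair example, where it does not describe the command shown. All three examples authenticate with `-u 'cumulus:cumulus'` and give no URL scheme; say that the credentials are placeholders and show the scheme the API expects.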
From e00ec8f74f2d4a3c444c734a16685eef005b633d Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 14:10:58 -0800 Subject: [PATCH 103/204] updates --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index c937028af0..e88e7e1a4f 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md @@ -44,7 +44,7 @@ NVIDIA recommends you use your own certificates and keys. For the steps to gener Cumulus Linux lets you manage CA certificates (such as DigiCert or Verisign) and entity (end-point) certificates. Both a CA certificate and an entity certificate can contain a chain of certificates. -You can import certificates onto the switch (fetch certificates from an external source), set which certificate you want to use with the NVUE REST API, and show information about a certificate, such as the serial number, and the date and time during which the certificate is valid. +You can import certificates onto the switch (fetch certificates from an external source), set which certificate you want to use for the NVUE REST API, and show information about a certificate, such as the serial number, and the date and time during which the certificate is valid. To import a certificate, run the following commands. If the certificate is passphrase protected, you need to include the passphrase. From bcefe88a1cb5f93cdccc0614e5acc49733c7d232 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 15:39:58 -0800 Subject: [PATCH 104/204] updates to PPS in and out --- .../Precision Time Protocol-PTP.md | 59 +++++++++++++------ 1 file changed, 42 insertions(+), 17 deletions(-) 
diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index ec3c51ca98..c8675d086f 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -495,27 +495,33 @@ Cumulus Linux supports two PPS modes: To enable PPS synchronization: -{{< tabs "TabID541 ">}} +{{< tabs "TabID498 ">}} {{< tab "NVUE Commands ">}} -To enable PPS In: +{{< tabs "TabID501 ">}} +{{< tab "Enable PPS In ">}} ``` cumulus@switch:~$ nv set platform pulse-per-second in state enabled cumulus@switch:~$ nv config apply ``` -To enable PPS out: +{{< /tab >}} +{{< tab "Enable PPS Out ">}} ``` cumulus@switch:~$ nv set platform pulse-per-second out state enabled cumulus@switch:~$ nv config apply ``` +{{< /tab >}} +{{< /tabs >}} + {{< /tab >}} {{< tab "Linux Commands ">}} -To enable PPS In: +{{< tabs "TabID522 ">}} +{{< tab "Enable PPS In ">}} 1. Edit the `/etc/linuxptp/ts2phc.conf` file to set the following parameters. 
@@ -553,31 +559,28 @@ To enable PPS In: 2. Enable and start the `ptp4l` and `phc2sys` services: - ``` - cumulus@switch:~$ sudo systemctl enable ptp4l.service phc2sys.service - cumulus@switch:~$ sudo systemctl start ptp4l.service phc2sys.service - ``` + ``` + cumulus@switch:~$ sudo systemctl enable ptp4l.service phc2sys.service + cumulus@switch:~$ sudo systemctl start ptp4l.service phc2sys.service + ``` -To enable PPS Out: +{{< /tab >}} +{{< tab "Enable PPS Out ">}} 1. Edit the `/etc/linuxptp/pps_out.conf` file to set the following parameters. ``` # Configuration file used for the pps_out.service # It is shell formatted and the file is source'd by the service - # Set the PTP device to source our PPS from. # If not specified, the service will find the first device with a clock name "sx_ptp". PTP_DEV=/dev/ptp1 - # Set the pin index on the PPS device to send on. # On the NVIDIA systems, only pin 1 (0-based) is supported OUT_PIN=1 - # Set the file where to cache the last started values. # This is used primarily in the "stop" operation to know what to clean up. CACHE_FILE=/var/run/pps_out - # Set the out pulse charateristics for frequency and width PULSE_FREQ=1000000000 PULSE_WIDTH=500000000 @@ -594,6 +597,9 @@ To enable PPS Out: {{< /tab >}} {{< /tabs >}} +{{< /tab >}} +{{< /tabs >}} + #### PPS Synchronization Settings You can configure these PPS settings: 
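Review bot: In the Enable PPS In tab, the re-indented step 2 enables and starts only `ptp4l.service` and `phc2sys.service`, although step 1 edits `/etc/linuxptp/ts2phc.conf` and the settings section further down restarts `ts2phc.service` as the PPS In service. If PPS In needs `ts2phc.service` running, add it to the enable and start commands in this step; if another unit starts it, say so here. Separately, the blank lines removed from the `pps_out.conf` sample run each comment into the previous assignment. Keeping one blank line before each comment group would make it clear which comment belongs to `PTP_DEV`, `OUT_PIN`, `CACHE_FILE` and the `PULSE_*` values.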
@@ -612,12 +618,15 @@ You can configure these PPS settings: | `channel-index`| Sets the channel index. You can set a value of 1 or 0. The default value is 0.| | `frequency-adjustment` | Sets the frequency adjustment of the PPS Out signal. You can set a value between 1000000000 and 2147483647. The default value is 1000000000.| | `phase-adjustment` | Sets the phase adjustment of the PPS Out signal. You can set a value between 0 and 1000000000. The default value is 0.| -| `pin-index` | Sets the pin index. The default value is 0.| +| `pin-index` | Sets the pin index. Cumulus Linux supports only pin 1.| | `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| {{< tabs "TabID592 ">}} {{< tab "NVUE Commands ">}} +{{< tabs "TabID621 ">}} +{{< tab "PPS In ">}} + The following example configures PPS In and sets: - The channel index to 1. - The pin index to 1. 
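Review bot: The new `pin-index` row in the PPS Out table drops the default value, so a reader cannot tell whether the setting still defaults to 0, which the new text says is not supported, or is now fixed at 1. State the default explicitly. If the value cannot be changed, describe the row as a fixed value rather than "Sets the pin index", so it is clear that no `nv set ... out pin-index` command is needed.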
@@ -636,25 +645,32 @@ cumulus@switch:~$ nv set platform pulse-per-second in signal-polarity falling-ed cumulus@switch:~$ nv config apply ``` +{{< /tab >}} +{{< tab "PPS Out ">}} + The following example configures PPS Out and sets: - The channel index to 1. -- The pin index to 1. - The signal width to 999000000. - The phase adjustment of the PPS Out signal to 1000000000. - The frequency-adjustment of the PPS Out signal to 2147483647. ``` cumulus@switch:~$ nv set platform pulse-per-second out channel-index 1 -cumulus@switch:~$ nv set platform pulse-per-second out pin-index 1 cumulus@switch:~$ nv set platform pulse-per-second out signal-width 999000000 cumulus@switch:~$ nv set platform pulse-per-second out phase-adjustment 1000000000 cumulus@switch:~$ nv set platform pulse-per-second out frequency-adjustment 2147483647 cumulus@switch:~$ nv config apply ``` +{{< /tab >}} +{{< /tabs >}} + {{< /tab >}} {{< tab "Linux Commands ">}} +{{< tabs "TabID665 ">}} +{{< tab "PPS In ">}} + To configure PPS In, edit the `/etc/linuxptp/ts2phc.conf` file, then restart the PPS In service with the `sudo systemctl restart ts2phc.service` command. The following example configures PPS In and sets: @@ -683,11 +699,13 @@ ts2phc.extts_polarity falling ts2phc.extts_correction 0 ``` +{{< /tab >}} +{{< tab "PPS Out ">}} + To configure PPS Out, edit the `/etc/linuxptp/pps_out.conf.conf` file, then restart the PPS Out service with the `sudo systemctl restart pps_out.service` command. The following example configures PPS Out and sets: - The channel index to 1. -- The pin index to 1. - The signal width to 999000000. - The phase adjustment of the PPS Out signal to 1000000000. - The frequency-adjustment of the PPS Out signal to 2147483647. 
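Review bot: The unchanged line in the new PPS Out tab still reads `/etc/linuxptp/pps_out.conf.conf`, with a doubled extension, while the enable steps earlier in this file edit `/etc/linuxptp/pps_out.conf`. This hunk changes the lines on both sides of that sentence, so correct the path in the same change; a reader who copies it as written will edit a file that the `pps_out.service` restart does not read.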
@@ -719,6 +737,13 @@ PULSE_PHASE=1000000000 {{< /tab >}} {{< /tabs >}} +{{< /tab >}} +{{< /tabs >}} + +- To show a summary of the PPS In and PPS out configuration settings, run the `nv show platform pulse-per-second` command. +- To show only PPS In configuration settings, run the `nv show platform pulse-per-second in` command. +- To show only PPS Out configuration settings, run the `nv show platform pulse-per-second out` command. + ## Optional Global Configuration Optional global PTP configuration includes configuring the DiffServ code point (DSCP). You can configure the DSCP value for all PTP IPv4 packets originated locally. You can set a value between 0 and 63. From 7e6e859845131b4d86cb4a1db3105bcb06cdad25 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 17:20:49 -0800 Subject: [PATCH 105/204] update NAT --- .../Network-Address-Translation-NAT.md | 126 ++++++++++-------- 1 file changed, 67 insertions(+), 59 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md index df81df7e0a..ac247f276e 100644 --- a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md +++ b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md 
@@ -48,62 +48,66 @@ Cumulus Linux also support MAC address translation, which operates on Ethernet p The following rule matches TCP packets with source IP address 10.0.0.1 and translates the IP address to 172.30.58.80: ``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol tcp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.1 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.80 +cumulus@switch:~$ nv set acl acl_1 type ipv4 +cumulus@switch:~$ nv set acl acl_1 rule 1 match ip protocol tcp +cumulus@switch:~$ nv set acl acl_1 rule 1 match ip source-ip 10.0.0.1 +cumulus@switch:~$ nv set acl acl_1 rule 1 action source-nat translate-ip 172.30.58.80 cumulus@switch:~$ nv config apply ``` The following rule matches ICMP packets with destination IP address 172.30.58.80 on interface swp51 and translates the IP address to 10.0.0.1 ``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol icmp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip dest-ip 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action dest-nat translate-ip 10.0.0.1 -cumulus@switch:~$ nv config apply -cumulus@switch:~$ nv set interface swp5 acl acl_1 inbound +cumulus@switch:~$ nv set acl acl_2 type ipv4 +cumulus@switch:~$ nv set acl acl_2 rule 1 match ip protocol icmp +cumulus@switch:~$ nv set acl acl_2 rule 1 match ip dest-ip 172.30.58.80 +cumulus@switch:~$ nv set acl acl_2 rule 1 action dest-nat translate-ip 10.0.0.1 +cumulus@switch:~$ nv set interface swp5 acl acl_2 inbound cumulus@switch:~$ nv config apply ``` The following rule matches UDP packets with source IP address 10.0.0.1 and source port 5000, and translates the IP address to 172.30.58.80 and the port to 6000. 
``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol udp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.1 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip udp source-port 5000 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-port 6000 +cumulus@switch:~$ nv set acl acl_3 type ipv4 +cumulus@switch:~$ nv set acl acl_3 rule 1 match ip protocol udp +cumulus@switch:~$ nv set acl acl_3 rule 1 match ip source-ip 10.0.0.1 +cumulus@switch:~$ nv set acl acl_3 rule 1 match ip udp source-port 5000 +cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-ip 172.30.58.80 +cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-port 6000 cumulus@switch:~$ nv config apply ``` The following rule matches UDP packets with destination IP address 172.30.58.80 and destination port 6000 on interface swp51, and translates the IP address to 10.0.0.1 and the port to 5000. 
``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol udp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip dest-ip 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip udp dest-port 6000 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action dest-nat translate-ip 10.0.0.1 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action dest-nat translate-port 5000 +cumulus@switch:~$ nv set acl acl_4 type ipv4 +cumulus@switch:~$ nv set acl acl_4 rule 1 match ip protocol udp +cumulus@switch:~$ nv set acl acl_4 rule 1 match ip dest-ip 172.30.58.80 +cumulus@switch:~$ nv set acl acl_4 rule 1 match ip udp dest-port 6000 +cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-ip 10.0.0.1 +cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-port 5000 cumulus@switch:~$ nv config apply ``` - + {{< /tab >}} {{< tab "Linux Commands ">}} @@ -169,17 +173,17 @@ To delete a static NAT rule: {{< tabs "TabID141 ">}} {{< tab "NVUE Commands ">}} +Run the `nv unset acl ` command. + ``` -cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip protocol udp -cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip dest-ip 172.30.58.80 -cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip udp dest-port 6000 +cumulus@switch:~$ nv unset acl acl_1 cumulus@switch:~$ nv config apply ``` {{< /tab >}} {{< tab "Linux Commands ">}} -Remove the rule from the policy file in the `/etc/cumulus/acl/policy.d` directory, then run the `sudo cl-acltool -i command`. +Remove the rule from the policy file in the `/etc/cumulus/acl/policy.d` directory, then run the `sudo cl-acltool -i command`. {{< /tab >}} {{< /tabs >}} @@ -230,7 +234,7 @@ You can customize the following dynamic NAT settings. |
Setting | Description | | ------- | ----------- | | `age-poll-interval` | The period of inactivity (in minutes) before Cumulus Linux releases a NAT entry from the translation table. You can set a value between 1 and 1440. The default value is 5.| -| `translate-table-size` | The maximum number of dynamic `snat` and `dnat` entries in the translation table. You can set a value between 512 and 8192. The default value is 1024.| +| `translate-table-size` | The maximum number of dynamic `snat` and `dnat` entries in the translation table. You can set a value between 1024 and 8192. The default value is 1024.| | `rule-table-size` | The maximum number of rules allowed. You can set a value between 64 and 1024. The default value is 64.| The following example sets: @@ -280,10 +284,10 @@ For an NVIDIA switch with Spectrum-2 or later, you can include the outgoing or i The following rule matches TCP packets with source IP address in the range 10.0.0.0/24 on outbound interface swp5 and translates the address dynamically to an IP address in the range 172.30.58.0-172.30.58.80. ``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol tcp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.0/24 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.0 to 172.30.58.80 -cumulus@switch:~$ nv config apply +cumulus@switch:~$ nv set acl acl_1 type ipv4 +cumulus@switch:~$ nv set acl acl_1 rule 1 match ip protocol tcp +cumulus@switch:~$ nv set acl acl_1 rule 1 match ip source-ip 10.0.0.0/24 +cumulus@switch:~$ nv set acl acl_1 rule 1 action source-nat translate-ip 172.30.58.0 to 172.30.58.80 cumulus@switch:~$ nv set interface swp5 acl acl_1 outbound cumulus@switch:~$ nv config apply ``` 
@@ -291,42 +295,46 @@ cumulus@switch:~$ nv config apply The following rule matches UDP packets with source IP address in the range 10.0.0.0/24 and translates the addresses dynamically to IP address 172.30.58.80 with layer 4 ports in the range 1024-1200: ``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol udp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.0/24 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-port 1024-1200 +cumulus@switch:~$ nv set acl acl_2 type ipv4 +cumulus@switch:~$ nv set acl acl_2 rule 1 match ip protocol udp +cumulus@switch:~$ nv set acl acl_2 rule 1 match ip source-ip 10.0.0.0/24 +cumulus@switch:~$ nv set acl acl_2 rule 1 action source-nat translate-ip 172.30.58.80 +cumulus@switch:~$ nv set acl acl_2 rule 1 action source-nat translate-port 1024-1200 cumulus@switch:~$ nv config apply ``` The following rule matches UDP packets with source IP address in the range 10.0.0.0/24 on source port 5000 and translates the addresses dynamically to IP address 172.30.58.80 with layer 4 ports in the range 1024-1200: ``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol udp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.0/24 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip udp source-port 5000 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-port 1024-1200 +cumulus@switch:~$ nv set acl acl_3 type ipv4 +cumulus@switch:~$ nv set acl acl_3 rule 1 match ip protocol udp +cumulus@switch:~$ nv set acl acl_3 rule 1 match ip source-ip 10.0.0.0/24 +cumulus@switch:~$ nv set acl acl_3 rule 1 match ip udp source-port 5000 +cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-ip 
172.30.58.80 +cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-port 1024-1200 cumulus@switch:~$ nv config apply ``` The following rule matches TCP packets with destination IP address in the range 10.1.0.0/24 and translates the address dynamically to IP address range 172.30.58.0-172.30.58.80 with layer 4 ports in the range 1024-1200: ``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol tcp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip dest-ip 10.1.0.0/24 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action dest-nat translate-ip 172.30.58.0 to 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action dest-nat translate-port 1024-1200 +cumulus@switch:~$ nv set acl acl_4 type ipv4 +cumulus@switch:~$ nv set acl acl_4 rule 1 match ip protocol tcp +cumulus@switch:~$ nv set acl acl_4 rule 1 match ip dest-ip 10.1.0.0/24 +cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-ip 172.30.58.0 to 172.30.58.80 +cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-port 1024-1200 cumulus@switch:~$ nv config apply ``` The following rule matches ICMP packets with source IP address in the range 10.0.0.0/24 and destination IP address in the range 10.1.0.0/24. 
The rule translates the address dynamically to IP address range 172.30.58.0-172.30.58.80 with layer 4 ports in the range 1024-1200: ``` -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip protocol icmp -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.0/24 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 match ip dest-ip 10.1.0.0/24 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.0 to 172.30.58.80 -cumulus@switch:~$ nv set acl acl_1 type ipv4 rule 1 action source-nat translate-port 1024-1200 +cumulus@switch:~$ nv set acl acl_5 type ipv4 +cumulus@switch:~$ nv set acl acl_5 rule 1 match ip protocol icmp +cumulus@switch:~$ nv set acl acl_5 rule 1 match ip source-ip 10.0.0.0/24 +cumulus@switch:~$ nv set acl acl_5 rule 1 match ip dest-ip 10.1.0.0/24 +cumulus@switch:~$ nv set acl acl_5 rule 1 action source-nat translate-ip 172.30.58.0 to 172.30.58.80 +cumulus@switch:~$ nv set acl acl_5 rule 1 action source-nat translate-port 1024-1200 cumulus@switch:~$ nv config apply ``` @@ -384,10 +392,10 @@ To delete a dynamic NAT rule: {{< tabs "TabID311 ">}} {{< tab "NVUE Commands ">}} +Run the `nv unset acl ` command: + ``` -cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip protocol tcp -cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 match ip source-ip 10.0.0.0/24 -cumulus@switch:~$ nv unset acl acl_1 type ipv4 rule 1 action source-nat translate-ip 172.30.58.0 to 172.30.58.80 +cumulus@switch:~$ nv unset acl acl_1 cumulus@switch:~$ nv config apply ``` From 0d3983298a004305385535484015474628b0649e Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 17:24:40 -0800 Subject: [PATCH 106/204] update NAT --- .../cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md index ac247f276e..f327c06ae0 100644 --- a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md +++ b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md @@ -55,7 +55,7 @@ cumulus@switch:~$ nv set acl acl_1 rule 1 action source-nat translate-ip 172.30. cumulus@switch:~$ nv config apply ``` -The following rule matches ICMP packets with destination IP address 172.30.58.80 on interface swp51 and translates the IP address to 10.0.0.1 +The following rule matches ICMP packets with destination IP address 172.30.58.80 coming in on interface swp51 and translates the IP address to 10.0.0.1 ``` cumulus@switch:~$ nv set acl acl_2 type ipv4 From 7ab308d806246c9be4aacebd56f76606907fc5e6 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Fri, 1 Dec 2023 17:54:25 -0800 Subject: [PATCH 107/204] updates to NAT --- .../Network-Address-Translation-NAT.md | 41 +++++++++++++------ 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md index f327c06ae0..fae0d3d8c6 100644 --- a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md +++ b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md 
@@ -42,16 +42,21 @@ Cumulus Linux also support MAC address translation, which operates on Ethernet p - For static **NAT**, create a rule that matches a source or destination IP address and translate the IP address to a public IP address. - For static **PAT**, create a rule that matches a source or destination IP address together with the layer 4 port and translate the IP address and port to a public IP address and port. You can include the outgoing or incoming interface. +{{%notice note%}} +NVUE commands require you configure an inbound or outbound interface for static NAT rules. However, rules you configure in a rules file in the `/etc/cumulus/acl/policy.d/` directory do not require an inbound or outbound interface. +{{%/notice%}} + {{< tabs "TabID44 ">}} {{< tab "NVUE Commands ">}} -The following rule matches TCP packets with source IP address 10.0.0.1 and translates the IP address to 172.30.58.80: +The following rule matches TCP packets with source IP address 10.0.0.1 coming in on interface swp51 and translates the IP address to 172.30.58.80: ``` cumulus@switch:~$ nv set acl acl_1 type ipv4 cumulus@switch:~$ nv set acl acl_1 rule 1 match ip protocol tcp cumulus@switch:~$ nv set acl acl_1 rule 1 match ip source-ip 10.0.0.1 cumulus@switch:~$ nv set acl acl_1 rule 1 action source-nat translate-ip 172.30.58.80 +cumulus@switch:~$ nv set interface swp51 acl acl_1 inbound cumulus@switch:~$ nv config apply ``` 
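Review bot: The added notice says NVUE requires an inbound or outbound interface for static NAT rules, but the unchanged static PAT bullet directly above it still says "You can include the outgoing or incoming interface", which reads as optional. Reword that bullet so it agrees with the notice, for example by limiting the optional wording to rules files in `/etc/cumulus/acl/policy.d/`. In the notice itself, "require you configure" reads better as "require that you configure".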
@@ -62,11 +67,11 @@ cumulus@switch:~$ nv set acl acl_2 type ipv4 cumulus@switch:~$ nv set acl acl_2 rule 1 match ip protocol icmp cumulus@switch:~$ nv set acl acl_2 rule 1 match ip dest-ip 172.30.58.80 cumulus@switch:~$ nv set acl acl_2 rule 1 action dest-nat translate-ip 10.0.0.1 -cumulus@switch:~$ nv set interface swp5 acl acl_2 inbound +cumulus@switch:~$ nv set interface swp51 acl acl_2 inbound cumulus@switch:~$ nv config apply ``` -The following rule matches UDP packets with source IP address 10.0.0.1 and source port 5000, and translates the IP address to 172.30.58.80 and the port to 6000. +The following rule matches UDP packets with source IP address 10.0.0.1 and source port 5000 going out of swp6, and translates the IP address to 172.30.58.80 and the port to 6000. ``` cumulus@switch:~$ nv set acl acl_3 type ipv4 @@ -75,10 +80,11 @@ cumulus@switch:~$ nv set acl acl_3 rule 1 match ip source-ip 10.0.0.1 cumulus@switch:~$ nv set acl acl_3 rule 1 match ip udp source-port 5000 cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-ip 172.30.58.80 cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-port 6000 +cumulus@switch:~$ nv set interface swp6 acl acl_3 outbound cumulus@switch:~$ nv config apply ``` -The following rule matches UDP packets with destination IP address 172.30.58.80 and destination port 6000 on interface swp51, and translates the IP address to 10.0.0.1 and the port to 5000. +The following rule matches UDP packets with destination IP address 172.30.58.80 and destination port 6000 coming in on interface swp51, and translates the IP address to 10.0.0.1 and the port to 5000. ``` cumulus@switch:~$ nv set acl acl_4 type ipv4 
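Review bot: After this change `acl_2` (dest-nat of 172.30.58.80 to 10.0.0.1) is bound inbound on swp51, the same interface and direction as `acl_1` (source-nat of 10.0.0.1 to 172.30.58.80), while `acl_3` binds its source-nat outbound on swp6. If `acl_1` and `acl_2` are meant to be the two directions of one translation, the packets would normally arrive on different interfaces, so please confirm the interface names. The page would also benefit from one sentence on how to choose the interface and direction for source-nat and dest-nat rules. On wording, "going out of swp6" drops the word "interface" that the neighbouring sentences use ("coming in on interface swp51").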
@@ -87,6 +93,7 @@ cumulus@switch:~$ nv set acl acl_4 rule 1 match ip dest-ip 172.30.58.80 cumulus@switch:~$ nv set acl acl_4 rule 1 match ip udp dest-port 6000 cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-ip 10.0.0.1 cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-port 5000 +cumulus@switch:~$ nv set interface swp51 acl acl_4 inbound cumulus@switch:~$ nv config apply ``` 
@@ -270,18 +279,20 @@ After you change any of the dynamic NAT configuration options, restart `switchd` ### Configure Dynamic NAT -For dynamic **NAT**, create a rule that matches a IP address in CIDR notation and translates the address to a public IP address or IP address range. +For dynamic **NAT**, create a rule that matches an IP address in CIDR notation and translates the address to a public IP address or IP address range. For dynamic **PAT**, create a rule that matches an IP address in CIDR notation and translates the address to a public IP address and port range or an IP address range and port range. You can also match on an IP address in CIDR notation and port. -For an NVIDIA switch with Spectrum-2 or later, you can include the outgoing or incoming interface in the rule. See the examples below. +{{%notice note%}} +NVUE commands require you configure an inbound or outbound interface for dynamic NAT rules. However, rules you configure in a rules file in the `/etc/cumulus/acl/policy.d/` directory do not require an inbound or outbound interface. +{{%/notice%}} {{< tabs "TabID227 ">}} {{< tab "NVUE Commands ">}} **Example Rules** -The following rule matches TCP packets with source IP address in the range 10.0.0.0/24 on outbound interface swp5 and translates the address dynamically to an IP address in the range 172.30.58.0-172.30.58.80. +The following rule matches TCP packets with source IP address in the range 10.0.0.0/24 going out of swp5 and translates the address dynamically to an IP address in the range 172.30.58.0-172.30.58.80. ``` cumulus@switch:~$ nv set acl acl_1 type ipv4 
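Review bot: This hunk deletes the sentence that limited interface matching to "an NVIDIA switch with Spectrum-2 or later" and replaces it with a notice that NVUE requires an interface for dynamic NAT rules. If the platform limit still applies, the page no longer states it, and the notice should say what that means for NVUE-configured dynamic NAT on earlier Spectrum switches. If the limit no longer applies, the commit message ("updates to NAT") should say so, so the removal is not read as accidental.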
@@ -292,7 +303,7 @@ cumulus@switch:~$ nv set interface swp5 acl acl_1 outbound cumulus@switch:~$ nv config apply ``` -The following rule matches UDP packets with source IP address in the range 10.0.0.0/24 and translates the addresses dynamically to IP address 172.30.58.80 with layer 4 ports in the range 1024-1200: +The following rule matches UDP packets with source IP address in the range 10.0.0.0/24 going out of swp5 and translates the addresses dynamically to IP address 172.30.58.80 with layer 4 ports in the range 1024-1200: ``` cumulus@switch:~$ nv set acl acl_2 type ipv4 @@ -300,10 +311,11 @@ cumulus@switch:~$ nv set acl acl_2 rule 1 match ip protocol udp cumulus@switch:~$ nv set acl acl_2 rule 1 match ip source-ip 10.0.0.0/24 cumulus@switch:~$ nv set acl acl_2 rule 1 action source-nat translate-ip 172.30.58.80 cumulus@switch:~$ nv set acl acl_2 rule 1 action source-nat translate-port 1024-1200 +cumulus@switch:~$ nv set interface swp5 acl acl_2 outbound cumulus@switch:~$ nv config apply ``` -The following rule matches UDP packets with source IP address in the range 10.0.0.0/24 on source port 5000 and translates the addresses dynamically to IP address 172.30.58.80 with layer 4 ports in the range 1024-1200: +The following rule matches UDP packets with source IP address in the range 10.0.0.0/24 on source port 5000 coming in on swp6 and translates the addresses dynamically to IP address 172.30.58.80 with layer 4 ports in the range 1024-1200: ``` cumulus@switch:~$ nv set acl acl_3 type ipv4 
@@ -312,10 +324,11 @@ cumulus@switch:~$ nv set acl acl_3 rule 1 match ip source-ip 10.0.0.0/24 cumulus@switch:~$ nv set acl acl_3 rule 1 match ip udp source-port 5000 cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-ip 172.30.58.80 cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-port 1024-1200 +cumulus@switch:~$ nv set interface swp6 acl acl_3 inbound cumulus@switch:~$ nv config apply ``` -The following rule matches TCP packets with destination IP address in the range 10.1.0.0/24 and translates the address dynamically to IP address range 172.30.58.0-172.30.58.80 with layer 4 ports in the range 1024-1200: +The following rule matches TCP packets with destination IP address in the range 10.1.0.0/24 coming in on swp6 and translates the address dynamically to IP address range 172.30.58.0-172.30.58.80 with layer 4 ports in the range 1024-1200: ``` cumulus@switch:~$ nv set acl acl_4 type ipv4 @@ -323,10 +336,11 @@ cumulus@switch:~$ nv set acl acl_4 rule 1 match ip protocol tcp cumulus@switch:~$ nv set acl acl_4 rule 1 match ip dest-ip 10.1.0.0/24 cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-ip 172.30.58.0 to 172.30.58.80 cumulus@switch:~$ nv set acl acl_4 rule 1 action dest-nat translate-port 1024-1200 +cumulus@switch:~$ nv set interface swp6 acl acl_4 inbound cumulus@switch:~$ nv config apply ``` -The following rule matches ICMP packets with source IP address in the range 10.0.0.0/24 and destination IP address in the range 10.1.0.0/24. The rule translates the address dynamically to IP address range 172.30.58.0-172.30.58.80 with layer 4 ports in the range 1024-1200: +The following rule matches ICMP packets with source IP address in the range 10.0.0.0/24 and destination IP address in the range 10.1.0.0/24 coming in on swp6. The rule translates the address dynamically to IP address range 172.30.58.0-172.30.58.80 with layer 4 ports in the range 1024-1200: ``` cumulus@switch:~$ nv set acl acl_5 type ipv4 
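Review bot: The reworded ICMP sentence at the end of this hunk still says the translation uses "layer 4 ports in the range 1024-1200", but the rule matches `ip protocol icmp`, and ICMP has no TCP or UDP ports. If `translate-port` maps the ICMP query identifier for this rule, say that in the sentence; otherwise drop the port range from the ICMP example so readers do not copy a setting that has no effect.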
@@ -335,6 +349,7 @@ cumulus@switch:~$ nv set acl acl_5 rule 1 match ip source-ip 10.0.0.0/24 cumulus@switch:~$ nv set acl acl_5 rule 1 match ip dest-ip 10.1.0.0/24 cumulus@switch:~$ nv set acl acl_5 rule 1 action source-nat translate-ip 172.30.58.0 to 172.30.58.80 cumulus@switch:~$ nv set acl acl_5 rule 1 action source-nat translate-port 1024-1200 +cumulus@switch:~$ nv set interface swp6 acl acl_5 inbound cumulus@switch:~$ nv config apply ``` @@ -416,8 +431,8 @@ To see the NAT rules configured on the switch, run the `sudo iptables -t nat -v cumulus@switch:~$ sudo iptables -t nat -v -L -n ... Chain POSTROUTING (policy ACCEPT 27 packets, 3249 bytes) - pkts bytes target prot opt in out source destination - 0 0 SNAT tcp -- any any 10.0.0.1 anywhere to:172.30.58.80 + pkts bytes target prot opt in out source destination + 0 0 SNAT tcp -- any any 10.0.0.1 anywhere to:172.30.58.80 ``` ## Show Conntrack Flows From eb87291ec5102c4f33ccb6d646bfb191c62475c6 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 10:09:53 -0800 Subject: [PATCH 108/204] updates to PPS in and out --- .../Network-Time-Protocol-NTP.md | 2 +- .../Precision Time Protocol-PTP.md | 2 +- .../Date-and-Time/Pulse-Per-Second-PPS.md | 285 ++++++++++++++++++ .../Date-and-Time/Setting-Date-and-Time.md | 2 +- ...SyncE.md => Synchronous-Ethernet-SyncE.md} | 6 +- 5 files changed, 291 insertions(+), 6 deletions(-) create mode 100644 content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md rename content/cumulus-linux-57/System-Configuration/Date-and-Time/{SyncE.md => Synchronous-Ethernet-SyncE.md} (94%) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Network-Time-Protocol-NTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Network-Time-Protocol-NTP.md index 717233ddc0..94f007c447 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Network-Time-Protocol-NTP.md 
+++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Network-Time-Protocol-NTP.md @@ -1,7 +1,7 @@ --- title: Network Time Protocol - NTP author: NVIDIA -weight: 126 +weight: 124 toc: 3 --- The `ntpd` daemon running on the switch implements the NTP protocol. It synchronizes the system time with time servers in the `/etc/ntp.conf` file. The `ntpd` daemon starts at boot by default. diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md index c8675d086f..8550d44c42 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Precision Time Protocol-PTP.md @@ -1,7 +1,7 @@ --- title: Precision Time Protocol - PTP author: NVIDIA -weight: 128 +weight: 126 toc: 3 --- Cumulus Linux supports IEEE 1588-2008 Precision Timing Protocol (PTPv2), which defines the algorithm and method for synchronizing clocks of various devices across packet-based networks, including Ethernet switches and IP routers. diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md new file mode 100644 index 0000000000..a459cc9669 --- /dev/null +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md 
@@ -0,0 +1,285 @@ +--- +title: Pulse Per Second - PPS +author: NVIDIA +weight: 127 +toc: 3 +--- +[PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a signal precisely every second. The NVIDIA Spectrum switch is capable of using an external PPS signal to synchronize its [PHC](## "Physical Hardware Clock") (for PPS In) and can also generate the PPS signal that other devices can use to synchronize their clocks (for PPS Out). +- In PPS Out mode, the switch can output the PPS signal. The switch can use this signal to check the accuracy of its PHC frequency and other devices can use this signal to synchronize their PHC. +- In PPS In mode, the switch can use an external PPS signal to synchronize the frequency of its PHC. The PPS signal provides frequency synchronization for the clock but does not provide the [ToD](## "Time Of Day"). Cumulus Linux uses PTP for the ToD; you must have a PTP slave port configured on the switch for PPS In. + +{{%notice note%}} +Cumulus Linux supports PPS for the NVIDIA SN3750-SX switch only. +{{%/notice%}} + +## Enable PPS Synchronization + +To enable PPS synchronization: + +{{< tabs "TabID498 ">}} +{{< tab "NVUE Commands ">}} + +{{< tabs "TabID501 ">}} +{{< tab "Enable PPS In ">}} + +Before you enable PPS In, make sure to configure a PTP slave port on the switch. See {{}} + +``` +cumulus@switch:~$ nv set platform pulse-per-second in state enabled +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< tab "Enable PPS Out ">}} + +``` +cumulus@switch:~$ nv set platform pulse-per-second out state enabled +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< /tabs >}} + +{{< /tab >}} +{{< tab "Linux Commands ">}} + +{{< tabs "TabID522 ">}} +{{< tab "Enable PPS In ">}} + +1. Edit the `/etc/linuxptp/ts2phc.conf` file to set the following parameters. 
+ + ``` + cumulus@switch:~$ sudo nano /etc/linuxptp/ts2phc.conf + # Default configurations + [global] + use_syslog 0 + verbose 1 + logging_level 6 + slave_event_monitor /var/run/ptp_sem.sock + ts2phc.pulsewidth 500000000 + ts2phc.tod_source ptp + # + # servo parameters + # + pi_proportional_const 0.000000 + pi_integral_const 0.000000 + pi_proportional_scale 0.700000 + pi_proportional_exponent -0.300000 + pi_proportional_norm_max 0.700000 + pi_integral_scale 0.300000 + pi_integral_exponent 0.400000 + pi_integral_norm_max 0.300000 + step_threshold 0.000000050 + first_step_threshold 0.000000001 + max_frequency 500000000 + sanity_freq_limit 0 + + [/dev/ptp1] + ts2phc.pin_index 0 + ts2phc.channel 0 + ts2phc.extts_polarity rising + ts2phc.extts_correction 0 + ``` + +2. Edit the `Default interface options` section of the `/etc/ptp4l.conf` file to configure the PTP slave port on the switch, which is required for PPS In. + + ``` + cumulus@switch:~$ sudo nano /etc/linuxptp/pps_out.conf + ... + # Default interface options + # + time_stamping hardware + [swp29] + udp_ttl 1 + masterOnly 0 + delay_mechanism E2E + network_transport UDPv4 + ``` + +3. Enable and start the `ptp4l` and `phc2sys` services: + + ``` + cumulus@switch:~$ sudo systemctl enable ptp4l.service phc2sys.service + cumulus@switch:~$ sudo systemctl start ptp4l.service phc2sys.service + ``` + +{{< /tab >}} +{{< tab "Enable PPS Out ">}} + +1. Edit the `/etc/linuxptp/pps_out.conf` file to set the following parameters. + + ``` + cumulus@switch:~$ sudo nano /etc/linuxptp/pps_out.conf + # Configuration file used for the pps_out.service + # It is shell formatted and the file is source'd by the service + # Set the PTP device to source our PPS from. + # If not specified, the service will find the first device with a clock name "sx_ptp". + PTP_DEV=/dev/ptp1 + # Set the pin index on the PPS device to send on. 
+ # On the NVIDIA systems, only pin 1 (0-based) is supported + OUT_PIN=1 + # Set the file where to cache the last started values. + # This is used primarily in the "stop" operation to know what to clean up. + CACHE_FILE=/var/run/pps_out + # Set the out pulse charateristics for frequency and width + PULSE_FREQ=1000000000 + PULSE_WIDTH=500000000 + PULSE_PHASE=0 + ``` + +2. Enable and start the `pps_out` service: + + ``` + cumulus@switch:~$ sudo systemctl enable pps_out.service + cumulus@switch:~$ sudo systemctl start pps_out.service + ``` + +{{< /tab >}} +{{< /tabs >}} + +{{< /tab >}} +{{< /tabs >}} + +## PPS Synchronization Settings + +You can configure these PPS settings: + +| PPS In Setting | Description | +| ------- | ----------- | +| `channel-index` | Sets the channel index. You can set a value of 1 or 0. The default value is 0.| +| `logging-level` | Sets the logging level for PPS In. You can specify `emergency`, `alert`, `critical`, `error`, `warning`, `notice`, `info`, or `debug`. The default logging level is `info`.| +| `pin-index` | Sets the pin index. You can set a value of 1 or 0. The default value is 0.| +| `signal-polarity` | Sets the polarity of the PPS IN signal. You can specify `rising-edge`, `falling-edge`, or `both`. The default setting is `rising-edge`.| +| `signal-width` | Sets the pulse width of the PPS IN signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| +| `timestamp-correction` | Sets the value, in nanoseconds, to add to each PPS time stamp. You can set a value between -1000000000 and 1000000000. The default value is 0. | + +| PPS Out Setting | Description | +| ------- | ----------- | +| `channel-index`| Sets the channel index. You can set a value of 1 or 0. The default value is 0.| +| `frequency-adjustment` | Sets the frequency adjustment of the PPS Out signal. You can set a value between 1000000000 and 2147483647. 
The default value is 1000000000.| +| `phase-adjustment` | Sets the phase adjustment of the PPS Out signal. You can set a value between 0 and 1000000000. The default value is 0.| +| `pin-index` | Sets the pin index. Cumulus Linux supports only pin 1.| +| `signal-width` | Sets the pulse width of the PPS OUT signal. You can set a value between 1000000 and 999000000. The default value is 500000000.| + +{{< tabs "TabID592 ">}} +{{< tab "NVUE Commands ">}} + +{{< tabs "TabID621 ">}} +{{< tab "PPS In ">}} + +The following example configures PPS In and sets: +- The channel index to 1. +- The pin index to 1. +- The signal width to 999000000. +- The time stamp correction to 1000000000. +- The logging level to `warning`. +- The polarity of the PPS IN signal to `falling-edge`. + +``` +cumulus@switch:~$ nv set platform pulse-per-second in channel-index 1 +cumulus@switch:~$ nv set platform pulse-per-second in pin-index 1 +cumulus@switch:~$ nv set platform pulse-per-second in signal-width 999000000 +cumulus@switch:~$ nv set platform pulse-per-second in timestamp-correction 1000000000 +cumulus@switch:~$ nv set platform pulse-per-second in logging-level warning +cumulus@switch:~$ nv set platform pulse-per-second in signal-polarity falling-edge +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< tab "PPS Out ">}} + +The following example configures PPS Out and sets: +- The channel index to 1. +- The signal width to 999000000. +- The phase adjustment of the PPS Out signal to 1000000000. +- The frequency-adjustment of the PPS Out signal to 2147483647. 
+ +``` +cumulus@switch:~$ nv set platform pulse-per-second out channel-index 1 +cumulus@switch:~$ nv set platform pulse-per-second out signal-width 999000000 +cumulus@switch:~$ nv set platform pulse-per-second out phase-adjustment 1000000000 +cumulus@switch:~$ nv set platform pulse-per-second out frequency-adjustment 2147483647 +cumulus@switch:~$ nv config apply +``` + +{{< /tab >}} +{{< /tabs >}} + +{{< /tab >}} +{{< tab "Linux Commands ">}} + +{{< tabs "TabID665 ">}} +{{< tab "PPS In ">}} + +To configure PPS In, edit the `/etc/linuxptp/ts2phc.conf` file, then restart the PPS In service with the `sudo systemctl restart ts2phc.service` command. + +The following example configures PPS In and sets: +- The channel index to 1 +- The pin index to 1 +- The signal width to 999000000. +- The time stamp correction to 1000000000. +- The logging level to 4 (warning). +- The polarity of the PPS IN signal to falling edge (`falling`). + +``` +# ts2phc is enabled +[global] +use_syslog 0 +verbose 1 +slave_event_monitor /var/run/ptp_sem.sock +logging_level 4 +ts2phc.pulsewidth 999000000 +ts2phc.tod_source ptp +domainNumber 0 +... +[/dev/ptp1] +ts2phc.pin_index 1 +ts2phc.channel 1 +ts2phc.extts_polarity falling +ts2phc.extts_correction 0 +``` + +{{< /tab >}} +{{< tab "PPS Out ">}} + +To configure PPS Out, edit the `/etc/linuxptp/pps_out.conf.conf` file, then restart the PPS Out service with the `sudo systemctl restart pps_out.service` command. + +The following example configures PPS Out and sets: +- The channel index to 1. +- The signal width to 999000000. +- The phase adjustment of the PPS Out signal to 1000000000. +- The frequency-adjustment of the PPS Out signal to 2147483647. + +``` +# Configuration file used for the pps_out.service +# It is shell formatted and the file is source'd by the service + +# Set the PTP device to source our PPS from. +# If not specified, the service will find the first device with a clock name "sx_ptp". 
+PTP_DEV=/dev/ptp1 + +# Set the pin index on the PPS device to send on. +# On the NVIDIA systems, only pin 1 (0-based) is supported +OUT_PIN=1 + +OUT_CHANNEL=1 + +# Set the file where to cache the last started values. +# This is used primarily in the "stop" operation to know what to clean up. +CACHE_FILE=/var/run/pps_out + +# Set the out pulse charateristics for frequency and width +PULSE_FREQ=2147483647 +PULSE_WIDTH=999000000 +PULSE_PHASE=1000000000 +``` + +{{< /tab >}} +{{< /tabs >}} + +{{< /tab >}} +{{< /tabs >}} + +- To show a summary of the PPS In and PPS out configuration settings, run the `nv show platform pulse-per-second` command. +- To show only PPS In configuration settings, run the `nv show platform pulse-per-second in` command. +- To show only PPS Out configuration settings, run the `nv show platform pulse-per-second out` command. diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md index 3a4845f631..6e1550e734 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md @@ -1,7 +1,7 @@ --- title: Setting the Date and Time author: NVIDIA -weight: 124 +weight: 122 toc: 3 --- diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/SyncE.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Synchronous-Ethernet-SyncE.md similarity index 94% rename from content/cumulus-linux-57/System-Configuration/Date-and-Time/SyncE.md rename to content/cumulus-linux-57/System-Configuration/Date-and-Time/Synchronous-Ethernet-SyncE.md index 240b7e39f4..a467f1ba6b 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/SyncE.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Synchronous-Ethernet-SyncE.md 
@@ -1,7 +1,7 @@ --- -title: SyncE +title: Synchronous Ethernet - SyncE author: NVIDIA -weight: 129 +weight: 128 toc: 3 draft: true @@ -10,7 +10,7 @@ draft: true SyncE is currently in Beta. {{%/notice%}} -[SyncE](## "Synchronous Ethernet") is a standard for transmitting clock signals over the Ethernet physical layer to synchronize clocks across the network by propagating frequency using the transmission rate of symbols in the network. A dedicated Ethernet channel manages this synchronization. +[SyncE](## "Synchronous Ethernet") is an ITU-T standard for transmitting clock signals over the Ethernet physical layer to synchronize clocks across the network by propagating frequency using the transmission rate of symbols in the network. A dedicated channel, [ESMC](## "Ethernet Synchronization Messaging Channel") manages this synchronization, as specified by the ITU-T Rec. G.8264 standard. The Cumulus Linux switch includes a SyncE controller and a SyncE daemon. - The SyncE controller reads performance counters to calculate the differences between transmit and receive ethernet symbols on the physical layer to fine tune the clock frequency. From 6e517a38ed50b84d793138b66566c139de9a0032 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 10:13:49 -0800 Subject: [PATCH 109/204] updates to PPS in and out --- .../Date-and-Time/Pulse-Per-Second-PPS.md | 56 ++++++++++++++++++- content/cumulus-linux-57/Whats-New/_index.md | 2 +- 2 files changed, 54 insertions(+), 4 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md index a459cc9669..12a15cc24f 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md 
@@ -222,6 +222,7 @@ The following example configures PPS In and sets: - The polarity of the PPS IN signal to falling edge (`falling`). ``` +cumulus@switch:~$ sudo nano /etc/linuxptp/ts2phc.conf # ts2phc is enabled [global] use_syslog 0 @@ -251,6 +252,7 @@ The following example configures PPS Out and sets: - The frequency-adjustment of the PPS Out signal to 2147483647. ``` +cumulus@switch:~$ sudo nano /etc/linuxptp/pps_out.conf.conf # Configuration file used for the pps_out.service # It is shell formatted and the file is source'd by the service 
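Review bot: the command added in the `@@ -251,6 +252,7 @@` hunk opens `/etc/linuxptp/pps_out.conf.conf`, with the extension doubled. The Enable PPS Out procedure on the same page edits `/etc/linuxptp/pps_out.conf`. Following the new line as written makes `nano` create a new, unused file, and the `pps_out` service keeps reading the original one, so the change silently has no effect. Change the added line to `sudo nano /etc/linuxptp/pps_out.conf`, and fix the sentence above the example ("edit the `/etc/linuxptp/pps_out.conf.conf` file") in the same commit so that prose and command agree.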
@@ -280,6 +282,54 @@ PULSE_PHASE=1000000000 {{< /tab >}} {{< /tabs >}} -- To show a summary of the PPS In and PPS out configuration settings, run the `nv show platform pulse-per-second` command. -- To show only PPS In configuration settings, run the `nv show platform pulse-per-second in` command. -- To show only PPS Out configuration settings, run the `nv show platform pulse-per-second out` command. +To show a summary of the PPS In and PPS out configuration settings, run the `nv show platform pulse-per-second` command. + +``` +cumulus@switch:~$ nv show platform pulse-per-second + applied +---------------------- ----------- +in + state enabled + pin-index 0 + channel-index 0 + signal-width 500000000 + signal-polarity rising-edge + timestamp-correction 0 + logging-level info +out + state disabled + pin-index 1 + channel-index 0 + frequency-adjustment 1000000000 + phase-adjustment 0 + signal-width 500000000 +``` + +To show only PPS In configuration settings, run the `nv show platform pulse-per-second in` command: + +``` +cumulus@switch:~$ nv show platform pulse-per-second in + applied +-------------------- ----------- +state enabled +pin-index 0 +channel-index 0 +signal-width 500000000 +signal-polarity rising-edge +timestamp-correction 0 +logging-level info +``` + +To show only PPS Out configuration settings, run the `nv show platform pulse-per-second out` command: + +``` +cumulus@switch:~$ nv show platform pulse-per-second out + applied +-------------------- ---------- +state disabled +pin-index 1 +channel-index 0 +frequency-adjustment 1000000000 +phase-adjustment 0 +signal-width 500000000 +``` diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 4dfa6e8e10..3897d7d180 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md 
@@ -21,7 +21,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} -- {{}} +- {{}} - NVUE enhancements include: - {{}} - {{}} From e403f36f84af0fce43bbd7a16876ac62c8d75400 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 18:16:14 +0000 Subject: [PATCH 110/204] Automated release note commit --- content/cumulus-linux-54/Whats-New/rn.md | 1 - content/cumulus-linux-54/rn.xml | 6 ------ content/cumulus-linux-55/Whats-New/rn.md | 2 -- content/cumulus-linux-55/rn.xml | 12 ------------ content/cumulus-linux-56/Whats-New/rn.md | 2 -- content/cumulus-linux-56/rn.xml | 12 ------------ 6 files changed, 35 deletions(-) diff --git a/content/cumulus-linux-54/Whats-New/rn.md b/content/cumulus-linux-54/Whats-New/rn.md index e7b5d4a0c0..dabef30624 100644 --- a/content/cumulus-linux-54/Whats-New/rn.md +++ b/content/cumulus-linux-54/Whats-New/rn.md @@ -93,7 +93,6 @@ pdfhidden: True | [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | 5.5.0-5.6.0| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | -| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | | [3293560](#3293560)
| If you run NVUE commands to break out a port into four interfaces, NVUE disables the subsequent port automatically. However, if you run NVUE commands to break out a port into eight interfaces, NVUE does not disable the subsequent port automatically; you have to run the NVUE command to disable the subsequent port. | 5.4.0 | 5.5.0-5.6.0| | [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | diff --git a/content/cumulus-linux-54/rn.xml b/content/cumulus-linux-54/rn.xml index e2728d4cd8..13be4eb081 100644 --- a/content/cumulus-linux-54/rn.xml +++ b/content/cumulus-linux-54/rn.xml @@ -534,12 +534,6 @@ cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map -3308191 -If you try to set an unsupported interface speed together with FEC, the {{nv config apply}} command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. -5.4.0-5.6.0 - - - 3293560 If you run NVUE commands to break out a port into four interfaces, NVUE disables the subsequent port automatically. However, if you run NVUE commands to break out a port into eight interfaces, NVUE does not disable the subsequent port automatically; you have to run the NVUE command to disable the subsequent port. 5.4.0 diff --git a/content/cumulus-linux-55/Whats-New/rn.md b/content/cumulus-linux-55/Whats-New/rn.md index 7417b18391..6f92421762 100644 --- a/content/cumulus-linux-55/Whats-New/rn.md +++ b/content/cumulus-linux-55/Whats-New/rn.md @@ -91,7 +91,6 @@ pdfhidden: True | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | -| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | | [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | @@ -213,7 +212,6 @@ pdfhidden: True | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | -| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | | [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | diff --git a/content/cumulus-linux-55/rn.xml b/content/cumulus-linux-55/rn.xml index faad14d573..774b1645fb 100644 --- a/content/cumulus-linux-55/rn.xml +++ b/content/cumulus-linux-55/rn.xml @@ -531,12 +531,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on -3308191 -If you try to set an unsupported interface speed together with FEC, the {{nv config apply}} command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. -5.4.0-5.6.0 - - - 3293114 In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. 5.3.0-5.5.1 @@ -1305,12 +1299,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on -3308191 -If you try to set an unsupported interface speed together with FEC, the {{nv config apply}} command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. -5.4.0-5.6.0 - - - 3293114 In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; {{nv set interface <interface> ip neighbor-discovery router-advertisement enable off}}. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to {{nv set interface <interface> ip neighbor-discovery router-advertisement enable on}}. 5.3.0-5.5.1 
diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index eb6f8e9e74..da6a009529 100644 --- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -34,7 +34,6 @@ pdfhidden: True | [3600588](#3600588)
| You can't reset the root password by booting into Cumulus Linux single-user recovery mode. To work around this issue, follow the steps in https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/Monitoring-and-Troubleshooting/Single-User-Mode-Password-Recovery/. | 5.6.0 | | | [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address
command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | | [3597456](#3597456)
| NVUE does not allow you to use the reserved name lo in an interface name. | 5.5.1-5.6.0 | | -| [3590053](#3590053)
| If you connect a 1G BaseT module to the service port on the NVIDIA SN5600 switch when its peer is down, the link shows as active on one side while its peer is disabled. | 5.6.0 | | | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | | [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | | | [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | | @@ -70,7 +69,6 @@ pdfhidden: True | [3329518](#3329518)
| When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.6.0 | | | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.6.0 | | | [3326659](#3326659)
| If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds to allow for the MAC addresses to age out and be deleted from the hardware. | 5.4.0-5.6.0 | | -| [3308191](#3308191)
| If you try to set an unsupported interface speed together with FEC, the nv config apply command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. | 5.4.0-5.6.0 | | | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | | [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | diff --git a/content/cumulus-linux-56/rn.xml b/content/cumulus-linux-56/rn.xml index 15e704bb37..a90e96ed4c 100644 --- a/content/cumulus-linux-56/rn.xml +++ b/content/cumulus-linux-56/rn.xml @@ -144,12 +144,6 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines -3590053 -If you connect a 1G BaseT module to the service port on the NVIDIA SN5600 switch when its peer is down, the link shows as active on one side while its peer is disabled. -5.6.0 - - - 3585467 NVUE and {{ip link}} show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. 5.0.0-5.6.0 @@ -391,12 +385,6 @@ In a proposed fix in the MR !226, we are not flapping the IP on vxlan device on -3308191 -If you try to set an unsupported interface speed together with FEC, the {{nv config apply}} command succeeds but Cumulus Linux ignores the FEC configuration and configures the default FEC setting for the chosen speed. There is no warning or error message. -5.4.0-5.6.0 - - - 3266197 When you disable BGP globally with the {{nv set router bgp enable off}} command, applying the configuration with NVUE might fail due to an FRR reload failure. 5.2.0-5.6.0 From b84fb6f8bc00c193df971de45072e96a34cdde4a Mon Sep 17 00:00:00 2001 
From: cumulusAnia Date: Mon, 4 Dec 2023 11:34:55 -0800 Subject: [PATCH 111/204] review feedback for PPS --- .../Date-and-Time/Pulse-Per-Second-PPS.md | 52 ++++++++++--------- content/cumulus-linux-57/Whats-New/_index.md | 2 +- 2 files changed, 28 insertions(+), 26 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md index 12a15cc24f..a542f8fa13 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Pulse-Per-Second-PPS.md 
@@ -4,9 +4,9 @@ author: NVIDIA weight: 127 toc: 3 --- -[PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a signal precisely every second. The NVIDIA Spectrum switch is capable of using an external PPS signal to synchronize its [PHC](## "Physical Hardware Clock") (for PPS In) and can also generate the PPS signal that other devices can use to synchronize their clocks (for PPS Out). -- In PPS Out mode, the switch can output the PPS signal. The switch can use this signal to check the accuracy of its PHC frequency and other devices can use this signal to synchronize their PHC. +[PPS](## "Pulse per second") is the simplest form of synchronization. The PPS source provides a signal precisely every second. The switch is capable of using an external PPS signal to synchronize its [PHC](## "Physical Hardware Clock") (for PPS In) and can also generate the PPS signal that other devices can use to synchronize their clocks (for PPS Out). - In PPS In mode, the switch can use an external PPS signal to synchronize the frequency of its PHC. The PPS signal provides frequency synchronization for the clock but does not provide the [ToD](## "Time Of Day"). Cumulus Linux uses PTP for the ToD; you must have a PTP slave port configured on the switch for PPS In. +- In PPS Out mode, the switch can output the PPS signal. The switch can use this signal to check the accuracy of its PHC frequency and other devices can use this signal to synchronize their PHC. {{%notice note%}} Cumulus Linux supports PPS for the NVIDIA SN3750-SX switch only. 
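Review bot: the rewritten intro line still carries the tooltip `[PHC](## "Physical Hardware Clock")`. The Linux kernel and the linuxptp tools this page configures (`ts2phc`, `phc2sys`) expand PHC as "PTP Hardware Clock". Since this line is already being touched, correct the expansion here. Also, with "NVIDIA Spectrum" dropped from the sentence, the only remaining platform scoping is the SN3750-SX note below the bullets. Consider moving that note above the bullets so readers see the restriction before the mode descriptions.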
@@ -46,7 +46,22 @@ cumulus@switch:~$ nv config apply {{< tabs "TabID522 ">}} {{< tab "Enable PPS In ">}} -1. Edit the `/etc/linuxptp/ts2phc.conf` file to set the following parameters. +1. Edit the `Default interface options` section of the `/etc/ptp4l.conf` file to configure the PTP slave port on the switch, which is required for PPS In. See {{}} for information about PTP. + + ``` + cumulus@switch:~$ sudo nano /etc/linuxptp/pps_out.conf + ... + # Default interface options + # + time_stamping hardware + [swp29] + udp_ttl 1 + masterOnly 0 + delay_mechanism E2E + network_transport UDPv4 + ``` + +2. Edit the `/etc/linuxptp/ts2phc.conf` file to set the following parameters to enable PPS In. ``` cumulus@switch:~$ sudo nano /etc/linuxptp/ts2phc.conf @@ -73,7 +88,7 @@ cumulus@switch:~$ nv config apply first_step_threshold 0.000000001 max_frequency 500000000 sanity_freq_limit 0 - + # [/dev/ptp1] ts2phc.pin_index 0 ts2phc.channel 0 @@ -81,21 +96,6 @@ cumulus@switch:~$ nv config apply ts2phc.extts_correction 0 ``` -2. Edit the `Default interface options` section of the `/etc/ptp4l.conf` file to configure the PTP slave port on the switch, which is required for PPS In. - - ``` - cumulus@switch:~$ sudo nano /etc/linuxptp/pps_out.conf - ... - # Default interface options - # - time_stamping hardware - [swp29] - udp_ttl 1 - masterOnly 0 - delay_mechanism E2E - network_transport UDPv4 - ``` - 3. Enable and start the `ptp4l` and `phc2sys` services: ``` 
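Review bot: In Pulse-Per-Second-PPS.md, the new step 1 of the Enable PPS In tab (hunk @@ -46,7 +46,22 @@) tells the reader to edit the `Default interface options` section of `/etc/ptp4l.conf`, but the command inside its code block opens a different file: `sudo nano /etc/linuxptp/pps_out.conf`. The block was moved unchanged from the old step 2, so the mismatch carried over with it. Make the command open the file the step names; a reader who follows the command as printed would put the PTP slave port settings into the file that a later hunk describes as the configuration for `pps_out.service`.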
@@ -255,21 +255,21 @@ The following example configures PPS Out and sets: cumulus@switch:~$ sudo nano /etc/linuxptp/pps_out.conf.conf # Configuration file used for the pps_out.service # It is shell formatted and the file is source'd by the service - +# # Set the PTP device to source our PPS from. # If not specified, the service will find the first device with a clock name "sx_ptp". PTP_DEV=/dev/ptp1 - +# # Set the pin index on the PPS device to send on. # On the NVIDIA systems, only pin 1 (0-based) is supported OUT_PIN=1 - +# OUT_CHANNEL=1 - +# # Set the file where to cache the last started values. # This is used primarily in the "stop" operation to know what to clean up. CACHE_FILE=/var/run/pps_out - +# # Set the out pulse charateristics for frequency and width PULSE_FREQ=2147483647 PULSE_WIDTH=999000000 @@ -282,7 +282,9 @@ PULSE_PHASE=1000000000 {{< /tab >}} {{< /tabs >}} -To show a summary of the PPS In and PPS out configuration settings, run the `nv show platform pulse-per-second` command. +## Show PPS Configuration Settings + +To show a summary of the PPS In and PPS out configuration settings, run the `nv show platform pulse-per-second` command: ``` cumulus@switch:~$ nv show platform pulse-per-second diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 3897d7d180..7eddb36c1b 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -21,7 +21,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} -- {{}} +- {{}} - NVUE enhancements include: - {{}} - {{}} From b43d0165273eb001c5e482dca0dd913c56866745 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 11:50:56 -0800 Subject: [PATCH 112/204] review feedback for MAC address translation --- .../Layer-2/MAC-Address-Translation.md | 50 +++++++++++++++---- 1 file changed, 41 insertions(+), 9 deletions(-) 
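Review bot: In the PPS Out example of Pulse-Per-Second-PPS.md (hunk @@ -255,21 +255,21 @@), the unchanged first line still reads `sudo nano /etc/linuxptp/pps_out.conf.conf`, with the `.conf` suffix doubled, and the last comment in the block spells `charateristics`. This hunk already rewrites the block, so fix both here. In the hunk that follows (@@ -282,7 +282,9 @@), the sentence under the new `## Show PPS Configuration Settings` heading says `PPS In and PPS out`; use `PPS Out` to match the rest of the page.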
diff --git a/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md b/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md index a8f1be64b3..316bf96c8e 100644 --- a/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md +++ b/content/cumulus-linux-57/Layer-2/MAC-Address-Translation.md @@ -79,7 +79,7 @@ The following example matches Ethernet packets with destination MAC address 01:1 {{< /tab >}} {{< /tabs >}} -## Show MAC Address Translation Configuration +## Show MAC Address Translation Configuration and Statistics To show the current MAC address translation configuration: 
@@ -91,15 +91,47 @@ MACL1 mac rule: 1 MACL2 mac rule: 1 ``` -To show information about a specific MAC address translation rule, run the `nv show acl `: command +To show information about a specific MAC address translation rule, run the `nv show acl --applied -o=json` command: ``` -cumulus@switch:~$ nv show acl MACL1 - operational applied ----- ----------- ------- -type mac +cumulus@switch:~$ nv show acl MACL1 --applied -o=json +{ + "rule": { + "1": { + "action": { + "source-nat": { + "translate-ip": {}, + "translate-mac": "99:de:fc:32:11:01", + "translate-port": {} + } + }, + "match": { + "mac": { + "dest-mac-mask": "ff:ff:ff:ff:ff:ff", + "source-mac": "b8:ce:f6:3c:62:06", + "source-mac-mask": "ff:ff:ff:ff:ff:ff" + } + } + } + }, + "type": "mac" +} +``` + +To show statistics for MAC address translation, such as the number of packets that match the rules and the number of bytes in the matched packets, run the NVUE `nv show interface acl-statistics` command or the Linux `cl-acltool -L eb` command: -rule -======= -No Data ``` +cumulus@switch:~$ nv show interface acl-statistics +Interface ACL Name Rule ID In Packets In Bytes Out Packets Out Bytes +--------- --------- ------- ---------- -------- ----------- --------- +swp2 macl_snat 10 14 1.13 KB +``` + +``` +cumulus@switch:~$ sudo cl-acltool -L eb +-s ec:d:9a:84:8b:82 -o swp2 --comment rule_id:10 -j snat --to-src 0:0:0:0:0:2 --snat-target ACCEPT, pcnt = 14 -- bcnt = 1162 +``` + +In the above example Linux command output: +- `pcnt` shows how many packets matched this rule (14 packets). +- `bcnt` shows the total number of bytes in the matched packets (1162 bytes). From c1149809140f06c827a42d1c6bdc9baf5ad4bb88 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 13:00:54 -0800 Subject: [PATCH 113/204] 802.1X review feedback --- .../802.1X-Interfaces.md | 174 +++++++++++------- 1 file changed, 112 insertions(+), 62 deletions(-) 
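Review bot: In MAC-Address-Translation.md, hunk @@ -91,15 +91,47 @@, the JSON example translates to `"translate-mac": "99:de:fc:32:11:01"`, whose first octet (0x99) has the group bit set, so the example shows source NAT to a multicast MAC address. Use a unicast address for the translated source MAC. The two statistics examples also switch to a different ACL (`macl_snat`, rule ID 10, on swp2) than the `MACL1` rule 1 shown just above them; using one ACL throughout lets the reader tie the `pcnt` and `bcnt` counters back to the rule that produced them.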
diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index e9b2c36a9c..ec9899cf2b 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md @@ -13,11 +13,13 @@ A Cumulus Linux switch acts as an intermediary between the clients connected to Cumulus Linux implements 802.1X through the Debian `hostapd` package, with modifications to provide the [PAE](## "Port Access Entity") and supports parking VLANs, dynamic VLANs, and [MAB](## "MAC-based authentication bypass") on 802.1X interfaces. {{%notice note%}} -- Cumulus Linux supports 802.1X on routed interfaces and physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. +- Cumulus Linux supports 802.1X on physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. +- Routed interfaces, bond interfaces, and bridged trunk ports do not support 802.1X. +- To enable 802.1X on an access-port, it must be a member of the default NVUE bridge `br_default`. - eth0 does not support 802.1X. - 802.1X on Cumulus Linux is tested with only a few `wpa_supplicant` (Debian), Windows 10 and Windows 7 supplicants. - RADIUS authentication is supported with FreeRADIUS and Cisco ACS. -- 802.1X supports simple login and password, PEAP/MSCHAPv2 (Win7) and EAP-TLS (Debian). +- 802.1X supports simple login and password and EAP-TLS (Debian). - 802.1X supports {{}} for EAP-TTLS, which provides more secure transport layer security. Mako template-based configurations do not support 802.1X. 
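Review bot: In 802.1X-Interfaces.md, hunk @@ -13,11 +13,13 @@, the supported-methods bullet drops PEAP/MSCHAPv2 (Win7) and leaves only simple login and password and EAP-TLS (Debian), while the unchanged bullet two lines above still lists Windows 10 and Windows 7 as tested supplicants. State which authentication method the Windows supplicants are expected to use now, or update the tested-supplicant bullet. The rewritten first bullet also still ends with `the interfaces cannot be part of a bond`, which the new second bullet repeats; keep the bond restriction in one place.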
@@ -437,7 +439,7 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} - + ## EAP Requests Cumulus Linux provides the `eap_send_identity` option, which you can use to trigger EAP packets to be sent from the host side of a connection. For example, this option is required in a configuration where a PC connected to a phone attempts to send EAP packets to the switch via the phone but the PC does not receive a response from the switch (the phone might not be ready to forward packets to the switch after a reboot). Because the switch does not receive EAP packets, it attempts to authorize the PC with MAB instead of waiting for the packets. In this case, the PC might be placed into a parking VLAN to isolate it. To remove the PC from the parking VLAN, the switch needs to send an EAP request to the PC to trigger EAP. @@ -780,7 +782,7 @@ cumulus@switch:~$ sudo systemctl restart hostapd - Only run this command if MAB is configured on an interface. - The PC might attempt 802.1X authorization through the bridged connection in the back of the phone before the phone completes MAB authorization. In this case, 802.1X authorization fails. {{%/notice%}} - + ## NAS IP Address in Access Request and Accounting Packets You can send the NAS IPv4 or IPv6 address in access request and accounting packets. You can only configure one NAS IP address on the switch, which is used for all interface authorizations. @@ -951,6 +953,8 @@ cumulus@switch:~$ sudo systemctl restart hostapd ## Troubleshooting +### Check Connectivity Between Supplicants + To check connectivity between two supplicants, ping one host from the other: ``` @@ -964,6 +968,8 @@ PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. rtt min/avg/max/mdev = 0.552/0.578/0 ``` +### Show RADIUS Server Configuration + To show the list of RADIUS servers, run the `nv show system dot1x radius` command: ``` 
@@ -986,74 +992,118 @@ authentication-port 2812 shared-secret mysecret ``` +### Show 802.1X Configuration and Authorization Information + To check which MAC addresses RADIUS has authorized: ``` -cumulus@switch:~$ nv show interface dot1x-summary -Interface MAC Address Username State Authentication Type MAB VLAN DACL Active ---------- ----------------- ------------ ---------- ------------------- --- ---- ----------- -swp4 00:00:00:00:99:44 000000009944 AUTHORIZED unknown YES NO - 00:00:00:00:99:55 000000009955 AUTHORIZED unknown YES NO - 00:00:00:00:99:66 000000009966 AUTHORIZED unknown YES NO - 00:00:00:00:99:77 000000009977 AUTHORIZED unknown YES NO - 00:00:00:00:99:88 000000009988 AUTHORIZED unknown YES NO - 00:00:00:00:99:99 000000009999 AUTHORIZED unknown YES NO - 00:02:00:00:00:09 000200000009 AUTHORIZED unknown YES NO -swp53s0 00:02:00:00:00:0a 00020000000a AUTHORIZED unknown YES NO -``` - -To check RADIUS counters, run the `nv show interface swp1 dot1x counters` command: - -``` -cumulus@switch:~$ nv show interface swp1 dot1x counters -Interface Eapol Tx Eapol Rx Summary ---------- -------- ---------- ---------- -swp1 20 20 eapol-len-err-frames-tx : 0 - eapol-req-frames-tx : 5 - eapol-resp-frames-rx : 5 - eapol-start-frames-tx : 5 - eapol-req-id-frames-tx : 5 - eapol-resp-id-frames-rx : 5 - eapol-invalid-frames-rx : 0 - eapol-logoff-frames-rx : 0 -swp2 10 10 eapol-len-err-frames-tx : 0 - eapol-req-frames-tx : 3 - eapol-resp-frames-rx : 3 - eapol-start-frames-tx : 3 - eapol-req-id-frames-tx : 3 - eapol-resp-id-frames-rx : 3 - eapol-invalid-frames-rx : 0 - eapol-logoff-frames-rx : 0 -... 
-``` - -You can also check logging with the `journalctl` command: +cumulus@switch:~$ nv show interface --view=dot1x-summary +Interface Mac-Address Status Auth-Type Username Vlan Session-id +--------- ----------------- ---------- --------- ------------ ---- ---------------- +eth0 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan100 10 9EA1784C12F4E646 +lo 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +mgmt 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +swp1 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +swp2 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +swp3 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +swp4 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +swp5 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +swp6 00:55:00:00:00:09 AUTHORIZED MBA 005500000009 10 946E00ED478CC8D3 + 00:02:00:00:00:09 AUTHORIZED MD5 vlan10 10 9EA1784C12F4E646 +``` + +To show 802.1X configuration settings and authenticated session information for an interface, run the `nv show interface dot1x` command: ``` -cumulus@switch:~$ sudo journalctl -f -u hostapd -Apr 19 22:17:11 switch hostapd[12462]: swp1: interface state UNINITIALIZED->ENABLED -Apr 19 22:17:11 switch hostapd[12462]: swp1: AP-ENABLED -Apr 19 22:17:11 switch hostapd[12462]: Reading rule file /etc/cumulus/acl/policy.d/00control_ps ... 
-Apr 19 22:17:11 switch hostapd[12462]: Processing rules in file /etc/cumulus/acl/policy.d/00... -Apr 19 22:17:12 switch hostapd[12462]: Reading rule file /etc/cumulus/acl/policy.d/100_dot1x... -Apr 19 22:17:12 switch hostapd[12462]: Processing rules in file /etc/cumulus/acl/policy.d/ .. -Apr 19 22:17:12 switch hostapd[12462]: Reading rule file /etc/cumulus/acl/policy.d/99control -Apr 19 22:17:12 switch hostapd[12462]: Processing rules in file /etc/cumulus/acl/policy.d/99 -Apr 19 22:17:12 switch hostapd[12462]: Installing acl policy -Apr 19 22:17:12 switch hostapd[12462]: done. +cumulus@switch:~$ nv show interface swp1 dot1x + operational applied +-------------- ----------- -------- +eap enabled +mba disabled +auth-fail-vlan disabled + +Authenticated Sessions +========================= + Mac Auth-Type Session-id Status Username Vlan Eapol TX Eapol RX Err RX Req TX Resp RX Start RX Req-id TX Resp-id RX Invalid RX Logoff RX + ----------------- --------- ---------------- ---------- ------------ ---- -------- -------- ------ ------ ------- -------- --------- ---------- ---------- --------- + 00:02:00:00:00:09 MD5 9EA1784C12F4E646 AUTHORIZED vlan10 10 3 3 0 2 2 1 1 1 0 0 + 00:55:00:00:00:09 MBA 946E00ED478CC8D3 AUTHORIZED 005500000009 10 0 3 0 0 0 0 0 0 0 0 ``` -To show the authenticated sessions for an interface, run the `nv show interface dot1x authenticated-sessions` command: +To show the authenticated sessions and statistics for an interface, run the `nv show interface dot1x authenticated-sessions` command: ``` cumulus@switch:~$ nv show interface swp1 dot1x authenticated-sessions +(env) [dev] vagrant@cumulus:mgmt:/vagrant$ nv show interface swp1 dot1x authenticated-sessions +Mac Auth-Type Session-id Status Username Vlan Eapol TX Eapol RX Err RX Req TX Resp RX Start RX Req-id TX Resp-id RX Invalid RX Logoff RX +----------------- --------- ---------------- ---------- ------------ ---- -------- -------- ------ ------ ------- -------- --------- ---------- ---------- 
--------- +00:02:00:00:00:09 MD5 9EA1784C12F4E646 AUTHORIZED vlan10 10 3 3 0 2 2 1 1 1 0 0 +00:55:00:00:00:09 MBA 946E00ED478CC8D3 AUTHORIZED 005500000009 10 0 3 0 0 0 0 0 0 0 0 +``` + +To show the authenticated sessions and statistics for a specific MAC address, run the `nv show interface dot1x authenticated-sessions ` command: + +``` +cumulus@switch:~$ nv show interface swp1 dot1x authenticated-sessions 00:02:00:00:00:09 + operational +------------------------- ----------------- +username vlan100 +auth-type MD5 +status AUTHORIZED +vlan 10 +mac-address 00:02:00:00:00:09 +session-id 9EA1784C12F4E646 +counters + eapol-frames-tx 3 + eapol-frames-rx 3 + eapol-len-err-frames-rx 0 + eapol-req-frames-tx 2 + eapol-resp-frames-rx 2 + eapol-start-frames-rx 1 + eapol-req-id-frames-tx 1 + eapol-resp-id-frames-rx 1 + eapol-invalid-frames-rx 0 + eapol-logoff-frames-rx 0 +``` + +## Show 802.1X Statistics + +To check statistics for all interfaces, run the `nv show interface --view=dot1x-counters` command: + +``` +cumulus@switch:~$ nv show interface --view=dot1x-counters +Interface Mac-Address Eapol TX Eapol RX Req TX Resp RX Err RX Start RX Req-id TX Resp-id RX Invalid RX Logoff RX +--------- ----------------- -------- -------- ------ ------- ------ -------- --------- ---------- ---------- --------- +eth0 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +lo 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +mgmt 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +swp1 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +swp2 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +swp3 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +swp4 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +swp5 00:55:00:00:00:09 0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 0 0 +swp6 00:55:00:00:00:09 
0 3 0 0 0 0 0 0 0 0 + 00:02:00:00:00:09 3 3 2 2 0 1 1 1 +... ``` -To show the authenticated sessions for a specific MAC address, run the `nv show interface dot1x authenticated-sessions ` command: - -``` -cumulus@switch:~$ nv show interface swp1 dot1x authenticated-sessions 00:00:00:00:99:44 -``` +### Advanced Troubleshooting You can perform more advanced troubleshooting with the following commands. From 48b1254b056a6b2fb0edbc6a8f43ab8b2f58c45e Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 13:37:48 -0800 Subject: [PATCH 114/204] port swcurity review feedback updates --- .../Layer-1-and-Switch-Ports/Port-Security.md | 36 +++++++++++++------ 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md index 7d99522eda..2ef6549660 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md @@ -9,7 +9,7 @@ Port security is a layer 2 traffic control feature that enables you to limit por - Specific MAC addresses so that the port does not forward ingress traffic from undefined source addresses. - The first learned MAC address on the port (sticky MAC) so that the device with that MAC address has full bandwidth. You can provide a timeout so that the MAC address on that port no longer has access after a certain time. -You can configure what action to take when there is a port security violation (drop packets or put the port into ADMIN down state) and add a timeout for the action to take effect. +You can configure what action to take when there is a port security violation (drop packets or put the port into protodown state) and add a timeout for the action to take effect. The default violation mode is protodown. {{%notice note%}} Port security supports layer 2 interfaces in trunk or access mode but **not** interfaces in a bond. 
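Review bot: In 802.1X-Interfaces.md, hunk @@ -986,74 +992,118 @@, the `authenticated-sessions` example contains a leaked development prompt, `(env) [dev] vagrant@cumulus:mgmt:/vagrant$ nv show interface swp1 dot1x authenticated-sessions`, directly under the `cumulus@switch:~$` line; remove it. The `--view=dot1x-summary` and `--view=dot1x-counters` examples list the same two MAC addresses and session IDs as AUTHORIZED on every interface, including eth0, lo and mgmt, which contradicts the note at the top of the page that eth0 does not support 802.1X; replace them with output from a switch where only 802.1X-enabled access ports carry sessions. Session 9EA1784C12F4E646 appears with username `vlan100` in some rows and `vlan10` in others, and the last row of the counters table is cut short before the `...`. `## Show 802.1X Statistics` should be a level-3 heading like the other subsections this hunk adds under Troubleshooting. The `journalctl -f -u hostapd` example is removed with no replacement, which leaves the page without a pointer to the hostapd log.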
@@ -38,7 +38,7 @@ cumulus@switch:~$ nv set interface swp1 port-security mac-limit 100 cumulus@switch:~$ nv config apply ``` -To configure specific MAC addresses allowed to access the port, run the `nv set interface port-security static-mac` command. +To configure specific MAC addresses allowed to access the port, run the `nv set interface port-security static-mac` command. You can configure a maximum of 450 static MAC addresses per interface. ``` cumulus@switch:~$ nv set interface swp1 port-security static-mac 00:02:00:00:00:05 
@@ -46,34 +46,39 @@ cumulus@switch:~$ nv set interface swp1 port-security static-mac 00:02:00:00:00: cumulus@switch:~$ nv config apply ``` -To enable sticky MAC, where the first learned MAC address on the port is the only MAC address allowed, run the `nv set interface port-security sticky-mac enabled` command. +To enable sticky MAC aging, run the `nv set interface port-security sticky-aging enabled` command. ``` -cumulus@switch:~$ nv set interface swp1 port-security sticky-mac enabled +cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enable cumulus@switch:~$ nv config apply ``` -To configure the time period after which the first learned MAC address ages out and no longer has access to the port, run the `nv set interface port-security sticky-timeout` command. You can specify a value between 0 and 3600 seconds. The default setting is 1800 seconds. +To enable sticky MAC, where the first learned MAC address on the port is the only MAC address allowed, run the `nv set interface port-security sticky-mac enabled` command. ``` -cumulus@switch:~$ nv set interface swp1 port-security sticky-timeout 2000 +cumulus@switch:~$ nv set interface swp1 port-security sticky-mac enabled cumulus@switch:~$ nv config apply ``` -To enable sticky MAC aging, run the `nv set interface port-security sticky-aging enabled` command. +To configure the time period after which a learned sticky MAC address ages out and no longer has access to the port, run the `nv set interface port-security sticky-timeout` command. You can specify a value between 0 and 3600 seconds. The default setting is 1800 seconds. 
``` -cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enable +cumulus@switch:~$ nv set interface swp1 port-security sticky-timeout 2000 cumulus@switch:~$ nv config apply ``` -To configure violation mode, either run the `nv set interface port-security violation-mode protodown` command to put a port into ADMIN down state or run the `nv set interface port-security violation-mode restrict` command to drop packets. +To configure violation mode, either run the `nv set interface port-security violation-mode protodown` command to put a port into a protodown state or run the `nv set interface port-security violation-mode restrict` command to drop packets. ``` cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown cumulus@switch:~$ nv config apply ``` +``` +cumulus@switch:~$ sudo ip link set swp2 protodown_reason portsecurity off +cumulus@switch:~$ sudo ip link set swp2 protodown off +``` + To configure the number of seconds after which the violation mode times out, run the `nv set interface port-security violation-timeout` command. You can specify a value between 0 and 60 minutes. The default value is 30 minutes. ``` 
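Review bot: In Port-Security.md, hunk @@ -46,34 +46,39 @@, the sticky aging paragraph names the command `nv set interface port-security sticky-aging enabled`, but the example under it runs `nv set interface swp1 port-security sticky-ageing enable`: both the keyword spelling and the value differ, and the other examples in this hunk use `enabled`. Make the prose and the example agree on what the CLI accepts. The hunk also adds a code block with `sudo ip link set swp2 protodown_reason portsecurity off` and `sudo ip link set swp2 protodown off` right after the violation-mode example with no sentence introducing it, and the same commands (for swp1) appear in the new Clear the Protodown State section later in this patch; drop the stray block. After the reordering, sticky aging is described before sticky MAC is enabled; putting the sticky-mac paragraph first would read more naturally.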
@@ -92,9 +97,9 @@ Add the configuration settings you want to use to the `/etc/cumulus/switchd.d/po | `interface..port_security.mac_limit` | Configures the maximum number of MAC addresses allowed to access the port. You can specify a number between 0 and 512. The default value is 32.| | `interface..port_security.static_mac` | Configures the specific MAC addresses allowed to access the port. To specify multiple MAC addresses, separate each MAC address with a space.| | `interface..port_security.sticky_mac` | Enables and disables sticky MAC. 1 enables sticky MAC, where the first learned MAC address on the port is the only MAC address allowed. 0 disables sticky MAC. | -| `interface..port_security.sticky_timeout` | The time period after which the first learned MAC address ages out and no longer has access to the port. You can specify a value between 0 and 3600 seconds (60 minutes). The default aging timeout value is 1800 seconds (30 minutes). | +| `interface..port_security.sticky_timeout` | The time period after which a learned sticky MAC address ages out and no longer has access to the port. You can specify a value between 0 and 3600 seconds (60 minutes). The default aging timeout value is 1800 seconds (30 minutes). | | `interface..port_security.sticky_aging` | Enables and disables sticky MAC aging. 1 enables sticky MAC aging. 0 disables sticky MAC aging.| -| `interface..port_security.violation_mode` | Configures the violation mode: 0 (protodown) puts a port into ADMIN down state. 1 (restrict) drops packets. The default setting is 0.| +| `interface..port_security.violation_mode` | Configures the violation mode: 0 (protodown) puts a port into a protodown state. 1 (restrict) drops packets. The default setting is 0.| | `interface..port_security.violation_timeout` | Configures the number of seconds after which the violation mode times out. You can specify a value between 0 and 3600 seconds. 
The default value is 1800 seconds.| The following shows an example `/etc/cumulus/switchd.d/port_security.conf` configuration file: @@ -116,6 +121,15 @@ interface.swp1.port_security.static_mac = 00:02:00:00:00:05 00:02:00:00:00:06 {{< /tab >}} {{< /tabs >}} +## Clear the Protodown State + +If there is a port security violation and the port goes into a protodown state, you can clear the protodown state after you mitigate the MAC address causing the violation with the following commands: + +``` +cumulus@switch:~$ sudo ip link set swp1 protodown_reason portsecurity off +cumulus@switch:~$ sudo ip link set swp1 protodown off +``` + ## Troubleshooting To show port security configuration, run the `nv show interface port-security` command: From 3846b871cdd11ab240c595fadcf142dc30f7bfcc Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 13:42:55 -0800 Subject: [PATCH 115/204] updates to port security --- .../Layer-1-and-Switch-Ports/Port-Security.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md index 2ef6549660..824962200c 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Port-Security.md @@ -144,12 +144,7 @@ sticky-mac disabled disabled sticky-timeout 1800 1800 sticky-ageing disabled disabled violation-mode restrict restrict -violation-timeout 30 30 - -Static MAC -============= -00:02:00:00:00:05 -00:02:00:00:00:06 +violation-timeout 30 30 mac-addresses ================ 
@@ -165,6 +160,5 @@ mac-addresses 8 00:02:00:00:00:11 Dynamic Installed ``` -To show port security static MAC address information, run the `nv show interface port-security static-mac` command: - -To show port security MAC address information, run the `nv show interface port-security mac-addresses` command +- To show port security static MAC address information, run the `nv show interface port-security static-mac` command. +- To show port security MAC address information, run the `nv show interface port-security mac-addresses` command. From 8bf4c580aff863371baa2137f03e2bfe226811c5 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 14:29:58 -0800 Subject: [PATCH 116/204] updates to NAT --- .../Network-Address-Translation-NAT.md | 38 ++++++++++++++++--- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md index fae0d3d8c6..8e7bf5a7ac 100644 --- a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md +++ b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md 
@@ -424,15 +424,43 @@ Remove the rule from the policy file in the `/etc/cumulus/acl/policy.d` director ## Show Configured NAT Rules -To see the NAT rules configured on the switch, run the `sudo iptables -t nat -v -L` or the -`sudo cl-acltool -L ip -v` command. For example: +To see the NAT rules configured on the switch, run the NVUE `nv show acl --applied -o=json` command or the Linux `sudo iptables -t nat -v -L` or `sudo cl-acltool -L ip -v` commands. For example: + +``` +cumulus@switch:~$ nv show acl acl_5 --applied -o=json +{ + "rule": { + "1": { + "action": { + "source-nat": { + "translate-ip": { + "172.30.58.0": { + "to": "172.30.58.80" + } + }, + "translate-port": { + "1024-1200": {} + } + } + }, + "match": { + "ip": { + "dest-ip": "10.1.0.0/24", + "protocol": "icmp", + "source-ip": "10.0.0.0/24" + } + } + } + }, + "type": "ipv4" +} +``` ``` cumulus@switch:~$ sudo iptables -t nat -v -L -n ... -Chain POSTROUTING (policy ACCEPT 27 packets, 3249 bytes) - pkts bytes target prot opt in out source destination - 0 0 SNAT tcp -- any any 10.0.0.1 anywhere to:172.30.58.80 + pkts bytes target prot opt in out source destination + 0 0 SNAT icmp -- * swp6 10.0.0.0/24 10.1.0.0/24 /* rule_id:1,acl_name:acl_5,dir:outbound,interface_id:swp6 */ to:172.30.58.0-172.30.58.80:1024-1200 ``` ## Show Conntrack Flows From b31a4e4c480c5050aee89df281078cb07a4c2861 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 14:34:53 -0800 Subject: [PATCH 117/204] update date and time --- .../Date-and-Time/Setting-Date-and-Time.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md index 6e1550e734..ca3365a49e 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Setting-Date-and-Time.md 
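Review bot: In Network-Address-Translation-NAT.md, hunk @@ -424,15 +424,43 @@, the replacement `iptables -t nat -v -L -n` output drops the `Chain POSTROUTING (policy ACCEPT ...)` line, so the column header and the SNAT rule appear without the chain they belong to; keep the chain line above them. The new example also matches `"protocol": "icmp"` while carrying a `translate-port` range of `1024-1200`; ICMP has no ports, so a tcp or udp rule would illustrate port translation less ambiguously.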
@@ -123,7 +123,10 @@ To set the software clock according to the configured time zone: Run the `nv action change system date-time ` command. Specify `` in YYYY-MM-DD format and `` in HH:MM:SS format. ``` -cumulus@switch:~$ nv action change system date-time 2023-10-31 12:20:30 +cumulus@switch:~$ nv action change system date-time 2023-12-04 2:33:30 +System Date-time changed successfully +Local Time is now Mon 2023-12-04 02:33:30 UTC +Action succeeded ``` {{< /tab >}} From 4ac1bb45d26e70954b0952a701e1834fe996a184 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 16:09:51 -0800 Subject: [PATCH 118/204] update AAA restarts --- .../LDAP-Authentication-and-Authorization.md | 5 +++-- .../RADIUS-AAA.md | 13 ++++++++++++- .../TACACS.md | 16 ++++++++++++++-- .../LDAP-Authentication-and-Authorization.md | 5 +++-- .../RADIUS-AAA.md | 13 ++++++++++++- .../TACACS.md | 16 ++++++++++++++-- .../LDAP-Authentication-and-Authorization.md | 5 +++-- .../RADIUS-AAA.md | 13 ++++++++++++- .../TACACS.md | 16 ++++++++++++++-- .../LDAP-Authentication-and-Authorization.md | 5 +++-- .../RADIUS-AAA.md | 13 ++++++++++++- .../TACACS.md | 16 ++++++++++++++-- .../LDAP-Authentication-and-Authorization.md | 5 +++-- .../RADIUS-AAA.md | 13 ++++++++++++- .../TACACS.md | 16 ++++++++++++++-- .../LDAP-Authentication-and-Authorization.md | 5 +++-- .../RADIUS-AAA.md | 13 ++++++++++++- .../TACACS.md | 16 ++++++++++++++-- .../LDAP-Authentication-and-Authorization.md | 5 +++-- .../RADIUS-AAA.md | 13 ++++++++++++- .../TACACS.md | 11 +++++++++++ .../TACACS.md | 4 ++++ .../RADIUS-AAA.md | 6 +++++- .../TACACS.md | 4 ++++ 24 files changed, 213 insertions(+), 34 deletions(-) diff --git a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index 040ecef7c0..193aa21dbc 100644 
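Review bot: In Setting-Date-and-Time.md, hunk @@ -123,7 +123,10 @@, the sentence above the example asks for the time in HH:MM:SS format, but the new command passes `2:33:30` with a single-digit hour, while the added output echoes `02:33:30`. Use `02:33:30` in the command so the example matches the documented format.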
--- a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,10 +57,11 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} diff --git a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index cacf03ccaf..51446f2b50 100644 --- a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
@@ -31,7 +31,18 @@ During package installation: ## Configure the RADIUS Client -To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: +To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file. + +{{%notice note%}} + +After editing the `/etc/pam_radius_auth.conf` file, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. diff --git a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 7b544e92aa..35914b6722 100644 --- a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -27,6 +27,17 @@ cumulus@switch:~$ sudo -E apt-get install tacplus-client ## Configure the TACACS+ Client +{{%notice note%}} + +After you configure TACACS+ settings, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} + After installing TACACS+, edit the `/etc/tacplus_servers` file to add at least one server and one shared secret (key). You can specify the server and secret parameters in any order anywhere in the file. Whitespace (spaces or tabs) are not allowed. For example, if your TACACS+ server IP address is `192.168.0.30` and your shared secret is `tacacskey`, add these parameters to the `/etc/tacplus_servers` file: ``` 
@@ -126,10 +137,11 @@ The first `adduser` command prompts for information and a password. You can skip 3. Edit the `/etc/nsswitch.conf` file to add the keyword `tacplus` back to the line starting with `passwd` (the keyword you removed in the first step). -4. Restart the `netd` service with the following command: +4. Restart the `nvued` service and the `nginx-authenticator` service with the following commands: ``` - cumulus@switch:~$ sudo systemctl restart netd + cumulus@switch:~$ sudo systemctl restart nvued.service + cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` ## TACACS+ Accounting diff --git a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index fbe8e4e8d7..a8e78923d6 100644 --- a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,10 +57,11 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} 
diff --git a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d12209dd9d..f5306769cf 100644 --- a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -31,7 +31,18 @@ During package installation: ## Configure the RADIUS Client -To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: +To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file. + +{{%notice note%}} + +After editing the `/etc/pam_radius_auth.conf` file, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. diff --git a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index a2dbd68ee5..32aa90ad69 100644 --- a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md 
@@ -27,6 +27,17 @@ cumulus@switch:~$ sudo -E apt-get install tacplus-client ## Configure the TACACS+ Client +{{%notice note%}} + +After you configure TACACS+ settings, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} + After installing TACACS+, edit the `/etc/tacplus_servers` file to add at least one server and one shared secret (key). You can specify the server and secret parameters in any order anywhere in the file. Whitespace (spaces or tabs) are not allowed. For example, if your TACACS+ server IP address is `192.168.0.30` and your shared secret is `tacacskey`, add these parameters to the `/etc/tacplus_servers` file: ``` @@ -127,10 +138,11 @@ The first `adduser` command prompts for information and a password. You can skip 3. Edit the `/etc/nsswitch.conf` file to add the keyword `tacplus` back to the line starting with `passwd` (the keyword you removed in the first step). -4. Restart the `nvued` service with the following command: +4. Restart the `nvued` service and the `nginx-authenticator` service with the following commands: ``` - cumulus@switch:~$ sudo systemctl restart nvued + cumulus@switch:~$ sudo systemctl restart nvued.service + cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` ## TACACS+ Accounting diff --git a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index fbe8e4e8d7..a8e78923d6 100644 --- a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md 
+++ b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,10 +57,11 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} diff --git a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d12209dd9d..f5306769cf 100644 --- a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
@@ -31,7 +31,18 @@ During package installation: ## Configure the RADIUS Client -To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: +To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file. + +{{%notice note%}} + +After editing the `/etc/pam_radius_auth.conf` file, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. diff --git a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 83d28024be..57f0456284 100644 --- a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -27,6 +27,17 @@ cumulus@switch:~$ sudo -E apt-get install tacplus-client ## Configure the TACACS+ Client +{{%notice note%}} + +After you configure TACACS+ settings, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} + After installing TACACS+, edit the `/etc/tacplus_servers` file to add at least one server and one shared secret (key). You can specify the server and secret parameters in any order anywhere in the file. Whitespace (spaces or tabs) are not allowed. For example, if your TACACS+ server IP address is `192.168.0.30` and your shared secret is `tacacskey`, add these parameters to the `/etc/tacplus_servers` file: ``` 
@@ -127,10 +138,11 @@ The first `adduser` command prompts for information and a password. You can skip 3. Edit the `/etc/nsswitch.conf` file to add the keyword `tacplus` back to the line starting with `passwd` (the keyword you removed in the first step). -4. Restart the `nvued` service with the following command: +4. Restart the `nvued` service and the `nginx-authenticator` service with the following commands: ``` - cumulus@switch:~$ sudo systemctl restart nvued + cumulus@switch:~$ sudo systemctl restart nvued.service + cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` ## TACACS+ Accounting diff --git a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index fbe8e4e8d7..a8e78923d6 100644 --- a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,10 +57,11 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} 
diff --git a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d12209dd9d..f5306769cf 100644 --- a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -31,7 +31,18 @@ During package installation: ## Configure the RADIUS Client -To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: +To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file. + +{{%notice note%}} + +After editing the `/etc/pam_radius_auth.conf` file, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. diff --git a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 83d28024be..57f0456284 100644 --- a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md 
@@ -27,6 +27,17 @@ cumulus@switch:~$ sudo -E apt-get install tacplus-client ## Configure the TACACS+ Client +{{%notice note%}} + +After you configure TACACS+ settings, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} + After installing TACACS+, edit the `/etc/tacplus_servers` file to add at least one server and one shared secret (key). You can specify the server and secret parameters in any order anywhere in the file. Whitespace (spaces or tabs) are not allowed. For example, if your TACACS+ server IP address is `192.168.0.30` and your shared secret is `tacacskey`, add these parameters to the `/etc/tacplus_servers` file: ``` @@ -127,10 +138,11 @@ The first `adduser` command prompts for information and a password. You can skip 3. Edit the `/etc/nsswitch.conf` file to add the keyword `tacplus` back to the line starting with `passwd` (the keyword you removed in the first step). -4. Restart the `nvued` service with the following command: +4. Restart the `nvued` service and the `nginx-authenticator` service with the following commands: ``` - cumulus@switch:~$ sudo systemctl restart nvued + cumulus@switch:~$ sudo systemctl restart nvued.service + cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` ## TACACS+ Accounting diff --git a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index fbe8e4e8d7..a8e78923d6 100644 --- a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md 
+++ b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,10 +57,11 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} diff --git a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d12209dd9d..f5306769cf 100644 --- a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
@@ -31,7 +31,18 @@ During package installation: ## Configure the RADIUS Client -To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: +To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file. + +{{%notice note%}} + +After editing the `/etc/pam_radius_auth.conf` file, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. diff --git a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 83d28024be..57f0456284 100644 --- a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -27,6 +27,17 @@ cumulus@switch:~$ sudo -E apt-get install tacplus-client ## Configure the TACACS+ Client +{{%notice note%}} + +After you configure TACACS+ settings, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} + After installing TACACS+, edit the `/etc/tacplus_servers` file to add at least one server and one shared secret (key). You can specify the server and secret parameters in any order anywhere in the file. Whitespace (spaces or tabs) are not allowed. For example, if your TACACS+ server IP address is `192.168.0.30` and your shared secret is `tacacskey`, add these parameters to the `/etc/tacplus_servers` file: ``` 
@@ -127,10 +138,11 @@ The first `adduser` command prompts for information and a password. You can skip 3. Edit the `/etc/nsswitch.conf` file to add the keyword `tacplus` back to the line starting with `passwd` (the keyword you removed in the first step). -4. Restart the `nvued` service with the following command: +4. Restart the `nvued` service and the `nginx-authenticator` service with the following commands: ``` - cumulus@switch:~$ sudo systemctl restart nvued + cumulus@switch:~$ sudo systemctl restart nvued.service + cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` ## TACACS+ Accounting diff --git a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index fbe8e4e8d7..a8e78923d6 100644 --- a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,10 +57,11 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} 
diff --git a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d12209dd9d..f5306769cf 100644 --- a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -31,7 +31,18 @@ During package installation: ## Configure the RADIUS Client -To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: +To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file. + +{{%notice note%}} + +After editing the `/etc/pam_radius_auth.conf` file, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. diff --git a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index cec76d64d6..84e6357438 100644 --- a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md 
@@ -45,6 +45,17 @@ After you install the required TACACS+ packages, configure the following require If you use NVUE commands to configure TACACS+, you must also set the priority for the authentication order for local and TACACS+ users, and enable TACACS+. +{{%notice note%}} + +After you change TACACS+ settings, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} + {{< tabs "TabID31 ">}} {{< tab "NVUE Commands ">}} @@ -357,10 +368,11 @@ The first `adduser` command prompts for information and a password. You can skip 3. Edit the `/etc/nsswitch.conf` file to add the keyword `tacplus` back to the line starting with `passwd` (the keyword you removed in the first step). -4. Restart the `nvued` service with the following command: +4. Restart the `nvued` service and the `nginx-authenticator` service with the following commands: ``` - cumulus@switch:~$ sudo systemctl restart nvued + cumulus@switch:~$ sudo systemctl restart nvued.service + cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` ## TACACS+ Per-command Authorization diff --git a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index fbe8e4e8d7..a8e78923d6 100644 --- a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md 
@@ -57,10 +57,11 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} diff --git a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d12209dd9d..f5306769cf 100644 --- a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -31,7 +31,18 @@ During package installation: ## Configure the RADIUS Client -To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: +To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file. + +{{%notice note%}} + +After editing the `/etc/pam_radius_auth.conf` file, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. 
diff --git a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 2f9edc2ff5..4ee547101a 100644 --- a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -41,6 +41,17 @@ After you install the required TACACS+ packages, configure the following require If you use NVUE commands to configure TACACS+, you must also set the priority for the authentication order for local and TACACS+ users, and enable TACACS+. +{{%notice note%}} + +After you change TACACS+ settings, you must restart both `nvued.service` and `nginx-authenticator.service`: + +``` +cumulus@switch:~$ sudo systemctl restart nvued.service +cumulus@switch:~$ sudo systemctl restart nginx-authenticator.service +``` + +{{%/notice%}} + {{< tabs "TabID31 ">}} {{< tab "NVUE Commands ">}} diff --git a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 2f9edc2ff5..505b386579 100644 --- a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md 
@@ -41,6 +41,10 @@ After you install the required TACACS+ packages, configure the following require If you use NVUE commands to configure TACACS+, you must also set the priority for the authentication order for local and TACACS+ users, and enable TACACS+. +{{%notice note%}} +After you configure any TACACS+ settings with NVUE and you run `nv config apply`, you must restart the NVUE service with the `sudo systemctl restart nvued.service` command. +{{%/notice%}} + {{< tabs "TabID31 ">}} {{< tab "NVUE Commands ">}} diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index 3ffcd66514..e457dde26b 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -31,6 +31,10 @@ After you install the required RADIUS packages, configure the following required - Set the priority for the authentication order for local and RADIUS users. You can set a value between 1 and 100. The lower value is the higher priority. - Enable RADIUS. +{{%notice note%}} +After you configure any RADIUS settings with NVUE and you run `nv config apply`, you must restart the NVUE service with the `sudo systemctl restart nvued.service` command. +{{%/notice%}} + {{< tabs "TabID41 ">}} {{< tab "NVUE Commands ">}} @@ -38,7 +42,7 @@ The following example commands set: - The IP address of the RADIUS server to 192.168.0.254 and the port to 42. - The secret to `'myradius$key'`. - The priority at which Cumulus Linux contacts the RADIUS server to 10. -- The authentication order to 10 for Radiuso that RADIUS authentication has priority over local. +- The authentication order to 10 so that RADIUS authentication has priority over local. - The RADIUS option to `enable`. ``` 
diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md index 2f9edc2ff5..505b386579 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md @@ -41,6 +41,10 @@ After you install the required TACACS+ packages, configure the following require If you use NVUE commands to configure TACACS+, you must also set the priority for the authentication order for local and TACACS+ users, and enable TACACS+. +{{%notice note%}} +After you configure any TACACS+ settings with NVUE and you run `nv config apply`, you must restart the NVUE service with the `sudo systemctl restart nvued.service` command. +{{%/notice%}} + {{< tabs "TabID31 ">}} {{< tab "NVUE Commands ">}} From f22f5f96e05130a8fec7f031ea4619f0cf998dee Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 16:35:18 -0800 Subject: [PATCH 119/204] updates to AAA --- .../LDAP-Authentication-and-Authorization.md | 4 ++-- .../LDAP-Authentication-and-Authorization.md | 4 ++-- .../LDAP-Authentication-and-Authorization.md | 4 ++-- .../LDAP-Authentication-and-Authorization.md | 4 ++-- .../LDAP-Authentication-and-Authorization.md | 4 ++-- .../LDAP-Authentication-and-Authorization.md | 5 ++--- .../LDAP-Authentication-and-Authorization.md | 4 ++-- .../LDAP-Authentication-and-Authorization.md | 6 +++--- .../RADIUS-AAA.md | 4 ++++ 9 files changed, 21 insertions(+), 18 deletions(-) diff --git a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index 193aa21dbc..87038fbe81 100644 
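Review bot: In the RADIUS-AAA.md hunks `@@ -31,7 +31,18 @@` (cumulus-linux-44 through cumulus-linux-55), the restart notice sits between the sentence "To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file." and numbered step 1, so the restart commands appear before any edit is described, and the step list loses its lead-in now that the colon is a period. Keep the colon and move the notice below the last step of the procedure, which is where the restart has to happen.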
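Review bot: In the TACACS.md hunks `@@ -27,6 +27,17 @@` (cumulus-linux-44 through cumulus-linux-53), the notice is inserted directly under the `## Configure the TACACS+ Client` heading, ahead of the paragraph that tells the reader to add the server and shared secret to `/etc/tacplus_servers`. Place it after that paragraph and its example. The same files also gain the two restart commands in step 4 of the later hunk, so the notice should say whether it describes that same restart or an additional one.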
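Review bot: The cumulus-linux-44 hunks remove every `netd` restart (LDAP-Authentication-and-Authorization.md `@@ -57,10 +57,11 @@` and TACACS.md `@@ -126,10 +137,11 @@`), yet before this change the 4.4 TACACS page was the only TACACS page whose step 4 still named `netd`, while 5.0 and later already named `nvued`. Confirm that `nvued.service` and `nginx-authenticator.service` are the correct units on 4.4 and that a `netd` restart is no longer needed there. If both restarts apply on that release, list both instead of replacing one with the other.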
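Review bot: The added notices disagree across releases on which services to restart. The cumulus-linux-54 and cumulus-linux-55 TACACS.md hunks require both `nvued.service` and `nginx-authenticator.service`, while the cumulus-linux-56 and cumulus-linux-57 TACACS.md hunks and the cumulus-linux-57 RADIUS-AAA.md hunk name only `nvued.service` and tie the restart to `nv config apply`. State in the commit message or in the notice whether `nginx-authenticator.service` is deliberately left out for 5.6 and 5.7. The diffstat also lists no RADIUS-AAA.md change for cumulus-linux-56, so check whether that page needs the same notice.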
--- a/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-44/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,7 +57,7 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. +Restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` cumulus@switch:~$ sudo systemctl restart nvued.service @@ -132,7 +132,7 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} ### Connection diff --git a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index a8e78923d6..64a23c02c6 100644 
--- a/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-50/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,7 +57,7 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. +Restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` cumulus@switch:~$ sudo systemctl restart nvued.service @@ -132,7 +132,7 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} ### Connection diff --git a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index a8e78923d6..64a23c02c6 100644 
--- a/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-51/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,7 +57,7 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. +Restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` cumulus@switch:~$ sudo systemctl restart nvued.service @@ -132,7 +132,7 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} ### Connection diff --git a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index a8e78923d6..64a23c02c6 100644 
--- a/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-52/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,7 +57,7 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. +Restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` cumulus@switch:~$ sudo systemctl restart nvued.service @@ -132,7 +132,7 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} ### Connection diff --git a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index a8e78923d6..64a23c02c6 100644 
--- a/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-53/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,7 +57,7 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. +Restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` cumulus@switch:~$ sudo systemctl restart nvued.service @@ -132,7 +132,7 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} ### Connection diff --git a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index a8e78923d6..fd85bc19a3 100644 
--- a/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-54/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md @@ -57,7 +57,7 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. +Restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` cumulus@switch:~$ sudo systemctl restart nvued.service 
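Review bot: The unchanged context line directly above the reworded sentence in this `@@ -57,7 +57,7 @@` hunk still reads "Edit the `/etc/nssswitch.conf` file", with three s characters, while the notice changed later in the same file refers to `/etc/nsswitch.conf`. This commit already touches the neighbouring line in every versioned copy, so correct the file name there too; a reader who copies the misspelled path edits a file that the name service switch never reads.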
@@ -132,9 +132,8 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} - ### Connection The LDAP client starts a session by connecting to the LDAP server on TCP and UDP port 389 or on port 636 for LDAPS. Depending on the configuration, this connection establishes without authentication (anonymous bind); otherwise, the client must provide a bind user and password. The variables you use to define the connection to the LDAP server are the URI and bind credentials. diff --git a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index a8e78923d6..64a23c02c6 100644 --- a/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-55/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md 
@@ -57,7 +57,7 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `nvued.service` and `nginx-authenticator.service` after editing the files. +Restart `nvued.service` and `nginx-authenticator.service` after editing the files. ``` cumulus@switch:~$ sudo systemctl restart nvued.service @@ -132,7 +132,7 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} ### Connection diff --git a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md index fbe8e4e8d7..9937ec1a95 100644 --- a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md +++ b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/LDAP-Authentication-and-Authorization.md 
@@ -57,10 +57,10 @@ Entering incorrect information during the installation process produces configur - Edit the `/etc/nslcd.conf` file to update the LDAP URI and search base DN (see {{}}, below). - Edit the `/etc/nssswitch.conf` file to update the service selections. -Be sure to restart `netd` after editing the files. +After editing the files, restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. ``` -cumulus@switch:~$ sudo systemctl restart netd.service +cumulus@switch:~$ sudo systemctl restart nvued.service ``` {{< expand "Alternative Installation Method Using debconf-utils " >}} @@ -131,7 +131,7 @@ After installation, update the main configuration file (`/etc/nslcd.conf`) to ac This section documents some of the more important options that relate to security and queries. For details on all the available configuration options, read the {{}}. {{%notice note%}} -After first editing the `/etc/nslcd.conf` file and/or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart `netd` with the `sudo systemctl restart netd` command. If you disable LDAP, you need to restart the `netd` service. +After editing the `/etc/nslcd.conf` file or enabling LDAP in the `/etc/nsswitch.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. If you disable LDAP, you must also restart these two services. {{%/notice%}} ### Connection diff --git a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index d12209dd9d..15b4781d11 100644 --- a/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
+++ b/content/cumulus-linux-56/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md @@ -31,6 +31,10 @@ During package installation: ## Configure the RADIUS Client +{{%notice note%}} +After editing the `/etc/pam_radius_auth.conf` file, you must restart the NVUE and nginx-authenticator services with the `sudo systemctl restart nvued.service` command and the `sudo systemctl restart nginx-authenticator.service` command. +{{%/notice%}} + To configure the RADIUS client, edit the `/etc/pam_radius_auth.conf` file: 1. Add the hostname or IP address of at least one RADIUS server (such as a *{{}}* server on Linux), and the shared secret used to authenticate and encrypt communication with each server. From 64ff1ffbb09afe5155c8ee4279e7a303d2218de9 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Mon, 4 Dec 2023 17:35:04 -0800 Subject: [PATCH 120/204] fix heading for dot1x --- .../Layer-1-and-Switch-Ports/802.1X-Interfaces.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index ec9899cf2b..71ca5062ad 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md @@ -1074,7 +1074,7 @@ counters eapol-logoff-frames-rx 0 ``` -## Show 802.1X Statistics +### Show 802.1X Statistics To check statistics for all interfaces, run the `nv show interface --view=dot1x-counters` command: From 2f3350cfd00298c5158531c9c50dc0d6ccc47e87 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 09:10:34 -0800 Subject: [PATCH 121/204] updates to dot1x --- .../802.1X-Interfaces.md | 611 ++---------------- 1 file changed, 62 insertions(+), 549 deletions(-) 
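Review bot: In the cumulus-linux-54 LDAP-Authentication-and-Authorization.md hunk at `@@ -132,9 +132,8 @@` (PATCH 119), the blank line between `{{%/notice%}}` and `### Connection` is deleted along with the notice rewording, and no other versioned copy in this commit carries that extra deletion. It looks unintentional; restore the blank line so the heading stays separated from the shortcode and the file stays in step with the other versions.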
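Review bot: In the cumulus-linux-56 LDAP-Authentication-and-Authorization.md hunk at `@@ -57,10 +57,10 @@` (PATCH 119), the new sentence tells the reader to restart both the NVUE and nginx-authenticator services, but the command block under it only swaps `netd.service` for `nvued.service` and then closes. Add the `sudo systemctl restart nginx-authenticator.service` line to that block so the example matches the sentence; as written, a reader who copies only the block restarts one of the two services.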
diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index 71ca5062ad..ce5ba2c0e9 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md @@ -10,7 +10,7 @@ A Cumulus Linux switch acts as an intermediary between the clients connected to {{< img src = "/images/cumulus-linux/802.1X.png" >}} -Cumulus Linux implements 802.1X through the Debian `hostapd` package, with modifications to provide the [PAE](## "Port Access Entity") and supports parking VLANs, dynamic VLANs, and [MAB](## "MAC-based authentication bypass") on 802.1X interfaces. +Cumulus Linux implements 802.1X through the Debian `hostapd` package, with modifications to provide the [PAE](## "Port Access Entity") and supports Auth-fail VLANs, dynamic VLANs, and [MBA](## "MAC-based authentication bypass") on 802.1X interfaces. {{%notice note%}} - Cumulus Linux supports 802.1X on physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. 
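Review bot: The replaced line in this `@@ -10,7 +10,7 @@` hunk changes the abbreviation from MAB to MBA and keeps the tooltip "MAC-based authentication bypass", but a later hunk in this commit introduces the heading "MAC Authentication Bypass (MBA)", whose words abbreviate to MAB rather than MBA. Use the tooltip's wording in the heading as well, so the expansion matches the `dot1x mba` keyword used in the NVUE commands. "Auth-fail VLANs" is also capitalized mid-sentence here while "dynamic VLANs" is not; pick one style.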
@@ -47,9 +47,9 @@ After you install and configure FreeRADIUS, the FreeRADIUS server can serve Cumu ## Configure 802.1X Interfaces -All the 802.1X interfaces share the same RADIUS server settings. Make sure you configure the RADIUS server before you configure the 802.1X interfaces. See {{}} above. - -You must configure 802.1X on a bridged port. To configure a bridge, refer to {{}}. +- All the 802.1X interfaces share the same RADIUS server settings. Make sure you configure the RADIUS server before you configure the 802.1X interfaces. See {{}} above. +- You must configure 802.1X on a bridged port. To configure a bridge, refer to {{}}. +- NVUE enables BPDU guard when you enable 802.1X on an interface; the interface goes into a protodown state if it receives BPDU packets. To configure an 802.1X interface: - **Required**: Provide the 802.1X RADIUS server IPv4 or IPv6 address. If you want to specify more than one server, provide the priority for each server (a value between 1 and 3). If you specify just one server, Cumulus Linux sets the priority to 1. You can also specify a VRF for outgoing RADIUS accounting and authorization packets. A VRF is optional. 
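Review bot: The new third bullet in this `@@ -47,9 +47,9 @@` hunk says the interface goes into a protodown state if it receives BPDU packets, but gives the reader no way to recognize or clear that state. Add a sentence or a link that covers how to check for and recover a protodown port, and say that the automatic BPDU guard applies to NVUE only, since the Linux-commands tab in this commit asks the reader to set `mstpctl-bpduguard yes` by hand.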
@@ -57,11 +57,11 @@ To configure an 802.1X interface: - **Required**: Enable 802.1X on an interface. - Optional: Change the default 802.1X RADIUS accounting port. You can specify a port value between 1000 and 65535. The default port is 1813. - Optional: Change the default 802.1X RADIUS authentication port. You can specify a port value between 1000 and 65535. The default port is 1812. -- Optional: Provide the reauthentication period for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. +- Optional: Provide the reauthentication interval for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. - Optional: Set a fixed IP address for the RADIUS client to receive requests. {{%notice note%}} -Changing the 802.1X interface settings does *not* reset existing authorized user ports. However, removing all 802.1X interfaces or changing the RADIUS server IP address, shared secret, authentication port, accounting port, or EAP reauthentication period restarts `hostapd`, which forces existing, authorized users to re-authenticate. +Changing the 802.1X interface settings does *not* reset existing authorized user ports. However, removing all 802.1X interfaces or changing the RADIUS server IP address, shared secret, authentication port, accounting port, or EAP reauthentication interval restarts `hostapd`, which forces existing, authorized users to reauthenticate. {{%/notice%}} {{< tabs "TabID64 ">}} 
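Review bot: The reworded reauthentication bullet in this `@@ -57,11 +57,11 @@` hunk still reads "You can set a value between 0-86640" with no unit, and it does not say what the value 0 means next to "By default, reauthentication is disabled". State the unit and the meaning of 0, and write the range as "between 0 and 86640" to match the "between 1000 and 65535" wording of the port bullets just above it.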
@@ -69,30 +69,30 @@ Changing the 802.1X interface settings does *not* reset existing authorized user The following example: -- Sets the 802.1X RADIUS server IP address to 127.0.0.1 and the shared secret to `mysecret`. +- Sets the 802.1X RADIUS server IP address to 10.10.10.1 and the shared secret to `mysecret`. - Enables 802.1X on swp1 through swp3. ``` -cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 shared-secret mysecret +cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 shared-secret mysecret cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled cumulus@switch:~$ nv config apply ``` The following example: -- Sets the 802.1X RADIUS server IP address to 127.0.0.1 and the VRF to BLUE. +- Sets the 802.1X RADIUS server IP address to 10.10.10.1 and the VRF to BLUE. - Sets the 802.1X RADIUS shared secret to mysecret. - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. - Sets the fixed IP address for the RADIUS client to receive requests to 10.10.10.6. -- Sets the EAP reauthentication period to 40. +- Sets the EAP reauthentication interval to 40. - Enables 802.1X on swp1, swp2, and swp3. 
``` -cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 vrf BLUE -cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 shared-secret mysecret -cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 authentication-port 2812 -cumulus@switch:~$ nv set system dot1x radius server 127.0.0.1 accounting-port 2813 +cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 vrf BLUE +cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 shared-secret mysecret +cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 authentication-port 2812 +cumulus@switch:~$ nv set system dot1x radius server 10.10.10.1 accounting-port 2813 cumulus@switch:~$ nv set system dot1x radius client-src-ip 10.10.10.6 cumulus@switch:~$ nv set system dot1x reauthentication-interval 40 cumulus@switch:~$ nv set interface swp1,swp2,swp3 dot1x eap enabled @@ -116,7 +116,7 @@ When you enable or disable 802.1X on a port, `hostapd` reloads; however, existin Edit the `/etc/hostapd.conf` file to configure 802.1X settings, then restart the `hostapd` service. The following example: -- Sets the 802.1X RADIUS server IP address to 127.0.0.1. +- Sets the 802.1X RADIUS server IP address to 10.10.10.1. - Sets the 802.1X RADIUS shared secret to mysecret. - Enables 802.1X on swp1 through swp3. @@ -125,7 +125,7 @@ cumulus@switch:~$ sudo nano /etc/hostapd.conf ... interfaces=swp1,swp2,swp3 ... -auth_server_addr=127.0.0.1 +auth_server_addr=10.10.10.1 auth_server_port=1812 auth_server_shared_secret=mysecret ... 
@@ -133,12 +133,12 @@ auth_server_shared_secret=mysecret The following example: -- Sets the 802.1X RADIUS server IP address to 127.0.0.1 and the VRF to BLUE. +- Sets the 802.1X RADIUS server IP address to 10.10.10.1 and the VRF to BLUE. - Sets the 802.1X RADIUS shared secret to mysecret. - Sets the 802.1X RADIUS authentication port to 2812. - Sets the 802.1X RADIUS accounting port to 2813. - Sets the fixed IP address for the RADIUS client to receive requests to 10.10.10.6. -- Sets the EAP re-authentication period to 40. +- Sets the EAP reauthentication interval to 40. - Enables 802.1X on swp1 through swp3. ``` @@ -148,10 +148,10 @@ interfaces=swp1,swp2,swp3 ... eap_reauth_period=40 ... -auth_server_addr=127.0.0.1%BLUE +auth_server_addr=10.10.10.1%BLUE auth_server_port=1812 auth_server_shared_secret=mysecret -acct_server_addr=127.0.0.1%BLUE +acct_server_addr=10.10.10.1%BLUE acct_server_port=2813 acct_server_shared_secret=mysecret radius_client_addr=10.10.10.6 
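Review bot: In the `@@ -148,10 +148,10 @@` hunk, the context line between the changed `auth_server_addr` and `acct_server_addr` lines still has `auth_server_port=1812`, while the bullet list for this example says "Sets the 802.1X RADIUS authentication port to 2812" and the accounting line does use 2813. Change it to `auth_server_port=2812` in the same edit so the flat-file example matches its description and the NVUE example.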
@@ -165,25 +165,49 @@ cumulus@switch:~$ sudo systemctl enable hostapd cumulus@switch:~$ sudo systemctl restart hostapd ``` +NVIDIA recommends you set the following configuration in the `/etc/network/interfaces` file for the 802.1X enabled interfaces: + +``` +... +auto swp1 +iface swp1 + bridge-access + bridge-learning off + mstpctl-bpduguard yes + mstpctl-portadminedge yes +auto swp2 +iface swp2 + bridge-access + bridge-learning off + mstpctl-bpduguard yes + mstpctl-portadminedge ye +auto swp3 +iface swp3 + bridge-access + bridge-learning off + mstpctl-bpduguard yes + mstpctl-portadminedge yes +``` + {{< /tab >}} {{< /tabs >}} ## MAC Authentication Bypass -MAC Authentication Bypass (MAB) enables bridge ports to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support [PAE](## "Port Access Entity"), such as printers or phones. +MAC Authentication Bypass (MBA) enables bridge ports to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support [PAE](## "Port Access Entity"), such as printers or phones. -You must configure MAB on both the RADIUS server and the RADIUS client (the Cumulus Linux switch). +You must configure MBA on both the RADIUS server and the RADIUS client (the Cumulus Linux switch). {{%notice note%}} -Changing the MAB settings do *not* reset existing authorized user ports. However, changing the MAB activation delay restarts `hostapd`, which forces existing, authorized users to re-authenticate. +Changing the MBA settings do *not* reset existing authorized user ports. However, changing the MBA activation delay restarts `hostapd`, which forces existing, authorized users to reauthenticate. {{%/notice%}} -To configure MAB: +To configure MBA: {{< tabs "TabID453 ">}} {{< tab "NVUE Commands ">}} -Enable a bridge port for MAB. The following example enables MAB on swp1: +Enable a bridge port for MBA. 
The following example enables MBA on swp1: ``` cumulus@switch:~$ nv set interface swp1 dot1x mba enabled @@ -193,7 +217,7 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Linux Commands ">}} -Edit the `/etc/hostapd.conf` file. The following example enables MAB on swp1. +Edit the `/etc/hostapd.conf` file. The following example enables MBA on swp1. ``` cumulus@switch:~$ sudo nano hostapd.conf @@ -211,15 +235,15 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} -## Parking VLAN +## Auth-fail VLAN -If a non-authorized supplicant tries to communicate with the switch, you can route traffic from that device to a different VLAN and associate that VLAN with one of the switch ports to which the supplicant is attached. Cumulus Linux assigns the parking VLAN by manipulating the PVID of the switch port. +If a non-authorized supplicant tries to communicate with the switch, you can route traffic from that device to a different VLAN and associate that VLAN with one of the switch ports to which the supplicant is attached. Cumulus Linux assigns the Auth-fail VLAN by manipulating the PVID of the switch port. {{%notice note%}} -Changing the parking VLAN settings do *not* reset existing authorized user ports. However, changing the parking VLAN ID restarts `hostapd`, which forces existing, authorized users to re-authenticate. +Changing the Auth-fail VLAN settings do *not* reset existing authorized user ports. However, changing the Auth-fail VLAN ID restarts `hostapd`, which forces existing, authorized users to reauthenticate. {{%/notice%}} -The following example sets the parking VLAN ID to 777 and enables parking VLAN on swp1. +The following example sets the Auth-fail VLAN ID to 777 and enables Auth-fail VLAN on swp1. {{< tabs "TabID498 ">}} {{< tab "NVUE Commands ">}} 
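Review bot: In the `/etc/network/interfaces` block added by the `@@ -165,25 +165,49 @@` hunk, the swp2 stanza ends with `mstpctl-portadminedge ye`, which should be `mstpctl-portadminedge yes` as in the swp1 and swp3 stanzas. All three stanzas also give `bridge-access` with no VLAN ID; if a value is required, show one or a labelled placeholder. In the same hunk, "Changing the MBA settings do *not* reset" should read "does *not* reset".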
@@ -230,7 +254,7 @@ cumulus@switch:~$ nv set interface swp1 dot1x auth-fail-vlan enabled cumulus@switch:~$ nv config apply ``` -If the authentication for swp1 fails, the port is moved to the parking VLAN: +If the authentication for swp1 fails, the port is moved to the Auth-fail VLAN: ``` cumulus@switch:~$ nv show interface swp1 dot1x @@ -261,7 +285,7 @@ swp1 00:02:00:00:00:08 Status Flags [PARKED_VLAN] {{< /tab >}} {{< tab "Linux Commands ">}} -Edit the `/etc/hostapd.conf` file to add the parking VLAN ID and port: +Edit the `/etc/hostapd.conf` file to add the Auth-fail VLAN ID and port: ``` cumulus@switch:~$ sudo nano hostapd.conf @@ -277,7 +301,7 @@ Restart the `hostapd` service: cumulus@switch:~$ sudo systemctl restart hostapd ``` -If the authentication for swp1 fails, the port is moved to the parking VLAN. +If the authentication for swp1 fails, the port is moved to the Auth-fail VLAN. {{< /tab >}} {{< /tabs >}} 
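Review bot: These hunks rename "parking VLAN" to "Auth-fail VLAN" in the prose, but the sample output carried in the `@@ -261,7 +285,7 @@` hunk header still reports `Status Flags [PARKED_VLAN]`. Add a sentence saying that the `PARKED_VLAN` flag is how the Auth-fail VLAN appears in `nv show interface swp1 dot1x` output; otherwise a reader checking a failed authentication has nothing that connects the two names.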
@@ -291,7 +315,7 @@ To enable dynamic VLAN assignment globally, where VLAN attributes from the RADIU {{< tabs "TabID595 ">}} {{< tab "NVUE Commands ">}} -Run the `nv set system dot1x dynamic-vlan optional` or `nv set system dot1x dynamic-vlan required` command. If you run the `nv set system dot1x dynamic-vlan required` command, when VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN (if you configure parking VLAN). +Run the `nv set system dot1x dynamic-vlan optional` or `nv set system dot1x dynamic-vlan required` command. If you run the `nv set system dot1x dynamic-vlan required` command, when VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the Auth-fail VLAN (if you configure Auth-fail VLAN). ``` cumulus@switch:~$ nv set system dot1x dynamic-vlan optional 
@@ -348,7 +372,7 @@ swp1 00:02:00:00:00:08 Status Flags [DYNAMIC_VLAN][AUTHO 1. Edit the `/etc/hostapd.conf` file to set the `dynamic_vlan` option. - Specify 1 for VLAN attributes to be optional. - - Specify 2 to require VLAN attributes; if VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the parking VLAN, if you have configured parking VLAN. + - Specify 2 to require VLAN attributes; if VLAN attributes do not exist in the access response packet returned from the RADIUS server, the user is not authorized and has no connectivity. If the RADIUS server returns VLAN attributes but the user has an incorrect password, the user is placed in the Auth-fail VLAN, if you have configured Auth-fail VLAN. ``` cumulus@switch:~$ sudo nano /etc/hostapd.conf @@ -399,7 +423,7 @@ Edit the `/etc/hostapd.conf` file to set the `eap_send_identity` option to 0, th {{< /tabs >}} {{%notice note%}} -Enabling or disabling dynamic VLAN assignment restarts `hostapd`, which forces existing, authorized users to re-authenticate. +Enabling or disabling dynamic VLAN assignment restarts `hostapd`, which forces existing, authorized users to reauthenticate. {{%/notice%}} ## MAC Addresses per Port 
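Review bot: The `@@ -399,7 +423,7 @@` hunk header shows the page still tells the reader to set the `eap_send_identity` option in `/etc/hostapd.conf`, yet the next hunk in this commit deletes the "EAP Requests" section that explains that option, together with the "NAS IP Address in Access Request and Accounting Packets" section that documents `nas_identifier`. The subject "updates to dot1x" gives no reason for the removal; either keep a short description of `eap_send_identity` where it is still referenced, or say in the commit message whether these settings are no longer supported in this release.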
@@ -439,517 +463,6 @@ cumulus@switch:~$ sudo systemctl restart hostapd {{< /tab >}} {{< /tabs >}} - -## EAP Requests - -Cumulus Linux provides the `eap_send_identity` option, which you can use to trigger EAP packets to be sent from the host side of a connection. For example, this option is required in a configuration where a PC connected to a phone attempts to send EAP packets to the switch via the phone but the PC does not receive a response from the switch (the phone might not be ready to forward packets to the switch after a reboot). Because the switch does not receive EAP packets, it attempts to authorize the PC with MAB instead of waiting for the packets. In this case, the PC might be placed into a parking VLAN to isolate it. To remove the PC from the parking VLAN, the switch needs to send an EAP request to the PC to trigger EAP. - -{{%notice note%}} -NVUE does not provide commands to configure EAP requests from the switch. -{{%/notice%}} - -To configure the switch to send an EAP request, set the `eap_send_identity` option to 1 in the `/etc/hostapd.conf` file, then resptart the `hostapd` service: - -``` -cumulus@switch:~$ sudo nano /etc/hostapd.conf -.. -eap_server=0 -ieee8021x=1 -driver=wired -dynamic_vlan=0 -eap_send_identity=1 -... -``` - -Restart the `hostapd` service: - -``` -cumulus@switch:~$ sudo systemctl restart hostapd -``` - -{{%notice note%}} -- Only run this command if MAB is configured on an interface. -- The PC might attempt 802.1X authorization through the bridged connection in the back of the phone before the phone completes MAB authorization. In this case, 802.1X authorization fails. -{{%/notice%}} - -## NAS IP Address in Access Request and Accounting Packets - -You can send the NAS IPv4 or IPv6 address in access request and accounting packets. You can only configure one NAS IP address on the switch, which is used for all interface authorizations. 
- -To configure the NAS IP address, edit the `/etc/hostapd.conf` file and configure the `nas_identifier` setting with the NAS IP address: - -``` -cumulus@switch:~$ sudo nano /etc/hostapd.conf -... -nas_identifier=10.10.10.1 -... -``` - -Rstart the `hostapd` service so that the configuration persists between reboots: - -``` -cumulus@switch:~$ sudo systemctl restart hostapd -``` ## Troubleshooting @@ -976,13 +489,13 @@ To show the list of RADIUS servers, run the `nv show system dot1x radius` comman cumulus@switch:~$ nv show system dot1x radius operational applied -------- ----------- --------- -[server] 127.0.0.1 +[server] 10.10.10.1 ``` To show configuration information for a RADIUS server, run the `nv show system dot1x radius server ` command: ``` -cumulus@switch:~$ nv show system dot1x radius server 127.0.0.1 +cumulus@switch:~$ nv show system dot1x radius server 10.10.10.1 operational applied ------------------- ----------- -------- priority 1 From 1240a5a9e4a0588227f8f74ef11b30665292b2ed Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 10:18:55 -0800 Subject: [PATCH 122/204] 802.1x updates --- .../Layer-1-and-Switch-Ports/802.1X-Interfaces.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index ce5ba2c0e9..ded21230ec 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md 
@@ -10,7 +10,7 @@ A Cumulus Linux switch acts as an intermediary between the clients connected to {{< img src = "/images/cumulus-linux/802.1X.png" >}} -Cumulus Linux implements 802.1X through the Debian `hostapd` package, with modifications to provide the [PAE](## "Port Access Entity") and supports Auth-fail VLANs, dynamic VLANs, and [MBA](## "MAC-based authentication bypass") on 802.1X interfaces. +Cumulus Linux implements 802.1x using a modified version of the Debian `hostapd` package to support auth-fail and dynamic VLANS with [MBA](## "MAC-based authentication bypass") and EAP authentication for 802.1x interfaces. {{%notice note%}} - Cumulus Linux supports 802.1X on physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. @@ -194,7 +194,7 @@ iface swp3 ## MAC Authentication Bypass -MAC Authentication Bypass (MBA) enables bridge ports to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support [PAE](## "Port Access Entity"), such as printers or phones. +MAC Authentication Bypass (MBA) enables bridge ports to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support EAP, such as printers or phones. You must configure MBA on both the RADIUS server and the RADIUS client (the Cumulus Linux switch). From a09dfbaa8aa926ab1bec9de1af8736fb1b3a1adb Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 10:31:06 -0800 Subject: [PATCH 123/204] 802.1x updates --- .../Layer-1-and-Switch-Ports/802.1X-Interfaces.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index ded21230ec..293d7586cd 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md 
+++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md @@ -57,7 +57,7 @@ To configure an 802.1X interface: - **Required**: Enable 802.1X on an interface. - Optional: Change the default 802.1X RADIUS accounting port. You can specify a port value between 1000 and 65535. The default port is 1813. - Optional: Change the default 802.1X RADIUS authentication port. You can specify a port value between 1000 and 65535. The default port is 1812. -- Optional: Provide the reauthentication interval for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. +- Optional: Provide the reauthentication interval for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. This setting only applies to EAP-based authentication; it does not apply to [MBA](## "MAC Authentication Bypass"). - Optional: Set a fixed IP address for the RADIUS client to receive requests. {{%notice note%}} From 73e9d88c992ad2799b7c774d216255532fdc7490 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 10:57:04 -0800 Subject: [PATCH 124/204] updates to RADIUS --- .../RADIUS-AAA.md | 46 +++++++------------ 1 file changed, 17 insertions(+), 29 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index 3ffcd66514..af2c9ef294 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
@@ -38,7 +38,7 @@ The following example commands set: - The IP address of the RADIUS server to 192.168.0.254 and the port to 42. - The secret to `'myradius$key'`. - The priority at which Cumulus Linux contacts the RADIUS server to 10. -- The authentication order to 10 for Radiuso that RADIUS authentication has priority over local. +- The authentication order to 10 for RADIUS that RADIUS authentication has priority over local. - The RADIUS option to `enable`. ``` @@ -61,11 +61,11 @@ Edit the `/etc/pam_radius_auth.conf` file to specify the hostname or IP address mapped_priv_user radius_priv_user # server[:port] shared_secret timeout (secs) src_ip -192.168.0.254 secretkey 3 +192.168.0.254:42 myradius$key 3 ... ``` -You must be able to resolve the hostname of the switch to an IP address. If for some reason you cannot find the hostname in DNS, you can add the hostname to the `/etc/hosts` file manually. Be aware that adding the hostname to the `/etc/hosts` file manually can cause problems because DHCP assigns the IP address, which can change at any time. +You must be able to resolve the hostname of the switch to an IP address. If you cannot find the hostname in DNS, you can add the hostname to the `/etc/hosts` file manually. Be aware that adding the hostname to the `/etc/hosts` file manually can cause problems because DHCP assigns the IP address, which can change at any time. Cumulus Linux verifies multiple server configuration lines in the order listed. Other than memory, there is no limit to the number of RADIUS servers you can use. @@ -76,7 +76,7 @@ The server port number is optional. The system looks up the port in the `/etc/se ## Optional RADIUS Configuration -You can configure the following optional settings global RADIUS settings and server specific settings. +You can configure the following global RADIUS settings and server specific settings. {{< tabs "TabID34 ">}} {{< tab "NVUE Commands ">}} 
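Review bot: the `+` bullet in the `@@ -38,7 +38,7 @@` hunk, "The authentication order to 10 for RADIUS that RADIUS authentication has priority over local", does not parse; it needs "so that" after the value. In the `@@ -61,11 +61,11 @@` hunk the example line `192.168.0.254:42 myradius$key 3` shows the RADIUS shared secret in clear text in `/etc/pam_radius_auth.conf`, and nothing in the surrounding context says who may read that file; add a sentence on keeping it readable by root only.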
@@ -117,43 +117,31 @@ cumulus@switch:~$ nv config apply | Setting | Description | | ------ | ----------- | | `vrf` | The VRF you want to use to communicate with the RADIUS servers. This is typically the management VRF (`mgmt`), which is the default VRF on the switch. You cannot specify more than one VRF. | -| `shell:priv-lvl` | Determines the privilege level for the user on the switch.| +| `privilege-level` | Determines the privilege level for the user on the switch.| | `timeout` | The timeout value when a server is slow or latencies are high. You can set a value between 1 and 60. The default timeout is 3 seconds. If you configure multiple RADIUS servers, you can set a global timeout for all servers. | -| `source-ip`
| A specific IPv4 or IPv6 interface to reach the RADIUS server. If you configure multiple RADIUS servers, you can configure a specific interface to reach all RADIUS servers. | +| `src_ip`
| A specific IPv4 or IPv6 interface to reach the RADIUS server. If you configure multiple RADIUS servers, you can configure a specific interface to reach all RADIUS servers. | | `debug` | The debug option for troubleshooting. The debugging messages write to `/var/log/syslog`. When the RADIUS client is working correctly, you can disable the debug option. If you configure multiple RADIUS servers, you can enable the debug option globally for all the servers.| Edit the `/etc/pam_radius_auth.conf` file. An example is shown below. ``` ... -server[:port] shared_secret timeout (secs) src_ip -127.0.0.1 secret 1 -other-server other-secret 3 192.168.3.4 -[2001:0db8:85a3::4]:1812 other6-secret 1 +# Set the minimum privilege level in VSA attribute shell:privilege-level=VALUE +# default is 15, range is 0-15. +privilege-level 10 # -# This allows the radius client to work when a management VRF is in use. -# The syntax is "vrf-name" (keyword) followed by the VRF name, typically "mgmt" -# Since the keyword has an illegal character for a hostname ('-'), this can't -# conflict with a valid hostname -vrf-name mgmt -# -# Set the minimum privilege level in VSA attribute shell:priv-lvl=VALUE -# to be considered a # privileged login (ability to configure via -# nclu 'net' commands, and able to sudo). The default is 15, range is 0-15. -priv-lvl 10 # Uncomment to enable debugging, can be used instead of altering pam files debug -``` +# +# Account for privileged radius user mapping. If you change it here, you need +# to change /etc/nss_mapuser.conf as well +mapped_priv_user radius_priv_user -You can set the value of the VSA (Vendor Specific Attribute) `shell:priv-lvl`, which determines the privilege level for the user on the switch. If the attribute does not return, the user does not have privileges. The following shows an example using the `freeradius` server for a fully privileged user. The VSA vendor name (Cisco-AVPair in the example below) can have any content. 
The RADIUS client only checks for the string `shell:priv-lvl`. +# server[:port] shared_secret timeout (secs) src_ip +192.168.0.254:42 myradius$key 10 192.168.1.10 +vrf-name mgmt ``` -Service-Type = Administrative-User, -Cisco-AVPair = "shell:roles=network-administrator", -Cisco-AVPair += "shell:priv-lvl=15" -``` - -To set PAM configuration keywords, edit the `/usr/share/pam-configs/radius` file. After you edit the file, you must run the `pam-auth-update --package` command. The `pam_radius_auth (8)` man page describes the PAM configuration keywords. {{< /tab >}} {{< /tabs >}} @@ -231,7 +219,7 @@ To configure local fallback authentication: ## Verify RADIUS Client Configuration -To verify the RADIUS client configuration, log in as a non-privileged user and run an `nv set interface` command. +To verify the RADIUS client configuration, log in as a non-privileged user and run the `nv set interface` command. In this example, the `ops` user is not a privileged RADIUS user so the `ops` user cannot add an interface. From 961cc5e7a0ac89ca2eec3f7ff5697799389dc672 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 10:59:47 -0800 Subject: [PATCH 125/204] update to radius --- .../Authentication-Authorization-and-Accounting/RADIUS-AAA.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index af2c9ef294..41312fe392 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
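Review bot: the `+privilege-level 10` line and the `shell:privilege-level=VALUE` comment in RADIUS-AAA.md (`@@ -117,43 +117,31 @@`) need checking against the client, because the paragraph this hunk deletes said the RADIUS client only checks for the string `shell:priv-lvl`. If the client still matches the old string, a server set up from this page returns an attribute the switch ignores and, per the removed text, the user has no privileges; either keep `priv-lvl` in the example or state which release accepts the new name. The settings table lists `vrf` while the example file uses `vrf-name mgmt`; use the same keyword in both. The deleted freeradius snippet was the only server-side sample on the page, so consider keeping an updated version of it.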
@@ -38,7 +38,7 @@ The following example commands set: - The IP address of the RADIUS server to 192.168.0.254 and the port to 42. - The secret to `'myradius$key'`. - The priority at which Cumulus Linux contacts the RADIUS server to 10. -- The authentication order to 10 for RADIUS that RADIUS authentication has priority over local. +- The authentication order to 10 so that RADIUS authentication has priority over local. - The RADIUS option to `enable`. ``` From c87e23dc00fcd15e002ed8ec9c24492c3c00af69 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 11:19:49 -0800 Subject: [PATCH 126/204] typos --- .../Layer-1-and-Switch-Ports/802.1X-Interfaces.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md index 293d7586cd..b3dbdecf35 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/802.1X-Interfaces.md @@ -10,7 +10,7 @@ A Cumulus Linux switch acts as an intermediary between the clients connected to {{< img src = "/images/cumulus-linux/802.1X.png" >}} -Cumulus Linux implements 802.1x using a modified version of the Debian `hostapd` package to support auth-fail and dynamic VLANS with [MBA](## "MAC-based authentication bypass") and EAP authentication for 802.1x interfaces. +Cumulus Linux implements 802.1x using a modified version of the Debian `hostapd` package to support auth-fail and dynamic VLANS with [MBA](## "MAC-based authentication") and EAP authentication for 802.1x interfaces. {{%notice note%}} - Cumulus Linux supports 802.1X on physical interfaces (such as swp1 or swp2s0) that are bridged access ports; the interfaces cannot be part of a bond. 
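Review bot: the rewritten opening sentence in the `@@ -10,7 +10,7 @@` hunk of 802.1X-Interfaces.md keeps `802.1x` (twice) and `VLANS`, while the note directly below it in the context uses `802.1X`; change these to `802.1X` and `VLANs`. The same sentence writes `auth-fail` in lowercase, whereas the dynamic VLAN section of this file uses `Auth-fail VLAN`; pick one capitalization for the feature name.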
@@ -57,7 +57,7 @@ To configure an 802.1X interface: - **Required**: Enable 802.1X on an interface. - Optional: Change the default 802.1X RADIUS accounting port. You can specify a port value between 1000 and 65535. The default port is 1813. - Optional: Change the default 802.1X RADIUS authentication port. You can specify a port value between 1000 and 65535. The default port is 1812. -- Optional: Provide the reauthentication interval for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. This setting only applies to EAP-based authentication; it does not apply to [MBA](## "MAC Authentication Bypass"). +- Optional: Provide the reauthentication interval for [EAP](## "Extensible Authentication Protocol"). By default, reauthentication is disabled. You can set a value between 0-86640. This setting only applies to EAP-based authentication; it does not apply to [MBA](## "MAC-bsed Authentication"). - Optional: Set a fixed IP address for the RADIUS client to receive requests. {{%notice note%}} @@ -192,9 +192,9 @@ iface swp3 {{< /tab >}} {{< /tabs >}} -## MAC Authentication Bypass +## MAC-based Authentication -MAC Authentication Bypass (MBA) enables bridge ports to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support EAP, such as printers or phones. +MAC-based authentication (MBA) enables bridge ports to allow devices to bypass authentication based on their MAC address. This is useful for devices that do not support EAP, such as printers or phones. You must configure MBA on both the RADIUS server and the RADIUS client (the Cumulus Linux switch). From 10bfa10f7eaa8e3e61eb79e7007d268f0abf407d Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 12:47:47 -0800 Subject: [PATCH 127/204] NAT updates --- .../Layer-3/Network-Address-Translation-NAT.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
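Review bot: the tooltip added in the `@@ -57,7 +57,7 @@` hunk of 802.1X-Interfaces.md reads "MAC-bsed Authentication"; it should be "MAC-based authentication", matching the tooltip in the opening paragraph. On the same `+` line, "between 0-86640" would read better as "between 0 and 86640". In the `@@ -192,9 +192,9 @@` hunk, renaming the heading to `## MAC-based Authentication` changes its generated anchor, so check for links that still point at the old "MAC Authentication Bypass" heading.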
diff --git a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md index 8e7bf5a7ac..495b40c976 100644 --- a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md +++ b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md @@ -156,7 +156,7 @@ The following rule matches UDP packets with destination IP address 172.30.58.80 ``` -t nat -A PREROUTING -d 172.30.58.80 -p udp --dport 6000 --in-interface swp51 -j DNAT --to-destination 10.0.0.1:5000 ``` - + {{< /tab >}} {{< /tabs >}} From 661b27762216efeb3acab5e81d9e2132b06adbc2 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 13:34:41 -0800 Subject: [PATCH 128/204] updates to NAT --- .../Layer-3/Network-Address-Translation-NAT.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md index 495b40c976..a8dff1e53a 100644 --- a/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md +++ b/content/cumulus-linux-57/Layer-3/Network-Address-Translation-NAT.md @@ -168,13 +168,13 @@ The following *double NAT* rule translates both the source and destination IP ad -t nat -A PREROUTING -d 26.26.26.26 -p icmp -j DNAT --to-destination 140.1.1.2 ``` --> -{{< /tab >}} -{{< /tabs >}} - {{%notice note%}} When you configure a static SNAT rule for outgoing traffic, you must also configure a static DNAT rule for the reverse traffic so that traffic goes in both directions. {{%/notice%}} +{{< /tab >}} +{{< /tabs >}} + ### Delete a Static NAT Rule To delete a static NAT rule: 
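Review bot: moving the SNAT/DNAT notice above `{{< /tab >}}` in the `@@ -168,13 +168,13 @@` hunk places it inside the last tab only, so a reader who stays on the other tab never sees that a static SNAT rule needs a matching static DNAT rule for the reverse traffic. The notice text does not mention a configuration method, so keep it after `{{< /tabs >}}` or repeat it in each tab.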
@@ -424,7 +424,7 @@ Remove the rule from the policy file in the `/etc/cumulus/acl/policy.d` director ## Show Configured NAT Rules -To see the NAT rules configured on the switch, run the NVUE `nv show acl --applied -o=json` command or the Linux `sudo iptables -t nat -v -L` or `sudo cl-acltool -L ip -v` commands. For example: +To see the NAT rules configured on the switch, run the NVUE `nv show acl --applied -o=json` command, or the Linux `sudo iptables -t nat -v -L` or `sudo cl-acltool -L ip -v` commands. For example: ``` cumulus@switch:~$ nv show acl acl_5 --applied -o=json From 7065e95a9eea8da4e8188f832c055dad17ae3232 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 15:10:27 -0800 Subject: [PATCH 129/204] updates to API --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index e88e7e1a4f..7d50ca542a 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -89,7 +89,7 @@ cumulus@switch:~$ nv action import system security certificate tls-cert-1 uri-pu The following example imports a CA certificate with a public key and calls the certificate `tls-cert-1`. The certificate is passphrase protected with `mypassphrase`. The public key is a Base64 ASCII encoded PEM string. ``` -cumulus@switch:~$ cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "????": "??????", "passphrase": "mypassphrase"}}}' +cumulus@switch:~$ cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/ca-certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "????": "??????", "passphrase": "mypassphrase"}}}' ``` The following example imports an entity certificate bundle and calls the certificate `tls-cert-1`. The certificate bundle is passphrase protected with `mypassphrase`. @@ -172,7 +172,7 @@ cumulus@switch:~$ nv action delete system security certificate tls-cert-1 {{< tab "Curl Commands ">}} ``` -cumulus@switch:~$ +cumulus@switch:~$ curl -u 'cumulus:cumulus' https://127.0.0.1:8765/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@delete": { "state": "start"}}' ``` {{< /tab >}} @@ -220,7 +220,7 @@ cumulus@switch:~$ nv show system security ca-certificate tls-cert-1 dump {{< tab "Curl Commands ">}} ``` -cumulus@switch:~$ +cumulus@switch:~$ curl -u 'cumulus:cumulus' -X GET https://127.0.0.1:8765/system/security/certificate/tls-cert-1 ``` {{< /tab >}} From 23c06b50e576e46726c7a547b08c4146041b0f64 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Tue, 5 Dec 2023 23:12:26 +0000 Subject: [PATCH 130/204] Automated release note commit --- content/cumulus-linux-56/Whats-New/rn.md | 2 +- content/cumulus-linux-56/rn.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
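Review bot: the curl commands added in the `@@ -172,7 +172,7 @@` and `@@ -220,7 +220,7 @@` hunks of NVUE-API.md call `https://127.0.0.1:8765/system/security/certificate/tls-cert-1` without the `/nvue_v1` prefix that the import example in the `@@ -89,7 +89,7 @@` hunk uses, and the import example in turn has no `https://` scheme; make the three consistent. The show example sits under `nv show system security ca-certificate tls-cert-1 dump` but queries the `certificate` path rather than `ca-certificate`. The import line also still carries a doubled `cumulus@switch:~$` prompt and the unfilled `"????": "??????"` parameter, both of which should be resolved before this is published.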
diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index da6a009529..a0735d6b9f 100644 --- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -49,7 +49,7 @@ pdfhidden: True | [3533272](#3533272)
| If you set an OSPF network and define the subnet using a host address (such as 10.1.1.2/24) instead of the (starting) subnet network address (such as 10.1.1.0/24), you can't unset the prefix with the nv unset vrf default router ospf area network command. Avoid defining the subnet using a host address when setting an OSPF network. | 5.6.0 | | | [3517739](#3517739)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | | | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | -| [3463827](#3463827)
| In an EVPN configuration with PIM-SM for BUM handling, the host behind the DUT does not receive the expected number of BUM packets. Cumulus Linux 5.6 only supports Head-End Replication (HREP) for handling BUM traffic in an EVPN configuration. BUM handling using a PIM-SM Multicast tree is not supported. | 5.6.0 | | +| [3463827](#3463827)
| Rarely, SPT switchover may not happen cleanly in PIM, resulting in some dropped packets. In the scenario where PIM-SM is used to replicate EVPN BUM traffic, there could be brief drop of multicast traffic before it recovers due to normal PIM-SM traffic timeout. | 5.6.0 | | | [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
system:
config:
snippet:
frr.conf: \|
bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | | | [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see the following error:
cumulus@switch:~$ nv show system aaa tacacs authorization 1Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND
| 5.5.0-5.6.0 | | | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | | diff --git a/content/cumulus-linux-56/rn.xml b/content/cumulus-linux-56/rn.xml index a90e96ed4c..561b31aa15 100644 --- a/content/cumulus-linux-56/rn.xml +++ b/content/cumulus-linux-56/rn.xml @@ -241,7 +241,7 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 3463827 -In an EVPN configuration with PIM-SM for BUM handling, the host behind the DUT does not receive the expected number of BUM packets. Cumulus Linux 5.6 only supports Head-End Replication (HREP) for handling BUM traffic in an EVPN configuration. BUM handling using a PIM-SM Multicast tree is not supported. +Rarely, SPT switchover may not happen cleanly in PIM, resulting in some dropped packets. In the scenario where PIM-SM is used to replicate EVPN BUM traffic, there could be brief drop of multicast traffic before it recovers due to normal PIM-SM traffic timeout. 5.6.0 From 16f7f6744438b796fcf97c7b810341d9d8f3f2b1 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 07:56:55 -0800 Subject: [PATCH 131/204] updates to 57 --- .../_index.md | 19 ++++++++++++++++++- .../Optional-BGP-Configuration.md | 2 ++ .../Equal-Cost-Multipath-Load-Sharing.md | 6 +++--- .../Configuring-switchd.md | 4 ++-- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 2 +- content/cumulus-linux-57/Whats-New/_index.md | 4 +--- 6 files changed, 27 insertions(+), 10 deletions(-) 
diff --git a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md index a372d1a7cc..4b98730c92 100644 --- a/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md +++ b/content/cumulus-linux-57/Layer-1-and-Switch-Ports/Interface-Configuration-and-Management/_index.md @@ -639,7 +639,24 @@ Cumulus Linux enables link flap detection by default. Link flap detection trigge 2023-02-10T17:53:21.264621+00:00 cumulus switchd[10109]: sync_port.c:2263 ERR swp2 link flapped more than 3 times in the last 60 seconds, setting protodown ``` -To show interfaces with the protodown flag, run the Linux `ip link` command: +To show interfaces with the protodown flag, run the NVUE `nv show interface` command or the Linux `ip link` command. To check a specific interface, run the `nv show interface link` command. + +``` +cumulus@switch:~$ nv show interface +Interface State Speed MTU Type Remote Host Remote Port Summary +--------- ----- ----- ----- -------- --------------- ----------- ---------------------------------------- +eth0 up 1G 1500 eth oob-mgmt-switch swp10 IP Address: 192.168.200.11/24 + IP Address: fe80::4638:39ff:fe22:17a/64 +lo up 65536 loopback IP Address: 127.0.0.1/8 + IP Address: ::1/128 +mgmt up 65575 vrf IP Address: 127.0.0.1/8 + IP Address: ::1/128 +swp1 up 1500 swp +swp2 protodown 9178 swp +swp3 up 1500 swp +swp4 up 1500 swp +... +``` ``` cumulus@switch:~$ ip link diff --git a/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md index 5166cfa493..22f6ee30c8 100644 --- a/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md +++ b/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md 
@@ -979,6 +979,8 @@ cumulus@leaf01:~$ nv set router bgp wait-for-install on cumulus@leaf01:~$ nv config apply ``` +When you configure suppress route advertisement, NVUE reloads `switchd`. + {{< /tab >}} {{< tab "vtysh Commands ">}} diff --git a/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md b/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md index 035dd5c39b..dc85923b64 100644 --- a/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md +++ b/content/cumulus-linux-57/Layer-3/Routing/Equal-Cost-Multipath-Load-Sharing.md @@ -565,7 +565,7 @@ interface.swp52.adaptive_routing.link_util_thresh = 70 ... ``` -Reload `switchd` with the `sudo systemctl reload switchd.service` command. +Restart `switchd` with the `sudo systemctl restart switchd.service` command. - To disable adaptive routing, set the `adaptive_routing.enable` parameter to `FALSE` in the `/etc/cumulus/switchd.d/adaptive_routing.conf` file. - To disable adaptive routing on a specific port, set the `interface..adaptive_routing.enable` parameter to `FALSE` in the `/etc/cumulus/switchd.d/adaptive_routing.conf` file. @@ -636,7 +636,7 @@ Reload `switchd` with the `sudo systemctl reload switchd.service` command. {{%notice note%}} If you modify the `adaptive_routing.ecmp_size` parameter in the custom profile, then revert to the default profile for the switch, you must restart `switchd`. {{%/notice%}} - +--> ### Link Utilization Link utilization, when crossing a threshold, is one of the parameters in the adaptive routing decision. The default link utilization threshold percentage on an interface is 70. You can change the percentage to a value between 1 and 100. 
@@ -644,7 +644,7 @@ Link utilization, when crossing a threshold, is one of the parameters in the ada Link utilization is off by default; you must enable the global link utilization setting to use the link utilization thresholds set on adaptive routing interfaces. You cannot enable or disable link utilization per interface. {{%notice note%}} -In Cumulus Linux 5.5 and earlier, link utilization is on by default. If you configured link utilization in a previous release, be sure to enable link utilization after you upgrade to Cumulus Linux 5.6. +In Cumulus Linux 5.5 and earlier, link utilization is on by default. If you configured link utilization in a previous release, be sure to enable link utilization after you upgrade to Cumulus Linux 5.7. {{%/notice%}} {{< tabs "TabID624 ">}} diff --git a/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md b/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md index 3536cb338e..52ff80f0a9 100644 --- a/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md +++ b/content/cumulus-linux-57/System-Configuration/Configuring-switchd.md 
@@ -31,7 +31,7 @@ A low setting, such as 1, might affect system performance. - The log level to debug the data plane programming related code. You can specify `debug`, `info`, `notice`, `warning`, or `error`. The default setting is `info`. NVIDIA recommends that you do not set the log level to debug in a production environment. - The DSCP action and value for encapsulation. You can set the DSCP action to `copy` (to copy the value from the IP header of the packet), `set` (to specify a specific value), or `derive` (to obtain the value from the switch priority). The default action is `derive`. Only specify a value if the action is `set`. - The DSCP action for decapsulation in VXLAN outer headers. You can specify `copy` (to copy the value from the IP header of the packet), `preserve` (to keep the inner DSCP value), or `derive` (to obtain the value from the switch priority). The default action is `derive`. -- The preference between a route and neighbor with the same IP address and mask. You can specify `route`, `neighbor`, or `route-and-neighbour`. The default setting is `route`. +- The preference between a route and neighbor with the same IP address and mask. You can specify `route`, `neighbor`, or `route-and-neighbor`. The default setting is `route`. - The ACL mode (atomic or non-atomic). The default setting is `atomic`. - The reserved VLAN range. The default setting is 3725-3999. @@ -71,7 +71,7 @@ cumulus@switch:~$ nv set nve vxlan decapsulation dscp action preserve cumulus@switch:~$ nv config apply ``` -The following command example sets the route or neighbour preference to both route and neighbour: +The following command example sets the route or neighbor preference to both route and neighbor: ``` cumulus@switch:~$ nv set system forwarding host-route-preference route-and-neighbour 
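Review bot: the `@@ -31,7 +31,7 @@` hunk of Configuring-switchd.md changes the documented value to `route-and-neighbor`, but the command shown in the context of the `@@ -71,7 +71,7 @@` hunk is still `nv set system forwarding host-route-preference route-and-neighbour`, and the Whats-New command list uses that spelling too. If the CLI keyword is `route-and-neighbour`, the backticked value in the list must keep it, since a reader will type it verbatim; only the surrounding prose should switch to "neighbor".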
diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index 7d50ca542a..b58b3a5c6e 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md @@ -172,7 +172,7 @@ cumulus@switch:~$ nv action delete system security certificate tls-cert-1 {{< tab "Curl Commands ">}} ``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' https://127.0.0.1:8765/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@delete": { "state": "start"}}' +cumulus@switch:~$ curl -u 'cumulus:cumulus' https://127.0.0.1:8765/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@delete": { "state": "start"}}' ``` {{< /tab >}} diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 7eddb36c1b..4bacd73e11 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -50,10 +50,8 @@ nv set/unset system forwarding host-route-preference route-and-neighbour nv set/unset nve vxlan encapsulation dscp action nv set/unset nve vxlan encapsulation dscp value nv set/unset nve vxlan decapsulation dscp action -nv set/unset interface router +nv set/unset interface router adaptive-routing link-utilization-threshold nv set/unset router bgp wait-for-install -nv set/unset router adaptive-routing enable -nv set/unset interface router adaptive-routing enable ``` {{< /expand >}} From 3e5d6fb6e52c51d759e7f071ecdd4ca1d37b34df Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 08:56:02 -0800 Subject: [PATCH 132/204] ptp and SyncE in beta --- .../Date-and-Time/Synchronous-Ethernet-SyncE.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) 
diff --git a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Synchronous-Ethernet-SyncE.md b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Synchronous-Ethernet-SyncE.md index a467f1ba6b..988c03fc84 100644 --- a/content/cumulus-linux-57/System-Configuration/Date-and-Time/Synchronous-Ethernet-SyncE.md +++ b/content/cumulus-linux-57/System-Configuration/Date-and-Time/Synchronous-Ethernet-SyncE.md @@ -6,10 +6,6 @@ toc: 3 draft: true --- -{{%notice note%}} -SyncE is currently in Beta. -{{%/notice%}} - [SyncE](## "Synchronous Ethernet") is an ITU-T standard for transmitting clock signals over the Ethernet physical layer to synchronize clocks across the network by propagating frequency using the transmission rate of symbols in the network. A dedicated channel, [ESMC](## "Ethernet Synchronization Messaging Channel") manages this synchronization, as specified by the ITU-T Rec. G.8264 standard. The Cumulus Linux switch includes a SyncE controller and a SyncE daemon. @@ -19,7 +15,8 @@ The Cumulus Linux switch includes a SyncE controller and a SyncE daemon. - Manages the synchronization hierarchy and runs the master selection algorithm to choose the best reference clock from the [QL](## "Quality Level") in the SSM. {{%notice note%}} -Cumulus Linux supports SyncE for the NVIDIA SN3750-SX switch only. +- Cumulus Linux supports SyncE for the NVIDIA SN3750-SX switch only. +- SyncE with PTP is currently in Beta {{%/notice%}} ## Basic Configuration From 9046426ff4fee0d91794b01e2524e2d872da19a8 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 09:01:04 -0800 Subject: [PATCH 133/204] updates to whats new --- content/cumulus-linux-57/Whats-New/_index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 4bacd73e11..c5e791f8e4 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md 
@@ -52,6 +52,7 @@ nv set/unset nve vxlan encapsulation dscp value nv set/unset nve vxlan decapsulation dscp action nv set/unset interface router adaptive-routing link-utilization-threshold nv set/unset router bgp wait-for-install +nv set/unset interface router ``` {{< /expand >}} From 7eced7c886c8c9cd136af055646a89863e8f1d86 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 09:01:42 -0800 Subject: [PATCH 134/204] updates --- content/cumulus-linux-57/Whats-New/_index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index c5e791f8e4..4bacd73e11 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -52,7 +52,6 @@ nv set/unset nve vxlan encapsulation dscp value nv set/unset nve vxlan decapsulation dscp action nv set/unset interface router adaptive-routing link-utilization-threshold nv set/unset router bgp wait-for-install -nv set/unset interface router ``` {{< /expand >}} From d620b26c580f0dc6b2a14e9e0a3c3ca3a4f4fd57 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 10:27:18 -0800 Subject: [PATCH 135/204] updates to net show commands --- .../Upgrading-Cumulus-Linux.md | 1 - .../Multi-Chassis-Link-Aggregation-MLAG.md | 96 +++++++++---------- .../Layer-2/Virtual-Router-Redundancy-VRR.md | 54 +++++------ .../Address-Resolution-Protocol-ARP.md | 4 +- .../Troubleshooting-EVPN.md | 70 ++++++++------ .../NVIDIA-User-Experience-NVUE/NVUE-CLI.md | 2 +- 6 files changed, 116 insertions(+), 111 deletions(-) diff --git a/content/cumulus-linux-57/Installation-Management/Upgrading-Cumulus-Linux.md b/content/cumulus-linux-57/Installation-Management/Upgrading-Cumulus-Linux.md index 9b8e437027..d60a22ac11 100644 --- a/content/cumulus-linux-57/Installation-Management/Upgrading-Cumulus-Linux.md +++ b/content/cumulus-linux-57/Installation-Management/Upgrading-Cumulus-Linux.md 
@@ -61,7 +61,6 @@ Understanding the location of configuration data is important for successful upg {{%notice note%}} - If you are using the root user account, consider including `/root/`. - If you have custom user accounts, consider including `/home//`. -- Run the `net show configuration files | grep -B 1 "==="` command and back up the files listed in the command output. {{%/notice%}} {{< /tab >}} diff --git a/content/cumulus-linux-57/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md b/content/cumulus-linux-57/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md index 6e7a496737..d4c0d64bdc 100644 --- a/content/cumulus-linux-57/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md +++ b/content/cumulus-linux-57/Layer-2/Multi-Chassis-Link-Aggregation-MLAG.md @@ -792,7 +792,7 @@ peer-priority 32768 Mlag Peer Priority peer-role secondary Mlag Peer Role ``` -Run the `net show mlag` command or the `clagctl` command to show the MLAG interface information: +Run the `net show clag` command or the `clagctl` command to show the MLAG interface information: ``` cumulus@leaf01:mgmt:~$ net show clag 
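Review bot: the corrected sentence in the `@@ -792,7 +792,7 @@` hunk now matches the sample below it, but it still sends readers to an NCLU `net show` command in a commit that removes or replaces `net show` everywhere else it touches. Please confirm that `net show clag` is one of the `net show` commands that remain available in this release; if it is not, this paragraph and its sample should move to `clagctl` alone or to the NVUE command used in the next hunk.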
@@ -813,35 +813,29 @@ Our Interface Peer Interface CLAG Id Conflicts Proto-Dow ### Show All MLAG Settings -To see all MLAG settings, run the `clagctl params` command: - -``` -cumulus@leaf01:~$ clagctl params -clagVersion = 1.4.0 -clagDataVersion = 1.4.0 -clagCmdVersion = 1.1.0 -peerIp = linklocal -peerIf = peerlink.4094 -sysMac = 44:38:39:be:ef:aa -lacpPoll = 2 -currLacpPoll = 2 -peerConnect = 1 -cmdConnect = 1 -peerLinkPoll = 1 -switchdReadyTimeout = 120 -reloadTimer = 300 -periodicRun = 4 -priority = 32768 -quiet = False -debug = 0x0 -verbose = False -log = syslog -vm = True -peerPort = 5342 -peerTimeout = 20 -initDelay = 100 -sendTimeout = 30 -... +To see all MLAG settings, run the `nv show mlag` command: + +``` +cumulus@leaf01:~$ nv show mlag + operational applied +-------------- ------------------------- ---------- +enable on on +mac-address 44:38:39:be:ef:aa auto +peer-ip fe80::4ab0:2dff:fe52:1190 linklocal +priority 1000 1000 +init-delay 10 10 +debug off off +[backup] 10.10.10.2 10.10.10.2 +peer-priority 2000 +backup-active True +local-id 48:b0:2d:d1:e4:e1 +peer-id 48:b0:2d:52:11:90 +local-role primary +peer-role secondary +peer-interface peerlink.4094 +peer-alive True +backup-reason +anycast-ip 10.0.1.12 ``` ### View the MLAG Log File 
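Review bot: the heading and lead-in kept by the `@@ -813,35 +813,29 @@` hunk still promise all MLAG settings, but the `nv show mlag` sample that replaces `clagctl params` no longer shows the timers and connection parameters the old output listed (`lacpPoll`, `peerTimeout`, `reloadTimer`, `sendTimeout`, `peerPort`). Either retitle the section to say it shows the MLAG summary, or keep `clagctl params` as the Linux alternative for readers who need those values. The new sample also shows `peer-priority 2000`, while the context at the top of the previous hunk shows `peer-priority 32768`; worth checking that the samples in this section are meant to come from the same switch state.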
@@ -1108,27 +1102,27 @@ NIC statistics: tx_queue_0_kicks: 195 ``` -You can also run the `net show counters` command. The number of dropped packets shows in the `RX_DRP` column. - -``` -cumulus@leaf01:mgmt:~$ net show counters - -Kernel Interface table -Iface MTU RX_OK RX_ERR RX_DRP RX_OVR TX_OK TX_ERR TX_DRP TX_OVR Flg -------------- ----- ------- -------- -------- -------- ------- -------- -------- -------- ----- -bond1 9216 0 0 0 0 542 0 0 0 BMmU -bond2 9216 0 0 0 0 542 0 0 0 BMmU -bridge 9216 0 0 0 0 17 0 0 0 BMRU -eth0 1500 5497 0 0 0 933 0 0 0 BMRU -lo 65536 1328 0 0 0 1328 0 0 0 LRU -mgmt 65536 790 0 0 0 0 0 33 0 OmRU -peerlink 9216 23626 0 520 0 23665 0 0 0 BMmRU -peerlink.4094 9216 8013 0 0 0 8017 0 0 0 BMRU -swp1 9216 5 0 0 0 553 0 0 0 BMsRU -swp2 9216 3 0 0 0 552 0 0 0 BMsRU -swp49 9216 11822 0 0 0 11852 0 0 0 BMsRU -swp50 9216 11804 0 0 0 11841 0 0 0 BMsRU -swp51 9216 0 0 0 0 292 0 0 0 BMRU +You can also run the `nv show interface counters` command. The number of dropped packets shows in the `RX_DRP` column. + +``` +cumulus@leaf01:mgmt:~$ nv show interface counters +Interface MTU RX_OK RX_ERR RX_DRP RX_OVR TX_OK TX_ERR TX_DRP TX_OVR Flg +-------------- ----- ----- ------ ------ ------ ----- ------ ------ ------ ----- +BLUE 65575 0 0 0 0 0 0 1 0 OmRU +RED 65575 0 0 0 0 0 0 1 0 OmRU +bond1 9000 0 0 0 0 1336 0 0 0 BMmRU +bond2 9000 0 0 0 0 1337 0 0 0 BMmRU +bond3 9000 0 0 0 0 1336 0 0 0 BMmRU +br_default 9216 69 0 0 0 191 0 0 0 BMRU +eth0 1500 6184 0 0 0 3384 0 0 0 BMRU +lo 65536 3835 0 0 0 3835 0 0 0 LRU +mgmt 65575 4098 0 0 0 0 0 13 0 OmRU +peerlink 9216 14604 0 0 0 14134 0 0 0 BMmRU +peerlink.4094 9216 9923 0 0 0 9423 0 0 0 BMRU +swp1 9000 5 0 5 0 1336 0 0 0 BMsRU +swp2 9000 5 0 5 0 1337 0 0 0 BMsRU +swp3 9000 5 0 5 0 1336 0 0 0 BMsRU +swp4 1500 ``` ### Peer Link Interfaces and the protodown State 
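Review bot: the added sample in the `@@ -1108,27 +1102,27 @@` hunk ends with a cut-off row, `swp4 1500`, that has no counter values, and unlike the old sample it has no trailing row to mark it as an excerpt. Complete the row or drop it. The old sample also showed a non-zero `RX_DRP` on `peerlink` (520), which is what the sentence about the `RX_DRP` column points the reader at; the new capture shows 0 there and drops only on `swp1` to `swp3`, so if this section is about drops on the peer link, pick a capture that shows one.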
diff --git a/content/cumulus-linux-57/Layer-2/Virtual-Router-Redundancy-VRR.md b/content/cumulus-linux-57/Layer-2/Virtual-Router-Redundancy-VRR.md index 00732798d1..bb9ac86148 100644 --- a/content/cumulus-linux-57/Layer-2/Virtual-Router-Redundancy-VRR.md +++ b/content/cumulus-linux-57/Layer-2/Virtual-Router-Redundancy-VRR.md 
@@ -194,35 +194,31 @@ Configure the links between the servers and the switches in *active-active* mode ### Troubleshooting -To verify the configuration on the switch, run the `net show interface` command: - -``` -cumulus@leaf01:mgmt:~$ net show interface -State Name Spd MTU Mode LLDP Summary ------ ------------- --- ----- ------------ ----------------------- ----------------------- -UP lo N/A 65536 Loopback IP: 127.0.0.1/8 - lo IP: 10.10.10.1/32 - lo IP: ::1/128 -UP eth0 1G 1500 Mgmt oob-mgmt-switch (swp10) Master: mgmt(UP) - eth0 IP: 192.168.200.11/24 -UP swp1 1G 9216 BondMember Master: bond1(UP) -UP swp2 1G 9216 BondMember Master: bond2(UP) -UP swp49 1G 9216 BondMember Master: peerlink(UP) -UP swp50 1G 9216 BondMember Master: peerlink(UP) -UP swp51 1G 9216 Default -UP bond1 1G 9216 802.3ad Master: br_default(UP) - bond1 Bond Members: swp1(UP) -UP bond2 1G 9216 802.3ad Master: br_default(UP) - bond2 Bond Members: swp2(UP) -UP br_default N/A 9216 Bridge/L2 -UP mgmt N/A 65536 VRF IP: 127.0.0.1/8 - mgmt IP: ::1/128 -UP peerlink 2G 9216 802.3ad Master: br_default(UP) - peerlink Bond Members: swp49(UP) - peerlink Bond Members: swp50(UP) -UP peerlink.4094 2G 9216 Default -UP vlan10 N/A 9216 Interface/L3 IP: 10.1.10.2/24 -UP vlan10-v0 N/A 9216 Interface/L3 IP: 10.1.10.1/24 +To verify the configuration on the switch, run the `nv show interface` command: + +``` +cumulus@leaf01:mgmt:~$ nv show interface +Interface State Speed MTU Type Remote Host Remote Port Summary +-------------- ----- ----- ----- -------- --------------- ----------- ---------------------------------------- +BLUE up 65575 vrf IP Address: 127.0.0.1/8 + IP Address: ::1/128 +RED up 65575 vrf IP Address: 127.0.0.1/8 + IP Address: ::1/128 +bond1 up 1G 9000 bond +bond2 up 1G 9000 bond +bond3 up 1G 9000 bond +br_default up 9216 bridge IP Address: fe80::4638:39ff:fe22:17a/64 +eth0 up 1G 1500 eth oob-mgmt-switch swp10 IP Address: 192.168.200.11/24 + IP Address: fe80::4638:39ff:fe22:17a/64 +lo up 65536 loopback IP 
Address: 10.0.1.12/32 + IP Address: 10.10.10.1/32 + IP Address: 127.0.0.1/8 + IP Address: ::1/128 +mgmt up 65575 vrf IP Address: 127.0.0.1/8 + IP Address: ::1/128 +peerlink up 2G 9216 bond +peerlink.4094 up 9216 sub IP Address: fe80::4ab0:2dff:fed1:e4e1/64 +swp1 up 1G 9000 swp ... ``` diff --git a/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md b/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md index 2152ac60f7..a7234cd48e 100644 --- a/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md +++ b/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md @@ -350,7 +350,7 @@ vlan20 10.1.20.105 48:b0:2d:75:bf:9e noarp |ext_lea To show IPv4 entries only, run the Linux `ip -4 neighbor` command: ``` -cumulus@leaf01:mgmt:~$ +cumulus@leaf01:mgmt:~$ ip -4 neighbor 169.254.0.1 dev swp54 lladdr 48:b0:2d:80:8c:21 PERMANENT proto zebra 169.254.0.1 dev peerlink.4094 lladdr 48:b0:2d:3f:69:d6 PERMANENT proto zebra 10.10.10.3 dev vxlan48 lladdr 44:38:39:22:01:84 extern_learn NOARP proto zebra @@ -373,7 +373,7 @@ cumulus@leaf01:mgmt:~$ ... ``` -To show table entries for a specific interface, run the `nv show interface neighbor` command: +To show table entries for a specific interface, run the `nv show interface neighbor` command: ``` cumulus@leaf01:mgmt:~$ nv show interface swp51 neighbor diff --git a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Troubleshooting-EVPN.md b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Troubleshooting-EVPN.md index 0bc3d74b9d..b0ed2be6c6 100644 --- a/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Troubleshooting-EVPN.md +++ b/content/cumulus-linux-57/Network-Virtualization/Ethernet-Virtual-Private-Network-EVPN/Troubleshooting-EVPN.md 
@@ -15,7 +15,7 @@ You can use various NVUE or Linux commands to examine interfaces, VLAN mappings - `nv show bridge domain vlan` (NVUE) or `bridge vlan show` (Linux) - `nv show bridge vlan-vni-map` (NVUE) - `nv show bridge domain vlan-vni-map` (NVUE) -- `ip neighbor show` (Linux) +- `nv show interface neighbor` (NVUE) or `ip neighbor show` (Linux) - `ip route show [table ]` (Linux) The sample output below shows `ip -d link show type vxlan` command output for one VXLAN interface. Relevant parameters are the VNI value, the state, the local IP address for the VXLAN tunnel, the UDP port number (4789) and the bridge of which the interface is part (*bridge* in the example below). The output also shows that MAC learning is *off* on the VXLAN interface. 
@@ -83,32 +83,48 @@ entry-id age bridge-domain entry-type interface last-update MAC addre ... ``` -The following example output for the `net show neighbor` command shows: - -- 10.1.10.101 is a locally attached host server01 on VLAN 10. Interface `vlan10-v0` is the virtual VRR address for VLAN10. -- 10.1.10.104 is remote-host, server04 on VLAN10. The STATE `zebra` shows that it is an EVPN learned entry. Use `net show bridge macs` to see information about which VTEP the host is behind. -- 10.1.20.105 is remote-host, server05 on VLAN 20. - -``` -cumulus@leaf01:mgmt:~$ net show neighbor -Neighbor MAC Interface AF STATE -------------------------- ----------------- ------------- ---- --------- -10.1.10.104 68:0f:31:ae:3d:7a vlan10 IPv4 zebra -10.1.10.101 26:76:e6:93:32:78 vlan10-v0 IPv4 REACHABLE -169.254.0.1 c0:8a:e6:03:96:d0 peerlink.4094 IPv4 zebra -10.0.1.2 44:38:39:be:ef:bb vlan4001 IPv4 zebra -169.254.0.1 c0:99:6b:c0:e1:ca swp52 IPv4 zebra -10.1.20.3 c0:8a:e6:03:96:d0 vlan20 IPv4 PERMANENT -169.254.0.1 ac:56:f0:f3:59:0c swp54 IPv4 zebra -10.1.20.105 12:15:9a:9c:f2:e1 vlan20 IPv4 zebra -169.254.0.1 2c:f3:45:f4:6f:5f swp53 IPv4 zebra -192.168.200.1 12:72:bc:4c:e1:83 eth0 IPv4 REACHABLE -169.254.0.1 f0:08:5f:12:cc:8c swp51 IPv4 zebra -192.168.200.250 44:38:39:00:01:80 eth0 IPv4 REACHABLE -10.1.30.3 c0:8a:e6:03:96:d0 vlan30 IPv4 PERMANENT -192.168.200.2 02:7a:19:45:66:48 eth0 IPv4 STALE -10.1.10.101 26:76:e6:93:32:78 vlan10 IPv4 REACHABLE -10.1.10.3 c0:8a:e6:03:96:d0 vlan10 IPv4 PERMANENT +The following example shows the `nv show interface neighbor` command output: + +``` +cumulus@leaf01:mgmt:~$ nv show interface neighbor +Interface IP/IPV6 LLADR(MAC) State Flag +------------- ------------------------- ----------------- --------- ---------- +eth0 192.168.200.1 48:b0:2d:82:3b:b3 reachable + 192.168.200.251 48:b0:2d:00:00:01 stale + fe80::4ab0:2dff:fe00:1 48:b0:2d:00:00:01 reachable router +peerlink.4094 169.254.0.1 48:b0:2d:52:11:90 permanent + fe80::4ab0:2dff:fe52:1190 
48:b0:2d:52:11:90 reachable router +swp51 169.254.0.1 48:b0:2d:b8:2b:bc permanent + fe80::4ab0:2dff:feb8:2bbc 48:b0:2d:b8:2b:bc reachable router +swp52 169.254.0.1 48:b0:2d:e1:08:f7 permanent + fe80::4ab0:2dff:fee1:8f7 48:b0:2d:e1:08:f7 reachable router +swp53 169.254.0.1 48:b0:2d:c0:71:8b permanent + fe80::4ab0:2dff:fec0:718b 48:b0:2d:c0:71:8b reachable router +swp54 169.254.0.1 48:b0:2d:18:f4:68 permanent + fe80::4ab0:2dff:fe18:f468 48:b0:2d:18:f4:68 reachable router +vlan10 10.1.10.3 44:38:39:22:01:78 permanent + fe80::4638:39ff:fe22:178 44:38:39:22:01:78 permanent +vlan20 10.1.20.3 44:38:39:22:01:78 permanent + fe80::4638:39ff:fe22:178 44:38:39:22:01:78 permanent +vlan30 10.1.30.3 44:38:39:22:01:78 permanent + fe80::4638:39ff:fe22:178 44:38:39:22:01:78 permanent +vlan4024_l3 10.10.10.63 44:38:39:22:01:74 noarp |ext_learn + 10.10.10.64 44:38:39:22:01:7c noarp |ext_learn + 10.10.10.4 44:38:39:22:01:8a noarp |ext_learn + 10.10.10.3 44:38:39:22:01:84 noarp |ext_learn + 10.10.10.2 44:38:39:22:01:78 noarp |ext_learn + fe80::4638:39ff:fe22:178 44:38:39:22:01:78 permanent +vlan4036_l3 10.10.10.63 44:38:39:22:01:74 noarp |ext_learn + 10.10.10.64 44:38:39:22:01:7c noarp |ext_learn + 10.10.10.4 44:38:39:22:01:8a noarp |ext_learn + 10.10.10.3 44:38:39:22:01:84 noarp |ext_learn + 10.10.10.2 44:38:39:22:01:78 noarp |ext_learn + fe80::4638:39ff:fe22:178 44:38:39:22:01:78 permanent +vxlan48 10.10.10.63 44:38:39:22:01:74 noarp |ext_learn + 10.10.10.4 44:38:39:22:01:8a noarp |ext_learn + 10.10.10.3 44:38:39:22:01:84 noarp |ext_learn + 10.10.10.2 44:38:39:22:01:78 noarp |ext_learn + 10.10.10.64 44:38:39:22:01:7c noarp |ext_learn ... ``` diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md index acb9ad941c..4295150546 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md 
+++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md @@ -224,7 +224,7 @@ If you run an NVUE show command but the corresponding FRR routing daemons are no In addition to the `nv show` commands, Cumulus Linux continues to provide a subset of the NCLU `net show` commands. Use these commands to get additional views of various parts of your network configuration. ``` -cumulus@leaf01:mgmt:~$ net show +cumulus@leaf01:mgmt:~$ net show <> bfd : Bidirectional forwarding detection bgp : Border Gateway Protocol bridge : a layer2 bridge From 80ff9b71293cd63eb013d763502548f4a84978f9 Mon Sep 17 00:00:00 2001 From: Stu Clark Date: Wed, 6 Dec 2023 14:48:49 -0500 Subject: [PATCH 136/204] Fix NetQ 4.7-4.8 install KVM config drop-down shortcode --- .../shortcodes/netq-install/vm-setup.html | 194 +++++++++++++++--- 1 file changed, 168 insertions(+), 26 deletions(-) diff --git a/themes/netDocs/layouts/shortcodes/netq-install/vm-setup.html b/themes/netDocs/layouts/shortcodes/netq-install/vm-setup.html index f434804553..c965fd4426 100644 --- a/themes/netDocs/layouts/shortcodes/netq-install/vm-setup.html +++ b/themes/netDocs/layouts/shortcodes/netq-install/vm-setup.html @@ -11,7 +11,7 @@
  1. -

    Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

    +

    Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

    $ sha256sum ./Downloads/cumulus-netq-server-2.4.1-ts-amd64-qemu.qcow2
    $ E93617F1DB5AB3BA597B0EC0C9CFE4CB5AA435245BF62A04769D2A806DA12BE7 ./Downloads/cumulus-netq-server-2.4.1-ts-amd64-qemu.qcow2
  2. Copy the QCOW2 image to a directory where you want to run it. @@ -44,7 +44,7 @@
    1. -

      Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

      +

      Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

      $ sha256sum ./Downloads/cumulus-netq-server-2.4.1-ts-amd64-qemu.qcow2
      $ 383E976F1A0572B9556B3A93FC790222C3A278CA04D96360AC9F3878704F4371 ./Downloads/cumulus-netq-server-2.4.1-ts-amd64-qemu.qcow2
    2. Copy the QCOW2 image to a directory where you want to run it. @@ -81,7 +81,7 @@
      1. -

        Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

        +

        Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

        $ sha256sum ./Downloads/cumulus-netq-server-3.0.0-ts-amd64-qemu.qcow2
        $ 58EC6D6B4F2C6D377B3CD7C6E36792C6E2C89B06069561C50F316EA01F8A2ED2 ./Downloads/cumulus-netq-server-3.0.0-ts-amd64-qemu.qcow2
      2. Copy the QCOW2 image to a directory where you want to run it. @@ -114,7 +114,7 @@
        1. -

          Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

          +

          Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

          $ sha256sum ./Downloads/cumulus-netq-server-3.0.0-ts-amd64-qemu.qcow2
          $ 599C3AA617937156D38A2205B4D111F83EBCFD63EDA7A791060375B30CB1DA90 ./Downloads/cumulus-netq-server-3.0.0-ts-amd64-qemu.qcow2
        2. Copy the QCOW2 image to a directory where you want to run it. @@ -151,7 +151,7 @@
          1. -

            Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

            +

            Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

            $ sha256sum ./Downloads/cumulus-netq-server-3.1.0-ts-amd64-qemu.qcow2
            $ 58EC6D6B4F2C6D377B3CD7C6E36792C6E2C89B06069561C50F316EA01F8A2ED2 ./Downloads/cumulus-netq-server-3.1.0-ts-amd64-qemu.qcow2
          2. Copy the QCOW2 image to a directory where you want to run it. @@ -184,7 +184,7 @@
            1. -

              Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

              +

              Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

              $ sha256sum ./Downloads/cumulus-netq-server-3.1.0-ts-amd64-qemu.qcow2
              $ 599C3AA617937156D38A2205B4D111F83EBCFD63EDA7A791060375B30CB1DA90 ./Downloads/cumulus-netq-server-3.1.0-ts-amd64-qemu.qcow2
            2. Copy the QCOW2 image to a directory where you want to run it. @@ -221,7 +221,7 @@
              1. -

                Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                +

                Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                $ sha256sum ./Downloads/netq-3.2.0-ubuntu-18.04-ts-qemu.qcow2
                $ 7772531F02B932B0B35CA74E710341BEC6428CD2B089A3C3C6EFE25D2F668AD5 ./Downloads/netq-3.2.0-ubuntu-18.04-ts-qemu.qcow2
              2. Copy the QCOW2 image to a directory where you want to run it. @@ -254,7 +254,7 @@
                1. -

                  Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                  +

                  Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                  $ sha256sum ./Downloads/netq-3.2.0-ubuntu-18.04-tscloud-qemu.qcow2
                  $ DDC24C25CD50DF5C6F1C0D7070ACA8317A6C4AB52F3A95EA005BA9777849981E ./Downloads/netq-3.2.0-ubuntu-18.04-tscloud-qemu.qcow2
                2. Copy the QCOW2 image to a directory where you want to run it. @@ -291,7 +291,7 @@
                  1. -

                    Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                    +

                    Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                    $ sha256sum ./Downloads/netq-3.2.1-ubuntu-18.04-ts-qemu.qcow2
                    $ F4EF2B16C41EBF92ECCECD0A6094A49EB30AD59508F027B18B9DDAE7E57F0A6F ./Downloads/netq-3.2.1-ubuntu-18.04-ts-qemu.qcow2
                  2. Copy the QCOW2 image to a directory where you want to run it. @@ -324,7 +324,7 @@
                    1. -

                      Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                      +

                      Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                      $ sha256sum ./Downloads/netq-3.2.1-ubuntu-18.04-tscloud-qemu.qcow2
                      $ DDC24C25CD50DF5C6F1C0D7070ACA8317A6C4AB52F3A95EA005BA9777849981E ./Downloads/netq-3.2.1-ubuntu-18.04-tscloud-qemu.qcow2
                    2. Copy the QCOW2 image to a directory where you want to run it. @@ -361,7 +361,7 @@
                      1. -

                        Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                        +

                        Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                        $ sha256sum ./Downloads/netq-3.3.0-ubuntu-18.04-ts-qemu.qcow2
                        $ 69D2A4A010229AC4A8C11FC6E3621648FBB3D725B095A0A29EFCF937FA38B44F ./Downloads/netq-3.3.0-ubuntu-18.04-ts-qemu.qcow2
                      2. Copy the QCOW2 image to a directory where you want to run it. @@ -394,7 +394,7 @@
                        1. -

                          Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                          +

                          Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                          $ sha256sum ./Downloads/netq-3.3.0-ubuntu-18.04-tscloud-qemu.qcow2
                          $ 8ADF1CBBE48DC57E22C6081CF6AB59127B4613C9BCDEE0BBB5A11DE1347B725D ./Downloads/netq-3.3.0-ubuntu-18.04-tscloud-qemu.qcow2
                        2. Copy the QCOW2 image to a directory where you want to run it. @@ -431,7 +431,7 @@
                          1. -

                            Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                            +

                            Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                            $ sha256sum ./Downloads/netq-3.3.1-ubuntu-18.04-ts-qemu.qcow2
                            $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-3.3.1-ubuntu-18.04-ts-qemu.qcow2
                          2. Copy the QCOW2 image to a directory where you want to run it. @@ -464,7 +464,7 @@
                            1. -

                              Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                              +

                              Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                              $ sha256sum ./Downloads/netq-3.3.1-ubuntu-18.04-tscloud-qemu.qcow2
                              $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-3.3.1-ubuntu-18.04-tscloud-qemu.qcow2
                            2. Copy the QCOW2 image to a directory where you want to run it. @@ -507,7 +507,7 @@
                              1. -

                                Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                +

                                Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                $ sha256sum ./Downloads/netq-4.0.0-ubuntu-18.04-ts-qemu.qcow2
                                $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.0.0-ubuntu-18.04-ts-qemu.qcow2
                              2. Copy the QCOW2 image to a directory where you want to run it. @@ -540,7 +540,7 @@
                                1. -

                                  Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                  +

                                  Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                  $ sha256sum ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                  $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                2. Copy the QCOW2 image to a directory where you want to run it. @@ -577,7 +577,7 @@
                                  1. -

                                    Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                    +

                                    Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                    $ sha256sum ./Downloads/netq-4.2.0-ubuntu-18.04-ts-qemu.qcow2
                                    $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.0.0-ubuntu-18.04-ts-qemu.qcow2
                                  2. Copy the QCOW2 image to a directory where you want to run it. @@ -610,7 +610,7 @@
                                    1. -

                                      Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                      +

                                      Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                      $ sha256sum ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                      $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                    2. Copy the QCOW2 image to a directory where you want to run it. @@ -647,7 +647,7 @@
                                      1. -

                                        Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                        +

                                        Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                        $ sha256sum ./Downloads/netq-4.3.0-ubuntu-18.04-ts-qemu.qcow2
                                        $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.3.0-ubuntu-18.04-ts-qemu.qcow2
                                      2. Copy the QCOW2 image to a directory where you want to run it. @@ -680,7 +680,7 @@
                                        1. -

                                          Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                          +

                                          Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                          $ sha256sum ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                          $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                        2. Copy the QCOW2 image to a directory where you want to run it. @@ -717,7 +717,7 @@
                                          1. -

                                            Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                            +

                                            Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                            $ sha256sum ./Downloads/netq-4.4.0-ubuntu-18.04-ts-qemu.qcow2
                                            $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.4.0-ubuntu-18.04-ts-qemu.qcow2
                                          2. Copy the QCOW2 image to a directory where you want to run it. @@ -750,7 +750,7 @@
                                            1. -

                                              Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                              +

                                              Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                              $ sha256sum ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                              $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.0.0-ubuntu-18.04-tscloud-qemu.qcow2
                                            2. Copy the QCOW2 image to a directory where you want to run it. @@ -787,7 +787,7 @@
                                              1. -

                                                Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                                +

                                                Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                $ sha256sum ./Downloads/netq-4.5.0-ubuntu-18.04-ts-qemu.qcow2
                                                $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.5.0-ubuntu-20.04-ts-qemu.qcow2
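Review bot: The sample under the changed sentence runs `sha256sum` on `netq-4.5.0-ubuntu-18.04-ts-qemu.qcow2`, while its output line shows `netq-4.5.0-ubuntu-20.04-ts-qemu.qcow2`; one of the two base-image versions is wrong. The tscloud hunk that follows uses ubuntu-20.04 on both lines, which suggests the command line here is the one to correct.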
                                              2. Copy the QCOW2 image to a directory where you want to run it. @@ -820,7 +820,7 @@
                                                1. -

                                                  Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                                  +

                                                  Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                  $ sha256sum ./Downloads/netq-4.5.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                  $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.5.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                2. Copy the QCOW2 image to a directory where you want to run it. @@ -857,7 +857,7 @@
                                                  1. -

                                                    Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                                    +

                                                    Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                    $ sha256sum ./Downloads/netq-4.6.0-ubuntu-18.04-ts-qemu.qcow2
                                                    $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.6.0-ubuntu-20.04-ts-qemu.qcow2
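Review bot: The digest in the sample output for the 4.6.0 ts image (beginning `0A003836`) is the same value the earlier hunks show for the 4.0.0, 4.3.0, 4.4.0 and 4.5.0 ts images, so it cannot be the real checksum of each release, and a reader who compares against the page instead of the NVIDIA Application Hub will see a mismatch on a good download. Replace it with an obvious placeholder or the per-release value, and drop the `$ ` prompt from the output line, since that line is what `sha256sum` prints and not a command. The command line also names the ubuntu-18.04 file while the output names ubuntu-20.04.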
                                                  2. Copy the QCOW2 image to a directory where you want to run it. @@ -890,7 +890,7 @@
                                                    1. -

                                                      Confirm that the SHA256 checksum matches the one posted on the Cumulus Downloads website to ensure the image download has not been corrupted.

                                                      +

                                                      Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                      $ sha256sum ./Downloads/netq-4.6.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                      $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.6.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                    2. Copy the QCOW2 image to a directory where you want to run it. @@ -920,6 +920,148 @@ {{ end }} {{ end }} + + {{- if eq (.Get "version") "4.7" -}} + + {{- if eq (.Get "deployment") "onprem" -}} + +
                                                        +
                                                      1. +

                                                        Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                        +
                                                        $ sha256sum ./Downloads/netq-4.7.0-ubuntu-18.04-ts-qemu.qcow2
                                                        $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.7.0-ubuntu-20.04-ts-qemu.qcow2
                                                        +
                                                      2. +
                                                      3. Copy the QCOW2 image to a directory where you want to run it. +

                                                        Tip: Copy, instead of moving, the original QCOW2 image that was downloaded to avoid re-downloading it again later should you need to perform this process again.

                                                        +
                                                        $ sudo mkdir /vms
                                                        $ sudo cp ./Downloads/netq-4.7.0-ubuntu-20.04-ts-qemu.qcow2 /vms/ts.qcow2
                                                        +
                                                      4. +
                                                      5. Create the VM. +

                                                        For a Direct VM, where the VM uses a MACVLAN interface to sit on the host interface for its connectivity:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=16 --memory=65536 --os-type=linux --os-variant=generic --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=type=direct,source=eth0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace the disk path value with the location where the QCOW2 image is to reside. Replace network model value (eth0 in the above example) with the name of the interface where the VM is connected to the external network.

                                                        + +

                                                        Or, for a Bridged VM, where the VM attaches to a bridge which has already been setup to allow for external access:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=16 --memory=65536 --os-type=linux --os-variant=generic \ --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=bridge=br0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace network bridge value (br0 in the above example) with the name of the (pre-existing) bridge interface where the VM is connected to the external network.

                                                        + +

                                                        Make note of the name used during install as this is needed in a later step.

                                                        +
                                                      6. +
                                                      7. Watch the boot process in another terminal window. +
                                                        $ virsh console netq_ts
                                                        +
                                                      8. +
                                                      + + {{ end }} + + {{- if eq (.Get "deployment") "cloud" -}} + +
                                                        +
                                                      1. +

                                                        Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                        +
                                                        $ sha256sum ./Downloads/netq-4.7.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                        $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.7.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                        +
                                                      2. +
                                                      3. Copy the QCOW2 image to a directory where you want to run it. +

                                                        Tip: Copy, instead of moving, the original QCOW2 image that was downloaded to avoid re-downloading it again later should you need to perform this process again.

                                                        +
                                                        $ sudo mkdir /vms
                                                        $ sudo cp ./Downloads/netq-4.7.0-ubuntu-20.04-tscloud-qemu.qcow2 /vms/ts.qcow2
                                                        +
                                                      4. +
                                                      5. Create the VM. +

                                                        For a Direct VM, where the VM uses a MACVLAN interface to sit on the host interface for its connectivity:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=4 --memory=8192 --os-type=linux --os-variant=generic --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=type=direct,source=eth0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace the disk path value with the location where the QCOW2 image is to reside. Replace network model value (eth0 in the above example) with the name of the interface where the VM is connected to the external network.

                                                        + +

                                                        Or, for a Bridged VM, where the VM attaches to a bridge which has already been setup to allow for external access:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=4 --memory=8192 --os-type=linux --os-variant=generic \ --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=bridge=br0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace network bridge value (br0 in the above example) with the name of the (pre-existing) bridge interface where the VM is connected to the external network.

                                                        + +

                                                        Make note of the name used during install as this is needed in a later step.

                                                        +
                                                      6. +
                                                      7. Watch the boot process in another terminal window. +
                                                        $ virsh console netq_ts
                                                        +
                                                      8. +
                                                      + + {{ end }} + + {{ end }} + + {{- if eq (.Get "version") "4.8" -}} + + {{- if eq (.Get "deployment") "onprem" -}} + +
                                                        +
                                                      1. +

                                                        Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                        +
                                                        $ sha256sum ./Downloads/netq-4.8.0-ubuntu-18.04-ts-qemu.qcow2
                                                        $ 0A00383666376471A8190E2367B27068B81D6EE00FDE885C68F4E3B3025A00B6 ./Downloads/netq-4.8.0-ubuntu-20.04-ts-qemu.qcow2
                                                        +
                                                      2. +
                                                      3. Copy the QCOW2 image to a directory where you want to run it. +

                                                        Tip: Copy, instead of moving, the original QCOW2 image that was downloaded to avoid re-downloading it again later should you need to perform this process again.

                                                        +
                                                        $ sudo mkdir /vms
                                                        $ sudo cp ./Downloads/netq-4.8.0-ubuntu-20.04-ts-qemu.qcow2 /vms/ts.qcow2
                                                        +
                                                      4. +
                                                      5. Create the VM. +

                                                        For a Direct VM, where the VM uses a MACVLAN interface to sit on the host interface for its connectivity:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=16 --memory=65536 --os-type=linux --os-variant=generic --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=type=direct,source=eth0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace the disk path value with the location where the QCOW2 image is to reside. Replace network model value (eth0 in the above example) with the name of the interface where the VM is connected to the external network.

                                                        + +

                                                        Or, for a Bridged VM, where the VM attaches to a bridge which has already been setup to allow for external access:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=16 --memory=65536 --os-type=linux --os-variant=generic \ --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=bridge=br0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace network bridge value (br0 in the above example) with the name of the (pre-existing) bridge interface where the VM is connected to the external network.

                                                        + +

                                                        Make note of the name used during install as this is needed in a later step.

                                                        +
                                                      6. +
                                                      7. Watch the boot process in another terminal window. +
                                                        $ virsh console netq_ts
                                                        +
                                                      8. +
                                                      + + {{ end }} + + {{- if eq (.Get "deployment") "cloud" -}} + +
                                                        +
                                                      1. +

                                                        Confirm that the SHA256 checksum matches the one posted on the NVIDIA Application Hub to ensure the image download has not been corrupted.

                                                        +
                                                        $ sha256sum ./Downloads/netq-4.8.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                        $ FE353FC06D3F843F4041D74C853D38B0A56036C5886F6233A3ED1A9464AEB783 ./Downloads/netq-4.8.0-ubuntu-20.04-tscloud-qemu.qcow2
                                                        +
                                                      2. +
                                                      3. Copy the QCOW2 image to a directory where you want to run it. +

                                                        Tip: Copy, instead of moving, the original QCOW2 image that was downloaded to avoid re-downloading it again later should you need to perform this process again.

                                                        +
                                                        $ sudo mkdir /vms
                                                        $ sudo cp ./Downloads/netq-4.8.0-ubuntu-20.04-tscloud-qemu.qcow2 /vms/ts.qcow2
                                                        +
                                                      4. +
                                                      5. Create the VM. +

                                                        For a Direct VM, where the VM uses a MACVLAN interface to sit on the host interface for its connectivity:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=4 --memory=8192 --os-type=linux --os-variant=generic --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=type=direct,source=eth0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace the disk path value with the location where the QCOW2 image is to reside. Replace network model value (eth0 in the above example) with the name of the interface where the VM is connected to the external network.

                                                        + +

                                                        Or, for a Bridged VM, where the VM attaches to a bridge which has already been setup to allow for external access:

                                                        + +
                                                        $ virt-install --name=netq_ts --vcpus=4 --memory=8192 --os-type=linux --os-variant=generic \ --disk path=/vms/ts.qcow2,format=qcow2,bus=virtio,cache=none --network=bridge=br0,model=virtio --import --noautoconsole
                                                        + +

                                                        Replace network bridge value (br0 in the above example) with the name of the (pre-existing) bridge interface where the VM is connected to the external network.

                                                        + +

                                                        Make note of the name used during install as this is needed in a later step.

                                                        +
                                                      6. +
                                                      7. Watch the boot process in another terminal window. +
                                                        $ virsh console netq_ts
                                                        +
                                                      8. +
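Review bot: In the added 4.7 and 4.8 onprem blocks, the verification step runs `sha256sum` on `netq-4.7.0-ubuntu-18.04-ts-qemu.qcow2` and `netq-4.8.0-ubuntu-18.04-ts-qemu.qcow2`, but the output line and the later `cp` both use the ubuntu-20.04 file name, so the command as written would not find the downloaded image. Use the ubuntu-20.04 name in the `sha256sum` command, as the cloud blocks in this hunk already do. The new blocks also carry over the same sample digests shown for the older releases, which should be replaced with the values for these images or a placeholder. Separately, the sentence "Replace network model value (eth0 in the above example)" refers to the `source=eth0` value in `--network=type=direct,source=eth0,model=virtio`, not the model, and should say so.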
                                                      + + {{ end }} + + {{ end }} + + {{ end }} From b77914ae5356553ce83a8da2f065778474f2013b Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 12:01:57 -0800 Subject: [PATCH 137/204] updates to rbac --- .../Role-Based-Access-Control.md | 134 ++++++++++-------- 1 file changed, 71 insertions(+), 63 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index 5b5d233e69..01b418ecb6 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md @@ -20,9 +20,9 @@ Custom role-based access control consists of the following elements: - When you configure a command path, you allow or deny a specific schema path and its children. For example the command path `/qos/` allows or denies access to QoS commands, whereas the command path `/qos/egress-scheduler` allows or denies access to QoS egress scheduler commands. {{%/notice%}} -The following example describes the permissions for a role (ROLE1) that consists of three classes: Class1, Class2, Class3 +The following example describes the permissions for a role (`role1`) that consists of three classes: `class1`, `class2`, `class3` -**Class1** has the `allow` class action and the following command path permissions: +**class1** has the `allow` class action and the following command path permissions: | Command Path | Permissions | | ------------ | ----------- | 
@@ -30,21 +30,21 @@ The following example describes the permissions for a role (ROLE1) that consists | `/interface/*/acl/` | `ro` | | `/interface/*/ptp/` | `ro` | -**Class2** has the `allow` class action and the following command path permissions: +**class2** has the `allow` class action and the following command path permissions: | Command Path | Permissions | | ------------ | ----------- | | `/system/` | `ro` | | `/vrf/` | `rw` | -**Class3** has the `deny` class action and the following command path permissions: +**class3** has the `deny` class action and the following command path permissions: | Command Path | Permissions | | ------------ | ----------- | | `/interface/*/evpn/`| `rw` | | `/interface/*/qos/` | `rw` | -The following table shows the permissions for a user assigned the role ROLE1. In the table, R is read only (RO), W is write, and X is action (ACT). +The following table shows the permissions for a user assigned the role `role1`. In the table, R is read only (RO), W is write, and X is action (ACT). | Path | Allow | Deny | Permissions | | -------- | --------- | ---------- | ----------- | 
@@ -79,39 +79,44 @@ To assign a custom role to a user account: You assign a custom role to an existing user account. For information about creating user accounts, see {{}} commands. {{%/notice%}} -The following example assigns user1 the role of `switch-admin`. user1 can manage the entire switch except for authentication, authorization, and accounting settings (`system aaa`). +The following example creates the three classes described above for role `role1`. + +`class1` has permissions to manage all interfaces except for ACL and PTP interfaces, which only have `show` permissions: ``` -cumulus@switch:~$ nv set system aaa role switch-admin class RESTRICT -cumulus@switch:~$ nv set system aaa class restrict action deny -cumulus@switch:~$ nv set system aaa class restrict command-path /system/aaa/*/ -cumulus@switch:~$ nv set system aaa user user1 role switch-admin -cumulus@switch:~$ nv config apply +cumulus@leaf01:mgmt:~$ nv set system aaa role ROLE1 class class1 +cumulus@leaf01:mgmt:~$ nv set system aaa class class1 action allow +cumulus@leaf01:mgmt:~$ nv set system aaa class class1 command-path /interface/ permission all +cumulus@leaf01:mgmt:~$ nv set system aaa class class1 command-path /interface/*/acl/ permission ro +cumulus@leaf01:mgmt:~$ nv set system aaa class class1 command-path /interface/*/ptp/ permission ro +cumulus@leaf01:mgmt:~$ nv config apply ``` -The following example assigns user2 the role of `IFMgr`. user2 can manage the loopback, management, eth0, and swp1 through 3 interfaces. 
+`class2` has permissions to only show system commands and to set, unset, and apply VRF commands: ``` -cumulus@switch:~$ nv set system aaa role IFMgr class InterfaceMgmt_1 -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 action allow -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/lo permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/mgmt permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/eth0 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp1 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp2 permission all -cumulus@switch:~$ nv set system aaa class InterfaceMgmt_1 command-path /interface/swp3 permission all -cumulus@switch:~$ nv set system aaa user user2 role IFMgr -cumulus@switch:~$ nv config apply +cumulus@leaf01:mgmt:~$ nv set system aaa role ROLE1 class class2 +cumulus@leaf01:mgmt:~$ nv set system aaa class class2 action allow +cumulus@leaf01:mgmt:~$ nv set system aaa class class2 command-path /system/ permission ro +cumulus@leaf01:mgmt:~$ nv set system aaa class class2 command-path /vrf/ permission rw +cumulus@leaf01:mgmt:~$ nv config apply ``` -The following example assigns user3 the role of `OSPF`. user3 does **not** have permissions to manage OSPF on an interface. 
+`class3` prevents setting, unsetting, and applying interface commands for EVPN and QOS: ``` -cumulus@switch:~$ nv set system aaa role OSPF class OSPF-DENY -cumulus@switch:~$ nv set system aaa class OSPF-DENY action deny -cumulus@switch:~$ nv set system aaa class OSPF-DENY command-path /interface/*/router/ospf/ permission all -cumulus@switch:~$ nv set system aaa user user3 role OSPF -cumulus@switch:~$ nv config apply +cumulus@leaf01:mgmt:~$ nv set system aaa role ROLE1 class class3 +cumulus@leaf01:mgmt:~$ nv set system aaa class class3 action deny +cumulus@leaf01:mgmt:~$ nv set system aaa class class3 command-path /interface/*/evpn/ permission rw +cumulus@leaf01:mgmt:~$ nv set system aaa class class3 command-path /interface/*/qos/ permission rw +cumulus@leaf01:mgmt:~$ nv config apply +``` + +The following command assigns user `admin2` the role `role1`: + +``` +cumulus@leaf01:mgmt:~$ nv set system aaa user admin2 role role1 +cumulus@leaf01:mgmt:~$ nv config apply ``` ## Delete Custom Roles @@ -119,15 +124,15 @@ cumulus@switch:~$ nv config apply To delete a custom role and all its classes, you must first unassign the role from the user, then delete the role: ``` -cumulus@switch:~$ nv unset system aaa user user1 role OSPF -cumulus@switch:~$ nv unset system aaa role OSPF +cumulus@switch:~$ nv unset system aaa user admin2 role role1 +cumulus@switch:~$ nv unset system aaa role role1 cumulus@switch:~$ nv config apply ``` To delete a class from a role, run the `nv unset system aaa role class ` command: ``` -cumulus@switch:~$ nv unset system aaa role OSPF class OSPF-DENY +cumulus@switch:~$ nv unset system aaa role role1 class class2 cumulus@switch:~$ nv config apply ``` 
@@ -169,8 +174,7 @@ systemd-coredump systemd Core Dumper Unknown system systemd-network systemd Network Management,,, Unknown system systemd-resolve systemd Resolver,,, Unknown system systemd-timesync systemd Time Synchronization,,, Unknown system -user1 OSPF on -user2 IFMgr on +admin2 role1 on uucp uucp Unknown system uuidd Unknown system www-data www-data Unknown system @@ -179,10 +183,10 @@ www-data www-data Unknown system To show information about a specific user account including the role assigned to the user, run the NVUE `nv show system aaa user ` command: ``` -cumulus@switch:~$ nv show system aaa user user2 +cumulus@switch:~$ nv show system aaa user admin2 operational applied --------- ----------- ------- -role IFMgr IFMgr +role role1 role1 full-name enable on on ``` 
@@ -191,49 +195,53 @@ To show all the roles configured on the switch, run the NVUE `nv show system aaa ``` cumulus@switch:~$ nv show system aaa role -Role Class ------------- --------------- -IFMgr InterfaceMgmt_1 -OSPF OSPF-DENY -nvue-admin nvapply -nvue-monitor nvshow -system-admin nvapply +Role Class +------------ ------- +nvue-admin nvapply +nvue-monitor nvshow +role1 class1 + class2 + class3 +system-admin nvapply sudo ``` To show the classes applied to specific role, run the `nv show system aaa role ` command: ``` -cumulus@switch:~$ nv show system aaa role IFMgr - applied -------- --------------- -[class] InterfaceMgmt_1 +cumulus@switch:~$ nv show system aaa role role1 + applied +------- ------- +[class] class1 +[class] class2 +[class] class3 ``` To show all the classes configured on the switch, run the `nv show system aaa class` command: ``` cumulus@switch:~$ nv show system aaa class -Class Name Command Path Permission Action ---------------- ------------------------- ---------- ------ -InterfaceMgmt_1 /interface/eth0/ all allow - /interface/lo/ all - /interface/mgmt/ all - /interface/swp1/ all - /interface/swp2/ all - /interface/swp3/ all -OSPF-DENY /interface/*/router/ospf/ all deny -nvapply / all allow -nvshow / ro allow -sudo / all allow +Class Name Command Path Permission Action +---------- ------------------ ---------- ------ +class1 /interface/ all allow + /interface/*/acl/ ro + /interface/*/ptp/ ro +class2 /system/ ro allow + /vrf/ rw +class3 /interface/*/evpn/ rw deny + /interface/*/qos/ rw +nvapply / all allow +nvshow / ro allow +sudo / all allow ``` To show the configuration and state of the command-paths for a class, run the `nv show system aaa class ` command: ``` -cumulus@switch:~$ nv show system aaa class OSPF-DENY - applied --------------- ------------------------- -action deny -[command-path] /interface/*/router/ospf/ +cumulus@switch:~$ nv show system aaa class class3 + applied +-------------- ------------------ +action deny +[command-path] 
/interface/*/evpn/ +[command-path] /interface/*/qos/ ``` From 835cf171833cd8080ce98847b8ad778e515e12a3 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 14:37:51 -0800 Subject: [PATCH 138/204] updates to certificates --- .../NVIDIA-User-Experience-NVUE/NVUE-API.md | 108 +++--------------- 1 file changed, 14 insertions(+), 94 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md index b58b3a5c6e..4889048db4 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-API.md 
@@ -46,18 +46,17 @@ Cumulus Linux lets you manage CA certificates (such as DigiCert or Verisign) and You can import certificates onto the switch (fetch certificates from an external source), set which certificate you want to use for the NVUE REST API, and show information about a certificate, such as the serial number, and the date and time during which the certificate is valid. -To import a certificate, run the following commands. If the certificate is passphrase protected, you need to include the passphrase. +#### Import a Certificate {{%notice note%}} - You can import a maximum of 25 entity certificates and a maximum of 50 CA certificates. - The certificate you import contains sensitive private key information. NVIDIA recommends that you use a secure transport such as SFTP, SCP, or HTTPS. {{%/notice%}} -{{< tabs "TabID53 ">}} -{{< tab "NVUE Commands ">}} +- To import an entity certificate, run an `nv action import system security certificate `command. +- To import a CA certificate, run an `nv action import system security ca-certificate ` command. -- To import an entity certificate, run the `nv action import system security certificate [options]`command. -- To import a CA certificate, run the `nv action import system security ca-certificate [options]` command. +If the certificate is passphrase protected, you need to include the passphrase. You must provide a certificate ID (``) to uniquely identify the certificate being imported. 
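Review bot: In the two new import bullets, the entity certificate bullet is missing a space between the closing backtick and "command", and both bullets now read "run an `nv action import ...`" after `[options]` was dropped. The passphrase sentence that follows tells the reader to include the passphrase without naming the parameter. Since the note above warns that the import carries private key material, name the option here or show it in an example.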
@@ -83,47 +82,18 @@ A CA certificate must be in .pem, .p7a, or .p7c format. cumulus@switch:~$ nv action import system security certificate tls-cert-1 uri-public-key scp://user@pass:1.2.3.4 uri-private-key scp://user@pass:1.2.3.4 ``` -{{< /tab >}} -{{< tab "Curl Commands ">}} - -The following example imports a CA certificate with a public key and calls the certificate `tls-cert-1`. The certificate is passphrase protected with `mypassphrase`. The public key is a Base64 ASCII encoded PEM string. - -``` -cumulus@switch:~$ cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/ca-certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "????": "??????", "passphrase": "mypassphrase"}}}' -``` - -The following example imports an entity certificate bundle and calls the certificate `tls-cert-1`. The certificate bundle is passphrase protected with `mypassphrase`. - -A certificate bundle must be in .PFX or .P12 format. - -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "uri-bundle": "scp://user@pass:1.2.3.4:/opt/certs/cert.p12", "passphrase": "mypassphrase"}}}' -``` - -The following example imports an entity certificate with the public key URI `scp://user@pass:1.2.3.4` and private key URI `scp://user@pass:1.2.3.4`, and calls the certificate `tls-cert-1`. The certificate is not passphrase protected. - -A CA certificate must be in .pem, .p7a, or .p7c format. 
- -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' 127.0.0.1:8765/nvue_v1/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@import": { "state": "start", "parameters": { "uri-public-key": "scp://user@pass:1.2.3.4", "uri-private-key": "scp://user@pass:1.2.3.4"}}}' -``` - -{{< /tab >}} -{{< /tabs >}} - -To set the certificate you want to use with the REST API: +#### Set the Certificate to Use -{{< tabs "TabID92 ">}} -{{< tab "NVUE Commands ">}} +You can configure the NVUE REST API to use a specific certificate. -The following example configures the NVUE REST API to use the certificate `tls-cert-1`: +The following example configures the API to use the certificate `tls-cert-1`: ``` cumulus@switch:~$ nv set system api certificate tls-cert-1 cumulus@switch:~$ nv config apply ``` -Set the certificate to `auto` to let the system determine which certificate to use. For example, you can set the certificate to `auto` if you want to use a previously installed certificate (either the default self-signed or your own installed certificate). +Set the certificate to `auto` to let the system determine which certificate to use; for example, if you want to use a previously installed certificate (either the default self-signed or your own installed certificate). ``` cumulus@switch:~$ nv set system api certificate auto 
@@ -133,31 +103,10 @@ cumulus@switch:~$ nv config apply To unset the certificate to use with the NVUE REST API: ``` -cumulus@switch:~$ nv unset system api certificate -``` - -{{< /tab >}} -{{< tab "Curl Commands ">}} - -The following example configures the NVUE REST API to use the certificate `tls-cert-1`: - -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' -d '{"set": {"system": {"api": {"certificate": "cert1","port": 8888}}}}'-k -X PATCH https://127.0.0.1:8765/nvue_v1/?rev=2 +cumulus@switch:~$ nv unset system api certificate tls-cert-1 ``` -Set the certificate to `auto` to let the system determine which certificate to use. For example, you can set the certificate to `auto` if you want to use a previously installed certificate (either the default self-signed or your own installed certificate). - -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' -d '{"set": {"system": {"api": {"certificate": "auto","port": 8888}}}}' -k -X PATCH https://127.0.0.1:8765/nvue_v1/?rev=2 -``` - -{{< /tab >}} -{{< /tabs >}} - -To delete a certificate and the key data stored on the switch: - -{{< tabs "TabID125 ">}} -{{< tab "NVUE Commands ">}} +#### Delete Certificates - To delete an entity certificate and the key data stored on the switch, run the `nv action delete system security certificate ` command. - To delete a CA certificate and the key data stored on the switch, run the `nv action delete system security ca-certificate ` command. 
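Review bot: The `nv unset system api certificate tls-cert-1` example is not followed by `nv config apply`, unlike the two `nv set system api certificate` examples just above it, so a reader who follows it leaves the change pending. Add the apply line. The new headings also mix forms ("Import a Certificate", "Delete Certificates"); use one.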
@@ -168,20 +117,7 @@ The following command deletes the certificate `tls-cert-1`: cumulus@switch:~$ nv action delete system security certificate tls-cert-1 ``` -{{< /tab >}} -{{< tab "Curl Commands ">}} - -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' https://127.0.0.1:8765/system/security/certificate/tls-cert-1 -X POST -H 'Content-Type:application/json' -d '{"@delete": { "state": "start"}}' -``` - -{{< /tab >}} -{{< /tabs >}} - -To show certificate information: - -{{< tabs "TabID145 ">}} -{{< tab "NVUE Commands ">}} +#### Show Certificate Information - To show all the entity certificates on the switch, run the `nv show system security certificate` command. - To show all the CA certificates on the switch, run the `nv show system security ca-certificate` command. @@ -192,16 +128,10 @@ The following example shows all the entity certificates on the switch: cumulus@switch:~$ nv show system security certificate ``` -- To show information about a specific entity certificate, run the `nv show system security certificate ` command. -- To show information about a specific CA certificate, run the `nv show system security ca-certificate ` command. - -The following example shows information about the CA certificate `tls-cert-1`: +- To show the applications that are using a specific entity certificate, run the `nv show system security certificate installed` command. +- To show the applications that are using a specific CA certificate, run the `nv show system security ca-certificate installed` command. -``` -cumulus@switch:~$ nv show system security certificate ca-certificate tls-cert-1 -``` - -To show the applications that are using a certificate, run the `nv show system security certificate installed` command: +The following example shows the applications that are using a specific entity certificate. ``` cumulus@switch:~$ nv show system security certificate tls-cert-1 installed 
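Review bot: With the bullets for showing a specific entity or CA certificate removed in favour of the `installed` bullets, the section no longer says how to display the details of one entity certificate; only the CA `dump` example remains further down. The removed example (`nv show system security certificate ca-certificate tls-cert-1`) looked malformed, but the fix is to restore the two bullets with a corrected example rather than drop them. The new lead-in "The following example shows the applications that are using a specific entity certificate." should end with a colon and name `tls-cert-1`, matching the other lead-ins.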
@@ -216,16 +146,6 @@ The following example shows detailed information about the CA certificate `tls-c cumulus@switch:~$ nv show system security ca-certificate tls-cert-1 dump ``` -{{< /tab >}} -{{< tab "Curl Commands ">}} - -``` -cumulus@switch:~$ curl -u 'cumulus:cumulus' -X GET https://127.0.0.1:8765/system/security/certificate/tls-cert-1 -``` - -{{< /tab >}} -{{< /tabs >}} - ### API-only User From b507efad0914c1b263a87f389508187806ef8c7a Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 15:30:03 -0800 Subject: [PATCH 139/204] add action commands to CLI section --- .../NVIDIA-User-Experience-NVUE/NVUE-CLI.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md index 4295150546..91b03ffd79 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md @@ -290,11 +290,20 @@ You can use the NVUE configuration management commands to back up and restore co The NVUE action commands clear counters, and provide system reboot and TACACS user disconnect options. -| Command | Description | +|
                                                      Command | Description | | ------- | ----------- | -| `nv action clear` | Provides commands to clear {{}}, {{}}, {{}}, {{}}, {{}}, and remove {{}}. | -| `nv action disconnect system aaa user`| Disconnects a TACACs user. | +| `nv action change `| Sets the software clock date and time. | +| `nv action clear` | Provides commands to clear ACL statistics, {{}}, {{}}, {{}}, {{}}, {{}}, {{}}, {{}}, {{}}, and remove {{}}. | +| `nv action delete` | Provides commands to delete system configuration files, and CA and entity certificates. | +| `nv action disable system maintenance mode`
                                                      `nv action disable system maintenance ports`| Disables system maintenance mode
                                                      Brings up the ports.| +| `nv action disconnect system aaa user`| Provides commands to disconnect users logged into the switch. | +| `nv action enable system maintenance mode`
                                                      `nv action enable system maintenance ports`| Enables system maintenance mode.
                                                      Brings all the ports down for maintenance. | +| `nv action export system config` | Exports a configuration file. | +| `nv action fetch system config` | Fetches a configuration file.| +| `nv action import system security` | Provides commands to import CA and entity certificates. | | `nv action reboot system` | Reboots the switch in the configured restart mode ({{}}). You must specify the `no-confirm` option with this command. | +| `nv action rename system config files`| Renames system configuration files. | +| `nv action upload system config files`| Uploads system configuration files. | ### List All NVUE Commands From 9dfb57433eec7698a8aa6d172ae219de1a33d169 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 15:46:20 -0800 Subject: [PATCH 140/204] updates to action commands --- .../NVIDIA-User-Experience-NVUE/NVUE-CLI.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md index 91b03ffd79..65cbb092ac 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md +++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md @@ -290,7 +290,7 @@ You can use the NVUE configuration management commands to back up and restore co The NVUE action commands clear counters, and provide system reboot and TACACS user disconnect options. -|
                                                      Command | Description | +|
                                                      Command | Description | | ------- | ----------- | | `nv action change `| Sets the software clock date and time. | | `nv action clear` | Provides commands to clear ACL statistics, {{}}, {{}}, {{}}, {{}}, {{}}, {{}}, {{}}, {{}}, and remove {{}}. | From e2f4e69e46c14a2e4b4ec894c9cc44484dd497c8 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Wed, 6 Dec 2023 16:14:07 -0800 Subject: [PATCH 141/204] add stp force version --- .../Spanning-Tree-and-Rapid-Spanning-Tree.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/content/cumulus-linux-57/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md b/content/cumulus-linux-57/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md index b8599308f8..a53fbcd3e9 100644 --- a/content/cumulus-linux-57/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md +++ b/content/cumulus-linux-57/Layer-2/Spanning-Tree-and-Rapid-Spanning-Tree.md 
@@ -897,6 +897,50 @@ cumulus@switch:~$ sudo ifreload -a {{< /tab >}} {{< /tabs >}} +### Force Version Setting + +By default, the switch sends RSTP type 2 BPDUs. You can configure the switch to send BPDU type 0 STP configuration BPDUs when you need to interoperate with other systems. + +{{< tabs "TabID904 ">}} +{{< tab "NVUE Commands ">}} + +``` +cumulus@switch:~$ nv set bridge domain br_default stp force-protocol-version stp +cumulus@switch:~$ nv config apply +``` + +To change the setting back to the default, run the `nv set bridge domain stp force-protocol-version rstp` command. + +{{< /tab >}} +{{< tab "Linux Commands ">}} + +Edit the bridge stanza in the `/etc/network/interfaces` file to add the `mstpctl-forcevers stp` line, then run the `ifreload -a` command. + +``` +cumulus@switch:~$ sudo nano /etc/network/interfaces +... +auto br_default +iface br_default + hwaddress 08:00:27:60:36:0b + bridge-vlan-aware yes + bridge-vids 10 + bridge-pvid 1 + bridge-stp yes + bridge-mcsnoop no + mstpctl-forcevers stp + mstpctl-pvrst-mode yes +... +``` + +``` +cumulus@switch:~$ sudo ifreload -a +``` + +To change the setting back to the default, change the line in the bridge stanza to `mstpctl-forcevers rstp`, then run the `ifreload -a` command. + +{{< /tab >}} +{{< /tabs >}} + ### Additional STP Settings The table below describes additional STP configuration parameters available in Cumulus Linux. You can set these optional parameters manually by editing the `/etc/network/interfaces` file. Cumulus Linux does not provide NVUE commands for these parameters. From 000c3c889c149b8a2ffa981c37d78f6a91c04255 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 7 Dec 2023 07:38:12 -0800 Subject: [PATCH 142/204] add ibgp nput queue --- .../Optional-BGP-Configuration.md | 7 +++++-- content/cumulus-linux-57/Whats-New/_index.md | 1 + 2 files changed, 6 insertions(+), 2 deletions(-) 
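Review bot: In the Force Version Setting hunk of Spanning-Tree-and-Rapid-Spanning-Tree.md, the Linux example stanza carries `mstpctl-pvrst-mode yes` next to the new `mstpctl-forcevers stp` line, and the text never says whether forcing the STP version is supported or meaningful when PVRST mode is on. Either drop the unrelated line from the stanza or state the interaction. The intro also mixes "RSTP type 2 BPDUs" with "BPDU type 0 STP configuration BPDUs"; use one pattern, and say what the reader gives up by forcing STP (rapid convergence), since "when you need to interoperate with other systems" does not tell them when the setting is appropriate.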
diff --git a/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md b/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md index 22f6ee30c8..41ca76223f 100644 --- a/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md +++ b/content/cumulus-linux-57/Layer-3/Border-Gateway-Protocol-BGP/Optional-BGP-Configuration.md @@ -1470,11 +1470,15 @@ router bgp 65101 {{< /tab >}} {{< /tabs >}} - ## Route Reflectors diff --git a/content/cumulus-linux-57/Whats-New/_index.md b/content/cumulus-linux-57/Whats-New/_index.md index 4bacd73e11..e7b300cd21 100644 --- a/content/cumulus-linux-57/Whats-New/_index.md +++ b/content/cumulus-linux-57/Whats-New/_index.md @@ -32,6 +32,7 @@ Cumulus Linux 5.7.0 supports new platforms, contains several new features and im - {{}} - {{}} - {{}} for the NVUE REST API + - {{}} commands - Enhanced {{}} command output to show the certificate used for the API and additional {{}} commands to show information about the certificates installed on the switch. - Commands to show {{}} and {{}} - Commands to show the {{}} and {{}} and to add static entries to the {{}} and {{}} From e4bfd900b8470207784c8979d40f498c752ccf89 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 7 Dec 2023 15:39:49 +0000 Subject: [PATCH 143/204] Automated release note commit --- content/cumulus-linux-55/Whats-New/rn.md | 4 ++ content/cumulus-linux-55/rn.xml | 26 ++++++++++ content/cumulus-linux-56/Whats-New/rn.md | 8 ++++ content/cumulus-linux-56/rn.xml | 61 ++++++++++++++++++++++++ 4 files changed, 99 insertions(+) diff --git a/content/cumulus-linux-55/Whats-New/rn.md b/content/cumulus-linux-55/Whats-New/rn.md index 6f92421762..d35f313c61 100644 --- a/content/cumulus-linux-55/Whats-New/rn.md +++ b/content/cumulus-linux-55/Whats-New/rn.md @@ -14,6 +14,8 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | +| [3695541](#3695541)
                                                      | When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run nv config apply. BGP routes might also be missing. This issue only happens during the initial nv config apply of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. | 5.5.1 | 5.6.0| +| [3668939](#3668939)
                                                      | When you enable MIB 1.3.6.1.4.1.40310.1 in the snmpd.conf file, you might see high CPU usage by the snmpd service. | 5.5.1-5.6.0 | | | [3663182](#3663182)
                                                      | Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | | [3647426](#3647426)
                                                      None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
                                                      % AS specified for local as is the same as the remote as and this is not allowed
                                                      This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0| | [3630492](#3630492)
                                                      | On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.6.0 | | @@ -42,6 +44,7 @@ pdfhidden: True | [3534718](#3534718)
                                                      | The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
                                                      summary-only or vtysh router bgp aggregate-address
                                                      summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | | | [3528359](#3528359)
                                                      | A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. | 5.5.0-5.5.1 | 5.6.0| | [3526004](#3526004)
                                                      | For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. | 5.5.0-5.5.1 | 5.6.0| +| [3522524](#3522524)
                                                      | FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | | | [3520511](#3520511)
                                                      | If you apply EVPN multihoming configuration such as es-df-pref, es-id and es-sys-mac with vtysh after you remove a bond interface that is part of a bridge and run ifreload -a, FRR crashes. To work around this issue, do not remove a bond from a bridge before you configure EVPN multihoming with vtysh. | 5.5.1 | 5.6.0| | [3517376](#3517376)
                                                      | When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or --cable --ddm flags. | 5.5.0-5.5.1 | 5.6.0| | [3509445](#3509445)
                                                      | If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | 5.6.0| @@ -163,6 +166,7 @@ pdfhidden: True | [3534718](#3534718)
                                                      | The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
                                                      summary-only or vtysh router bgp aggregate-address
                                                      summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | | | [3528359](#3528359)
                                                      | A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. | 5.5.0-5.5.1 | 5.6.0| | [3526004](#3526004)
                                                      | For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. | 5.5.0-5.5.1 | 5.6.0| +| [3522524](#3522524)
                                                      | FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | | | [3517376](#3517376)
                                                      | When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or --cable --ddm flags. | 5.5.0-5.5.1 | 5.6.0| | [3509445](#3509445)
                                                      | If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | 5.6.0| | [3498939](#3498939)
                                                      | In an EVPN environment, VM migration (IP and MAC address migration) might not work because the new local VTEP to which the VM migrates does not install the entry in the kenel. To work around this issue, restart the switchd service. | 5.4.0-5.5.1 | 5.6.0| diff --git a/content/cumulus-linux-55/rn.xml b/content/cumulus-linux-55/rn.xml index 774b1645fb..9d76eaffcd 100644 --- a/content/cumulus-linux-55/rn.xml +++ b/content/cumulus-linux-55/rn.xml @@ -7,6 +7,18 @@ Fixed +3695541 +When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run {{nv config apply}}. BGP routes might also be missing. This issue only happens during the initial {{nv config apply}} of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. +5.5.1 +5.6.0 + + +3668939 +When you enable MIB 1.3.6.1.4.1.40310.1 in the {{snmpd.conf}} file, you might see high CPU usage by the {{snmpd}} service. +5.5.1-5.6.0 + + + 3663182 Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the {{sudo systemctl restart frr.service}} command. 5.3.1-5.6.0 @@ -187,6 +199,13 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 5.6.0 +3522524 +FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. + +5.5.0-5.6.0 + + + 3520511 If you apply EVPN multihoming configuration such as {{es-df-pref}}, {{es-id}} and {{es-sys-mac}} with vtysh after you remove a bond interface that is part of a bridge and run {{ifreload -a}}, FRR crashes. To work around this issue, do not remove a bond from a bridge before you configure EVPN multihoming with vtysh. 5.5.1 
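Review bot: In the rn.xml hunks, the new 3668939 entry identifies the MIB only by OID (`1.3.6.1.4.1.40310.1`) and, like the 3522524 entry, gives no workaround, while the neighbouring 3695541 and 3663182 entries do. Add the MIB name and either a workaround or a statement that none exists. In 3695541, "not during a normal initialization during a reboot or FRR restart" repeats "during"; "not during initialization after a reboot or FRR restart" reads better.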
@@ -955,6 +974,13 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn 5.6.0 +3522524 +FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. + +5.5.0-5.6.0 + + + 3517376 When you use CMIS specification based optics, the {{l1-show}} command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the {{mlxlink}} command with either the {{-m}} or {{--cable --ddm}} flags. 5.5.0-5.5.1 diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index a0735d6b9f..1c67f6d39f 100644 --- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -14,16 +14,22 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | +| [3686260](#3686260)
                                                      | In an EVPN configuration when you reuse IPv6 addresses on SVIs in different sites and ND suppression is disabled, IPv6 duplicate address detection fails with an error similar to the following:
                                                      inet6 2001:0DB8::2/64 scope global dadfailed tentative
                                                      To work around this issue, reenable IPv6 ND suppression or disable IPv6 duplicate address detection on the interfaces that reuse IPv6 addresses in different sites. For example, to disable IPv6 duplicate address detection on vlan100, add the following values to the /etc/sysctl.conf file:
                                                       sysctl net.ipv6.conf.vlan100.accept_dad=0sysctl net.ipv6.conf.vlan100.dad_transmits=0
                                                      | 5.6.0 | | +| [3684268](#3684268)
                                                      | When multiple interfaces have addresses in the same network, deleting one of them might cause the wrong connected route from being deleted. | 5.6.0 | | +| [3683166](#3683166)
                                                      | A statistics issue in the I2C interface to modules is locked and might cause the switch to hang. | 5.6.0 | | | [3669935](#3669935)
                                                      | When you add or delete VXLAN VNI and VLAN interfaces, a memory leak might occur in switchd. | 5.6.0 | | +| [3668939](#3668939)
                                                      | When you enable MIB 1.3.6.1.4.1.40310.1 in the snmpd.conf file, you might see high CPU usage by the snmpd service. | 5.5.1-5.6.0 | | | [3668809](#3668809)
                                                      | SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log:/usr/sbin/smond : : Path /run/hw-management/thermal/fan1_dir does not exist/usr/sbin/smond : : Path /run/hw-management/thermal/fan2_dir does not existsmond has been modified to determine dynamically (at run-time) if the fan has the capability or not
                                                      To drop the messages before they get to the log, create a file, such as /etc/rsyslog.d/18-drop_fan_dir_msgs.conf with the following contents, then restart rsyslogd with the systemctl restart rsyslog command
                                                      # The lines below cause the offending message to be dropped from all logs:msg, ereregex, ".*Path /run/hw-management/thermal/fan[1-8]_dir does not exist" stop | 5.6.0 | | | [3664986](#3664986)
                                                      | If a core file is generated with a space in the name, Cumulus Linux generates cl-support files until the file is removed. To work around this issue, rename the core file without the space character. The next cl-support file generated will be moved into the cl-support archive and removed from the filesystem. | 5.6.0 | | | [3663182](#3663182)
                                                      | Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | | [3662354](#3662354)
                                                      | When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.6.0 | | +| [3655043](#3655043)
                                                      | After you upgrade to Cumulus Linux 5.6.0 with package upgrade, configuration changes you make with NVUE commands do not apply and you see the following error message:
                                                      SW01@cumulus:~$ nv config applyInvalid config [rev_id: 4]
                                                      Default profile parameters can not be modified. Modification allowed on user created profiles
                                                      | 5.6.0 | | | [3646119](#3646119)
                                                      | If you have VRFs configured and you change the global ASN in FRR, BGP crashes. To work around this issue, don't unset more than one BGP instance at a time if one of the router bgp instances has VRF leaking configured. | 5.6.0 | | | [3643624](#3643624)
                                                      | The help text for the NVUE policer command nv set acl rule action police mode incorrectly indicates that the policer mode units are in bits per second. NVUE configures policers using bytes per second. | 5.6.0 | | | [3639058](#3639058)
                                                      | When you run the nv show service ntp command, you see an error message instead of the expected output. | 5.6.0 | | | [3630492](#3630492)
                                                      | On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.6.0 | | | [3627913](#3627913)
                                                      | The switch drops untagged VLAN traffic on single VXLAN bridge ports. | 5.6.0 | | +| [3616643](#3616643)
                                                      | NVUE commands to set a route map exit policy match produce incorrect configuration in the /etc/frr/frr.conf file. | 5.6.0 | | | [3616338](#3616338)
                                                      | When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. | 5.5.1-5.6.0 | | | [3612959](#3612959)
                                                      | The interface name for a VLAN subinterface does not show correctly; the VLAN is appended to the interface again. | 5.6.0 | | | [3611215](#3611215)
                                                      | In an EVPN multihoming configuration, the switchd service produces error messages similar to the following:
                                                      2023-09-07T15:45:56.055477+02:00 switch1 switchd7903: hal_mlx_flx_acl.c:2388 hal_mlx_flx_region_pull_bulk_counters failed
                                                      These error messages do not affect how the switch functions; however the messages fill up the switchd logs, which is not desirable. | 5.6.0 | | @@ -47,6 +53,7 @@ pdfhidden: True | [3538321](#3538321)
                                                      | In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the Slave state and one of the ports might remain in an Uncalibrated state. To work around this issue, toggle the port that is in the Uncalibrated state up and down to recover the PTP state so that one of the ports is selected as the Slave. | 5.6.0 | | | [3534718](#3534718)
                                                      | The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
                                                      summary-only or vtysh router bgp aggregate-address
                                                      summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | | | [3533272](#3533272)
                                                      | If you set an OSPF network and define the subnet using a host address (such as 10.1.1.2/24) instead of the (starting) subnet network address (such as 10.1.1.0/24), you can't unset the prefix with the nv unset vrf default router ospf area network command. Avoid defining the subnet using a host address when setting an OSPF network. | 5.6.0 | | +| [3522524](#3522524)
                                                      | FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | | | [3517739](#3517739)
                                                      | When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | | | [3484058](#3484058)
                                                      | When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.6.0 | | | [3463827](#3463827)
                                                      | Rarely, SPT switchover may not happen cleanly in PIM, resulting in some dropped packets. In the scenario where PIM-SM is used to replicate EVPN BUM traffic, there could be brief drop of multicast traffic before it recovers due to normal PIM-SM traffic timeout. | 5.6.0 | | @@ -108,6 +115,7 @@ pdfhidden: True ### Fixed Issues in 5.6.0 | Issue ID | Description | Affects | |--- |--- |--- | +| [3695541](#3695541)
                                                      | When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run nv config apply. BGP routes might also be missing. This issue only happens during the initial nv config apply of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. | 5.5.1 | | | [3647426](#3647426)
                                                      None | If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
                                                      % AS specified for local as is the same as the remote as and this is not allowed
                                                      This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 5.0.0-5.5.1 | | | [3572580](#3572580)
                                                      | You cannot set a VLAN match and a MAC protocol IPv4 match in a MAC type ACL rule. To apply ACLs with a VLAN match and layer 3 header matches ( IPV4/IPV6), you need to use type ipv4 or ipv6 ACLs with the VLAN match specified. | 5.5.1 | | | [3572566](#3572566)
                                                      | The NVUE nv action commands are missing from nv list-commands output. | 5.5.1 | | diff --git a/content/cumulus-linux-56/rn.xml b/content/cumulus-linux-56/rn.xml index 561b31aa15..f17c317338 100644 --- a/content/cumulus-linux-56/rn.xml +++ b/content/cumulus-linux-56/rn.xml @@ -7,12 +7,44 @@ Fixed +3686260 +In an EVPN configuration when you reuse IPv6 addresses on SVIs in different sites and ND suppression is disabled, IPv6 duplicate address detection fails with an error similar to the following: + +inet6 2001:0DB8::2/64 scope global dadfailed tentative + +To work around this issue, reenable IPv6 ND suppression or disable IPv6 duplicate address detection on the interfaces that reuse IPv6 addresses in different sites. For example, to disable IPv6 duplicate address detection on vlan100, add the following values to the {{/etc/sysctl.conf}} file: + +sysctl net.ipv6.conf.vlan100.accept_dad=0 +sysctl net.ipv6.conf.vlan100.dad_transmits=0 + +5.6.0 + + + +3684268 +When multiple interfaces have addresses in the same network, deleting one of them might cause the wrong connected route from being deleted. +5.6.0 + + + +3683166 +A statistics issue in the I2C interface to modules is locked and might cause the switch to hang. +5.6.0 + + + 3669935 When you add or delete VXLAN VNI and VLAN interfaces, a memory leak might occur in {{switchd}}. 5.6.0 +3668939 +When you enable MIB 1.3.6.1.4.1.40310.1 in the {{snmpd.conf}} file, you might see high CPU usage by the {{snmpd}} service. +5.5.1-5.6.0 + + + 3668809 SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log: <noformat> 
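Review bot: In the 3686260 entry added to rn.xml, the values to add to the {{/etc/sysctl.conf}} file are written as `sysctl net.ipv6.conf.vlan100.accept_dad=0` and `sysctl net.ipv6.conf.vlan100.dad_transmits=0`, which is command syntax rather than file syntax. Entries in that file are plain `key=value` lines, so drop the leading `sysctl`, or reword the sentence to say the values are set with the `sysctl` command. In the same hunk, 3684268 reads "might cause the wrong connected route from being deleted" (should be "to be deleted"), and the 3683166 description ("A statistics issue in the I2C interface to modules is locked") does not parse and needs rewording.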
@@ -48,6 +80,17 @@ To drop the messages before they get to the log, create a file, such as {{/etc/r +3655043 +After you upgrade to Cumulus Linux 5.6.0 with package upgrade, configuration changes you make with NVUE commands do not apply and you see the following error message: + +SW01@cumulus:~$ nv config apply +Invalid config [rev_id: 4] + Default profile parameters can not be modified. Modification allowed on user created profiles. + +5.6.0 + + + 3646119 If you have VRFs configured and you change the global ASN in FRR, BGP crashes. To work around this issue, don't unset more than one BGP instance at a time if one of the {{router bgp}} instances has VRF leaking configured. 5.6.0 @@ -78,6 +121,12 @@ To drop the messages before they get to the log, create a file, such as {{/etc/r +3616643 +NVUE commands to set a route map exit policy match produce incorrect configuration in the {{/etc/frr/frr.conf}} file. +5.6.0 + + + 3616338 When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the {{clagd}} service {{initDelay}} to 300 seconds with the {{nv set mlag init-delay 300}} command. 5.5.1-5.6.0 @@ -228,6 +277,13 @@ For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turn +3522524 +FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. + +5.5.0-5.6.0 + + + 3517739 When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. 5.6.0 
@@ -628,6 +684,11 @@ You can safely ignore this warning. Affects +3695541 +When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run {{nv config apply}}. BGP routes might also be missing. This issue only happens during the initial {{nv config apply}} of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. +5.5.1 + + 3647426 If BGP {{remote-as}} is set to an integer and you try to configure the {{local-as}} for a BGP instance, you see the following error: From 176e019633669a735b839da09b146600d36c4ee1 Mon Sep 17 00:00:00 2001 From: Stu Clark Date: Thu, 7 Dec 2023 12:26:37 -0500 Subject: [PATCH 144/204] cl57 ASIC monitoring example, counter restriction updates --- .../ASIC-Monitoring.md | 60 ++++++++++--------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md index c7ddc124bc..08b543bc33 100644 --- a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md +++ b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md @@ -62,7 +62,7 @@ To enable ASIC monitoring: {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set service telemetry enable +cumulus@switch:~$ nv set service telemetry enable on cumulus@switch:~$ nv config apply ``` 
@@ -83,7 +83,15 @@ Restarting the `asic-monitor` service does not disrupt traffic or require you to Histogram settings include the type of data you want to collect, the ports you want the histogram to monitor, the sampling time of the histogram, the histogram size, and the minimum boundary size for the histogram. - The ingress queue length histogram can monitor a specific priority group for a port or range of ports. - The egress queue length histogram can monitor a specific traffic class for a port or range of ports. -- The counter histogram can monitor transmitted packets or bytes, or received packets or bytes for a port or range of ports. +- The counter histogram can monitor the following counter types: + - Received packet counters (`rx-packet`) + - Transmitted packet counters (`tx-packet`) + - Received byte counters (`rx-byte`) + - Transmitted byte counters (`tx-byte`) + - CRC counters (`crc`) + - L1 received byte counters (`l1-rx-byte`) + - L1 transmitted byte counters (`l1-tx-byte`) +- You can enable up to two counter histogram counter types per physical interface. The counter histogram is not supported on bonds or virtual interfaces. - The value for the minimum boundary size must be a multiple of 96. Adding this number to the size of the histogram produces the maximum boundary size. These values represent the range of queue lengths per bin. The default minimum boundary size is 960 bytes. - The default value for the sampling time is 1024 nanoseconds. {{< tabs "TabID81 ">}} 
@@ -91,12 +99,12 @@ Histogram settings include the type of data you want to collect, the ports you w The histogram type can be `egress-buffer`, `ingress-buffer`, or `counter`. -To monitor all ports, run the nv `set service telemetry histogram ` command. To specify a port or range of ports, run the `nv set interface telemetry histogram ` command. +To change global histogram settings, run the `nv set service telemetry histogram ` command. To enable histograms on interfaces or to change interface level settings, run the `nv set interface telemetry histogram ` command. {{< tabs "TabID93 ">}} {{< tab "Egress Queue Length Examples ">}} -The following example configures the egress queue length histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram collects data every second for all traffic classes on all ports: +The following example configures the egress queue length histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. These settings will apply to interfaces that have the egress-buffer histogram enabled and do not have different values configured for these settings at the interface level: ``` cumulus@switch:~$ nv set service telemetry histogram egress-buffer bin-min-boundary 960 
@@ -105,62 +113,56 @@ cumulus@switch:~$ nv set service telemetry histogram egress-buffer sample-interv cumulus@switch:~$ nv config apply ``` -The following example configures the egress queue length histogram and sets the minimum boundary to 960 bytes, the histogram size to 12288 bytes, and the sampling interval to 1024 nanoseconds. The histogram collects data every second for traffic class 0 on swp1 through swp8, and for traffic class 1 on swp9 through swp16. +The following example enables the egress queue length histogram for traffic class 0 on swp1 through swp8 with the globally applied minimum boundary, histogram size, and sample interval. It also enables the egress queue length histogram for traffic class 1 on swp9 through swp16 and sets the minimum boundary to 768 bytes, the histogram size to 9600 bytes, and the sampling interval to 2048 nanoseconds. ``` -cumulus@switch:~$ nv set service telemetry enable -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram egress-buffer traffic-class 0 bin-min-boundary 960 -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram egress-buffer traffic-class 0 histogram-size 12288 -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram egress-buffer traffic-class 0 sample-interval 1024 -cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram egress-buffer traffic-class 1 bin-min-boundary 960 -cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram egress-buffer traffic-class 1 histogram-size 12288 -cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram egress-buffer traffic-class 1 sample-interval 1024 +cumulus@switch:~$ nv set service telemetry enable on +cumulus@switch:~$ nv set interface swp1-8 telemetry histogram egress-buffer traffic-class 0 +cumulus@switch:~$ nv set interface swp9-16 telemetry histogram egress-buffer traffic-class 1 bin-min-boundary 768 +cumulus@switch:~$ nv set interface swp9-16 telemetry histogram egress-buffer traffic-class 1 histogram-size 
9600 +cumulus@switch:~$ nv set interface swp9-16 telemetry histogram egress-buffer traffic-class 1 sample-interval 2048 cumulus@switch:~$ nv config apply ``` {{< /tab >}} {{< tab "Ingress Queue Length Examples ">}} -The following example configures the ingress queue length histogram and sets the minimum boundary size to 960 bytes, the histogram size to 12288 bytes, and the sampling interval to 1024 nanoseconds. The histogram collects data every second for all priority groups on all ports. +The following example configures the ingress queue length histogram and sets the minimum boundary size to 960 bytes, the histogram size to 12288 bytes, and the sampling interval to 1024 nanoseconds. These settings will apply to interfaces that have the ingress-buffer histogram enabled and do not have different values configured for these settings at the interface level: ``` -cumulus@switch:~$ nv set service telemetry enable +cumulus@switch:~$ nv set service telemetry enable on cumulus@switch:~$ nv set service telemetry histogram ingress-buffer bin-min-boundary 960 cumulus@switch:~$ nv set service telemetry histogram ingress-buffer histogram-size 12288 cumulus@switch:~$ nv set service telemetry histogram ingress-buffer sample-interval 1024 cumulus@switch:~$ nv config apply ``` -The following example configures the ingress queue length histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram monitors priority group 0 on ports 1 through 8 and priority group 1 on ports 9 through 16: +The following example enables the ingress queue length histogram for priority group 0 on swp1 through swp8 with the globally applied minimum boundary, histogram size, and sample interval. It also enables the ingress queue length histogram for priority group 1 on swp9 through swp16 and sets the minimum boundary to 768 bytes, the histogram size to 9600 bytes, and the sampling interval to 2048 nanoseconds. 
``` -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram ingress-buffer priority-group 0 bin-min-boundary 960 -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram ingress-buffer priority-group 0 histogram-size 12288 -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram ingress-buffer priority-group 0 sample-interval 1024 -cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram ingress-buffer priority-group 1 bin-min-boundary 960 -cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram ingress-buffer priority-group 1 histogram-size 12288 -cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram ingress-buffer priority-group 1 sample-interval 1024 +cumulus@switch:~$ nv set interface swp1-8 telemetry histogram ingress-buffer priority-group 0 +cumulus@switch:~$ nv set interface swp9-16 telemetry histogram ingress-buffer priority-group 1 bin-min-boundary 768 +cumulus@switch:~$ nv set interface swp9-16 telemetry histogram ingress-buffer priority-group 1 histogram-size 9600 +cumulus@switch:~$ nv set interface swp9-16 telemetry histogram ingress-buffer priority-group 1 sample-interval 2048 cumulus@switch:~$ nv config apply ``` {{< /tab >}} {{< tab "Counter Histogram Examples ">}} -The following example configures the counter histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram monitors all counter types: +The following example configures the counter histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram monitors all counter types. 
These settings will apply to interfaces that have the counter histogram enabled and do not have different values configured for these settings at the interface level: ``` -cumulus@switch:~$ nv set service telemetry histogram counter bin-min-boundary 1000 -cumulus@switch:~$ nv set service telemetry histogram counter histogram-size 1000 -cumulus@switch:~$ nv set service telemetry histogram countersample-interval 1024 +cumulus@switch:~$ nv set service telemetry histogram counter bin-min-boundary 960 +cumulus@switch:~$ nv set service telemetry histogram counter histogram-size 12288 +cumulus@switch:~$ nv set service telemetry histogram counter sample-interval 1024 cumulus@switch:~$ nv config apply ``` -The following example configures the counter histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram monitors all received packets on ports 1 through 8: +The following example enables the counter histogram on swp1 through swp8 and uses the global settings for the minimum boundary size, histogram size, and the sampling interval. The histogram monitors all received packet counters on ports 1 through 8: ``` -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram counter counter-type rx-packet bin-min-boundary 1000 -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram counter counter-type rx-packet histogram-size 1000 -cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram counter counter-type rx-packet sample-interval 1024 +cumulus@switch:~$ nv set interface swp1-swp8 telemetry histogram counter counter-type rx-packet cumulus@switch:~$ nv config apply ``` From fe3b8ba593085e568215fe86697f1b995800e59e Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 7 Dec 2023 11:53:17 -0800 Subject: [PATCH 145/204] updates --- .../Role-Based-Access-Control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
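Review bot: In the Counter Histogram Examples tab of ASIC-Monitoring.md (PATCH 144/204), the description of the first example still says "The histogram monitors all counter types." although the same patch limits a physical interface to two counter types and the commands shown only set global defaults; remove that sentence. The second counter example keeps `swp1-swp8` while the egress and ingress examples in this hunk were changed to `swp1-8` and `swp9-16`; use one range notation throughout. The interface-level egress example begins with `nv set service telemetry enable on` but the interface-level ingress and counter examples do not, so either add it to each or state once that telemetry must be enabled first.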
diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md index 01b418ecb6..b3e423da9c 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/Role-Based-Access-Control.md @@ -16,7 +16,7 @@ Custom role-based access control consists of the following elements: {{%notice note%}} - You can assign a maximum of 64 classes to a role. -- You can configure a maximum of 128 command paths. +- You can configure a maximum of 128 command paths for a class. - When you configure a command path, you allow or deny a specific schema path and its children. For example the command path `/qos/` allows or denies access to QoS commands, whereas the command path `/qos/egress-scheduler` allows or denies access to QoS egress scheduler commands. {{%/notice%}} From 723c48454c09c4f0781171b66a00cf5af844bed1 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 7 Dec 2023 12:08:33 -0800 Subject: [PATCH 146/204] updates to arp and nd --- .../Layer-3/Address-Resolution-Protocol-ARP.md | 14 ++++++++++++-- .../Layer-3/Neighbor-Discovery-ND.md | 12 +++++++++++- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md b/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md index a7234cd48e..669cf1adcd 100644 --- a/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md +++ b/content/cumulus-linux-57/Layer-3/Address-Resolution-Protocol-ARP.md 
@@ -373,7 +373,7 @@ cumulus@leaf01:mgmt:~$ ip -4 neighbor ... ``` -To show table entries for a specific interface, run the `nv show interface neighbor` command: +To show all table entries for a specific interface, run the `nv show interface neighbor` command: ``` cumulus@leaf01:mgmt:~$ nv show interface swp51 neighbor @@ -390,7 +390,17 @@ ipv6 fe80::4ab0:2dff:fea2:4c79 48:b0:2d:a2:4c:79 reachable is-router ``` -To show table entries for an interface with a specific IPv4 address, run the `nv show interface neighbor ipv4 ` command: +To show all IPv4 table entries for an interface, run the `nv sh interface neighbor ipv4` command: + +``` +cumulus@leaf01:mgmt:~$ nv sh interface swp1 neighbor ipv4 +IPV4 LLADR(MAC) State Flag +----------- ----------------- --------- ---- +10.188.52.1 00:00:5e:00:01:22 reachable +10.188.52.2 1c:34:da:e8:1d:c8 stale +``` + +To show table entries for an interface with a specific IPv4 address, run the `nv show interface neighbor ipv4 ` command. ``` cumulus@leaf01:mgmt:~$ nv show interface swp51 neighbor ipv4 169.254.0.1 diff --git a/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md b/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md index b64cc418d5..dcb448be11 100644 --- a/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md +++ b/content/cumulus-linux-57/Layer-3/Neighbor-Discovery-ND.md @@ -557,7 +557,7 @@ fe80::4ab0:2dff:fe3f:69d6 dev peerlink.4094 lladdr 48:b0:2d:3f:69:d6 router REAC ... ``` -To show table entries for a specific interface, run the `nv show interface neighbor` command: +To all show table entries for a specific interface, run the `nv show interface neighbor` command: ``` cumulus@leaf01:mgmt:~$ nv show interface swp51 neighbor 
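Review bot: In the Address-Resolution-Protocol-ARP.md hunk at -390,7 +390,17, the new sentence and sample prompt use the abbreviated `nv sh interface ... neighbor ipv4`, while the other commands in this patch, including the parallel IPv6 addition in Neighbor-Discovery-ND.md, are spelled `nv show`; use the full command in both places. The last changed line of the hunk also now ends in a period before its code block, where the neighbouring lead-in sentences end in a colon.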
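Review bot: The changed sentence in the Neighbor-Discovery-ND.md hunk at -557,7 +557,7 reads "To all show table entries for a specific interface"; the words are transposed. It should read "To show all table entries for a specific interface", matching the equivalent line changed in Address-Resolution-Protocol-ARP.md.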
@@ -574,6 +574,16 @@ ipv6 fe80::4ab0:2dff:fea2:4c79 48:b0:2d:a2:4c:79 reachable is-router ``` +To show all IPv6 table entries for an interface, run the `nv show interface neighbor ipv6` command: + +``` +cumulus@leaf01:mgmt:~$ nv show interface swp1 neighbor ipv6 +IPV6 LLADR(MAC) State Flag +------------------------- ----------------- --------- --------- +fe80::1e34:daff:fe6c:dd8 1c:34:da:6c:0d:d8 stale +fe80::3e2c:30ff:fe4b:800 3c:2c:30:4b:08:00 reachable +``` + To show table entries for an interface with a specific IPv6 address, run the `nv show interface neighbor ipv6 ` command: ``` From bafa9273b5b514ec408890daace64c1897df1866 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 7 Dec 2023 12:21:07 -0800 Subject: [PATCH 147/204] updates to RADIUS --- .../RADIUS-AAA.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md index 41312fe392..301a96af66 100644 --- a/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md +++ b/content/cumulus-linux-57/System-Configuration/Authentication-Authorization-and-Accounting/RADIUS-AAA.md 
@@ -8,7 +8,11 @@ Various add-on packages enable [RADIUS](## "Remote Authentication Dial-In User S ## Install the RADIUS Packages -The RADIUS packages are in the `cumulus-local-apt-archive` repository, which is {{}} in the Cumulus Linux image. You can install the packages even when the switch is not connected to the internet. +{{%notice note%}} +NVUE automatically installs the RADIUS AAA packages; you do **not** have to install the packages if you use NVUE commands to configure RADIUS AAA. +{{%/notice%}} + +If you use Linux commands to configure RADIUS AAA, you must install the RADIUS packages `libnss-mapuser` and `libpam-radius-auth` before you start configuration. The packages are in the `cumulus-local-apt-archive` repository, which is {{}} in the Cumulus Linux image. You can install the packages even when the switch is not connected to the internet. To install the RADIUS packages: From 659dfd54c00dc60959ff831a6cb3b1b3ce0c5b85 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 7 Dec 2023 14:30:40 -0800 Subject: [PATCH 148/204] updates --- .../ASIC-Monitoring.md | 108 ++++++++++++++++-- 1 file changed, 96 insertions(+), 12 deletions(-) diff --git a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md index 08b543bc33..41d96c6e5e 100644 --- a/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md +++ b/content/cumulus-linux-57/Monitoring-and-Troubleshooting/ASIC-Monitoring.md 
@@ -14,6 +14,15 @@ Cumulus Linux provides: - The *egress queue length* histogram, which provides information about egress buffer utilization over time. - The *ingress queue lengths* histogram, which provides information about ingress buffer utilization over time. - The *counter* histogram, which provides information about bandwidth utilization for a port over time. +- Packet drops due to errors (Linux only). + +{{%notice note%}} +Cumulus Linux supports: +- The egress queue length histogram on Spectrum 1 and later. +- The ingress queue length histogram on Spectrum-2 and later. +- The counter histogram (transmitted packet, transmitted byte, received packet, received byte, and CRC counters) on Spectrum-2 and later. +- The counter histogram (layer 1 received byte counters and layer 1 transmitted byte counters) on Spectrum-4 only. +{{%/notice%}} ## Histogram Collection Example @@ -89,11 +98,12 @@ Histogram settings include the type of data you want to collect, the ports you w - Received byte counters (`rx-byte`) - Transmitted byte counters (`tx-byte`) - CRC counters (`crc`) - - L1 received byte counters (`l1-rx-byte`) - - L1 transmitted byte counters (`l1-tx-byte`) -- You can enable up to two counter histogram counter types per physical interface. The counter histogram is not supported on bonds or virtual interfaces. + - Layer 1 received byte counters (`l1-rx-byte`) + - Layer 1 transmitted byte counters (`l1-tx-byte`) +- You can enable up to two counter histogram counter types per physical interface. The counter histogram does not support bonds or virtual interfaces. - The value for the minimum boundary size must be a multiple of 96. Adding this number to the size of the histogram produces the maximum boundary size. These values represent the range of queue lengths per bin. The default minimum boundary size is 960 bytes. - The default value for the sampling time is 1024 nanoseconds. + {{< tabs "TabID81 ">}} {{< tab "NVUE Commands ">}} 
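Review bot: The support note added at -14,6 +14,15 in ASIC-Monitoring.md (PATCH 148/204) writes the platform names inconsistently: "Spectrum 1 and later" in the first bullet, but "Spectrum-2 and later" and "Spectrum-4 only" in the others; pick one form. The new list item "Packet drops due to errors (Linux only)" sits in a list whose other entries are all histograms and is ambiguous as worded; if it means the feature can only be configured with Linux commands and not with NVUE, say so explicitly.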
@@ -104,7 +114,7 @@ To change global histogram settings, run the `nv set service telemetry histogram {{< tabs "TabID93 ">}} {{< tab "Egress Queue Length Examples ">}} -The following example configures the egress queue length histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. These settings will apply to interfaces that have the egress-buffer histogram enabled and do not have different values configured for these settings at the interface level: +The following example configures the egress queue length histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. These settings apply to interfaces that have the `egress-buffer` histogram enabled and do not have different values configured for these settings at the interface level: ``` cumulus@switch:~$ nv set service telemetry histogram egress-buffer bin-min-boundary 960 @@ -113,7 +123,7 @@ cumulus@switch:~$ nv set service telemetry histogram egress-buffer sample-interv cumulus@switch:~$ nv config apply ``` -The following example enables the egress queue length histogram for traffic class 0 on swp1 through swp8 with the globally applied minimum boundary, histogram size, and sample interval. It also enables the egress queue length histogram for traffic class 1 on swp9 through swp16 and sets the minimum boundary to 768 bytes, the histogram size to 9600 bytes, and the sampling interval to 2048 nanoseconds. +The following example enables the egress queue length histogram for traffic class 0 on swp1 through swp8 with the globally applied minimum boundary, histogram size, and sample interval. The example also enables the egress queue length histogram for traffic class 1 on swp9 through swp16 and sets the minimum boundary to 768 bytes, the histogram size to 9600 bytes, and the sampling interval to 2048 nanoseconds. ``` cumulus@switch:~$ nv set service telemetry enable on 
@@ -127,7 +137,7 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Ingress Queue Length Examples ">}} -The following example configures the ingress queue length histogram and sets the minimum boundary size to 960 bytes, the histogram size to 12288 bytes, and the sampling interval to 1024 nanoseconds. These settings will apply to interfaces that have the ingress-buffer histogram enabled and do not have different values configured for these settings at the interface level: +The following example configures the ingress queue length histogram and sets the minimum boundary size to 960 bytes, the histogram size to 12288 bytes, and the sampling interval to 1024 nanoseconds. These settings apply to interfaces that have the `ingress-buffer` histogram enabled and do not have different values configured for these settings at the interface level: ``` cumulus@switch:~$ nv set service telemetry enable on @@ -137,7 +147,7 @@ cumulus@switch:~$ nv set service telemetry histogram ingress-buffer sample-inter cumulus@switch:~$ nv config apply ``` -The following example enables the ingress queue length histogram for priority group 0 on swp1 through swp8 with the globally applied minimum boundary, histogram size, and sample interval. It also enables the ingress queue length histogram for priority group 1 on swp9 through swp16 and sets the minimum boundary to 768 bytes, the histogram size to 9600 bytes, and the sampling interval to 2048 nanoseconds. +The following example enables the ingress queue length histogram for priority group 0 on swp1 through swp8 with the globally applied minimum boundary, histogram size, and sample interval. The example also enables the ingress queue length histogram for priority group 1 on swp9 through swp16 and sets the minimum boundary to 768 bytes, the histogram size to 9600 bytes, and the sampling interval to 2048 nanoseconds. ``` cumulus@switch:~$ nv set interface swp1-8 telemetry histogram ingress-buffer priority-group 0 
@@ -150,7 +160,7 @@ cumulus@switch:~$ nv config apply {{< /tab >}} {{< tab "Counter Histogram Examples ">}} -The following example configures the counter histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram monitors all counter types. These settings will apply to interfaces that have the counter histogram enabled and do not have different values configured for these settings at the interface level: +The following example configures the counter histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram monitors all counter types. These settings apply to interfaces that have the `counter` histogram enabled and do not have different values configured for these settings at the interface level: ``` cumulus@switch:~$ nv set service telemetry histogram counter bin-min-boundary 960 @@ -192,7 +202,7 @@ The following table describes the ASIC monitor settings. {{< tabs "TabID184 ">}} {{< tab "Egress Queue Examples ">}} -The following example configures the egress queue length histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram collects data every second for all traffic classes on all ports: +The following example configures the egress queue length histogram and sets the minimum boundary size to 960, the histogram size to 12288, and the sampling interval to 1024. The histogram collects data every second for traffic class 0 through 15 on all ports: ``` cumulus@switch:~$ sudo nano /etc/cumulus/datapath/monitor.conf 
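Review bot: the rewritten sentence in the Egress Queue Examples tab still gives 960, 12288 and 1024 without units, while the matching ingress sentences in this patch say bytes and nanoseconds. Since the line is being changed anyway, add the units. "traffic class 0 through 15" would also read better as "traffic classes 0 through 15".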
@@ -239,7 +249,7 @@ monitor.histogram_gr2.histogram.sample_time_ns = 1024 {{< /tab >}} {{< tab "Ingress Queue Examples ">}} -The following example configures the ingress queue length histogram and sets the minimum boundary size to 960 bytes, the histogram size to 12288 bytes, and the sampling interval to 1024 nanoseconds. The histogram collects data every second for all priority groups on all ports. +The following example configures the ingress queue length histogram and sets the minimum boundary size to 960 bytes, the histogram size to 12288 bytes, and the sampling interval to 1024 nanoseconds. The histogram collects data every second for priority group 1 through 15 on all ports. ``` cumulus@switch:~$ sudo nano /etc/cumulus/datapath/monitor.conf 
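Review bot: the ingress sentence now says "priority group 1 through 15" while the egress counterpart changed in the same patch says "traffic class 0 through 15". If priority group 0 is excluded on purpose, the sentence should say so; otherwise the range looks off by one. The `monitor.conf` lines that would settle it are outside the hunk context, so please check the text against the configured list.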
@@ -320,6 +330,79 @@ monitor.histogram_pg.histogram.histogram_size_bytes = 12288 monitor.histogram_pg.histogram.sample_time_ns = 1024 ``` +{{< /tab >}} +{{< tab "Packet Drops Due to Errors Example ">}} + +In the following example: +- Packet drops on swp1 through swp50 collect every two seconds. +- If the number of packet drops is greater than 100, the results write to the `/var/lib/cumulus/discard_stats` snapshot file and the system sends a message to the `/var/log/syslog` file. + +``` +monitor.port_group_list = [discards_pg] +monitor.discards_pg.port_set = swp1-swp50 +monitor.discards_pg.stat_type = packet +monitor.discards_pg.action_list = [snapshot,log] +monitor.discards_pg.trigger_type = timer +monitor.discards_pg.timer = 2s +monitor.discards_pg.log.packet_error_drops = 100 +monitor.discards_pg.snapshot.packet_error_drops = 100 +monitor.discards_pg.snapshot.file = /var/lib/cumulus/discard_stats +monitor.discards_pg.snapshot.file_count = 16 +``` + +{{< /tab >}} +{{< tab "Collect Actions ">}} + +A collect action triggers the collection of additional information. You can daisy chain multiple monitors (port groups) into a single collect action. + +In the following example: +- Queue length histograms collect for swp1 through swp50 every second. +- The results write to the `/var/lib/cumulus/histogram_stats` snapshot file. +- When the queue length reaches 500 bytes, the system sends a message to the /var/log/syslog file and collects additional data; buffer occupancy and all packets per port. +- Buffer occupancy data writes to the `/var/lib/cumulus/buffer_stats` snapshot file and all packets per port data writes to the `/var/lib/cumulus/all_packet_stats` snapshot file. +- In addition, packet drops on swp1 through swp50 collect every two seconds. If the number of packet drops is greater than 100, the monitor writes the results to the `/var/lib/cumulus/discard_stats` snapshot file and sends a message to the `/var/log/syslog` file. 
+ +``` +monitor.port_group_list = [histogram_pg,discards_pg] + +monitor.histogram_pg.port_set = swp1-swp50 +monitor.histogram_pg.stat_type = buffer +monitor.histogram_pg.cos_list = [0] +monitor.histogram_pg.trigger_type = timer +monitor.histogram_pg.timer = 1s +monitor.histogram_pg.action_list = [snapshot,collect,log] +monitor.histogram_pg.snapshot.file = /var/lib/cumulus/histogram_stats +monitor.histogram_pg.snapshot.file_count = 64 +monitor.histogram_pg.histogram.minimum_bytes_boundary = 960 +monitor.histogram_pg.histogram.histogram_size_bytes = 12288 +monitor.histogram_pg.histogram.sample_time_ns = 1024 +monitor.histogram_pg.log.queue_bytes = 500 +monitor.histogram_pg.collect.queue_bytes = 500 +monitor.histogram_pg.collect.port_group_list = [buffers_pg,all_packet_pg] + +monitor.buffers_pg.port_set = swp1-swp50 +monitor.buffers_pg.stat_type = buffer +monitor.buffers_pg.action_list = [snapshot] +monitor.buffers_pg.snapshot.file = /var/lib/cumulus/buffer_stats +monitor.buffers_pg.snapshot.file_count = 8 + +monitor.all_packet_pg.port_set = swp1-swp50 +monitor.all_packet_pg.stat_type = packet_all +monitor.all_packet_pg.action_list = [snapshot] +monitor.all_packet_pg.snapshot.file = /var/lib/cumulus/all_packet_stats +monitor.all_packet_pg.snapshot.file_count = 8 + +monitor.discards_pg.port_set = swp1-swp50 +monitor.discards_pg.stat_type = packet +monitor.discards_pg.action_list = [snapshot,log] +monitor.discards_pg.trigger_type = timer +monitor.discards_pg.timer = 2s +monitor.discards_pg.log.packet_error_drops = 100 +monitor.discards_pg.snapshot.packet_error_drops = 100 +monitor.discards_pg.snapshot.file = /var/lib/cumulus/discard_stats +monitor.discards_pg.snapshot.file_count = 16 +``` + {{< /tab >}} {{< /tabs >}} 
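Review bot: in the Collect Actions config, `monitor.histogram_pg.stat_type = buffer` is the same stat type as `monitor.buffers_pg.stat_type`, although the bullets describe the first as queue length histograms and the second as buffer occupancy, and only `histogram_pg` carries `histogram.*` settings. Please confirm the stat type for the histogram monitor. In the bullets, /var/log/syslog is missing backticks in the third item, and "additional data; buffer occupancy and all packets per port" should use a colon instead of a semicolon.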
@@ -334,7 +417,7 @@ To create a snapshot: - Configure the number of snapshots you can create before the first snapshot file is overwritten. For example, if you set the snapshot file count to 30, the first snapshot file is named `histogram_stats_0` and the 30th snapshot is named`histogram_stats_30`. When the 30th snapshot is taken, the original snapshot file (`histogram_stats_0`) is overwritten and the sequence restarts. The default value is 64. {{%notice note%}} -While more snapshots provide you with more data, they can occupy a lot of disk space on the switch. +Snapshots provide you with more data; however, they can occupy a lot of disk space on the switch. {{%/notice%}} The following example creates the `/var/lib/cumulus/histogram_stats` snapshot every 5 seconds. The number of snapshots that you can create before the first snapshot file is overwritten is set to 30. @@ -425,7 +508,8 @@ The following example sends a message to the `/var/log/syslog` file after the in {{< tab "NVUE Commands ">}} ``` -cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram ingress-buffer priority-group 1 log threshold 5000 +cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram ingress-buffer priority-group 1 threshold action log +cumulus@switch:~$ nv set interface swp9-swp16 telemetry histogram ingress-buffer priority-group 1 threshold value 5000 cumulus@switch:~$ nv config apply ``` From 8da2ed905f8ebf103549b558af19d209a9752f19 Mon Sep 17 00:00:00 2001 From: cumulusAnia Date: Thu, 7 Dec 2023 15:16:06 -0800 Subject: [PATCH 149/204] update nv config apply --- .../NVIDIA-User-Experience-NVUE/NVUE-CLI.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md index 65cbb092ac..b32efbfd59 100644 --- a/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md 
+++ b/content/cumulus-linux-57/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-CLI.md @@ -273,7 +273,7 @@ The NVUE configuration management commands manage and apply configurations. |
                                                      Command | Description | | ------- | ----------- | -| `nv config apply` | Applies the pending configuration to become the applied configuration.
                                                      You can also use these prompt options:
                                                      • `--y` or `--assume-yes` to automatically reply `yes` to all prompts.
                                                      • `--assume-no` to automatically reply `no` to all prompts.
                                                      {{%notice note%}}Cumulus Linux applies but does not save the configuration; the configuration does not persist after a reboot.{{%/notice%}}You can also use these apply options:
                                                      `--confirm` applies the configuration change but you must confirm the applied configuration. If you do not confirm within ten minutes, the configuration rolls back automatically. You can change the default time with the apply `--confirm