Release Notes SevOne NMS 7.0.0
Browser Requirements
Minimum Resolution: 1200x768
Browsers:
- Modern, standards-compliant browser
- JavaScript enabled
- Pop-up blocker disabled for hostname/IP
The following browsers are supported in the current versions of SevOne. SevOne recommends use of the latest version of your preferred (supported) browser.
Vendor | Family | SevOne NMS 7.0 |
---|---|---|
Google | Chrome | Tested & Supported |
Mozilla | Firefox | Tested & Supported |
Microsoft | Edge | Tested & Supported (with limited testing performed) |
Apple | Safari | Supported |
Tested = Complete UI regression testing completed prior to release of updates.
Supported = Developer-led testing and resolution of any customer reported defects. No complete UI regression test is performed.
NOTE: Please use the latest browser version of Chrome, Firefox, Edge, and Safari.
Compatibility Matrix
SevOne NMS | REST API | SevOne Data Insight | xStats Adapter |
---|---|---|---|
7.0.0 (RHEL) | 2.1.48 | | 2.1.11 |
Containers
As of SevOne NMS 7.0.0, SevOne is distributed using container technology, allowing a more confident deployment of the software. To run administrative commands on a SevOne appliance, the administrator must now execute commands in the context of the intended container.
By default, the container deployment of SevOne is set to be read-only.
- The host and the container each have their own ssh configuration, for both the server and the client.
- To ssh as root, you must use the sudo command.
For additional details, please refer to SevOne NMS System Administration Guide and / or SevOne NMS User Guide.
Other Notices
Please ensure that SevOne NMS cluster is on the same SOA version.
/opt/patches is a reserved directory; please refrain from making any modifications.
During the initial deployment, when you execute SevOne-fix-ssh-keys, it produces the /root/.ssh/authorized_keys file, which contains your cluster's public keys.
If you have custom keys, the keys must be added to the /root/.ssh/custom_keys.pub file.
- If the /root/.ssh/custom_keys.pub file does not exist, using a text editor of your choice, add the new custom key(s) to it.
- If the /root/.ssh/custom_keys.pub file already exists, concatenate the new custom key(s) after the existing custom keys in the file.
To persist the custom keys added to /root/.ssh/custom_keys.pub, run the SevOne-fix-ssh-keys script; it automatically adds the keys in /root/.ssh/custom_keys.pub to /root/.ssh/authorized_keys. The /root/.ssh/authorized_keys file then contains your cluster's public keys along with the custom keys stored locally in /root/.ssh/custom_keys.pub.
Retains 'all' keys - cluster's public keys & custom keys
$ SevOne-fix-ssh-keys
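The custom-key procedure above can be scripted so that only well-formed public keys reach /root/.ssh/custom_keys.pub and so that the result of SevOne-fix-ssh-keys can be checked afterwards. This is an added example, not SevOne code: the function names `key_blob`, `add_custom_key` and `missing_from_authorized` are hypothetical, and the key in the usage comment is constructed.

```sh
#!/bin/sh
# Added example, not SevOne code. Defaults are the paths named in the release
# notes; override both variables to try this outside an appliance.
CUSTOM_KEYS="${CUSTOM_KEYS:-/root/.ssh/custom_keys.pub}"
AUTH_KEYS="${AUTH_KEYS:-/root/.ssh/authorized_keys}"

# key_blob LINE: print "<type> <base64>" for an OpenSSH public-key line,
# ignoring leading options and the trailing comment. Fails for blank lines,
# comments and anything else (for example pasted private-key material).
key_blob() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ { exit }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ "^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" &&
                    $(i + 1) ~ "^[A-Za-z0-9+/]+=*$") {
                    print $i, $(i + 1); found = 1; exit
                }
        }
        END { exit !found }'
}

# add_custom_key LINE: add one public key to the custom keys file.
add_custom_key() {
    new_blob=$(key_blob "$1") || {
        echo "rejected: not an OpenSSH public key line" >&2
        return 2
    }
    # First case in the notes: the file does not exist yet. Create it owner-only.
    [ -e "$CUSTOM_KEYS" ] || ( umask 077; : > "$CUSTOM_KEYS" )
    # Skip keys that are already listed so repeated runs do not pile up copies.
    while IFS= read -r have || [ -n "$have" ]; do
        if [ "$(key_blob "$have")" = "$new_blob" ]; then return 0; fi
    done < "$CUSTOM_KEYS"
    # Second case: append after the existing keys, without joining onto a
    # last line that lacks its newline.
    if [ -s "$CUSTOM_KEYS" ] && [ -n "$(tail -c 1 "$CUSTOM_KEYS")" ]; then
        echo >> "$CUSTOM_KEYS"
    fi
    printf '%s\n' "$1" >> "$CUSTOM_KEYS"
}

# missing_from_authorized: after SevOne-fix-ssh-keys has run, print how many
# custom keys are absent from authorized_keys; succeeds only when none are.
missing_from_authorized() {
    missing=0
    while IFS= read -r have || [ -n "$have" ]; do
        blob=$(key_blob "$have") || continue
        if ! grep -qF -- "$blob" "$AUTH_KEYS" 2>/dev/null; then
            missing=$((missing + 1))
        fi
    done < "$CUSTOM_KEYS"
    echo "$missing"
    [ "$missing" -eq 0 ]
}

# Usage on the appliance (constructed key, for illustration only):
#   add_custom_key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyOnly1 ops@example'
#   SevOne-fix-ssh-keys
#   missing_from_authorized
```

A non-zero count from `missing_from_authorized` means SevOne-fix-ssh-keys did not carry every custom key into /root/.ssh/authorized_keys and should be re-run.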
Third-party Packages
The following are third-party packages updated to address security.
Package | Version | |
---|---|---|
General |
Java | 17.0.10+7 (IBM Semeru Certified) |
Kafka | For SevOne Data Bus 7.0.0, | |
Kernel | 4.18.0-553.el8_10 NOTE: The kernel will automatically get installed as part of the upgrade and will be loaded after the reboot of the appliance. | |
KVM | 9.9.0-1.el9 (libvirt-libs) | |
MySQL | 10.6.12-MariaDB | |
Nginx | 1.25.2-0.el8 | |
PHP | 8.3.7-1.el8 NOTE: To consume PHP 8, please contact Expert Labs if assistance is needed. | |
Signature Tools | For example, Important: The latest files can be downloaded from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. However, if you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact SevOne Support Team for the file. | |
Artifacts | For new installs / upgrades, the latest TAR and CHECKSUM files can be downloaded from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. However, if you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact SevOne Support Team for the file. | |
Fabric | Azure | Windows 2008 (modified) |
Hypervisor | OpenStack | >= 10.a |
VMware | | |
Planning & Preparation
- Prior to applying the patch, the system creates a backup of the files and puts them into an archive file so that they can be reverted.
- Total Upgrade Time and Polling Outage: On a 20 Peer 200K cluster, the upgrade takes approximately 1 hour 30 minutes. The polling outage on this cluster ranged from 3 minutes to 7 minutes. Polling outages can be slightly higher when a MySQL restart is required, and this does not include the time it takes for the reboot of a new kernel. Depending on the cluster and load per appliance, times will vary. The total Netflow outage for this cluster ranged from 10 minutes to 15 minutes. Netflow outage can be up to 2 hours since the Netflow shortterm tables, which hold 2 hours of data, do not get backed up when MySQL is restarted.
  Important: When a new flow interface is set up with a DNC at capacity, the system collects all existing allowed flows and denies any new flows.
- The number of peers in a cluster must not exceed 200 peers; this includes the HSAs. This limit is due to MySQL replication maintainer.
- On large deployments, Object Groups may take 15 minutes to update.
Forward / Reverse Migrations
Please refer to SevOne NMS Upgrade Process Guide published with this release for details on forward / reverse (upgrade / downgrade) migrations. The latest tarball files can be downloaded from IBM Passport Advantage via Passport Advantage Online. However, if you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact SevOne Support Team for the forward / reverse migration files.
Useful Guides
From IBM's Documentation Portal (https://www.ibm.com/docs/en/sevone-npm), please refer to NMS guides for this release for details.
Deprecated / Removed Features & Functions
Feature / Function | Reason Deprecated / Removed | Next Steps |
---|---|---|
ReiserFS in Linux Kernel | Do not upgrade to SevOne NMS 7.0 or higher if running ReiserFS. ReiserFS has reached end of support and will be removed from Linux Kernel in 2025. Some customers might have migrated from ReiserFS to XFS type 0 during a past SevOne NPM upgrade, or are still running instances on ReiserFS and must move to XFS Type 1. | If you are not using XFS type 1 for a file system, you must migrate before upgrading to IBM SevOne NPM 7.0.0. There are two available options to migrate file systems. If you use physical appliances, the recommendation is to move to virtual appliances. If you need assistance, IBM is ready to help you migrate any peers to the supported file system. For assistance, please reach out to your IBM Technical Account Team, IBM SevOne Support, or IBM Expert Labs. ftype Restriction: All appliances built as Gentoo have ftype=0 filesystem and are incompatible with SevOne NMS 7.0 unless rebuilt. To check, execute the following command. |
JMX plugin | Limited use by clients. | Clients using this plugin should look for alternative solutions. |
Nokia-Nuage SD-WAN Support | Nokia has announced that it plans to significantly reduce development efforts on Nuage SD-WAN and move to a stop sell in the upcoming years. | Last Nokia-Nuage features and enhancements were delivered in IBM SevOne NPM 6.7.0. Clients using the solution should upgrade to and remain on IBM SevOne NPM 6.8 until they end their use of Nokia Nuage SD-WAN. SevOne NPM 6.8 will provide 2 years of base support starting February 29, 2024. |
Oracle DB Monitoring in DB plugin | DB plugin is not widely used to monitor Oracle databases. | Clients using the plugin to monitor Oracle database should look for alternative solutions. Clients using the DB plugin to monitor MySQL are not impacted. |
TACACS and RADIUS Authentication | SevOne NPM is investing in more modern and secure authentication methods following industry best practices. | Plan to transition to Active Directory. |
Data Miner | More modern data export techniques have adopted publish and subscribe data sharing for metrics. SevOne delivered SevOne Data Publisher as a replacement. | Replace Data Miner with SevOne Data Publisher to publish real time and historical data. |
WebKit PDF Generator | This feature was developed as a beta program that has been replaced. | SevOne NPM has delivered an integrated, modern, and proven ability to create PDF reports using IBM SevOne Data Insight. |
ioDrive | ioDrives have reached end of warranty and should be replaced with modern storage. | Clients should refresh their physical servers or move to virtual infrastructure. |
Config Shell / Cluster Firewall Manager | With the move to containers in SevOne NPM 7.0 and RHEL OS in SevOne NPM 6.8, IBM is deprecating Config Shell and Cluster Firewall Manager. | Upon upgrading to 7.0.0, use Red Hat Network Manager to configure network connections and Red Hat Firewall Manager to configure firewalls. Both tools are built into Red Hat RHEL OS. |
AS enrichment via direct BGP peering | As part of continuous product improvement, SevOne is deprecating a legacy method of enriching flow data with AS information via direct BGP peering. | SevOne currently ships a regularly updated AS database which automatically enriches flow with AS information. Therefore, the peering method is no longer required. |
New Features / Enhancements
- Containerization: As of SevOne NMS 7.0.0, SevOne is distributed using container technology, allowing a more confident deployment of the software with improved security as the containers cannot be changed. It enables future product upgrades to be completed more quickly and reliably. The upgraded containers can be installed and initialized in a fraction of the time of RPM-based delivery on Linux.
  Deploying SevOne as containers reduces reliance on initial state, meaning unexpected customer changes to the host are less likely to trigger pre-check errors or interrupt the upgrades.
  By default, the container deployment of SevOne is set to be read-only, which improves the pass rate for the security scans.
- Platform: SevOne NMS clustering functions have been redesigned so that the initial cluster builds are more intuitive and faster to complete. Adding capacity to existing clusters takes less time and effort, especially for larger clusters. If something goes wrong, clusters no longer require recovery, and peers that failed to add can return to their initial state within seconds.
- Expanded Azure metric collection, including:
  - Azure Virtual Machine Scale Sets Instances
  - Azure ExpressRoute Circuits
  - Azure ExpressRoute Direct
  - Azure ExpressRoute Gateway
  - Azure VPN Gateway
  - Azure Load Balancer
  - Azure Storage
- New Cisco SDN plugin added to reduce install and setup time.
- Extended support for Velocloud SD-WAN to collect quality of experience scores and object metadata using APIs.
If you want to upgrade SevOne NMS to SevOne NMS 6.8 or higher and you are currently on SevOne NMS version below SevOne NMS 6.1, you must:
- upgrade from SevOne NMS version below SevOne NMS 6.1 to SevOne NMS 6.7
- then, upgrade from SevOne NMS 6.7 to SevOne NMS 6.8 or higher
When SevOne NMS is upgraded from 6.x to 7.0, you may see double entries in flow reports spanning the time frame in which you were running 6.x and 7.0. The reason is that the SaaS data has been normalized for SevOne NMS 7.0 so that, going forward, the data will remain constant from one release to the next. This normalization means that older data (stamped with older SaaS ids) may appear as double entries on the reports. This does not affect the accuracy of the reports. From SevOne NMS, Applications > FlowFalcon Reports > under Resolution Settings, fields App Profile and App Category can be set to Display Number or Display Both to view the underlying SaaS ids.
Resolved Issues
Component/s | Key | Resolved Issues |
---|---|---|
SDN | S1NPM-78003 | Device Manager: SDN Plugin can now be configured on devices. |
Analytic Threshold | S1NPM-78057 | Alerts: Count over threshold triggers at N events. |
Flow | S1NPM-78067 | FlowFalcon: The system now recognizes certain IBM enterprise fields related to Kubernetes (pods, nodes, and namespaces). |
Platform | S1NPM-91975 | Platform: Jaeger is updated to v1.50.0. |
Platform Operations | S1NPM-92014 | Device Discovery: $snmpHost is now a member function in DeviceDiscovery.inc. |
Platform | S1NPM-97485 | Platform: The following daemons can now be run with reduced privileges. |
Reporting Other | S1NPM-97047 | Platform: mailSurfReports can correctly handle reports with invalid / incorrect email ids. |
Reporting Flow | S1NPM-97268 | Flow: |
Reporting Flow | S1NPM-97285 | REST API: The following endpoints have been renamed from service_profiles to app_profiles: GET /api/v3/flow/service_profiles > GET /api/v3/flow/app_profiles; POST /api/v3/flow/service_profiles > POST /api/v3/flow/app_profiles; PUT /api/v3/flow/service_profile_mapping > PUT /api/v3/flow/app_profile_mapping. For FlowFalcon resolution settings, the endpoint is POST /api/v3/flow/flowreport. |
Reporting Flow | S1NPM-97286 | REST API: The following endpoints have been renamed from service_categories to app_categories: GET /api/v3/flow/service_categories > GET /api/v3/flow/app_categories; POST /api/v3/flow/service_categories > POST /api/v3/flow/app_categories; PUT /api/v3/flow/service_categories/{id} > PUT /api/v3/flow/app_categories/{id}; DELETE /api/v3/flow/service_categories/{id} > DELETE /api/v3/flow/app_categories/{id}; POST /api/v3/flow/service_categories/create > POST /api/v3/flow/app_categories/create. |
Platform Operations | S1NPM-97321 | Metadata Schema: Deprecated / removed Cisco ACI SevOne metadata attributes removed. |
Platform Operations | S1NPM-97329 | Platform: TACACS support removed from SevOne NMS. |
Integration | S1NPM-97354 | Platform: Failed webhook requests are now logged in messageswitch.log file. |
Platform Updates | S1NPM-97365 | REST API: com.ullink.slack support removed. |
Platform Operations | S1NPM-97450 | Platform: RADIUS support removed from SevOne NMS. |
Platform | S1NPM-108661 | REST API: /api/v3/data/performance_metrics prints the value as numIndicators. |
Platform Clustering | S1NPM-108715 | Cluster Manager: Peers tab > |
Platform | S1NPM-108907 | Cluster Manager: SevOne NMS is tuned to store 365 days of data at 300s granularity when operating at full capacity. Modifying data retention or polling frequency from their default values can cause the indicators-per-second load to exceed rated capacity, which may result in service disruption or data loss. For the following 2 scenarios, if field Data Retention is set to >365 days, you must contact Expert Labs for sizing guidance before modifying data retention settings. In the warning message, if you answer Yes without obtaining the guidance from Expert Labs, you are proceeding at your own risk. |
Platform | S1NPM-108976 | Platform: Kernel upgraded to 4.18.0-553.el8_10. |
Platform | S1NPM-109416 | Platform: Post-upgrade, |
Platform | S1NPM-109492 | Platform: Custom pages load as expected when SevOne NMS is upgraded to version 6.5.0 or higher using the Graphical User Interface. |
Platform | S1NPM-109553 | Platform: Removed support for JMX and Oracle DB. |
Platform Clustering | S1NPM-109665 | Cluster Manager: Allows a new single peer to Join a cluster and Remove the peer from the cluster. |
Platform | S1NPM-109929 | Platform: All configurations are now placed in /config folder. |
Platform | S1NPM-109956 | Cluster Manager: Cluster Settings tab > Security subtab > in SevOne NMS 7.0.0, field Require Strong Passwords for mysql users is not supported. |
Platform | S1NPM-109065 | SDP: For both Gauge and Counter types, if data is polled as null, SDP sends NaN instead of 0. |
Platform | S1NPM-109651 | SDP: In /config/sdp/config.yml, bootstrap.servers can be set with multiple ip:port pairs separated by commas. |
Platform | S1NPM-110061 | Platform: |
Platform | S1NPM-110121 | SDP: When using Kerberos with Active Directory, SDP failed to create a Kafka producer. In /config/sdp/config.yml, enable DisablePAFXFAST to set FAST negotiation for SDP to successfully create the Kafka producer. |
Platform | S1NPM-110123 | SDP: In /config/sdp/config.yml file, allows SDP with the principal to include the realm part. For example, SDP no longer requires the realm part to be removed from the principal before it talks to Kerberos server. |
30 issues
CVEs / CWEs / CESAs
CVEs | CVEs (continued) | CWEs / CESAs |
---|---|---|
CVE-2007-4559 | CVE-2023-28879 | CWE-121 |
CVE-2022-2127 | CVE-2023-31486 | CESA-2023:6943 |
CVE-2022-36944 | CVE-2023-33285 | CESA-2023:6967 |
CVE-2022-42003 | CVE-2023-33460 | CESA-2023:7010 |
CVE-2022-42004 | CVE-2023-34055 | CESA-2023:7015 |
CVE-2022-48560 | CVE-2023-34410 | CESA-2023:7029 |
CVE-2022-48564 | CVE-2023-34453 | CESA-2023:7053 |
CVE-2023-1786 | CVE-2023-34454 | CESA-2023:7055 |
CVE-2023-1981 | CVE-2023-34455 | CESA-2023:7057 |
CVE-2023-3138 | CVE-2023-34966 | CESA-2023:7112 |
CVE-2023-3446 | CVE-2023-34967 | CESA-2023:7139 |
CVE-2023-3817 | CVE-2023-34968 | CESA-2023:7166 |
CVE-2023-4016 | CVE-2023-37369 | CESA-2023:7174 |
CVE-2023-4641 | CVE-2023-38197 | CESA-2023:7176 |
CVE-2023-5072 | CVE-2023-38546 | CESA-2023:7187 |
CVE-2023-5678 | CVE-2023-39325 | CESA-2023:7190 |
CVE-2023-6378 | CVE-2023-44981 | CESA-2023:7877 |
CVE-2023-22745 | CVE-2023-46218 | CESA-2024:0114 |
CVE-2023-28322 | CVE-2024-22243 |
Known Issues
This section lists issues that SevOne is aware of in the 7.0.0 release. Most of these issues were discovered during quality assurance testing and are published here to provide you with information that may be relevant when you plan your update. This list does not include feature requests or low impact issues that do not affect functionality. If you have questions, comments, or concerns, please contact us.
- If you have a scenario where adding HSA has failed during the masterslave console, format slave step, you may execute the following steps as a workaround.
  - Using a text editor of your choice, edit /config/cron.d/mode file.
  - Search for the line containing discover-netflow.
  - Comment this line by adding a # at the start of this line.
  - Save /config/cron.d/mode file.
  - Add the HSA.
  - Using a text editor of your choice, edit /config/cron.d/mode file again.
  - Search for the line containing discover-netflow.
  - Uncomment this line by removing the # that is at the start of this line.
  - Save /config/cron.d/mode file.
- REST API docs are unavailable when the domain name has an underscore. For example, http://sevone_test1/api/docs/ or http://sevone_test1.sevone.com/api/docs/.
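The HSA workaround above (comment out the discover-netflow line, add the HSA, uncomment it again) can be done without a text editor and followed by a check that the line is active again. This is an added example, not SevOne code: the function names are hypothetical, and it assumes it runs in the context where /config/cron.d/mode is writable.

```sh
#!/bin/sh
# Added example, not SevOne code. The path is the one named in the workaround;
# override CRON_MODE to try this on a copy of the file.
CRON_MODE="${CRON_MODE:-/config/cron.d/mode}"

# set_discover_netflow off|on
#   off: put a '#' in front of every discover-netflow line that has none yet,
#        so running it twice does not stack a second '#'.
#   on:  remove one leading '#' from every discover-netflow line.
set_discover_netflow() {
    tmp=$(mktemp) || return 1
    case "$1" in
        off) sed -e '/discover-netflow/{' -e '/^#/!s/^/#/' -e '}' "$CRON_MODE" > "$tmp" ;;
        on)  sed -e '/discover-netflow/s/^#//' "$CRON_MODE" > "$tmp" ;;
        *)   rm -f "$tmp"; echo "usage: set_discover_netflow off|on" >&2; return 2 ;;
    esac || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$CRON_MODE" && rm -f "$tmp"
}

# discover_netflow_enabled: succeeds only if an uncommented discover-netflow
# line is present, i.e. the final uncomment step was not forgotten.
discover_netflow_enabled() {
    grep -v '^[[:space:]]*#' "$CRON_MODE" | grep -q 'discover-netflow'
}

# Order of use, matching the workaround steps:
#   set_discover_netflow off
#   (add the HSA)
#   set_discover_netflow on
#   discover_netflow_enabled || echo "discover-netflow is still commented out" >&2
```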
Component/s | Key | Known Issues |
---|---|---|
Collection xStats + Deferred | S1NPM-77884 | Platform: Evaluation of Synthetic Indicator does not happen when the data point goes into backfill task of process SevOne-ingestion-resolved. |
Platform Operations | S1NPM-77927 | Platform: SevOne import/export does not work with the AWS plugin device. |
Platform | S1NPM-109155 | REST API: The following endpoints are not working as expected. |
Platform | S1NPM-109240 | REST API: Endpoints POST /api/v2/discovery/{id}/run and POST /api/v2/discovery/run are not working as expected. |
Platform | S1NPM-109725 | Platform: Does not allow removal of peer or HSA to be initiated from any peer. |
Platform | S1NPM-109920 | Platform: snmpd does not listen over IPv6 preventing the ability to self-monitor remotely over an IPv6 network. |
Platform | S1NPM-110046 | Platform: SevOne NMS container upgrades may require some features to be re-configured for them to work properly. |
Platform | S1NPM-110201 | SevOne Data Publisher: When configuring the kerberos config krb5.conf file, SDP will not work if variable dns_canonicalize_hostname is set. |
Platform | S1NPM-110280 | Platform: |
Platform | S1NPM-110549 | xStats: In SevOne NMS 7.0 and above, the configuration of the xStats adapters based on ADK is not migrated properly after the upgrade from a prior release. Workaround: The following steps must be executed manually post-upgrade. |
Platform | S1NPM-112275 | Platform: After deploying an appliance from vCenter using .ova file, you must select your desired model. Note: You may refer to Known Issue DT396315 for details. |
Platform | S1NPM-112463 | Platform: Peering does not properly distribute ssh keys in Hub-and-Spoke setup. NMS supports a Hub-and-Spoke setup, where some peers cannot reach each other across the network, as long as the cluster master / cluster leader is fully reachable by all peers. The objective is to make a best-effort attempt to support functions that do not strictly require connectivity to other peers. One case where this standard is not reached is during peering. If a new peer being added to the cluster lacks connectivity to just one other peer (not even the cluster master / cluster leader), then, while peering will succeed, the distribution of ssh keys will fail, and no keys will be distributed. This prevents ssh communication even between peers that are connected across the network, including the cluster master / cluster leader. Running SevOne-fix-ssh-keys manually from the new peer also fails. The reason is simply that the operation bails entirely if keys cannot be obtained from even a single peer. Workaround: Run SevOne-fix-ssh-keys manually on the Cluster Master / Cluster Leader after peering. |
12 issues