# Cube.COS - Release Note

## Abstract

Bigstack CUBE.COS 2.4 is a major release of the CUBE.COS cloud operating system. This release provides the following updates to Bigstack CUBE.COS version 2.4:
- Based on CentOS Stream 9
- Kernel version: 5.14.0-435
- Nova version: 25.3.0 (Yoga)
- Ovn version: 23.03
- Ceph version: 17.2.6 (Quincy)
- Rancher version: v2.7.9
- Nvidia GPU driver version: 535.104
## New functionality

- Cloud Computing
  - Added support of VFIO and GPU Passthrough
  - Centralized GPU management across GPU nodes
  - Added support of GPU / PCI devices auto orchestration
  - Added CLI option to reset instance status for recovery
- Storage
  - Volume Mirror
    - Enhanced mirror management in a single view
    - Added support of journal or snapshot for each mirror rule
    - Added support of instance creation from target volume in backup site
    - Enhanced virtual machine power state aligned with mirror promotion/demotion process
  - Object Storage
    - CLI options to manage bucket quota and IP filters
- Networking and Network Security
  - Added CLI option to fix errors on loadbalancer-as-a-service
- Operation and Management
  - New CLI options
    - to update license by node
    - to update license from ISO image
    - to check and repair filesystem on instances
    - to detect conflicts with IP addresses in the environment
  - Benchmark tools for
    - Hard drives
    - Storage pools
  - Added alert management for threshold adjustment
    - Global settings for all alerts
    - Individual setting for specific service
  - Added support of
    - hard drive model and serial number detection
    - disk failure prediction
    - cluster check on disk failure (new error code)
## Changed features

There is no changed feature in this release.
## Fixed defects

Bug fixes since Cube 2.3.0, including fixpacks and hotfixes.
## Fixpacks

### Enhancements and fixes in Cube 2.4

Patched Security Updates:
- Information disclosure flaw found in ansible-core (CVE-2024-0690)
- A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record (CVE-2023-38469)
- A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function (CVE-2023-38471)
- A reachable assertion exists in the avahi_rdata_parse() function (CVE-2023-38472)
- A reachable assertion exists in the avahi_escape_label() function (CVE-2023-38470)
- A reachable assertion exists in the avahi_alternative_host_name() function (CVE-2023-38473)
- Avahi: an unprivileged user can make a dbus call that causes the avahi daemon to crash (CVE-2023-1981)
- BIND9 bad allocation of resources that can affect the available memory of the system (CVE-2023-2828)
- Prevent possible endless loop when refreshing stale data (CVE-2023-2911)
- BIND9 limit the amount of recursion possible in the control channel (CVE-2023-3341)
- AutoTools does not set CARES_RANDOM_FILE during cross compilation (CVE-2023-31124)
- Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
- Insufficient randomness in the generation of DNS query IDs (CVE-2023-31147)
- 0-byte UDP payload Denial of Service (CVE-2023-32067)
- Exposure of resource to wrong sphere in runc (CVE-2024-21626)
- Improper Preservation of Permissions in runc (CVE-2023-25809)
- Use of Incorrectly-Resolved Name or Reference in runc (CVE-2023-27561)
- Improper Link Resolution Before File Access ('Link Following') in runc (CVE-2023-28642)
- Allocation of Resources Without Limits or Throttling in containerd (CVE-2023-25153)
- Supplementary groups not set up properly in containerd (CVE-2023-25173)
- Information leak through Cups-Get-Document operation (CVE-2023-32360)
- Use-after-free in scheduler/client.c (CVE-2023-34241)
- Heap buffer overflow may lead to DoS (CVE-2023-32324)
- Return error if the hostname is too long for remote resolve (CVE-2023-38545)
- Cookie injection with none file (CVE-2023-38546)
- Lowercase the domain names before PSL checks (CVE-2023-46218)
- Unify the upload/method handling (CVE-2023-28322)
- Hostname wildcard checking (CVE-2023-28321)
- FTP too eager connection reuse (CVE-2023-27535)
- SSH connection is too eager to reuse (CVE-2023-27538)
- GSS delegation too eager connection re-use (CVE-2023-27536)
- SFTP path resolving discrepancy (CVE-2023-27534)
- TELNET option IAC injection (CVE-2023-27533)
- HTTP multi-header compression denial of service (CVE-2023-23916)
- D-Bus unprivileged user to crash dbus-daemon issue (CVE-2023-34969)
- Limited offered EDNS0 size 1232 (CVE-2023-28450)
- Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message (CVE-2023-45229)
- Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)
- Out of Bounds read when handling an ND Redirect message with truncated options (CVE-2023-45231)
- Infinite loop when parsing unknown options in the Destination Options header (CVE-2023-45232)
- Infinite loop when parsing a PadN option in the Destination Options header (CVE-2023-45233)
- Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)
- Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)
- OpenSSL: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
- OpenSSL: use-after-free following BIO_new_NDEF (CVE-2023-0215)
- Sensitive information disclosure due to improper HTTP body handling in urllib3 (CVE-2023-45803)
- PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack (CVE-2023-52323)
- Possible arbitrary HTML attribute injection leading to Cross-Site Scripting (XSS) in Jinja (CVE-2024-22195)
- Possible information leakage due to HTTP redirects when custom cookie headers are set in urllib3 (CVE-2023-43804)
- Removing insecure root certificate authority (CVE-2023-37920)
- httpd updated to httpd-2.4.62-1.el9.x86_64, addressing the recently identified vulnerability (CVE-2023-43622)
## OpenStack Services

### Web Frontend

- Horizon (Dashboard)

### Share Services

- Keystone (Identity)
- Glance (Image)
- Barbican (Key Store)

### Compute

- Nova (Virtual Machine)
- Ironic (Bare-metal)

### Accelerator

- Cyborg (GPU, FPGA, ASIC, NP, SoCs, NVMe/NOF SSDs, ODP, DPDK/SPDK and so on)

### Networking

- Neutron (SDN/NFV, VPN as a Service)
- Octavia (Load Balance as a Service)
- Designate (DNS as a Service)

### Storage

- Cinder (Block Storage)
- Manila (File Storage)
- Swift (Object Storage)

### Orchestration

- Heat (Orchestration)
- Senlin (Auto-scaling)

### Monitoring

- Monasca (Telemetry)

### High Availability

- Masakari (Instance HA)

### Resource Optimization

- Watcher (Infrastructure Optimization)

## Cube Infrascope

- ELK
  - Elasticsearch (v7.10)
  - Opensearch (v2.10)
  - Kibana (v7.10)
  - Opensearch-dashboards (v2.10)
  - Logstash (v8.9.0)
  - Filebeat (v8.10.2)
  - Auditbeat (v8.10.2)
- TIGK
  - Telegraf (v1.17)
  - Influxdb (v1.8.10)
  - Grafana (v7.5.9)
  - Grafana-enterprise (v10.1.5)
  - Kapacitor (v1.5.7)
- Data Pipeline
  - Zookeeper (v2.13)
  - Monasca (v2.5.0)
  - Kafka (v2.7)

## Identity

- Keycloak (v17.0.1)
## Announcements

The Bigstack CUBE.COS cloud operating system version 2.4 is generally available in May 2024.
## Compatibilities

The following Cube related products are currently supported by Cube 2.4 and can only be run against Cube 2.4 or above.

- CUBE.CMP 1.7
  - Prerequisites: Cube 2.4 with AppFramework deployed
- CUBE.VDI Driver and integration
  - Prerequisites: Cube 2.4 and Cube VDI essentials

Contact Bigstack (https://www.bigstack.co/contact/) for details of Cube products.
## Installation and Configuration

For CUBE.COS installation, see the following topics in Bigstack documentation.

To get started with CUBE.COS, see Quick Start in Bigstack documentation.
## Known issues

After enabling OTP login, the Keycloak page shows nothing.
## Related information

Bigstack Co., Ltd. is a software and consulting company focused on open source, software-defined data centers, cloud platforms, and security.

Contact Bigstack: https://www.bigstack.co/contact/