Mount And Blade Bannerlord Patch Notes

[Leonides Suttle]

SymptomsWhen BIG-IP Next tenant is installed, a default route rule is added on host. If tenant management and host management IPs are on same subnet, then two similar rules are created with destination as same subnet.

The tenant route rule is created with higher priority (metric 0) resulting any management egress traffic destination belonging to same subnet is going through tenant management interface instead of host management interface.

Impact:

End users receiving traffic from appliance, will observe sender IP as tenant management interface instead of host management interface.

Note:

a. This issue will be observed only when host management & tenant management subnet is same and also destination to which data is sent is on same subnet.

b. This impacts management plane traffic within the appliance's management subnets.

Symptoms:

At times, the partition HA cluster fails to start up correctly, leading to issues with database replicas and the secondary controller instance not reaching "standby".

The "show system redundancy" command at the partition CLI can confirm this issue. Blades will be either "offline" or "failed", with a reason of "reconnecting" or "database disconnected" for an extended period (more than a few seconds).

Conditions:

Write transactions occurring during HA cluster formation can sometimes interfere with database initialization/replication, most often observed when multiple blades reboot together during a rolling upgrade.

Conditions:

The normal state of the primary key is to not change unless there is an error in reading the key incorrectly.

Attempting multiple reboots where there is a possibility of interruption with the key storage access can cause the key logic to create a new key.

Symptoms:

When performing the partition database compatibility upgrade check (check-version/set-version), the check logic does not always use the correct target version. This potentially can cause the compatibility check to pass, but the actual database upgrade can fail and automatically roll back.

Symptoms:

If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.

Fix:

A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to manually add the exception or turning off SELinux.

Symptoms:

When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.

The migration failure may cause configuration database corruption for the entire system.

Workaround:

Mitigation to prevent failure:

- Change all tenants to the configured state

- Set a new primary key

- Wait for key migration to complete

- Return tenants to deployed state.

Recovery for corruption:

- Reset device to default configuration

- Set the primary key to the known primary key for a known-good backup

- Restore with known-good backup

Fix:

Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.

Symptoms:

When logging into an F5OS or BIG-IP system that is in FIPS mode, RSA-1024 SSH public keys should not be allowed to make the connection. Users should instead be prompted for a password.

Symptoms:

The tenant service-instances IDs are not matching with the fdb mac-table service-ids. This happens when the system attempted to read a field that does not exist in the /services table.

Symptoms:

Upon file download failure, API is returning an Apache error page that isn't an F5OS-specific error and isn't aligned with other F5OS API errors. This is a negative user experience.

Symptoms:

When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Symptoms:

Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partitions or appliances from 1.6.0+ to versions below 1.6.0. If there are running tenants at the time the downgrade is attempted, it will be blocked.

Symptoms:

qkview captures log files, but may truncate them if too large (greater than 100 MB). A regression was introduced such that the most recent log entries would be truncated rather than the oldest.

Symptoms:

After blades are added to the Openshift cluster, Multus is installed on the blades via an ansible-playbook. If the blade/blades are rebooted during the playbook run, it is possible that the playbook run could hang, possibly for several hours. During this time, the blade will not be available in the Openshift cluster.

Workaround:

If the blades are rebooted during the Multus install and they do not finishing joining the cluster after reboot, the active CC can fail over, which will cause the blade to be added to the cluster again.

Fix:

With the fix, the user will be able to view and remove the VLAN in the Add/Edit Interface/LAG screen even if the VLAN was deleted, and thus will be able to detach it from the interface/LAG.

Conditions:

Internally, LACPD hashes interfaces to an integer, and some aggregation interface names hash will collide with ethernet interface name hash. Changes to the these aggregation interfaces can impact the ethernet interface.

Impact:

Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Symptoms:

An error on the ConfD CLI occurs when the user tries to enable Client Certificate Authentication before setting Client Certificate Verification to true. The error message given by this condition is not correct.

Symptoms:

When requesting a self-signed-cert, if the key-type is encrypted, then a passphrase is required. However, if no parameters are supplied, the key-type is then requested as a mandatory parameter, but won't ask for passphrase if encrypted type is selected.

Conditions:

The initial discovery of platform-stat had a logic flaw which prevented drive information from being correctly discovered. This caused the rest of the JSON object from being populated.

Symptoms:

Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.

Conditions:

- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.

- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.

Fix:

Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.

Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.

Symptoms:

After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.

Symptoms:

Currently, we are allowing all characters to configure SNMP community/target/user. Because of that someone can use this configuration to inject script and system can be compromised.

Fix:

We are restricting special characters /*!^,/ (identified as invalid input) as SNMP community/target/user name configuration.

Note: Upgrade will fail if user already has SNMP configuration with restricting special characters /*!^,/

Symptoms:

User is allowed to set path cost as 0 but it does participate in port role selection.

> Port role is dependent on path cost; port with lesser path cost becomes root.

> In the current issue, though port has a lesser value of path cost (0), it is not becoming root.

Fix:

LopBladePresentNotification is sending slotID as 1 based index, which causes the monitoring of the subsequent blade, as diag-agent expects it to be 0 based index.

Updated LopBladePresentNotification to 0 based index.

Symptoms:

The two PSU controllers in a VELOS 8-slot chassis are redundant. Both PSU controllers have access to a shared I2C bus connected to the 4 power supplies. The AOM on the active controller selects one of the 2 PSU controllers to use for PSU management and directs all PSU accesses through that PSU controller.

When a PSU controller indicates a runtime fault, then the AOM fails over to using the other PSU controller. The PSU controller runtime status fault is recorded in the event log and asserts an alarm.

Unfortunately, this behavior leaves an active alarm for the PSU controller reporting a runtime status fault once it occurs. That PSU controller is no longer being used for PSU management, thus there is no opportunity for it to clear its own reported PSU I2C fault. The associated alarm remains active indefinitely.

3a8082e126