{{indexmenu_n>20230210}}
====== NetYCE 8.2.0 Build_20230214 ======
====== Release notes ======
Date: 2023-02-14
\\
===== Enhancement =====
==== New Vendor-modules ====
Two new vendor modules were added: Gigamon GigaVUE and Meinberg LTOS. This brings the total number of supported vendor device families to 33.
==== Screen scraping ====
When retrieving the configuration of a node through screen scraping, we no longer check the output for error messages, which avoids false positives.
=== Backup node config after pushing startup config ===
When you push a startup config, we first back up this config before rebooting the node, so that our config backup tool also has the most recent configuration stored.
=== Preventing false config deltas ===
When retrieving the configuration of a node using the nccm daemon, ever-changing lines are now also filtered out before the configuration is compared against the previously saved configuration, to prevent false diff messages.
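One way such filtering can work, as an added example (not NetYCE's own code): the patterns are assumed Cisco IOS-style volatile lines and the sample configs are constructed. Only a real change, here an SNMP community going from RO to RW, survives the diff.

```python
import difflib
import re

# Assumed patterns for lines that differ on every retrieval (Cisco IOS style);
# the filter list NetYCE actually uses is not shown on this page.
VOLATILE = [
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
    re.compile(r"^ntp clock-period \d+"),
    re.compile(r"^Current configuration : \d+ bytes"),
]

def normalise(config):
    """Drop volatile lines and trailing whitespace; keep the rest in order."""
    kept = []
    for line in config.splitlines():
        line = line.rstrip()
        if any(p.search(line) for p in VOLATILE):
            continue
        kept.append(line)
    return kept

def config_delta(saved, polled):
    """Unified diff after filtering; an empty list means no real change."""
    return list(difflib.unified_diff(normalise(saved), normalise(polled),
                                     "saved", "polled", n=1, lineterm=""))

# Constructed sample configurations
SAVED = """\
! Last configuration change at 09:12:44 UTC Mon Feb 6 2023 by admin
hostname edge-rtr-01
ntp clock-period 17179871
snmp-server community example-ro RO
"""
# Same config polled later: only the timestamp and clock period moved.
POLLED_SAME = SAVED.replace("09:12:44", "10:30:01").replace("17179871", "17180012")
# A real change on top of the volatile noise.
POLLED_CHANGED = POLLED_SAME.replace("example-ro RO", "example-rw RW")
```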
=== Syslog notification backup status ===
A syslog notification is now sent when a config backup fails or succeeds, whether through file transfer or screen scraping.
==== Configuration Upload ====
As was already available using the various APIs, a 'new' configuration for a device can now also be manually uploaded using the GUI. The new "Upload config" button can be found using the "Backups" form when opening the "details" of a node.
Note that the uploaded configuration will be added to the Nccm history as the 'latest' version.
==== Polling groups new layout ====
The polling groups form has been re-skinned with the new layout. Functionality remains virtually the same.
==== Config upload button ====
A button has been added to the backup details form that allows you to manually upload a configuration for a node.
==== Site countries and states ====
The dropdowns for countries and states in the sites edit form now contain data for a number of countries: United Kingdom, United States, Germany, France, Belgium, Luxembourg and Ireland.
==== Domain database field length ====
The domain name field in the database has been lengthened from 20 to 100 characters.
==== Config parsing deprecated ====
Config parsing has been deprecated. All of its functions can be performed using Command Parsing.
==== Compliance Rules Enable-Check ====
You can now enable and disable compliance rules.
==== Graphs Deprecated ====
The graph button has been removed from the client and site grids.
==== Log rotation ====
A new method for log rotation, using the Linux logrotate tool, has been implemented.
==== Bop Service Order Delete Wait ====
When a delete BOP service order is processed, we now postpone deleting the data from NetYCE until BOP has confirmed that the order has actually succeeded.
==== BOP Line Transfer ====
Support has been built in for BOP Line Transfers. Node name changes are now properly handled with the right mapping files.
==== Extra BOP Error handling ====
The number of messages that we detect from BOP to determine if a request has gone wrong has been increased. We now also detect when the service order cannot be found in BOP, when there is an error in the routing policy, and when the service is already in use in the transport connection circuit.
==== BOP Migration ====
Support for the action 'migration', next to 'modify', is now available for BOP service orders.
==== Job Logs Form Simplification ====
The job logs form no longer expands a job's log when you click on it. Instead, it opens the full popup with all data.
==== Command job link to job files ====
The command job form now provides links for scheduled jobs that immediately open a popup with their job files.
==== Sidebar Renew ====
The sidebar on the GUI has been rewritten, as the original library used has been deprecated.
==== Config_diff scenario call simplification ====
The config_diff scenario call was outdated. It was originally meant to pull the config of a node and compare it to what we have in the database. However, we already always retrieve the config beforehand, so this function always returned true. The command has been simplified: it no longer compares, and running it just pulls the latest config from the node.
==== Backups node disabled syslog message ====
Whenever a node's backup polling status is set to disabled, a syslog message is sent.
==== Config restore unmark node ====
You can now toggle marked configs on or off in the config diff form.
==== Compliance email body ====
If an email is sent after a compliance check, the email body now contains the report body (truncated for very long reports).
==== Backups config restore button enhancement ====
The config restore button in the backups form now reboots the node after successfully restoring the configuration. It also now comes with a warning for users that any unsaved changes on the node will be undone.
==== Node name change form simplification ====
The node name change form was needlessly complex. At the moment, you can simply change the node name to what you want, without any restrictions from its node type.
\\
===== Change =====
==== Compliance condition options ====
Currently our conditions support a couple of options which only work when the Rule Start and/or Rule End are used. Therefore, we now hide those options when one of those fields is blank.
We have hidden the must contain lines and order options from compliance conditions that deal with the full config. We have also hidden the comments for ConfigText conditions.
/*==== Xchrest new endpoints ====
The new XchRest API is extended with new endpoints. For the CMDB manipulations six actions are now available supporting the full CRUD (create, read, update, delete) functionality.
Additionally, the XchRest API also includes partial support for ServiceTypes. Listing (and finding) service-types and retrieving the required parameter set of each is now available. Executing a service-type will become available soon.
The XchRest documentation can be requested from the NetYCE server using the URL "https://:8880/schema". Modify https into http if no ssl/tls is used.
*/
==== SSL Ciphers ====
The 'yce_setup' allows for choosing a 'hardening' of the available SSL/TLS versions and ciphers. However, only the Apache server on port 443 would limit the ciphers to those validated as 'strong'. The backend APIs on port 8080/8443 ('mojo' for the GUI) and 8880 ('xchrest' generic API) still allowed weaker ciphers like RC4.
The configurations for the 'mojo' and 'xchrest' backend APIs have been modified to use the same restricted 'strong' ciphers that were configured for the Apache web server.
==== Enabled tweaks: Export_action_logs, Export_config_logs, Export_task_logs by default ====
  * Export_action_logs log file is /var/opt/yce/logs/yce_action.log
  * Export_config_logs log file is /var/opt/yce/logs/yce_config.log
  * Export_task_logs log file is /var/opt/yce/logs/yce_task.log
==== Special directory to serve files through http without authentication ====
The http directory (/var/opt/shared/public/http/) can be used to serve files without authentication through download.pl.
The http directory is a special case: files in this directory can be accessed without authentication. For this reason, do not put any sensitive data in this directory.
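A check an administrator could run over this directory, as an added example that is not part of NetYCE: it flags files whose content looks sensitive and symlinks that resolve outside the directory. The marker patterns, the function names and the sample tree in `demo()` are assumptions made for illustration.

```python
import os
import re
import tempfile

PUBLIC_DIR = "/var/opt/shared/public/http/"  # path named in the release note

# Assumed markers for content that must not be served unauthenticated.
MARKERS = [
    ("private key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential line", re.compile(rb"(?im)^\s*(enable secret|password|username \S+ (password|secret))\b")),
    ("snmp community", re.compile(rb"(?im)^\s*snmp-server community \S+")),
]

def audit_public_dir(root=PUBLIC_DIR, max_bytes=1_000_000):
    """Return sorted (relative path, finding) pairs for risky entries under root."""
    findings = []
    real_root = os.path.realpath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            target = os.path.realpath(path)
            # A symlink resolving outside the directory may expose its target as well.
            if os.path.islink(path) and os.path.commonpath([real_root, target]) != real_root:
                findings.append((rel, "symlink leaves public directory"))
                continue
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
            findings += [(rel, label) for label, rx in MARKERS if rx.search(data)]
    return sorted(findings)

def demo():
    """Audit a constructed tree; every file body below is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        pub = os.path.join(tmp, "http")
        os.makedirs(os.path.join(pub, "images"))
        files = {
            "images/notes.txt": b"Release notes for a lab image\n",
            "edge-rtr-01.cfg": b"hostname edge-rtr-01\nenable secret 5 CONSTRUCTED\n",
            "server.pem": b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
        }
        for rel, body in files.items():
            with open(os.path.join(pub, rel), "wb") as fh:
                fh.write(body)
        os.symlink(tmp, os.path.join(pub, "up"))  # constructed link out of pub
        return audit_public_dir(pub)
```

Calling `audit_public_dir()` with no arguments scans the real directory; an empty result means none of the assumed markers matched, not that the content is safe to publish.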
==== Config Search tool ====
The tool to search for a string in a large number of configurations, "Config Search", is now integrated in the "Backups" dashboard. The new boxes for the Config search and its Results can be found below the Nodes grid of this page.
Some simplifications could be made as the node selection is largely accomplished using the filters of the node grid, but otherwise the functionality of the tool is unchanged.
==== Command rule edit response behaviour ====
When you created or edited a command rule, the behaviour used to be that whenever the daemon made a compliance check before the new command had been retrieved, it would mark the conditions in the rule as temporarily non-compliant. This was very annoying if you had set signals on non-compliance, because it would flood your system with non-issue calls. We now treat a rule as compliant for the time being until its command rule has been retrieved, and when you edit a command rule its older outdated reply will be removed from the database, in order to mitigate this issue.
==== Template empty Client type ====
The template form is now blank until you select a client type somewhere, instead of showing a bunch of empty grids.
==== Infoblox static dhcps ====
Our Infoblox adaptation has two new options: add_static-dhcp and clear_static_dhcp. These support Infoblox's static DHCP objects.
\\
===== Fix =====
/*
==== XchRest intermittent fail ====
Intermittently a call to the XchRest API failed with an 'internal server error' (code 500).
The problem was caused by an invalid call to cleanup function that removes expired OAuth tokens. This function is invoked every tenth request. The issue is resolved.
*/
==== Compliance checks ====
When changing the Domain value of a node, this change did not result in a re-scheduling of a compliance check.
For most compliance policies the actual Domain assigned to a node is not relevant, as the Domain is primarily used to retrieve the credentials needed for the configuration retrieval. But when policies use conditions where the configuration is tested against actual values associated with the Domain, a Domain change becomes very relevant for the compliance results.
Conditions in policies can access NetYCE variables using the syntax causing the condition to test against associated data. As the Domain is often used as such a source, compliance re-scheduling for the affected node is worthwhile. Therefore, the NCCM refresh flag now gets set when re-assigning a Domain of a node.
Of course, many other NetYCE objects other than Domain can be used in the conditions, and these will not trigger this compliance re-scheduling. For those cases the intended setup involves scheduled compliance policies that will be executed at fixed intervals regardless of changed variables or assigned objects.
==== Nccm submit ====
Configuration backups (Nccm) are normally retrieved from the network devices. For migration or integration purposes these configurations can also be submitted using the Xch api. However, when doing so for a new device, the new device and its config would not be displayed in the Backups form. Only after a different trigger to renew the polling selection (like adding a cmdb node manually) would the node show up in the grid.
Additionally, the Xch nccm submit call was extended to include a new optional attribute, ''nccm_polltime'', to override the polling timestamp of the submitted configuration. However, as with GIT and other 'diff' based storage engines, the NCCM cannot process submitted configurations out-of-order. The provided polling timestamps are mostly administrative and the submitted configuration is still considered the 'latest' superseding the previous. The option is useful mostly to submit a series of configurations taken at different historical moments.
/*
==== XchRest node list ====
The 'node' endpoint of the XchRest suffered from several shortcomings on its initial inclusion. This endpoint is intended to allow full create, read, update and delete (CRUD) functionality of the CMDB nodes, but will now support the read (list) function only. The filter, start and length attributes are included and the returned node records will no longer show error messages.
==== XchRest try-out ====
The Wiki article describing the [[guides:user:xchrest|XchRest API]] outlines the setup of a 'Postman' configuration to get familiar to with the use of this new API. It also refers to the on-line schema documentation but failed to point out that this documentation could not be used for actual transactions as the 'authorize' and 'Try it out' buttons advertize.
As it turns out, this on-line schema could be modified to support the required OAuth authorization and use the proper url's to get the 'try it out' functional. Using this interface to give the API a first look will be a helpful first step before experimenting with a Postman or Python approach.
On the subject of Python, a XchRest sample client will become available shortly thanks to the helpful submission by one of our customers.
*/
==== Jobs to trigger Compliance ====
Although executing a Command job on a node automatically creates configuration backups, the Nccm / Compliance was not triggered to re-evaluate any config changes this job accomplished.
Now, when a job completes, regardless of its status, the Nccm and Compliance are triggered.
==== Config diff layout fix ====
The config diff form in the Backups section had some layout issues when viewed in an extra wide or extra small window. This has been fixed.
==== Old form login expired redirect ====
When you lost a session in a form in the old layout, you were still redirected to the old login page. You will now be redirected to the new login page.
==== CMPL Dashboard sort fix ====
The grids in the Compliance Dashboard section accidentally sorted their numerical columns as if they were strings. They are now sorted numerically.
==== XSS & SQL injection fixes ====
A number of forms were vulnerable to Cross-Site-Scripting and SQL Injection attacks. This has been fixed now.
==== Software Version Not Compliant ====
When a condition that checks on a Software Version, Hostname or Node Model is not compliant, its report mentioned ''. This now has been changed to '', '', and '' respectively.
==== Compliance trigger for node incomplete ====
When a lot of nodes had their backups changed at the same time, leading to subsequent compliance checks, there was a bug where not all of them would be scheduled for compliance, therefore leading to an outdated compliance set. This has been fixed now.
==== Compliance rule start case sensitivity ====
The rule start and rule end of a compliance rule were sometimes evaluated case-sensitively, and sometimes not. They are now always evaluated case-insensitively.
==== Custom Data 1st Column Search ====
The first column of the Custom Data form sometimes had its search field removed. This is fixed.
==== Run compliance on config change fix ====
The "Run compliance on config change"-checkbox has been fixed.
==== CMDB Region Relation fix ====
The CMDB Region relation had a bug where it would always use the default region, so you could not specify custom regions. This is fixed.
==== Relation text context functions ====
The relation test broke when trying to use a relation with context functions. This is fixed.
==== Compliance node group delete ====
When you delete a node group, its compliance node groups are now deleted as well.
==== Wiki link fix ====
The link to the wiki in the right sidebar accidentally opened two windows with the wiki. This has been reduced to one.
==== Max timeouts for backups ====
The setting for the maximum number of timeouts after which the backups daemon disables a node was wrong if it had a default value. This is fixed.
==== Compliance rule start fix ====
Compliance's block detection's rule start did not work with cleartext values. This is fixed.