Release Meridian-2023.1.1

Release 2023.1.1 is a bugfix release that also incorporates several documentation improvements, upgrades a couple of library dependencies, and improves how plugins are included in the container images.

The codename for Meridian 2023.1.1 is Cookie Monster.


  • Upgrade ActiveMQ to 5.15 (Issue NMS-12089)

  • Add documentation for using Scheduled Outages (Issue NMS-12621)

  • Meridian 2023 Testing (Issue NMS-15152)


  • Replace wiki links across all codebase (Issue NMS-13912)

  • dependabot: mockito 3.4.6 to 4.6.1 (Issue NMS-14586)

  • DOC: Timeseries Documentation (Issue NMS-14959)

  • DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)

  • Update dual write docs to clarify configuration (Issue NMS-15425)

  • PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)


  • Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)

  • Minion on Ubuntu fails to start (Issue NMS-15160)

  • Upgrade HikariCP to 5.x (Issue NMS-15171)

  • Docs: The "Housekeeping Tasks" page should not tell the user to always run on upgrade (Issue NMS-15296)

  • Elevation on Feather nav bar header casts undesirable shadow (Issue NMS-15367)

  • Docs: Update path reference for PostgreSQL config files (Issue NMS-15381)

  • opennms-karaf-health is not last in featuresBoot — might miss status for a few features (Issue NMS-15407)

  • Invalid syntax due to typo in provisiond snmp graph (Issue NMS-15434)


  • Number examples in service monitor chapters (Issue NMS-15215)

  • Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

  • Move the logic for downloading plugins into the Dockerfile (Issue NMS-15401)

  • Disable DEBs packages for Meridian 2023 (Issue NMS-15412)


  • Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)

Release Meridian-2023.1.0

Release 2023.1.0 is the first of the Meridian 2023 series, based on Horizon 31 and incorporating work done in that series and in Horizon 30.

This new major-version release introduces several breaking changes (see below).

Breaking Changes

  • The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.

  • The OpenNMS Plugin API (OPA) has been updated to 1.3.0. OPA plugins intended to run in Meridian 2023.1.0 must implement version 1.0.0 or higher.

  • The provisiond-configuration.xml file has been replaced with a new implementation based on the new configuration management API, which resides outside the filesystem. See What’s New in Meridian 2023 for more information.

  • Meridian Docker images are now based on a minimal install of Ubuntu, rather than CentOS. Symlinks are provided to match the old paths in /opt, but it’s possible you will run into subtle differences when transitioning.

  • The org.opennms.netmgt.collectd.strictInterval setting now defaults to true. See What’s New in Meridian 2023 for more information.

Known issues

The following known issues impact Meridian 2023.1.0; we expect all to be fixed in the next micro-version release:

  • Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding ROLE_REST to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention.

  • On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay in data starting to be persisted, or a hard failure necessitating a restarting of the core. See NMS-15326 for details.

  • The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.


The codename for Meridian 2023.1.0 is Kermit the Frog.


  • Remove image-related defaults from Docker container makefile (Issue NMS-13583)

  • Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)

  • Include Minion version on "Manage Minions" page (Issue NMS-14493)

  • Dependabot: leaflet from 1.7.1 to 1.8.0 (Issue NMS-14584)

  • Error compiling Cisco MIB (Issue NMS-14640)

  • Make the cloud connect plugin available in container images (Issue NMS-15012)

  • Data collection and graph definitions for provisiond performance (Issue NMS-15018)

  • Update docs to include RHEL 9 install instructions (Issue NMS-15147)

  • Test and Document Support for PostgreSQL 15 (Issue NMS-15151)

  • Make the ALEC plugin available in container images (Issue NMS-15349)

  • Make the Cortex TSS plugin available in container images (Issue NMS-15350)

  • Smoke test improvements and small tweaks to help developers (Issue NMS-15387)


  • Geo Map: Add content to the map marker pop up (Issue NMS-13698)

  • Uncontrolled Resource Consumption in Jackson-databind (Issue NMS-15030)

  • CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)

  • CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)

  • Vulnerable JUnit dependency (Issue NMS-15074)

  • RHEL9 installation documentation tab (Issue NMS-15079)

  • Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)

  • Add flow version table to Flow Introduction (Issue NMS-15158)

  • Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)

  • Change OpenNMS Copyright from 2022 to 2023 in the documentation footer (Issue NMS-15212)

  • JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)

  • JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)

  • JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)

  • Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

  • Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)

  • Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)

  • Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)

Unexpected Behavior

  • RPM packages fail to install when FIPS Enabled (Issue NMS-14628)

  • Link on Netflow9 to main Netflow doc is broken (Issue NMS-15144)


  • Missing /run/opennms on Ubuntu (Issue NMS-14650)

  • RRD persistence with default configs in our Horizon OCI points to wrong (Issue NMS-14778)

  • Chrome/Edge Web Browser : Geographical Map Node Counters are wrong (Issue NMS-14792)

  • OpenNMS opennms start fails on Ubuntu (Issue NMS-14838)

  • Multiple stored and reflected XSS in webapp (Issue NMS-14854)

  • horizon.oci contains more than one container image (Issue NMS-14896)

  • Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)

  • Form Resubmission From Cache (Issue NMS-14933)

  • XML Entity Expansion Injection in geolocation API (Issue NMS-14988)

  • Remove reference to remote pollers (Issue NMS-15017)

  • RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)

  • Default limit of 10 is not working for event queries (Issue NMS-15123)

  • Flows adapters don’t start on Sentinel running as a container. (Issue NMS-15161)

  • Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)

  • CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)

  • CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)

  • CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)

  • CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)

  • CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)

  • CVE-2021-21342 and 7 others for xstream (Issue NMS-15196)

  • CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)

  • CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)

  • CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)

  • CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)

  • CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)

  • CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)

  • CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)

  • CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)

  • CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)

  • Update docs TOC to include missing notification commands file (Issue NMS-15266)

  • Meridian 2023 old UI pages have Horizon Logo (Issue NMS-15281)

  • NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)

  • Poor contrast in navigation menu of OG UI (Issue NMS-15283)

  • Styling of Feather / Vue UI in Meridian does not match OG UI (Issue NMS-15284)

  • Stealing Cookies using Reflected XSS via graph results (Issue NMS-15292)

  • Sanitize request parameters in outage/list.htm (Issue NMS-15294)

  • Plaintext Password Present in the Web logs (Issue NMS-15305)

  • Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)

  • RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)

  • Dead transaction in flow thresholding on sentinel (Issue NMS-15340)

  • Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)

  • When we fail to start up, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)

  • ALEC plugin dependency update (Issue NMS-15391)


  • Revive PoweredBy section in new docs (Issue NMS-14703)

  • Modify foreign source in HeartbeatConsumer to ignore docker interfaces and detect SNMP agent (Issue NMS-14855)

  • SNMP Community retrieval through SCV on Minion (Issue NMS-15008)

  • Add JSON support (in additional to GBP) to the Kafka producer for flows (Issue NMS-15027)

  • Backport deploy-base update from develop to release-31.x (upgrades JRE minor version, adds vim-tiny, less) (Issue NMS-15046)

  • Add KPI for Appliance count by model (Issue NMS-15051)

  • Velocloud plugin 1.0 is compatible with Meridian 2023 (Issue NMS-15138)

  • ALEC 3.0 is compatible with Meridian 2023 (Issue NMS-15139)

  • Cortex TSS plugin 2.0.1 is compatible with Meridian 2023 (Issue NMS-15140)

  • Cloud services connector plugin is compatible with Meridian 2023 (Issue NMS-15141)

  • Geo Map node groups should split into individual markers (Issue NMS-15150)

  • Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)

  • Accessibility testing for rebranded Meridian 2023 UI (Issue NMS-15224)

  • Penetration testing for Meridian 2023 (Issue NMS-15225)

  • Meridian container images are signed (Issue NMS-15341)


  • Publish container images to a container registry other than DockerHub (Issue NMS-15091)

  • Meridian 2023 release testing (Issue NMS-15137)

  • Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)


  • Installation of Meridian Minion, Sentinel, Core and Node. (Issue NMS-15388)

  • Minion routes traffic to Core. (Issue NMS-15389)

  • Sentinel offloads flows from Core. (Issue NMS-15405)