Changelog
Release Meridian-2023.1.1
Release 2023.1.1 is a bugfix release that also incorporates several documentation improvements, upgrades a couple of library dependencies, and improves how plugins are included in the container images.
The codename for Meridian 2023.1.1 is Cookie Monster.
Enhancement
- Replace wiki links across all codebase (Issue NMS-13912)
- dependabot: mockito 3.4.6 to 4.6.1 (Issue NMS-14586)
- DOC: Timeseries Documentation (Issue NMS-14959)
- DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)
- Update dual write docs to clarify configuration (Issue NMS-15425)
- PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)
Bug
- Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)
- Minion on Ubuntu fails to start (Issue NMS-15160)
- Upgrade HikariCP to 5.x (Issue NMS-15171)
- Docs: The "Housekeeping Tasks" page should not tell the user to always run fix-karaf-setup.sh on upgrade (Issue NMS-15296)
- Elevation on Feather nav bar header casts undesirable shadow (Issue NMS-15367)
- Docs: Update path reference for PostgreSQL config files (Issue NMS-15381)
- opennms-karaf-health is not last in featuresBoot — might miss status for a few features (Issue NMS-15407)
- Invalid syntax due to typo in provisiond snmp graph (Issue NMS-15434)
Task
- Number examples in service monitor chapters (Issue NMS-15215)
- Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
- Move the logic for downloading plugins into the Dockerfile (Issue NMS-15401)
- Disable DEBs packages for Meridian 2023 (Issue NMS-15412)
Epic
- Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)
Release Meridian-2023.1.0
Release 2023.1.0 is the first of the Meridian 2023 series, based on Horizon 31 and incorporating work done in that series and in Horizon 30.
This new major-version release introduces several breaking changes (see below).
Breaking Changes
- The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.
- The OpenNMS Plugin API (OPA) has been updated to 1.3.0. OPA plugins intended to run in Meridian 2023.1.0 must implement version 1.0.0 or higher.
- The provisiond-configuration.xml file has been replaced with a new implementation based on the new configuration management API, which resides outside the filesystem. See What’s New in Meridian 2023 for more information.
- Meridian Docker images are now based on a minimal install of Ubuntu, rather than CentOS. Symlinks are provided to match the old paths in /opt, but it’s possible you will run into subtle differences when transitioning.
- The org.opennms.netmgt.collectd.strictInterval setting now defaults to true. See What’s New in Meridian 2023 for more information.
Known issues
The following known issues impact Meridian 2023.1.0; we expect all to be fixed in the next micro-version release:
- Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding ROLE_REST to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention.
- On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay in data starting to be persisted, or a hard failure necessitating a restart of the core. See NMS-15326 for details.
- The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.
Shout-outs
- Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.
- Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.
- Thanks to Ricardo Monteiro for bringing the geo-map alarms problem NMS-15080 to our attention.
The codename for Meridian 2023.1.0 is Kermit the Frog.
Enhancement
- Remove image-related defaults from Docker container makefile (Issue NMS-13583)
- Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)
- Include Minion version on "Manage Minions" page (Issue NMS-14493)
- Dependabot: leaflet from 1.7.1 to 1.8.0 (Issue NMS-14584)
- Error compiling Cisco MIB (Issue NMS-14640)
- Make the cloud connect plugin available in container images (Issue NMS-15012)
- Data collection and graph definitions for provisiond performance (Issue NMS-15018)
- Update docs to include RHEL 9 install instructions (Issue NMS-15147)
- Test and Document Support for PostgreSQL 15 (Issue NMS-15151)
- Make the ALEC plugin available in container images (Issue NMS-15349)
- Make the Cortex TSS plugin available in container images (Issue NMS-15350)
- Smoke test improvements and small tweaks to help developers (Issue NMS-15387)
Task
- Geo Map: Add content to the map marker pop up (Issue NMS-13698)
- Uncontrolled Resource Consumption in Jackson-databind (Issue NMS-15030)
- CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)
- CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)
- Vulnerable JUnit dependency (Issue NMS-15074)
- RHEL9 installation documentation tab (Issue NMS-15079)
- Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)
- Add flow version table to Flow Introduction (Issue NMS-15158)
- Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)
- Change OpenNMS Copyright from 2022 to 2023 in the documentation footer (Issue NMS-15212)
- JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)
- JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)
- JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)
- Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
- Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)
- Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)
- Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)
Bug
- Missing /run/opennms on Ubuntu (Issue NMS-14650)
- RRD persistence with default configs in our Horizon OCI points to wrong libjrrd2.so (Issue NMS-14778)
- Chrome/Edge Web Browser : Geographical Map Node Counters are wrong (Issue NMS-14792)
- OpenNMS opennms start fails on Ubuntu (Issue NMS-14838)
- Multiple stored and reflected XSS in webapp (Issue NMS-14854)
- horizon.oci contains more than one container image (Issue NMS-14896)
- Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)
- Form Resubmission From Cache (Issue NMS-14933)
- XML Entity Expansion Injection in geolocation API (Issue NMS-14988)
- Remove reference to remote pollers (Issue NMS-15017)
- RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)
- Default limit of 10 is not working for event queries (Issue NMS-15123)
- Flows adapters don’t start on Sentinel running as a container. (Issue NMS-15161)
- Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)
- CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)
- CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)
- CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)
- CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)
- CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)
- CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)
- CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)
- CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)
- CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)
- CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)
- CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)
- CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)
- CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)
- CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)
- CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)
- Update docs TOC to include missing notification commands file (Issue NMS-15266)
- Meridian 2023 old UI pages have Horizon Logo (Issue NMS-15281)
- NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)
- Poor contrast in navigation menu of OG UI (Issue NMS-15283)
- Styling of Feather / Vue UI in Meridian does not match OG UI (Issue NMS-15284)
- Stealing Cookies using Reflected XSS via graph results (Issue NMS-15292)
- Sanitize request parameters in outage/list.htm (Issue NMS-15294)
- Plaintext Password Present in the Web logs (Issue NMS-15305)
- Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)
- RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)
- Dead transaction in flow thresholding on sentinel (Issue NMS-15340)
- Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)
- When we fail to start up, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)
- ALEC plugin dependency update (Issue NMS-15391)
Story
- Revive PoweredBy section in new docs (Issue NMS-14703)
- Modify foreign source in HeartbeatConsumer to ignore docker interfaces and detect SNMP agent (Issue NMS-14855)
- SNMP Community retrieval through SCV on Minion (Issue NMS-15008)
- Add JSON support (in addition to GBP) to the Kafka producer for flows (Issue NMS-15027)
- Backport deploy-base update from develop to release-31.x (upgrades JRE minor version, adds vim-tiny, less) (Issue NMS-15046)
- Add KPI for Appliance count by model (Issue NMS-15051)
- Velocloud plugin 1.0 is compatible with Meridian 2023 (Issue NMS-15138)
- ALEC 3.0 is compatible with Meridian 2023 (Issue NMS-15139)
- Cortex TSS plugin 2.0.1 is compatible with Meridian 2023 (Issue NMS-15140)
- Cloud services connector plugin is compatible with Meridian 2023 (Issue NMS-15141)
- Geo Map node groups should split into individual markers (Issue NMS-15150)
- Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)
- Accessibility testing for rebranded Meridian 2023 UI (Issue NMS-15224)
- Penetration testing for Meridian 2023 (Issue NMS-15225)
- Meridian container images are signed (Issue NMS-15341)