Last Modified: May 29, 2024
Affected Product(s):
F5OS (all modules)
Fixed In:
F5OS-C 1.6.0, F5OS-A 1.7.0, F5OS-A 1.5.0
Opened: Mar 17, 2023 Severity: 2-Critical
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.
Tenant becomes stuck in pending state.
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.
Two workarounds: 1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server. 2. Fix SELinux policy on the appliance: a. cp selinux module from /usr cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance b. Reboot the device reboot
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions. Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.