Bug ID 1496837: User-manager's ConfD socket getting closed.

Last Modified: Aug 10, 2024

Affected Product(s):
F5OS F5OS-A, F5OS-C (all modules)

Known Affected Versions:
F5OS-A 1.5.1

Fixed In:
F5OS-A 1.5.2

Opened: Jan 29, 2024

Severity: 1-Blocking

Symptoms

After repeatedly changing the network type and rebooting the device, the device enters a state in which user-manager no longer interacts with ConfD.

Impact

Any ConfD configuration change that goes through user-manager fails. This includes user password changes and remote GID changes.

Conditions

- Change the remote GID role and check whether the value is reflected in the '/etc/gid-map.txt' file.
- Switch the network type and reboot the device.

Repeat the above process until the '/etc/gid-map.txt' file is no longer updated correctly.

Workaround

Rebooting the system retrieves the correct GID value from ConfD and updates the '/etc/gid-map.txt' file.

Fix Information

The user-manager has no reason to use NSS to look up any PW/group info, as it deals exclusively with the local user database. Additionally, a ZMQ service that belongs in authentication-mgr (which understands remote authentication) currently lives in the user-manager container. That service forces user-manager to use an ‘/etc/resolv.conf’ that can reference remote sources. If the user-manager trips over a lookup that goes to LDAP (usually after a local-db miss), the lookup can be very slow and time out. The ConfD->user-manager channel is sensitive to slow responses, and ConfD shuts down any subscriber, callpoint handler, or daemon that takes over 15 to 30 seconds to respond. When this happens, the user-manager sees an EOF on its ConfD sockets. This fix forces the user-manager to look up entries only in local databases.
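The failure mode above is a local-database miss falling through to a remote source. The following added example (not F5 code and not part of the fix) audits a glibc-style `nsswitch.conf` for user and group databases where a miss would reach a non-local source. The file format, the `LOCAL_SOURCES` set, the function names and the sample text are assumptions, since the page does not say how the restriction is implemented.

```python
import re

# Assumption: glibc NSS backends that only read files on the host.
LOCAL_SOURCES = frozenset({"files", "db"})
CHECKED_DATABASES = ("passwd", "group", "shadow")

# Constructed sample, not taken from an F5OS system.
SAMPLE_NSSWITCH = """\
passwd:  files ldap
group:   files [NOTFOUND=return] ldap
shadow:  files
"""

def _stops_on_miss(token):
    """True if a bracketed action list makes a NOTFOUND result final."""
    verdict = "continue"  # glibc default action for NOTFOUND
    for action in token.strip("[]").lower().split():
        status, _, act = action.partition("=")
        negated_other = status.startswith("!") and status[1:] != "notfound"
        if status == "notfound" or negated_other:
            verdict = act  # later actions override earlier ones
    return verdict == "return"

def sources_tried_on_miss(text):
    """Return {database: [sources consulted when every earlier one misses]}."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, spec = line.split(":", 1)
        chain = []
        # A token is a source name or an action list such as [NOTFOUND=return].
        for token in re.findall(r"\[[^\]]*\]|\S+", spec):
            if not token.startswith("["):
                chain.append(token.lower())
            elif _stops_on_miss(token):
                break  # a local miss ends the lookup here
        result[database.strip().lower()] = chain
    return result

def remote_on_miss(text, databases=CHECKED_DATABASES):
    """Return {database: [non-local sources a missed lookup falls through to]}."""
    chains = sources_tried_on_miss(text)
    found = {db: [s for s in chains.get(db, []) if s not in LOCAL_SOURCES]
             for db in databases}
    return {db: srcs for db, srcs in found.items() if srcs}

if __name__ == "__main__":
    print(remote_on_miss(SAMPLE_NSSWITCH))
```

In the sample, only `passwd` is reported: the `group` line stops at `files` on a miss, so its `ldap` entry is reached only if the local source is unavailable.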

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips