v4.14 [December 2024]
Release Date: Q4 2024
Release Updates: Release v4.14
Release Themes: Eikon Preview, OpenShift Preview, and Security Updates
Executive Summary
In this release, RackN provides a preview of a new image-deploy tool, eikon. Eikon will one day replace the curtin-based image-deploy plugin and provides a more robust, extensible method for deploying images to machines. See more at Eikon Tech Preview.
Another focus of this release addresses security concerns around the Machine tokens used for executing tasks within the Machine runners. After customer input and internal review, it was decided to alter the scope and functionality of a machine token to reduce potential exploits. See more at Machine Token Update.
OpenShift is becoming a leading platform for container and virtualization management. With this release, RackN introduces a preview of an OpenShift deployment process. This preview is early, but introduces users to clustering concepts and a starting point for extending and customizing OpenShift deployments. See more at OpenShift Preview.
Important Notices
Note:
- Update sledgehammer and ubuntuhammer (if used); see Updating Sledgehammer
- Update containers (if used); see Install Context Containers with 'drpcli'
- Update all content to v4.14 to get the completed security fixes
Release Information
New for this release:
- v4.14 Eikon Tech Preview
- v4.14 Machine Token Update
- v4.14 OpenShift Preview
- v4.14 Provision / Bootstrap UX Wizard
- v4.14 Content Pack Generation Tools
- v4.14 Event Processing Performance and Filtering Enhancements
- v4.14 Python Client Library
- v4.14 Sledgehammer Update
- v4.14 Machine Migration Workflows
- v4.14 Agent User Deescalation
Vulnerabilities
Machine Token Update
The Machine and Create tokens generated by DRP have too many privileges and can lead to security issues. More information can be found at CVE-2024-RKN0002.
v4.14 updates the Machine token used by the runner to have fewer privileges than before. This requires runners to be updated and tokens to be reset.
The drpcli program will self-update on the next restart. This ensures that it gets the latest code.
A new workflow, rotate-token, is provided to replace the existing over-privileged token on the system with a more secure token.
Machines in sledgehammer or ubuntuhammer only have to be rebooted.
Once the endpoint is updated to v4.14 and the workflow has been executed on all machines, the system will use restricted machine tokens going forward.
Related security changes in this release:
- Parameters have been reviewed and some have been converted to secure parameters. These are auto-encrypted on restart.
- Preferences have been added to control token behavior and the static firewall:
  - staticFirewall - defaults to false - when set to true, the system only allows fileserver requests from defined subnets.
  - strictMachineToken - defaults to false - when set to true, removes the old token generation functions from the system.
Warning
RackN content has been updated to not use GenerateToken and GenerateInfiniteToken. These must be changed to GenerateMachineToken and GenerateInfiniteMachineToken in your content packs. The strictMachineToken preference will default to true in a future release.
Sledgehammer / Ubuntuhammer Updates
In order to avoid underlying security issues, sledgehammer and ubuntuhammer have been updated. Additional profiles have been added to enable backwards compatibility if you need to use the previous sledgehammer or ubuntuhammer. These updates are preventative.
Golang Updates
In order to reduce and attempt to prevent supply-chain attacks, RackN monitors the Go security announcement streams and updates the components that have reported issues. This release continues those updates.
Deprecations
Image-deploy plugin
While not deprecated in this release, the image-deploy plugin will eventually be deprecated in favor of eikon. Users should plan to explore the new functions of eikon while planning removal of image-deploy. RackN is looking for feedback on usage and issues.
Render Functions .GenerateToken and .GenerateInfiniteToken
For security reasons, these functions are being deprecated and will be removed in a future release. The next release will make them generate Machine tokens instead of their current broad token. After the following release, they will be removed.
To update your content packs, you will need to:
- Replace .GenerateToken with .GenerateMachineToken
- Replace .GenerateInfiniteToken with .GenerateInfiniteMachineToken
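The rename above is mechanical, so a script can audit and apply it across a whole unpacked content pack before re-bundling. The following shell script is an added example, not part of these release notes or of RackN's own tooling; it assumes the pack is an unpacked directory of plain-text files (templates, tasks, bootenvs) and that the calls appear as Go-template expressions such as `{{ .GenerateToken }}`. It also serves the Warning under Machine Token Update above, which points at the same rename.

```shell
#!/bin/sh
# Added example, not RackN's own tooling: locate and rewrite the render
# functions deprecated in v4.14 inside an unpacked content pack.
# Assumption: the pack is a directory tree of plain-text files (templates,
# tasks, bootenvs) that may contain Go-template calls such as
# {{ .GenerateToken }} or {{ .GenerateInfiniteToken }}.

# Print the files under the given directory that still call a deprecated
# token function, one path per line (empty output when none remain).
find_deprecated_token_calls() {
    grep -rlE '\.GenerateInfiniteToken|\.GenerateToken' "$1" 2>/dev/null || true
}

# Print how many deprecated calls remain under the directory (0 when clean).
count_deprecated_token_calls() {
    n=$(grep -rEo '\.GenerateInfiniteToken|\.GenerateToken' "$1" 2>/dev/null | wc -l)
    echo $((n))
}

# Rewrite every deprecated call to its Machine-token replacement:
#   .GenerateToken         -> .GenerateMachineToken
#   .GenerateInfiniteToken -> .GenerateInfiniteMachineToken
# Neither replacement contains the original name as a substring, so running
# the rewrite twice is harmless. Each file is rewritten through a temporary
# copy (portable between GNU and BSD sed) and copied back with cat so the
# original file keeps its permissions.
migrate_token_calls() {
    find_deprecated_token_calls "$1" | while IFS= read -r f; do
        tmp="$f.migrating.$$"
        sed -e 's/\.GenerateInfiniteToken/.GenerateInfiniteMachineToken/g' \
            -e 's/\.GenerateToken/.GenerateMachineToken/g' "$f" > "$tmp" \
            && cat "$tmp" > "$f" && rm -f "$tmp"
    done
}

# Build a small constructed sample pack in a temporary directory, migrate it
# and print the before/after counts. Returns non-zero if any call survived.
demo_migration() {
    pack=$(mktemp -d)
    mkdir -p "$pack/templates" "$pack/tasks"
    # Constructed sample files: only the shape matters, they are not from a real pack.
    printf '%s\n' 'TOKEN={{ .GenerateToken }}' 'LONG={{.GenerateInfiniteToken}}' \
        > "$pack/templates/agent-env.tmpl"
    printf '%s\n' 'Templates:' '  - Contents: |' '      export RS_TOKEN={{ .GenerateToken }}' \
        > "$pack/tasks/example-task.yaml"
    before=$(count_deprecated_token_calls "$pack")
    migrate_token_calls "$pack"
    after=$(count_deprecated_token_calls "$pack")
    echo "deprecated token calls before=$before after=$after"
    rm -rf "$pack"
    [ "$after" -eq 0 ]
}

demo_migration
```

Run `count_deprecated_token_calls <pack-dir>` as a gate before bundling: a non-zero count means templates in that pack will stop rendering once strictMachineToken is enabled. Remove the trailing `demo_migration` call to use the functions against a real unpacked pack.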
Removals
None known
FEATURES
Eikon Tech Preview
Eikon is a replacement for the image-deploy plugin using RackN's own deployment tooling and removes the need for curtin. Additional information can be found in Eikon Image Deploy and Eikon Architecture.
Eikon can be configured to use existing image-deploy parameters or new, richer parameters defined directly for eikon.
Content Pack Generation Tools
drpcli has been enhanced with a set of features to help learn and understand object models. This includes:
- Better documented objects; see Helpful Tips and Tricks
- Object generation from the command line; see Object Generation
- Content generation from the command line; see File Content Generation
Event Processing Performance and Filtering Enhancements
In order to scale event processing, plugins and websockets can now register filters with the server to reduce transmitting and marshalling overhead. Additional information is in Websocket Access and Plugin Build Quickstart.
Python Client Library
With this release, RackN is providing a Python client library for building scripts and automation against the DRP API. This augments our existing Go library. For more information, see Python Client Library and Go Client Library.
OpenShift Preview
Initial work has been done on an OpenShift deployment process. This preview allows for deploying OpenShift clusters using DRP. More information can be found at OpenShift Architecture and OpenShift Content Pack Operator Guide.
Sledgehammer Update
Sledgehammer has been updated to Alma 9.5 to ensure maximal hardware support and security updates. Additionally, an Alma 8.10 sledgehammer is provided as well, in case a fallback is needed.
Ubuntuhammer has been updated to 24.10 to ensure maximal hardware support and security updates.
Previous releases are provided as bootenv overrides as well.
Machine Migration Workflows
In previous releases, machine migration APIs were added to enable moving machines from one DRP endpoint to another. With this release, a Machine Migration workflow has been added to enable automated migration with optional removal and clean-up steps. More info at Automated Machine Migration.
Agent User Deescalation
In some situations, the administrator may wish the agent to continue running on the system, but with fewer privileges. While not recommended, some security postures require the agent to execute as a less privileged user. This function works post installation and configuration, and only works on Linux. See more at Agent Deescalation.
UX Improvements
UX Provision View
The UX has a Provision view in the left navigation bar that lets users focus on provisioning discovered machines.
UX PXE Bootstrap View
The UX provides a PXE boot bootstrap helper view in the left navigation bar that walks through all the components and configuration needed to set up a PXE boot environment.
Other Items of Note
- General install.sh clean-up and improvements
- Improve device blacklisting in sledgehammer to work around attached devices
- Add drpcli license subcommands for getting license info
- Fix a couple of content pack loading issues with read-write and duplicate objects
- Fix multiple race conditions on object writes when under heavy load
- Swagger UI has been updated with better interface and information
- Performance improvements around job processing
- Reduce memory in object marshalling
- Sledgehammer can boot in bonded networking environments.
- Continued bootenv updates for latest support.
- Added haproxy content pack for managing ha-proxy servers
- Update hardware tooling references
- Docs have been reorganized and continued to be filled out. Search is still a work in progress.
- UX log view performance has been improved.
- In the UX, many tables and editors were updated to reflect new object features and improvements.
- All the incremental fixes to previous releases. See Release Changes
Previous Release Features
- v4.13 Sledgehammer update is required for this release
- v4.13 Improvements in Media Attached Boot (no DHCP & PXE required)
- v4.13 DNS service (aka Zones) natively integrated into Digital Rebar
- v4.13 Audit Create and Update times for objects will be populated going forward. Existing objects will not be updated until new actions are taken.
- v4.13 Demotion of Runner to a non-root user permitted. See release note for WARNINGS!
- v4.13 Notice: ESXI bootenvs may fail with errors. Change the kernel line from "../../chain.c32" to "../../../chain.c32"
- v4.13 IP allocation management (IPAM) allows operators to better define and manage pools of IP addresses through the subnet definition system.
- v4.13 On-Demand Template Rendering for testing and development
- v4.13 HTTP/HTTPS Network Boot
- v4.13 ESXi8 support. NOTE: Access to signed VIB for SecureBoot requires permission from Broadcom/VMware.
- v4.13 Tech preview of monitoring services: Prometheus, Grafana, and Nagios
- v4.12 Sledgehammer has been updated for multiple platforms including ARM and Ubuntu and requires an updated ISO
- v4.12 Billing Plugin integrated into Core. If installed, it can be safely removed
- v4.12 ISO storage is now in a Digital Rebar managed read-only file system instead of being mapped to the endpoint's local storage. If needed, it can be disabled by setting RS_USE_ISOFS to false.
- v4.11 Discovery image now defaults to Alma Linux. Users upgrading Digital Rebar should also install and migrate to this new Sledgehammer.
- v4.11 Client certificate authentication is now off by default in v4.10 and v4.11. To enable it, add the --client-cert-auth flag or set RS_CLIENT_CERT_AUTH=true in the systemd configuration. install.sh has been updated for these options.
- v4.10 Debian-8 has been removed from the content pack.
- v4.10 To enable/disable read only Triggers, add the parameter trigger/<name of trigger>-[enabled|disabled]: true in the global profile. Search workorder trigger.
- v4.10 Fixed critical bug in event registration that caused system crash if request is malformed. This is a recommended dot upgrade for previous releases and was back ported to v4.6 and later releases.
- v4.10 Interactive labs can be used to explore and learn the latest Digital Rebar features.
- v4.10 EventToAudit plugin allows any event to be mapped to an audit log item.
- v4.9 Digital Rebar cannot run in a container when using features including Contexts, Brokers, Clusters, Multi-Site Manager and High Availability. These features all rely on Digital Rebar managing both its own lifecycle and driving containers. Running in a container prevents Digital Rebar from performing operations required for these features.
- v4.9 work_order_templates (preview in v4.8) have been renamed to be blueprints.
- v4.9 removal of the Centos mirrors require users to use an archival Centos8 mirror for Sledgehammer8.
- v4.9 format for content pack meta data changed, you must use the v4.9 drpcli to bundle v4.9 content.
- v4.8 Workflows relating to Clusters and Cloud_Wrappers have been significantly changed. Operators using those patterns should carefully review their implementation before upgrading.
- v4.8 Cleanup operation offers safer option than destroy by enabling pre-destroy actions by defining on-delete-workflow. Operators should migrate destroy to cleanup where possible.
- v4.8 Portal UX editing panels on several screens have been significantly changed. UXViews ability to limit machine field view/edit is no longer enabled in v4.8.
- v4.8 Context Containers need to be rebuilt for v4.8+ Docker Context so as to NOT inject a DRPCLI copy. To ensure that the DRPCLI version matches the DRP endpoint, the Docker Context will now automatically attach the correct DRPCLI to containers during the starting process. Search 4.8 contexts.
- v4.8 added Workflows relating to Clusters and Cloud_Wrappers have been significantly changed. Operators using those patterns should carefully review their implementation before upgrading.
- v4.7 added port 8090 to the list of ports required for provisioning operations. Please verify that port 8090 (default, this can be changed) is accessible for Digital Rebar endpoints.
- v4.7 changed the install zip format; the API-based upgrade of DRP to v4.7+ requires the most recent https://portal.RackN.io (v4.7 for self-hosted UX users) or DRPCLI v4.6.7+. The v4.7 install.sh upgrade process also includes these changes.
- v4.6 changed managing of signed certificates; the process for updating and importing certificates now requires using the DRPCLI or API to update certificates. See Certificate Operations for details.
Roadmap Items (unprioritized, planned for future release)
- Airgap Operational Improvements
- Improvements to managing and controlling DRP endpoints
- BootC installs
- Agentless ESXi Install - required for ESXi v8; this will replace the existing ESXi agent (drpy).
- IPv6 DHCP - provide DHCP services for IPv6 networks
- Restricted Access ISOs - allow authenticated users to download non-public ISOs managed by RackN