SL1 PowerFlow Platform Release Notes, version 2.4.0

SL1 PowerFlow Platform version 2.4.0 includes updates to the PowerFlow Control Tower page and the PowerFlow builder page, and new authentication and authorization options for PowerFlow services, including Couchbase and RabbitMQ.

Unless mentioned elsewhere in the documentation, PowerFlow SyncPacks do not require a specific version of the PowerFlow Platform.

Features

This section covers the features that were included in "PowerFlow Platform" version 2.4.0.

PowerFlow Control Tower

  • You can customize the content that displays in the Favorite Applications widgets on the PowerFlow Control Tower page.
    • When you click the Favorite icon for a PowerFlow application, you can select one or more Favorite Applications widgets to display the selected application.
    • If you hover over the Run button for a favorite application in a Favorite Applications widget, you can select Custom Run to open the Custom Run dialog, where you can specify logging levels, the configuration object, and custom parameters for the run.
    • The Info button at the top right of the Favorite Applications widget displays a pop-up message with data for the Timestamp, Number of Runs to Display, and the Queue for the widget.
    • If you want to display more than one set of favorite applications, you can click the Duplicate the Widget button at the top of the Favorite Applications widget to make a copy.
    • If you have a favorite application in more than one set of favorite applications, when you run that application, the animations for the run display in all of the relevant widgets.
    • You can update the widget name, size, number of runs to display, and other data for a Favorite Applications widget by clicking the Actions button at the top right of the Favorite Applications widget and selecting Configure. You can also specify a queue for running the applications on the Configuration pane.
    • To reorder the applications in the Favorite Applications widget, click the Actions button at the top right of the widget and select Reorder Items. Use the up and down arrows to arrange the applications, and click Save when you are done.
  • The System Health widget displays an image that shows the progress of data loading in the widget.
  • If the newest data is unavailable, the System Health widget displays the last available data.
  • A message will display in the PowerFlow user interface if the Workflow Health and Interconnectivity widget or the System Health widget detects a missing or misconfigured SyncPack. For more information, see Configuring the System Health Widget.
  • The "PowerFlow Control Tower Healthcheck" Application supports using SSH keys for collecting data from a PowerFlow node. You must select the use_ssh_key option on the Configuration pane for the HealthCheck application to use the ssh_key application variable that is defined in the aligned configuration object.
  • The /api/v1/me/widgets endpoint was added to the PowerFlow API. This endpoint supports the following methods:
    • GET /widgets. Returns a list of all installed widgets used on the PowerFlow Control Tower page.
    • GET /widgets/{widget_id}. Returns a specific widget using the specified widget ID.
    • POST /widgets/{widget_id}. Creates a new widget or updates an existing one.
    • DELETE /widgets/{widget_id}. Deletes the specified widget.
  • The new Workflow Health and Interconnectivity widget on the PowerFlow Control Tower page lets you monitor the connectivity of the third-party applications that you are integrating with SL1.

  • On the Workflow Health and Interconnectivity widget, you can hover over an endpoint on the widget to view additional information, including the health, last run and the SyncPacks used by the endpoint.

  • You can customize the All Tasks, Workers, and Applications charts on the PowerFlow Control Tower page to change the type of chart, status type, data type, and timeframe for each set of charts.

    Due to a compatibility issue, do not use Base Steps SyncPack version 1.4.1 with System Utils SyncPack version 1.1.2.

    If you are using SSH keys to connect to the PowerFlow Control Tower, you will need Base Steps SyncPack version 1.4.1 or later.

  • The PowerFlow Control Tower requires the following SyncPack versions:
    • Base Steps SyncPack version 1.4.2 or later.
    • System Utils SyncPack version 1.1.3 or later. The System Health and other widgets will not be populated until the System Utils SyncPack is installed.
    • Flow Control SyncPack version 1.0.1 or later.

Authentication and Authorization for Services Used by PowerFlow

  • The PowerFlow administrator can control the level of access to the specific PowerFlow services, including Couchbase and RabbitMQ. Authentication for these services is provided by Dex authentication, which is already used for role-based access control (RBAC) in PowerFlow.
  • Couchbase authentication. To access the Couchbase user interface, a user must log in to PowerFlow first, using his or her PowerFlow credentials. If the user is authorized to access the Couchbase user interface, the user can add port "8091" to the PowerFlow URL, and the user will be automatically redirected to the Couchbase user interface.
  • Couchbase authorization. The roles and user groups defined in PowerFlow are applied to the Couchbase user interface based on the default user group policies. The PowerFlow administrator can update these user policies to specify which groups can access Couchbase. Couchbase authorization uses the following default permissions:
    • Administrator. The user has access to all resources at all levels.
    • Developer. The user can add and edit buckets and documents, but the user cannot delete anything.
    • Configuration. The user can add and delete indexes and add nodes to Couchbase.
    • Execute. The user has read-only access.
    • View. The user cannot log in to the Couchbase user interface. This was explicitly set that way as Couchbase is the main database for PowerFlow.
  • RabbitMQ authentication. RabbitMQ authentication works the same as PowerFlow authentication and Couchbase authentication.
  • RabbitMQ authorization. RabbitMQ authorization uses the following default permissions:
    • Administrator: The user has access to all resources, at all levels, and the user can create internal users and policies. These policies do not impact PowerFlow users.
    • Developer: The user can create resources and read all resources on all vhosts.
    • Configuration: The user can create queues and exchanges only in the default vhost, but the user can read queues and exchanges on all vhosts.
    • Execute: The user can read queues and exchanges on all vhosts, but the user cannot create or configure any resources.
    • View: The user can only view queues and exchanges on the default vhost.
  • If you want to disable the auto-login feature for RabbitMQ and Couchbase, you can set the force_auth_validation environment variable to "true" under the GUI container configurations in the docker-compose file. Setting this variable to "true" allows you to access the Couchbase or RabbitMQ user interface to address issues without needing to authorize. If the flag is missing or set to "false", the auto-login feature continues to work.

Updates to the PowerFlow User Interface

  • The flowcharts in the PowerFlow builder were updated to include new drop-down menus in steps and a "picture-in-picture" (PIP) feature for Trigger steps that displays the flowchart for a child application in a small pop-up window.
  • You can now clear specific pop-up notifications in the PowerFlow user interface.

Additional Features

  • When installing PowerFlow from an ISO, you can now install open-vm-tools by selecting Yes for the "Installing Into a Vmware Environment" option in the installation wizard.
  • For large environments, you can replicate the PowerFlow Devpi Server, which is the internal Python package repository. Creating Devpi Server replicas prevents multiple syncpacks_steprunners from attempting to access a single Devpi Server at the same time, which might cause failures when creating or recreating SyncPack virtual environments. For more information, see the "Scaling the PowerFlow Devpi Server" topic in Appendix B: Configuring the PowerFlow System for Multi-tenant Environments in the SL1 PowerFlow Platform manual. (Case: 00195538)

    The Devpi Server is deployed as the pypiserver service on a PowerFlow stack.

  • You can request cache documents using the API endpoint GET /api/v1/cache/{cache_key}, but only if this cache document was explicitly saved to be exposed to the API. You will need to save the cache document using the latest version of the "SaveToCache" step in the Base Steps SyncPack. This step has a new step_parameter called "read_from_api" that lets you decide whether the cache document can be requested from the API.
  • This release includes updates that address the common vulnerabilities and exposures (CVEs) identified since the last release of PowerFlow.
  • The following services are included in this release of PowerFlow:
    • contentapi. image: sciencelogic/pf-api:rhelrelease-2.4.0
    • couchbase. image: sciencelogic/pf-couchbase:6.0.2-7
    • dexserver. image: sciencelogic/pf-dex:2.22.0-4
    • flower. image: sciencelogic/pf-worker:rhelrelease-2.4.0
    • gui. image: sciencelogic/pf-gui:release-2.4.0-ubi7
    • pypiserver. image: sciencelogic/pf-pypi:6.3.1-7
    • rabbitmq. image: sciencelogic/pf-rabbit:3.8.28-3
    • redis. image: sciencelogic/pf-redis:6.0.4-2
    • scheduler. image: sciencelogic/pf-worker:rhelrelease-2.4.0
    • steprunner. image: sciencelogic/pf-worker:rhelrelease-2.4.0
    • syncpacks_steprunner. image: sciencelogic/pf-worker:rhelrelease-2.4.0
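
The following audit is an added example, not ScienceLogic code: it compares the image tags in a docker-compose.yml against the service list above and reports whether the gui service's force_auth_validation setting leaves auto-login enabled, as described in the authentication section. The sample file, the OLD-TAG placeholder, and the function names are constructed for illustration, and the reader assumes two-space indentation.

```python
import re

# Images listed for PowerFlow 2.4.0 in these release notes.
WORKER = "sciencelogic/pf-worker:rhelrelease-2.4.0"
EXPECTED = {
    "contentapi": "sciencelogic/pf-api:rhelrelease-2.4.0",
    "couchbase": "sciencelogic/pf-couchbase:6.0.2-7",
    "dexserver": "sciencelogic/pf-dex:2.22.0-4",
    "gui": "sciencelogic/pf-gui:release-2.4.0-ubi7",
    "pypiserver": "sciencelogic/pf-pypi:6.3.1-7",
    "rabbitmq": "sciencelogic/pf-rabbit:3.8.28-3",
    "redis": "sciencelogic/pf-redis:6.0.4-2",
    "flower": WORKER, "scheduler": WORKER,
    "steprunner": WORKER, "syncpacks_steprunner": WORKER,
}

# Constructed sample, not a real PowerFlow compose file; OLD-TAG is a placeholder.
SAMPLE = """\
services:
  gui:
    image: sciencelogic/pf-gui:release-2.4.0-ubi7
    environment:
      force_auth_validation: "true"
  rabbitmq:
    image: sciencelogic/pf-rabbit:OLD-TAG
"""

def parse_services(text):
    """Minimal reader; assumes 2-space indentation (hypothetical helper)."""
    services, top, name, section = {}, None, None, None
    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip())
        m = re.match(r"-?\s*([\w.]+)\s*[:=]\s*(.*)$", raw.split(" #")[0].strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip("\"' ")
        if indent == 0:
            top, name = key, None
        elif indent == 2 and top == "services":
            name, section = key, None
            services[name] = {"env": {}}
        elif indent == 4 and name:
            section = key
            services[name][key] = val
        elif indent >= 6 and name and section == "environment":
            services[name]["env"][key] = val
    return services

def audit(text):
    """Return (image_drift, auto_login_enabled); a missing flag counts as "false"."""
    services = parse_services(text)
    drift = {s: v.get("image") for s, v in services.items()
             if s in EXPECTED and v.get("image") != EXPECTED[s]}
    flag = services.get("gui", {}).get("env", {}).get("force_auth_validation", "false")
    return drift, flag.lower() != "true"
```

Calling audit() on the text of a compose file returns the services whose image differs from the 2.4.0 list and a Boolean for whether auto-login to the Couchbase and RabbitMQ user interfaces is still in effect.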

Issues Addressed

The following issues were addressed in version 2.4.0:

  • Updated the PowerFlow builder to prevent users from editing a step in a published SyncPack. If you want to edit a step in a published SyncPack, you can create a new step using the code from the existing step. (Case: 00192292)

  • Addressed an issue where PowerFlow could not get step data from the "Pull and Process SL1 Orgs" step. (Case: 00194044)
  • Addressed an issue where the self.version function did not always return the correct version when it was called in a step that was not part of a SyncPack. (Case: 00194044. Jira ID: EM-45576)
  • Addressed an issue where the Timeline filter in the PowerFlow user interface did not reset properly when you navigated away from a specific PowerFlow application. (Case: 00205625)
  • Addressed an issue where RabbitMQ did not auto cluster properly. RabbitMQ can now accept configuration variables to avoid a startup race condition between nodes. You can set the TIMEOUT: 30 environment variable for RabbitMQ secondary nodes. You can also set the stop_grace_period: 20s for the RabbitMQ service to make sure that the cluster always starts with the first node, which prevents the following scenario from occurring: https://www.rabbitmq.com/cluster-formation.html#discovery-retries. (Case: 00257504)
  • To address an issue where the number of tasks listed in the PowerFlow and Flower dashboards do not match the Task List, you can set the FLOWER_MAX_TASKS environment variable in the PowerFlow docker-compose file to 20,000 tasks or higher. (Case: 00201243)

    For example:

    flower:
      environment:
        ...
        worker_type: flower
        FLOWER_MAX_TASKS: 20000

  • Addressed an issue where you could not delete a PowerFlow schedule that had a forward slash "/" in its name. (Case: 00213109)
  • Updated the SL1 PowerFlow Platform manual with more information about installing SSL certificates in an environment with a load balancer and more information about the fields needed in the certificates. (Cases: 00236969, 00232993, 00230645)
  • Added a new topic about replica settings to the "Configuring the PowerFlow System for High Availability" Appendix in the SL1 PowerFlow Platform manual. (Case: 00231885)
  • Addressed an issue where Boolean (True/False) values were not successfully toggled to False in the PowerFlow user interface.
  • The Configuration pane for a PowerFlow application can now display the "\n" character.

Known Issues

This release contains the following known issues:

  • When attempting to upgrade PowerFlow to version 2.2.x, 2.3.x, or 2.4.x, the RabbitMQ user interface might become inaccessible due to an incorrect RabbitMQ version in the docker-compose.yml file. This issue is addressed in PowerFlow version 2.5.0, so ScienceLogic recommends that you upgrade to version 2.5.0.
  • For Military Unique Deployments of PowerFlow only, an encrypted password that is longer than 24 characters will generate an error. This issue is addressed in the PowerFlow Platform version 2.6.0.
  • In PowerFlow version 2.4.0 and later, if you enabled the latest authentication updates for the backend services, the RabbitMQ API is no longer available externally from the cluster. As a result, remote API requests directly to RabbitMQ might not work (the RabbitMQ user interface is still completely operational). As a workaround, if you require remote access to the RabbitMQ API, you can return to legacy behavior by setting the following gui environment variable: force_auth_validation: true. Alternatively, you can perform any API requests to RabbitMQ directly from within the container. Remote RabbitMQ API access for internal authentication users will be enabled in a future release of PowerFlow.

  • The Workflow Health and Interconnectivity widget on the PowerFlow Control Tower page displays diagrams for PowerFlow applications and SyncPacks that have been deleted. To work around this issue, run the "PowerFlow Control Tower HealthCheck" application or wait for the next scheduled run of the application.

  • If your PowerFlow system uses self-signed certificates, you will need to manually accept the certificate before you can upload SyncPacks. Go to https://<IP address of PowerFlow>:3141/isadmin, accept the certificate, and then log into PowerFlow. After you log in, you will be able to upload SyncPacks.

  • The latest tag does not exist after the initial ISO installation. This situation only affects users with custom services that point to the latest tag. To work around this issue, run the tag latest script manually after running the ./pull_start_iservices.sh command:

    python /opt/iservices/scripts/system_updates/tag_latest.py /opt/iservices/scripts/docker-compose.yml

System Requirements

PowerFlow Platform version 2.2.1 and later requires version 1.3.1 or later of the Base Steps SyncPack. This version includes an update to the "Query REST" step that prevents issues with scheduled PowerFlow applications. You can download the latest version of this SyncPack from the PowerPacks page of the ScienceLogic Support Site.

The PowerFlow builder is available as part of an SL1 Premium solution. To upgrade, contact ScienceLogic Customer Support. For more information, see https://sciencelogic.com/pricing.

The PowerFlow platform does not have a specific minimum required version for SL1 or AP2. However, certain SyncPacks for PowerFlow have minimum version dependencies, which are listed on the Dependencies for SL1 PowerFlow SyncPacks page.

Ports

The following table lists the PowerFlow ingress requirements:

Source        Port    Purpose
SL1 host      443     SL1 run book actions and connections to PowerFlow
User client   3141    Devpi access
User client   443     PowerFlow API
User client   5556    Dex Server: enable authentication for PowerFlow
User client   8091    Couchbase Dashboard
User client   15672   RabbitMQ Dashboard
User client   22      SSH access

The following table lists the PowerFlow egress requirements:

Destination   Port    Purpose
SL1 host      7706    Connecting PowerFlow to SL1 Database Server
SL1 host      443     Connecting PowerFlow to SL1 API

Additional Considerations

Review the following list of considerations and settings before installing PowerFlow:

  • ScienceLogic highly recommends that you disable all firewall session-limiting policies. Firewalls will drop HTTPS requests, which results in data loss.
  • Starting with PowerFlow version 3.0.0, the minimum storage size for the initial partitions is 60 GB. Anything less will cause the automated installation to stop and wait for user input. You can use the tmux application to navigate to the other panes and view the logs. In addition, at 100 GB and above, PowerFlow will no longer allocate all of the storage space, so you will need to allocate the rest of the space based on your specific needs.
  • PowerFlow clusters do not support vMotion or snapshots while the cluster is running. Performing a vMotion or snapshot on a running PowerFlow cluster will cause network interrupts between nodes, and will render clusters inoperable.
  • The site administrator is responsible for configuring the host, hardware, and virtualization configuration for the PowerFlow server or cluster. If you are running a cluster in a VMware environment, be sure to install open-vm-tools and disable vMotion.
  • You can configure one or more SL1 systems to use PowerFlow to sync with a single instance of a third-party application like ServiceNow or Cherwell. You cannot configure one SL1 system to use PowerFlow to sync with multiple instances of a third-party application like ServiceNow or Cherwell. The relationship between SL1 and the third-party application can be either one-to-one or many-to-one, but not one-to-many.
  • The default internal network used by PowerFlow services is 172.21.0.1/16. Please ensure that this range does not conflict with any other IP addresses on your network. If needed, you can change this subnet in the docker-compose.yml file.

For more information about system requirements for your PowerFlow environment, see the System Requirements page at the ScienceLogic Support site at https://support.sciencelogic.com/s/system-requirements.

Installing or Upgrading PowerFlow

For detailed steps about installing or upgrading to this version of PowerFlow, see Installing PowerFlow or Upgrading PowerFlow.