SL1 PowerFlow Platform Release Notes, version 3.0.0

SL1 PowerFlow Platform version 3.0.0 includes updates and enhancements to certify the platform as compliant for Military Unique Deployment (MUD). This release also enables you to migrate the operating system to Oracle Linux 8 (OL8).

Features

This section covers the features that are included in SL1 PowerFlow Platform version 3.0.0:

  • This release adds support for Oracle Linux 8 (OL8) in PowerFlow. Based on your PowerFlow configuration, you will need to perform a series of updates to convert your PowerFlow system to use OL8. These steps include running an automation script to convert your system to OL8 before upgrading to this release of PowerFlow. For more information, see Converting PowerFlow to Oracle Linux 8 in the SL1 PowerFlow Platform manual.
  • Updated the installation steps for installing PowerFlow to a cloud-based environment. For more information, see Installing PowerFlow via RPM to a Cloud-based Environment in the SL1 PowerFlow Platform manual.
  • Updated the SL1 PowerFlow: System Security Plan for Docker Enterprise and Configuring SL1 PowerFlow for Military Unique Deployment (MUD) documents to include updated configurations for Department of Defense Information Network (DoDIN) for this release of PowerFlow.
  • Enabled the ability for full-disk encryption for Military Unique Deployment (MUD) deployments of PowerFlow. To enable this feature, you will need to be able to access the physical machine where PowerFlow is running, or the virtual console in the case of a VMWare-type deployment. You will need to enter the disk encryption password before the actual operating system boots. You can only enable this feature through a console, not using SSH. The minimum password length is the same as the MUD minimum length of 15 characters.
  • Added user and session termination options for when a user that has valid access to PowerFlow is deleted or revoked. For more information, see Configuring Authentication Settings in PowerFlow in the SL1 PowerFlow Platform manual.
  • Updated the powerflowcontrol (pfctl) command-line utility with updated healthcheck actions and autoheal actions to support Oracle Linux 8 (OL8) and MUD. Version 2.7.9 of the pfctl utility is included in PowerFlow version 3.0.0.
  • The ispasswd script for changing passwords was deprecated and replaced by the new pfctl password set command. If you use the old ispasswd script, you will get a message telling you to use the new pfctl password set command instead.
  • Added a log message when a PowerFlow user encounters a session timeout.
  • This release supports Transport Layer Security (TLS) protocol version 1.3.
  • Updated and hardened the use of encryption protocols.
  • The following services are included in this release of PowerFlow:
  • contentapi. image: registry.scilo.tools/sciencelogic/pf-api:rhel3.0.0
  • couchbase. image: image: registry.scilo.tools/sciencelogic/pf-couchbase:6.6.0-11
  • dexserver. image: registry.scilo.tools/sciencelogic/pf-dex:2.37.1-8
  • flower. image: registry.scilo.tools/sciencelogic/pf-worker:rhel3.0.0
  • gui. image: registry.scilo.tools/sciencelogic/pf-gui:3.0.0
  • pypiserver. image: registry.scilo.tools/sciencelogic/pf-pypi:6.3.1-12
  • rabbitmq. image: registry.scilo.tools/sciencelogic/pf-rabbit:3.8.35-4
  • redis. image: registry.scilo.tools/sciencelogic/pf-redis:6.2.14-3
  • scheduler. image: registry.scilo.tools/sciencelogic/pf-worker:rhel3.0.0
  • steprunner. image: registry.scilo.tools/sciencelogic/pf-worker:rhel3.0.0
  • syncpacks_steprunner. image: registry.scilo.tools/sciencelogic/pf-worker:rhel3.0.0

Issues Addressed

The following issues were addressed in this release:

  • Updated the default sizes of the initial partitions: the new minimum storage size is 60 GB. Anything less will cause the automated installation to stop and wait for user input. Users can use the tmux application to navigate to the other panes and view the logs. In addition, at 100 GB and above, PowerFlow will no longer allocate all of the storage space, so you will need to allocate the rest of the space based on your specific needs. (Case: 00422394)

  • Updated the PyCryptodome Python library to version 3.20, which has a fix for CVE-2023-52323. (Case: 00412492)
  • Addressed an issue where some dialogs in the PowerFlow user interface did not display properly.

Known Issues

This release contains the following known issues:

  • The journald volatile storage takes part of the memory based on the environment memory size, which might cause undesired behavior in environments where the memory is highly used by PowerFlow services. PowerFlow uses journald volatile storage, which means that all logs are kept only in memory. (Case: 00347339)

    Total Memory Maximum memory used by journald
    16 GB About 800 MB
    24 GB About 1.2 GB
    32 GB About 1.6 GB
    64 GB About 3.2 GB

  • To check the size of journal logs on any PowerFlow version 2.2.x or later single node, run the following command:

    du -sh /run/log/journal

    For PowerFlow version 2.2.x, you can control those settings by updating the /etc/docker/daemon/json file and setting the log-opts max size in the json-file logging driver. For more information, see https://docs.docker.com/config/containers/logging/json-file/.

    For PowerFlow version 2.3 or later nodes, you can clear logs with the following command (this is automatically done when you run the healthcheck action):

    journalctl --vacuum-time=7d

    You can also configure journald logs settings by using the following command to enforce small size and time limits:

    sudo sed -i -e '/RuntimeMaxUse=/s/.*/RuntimeMaxUse=800M/' -e '/MaxRetentionSec/s/.*/MaxRetentionSec=2week/' /etc/systemd/journald.conf && sudo systemctl restart systemd-journald

    PowerFlow updates journald volatile limits to the following values, which can be changed if you want retain fewer or more logs:

    RuntimeMaxUse=800M

    MaxRetentionSec=2week

  • When upgrading to Couchbase version 6.6.0, the number of documents in the logs bucket could make the upgrade take longer, as a namespace upgrade is needed. ScienceLogic recommends that you flush the logs bucket if there are more than 300,000 documents that are taking up close to 2 GB of space in every node. Flushing the logs bucket will speed up the upgrade process. Otherwise, migrating a logs bucket of that size would take two to three minutes per node.

    Run the following command to flush the logs bucket after the PowerFlow version 2.6.0 RPM was installed, but before redeploying the PowerFlow Stack:

    pfctl --host <hostname><username>:<password> node-action --action flush_logs_bucket

    Alternately, you can flush the logs bucket manually using the Couchbase user interface.

  • If you get the "Error: No such option: --version Did you mean --json?" error message when running the pfctl --version command, you might have an older version of pfctl that was installed as a different user. To resolve this, be sure to install the powerflowcontrol (pfctl) utility version 3.0.7 as root with sudo, and remove any other versions installed by other users (isadmin or ec2-user): (Case: 00360512) 

    su isadmin

    pip3 uninstall -y iservicecontrol

  • For upgrades from PowerFlow version 2.2.x systems that have the localpkg_gpgcheck=1option enabled in /etc/yum.conf, the SL RPM Public Key is required. Please contact your ScienceLogic Customer Success Manager (CSM) or create a new Service Request case at https://support.sciencelogic.com/s in the "PowerFlow" category to request access to that key.
  • To avoid authentication issues, do not use the dollar sign ($) character as the first character in any of the passwords related to PowerFlow. You can use the $ character elsewhere in the password if needed.
  • In PowerFlow version 2.4.0 and later, if you enabled the latest authentication updates for the backend services, the RabbitMQ API is no longer available externally from the cluster. As a result, remote API requests directly to RabbitMQ might not work (the RabbitMQ user interface is still completely operational). As a workaround, if you require remote access to the RabbitMQ API, you can return to legacy behavior by setting the following gui environment variable: force_auth_validation: true. Alternatively, you may perform any api requests to rabbit directly from within the container. Remote RabbitMQ API access for internal authentication users will be enabled in a future release of PowerFlow.
  • The Workflow Health and Interconnectivity widget on the PowerFlow Control Tower page displays diagrams for PowerFlow applications and SyncPacks that have been deleted. To work around this issue, run the "PowerFlow Control Tower HealthCheck" application or wait for the next scheduled run of the application.
  • If your PowerFlow system uses self-signed certificates, you will need to manually accept the certificate before you can upload SyncPacks. Go to https://<IP address of PowerFlow>:3141/isadmin, accept the certificate, and then log into PowerFlow. After you log in, you will be able to upload SyncPacks.
  • The latest tag does not exist after the initial ISO installation. This situation only affects users with custom services that point to the latest tag. To work around this issue, run the tag latest script manually after running the ./pull_start_iservices.sh command:

python /opt/iservices/scripts/system_updates/tag_latest.py /opt/iservices/scripts/docker-compose.yml

System Requirements

The PowerFlow platform does not have a specific minimum required version for SL1 or AP2. However, certain SyncPacks for PowerFlow have minimum version dependencies, which are listed on the Dependencies for SL1 PowerFlow SyncPacks page.

Ports

The following table lists the PowerFlow ingress requirements:

Source Port Purpose

SL1 host

443

SL1 run book actions and connections to PowerFlow

User client

3141

Devpi access

User client

443

PowerFlow API

User client

5556

Dex Server: enable authentication for PowerFlow

User client

8091

Couchbase Dashboard

User client

15672

RabbitMQ Dashboard

User client

22

SSH access

The following table lists the PowerFlow egress requirements:

Destination Port Purpose

SL1 host

7706

Connecting PowerFlow to SL1Database Server

SL1 host

443

Connecting PowerFlow to SL1 API

Additional Considerations

Review the following list of considerations and settings before installing PowerFlow:

  • ScienceLogic highly recommends that you disable all firewall session-limiting policies. Firewalls will drop HTTPS requests, which results in data loss.
  • Starting with PowerFlow version 3.0.0, the minimum storage size for the initial partitions is 60 GB. Anything less will cause the automated installation to stop and wait for user input. You can use the tmux application to navigate to the other panes and view the logs. In addition, at 100 GB and above, PowerFlow will no longer allocate all of the storage space, so you will need to allocate the rest of the space based on your specific needs.
  • PowerFlow clusters do not support vMotion or snapshots while the cluster is running. Performing a vMotion or snapshot on a running PowerFlow cluster will cause network interrupts between nodes, and will render clusters inoperable.
  • The site administrator is responsible for configuring the host, hardware, and virtualization configuration for the PowerFlow server or cluster. If you are running a cluster in a VMware environment, be sure to install open-vm-tools and disable vMotion.
  • You can configure one or more SL1 systems to use PowerFlow to sync with a single instance of a third-party application like ServiceNow or Cherwell. You cannot configure one SL1 system to use PowerFlow to sync with multiple instances of a third-party application like ServiceNow or Cherwell. The relationship between SL1 and the third-party application can be either one-to-one or many-to-one, but not one-to-many.
  • The default internal network used by PowerFlow services is 172.21.0.1/16. Please ensure that this range does not conflict with any other IP addresses on your network. If needed, you can change this subnet in the docker-compose.yml file.

For more information about system requirements for your PowerFlow environment, see the System Requirements page at the ScienceLogic Support site at https://support.sciencelogic.com/s/system-requirements.

Installing or Upgrading PowerFlow

For detailed steps about installing or upgrading to this version of PowerFlow, see Installing and Configuring PowerFlow.

Due to the upcoming end of support for Oracle Linux 7, ScienceLogic strongly urges users to upgrade to Oracle Linux 8 (OL8). As such, only the OL8-based package and upgrade path is defined and provided. If you have extenuating circumstances and want to obtain an OL7-based install for PowerFlow 3.0.0, please contact your CSM or ScienceLogic support.

You should always upgrade to the most recent release of PowerFlow.