Hitachi NAS Platform 13.9.7021.04 Release Notes
About this document
This document (RN-92HNAS051-01, December 2021) provides late-breaking information about NAS Platform 13.9. It includes information that was not available at the time the technical documentation for this product was published, as well as a list of known problems and solutions.
Intended audience
This document is intended for customers and Hitachi Vantara partners who license and use NAS Platform.
Accessing product documentation
Product user documentation is available on the Hitachi Vantara Support Website: https://knowledge.hitachivantara.com/Documents. Check this site for the most current documentation, including important updates that may have been made after the release of the product.
Accessing product downloads
Product software, drivers, and firmware downloads are available on the Hitachi Vantara Support Website: https://support.hitachivantara.com/.
Log in and select Product Downloads to access the most current downloads, including important updates that may have been made after the release of the product.
About this release
This release is a maintenance release that resolves multiple known problems.
The specific build is server update (SU) 13.9.7021.04, and system management unit (SMU) 13.9.7021.04.
NAS operating system, which includes server update 13.9.7021.04 and SMU 13.9.7021.04, supports the following models:
· Hitachi NAS Platform 5200, 5300
· Hitachi NAS Platform 4040, 4060, 4080, 4100
The topics in this document could also be relevant to VSP F/G Series (running SVOS 7.4.0), and VSP N Series (running SVOS 7.4.1), by taking note of the NAS module version.
| Note: When upgrading to 13.9, it is advisable to refer to the corresponding release notes of each intervening version to be aware of any new features, special notes and considerations. |
Document history
| Revision | Description |
| 92HNAS047-00 | Initial release of SU version 13.9.6420.10 (HNAS 5000 series only) |
| 92HNAS047-01 | Release of SU version 13.9.6420.13 (HNAS 5000 series only) |
| 92HNAS048-00 | Release of SU version 13.9.6628.07 |
| 92HNAS049-00 | Release of SU version 13.9.6815.02 |
| 92HNAS050-00 | Release of SU version 13.9.6918.02 |
| 92HNAS050-01 | Release of SU version 13.9.6918.05 |
| 92HNAS050-02 | Release of SU version 13.9.6918.09 |
| 92HNAS051-00 | Release of SU version 13.9.7021.01 |
| 92HNAS051-01 | Release of SU version 13.9.7021.04 |
New features
This section describes the key features in version 13.9, and other recently released features. Please refer to the NAS user guides for details on using these features.
For features introduced after the initial 13.9 release, which may not be covered in the published guides, documentation amendments can be found on the Additional Notes page. This page is linked to from the main NAS Platform documentation page (https://knowledge.hitachivantara.com/Documents/Storage/NAS_Platform).
TLS/SSL certificate changed
First available in 13.8.6320.10
The default self-signed TLS/SSL certificate has been enhanced to support https://support.apple.com/en-us/HT210176. To provoke the certificate to be recreated, for Bali’s SOAP and REST servers and the embedded SMU use the following command as supervisor at the Bali prompt:
tls-certificate-create-custom --confirm
And for the external SMU use the following command as root at the Linux prompt on the SMU:
cert-gencustom.sh
Hitting Enter to accept all the defaults will work, except at the two confirmation prompts. Do not be tempted to increase the "Number of days the certificate should be considered valid" beyond the limit in https://support.apple.com/en-us/HT210176.
Secure RPC for NetLogon connections
First available in 13.8.6320.10
Secure RPC for NetLogon has been introduced so that HNAS can interoperate with Microsoft's fix for CVE-2020-1472, "Netlogon Elevation of Privilege Vulnerability", which requires the use of secure RPC between domain members and DCs.
Please ensure the smb-max-supported-version is set to at least SMB2.
SMU hardening
First available in 13.9.6628.07
This release includes improvements related to hardening the SMU and SMU security.
No additional configuration is required in order to use the feature.
The feature is supported on both Internal and External SMUs.
Micro-pruning
First available in 13.9.6815.02
Micro-pruning is supported over SMB.
No additional configuration is required to use this feature. The feature allows existing files to be made sparse, i.e. to delete data and free space within them.
Operations to mark a file as sparse (FSCTL_SET_SPARSE), to prune a file (FSCTL_SET_ZERO_DATA) and to query allocated ranges of a file (FSCTL_QUERY_ALLOCATED_RANGES) are supported over SMB version 2 and above.
Native REST API
First available in 13.9.6815.02
A new native REST API mode has been introduced, and will be used for future API improvements and features, replacing the previous legacy REST API versions.
The maximum supported API version remains at version 7, and the new native API implements all the existing version 7 API calls. The native API introduces read-only access via API key and USER level management users, and some small detail changes, including bug fixes. The new rest-server-mode command allows switching between the legacy API and new native API.
More details can be found in the API document MK-92HNAS088-04.
Automatic barring of SMB clients repeatedly using incorrect passwords
First available in 13.9.6918.02
Provides a facility that maintains a list (per security context) of client IP addresses that are barred from SMB/SMB2.x/SMB3 access to the server. Clients that cause SMB NTLM authentication failures by providing an incorrect password are automatically added to the list if the rate of failure is sufficient. Automatic barring of clients is enabled by default, and a (paced) event is generated when a client is barred.
No initial configuration of the feature is required, however the barred clients list can be managed if necessary using the following Bali commands:
smb-barred-client-add
smb-barred-client-remove
smb-barred-clients-list
smb-barred-clients-clear
Clients are barred based on their IP address so each IPv4 and IPv6 (if configured) address will need to be considered a separate entry. Once a client is barred, it is not possible for that client to connect over SMB regardless of the credentials being used – manual removal from the ‘barred’ list would be required. Up to 512 client IP addresses per security context can be barred.
SMU support for CentOS Stream 8
First available in 13.9.6918.05
A virtual SMU can be deployed on a later version of the operating system, CentOS Stream 8. Use version 3.0 of the Hyper-V or VMware template in order to create a virtual SMU based on CentOS Stream 8.
A standard upgrade of an earlier virtual SMU to version 13.9.6918.05 or later will not upgrade the operating system version. If you want to upgrade an existing CentOS 6 SMU to run on CentOS Stream 8, while preserving the existing network address, it is necessary to deploy a new virtual SMU and migrate the settings from the existing SMU to the new one by performing a backup and restore.
More details can be found in the Virtual SMU Administration Guide MK-92HNAS074.
| Note: Both CentOS 6.2 and CentOS Stream 8 are supported in this version. |
| Note: CentOS Stream 8 is not currently supported when using HDRS. |
Support of HCP CloudScale
First available in 13.9.7021.04
HNAS has been compatibility tested with HCP-CS as a DM2C target; performance results will vary similarly as it does with HCP.
Hitachi NAS add-ons
There are several add-ins available for use with Hitachi NAS, as noted here.
The downloads can all be found by following section "Accessing product downloads" and navigating to "Hardware Download", "NAS Platform", and then selecting "Add-ons".
The documentation can be found on the "Solutions and Best Practices" page, which is linked from the main NAS Platform documentation page (https://knowledge.hitachivantara.com/Documents/Storage/NAS_Platform).
HNAS CSI Driver for Kubernetes
Version 1.1.1 (September 2021) - works with NAS 13.3 or later
The Hitachi NAS Container Storage Interface (CSI) Driver is a software component that contains libraries, settings, and commands that you can use to create persistent storage for your containers. It enables the stateful applications to persist and maintain data after the life cycle of the container has ended. The Hitachi NAS CSI Driver provides persistent volumes on Hitachi NAS server platforms (Hitachi NAS platform and NAS module) and is able to clone those volumes and take snapshots of them.
As the driver relies on the ability for containers/pods to access HNAS NFS exports, it can only be used on Linux based systems. This driver requires Kubernetes 1.20 or higher.
Version 1.00 (August 2020) still works, and can work with older Kubernetes versions, but contains less functionality.
Hitachi NAS Modules for Red Hat® Ansible®
Version 1.1.0 (September 2021) - works with NAS 13.5 or later
Hitachi NAS Modules for Red Hat® Ansible® allow IT and data center administrators to automate and manage some of the configuration of Hitachi NAS systems. An administrator can create playbooks together with logic and other Ansible modules to automate complex tasks. Administrators can filter, sort and group the information by piping the output from one module to another. Tasks are executed by running simple playbooks written in yaml syntax.
These modules require Ansible 2.9 or higher.
HNAS docker volume plugin
Version 1.00 (December 2019) - works with NAS 13.2 or later
The NAS server platform (Hitachi NAS platform and NAS module) can be used to provide remote storage for container images running within Docker.
As the plugin relies on the ability for containers to mount HNAS NFS exports, it can only be used on Linux based systems.
The plugin is supported on Docker version 18 and newer, and currently only on stand-alone systems, rather than clusters/docker swarm.
ELK integration for HNAS
Version 1.00 (September 2019)
The NAS server platform (Hitachi NAS platform and NAS module) can be integrated with Elasticsearch. Alert and audit logs can be collected, and then analyzed using Kibana, which helps to visualize data.
Elasticsearch is commonly referred to as the ELK stack or Elastic stack, which refers to Elasticsearch and associated components, which lets you reliably and securely take data from any source, in any format, and search, analyze, and visualize it in real time.
Splunk add-on for HNAS
Version 1.00 (November 2018)
The NAS server platform (Hitachi NAS platform and NAS module) can be integrated with Splunk®. Splunk can be configured to collect alert log and audit log events, in addition to the ability to gather statistics about the NAS server system performance.
Special notes on current NAS releases
Configuring external migration targets
Not specific to this release, but reiterating the need for adequate backup planning.
| Caution: Care should be taken when configuring systems with a single migration destination for both replication source and target (known as a triangular arrangement). Such arrangements should not be considered a valid solution in any disaster recovery (DR) or backup scenario, as there is only a single copy of the user data pointed to by XVLs at each end of the replication policy. |
Deduplication support for Object Replication Targets
Deduplication is supported on Object Replication target file systems, from release 13.6.
| Note: If, before 13.6.6016.05, a filesystem was created to support dedupe and it was later used as a replication target, there will be implications when upgrading to 13.6.6016.05 or later. In this case, deduplication of the replication target will start automatically without any additional action on the user's part. |
In order to avoid this happening, deduplication should be disabled, per filesystem, before upgrading.
NFS over UDP
If NFS over UDP is enabled, frequent warning messages are displayed on the console and in the dblog. As a workaround, disable UDP. Note that the messages will persist until the clients are remounted.
| Note: Using NFS over UDP has inherent risks and is, therefore, not recommended. |
Group Augmentation changes
A change in 13.5.5527.02 changed the format of the output that create-group-table-from-active-directory.rb presented to any customized massage-commands-for-managed-servers script.
If a customized massage-commands-for-managed-servers script is used to check the output against a whitelist, then it's likely that groups will be incorrectly excluded, and their old definitions will continue to be used by HNAS indefinitely. In this instance it is best to transform the whitelist to suit the output after the upgrade.
HDRS versions
A change in 13.8 necessitates that any instances of HDRS in use should be upgraded to at least v4.1.
Please do not upgrade the SMU software to 13.9.6628 or later on the VSP F/G/Nx00 platforms, or install a net new GEfN solution, until HDRS v4.2 or later is installed.
HDRS v5.1 supports a 4 node GEfN cluster on HNAS 5200/5300 in version 13.9.6918.09 or later, although it is preferred that 13.9.7021.01 or later is used. Do not attempt to install HDRS v5.1 on VSP-F/G/Nx00 GEfN deployments.
HNAS 5200/5300 clustering
There was a restriction for HNAS 5200/5300 in version 13.9.6420, to limit the cluster size to 2 nodes.
Version 13.9.6628.07 introduces support for 4 node clusters on HNAS 5200/5300.
| Note: Please note that the use of clustering in a production environment is required for data availability. |
Script output on HNAS 5200/5300
Due to a change in operating system behaviour, on Debian 10 (Buster) based systems such as HNAS 5200/5300, some scripts' output on invocation might not be displayed on the current console. The output can still be found by reviewing the syslog or using the journalctl command.
DSA host keys for SSH access
Since 13.9.6918.02 the HNAS 3000 and 4000 series and the VSP-F/G platforms no longer allow the ssh-dss host key algorithm (i.e., use of the DSA host key).
Notes on installing, upgrading, and downgrading
Notes on this release include:
· NAS platform models 4040 / 4060 have cluster support for up to two nodes.
· NAS platform model 4080 has cluster support for up to four nodes.
· NAS platform model 4100 has cluster support for up to eight nodes.
· NAS platform models 5200 / 5300 have cluster support for up to four nodes.
· The NAS Manager for the SMU uses cookies and sessions to remember user selections on various pages. Therefore, you should open only one web browser window, or tab, to the SMU from any given workstation.
| Note: When upgrading, remember to remove any avoidances already implemented for any of the defects that have been fixed in intermediate releases. |
Performing a rolling upgrade from older versions of HNAS
If you are upgrading from earlier versions of HNAS, note that there are critical steps which must be followed in a precise sequence to correctly upgrade to version 13.9. Refer to the corresponding release notes of each earlier version for details on rolling upgrades. Additionally, consult with your Hitachi Vantara representative for assistance in upgrading from earlier versions of HNAS.
| Note: For Rolling Upgrades, the latest version of any major code release will be able to roll to any version in the following major code release. As an example, a Rolling Upgrade can be performed from the latest 12.x code release to any version in the 13.x major code release without any intermediate code steps. |
| Caution: If upgrading from versions earlier than version 13.3, an additional step to version 13.6.6016.05 must be performed first, before upgrading to version 13.7.6233.01 or later. This is no longer necessary when upgrading to version 13.9.6815.02 or later. |
Please refer to FE-92HNAS050 if you are planning a hardware rolling upgrade from HNAS 30x0 / 4xx0 to HNAS 5200 / 5300.
| Note: If you are using Hitachi Operations Center, the HNAS 5000 series cannot be on-boarded into Analyzer. This is not an HNAS product issue - HOC Analyzer will fully support the HNAS 5000 series in a future release. In the interim, please contact product support for any potential work around until HNAS 5000 series is fully supported in HOC Analyzer. |
File-based replication between different HNAS software levels
The ability to replicate between systems is determined by the version of the software that is running on those systems. The model number of the server is not a factor for interoperability for replication purposes. If both the destination and target servers are running the same major software version (for example, 12.x), replication as ‘managed servers’ is fully supported. If the destination and target servers are running different major software versions (for example, 12.x to 13.x), one of the servers is configured as an ‘unmanaged’ server. Replication continues to be fully supported within the constraints of replication between managed and unmanaged servers.
Object-based replication between different HNAS software levels
Object replication was first introduced in HNAS software v8.0 and has been enhanced with each release. For example, version 10.1 was enhanced so that objects maintained their sparseness during incremental replication. Version 11.1 has the ability to preserve file clone states during replication. To ensure interoperability, feature flags are negotiated when object replication occurs between servers running at different version levels.
Object replication between servers is supported up to one major version away. For example, object replication between version 12.x and 13.x is supported.
| Note: Object replication between servers that are more than one major release apart may work (for example, between version 11.x and v13.x) – but this is not supported. |
| Note: When set to transfer XVLs as links, both source and target systems involved in the replication relationship must be running HNAS release v13.4 or later. |
Important considerations to read before installation
Please read the following sections before installing and using 13.9.
Special consideration should be taken when upgrading to the stated versions (or later) from an earlier version, or when planning a downgrade from the stated versions (or later) to an earlier version.
Changes in 13.0
· Support for WFS-1 is now completely removed. Before upgrading the customer MUST migrate any WFS-1 filesystems to new WFS-2 filesystems, as WFS-1 filesystems cannot be mounted.
· NAS Storage Pools (spans) are now limited to 32 filesystems.
· 12.7.4221.07 is the lowest version of code that the system can safely downgrade to.
Changes in 13.2
· Support added for increasing the number of filesystems in a cluster. This must be considered when planning a downgrade to an earlier version, if more than the previous default of 128 filesystems exist.
· Support for REST API v4 added, while still supporting v3.
· 13.2.4527.04 introduced a new command, krb5-nfs-principal-format. If the setting is changed to (the non-default value of) "only-primary", for any EVS, this must be considered when planning a downgrade to an earlier version.
Changes in 13.5
· Support for REST API v7 added, while still supporting v4, and deprecating v3.
The number of filesystems per span limit
By default, the number of filesystems that can be created in any span is limited to 32.
If an existing span has more than 32 filesystems, the span and filesystems are fully supported after upgrading to 13.0 or later. However, it is not possible to create any additional filesystems on the span, until enough filesystems have been deleted to bring the total number below 32.
It is possible to increase this default value using the filesystem-create CLI command with the --exceed-safe-count option. This option must not be used when creating up to 32 filesystems. It must only be used when creating filesystems beyond the 32nd one.
| Note: This option is only available on the CLI. The NAS Manager does not permit you to create more than 32 filesystems. |
For further information, see the File Services Administration Guide.
NFSv3 access during upgrade to 13.2 or later
When a cluster namespace (CNS) is in use on an NFSv3 filesystem, a rolling upgrade to version 13.2 can cause longer transient delays for NFSv3 accesses than normal. Customers using ordinary filesystem exports or other protocols (including NFSv4) do not experience these additional delays.
| Note: This issue only affects the upgrade from a pre-13.2 release to a 13.2-or-later release. Future upgrades will not experience any additional transient delays from this issue. |
The technical issue
Normally, during a rolling upgrade, access to filesystems through NFSv3 and CNS is available while EVSs are migrated between cluster nodes so that each node can be upgraded in turn. Clients can connect to an EVS on a node running older software and access filesystems belonging to an EVS on a node running newer software (or the other way around) because the NAS server uses a stable message format when forwarding the requests.
Software version 13.2 supports an increased number of filesystems and in order to provide this feature, modifies the message formats used to support CNS in a way that is incompatible with earlier releases.
During this rolling upgrade, clients cannot access filesystems that are hosted on a node running a different version of software to the currently connected node. As soon as the EVSs are migrated onto nodes running the same version of software, the clients can regain access to those filesystems.
Workaround
For 2-node clusters (including NAS Modules), follow the usual upgrade procedure. After the first node has been upgraded, and while EVSs are being migrated between the nodes, there is a longer interruption to client access than usual. The interruption ends as soon as all EVSs are migrated to the upgraded node. When the second node has been upgraded, the only disruption is from normal EVS migrations.
For clusters with three or more nodes, there could be a longer period when EVSs are hosted on nodes running different software versions. For these cases, use manual migrations to move all EVSs to nodes running the same software version. This minimizes the period during which the clients cannot access all filesystems.
For details of the manual migration process, or for upgrade procedures, please contact Customer Support.
SMU, server, and cluster compatibility
These release notes highlight SMU release version 13.9.7021.04.
The version of SMU should always be equal to, or newer than, the version of the server / cluster being managed. In the rare situation where such an SMU build is not released, the closest available one should be used.
Since SMU 13.9.6918.05, the following hypervisor images are supported for a virtual SMU
· Hyper-V : Virtual SMU OS 2.2 or 3.0
· VMware : Virtual SMU OS OVA 2.1, 2.2 or 3.0
· Use the 3.0 version to deploy a virtual SMU on CentOS Stream 8 instead of on CentOS 6.
| Note: In addition to VMware player, the virtual SMU (vSMU) is also compatible with the free version of ESXi. |
From SMU 12.7, a virtual SMU can support up to 10 servers / clusters. To manage more than 2 entities from a virtual SMU, the VM’s resources must be increased. One (1) GB memory and one virtual CPU is required per entity. An entity is defined as a single node or a cluster of nodes.
Licensing
New license keys are typically firmware-version specific. Upon upgrading firmware to this release, all previous licenses present on the system will remain in force.
Licensing as it pertains to node replacements
Clustered Node Replacement: Once the NAS cluster has been built, the Cluster MAC-ID will not change regardless which node in the cluster needs to be replaced, so there will not be any reason to request new license keys when replacing a node in a cluster.
Single Node Replacement: In a situation where a single node must be replaced, the original license keys will not be valid on the new node. Please contact TBkeys to transfer the license keys to the replacement node and issue a new permanent license. You will need to supply TBKeys with the MAC-ID of the Original Node and the MAC-ID of the Replacement node.
To request upgrade keys
When ordering license keys for new, licensed features, note that:
· New features with a sale price will be purchased by the customer per normal Hitachi Vantara channel policies and procedures.
· Non-sale feature requests will be routed based on server branding until such time as the relicensing process has been fully integrated.
· Hitachi Vantara Server Request Routing
o The emailed request shall include the following information:
- Customer Name
- MAC-ID of the HNAS Unit (the MAC-ID format is XX-XX-XX-XX-XX-XX), the serial # is not needed or acceptable to issue new keys.
- If you have not followed normal upgrade procedures, please indicate details of your current situation and indicate if a new full set of keys are required. Also, if your server is part of a cluster, please indicate if the MAC-ID is a "Primary" server of the cluster and how many units are in the cluster.
o All permanent upgrade key requests will be handled by way of email sent to TBKeys@hitachivantara.com. Turnaround time on all requests is targeted within 24 hours. Standard working hours for this distribution list (dlist) are 8am to 5pm Pacific Standard Time. See below for emergency situations.
o Should your need for upgrade keys be an emergency, please contact the Hitachi Vantara Support Centers, where Temporary Keys for these features can be provided.
o An email to TBKeys@hitachivantara.com should also be sent to receive your permanent keys.
Fixes and enhancements in version 13.9
| Note: When upgrading, remember to remove any avoidances already implemented for any of the defects that have been fixed in intermediate releases. |
Version 13.9.7021.04
| Issue ID | Severity | Description |
| D149667 | C | A problem causing the installation of the fix for systemd's CVE-2021-33910 to HNAS 5000 series models not to complete on one server in ten or twenty has been addressed. |
Version 13.9.7021.01
| Issue ID | Severity | Description |
| D86367 | C | Address a stability issue when an NDMP client issues SCSI commands with very large time-out values. |
| D87923 | C | If a filesystem has been allowed to become too full and the FSA FPGA needs to spend too long searching for free space, fail the file system in order to allow it to be rectified |
| D137611 | C | The console commands filesystem-persona-list, filesystem-persona-read, and filesystem-aux-persona-read have been converted from dev level to supervisor level. |
| D143940 | C | Fix an issue that can occur when doing two backups of a single object replication target at once. |
| D147790 | C | Fixed an issue that could occur following disruption to connectivity of fabric-attached storage on HNAS 5000 series servers. |
| D148301 | C | In a PIR, fix an issue in reporting how busy the WTREE main state machine is. |
| D148332 | C | Fixed a condition in which a failure to create SSH DSA host key at installation on VSP-N models prevented root password updates, and the wrong root password prevented fixing the host key. Also similar potential double failures on all models. |
| D148434 | C | Repsonses to SMB Write Requests on a named pipe no longer always report zero data count. |
| D148491 | C | Fix an issue that might extremely rarely result in instability due to a VLSI fatal assert caused by an illegal access. |
| D148493 | C | Fix a very low risk stability issue that could have occurred during normal use. |
| D148567 | C | On HNAS 3000 / HNAS 4000 series platforms, very old filesystems could be taken offline with a "ERR_OBJ_DIRECT_ONODE_BLOCK_PTR_DUFF_OFFSET" error when upgrading from a build before cornet-2, to a build after cornet-2 |
| D148573 | C | Installation of the embedded SMU on HNAS model 5000 series servers in a su rather than su - context now works. |
| D148735 | C | Fixed a Data Migrator to Cloud (DM2CD) migration issue so that NoHttpResponseException, SocketException and IOException exceptions should no longer abort it. |
| D148789 | C | A 15EB file's size issue, seen rarely on External Volume Link (XVL) files, has been fixed. |
| D69760 | D | Fixed VLSI stats from going negative and hence showing huge numbers. |
| D147806 | D | Fixed a problem that could make discovery of attached storage unreliable, particularly when connected by FC Fabric. |
| D147827 | D | Fix as issue that might cause the NVDIMM energy storage health check to report "None" inappropriately with the "nvdimm-status" command. |
| D148495 | D | The following vulnerabilities have been addressed for the HNAS 5000 series: CVE-2021-3520, CVE-2018-25009, CVE-2018-25010, CVE-2018-25011, CVE-2018-25013, CVE-2018-25014, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331, CVE-2020-36332, CVE-2021-3580, CVE-2021-20305, CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513 |
| D148668 | D | Security patches have been applied for the HNAS 5000 series to cover: systemd: CVE-2021-33910 krb5: CVE-2021-36222 c-ares: CVE-2021-3672 |
| D148714 | D | The size limit for files in the SMU diags have been increased for CentOS Stream 8 SMUs in order to allow the 'system.journal' files to be included. |
| D148720 | D | Improved handling of SCSI commands issued by NDMP clients with very long time-out periods, on HNAS 5000 series. |
| D148760 | D | Remove the need to reboot when using the cluster-gefn-configure and cluster-gefn-unconfigure commands |
| D148792 | D | The Freeable Space is once more correctly reported for snapshots. |
| D148893 | D | Remove a bottleneck that may result in reduced performance and/or increased latency under certain extreme conditions |
| D148934 | D | Error handling for writing to DM2CD-migrated XVL files was improved. |
| D148954 | D | Data Migrator to Cloud (DM2CD) code was updated to use aws-java-sdk-s3 version 1.12.52 and Apache HTTPClient version 4.5.13. |
| D149024 | D | The snapshot-list --freeable-space command and its equivalent SMU screen are now quicker. |
| D146288 | E | Attempting to change the DNS domain name in a cluster would, less than 1% of the time, result in the domain name being wrong. |
| D147645 | E | Certain connections are not displayed by the "tcp-per-connection-statistics" commands, which means that their output may not match the output of other related commands. This defect adds extra output to the tcp-per-connection-statistics commands to show many connections were not displayed and why |
| D148099 | E | Correct the error code that is likely to be returned if cluster-extend-create is issued against a cluster that is already a stretch-cluster. |
| D148228 | E | The password of the first customer-created SMU CLI user can once again be changed. |
| D148364 | E | Corrected "Unknown command 'fc-link-congestion'" and "Unknown command 'throttle-stats'" that occurred while collecting diagnostics in some circumstances. |
| D148408 | E | Files from the manager directory on an embedded SMU are now being collated in the diagnostic logs. |
| D148674 | E | Minor issues on the SMU stats pages have been fixed. |
| D148716 | E | Fix minor out of spec NDMP behaviour |
| D148721 | E | Corrected a minor defect affecting certain information in Fibre Channel logs. |
| D148783 | E | If the freeable space is ever displayed as "NA" via the CLI the SMU will display the same ("NA") and not 16EB. |
| D148941 | E | Attempting to change the DNS domain name in a cluster would, less than 1% of the time, result in the domain name being wrong. |
| D149035 | E | Puma's snapshot-size request will no longer risk overloading four node HNAS clusters. |
Version 13.9.6918.09
| Issue ID | Severity | Description |
| D148422 | C | Provides support for encrypted dcerpc access so that Windows clients with CVE-2021-31958 installed can access the EVENTLOG. |
| D148939 | C | Addressed a Fibre Channel link instability problem with newer storage directly connected to HNAS 3000/4000 series |
| D149134 | C | Fix an issue that might cause bogus PCIe error reports of "Malformed TLP" and "Unsupported request" |
| D146739 | D | Added support for VSP 5200, 5200H, 5600 and 5600H. |
| D148908 | D | The number of apparently hard errors that will cause Data Migrator to Cloud (DM2C) to give up on a migration can now be configured. |
| D148841 | E | Some downgrade support for the upcoming fs (file system) packing feature has been corrected. |
Version 13.9.6918.05
| Issue ID | Severity | Description |
| D148489 | C | Fixed a problem that could cause I/O to one or more system drives to stall on a system with a large number of SDs in very rare circumstances following storage reconfiguration or disruption to connectivity. |
| D148592 | C | Fixes an issue where authentication failures and session deletion via Computer Manager could leak SMB2 state. |
| D148656 | C | The "restart" action of the SMU-hosted quorum device once again works. |
| D148909 | C | The appearance of a modern ACE type in a file's SACL is no longer sufficient to cause issues with the file system. |
| D134904 | D | vSMU base OS templates have been upgraded to CentOS Stream 8. |
| D145361 | D | Added support for VSP E590H and E790H. |
| D146469 | D | The command cluster-gefn-configure may be run by supervisor on HNAS 5000 series. |
| D147641 | D | Passwords for local users created on the SMU running on CentOS Stream 8 must be at least 8 characters long and contain at least 2 character classes (upper case, lower case, digit, symbol). |
| D147824 | D | Remove any ad.sssd.conf.ldap_use_tokengroups line from /var/opt/smu/conf/mgr/axalon.properties when migrating to a CentOS Stream 8 SMU. |
| D148435 | D | Customized edits to the "max_log_file_actions" in /etc/audit/auditd.conf can be preserved after an SMU upgrade. On CentOS 6 this happens by default. On CentOS Stream 8 to preserve the setting, add "audit.logs.rotate=false" to the /var/opt/smu/conf/mgr/axalon.properties file. |
| D148481 | D | The script recover-replaced-drive.sh now copes gracefully with being run without root's full environment. |
| D148575 | D | The SMU mail system is likely to be non-functional for up to 20 minutes on CentOS Stream 8 after the restore of a CentOS 6 configuration. |
Version 13.9.6918.02
| Issue ID | Severity | Description |
| D147371 | B | Fix the symlink library to stop resolving circular symbolic link chains and return a new server error code called CircularSymlinks instead of NotFound, and map CircularSymlinks to the same protocol client error code of NotFound. |
| D114427 | C | Provides a facility that maintains a list (per security context) of clients barred from SMB1|2|3 access to the server. The list can be configured via the cli. Clients that cause SMB NTLM authentication failures by providing an incorrect password are automatically added to the list if the rate of failure is sufficient. |
| D131476 | C | Correctly handle DMAs of heavily fragmented packets that are associated with handling TCP packets received from badly configured clients |
| D143553 | C | The OpenSSH server and client on HNAS 3xxx/4xxx and VSP-G/F systems were updated to version 7.4p1-10. |
| D145005 | C | Make the creation and administration of dedupe indexes on replication targets more tolerant of low level reporting failures by double checking that required states have been reached. |
| D146073 | C | Addressed an issue that could occur when reserving NVRAM. |
| D146278 | C | The server will now store more TCP packets that are received out-of-order for each connection (was limited to 64 per connection by default, default is now 256) |
| D146539 | C | Write throughput performance with standard sized Ethernet frames has been improved for HNAS 5200/5300. |
| D146639 | C | Write throughput performance with standard sized Ethernet frames has been improved for HNAS 5200/5300. |
| D146766 | C | Write throughput performance with standard sized Ethernet frames has been improved for HNAS 5200/5300. |
| D146794 | C | Write throughput performance with standard sized Ethernet frames has been improved for HNAS 5200/5300. |
| D146930 | C | Write throughput performance with standard sized Ethernet frames has been improved for HNAS 5200/5300. |
| D147110 | C | NV mirroring will no longer be attempted between an HNAS 4100 and an HNAS 5000 series. |
| D147142 | C | Fixed an issue that could lead to resource exhaustion in the storage code in the presence of other bugs. |
| D147224 | C | Fixed a rarely occurring issue with one of the FPGA transceivers. |
| D147246 | C | Fixed an issue with aborting Fibre Channel exchanges on HNAS 5000 series servers when a port is logged out. |
| D147342 | C | CVE-2021-3449, CVE-2021-3450 The OpenSSL libraries linked into Bali and Bart were upgraded to version 1.1.1k. |
| D147381 | C | Ensure that when booting two nodes of a four node cluster that the nodes boot correctly. |
| D147537 | C | Fixed a stability issue that could occasionally occur following Fibre Channel link trauma on an HNAS 5000 connected to a Fabric. |
| D147596 | C | Improved the handling of files that cannot be read from HNAS during the DM2CD migration process. |
| D147611 | C | Reverse-migration process has been improved to report an error for a case when a file's content on target is truncated. |
| D147618 | C | Fixed an issue that could occur following Fibre Channel disruption on an HNAS 5000 series server. |
| D147640 | C | Fixed an issue where a server restart was needed to restore connectivity to a Fibre Channel device. |
| D147957 | C | Rolling upgrade of a busy cluster is now more robust. |
| D147977 | C | Patches have been applied to exim on VSP-N to cover the 21nails vulnerabilities: CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28010, CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28014, CVE-2020-28015, CVE-2020-28017, CVE-2020-28019, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026 And three other security issues: CVE-2019-10149, CVE-2019-13917, CVE-2019-15846 |
| D148185 | C | Add support for the network optic: FTLX8571D3BCL-HD |
| D144694 | D | Prevent dedupe jobs failing due to a low level retry attempt being reported as failed when it actually passed. |
| D145690 | D | The server's exim4 mail transport agent is now restricted to listening on the local host and, if valid, the private management interface. |
| D146535 | D | A single-node cluster (a.k.a. cluster-capable node) will no longer report spurious ICC link errors. |
| D146556 | D | Fix an issue that causes a dedupe job to retry opening the dedupe index database repeatedly while there are problems with the underlying file system. |
| D146818 | D | Add auditing to modifying cluster-extend-* and the cluster-gefn-* commands. |
| D147151 | D | In GEfN clusters fix the EVS migration target that is selected when a node fails. |
| D147291 | D | Eliminate a rare possible issue with configuration data (for example nas-preconfig settings) on HNAS 5000 series servers, if the server forces an administrative power-cycle shortly after it is changed. |
| D147315 | D | In order to facilitate passwords being passed in to 'smu-backup' or 'smu-restore' without the password being visible in either 'ps' or 'history' we have created new wrapper cli command, 'smu-backup-with-password' and 'smu-restore-with-password'. |
| D147980 | D | S3 providers are now supported by DM2CD (Data Migrator to Cloud). |
| D148309 | D | The fstrim timer service is now reactivated on USB reinstalled HNAS 5000 series servers. |
| D148355 | D | Fixed a regression in which SMU diags didn't contain pgdump.sql on an embedded SMU. |
| D148356 | D | Resolved an issue that meant performance data was not being collected on an embedded gateway SMU. |
| D147039 | E | These scripts are no longer installed on the SMU in /opt/smu/smu-scripts/: ax_bootp_unconfig.sh ax_check_bootp.sh ax_get_bootp_info.sh ax_get_bootp_requests.sh ax_set_bootp_info.sh ax_get_ntp_info.sh ax_set_ntp_info.sh |
| D147328 | E | In certain situations PCIe correctable errors were being incorrectly reported, which has now been fixed. |
| D147435 | E | For security reasons, it is now possible to disable the internal StatServer, or restrict access to a list of allowed hosts. This could impact gathering of statistics from external applications and tools. |
| D147461 | E | Security patches have been applied for the HNAS 5000 series to cover: bind9: CVE-2021-25214, CVE-2021-25215, CVE-2021-25216 curl: CVE-2020-8169, CVE-2020-8177, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2021-22876, CVE-2021-22890 exim4: CVE-2020-28007, CVE-2020-28008, CVE-2020-28009, CVE-2020-28010, CVE-2020-28011, CVE-2020-28012, CVE-2020-28013, CVE-2020-28014, CVE-2020-28015, CVE-2020-28017, CVE-2020-28019, CVE-2020-28021, CVE-2020-28022, CVE-2020-28023, CVE-2020-28024, CVE-2020-28025, CVE-2020-28026 |
| D147636 | E | The codconverter can once again parse span-dump-cod's output. |
| D147749 | E | Fix a rare issue that might occur at boot time of an HNAS 5000 series server, causing it to report that the product serial number is not programmed. |
Version 13.9.6815.02
| Issue ID | Severity | Description |
| D131093 | B | Fixes an issue that occurred when an SMB2 session setup requested to re-establish a previous session that had since timed out. |
| D146111 | B | Fixed a stability issue that could occur when aborting certain Fibre Channel requests. |
| D146335 | B | Fix a situation in which an HNAS 5x00 cluster of 3 or more nodes could continue file-serving with no working NVRAM backup capability. |
| D146389 | B | Fixed a potential instability on HNAS 5000 under certain error conditions in Fibre Channel login management. |
| D146716 | B | CVE-2021-3156 (Baron Samedit) has been addressed for HM800 VSP-G/F models. |
| D147066 | B | Fixed a very rare issue, which was triggered in the unlikely event of a DIMM failure. |
| D147380 | B | Fixed an issue that internally allowed two posted PCIe requests to be issued at the same time on the same tag number. |
| D147433 | B | Concurrent reverse migration and (initiation of) auto-recall of the same external file could result in truncation of the recalled file on HNAS. This has been fixed, in that either the migration is successful and the truncation does not happen, or the migration is aborted and a good link to the external file is preserved. |
| D139761 | C | Address a locking fairness issue with Fibre Channel connections. |
| D143460 | C | Prevent a potential instability when reading from an object replication target file system, perhaps for an NDMP backup, whilst replication completes. |
| D144644 | C | Fixed an issue that could arise when dedupe jobs are automatically triggered on replication target file systems at the same time that snapshots are being deleted. |
| D144813 | C | Fix an issue with registry file handling. |
| D145094 | C | When upgrading a cluster from HNAS 3xxx/4xxx to HNAS 5x00, the user is warned that management user passwords will need to be re-entered. That is because of the more secure password hashing method used in the newer models. |
| D145319 | C | The text field at the end of the URL of the SMU's management statistics page is now validated to remove an opportunity for cross-site scripting (XSS). |
| D145516 | C | Fixed an issue that could cause an instability following Fibre Channel link failure on HNAS 5000. |
| D145615 | C | Generate a severe event if unsupported storage is detected |
| D145703 | C | Fixed an issue that was caused by a disruption to Fibre Channel connectivity. |
| D145880 | C | Fixed an issue with storage discovery when replacing directly connected storage on HNAS 5000. |
| D146046 | C | Fixed a problem that could, rarely, prevent a Fibre Channel link coming up properly on HNAS 5000. |
| D146131 | C | Fixed an issue that internally allowed two posted PCIe requests to be issued at the same time on the same tag number. |
| D146266 | C | Azure accounts without geo-redundancy are supported again. |
| D146381 | C | Fixed an issue with SMU hardening such that HDRS is able to work again. |
| D146413 | C | Fixed an issue caused by an unusual combination of Fibre Channel errors. |
| D146500 | C | Fixed stability issues resulting from interactions between internal state machines TX_MUX and TCP_TUI, when very busy receiving network packets. |
| D146646 | C | Fixed a failure to upgrade HNAS 3xxx/4xxx from certain older releases. |
| D146745 | C | Fixed a potential stability issue when the scsi-clean command deleted a stale storage rack. |
| D146922 | C | The default fsi-cache-bound thresholds have been doubled for extra safety. |
| D147011 | C | Fixed a rare stability issue that occurred when dedupe logs the last occurrence of the same chunk error code that occurs in consecutive chunks. |
| D147034 | C | The tightening of external SMU file security in 13.9.6600 has been loosened in a few choice locations to accommodate Hitachi Ops Center (HOC) Analyzer. |
| D147035 | C | Mitigated a potential resource limitation in SCSI background polling on HNAS 3000/4000 systems with large numbers of system drives. |
| D147122 | C | Fixed a problem that could potentially cause a file system to be unmounted prematurely in the event of I/O errors. |
| D147317 | C | mercury-reinstall-main-partitions' help and warning output corrected. |
| D61202 | D | More detailed memory usage statistics are now tracked in the diagnostics' loggedstatistics.csv. |
| D64839 | D | Provides support for SMB2 query_info requests on named pipes. |
| D143018 | D | Added protection for the SMU from brute force attacks. Now if you get your password wrong 5 times you will be locked out of the SMU for 5 minutes. |
| D143019 | D | The bulk of the work for securing the postgres database was done here but it remains disabled at this time. |
| D143022 | D | A password can now be supplied when creating a backup from the SMU GUI or CLI script. This backup can be used to restore the SMU to a previous version from both the backup saved in the SMU and the file downloaded by entering the password used to create the backup.The password is optional and any backups created by the SMU itself are not password protected. |
| D143023 | D | Database backup files from old SMU upgrades are now deleted automatically. |
| D143618 | D | Shortcomings with the commands controlling TLS v1.3 and its cipher-suites have been addressed. |
| D146328 | D | A read-only user is no longer restricted to interacting with the first page of object replication policies and schedules. |
| D146420 | D | Bali REST API read-only access via API key. |
| D146421 | D | The existing CLI commands for controlling the Bali REST API now allow switching between the native and legacy APIs. |
| D146505 | D | An issue involving a race condition due to an illusory transient heap shortage, has been fixed. |
| D146667 | D | Three months' worth of Debian patches for security issues reported by the Nessus scanner for the HNAS 5000 series have been applied. |
| D146699 | D | Downgrade the warning assert SI/H1_PCIEX_HFOPRX:1/pciex_interface_paused that may appear in the log when the system is under high load. This is purely for VLSI debug, and thus an info assert is sufficient. |
| D146700 | D | A method of configuring sshd's AllowUsers setting that is persistent across external SMU upgrades is available on request. |
| D146701 | D | The external SMU's postfix configuration has been changed such that it will only relay email from any private network. |
| D146939 | D | An issue in stat reporting has been fixed. |
| D147193 | D | Made the fc-link-reset CLI command available on HNAS 5000. |
| D147214 | D | Fixed an issue, such that 'pir --to-ssc' will now keep the invoking ssh session active with a progress report every minute. |
| D147235 | D | Ensure an HNAS 5x00 GAD Enhanced for NAS (GEfN) cluster cannot be created unless it is licensed. |
| D147379 | D | Fixes applied for: openssl (CVE-2021-3449, CVE-2021-3450) grub (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233) libtiff5 (CVE-2020-35523, CVE-2020-35524) |
| D147562 | D | nas-connection-open-file-monitor.rb and nas-connection-request-monitor.rb are once again executable by the manager user on the SMU. |
| D147610 | D | The https://knowledge.hitachivantara.com...tation_Scripts now work again as "manager". |
| D145075 | E | The libxml2 and procmail packages on VSP-G/F have been patched to address security issues DLA-1060-1 and DLA-1173-1. |
| D145836 | E | Fixed an issue that was preventing delivery of total Fibre Channel error statistics to the SMU and other SOAP/REST clients. |
| D145847 | E | The "PAPI route configuration error" event (ID 1529) is no longer raised for transient errors. It is raised if the routing error persists. |
| D145930 | E | Remove the new-battery-fitted command that isn't supported on CapeHorn. |
| D146775 | E | Files created by the root user, notably including updated versions of the SMU code, are now secured as intended with the newly (13.9.6600) tightened default umask. |
| D147177 | E | The tls-cipher-suite-enable command no longer produces the spurious error message "No cipher suites enabled allow for GOST key exchange, certificates using this will not work". |
Version 13.9.6628.07
| Issue ID | Severity | Description |
| D139394 | B | Fixed an issue which could cause a dedupe job to become blocked, or cause issues with file system unmount, EVS migration, and spamming of the event log. |
| D146630 | B | CVE-2021-3156 (Baron Samedit) has been addressed for HNAS 5200/5300 and VSP-N. |
| D146643 | B | CVE-2021-3156 (Baron Samedit) has been addressed for external SMUs. |
| D112456 | C | Fixed a rare instability issue by improving the handling of internal data flow. |
| D136193 | C | Fixed a vulnerability when processing lockd/NLM traffic, generally seen while a file system is in the process of becoming unavailable. |
| D141925 | C | The hardware-based TCP/IP stack now conforms to RFC6528 |
| D142924 | C | Diagnostics for a particular type of metadata issue afflicting dedupe have been improved. |
| D144093 | C | Fixed an issue in ViVol space-tracking whereby use of dedupe could cause incorrect reporting. |
| D144180 | C | Improve diagnostics by retaining boot-time systemd journal content. |
| D144669 | C | An unlikely denial of authentication service to Active Directory users of the SMU CLI has been addressed. |
| D145230 | C | Embedded SMU install has been improved. |
| D145287 | C | Fixed a bug in the space-tracking code which could cause incorrect reporting. The fix does not correct reporting which has already gone awry - that requires administrator action. |
| D145594 | C | Sequential HSR dedupe writes are now aggregated to reduce stress on nbd (network block device). |
| D145596 | C | A disabled EVS can no longer be configured with a loopback address. |
| D145784 | C | CVE-2020-25709 and CVE-2020-25710 have been addressed on the HNAS 5000 series. |
| D145932 | C | Fixed a possible stability issue caused by Fibre Channel link trauma. |
| D140970 | D | The external SMU now uses CentOS's password strength checks. |
| D143214 | D | checkfs has been enhanced to be more responsive to the checkfs --abort command for dedupe-supported file systems. |
| D143257 | D | Improve diagnostics by collecting systemd journal content. |
| D143668 | D | Changed the way the SMU maps Active Directory user/group SIDs to UID/GIDs for CLI access in order to allow access for users from different sub-domains in an Active Directory forest. |
| D144205 | D | Tomcat version on the SMU upgraded from 8.5.16 to 8.5.58. |
| D144255 | D | SSH access for Active Directory users is now supported when Global Catalog is configured with Entire Directory search base. |
| D144388 | D | Fixed an issue that caused a slow login to SMU CLI for Active Directory users. |
| D144493 | D | Fixed an issue that caused a slow login to SMU CLI for Active Directory users. |
| D144510 | D | CLI access for Active Directory users is now supported for Global Catalog configuration. Access via primary group is not supported. |
| D144525 | D | Access to the SMU GUI can now be granted to Active Directory users using primary groups, both directly and indirectly. In most cases, primary groups are still not supported for SSH access. |
| D144540 | D | When configuring the SMU for Active Directory authentication, all valid punctuation is now supported in the user and group base DN (distinguished name) fields. |
| D144935 | D | In order to improve login performance for Active Directory users, files created by regular SMU CLI users like "manager" will not, by default, have group write permission. |
| D145111 | D | The erroneous quota-update event raised by DoFSDFailure has been fixed. |
| D145523 | D | TLS certificates with an externally generated private key, like wildcard certificates, can now be imported by the HNAS CLI. |
| D145699 | D | The performance-sapping warning "FSA/T2_FSA_MAP/dwb_failed_to_provide_tier0_read_ahead_cursor" no longer happens spuriously. If an avoidance has previously been applied, then "unset fsa-dont-fix-d138154" before upgrading to a fixed version to avoid a needless performance impact. |
| D145724 | D | The SMU no longer routinely gives away version information about its web server to a potential attacker. |
| D145747 | D | The SMU's protection against being attacked by an authenticated user's browser has been increased. |
| D145775 | D | Old ssh clients, in particular the one on HNAS 3000/4000 series servers, can no longer ssh to an external SMU in its default configuration, due to the retirement of hmac-sha1 through security concerns. |
| D145926 | D | When logging in to the external SMU, whether through the GUI or the CLI, a user is now presented with a default banner. |
| D145994 | D | The use of certain file system types are no longer allowed on the SMU. |
| D145999 | D | SMU passwords can now only be changed once per week (to prevent subversion of security policy by cycling through passwords quickly). |
| D146016 | D | Security has been tightened on the cron configuration on the external SMU, such that only root can access it. |
| D146102 | D | Enabled the HNAS 5200 and HNAS 5300 models to form clusters of up to 4 nodes, if licensed to do so. |
| D146352 | D | Security has been tightened on certain kernel parameters on the external SMU, including, for example, IPv4 network configuration. |
| D143084 | E | Active Directory users who are granted access to the SMU via a group whose name contains the '@' symbol, can now log in via SSH. |
| D145060 | E | Nessus is now happier with the external SMU. |
| D145308 | E | Corrected file extensions of the HBA debug dump files from ".txt" to ".bin" in diagnostic bundles. |
| D145519 | E | HTTP Strict Transport Security (HSTS) is now implemented in the SOAP server on port 8443. |
| D145520 | E | TLSv1.0 is disabled for the SOAP server on port 8443 for new installs. To take advantage of the new, recommended defaults, use tls-version-set --default --confirm after upgrading. |
| D145521 | E | SMU HTTPS protocol TLSv1.0 is now disabled by default. This means that if previously TLSv1.0 was enabled it is now disabled. If TLSv1.0 was the only protocol enabled run the script smu-reset-tls-options to restore the default and resume SMU GUI access. |
| D145562 | E | TLSv1.0 is unconditionally disabled for the REST server on port 8444. |
| D145618 | E | Files created on the external SMU are now created with the permissions set so that users not in the same group can't read the file. |
| D145746 | E | Security has been tightened on certain system files on the external SMU, like the password database, so that only root can access it. |
| D145781 | E | Setting a package as the default for a second time on a model 5000 server is now possible. |
| D145909 | E | Fixed an issue in 'ls -v' reporting. |
| D146109 | E | The etc-bashrc-tmout setting now logs out users of the SMU CLI after 10 minutes of inactivity. |
| D146120 | E | Correct the reporting of the server's serial number on HNAS 5000 series servers. |
Version 13.9.6420.13
| Issue ID | Severity | Description |
| D145923 | B | ECC is now enabled for the NV memory in HNAS 5000 series servers in all code paths. |
| D145818 | C | Enable the Power-On Self-Test (POST) on HNAS 5000 series servers. |
Version 13.9.6420.10
| Issue ID | Severity | Description |
| D144544 | B | Update for CVE-2020-1472 "Netlogon Elevation of Privilege Vulnerability". Add support for secure RPC for NetLogon connections. |
| D142004 | C | Updated the Debian operating system NTP service to resolve these vulnerabilities CVE-2016-7431 CVE-2016-7433 |
| D142488 | C | When restoring registry from an HNAS 3000/4000 series server onto an HNAS 5000 series server, incompatible management users are discarded and existing management users are preserved. |
| D143807 | C | Protection against stalled requests between the SMU and Bali components of HNAS has been restored. |
| D144183 | C | An issue causing slowness and timeouts in the SMU's NAS Manager, particularly on virtual SMUs with just 2 GiB of RAM, has been corrected. |
| D144188 | C | Fixed an incorrect source IP address in the Linux routing after migration of the Admin EVS. |
| D144511 | C | Fixed a warning event "PAPI housekeeping failed in MgmntUser" following installation. |
| D144530 | C | Fixed a failure to bring up a management network link in rare circumstances. |
| D144607 | C | The telnet server, already disabled by default, has been removed. |
| D145009 | C | Updated the Debian operating system GRUB packages to resolve security bug CVE-2020-10713. |
| D145684 | C | An extra warning assert added to the PCIe interface is being triggered erroneously by a bug in the Intel PCIe IP. The assert has been downgraded to a no_event warning, so it is no longer logged in the event log. |
| D141165 | D | Corrected a potential Fibre Channel protocol violation when aborting non-FPGA-accelerated exchanges. |
| D143226 | D | Added support for new storage platforms VSP E790 and VSP E590. |
| D143252 | D | CVE-2020-1967 has been addressed. |
| D143597 | D | The OpenSSL libraries linked into Bali and Bart were upgraded to version 1.1.1g. |
| D143649 | D | The SMU GUI may now allow login for Active Directory users that failed earlier with a referral error, by retrying using the next AD server. |
| D143755 | D | Some security vulnerabilities in the SMU's Linux distribution have been patched. (CESA-2020:2383) - CVE-2020-8616 - CVE-2020-8617 (CESA-2020:2430) - CVE-2017-12192 |
| D143913 | D | Fixed an issue to allow user to log in to SMU in a case where one of the Active Directory base DNs doesn't exist. |
| D143920 | D | Support added for the Finisar FTLX1475D3BCV optic. |
| D144561 | D | Upgrading the SMU to 13.9.6400 or higher is recommended before attempting to manage the new HNAS 5000 series. |
| D145066 | D | The default self-signed TLS/SSL certificate has been enhanced to support https://support.apple.com/en-us/HT210176. The certificate will need to be recreated. |
| D142175 | E | The ver command has been updated to ensure the server's WWN is reported. |
| D143521 | E | Fixed an issue that in rare cases could stop Data Migrator to cloud migrations prematurely. |
| D143956 | E | Changing the length of a file by more than 20 GiB once again records the IP address of the NFS or SMB client. |
| D143984 | E | Made improvements to fc-ports -v command, reporting the vendor name in more circumstances. |
| D144184 | E | Protection against stalled requests between the Cloud Gateway and Bali components of HNAS has been restored. |
| D144552 | E | On HNAS 5000 series servers, by default, the hostname is set to the server serial number. This will be reflected in the console prompt. |
New, modified, and deleted CLI commands
See the NAS man pages for details on the new commands.
New commands
The following commands have been added. See the NAS man pages for details on these commands.
· nvdimm-status - This Supervisor level command shows the NVDIMM status.
· nvi-load - This Supervisor level command shows information about the NVI FPGA load.
· nvi-profile - This Supervisor level command profiles the nvic1 state machines.
· nvi-stats-control - This Supervisor level command controls nvic1 statistics.
· rest-server-mode - This Supervisor level command allows switching between the legacy Metro/Puma REST API and the new native REST API.
· smb-barred-client-add - This command allows client addresses to be added to the list of clients barred from SMB access.
· smb-barred-client-remove - This command allows client addresses to be removed from the list of clients barred from SMB access.
· smb-barred-clients-list - This command displays the list of client addresses barred from SMB access.
· smb-barred-clients-clear - This command clears the list of client addresses barred from SMB access.
· set-smb-auto-barring-mean-interval-threshold-in-seconds - This command sets the SMB client auto-barring mean interval threshold - a given client attempting connections with an incorrect password more frequently than this will be barred.
· set-smb-auto-barring-sample-size - This command sets the SMB client auto-barring sample size - ie the number of instances a client can fail to connect with an incorrect password before it'll be evaluated against the above interval for barring
Modified commands
The following commands have been modified. See the NAS man pages for details on these commands.
· apikey-update - A new option --add-access allows specific access level to be associated with an API key. A new option --remove-access allows levels of access to be removed from an API key.
· migration-cloud-account-create - This command now accepts a provider of type S3. 'S3' is just an additional name to IBMCloud/CleverSafe provider.
· migration-cloud-account-list - IBMCloud or CleverSafe provider is now listed as S3 provider.
· tls-certificate-import-signed - A new option, --with-private-key, was added that allows a CA signed certificate with a trusted chain and with a private key to be added to HNAS server.
Deleted commands
None
Copyrights and licenses
© 2021 Hitachi Vantara LLC. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including copying and recording, or stored in a database or retrieval system for commercial purposes without the express written permission of Hitachi, Ltd., or Hitachi Vantara LLC (collectively "Hitachi"). Licensee may make copies of the Materials provided that any such copy is: (i) created as an essential step in utilization of the Software as licensed and is used in no other manner; or (ii) used for archival purposes. Licensee may not make any other copies of the Materials. "Materials" mean text, data, photographs, graphics, audio, video and documents.
Hitachi reserves the right to make changes to this Material at any time without notice and assumes no responsibility for its use. The Materials contain the most current information available at the time of publication.
Some of the features described in the Materials might not be currently available. Refer to the most recent product announcement for information about feature and product availability, or contact Hitachi Vantara LLC at https://support.hitachivantara.com/e...ontact-us.html.
Notice: Hitachi products and services can be ordered only under the terms and conditions of the applicable Hitachi agreements. The use of Hitachi products is governed by the terms of your agreements with Hitachi Vantara LLC.
By using this software, you agree that you are responsible for:
1) Acquiring the relevant consents as may be required under local privacy laws or otherwise from authorized employees and other individuals; and
2) Verifying that your data continues to be held, retrieved, deleted, or otherwise processed in accordance with relevant laws.
Notice on Export Controls. The technical data and technology inherent in this Document may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Reader agrees to comply strictly with all such regulations and acknowledges that Reader has the responsibility to obtain licenses to export, re-export, or import the Document and any Compliant Products.
Hitachi and Lumada are trademarks or registered trademarks of Hitachi, Ltd., in the United States and other countries.
AIX, AS/400e, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, eServer, FICON, FlashCopy, GDPS, HyperSwap, IBM, Lotus, MVS, OS/390, PowerHA, PowerPC, RS/6000, S/390, System z9, System z10, Tivoli, z/OS, z9, z10, z13, z14, z/VM, and z/VSE are registered trademarks or trademarks of International Business Machines Corporation.
Active Directory, ActiveX, Bing, Edge, Excel, Hyper-V, Internet Explorer, the Internet Explorer logo, Microsoft, the Microsoft corporate logo, the Microsoft Edge logo, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SmartScreen, SQL Server, Visual Basic, Visual C++, Visual Studio, Windows, the Windows logo, Windows Azure, Windows PowerShell, Windows Server, the Windows start button, and Windows Vista are registered trademarks or trademarks of Microsoft Corporation. Microsoft product screen shots are reprinted with permission from Microsoft Corporation.
All other trademarks, service marks, and company names in this document or website are properties of their respective owners.
Copyright and license information for third-party and open source software used in Hitachi Vantara products can be found at https://www.hitachivantara.com/en-us...any/legal.html.