OpenNMS Horizon 30.0.0 (Nutria)

Release 30.0.0 is the first in the Horizon 30 series, introducing a number of new features, most notably a preview of a new web UI, and the ability to back up infrastructure device configs.

For a high-level overview of what has changed in Horizon 30, see What’s New in OpenNMS Horizon 30.

The codename for Horizon 30.0.0 is Nutria.

OpenNMS Horizon 29.0.10 (Duck)

Release 29.0.10 contains a number of security dependency updates, plus a bunch of other bug fixes and documentation improvements.

While the dependency changes should not affect how the OpenNMS runtime works, this release contains a larger than usual number of changes to "plumbing" to facilitate these dependency updates. We strongly recommend that you do more than the usual amount of testing before deploying this update to a production environment.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.10 is Duck.

Bug

• install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14032)
• Provisiond Fails to Start when wrong data is successfully POSTed via REST to hardwareInventory endpoint (Issue NMS-14085)
• Grafana box renders raw JS when Grafana behind reverse proxy with SSO (Issue NMS-14109)
• CVE-2022-22965: Spring RCE in Data Bindings (Issue NMS-14134)
• Minions Trapd Listener Fails to Bind to udp/162 when broker is down (Issue NMS-14148)
• Fix formatting in alarmd documentation (Issue NMS-14182)
• Dependabot: update Vaadin to the latest 8.x (Issue NMS-14192)
• Upgrade groovy-all dependency (Issue NMS-14208)
• make sure license-maven-plugin is re-enabled in foundation and release branches (Issue NMS-14217)
• Upgrade jackson-mapper-asl dependency (Issue NMS-14252)

Enhancement

• Basic upgrade procedure (Issue NMS-13971)
• Document housekeeping tasks before upgrade (Issue NMS-13972)
• IPFIX: Also support ingressPhysicalInterface and egressPhysicalInterface for input and output ifIndex (Issue NMS-14169)
• Cleanup Ticketer docs formatting (Issue NMS-14172)
• Expand XmlCollector documented parameters (Issue NMS-14256)
• Restructure Collector docs file path (Issue NMS-14258)

OpenNMS Horizon 29.0.9 (Kiwi)

Release 29.0.9 contains a bunch of bug fixes and enhancements, including improvements for running in containers, code cleanups, and improved documentation.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.9 is Kiwi.

Bug

• Documentation for all pollers misses RRD config parameter (Issue NMS-11747)
• Resolve SonarCloud High priority Security Hotspots (Issue NMS-14002)
• Can’t set capabilities in Minion systemd unit (Issue NMS-14016)
• Scriptd helpers ignore community setting (Issue NMS-14045)
• Wrong wiki URL in debian installer (Issue NMS-14053)
• Build from source documentation needs a minor correction (Issue NMS-14088)
• Hostname command is missing when running in a container (Issue NMS-14100)
• Fix for NMS-13887 did not make it to Core (Issue NMS-14117)
• Update docs for binding ports <1024 (Issue NMS-14162)

Enhancement

• Switch to using a java e-mail library instead of system mail (Issue NMS-14015)
• Misspelling in SystemExecuteMonitor error text (Issue NMS-14091)
• relicense rancid-api to LGPL, change dependency to match (Issue NMS-14093)
• clean up JAXB dependencies (Issue NMS-14105)

OpenNMS Horizon 29.0.8 (Chickadee)

Release 29.0.8 contains a few small bug fixes mostly relating to upgrades, as well as a bug in graphing, and an improvement to support pre-auth HTTP headers.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.8 is Chickadee.

Bug

• Upgrading opennms ignores RUNAS when setting ownership on logs directory (Issue NMS-14000)
• Minion installation from Debian packages failed with missing dir /var/lib/minion/data/tmp (Issue NMS-14019)
• OpenNMS points to the wrong URL when trying to generate graphs (Issue NMS-14057)

Enhancement

• Add support for pre-authorization via HTTP header (to be used with pre-authentication) (Issue NMS-14059)

OpenNMS Horizon 29.0.7 (Pileated Woodpecker)

Release 29.0.7 contains a bunch of bug and security fixes, plus a few small enhancements and documentation improvements.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.7 is Pileated Woodpecker.

Bug

• opennms user credentials wrongly exposed (Issue NMS-12146)
• show-event-config displays unexpected content after adding new event definitions (Issue NMS-12863)
• Install script fails when using Azure PostgreSQL Services (Issue NMS-13715)
• In default installation the ActiveMQ Total Enqueued Messages throw divde error exceptions (Issue NMS-13737)
• Remove requirements/logic from Dockerfile/Entrypoint/Confd about the OpenNMS HTTP URL from the Minion and Sentinel due to Twin API (Issue NMS-13768)
• Systemd startup uses legacy SysV init script (Issue NMS-13783)
• Telemetryd error occurring when testing with hsflowd (Issue NMS-13795)
• OpenNMS Availability Chart Shouldn’t Include Time Before Connected (Issue NMS-13822)
• Support → System Report exposes credentials in plain text (Issue NMS-13831)
• Cross site scripting - Reflected (Issue NMS-13835)
• TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability (Issue NMS-13845)
• Password field with autocomplete enabled (Issue NMS-13847)
• Remote RMI is broken in 29.0.x (Issue NMS-13887)
• Unable to modify node/interface/service metadata through requisition after initial synchronization (Issue NMS-13890)
• When examining the service status of the opennms -v, the service is stopped. (Issue NMS-13900)
• Web UI redirects to http even with base-url set to https (Issue NMS-13901)
• Prevent REST API from allowing multiple primary SNMP interfaces on a single node (Issue NMS-13939)
• Instrument Provisiond Thread Pools (Issue NMS-13969)
• SNMP Detector configuration page excludes useSnmpProfiles and ttl options (Issue NMS-13997)
• install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14032)
• Web UI copyright year needs updating (Issue NMS-14037)

Enhancement

• Releases should document third party libraries and their licenses (Issue NMS-14004)
• Delete BSM window should name the BSM (Issue NMS-14026)
• Expand newts converter documentation (Issue NMS-14073)
• Add TcpDetector documentation (Issue NMS-14074)

OpenNMS Horizon 29.0.6 (Dodo)

Release 29.0.6 contains a number of bug fixes, including security fixes related to Grafana PDF reports and Protobuf, as well as a few enhancements.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

Thanks to Sahil Tikoo from Etisalat for reporting the Grafana endpoint issue.

A note about security issues: we have traditionally created CVEs in a pretty ad-hoc manner. We are in the process of formalizing how we’ll be doing so going into the future.

The codename for Horizon 29.0.6 is Dodo.

Bug

• config-tester doesn’t find malformed resourceTypes (Issue NMS-13723)
• Event configuration UI fails to persist logmsg dest changes (Issue NMS-13729)
• Outdated javascript library (Issue NMS-13848)
• fix-karaf-setup.sh should honor RUNAS (Issue NMS-13881)
• Remote RMI is broken in 29.0.x (Issue NMS-13887)
• org.opennms.core.commands never got added to Karaf build (Issue NMS-13910)
• grafana endpoint can be used to port-scan internal resources (Issue NMS-13917)
• Minion fails to marshall requisition with JAXB error: Class [org.opennms.netmgt.model.PrimaryTypeAdapter] not found (Issue NMS-13927)
• Kafka Minions with JMS disabled log errors loading JMS bundles (Issue NMS-13929)
• "full" report type in Support → System Report inserts "%n%n" between entries instead of newlines (Issue NMS-13948)
• Unsynchronized access to service factories in TelemetryServiceRegistryImpl (Issue NMS-13961)

Enhancement

• Split SNMP Property Extenders into multiple pages (Issue NMS-13760)
• Upgrade protobuf-java version (Issue NMS-13889)
• Agg Flow via Nephron showing gaps/drops since upgrading to 29.0.4 (Issue NMS-13926)

OpenNMS Horizon 29.0.5 (Kingfisher)

Release 29.0.5 contains a number of bug and security fixes, as well as a few enhancements.

It include an update to the latest Log4j2 release. It is not believed that we are vulnerable to the Log4j issues fixed in these newer releases, but are updating anyway just to be sure.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.5 is Kingfisher.

Bug

• TimescaleDB extension can’t added to existing opennms DB. (Issue NMS-13441)
• Enlinkd API response extremely slow for some nodes (Issue NMS-13507)
• Customer is not able to view Topology (Issue NMS-13851)
• Javascript security updates (December, 2021) (Issue NMS-13857)
• Very large node caches can cause telemetry adapters to fail on Sentinel (Issue NMS-13859)
• Permission check in ./install -dis flags unwriteable files in the .git directory - redux (Issue NMS-13860)
• CVE-2021-45105: Update to Log4j 2.17.0 (Issue NMS-13868)
• upgrade to log4j2 2.17.1 and pax-logging 1.11.13/2.0.14 (Issue NMS-13878)

Enhancement

• Consolidate all IPC features into one / need conf.d changes (Issue NMS-13610)
• Add metrics about twin communication (Issue NMS-13649)
• Extend SnmpMetadataProvisioningAdapter configuration to support exact OID matches (Issue NMS-13842)
• Support an endpoint that allows to access parts of resources (Issue NMS-13863)
• Minion Kafka docs missing reference to custom.system.properties (Issue NMS-13885)

OpenNMS Horizon 29.0.4 (The Bird)

Release 29.0.4 is a re-release of 29.0.3 with additional fixes relating to Log4j2 vulnerabilities.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.4 is The Bird.

Bug

• CVE-2021-45046: incomplete Log4j2 vulnerability mitigation (Issue NMS-13858)

OpenNMS Horizon 29.0.3 (Penguin)

Release 29.0.3 is an out-of-band release with a fix for the Log4j2 security issue, plus an enhancement to support exclude-url in discovery’s configuration.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.3 is Penguin.

Bug

• Log4j2 0-day: CVE-2021-44228 (Issue NMS-13850)

Enhancement

• Update VMWare import documentation regarding multiple parameters (Issue NMS-9889)
• Add "exclude-url" to Discoverd’s configuration (Issue NMS-13718)

OpenNMS Horizon 29.0.2 (Satanic Nightjar)

Release 29.0.2 contains a fix for a Jetty CVE, plus a number of bug fixes and small enhancements, including changes to user auth, Twin API, VMware, and running as non-root.

For a high-level overview of what has changed in Horizon 29, see What’s New in OpenNMS Horizon 29.

The codename for Horizon 29.0.2 is Satanic Nightjar.

Bug

• Update labelling in Configure Discover screen (Issue NMS-12992)
• Link to release notes in web Help / About needs updating (Issue NMS-13579)
• Twin logs doesn’t appear in ipc.log (Issue NMS-13731)
• Authorization changes not taking immediate effect (Issue NMS-13761)
• VMware sessions not correctly closed in all cases (Issue NMS-13774)
• Permission check in ./install -dis flags unwriteable files in the .git directory (Issue NMS-13778)
• Uncatched exception when importing a VMware virtual machine without an IP interface (Issue NMS-13781)
• opennms-webapp-hawtio %post chown errors (Issue NMS-13788)
• 29.0.1 minion should be RUNAS=minion (Issue NMS-13789)
• Missing RRD package definition in BMP persisting adapter (Issue NMS-13812)
• CVE-2021-28164: access to WEB-INF (Issue NMS-13832)

Enhancement

• Dynamic Configuration of Trap Listener (Issue NMS-13564)
• Tracing support for twin communication (Issue NMS-13650)
• Document how to install from source (Issue NMS-13685)
• Improve Related Events box in Alarm detail page (Issue NMS-13749)
• Optionally include a table of event parameters on the event detail page (Issue NMS-13765)
• Remove link to wiki from the landing page (Issue NMS-13779)
• Add support for VMware 7.0.3 performance data collection (Issue NMS-13780)