Delegated License Service Release Notes
NVIDIA Delegated License Service Release Notes
Release information for all users of NVIDIA Delegated License Service.
This document summarizes current status, information on supported platforms, and known issues with NVIDIA® License System release 3.1.0.
1.1. Updates in this Release
New Features in this Release
- Security updates
- Resolution of the issue that caused the withdrawal of NVIDIA Delegated License Service (DLS) 3.0.0 as listed in Resolved Issues
1.2. Supported Platforms
1.2.1. Supported Hypervisors
For deployment in a virtual machine, the Delegated License Server (DLS) component of the NVIDIA License System is supplied as a virtual appliance. The virtual appliance must be installed on a supported hypervisor software release.
The following hypervisor software releases are supported:
- Citrix Hypervisor 8.2
- Linux Kernel-based Virtual Machine (KVM) hypervisors with one of the following QEMU releases:
- QEMU 4.2.0
- QEMU 2.12.0 (qemu-kvm-2.12.0-64.el8.2.27782638)
- Microsoft Windows Server with Hyper-V 2019 Datacenter edition
- Red Hat Enterprise Linux Kernel-based Virtual Machine (KVM) 9.1 and 9.0
- Red Hat Virtualization 4.3
- Ubuntu Hypervisor 22.04
- VMware vSphere Hypervisor (ESXi) 8.0, 7.0.3, 7.0.2, and 7.0.1
1.2.2. Supported Container Orchestration Platforms
For deployment on a bare-metal OS, the Delegated License Server (DLS) component of the NVIDIA License System is supplied as a containerized software image. The containerized software image must be deployed on a supported container orchestration platform.
The following container orchestration platform releases are supported:
- Docker 20.10.17 with Docker Compose 2.6.0
- Kubernetes 1.23.8
- Red Hat OpenShift Container Platform 4.10.18 with Kubernetes 1.23.5
- Podman 4.4.2 with Podman Compose 1.0.7
- VMware Tanzu Application Platform 1.1 with Kubernetes 1.23.6
1.2.3. Licensed Client Support
NVIDIA License System supports specific releases of several NVIDIA software products as licensed clients.
Software Product | Supported Releases |
---|---|
NVIDIA® vGPU™ software graphics drivers | NVIDIA vGPU software starting with release 13.0
Note:
Support for node-locked licensing was introduced in NVIDIA vGPU software 15.0. It is not supported in earlier NVIDIA vGPU software releases. |
1.2.4. Web Browser Requirements
NVIDIA License System and NVIDIA Licensing Portal were tested with Google Chrome version 86.0.4240.111 (Official Build) (64-bit).
A container orchestration platform cannot control or restrict access to the OS on which the platform is running. Therefore, containerized DLS software images cannot support the features of VM-based DLS virtual appliances that rely on the ability of the appliance to control the underlying OS.
Containerized DLS software images do not support the following features, for which equivalent functionality is available through standard OS interfaces:
- Log archive settings
- NTP configuration
- Static IP address configuration
- DLS diagnostics user configuration
- Disk expansion
Because a container orchestration platform cannot control the underlying OS, the following limitations also apply to containerized DLS software images:
- Online migration from a VM-based DLS virtual appliance to a containerized DLS software image is not supported because the destination containerized DLS software image retains its IP address even after data migration.
Instead, you must use offline migration when migrating from a VM-based DLS virtual appliance to a containerized DLS software image.
- When the secondary node is removed from an HA cluster, the containerized DLS software image that hosts the node is not shut down.
Instead, you must shut down the DLS software container manually.
Only resolved issues that have been previously noted as known issues or had a noticeable user impact are listed. The summary and description for each resolved issue indicate the effect of the issue on NVIDIA License System before the issue was resolved.
Bug ID | Summary |
---|---|
4129859 | Multiple licensed clients fail to acquire license If the MAC address in the request from a licensed client for a license is invalid, the client fails to obtain a license. When this issue occurs, an error message similar to the following example is written to the licensing event log file:
|
4.1. DLS 3.1.x purging event logs prematurely
Description
The DLS 3.1.x VM based appliance purges the audit events for lease and other operations if the disk space reaches 60%. This causes the reset of the DLS Metrics.
Workaround
The Corrective Action is to Increase the disk space allocation for the DLS VM to 15 GB - Pl refer : https://docs.nvidia.com/license-system/dls/3.0.0/nvidia-dls-user-guide/#dls-disk-expansion
Status
Open
Ref. #
4541542
4.2. The DLS management interface is inaccessible after an in-place upgrade
Description
After an in-place upgrade of the instances in an HA cluster, the DLS management interface is inaccessible on the secondary node of the cluster.
Workaround
If you created a snapshot of your DLS appliance before migrating it, restore the appliance from the snapshot and then perform a portal-assisted migration as explained in Performing a Portal-Assisted Migration of a DLS Instance in NVIDIA Delegated License Service User Guide. If you do not have a snapshot of your DLS appliance and the appliance is a VM-based appliance, revert the HA cluster to its state from before the attempted in-place upgrade and perform a portal-assisted migration.
- For each node in the cluster, revert the DLS appliance to its previous version and reset the upgrade job for the node.
- Revert the appliance to its previous version.
$ sudo nls-version-bios/upgrade/reset_upgrade_jobs.sh"
- When the management interface has restarted, log in to the node as the dls_admin user.
- As root, run the reset_upgrade_jobs.sh script to reset the upgrade job.
$ sudo -u root /etc/dls/scripts/reset_upgrade_jobs.sh
Resetting the upgrade job for a node typically takes at least five minutes.
- Revert the appliance to its previous version.
- After the upgrade jobs for all nodes have been reset, perform a portal-assisted migration as explained in Performing a Portal-Assisted Migration of a DLS Instance in NVIDIA Delegated License Service User Guide.
Status
Open
Ref. #
4264166
4.3. DLS instance displays benign warning message about clients with an invalid or empty MAC address
Description
When a DLS instance detects one or more clients with an invalid or empty MAC address, the instance displays the following warning message in a banner on the web GUI of the instance's NVIDIA Licensing application:
The service instance instance-name has some clients in an unhealthy state.
View unhealthy clients to take corrective action on the listed clients
Workaround
Ignore this message as it is benign. These clients obtain the licenses that they request from the server and no corrective action is required.
Status
Open
4.4. Service instances might be unable to reclaim unused licenses on clients with an invalid or empty MAC address
Description
When a client with an invalid or empty MAC address requests a license, the service instance grants the request and locates the client through the client's IP address. In an environment where the clients are VM instances with reused MAC addresses, the service instance might have granted licenses to multiple clients with invalid or empty MAC addresses. If a client in such an environment is abruptly shut down and cannot return the license, the service instance cannot locate the VM to reclaim the unused license on it. The license remains checked out until it expires, when the service instance can reclaim it.
Workaround
Forcibly release licenses acquired by client VMs with invalid or empty MAC addresses that have greater than usual longevity.
Status
Open
Ref. #
4163388
4.5. Login access to a DLS instance cannot be restricted to specific LDAP users
Description
After a DLS instance has been integrated with an LDAP server, login access to the web GUI of the instance cannot be restricted to specific user accounts in the LDAP directory on the server. Even if an LDAP search filter is configured, all users in the LDAP directory can log in to the DLS instance. This issue occurs because the DLS instance ignores any LDAP search filter restrictions that might have been configured for the DLS.
Status
Open
Ref. #
4151346
4.6. Users configured in LDAP Additional Details cannot log in to a DLS virtual appliance VM
Description
After a DLS instance has been integrated with an LDAP server, users configured in the Additional Details section of the LDAP configuration cannot log in to the VM that hosts DLS virtual appliance for the instance. This issue occurs whenever a search filter in the Additional Details section contains white space, for example, in the binddn
value. When the DLS instance writes the search filter to the file /etc/ldap.conf, the search filter is split into two lines in /etc/ldap.conf. As a result, the LDAP server can no longer parse the file /etc/ldap.conf.
Workaround
-
Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS virtual appliance.
-
Open the file /etc/ldap.conf for editing in a plain-text editor, such as vi.
$ vi /etc/ldap.conf
-
Remove all unwanted line breaks from the file /etc/ldap.conf.
-
Save your changes and quit the editor.
- Restart the VM that hosts the DLS virtual appliance.
Status
Open
Ref. #
4135514
4.7. Multiple VMs fail to acquire license with an
invalid origin environment
error
Description
In an environment where the clients are VM instances with reused MAC addresses, an issue with the NVIDIA vGPU software graphics driver might prevent clients with an invalid or empty MAC address from acquiring a license. Whenever this issue causes a VM to fail to acquire a license occurs, the following message is written to the licensing event logs on the client:
Tue May 23 03:04:05 2023:<1>:Failed to acquire license from api.cls.licensing.nvidia.com
Info: NVIDIA Virtual PC - Error: invalid origin environment)
Version
This issue affects the following releases of NVIDIA vGPU software:
- NVIDIA vGPU software 13.0 through 13.8
- NVIDIA vGPU software 15.0 through 15.3
Status
Resolved in NVIDIA vGPU software 16.0
Ref. #
4137753
4.8. Name resolution fails during startup if a name is used instead of an address for an NTP or syslog server
Description
If a DLS virtual appliance is reconfigured to specify an external NTP server or syslog server through the server's fully qualified domain name instead of its IP address, name resolution fails during startup of the DLS virtual appliance or the rsyslog service. When this issue occurs for an external syslog server, the rsyslogd daemon displays the following message:
cannot resolve hostname host-name
Workaround
For an HA cluster of DLS instances, apply this workaround to both nodes in the cluster.
-
Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS virtual appliance.
-
Delete the file /etc/resolv.conf.
$ sudo rm /etc/resolv.conf
-
Restart the network manager service.
$ sudo systemctl restart NetworkManager
- Reconfigure NTP or the Rsyslog tool.
Status
Open
Ref. #
4101673
4.9. HA cluster node is not synchronized while its virtual NIC is removed or its network is partitioned
Description
If a virtual network interface card (NIC) is removed from a node in an HA cluster or its network is partitioned, the node cannot reach other nodes in the cluster. The affected node handles the inability to reach other nodes as a failure of those nodes and assumes the primary role. While the NIC is removed or its network is partitioned, the node cannot be updated with information about operations that other nodes in the cluster have performed.
Workaround
After the virtual NIC is attached again or the network is no longer partitioned, the node assumes a role that depends on its uptime. When a node is restarted, it is synchronized with the primary node and assumes the secondary role. Therefore, how to synchronize the nodes in the cluster depends on the role that the node assumes when is able to reach other nodes in the cluster again:
- Primary: All other nodes in the cluster must be restarted.
- Secondary: The node itself must be restarted.
Status
Closed
Ref. #
4097705
4.10. Migration of a DLS instance fails
Description
Migration of a DLS instance can fail if a large quantity of data is to be migrated. This issue affects both online and offline migration of a DLS instance. When this issue occurs, the NVIDIA Licensing application on the new DLS virtual appliance is affected in one of the following ways:
- The NVIDIA Licensing Dashboard does not show license server details.
- The ACKNOWLEDGE MIGRATION button is absent from Maintenance page.
Workaround
Contact NVIDIA Enterprise Support to obtain a workaround for this issue.
Status
Open
Ref. #
3961380
4.11. HA cluster creation fails after migration of a DLS instance
Description
HA cluster creation after migration of a DLS instance can fail if a large quantity of data is to be migrated.
Workaround
Contact NVIDIA Enterprise Support to obtain a workaround for this issue.
Status
Open
Ref. #
3931610
4.12.
BadRequestError
error is displayed on the
Events
page of a DLS instance
Description
When a licensed client requests a license from a DLS instance, the following error is displayed on the Events page of the DLS instance:
BadRequestError(origin reference reference already in use by different fingerprint)
Workaround
Ignore this error because it is a transient error. After the licensed client repeats the request, this issue is resolved.
Status
Not a bug
Ref. #
3966221
4.13. VM-based DLS appliance has security vulnerabilities
Description
The VM-based DLS appliance for each supported hypervisor has security vulnerabilities related to options set for file-system partitions and access permissions for some files. The vulnerabilities are as follows:
- The nodev option is not set on the /boot/efi partition.
- Every time the VM that hosts the DLS appliance is started, Docker creates the following files with the mode
-rwxrwxrwx
, which allows write access by other users (world):- /home/dls_admin/device
- /home/dls_admin/dns
- /home/dls_admin/gateway
- /home/dls_admin/ip_address
- /home/dls_admin/static-ip-ova-logs
Workaround
You can mitigate these vulnerabilities by setting the nodev option on the affected file-system partition and restricting write access to the affected files. You need to change the affected partition only once. The change persists when the VM that hosts the DLS appliance is restarted.
- Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS appliance.
- Add the nodev mount option to the entry in /etc/fstab for the /boot/efi partition.
- Restart the VM that hosts the DLS appliance.
Restrict write access to the affected files that are recreated after every reboot of the VM every time the VM is rebooted.
-
Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS appliance.
-
Set the mode of the affected files that are recreated after every reboot of the VM to allow access only by owner and root.
-
Change to the /home/dls_admin directory.
$ cd /home/dls_admin
-
Change the mode of the affected files in this directory to
-rwxr-xr-x
.$ sudo chmod 755 \ device dns gateway ip_address static-ip-ova-logs
-
Status
Not a bug
Ref. #
3923943
4.14. Events cannot be exported from a DLS instance on a Kubernetes platform
Description
Events cannot be exported from a DLS instance hosted by a container-based DLS appliance running on Kubernetes, Red Hat OpenShift Container Platform, or VMware Tanzu Application Platform. When a user tries to export events, the attempt fails and the error message Export file generation failed. Please try again.
is displayed.
This issue occurs because the user that is exporting events does not have the permissions required to create the directories to which the events are exported.
Workaround
Create the directories to which the events are exported and grant write access to all users to these directories.
-
Change to the directory where the configurations volume is mounted.
-
Create the enc and unenc directories.
-
Create the enc directory.
$ mkdir enc
-
Create the unenc directory.
$ mkdir unenc
-
-
Grant write access to all users to the directories that you created in the previous step.
-
Grant write access to all users to the enc directory.
$ chmod -R 707 enc
-
Grant write access to all users to the unenc directory.
$ chmod -R 707 unenc
-
Status
Open
Ref. #
3917695
4.15. Validation of the client configuration token fails
Description
When Network Time Protocol (NTP) servers are configured for a VM-based DLS instance, the system times on the DLS instance and the licensed client might still be different. In this situation, validation of the client configuration token fails. When the licensed client requests a license, the request fails and the following error message is displayed:
Client Configuration Token Validation Failed.
Either the token is not activated or system clock settings are tampered
Workaround
When configuring NTP servers on a DLS virtual appliance, specify the IP addresses, not the fully qualified domain names, of the NTP servers.
Status
Open
Ref. #
3718863
4.16. VM hosting a DLS appliance cannot be reached
Description
After a VM-based DLS appliance has been installed, the VM that is hosting the DLS appliance cannot be reached after it has been started. This issue occurs when a static IP address has been assigned to the VM that is hosting the DLS appliance and the subnet mask of the VM's network was specified in an incorrect format. The subnet mask of the VM's network must be specified in classless inter-domain routing (CIDR) format without the leading slash character (/).
Workaround
Reinstall the VM-based DLS appliance, specifying the subnet mask in the correct format, namely, CIDR format without the leading slash character (/).
To get a subnet mask in CIDR format from its decimal equivalent, refer to the table on page 2 of IETF RFC 1878: Variable Length Subnet Table For IPv4. For example, the subnet mask in CIDR format of the decimal equivalent 255.255.255.0 is 24.
Status
Not a bug
Ref. #
3741535
4.17. Client fails to acquire offline license when rebooted
Description
When a licensed client that is configured with an offline license is rebooted, the client might fail to acquire a license. When this issue occurs, the following message is written to the licensing event log file on the client:
Client fingerprint mismatch - No valid lease found in local trusted store
This issue occurs when the MAC addresses of the network adapters for a client change when the client is rebooted. When the MAC addresses change, the NVIDIA vGPU software graphics driver treats the client as a new client and the offline license in the client's trusted storage database is discarded.
Typically, the MAC addresses change because the network configuration of the client has been explicitly changed by an administrator. However, the MAC address of a client can unexpectedly change when the client is rebooted for several reasons, for example:
- The client requests a license before the client's network interfaces are initialized.
- Docker or the NVIDIA Container Runtime for Docker is installed on the client and the ifconfig command lists it as a network interface.
Status
Open
Ref. #
200665895
To comply with the terms of the GPL/LGPL v3 license under which the GPL/LGPL v3 licensed Open Source Software (OSS) libraries within the DLS virtual appliance are released, the rsu_admin
user has the elevated privileges required to update and upgrade these libraries.
Any changes to the Ubuntu GPL/LGPL v3 licensed OSS libraries within the DLS virtual appliance might impair the performance of the DLS virtual appliance or prevent it from functioning as required. If you make any changes to these libraries, the affected DLS instance is no longer eligible for support from NVIDIA. It is your responsibility to ensure that the DLS instance continues to perform and function as required.
Ensure that the sudo DLS user account rsu_admin
has been created.
- Log in as the
rsu_admin
user to the VM that hosts the DLS virtual appliance. - Determine whether your existing network configuration allows the DLS virtual appliance to reach the Ubuntu package repositories. For example, download information from all configured sources about the latest versions of the packages.
$ sudo apt update
- If the DLS virtual appliance cannot reach the Ubuntu package repositories, modify your network configuration to allow access to these repositories.
- Ensure that your DNS server has the entries required to resolve the domain names of the Ubuntu package repositories.
- Delete the symbolic link /etc/resolv.conf.
$ sudo rm -f /etc/resolv.conf
- Copy the default
resolv.conf
file at /run/NetworkManager to /etc/resolv.conf.$ sudo cp /run/NetworkManager/no-stub-resolv.conf /etc/resolv.conf
- Use the Advanced Packaging Tool (APT) of the Ubuntu OS to check for and install any available updates to the Ubuntu GPL/LGPL v3 licensed OSS libraries.
- After installing the updates, restore your original network configuration.
- Delete the /etc/resolv.conf file that you copied earlier.
$ sudo rm -f /etc/resolv.conf
- Re-create the symbolic link /etc/resolv.conf.
$ sudo ln -s /run/NetworkManager/no-stub-resolv.conf /etc/resolv.conf
- Delete the /etc/resolv.conf file that you copied earlier.
The file /var/dls/sudouser is created to indicate that the Ubuntu GPL/LGPL v3 licensed OSS libraries within the DLS virtual appliance have been updated or upgraded. If the DLS virtual appliance is hosting a node in an HA cluster, this file is automatically copied to the other node in the cluster.
Notice
This document is provided for information purposes only and shall not be regarded as a warranty of a certain functionality, condition, or quality of a product. NVIDIA Corporation (“NVIDIA”) makes no representations or warranties, expressed or implied, as to the accuracy or completeness of the information contained in this document and assumes no responsibility for any errors contained herein. NVIDIA shall have no liability for the consequences or use of such information or for any infringement of patents or other rights of third parties that may result from its use. This document is not a commitment to develop, release, or deliver any Material (defined below), code, or functionality.
NVIDIA reserves the right to make corrections, modifications, enhancements, improvements, and any other changes to this document, at any time without notice.
Customer should obtain the latest relevant information before placing orders and should verify that such information is current and complete.
NVIDIA products are sold subject to the NVIDIA standard terms and conditions of sale supplied at the time of order acknowledgement, unless otherwise agreed in an individual sales agreement signed by authorized representatives of NVIDIA and customer (“Terms of Sale”). NVIDIA hereby expressly objects to applying any customer general terms and conditions with regards to the purchase of the NVIDIA product referenced in this document. No contractual obligations are formed either directly or indirectly by this document.
NVIDIA products are not designed, authorized, or warranted to be suitable for use in medical, military, aircraft, space, or life support equipment, nor in applications where failure or malfunction of the NVIDIA product can reasonably be expected to result in personal injury, death, or property or environmental damage. NVIDIA accepts no liability for inclusion and/or use of NVIDIA products in such equipment or applications and therefore such inclusion and/or use is at customer’s own risk.
NVIDIA makes no representation or warranty that products based on this document will be suitable for any specified use. Testing of all parameters of each product is not necessarily performed by NVIDIA. It is customer’s sole responsibility to evaluate and determine the applicability of any information contained in this document, ensure the product is suitable and fit for the application planned by customer, and perform the necessary testing for the application in order to avoid a default of the application or the product. Weaknesses in customer’s product designs may affect the quality and reliability of the NVIDIA product and may result in additional or different conditions and/or requirements beyond those contained in this document. NVIDIA accepts no liability related to any default, damage, costs, or problem which may be based on or attributable to: (i) the use of the NVIDIA product in any manner that is contrary to this document or (ii) customer product designs.
No license, either expressed or implied, is granted under any NVIDIA patent right, copyright, or other NVIDIA intellectual property right under this document. Information published by NVIDIA regarding third-party products or services does not constitute a license from NVIDIA to use such products or services or a warranty or endorsement thereof. Use of such information may require a license from a third party under the patents or other intellectual property rights of the third party, or a license from NVIDIA under the patents or other intellectual property rights of NVIDIA.
Reproduction of information in this document is permissible only if approved in advance by NVIDIA in writing, reproduced without alteration and in full compliance with all applicable export laws and regulations, and accompanied by all associated conditions, limitations, and notices.
THIS DOCUMENT AND ALL NVIDIA DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL NVIDIA BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF ANY USE OF THIS DOCUMENT, EVEN IF NVIDIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Notwithstanding any damages that customer might incur for any reason whatsoever, NVIDIA’s aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms of Sale for the product.
VESA DisplayPort
DisplayPort and DisplayPort Compliance Logo, DisplayPort Compliance Logo for Dual-mode Sources, and DisplayPort Compliance Logo for Active Cables are trademarks owned by the Video Electronics Standards Association in the United States and other countries.
HDMI
HDMI, the HDMI logo, and High-Definition Multimedia Interface are trademarks or registered trademarks of HDMI Licensing LLC.
OpenCL
OpenCL is a trademark of Apple Inc. used under license to the Khronos Group Inc.
Trademarks
NVIDIA, the NVIDIA logo, NVIDIA Maxwell, NVIDIA Pascal, NVIDIA Turing, NVIDIA Volta, Quadro, and Tesla are trademarks or registered trademarks of NVIDIA Corporation in the U.S. and other countries. Other company and product names may be trademarks of the respective companies with which they are associated.