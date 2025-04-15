Description

A security scan of the DLS appliance reveals that the DLS appliance has an expired SSL certificate and weak message authentication code cipher suites.

By default, a DLS virtual appliance is configured with a self-signed X.509 SSL server certificate that is included in the DLS virtual appliance image from which the DLS virtual appliance is created. This certificate expired on November 14, 2023.

The DLS appliance supports Transport Layer Security (TLS) version 1.2 but the weak message authentication code cipher suites have not been removed. The TLS/SSL server in the DLS appliance also supports the use of static key ciphers.



Workaround

To address the issue of the expired SSL certificate, install a new SSL certificate. You can use a self-signed SSL certificate or a certificate that is signed by a third party, such as a certificate authority (CA), for this purpose.

To address the issue of weak code cipher suites, customize the ciphers that the DLS appliance should use.

Ensure that the sudo DLS user account rsu_admin has been created.

Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS virtual appliance. As root, open the file /var/lib/docker/volumes/configurations/_data/ui/dls-web-ui.conf.template for editing in the nano plain-text editor. Copy Copied! $ sudo nano /var/lib/docker/volumes/configurations/_data/ui/dls-web-ui.conf.template In the file /var/lib/docker/volumes/configurations/_data/ui/dls-web-ui.conf.template, remove the weak message authentication code cipher suites and add the directive ssl_ciphers followed by the ciphers that you want to use. For example, to use the TLS_RSA_WITH_AES_128_CCM_8 cipher, add the following directive: Copy Copied! ssl_ciphers "TLS_RSA_WITH_AES_128_CCM_8"; Save your changes to the /var/lib/docker/volumes/configurations/_data/ui/dls-web-ui.conf.template file and quit the editor. Restart the DLS appliance.

Status

Open



Ref. #

4016523

Description

Cloud License Server (CLS) instances deny license requests from clients the host name of which is localhost . This behavior is the expected behavior for the CLS. For security reasons, the CLS denies requests from clients the host name of which is localhost .



Workaround

Avoid assigning the host name localhost to licensed clients of CLS instances.

to licensed clients of CLS instances. Use Delegated License Service (DLS) instances to serve licenses to clients that have the host name localhost .

Status

Not a bug



Ref. #

4036980

Description

If a Windows DNS server is used for name resolution, and the DLS instance is accessed through the fully qualified domain name of its VM, the internal DLS services of the instance cannot be restarted from the management interface of the NVIDIA Licensing application of the DLS instance. On the Service Instance page, the RESTART button remains deactivated even if the status of the services is displayed as inactive.

You can restart these services from the management interface only if you are logged in to the specific instance whose services must be restarted. The DLS determines the instance by matching the fully qualified domain name of the instance with browser's URL origin property.

This issue occurs when the case of the fully qualified domain name in the DNS entry that maps the default host name to the fully qualified domain name is different from the case of the browser's URL origin property. This issue occurs with Windows DNS servers because the fully qualified domain name is in uppercase but the browser's URL origin property is typically in lowercase.



Workaround

Use any one of the following workarounds for this issue.

When logging in to the DLS appliance, specify the IP address of the VM on which the DLS virtual appliance is installed instead of its fully qualified domain name or CNAME.

Modify the DNS entry that maps the default host name to the fully qualified domain name to use a lowercase fully qualified domain name.

Status

Open



Ref. #

4351000

Description

When the Network Time Protocol (NTP) configuration of a DLS instance is changed from the management interface of the NVIDIA Licensing application of the DLS instance, the changes are not applied to the instance. This issue occurs because both the systemd-chronyd service and the systemd-timesyncd service are active in the DLS instance and the instance uses the systemd-timesyncd service for synchronization with an NTP server. However, when NTP is configured from the DLS management interface, only the settings for the systemd-chronyd service are changed.



Workaround

Disable the systemd-timesyncd service or use standard OS interfaces to configure the systemd-timesyncd service.

Before attempting either workaround, ensure that the sudo DLS user account rsu_admin has been created.

To disable the systemd-timesyncd service:

Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS instance. As root, run the systemctl command to disable the systemd-timesyncd service. Copy Copied! $ sudo systemctl disable systemd-timesyncd When the systemd-timesyncd service is disabled, the DLS instance uses the systemd-chronyd service for synchronization with an NTP server.

To use standard OS interfaces to configure systemd-timesyncd service:

Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS instance. As root, open the file /etc/systemd/timesyncd.conf for editing in the nano plain-text editor. Copy Copied! $ sudo nano /etc/systemd/timesyncd.conf In the /etc/systemd/timesyncd.conf file, specify the NTP servers that you want to use. Save your changes to the /etc/systemd/timesyncd.conf file and quit the editor. As root, restart the systemd-timesyncd service. Copy Copied! $ sudo systemctl restart systemd-timesyncd

Status

Open



Ref. #

4399804

Description

When a lightweight directory access protocol (LDAP) directory is used for managing user access to a DLS appliance, user account names for logging in to the DLS appliance are case sensitive. However, this behavior is inconsistent with the default behavior of an LDAP directory: By default, LDAP distinguished names and attributes are case insensitive.



Status

Open



Ref. #

4399814

Description

Failover events are omitted in error from the Events page of the NVIDIA Licensing application on the DLS instances in a High Availability (HA) cluster of DLS instances. These events are generated by the Heartbeat service in the cluster and are written to the log files for the DLS appliance as expected.



Workaround

Configure email alerts for failover events from the Heartbeat service.

Examine the log files on the DLS appliance for failover events from the Heartbeat service.

Status

Open

Description

Critical security vulnerabilities in the Ubuntu package xxd_2:8.1.2269-1ubuntu5.17 affect VM-based DLS appliances. This issue does not affect the functionality of these DLS appliances. For more information, refer to the Ubuntu security notice USN-6420-1: Vim vulnerabilities.



Workaround

Install an updated version of the xxd package that addresses these vulnerabilities.

Note: All other packages that are affected by this issue have been removed from the DLS appliance image.

Ensure that the sudo DLS user account rsu_admin has been created.

Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS appliance. Add the Ubuntu jammy software repositories to the list of configured APT resources in the main APT sources configuration file /etc/apt/sources.list. Copy Copied! $ sudo sh -c 'echo "deb http://us.archive.ubuntu.com/ubuntu/ jammy main restricted deb http://us.archive.ubuntu.com/ubuntu/ jammy-updates main restricted deb http://us.archive.ubuntu.com/ubuntu/ jammy universe deb http://us.archive.ubuntu.com/ubuntu/ jammy-updates universe deb http://us.archive.ubuntu.com/ubuntu/ jammy multiverse deb http://us.archive.ubuntu.com/ubuntu/ jammy-updates multiverse deb http://us.archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse deb http://security.ubuntu.com/ubuntu jammy-security main restricted deb http://security.ubuntu.com/ubuntu jammy-security universe deb http://security.ubuntu.com/ubuntu jammy-security multiverse" > /etc/apt/sources.list' Download information from all configured sources about the latest versions of the packages available from those sources. Copy Copied! $ sudo apt update Install the xxd package. Copy Copied! $ sudo apt install -yq xxd

Status

Open

Description

The self-signed SSL certificates that are installed on the DLS appliance expire on November 14, 2023. This issue does not affect the functionality of the DLS appliance.



Workaround

Optional: Replace the installed certificates with custom certificates.



Status

Open

Description

Due to heavy traffic on the CLS instance, the response time for some requests exceed the three-second timeout limit, resulting in network communication failures on the client. This issue happens intermittently for the lease operations because the subsequent service request launched by the retry logic from the client driver will be more likely to succeed.



Status

Open



Ref. #

4235254

Description

In a Unix environment, when you use the Log Archival feature to mount a network file share, the following error message is displayed on the Basics Setting page:

Copy Copied! Cannot mount the network file share, something went wrong, please check your credentials.

This issue occurs in the following situations:

If you are using DLS version 3.1 or an earlier version and you configure log archival for the Unix platform on the DLS virtual appliance.

If an in-place upgrade is performed from DLS version 3.1 or an earlier version to DLS version 3.2 and you configure Log Archival for the Unix platform on the DLS virtual appliance.

Workaround

The workaround is for the situation in which you want to perform an in-place upgrade on a Unix platform using Log Archival. Follow these instructions after an in-place upgrade:

Log in as the rsu_admin user. Run the sudo apt-get update command. Run the sudo apt-get install -yq nfs-common command.

Note: This workaround is applicable only after the in-place upgrade is complete.





Status

Open



Ref. #

4223357

Description

When a client with an invalid or empty MAC address requests a license, the service instance grants the request and locates the client through the client's IP address. In an environment where the clients are VM instances with reused MAC addresses, the service instance might have granted licenses to multiple clients with invalid or empty MAC addresses. If a client in such an environment is abruptly shut down and cannot return the license, the service instance cannot locate the VM to reclaim the unused license on it. The license remains checked out until it expires, when the service instance can reclaim it.



Workaround

Forcibly release licenses acquired by client VMs with invalid or empty MAC addresses that have greater than usual longevity.



Status

Open



Ref. #

4163388

Description

After a DLS instance has been integrated with an LDAP server, users configured in the Additional Details section of the LDAP configuration cannot log in to the VM that hosts DLS virtual appliance for the instance. This issue occurs whenever a search filter in the Additional Details section contains white space, for example, in the binddn value. When the DLS instance writes the search filter to the file /etc/ldap.conf, the search filter is split into two lines in /etc/ldap.conf. As a result, the LDAP server can no longer parse the file /etc/ldap.conf.



Workaround

Use the hypervisor management console of the appliance to log in as the user dls_admin to the VM that hosts the DLS virtual appliance. Open the file /etc/ldap.conf for editing in a plain-text editor, such as vi. Copy Copied! $ vi /etc/ldap.conf Remove all unwanted line breaks from the file /etc/ldap.conf. Save your changes and quit the editor. Restart the VM that hosts the DLS virtual appliance.

Status

Open



Ref. #

4135514

Description

In an environment where the clients are VM instances with reused MAC addresses, an issue with the NVIDIA vGPU software graphics driver might prevent clients with an invalid or empty MAC address from acquiring a license. Whenever this issue causes a VM to fail to acquire a license occurs, the following message is written to the licensing event logs on the client:

Copy Copied! Tue May 23 03:04:05 2023:<1>:Failed to acquire license from api.cls.licensing.nvidia.com Info: NVIDIA Virtual PC - Error: invalid origin environment)

Version

This issue affects the following releases of NVIDIA vGPU software:

NVIDIA vGPU software 13.0 through 13.8

NVIDIA vGPU software 15.0 through 15.3

Status

Resolved in NVIDIA vGPU software 16.0



Ref. #

4137753

Description

If a virtual network interface card (NIC) is removed from a node in an HA cluster or its network is partitioned, the node cannot reach other nodes in the cluster. The affected node handles the inability to reach other nodes as a failure of those nodes and assumes the primary role. While the NIC is removed or its network is partitioned, the node cannot be updated with information about operations that other nodes in the cluster have performed.



Workaround

After the virtual NIC is attached again or the network is no longer partitioned, the node assumes a role that depends on its uptime. When a node is restarted, it is synchronized with the primary node and assumes the secondary role. Therefore, how to synchronize the nodes in the cluster depends on the role that the node assumes when is able to reach other nodes in the cluster again:

Primary: All other nodes in the cluster must be restarted.

All other nodes in the cluster must be restarted. Secondary: The node itself must be restarted.

Status

Closed



Ref. #

4097705

Description

Windows clients cannot return leases to the upgraded DLS node. The failure happens only if the first operation performed by a Windows client is returning leases to an upgraded DLS node. Currently, the DLS upgrade operation does not maintain the auth tokens issued by the existing DLS node. As a result, when the client provides the auth token that was issued before the DLS upgrade, the upgraded node does not acknowledge that token and issues the following error message:

Copy Copied! Failed to return license to dhcp-10-24-129-182.nvidia.com (Error: invalid token: Signature verification failed.)

After a reboot of the Windows client, the lease that was not returned previously will be assigned to the client. This lease will be returned to the server if the client initiates a lease return after at least one successful lease renewal.

If the virtual machine is shut down, you can manually release the lease by choosing the Force Release option using the License Server GUI or wait until the license expires.



Status

Open



Ref. #

4092741

Description

The VM-based DLS appliance for each supported hypervisor has security vulnerabilities related to options set for file-system partitions and access permissions for some files.

The vulnerabilities are as follows:

The nodev option is not set on the /boot/efi partition.

set on the /boot/efi partition. Every time the VM that hosts the DLS appliance is started, Docker creates the following files with the mode -rwxrwxrwx , which allows write access by other users (world): /home/dls_admin/device /home/dls_admin/dns /home/dls_admin/gateway /home/dls_admin/ip_address /home/dls_admin/static-ip-ova-logs

, which allows write access by other users (world):

Workaround

You can mitigate these vulnerabilities by setting the nodev option on the affected file-system partition and restricting write access to the affected files.

You need to change the affected partition only once. The change persists when the VM that hosts the DLS appliance is restarted.

Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS appliance. Add the nodev mount option to the entry in /etc/fstab for the /boot/efi partition. Restart the VM that hosts the DLS appliance.

Restrict write access to the affected files that are recreated after every reboot of the VM every time the VM is rebooted.

Use the hypervisor management console of the appliance to log in as the user rsu_admin to the VM that hosts the DLS appliance. Set the mode of the affected files that are recreated after every reboot of the VM to allow access only by owner and root. Change the mode of the affected files in this directory to -rwxr-xr-x . Copy Copied! sudo chmod 755 /home/dls_admin/ip_address sudo chmod 755 /home/dls_admin/gateway sudo chmod 755 /home/dls_admin/dns sudo chmod 755 /home/dls_admin/device

Status

Not a bug



Ref. #

3923943

Description

Clients are failing to renew due to errors in the log bundle class 'pg8000.exceptions.InterfaceError "network error on write" - fail to renew.



Workaround

Option 1: Restart Services using the DLS Console.

Log in as the rsu_admin user in the DLS console. Execute this command: Copy Copied! sudo docker exec -it config-nls-si-0-1 supervisorctl restart auth lease admin serviceInstance Wait for the services to start and verify that the UI is accessible.

Option 2: Restart the DLS Node .

This option can be used if enabling rsu_admin is not preferred.

Restart the DLS node from the hypervisor console. Wait for the DLS services and UI to start.

Note: For Container Deployments: The same steps apply to the containerized version of the DLS. The difference is that the container must be restarted instead of the entire DLS VM.





Status

Open



Ref. #

5019817

Description

When a licensed client that is configured with an offline license is rebooted, the client might fail to acquire a license. When this issue occurs, the following message is written to the licensing event log file on the client:

Copy Copied! Client fingerprint mismatch - No valid lease found in local trusted store

This issue occurs when the MAC addresses of the network adapters for a client change when the client is rebooted. When the MAC addresses change, the NVIDIA vGPU software graphics driver treats the client as a new client and the offline license in the client's trusted storage database is discarded.

Typically, the MAC addresses change because the network configuration of the client has been explicitly changed by an administrator. However, the MAC address of a client can unexpectedly change when the client is rebooted for several reasons, for example:

The client requests a license before the client's network interfaces are initialized.

Docker or the NVIDIA Container Runtime for Docker is installed on the client and the ifconfig command lists it as a network interface.

Status

Open



Ref. #

200665895