Pure Cloud Block Store 6.3.x Release Notes

Enhancements

 

Adds improvements to SAML2 SSO (PURE-246860)

• Adds support for the Okta, Duo Security, and Azure AD IdPs.
• Adds group to role mapping on IdPs. Each IdP has unique configuration steps to map the user groups to the Purity//FA admin roles. Contact Pure Storage Technical Services to create an SSO integration application on the IdP side and to configure group to role mapping for the specified IdP.
  Note: Directory service configuration is no longer necessary for role mapping on IdPs.

Allows multiple DNS configurations with the puredns CLI command (PURE-243492)

Allows multiple DNS configurations, supporting the scenario of one DNS configuration for the management network and a different DNS configuration for the file network.

 

Security Updates

Hardens Purity's security infrastructure

• Addresses several CVEs: CVE-2020-36518, CVE-2022-22965, CVE-2022-22978, CVE-2022-24785, CVE-2022-28391. 
  See the Pure Knowledge article CVE Security Fixes per Purity Release for CVEs in Purity//FA releases.

Fixes

These issues have been fixed.

Hardens upgrades on Cloud Block Store for Azure (PURE-250540)

Secondary controller CT1 replacement failed during a Cloud Block Store for Azure upgrade due to an unseen license activation error.

Implements more efficient handling of host connections and host array preferences (PURE-252691)

Reduces a bottleneck that could be experienced by replication customers with many host connections and host array preferences. After an upgrade, the bottleneck could lead to an I/O timeout on the peer array, causing the pod to go offline.

---

 

Security Updates

Hardens Purity's security infrastructure

• Routine library upgrades for security vulnerability fixes (PURE-252553)
• Hardened SSL sessions against impersonation (PURE-250418)
• Addresses CVE-2020-36518 and CVE-2022-28391. See the Pure Knowledge article CVE Security Fixes per Purity Release for CVEs in Purity//FA releases.

Fixes

These issues have been fixed.

Addresses S3 request time outs on slow connections (PURE-249265)

Optimizes network buffers to avoid incorrect detection of stale connections, which could lead to time outs.

Hardens volume copy operations (PURE-247335)

In some cases, a volume copy operation would fail due to the most recent pod snapshot being incomplete.

Enables the SNMP test function in the Purity GUI for the Ops Admin role (PURE-245370)

Previously, the test button was disabled for users with that role.

Addresses a case of an OpenLDAP user not being able to log into Purity (PURE-243414)

Previously, an OpenLDAP user with both the posixAccount and shadowAccount object classes, but without the group type posixGroup, could not log into the array.

Hardens ActiveCluster resync operations (PURE-235608)

Prevents a potential metadata inconsistency following recovery from an ActiveCluster resync operation failure.

Enhancements

Introduces Pure Storage Representational State Transfer (REST) API v2.14 (PURE-252392)

Access the Pure Cloud Block Store REST API 2.14 reference documentation from the Purity//FA GUI left navigation panel > Help > REST API 2.X Guide. See also the Purity//FA REST API 2.x Release Notes.

Introduces an alert when snapshot limits are reached (PURE-249844)

Alert 226 is generated if a protection group snapshot or volume snapshot limit is reached.

Provides an optimization to disable space usage logging in syslog (PURE-248049)

Customers who experience excessive space usage logging to syslog should contact Pure Technical Services for the optimization.

Optimizes the space reclamation service (PURE-240130)

Optimizes the space reclamation service based on needs of the workload conditions, in order to avoid system space buildup.

New Features

Introduces SafeMode support for protection groups (PURE-236177)

In addition to array wide SafeMode protection, SafeMode can now also be applied to a protection group. In the event of a ransomware attack, protection group SafeMode settings protect existing backups by enforcing restrictions on changes to protection group configuration, including snapshot and replication schedules.
Enabling SafeMode for a protection group is termed “ratcheting the retention lock" for the protection group. Protection group protections are the same when SafeMode is applied to the entire array and when SafeMode is applied only to a specific protection group (or groups). In both cases, when SafeMode is ratcheted on a protection group, the following potentially dangerous operations are prevented:

• Manually eradicating a protection group, its pod, or its snapshots
• Destroying the protection group
• Decreasing the array-wide eradication delay
• Removing a member of the protection group
• Removing a protection group target
• Reducing the protection group snapshot or replication frequency or retention period
• Disabling the protection group snapshot or replication schedule

SafeMode is applied to a protection group in the GUI (Protection > Protection Group > SafeMode pane) and the CLI (purepgroup retention-lock ratchet command).
Notes:

• The following types of protection group cannot be ratcheted:
  • An empty protection group
  • A protection group with host or host group members
  • A protection group with offload targets
• Destroying a pod with the option --destroy-contents implicitly destroys non-empty protection groups the pod contains, even when the retention lock is ratcheted.
• In this release, snapshots still may be eradicated on an NFS offload target even when the parent protection group is in SafeMode (the retention-lock applies only to the local machine).

Enhancements

Supports cloning a snapshot out of demoted pod (PURE-243541)

For a demoted pod that contains volume snapshots, this change allows use of the purevol copy command to create a volume outside the demoted pod from a snapshot in the demoted pod. For example: purevol copy demoted-pod::vol.1 vol-copy

Increases subnet management in the GUI (PURE-201933)

Now supports enabling or disabling a subnet that contains interfaces in the GUI (Settings > Network > Subnets & Interfaces). This functionality has been supported in the CLI (puresubnet command).

Adds logging of performance metrics for AWS resources (PURE-220595)

For Cloud Block Store for AWS, adds logging of performance metrics for AWS resources.
Requires that s3:PutMetricsConfiguration for All Resources be added in the customer's AWS service role.

Introduces Pure Storage Representational State Transfer (REST) API v2.13

Access the Pure Cloud Block Store REST API 2.13 reference documentation from the Purity//FA GUI left navigation panel > Help > REST API 2.X Guide. See also the Purity//FA REST API 2.x Release Notes.
Note: Previously, a PATCH protection-groups query with no body succeeded, even though a query body should have been required. In REST 2.13, the query correctly receives a 403 Forbidden error. To avoid the error, include the parameters to be updated in the JSON body of the query.

Fixes

These issues have been fixed.

Introduces an optimization to address a case of write latency (PURE-236381)

Write latency has been seen in a scenario of very heavy read workload with large block sizes (much larger than 32K), even when writes constitute a small percentage of the workload, as when a host is performing a large amount of WRITE SAME traffic.
Contact Pure Technical Services for an optimization to address the latency.

Adds restrictions to protection group membership (PURE-233004)

On ActiveDR arrays, this change disallows hosts with cross-pod volumes from adding those volumes to protection groups that do not protect those volumes. If a host contains a volume in a pod, and that pod is not protected by the protection group, then the host cannot be added to the protection group.

Changes the response to attempts to resize a volume to its current size (PURE-231102)

Such attempts now receive a Could not resize volume error message.

Corrects the purepod listobj CLI command (PURE-231051)

Previously in Purity 6.x releases, the purepod listobj --type command ignored array, protection group, or volume types and only reported pods.

Improves the efficiency of operations on protection groups with high numbers of snapshots (PURE-230176)

Some protection group operations, such as list and copy, could be slow for protection groups with a high number of snapshots.

Identifies the correct user in audit logs for operations on follower arrays (PURE-226512)

Previously on ActiveCluster or ActiveDR arrays, the audit log could incorrectly show changes made on the follower array as being performed by root.

Returns up to 1,000 objects on historical performance queries (PURE-223568)

The previous limit was 500 objects.

Corrects the Health page on low resolution displays (PURE-220777)

Ensures that the horizontal scroll bar is present and that each chart can be seen.

Hardens handling of offload 'Network unreachable' connection errors (PURE-219115)

Previously, offload could incorrectly retry failed connections using IPv6 addresses even on an IPv4 network.

Command Line Interface Changes

Purity 6.3.0 incurred the following CLI changes: