Red Hat Enterprise Linux OpenStack Platform 6 Technical Notes

Red Hat Enterprise Linux
OpenStack Platform 6
Technical Notes
Technical Notes for Red Hat Enterprise Linux OpenStack
Platform and supporting packages.
OpenStack Documentation Team
Red Hat Customer Content Services
Legal Notice
Copyright © 2015 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version
of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If
the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees
not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable
law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora,
the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other
countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the
United States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European
Union and other countries.
Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not
formally related to or endorsed by the official Joyent Node.js open source or
commercial project.
The OpenStack ® Word Mark and OpenStack Logo are either registered
trademarks/service marks or trademarks/service marks of the OpenStack
Foundation, in the United States and other countries and are used with the
OpenStack Foundation's permission. We are not affiliated with, endorsed or
sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Abstract
These Technical Notes are provided to supplement the information contained in the
text of Red Hat Enterprise Linux OpenStack Platform errata advisories released
through Red Hat Network.
Table of Contents
Chapter 1. Overview ... 2
Chapter 2. RHEA-2015:0148 — openstack-neutron enhancement advisory ... 4
2.1. openstack-neutron ... 4
Chapter 3. RHEA-2015:0152 — openstack-nova enhancement advisory ... 8
3.1. openstack-nova ... 8
Chapter 4. RHEA-2015:0154 — python-django-horizon enhancement advisory ... 12
4.1. python-django-horizon ... 12
Chapter 5. RHBA-2015:0157 — Red Hat Enterprise Linux OpenStack 6.0 bug fix advisory ... 19
5.1. ceph ... 19
5.2. openstack-cinder ... 19
5.3. openstack-nova ... 19
5.4. openstack-puppet-modules ... 20
5.5. openstack-selinux ... 20
Chapter 6. RHBA-2015:0633 — python-django-horizon bug fix advisory ... 22
6.1. python-django-horizon ... 22
6.2. python-django-openstack-auth ... 23
Chapter 7. RHBA-2015:0639 — openstack-keystone bug fix advisory ... 24
7.1. openstack-keystone ... 24
Chapter 8. RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory ... 25
8.1. diskimage-builder ... 25
8.2. instack-undercloud ... 25
8.3. libguestfs ... 25
8.4. mariadb-galera ... 26
8.5. openstack-selinux ... 26
Chapter 9. RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug fix update ... 27
9.1. openstack-packstack ... 27
9.2. openstack-selinux ... 28
9.3. vulnerability ... 29
Chapter 10. RHSA-2015:0790 — Important: openstack-nova security, bug fix, and enhancement update ... 30
10.1. openstack-nova ... 30
10.2. vulnerability ... 32
Revision History ... 33
Red Hat Enterprise Linux OpenStack Platform 6 Technical Notes
Chapter 1. Overview
These Technical Notes are provided to supplement the information contained in the text of
Red Hat Enterprise Linux OpenStack Platform errata advisories released through Red Hat
Network. If the text for an advisory's problem description is too lengthy to fit into the
advisory itself, bug listings for that advisory are published as a chapter in this document.
The following table contains the list of errata advisories for this version.
Table 1.1. Errata Advisories
Release 6.0
Errata chapters:
Chapter 2, RHEA-2015:0148 — openstack-neutron enhancement advisory
Chapter 3, RHEA-2015:0152 — openstack-nova enhancement advisory
Chapter 4, RHEA-2015:0154 — python-django-horizon enhancement advisory
Chapter 5, RHBA-2015:0157 — Red Hat Enterprise Linux OpenStack 6.0 bug fix advisory
Additional advisories include:
RHEA-2015:0144 - Red Hat Enterprise Linux OpenStack Platform 6.0 Enhancement Advisory.
RHEA-2015:0145 - openstack-swift enhancement advisory.
RHEA-2015:0146 - openstack-sahara enhancement update.
RHEA-2015:0147 - openstack-heat enhancement advisory.
RHEA-2015:0149 - openstack-ceilometer enhancement advisory.
RHEA-2015:0150 - openstack-glance enhancement advisory.
RHEA-2015:0151 - openstack-cinder enhancement advisory.
RHEA-2015:0153 - openstack-keystone enhancement advisory.
RHEA-2015:0155 - openstack-packstack and openstack-puppet-modules enhancement advisory.
Release 6.0.1
Errata chapters:
Chapter 6, RHBA-2015:0633 — python-django-horizon bug fix advisory
Chapter 7, RHBA-2015:0639 — openstack-keystone bug fix advisory
Chapter 8, RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory
Additional advisories include:
RHBA-2015:0630 - openstack-packstack bug fix advisory
RHBA-2015:0631 - openstack-swift bug fix advisory
RHBA-2015:0632 - openstack-sahara bug fix advisory
RHBA-2015:0634 - openstack-heat bug fix advisory
RHBA-2015:0635 - openstack-neutron bug fix advisory
RHBA-2015:0636 - openstack-ceilometer bug fix advisory
RHBA-2015:0637 - openstack-cinder bug fix advisory
RHBA-2015:0638 - openstack-nova bug fix advisory
RHSA-2015:0643 - Important: qemu-kvm-rhev security update
RHSA-2015:0644 - Low: openstack-glance security and bug fix update
RHSA-2015:0645 - Important: redhat-access-plugin-openstack security update
These packages include rebases to 2014.2.2 for the Block Storage, Compute, Dashboard,
Identity, Image, Networking, Orchestration, Sahara, Telemetry, and Trove services.
Release 6.0.2
Errata chapters:
Chapter 9, RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug fix update
Chapter 10, RHSA-2015:0790 — Important: openstack-nova security, bug fix, and enhancement update
Additional advisories include:
RHBA-2015:0784 - openstack-cinder bug fix advisory
RHBA-2015:0785 - openstack-neutron bug fix advisory
RHBA-2015:0786 - openstack-ceilometer bug fix advisory
RHBA-2015:0787 - Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory
RHSA-2015:0788 - Moderate: novnc security update
Chapter 2. RHEA-2015:0148 — openstack-neutron enhancement advisory
The bugs contained in this chapter are addressed by advisory RHEA-2015:0148. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHEA-2015-0148.html.
2.1. openstack-neutron
BZ#1029871
This enhancement enables changes to a subnet's IP address
allocation pool using the update command. Previously,
administrators were unable to change the allocation pool range
for a subnet.
If shrinking the pool, consideration must be given to IP
addresses that have already been allocated.
BZ#1042396
This enhancement adds high availability for OpenStack Networking
(neutron) virtual routers. This was added due to the impact of
virtual routers going down with a network node; instances would
lose external connectivity.
Virtual routers can now be created with the 'High availability'
flag, if the administrator sets it as the default. As a result,
routers will then be created on multiple network nodes, with a
designated single active instance node. The active node forwards
traffic while the standbys monitor the master. In the event of
failure impacting the active node, one of the standbys takes over
as the new active node.
BZ#1042550
This update enables OpenStack Networking (neutron) to create a
Provider Network that uses an upstream device with Router
Advertisement multicasts.
As a result, instances are able to use Stateless Address
Autoconfiguration (SLAAC) to configure their IPv6 networking.
BZ#1044272
With this enhancement, Tenant networks can now be created that
use the 'dnsmasq' process inside the DHCP agent to serve
additional configuration to IPv6 DHCP clients, including support
for IPv6 stateless subnets.
BZ#1046786
This enhancement allows the creation of Tenant networks that use
the 'radvd' process within the L3 agent for Router Advertisement
messages.
As a result, instances are able to use Stateless Address
Autoconfiguration (SLAAC) or DHCPv6 to configure their IPv6
networking.
BZ#1085645
This enhancement enables ipset kernel groups to be used for
matching IP addresses in iptables security groups.
The previous implementation of security groups, which made
intensive use of iptables rules, resulted in an exponential growth
of iptables rules in some cases. Specifically, multiple IP
addresses previously needed to be added to the security groups of
each Compute node's network port.
As a result of this enhancement, the size of the iptables rule set
on Compute nodes is significantly reduced, resulting in a
performance increase in accepting new connections.
BZ#1103404
With this enhancement, all tables are now included during the
creation of the database schema. This behavior allows for easier
plugin management.
Consequently, all OpenStack Networking (neutron) tables are
present in the database after upgrading to Red Hat Enterprise
Linux OpenStack Platform 6.
BZ#1162698
Prior to this update, the DHCP server was not available from
inside instances attached to IPv6 DHCP subnets.
This update addresses this issue by creating a port in the DHCP
agent namespace. As a result, the DHCP server is accessible from
inside instances, and instances are able to receive DHCP
information.
BZ#1169125
Previously, Router Advertisements sent by the OpenStack
Networking (neutron) L3 agent had the 'Other (O)' flag unset for
DHCP stateless subnets.
Consequently, the DHCP client was not aware of additional
configuration options available from the DHCP server, so would
not attempt to request these.
This update addresses this issue by setting the 'Other (O)' flag
for Router Advertisements sent to DHCP stateless subnets.
As a result, the DHCP client is notified about additional DHCP
configuration options, and is able to request allocation.
BZ#1173987
In deployments using IPv6 networks with OpenStack Networking,
IPv6 subnets do not have a gateway set. As a result, IPv6
networks do not work as expected.
BZ#1177612
Prior to this update, Keepalived removed virtual routes if the
VIPs changed order and the VIP that was previously first changed
its position.
Consequently, as the router's default gateway is configured as a
virtual route, the router's default route may vanish, breaking
external connectivity for all instances.
This behaviour was due to Keepalived's requirement that the first
VIP in the keepalived configuration file remains first after
sending a HUP signal to keepalived.
This update addresses this issue by generating a fake address and
using it as the first VIP.
Consequently, the first VIP is a stable constant value and
remains fixed in place, and the router's default route no longer
vanishes as a result.
BZ#1177615
Prior to this update, all instances of a HA router (master and
slave) had IPv6 link local addresses configured on each
interface. As a result, IPv6 traffic was being generated once
every two minutes and each MAC address was identical between
different instances of a HA router.
Consequently, the interface's MAC address was re-learned by the
physical switches of the datacenter, thereby resulting in traffic
being sent to the incorrect node.
This update resolves this issue by removing IPv6 link local
addresses from slave instances of HA routers. As a result, the
IPv6 addresses only appear on the master instance, thereby
ensuring that slaves never generate traffic, and that the MAC
addresses appear only on the master node.
BZ#1177616
Prior to this update, when configuring a new floating IP on a HA
router, the L3 agent observed the state on the system in order to
decide whether to write the new address to keepalived.conf. If the
address was not configured on the external device of the router,
it was added to the configuration. Note that the agent never
appends to the keepalived configuration but overwrites it on every
reconfiguration; this means that when restarting an agent and
waiting for it to sync with the controller, there are varying
outcomes depending on the role of the instance:
* On a master instance, none of the floating IPs will be written
to the keepalived configuration file, as all of the pre-existing
floating IPs are already configured on the system and thus will
not be written to the new configuration file, in effect removing
them. As a result, master instances will delete previously
configured floating IPs whenever the L3 agent is restarted.
* On a slave instance, floating IPs are never configured on the
host, thus are always added to the configuration file. As a
result, slave instances will have multiple copies of every
floating IP in keepalived's configuration file. This has no
actual effect.
This update addresses this issue by configuring the L3 agent to
instead use its in-memory cache of the keepalived configuration,
rather than state observation. Since the configuration is held in
memory, the agent's cache is empty after a restart, so all
floating IPs are added to the file. From that point on, a
floating IP is configured only if it is not already present in the
configuration.
Consequently, floating IP addresses are configured properly on HA
routers on both master and slave instances.
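The following Python model, added here as an illustration and not taken from the openstack-neutron package, simulates the two decision strategies described above for a router instance whose floating IPs already exist on the system when the L3 agent restarts. The class and function names and the 203.0.113.x addresses are constructed for the example.

```python
class HaRouterInstance:
    """One instance of an HA router. keepalived plumbs the VIPs listed in its
    configuration onto the external device only when this instance is master."""

    def __init__(self, role, floating_ips):
        self.role = role
        self.conf = list(floating_ips)      # keepalived.conf as last written
        self._apply_conf()

    def _apply_conf(self):
        # Equivalent of keepalived re-reading its file after a HUP.
        self.device_addrs = set(self.conf) if self.role == "master" else set()

    def write_conf(self, entries):
        self.conf = list(entries)           # the agent overwrites, never appends
        self._apply_conf()


def sync_by_observation(router, cache, desired_fips):
    """Pre-fix behaviour: a floating IP is added to the agent's config object
    only when it is not already configured on the external device."""
    for fip in desired_fips:
        if fip not in router.device_addrs:
            cache.append(fip)
    router.write_conf(cache)
    return list(router.conf)


def sync_by_cache(router, cache, desired_fips):
    """Fixed behaviour: a floating IP is added when it is absent from the
    agent's in-memory copy of the configuration, regardless of device state."""
    for fip in desired_fips:
        if fip not in cache:
            cache.append(fip)
    router.write_conf(cache)
    return list(router.conf)


FIPS = ("203.0.113.10", "203.0.113.11")   # constructed sample floating IPs


def simulate(strategy, role, fips=FIPS):
    """Restart the agent (empty cache) against a router that already carries
    `fips`, run two sync passes, and return the file contents after each."""
    router = HaRouterInstance(role, fips)
    cache = []                              # empty after an agent restart
    first = strategy(router, cache, fips)
    second = strategy(router, cache, fips)
    return first, second


if __name__ == "__main__":
    for strategy in (sync_by_observation, sync_by_cache):
        for role in ("master", "slave"):
            print(strategy.__name__, role, simulate(strategy, role))
```

Running the block shows the state-observing agent writing an empty file on the master's first sync after the restart (the floating IPs vanish until the next pass) and duplicating every entry on a slave, while the cache-based agent produces the same two-entry file on both roles on every pass.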
BZ#1177995
This enhancement allows SR-IOV virtual functions (VF) to
passthrough to 'flat' project network types. This is due to PCI
passthrough with SR-IOV not being VLAN-specific.
As a result, OpenStack Networking project networks with the
"flat" network type can now take advantage of SR-IOV networking
support.
Chapter 3. RHEA-2015:0152 — openstack-nova enhancement advisory
The bugs contained in this chapter are addressed by advisory RHEA-2015:0152. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHEA-2015-0152.html.
3.1. openstack-nova
BZ#958057
When Compute is configured to only set up VNC/SPICE servers on a
specific network interface, the host's IP address is recorded in
the libvirt guest XML. Previously, if the guest was migrated to a
different host, the IP address of the source host remained in the
guest XML and the guest failed to launch on the target host
because the IP address was incorrect.
With this update, the libvirt guest XML is now updated during
migration to refer to the IP address of the target host.
Migration can be performed for guests, even when the VNC/SPICE
servers are configured to only bind to the IP address of a
specific network interface.
BZ#974199
This feature exposes interactive web-based serial consoles to
openstack VMs through a websocket proxy. Generally used as a
debugging tool (for example, VMs can be accessed even if network
configuration fails).
A new service (websocket proxy) is now available that handles
websocket connections to the serial consoles of the VMs. The
websocket proxy can be deployed on a machine other than from the
hypervisor.
BZ#978500
The host argument for the 'nova evacuate' command has been made
optional. This means that the user no longer has to know the host
destination, simplifying evacuation in the case of an unplanned
failure.
BZ#1041054
Compute now automatically attempts a controlled shutdown for
stop, rescue, and delete instance actions. If the controlled
shutdown fails, Compute falls back to a forced shutdown.
BZ#1041376
OpenStack Compute now supports associating SR-IOV PCI devices
with networks and binding Neutron SR-IOV ports to them. PCI passthrough to SR-IOV virtual functions provides direct access to
networking hardware specialized for virtualization with one
physical device supporting multiple virtual machines. By
supporting SR-IOV devices, virtual machines can now employ SR-IOV
hardware for networking.
BZ#1090269
OpenStack Compute can now optionally provide a config drive to
instances based on a property on the image in the OpenStack Image
service. Previously, Compute configuration determined whether a
config drive was used and what format to use for it. With this
update, users can now indicate config drive requirements using
image properties.
BZ#1097514
In previous releases, every virtual CPU was configured as a
socket. Some guest operating systems have arbitrary limits on the
number of sockets they support, but are not limited in the number
of cores or threads. This prevented an instance's OS from taking
full advantage of the virtual CPUs configured.
With this release, the Compute service can now control an
instance's virtual CPU topology. This allows an administrator
and/or tenant users to specify constraints for the number of
threads, cores and sockets to use for a guest instance. The
Compute service will use the constraint information to configure
a suitable guest CPU topology. With this, a guest OS such as
Windows can take full advantage of all virtual CPUs without
encountering support limits.
BZ#1097987
Compute can now provide dedicated CPU resources, where each guest
virtual CPU has full access to a specific host CPU.
In previous releases of Compute, guest CPUs were permitted to float
across any host CPU. Even when the NUMA feature was enabled, the
CPUs could still float within a NUMA node. Host CPUs would also
overcommit so many virtual CPUs contended for the host resource.
This made it impossible to provide strong performance guarantees
to guest operating system workloads.
With this update, the cloud administrator now has the ability to
set up a host aggregate, which provides a pool of hosts that
supports guests with dedicated CPU resource assignment. The cloud
administrator or tenant user can make use of these pools to run
instances with guaranteed CPU resource.
BZ#1097989
Previous Compute versions delegated all CPU placement to the
operating system kernel. Although the kernel attempted to keep
guest processes running on a single NUMA node, this was not
enforced. This meant that guests could drift across NUMA nodes,
resulting in an inefficient usage of host resources and limiting
guest performance.
With this update, Compute can now place guest instances on
specific host NUMA nodes. The cloud administrator or tenant user
can set preferences for the guest NUMA topology layout by
enabling a scheduler filter that performs intelligent NUMA
placement (affinity server group using hw:numa_policy=strict
metadata). Compute takes into account the guest topology and then
pins the guest instance to one or more host NUMA nodes, resulting
in a more consistent guest performance and efficient use of host
resources.
BZ#1104924
A single guest can now have multiple network interfaces attached
to the same logical host network. Previous versions of OpenStack
Compute had an artificial restriction that a single guest cannot
have multiple network interfaces connected to the same host
network. There are, however, some valid use cases where this is
required and thus Compute could not satisfy those use cases. With
this update, the tenant user can now set up guest network
interfaces without any restrictions imposed by Compute.
BZ#1127405
When using nova-network with multiple networks, it is now
possible to set the MTU, enable or disable DHCP, set the DHCP
server, and indicate whether the network shares addresses with
other networks. Previously, it was not possible to set these
parameters on a per-network basis, making it more difficult to
use nova-network with multiple networks. With this update,
administrators now have more flexibility with settings when using
multiple networks with nova-network.
BZ#1157742
Previously, if you created a server group with an anti-affinity
policy, the policy was honored only during the initial boot, and
not for a later VM migration (cold, live, or evacuate). Because
the request information is not persisted, migrations did not
honor anti-affinity policies, which could lead to inconsistencies
(for example, a non-affinity policy for a group with VM1 and VM2
could lead to both VMs being placed on the same host if VM2 was
migrated).
With this update, migrations now respect affinity policies. The
server group and group policy of the VM to be migrated is now
identified and checked before migration.
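As an added illustration of the check described above (example code, not the Compute service's own scheduler), the following Python function derives the hosts to which a VM may be migrated while honouring its server group's affinity or anti-affinity policy, and a pre-migration check built on it. The host names, VM names and groups are constructed for the example.

```python
def group_of(vm, server_groups):
    """Return (policy, members) for the server group that contains vm, else None."""
    for policy, members in server_groups.values():
        if vm in members:
            return policy, members
    return None


def valid_migration_targets(vm, placement, server_groups, hosts):
    """Hosts to which `vm` may be migrated without breaking its group policy.

    placement:     {vm_name: host_name} for every running VM
    server_groups: {group_name: (policy, set_of_vm_names)}
    """
    current = placement[vm]
    candidates = [h for h in hosts if h != current]
    group = group_of(vm, server_groups)
    if group is None:                       # no policy: any other host will do
        return candidates
    policy, members = group
    # hosts currently occupied by the other members of the VM's group
    peer_hosts = {placement[m] for m in members if m != vm and m in placement}
    if policy == "anti-affinity":
        return [h for h in candidates if h not in peer_hosts]
    if policy == "affinity":
        # peers must share a host; with no placed peer any host is acceptable
        return [h for h in candidates if h in peer_hosts] if peer_hosts else candidates
    raise ValueError(f"unknown server group policy {policy!r}")


def migration_allowed(vm, destination, placement, server_groups, hosts):
    """The check the fix introduces: refuse a destination that would violate
    the VM's server group policy instead of honouring it only at boot."""
    return destination in valid_migration_targets(vm, placement, server_groups, hosts)


# Constructed sample environment: VM1/VM2 must never share a host,
# VM3/VM4 must always share one, VM5 belongs to no group.
HOSTS = ["compute-1", "compute-2", "compute-3"]
PLACEMENT = {"VM1": "compute-1", "VM2": "compute-2", "VM3": "compute-1",
             "VM4": "compute-3", "VM5": "compute-2"}
GROUPS = {"web": ("anti-affinity", {"VM1", "VM2"}),
          "db": ("affinity", {"VM3", "VM4"})}

if __name__ == "__main__":
    for vm in PLACEMENT:
        print(vm, valid_migration_targets(vm, PLACEMENT, GROUPS, HOSTS))
    # The case from the text: migrating VM2 onto VM1's host must be refused.
    print("VM2 -> compute-1 allowed:",
          migration_allowed("VM2", "compute-1", PLACEMENT, GROUPS, HOSTS))
```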
BZ#1160405
RBD snapshots and cloning are now used for Ceph-based ephemeral
disk snapshots. With this update, data is manipulated within the
Ceph server, rather than transferred across nodes, resulting in
better snapshotting performance for Ceph.
BZ#1180607
RBD snapshots and cloning are now used for Ceph-based ephemeral
disk snapshots. With this update, data is manipulated within the
Ceph server, rather than transferred across nodes, resulting in
better snapshotting performance for Ceph.
Chapter 4. RHEA-2015:0154 — python-django-horizon enhancement advisory
The bugs contained in this chapter are addressed by advisory RHEA-2015:0154. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHEA-2015-0154.html.
4.1. python-django-horizon
BZ#891062
An admin user can now specify the Provider network type (the
physical mechanism by which the virtual network is implemented),
when creating a new network. Previously, the dashboard (horizon)
defaulted to the 'Local' provider network type, and it was not
possible to select another type. The types 'Flat', 'VLAN',
'GRE', 'VXLAN', and 'Local' can now be selected in the new
'Provider Network Type' drop-down field. Depending on the type, a
segmentation ID, tunnel ID, or physical network name must be
additionally specified.
BZ#1041966
Role-based access control (RBAC) checks are now supported for
actions that interact with the Compute service (nova); rules are
defined in the /etc/openstack-dashboard/nova_policy.json
configuration file. RBAC checks allow an administrator to finely
tune a user's access. For example, an administrator might allow
end users to view the complete flavor listing.
BZ#1041967
Role-based access control (RBAC) checks are now supported for
actions calling the network service; rules are defined in the
/etc/openstack-dashboard/neutron_policy.json configuration file.
RBAC checks allow an administrator to finely tune a user's
access. For example, an administrator might prevent end users
from creating a subnet or changing a firewall policy.
BZ#1041971
An admin user can now evacuate a compute host using the
dashboard. Two tabs now provide information for hypervisors:
'Hypervisor' and 'Compute Host' (Admin > Hypervisors). If a host
is down, an 'Evacuate Host' action is now visible for it on the
Compute Host tab (providing a modal window to perform the
evacuation).
BZ#1041986
Support has been added for Block Storage volume backups in the
dashboard. Users can now create, view, delete, and restore volume
backups. Note: This functionality is not displayed by default. To
display volume-backup action items, update the /etc/openstack-dashboard/local_settings file with:
OPENSTACK_CINDER_FEATURES = {
'enable_backup': True,
}
After updating the file, restart the httpd service with
'systemctl restart httpd'.
BZ#1041991
There was a need to enable/disable Neutron related features based
on the extension list from Neutron and remove Neutron related
settings in local_settings.py.
-Neutron features like LBaaS, FWaaS or VPNaaS are provided as
extensions in Neutron. These features are now enabled
only when they are included in the extension list from Neutron.
Also, changed the default settings of enable_lb/firewall/vpn to
True. The default of these settings were set to False to avoid
confusion to users because LB/FW/VPNaaS are optional features in
Neutron. With this change, the corresponding features in Horizon
are enabled dynamically, so it was reasonable to change the
default to True.
BZ#1042023
An additional 'Action Log' tab is now available for specific
instances (Project > Compute > Instances > <instance>). The tab
lists all actions which have been carried out on that specific
instance. For example, a tenant user can now use the 'Action Log'
tab to see who created or shut down an instance.
BZ#1042028
With this feature, there is now a widget for managing Glance
metadata dictionary. The admin user is now able to edit
properties of images directly under admin/images/edit.
BZ#1042070
When using OpenStack Networking (neutron) with the
dhcp_agent_scheduler extension, it is now possible to add and
remove DHCP agents from networks using the dashboard. This makes
it easier to manage the high availability of DHCP agents for
OpenStack Networking.
When logged in as admin and navigating to the Admin Networks
panel, a new DHCP Agents column with the number of agents
associated with each network is now visible. Clicking on a
network name displays the network's details together with a new
'DHCP Agents' table where the admin can add and delete agents.
BZ#1042113
Need for an interface to allow the user to assign domain roles to
users.
-The Identity Dashboard has been extended to support managing
roles and users in different domains.
BZ#1046790
Extra Specs support for volume types has been added to the
dashboard. An admin can now add additional keys and values to
volume types (GUI implementation of the 'cinder type-key'
command). To view extra specs, select Admin> Volumes > Volume
Types, and click the type's 'View Extra Specs' action.
BZ#1053088
OpenStack Networking (neutron) has introduced new attributes for
IPv6 networks: 'Router Advertisement' and 'Address Assignment',
which enables IPv6 subnets to be configured with more
granularity. If OpenStack Networking is in use and an IPv6 subnet
is being created, the dashboard now offers the following options
in the 'IPv6 Address Configuration Mode' drop-down field:
"SLAAC", "DHCPv6 stateful", "DHCPv6 stateless provided by
OpenStack." Providing no option means that addresses are
configured manually or by a non-OpenStack system.
BZ#1056389
The ability for an administrator to manage image metadata (custom
properties) has been added to the dashboard. The admin user can
now add, update, or delete image metadata (implements the
'glance image-update <imageID> --property <key>=<value>'
command). To view or update an image's metadata, select Admin >
System > Images, and click the image's 'Update Metadata' action.
BZ#1057828
Role-based access control (RBAC) checks are now supported for
actions that interact with the Orchestration service (heat);
rules are defined in the /etc/openstack-dashboard/heat_policy.json configuration file. RBAC checks allow
an administrator to finely tune a user's access. For example, an
administrator might prevent end users from changing a stack
template.
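The three RBAC entries above (BZ#1041966, BZ#1041967 and this one) all rely on the dashboard evaluating the policy.json rule language shipped with each service. The following Python block is an added example, not Horizon or oslo.policy code: a minimal evaluator for that language covering the 'rule:', 'role:', 'is_admin:' and 'tenant_id:%(tenant_id)s' checks joined by 'and' and 'or', run against a constructed sample policy. The rule names and credentials below are made up for the illustration and are not the contents of the shipped nova_policy.json, neutron_policy.json or heat_policy.json files.

```python
import json
import re

# Constructed sample policy in policy.json syntax (not a shipped policy file).
SAMPLE_POLICY = json.loads("""
{
    "admin_required": "role:admin or is_admin:1",
    "admin_or_owner": "rule:admin_required or tenant_id:%(tenant_id)s",
    "default": "rule:admin_or_owner",
    "flavors:list": "",
    "servers:create": "rule:admin_or_owner",
    "create_subnet": "rule:admin_required",
    "update_firewall_policy": "rule:admin_required",
    "stacks:update": "rule:admin_required"
}
""")

_TARGET_REF = re.compile(r"%\((\w+)\)s")   # matches e.g. %(tenant_id)s


def _atom(check, creds, target, policy, depth):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = check.partition(":")
    if kind == "rule":                       # reference to another named rule
        return check_rule(policy, value, creds, target, depth + 1)
    if kind == "role":                       # caller holds this Keystone role
        return value in creds.get("roles", ())
    if kind == "is_admin":                   # admin flag set in the context
        return bool(creds.get("is_admin")) and value in ("1", "True", "true")
    m = _TARGET_REF.fullmatch(value)
    if m:                                    # credential attr vs target attr
        return creds.get(kind) == target.get(m.group(1))
    return creds.get(kind) == value          # literal comparison


def check_rule(policy, rule_name, creds, target=None, depth=0):
    """Return True when `rule_name` permits `creds` to act on `target`.
    Unknown rules fall back to 'default'; no default means deny."""
    target = target or {}
    if depth > 16:                           # guard against rule cycles
        raise ValueError("rule recursion too deep")
    expr = policy.get(rule_name)
    if expr is None:
        if rule_name != "default" and "default" in policy:
            return check_rule(policy, "default", creds, target, depth + 1)
        return False
    expr = expr.strip()
    if expr == "":                           # empty rule: everyone may do this
        return True
    if expr == "!":                          # '!': nobody may do this
        return False
    # 'or' binds more loosely than 'and', so split on 'or' first
    return any(
        all(_atom(a.strip(), creds, target, policy, depth)
            for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


# Constructed credentials for an admin and an ordinary tenant member.
ADMIN = {"roles": ["admin"], "tenant_id": "tenant-a", "is_admin": True}
MEMBER = {"roles": ["_member_"], "tenant_id": "tenant-a", "is_admin": False}

if __name__ == "__main__":
    for action in ("flavors:list", "create_subnet", "stacks:update", "servers:create"):
        for name, creds in (("admin", ADMIN), ("member", MEMBER)):
            allowed = check_rule(SAMPLE_POLICY, action, creds, {"tenant_id": "tenant-a"})
            print(f"{action:24s} {name:7s} {'allow' if allowed else 'deny'}")
```

With this policy an end user can list flavors (the empty rule) but cannot create a subnet or change a stack template, which are the examples the entries above give; owner checks such as servers:create pass only when the caller's tenant matches the target.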
BZ#1058578
Add support for Datastores to Trove dashboard.
Basic support for Trove has been added to Horizon.
-Added Datastore type/version drop down in Launch Instance
-Added Datastore type/version in Instance List and Instance
Details
BZ#1059472
JavaScript libraries have been separated out from the dashboard
(horizon) source code into separate, external packages. This
improves the maintainability of the source code.
BZ#1062037
With this feature, there is now a separate Identity dashboard.
BZ#1076307
The user can now sort tables by timestamp in the dashboard (a
timestamp parser has been added). For example, in the Project >
Compute > Overview window, the user can now sort instances by
'Time since created'.
BZ#1076309
Table filtering has been updated in the dashboard to use API
query attributes. A drop-down box and an input field for
filtering have been added to tables for admin instances, admin
images, and project instances. For example, the admin instances
table might be filtered for 'Status=Active'.
BZ#1080743
Code for the Sahara dashboard has been merged into the dashboard
(horizon) code. If Sahara is correctly installed (openstack-sahara) and configured, no further dashboard configuration is
necessary to display the 'Data Processing' tab for each region
(Project > Data Processing).
BZ#1095055
A 'Metadata' column has been added to the Flavors table (Admin >
System > Flavors) that displays whether extra specs have been
specified for a flavor ('Yes' or 'No'). The user can now click on
either the column value or the 'Update Metadata' action to view
or update defined metadata.
BZ#1097517
A feature was needed to expose resetting the state of a volume in
the administrator dashboard.
This functionality is currently available only through the CLI
command:
# cinder reset-state --state available <volume-id>
-Exposed the functionality of the 'cinder reset-state' command in
the UI. As is the case with the 'cinder reset-state' command,
this change permits an operator to select any valid status,
regardless of the current status of the volume.
BZ#1097997
With this feature, administrators can now reset the state of a
snapshot.
BZ#1101371
With this feature, basic support for Trove was added to Horizon.
Management of incremental backups is now supported.
BZ#1103560
You can now perform a 'cinder retype' through the dashboard. This
allows you to migrate volumes, or to change any volume setting that
is derived from the volume's type, through the web interface.
BZ#1107491
Functionality for Cinder Quality of Service (QoS) extra specs
management such as maximum IO/seconds (maxIOPS) is now available
in the administrator dashboard.
Currently, QoS specs must be managed via the cinder CLI commands:
- cinder-qos-create
- cinder-qos-delete
- cinder-qos-key
- cinder-qos-list
- cinder-qos-show
And their associations to volume types are handled with the
cinder CLI commands:
- cinder-qos-associate
- cinder-qos-get-association
- cinder-qos-disassociate
- cinder-qos-disassociate-all
BZ#1107925
The Cinder CLI has an upload-to-image function that supports
uploading a volume into glance as an image; this functionality
needed to be made available in Horizon.
-It is now possible to use a glance image as source to create a
cinder volume in Horizon.
BZ#1108436
This enhancement adds MAC address learning management to the
Dashboard (horizon). Users are able to view and toggle the MAC
address learning state of a port, in environments where this
feature is supported.
BZ#1109409
The description for the 'Create Volume Type' dialogue has been
enhanced to make it clear that creating a type is equivalent to
the 'cinder type-create' command. After the volume type is
created, the user can then further define the type by adding
extra specs.
BZ#1109420
In Horizon, a feature was needed to automatically populate the
"Format" field in the Create Image modal after the user has
filled out the Image Source/Image File fields.
-Auto populate the image format field based on the file
extension.
BZ#1117613
Support for Neutron DVR (Distributed Virtual Router) has been
implemented in Horizon.
Neutron DVR includes changes to the neutron CLI, specifically in the
areas of router creation, router scheduling and show commands, while
adding administrative functionality for distributed virtual routers
(DVR) to Horizon.
BZ#1118943
Console access needs to be disabled when it is not reachable from
outside a cloud provider's infrastructure.
-A config option has been added to
/etc/openstack_dashboard/local_settings: CONSOLE_TYPE.
Valid options are "AUTO", "VNC", "SPICE", "RDP" or None. When
it's set to None, console access is disabled.
BZ#1124133
Add support for Spark jobs in Sahara data processing UI.
Support for Spark EDP jobs in the data processing dashboard has
been added.
The changes are:
-Added Spark as a job type when creating jobs
-Added some help text for Spark job creation
-Hide appropriate configuration fields when launching a Spark job
-Made job type drop down translatable
BZ#1125093
There was a need to add the ability for admins to
create/update/delete custom properties and metadata for images.
This is useful for admins and users to meaningfully describe
images by sharing key-value pairs and tag metadata.
A new "Update metadata" option is now visible in the Admin Images
panel that enables you to manage custom properties and metadata for
images.
BZ#1128398
A feature was needed whereby operators can disable L3 router
features through configuration options.
-New config option 'enable_router' to OPENSTACK_NEUTRON_NETWORK.
The default is True, as the router feature is enabled in most
deployments and this is the current default behavior of Horizon. If
this option is False, the Router panel disappears.
-The Network Topology panel shows routers in the topology map and
also has a "Create Router" button. If "enable_router" is set to
False, routers in the topology map are not displayed, and the
"Create Router" button is not shown.
-New config option 'enable_floatingip' to OPENSTACK_NEUTRON_NETWORK,
corresponding to the floating IP feature in Neutron provided by the
L3 router extension. If this option is set to False, the "Floating
IP" tab and the "Associate/Disassociate Floating IP" menu in the
instance table are not shown.
BZ#1141366
In previous versions, the dashboard displayed a column with the
header titled "Instance uptime", which implied that it listed the
uptime of an instance (Project > Compute > Overview or Admin >
System > Instances). This title was not correct because Compute
(nova) simply returns the timestamp at which an instance was
created. The column header has been renamed to "Time since
created".
BZ#1170348
Rebase python-django-horizon to 2014.2.1.
Highlights, important fixes, or notable enhancements:
- Overview page: OverflowError when cinder limits are negative
- Cinder API v2 support instance view
- Alternate navigation broken
- Default `target={}` value leaks into subsequent
`policy.check()` calls
Chapter 5. RHBA-2015:0157 — Red Hat Enterprise Linux OpenStack 6.0 bug fix advisory
The bugs contained in this chapter are addressed by advisory RHBA-2015:0157. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHBA-2015-0157.html.
5.1. ceph
BZ#1181770
Previously, certain cleanup activities in librbd1 resulted in
'nova-compute' crashing with a segmentation fault, in specific
cases where a Ceph RBD backend was in use.
This fix ensures the context is correctly cleaned up before
returning. As a result, 'nova-compute' operates correctly with
Ceph RBD backends.
5.2. openstack-cinder
BZ#1184455
At present, an unversioned requirement on 'python-taskflow', and
missing requirements on 'libcgroup-tools', 'python-keystonemiddleware',
and 'openstack-cinder', mean that upgrade activities may not function
as expected.
As a current workaround, you can install both 'openstack-cinder'
and its missing requirements by using the following command:
'yum install -y libcgroup-tools python-keystonemiddleware python-taskflow openstack-cinder'
5.3. openstack-nova
BZ#1171108
Previously, using an unlimited quota value (-1) resulted in the
inability to start an instance, with a subsequent "HTTP 500 IndexError: list index out of range" error being raised.
This fix enables the ability to set an unlimited quota value in
'nova.conf', with the result that instances can now be started
using this configuration.
BZ#1177298
Previously, using a multibyte character in a flavor name would
result in a Python unicode exception.
This update addresses this issue by adding a unicode type string
test to ensure expected behavior from multibyte character names.
BZ#1181571
Previously, when reverting an instance resize operation, Compute
(nova) would fail to consider the backing volume as shared
between the original and new instance.
Consequently, the resized volume would be deleted during the
operation; since RBD volumes are shared, this meant the original
volume was also removed, preventing the instance from booting.
With this fix, when the instance volume is of type RBD, Compute
now considers it to be shared and does not delete the volume
during revert/resize operations.
As a result, revert/resize operations succeed as expected.
BZ#1181673
Prior to this update, a number of unit tests were broken as a
result of backport activity. Consequently, not all unit tests
were able to complete without errors.
This update addresses this issue by using an object flavor
instead of a dict in 'test_driver.py'. As a result, all unit
tests now pass as expected.
5.4. openstack-puppet-modules
BZ#1158942
There is currently no supported user-facing (dashboard or CLI)
mechanism for consuming the websocket URL exposed by the serial
console support.
A utility is available to test this feature at
https://github.com/larsks/novaconsole, however there should not
be an expectation that the virtual serial console will function
by default, as configuration steps are required.
BZ#1181307
The python-pbr package required by Red Hat Enterprise Linux
OpenStack Platform puppet modules is not present in Red Hat
Enterprise Linux OpenStack Platform 6. Installation using
PackStack will fail if Ironic (a Technology Preview package) is
enabled. Manual installation is required for Ironic at the
moment.
5.5. openstack-selinux
BZ#1186628
Previously, versions of the SELinux policies prior to
'selinux-policy-3.12.1-153.el7_0.13' were missing specific policies for
the Image Service (glance) API service.
As a result, attempting to install multi-node clouds with SELinux
in 'enforcing' mode would result in failure during installation
and configuration of the Image Service API service.
This update addresses this issue with the openstack-selinux
package now requiring 'selinux-policy-3.12.1-153.el7_0.13'.
Consequently, the correct policies are in place to allow a
complete installation with SELinux set to 'enforcing'.
Chapter 6. RHBA-2015:0633 — python-django-horizon bug fix advisory
The bugs contained in this chapter are addressed by advisory RHBA-2015:0633. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHBA-2015-0633.html.
6.1. python-django-horizon
BZ#1078956
In some cases, such as environments where the Identity service
was backed by LDAP with specific policies, there were previous
restrictions as to how end-users could change their password.
This meant that end users were unable to change their password
through the dashboard and would receive an error message when
trying to do so.
A policy check for "identity:check_password" has been added to
the 'Change password' panel, so that when
"identity:change_password" is set to a more restrictive policy in
/etc/openstack-dashboard/keystone_policy.json, the 'Change
password' panel is no longer displayed. This change has now
resolved the issue.
BZ#1127070
In the Router Network Profiles panel (available only when using
the Cisco N1K Neutron plug-in), many of the Network Profile
fields could not be updated but they were still shown in the
update form. The update form was therefore misleading, letting the
user modify fields when the changes could not be saved.
Code has been fixed to mark the fields that cannot be changed as
"read-only" in the form. Thus, when updating a network, only the
fields that can be updated are editable and the issue is now
resolved.
BZ#1188394
Rebase package(s) to version: 2014.2.2
Highlights and important bug fixes:
-Project limits don't update when using the input selector to
change instance count
-While the HA property is update-able, and resulting router-get
invocations suggest that the router is HA, the migration itself
fails on the agent. This is deceiving and confusing and should be
blocked until the migration itself is fixed in a future patch.
-Project Limits don't refresh while selecting Flavor
-Private flavor update with horizon will cause access issue of
existed instances
-Horizon crashed when parsing volume list including a volume
without name
6.2. python-django-openstack-auth
BZ#1174748
One needed to log in twice after a keystone token timed out.
Code has been updated and the issue is now fixed.
Chapter 7. RHBA-2015:0639 — openstack-keystone bug fix advisory
The bugs contained in this chapter are addressed by advisory RHBA-2015:0639. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHBA-2015-0639.html.
7.1. openstack-keystone
BZ#1130726
With this release, keystone now emits CADF notifications for role
assignment events, providing a more complete audit trail. Role
assignment operations affect a user's access to cloud resources;
keeping an audit trail of these actions can be important to
detect malicious actions.
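As an added example of how such an audit trail can be consumed (this is not keystone's code or the package's own tooling), the following filter runs over constructed CADF-style role assignment events and raises alerts for failed assignments, changes involving a privileged role, and users granting a role to themselves. The event shape is an approximation of a CADF activity record; the top-level 'role', 'user' and 'project' keys, the placeholder IDs and the PRIVILEGED_ROLES watch list are all assumptions made for the example.

```python
"""Audit filter over keystone-style CADF role assignment notifications.

Added example; the event layout is a constructed approximation of a CADF
activity event and is not copied from keystone.
"""

CADF_EVENT = "http://schemas.dmtf.org/cloud/audit/1.0/event"

# Constructed sample events. IDs are placeholders, not real identifiers.
SAMPLE_EVENTS = [
    {   # ordinary grant of a member role by an operator: no alert
        "typeURI": CADF_EVENT, "eventType": "activity",
        "action": "created.role_assignment", "outcome": "success",
        "eventTime": "2015-03-05T10:15:00.000000+0000",
        "initiator": {"id": "USER_ID_ALICE", "host": {"address": "192.0.2.10"}},
        "role": "ROLE_ID_MEMBER", "user": "USER_ID_BOB", "project": "PROJECT_ID_DEV",
    },
    {   # a user grants the admin role to themselves: two alerts
        "typeURI": CADF_EVENT, "eventType": "activity",
        "action": "created.role_assignment", "outcome": "success",
        "eventTime": "2015-03-05T10:16:30.000000+0000",
        "initiator": {"id": "USER_ID_BOB", "host": {"address": "192.0.2.11"}},
        "role": "ROLE_ID_ADMIN", "user": "USER_ID_BOB", "project": "PROJECT_ID_DEV",
    },
    {   # failed attempt to remove an admin assignment: one alert
        "typeURI": CADF_EVENT, "eventType": "activity",
        "action": "deleted.role_assignment", "outcome": "failure",
        "eventTime": "2015-03-05T10:17:05.000000+0000",
        "initiator": {"id": "USER_ID_EVE", "host": {"address": "198.51.100.7"}},
        "role": "ROLE_ID_ADMIN", "user": "USER_ID_ALICE", "project": "PROJECT_ID_PROD",
    },
    {   # unrelated identity event: ignored by the filter
        "typeURI": CADF_EVENT, "eventType": "activity",
        "action": "created.user", "outcome": "success",
        "eventTime": "2015-03-05T10:18:00.000000+0000",
        "initiator": {"id": "USER_ID_ALICE", "host": {"address": "192.0.2.10"}},
    },
]

# Assumed operator-maintained watch list of role IDs that warrant review.
PRIVILEGED_ROLES = {"ROLE_ID_ADMIN"}


def role_assignment_alerts(events, privileged_roles=PRIVILEGED_ROLES):
    """Return one alert dict per rule that fires on a role assignment event."""
    alerts = []
    for ev in events:
        verb, _, resource = ev.get("action", "").partition(".")
        if resource != "role_assignment":
            continue  # only role assignment activity is of interest here
        initiator = ev.get("initiator", {}).get("id")
        base = {
            "time": ev.get("eventTime"), "initiator": initiator, "verb": verb,
            "role": ev.get("role"), "user": ev.get("user"), "project": ev.get("project"),
        }
        if ev.get("outcome") != "success":
            # failures are rare in normal operation and often precede abuse
            alerts.append(dict(base, rule="role_assignment_failed"))
            continue
        if ev.get("role") in privileged_roles:
            alerts.append(dict(base, rule="privileged_role_changed"))
        if initiator is not None and initiator == ev.get("user"):
            alerts.append(dict(base, rule="self_assignment"))
    return alerts


if __name__ == "__main__":
    for alert in role_assignment_alerts(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the events would be read from the notification queue or from a collector such as Ceilometer rather than from an in-memory list; the rules themselves do not change.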
Chapter 8. RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory
The bugs contained in this chapter are addressed by advisory RHBA-2015:0640. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHBA-2015-0640.html.
8.1. diskimage-builder
BZ#1182642
When an overcloud node boots up, it runs os-collect-config as a
part of registration. The os-collect-config script saves data
from the Orchestration (heat) metadata API locally and then calls
os-refresh-config any time that metadata has changed.
Subsequent calls to the registration script call subscription-manager
again and it returns a non-zero exit code. With the return of a
non-zero exit code, the script fails, the stack results in a timeout,
and multiple registrations can occur.
There is no current workaround.
BZ#1183104
Previous to the Satellite 6 release, the katello-agent and its
dependencies needed the rhel-7-server-rh-common-beta-rpms
repository to be enabled. Since the Satellite 6 release,
necessary packages have been moved to the rhel-7-server-rh-common-rpms
repository. However, upstream code still references the
rhel-7-server-rh-common-beta-rpms repository, which no longer has the
latest packages, causing Satellite instances to fail.
8.2. instack-undercloud
BZ#1183099
An iptables setting in the undercloud causes overcloud nodes to
fail to register since the nodes have no external access. As a
workaround, run the following command on the undercloud image:
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
8.3. libguestfs
BZ#1186070
This enhancement includes a feature, virt-v2v, which allows users to
convert images from a variety of hypervisors to run on an OpenStack
cloud.
8.4. mariadb-galera
BZ#1179360
Previously, mariadb-galera would generate an SSL certificate with
the parameter CN set to "$(hostname) mariadb-galera cluster".
Creating this SSL certificate would fail if the hostname was long
enough such that the resulting string was greater than 64
characters.
With this update, the certificate is generated with only the
hostname to avoid using a CN value that is too long.
8.5. openstack-selinux
BZ#1185444
This update introduces the rabbitmq-cluster resource agent for
managing clustered RabbitMQ instances with the Pacemaker cluster
manager.
Chapter 9. RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug fix update
The bugs contained in this chapter are addressed by advisory RHSA-2015:0789. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHSA-2015-0789.html.
9.1. openstack-packstack
BZ#1117277
With this enhancement, if OpenStack Networking is enabled,
Packstack will display a warning if the Network Manager service
is active on hosts.
BZ#1123117
With this update, a new feature has been added that enables the
OpenStack Identity service to be installed so that it runs under
Apache httpd processes. A new parameter 'CONFIG_KEYSTONE_SERVICE_NAME'
has been added. The value 'httpd' switches on Apache support, while
the value 'keystone' allows the Identity service to run in its own
process, as was implemented in the previous versions.
BZ#1195258
When using Packstack in a multi-node configuration, VXLAN ports
(4789) on the firewall were not open for the other nodes. As a
result, openvswitch did not function properly.
With this update, this issue has been addressed by opening the
port 4789 on all compute and network nodes.
BZ#1199047
A typo in the code caused the Sahara option that uses OpenStack
Networking to always be false.
With this update, the error has been addressed. As a result,
Sahara now uses OpenStack Networking if the parameter
'CONFIG_NEUTRON_INSTALL' is set to 'y'.
BZ#1199072
Packstack set the Ironic password to the value "PW_PLACEHOLDER"
instead of the real generated or user-provided default password. This
was fixed by ensuring Packstack has USE_DEFAULT set to false for the
password option. Packstack now configures Ironic with the predefined
password.
BZ#1199076
An error in the Packstack code was responsible for setting the
glance_image provider region value to RegionOne, ignoring any
region setting updated by the user.
With this update, Packstack now allows the user to set a custom
region name for the glance_image provider parameter.
BZ#1199114
Prior to this update, users had to install the OpenStack Unified
Client separately after completing an installation of Packstack.
As the requirement for the OpenStack Unified Client is quite
common, Packstack now installs it by default.
BZ#1199562
This enhancement allows the passing of additional command-line
options when creating an answer file. Previously, '--gen-answer-file'
did not allow the specification of additional options. Instead,
manual file editing was required to change any default options.
With this update, it is now possible to combine '--gen-answer-file'
with additional options, which are then included in the subsequently
generated answer file.
BZ#1199565
This enhancement updates Packstack to retain temporary
directories when running an installation in debug mode. This
assists with troubleshooting activities, as retaining the
temporary directories allows easier failure debugging.
As a result, temporary directories are not deleted when running
Packstack with the --debug command line option.
BZ#1199589
Prior to this update, some validators did not use
'validate_not_empty' to ensure that certain parameters contained
values.
As a result, a number of internal validations could not be
properly handled, leading to the possibility of unexpected
errors.
This update fixes validators to use validate_not_empty when
required, resulting in correct validation behavior from
validators.
9.2. openstack-selinux
BZ#1195252
A quiet dependency on a newer version of selinux-policy causes
openstack-selinux 0.6.23 to fail to install modules when paired
with selinux-policy packages from Red Hat Enterprise Linux 7.0 or
7.0.z. This causes Identity and other OpenStack services to
receive 'AVC' denials under some circumstances, causing them to
malfunction.
The following workarounds allow the OpenStack services to
function correctly:
1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready
to update to Red Hat Enterprise Linux 7.1. At that time, a 'yum
update' will resolve the issue.
2) Install the updated selinux-policy and selinux-policy-targeted
packages from Red Hat Enterprise Linux 7.1 (version
selinux-policy-3.13.1-23.el7 or later), then update openstack-selinux
to version 0.6.23-1.el7ost.
9.3. vulnerability
BZ#1201875
It was discovered that the puppet manifests, as provided with the
openstack-puppet-modules package, would configure the pcsd daemon
with a known default password. If this password was not changed
and an attacker was able to gain access to pcsd, they could
potentially run shell commands as root.
Chapter 10. RHSA-2015:0790 — Important: openstack-nova security, bug fix, and enhancement update
The bugs contained in this chapter are addressed by advisory RHSA-2015:0790. Further
information about this advisory is available at https://rhn.redhat.com/errata/RHSA-2015-0790.html.
10.1. openstack-nova
BZ#1017288
libvirt did not previously support snapshot merge or delete
operations using libgfapi. This meant that the user could not
delete snapshots of a Red Hat Storage (glusterfs) Block Storage
volume attached to an instance when using libgfapi.
With this update, libvirt and the Compute service now correctly
handle Block Storage volume snapshots with libgfapi enabled, and
these snapshots can now be deleted.
BZ#1100535
OpenStack Bare Metal Provisioning (ironic) is now included in
this release as a Technology Preview. This service provisions
bare-metal machines using common technologies (such as PXE boot
and IPMI) to cover a wide range of hardware, while supporting
pluggable drivers to allow the addition of vendor-specific
functionality.
BZ#1104926
Support has been added for intelligent NUMA node placement for
guests that have been assigned a host PCI device. PCI I/O
devices, such as Network Interface Cards (NICs), can be more
closely associated with one processor than another. This is
important because there are different memory performance and
latency characteristics when accessing memory directly attached
to one processor than when accessing memory directly attached to
another processor in the same server. With this update, Openstack
guest placement can be optimized by ensuring that a guest bound
to a PCI device is scheduled to run on a NUMA node that is
associated with the guest's pCPU and memory allocation. For
example, if a guest's resource requirements fit in a single NUMA
node, all guest resources will now be associated with the same
NUMA node.
BZ#1165961
An invalid template was previously supplied for network interface
injection (flat_injected=true in /etc/nova/nova.conf), which
meant that the network configuration of instances was incorrect.
With this fix, a valid Jinja2 network interface configuration
template is now provided, and the networking of instances is
correctly configured.
BZ#1171454
Previously, you could not launch an instance with multiple
interfaces attached to the same network by using --nic net-id=
<id>; the instance would fail to boot. With this update, Compute
now checks for duplicate networks at the Compute API layer, and
an instance boot using a specific network ID with multiple vNICs
can succeed.
BZ#1175348
Previously, the Compute service did not follow live migration
status. As a result, if something went wrong, the instance
status did not report the error, and this could result in two
"same" instances running in the cloud (across the source and
target servers). With this update, a new object has been
introduced to follow each step until a live migration succeeds or
fails. This means that when a migration now fails, the error is
reported on the instance's status if necessary, and a rollback is
then done to avoid two "same" instances running in the cloud.
BZ#1190719
Previously, emulator threads (for vCPUs) floated on the union of
the set of all NUMA CPUs, even if the CPUs were dedicated, which
meant that an emulator thread could consume CPU time from another
guest instance. With this fix, emulator threads now use only the
union of the dedicated host CPUs on which the guest's vCPUs are
running, and only that CPU time.
BZ#1191174
Previously, if multipathing was enabled for the Compute service
in /etc/nova/nova.conf and CHAP authentication was enabled in an
IBM Storwize backend, attaching a Block Storage volume to an
instance failed on boot ("Login I/O error, failed to receive a
PDU\niscsiadm"). That is, if the Block Storage server was
configured to protect the target-discovery phase using CHAP
authentication, the discovery command failed (because
authentication failed).
With this update, the Block Storage driver now sends
authentication properties (discovery_auth_method,
discovery_auth_username, discovery_auth_password) to CHAP, the
discovery command succeeds, and volume attachment succeeds.
BZ#1193737
Previously, when the primary path to a Cinder iSCSI volume was
down, a volume could not be attached to the instance, even if the
Compute and Block Storage backend driver's multipath feature was
enabled. This meant that users of the cloud system could fail to
attach a volume (or boot a server booted from a volume). With
this fix, the host can now have a separate configuration option
if the block traffic is on a separate network; the volume is then
attached using the secondary path.
BZ#1194073
A previous overly restrictive ban on live migration of vfat
config drives, and the incorrect handling of config drives with
RBD storage, meant that the live migration of instances with
config drives was not supported.
With this update, vfat config drives can now be live migrated,
and config drive persistence is handled appropriately with RBD
storage. This means that live migration is now possible when
using vfat config drives with storage either local to the compute
node or remote with RBD storage. (To use vfat config drives, set
config_drive_format in /etc/nova/nova.conf to 'vfat'.)
BZ#1198429
The previous value of the Compute auth_version parameter in
/usr/share/nova/nova-dist.conf of 'v2.0' forced Identity's
auth_token middleware to use v2 authentication, which in turn
prevented multi-domain Identity service deployments. With this
update, the auth_version parameter now has a new default value of
'v3.0'; middleware authentication can now validate tokens outside
of the default domain.
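The two settings side by side, as an added illustration rather than the contents of the shipped nova-dist.conf. The section name [keystone_authtoken] is the standard section read by the auth_token middleware and is assumed here; the page only names the auth_version option:

```ini
# Previous shipped default: forces the v2 Identity API, so tokens
# issued for users or projects outside the default domain cannot be validated.
[keystone_authtoken]
auth_version = v2.0

# New default after this update: the v3 Identity API is used, and
# multi-domain Identity deployments work.
[keystone_authtoken]
auth_version = v3.0
```

If a site overrode auth_version in /etc/nova/nova.conf, that override still takes precedence over the packaged default in /usr/share/nova/nova-dist.conf, so a local 'v2.0' value has to be removed or updated as well.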
10.2. vulnerability
BZ#1190112
It was discovered that the OpenStack Compute (nova) console
websocket did not correctly verify the origin header. An attacker
could use this flaw to conduct a cross-site websocket hijack
attack. Note that only Compute setups with VNC or SPICE enabled
were affected by this flaw.
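An added example of the defensive check involved (this is not nova's code or its proxy's implementation): a WebSocket upgrade handler must compare the browser-supplied Origin header against the origins the operator expects before completing the handshake, because a page on another site can open a WebSocket to the console proxy with the victim's cookies attached. The headers dict, the 'allowed_origins' list and the 'secure' flag are assumed inputs supplied by the proxy and its configuration; the hostnames are constructed.

```python
"""Origin verification for a WebSocket upgrade request.

Added example, not nova's code. Defaults to requiring that Origin match
the request's own Host header when no explicit allow list is configured.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# ws:// and wss:// origins are compared as their HTTP equivalents
SCHEME_ALIAS = {"ws": "http", "wss": "https"}


def normalize_origin(value):
    """Parse an Origin value into (scheme, host, port); None if unusable.

    The opaque value 'null', missing hosts, userinfo, paths, queries and
    malformed ports are all rejected rather than guessed at.
    """
    if not value:
        return None
    parts = urlsplit(value.strip())
    scheme = SCHEME_ALIAS.get(parts.scheme, parts.scheme)
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (scheme, parts.hostname.lower(), port)


def origin_allowed(headers, allowed_origins=None, secure=True):
    """Decide whether a WebSocket upgrade may proceed.

    headers: the request headers (case-insensitive lookup).
    allowed_origins: assumed operator-configured list such as
        ["https://dashboard.example.com"]; when empty, the Origin must
        match the Host header using https (secure=True) or http.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return False  # browsers always send Origin on WebSocket upgrades
    requested = normalize_origin(origin)
    if requested is None:
        return False
    if allowed_origins:
        candidates = list(allowed_origins)
    else:
        host = lowered.get("host")
        if not host:
            return False
        candidates = [("https://" if secure else "http://") + host]
    allowed = {normalize_origin(c) for c in candidates}
    allowed.discard(None)
    return requested in allowed


if __name__ == "__main__":
    # Constructed sample upgrade headers
    good = {"Host": "dash.example.com", "Origin": "https://dash.example.com"}
    bad = {"Host": "dash.example.com", "Origin": "https://attacker.example"}
    print(origin_allowed(good), origin_allowed(bad))
```

Rejecting a missing Origin is deliberate: non-browser clients can be given an explicit way to authenticate instead, whereas treating an absent header as trusted would reintroduce the hijack for any client that can suppress it.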
Revision History
Revision 6.0.2-0, Tue Apr 7 2015, Summer Long
Updated overview to include 6.0.2 chapters and advisories; two errata chapters added.
Revision 6.0.1-1, Thu Mar 5 2015, Summer Long
Updated overview to include 6.0.1 chapters and advisories; three errata chapters added.
Revision 6.0.0-2, Mon Feb 9 2015, Summer Long
Release for Red Hat Enterprise Linux OpenStack Platform 6.