Red Hat Enterprise Linux OpenStack Platform 6 Technical Notes

Technical Notes for Red Hat Enterprise Linux OpenStack Platform and supporting packages.

OpenStack Documentation Team
Red Hat Customer Content Services

Legal Notice

Copyright © 2015 Red Hat, Inc.

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission.
We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

These Technical Notes are provided to supplement the information contained in the text of Red Hat Enterprise Linux OpenStack Platform errata advisories released through Red Hat Network.

Table of Contents

Chapter 1. Overview
Chapter 2. RHEA-2015:0148 — openstack-neutron enhancement advisory
    2.1. openstack-neutron
Chapter 3. RHEA-2015:0152 — openstack-nova enhancement advisory
    3.1. openstack-nova
Chapter 4. RHEA-2015:0154 — python-django-horizon enhancement advisory
    4.1. python-django-horizon
Chapter 5. RHBA-2015:0157 — Red Hat Enterprise Linux Openstack 6.0 bug fix advisory
    5.1. ceph
    5.2. openstack-cinder
    5.3. openstack-nova
    5.4. openstack-puppet-modules
    5.5. openstack-selinux
Chapter 6. RHBA-2015:0633 — python-django-horizon bug fix advisory
    6.1. python-django-horizon
    6.2. python-django-openstack-auth
Chapter 7. RHBA-2015:0639 — openstack-keystone bug fix advisory
    7.1. openstack-keystone
Chapter 8. RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory
    8.1. diskimage-builder
    8.2. instack-undercloud
    8.3. libguestfs
    8.4. mariadb-galera
    8.5. openstack-selinux
Chapter 9. RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug fix update
    9.1. openstack-packstack
    9.2. openstack-selinux
    9.3. vulnerability
Chapter 10. RHSA-2015:0790 — Important: openstack-nova security, bug fix, and enhancement update
    10.1. openstack-nova
    10.2. vulnerability
Revision History

Chapter 1. Overview

These Technical Notes are provided to supplement the information contained in the text of Red Hat Enterprise Linux OpenStack Platform errata advisories released through Red Hat Network. If the text for an advisory's problem description is too lengthy to fit into the advisory itself, bug listings for that advisory are published as a chapter in this document.
The following table contains the list of errata advisories for this version.

Table 1.1. Errata Advisories

Release 6.0

Errata chapters:
- Chapter 2, RHEA-2015:0148 — openstack-neutron enhancement advisory
- Chapter 3, RHEA-2015:0152 — openstack-nova enhancement advisory
- Chapter 4, RHEA-2015:0154 — python-django-horizon enhancement advisory
- Chapter 5, RHBA-2015:0157 — Red Hat Enterprise Linux Openstack 6.0 bug fix advisory

Additional advisories include:
- RHEA-2015:0144 - Red Hat Enterprise Linux OpenStack Platform 6.0 Enhancement Advisory.
- RHEA-2015:0145 - openstack-swift enhancement advisory.
- RHEA-2015-0146 - openstack-sahara enhancement update.
- RHEA-2015-0147 - openstack-heat enhancement advisory.
- RHEA-2015:0149 - openstack-ceilometer enhancement advisory.
- RHEA-2015:0150 - openstack-glance enhancement advisory.
- RHEA-2015:0151 - openstack-cinder enhancement advisory.
- RHEA-2015:0153 - openstack-keystone enhancement advisory.
- RHEA-2015:0155 - openstack-packstack and openstack-puppet-modules enhancement advisory.
Release 6.0.1

Errata chapters:
- Chapter 6, RHBA-2015:0633 — python-django-horizon bug fix advisory
- Chapter 7, RHBA-2015:0639 — openstack-keystone bug fix advisory
- Chapter 8, RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory

Additional advisories include:
- RHBA-2015:0630 - openstack-packstack bug fix advisory
- RHBA-2015:0631 - openstack-swift bug fix advisory
- RHBA-2015:0632 - openstack-sahara bug fix advisory
- RHBA-2015:0634 - openstack-heat bug fix advisory
- RHBA-2015:0635 - openstack-neutron bug fix advisory
- RHBA-2015:0636 - openstack-ceilometer bug fix advisory
- RHBA-2015:0637 - openstack-cinder bug fix advisory
- RHBA-2015:0638 - openstack-nova bug fix advisory
- RHSA-2015:0643 - Important: qemu-kvm-rhev security update
- RHSA-2015:0644 - Low: openstack-glance security and bug fix update
- RHSA-2015:0645 - Important: redhat-access-plugin-openstack security update

These packages include rebases to 2014.2.2 for the Block Storage, Compute, Dashboard, Identity, Image, Networking, Orchestration, Sahara, Telemetry, and Trove services.

Release 6.0.2

Errata chapters:
- Chapter 9, RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug fix update
- Chapter 10, RHSA-2015:0790 — Important: openstack-nova security, bug fix, and enhancement update

Additional advisories include:
- RHBA-2015:0784 - openstack-cinder bug fix advisory
- RHBA-2015:0785 - openstack-neutron bug fix advisory
- RHBA-2015:0786 - openstack-ceilometer bug fix advisory
- RHBA-2015:0787 - Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory
- RHSA-2015:0788 - Moderate: novnc security update

Chapter 2.
RHEA-2015:0148 — openstack-neutron enhancement advisory

The bugs contained in this chapter are addressed by advisory RHEA-2015:0148. Further information about this advisory is available at https://rhn.redhat.com/errata/RHEA-2015-0148.html.

2.1. openstack-neutron

BZ#1029871
This enhancement enables changes to a subnet's IP address allocation pool using the update command. Previously, administrators were unable to change the allocation pool range for a subnet. If shrinking the pool, consideration must be given to IP addresses that have already been allocated.

BZ#1042396
This enhancement adds high availability for OpenStack Networking (neutron) virtual routers. This was added due to the impact of virtual routers going down with a network node; instances would lose external connectivity. Virtual routers can now be created with the 'High availability' flag, if the administrator sets it as the default. As a result, routers will then be created on multiple network nodes, with a designated single active instance node. The active node forwards traffic while the standbys monitor the master. In the event of a failure impacting the active node, one of the standbys will take over as the new active node.

BZ#1042550
This update enables OpenStack Networking (neutron) to create a Provider Network that uses an upstream device with Router Advertisement multicasts. As a result, instances are able to use Stateless Address Autoconfiguration (SLAAC) to configure their IPv6 networking.

BZ#1044272
With this enhancement, Tenant networks can now be created that use the 'dnsmasq' process inside the DHCP agent to serve additional configuration to IPv6 DHCP clients, including support for IPv6 stateless subnets.

BZ#1046786
This enhancement allows the creation of Tenant networks that use the 'radvd' process within the L3 agent for Router Advertisement messages.
As a result, instances are able to use Stateless Address Autoconfiguration (SLAAC) or DHCPv6 to configure their IPv6 networking.

BZ#1085645
This enhancement enables ipset kernel groups to be used for matching IP addresses in iptables security groups. The previous implementation of security groups, which made intensive use of iptables rules, resulted in an exponential growth of iptables rules in some cases. Specifically, multiple IP addresses previously needed to be added to the security groups of each Compute node's network port. As a result of this enhancement, the size of the iptables rule set on Compute nodes is significantly reduced, resulting in a performance increase in accepting new connections.

BZ#1103404
With this enhancement, all tables are now included during the creation of the database schema. This behavior allows for easier plugin management. Consequently, all OpenStack Networking (neutron) tables are present in the database after upgrading to Red Hat Enterprise Linux OpenStack Platform 6.

BZ#1162698
Prior to this update, the DHCP server was not available from inside instances attached to IPv6 DHCP subnets. This update addresses this issue by creating a port in the DHCP agent namespace. As a result, the DHCP server is accessible from inside instances, and instances are able to receive DHCP information.

BZ#1169125
Previously, Router Advertisements sent by the OpenStack Networking (neutron) L3 agent had the 'Other (O)' flag unset for DHCP stateless subnets. Consequently, the DHCP client was not aware of additional configuration options available from the DHCP server, so it would not attempt to request these. This update addresses this issue by setting the 'Other (O)' flag for Router Advertisements sent to DHCP stateless subnets. As a result, the DHCP client is notified about additional DHCP configuration options, and is able to request allocation.
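
The flag check behind BZ#1169125, as an added example (not code from Red Hat or the neutron project): it parses an ICMPv6 Router Advertisement as laid out in RFC 4861 and reports when the M and O flags do not match the subnet's address mode. The mode labels, helper names and sample prefix are assumptions, and the sample packets are constructed with a zero checksum.

```python
import ipaddress
import struct

RA_TYPE = 134            # ICMPv6 Router Advertisement (RFC 4861, section 4.2)
FLAG_M = 0x80            # Managed address configuration: addresses via DHCPv6
FLAG_O = 0x40            # Other configuration: extra options via DHCPv6
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861, section 4.6.2)
PIO_FLAG_L = 0x80        # on-link flag
PIO_FLAG_A = 0x40        # autonomous flag: prefix may be used for SLAAC

# Expected (M, O, SLAAC prefix required) per address mode. The mode labels are
# assumptions that mirror the three modes named in these notes.
EXPECTED = {
    "slaac":            (False, False, True),
    "dhcpv6-stateless": (False, True, True),
    "dhcpv6-stateful":  (True, None, False),   # O is redundant once M is set
}


def parse_ra(msg: bytes) -> dict:
    """Parse the fixed RA header and any Prefix Information options."""
    if len(msg) < 16:
        raise ValueError("truncated Router Advertisement")
    typ, code, _cksum, _hop, flags, _life, _reach, _retrans = struct.unpack(
        "!BBHBBHII", msg[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & FLAG_M), "O": bool(flags & FLAG_O), "prefixes": []}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[off], msg[off + 1] * 8   # length is in 8-byte units
        # A zero-length option would loop forever; RFC 4861 says discard the packet.
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO:
            if opt_len != 32:
                raise ValueError("bad Prefix Information length")
            plen, pflags = msg[off + 2], msg[off + 3]
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append(
                {"prefix": f"{prefix}/{plen}", "A": bool(pflags & PIO_FLAG_A)})
        off += opt_len
    return ra


def audit_ra(mode: str, msg: bytes) -> list:
    """Return a list of findings; an empty list means the RA matches the mode."""
    want_m, want_o, needs_slaac_prefix = EXPECTED[mode]
    ra = parse_ra(msg)
    findings = []
    if ra["M"] != want_m:
        findings.append(f"M flag is {int(ra['M'])}, expected {int(want_m)} for {mode}")
    if want_o is not None and ra["O"] != want_o:
        findings.append(f"O flag is {int(ra['O'])}, expected {int(want_o)} for {mode}")
    if needs_slaac_prefix and not any(p["A"] for p in ra["prefixes"]):
        findings.append("no prefix with the A flag set, SLAAC cannot form an address")
    return findings


def build_ra(m: bool, o: bool, prefix: str = "2001:db8:1::", plen: int = 64,
             autonomous: bool = True) -> bytes:
    """Construct a sample RA (checksum left at zero, not validated here)."""
    flags = (FLAG_M if m else 0) | (FLAG_O if o else 0)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    pio_flags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pio_flags,
                      86400, 14400, 0)
    return header + pio + ipaddress.IPv6Address(prefix).packed


if __name__ == "__main__":
    # Constructed samples: the pre-fix RA (O unset) and the corrected RA (O set).
    for label, pkt in (("before fix", build_ra(False, False)),
                       ("after fix", build_ra(False, True))):
        print(label, audit_ra("dhcpv6-stateless", pkt) or "ok")
```
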

BZ#1173987
In deployments using IPv6 networks with OpenStack Networking, IPv6 subnets do not have a gateway set. As a result, IPv6 networks do not work as expected.

BZ#1177612
Prior to this update, Keepalived removed virtual routes if the VIPs changed order and the VIP that was previously first changed its position. Consequently, as the router's default gateway is configured as a virtual route, the router's default route may vanish, breaking external connectivity for all instances. This behaviour was due to Keepalived's requirement that the first VIP in the keepalived configuration file remains first after sending a HUP signal to keepalived. This update addresses this issue by generating a fake address and using it as the first VIP. Consequently, the first VIP is a stable constant value and remains fixed in place, and the router's default route no longer vanishes as a result.

BZ#1177615
Prior to this update, all instances of a HA router (master and slave) had IPv6 link local addresses configured on each interface. As a result, IPv6 traffic was being generated once every two minutes and each MAC address was identical between different instances of a HA router. Consequently, the interface's MAC address was re-learned by the physical switches of the datacenter, thereby resulting in traffic being sent to the incorrect node. This update resolves this issue by removing IPv6 link local addresses from slave instances of HA routers. As a result, the IPv6 addresses only appear on the master instance, thereby ensuring that slaves never generate traffic, and that the MAC addresses appear only on the master node.

BZ#1177616
Prior to this update, when configuring a new floating IP on a HA router, the L3 agent observed the state on the system in order to decide whether to write the new address to the keepalived.conf.
If the address was not configured on the external device of the router, it was added to the configuration. Note that the agent never appends to the keepalived configuration file but overwrites it on every reconfiguration. This means that when restarting an agent and waiting for it to sync with the controller, there are varying outcomes depending on the role of the instance:

* On a master instance, none of the floating IPs will be written to the keepalived configuration file, as all of the pre-existing floating IPs are already configured on the system and thus will not be written to the new configuration file, in effect removing them. As a result, master instances will delete previously configured floating IPs whenever the L3 agent is restarted.

* On a slave instance, floating IPs are never configured on the host, thus are always added to the configuration file. As a result, slave instances will have multiple copies of every floating IP in keepalived's configuration file. This has no actual effect.

This update addresses this issue by configuring the L3 agent to instead use its in-memory cache of the keepalived configuration, rather than state observation. Since the configuration is in-memory, after the agent restarts, its cache is empty, thus all floating IPs are added to the file. From that point on, a floating IP is configured if it's not present in the configuration. Consequently, floating IP addresses are configured properly on HA routers on both master and slave instances.

BZ#1177995
This enhancement allows SR-IOV virtual functions (VF) to pass through to 'flat' project network types. This is due to PCI passthrough with SR-IOV not being VLAN-specific. As a result, OpenStack Networking project networks with the "flat" network type can now take advantage of SR-IOV networking support.

Chapter 3.
RHEA-2015:0152 — openstack-nova enhancement advisory

The bugs contained in this chapter are addressed by advisory RHEA-2015:0152. Further information about this advisory is available at https://rhn.redhat.com/errata/RHEA-2015-0152.html.

3.1. openstack-nova

BZ#958057
When Compute is configured to only set up VNC/SPICE servers on a specific network interface, the host's IP address is recorded in the libvirt guest XML. Previously, if the guest was migrated to a different host, the IP address of the source host remained in the guest XML and the guest failed to launch on the target host because the IP address was incorrect. With this update, the libvirt guest XML is now updated during migration to refer to the IP address of the target host. Migration can be performed for guests, even when the VNC/SPICE servers are configured to only bind to the IP address of a specific network interface.

BZ#974199
This feature exposes interactive web-based serial consoles to OpenStack VMs through a websocket proxy. It is generally used as a debugging tool (for example, VMs can be accessed even if network configuration fails). A new service (websocket proxy) is now available that handles websocket connections to the serial consoles of the VMs. The websocket proxy can be deployed on a machine other than the hypervisor.

BZ#978500
The host argument for the 'nova evacuate' command has been made optional. This means that the user no longer has to know the host destination, simplifying evacuation in the case of an unplanned failure.

BZ#1041054
Compute now automatically attempts a controlled shutdown for stop, rescue, and delete instance actions. If the controlled shutdown fails, Compute falls back to a forced shutdown.

BZ#1041376
OpenStack Compute now supports associating SR-IOV PCI devices with networks and binding Neutron SR-IOV ports to them.
PCI passthrough to SR-IOV virtual functions provides direct access to networking hardware specialized for virtualization with one physical device supporting multiple virtual machines. By supporting SR-IOV devices, virtual machines can now employ SR-IOV hardware for networking.

BZ#1090269
OpenStack Compute can now optionally provide a config drive to instances based on a property on the image in the OpenStack Image service. Previously, Compute configuration determined whether a config drive was used and what format to use for it. With this update, users can now indicate config drive requirements using image properties.

BZ#1097514
In previous releases, every virtual CPU was configured as a socket. Some guest operating systems have arbitrary limits on the number of sockets they support, but are not limited in the number of cores or threads. This prevented an instance's OS from taking full advantage of the virtual CPUs configured. With this release, the Compute service can now control an instance's virtual CPU topology. This allows an administrator and/or tenant users to specify constraints for the number of threads, cores and sockets to use for a guest instance. The Compute service will use the constraint information to configure a suitable guest CPU topology. With this, a guest OS such as Windows can take full advantage of all virtual CPUs without encountering support limits.

BZ#1097987
Compute can now provide dedicated CPU resources, where each guest virtual CPU has full access to a specific host CPU. In previous releases of Compute, guest CPUs were permitted to float across any host CPU. Even when the NUMA feature was enabled, the CPUs could still float within a NUMA node. Host CPUs would also be overcommitted, so many virtual CPUs contended for the host resource. This made it impossible to provide strong performance guarantees to guest operating system workloads.
With this update, the cloud administrator now has the ability to set up a host aggregate, which provides a pool of hosts that supports guests with dedicated CPU resource assignment. The cloud administrator or tenant user can make use of these pools to run instances with guaranteed CPU resources.

BZ#1097989
Previous Compute versions delegated all CPU placement to the operating system kernel. Although the kernel attempted to keep guest processes running on a single NUMA node, this was not enforced. This meant that guests could drift across NUMA nodes, resulting in an inefficient usage of host resources and limiting guest performance. With this update, Compute can now place guest instances on specific host NUMA nodes. The cloud administrator or tenant user can set preferences for the guest NUMA topology layout by enabling a scheduler filter that performs intelligent NUMA placement (affinity server group using hw:numa_policy=strict metadata). Compute takes into account the guest topology and then pins the guest instance to one or more host NUMA nodes, resulting in more consistent guest performance and efficient use of host resources.

BZ#1104924
A single guest can now have multiple network interfaces attached to the same logical host network. Previous versions of OpenStack Compute had an artificial restriction that a single guest cannot have multiple network interfaces connected to the same host network. There are, however, some valid use cases where this is required and thus Compute could not satisfy those use cases. With this update, the tenant user can now set up guest network interfaces without any restrictions imposed by Compute.

BZ#1127405
When using nova-network with multiple networks, it is now possible to set the MTU, enable or disable DHCP, set the DHCP server, and indicate whether the network shares addresses with other networks.
Previously, it was not possible to set these parameters on a per-network basis, making it more difficult to use nova-network with multiple networks. With this update, administrators now have more flexibility with settings when using multiple networks with nova-network.

BZ#1157742
Previously, if you created a server group with an anti-affinity policy, the policy was honored only during the initial boot, and not for a later VM migration (cold, live, or evacuate). Because the request information was not persisted, migrations did not honor anti-affinity policies, which could lead to inconsistencies (for example, an anti-affinity policy for a group with VM1 and VM2 could lead to both VMs being placed on the same host if VM2 was migrated). With this update, migrations now respect affinity policies. The server group and group policy of the VM to be migrated are now identified and checked before migration.

BZ#1160405
RBD snapshots and cloning are now used for Ceph-based ephemeral disk snapshots. With this update, data is manipulated within the Ceph server, rather than transferred across nodes, resulting in better snapshotting performance for Ceph.

BZ#1180607
RBD snapshots and cloning are now used for Ceph-based ephemeral disk snapshots. With this update, data is manipulated within the Ceph server, rather than transferred across nodes, resulting in better snapshotting performance for Ceph.

Chapter 4. RHEA-2015:0154 — python-django-horizon enhancement advisory

The bugs contained in this chapter are addressed by advisory RHEA-2015:0154. Further information about this advisory is available at https://rhn.redhat.com/errata/RHEA-2015-0154.html.

4.1.
python-django-horizon

BZ#891062
An admin user can now specify the Provider network type (the physical mechanism by which the virtual network is implemented), when creating a new network. Previously, the dashboard (horizon) defaulted to the 'Local' provider network type, and it was not possible to select another type. The types 'Flat', 'VLAN', 'GRE', 'VXLAN', and 'Local' can now be selected in the new 'Provider Network Type' drop-down field. Depending on the type, a segmentation ID, tunnel ID, or physical network name must be additionally specified.

BZ#1041966
Role-based access control (RBAC) checks are now supported for actions that interact with the Compute service (nova); rules are defined in the /etc/openstack-dashboard/nova_policy.json configuration file. RBAC checks allow an administrator to finely tune a user's access. For example, an administrator might allow end users to view the complete flavor listing.

BZ#1041967
Role-based access control (RBAC) checks are now supported for actions calling the network service; rules are defined in the /etc/openstack-dashboard/neutron_policy.json configuration file. RBAC checks allow an administrator to finely tune a user's access. For example, an administrator might prevent end users from creating a subnet or changing a firewall policy.

BZ#1041971
An admin user can now evacuate a compute host using the dashboard. Two tabs now provide information for hypervisors: 'Hypervisor' and 'Compute Host' (Admin > Hypervisors). If a host is down, an 'Evacuate Host' action is now visible for it on the Compute Host tab (providing a modal window to perform the evacuation).

BZ#1041986
Support has been added for Block Storage volume backups in the dashboard. Users can now create, view, delete, and restore volume backups. Note: This functionality is not displayed by default.
To display volume-backup action items, update the /etc/openstack-dashboard/local_settings file with:

    OPENSTACK_CINDER_FEATURES = {
        'enable_backup': True,
    }

After updating the file, restart the httpd service with 'systemctl restart httpd'.

BZ#1041991
There was a need to enable/disable Neutron related features based on the extension list from Neutron and remove Neutron related settings in local_settings.py.
- Neutron features like LBaaS, FWaaS or VPNaaS are provided as extensions in Neutron. These features are now enabled only when they are included in the extension list from Neutron. Also, the default settings of enable_lb/firewall/vpn were changed to True. The defaults of these settings were set to False to avoid confusing users, because LB/FW/VPNaaS are optional features in Neutron. With this change, the corresponding features in Horizon are enabled dynamically, so it was reasonable to change the default to True.

BZ#1042023
An additional 'Action Log' tab is now available for specific instances (Project > Compute > Instances > <instance>). The tab lists all actions which have been carried out on that specific instance. For example, a tenant user can now use the 'Action Log' tab to see who created or shut down an instance.

BZ#1042028
With this feature, there is now a widget for managing the Glance metadata dictionary. The admin user is now able to edit properties of images directly under admin/images/edit.

BZ#1042070
When using OpenStack Networking (neutron) with the dhcp_agent_scheduler extension, it is now possible to add and remove DHCP agents from networks using the dashboard. This makes it easier to manage the high availability of DHCP agents for OpenStack Networking. When logged in as admin and navigating to the Admin Networks panel, a new DHCP Agents column with the number of agents associated with each network is now visible.
Clicking on a network name displays the network's details together with a new 'DHCP Agents' table where the admin can add and delete agents.

BZ#1042113
Need for an interface to allow the user to assign domain roles to users.
- The Identity Dashboard has been extended to support managing roles and users in different domains.

BZ#1046790
Extra Specs support for volume types has been added to the dashboard. An admin can now add additional keys and values to volume types (GUI implementation of the 'cinder type-key' command). To view extra specs, select Admin > Volumes > Volume Types, and click the type's 'View Extra Specs' action.

BZ#1053088
OpenStack Networking (neutron) has introduced new attributes for IPv6 networks: 'Router Advertisement' and 'Address Assignment', which enable IPv6 subnets to be configured with more granularity. If OpenStack Networking is in use and an IPv6 subnet is being created, the dashboard now offers the following options in the 'IPv6 Address Configuration Mode' drop-down field: "SLAAC", "DHCPv6 stateful", "DHCPv6 stateless provided by OpenStack." Providing no option means that addresses are configured manually or by a non-OpenStack system.

BZ#1056389
The ability for an administrator to manage image metadata (custom properties) has been added to the dashboard. The admin user can now add, update, or delete image metadata (implements the 'glance image-update <imageID> --property <key>=<value>' command). To view or update an image's metadata, select Admin > System > Images, and click the image's 'Update Metadata' action.

BZ#1057828
Role-based access control (RBAC) checks are now supported for actions that interact with the Orchestration service (heat); rules are defined in the /etc/openstack-dashboard/heat_policy.json configuration file. RBAC checks allow an administrator to finely tune a user's access.
For example, an administrator might prevent end users from changing a stack template.

BZ#1058578
Add support for Datastores to Trove dashboard. Basic support for Trove has been added to Horizon.
- Added Datastore type/version drop down in Launch Instance
- Added Datastore type/version in Instance List and Instance Details

BZ#1059472
JavaScript libraries have been separated out from the dashboard (horizon) source code into separate, external packages. This improves the maintainability of the source code.

BZ#1062037
With this feature, there is now a separate Identity dashboard.

BZ#1076307
The user can now sort tables by timestamp in the dashboard (a timestamp parser has been added). For example, in the Project > Compute > Overview window, the user can now sort instances by 'Time since created'.

BZ#1076309
Table filtering has been updated in the dashboard to use API query attributes. A drop-down box and an input field for filtering have been added to tables for admin instances, admin images, and project instances. For example, the admin instances table might be filtered for 'Status=Active'.

BZ#1080743
Code for the Sahara dashboard has been merged into the dashboard (horizon) code. If Sahara is correctly installed (openstack-sahara) and configured, no further dashboard configuration is necessary to display the 'Data Processing' tab for each region (Project > Data Processing).

BZ#1095055
A 'Metadata' column has been added to the Flavors table (Admin > System > Flavors) that displays whether extra specs have been specified for a flavor ('Yes' or 'No'). The user can now click on either the column value or the 'Update Metadata' action to view or update defined metadata.

BZ#1097517
Need for a feature to enable resetting the state of a volume exposed in the administrator dashboard.
This functionality is currently available only through the CLI command:

    # cinder reset-state --state available <volume-id>

- Exposed the functionality of the 'cinder reset-state' command in the UI. As is the case with the 'cinder reset-state' command, this change permits an operator to select any valid status, regardless of the current status of the volume.

BZ#1097997
With this feature, administrators can now reset the state of a snapshot.

BZ#1101371
With this feature, basic support for Trove was added to Horizon. Management of incremental backups is now supported.

BZ#1103560
You can now perform a 'cinder retype' through the dashboard. This allows you to migrate volumes or to change any volume settings (that are set from the volume's type) through the web interface.

BZ#1107491
Functionality for Cinder Quality of Service (QoS) extra specs management such as maximum IO/seconds (maxIOPS) is now available in the administrator dashboard. Currently qos specs must be managed via the cinder CLI commands:
- cinder-qos-create
- cinder-qos-delete
- cinder-qos-key
- cinder-qos-list
- cinder-qos-show
And their associations to volume types are handled with the cinder CLI commands:
- cinder-qos-associate
- cinder-qos-get-association
- cinder-qos-disassociate
- cinder-qos-disassociate-all

BZ#1107925
Cinder CLI has an upload-to-image function that supports uploading a volume into glance as an image - this functionality needs to be made available in Horizon.
- It is now possible to use a glance image as source to create a cinder volume in Horizon.

BZ#1108436
This enhancement adds MAC address learning management to the Dashboard (horizon). Users are able to view and toggle the MAC address learning state of a port, in environments where this feature is supported.
BZ#1109409
The description for the 'Create Volume Type' dialogue has been enhanced to make it clear that creating a type is equivalent to the 'cinder type-create' command. After the volume type is created, the user can then further define the type by adding extra specs.

BZ#1109420
In Horizon, a feature was needed to automatically populate the "Format" field in the Create Image modal after the user has filled out the Image Source/Image File fields.
-Auto populate the image format field based on the file extension.

BZ#1117613
Support for Neutron DVR (Distributed Virtual Router) has been implemented in Horizon. Neutron DVR includes new changes to the neutron CLI, specifically in the areas of router-creation, router-scheduling, show commands, etc., while adding admin functionality for DVR to Horizon.

BZ#1118943
Need to be able to disable console access when not accessible from outside a cloud-provider's infrastructure.
-A config option added to /etc/openstack_dashboard/local_settings: CONSOLE_TYPE. Valid options are "AUTO", "VNC", "SPICE", "RDP" or None. When it's set to None, console access is disabled.

BZ#1124133
Add support for Spark jobs in Sahara data processing UI.
Support for Spark EDP jobs in the data processing dashboard has been added. The changes are:
-Added Spark as a job type when creating jobs
-Added some help text for Spark job creation
-Hide appropriate configuration fields when launching a Spark job
-Made job type drop down translatable

BZ#1125093
There was a need to add the ability for admins to create/update/delete custom properties and metadata for Images. This is useful for admins and users to meaningfully describe images by sharing key-value pairs and tag metadata.
A new "Update metadata" option is now visible in the Admin Images panel that enables you to update custom properties and metadata for Images.
BZ#1128398
Need for a feature wherein operators can disable L3 Router features by configuration options.
-New config option 'enable_router' to OPENSTACK_NEUTRON_NETWORK. The default is True as router feature is enabled in most deployments and it is the current default behavior of Horizon. If this option is False, Router panel disappears.
-Network Topology panel shows routers in the topology map and also has "Create Router" button. If "enable_router" is set to False, routers in the topology map are not displayed, and "Create Router" button is not shown.
-'enable_floatingip' option to OPENSTACK_NEUTRON_NETWORK. Similar to the floating IP feature in Neutron provided by L3 router extension. If this option is set to False, "Floating IP" tab and "Associate/Disassociate Floating IP" menu in the instance table are not shown.

BZ#1141366
In previous versions, the dashboard displayed a column with the header titled "Instance uptime", which implied that it listed the uptime of an instance (Project > Compute > Overview or Admin > System Instances). This title was not correct because Compute (nova) simply returns a timestamp for when an instance is created. The column header has been renamed to "Time since created".

BZ#1170348
Rebase python-django-horizon to 2014.2.1.
Highlights, important fixes, or notable enhancements:
- Overview page: OverflowError when cinder limits are negative
- Cinder API v2 support instance view
- Alternate navigation broken
- Default `target={}` value leaks into subsequent `policy.check()` calls

Chapter 5. RHBA-2015:0157 — Red Hat Enterprise Linux Openstack 6.0 bug fix advisory

The bugs contained in this chapter are addressed by advisory RHBA-2015:0157. Further information about this advisory is available at https://rhn.redhat.com/errata/RHBA-20150157.html.

5.1. ceph

BZ#1181770
Previously, certain cleanup activities in librbd1 resulted in 'nova-compute' crashing with a segmentation fault, in specific cases where a Ceph RBD backend was in use.
This fix ensures the context is correctly cleaned up before returning. As a result, 'nova-compute' operates correctly with Ceph RBD backends.

5.2. openstack-cinder

BZ#1184455
At present, an unversioned requirement to 'python-taskflow', and missing requirements to 'libcgroup-tools', 'python-keystonemiddleware', and 'openstack-cinder' means that upgrade activities may not function as expected.
As a current workaround, you can install both 'openstack-cinder' and its missing requirements by using the following command:
'yum install -y libcgroup-tools python-keystonemiddleware python-taskflow openstack-cinder'

5.3. openstack-nova

BZ#1171108
Previously, using an unlimited quota value (-1) resulted in the inability to start an instance, with a subsequent "HTTP 500 IndexError: list index out of range" error being raised.
This fix enables the ability to set an unlimited quota value in 'nova.conf', with the result that instances can now be started using this configuration.

BZ#1177298
Previously, using a multibyte character in a flavor name would result in a Python unicode exception.
This update addresses this issue by adding a unicode type string test to ensure expected behavior from multibyte character names.

BZ#1181571
Previously, when reverting an instance resize operation, Compute (nova) would fail to consider the backing volume as shared between the original and new instance. Consequently, the resized volume would be deleted during the operation; since RBD volumes are shared, this meant the original volume was also removed, preventing the instance from booting.
With this fix, when the instance volume is of type RBD, Compute now considers it to be shared and does not delete the volume during revert/resize operations. As a result, revert/resize operations succeed as expected.

BZ#1181673
Prior to this update, a number of unit tests were broken as a result of backport activity. Consequently, not all unit tests were able to complete without errors.
This update addresses this issue by using an object flavor instead of a dict in 'test_driver.py'. As a result, all unit tests now pass as expected.

5.4. openstack-puppet-modules

BZ#1158942
There is currently no supported user-facing (dashboard or CLI) mechanism for consuming the websocket URL exposed by the serial console support. A utility is available to test this feature at https://github.com/larsks/novaconsole, however there should not be an expectation that the virtual serial console will function by default, as configuration steps are required.

BZ#1181307
The python-pbr package required by Red Hat Enterprise Linux OpenStack Platform puppet modules is not present in Red Hat Enterprise Linux OpenStack Platform 6. Installation using PackStack will fail if Ironic (a Technology Preview package) is enabled. Manual installation is required for Ironic at the moment.

5.5. openstack-selinux

BZ#1186628
Previously, versions of the SELinux policies prior to 'selinux-policy-3.12.1-153.el7_0.13' were missing specific policies for the Image Service (glance) API service. As a result, attempting to install multi-node clouds with SELinux in 'enforcing' mode would result in failure during installation and configuration of the Image Service API service.
This update addresses this issue with the openstack-selinux package now requiring 'selinux-policy-3.12.1-153.el7_0.13'. Consequently, the correct policies are in place to allow a complete installation with SELinux set to 'enforcing'.
Chapter 6. RHBA-2015:0633 — python-django-horizon bug fix advisory

The bugs contained in this chapter are addressed by advisory RHBA-2015:0633. Further information about this advisory is available at https://rhn.redhat.com/errata/RHBA-20150633.html.

6.1. python-django-horizon

BZ#1078956
In some cases, such as environments where the Identity service was backed by LDAP with specific policies, there were previous restrictions as to how end-users could change their password. This meant that end users were unable to change their password through the dashboard and would receive an error message when trying to do so.
A policy check for "identity:check_password" has been added to the 'Change password' panel, so that when "identity:change_password" is set to a more restrictive policy in /etc/openstack-dashboard/keystone_policy.json, the 'Change password' panel is no longer displayed. This change has now resolved the issue.

BZ#1127070
In the Router Network Profiles panel (available only when using the Cisco N1K Neutron plug-in), many of the Network Profile fields could not be updated but they were still shown in the update form. Thereby, the update form was misleading, letting the user modify fields when the changes couldn't be saved.
Code has been fixed to mark the fields that cannot be changed as "read-only" in the form. Thus, when updating a network, only the fields that can be updated are editable and the issue is now resolved.

BZ#1188394
Rebase package(s) to version: 2014.2.2
Highlights and important bug fixes:
-Project limits don't update when using the input selector to change instance count
-While the HA property is update-able, and resulting router-get invocations suggest that the router is HA, the migration itself fails on the agent. This is deceiving and confusing and should be blocked until the migration itself is fixed in a future patch.
-Project Limits don't refresh while selecting Flavor
-Private flavor update with horizon will cause access issue of existed instances
-Horizon crashed when parsing volume list including a volume without name

6.2. python-django-openstack-auth

BZ#1174748
One needed to log in twice after a keystone token timed out. Code has been updated and the issue is now fixed.

Chapter 7. RHBA-2015:0639 — openstack-keystone bug fix advisory

The bugs contained in this chapter are addressed by advisory RHBA-2015:0639. Further information about this advisory is available at https://rhn.redhat.com/errata/RHBA-20150639.html.

7.1. openstack-keystone

BZ#1130726
With this release, keystone now emits CADF notifications for role assignment events, providing a more complete audit trail.
Role assignment operations affect a user's access to cloud resources; keeping an audit trail of these actions can be important to detect malicious actions.

Chapter 8. RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory

The bugs contained in this chapter are addressed by advisory RHBA-2015:0640. Further information about this advisory is available at https://rhn.redhat.com/errata/RHBA-20150640.html.

8.1. diskimage-builder

BZ#1182642
When an overcloud node boots up, it runs os-collect-config as a part of registration. The os-collect-config script saves data from the Orchestration (heat) metadata API locally and then calls os-refresh-config any time that metadata has changed. Subsequent calls to the registration script call subscription-manager again and it returns a non-zero exit code.
With the return of a non-zero exit code, the script fails, the stack results in a timeout, and multiple registrations can occur. There is no current workaround.

BZ#1183104
Prior to the Satellite 6 release, the katello-agent and its dependencies needed the rhel-7-server-rh-common-beta-rpms repository to be enabled. Since the Satellite 6 release, necessary packages have been moved to the rhel-7-server-rh-common-rpms repository. However, upstream code still references the rhel-7-server-rh-common-beta-rpms repository, which no longer has the latest packages, causing Satellite instances to fail.

8.2. instack-undercloud

BZ#1183099
An iptables setting in the undercloud causes overcloud nodes to fail to register since the nodes have no external access. As a workaround, run the following command on the undercloud image:
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

8.3. libguestfs

BZ#1186070
This enhancement includes a feature, virt-v2v, which gives users the ability to convert images from a variety of hypervisors to run on OpenStack cloud.

8.4. mariadb-galera

BZ#1179360
Previously, mariadb-galera would generate an SSL certificate with the parameter CN set to "$(hostname) mariadb-galera cluster". Creating this SSL certificate would fail if the hostname was long enough such that the resulting string was greater than 64 characters.
With this update, the certificate is generated with only the hostname to avoid using a CN value that is too long.

8.5. openstack-selinux

BZ#1185444
This update introduces the rabbitmq-cluster resource agent for managing clustered RabbitMQ instances with the Pacemaker cluster manager.

Chapter 9. RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug fix update

The bugs contained in this chapter are addressed by advisory RHSA-2015:0789. Further information about this advisory is available at https://rhn.redhat.com/errata/RHSA-20150789.html.

9.1. openstack-packstack

BZ#1117277
With this enhancement, if OpenStack Networking is enabled, Packstack will display a warning if the Network Manager service is active on hosts.

BZ#1123117
With this update, a new feature has been added that enables installing the OpenStack Identity service to run via Apache httpd processes. A new parameter 'CONFIG_KEYSTONE_SERVICE_NAME' has been added. The value 'httpd' switches on Apache support, while the value 'keystone' allows the Identity service to run in its own process, as was implemented in the previous versions.

BZ#1195258
When using Packstack in a multi-node configuration, VXLAN ports (4789) on the firewall were not open for the other nodes. As a result, openvswitch did not function properly. With this update, this issue has been addressed by opening the port 4789 on all compute and network nodes.

BZ#1199047
A typo in the code caused the Sahara option that uses OpenStack Networking to be always false. With this update, the error has been addressed. As a result, Sahara now uses OpenStack Networking if the parameter 'CONFIG_NEUTRON_INSTALL' is set to 'y'.

BZ#1199072
Packstack set the Ironic password to the value "PW_PLACEHOLDER" instead of the real generated or user-provided default password. This was fixed by ensuring packstack has USE_DEFAULT set to false at the password option. Now packstack should configure ironic with the predefined password.

BZ#1199076
An error in the Packstack code was responsible for setting the glance_image provider region value to RegionOne ignoring any region setting updated by the user.
With this update, Packstack now allows the user to set a custom region name for the glance_image provider parameter.

BZ#1199114
Prior to this update, users had to install the OpenStack Unified Client separately after completing an installation of Packstack. As the requirement for the OpenStack Unified Client is quite common, Packstack now installs it by default.

BZ#1199562
This enhancement allows the passing of additional command-line options when creating an answer file.
Previously, '--gen-answerfile' did not allow the specification of additional options. Instead, manual file editing was required to change any default options.
With this update, it is now possible to combine '--gen-answerfile' with additional options, which are then included in the subsequently generated answer file.

BZ#1199565
This enhancement updates Packstack to retain temporary directories when running an installation in debug mode. This assists with troubleshooting activities, as retaining the temporary directories allows easier failure debugging.
As a result, temporary directories are not deleted when running Packstack with the --debug command line option.

BZ#1199589
Prior to this update, some validators did not use 'validate_not_empty' to ensure that certain parameters contained values. As a result, a number of internal validations could not be properly handled, leading to the possibility of unexpected errors.
This update fixes validators to use validate_not_empty when required, resulting in correct validation behavior from validators.

9.2. openstack-selinux

BZ#1195252
A quiet dependency on a newer version of selinux-policy causes openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z.
This causes Identity and other OpenStack services to receive 'AVC' denials under some circumstances, causing them to malfunction.
The following workarounds allow the OpenStack services to function correctly:
1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve the issue.
2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later), then update openstack-selinux to version 0.6.23-1.el7ost.

9.3. vulnerability

BZ#1201875
It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root.

Chapter 10. RHSA-2015:0790 — Important: openstack-nova security, bug fix, and enhancement update

The bugs contained in this chapter are addressed by advisory RHSA-2015:0790. Further information about this advisory is available at https://rhn.redhat.com/errata/RHSA-20150790.html.

10.1. openstack-nova

BZ#1017288
libvirt did not previously support snapshot merge or delete operations using libgfapi. This meant that the user could not delete snapshots of a Red Hat Storage (glusterfs) Block Storage volume attached to an instance when using libgfapi.
With this update, libvirt and the Compute service now correctly handle Block Storage volume snapshots with libgfapi enabled, and these snapshots can now be deleted.

BZ#1100535
OpenStack Bare Metal Provisioning (ironic) is now included in this release as a Technology Preview.
This service provisions bare-metal machines using common technologies (such as PXE boot and IPMI) to cover a wide range of hardware, while supporting pluggable drivers to allow the addition of vendor-specific functionality.

BZ#1104926
Support has been added for intelligent NUMA node placement for guests that have been assigned a host PCI device. PCI I/O devices, such as Network Interface Cards (NICs), can be more closely associated with one processor than another. This is important because there are different memory performance and latency characteristics when accessing memory directly attached to one processor than when accessing memory directly attached to another processor in the same server.
With this update, OpenStack guest placement can be optimized by ensuring that a guest bound to a PCI device is scheduled to run on a NUMA node that is associated with the guest's pCPU and memory allocation. For example, if a guest's resource requirements fit in a single NUMA node, all guest resources will now be associated with the same NUMA node.

BZ#1165961
An invalid template was previously supplied for network interface injection (flat_injected=true in /etc/nova/nova.conf), which meant that the network configuration of the instance was incorrect.
With this fix, a valid Jinja2 network interface configuration template is now provided, and the networking of instances is correctly configured.

BZ#1171454
Previously, you could not launch an instance with multiple interfaces attached to the same network by using --nic net-id=<id>; the instance would fail to boot.
With this update, Compute now checks for duplicate networks at the Compute API layer, and an instance boot using a specific network ID with multiple vNICs can succeed.

BZ#1175348
Previously, the Compute service did not follow live migration status.
As a result, if something went wrong, the instance status did not report the error and this could result in two "same" instances running in the cloud (across the source and target servers).
With this update, a new object has been introduced to follow each step until a live migration succeeds or fails. This means that when a migration now fails, the error is reported on the instance's status if necessary, and a rollback is then done to avoid two "same" instances running in the cloud.

BZ#1190719
Previously, emulator threads (for vCPUs) floated on the union of the set of all NUMA CPUs, even if the CPUs were dedicated, which meant that an emulator thread could consume CPU time from another guest instance.
With this fix, emulator threads now only use the union of dedicated host CPUs, and that CPU's time, on which guest vCPUs are running.

BZ#1191174
Previously, if multipathing was enabled for the Compute service in /etc/nova/nova.conf and CHAP authentication was enabled in an IBM Storwize backend, attaching a Block Storage volume to an instance failed on boot ("Login I/O error, failed to receive a PDU\niscsiadm"). That is, if the Block Storage server was configured to protect the target-discovering phase using CHAP authentication, the discovery command failed (because authentication failed).
With this update, the Block Storage driver now sends authentication properties (discovery_auth_method, discovery_auth_username, discovery_auth_password) to CHAP, the discovery command succeeds, and volume attachment succeeds.

BZ#1193737
Previously, when the primary path to a Cinder iSCSI volume was down, a volume could not be attached to the instance, even if the Compute and Block Storage backend driver's multipath feature was enabled. This meant that users of the cloud system could fail to attach a volume (or boot a server booted from a volume).
With this fix, the host can now have a separate configuration option if the block traffic is on a separate network; the volume is then attached using the secondary path.

BZ#1194073
A previous overly restrictive ban on live migration of vfat config drives, and the incorrect handling of config drives with RBD storage, meant that the live migration of instances with config drives was not supported.
With this update, vfat config drives can now be live migrated, and config drive persistence is handled appropriately with RBD storage. This means that live migration is now possible when using vfat config drives with storage either local to the compute node or remote with RBD storage. (To use vfat config drives, set config_drive_format in /etc/nova/nova.conf to 'vfat'.)

BZ#1198429
The previous value of the Compute auth_version parameter in /usr/share/nova/nova-dist.conf of 'v2.0' forced Identity's auth_token middleware to use v2 authentication, which in turn prevented multi-domain Identity service deployments.
With this update, the auth_version parameter now has a new default value of 'v3.0'; middleware authentication can now validate tokens outside of the default domain.

10.2. vulnerability

BZ#1190112
It was discovered that the OpenStack Compute (nova) console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.

Revision History

Revision 6.0.2-0    Tue Apr 7 2015    Summer Long
Updated overview to include 6.0.2 chapters and advisories; two errata chapters added.

Revision 6.0.1-1    Thu Mar 5 2015    Summer Long
Updated overview to include 6.0.1 chapters and advisories; three errata chapters added.

Revision 6.0.0-2    Mon Feb 9 2015    Summer Long
Release for Red Hat Enterprise Linux OpenStack Platform 6.
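Added example for BZ#1130726 (not part of the original notes and not keystone code): one way to turn the role assignment CADF notifications into audit findings. The payload field names follow keystone's upstream notification layout as an assumption to verify against your release; the role and user IDs, the policy sets and the sample events are constructed.

```python
import json
from collections import namedtuple

Finding = namedtuple("Finding", "time rule initiator grantee role scope")

# Hypothetical site policy for this sketch (all IDs are constructed).
SENSITIVE_ROLES = {"role-admin"}         # role IDs treated as privileged
EXPECTED_GRANTERS = {"user-cloudadmin"}  # accounts expected to grant them


def _event(action, initiator, role, scope_key, scope, inherited=False, **grantee):
    """Build one constructed notification in the assumed CADF layout."""
    payload = {"action": action, "outcome": "success",
               "eventTime": "2015-03-05T10:00:00+00:00",
               "initiator": {"id": initiator}, "role": role,
               scope_key: scope, "inherited_to_projects": inherited}
    payload.update(grantee)  # user=... or group=...
    event_type = "identity.role_assignment." + action.split(".")[0]
    return json.dumps({"event_type": event_type, "payload": payload})


# Constructed sample input: one JSON notification per line.
SAMPLE_LINES = [
    _event("created.role_assignment", "user-cloudadmin", "role-member",
           "project", "proj-web", user="user-alice"),
    _event("created.role_assignment", "user-bob", "role-admin",
           "project", "proj-web", user="user-bob"),
    _event("created.role_assignment", "user-svc", "role-admin",
           "domain", "dom-default", inherited=True, group="group-ops"),
    _event("deleted.role_assignment", "user-cloudadmin", "role-admin",
           "project", "proj-web", user="user-bob"),
    "truncated {not json",
    json.dumps({"event_type": "identity.user.created",
                "payload": {"action": "created.user"}}),
]


def role_assignment_findings(lines):
    """Return a Finding for every suspicious successful role grant."""
    findings = []
    for line in lines:
        try:
            payload = json.loads(line).get("payload")
        except (ValueError, AttributeError):
            continue  # malformed line or non-object JSON: skip it
        if not isinstance(payload, dict):
            continue
        if payload.get("action") != "created.role_assignment":
            continue  # only grants are scored; revocations are ignored
        if payload.get("outcome") != "success":
            continue
        initiator = (payload.get("initiator") or {}).get("id")
        grantee = payload.get("user") or payload.get("group")
        role = payload.get("role")
        scope = payload.get("project") or payload.get("domain")
        rules = []
        if role in SENSITIVE_ROLES and initiator not in EXPECTED_GRANTERS:
            rules.append("unexpected-granter")
        if initiator is not None and initiator == payload.get("user"):
            rules.append("self-grant")
        if role in SENSITIVE_ROLES and payload.get("inherited_to_projects"):
            rules.append("inherited-privileged-grant")
        for rule in rules:
            findings.append(Finding(payload.get("eventTime"), rule,
                                    initiator, grantee, role, scope))
    return findings


if __name__ == "__main__":
    for finding in role_assignment_findings(SAMPLE_LINES):
        print(finding)
```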
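Added example for BZ#1190112 (not part of the original notes and not nova's code): a server-side Origin check for a WebSocket handshake, the control whose absence allows cross-site websocket hijacking. The function names, the allowlist parameter and the sample hosts are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(scheme, netloc):
    """Normalise to (scheme, host, port); raise ValueError if malformed."""
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS or not netloc or "@" in netloc:
        raise ValueError("unsupported scheme or authority")
    parts = urlsplit("//" + netloc)  # handles IPv6 literals and ports
    if not parts.hostname or parts.path or parts.query or parts.fragment:
        raise ValueError("malformed authority")
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.rstrip("."), port


def parse_origin(value):
    """Parse a serialised Origin value such as 'https://host:6080'."""
    parts = urlsplit(value.strip())
    if parts.path or parts.query or parts.fragment:
        raise ValueError("Origin must be scheme://host[:port] only")
    return _origin_tuple(parts.scheme, parts.netloc)


def origin_allowed(headers, server_scheme, allowed_origins=(),
                   allow_missing=True):
    """Return True when the WebSocket handshake may proceed.

    headers         request headers as a dict (names are case-insensitive)
    server_scheme   'http' or 'https', as the console proxy is served
    allowed_origins extra origins trusted to embed the console
    allow_missing   browsers always send Origin on WebSocket handshakes,
                    so a request without it comes from a non-browser
                    client; set False to require the header anyway
    """
    h = {name.lower(): value for name, value in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return allow_missing
    try:
        got = parse_origin(origin)
        # Same origin as the endpoint the browser addressed (Host header).
        trusted = {_origin_tuple(server_scheme, h.get("host", ""))}
        trusted.update(parse_origin(item) for item in allowed_origins)
    except ValueError:
        return False  # fail closed on anything that does not parse
    # Exact tuple comparison: no prefix, suffix or substring matching.
    return got in trusted


if __name__ == "__main__":
    # Constructed handshake headers for illustration.
    host = "console.example.test:6080"
    for origin in ("https://console.example.test:6080",
                   "https://other-site.example",
                   "https://console.example.test.other-site.example:6080",
                   "null"):
        request = {"Host": host, "Origin": origin}
        print(origin, origin_allowed(request, "https"))
```

Comparing parsed (scheme, host, port) tuples rather than strings is what rejects look-alike hosts and the opaque "null" origin.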