technical notes openstack platform 6 red hat enterprise

OpenStack Documentation Team

Red Hat Enterprise LinuxOpenStack Platform 6Technical Notes

Technical Notes for Red Hat Enterprise Linux OpenStackPlatform and supporting packages.

Red Hat Enterprise Linux OpenStack Platform 6 TechnicalNotes

Technical Notes for Red Hat Enterprise Linux OpenStackPlatform and supporting packages.

OpenStack Documentation TeamRed Hat Customer Content [email protected]

Legal Notice

Copyright © 2015 Red Hat, Inc.

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified versionof it, you must provide attribution to Red Hat, Inc. and provide a link to the original. Ifthe document is modified, all Red Hat trademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agreesnot to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicablelaw.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora,the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the UnitedStates and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and othercountries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in theUnited States and/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the EuropeanUnion and other countries.

Node.js ® is an official trademark of Joyent. Red Hat Software Collections is notformally related to or endorsed by the official Joyent Node.js open source orcommercial project.

The OpenStack ® Word Mark and OpenStack Logo are either registeredtrademarks/service marks or trademarks/service marks of the OpenStackFoundation, in the United States and other countries and are used with theOpenStack Foundation's permission. We are not affiliated with, endorsed orsponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

AbstractThese Technical Notes are provided to supplement the information contained in thetext of Red Hat Enterprise Linux OpenStack Platform errata advisories releasedthrough Red Hat Network.

http://creativecommons.org/licenses/by-sa/3.0/

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of ContentsChapter 1. Overview

Chapter 2. RHEA-2015:0148 — openstack-neutron enhancement advisory2.1. openstack-neutron

Chapter 3. RHEA-2015:0152 — openstack-nova enhancement advisory3.1. openstack-nova

Chapter 4. RHEA-2015:0154 — python-django-horizon enhancement advisory4.1. python-django-horizon

Chapter 5. RHBA-2015:0157 — Red Hat Enterprise Linux Openstack Platform 6.0Bug Fix Advisory

5.1. ceph5.2. openstack-cinder5.3. openstack-nova5.4. openstack-puppet-modules5.5. openstack-selinux

Chapter 6. RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform BugFix and Enhancement Advisory

6.1. diskimage-builder6.2. instack-undercloud6.3. libguestfs6.4. mariadb-galera6.5. openstack-selinux

Chapter 7. RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug f ix update

7.1. openstack-packstack7.2. openstack-selinux7.3. vulnerability

Chapter 8. RHSA-2015:0790 — Important: openstack-nova security, bug f ix, andenhancement update

8.1. openstack-nova8.2. vulnerability

Chapter 9. RHBA-2015:0931 — openstack-nova bug f ix advisory9.1. openstack-nova9.2. python-novaclient

Chapter 10. RHBA-2015:0939 — Red Hat Enterprise Linux OpenStack PlatformInstaller update

10.1. foreman-installer10.2. openstack-foreman-installer10.3. rhel-osp-installer10.4. rubygem-staypuft

Appendix A. Revision History

2

55

99

1313

202020202121

232323232424

25252627

282830

313135

3636363737

38

T able of Contents

1

Chapter 1. Overview

These Technical Notes are provided to supplement the information contained in the text ofRed Hat Enterprise Linux OpenStack Platform errata advisories released through Red HatNetwork. If the text for an advisory's problem description is too lengthy to fit into theadvisory itself, bug listings for that advisory are published as a chapter in this document.

The following table contains the list of errata advisories for this vers ion.

Table 1.1. Errata Advisories

Release

Advisories

6.0 Errata chapters:

Chapter 2, RHEA-2015:0148 — openstack-neutron enhancement advisoryChapter 3, RHEA-2015:0152 — openstack-nova enhancement advisoryChapter 4, RHEA-2015:0154 — python-django-horizon enhancement advisoryChapter 5, RHBA-2015:0157 — Red Hat Enterprise Linux Openstack Platform6.0 Bug Fix Advisory

Additional advisories include:

RHEA-2015:0144 - Red Hat Enterprise Linux OpenStack Platform 6.0Enhancement Advisory.RHEA-2015:0145 - openstack-swift enhancement advisory.RHEA-2015-0146 - openstack-sahara enhancement update.RHEA-2015-0147 - openstack-heat enhancement advisory.RHEA-2015:0149 - openstack-ceilometer enhancement advisory.RHEA-2015:0150 - openstack-glance enhancement advisory.RHEA-2015:0151 - openstack-cinder enhancement advisory.RHEA-2015:0153 - openstack-keystone enhancement advisory.RHEA-2015:0155 - openstack-packstack and openstack-puppet-modulesenhancement advisory.

T echnical Notes

2

https://rhn.redhat.com/errata/RHEA-2015-0144.html









6.0.1 Errata chapter:

Chapter 6, RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack PlatformBug Fix and Enhancement Advisory


RHBA-2015:0630 - openstack-packstack bug fix advisoryRHBA-2015:0631 - openstack-swift bug fix advisoryRHBA-2015:0632 - openstack-sahara bug fix advisoryRHBA-2015:0633 - python-django-horizon bug fix advisoryRHBA-2015:0634 - openstack-heat bug fix advisoryRHBA-2015:0635 - openstack-neutron bug fix advisoryRHBA-2015:0636 - openstack-ceilometer bug fix advisoryRHBA-2015:0637 - openstack-cinder bug fix advisoryRHBA-2015:0638 - openstack-nova bug fix advisoryRHBA-2015:0639 - openstack-keystone bug fix advisoryRHSA-2015:0643 - Important: qemu-kvm-rhev security updateRHSA-2015:0644 - Low: openstack-glance security and bug fix updateRHSA-2015:0645 - Important: redhat-access-plugin-openstack security update

These packages include rebases to 2014.2.2 for the Block Storage, Compute,Dashboard, Identity, Image, Networking, Orchestration, Sahara, Telemetry, andTrove services.

6.0.2 Errata chapters:

Chapter 7, RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security and bug fix updateChapter 8, RHSA-2015:0790 — Important: openstack-nova security, bug fix,and enhancement update


RHBA-2015:0784 - openstack-cinder bug fix advisoryRHBA-2015:0785 - openstack-neutron bug fix advisoryRHBA-2015:0786 - openstack-ceilometer bug fix advisoryRHBA-2015:0787 - Red Hat Enterprise Linux OpenStack Platform Bug Fix andEnhancement AdvisoryRHSA-2015:0788 - Moderate: novnc security update

Release

Advisories

Chapter 1. Overview

3

https://rhn.redhat.com/errata/RHBA-2015-0630.html










https://rhn.redhat.com/errata/RHSA-2015-0643.html








6.0.3 Errata chapters:

Chapter 9, RHBA-2015:0931 — openstack-nova bug fix advisoryChapter 10, RHBA-2015:0939 — Red Hat Enterprise Linux OpenStack PlatformInstaller update


RHBA-2015:0928 - Red Hat Enterprise Linux OpenStack Platform Bug Fix andEnhancement AdvisoryRHBA-2015:0929 - openstack-heat bug fix advisoryRHBA-2015:0930 - openstack-ceilometer bug fix advisoryRHBA-2015:0932 - openstack-cinder bug fix advisoryRHBA-2015:0933 - python-django-horizon bug fix advisoryRHBA-2015:0934 - openstack-sahara bug fix advisoryRHBA-2015:0935 - openstack-packstack and openstack-puppet-modules bugfix advisoryRHBA-2015:0936 - openstack-neutron bug fix advisoryRHBA-2015:0937 - openstack-keystone bug fix advisoryRHSA-2015:0938 - Moderate: openstack-glance security and bug fix update

These packages include rebases to 2014.2.3 for the Block Storage, Compute,Dashboard, Identity, Image, OpenStack Networking, Orchestration, Sahara, andTelemetry services. Additionally, mariadb-galera has been rebased to vers ion5.5.41.

6.0.4 Advisories:

RHBA-2015-1658 - openstack-cinder bug fix advisoryRHBA-2015-1659 - Red Hat Enterprise Linux OpenStack Platform Bug Fix andEnhancement AdvisoryRHBA-2015-1660 - openstack-nova bug fix advisoryRHBA-2015-1661 - openstack-heat bug fix advisoryRHBA-2015-1662 - Red Hat Enterprise Linux OpenStack Platform InstallerupdateRHSA-2015-1674 - Moderate: qemu-kvm-rhev security updateRHSA-2015-1675 - Low: libunwind security updateRHSA-2015-1676 - Moderate: redis security advisoryRHSA-2015-1677 - Moderate: python-keystoneclient and python-keystonemiddlware security updateRHSA-2015-1678 - Moderate: python-django security updateRHSA-2015-1679 - Moderate: python-django-horizon security and bug fixupdateRHSA-2015-1680 - Moderate: openstack-neutron security and bug fix updateRHSA-2015-1681 - Moderate: openstack-swift security update

These packages include rebases to a more recent vers ion of 2014.2.3 for theBlock Storage, Compute, Dashboard, Identity, Image, OpenStack Networking,Orchestration, Sahara, and Telemetry services. Additionally, mariadb-galerahas been rebased to vers ion 5.5.42.

Release

Advisories

T echnical Notes

4



openstack-ceilometer bug fix advisory





















Chapter 2. RHEA-2015:0148 — openstack-neutronenhancement advisory

The bugs contained in this chapter are addressed by advisory RHEA-2015:0148. Furtherinformation about this advisory is available at https://rhn.redhat.com/errata/RHEA-2015-0148.html.

2.1. openstack-neutron

BZ#1029871

This enhancement enables changes to a subnet's IP address allocation pool using the update command. Previously, administrators were unable to change the allocation pool range for a subnet. If shrinking the pool, consideration must be given to IP addresses that have already been allocated.

BZ#1042396

This enhancement adds high availability for OpenStack Networking (neutron) virtual routers. This was added due to the impact of virtual routers going down with a network node; instances would lose external connectivity.Virtual routers can now be created with the 'High availability' flag, if the administrator sets it as the default. As a result, routers will then be created on multiple network nodes, with a designated single active instance node. The active node forwards traffic while the standbys monitor the master. In the event of failure impacting the active node, one of the standby will take over as the new active node.

BZ#1042550

This update enables OpenStack Networking (neutron) to create a Provider Network that uses an upstream device with Router Advertisement multicasts.As a result, instances are able to use Stateless Address Autoconfiguration (SLAAC) to configure their IPv6 networking.

BZ#1044272

With this enhancement, Tenant networks can now be created that use the 'dnsmasq' process inside the DHCP agent to serve additional configuration to IPv6 DHCP clients, including support for IPv6 stateless subnets.

BZ#1046786

This enhancement allows the creation of Tenant networks that use the 'radvd' process within the L3 agent for Router Advertisement messages.

Chapter 2. RHEA-2015:0148 — openstack-neutron enhancement advisory

5


https://bugzilla.redhat.com/1029871





As a result, instances are able to use Stateless Address Autoconfiguration (SLAAC) or DHCPv6 to configure their IPv6 networking.

BZ#1085645

This enhancement enables ipset kernel groups to be used for matching IP addresses in iptables security groups. The previous implementation of security groups, which made intensive use of iptable rules, resulted in an exponential growth of iptable rules in some cases. Specifically, multiple IP addresses previously needed to be added to the security groups of each Compute node's network port.As a result of this enhancement, the size of iptables rules on Compute nodes are significantly reduced, resulting in a performance increase in accepting new connections.

BZ#1103404

With this enhancement, all tables are now included during the creation of the database schema. This behavior allows for easier plugin management.Consequently, all OpenStack Networking (neutron) tables are present in the database after upgrading to Red Hat Enterprise Linux OpenStack Platform 6.

BZ#1162698

Prior to this update, the DHCP server was not available from inside instances attached to IPv6 DHCP subnets.This update addresses this issue by creating a port in the DHCP agent namespace. As a result, the DHCP server is accessible from inside instances, and instances are able to receive DHCP information.

BZ#1169125

Previously, Router Advertisements sent by the OpenStack Networking (neutron) L3 agent had the 'Other (O)' flag unset for DHCP stateless subnets.Consequently, the DHCP client was not aware of additional configuration options available from the DHCP server, so would not attempt to request these.This update addresses this issue by setting the 'Other (O)' flag for Router Advertisements sent to DHCP stateless subnets.As a result, the DHCP client is notified about additional DHCP configuration options, and is able to request allocation.

BZ#1173987

In deployments using IPv6 networks with OpenStack Networking, IPv6 subnets do not have a gateway set. As a result, IPv6 networks do not work as expected.

T echnical Notes

6






BZ#1177612

Prior to this update, Keepalived removed virtual routes if the VIPs changed order and the VIP that was previously first changed its position. Consequently, as the router's default gateway is configured as a virtual route, the router's default route may vanish, breaking external connectivity for all instances.This behaviour was due to Keepalived's requirement that the first VIP in the keepalived configuration file remains first after sending a HUP signal to keepalived.This update addresses this issue by generating a fake address and using it as the first VIP.Consequently, the first VIP is a stable constant value and remains fixed in place, and the router's default route no longer vanishes as a result.

BZ#1177615

Prior to this update, all instances of a HA router (master and slave) had IPv6 link local addresses configured on each interface. As a result, IPv6 traffic was being generated once every two minutes and each MAC address was identical between different instances of a HA router.Consequently, the interface's MAC address was re-learned by the physical switches of the datacenter, thereby resultin in traffic being sent to the incorrect node.This update resolves this issue be removing IPv6 link local addresses from slave instances of HA routers. As a result, the IPv6 addresses only appear on the master instance, thereby ensuring that slaves never generate traffic, and that the MAC addresses appear only on the master node.

BZ#1177616

Prior to this update, when configuring a new floating IP on a HA router, the L3 agent observed the state on the system in order to decide if to write the new address to the keepalived.conf. If the address was not configured on the external device of the router, it was added to the configuration. Note that the agent never appends to the keepalived conf but overwrites it on every reconfiguration, this means that when restarting an agent and and waiting for it to sync with the controller, there are varying outcomes depending on the role of the instance:* On a master instance, none of the floating IPs will be written to the keepalived configuration file, as all of the pre-existing floating IPs are already configured on the system and thus will not be written to the new configuration file, in effect removing them. As a result, master instances will delete previously configured floating IPs whenever the L3 agent is restarted.* On a slave instance, floating IPs are never configured on the host, thus are always added to the configuration file. As a result, slave instances will have multiple copies of every floating IP in keepalived's configuration file. This has no actual effect.

Chapter 2. RHEA-2015:0148 — openstack-neutron enhancement advisory

7




This update addresses this issue by configuring the L3 agent to instead uses its in-memory cache of the keepalived configuration, rather than state observation. Since the configuration is in-memory, after the agent restarts, it's cache is empty, thus all floating IPs are added to the file. From that point on, a floating IP is configured if it's not present in the configuration.Consequently, floating IP addresses are configured properly on HA routers on both master and slave instances.

BZ#1177995

This enhancement allows SR-IOV virtual functions (VF) to passthrough to 'flat' project network types. This is due to PCI passthrough with SR-IOV not being VLAN-specific.As a result, OpenStack Networking project networks with the "flat" network type can now take advantage of SR-IOV networking support.

T echnical Notes

8


Chapter 3. RHEA-2015:0152 — openstack-novaenhancement advisory


3.1. openstack-nova

BZ#958057

When Compute is configured to only set up VNC/SPICE servers on a specific network interface, the host's IP address is recorded in the libvirt guest XML. Previously, if the guest was migrated to a different host, the IP address of the source host remained in the guest XML and the guest failed to launch on the target host because the IP address was incorrect.

With this update, the libvirt guest XML is now updated during migration to refer to the IP address of the target host. Migration can be performed for guests, even when the VNC/SPICE servers are configured to only bind to the IP address of a specific network interface.

BZ#974199

This feature exposes interactive web-based serial consoles to openstack VMs through a websocket proxy. Generally used as a debugging tool (for example, VMs can be accessed even if network configuration fails).

A new service (websocket proxy) is now available that handles websocket connections to the serial consoles of the VMs. The websocket proxy can be deployed on a machine other than from the hypervisor.

BZ#978500

The host argument for the 'nova evacuate' command has been made optional. This means that the user no longer has to know the host destination, simplifying evacuation in the case of an unplanned failure.

BZ#1041054

Compute now automatically attempts a controlled shutdown for stop, rescue, and delete instance actions. If the controlled shutdown fails, Compute falls back to a forced shutdown.

BZ#1041376

OpenStack Compute now supports associating SR-IOV PCI devices

Chapter 3. RHEA-2015:0152 — openstack-nova enhancement advisory

9







with networks and binding Neutron SR-IOV ports to them. PCI-Passthrough to SR-IOV virtual functions provide direct access to networking hardware specialized for virtualization with one physical device supporting multiple virtual machines. By supporting SR-IOV devices, virtual machines can now employ SR-IOV hardware for networking.

BZ#1090269

OpenStack Compute can now optionally provide a config drive to instances based on a property on the image in the OpenStack Image service. Previously, Compute configuration determined whether a config drive was used and what format to use for it. With this update, users can now indicate config drive requirements using image properties.

BZ#1097514

In previous releases, every virtual CPU was configured as a socket. Some guest operating systems have arbitrary limits on the number of sockets they support, but are not limited in the number of cores or threads. This prevented an instance's OS from taking full advantage of the virtual CPUs configured.

With this release, the Compute service can now control an instance's virtual CPU topology. This allows an administrator and/or tenant users to specify constraints for the number of threads, cores and sockets to use for a guest instance. The Compute service will use the constraint information to configure a suitable guest CPU topology. With this, a guest OS such as Windows can take full advantage of all virtual CPUs without encountering support limits.

BZ#1097987

Compute can now provide dedicated CPU resources, where each guest virtual CPU has full access to a specific host CPU.Previous releases of Compute guest CPUswere permitted to float across any host CPU. Even when the NUMA feature was enabled, the CPUs could still float within a NUMA node. Host CPUs would also overcommit so many virtual CPUs contended for the host resource. This made it impossible to provide strong performance guarantees to guest operating system workloads.With this update, the cloud administrator now has the ability to set up a host aggregate, which provides a pool of hosts that supports guests with dedicated CPU resource assignment. The cloud administrator or tenant user can make use of these pools to run instances with guaranteed CPU resource.

BZ#1097989

Previous Compute versions delegated all CPU placement to the operating system kernel. Although the kernel attempted to keep guest processes running on a single NUMA node, this was not enforced. This meant that guests could drift across NUMA nodes,

T echnical Notes

10





resulting in an inefficient usage of host resources and limiting guest performance.

With this update, Compute can now place guest instances on specific host NUMA nodes. The cloud administrator or tenant user can set preferences for the guest NUMA topology layout by enabling a scheduler filter that performs intelligent NUMA placement (affinity server group using hw:numa_policy=strict metadata). Compute takes into account the guest topology and then pins the guest instance to one or more host NUMA nodes, resulting in a more consistent guest performance and efficient use of host resources.

BZ#1104924

A single guest can now have multiple network interfaces attached to the same logical host network. Previous versions of OpenStack Compute had an artificial restriction that a single guest cannot have multiple network interfaces connected to the same host network. There are, however, some valid use cases where this is required and thus Compute could not satisfy those use cases. With this update, the tenant user can now set up guest network interfaces without any restrictions imposed by Compute.

BZ#1127405

When using nova-network with multiple networks, it is now possible to set the MTU, enable or disable DHCP, set the DHCP server, and indicate whether the network shares addresses with other networks. Previously, it was not possible to set these parameters on a per-network basis, making it more difficult to use nova-network with multiple networks. With this update, administrators now have more flexibility with settings when using multiple networks with nova-network.

BZ#1157742

Previously, if you created a server group with an anti-affinity policy, the policy was honored only during the initial boot, and not for a later VM migration (cold, live, or evacuate). Because the request information is not persisted, migrations did not honor anti-affinity policies, which could lead to inconsistencies (for example, a non-affinity policy for a group with VM1 and VM2 could lead to both VMs being placed on the same host if VM2 was migrated).

With this update, migrations now respect affinity policies. The server group and group policy of the VM to be migrated is now identified and checked before migration.

BZ#1160405

RBD snapshots and cloning are now used for Ceph-based ephemeral disk snapshots. With this update, data is manipulated within the Ceph server, rather than transferred across nodes, resulting in

Chapter 3. RHEA-2015:0152 — openstack-nova enhancement advisory

11





better snapshotting performance for Ceph.

BZ#1180607

RBD snapshots and cloning are now used for Ceph-based ephemeral disk snapshots. With this update, data is manipulated within the Ceph server, rather than transferred across nodes, resulting in better snapshotting performance for Ceph.

T echnical Notes

12


Chapter 4. RHEA-2015:0154 — python-django-horizonenhancement advisory


4.1. python-django-horizon

BZ#891062

An admin user can now specify the Provider network type (the physical mechanism by which the virtual network is implemented), when creating a new network. Previously, the dashboard (horizon) defaulted to the 'Local' provider network type, and it was not possible to select another type. The types 'Flat', 'VLAN', 'GRE', and 'VXLAN', and 'Local' can now be selected in the new 'Provider Network Type' drop-down field. Depending on the type, a segmentation ID, tunnel ID, or physical network name must be additionally specified.

BZ#1041966

Role-based access control (RBAC) checks are now supported for actions that interact with the Compute service (nova); rules are defined in the /etc/openstack-dashboard/nova_policy.json configuration file. RBAC checks allow an administrator to finely tune a user's access. For example, an administrator might allow end users to view the complete flavor listing.

BZ#1041967

Role-based access control (RBAC) checks are now supported for actions calling the network service; rules are defined in the /etc/openstack-dashboard/neutron_policy.json configuration file. RBAC checks allow an administrator to finely tune a user's access. For example, an administrator might prevent end users from creating a subnet or changing a firewall policy.

BZ#1041971

An admin user can now evacuate a compute host using the dashboard. Two tabs now provide information for hypervisors: 'Hypervisor' and 'Compute Host' (Admin > Hypervisors). If a host is down, an 'Evacuate Host' action is now visible for it on the Compute Host tab (providing a modal window to perform the evacuation).

BZ#1041986

Support has been added for Block Storage volume backups in the dashboard. Users can now create, view, delete, and restore volume

Chapter 4. RHEA-2015:0154 — python-django-horizon enhancement advisory

13







backups. Note: This functionality is not displayed by default. To display volume-backup action items, update the /etc/openstack-dashboard/local_settings file with:OPENSTACK_CINDER_FEATURES = { 'enable_backup': True,}After updating the file, restart the httpd service with 'systemctl restart httpd'.

BZ#1041991

There was a need to enable/disable Neutron related features based on the extension list from Neutron and remove Neutron related settings in local_settings.py.

-Neutron features like LBaaS, FWaaS or VPNaaS are provided asextensions in Neutron. These features are now enabledonly when they are included in the extension list from Neutron.

Also, changed the default settings of enable_lb/firewall/vpn to True. The default of these settings were set to False to avoid confusion to users because LB/FW/VPNaaS are optional features in Neutron. With this change, the corresponding features in Horizon are enabled dynamically, so it was reasonable to change the default to True.

BZ#1042023

An additional 'Action Log' tab is now available for specific instances (Project > Compute > Instances > <instance>. The tab lists all actions which have been carried out on that specific instance. For example, a tenant user can now use the 'Action Log' tab to see who created or shut down an instance.

BZ#1042028

With this feature, there is now a widget for managing Glance metadata dictionary. The admin user is now able to edit properties of images directly under admin/images/edit.

BZ#1042070

When using OpenStack Networking (neutron) with the dhcp_agent_scheduler extension, it is now possible to add and remove DHCP agents from networks using the dashboard. This makes it easier to manage the high availability of DHCP agents for OpenStack Networking.When logged in as admin and navigating to the Admin Networks panel, a new DHCP Agents column with the number of agents associated with each network is now visible. Clicking on a network name displays the network's details together with a new 'DHCP Agents' table where the admin can add and delete agents.

T echnical Notes

14





BZ#1042113

Need for an interface to allow the user to assign domain role to users.

-The Identity Dashboard has been extended to support managing roles and users in different domains.

BZ#1046790

Extra Specs support for volume types has been added to the dashboard. An admin can now add additional keys and values to volume types (GUI implementation of the 'cinder type-key' command). To view extra specs, select Admin> Volumes > Volume Types, and click the type's 'View Extra Specs' action.

BZ#1053088

OpenStack Networking (neutron) has introduced new attributes for IPv6 networks: 'Router Advertisement' and 'Address Assignment', which enables IPv6 subnets to be configured with more granularity. If OpenStack Networking is in use and an IPv6 subnet is being created, the dashboard now offers the following options in the 'IPv6 Address Configuration Mode' drop-down field: "SLAAC", "DHCPv6 stateful", "DHCPv6 stateless provided by OpenStack." Providing no option means that addresses are configured manually or by a non-OpenStack system.

BZ#1056389

The ability for an administrator to manage image metadata (custom properties) has been added to the dashboard. The admin user can now add, update, or delete image metadata (implements the 'glance image-update <imageID> --property <key>=<value>' command). To view or update an image's metadata, select Admin > System > Images, and click the image's 'Update Metadata' action.

BZ#1057828

Role-based access control (RBAC) checks are now supported for actions that interact with the Orchestration service (heat); rules are defined in the /etc/openstack-dashboard/heat_policy.json configuration file. RBAC checks allow an administrator to finely tune a user's access. For example, an administrator might prevent end users from changing a stack template.

BZ#1058578

Add support for Datastores to Trove dashboard.

Basic support for Trove has been added to Horizon.


15







-Added Datastore type/version drop down in Launch Instance-Added Datastore type/version in Instance List and Instance Details

BZ#1059472

JavaScript libraries have been separated out from the dashboard (horizon) source code into separate, external packages. This improves the maintanbility of the source code.

BZ#1062037

With this feature, there is now a separate Identity dashboard.

BZ#1076307

The user can now sort tables by timestamp in the dashboard (a timestamp parser has been added). For example, in the Project > Compute > Overview window, the user can now sort instances by 'Time since created'.

BZ#1076309

Table filtering has been updated in the dashboard to use API query attributes. A drop-down box and an input field for filtering have been added to tables for admin instances, admin images, and project instances. For example, the admin instances table might be filtered for 'Status=Active'.

BZ#1080743

Code for the Sahara dashboard has been merged into the dashboard (horizon) code. If Sahara is correctly installed (openstack-sahara) and configured, no further dashboard configuration is necessary to display the 'Data Processing' tab for each region (Project > Data Processing).

BZ#1095055

A 'Metadata' column has been added to the Flavors table (Admin > System > Flavors) that displays whether extra specs have been specified for a flavor ('Yes' or 'No'). The user can now click on either the column value or the 'Update Metadata' action to view or update defined metadata.

BZ#1097517

Need for a feature to enable resetting the state of a volume exposed in the administrator dashboard.

This functionality is currently available only through the CLI command:# cinder reset-state --state available <volume-id>

T echnical Notes

16








-Exposed the functionality of the 'cinder reset-state' command in the UI. As is the case with the 'cinder reset-state' command, this change permits an operator to select any valid status, regardless of the current status of the volume.

BZ#1097997

With this feature, administrators can now reset the state of a snapshot.

BZ#1101371

With this feature, basic support for Trove was added to Horizon. Management of incremental backups is now supported.

BZ#1103560

You can now perform a 'cinder retype' through the dashboard. This allows you to migrate volumes or to change any volumes setting (that are set from the volume's type) through the web interface.

BZ#1107491

Functionality for Cinder Quality of Service (QoS) extra specs management such as maximum IO/seconds (maxIOPS) is now available in the administrator dashboard.

Currently qos specs must be managed via the cinder CLI commands:- cinder-qos-create- cinder-qos-delete- cinder-qos-key- cinder-qos-list- cinder-qos-show

And their associations to volume types are handled with the cinder CLI commands:- cinder-qos-associate- cinder-qos-get-association- cinder-qos-disassociate- cinder-qos-disassociate-all

BZ#1107925

Cinder CLI has a upload-to-image function that supports uploading a volume into glance as an image - this functionality needs to be made available in Horizon.

-It is now possible to use a glance image as source to create a cinder volume in Horizon.

BZ#1108436


17







This enhancement adds MAC address learning management to the Dashboard (horizon). Users are able to view and toggle the MAC address learning state of a port, in environments where this feature is supported.

BZ#1109409

The description for the 'Create Volume Type' dialogue has been enhanced to make it clear that creating a type is equivalent to the 'cinder type-create' command. After the volume type is created, the user can then further define the type by adding extra specs.

BZ#1109420

In Horizon, there’s a feature need to automatically populate the "Format" field in the Create Image modal after the user has filled out the Image Source/Image File fields.

-Auto populate the image format field based on the file extension.

BZ#1117613

Support for Neutron DVR (Distributed Virtual Router) has been implemented in Horizon.

Neutron DVR includes new changes to neutron CLI specifically in areas of router-creation, router-scheduling, show commands etc., while adding in admin functionality for distributed virtual router (DVR) functionality to Horizon.

BZ#1118943

Need to be able to disable console access when not accessible from outside a cloud-provider's infrastructure.

-A config option added to /etc/openstack_dashboard/local_settings: CONSOLE_TYPE.Valid options are "AUTO", "VNC", "SPICE", "RDP" or None. When it's set to None, console access is disabled.

BZ#1124133

Add support for Spark jobs in Sahara data processing UI.

Support for Spark EDP jobs in the data processing dashboard has been added. The changes are:-Added Spark as a job type when creating jobs-Added some help text for Spark job creation-Hide appropriate configuration fields when launching a Spark job-Made job type drop down translatable

T echnical Notes

18






BZ#1125093

There was a need to add the ability for admins to create/update/delete custom properties and metadata for Images. This is useful for admins and users to meaningfully describe images by sharing key-value pairs and tag metadata.

A new "Update metadata" option is now visible in the Admin Images panel that enables you to custom properties and metadada for Images.

BZ#1128398

Need for a feature wherein operators can disable L3 Router features by configuration options.

-New config option 'enable_router' to OPENSTACK_NEUTRON_NETWORK. The default is True as router feature is enabled in most deployments and it is the current default behavior of Horizon. If this option is False, Router panel disappears.

-Network Topology panel shows routers in the topology map and also has "Create Router" button. If "enable_router" is set to False, routers in the topology map are not displayed, and "Create Router" button is not shown.

-'enable_floatingip' option to OPENSTACK_NEUTRON_NETWORK.Similar to the floating IP feature in Neutron provided by L3 router extension. If this option is set to False, "Floating IP" tab and "Associate/Disassociate Floating IP" menu in the instance table are not shown.

BZ#1141366

In previous versions, the dashboard displayed a column with the header titled "Instance uptime", which implied that it listed the uptime of an instance (Project > Compute > Overview or Admin > System Instances). This title was not correct because Compute (nova) simply returns a timestamp for when an instance is created. The column header has been named to "Time since created".

BZ#1170348

Rebase python-django-horizon to 2014.2.1.

Highlights, important fixes, or notable enhancements: - Overview page: OverflowError when cinder limits are negative- Cinder API v2 support instance view- Alternate navigation broken- Default `target={}` value leaks into subsequent `policy.check()` calls


19





Chapter 5. RHBA-2015:0157 — Red Hat EnterpriseLinux Openstack Platform 6.0 Bug Fix Advisory

The bugs contained in this chapter are addressed by advisory RHBA-2015:0157. Furtherinformation about this advisory is available at https://rhn.redhat.com/errata/RHBA-2015-0157.html.

5.1. ceph

BZ#1181770

Previously, certain cleanup activities in librbd1 resulted in 'nova-compute' crashing with a segmentation fault, in specific cases where a Ceph RBD backend was in use.This fix ensures the context is correctly cleaned up before returning. As a result, 'nova-compute' operates correctly with Ceph RBD backends.

5.2. openstack-cinder

BZ#1184455

At present, an unversioned requirement to 'python-taskflow', and missing requirements to 'libcgroup-tools', 'python-keystonemiddleware', and 'openstack-cinder' means that upgrade activities may not function as expected. As a current workaround, you can install both 'openstack-cinder' and its missing requirements by using the following command:'yum install -y libcgroup-tools python-keystonemiddleware python-taskflow openstack-cinder'

5.3. openstack-nova

BZ#1171108

Previously, using an unlimited quota value (-1) resulted in the inability to start an instance, with a subsequent "HTTP 500 - IndexError: list index out of range" error being raised.This fix enables the ability to set an unlimited quota value in 'nova.conf', with the result that instances can now be started using this configuration.

BZ#1177298

Previously, using a multibyte character in a flavor name would result in a Python unicode exception.This update addresses this issue by adding a unicode type string test to ensure expected behavior from multibyte character names.

BZ#1181571

T echnical Notes

20







Previously, when reverting an instance resize operation, Compute (nova) would fail to consider the backing volume as shared between the original and new instance.Consequently, the resized volume would be deleted during the operation; since RBD volumes are shared, this meant the original volume was also removed, preventing the instance from booting.With this fix, when the instance volume is of type RBD, Compute now considers it to be shared and does not delete the volume during revert/resize operations.As a result, revert/resize operations succeed as expected.

BZ#1181673

Prior to this update, a number of unit tests were broken as a result of backport activity. Consequently, not all unit tests were able to complete without errors.This update addresses this issue by using an object flavor instead of a dict in 'test_driver.py'. As a result, all unit tests now pass as expected.

5.4. openstack-puppet-modules

BZ#1158942

There is currently no supported user-facing (dashboard or CLI ) mechanism for consuming the websocket URL exposed by the serial console support.A utility is available to test this feature at https://github.com/larsks/novaconsole, however there should not be an expectation that the virtual serial console will function by default, as configuration steps are required.

BZ#1181307

The python-pbr package required by Red Hat Enterprise Linux OpenStack Platform puppet modules is not present in Red Hat Enterprise Linux OpenStack Platform 6. Installation using PackStack will fail if Ironic (a Technology Preview package) is enabled. Manual installation is required for Ironic at the moment.

5.5. openstack-selinux

BZ#1186628

Previously, versions of the SELinux policies prior to 'selinux-policy-3.12.1-153.el7_0.13' were missing specific policies for the Image Service (glance) API service.As a result, attempting to install multi-node clouds with SELinux in 'enforcing' mode would result in failure during installation and configuration of the Image Service API service.

Chapter 5. RHBA-2015:0157 — Red Hat Enterprise Linux Openstack Platform 6.0 Bug Fix Advisory

21





This update addresses this issue with the openstack-selinux package now requiring 'selinux-policy-3.12.1-153.el7_0.13'.Consequently, the correct policies are in place to allow a complete installation with SELinux set to 'enforcing'.

T echnical Notes

22

Chapter 6. RHBA-2015:0640 — Red Hat EnterpriseLinux OpenStack Platform Bug Fix and EnhancementAdvisory


6.1. diskimage-builder

BZ#1182642

When an overcloud node boots up, it runs os-collect-config as a part of registration. The os-collect-config script saves data from the Orchestration (heat) metadata API locally and then calls os-refresh-config any time that metadata has changed. Subsequent calls to the registration script call subscription-manager again and it returns a non-zero exit code. With the return of a non-zero exit code, the script fails, the stack results in a timeout, and multiple registrations can occur.

There is no current workaround.

BZ#1183104

Previous to the Satellite 6 release, the katello-agent and its dependencies needed the rhel-7-server-rh-common-beta-rpms repository to be enabled. Since the Satellite 6 release, necessary packages have been moved to the rhel-7-server-rh-common-rpms repository. However, upstream code still references the rhel-7-server-rh-common-beta-rpms repository which no longer have the latest packages, causing Satellite instances to fail.

6.2. instack-undercloud

BZ#1183099

An iptables setting in the undercloud causes overcloud nodes to fail to register since the nodes have no external access. As a workaround, run the following command on the undercloud image:iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

6.3. libguestfs

BZ#1186070

This enhancement includes a feature, virt-v2v, which allows users the ability to convert images from a variety of hypervisors to run on OpenStack cloud.

Chapter 6. RHBA-2015:0640 — Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory

23






6.4. mariadb-galera

BZ#1179360

Previously, mariadb-galera would generate an SSL certificate with the parameter CN set to "$(hostname) mariadb-galera cluster". Creating this SSL certificate would fail if the hostname was long enough such that the resulting string was greater than 64 characters.

With this update, the certificate is generated with only the hostname to avoid using a CN value that is too long.


BZ#1185444

This update introduces the rabbitmq-cluster resource agent for managing clustered RabbitMQ instances with the Pacemaker cluster manager.

T echnical Notes

24



Chapter 7. RHSA-2015:0789 — Important: openstack-packstack and openstack-puppet-modules security andbug fix update

The bugs contained in this chapter are addressed by advisory RHSA-2015:0789. Furtherinformation about this advisory is available at https://rhn.redhat.com/errata/RHSA-2015-0789.html.

7.1. openstack-packstack

BZ#1117277

With this enhancement, if OpenStack Networking is enabled, Packstack will display a warning if the Network Manager service is active on hosts.

BZ#1123117

With this update, a new feature has been added that enables to install OpenStack Identity service to run via Apache httpd processes. A new parameter 'CONFIG_KEYSTONE_SERVICE_NAME' has been added. Value 'httpd' will switch on Apache support while value 'keystone' allows Identity service run in it's own process as was implemented in the previous versions.

BZ#1195258

When using Packstack in a multi-node configuration, VXLAN ports (4789) on the firewall were not open for the other nodes. As a result, openvswitch did not function properly.

With this update, this issue has been addressed by opening the port 4789 on all compute and network nodes.

BZ#1199047

A typo in the code caused Sahara option that uses OpenStack Networking to be always false.

With this update, the error has been addresses. As a result, Sahara now uses OpenStack Networking if the parameter 'CONFIG_NEUTRON_INSTALL is set to 'y'.

BZ#1199072

Packstack set Ironic password to value "PW_PLACEHOLDER" instead of real generated or user provided default password. This was fixed by ensuring packstack has USE_DEFAULT set to false at password option. Now packstack should configure ironic with the predefined password.


25







BZ#1199076

An error in the Packstack code was responsible for setting the glance_image provider region value to RegionOne ignoring any region setting updated by the user.

With this update, Packstack now allows the user to set a custom region name for the glance_image provider parameter.

BZ#1199114

Prior to this update, users had to install the OpenStack Unified Client separately after completing an installation of Packstack. As the requirement for the OpenStack Unified Client is quite common, Packstack now installs it by default.

BZ#1199562

This enhancement allows the passing of additional command-line options when creating an answer file. Previously, '--gen-answer-file' did not allow the specification of additional options. Instead, manual file editing was required to change any default options.With this update, it is now possible to combine '--gen-answer-file' with additional options, which are then included in the subsequently generated answer file.

BZ#1199565

This enhancement updates Packstack to retain temporary directories when running an installation in debug mode. This assists with troubleshooting activities, as retaining the temporary directories allows easier failure debugging.As a result, temporary directories are not deleted when running Packstack with the --debug command line option.

BZ#1199589

Prior to this update, some validators did not use 'validate_not_empty' to ensure that certain parameters contained values.As a result, a number of internal validations could not be properly handled, leading to the possibility of unexpected errors.This update fixes validators to use validate_not_empty when required, resulting in correct validation behavior from validators.


BZ#1195252

A quiet dependency on a newer version of selinux-policy causes

T echnical Notes

26







openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z. This causes Identity and other OpenStack services to receive 'AVC' denials under some circumstances, causing them to malfunction.

The following workarounds allow the OpenStack services to function correctly:

1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve the issue.

2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later), then update openstack-selinux to version 0.6.23-1.el7ost.

7.3. vulnerability

BZ#1201875

It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root.


27


Chapter 8. RHSA-2015:0790 — Important: openstack-nova security, bug fix, and enhancement update

The bugs contained in this chapter are addressed by advisory RHSA-2015:0790. Furtherinformation about this advisory is available at https://rhn.redhat.com/errata/RHSA-2015-0790.html.

8.1. openstack-nova

BZ#1017288

libvirt did not previously support snapshot merge or delete operations using libgfapi. This meant that the user could not delete snapshots of a Red Hat Storage (glusterfs) Block Storage volume attached to an instance when using libgfapi.

With this update, libvirt and the Compute service now correctly handle Block Storage volume snapshots with libgfapi enabled, and these snapshots can now be deleted.

BZ#1100535

OpenStack Bare Metal Provisioning (ironic) is now included in this release as a Technology Preview. This service provisions bare-metal machines using common technologies (such as PXE boot and IPMI) to cover a wide range of hardware, while supporting pluggable drivers to allow the addition of vendor-specific functionality.

BZ#1104926

Support has been added for intelligent NUMA node placement for guests that have been assigned a host PCI device. PCI I/O devices, such as Network Interface Cards (NICs), can be more closely associated with one processor than another. This is important because there are different memory performance and latency characteristics when accessing memory directly attached to one processor than when accessing memory directly attached to another processor in the same server. With this update, Openstack guest placement can be optimized by ensuring that a guest bound to a PCI device is scheduled to run on a NUMA node that is associated with the guest's pCPU and memory allocation. For example, if a guest's resource requirements fit in a single NUMA node, all guest resources will now be associated with the same NUMA node.

BZ#1165961

An invalid template was previously supplied for network interface injection (flat_injected=true in /etc/nova/nova.conf), which meant that the network configuration of instance was incorrect. With this fix, a valid Jinja2 network interface configuration

T echnical Notes

28






template is now provided, and the networking of instances is correctly configured.

BZ#1171454

Previously, you could not launch an instance with multiple interfaces attached to the same network by using --nic net-id=<id>; the instance would fail to boot. With this update, Compute now checks for duplicate networks at the Compute API layer, and an instance boot using a specific network ID with multiple vNICs can succeed.

BZ#1175348

Previously, the Compute service did not follow live migration status. As a result, if something wrong happened, the instance status did not report the error and this could result in two "same" instances running in the cloud (across the source and target servers). With this update, a new object has been introduced to follow each step until a live migration succeeds or fails. This means that when a migration now fails, the error is reported on the instance's status if necessary, and a rollback is then done to avoid two "same" instances running in the cloud.

BZ#1190719

Previously, emulator threads (for vCPUs) floated on the union of the set of all NUMA CPUs, even if the CPUs were dedicated, which meant that an emulator thread could consume CPU time from another guest instance. With this fix, emulator threads now only use the union of dedicated host CPUs, and that CPU's time, on which guest vCPUs are running.

BZ#1191174

Previously, if multipathing was enabled for the Compute service in /etc/nova/nova.conf and CHAP authentication was enabled in an IBM Storwize backend, attaching an Block Storage volume to an instance failed on boot ("Login I/O error, failed to receive a PDU\niscsiadm"). That is, if the Block Storage server was configured to protect the target-discovering phase using CHAP authentication, the discovery command failed (because authentication failed).

With this update, the Block Storage driver now sends authentication properties (discovery_auth_method, discovery_auth_username, discovery_auth_password) to CHAP, the discovery command succeeds, and volume attachment succeeds.

BZ#1193737

Previously, when the primary path to a Cinder iSCSI volume was down, a volume could not be attached to the instance, even if the Compute and Block Storage backend driver's multipath feature was

Chapter 8. RHSA-2015:0790 — Important: openstack-nova security, bug f ix, and enhancement update

29






enabled. This meant that users of the cloud system could fail to attach a volume (or boot a server booted from a volume). With this fix, the host can now have a separate configuration option if the block traffic is on a separate network; the volume is then attached using the secondary path.

BZ#1194073

A previous overly restrictive ban on live migration of vfat config drives, and the incorrect handling of config drives with RBD storage, meant that the live migration of instances with config drives was not supported.

With this update, vfat config drives can now be live migrated, and config drive persistence is handled appropriately with RBD storage. This means that live migration is now possible when using vfat config drives with storage either local to the compute node or remote with RBD storage. (To use vfat config drives, set config_drive_format in /etc/nova/nova.conf to 'vfat'.)

BZ#1198429

The previous value of the Compute auth_version parameter in /usr/share/nova/nova-dist.conf of 'v2.0' forced Identity's auth_token middleware to use v2 authentication, which in turn prevented multi-domain Identity service deployments. With this update, the auth_version parameter now has a new default value of 'v3.0'; middleware authentication can now validate tokens outside of the default domain.

8.2. vulnerability

BZ#1190112

It was discovered that the OpenStack Compute (nova) console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.

T echnical Notes

30




Chapter 9. RHBA-2015:0931 — openstack-nova bug fixadvisory


9.1. openstack-nova

BZ#1154737

The Compute service's pci_passthrough_whitelist configuration option (/etc/nova/nova.conf) is not compatible between the icehouse and juno releases. This resulted in an error being raised when a user migrated from icehouse to juno without updating the pci_passthrough_whitelist configuration. With this update, pci_passthrough_whitelist can now handle both icehouse and juno versions, and no migration errors are raised.

BZ#1163415

The specification file for openstack-nova previously set permissions for the /var/log/nova directory to 0755, which was world-readable. To maintain consistency, this is now set to 0750.

BZ#1170242

Previously, the availability-zone (AZ) information for an instance could be inconsistent when calling 'nova list' if the default zone had been replaced by another one. This meant that when calling 'nova show <inst_uuid>', the AZ information could switch intermittently between the default AZ and the host AZ. With this update, the AZ cache information is invalidated if the instance AZ is different from the cached AZ. As a result, the output for 'nova show <uuid>' is now consistent for AZ information.

BZ#1183510

When deploying too many instances at the same time, a race condition could be declared in the code and the network cache of some instance could be corrupted. This resulted in invalid network information for some instances. With this update, a lock is now added when refreshing the network cache of instances. As a result, the network caching of instances is no longer invalid.

BZ#1195067

The v4-fixed-ip option to the 'nova boot' command previously resulted in an instance booting to the ERROR state. This was caused by the IP address being represented as an IPAddress object

Chapter 9. RHBA-2015:0931 — openstack-nova bug f ix advisory

31







instead of a string. With this update, the IP address is now represented as a string to allow instances to boot with the v4-fixed-ip option.

BZ#1204867

The Compute service previously incorrectly treated Block Storage volumes as local storage during live migration. As a result, live migration would fail with an error stating that shared storage was required. Compute's live migration now correctly treats Block Storage volumes as non-local storage, which does not require shared storage; the live migration of volume-backed instances no longer fails.

BZ#1205808

Previously, the Compute service used incorrect size checks against the QCOW2 virtual size, which meant that the root-disk size for a flavor was not honored. With this fix, size checks have been reinstated, and instances are again restricted to the root-disk size of a flavor.

BZ#1206238

Due to an improper initialization order on service start-up, data about available PCI devices would get corrupted in the event of a openstack-nova-compute service restart, and the service would fail to start. This update ensures that all data about the compute node on which the nova-compute service is running is loaded before attempting to initialize data structures related to PCI devices on the node. The openstack-nova-compute service can now start and PCI device tracking remains consistent across service restarts.

BZ#1210455

The Compute service has been rebased to version: 2014.2.3

Live-migration bug fixes include:

* Re-open the function of live-migration with config drive of vfat format to admin users. The option 'config_drive_format=vfat' is required explicitly in nova.conf to allow such live-migration. Live-migration with config drive on local disk is forbidden due to the bug of libvirt of copying readonly disk. However, if you use vfat as the config drive's format, live-migration works well. https://bugs.launchpad.net/nova/+bug/1246201

* Fix live migration for volume backed instances. https://bugs.launchpad.net/nova/+bug/1392773

* Fix live migration when using block devices on shared storage (for example, NFS); make sure volumes are well detected during block migration. https://bugs.launchpad.net/nova/+bug/1356552

T echnical Notes

32





* [Hyper-V] Fix live migration for ISO config drives. If an instance has a ISO configdrive attached, the ISO file is also moved during live migration. https://bugs.launchpad.net/nova/+bug/1322096

* [Hyper-V] Fix retrieving console logs on live migration, log files were not copied properly. https://bugs.launchpad.net/nova/+bug/1399127

* Fix live migration RPC compatibility with older versions when upgrading from RHEL-OSP 5 to RHEL-OSP 6. https://bugs.launchpad.net/nova/+bug/1402813

Important bug fixes include:

* Add requirement on device-mapper-multipath - rhbz#1212558

* Allow disabling the evacuate cleanup mechanism in compute manager - rhbz#1190706

* Fix when nova-compute fails to start when guest uses passthrough - rhbz#1206238

* Fix race condition with the network cache - rhbz#1183510

* Fix inconsistent info of availability zone - rhbz#1170242

* Fix nova 'vendor' definition, impacting subscription management - rhbz#1212509

* Clean instance's directory when block migration fails - rhbz#1196364

* Fix instance root-disk size restriction with QCOW2 images - rhbz#1205808

* Fix upgrade from RHEL-OSP 5 to RHEL-OSP 6 of nova networks to handle correctly partial upgrade. https://bugs.launchpad.net/nova/+bug/1438920

* Fix nova object versioning for RHEL-OSP 6 with computes still running on RHEL-OSP 5. https://bugs.launchpad.net/nova/+bug/1408496

* [cells] Fix creating of block device mappings in the API cell, stop creating duplicates. https://bugs.launchpad.net/nova/+bug/1417239

* [numa] Correctly handle archictures having cells without memory or CPUs defined (fix the default value of config memory to 0). https://bugs.launchpad.net/nova/+bug/1418187 https://bugs.launchpad.net/nova/+bug/1385246

* Fix deletion of instances that have failed due to OpenStack Networking/Compute notification problems. https://bugs.launchpad.net/nova/+bug/1423952


33

* [VMware] Fix many operations when multiple compute nodes are running with different configurations (Example: each compute node is mapped to a different cluster.) https://bugs.launchpad.net/nova/+bug/1345460

* Handle correctly errors while unshelving an instance, instead of leaving the instance in an inconsistent state. https://bugs.launchpad.net/nova/+bug/1367186

* Fix handling of network interface binding failure when initializing an instance at startup. https://bugs.launchpad.net/nova/+bug/1324041

* Fix the creation of an instance with an fixed IP address. https://bugs.launchpad.net/nova/+bug/1408529

* [Hyper-V] Fix Hyper-V configdrive network injection issue fix static IP configuration. https://bugs.launchpad.net/nova/+bug/1400069

* [EC2] Make code compatible with the EC2 authentication version 4. https://bugs.launchpad.net/nova/+bug/1410622

* Fix booting an instance instance with the same network identifier for multiple NICs. https://bugs.launchpad.net/nova/+bug/1400037

* Allow non-admin tenants to attach instances to external networks from OpenStack Networking if the networks are also marked as shared. https://bugs.launchpad.net/nova/+bug/1413837

* Support macvtap for vif_type being "hw_veb". https://bugs.launchpad.net/nova/+bug/1370348

BZ#1212509

Previously, Compute's /etc/release file incorrectly listed the vendor as "Fedora Project" and the product as "OpenStack Nova", which then propagated into the SMBIOS for VMs. This meant that Satellite did not correctly recognize launched VMs, which meant that entitlements did not work correctly.

With this update, Compute's release information has been corrected to specify "Red Hat" and "OpenStack Compute", respectively. Satellite now correctly recognizes OpenStack VMs, and therefore entitlements now work as well.

BZ#1212558

openstack-nova did not previously require device-mapper-multipath even though the Compute service assumed the multipath binary was present on the system (leading to installations requiring troubleshooting). This update adds an explicit dependency on device-mapper-multipath to openstack-nova.

T echnical Notes

34



9.2. python-novaclient

BZ#1101293

Previously, only public flavours were considered when looking up a flavour based on name. It was therefore not possible to boot an image using a private flavour's name, even if it was accessible to the tenant user. The user had to boot the image using the flavour ID instead of its name.

With this update, the flavour name lookup has been changed to consider all accessible flavours, not just public ones. The name of any flavour to which the tenant user has permission to access can now be used when booting an instance.


35


Chapter 10. RHBA-2015:0939 — Red Hat EnterpriseLinux OpenStack Platform Installer update


10.1. foreman-installer

BZ#1209613

Parameters that were not passed correctly caused the installation of the RHEL-OSP installer to fail in some cases. This fix correctly wraps the parameters and the installation now succeeds.

10.2. openstack-foreman-installer

BZ#1149563

This enhancement adds support for keyboard layout configuration in the installer. Non-English keyboard layouts previously needed manual configuration of Nova configuration to allow native keyboard support in the VNC console. This update exposes a parameter to allow different keyboard language configurations for Compute nodes.

BZ#1180597

The default setting in pacemaker::keystone left Ceilometer configuration off. This resulted in no Ceiloemeter endpoint or user and caused the Ceilometer service to not function. This fix changes the default to enable keystone configuration for Ceilometer, which matches the default of configuring the Ceilometer service itself. This results in a correct default Ceilometer configuration.

BZ#1193448

Compute nodes require access to Admin and Public networks, which forced the user to either set up L3 access between Compute and Controller nodes, or add both Admin and Public networks to the Compute nodes. This fix enables configuration of private network communication between compute and control nodes, which means Compute nodes no longer require direct access to Public and Admin networks.

BZ#1197860

An ordering issue occasionally caused the /etc/nova/secret.xml file to not configure correctly on the first puppet run. As a result, the libvirt secret file failed to create because it

T echnical Notes

36







relies on this file. This fix enforces ordering so the required package is installed before writing the /etc/nova/secret.xml file. The error no longer occurs.

BZ#1207234

Stanzas for multiple NetApp Cinder back ends were incorrectly written to configuration files. This caused OpenStack to only use the first configured back end. This fix applies the correct logic to build configuration file correctly. Now multiple NetApp back ends work as expected.

BZ#1209099

The l2_population parameter was not set to True on control nodes in the ovs_neutron_plugin.ini file, which caused l2 networking to fail when enabled. This fix sets this value to True when l2 networking is enabled, which causes l2 configuration to complete successfully.

10.3. rhel-osp-installer

BZ#1208109

The default firewall for deployed hosts was not configured. This meant new rules would be added for each service but the chain contained no default REJECT rule at the end. This fix configures the firewall with the normal defaults including a REJECT rule at the end of the firewall chain.

BZ#1211634

Incompatibilities between l2pop and l3_ha drivers caused errors with networking when both were enabled. This fix sets the default to l3_ha as enabled and l2pop as disabled. In addition, this fix adds a warning to the user that l3_ha disables when l2pop is enabled.

10.4. rubygem-staypuft

BZ#1212937

The installer seeds file overrode the Ceilometer keystone Puppet parameter, which caused the creation of Ceilometer endpoint and Keystone configuration to fail. This fix stops the parameter from overrides and results in successful creation of endpoints and Keystone configuration for Ceilometer.

Chapter 10. RHBA-2015:0939 — Red Hat Enterprise Linux OpenStack Platform Installer update

37






Appendix A. Revision History

Revision 6.0.4-1 Mon Aug 24 2015 Andrew DahmsUpdated overview to include 6.0.4 advisories.

Revision 6.0.3-0 Tue May 5 2015 Summer LongUpdated overview to include 6.0.3 chapters and advisories; two errata chapters added.

Revision 6.0.2-1 Thu Apr 16 2015 Summer LongRHBA-2015-0633 and RHBA-2015-0639 6.0.1 chapters removed (now links).

Revision 6.0.2-0 Tue Apr 7 2015 Summer LongUpdated overview to include 6.0.2 chapters and advisories; two errata chapters added.

Revision 6.0.1-1 Thu Mar 5 2015 Summer LongUpdated overview to include 6.0.1 chapters and advisories; three errata chapter added.

Revision 6.0.0-2 Mon Feb 9 2015 Summer LongRelease for Red Hat Enterprise Linux OpenStack Platform 6.

T echnical Notes

38

technical notes openstack platform 6 red hat enterprise

Documents