- Issued: 2017-06-19
- Updated: 2017-06-19
RHBA-2017:1503 - Bug Fix Advisory
Synopsis
openstack-neutron bug fix advisory
Type/Severity
Bug Fix Advisory
Topic
Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat OpenStack Platform 9.0 (Mitaka) for RHEL 7.
Description
Red Hat OpenStack Platform provides the facilities for building a private
or public infrastructure-as-a-service (IaaS) cloud running on commonly
available physical hardware. This advisory includes packages for:
- OpenStack Networking service
OpenStack Networking (neutron) is a virtual network service for OpenStack.
Just as OpenStack Compute (nova) provides an API to dynamically request and
configure virtual servers, OpenStack Networking provides an API to
dynamically request and configure virtual networks. These networks connect
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute
VMs). The OpenStack Networking API supports extensions to provide advanced
network capabilities (for example, QoS, ACLs, and network monitoring).
Changes to the openstack-neutron component:
- Cause: The default L3 HA implementation, keepalived, sometimes flips the master router instance to backup if it receives multiple SIGHUP signals in quick succession.
Consequence: The HA master router may be flipped to backup, disrupting L3 connectivity until the previous backup keepalived instance takes over.
Fix: To work around this keepalived behavior, the Neutron L3 agent now throttles the SIGHUP signals it sends to keepalived, so that keepalived has enough time to reload its configuration without being disrupted by failovers.
Result: L3 connectivity implemented via HA routers is not disrupted on router updates in quick succession (for example, floating IP updates). (BZ#1398286)
- Feature:
This build makes L3 High Availability (HA) failover not dependent on Networking (neutron) components. It also reduces HA failover time since we are not depending on neutron to create any OVS flows during failover.
With this build, when both l2pop and arp_responder are enabled for the linuxbridge agent, the VM will fail to communicate with the router. A temporary workaround is to set arp_responder=false. This issue affects only the linuxbridge agent; the OVS agent works as expected. (BZ#1395533)
- Previously, it was possible for the OpenStack networking OVS agent to compare non-translated strings to translated, UTF-16 strings when a subprocess didn't run properly. On non-English locales, this could result in an exception, thereby preventing instances from booting.
To address this, failure checks were updated to depend on the actual return value of failed subprocesses instead of strings. This ensures that subprocess failures are handled properly under non-English locales. (BZ#1418329)
- Add http_proxy_to_wsgi to api-paste
This sets up the HTTPProxyToWSGI middleware in front of the Neutron-API. The purpose of this middleware is to set up the request URL correctly in case there is a proxy (for example, a loadbalancer such as HAProxy) in front of Neutron.
For example, when TLS connections are being terminated in the proxy, and you attempt to get the versions from the / resource of Neutron, the protocol is incorrect and reports as 'http' instead of 'https'. The HTTPProxyToWSGI middleware handles such cases and helps Keystone discovery work correctly. HTTPProxyToWSGI is off by default and needs to be enabled with a configuration value. (BZ#1451508)
- When HA routers are deleted, the L3 agent uses SIGKILL to kill the neutron-keepalived-state-change process, which orphans its child process, 'ip -o monitor'. This caused memory consumption to grow and, eventually, the OOM killer to be invoked.
This fix uses SIGTERM to stop the keepalived-state-change process gracefully, so that it kills its ip monitor child during cleanup. This ensures that no ip monitor processes are leaked when HA routers are deleted. (BZ#1383448)
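The SIGHUP throttling described for BZ#1398286 can be illustrated with a small coalescing throttle. This is an added example, not Neutron's code: `ReloadThrottle`, `send_reload` and `simulate_burst` are hypothetical names, and the clock is injectable so the behaviour can be checked without sleeping.

```python
import threading
import time


class ReloadThrottle:
    """Let at most one reload through per min_interval seconds.

    Hypothetical helper, not Neutron code. send_reload stands in for
    delivering SIGHUP to keepalived, e.g. os.kill(pid, signal.SIGHUP).
    """

    def __init__(self, send_reload, min_interval, clock=time.monotonic):
        self._send, self._interval, self._clock = send_reload, min_interval, clock
        self._lock = threading.Lock()
        self._last_sent = None   # time of the last reload actually sent
        self._pending = False    # a request arrived while throttled

    def request(self):
        """Called on every router update; True if a reload was sent now."""
        return self._fire(new_request=True)

    def flush(self):
        """Called from a periodic loop; sends a deferred reload when due."""
        return self._fire(new_request=False)

    def _fire(self, new_request):
        with self._lock:
            if not (new_request or self._pending):
                return False
            now = self._clock()
            if self._last_sent is not None and now - self._last_sent < self._interval:
                self._pending = True   # remember it so the last update is not lost
                return False
            self._last_sent, self._pending = now, False
            self._send()
            return True


def simulate_burst(updates=5, min_interval=3.0):
    """Constructed scenario: updates arrive 0.1 s apart, then one loop tick."""
    now, sent_at = [0.0], []
    throttle = ReloadThrottle(lambda: sent_at.append(now[0]),
                              min_interval, clock=lambda: now[0])
    for i in range(updates):
        now[0] = i * 0.1
        throttle.request()
    now[0] = min_interval
    throttle.flush()
    return sent_at
```

A burst of five updates produces two reloads rather than five: one immediately and one deferred reload that carries the final configuration.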
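The scheme problem described for BZ#1451508 can be reproduced with a few lines of standard-library WSGI. This is an added example and a simplified stand-in, not oslo.middleware's implementation: `ForwardedProtoMiddleware`, `versions_app`, `advertised_url`, the host name and the addresses are constructed, and the `trusted_proxies` check is an extra assumption of this example that keeps a client from setting the scheme itself.

```python
from wsgiref.util import application_uri, setup_testing_defaults


class ForwardedProtoMiddleware:
    """Rewrite wsgi.url_scheme from X-Forwarded-Proto (hypothetical stand-in)."""

    def __init__(self, app, enabled=False, trusted_proxies=()):
        self.app = app
        self.enabled = enabled              # off by default, as in the advisory
        self.trusted = set(trusted_proxies)  # assumption of this example only

    def __call__(self, environ, start_response):
        if self.enabled and environ.get("REMOTE_ADDR") in self.trusted:
            raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
            proto = raw.split(",")[0].strip().lower()
            if proto in ("http", "https"):   # ignore anything unexpected
                environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def versions_app(environ, start_response):
    """Toy version-discovery endpoint that advertises its own base URL."""
    body = application_uri(environ).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def advertised_url(app, remote_addr, forwarded_proto=None):
    """Send one constructed request to app and return the URL it reports."""
    environ = {"REMOTE_ADDR": remote_addr,
               "HTTP_HOST": "neutron.example.test:9696"}
    setup_testing_defaults(environ)          # backend itself speaks plain http
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

With the middleware disabled, or when the request does not come from a listed proxy, the endpoint keeps advertising `http://`; only a request relayed by the TLS-terminating proxy yields `https://`.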
Solution
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
Red Hat OpenStack Platform 9 runs on Red Hat Enterprise Linux 7.3.
The Red Hat OpenStack Platform 9 Release Notes contain the following:
- An explanation of the way in which the provided components interact to
form a working cloud computing environment.
- Technology Previews, Recommended Practices, and Known Issues.
- The channels required for Red Hat OpenStack Platform 9, including which
channels need to be enabled and disabled.
The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/release-notes
This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:
https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html
Affected Products
- Red Hat OpenStack 9 x86_64
Fixes
- BZ - 1383448 - Neutron L3 HA - stop of neutron-keepalived-state-change leaves stale "ip -o monitor address" processes
- BZ - 1395533 - l2pop fdb flows for HA router ports
- BZ - 1446169 - missing patch from mitaka upstream causes issues with updates/upgrades later
CVEs
(none)
References
(none)
Red Hat OpenStack 9
SRPM | |
---|---|
openstack-neutron-8.3.0-9.el7ost.src.rpm | SHA-256: f68deb3292a28b4b815a7c777440c60a557e9ae2540e88fdfccf5d9e748eafea |
python-networking-bigswitch-8.40.7-1.el7ost.src.rpm | SHA-256: 37aafa58d37bb5848ded4147b3d14467e126abbabfe99f4d597cb1975d42bb15 |
x86_64 | |
openstack-neutron-8.3.0-9.el7ost.noarch.rpm | SHA-256: bef2ea4d0a7693e6f082e22e4db4b938d6646ddbd44577094002d6e2a20248d5 |
openstack-neutron-bgp-dragent-8.3.0-9.el7ost.noarch.rpm | SHA-256: 3cef537bd4cb0943da449db8196bb2b23335a875b8185a4016ce1f766cbac5c6 |
openstack-neutron-bigswitch-agent-8.40.7-1.el7ost.noarch.rpm | SHA-256: 70747a96a1e54283ff7480a1754d903107454c31f5b5184e6588784860f97597 |
openstack-neutron-bigswitch-lldp-8.40.7-1.el7ost.noarch.rpm | SHA-256: cf4d0e37fb8917b683705b0517027762aafe1daf195989bf71a3990c19824d2a |
openstack-neutron-common-8.3.0-9.el7ost.noarch.rpm | SHA-256: 1ca0e96687c381ece7cfda61a2be08d8e76a8665d2839f5c085d4b0b82792acb |
openstack-neutron-linuxbridge-8.3.0-9.el7ost.noarch.rpm | SHA-256: 01d3f9b657f5eb301cc157309dce03be4ef5cf1ddbedd01bf890dc1beedb41fb |
openstack-neutron-macvtap-agent-8.3.0-9.el7ost.noarch.rpm | SHA-256: c9c746197674cadb7ad393e7299f96e5fb90b54f6377188a8fdc246a0c807432 |
openstack-neutron-metering-agent-8.3.0-9.el7ost.noarch.rpm | SHA-256: 7995fccb97cfebf59285dc40e48a6afb4d7b48b382d7796c6c49901014f73f90 |
openstack-neutron-ml2-8.3.0-9.el7ost.noarch.rpm | SHA-256: 12bcc05380d9df47492f853b8cab37ad93415734573c85ecaf0a77f7117eae9d |
openstack-neutron-openvswitch-8.3.0-9.el7ost.noarch.rpm | SHA-256: 41d284c236a431881a0670d0b2aae8044d46046154104302c631905f80d5a9ca |
openstack-neutron-rpc-server-8.3.0-9.el7ost.noarch.rpm | SHA-256: 187f906763efe41df05e075e73ad15af78e93322e283bcea8b794087dc96a688 |
openstack-neutron-sriov-nic-agent-8.3.0-9.el7ost.noarch.rpm | SHA-256: 78df4b34a447321e71e9af0307189a326037dd5388b15f8b80c4e079c2a95984 |
python-networking-bigswitch-8.40.7-1.el7ost.noarch.rpm | SHA-256: a4f1c386c9c4facdaf104de8e4505a3810c5ceedce7018f89ae3ddc661b77080 |
python-neutron-8.3.0-9.el7ost.noarch.rpm | SHA-256: 7089c5227d6a6c4567a6f30243c913be060cdc64b8a4b2c6873be006d9e0fe5d |
python-neutron-tests-8.3.0-9.el7ost.noarch.rpm | SHA-256: d7e712f80d59c9031586fb347f8553b48553945886ffabc5a14d0b494b3a4cc0 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.