- Issued: 2017-02-23
- Updated: 2017-02-23
RHBA-2017:0314 - Bug Fix Advisory
Synopsis
openstack-neutron bug fix advisory
Type/Severity
Bug Fix Advisory
Topic
Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat OpenStack Platform 10.0 (Newton) for RHEL 7.
Description
Red Hat OpenStack Platform provides the facilities for building, deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware. This advisory includes
packages for:
- OpenStack Networking service
OpenStack Networking (neutron) is a virtual network service for OpenStack.
Just as OpenStack Compute (nova) provides an API to dynamically request and
configure virtual servers, OpenStack Networking provides an API to
dynamically request and configure virtual networks. These networks connect
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute
VMs). The OpenStack Networking API supports extensions to provide advanced
network capabilities (e.g. QoS, ACLs, network monitoring, etc.).
This update includes the following enhancements and fixes:
- Previously, every time neutron-keepalived-state-change was killed, the IP monitor process it spawned remained in an orphaned state. This resulted in leaked memory over time and required manual actions from administrators.
With this update, the process is killed gracefully and its child IP monitor process will be killed as well, avoiding this memory leak. (BZ#1397418)
- Previously, when ports were created with port_security disabled, the explicit iptables rules were not applied to allow the traffic. This resulted in packets hitting a default REJECT rule, and all traffic was blocked.
With this fix, firewall rules are correctly installed on ports with port_security disabled and traffic is allowed. (BZ#1406263)
- This enhancement implements ProcessMonitor in the HaproxyNSDriver class (v2) to use the external_process module, which allows it to monitor and respawn the haproxy processes as needed. The LBaaS agent (v2) will load options related to external_process in order to take a configured action when the HAproxy process dies unexpectedly. (BZ#1415828)
- This enhancement adds the ability to automatically reschedule load balancers from dead LBaaS agents. Previously, load balancers could be scheduled across multiple LBaaS agents; however, if a hypervisor died, the load balancers scheduled to that node would cease operation. With this update, these load balancers are automatically rescheduled to a different agent. This feature is turned off by default and controlled using `allow_automatic_lbaas_agent_failover`. (BZ#1415829)
- Previously, when a network was deleted, all ports and subnets were deleted before it could be determined if a metadata proxy had been spawned. Consequently, the check could return a false negative and the proxy was not killed, causing the system to eventually run out of memory. With this update, the metadata proxy process is killed unconditionally when the network is deleted. (BZ#1416265)
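The orphaned-child behaviour described for BZ#1397418, and the graceful shutdown that avoids it, shown as an added example that is not code from neutron or from this advisory. The daemon body, the `sleep` child standing in for the IP monitor, and the name `child_survives_sigterm` are all constructed for illustration.

```python
import os
import signal
import subprocess
import sys

# Constructed stand-in for a daemon that spawns a monitor child (here: a sleep).
DAEMON_SRC = r'''
import signal, subprocess, sys
cleanup = sys.argv[1] == "cleanup"
child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(300)"])

def on_term(signum, frame):
    if cleanup:              # graceful shutdown: stop and reap the child first
        child.terminate()
        child.wait()
    sys.exit(0)              # without cleanup the child is left orphaned

signal.signal(signal.SIGTERM, on_term)
print(child.pid, flush=True)  # report the child PID only once the handler is set
signal.pause()
'''

def child_survives_sigterm(cleanup: bool) -> bool:
    """SIGTERM the stand-in daemon; return True if its child is still running."""
    mode = "cleanup" if cleanup else "leak"
    daemon = subprocess.Popen([sys.executable, "-c", DAEMON_SRC, mode],
                              stdout=subprocess.PIPE, text=True)
    child_pid = int(daemon.stdout.readline())
    daemon.send_signal(signal.SIGTERM)
    daemon.wait(timeout=10)
    daemon.stdout.close()
    try:
        os.kill(child_pid, 0)           # signal 0: existence check only
    except ProcessLookupError:
        return False                    # child was terminated and reaped
    os.kill(child_pid, signal.SIGKILL)  # tidy up the orphan left by the leak case
    return True

if __name__ == "__main__":
    print("child orphaned without cleanup:", child_survives_sigterm(False))
    print("child orphaned with cleanup:   ", child_survives_sigterm(True))
```

On a host where such a daemon is restarted repeatedly, each leaked child stays resident, which is the gradual memory growth the advisory describes.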
Solution
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
Red Hat OpenStack Platform 10 runs on Red Hat Enterprise Linux 7.3.
The Red Hat OpenStack Platform 10 Release Notes contain the following:
- An explanation of the way in which the provided components interact to
form a working cloud computing environment.
- Technology Previews, Recommended Practices, and Known Issues.
- The channels required for Red Hat OpenStack Platform 10, including which
channels need to be enabled and disabled.
The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/10/single/release-notes/
This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:
https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html
Affected Products
- Red Hat OpenStack 10 x86_64
Fixes
- BZ - 1377633 - OVS FW driver ignores all non tcp udp icmp protocol rules
- BZ - 1397418 - neutron-keepalived-state-change lives behind big processes
- BZ - 1401798 - All LBaaS tests fails when running with latest version of tempest
- BZ - 1406263 - iptables rule blocks traffic even with port_security_enabled set to False
- BZ - 1415828 - Backport: [RFE] [Neutron] [LBaaS v2] Add process monitor for haproxy
- BZ - 1415829 - Backport: [RFE] [Neutron] [LBaaS v2] Loadbalancers should be rescheduled when a LBaaS agent goes offline
- BZ - 1416265 - neutron-ns-metadata-proxy are not deleted after network is deleted
- BZ - 1421806 - Rebase openstack-neutron to 9.2.0
CVEs
(none)
References
(none)
Red Hat OpenStack 10
SRPM | |
---|---|
openstack-neutron-9.2.0-2.el7ost.src.rpm | SHA-256: 868753b3c7743bbf19f5562d7ce73921d79ef29f8a92b798f8de2e829fcc4879 |
openstack-neutron-lbaas-9.1.0-4.el7ost.src.rpm | SHA-256: ff1fe2dd1639d7d04adfed5be27dbd2905cc350d89f25af9ad893d9e613be53e |
x86_64 | |
openstack-neutron-9.2.0-2.el7ost.noarch.rpm | SHA-256: 3886c4c1092c4b45de8e4783aef13299de2184b91292058836a389110bfa21dc |
openstack-neutron-common-9.2.0-2.el7ost.noarch.rpm | SHA-256: 357d5cfc3a66054543e732b92acb4254088dc29fed80b1467a86a542e69fe75c |
openstack-neutron-lbaas-9.1.0-4.el7ost.noarch.rpm | SHA-256: 716749a0cc9af4a4ece5c93dd62c6596447c6bdaaa6ce45a5254c6178702a2b7 |
openstack-neutron-linuxbridge-9.2.0-2.el7ost.noarch.rpm | SHA-256: 85158357bdb0566ca6918907cd3644cb1bbb7084af002f364a01e760c376f9bc |
openstack-neutron-macvtap-agent-9.2.0-2.el7ost.noarch.rpm | SHA-256: 7262eaa93055b7407407f1952fcae8f2b0ca5fe9f73fd39361cef0cbbc361ae7 |
openstack-neutron-metering-agent-9.2.0-2.el7ost.noarch.rpm | SHA-256: 3e2e104aed43219762270c45595639b1db14f8c41096c41b2d5c8696739a1f50 |
openstack-neutron-ml2-9.2.0-2.el7ost.noarch.rpm | SHA-256: a9d2aee138b45af55f4fb6364bc634d90553f3f374c1658a1d5ef6a08367f709 |
openstack-neutron-openvswitch-9.2.0-2.el7ost.noarch.rpm | SHA-256: a58131acdacea352f31a3a20747e4c6c1feedf87b00f2728a8a7aa6133e1443e |
openstack-neutron-rpc-server-9.2.0-2.el7ost.noarch.rpm | SHA-256: 04836eff49659bccc3b49ed1fdfcffc360b1a9acd866cbb9d90a39c91e4807e0 |
openstack-neutron-sriov-nic-agent-9.2.0-2.el7ost.noarch.rpm | SHA-256: 6d2bdd73cc7f7005551be01e291d10fd148ffa9e4fdbf8a762bcad83943ec675 |
python-neutron-9.2.0-2.el7ost.noarch.rpm | SHA-256: 119c333929b8f5329bba838d32c87904a67d3101bba4c94776c81019e903d56d |
python-neutron-lbaas-9.1.0-4.el7ost.noarch.rpm | SHA-256: f0b33b2de22d7605016413bcf92677a5a77fea0a40c0990b1fca7eb89a74028f |
python-neutron-lbaas-tests-9.1.0-4.el7ost.noarch.rpm | SHA-256: 40c1da116e3092fe943caa81d522bc589f3c194f64ced4bd9c444a15fe748ca5 |
python-neutron-tests-9.2.0-2.el7ost.noarch.rpm | SHA-256: c3538b17f5654aeb16a1c0de237d17c39ad39a9e70f3ba2c67142fa53a85941d |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.