6.3. RHSA-2015:1862 — Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update

SSL configuration on the director caused the Automated Health Check (AHC) tools to fail due to not using internal endpoints for certain components. This fix changes the configuration to use internal endpoints. The AHC tools now run without SSL errors.

SSL configuration on the director caused the Automated Health Check (AHC) tools to fail due to not using internal endpoints for certain components. This fix changes the configuration to use internal endpoints. The AHC tools now run without SSL errors.

A missing firewall rule restricted access to the Ceilometer API. This fix adds the firewall rule. Users now have access to the Ceilometer API.

A missing firewall rule restricted access to the Ceilometer API. This fix adds the firewall rule. Users now have access to the Ceilometer API.

The director's iptables previously denied port 9696. This rejected all requests to the Neutron API except for those coming from localhost. This fix adds an iptables rule to accept TCP traffic for port 9696. Remote connections now have access to the Neutron API.

The director's iptables previously denied port 9696. This rejected all requests to the Neutron API except for those coming from localhost. This fix adds an iptables rule to accept TCP traffic for port 9696. Remote connections now have access to the Neutron API.

undercloud_heat_encryption_key was incorrectly documented in undercloud.conf.sample as accepting values of size 8, 16, or 32 characters. Only values of size 16, 24, or 32 characters are actually accepted. If a value that had the non-accepted size was used, the Undercloud configuration script would fail with an error similar to:

Error: 8 is not a correct size for auth_encryption_key parameter, it must be either 16, 24, 32 bytes long. at /etc/puppet/modules/heat/manifests/engine.pp:106 on node undercloud.local.dev

This fix updates the undercloud.conf.sample with the correct documentation to indicate the accepted sizes of this parameter.

undercloud_heat_encryption_key was incorrectly documented in undercloud.conf.sample as accepting values of size 8, 16, or 32 characters. Only values of size 16, 24, or 32 characters are actually accepted. If a value that had the non-accepted size was used, the Undercloud configuration script would fail with an error similar to:

Error: 8 is not a correct size for auth_encryption_key parameter, it must be either 16, 24, 32 bytes long. at /etc/puppet/modules/heat/manifests/engine.pp:106 on node undercloud.local.dev

This fix updates the undercloud.conf.sample with the correct documentation to indicate the accepted sizes of this parameter.

The Overcloud deployment used a default port quota of 50 for Neutron networking, which caused failures in larger deployments. This fix disables the port quota. Larger Overcloud deployments no longer fail from lack of Neutron ports.

The Overcloud deployment used a default port quota of 50 for Neutron networking, which caused failures in larger deployments. This fix disables the port quota. Larger Overcloud deployments no longer fail from lack of Neutron ports.

The Undercloud configuration script ignored rabbit user details in undercloud.conf and did not create the necessary user for rabbitmq. This caused a incorrect rabbitmq configuration that resulted in a failed Undercloud configuration. This fix adds code to the undercloud configuration script that creates the requested rabbitmq user with the requested password. All services now connect to rabbitmq using the requested username and password.

The Undercloud configuration script ignored rabbit user details in undercloud.conf and did not create the necessary user for rabbitmq. This caused a incorrect rabbitmq configuration that resulted in a failed Undercloud configuration. This fix adds code to the undercloud configuration script that creates the requested rabbitmq user with the requested password. All services now connect to rabbitmq using the requested username and password.

The director's database (MariaDB) only accept a maximum of 1024 connections. An Undercloud with a high number of CPU cores (typically 24 or more) exhausted these database connections due to the number of OpenStack API workers spawned. This fix configures the Undercloud to accept 4096 connections for MariaDB. All services now connect to MariaDB when needed.

The director's database (MariaDB) only accept a maximum of 1024 connections. An Undercloud with a high number of CPU cores (typically 24 or more) exhausted these database connections due to the number of OpenStack API workers spawned. This fix configures the Undercloud to accept 4096 connections for MariaDB. All services now connect to MariaDB when needed.

Nodes registered with an unresponsive IPMI IP address caused the sync power state periodic task to hang for a default 10 minutes. This resulted in unresponsive behavior from Ironic. This fix lowers the default IPMI retry timeout. Now unresponsive nodes report failures faster and do not hang on the sync power state periodic task.

Nodes registered with an unresponsive IPMI IP address caused the sync power state periodic task to hang for a default 10 minutes. This resulted in unresponsive behavior from Ironic. This fix lowers the default IPMI retry timeout. Now unresponsive nodes report failures faster and do not hang on the sync power state periodic task.

The inspection process picked a random root disk to report as local_gb. This often returned the wrong local_gb value, which would differ from run to run on machines with multiple hard disks. This fix sorts the order of the disks before picking the first one. The inspection process now provides a consistent local_gb value.

The inspection process picked a random root disk to report as local_gb. This often returned the wrong local_gb value, which would differ from run to run on machines with multiple hard disks. This fix sorts the order of the disks before picking the first one. The inspection process now provides a consistent local_gb value.

Updating an Overcloud set the UpdateIdentifier parameters for each node in the director's Overcloud plan. However, deleting the Overcloud stack and redeploying it resulted in failure if the UpdateIdentifier parameters were set due to no preset repositories upon deployment. This fix stops the Overcloud from setting the UpdateIdentifier parameter on each node. This results in a successful Overcloud deployment.

Updating an Overcloud set the UpdateIdentifier parameters for each node in the director's Overcloud plan. However, deleting the Overcloud stack and redeploying it resulted in failure if the UpdateIdentifier parameters were set due to no preset repositories upon deployment. This fix stops the Overcloud from setting the UpdateIdentifier parameter on each node. This results in a successful Overcloud deployment.

The "openstack overcloud update stack -i" command did not handle invalid regular expressions. This caused command termination with an error:

openstack unexpected end of regular expression

This fix detects invalid regular expressions and provides a warning to the user about the invalid value. The command now handles invalid expressions and prompts the user to enter a new value.

The "openstack overcloud update stack -i" command did not handle invalid regular expressions. This caused command termination with an error:

openstack unexpected end of regular expression

This fix detects invalid regular expressions and provides a warning to the user about the invalid value. The command now handles invalid expressions and prompts the user to enter a new value.

This enhancement adds support for the Nexus-9k ML2 Neutron plugin. This includes environment configuration in the TripleO Heat Template collection as well as configuration in the Openstack Puppet Module collection.

This enhancement adds support for the Nexus-9k ML2 Neutron plugin. This includes environment configuration in the TripleO Heat Template collection as well as configuration in the Openstack Puppet Module collection.

This enhancement adds support for the Cisco UCSM Neutron ML2 plugin. This includes environment configuration in the TripleO Heat Template collection as well as configuration in the Openstack Puppet Module collection.

This enhancement adds support for the Cisco UCSM Neutron ML2 plugin. This includes environment configuration in the TripleO Heat Template collection as well as configuration in the Openstack Puppet Module collection.

Load balancing for httpd was incorrectly configured on the Overcloud, which meant VIPs were not used when accessing Horizon. This fix properly enables the load balancing for httpd. Now Horizon is accessible through VIPs.

Load balancing for httpd was incorrectly configured on the Overcloud, which meant VIPs were not used when accessing Horizon. This fix properly enables the load balancing for httpd. Now Horizon is accessible through VIPs.

All keystone endpoints are on the External VIP. This means all API calls to keystone happen over the External VIP. There is no workaround at this time.

All keystone endpoints are on the External VIP. This means all API calls to keystone happen over the External VIP. There is no workaround at this time.

This enhancement increases the levels of configuration for the Overcloud's Neutron service. Customers can now configure values for core_plugin, type_drivers, and service_plugins through the director.

This enhancement increases the levels of configuration for the Overcloud's Neutron service. Customers can now configure values for core_plugin, type_drivers, and service_plugins through the director.

The bonded NIC templates use a specific parameter to name the main bridge that connects all VLANs on Controller and Compute nodes. The Overcloud's networking expects the same bridge name on both Controller and Compute nodes. However, the default bridge name is different for each node type (br-ex for Controller, br-bond for Compute). This results in missing packets on the bonded interface and a faulty Overcloud networking configration. This fix removes the hardcoded value for the bond name in the Compute node NIC configuration. Using the input value for bridge_name instead ensures the Controller and Compute nodes have the same bridge name (defaults to "br-ex").

The bonded NIC templates use a specific parameter to name the main bridge that connects all VLANs on Controller and Compute nodes. The Overcloud's networking expects the same bridge name on both Controller and Compute nodes. However, the default bridge name is different for each node type (br-ex for Controller, br-bond for Compute). This results in missing packets on the bonded interface and a faulty Overcloud networking configration. This fix removes the hardcoded value for the bond name in the Compute node NIC configuration. Using the input value for bridge_name instead ensures the Controller and Compute nodes have the same bridge name (defaults to "br-ex").

Overcloud deployments did not consume nor affect the Neutron mechanism driver parameter passed as hiera data from the corresponding Heat template. This meant Overcloud deployments contained an unexpected Neutron configuration, with both openvswitch and linuxbridge configured as mechanism_drivers in /etc/neutron/plugins/ml2/ml2_conf.ini as such:

mechanism_drivers = openvswitch,linuxbridge

This fix ensures the Overcloud deployment correctly consumes the neutron_mechanism_drivers hiera data item passed from the Heat templates and sets this in the Neutron ml2 configuration on the controller node. You can also specify the NeutronMechanismDrivers Heat template parameter as a custom parameter and expect the corresponding ml2 configuration for Neutron.

Overcloud deployments did not consume nor affect the Neutron mechanism driver parameter passed as hiera data from the corresponding Heat template. This meant Overcloud deployments contained an unexpected Neutron configuration, with both openvswitch and linuxbridge configured as mechanism_drivers in /etc/neutron/plugins/ml2/ml2_conf.ini as such:

mechanism_drivers = openvswitch,linuxbridge

This fix ensures the Overcloud deployment correctly consumes the neutron_mechanism_drivers hiera data item passed from the Heat templates and sets this in the Neutron ml2 configuration on the controller node. You can also specify the NeutronMechanismDrivers Heat template parameter as a custom parameter and expect the corresponding ml2 configuration for Neutron.

Missing constraints between Pacemaker resources caused issues when starting or stopping the Controller cluster. This fix adds these constraints. Pacemaker resources now have the necessary relationships to function.

Missing constraints between Pacemaker resources caused issues when starting or stopping the Controller cluster. This fix adds these constraints. Pacemaker resources now have the necessary relationships to function.

The default external network port was set to control plane VIP. This caused network validation to fail when running without network isolation enabled. This fix returns the correct default port when network isolation is not in use. The network validation now succeeds.

The default external network port was set to control plane VIP. This caused network validation to fail when running without network isolation enabled. This fix returns the correct default port when network isolation is not in use. The network validation now succeeds.

The collection of hostname to MAC mappings for Cisco ML2 Nexus support used the nameserver, which might be unavailable due to timing issues. This caused Overcloud configuration issues. This fix check if "hostname -f" fails. If it does, director appends the hostname explicitly with ".localdomain". Now the hostname look-up works regardless of nameserver timing issues.

The collection of hostname to MAC mappings for Cisco ML2 Nexus support used the nameserver, which might be unavailable due to timing issues. This caused Overcloud configuration issues. This fix check if "hostname -f" fails. If it does, director appends the hostname explicitly with ".localdomain". Now the hostname look-up works regardless of nameserver timing issues.

Incorrect data type handling between Heat and Puppet caused complex parameters, such as JSON hashes, to pass incorrectly from Heat to Puppet. This fix improves the data types handling in the component which writes Hiera data from values received from Heat. Now passing JSON hashes from Heat to Puppet functions correctly.

Incorrect data type handling between Heat and Puppet caused complex parameters, such as JSON hashes, to pass incorrectly from Heat to Puppet. This fix improves the data types handling in the component which writes Hiera data from values received from Heat. Now passing JSON hashes from Heat to Puppet functions correctly.

Support for using a pre-existing external Ceph Storage cluster with Overcloud deployments caused all deployments using a Tuskar plan to fail. This included deployments through the web UI and CLI when --plan is used instead of --templates. This was irrespective of whether any Ceph Storage nodes were deployed (external or otherwise). Failed deployments resulted in the following error:

ERROR: openstack ERROR: Property error : CephClusterConfig: ceph_storage_count The Parameter (Ceph-Storage-1::CephStorageCount) was not provided.

This fix modifies Tuskar so that it can work with nested references to the top level Heat templates scaling parameters (like CephStorageCount in this case). Deployments using Tuskar now function without encountering the CephStorageCount error.

Support for using a pre-existing external Ceph Storage cluster with Overcloud deployments caused all deployments using a Tuskar plan to fail. This included deployments through the web UI and CLI when --plan is used instead of --templates. This was irrespective of whether any Ceph Storage nodes were deployed (external or otherwise). Failed deployments resulted in the following error:

ERROR: openstack ERROR: Property error : CephClusterConfig: ceph_storage_count The Parameter (Ceph-Storage-1::CephStorageCount) was not provided.

This fix modifies Tuskar so that it can work with nested references to the top level Heat templates scaling parameters (like CephStorageCount in this case). Deployments using Tuskar now function without encountering the CephStorageCount error.

This fix adds support for Cisco UCS machines to Ironic's power management control in the director. Cisco UCS nodes are manageable using the IPMI protocol, but some customers might want to use the specific Cisco UCS driver to manage more advanced features. Now the director supports power management for Cisco UCS machines.

This fix adds support for Cisco UCS machines to Ironic's power management control in the director. Cisco UCS nodes are manageable using the IPMI protocol, but some customers might want to use the specific Cisco UCS driver to manage more advanced features. Now the director supports power management for Cisco UCS machines.

This enhancement adds support for the fake_pxe Ironic driver for registering machines without power management to the director. Use the fake_pxe driver as a fallback driver for machines without a power management system. Perform all power operations manually when using this driver.

This enhancement adds support for the fake_pxe Ironic driver for registering machines without power management to the director. Use the fake_pxe driver as a fallback driver for machines without a power management system. Perform all power operations manually when using this driver.

The director expected power management authentication details when using the fake_pxe driver. This caused failure when registering nodes. This fix updates the os-cloud-config tool to disregard pm_addr, pm_password, and pm_user when using the fake_pxe driver. The director now successfully registers nodes using the fake_pxe driver.

The director expected power management authentication details when using the fake_pxe driver. This caused failure when registering nodes. This fix updates the os-cloud-config tool to disregard pm_addr, pm_password, and pm_user when using the fake_pxe driver. The director now successfully registers nodes using the fake_pxe driver.

In the discovery ramdisk, the python-hardware module ran a utility that returned a string with invalid UTF-8 encoding. This caused the hardware-detect command to exit with an error. As a result, the discovery ramdisk dropped to a dracut shell. This fix modifies the module to mitigate and resolve the error, rather than exit from the hardware-detect command. The ramdisk no longer drops to a dracut shell in this situation.

In the discovery ramdisk, the python-hardware module ran a utility that returned a string with invalid UTF-8 encoding. This caused the hardware-detect command to exit with an error. As a result, the discovery ramdisk dropped to a dracut shell. This fix modifies the module to mitigate and resolve the error, rather than exit from the hardware-detect command. The ramdisk no longer drops to a dracut shell in this situation.

The iLO drivers lacked support for introspection cleaning tasks, which caused the ironic introspection to fail. A fix has been pushed to the proliantutils library to correct the iLO drivers. Alternatively, as a workaround, disable the cleaning task in /etc/ironic/ironic.conf:

[ilo]
...
clean_priority_reset_ilo=0
clean_priority_reset_bios_to_default=0
clean_priority_reset_secure_boot_keys_to_default=0
clean_priority_clear_secure_boot_keys=0
clean_priority_reset_ilo_credential=0

The iLO drivers lacked support for introspection cleaning tasks, which caused the ironic introspection to fail. A fix has been pushed to the proliantutils library to correct the iLO drivers. Alternatively, as a workaround, disable the cleaning task in /etc/ironic/ironic.conf:

[ilo]
...
clean_priority_reset_ilo=0
clean_priority_reset_bios_to_default=0
clean_priority_reset_secure_boot_keys_to_default=0
clean_priority_clear_secure_boot_keys=0
clean_priority_reset_ilo_credential=0

The "openstack overcloud deploy" command did not check available nodes for deployment. This caused failed deployments due if there were not enough nodes available. This fix adds a pre-deployment check to the CLI and checks the number of available nodes before creating or updating the Overcloud stack. Now if not enough nodes are available, users get an error message before Heat creates or updates the stack.

The "openstack overcloud deploy" command did not check available nodes for deployment. This caused failed deployments due if there were not enough nodes available. This fix adds a pre-deployment check to the CLI and checks the number of available nodes before creating or updating the Overcloud stack. Now if not enough nodes are available, users get an error message before Heat creates or updates the stack.

The "openstack baremetal configure boot" command attempted to configure nodes in maintenance mode. This caused boot configuration to fail. This fix skips nodes in maintenance mode. Now the boot configuration passes without error.

The "openstack baremetal configure boot" command attempted to configure nodes in maintenance mode. This caused boot configuration to fail. This fix skips nodes in maintenance mode. Now the boot configuration passes without error.

Running "openstack baremetal configure boot" overwrote the "capabilities" property of bare metal nodes. This removed the profile information for existing nodes. This fix changes the overwrite method to an append method. This no longer removes the profile information.

Running "openstack baremetal configure boot" overwrote the "capabilities" property of bare metal nodes. This removed the profile information for existing nodes. This fix changes the overwrite method to an append method. This no longer removes the profile information.

Network setup details were not passed to Tempest, which caused tests to fail when running "openstack overcloud validate". This fix generates deployer input at the end of deployment. However, you must now run Tempest manually. This fix also removes the "openstack overcloud validate" command from the director.

Network setup details were not passed to Tempest, which caused tests to fail when running "openstack overcloud validate". This fix generates deployer input at the end of deployment. However, you must now run Tempest manually. This fix also removes the "openstack overcloud validate" command from the director.

The "openstack overcloud image upload" command uploaded Overcloud images even if old versions existed in Glance. This resulted in images with duplicate names, which caused Overcloud creation to fail. This fix modifies the tool to skip existing images. The tool also includes an "--update-existing" option to update existing images. Overcloud creation now uses the new Overcloud images stored in Glance without failure.

The "openstack overcloud image upload" command uploaded Overcloud images even if old versions existed in Glance. This resulted in images with duplicate names, which caused Overcloud creation to fail. This fix modifies the tool to skip existing images. The tool also includes an "--update-existing" option to update existing images. Overcloud creation now uses the new Overcloud images stored in Glance without failure.

Bulk introspection applied to all nodes including active nodes. However, bulk introspection failed on active nodes. This fix no longer applies introspection to active nodes.

Bulk introspection applied to all nodes including active nodes. However, bulk introspection failed on active nodes. This fix no longer applies introspection to active nodes.

Unclear help text and bug in parameter passing for the "openstack overcloud update stack" operation meant users needed to specify both plan and stack names. This fix removes the need for the stack name. However, the update command now requires either the Tuskar plan ID or the Heat template collection location.

Unclear help text and bug in parameter passing for the "openstack overcloud update stack" operation meant users needed to specify both plan and stack names. This fix removes the need for the stack name. However, the update command now requires either the Tuskar plan ID or the Heat template collection location.

The director generated no deployer input for Tempest after deployment. This caused possible missing tempest configurations options which were not auto-detected. This fix generates deployer input at the end of deployment. However, you must now run Tempest manually. This fix also removes the overcloud validate command from the director.

The director generated no deployer input for Tempest after deployment. This caused possible missing tempest configurations options which were not auto-detected. This fix generates deployer input at the end of deployment. However, you must now run Tempest manually. This fix also removes the overcloud validate command from the director.

The "--ntp-server" option was not provided for some HA Overcloud deployments. This caused the clock on Controller nodes to drift, which caused problems in Keystone. This fix sets the "--ntp-server" option to mandatory for deployments with multiple Controller nodes. Clocks on Controller nodes are now synchronized.

The "--ntp-server" option was not provided for some HA Overcloud deployments. This caused the clock on Controller nodes to drift, which caused problems in Keystone. This fix sets the "--ntp-server" option to mandatory for deployments with multiple Controller nodes. Clocks on Controller nodes are now synchronized.

Overcloud updates passed default environment files to Heat. If the Overcloud creation used additional environment files that were not passed during the update, the Overcloud would update the resource registry definitions as per the default environment files, which in turn deleted some of the Overcloud's Heat resources. Now, the default environment files are no longer sent to Heat on update, and Heat does not delete the Overcloud resources.

Overcloud updates passed default environment files to Heat. If the Overcloud creation used additional environment files that were not passed during the update, the Overcloud would update the resource registry definitions as per the default environment files, which in turn deleted some of the Overcloud's Heat resources. Now, the default environment files are no longer sent to Heat on update, and Heat does not delete the Overcloud resources.

This enhancement adds support for the Cisco N1kV plugin. This includes environment configuration in the TripleO Heat Template collection.

This enhancement adds support for the Cisco N1kV plugin. This includes environment configuration in the TripleO Heat Template collection.

This enhancement adds support for the Cisco N1kV VEM module. This includes environment configuration in the TripleO Heat Template collection.

This enhancement adds support for the Cisco N1kV VEM module. This includes environment configuration in the TripleO Heat Template collection.

When deleting a node in the Overcloud, the Heat stack's ComputeCount parameter calculated the number of nodes. However, Heat did not update parameters if a scale up operation failed. This meant the number of nodes that Heat returned in parameters did not reflect the real number of nodes. This caused problems with the number of nodes deleted on a failed stack. This fix ensures Heat updates the parameters even if a scale operation failed previously. Now the director deletes the requested nodes when running "overcloud node delete" on a stack where scale up operation failed before.

When deleting a node in the Overcloud, the Heat stack's ComputeCount parameter calculated the number of nodes. However, Heat did not update parameters if a scale up operation failed. This meant the number of nodes that Heat returned in parameters did not reflect the real number of nodes. This caused problems with the number of nodes deleted on a failed stack. This fix ensures Heat updates the parameters even if a scale operation failed previously. Now the director deletes the requested nodes when running "overcloud node delete" on a stack where scale up operation failed before.

When using static IPs on the ctlpane network, DNS must be configured on the Overcloud nodes. Previously, DHCP provided the configured DNS servers for the Overcloud nodes.

To configure DNS when using static IPs set the new DnsServers parameter and include it in the Heat environment like so:

parameter_defaults:
  DnsServers:
    - <dns server ip address>
    - <dns server ip address 2>

Use IP addresses for the DNS servers to use. You can only specify either one or two DNS servers.

When using static IPs on the ctlpane network, DNS must be configured on the Overcloud nodes. Previously, DHCP provided the configured DNS servers for the Overcloud nodes.

To configure DNS when using static IPs set the new DnsServers parameter and include it in the Heat environment like so:

parameter_defaults:
  DnsServers:
    - <dns server ip address>
    - <dns server ip address 2>

Use IP addresses for the DNS servers to use. You can only specify either one or two DNS servers.

A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data.

A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data.