Chapter 3. RHSA-2022:4711-06 Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update

BZ#2065052

Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components.

BZ#2072637

python3-daemon/python38-daemon are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel

BZ#2072639

ansible-runner-2.1.3-1.el8ev is a runtime dependency for the Red Hat Virtualization Manager. It needs to be provided in the RHEL-8-RHEV-S-4.4 channel

BZ#2072641

python3-docutils/python38-docutils are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel

BZ#2072642

python3-lockfile/python38-lockfile are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel

BZ#2072645

python3-pexpect/python38-pexpect are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel

BZ#2072646

ansible-core-2.12 requires all libraries used in Ansible modules/roles/playbooks to be built with Python 3.8. The python38-ptyprocess needs to be built and distributed in Red Hat Virtualization channels.

BZ#1608675

Red Hat Virtualization is compliant with USGv6 Revision 1 standards since version 4.4.6 of RHV. For more information, see https://www.iol.unh.edu/registry/usgv6?name=red+hat.

BZ#977379

With this release, it is now possible to edit and manage iSCSI storage domain connections using the Administration Portal. Users can now edit the logical domain to point to a different physical storage, which is useful if the underlying LUNs are replicated for backup purposes, or if the physical storage address has changed.

BZ#977778

In this release, support has been added for the conversion of a disk’s format and allocation policy. This can help reduce space usage and improve performance, as well as enabling incremental backup on existing raw disks.

BZ#2015796

Red Hat Virtualization Manager 4.4 SP1 is now capable of running on a host with the RHEL 8.6 DISA STIG OpenSCAP profile applied.

BZ#2023250

The Advanced Virtualization module (virt:av) has been merged into the standard RHEL virtualization module (virt:rhel) as part of the RHEL 8.6 release. Due to this change, the host deploy and host upgrade flows have been updated to properly enable the virt:rhel module during new installation of the RHEL 8.6 host and during upgrade of an existing RHEL 8.5 or earlier host to a RHEL 8.6 host.

BZ#2030596

The Red Hat Virtualization Manager is now capable of running on machine with the PCI-DSS security profile.

BZ#2035051

Red Hat Virtualization 4.4 SP1 uses the updated DISA STIG OpenSCAP profile from RHEL 8.6, which does not remove the gssproxy package.As a result, the Red Hat Virtualization host works correctly after applying the DISA STIG profile.

BZ#2052690

Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components.

BZ#2055136

With this release, the virt DNF module version is correctly set according to the RHEL version of the host during the host upgrade flow.

BZ#2056021

Previously, renewing of the libvirt-vnc certificate was omitted during the Enroll Certificate flow. With the release of RHV 4.4 SP1 and libvirt-vnc certificates are renewed during the Enroll Certificate flow.

BZ#2056126

With this release, the Red Hat Virtualization Manager 4.4 SP1 certificate expiration check will warn of upcoming certificate expiration earlier: 1. If a certificate is about to expire in the upcoming 120 days, a WARNING event is raised in the audit log. 2. If a certificate is about to expire in the upcoming 30 days, an ALERT event is raised in the audit log.

BZ#2071468

If SSH soft fencing needs to be executed on a problematic host, The Red Hat Virtualization Manager now waits the expected time interval before it continues with fencing. As a result,the VDSM has enough time to start and respond to the Red Hat Virtualization Manager.

BZ#655153

Previously, no confirmation dialog was shown for the suspend VM operation. A virtual machine was suspended right after clicking the suspend-VM button. With this release, a confirmation dialog is presented by default when pressing the suspend-VM button. The user can choose not to show this confirmation dialog again. The setting can be reverted in the user preferences dialog.

BZ#1878930

Feature: Provide warning event if number of available MAC addresses in pool are below threshold. The threshold is configurable via engine-config. An event will be created per pool on engine start, and if the threshold is reached when consuming addresses from the pool.

BZ#1926625

With this release, you can now enable HTTP Strict Transport Security following Red Hat Virtualization Manager installation by following the instructions in this KCS article: https://access.redhat.com/solutions/1220063

BZ#1998255

Feature: Search box in VNIC profiles main page

BZ#1999698

In previous versions, engine-setup configured apache httpd’s SSLProtocol configuration option to be -all +TLSv1.2.

BZ#2000031

Previously, host non-reponding treatment coould be called multiple times simultaneously. In this release, multiple calls to non-reponding treatment are prevented, and the host comes up much faster.

BZ#2006745

Previously, when trying to copy a template disk from/to a Managed Block Storage domain, the operation failed due to an incorrect storage domain ID, saving the same image repeatedly in the images (and base disks) DB tables, and casting the disk to DiskImage when it is of type ManagedBlockStorageDisk. In this release, all of the above issues were fixed, and copying a template disk from/to a Managed Block Storage domain works as expected.

BZ#2007384

Previously high values of disk writeRate/readRate were not processed properly by the ovirt-engine. In this release, the type of writeRate/readRate in ovirt-engine has changed from integer to long to support values that are higher than integers.

BZ#2040361

Previously, when hot plugging multiple disks with VIRTIO SCSI interface to virtual machine that are defined with more than one IO thread, this would have failed due to allocation of a duplicate PCI address.

BZ#2043146

Previously, renewing of the libvirt-vnc certificate was omitted during the Enroll Certificate flow. With the release of RHV 4.4 SP1 and libvirt-vnc certificates are renewed during the Enroll Certificate flow.

BZ#1624015

Feature: Setting the default console type (for both new and existing VMs) can be done engine widely by using CLI for setting the following engine-config parameters: engine-config -s ClientModeVncDefault=NoVnc to prefer NoVnc instead of remote-viewer and engine-config -s ClientModeConsoleDefault=vnc to prefer VNC over SPICE in case the VM has both available.

BZ#1648985

A user with SuperUser role can connect to a virtual machine in a VM-pool without having the VM assigned. Previously, this did not prevent other users from taking that VM, which resulted in closing the connected console and assigning the VM to a user with UserRole instead. In this release, users cannot take VMs that other users are connected to via a console. This prevents users with UserRole permissions from hijacking a VM that a user with SuperUser role is connected to.

BZ#1687845

Previously, displaying notifications for hosts activated from maintenance mode was done when the actual job activation "end time" was after the last displayed notification. But if there was a time difference between server and the browser, the job "end time" could be in the future. In this release, notifications rely only on the server time, and the job’s "end time" is no longer compared to local browser time.As a result, only one "Finish activating host" notification appears.

BZ#1745141

With this release, SnowRidge Accelerator Interface Architecture (AIA) can be enabled by modifying the extra_cpu_flags custom property of a virtual machine (movdiri, movdir64b).

BZ#1782056

With this release, IPSec for the OVN feature is available on hosts with configured ovirt-provider-ovn, OVN version 2021 or later and OvS version 2.15 or later.

BZ#1849169

Feature: A new parameter was added to the evenly_distributed scheduling policy that takes into account the ratio between virtual and physical CPUs on the host. Reason: To prevent the host from over utilization of all physical CPUs. Result: When the ratio is set to 0, the evenly distributed policy works as before. If the value is greater than 0, the vCPU to physical CPU is considered as follows: a. when scheduling a VM, hosts with lower CPU utilization are preferred. However, if adding of the VM would cause the vCPU to physical ratio to be exceeded, the hosts vCPU to physical ratio AND cpu utilization are considered. b. in a running environment, if the host’s vCPU to physical ratio is above the limit, some of the VMs might be load balanced to the hosts with lower vCPU to physical CPU ratio.

BZ#1922977

With this release, shared disks are now a part of the 'OVF_STORE' configuration. This allows virtual machines to share disks, move a Storage Domain to another environment, and after importing VMs, the VMs correctly share the same disks without any additional manual configuration.

BZ#1927985

With this release, Padding between files has been added for exporting a virtual machine to an Open Virtual Appliance (OVA). The goal is to align disks in the OVA to the edge of a block of the underlying filesystem. As a result,disks are written faster during export, especially with an NFS partition.

BZ#1944290

Previously, when trying to log in to Red Hat Virtualization VM Portal or Administration Portal with an expired password, the URL to change the password was not shown properly. In this release, when there is an expired password error, the following clickable link appears beneath the error message: "Click here to change the password". This link will redirect the user to the change password page: "…​/ovirt-engine/sso/credentials-change.html".

BZ#1944834

This release adds a user specified delay to the 'Shutdown' Console Disconnect Action of a Virtual Machine. The shutdown will occur after the user specified delay interval, or will be cancelled if the user reconnects to the VM console. This prevents a user’s session loss after an accidental disconnect.

BZ#1959186

Previously, there was no way to set a quota different from that of the template from the VM portal. Thus, if the user had no access to the quota on the template, the user could not provision VMs from the template using the VM portal. In this release, the Red Hat Virtualization Manager selects a quota that the user has access to, and not necessarily from the template, when provisioning VMs from templates using the VM portal.

BZ#1964208

With this release, a screenshot API has been added that captures the current screen of a VM, and then returns a PPM file screenshot. The user can download the screenshot and view its content.

BZ#1971622

Previously, when displaying the Host’s Virtual Machines sub-tab, all virtual machines were marked with a warning sign. In this release, the warning sign is displayed correctly in the same way as on the Virtual Machines list page.

BZ#1974741

Previously, a bug in the finalization mechanism left the disk locked in the database. In this release, the finalization mechanism works correctly, and the disk remains unlocked in all scenarios.

BZ#1979441

Previously there was a warning that indicates the VM CPU is different than the cluster CPU for high performance virtual machines. With this release, the warning is not shown when CPU passthrough is configured, and as a result, not presented for high performance virtual machines.

BZ#1979797

In this release, a new warning message displays in the removing storage domain window if the selected domain has leases for entities that were raised on a different storage domain.

BZ#1986726

When importing VM from OVA and setting the allocation policy to Preallocated, the disks were imported as Thin provisioned. In this release, the selected allocation policy is followed.

BZ#1987121

The vGPU editing dialog was enhanced with an option to set driver parameters. The driver parameters are are specified as an arbitrary text, which is passed to NVidia drivers as it is, e.g. “enable_uvm=1”. The given text will be used for all the vGPUs of a given VM.

BZ#1988496

Previously, the vmconsole-proxy-helper certificate was not renewed when needed. With this release, the certificate is renewed each time following the CA certificate update.

BZ#2002283

With this release, it is now possible to set the number of PCI Express ports for virtual machines by setting the NumOfPciExpressPorts configuration using engine-config.

BZ#2003996

Previously, snapshots that represent VM next-run configuration were reported by ovirt-ansible but their typewas missing and they could not be removed. In this release, snapshots that represent VM next-run configuration are not reported to clients, including ovirt-ansible.

BZ#2021217

Add Windows 2022 as a guest operating system

BZ#2023786

When a VM is set with the custom property sap_agent=true, it requires vhostmd hooks to be installed on the host to work correctly. Previously, if the hooks were missing, there was no warning to the user. In this release, when the required hooks are not installed and reported by the host, the host is filtered out by the scheduler when starting the VM.

BZ#2040474

The Administration Portal cluster upgrade interface has been improved to provide better error messaging and status and progress indications.

BZ#2041544

Previously,when selecting a host to upload in the Administration Portal (Storage > Domain > select domain > Disks > Upload), trying to select a host different from the first one on the list resulted in jumping back to the first host on the list. In this release, the storage domain and data center are only initialized once, and the list of hosts doesn’t need to be reloaded. As a result, a different host can be selected without being set back to the first one on the list.

BZ#2052557

Previously, vGPU devices were not released when stateless VMs or VMs that were started in run-once mode were shut down. This sometimes caused the system to forbid running the VMs again, although the vGPU devices were available. IN this release, vGPU devices are properly released when stateless VMs or VMs that were started in run-once mode are shut down.

BZ#2066084

Previously, the vmconsole-proxy-user and vmconsole-proxy-host certificates were not renewed when needed. With this release, the certificates are now renewed when executing engine-setup.

BZ#2014888

Dashboard field descriptions have been updated to match the real meanings of I/O operations data fields.

BZ#2010903

Database columns and dashboard field descriptions have been updated to match the real meanings in I/O operations data fields.

BZ#1990462

In this release, Elasticsearch username and password have been added for authentication from rsyslog. AS a result, rsyslog can now authenticate to Elasticsearch using a username and password.

BZ#2059521

Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components.

BZ#2024202

Previously, the formatting of parameters passed to translated messages on ui-extensions dialogs (not just in the Red Hat Virtualization dashboard) was handled in 2 different layers: code and translations. That caused invalid formatting for a number of language. In this release, the formatting of translated messages parameters on ui-extensions is done only on one layer, the translation layer (formatting done on code layer is removed). As a result, translation strings on ui-extensions dialogs are now displayed properly for all languages.

BZ#2040402

The log_days option of the sos logs plugin has been removed. As a result, the command that used this option began to fail. In this release, the use of the option has been removed, and the program now functions as expected.

BZ#2048546

Previously, using the sosreport command in the log collector utility produced a warning. In this release, the utility was modified to use the sos report command instead of the sosreport command. As a result, the warning is no longer displayed. and the utility will continue to work even when the sosreport is deprecated in the future.

BZ#2050566

Rebase package(s) to version: 4.4.5

BZ#1667517

With this release, new console options, including set screen mode have been added to the VM Portal UI. The following console options can now be set in the VM Portal (under Account Settings > Console options): - default console type to use (Spice, VNC, noVNC, RDP for Windows), - full screen mode (on/off) per console type, - smartcard enabled/disabled - Ctrl+Alt+Del mapping - SSH key

BZ#1781241

With this release, support for automatically connecting to a Virtual Machine has been restored as a configurable option. This is enabled in the Account Settings > Console tab. This feature enables the user to connect automatically to a running Virtual Machine every time the user logs in to the VM Portal. - Each user can choose a VM to auto connect to from a list on a global level, in the Account Settings > Console tab. - Only if the chosen VM exists and is running, the auto connect will be enforced next time the user logs in. - The Console type for connecting will be chosen based on Account Settings > Console options. - This auto connect VM setting is persisted per user on the engine.

BZ#1991240

Previously, there was no way to set a quota different from that of the template from the VM portal. Thus, if the user had no access to the quota on the template, the user could not provision VMs from the template using the VM portal. In this release, the Red Hat Virtualization Manager selects a quota that the user has access to, and not necessarily from the template, when provisioning VMs from templates using the VM portal.

BZ#2010203

Previously, newlines included as part of the data were not handled properly, and as a result, the formatting of the table was wrong. In this release, the table format now is correct, even if the data contains newlines.

BZ#2013928

Previously if the data from the DB included special characters in the fields related to the vdc_options, i.e. the same ones that have special meaning in the ADOC format, they were used as is. This resulted in an incorrectly formatted HTML document. In this release, The code was modified to escape replacing some of the characters, and modified the code in a way that no longer translates some of the characters. AS a result, the information now properly presented, even if the DB fields contain special characters.

BZ#2051857

Rebase package(s) to version: 1.0.13

BZ#2037121

rhv-image-discrepancies tools now shows Data Center and Storage Domain names in the output.

BZ#2054756

With this release, a link to the Migration Toolkit for Virtualization documentation has been added to the welcome page of the Red Hat Virtualization Manager.

BZ#2050614

Rebase package(s) to version: 4.5.0

BZ#2075352

The following changes have been made to the way certificates are generated: Internal CA is issued for 20 years. Internal certificates are valid for 5 years. Internal HTTPS certificates (apache, websocket proxy) are valid for 398 days.

BZ#1964461

A flaw was found in normalize-url. Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data.

BZ#1995793

A flaw was found in nodejs-trim-off-newlines. All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing. The highest threat from this vulnerability is to system availability.

BZ#2007557

A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.