Previously, a VNC console would fail to open when one tried to open the console from the URL provided by the command: nova get-vnc-console <INSTANCE_ID> novnc. This has been fixed and the console now opens.

Previously, multiple qpid exchanges were created by Ceilometer but not removed if not required, leading to system out of memory errors. This has been fixed by appropriate configuration so that unnecessary qpid exchanges are removed.

Previously, volumes created from Glance images were not being re-sized according to the passed parameters, when using NFS or GlusterFS backends, even though Cinder's DB reported the correct size. This has been fixed so that the backing file gets re-sized correctly as shown in Cinder DB.

Previously, multiple qpid exchanges were created by Cinder but not removed if not required, leading to system out of memory errors. This has been fixed by appropriate configuration so that unnecessary qpid exchanges are removed.

Previously, running Glance commands such as  “glance image-show” followed by non-ASCII arguments would cause an error. This has been fixed so that Unicode characters are also managed correctly.

Previously, multiple qpid exchanges were created by Heat but not removed if not required, leading to system out of memory errors. This has been fixed by appropriate configuration so that unnecessary qpid exchanges are removed

The Compute Conductor (openstack-nova-conductor) service was not correctly closing Qpid message exchanges. As a result after several hours of operations many open exchanges would remain in existence. The Compute Conductor service has been updated and now closes Qpid message exchanges correctly when they are no longer needed.

The Block Storage service (openstack-cinder-volumes) is initialized earlier in the boot process than items listed in the rc.local file.

On systems deployed by PackStack and configured to use a volume group backed by loopback device for block storage this meant that the volume group was not available when the Block Storage service was started on boot. As a result the service would fail to start.

PackStack has been updated and now ensures that the Block Storage service is restarted once the rc.local file is processed and the volume group is available. This ensures that the Block Storage service continues to function correctly following reboot.

The default PackStack configuration of Keystone generates UUID tokens. Administrators wishing to generate and use PKI tokens must:

1) Generate the PKI files using the keystone-manage command:

# keystone-manage pki_setup \
   --keystone-user keystone \
   --keystone-group keystone

2) Ensure that Keystone has ownership of the files in the /etc/keystone/ssl/ and /var/log/keystone/ directories:

# chown -R keystone:keystone /etc/keystone/ssl/ /var/log/keystone/

3) Update the value of the token_format configuration key in /etc/keystone/keystone.conf to PKI:

# openstack-config --set /etc/keystone/keystone.conf \
  token_format PKI

4) Restart the openstack-keystone service:

# service openstack-keystone restart

Previously, after using PackStack to install OpenStack, one could start Swift successfully the first time. However, attempting to restart Swift after the first start failed. This has been fixed and Swift restarts correctly.

Before OpenStack Networking had support for namespaces,  overlapping IP support was not enabled. Now that namespaces are supported, overlapping IPs are enabled by default.

Previously, the openvswitch service would not start automatically upon reboot. The service has now been added to the runlevel so openvswitch now starts automatically after a reboot, if enabled.

Previously, Ceilometer commands failed with a 404 Error unless the latest metering API was explicitly specified. This has been fixed by using the latest metering API by default, so Ceilometer commands work as expected.

Previously components that used AMQP for communication would log exceptions that occurred while the connection was being closed. Such components included the Compute service itself (openstack-nova-compute), the Compute Scheduler (openstack-nova-scheduler), and the Compute Conductor (openstack-nova-conductor).

These messages were spurious in that errors reading from or writing to the recently closed socket are expected and do not require administrator attention. As such logging of AMQP errors that occur while the connection is being closed is now disabled.

The "default" OpenStack Networking security group is created automatically when creating a tenant network. The Compute service previously always checked for the presence of this "default" security group when launching instances. As a result launching a virtual machine instance when no tenant network had been created ended in error:

SecurityGroupNotFound: Security group default not found.

The Compute service has been updated to only check for the existence of the "default" security group when a tenant network for the instance to use exists.

The "Help" link in the Dashboard (Horizon) directed users to the Red Hat OpenStack 2.0 (Folsom) documentation. The link has been updated to direct users to the Red Hat OpenStack 3.0 (Grizzly) documentation.

Attempts to re-authenticate on detecting possible token expiry actually re-used the expired token. As a result the novaclient instance would stop working once the original token had expired. By default tokens expire after 24 hours.

An update has been made to ensure the old authentication token has been discarded before attempting re-authentication. As a result the novaclient instance continues to work following expiry of the original token.

The python-quantumclient package did not include a dependency on version 1.3 of the python-cliff package. This version of python-cliff is required to maintain Python 2.6 compatibility. If python-cliff 1.3 was not installed on the system, some quantum client actions would end in error:

AttributeError: 'module' object has no attribute 'compress'
'module' object has no attribute 'compress'

The python-quantumclient package has been updated and now includes a dependency on python-cliff version 1.3.

The Foreman package specification previously attempted to modify the permissions of a non-existent file, "ocal_secret_token.rb". 

This resulted in an error message being displayed but no further negative consequences for the installation. The Foreman package specification has been updated to modify the permissions of the correct file, "local_secret_token.rb".

A new package, ruby193-foreman-selinux, has been added to Red Hat OpenStack. The ruby193-foreman-selinux package includes SELinux policies to support the installation and operation of Foreman on servers that run SELinux in enforcing mode.

When deploying the Dashboard (Horizon) Foreman was not importing all required Puppet modules. As a result an SELinux boolean required to allow the web server (httpd) to run with SELinux set to enforcing mode was not set correctly. The additional Puppet modules are now included and httpd is able to run when SELinux is set to enforcing mode on new deployments performed using Foreman.

Rebase package(s) to version: openstack-ceilometer-2013.1.3-1.el6ost

Important fixes: 

For large datasets, MongoDB failed to sort without an index, causing sample retrieval to fail. This has been fixed by creating an index on descending timestamp which allows sorting.

Due to compute agent polling logic not having access to the complete metadata, resource metadata for instances was nulled out after boot. This has been fixed so that resource metadata for instances is not incorrectly overwritten.

If instances were booted without ramdisk and kernel images, resource metadata was not gracefully handled. This has been fixed so that missing image data does not cause an exception.

Rebase package(s) to version: openstack-2013.1.3-1.el6ost

Important fixes or notable enhancements: 

Python-boto is an interface to Amazon Web Services. Recent versions of boto did not work with Heat due to a signature format change by AWS. This bug has now been fixed so that boto interfaces with Heat.

Previously, when an AWS::AutoScaling::LaunchConfiguration resource defined the SecurityGroups property, the creation of the instance group failed. This has been fixed so that the instance group is created correctly.

The RPC in Oslo has been replaced with the latest version to fix an exchange problem with Qpid.

Previously when using Quantum/Neutron with packstack, networks/subnets/routers had to be manually configured, a process that was complex and could lead to errors.

The packstack --allinone command has been modified and new answer file options have been added:

CONFIG_KEYSTONE_DEMO_PW
  The demo tenant password. Automatically configured/no prompting just like the ADMIN_PW. Only actually used if CONFIG_PROVISION_DEMO=y

CONFIG_PROVISION_DEMO
  Whether to provision demo quantum networks/subnets/routers
  Requires: CONFIG_QUANTUM_INSTALL=y and CONFIG_QUANTUM_USE_NAMESPACES=y

CONFIG_PROVISION_TEMPEST
  Whether to set up tempest for running tests against the Openstack install
  Requires: CONFIG_QUANTUM_INSTALL=y and CONFIG_QUANTUM_USE_NAMESPACES=y

CONFIG_PROVISION_ALL_IN_ONE_OVS_BRIDGE
  Whether to set up the L3 external bridge with the appropriate IP address to act as the gateway for VMs.

The --allinone option will automatically enable CONFIG_PROVISION_DEMO and CONFIG_PROVISION_ALL_IN_ONE_OVS_BRIDGE if CONFIG_QUANTUM_INSTALL=y (which it is by default). --allinone --os-quantum-install=n still works for installing without Quantum.

Additional changes:
1) A new 'demo' keystone tenant has been added along with a keystonerc_demo file which can be sourced like the existing keystonerc_admin. You should log into Horizon using the 'demo' account instead of the 'admin' account due to the ownership of the private and public networks.

2) When launching a VM via Horizon, you additionally need to go to the "Network" tab and select the "private" network.

3) Current instructions specify creating a security group rule to allow SSH traffic. An ICMP rule has been added as well.

Instructions for installing Neutron using PackStack are available at http://openstack.redhat.com/Neutron-Quickstart.

Previously, if linuxbridge was selected as the L2 agent during a PackStack interactive installation, PackStack would fail with the error:
ERROR : local variable 'iface_arr' referenced before assignment
    Please check log file /var/tmp/packstack/<timestamp>/openstack-setup.log for more information.
This has been fixed and linuxbridge can be set as the L2 agent.

Previously, when running "packstack --allinone", certain kernel parameters were not set. Without this configuration security groups did not work correctly. This has been fixed and security groups now work correctly.

Previously, when you added new servers to an existing cluster using PackStack, initialization was carried out on all nodes, including existing nodes where there were no changes required.

A new option has been added which allows you to use the same answerfile and exclude the existing servers from re-initialization when running PackStack on an existing cluster. This makes initialization faster.

The new option is "--exclude-server=EXCLUDE_SERVERS" where EXCLUDE_SERVERS is the comma separated list of IPs of nodes that must not be altered.

Previously, the inifile module did not manage empty values well. Empty values need to be able to be set for Neutron. This has been fixed and the inifile module now manages empty values correctly.

Rebase package(s) to version: openstack-quantum-2013.1.3-1.el6ost

Amongst several bugfixes, two critical bugs were fixed:

When a port had multiple IP addresses, the iptables security group implementation dropped all of the packets from that port. As a result, the port could not communicate. This has been fixed so that the port can communicate.

When a port was updated with an IP address that is not in any allocation pool, the port could no longer be updated. In addition, no new ports could be created. This has been fixed so that ports can be updated and hence new ports created.

There was a bug which caused Horizon to not display security rules after a new rule had been added using the command line interface. This bug has been fixed so that Horizon correctly displays rules added using the CLI.

Rebase package(s) to version: python-django-horizon-2013.1.3-1.el6ost

Four important fixes:

Previously, when trying to delete a Swift container that contains data (which cannot be done until the data is deleted), the user just received an unclear error message. Now the user gets a warning instead that explains the problem.

When using Quantum, it is now also possible to disassociate Floating IPs from the Instances page.

Previously, when multiple ports and/or CIDRs exist, the network topology diagram became hard to read due to inadequate spacing and text overlap. Now improvements have been made to the network topology diagram which make it more legible.

Localisation improvements: Previously, some variables and templates variables that should be translatable weren't marked as such. Now additional strings have been marked as translatable, and the translation files updated.

An additional tab has been added to the Horizon dashboard GUI. This tab, titled "Red Hat", is on the left of the dashboard next to the "Project" and "Admin" tabs. It will only be visible if the redhat-access-plugin-rhos package has also been installed. (and httpd restarted)

Selecting this tab enables access to Red Hat subscriber services from within the dashboard, such as:
- Knowledge base article/solution viewing.
- Diagnostic services on console logs.

Previously in Glance, the "openstack-db --init" command failed when using the default configuration with an "unable to open database file" error. This was due to the location of files being incorrectly specified. This has been fixed and the Glance database is now correctly created and initialized.

Previously, installation of an OpenStack controller node using the Foreman fails with an error of 'Invalid parameter glance_user_password at <filepath>/controller.pp:99'. 

This has been fixed so that the Foreman now correctly creates a controller.

The previous version of ruby 1.9.3 was outdated. However, the way it was packaged, it included wrapper scripts which were used by the Foreman. This meant that many bugfixes present in later patch levels of ruby 1.9.3 were not available.

This was fixed by separating the wrapper scripts into their own package. This allows later versions of ruby 1.9.3 to be provided (in this case, patch level 448), which contain numerous fixes. Now, when using the Foreman, you will see two packages (ruby193-ruby and ruby193-ruby-wrapper) instead of one.

Iproute is a collection of utilities for controlling TCP / IP networking and
traffic control. The iproute packages contain networking utilities
(for example, ip and rtmon), which are designed to use the advanced networking
capabilities of the Linux kernel.
These updated iproute packages include numerous bug fixes and enhancements.
Space precludes documenting all of these changes in this advisory. Users
are directed to the Red Hat Enterprise Linux 6.5 Technical Notes for
information on the most significant of these changes:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux
/6/html/6.5_Technical_Notes/index.html

Rebase package(s) to version: 2013.1.4

* Previously, Ceilometer could return stale status of resources in some 
circumstances. This was fixed so that Ceilometer always returns the current
state of resources.

* Previously, Swift replies were interpreted as empty. This has been fixed to
ensure correct communication through Swift middleware.

* Previously, outage of other services could crash Ceilometer's agents. This
has been fixed to ensure Ceilometer agents don't terminate on communications
issues.

* Previously, with default config, notifications were ignored. This has been
fixed to ensure Ceilometer consumes notifications from the default queue.

Previously, permissions for user access to  /var/log/cinder were set
incorrectly. This has been fixed so that only root and the Cinder user can access
/var/log/cinder.

Previously, connections created by Cinder while trying to reconnect to the qpid server
wouldn't be closed if an error was triggered during the process. As a result
the service had to be restarted to close unused connections. This has been
fixed so that, even on an error, qpid always closes the old connection before
trying to reconnect.

Due to a backported change for NFS/GlusterFS drivers, NetApp NFS
drivers failed to initialize when the Volume service was started. The Cinder
package has been patched to resolve this issue, and NetApp NFS drivers now
function correctly.

Rebase package(s) to version: 2013.1.4

Highlights and important bug fixes: See https://launchpad.net/cinder/+milestone/2013.1.4

* Previously some credentials were not encoded correctly before storage in
the database, resulting in errors during deferred operations relying on
the stored credentials.  This has been fixed so credentials are
correctly encoded before being encrypted and written to the database.

* Previously it was not possible to create an Instance resource attached to
a subnet which already exists. The SubnetId property has now been
implemented for the Instance resource, fixing the problem.

Previously, when a compute node changed its hostname (either deliberately or
or because of a broken DNS), the compute node was deleted from the resources
database. This prevented new instances being to scheduled on it. Now, the
compute node caches the hostname on startup and reports the same hostname on
all subsequent resource update calls. It also logs an error message if the
hostname changes.

A new configuration option, called "workers", has been added to the conductor
section in nova.conf, which specifies the number of workers the conductor will
start. This was added to enhance performance on big clusters, where having
just one conductor may cause performance issues due to only one service managing
all the requests to the database.

The version of qemu-img shipped in RHEL 6.4 mistakenly provided the
option -s (used to generate internal snapshots) which was ignored by the
qemu-img because its functionality was not implemented.

This caused the snapshot functionality of OpenStack to crash because it
relied on this option to be present.

This was fixed by ensuring the snapshots do not use internal snapshots any more
(that is, Nova doesn't need the -s option any more). Now, when performing a
snapshot in OpenStack the instance is put in a "shutdown" state which prevents
writes to disk during the process. An external snapshot is created directly
from disk without requiring a previous internal snapshot.

Previously, it was not possible to set the Keystone admin password and the
Keystone demo password via CLI parameters or in interactive mode. This has
been fixed and the passwords can now be set.

Support for GRE tunneling has been added. Two new settings have been added to
support GRE networks with OpenStack Networking:
packstack --allinone --quantum-ovs-tunnel-ranges=1:1000 \
--quantum-ovs-tenant-network-type=gre

Alternatively, you can add the following to the answer file:
CONFIG_QUANTUM_OVS_TUNNEL_RANGES=1:1000 #start:end of range
CONFIG_QUANTUM_OVS_TENANT_NETWORK_TYPE=gre

The parameter CONFIG_NOVA_NETWORK_HOST has been changed to
CONFIG_NOVA_NETWORK_HOSTS and now supports multi-host nova-network installations.
You can still install on a single host or you can list all compute hosts in
this parameter to have multi-host installation.

Previously, demo provisioning and tempest configuration were only possible
when OpenStack Networking was enabled, and not possible when Nova Network was enabled.
This has been fixed by updating demo provisioning and tempest configuration
to support Nova Network. Now, demo provisioning and tempest configuration are
supported when either OpenStack Networking or Nova Network is enabled.

Rebase package(s) to version: 2013.1.4

* Previously, the network namespace in which dnsmasq ran did not have a default
route. This did not allow dnsmasq to forward requests to an external name server.
This was fixed so that now, any time the DHCP server is updated, a default route
in the DHCP namespace will be maintained using the first available gateway_IP
attribute of the DHCP-enabled IPv4 subnets available for VMs on the network.

* There were also various fixes related to NVP, Hyper-V, NEC, Nicira, Brocade,
and Cisco plugins. For more information,
see: https://launchpad.net/neutron/grizzly/2013.1.

When using OpenStack Networking and logged in as an admin user on a project,
the user was able to also see IPs from their other projects. This made it
difficult for the user to find the correct IP to allocate from the list displayed
in the Dashboard. This has been fixed so that the floating IP lists are
restricted to the floating IPs belonging to the current project.

A Python library called python-boto is used to access OpenStack through the
EC2 compatibility API. A bugfix to python-boto 2.9.3 caused backward
incompatibility. As a result signature verification would fail with
python-boto versions from 2.9.3 on. A fix which takes into account the version
allows python-keystoneclient to work correctly with both pre and post 2.9.3
python-boto versions.

Previously, forms in OpenStack Dashboard could only be submitted once because
the buttons were deactivated after they had been clicked. This has been fixed
and the buttons are reset so that forms can be submitted multiple times.

Previously, a user who was logged into the Red Hat Customer Portal sometimes
received a notification that they had yet to sign in. This has been fixed so
a logged-in user no longer receives notifications to log in again.

Cause: Inconsistent case used in QPID driver when referring to the direct exchange type. 

Consequence: A spurious error is reported indicating the 'Direct' exchange type is unknown. 

Fix: The references to the direct exchange type were made consistently lower-case.

Result: The spurious error is no longer reported.

Cause: All potential errors were not explicitly handled in the QPID driver's consuming thread.

Consequence: Unhandled errors encountered by the QPID driver's consuming thread could cause it to die silently, so that no further incoming messages are received by that agent.

Fix: The consuming thread has been made more resilient to potential errors.

Result: Errors are now logged and the message consumption logic is then retried.

Cause: QPID direct publisher using the wrong exchange type 'Direct'

Consequence: If the exchange had not been created previously by a consumer, the publisher would crash because it couldn't find the specified exchange.

Fix: Change the exchange type in the Publisher to 'direct'

Result: The publisher operates as expected.

Cause: Unhandled errors in the QPID consuming thread.

Consequence: The thread was be silently killed, isolating the component from the rest of the system.

Fix: The consuming thread has been made more resilient to errors by ensuring it doesn't die on an unhandled error. 

Result: The error is now logged and the consuming thread operates as expected.

Cause: 

The Image Service configuration file exposed the wrong parameter name for qpid's host.
 
Consequence: 

The Image Service notification service wouldn't connect to qpid nodes.

Fix: 

Replaced qpid_host with qpid_hostname in glance-api.

Result:

The qpid nodes operate as expected.

Cause: All potential errors were not explicitly handled in the QPID driver's consuming thread.

Consequence: Unhandled errors encountered by the QPID driver's consuming thread could cause it to die silently, so that no further incoming messages are received by that agent.

Fix: The consuming thread has been made more resilient to potential errors.

Result: Errors are now logged and the message consumption logic is then retried.

By default, QPID uses TCP as a connection transport instead of a connection protocol. Previously, the procedure for enabling SSL in QPID connections was to set 'qpid_protocol = ssl' in /etc/glance/glance-api.conf. This setting, however, sets connection protocol; the python-qpid client, on the other hand, expects a connection transport type. The mismatch prevented QPID from actually establishing an SSL connection.

With this release, the 'qpid_protocol = ssl' setting now enables SSL for the connection transport instead of the connection protocol. As such, QPID can now successfully establish SSL connections.

Cause: The ovs cleanup script would exit before its operations finished.

Consequence: When restarting services, it was possible that OVS cleanup would remove devices needed by newly restarted services.

Fix: Ensure that the ovs cleanup script does not exit before completion.

Result: OVS cleanup does not delete devices that are created after it is run.

Cause: QPID direct publisher using the wrong exchange type 'Direct'

Consequence: If the exchange had not been created previously by a consumer, the publisher would crash because it couldn't find the specified exchange.

Fix: Change the exchange type in the Publisher to 'direct'.

Result: The publisher operates as expected.

Cause: Dashboard expects the 'email' attribute to exist when attempting to update an existing user.

Consequence: In environments that use the Identity service with a LDAP backend, it's possible that a user won't have the "email" attribute defined. The Dashboard then fails to display the "Update User" form for these users (error 500).

Fix: Gracefully handle the absence of an 'email' attribute.

Result: The "Update User" form displays correctly whether the user has an "email" attribute or not.

Rebase package(s) to version: 2013.1.5

Highlights, important fixes, or notable enhancements:

* Added X-Tenant-ID to metadata request - Previously, you could update a port's device_id to be that of another tenant's instance_id and then be able to retrieve that instance's metadata. In order to prevent this X-Tenant-ID is now passed in the metadata request to nova which then checks that the X-Tenant-ID also matches the tenant_id for the instance against it's database to ensure it's not being spoofed.

* Added 'allow all' IPv4/6 security group rule - Previously, if you tried to add a rule to allow all ingress IPv4, OpenStack Networking would respond that the rule was already part of the security group. This happened as the filter for querying the existing rules used a wildcard for remote_group_id thus returning a false match. This patch addresses this issue.

* Enhanced RPC thread robustness.