Chapter 4. Technical Notes

This chapter supplements the information contained in the text of Red Hat OpenStack Platform "Mitaka" errata advisories released through the Content Delivery Network.

4.1. RHEA-2016:1597 — Red Hat OpenStack Platform 9 Release Candidate Advisory

The bugs contained in this section are addressed by advisory RHEA-2016:1597. Further information about this advisory is available at

4.1.1. General

With this update, the LBaaS dashboard was moved out of horizon, and is now a separate plugin.
As a result, you can install the LBaaS dashboard using `yum install neutron-lbaas-ui`. You will need to restart httpd to apply the change.

4.1.2. keycloak-httpd-client-install

This release now includes a Technology Preview version of the keycloak-httpd-client-install package. This package provides a command-line tool that helps configure the Apache mod_auth_mellon SAML Service Provider as a client of the Keycloak SAML IdP.

4.1.3. mariadb-galera

Previously, the RPM for `mariadb-galera` included a step to generate TLS certificates for use in Galera SSL communication. However, when the installed RPMs were used with containers that were then replicated, the TLS certificates themselves were replicated as well. Consequently, every copy of a container carried a TLS certificate identical to the original, which is a security problem if those certificates were actually used.
With this update, the RPM package no longer generates the certificates.
As a result, no certificate is generated that could be carried into a container. Certificates can be generated manually if SSL configuration of Galera is needed. Note that Red Hat OpenStack director currently does not configure Galera for SSL.

4.1.4. opendaylight

OpenDaylight Beryllium SR2 is available in this release as a Technology Preview.

4.1.5. openstack-aodh

This rebase package includes aodh updates under version openstack-aodh-2.0.1-3.el7ost.
For the full list of changes, please refer to the upstream release notes:
This update provides a client for the Aodh API. The client consists of a Python API, which is available in the "aodhclient" module, and a command-line script, which is installed as the "aodh" command. Both the Python API and the command-line script implement the entire Aodh API.
This aodh rebase package includes a notable fix under version openstack-aodh-2.0.1-1.el7ost:

* Bug 1575530 - An update was added to fix and improve the partition coordinator, making sure that input tasks are correctly distributed to partition members.
Previously, when creating an alarm of type `gnocchi_aggregation_by_metrics_threshold`, the evaluator raised an exception.
This update addresses this issue by setting `needed_overlap` to always apply on aggregation.
Prior to this update, composite alarms continued to send notifications on each refresh. This resulted in unnecessary notifications appearing in the log files.
This update addresses this by no longer sending notifications on each alarm refresh.

4.1.6. openstack-ceilometer

Previously, gnocchi-dispatcher options were not present in `ceilometer.conf` by default. Consequently, the options had to be manually added. With this update, the gnocchi-dispatcher options are included by default when ceilometer is installed.
Prior to this update, events could not be filtered by time-based fields.
Consequently, `le` and `ge` queries did not work on time-based fields.
This update adds new query operators, with the result that the `le` and `ge` operators should now work on time-based queries.
Telemetry (ceilometer) dbsync creates an old alarming table, as a result of still running the `sqlalchemy-migrate` code. Consequently, Aodh dbsync sees no reference to Alembic, and has SQLAlchemy create the necessary tables. However, the tables are already present, so nothing is done, and the database is stamped to the latest version of Aodh Alembic.
You can avoid this issue by not creating alarm tables in ceilometer dbsync.

4.1.7. openstack-cinder

This update adds RPM requirements to ensure that the Python libraries required by the Google Cloud backup driver are present.
Previously, python-taskflow was missing a dependency on a suitable version of python-networkx.
Consequently, `cinder create volume` did not function as expected.
With this update, python-taskflow package has the correct dependencies, and `cinder create volume` works as expected.

4.1.8. openstack-gnocchi

This openstack-gnocchi rebase package adds notable updates under version: openstack-gnocchi-2.1.1-1.el7ost
For more information, see the upstream release milestone:

4.1.9. openstack-heat

When multiple environment files are specified, they are combined in the engine instead of the client. This provides heat enough information to correctly orchestrate a stack.
Using the resource registry in the environment, a user can set a hook which will pause delete actions on these resources. This allows users to take specific actions when a resource is deleted, and perform extra validation when critical elements are removed. As a result, when a resource with a pre-delete hook is about to be deleted, Heat will pause until the resource is signaled with {'unset_hook': 'pre-delete'} as data.

4.1.10. openstack-ironic

Previously, the iPXE driver had a conditional that prevented nodes from being configured with UEFI boot mode. Consequently, iPXE driver users could not configure their nodes with UEFI and were forced to use the BIOS instead.
With this update, the conditional was removed, and users of the iPXE driver can now deploy their nodes in UEFI mode.
This enhancement adds manual cleaning, which allows operators to move a node directly into a cleaning state, from a manageable state.
This was added because operators may run cleaning steps for various reasons, including: Building RAID, erasing devices, among others.
As a result, operators are now able to use the OpenStack Bare Metal (ironic) API to manually start the cleaning process for the ironic nodes, choosing exactly which steps should be run.
This enhancement adds support for in-band cleaning with the iSCSI drivers. Cleaning steps such as disk erase and in-band RAID configuration, among others, can now be performed on nodes that use these drivers.
Running cleaning steps improves security when recycling nodes in ironic: all data left by previous tenants can be erased, and checks can be run to verify that the machine was not compromised.
As a result, drivers such as pxe_ipmitool, pxe_drac, pxe_iboot, pxe_ilo, pxe_amt, and pxe_wol, among others, can now run in-band cleaning steps.

4.1.11. openstack-neutron

Previously, `ipset` was not declared as a dependency of the Open vSwitch (OVS) and Linux Bridge neutron agents; it was only a dependency of the openstack-neutron package. Consequently, nodes that had the Open vSwitch or Linux Bridge agent packages installed without `openstack-neutron` lacked ipset, which the L2 agents require to configure security groups.
With this update, both the openstack-openvswitch-agent and the openstack-linuxbridge-agent packages depend on ipset.
Previously, the openstack-neutron-common package did not require the shadow-utils package. This prevented the 'neutron' user from being created when the openstack-neutron-common package was installed, resulting in neutron being unable to execute commands on hypervisors. With this update, the openstack-neutron-common package now requires the shadow-utils package, and the 'neutron' user is correctly created.
Previously, when the bridge ports for br-int and br-tun were missing during agent startup, the agent checked for the patch ports `int-br-ex` and `phy-br-ex` before adding them. However, the function used to check their existence was get_port_ofport(), which retried the check because of its @_ofport_retry decoration.
Consequently, the retries made the restart unnecessarily slow.
With this update, the existence of the ports is checked with port_exists() instead of get_port_ofport(). As a result, startup is no longer slowed down when the bridge ports for br-int and br-tun are missing.

4.1.12. openstack-nova

With this update, the openstack-nova package is now re-based to upstream version 13.1.0.
Previously, when booting instances, the nova API automatically added a default security group if none was specified, which must not be done on a network with the option 'port_security_enabled=False'.
Consequently, the boot process failed for users booting an instance attached to a network with port security disabled.
With this update, nova no longer adds a default security group to a port created for an instance on a network with port_security_enabled=False.
As a result, the boot process works as expected, and the port attached to the instance does not have a default security group attached.

NOTE: a known bug in the dashboard still indicates that a default security group is attached to the instance, but this only occurs during the first attempt at booting the instance.
With serial_console enabled, repeatedly starting and stopping an instance eventually caused the compute service to run out of ports. When this occurred, attempting to start an instance resulted in a 'SocketPortRangeExhaustedException' error, preventing instances from being started. This was because while the compute service creates a port when an instance is started (as opposed to created), it only releases a port when an instance is deleted (as opposed to stopped).

In this update, the method that destroys the guest from a libvirt perspective now also releases serial ports. This ensures that a serial port is released as soon as it is no longer required by an instance, thereby making the port available again.
When creating snapshots, the compute API now omits the disk format and container format from the image API request. This ensures that the driver uses the correct snapshot image format, which in turn prevents snapshots from failing with a BadRequest when the snapshot image is converted to a format other than the one the base image uses.
Previously, under BZ#1332599, a regression was discovered that caused an instance to lose its serial ports after a hard reboot. Consequently, it was not possible to connect to the instance through a serial console. This occurred because, during a hard reboot, the serial ports on the host were released, but because the domain XML still defined them, the step that acquires ports on the host during boot was not executed.
To address this issue, nova now undefines the domain from libvirt after destroying it.
When assigning an SR-IOV Virtual Function (VF) device to an instance, its corresponding Physical Function (PF) device is correctly masked as unavailable in the database. However, in past releases, deleting the instance did not update the PF as available. As a result, PCI devices were never released from the database after instances which used them were deleted. 

With this update, nova now maintains an in-memory tree of PCI devices, then periodically flushes it into the database. This helps update the database on information about available devices.
In previous releases, the systemd unit file for openstack-nova-compute was missing a required dependency on libvirtd. As such, restarting openstack-nova-compute failed whenever libvirtd was not already running. This update adds the dependency.
With this enhancement, the act of evacuating instances with pinned CPUs can result in these instances being hosted on a hypervisor which already handles instances with the same pinning configuration.
This was added because the resource tracker does not track CPU pinning for instances on hosts.
As a result, a condition has been added to the NUMATopologyFilter filter that passes hosts which already manage an instance with the same CPU pinning configuration as the instance being evacuated.

4.1.13. openstack-packstack

Previously, Packstack tried to create a gnocchi database when ceilometer installation was disabled. As a result, disabling ceilometer caused Packstack installations to fail, as some parameters required for creating a gnocchi database were not passed. With this release, Packstack no longer attempts to create a gnocchi database if ceilometer is disabled.

4.1.14. openstack-puppet-modules

Previously, iPXE could freeze during an HTTP download, causing the Bare Metal Provisioning (ironic) service to hang.

This update makes sure that iPXE retries booting from the network in case of a failure. The '--timeout' option can be used to avoid an unlimited freeze. As a result, a freeze no longer occurs during the HTTP download.
The service providers responsible for configuring VPNaaS and LBaaS created additional files that were never included in the service startup. This prevented neutron-server from starting if LBaaS was enabled.

Previously, the LBaaS service config provider was updated to put service providers directly into /etc/neutron/neutron.conf. Updating VPNaaS to do the same would have caused it to overwrite the 'service_provider' value set by LBaaS, or vice-versa. So to address this, this update moves the 'neutron_config' provider from ini_setting to openstackconfig and adds a variable to neutron::server to manage service providers. This, in turn, prevents VPNaaS and LBaaS from overwriting each others' service_provider values. As a result, enabling LBaaS no longer prevents neutron-server from starting.
The Ceph puppet module (puppet-ceph) did not update CephX keyrings when the caps parameter for a key was changed. This caused overcloud upgrades to fail, as the caps needed to operate on the new 'metrics' pool were not added to the CephX keyring.

With this update, puppet-ceph regenerates the virsh secret or updates its key if either 'rbd_keyring' or 'libvirt_rbd_secret_uuid' changes. This ensures that the CephX keyring is updated as required when secrets or caps change.

4.1.15. openstack-selinux

Previously, no SELinux policy allowed the Compute API to be started in WSGI with Apache, which resulted in an AVC denial in audit.log.

With this update, Compute is able to bind to the HTTP port and runs without errors when started in WSGI with Apache.
Previously, running the Block Storage API in WSGI with Apache and SELinux in enforcing mode resulted in an AVC denial, as SELinux prevented '/usr/sbin/httpd' from accessing the '/var/log/cinder/cinder-api.log' file.

With this update, 'httpd' is allowed access to the Block Storage API log file. As a result, the Block Storage API in WSGI runs without AVCs.
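To see which denials a policy change like this one has to cover, an operator reads the AVC records out of audit.log. The parser below is an added example, not part of the openstack-selinux package; it extracts denials for a given process and renders the allow rule a policy module would need (the same summary audit2allow prints). The audit records are constructed for illustration, not captured from a real host.

```python
import re

# Constructed audit.log records (not from a real host): an httpd denial on the
# cinder-api log, the SYSCALL record that accompanies it, an httpd port bind
# denial, and an unrelated denial from another process.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1466431200.101:201): avc:  denied  { append } for  pid=2345 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1466431200.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1466431200.102:202): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=8774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1466431205.500:210): avc:  denied  { write } for  pid=777 comm="crond" name="spool" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc_records(log_text):
    """Return one dict per AVC record, with contexts reduced to their type."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types are skipped
        fields = {key: quoted if quoted else bare
                  for key, quoted, bare in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "serial": int(m.group("serial")),
            "decision": m.group("decision"),
            "perms": sorted(m.group("perms").split()),
            "comm": fields.get("comm"),
            "path": fields.get("path"),
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "permissive": fields.get("permissive") == "1",
        })
    return records


def denials_for_comm(log_text, comm):
    """Denied AVC records raised by processes whose comm field matches."""
    return [r for r in parse_avc_records(log_text)
            if r["decision"] == "denied" and r["comm"] == comm]


def allow_rule(record):
    """Render the TE rule that would permit the denied access, audit2allow style."""
    return "allow %s %s:%s { %s };" % (record["source_type"], record["target_type"],
                                        record["tclass"], " ".join(record["perms"]))


if __name__ == "__main__":
    for rec in denials_for_comm(SAMPLE_AUDIT_LOG, "httpd"):
        print("serial %d path=%s -> %s" % (rec["serial"], rec["path"], allow_rule(rec)))
```

The rendered rule is a starting point for review: a packaged policy such as openstack-selinux carries a reviewed rule for the specific log file type, rather than whatever audit2allow would emit for a broader target type.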

4.1.16. openstack-swift

This enhancement adds improved replica placement, and protection from duplicated assignments.
This was added because, in the traditional Swift layout, the act of accidentally assigning two replicas of a partition to the same device resulted in a silent reduction of durability.
As a result, duplicate assignments are prevented, so the ring adheres to its calculated guarantees. However, since this requires the number of devices to be no less than the number of replicas, certain incorrect old rings may now be considered invalid. Note that the number of zones may still be smaller than the number of replicas.
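The durability loss described above can be checked for in an existing ring by walking its replica-to-device table. The following is an added example, not Swift's own code: it uses the layout the ring builder keeps internally (replica2part2dev[replica][partition] gives a device id), and the small ring it inspects is constructed so that partition 1 places two replicas on the same device.

```python
from collections import Counter

# Constructed ring for illustration (not a real Swift ring file).
REPLICA_COUNT = 3
DEVICES = [
    {"id": 0, "zone": 1, "device": "sdb"},
    {"id": 1, "zone": 1, "device": "sdc"},
    {"id": 2, "zone": 2, "device": "sdb"},
]
REPLICA2PART2DEV = [
    [0, 0, 2],  # replica 0 of partitions 0, 1, 2
    [1, 0, 1],  # replica 1: partition 1 lands on device 0 a second time
    [2, 2, 0],  # replica 2
]


def check_ring(devices, replica2part2dev, replica_count):
    """Report partitions whose replicas share a device, plus the zone spread.

    Returns {"duplicates": {part: [dev_id, ...]}, "effective_copies": {part: n},
    "zones": {part: n_zones}}.  Raises ValueError when the ring has fewer
    devices than replicas, which no duplicate-free placement can satisfy.
    """
    if len(devices) < replica_count:
        raise ValueError("ring has %d devices but %d replicas"
                         % (len(devices), replica_count))
    dev_zone = {d["id"]: d["zone"] for d in devices}
    part_count = len(replica2part2dev[0])
    duplicates, effective, zones = {}, {}, {}
    for part in range(part_count):
        devs = [replica2part2dev[r][part] for r in range(replica_count)]
        counts = Counter(devs)
        dups = sorted(dev for dev, n in counts.items() if n > 1)
        if dups:
            duplicates[part] = dups  # the silent durability loss in old rings
        effective[part] = len(counts)  # distinct devices actually holding data
        zones[part] = len({dev_zone[dev] for dev in devs})
    return {"duplicates": duplicates, "effective_copies": effective, "zones": zones}


if __name__ == "__main__":
    report = check_ring(DEVICES, REPLICA2PART2DEV, REPLICA_COUNT)
    for part, devs in report["duplicates"].items():
        print("partition %d: replicas share device(s) %s, only %d distinct copies"
              % (part, devs, report["effective_copies"][part]))
    # Fewer zones than replicas remains allowed: this ring spreads 3 replicas over 2 zones.
    print("zones per partition:", report["zones"])
```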
This enhancement adds the ability to tell the container or account server to reverse the object listings. This capability allows you to break out versioned objects in middleware. 
As a result, the internal architecture is reorganized for safety reasons; in addition, reverse listings are available to client applications, if needed.

4.1.17. python-ceilometerclient

Alarms created with the type 'gnocchi-resource-threshold' had empty fields for the 'project_id' and 'user_id' fields. 

With this update, when alarms are created with type 'gnocchi-resource-threshold', the 'project_id' and 'user_id' fields are populated.

4.1.18. python-colorama

The python-colorama package has been added to Red Hat OpenStack Platform 9.
This package is an install dependency for python-gabbi, which in turn is required by openstack-gnocchi.
As a result, openstack-gnocchi and python-gabbi install without dependency errors.

4.1.19. python-cradox

The Time Series Database-as-a-Service (gnocchi) Ceph storage driver depends on the 'python-cradox' library, and the missing library caused gnocchi with a Ceph back end to fail.

With this update, 'python-cradox' is installed by the 'openstack-puppet-modules' package. 'python-cradox' is a Python library for the Ceph librados library that uses 'cython' instead of 'ctypes'. As a result, the Time Series Database-as-a-Service with a Ceph back end runs without errors.

4.1.20. python-django-horizon

With this update, the API part for using the Ceilometer alarm API has been added to Horizon. It enables future developments to use the API. However, at present, there is no GUI front end for this API.
This update adds support for Cinder volume encryption to Horizon, which enables administrators to manage encrypted volume types from the GUI. As a result, volume types can now be added, modified, and deleted using Horizon.
With this update, the 'python-django-horizon' packages have been rebased to version 9.0.1. 

Some of the highlights addressed by this rebase are as follows:
* Fix workflow bug in "Create Network"
* Fix existing metadata display in metadata widget
* Various localisation fixes

4.1.21. python-heatclient

The 'stack-delete' command displayed information about the heat stack immediately after requesting the delete. Deleting a heat stack is an asynchronous operation so the display status may not have yet changed to 'DELETE_IN_PROGRESS', and users may find this confusing.

The 'stack-delete' command now returns nothing, which is consistent with the delete commands of other OpenStack services.

4.1.22. python-oslo-concurrency

This release includes updates from oslo.concurrency 3.7.1, which places new process limits required to address security vulnerability CVE-2015-5162. See for details about the vulnerability and fix.
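The process limits mentioned here bound the resources a helper process may consume so that a crafted input cannot exhaust the host. The snippet below is an added illustration of that mitigation class using the standard-library `resource` module; it is not oslo.concurrency's own code or API, and the limit values and child commands are chosen for the demonstration (Linux enforces RLIMIT_AS; some other platforms do not).

```python
import resource
import subprocess
import sys

ONE_GIB = 1024 ** 3


def _clamp_to_hard(limit, which):
    """An unprivileged process cannot raise a hard limit, so stay under the current one."""
    _soft, hard = resource.getrlimit(which)
    return limit if hard == resource.RLIM_INFINITY else min(limit, hard)


def run_limited(cmd, address_space_bytes, cpu_seconds=5, timeout=60):
    """Run cmd with RLIMIT_AS and RLIMIT_CPU applied to the child only.

    The limits are installed between fork() and exec(), so they bind the
    executed program and never the caller.  Returns the child's exit status.
    """
    def apply_limits():
        mem = _clamp_to_hard(address_space_bytes, resource.RLIMIT_AS)
        cpu = _clamp_to_hard(cpu_seconds, resource.RLIMIT_CPU)
        # soft == hard: the child cannot lift the limit again
        resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu))

    proc = subprocess.run(cmd, preexec_fn=apply_limits, capture_output=True,
                          timeout=timeout)
    return proc.returncode


def benign_child_succeeds(limit_bytes=ONE_GIB):
    """A well-behaved child runs normally under the limit."""
    return run_limited([sys.executable, "-c", "print('ok')"], limit_bytes) == 0


def oversized_allocation_is_contained(limit_bytes=ONE_GIB, alloc_bytes=4 * ONE_GIB):
    """A child that asks for more memory than the limit fails fast instead of
    consuming host memory: Python raises MemoryError and exits non-zero."""
    code = "bytearray(%d)" % alloc_bytes
    return run_limited([sys.executable, "-c", code], limit_bytes) != 0


if __name__ == "__main__":
    print("benign child ok:", benign_child_succeeds())
    print("oversized allocation contained:", oversized_allocation_is_contained())
```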

4.1.23. python-wsgi_intercept

The python-wsgi_intercept package has been added to Red Hat OpenStack Platform 9.
This package is an install dependency for python-gabbi, which in turn is required by openstack-gnocchi. 
As a result, openstack-gnocchi and python-gabbi install without dependency errors.