Technical Notes

Red Hat Virtualization 4.4

Technical notes for Red Hat Virtualization 4.4 and associated packages

Red Hat Virtualization Documentation Team

Red Hat Customer Content Services

Abstract

The Technical Notes document provides information about changes made between release 4.3 and release 4.4 of Red Hat Virtualization. This document is intended to supplement the information contained in the text of the relevant errata advisories available through the Content Delivery Network.

Preface

Red Hat Virtualization errata advisories are available on the Red Hat Customer Portal.

A more concise summary of the features added in Red Hat Virtualization 4.4 is available in the Red Hat Virtualization 4.4 Release Notes.

No additional information is available at this time. This document will be updated when more information becomes available.

Chapter 1. RHSA-2022:5555-09 Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update

The bugs in this chapter are addressed by advisory RHSA-2022:5555-09. Further information about this advisory is available at https://errata.devel.redhat.com/advisory/96099

1.1. ovirt-engine

BZ#2099650

A bug that caused the upgrade process to fail if the vdc_options table contained records with a NULL default value has been fixed.

BZ#2006625

Previously, memory allocated by hugepages was included in the host memory usage calculation, resulting in high memory usage in the Administration Portal, even with no running VMs, and false VDS_HIGH_MEM_USE warnings in the logs. In this release, hugepages are not included in the memory usage. VDS_HIGH_MEM_USE warnings are logged only when normal (not hugepages) memory usage is above a defined threshold. Memory usage in the Administration Portal is calculated from the normal and hugepages used memory, not from allocated memory.

BZ#2072626

The ovirt-engine-notifier correctly increments the SNMP EngineBoots value after restarts, which enables the ovirt-engine-notifier to work with the SNMPv3 authPriv security level.

BZ#1663217

The hostname and/or FQDN of the VM or VDSM host can change after a virtual machine (VM) is created. Previously, this change could prevent the VM from fetching errata from Red Hat Satellite/Foreman. With this enhancement, errata can be fetched even if the VM hostname or FQDN changes.

BZ#1994144

The email address for notifications is updated correctly on the "Manage Events" screen.

BZ#2001923

Previously, when a failed VM snapshot was removed from the Manager database while the volume remained on the storage, subsequent operations failed because there was a discrepancy between the storage and the database. Now, the VM snapshot is retained if the volume is not removed from the storage.

BZ#1782077

An "isolated threads" CPU pinning policy has been added. This policy pins a physical core exclusively to a virtual CPU, enabling a complete physical core to be used as the virtual core of a single virtual machine.

BZ#1958032

Previously, live storage migration could fail if the destination volume filled up before it was extended. In the current release, the initial size of the destination volume is larger and the extension is no longer required.

BZ#1976607

VGA has replaced QXL as the default video device for virtual machines. You can switch from QXL to VGA using the API by removing the graphic and video devices from the VM (creating a headless VM) and then adding a VNC graphic device.

BZ#2001574

Previously, when closing the "Move/Copy disk" dialog in the Administration Portal, some of the acquired resources were not released, causing browser slowness and high memory usage in environments with many disks. In this release, the memory leak has been fixed.

BZ#2030293

A VM no longer remains in a permanent locked state if the Manager is rebooted while exporting the VM as OVA.

BZ#2068270

Previously, when downloading snapshots, the disk_id was not set, which caused resumption of the transfer operation to fail because locking requires the disk_id to be set. In this release, the disk_id is always set so that the transfer operation recovers after restart.

BZ#2081241

Previously, VMs with one or more VFIO devices, Q35 chipset, and maximum number of vCPUs >= 256 might fail to start because of a memory allocation error reported by the QEMU guest agent. This error has been fixed.

BZ#2105296

Virtual machines with VNC created by earlier Manager versions sometimes failed to migrate to newer hosts because the VNC password was too long. This issue has been fixed.

BZ#1703153

There is a workaround for creating a RHV Manager hostname that is longer than 95 characters.

  1. Create a short FQDN, up to 63 characters, for the engine-setup tool.
  2. Create a custom certificate and put the short FQDN and a long FQDN (final hostname) into the certificate's Subject Alternative Name field.
  3. Configure the Manager to use the custom certificate.
  4. Create an /etc/ovirt-engine/engine.conf.d/99-alternate-engine-fqdns.conf file with the following content: SSO_ALTERNATE_ENGINE_FQDNS="long FQDN"
  5. Restart the ovirt-engine service.

If you cannot access the Manager and are using a very long FQDN:

  1. Check for the following error message in /var/log/httpd/error_log: ajp_msg_check_header() incoming message is too big NNNN, max is MMMM
  2. Add the following line to /etc/httpd/conf.d/z-ovirt-engine-proxy.conf: ProxyIOBufferSize PPPP where PPPP is greater than NNNN in the error message.

Restart Apache.
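The workaround above as an added shell example (not Red Hat code): it checks the short FQDN length, prints the subjectAltName value and the engine.conf.d content, and derives a ProxyIOBufferSize from the AJP error. The function names, host names and log lines are constructed for illustration, and rounding the buffer up to the next multiple of 1024 is a choice made here; the page only requires a value greater than NNNN.

```shell
#!/bin/sh
# Added example (not Red Hat code): helpers for the long-FQDN workaround.
# Every host name and log line used here is a constructed sample value.

# Step 1: the FQDN given to engine-setup must be at most 63 characters.
is_short_fqdn() {
    [ -n "$1" ] && [ "${#1}" -le 63 ]
}

# Step 2: subjectAltName value carrying both names, for the extensions file
# used when the custom certificate is requested.
san_line() {
    short=$1
    long=$2
    is_short_fqdn "$short" || { echo "short FQDN must be 1-63 characters" >&2; return 1; }
    printf 'subjectAltName = DNS:%s, DNS:%s\n' "$short" "$long"
}

# Step 4: content for 99-alternate-engine-fqdns.conf.
alternate_fqdns_conf() {
    printf 'SSO_ALTERNATE_ENGINE_FQDNS="%s"\n' "$1"
}

# Troubleshooting: largest NNNN reported by the AJP error; reads error_log on stdin.
largest_ajp_message() {
    sed -n 's/.*ajp_msg_check_header() incoming message is too big \([0-9][0-9]*\), max is [0-9][0-9]*.*/\1/p' |
        sort -n | tail -n 1
}

# Print a ProxyIOBufferSize line strictly greater than the largest NNNN seen.
# Rounding up to the next multiple of 1024 is this example's choice.
suggest_proxy_io_buffer_size() {
    nnnn=$(largest_ajp_message)
    [ -n "$nnnn" ] || { echo "no AJP size error found" >&2; return 1; }
    printf 'ProxyIOBufferSize %s\n' $(( (nnnn / 1024 + 1) * 1024 ))
}

# Constructed error_log excerpt.
sample_error_log() {
    cat <<'EOF'
[Mon Jul 11 10:02:13.000000 2022] [proxy_ajp:error] [pid 1201] ajp_msg_check_header() incoming message is too big 8450, max is 8192
[Mon Jul 11 10:02:14.000000 2022] [ssl:info] [pid 1201] constructed unrelated line
[Mon Jul 11 10:05:40.000000 2022] [proxy_ajp:error] [pid 1207] ajp_msg_check_header() incoming message is too big 9100, max is 8192
EOF
}

# Demonstration with constructed names.
SHORT=rhvm.example.com
LONG=rhv-manager.virtualization.production.datacenter-frankfurt-01.emea.infrastructure.engineering.corp.example.com
san_line "$SHORT" "$LONG"
alternate_fqdns_conf "$LONG"
sample_error_log | suggest_proxy_io_buffer_size
```

To use it against a live system, feed the real log to the last function: `suggest_proxy_io_buffer_size < /var/log/httpd/error_log`.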

1.2. ovirt-log-collector

BZ#2093795

Rebase package(s) to version: 4.4.6. This fixes an issue which prevented the collection of PostgreSQL data and the documentation of the --log-size option.

1.3. rhv-log-collector-analyzer

BZ#2081559

The rhv-log-collector-analyzer discrepancy tool now detects preallocated QCOW2 images that have been reduced.

1.4. rhvm-branding-rhv

BZ#2092885

The Welcome page of the Administration Portal now displays both the upstream and downstream version names.

1.5. vdsm

BZ#2070045

The host no longer enters a non-responsive state if the OVF store update operation times out because of network errors.

1.6. vulnerability

BZ#1966615

A flaw was found in nodejs-trim-newlines. Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

BZ#1981895

A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This flaw allows the mounting of a denial of service attack against services that use Compress’ SevenZ package. The highest threat from this vulnerability is to system availability.

BZ#1981900

A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for very small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress’ SevenZ package. The highest threat from this vulnerability is to system availability.

BZ#1981903

A flaw was found in apache-commons-compress. When reading a specially crafted TAR archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress’ TAR package. The highest threat from this vulnerability is to system availability.

BZ#1981909

A flaw was found in apache-commons-compress. When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs. This flaw allows the mounting of a denial of service attack against services that use Compress’ zip package. The highest threat from this vulnerability is to system availability.

BZ#2007557

A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.

BZ#2069414

A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service.

BZ#2097414

A vulnerability was found in semantic-release. Secrets that are normally masked are accidentally disclosed if they contain characters excluded from uri encoding by encodeURI(). The vulnerability is further limited to execution contexts where push access to the related repository is unavailable without modifying the repository URL to inject credentials.

Chapter 2. RHSA-2022:4712-04 Moderate: RHV Engine and Host Common Packages security update

The bugs in this chapter are addressed by advisory RHSA-2022:4712-04. Further information about this advisory is available at https://errata.devel.redhat.com/advisory/84835

2.1. distribution

BZ#2064795

python-passlib/python38-passlib are runtime dependencies for several RHV components. With this release, they are provided in the RHEL-8-RHEV-4, RHEL-8-RHEV-S-4.4 and RHEL-8-RHV-4-TOOLS channels.

BZ#2064798

python-pycurl/python38-pycurl are runtime dependencies for several RHV components. With this release, they are provided in the RHEL-8-RHEV-4, RHEL-8-RHEV-S-4.4 and RHEL-8-RHV-4-TOOLS channels.

BZ#2064799

python-jmespath/python38-jmespath are runtime dependencies for several RHV components. With this release, they are provided in the RHEL-8-RHEV-4, RHEL-8-RHEV-S-4.4 and RHEL-8-RHV-4-TOOLS channels.

BZ#2064801

python-netaddr/python38-netaddr are runtime dependencies for several RHV components. With this release, they are provided in the RHEL-8-RHEV-4, RHEL-8-RHEV-S-4.4 and RHEL-8-RHV-4-TOOLS channels.

2.2. otopi

BZ#2034313

Rebase package(s) to version: 1.10.0 Highlights, important fixes, or notable enhancements:

2.3. ovirt-ansible-collection

BZ#2006721

The ovirt_disk module released as a part of ovirt-ansible-collection 2.0.0 uses the imageio python client to upload images into Red Hat Virtualization Manager.

BZ#2017070

The manageiq role has been removed from oVirt Ansible Collection 2.0.0.

BZ#2071365

Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components.

2.4. ovirt-engine

BZ#2020620

In this release, support has been added for self-hosted engine deployment on a host with a DISA STIG profile.

BZ#2066811

Previously, the DISA STIG profile used fapolicyd, which blocked ansible command execution as non-root, and self-hosted engine deployment failed. In this release, calls to psql as postgres are replaced with engine_psql.sh, and deployment succeeds.

BZ#1883949

In this release, the following enhancements were made:

  1. Added 2 new backup phases: SUCCEEDED and FAILED.
  2. Disabled 'vm_backups' & 'image_transfers' DB tables cleanup after the backup / image transfer operation is over.
  3. Added a scheduled DB cleanup thread to automatically clean backups and image transfers once in a while.
  4. Minor user experience improvements.

BZ#1932149

Previously, 'hosted-engine --deploy' always created the hosted storage domain in the default format, which is the latest, and deployment failed. With this release, the process now checks the compatibility version of the cluster/DC we deploy/restore to, and creates the storage domain with a proper format for their version. As a result, deploy/restore does not fail while creating the storage.

BZ#2004018

With this release, an error message has been added to the ovirt_disk module, warning that the parameters 'interface', 'activate', 'bootable', 'uses_scsi_reservation' and 'pass_discard' cannot be used without specifying a VM.

BZ#2004852

The following parameters have been added to the ovirt_vm module:

  - virtio_scsi_enabled - If true, it enables Virtio SCSI support.
  - multi_queues_enabled - If true, each virtual interface will get the optimal number of queues, depending on the available virtual CPUs.

2.5. ovirt-provider-ovn

BZ#1940824

Upgrade from OvS/OVN 2.11 to OVN 2021 and OvS 2.15. The upgrade is transparent to the user as long as these conditions are met:

  1. Upgrade the engine first.
  2. Before you upgrade the hosts, disable the ovirt-provider-ovn security groups for all OVN networks that are expected to work between hosts with OVN/OvS version 2.11.
  3. Upgrade the hosts to match the OVN version 2021 or higher and OvS version to 2.15. This step should be done with the web console, in order to reconfigure OVN and to refresh the certificates.
  4. Reboot the host after upgrade.
  5. Verify that the provider and OVN were configured successfully by launching the web console and checking the "OVN configured" field on the "General" tab for each host. (You can also obtain the value using the REST API.) Note that the value might be "No" if the host configuration has not been refreshed.

If the host’s OVN is not configured after refresh and you are using engine 4.5 or later, reinstalling the host will fix this issue.

2.6. ovirt-setup-lib

BZ#2044362

Rebase ovirt-setup-lib package to version: 1.3.3

Highlights, important fixes, or notable enhancements:

  - BZ#1971863 - Queries of type 'ANY' are deprecated - RFC8482

2.7. python-ovirt-engine-sdk4

BZ#1933555

The Python SDK package for Red Hat Virtualization is now supported in RHEL 9.

2.8. vulnerability

BZ#2065665

A race condition was found in Paramiko. This flaw allows unauthorized information disclosure from an attacker with access to the write_private_key_file.

Chapter 3. RHSA-2022:4711-06 Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.0] security update

The bugs in this chapter are addressed by advisory RHSA-2022:4711-06. Further information about this advisory is available at https://errata.devel.redhat.com/advisory/84555

3.1. distribution

BZ#2065052

Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components.

BZ#2072637

python3-daemon/python38-daemon are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel.

BZ#2072639

ansible-runner-2.1.3-1.el8ev is a runtime dependency for the Red Hat Virtualization Manager. It needs to be provided in the RHEL-8-RHEV-S-4.4 channel.

BZ#2072641

python3-docutils/python38-docutils are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel.

BZ#2072642

python3-lockfile/python38-lockfile are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel.

BZ#2072645

python3-pexpect/python38-pexpect are runtime dependencies for several Red Hat Virtualization Manager components. They need to be provided in the RHEL-8-RHEV-S-4.4 channel.

BZ#2072646

ansible-core-2.12 requires all libraries used in Ansible modules/roles/playbooks to be built with Python 3.8. The python38-ptyprocess needs to be built and distributed in Red Hat Virtualization channels.

BZ#1608675

Red Hat Virtualization is compliant with USGv6 Revision 1 standards since version 4.4.6 of RHV. For more information, see https://www.iol.unh.edu/registry/usgv6?name=red+hat.

3.2. ovirt-engine

BZ#977379

With this release, it is now possible to edit and manage iSCSI storage domain connections using the Administration Portal. Users can now edit the logical domain to point to a different physical storage, which is useful if the underlying LUNs are replicated for backup purposes, or if the physical storage address has changed.

BZ#977778

In this release, support has been added for the conversion of a disk’s format and allocation policy. This can help reduce space usage and improve performance, as well as enabling incremental backup on existing raw disks.

BZ#2015796

Red Hat Virtualization Manager 4.4 SP1 is now capable of running on a host with the RHEL 8.6 DISA STIG OpenSCAP profile applied.

BZ#2023250

The Advanced Virtualization module (virt:av) has been merged into the standard RHEL virtualization module (virt:rhel) as part of the RHEL 8.6 release. Due to this change, the host deploy and host upgrade flows have been updated to properly enable the virt:rhel module during new installation of the RHEL 8.6 host and during upgrade of an existing RHEL 8.5 or earlier host to a RHEL 8.6 host.

BZ#2030596

The Red Hat Virtualization Manager is now capable of running on a machine with the PCI-DSS security profile.

BZ#2035051

Red Hat Virtualization 4.4 SP1 uses the updated DISA STIG OpenSCAP profile from RHEL 8.6, which does not remove the gssproxy package. As a result, the Red Hat Virtualization host works correctly after applying the DISA STIG profile.

BZ#2052690

Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components.

BZ#2055136

With this release, the virt DNF module version is correctly set according to the RHEL version of the host during the host upgrade flow.

BZ#2056021

Previously, renewing of the libvirt-vnc certificate was omitted during the Enroll Certificate flow. With the release of RHV 4.4 SP1, libvirt-vnc certificates are renewed during the Enroll Certificate flow.

BZ#2056126

With this release, the Red Hat Virtualization Manager 4.4 SP1 certificate expiration check will warn of upcoming certificate expiration earlier:

  1. If a certificate is about to expire in the upcoming 120 days, a WARNING event is raised in the audit log.
  2. If a certificate is about to expire in the upcoming 30 days, an ALERT event is raised in the audit log.

This checks for internal RHV certificates (for example, the certificate for RHVM <-> hypervisor communication), but it doesn't check for custom certificates configured for HTTPS access to RHVM as configured according to Replacing the Manager CA Certificate.
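Because custom HTTPS certificates fall outside the Manager's check, the same 120-day and 30-day windows can be applied to them by hand. This is an added example, not Red Hat code: the function names and the OK/EXPIRED/UNREADABLE levels are assumptions of the example, and the certificate paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not Red Hat code): apply the 120-day WARNING and 30-day ALERT
# windows described above to certificates the Manager does not check itself.

DAY=86400

# Print OK, WARNING, ALERT or EXPIRED for a PEM certificate file.
# Prints UNREADABLE and returns 2 if the file cannot be parsed as a certificate,
# so a missing or corrupt file is never reported as merely expired.
cert_expiry_level() {
    pem=$1
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE
        return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -in "$pem" -noout -checkend $((30 * DAY)) >/dev/null; then
        echo ALERT
    elif ! openssl x509 -in "$pem" -noout -checkend $((120 * DAY)) >/dev/null; then
        echo WARNING
    else
        echo OK
    fi
}

# Print "LEVEL<TAB>file<TAB>notAfter" for each file given.
# Returns 1 if any certificate is not OK, so it can drive a cron or monitoring job.
report_certs() {
    status=0
    for f in "$@"; do
        level=$(cert_expiry_level "$f") || true
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        printf '%s\t%s\t%s\n' "$level" "$f" "${end:-unknown}"
        [ "$level" = OK ] || status=1
    done
    return $status
}

# Stand-alone use: pass one or more PEM certificate files as arguments.
if [ "$#" -gt 0 ]; then
    report_certs "$@"
fi
```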

BZ#2071468

If SSH soft fencing needs to be executed on a problematic host, the Red Hat Virtualization Manager now waits the expected time interval before it continues with fencing. As a result, the VDSM has enough time to start and respond to the Red Hat Virtualization Manager.

BZ#655153

Previously, no confirmation dialog was shown for the suspend VM operation. A virtual machine was suspended right after clicking the suspend-VM button. With this release, a confirmation dialog is presented by default when pressing the suspend-VM button. The user can choose not to show this confirmation dialog again. The setting can be reverted in the user preferences dialog.

BZ#1878930

Feature: Provide warning event if number of available MAC addresses in pool are below threshold. The threshold is configurable via engine-config. An event will be created per pool on engine start, and if the threshold is reached when consuming addresses from the pool.

Reason: Make it easier for the admin user to plan ahead.

Result: Admin will not be faced with an empty pool when creating VNICs on VMs.

BZ#1926625

With this release, you can now enable HTTP Strict Transport Security following Red Hat Virtualization Manager installation by following the instructions in this KCS article: https://access.redhat.com/solutions/1220063

BZ#1998255

Feature: Search box in VNIC profiles main page

Reason: Requested by customer

Result: It is now possible to search and filter the VNIC profiles by values of their attributes in the main VNIC profiles page.

BZ#1999698

In previous versions, engine-setup configured apache httpd’s SSLProtocol configuration option to be -all +TLSv1.2.

In RHEL 8, this isn’t needed, because this option is managed by crypto-policies.

With this version, engine-setup does not set this option, and removes it if it’s already set, letting it be managed by crypto-policies.

BZ#2000031

Previously, host non-responding treatment could be called multiple times simultaneously. In this release, multiple calls to non-responding treatment are prevented, and the host comes up much faster.

BZ#2006745

Previously, when trying to copy a template disk from/to a Managed Block Storage domain, the operation failed due to an incorrect storage domain ID, saving the same image repeatedly in the images (and base disks) DB tables, and casting the disk to DiskImage when it is of type ManagedBlockStorageDisk. In this release, all of the above issues were fixed, and copying a template disk from/to a Managed Block Storage domain works as expected.

BZ#2007384

Previously high values of disk writeRate/readRate were not processed properly by the ovirt-engine. In this release, the type of writeRate/readRate in ovirt-engine has changed from integer to long to support values that are higher than integers.

BZ#2040361

Previously, hot plugging multiple disks with the VIRTIO SCSI interface to a virtual machine defined with more than one IO thread failed because a duplicate PCI address was allocated.

Now, each disk is assigned a unique PCI address in this process, which makes it possible to plug multiple disks with VIRTIO SCSI into virtual machines even when they are set with more than one IO thread.

BZ#2043146

Previously, renewing of the libvirt-vnc certificate was omitted during the Enroll Certificate flow. With the release of RHV 4.4 SP1, libvirt-vnc certificates are renewed during the Enroll Certificate flow.

BZ#1624015

Feature: The default console type (for both new and existing VMs) can be set engine-wide by using the CLI to set the following engine-config parameters: engine-config -s ClientModeVncDefault=NoVnc to prefer NoVnc instead of remote-viewer, and engine-config -s ClientModeConsoleDefault=vnc to prefer VNC over SPICE in case the VM has both available.

If the actual console type for existing VMs was chosen manually via the 'console options' dialog, cleaning the browser local storage is needed. So in case it's required to set the console type globally for all existing VMs, please clear the browser local storage after running the engine.

Reason: An option for setting the default console type for all provisioned VMs globally at once was not supported until now. It was necessary to go through the VMs one by one and set the console type via the 'console options' dialog.

Result: Support setting the console type globally for all VMs, existing and new ones, by using the engine-config parameters.

BZ#1648985

A user with SuperUser role can connect to a virtual machine in a VM-pool without having the VM assigned. Previously, this did not prevent other users from taking that VM, which resulted in closing the connected console and assigning the VM to a user with UserRole instead. In this release, users cannot take VMs that other users are connected to via a console. This prevents users with UserRole permissions from hijacking a VM that a user with SuperUser role is connected to.

BZ#1687845

Previously, displaying notifications for hosts activated from maintenance mode was done when the actual job activation "end time" was after the last displayed notification. But if there was a time difference between server and the browser, the job "end time" could be in the future. In this release, notifications rely only on the server time, and the job's "end time" is no longer compared to local browser time. As a result, only one "Finish activating host" notification appears.

BZ#1745141

With this release, SnowRidge Accelerator Interface Architecture (AIA) can be enabled by modifying the extra_cpu_flags custom property of a virtual machine (movdiri, movdir64b).

BZ#1782056

With this release, IPSec for the OVN feature is available on hosts with configured ovirt-provider-ovn, OVN version 2021 or later and OvS version 2.15 or later.

BZ#1849169

Feature: A new parameter was added to the evenly_distributed scheduling policy that takes into account the ratio between virtual and physical CPUs on the host.

Reason: To prevent the host from overutilizing all physical CPUs.

Result: When the ratio is set to 0, the evenly distributed policy works as before. If the value is greater than 0, the vCPU to physical CPU ratio is considered as follows:

  a. When scheduling a VM, hosts with lower CPU utilization are preferred. However, if adding the VM would cause the vCPU to physical ratio to be exceeded, the host's vCPU to physical ratio AND CPU utilization are considered.
  b. In a running environment, if the host's vCPU to physical ratio is above the limit, some of the VMs might be load balanced to the hosts with a lower vCPU to physical CPU ratio.

BZ#1922977

With this release, shared disks are now a part of the 'OVF_STORE' configuration. This allows virtual machines to share disks, move a Storage Domain to another environment, and after importing VMs, the VMs correctly share the same disks without any additional manual configuration.

BZ#1927985

With this release, padding between files has been added for exporting a virtual machine to an Open Virtual Appliance (OVA). The goal is to align disks in the OVA to the edge of a block of the underlying filesystem. As a result, disks are written faster during export, especially with an NFS partition.

BZ#1944290

Previously, when trying to log in to Red Hat Virtualization VM Portal or Administration Portal with an expired password, the URL to change the password was not shown properly. In this release, when there is an expired password error, the following clickable link appears beneath the error message: "Click here to change the password". This link will redirect the user to the change password page: "…​/ovirt-engine/sso/credentials-change.html".

BZ#1944834

This release adds a user specified delay to the 'Shutdown' Console Disconnect Action of a Virtual Machine. The shutdown will occur after the user specified delay interval, or will be cancelled if the user reconnects to the VM console. This prevents a user’s session loss after an accidental disconnect.

BZ#1959186

Previously, there was no way to set a quota different from that of the template from the VM portal. Thus, if the user had no access to the quota on the template, the user could not provision VMs from the template using the VM portal. In this release, the Red Hat Virtualization Manager selects a quota that the user has access to, and not necessarily from the template, when provisioning VMs from templates using the VM portal.

BZ#1964208

With this release, a screenshot API has been added that captures the current screen of a VM, and then returns a PPM file screenshot. The user can download the screenshot and view its content.

BZ#1971622

Previously, when displaying the Host’s Virtual Machines sub-tab, all virtual machines were marked with a warning sign. In this release, the warning sign is displayed correctly in the same way as on the Virtual Machines list page.

BZ#1974741

Previously, a bug in the finalization mechanism left the disk locked in the database. In this release, the finalization mechanism works correctly, and the disk remains unlocked in all scenarios.

BZ#1979441

Previously, a warning indicated that the VM CPU is different than the cluster CPU for high performance virtual machines. With this release, the warning is not shown when CPU passthrough is configured, and as a result, it is not presented for high performance virtual machines.

BZ#1979797

In this release, a new warning message displays in the removing storage domain window if the selected domain has leases for entities that were raised on a different storage domain.

BZ#1986726

When importing a VM from an OVA and setting the allocation policy to Preallocated, the disks were imported as Thin provisioned. In this release, the selected allocation policy is followed.

BZ#1987121

The vGPU editing dialog was enhanced with an option to set driver parameters. The driver parameters are specified as arbitrary text, which is passed to NVidia drivers as it is, e.g. "enable_uvm=1". The given text will be used for all the vGPUs of a given VM.

The vGPU editing dialog was moved from the host devices tab to the VM devices tab.

vGPU properties are no longer specified using mdev_type VM custom property. They are specified as VM devices now. This change is transparent when using the vGPU editing dialog. In the REST API, the vGPU properties can be manipulated using a newly introduced …​/vms/…​/mediateddevices endpoint. The new API permits setting "nodisplay" and driver parameters for each of the vGPUs individually, but note that this is not supported in the vGPU editing dialog where they can be set only to a single value common for all the vGPUs of a given VM.

BZ#1988496

Previously, the vmconsole-proxy-helper certificate was not renewed when needed. With this release, the certificate is renewed each time following the CA certificate update.

BZ#2002283

With this release, it is now possible to set the number of PCI Express ports for virtual machines by setting the NumOfPciExpressPorts configuration using engine-config.

BZ#2003996

Previously, snapshots that represent VM next-run configuration were reported by ovirt-ansible but their type was missing and they could not be removed. In this release, snapshots that represent VM next-run configuration are not reported to clients, including ovirt-ansible.

BZ#2021217

Add Windows 2022 as a guest operating system

BZ#2023786

When a VM is set with the custom property sap_agent=true, it requires vhostmd hooks to be installed on the host to work correctly. Previously, if the hooks were missing, there was no warning to the user. In this release, when the required hooks are not installed and reported by the host, the host is filtered out by the scheduler when starting the VM.

BZ#2040474

The Administration Portal cluster upgrade interface has been improved to provide better error messaging and status and progress indications.

BZ#2041544

Previously, when selecting a host to upload in the Administration Portal (Storage > Domain > select domain > Disks > Upload), trying to select a host different from the first one on the list resulted in jumping back to the first host on the list. In this release, the storage domain and data center are only initialized once, and the list of hosts doesn't need to be reloaded. As a result, a different host can be selected without being set back to the first one on the list.

BZ#2052557

Previously, vGPU devices were not released when stateless VMs or VMs that were started in run-once mode were shut down. This sometimes caused the system to forbid running the VMs again, although the vGPU devices were available. In this release, vGPU devices are properly released when stateless VMs or VMs that were started in run-once mode are shut down.

BZ#2066084

Previously, the vmconsole-proxy-user and vmconsole-proxy-host certificates were not renewed when needed. With this release, the certificates are now renewed when executing engine-setup.

3.3. ovirt-engine-dwh

BZ#2014888

Dashboard field descriptions have been updated to match the real meanings of I/O operations data fields.

BZ#2010903

Database columns and dashboard field descriptions have been updated to match the real meanings in I/O operations data fields.

3.4. ovirt-engine-metrics

BZ#1990462

In this release, an Elasticsearch username and password have been added for authentication from rsyslog. As a result, rsyslog can now authenticate to Elasticsearch using a username and password.

BZ#2059521

Red Hat Virtualization 4.4 SP1 now requires ansible-core >= 2.12.0 to execute Ansible playbooks/roles internally from RHV components.

3.5. ovirt-engine-ui-extensions

BZ#2024202

Previously, the formatting of parameters passed to translated messages on ui-extensions dialogs (not just in the Red Hat Virtualization dashboard) was handled in 2 different layers: code and translations. That caused invalid formatting for a number of languages. In this release, the formatting of translated message parameters on ui-extensions is done only on one layer, the translation layer (formatting done on the code layer is removed). As a result, translation strings on ui-extensions dialogs are now displayed properly for all languages.

3.6. ovirt-log-collector

BZ#2040402

The log_days option of the sos logs plugin has been removed. As a result, the command that used this option began to fail. In this release, the use of the option has been removed, and the program now functions as expected.

BZ#2048546

Previously, using the sosreport command in the log collector utility produced a warning. In this release, the utility was modified to use the sos report command instead of the sosreport command. As a result, the warning is no longer displayed, and the utility will continue to work even when the sosreport command is deprecated in the future.

BZ#2050566

Rebase package(s) to version: 4.4.5

Highlights, important fixes, or notable enhancements:

3.7. ovirt-web-ui

BZ#1667517

With this release, new console options, including set screen mode, have been added to the VM Portal UI. The following console options can now be set in the VM Portal (under Account Settings > Console options):
- default console type to use (Spice, VNC, noVNC, RDP for Windows)
- full screen mode (on/off) per console type
- smartcard enabled/disabled
- Ctrl+Alt+Del mapping
- SSH key

These console options settings are now persistent on the engine server, so deleting cookies and website data won’t reset those settings.

Limitations for these settings:
1. Console settings via VM Portal are global for all VMs and cannot be set per VM (as opposed to the Administration Portal, where console options are set per VM).
2. There is no sync between Administration Portal console options and VM Portal console options. The console options configuration done by the Create/Edit VM/Pool dialog (supported console types and smartcard enabled) is synced, but the 'console options' run time settings done for running VMs via Console → Console options are not synced with the Administration Portal.
3. Console settings are part of Account settings and therefore are set per user. Each user logged in to the VM Portal can have their own console settings; defaults are taken from the vdc_options config parameters.

BZ#1781241

With this release, support for automatically connecting to a Virtual Machine has been restored as a configurable option. This is enabled in the Account Settings > Console tab. This feature enables the user to connect automatically to a running Virtual Machine every time the user logs in to the VM Portal.
- Each user can choose a VM to auto connect to from a list on a global level, in the Account Settings > Console tab.
- Only if the chosen VM exists and is running, the auto connect will be enforced next time the user logs in.
- The Console type for connecting will be chosen based on Account Settings > Console options.
- This auto connect VM setting is persisted per user on the engine.

BZ#1991240

Previously, there was no way to set a quota different from that of the template from the VM portal. Thus, if the user had no access to the quota on the template, the user could not provision VMs from the template using the VM portal. In this release, the Red Hat Virtualization Manager selects a quota that the user has access to, and not necessarily from the template, when provisioning VMs from templates using the VM portal.

3.8. rhv-log-collector-analyzer

BZ#2010203

Previously, newlines included as part of the data were not handled properly, and as a result, the formatting of the table was wrong. In this release, the table format now is correct, even if the data contains newlines.

BZ#2013928

Previously, if the data from the DB included special characters in the fields related to the vdc_options, i.e. the same ones that have special meaning in the ADOC format, they were used as is. This resulted in an incorrectly formatted HTML document. In this release, the code was modified to escape some of the characters and to no longer translate some of the characters. As a result, the information is now properly presented, even if the DB fields contain special characters.

BZ#2051857

Rebase package(s) to version: 1.0.13

Highlights, important fixes, or notable enhancements:

BZ#2037121

The rhv-image-discrepancies tool now shows Data Center and Storage Domain names in the output.

rhvm-branding-rhv

BZ#2054756

With this release, a link to the Migration Toolkit for Virtualization documentation has been added to the welcome page of the Red Hat Virtualization Manager.

3.9. rhvm-setup-plugins

BZ#2050614

Rebase package(s) to version: 4.5.0

Highlights, important fixes, or notable enhancements:

3.10. vdsm

BZ#2075352

The following changes have been made to the way certificates are generated:
- Internal CA is issued for 20 years.
- Internal certificates are valid for 5 years.
- Internal HTTPS certificates (apache, websocket proxy) are valid for 398 days.

The CA is renewed 60 days before expiration. Certificates are renewed 365 days before expiration (CertExpirationWarnPeriodInDays, configurable via engine-config). CertExpirationAlertPeriodInDays (defaulting to 30) is now also configurable via engine-config.

Note that engine certificates and CA are checked/renewed only during engine-setup. Certificates on hosts are renewed/checked during host upgrade or a manual Enroll certificates action.
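Because renewal only happens during engine-setup, a host upgrade or a manual Enroll certificates action, it is useful to audit certificates against these periods between maintenance windows. The following is an added example, not Red Hat or oVirt code: it classifies a certificate from the output of `openssl x509 -noout -dates`. The state names, the `assess` and `parse_dates` helpers, the 366-day year and the sample dates are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Periods stated in the note above (BZ#2075352).
WARN_DAYS = 365      # CertExpirationWarnPeriodInDays: certificate renewal window
ALERT_DAYS = 30      # CertExpirationAlertPeriodInDays default
CA_RENEW_DAYS = 60   # the CA is renewed 60 days before expiration
# Longest validity per kind; counting a year as 366 days is an assumption.
MAX_VALID_DAYS = {"ca": 20 * 366, "internal": 5 * 366, "https": 398}

# Constructed samples in the format printed by `openssl x509 -noout -dates`.
SAMPLE_INTERNAL = "notBefore=Jun  1 12:00:00 2022 GMT\nnotAfter=May 31 12:00:00 2027 GMT"
SAMPLE_OLD_HTTPS = "notBefore=Jan  1 00:00:00 2022 GMT\nnotAfter=Jan  1 00:00:00 2027 GMT"
SAMPLE_CA = "notBefore=Jun  1 12:00:00 2022 GMT\nnotAfter=May 27 12:00:00 2042 GMT"

def parse_dates(openssl_text):
    """Return (not_before, not_after) as UTC datetimes (English month names)."""
    fields = {}
    for line in openssl_text.strip().splitlines():
        key, _, value = line.partition("=")
        value = " ".join(value.replace("GMT", "").split())  # collapse padding
        parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def assess(kind, openssl_text, now):
    """Classify one certificate of kind 'ca', 'internal' or 'https' at time now."""
    not_before, not_after = parse_dates(openssl_text)
    days_left = (not_after - now).days
    findings = []
    if (not_after - not_before).days > MAX_VALID_DAYS[kind]:
        findings.append("validity-exceeds-policy")  # issued under older rules
    if days_left < 0:
        state = "expired"
    elif kind == "ca":
        state = "renew" if days_left <= CA_RENEW_DAYS else "ok"
    elif days_left <= ALERT_DAYS:
        state = "alert"   # inside the alert period and still not renewed
    elif days_left <= WARN_DAYS:
        state = "renew"   # next engine-setup or host enrollment renews it
    else:
        state = "ok"
    return {"state": state, "days_left": days_left, "findings": findings}

if __name__ == "__main__":
    today = datetime(2026, 9, 1, 12, tzinfo=timezone.utc)  # constructed date
    for kind, text in (("internal", SAMPLE_INTERNAL), ("https", SAMPLE_OLD_HTTPS)):
        print(kind, assess(kind, text, today))
```

A certificate that stays in the `renew` state across several checks indicates that engine-setup or host enrollment has not been run since it entered the renewal window.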

3.11. vulnerability

BZ#1964461

A flaw was found in normalize-url. Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data.

BZ#1995793

A flaw was found in nodejs-trim-off-newlines. All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing. The highest threat from this vulnerability is to system availability.

BZ#2007557

A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.