Technical Notes

Red Hat Virtualization 4.4

Technical notes for Red Hat Virtualization 4.4 and associated packages

Red Hat Virtualization Documentation Team

Red Hat Customer Content Services

Abstract

The Technical Notes document provides information about changes made between release 4.3 and release 4.4 of Red Hat Virtualization. This document is intended to supplement the information contained in the text of the relevant errata advisories available through the Content Delivery Network.

Preface

Red Hat Virtualization errata advisories are available at https://access.redhat.com/errata/.

A more concise summary of the features added in Red Hat Virtualization 4.4 is available in the Red Hat Virtualization 4.4 Release Notes.

No additional information is available at this time. This document will be updated when more information becomes available.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. Because of the enormity of this endeavor, these changes are being updated gradually and where possible. For more details, see our CTO Chris Wright’s message.

Chapter 1. RHEA-2020:3246-04 RHV RHEL Host (ovirt-host) 4.4

The bugs in this chapter are addressed by advisory RHEA-2020:3246-04. Further information about this advisory is available at https://access.redhat.com/errata/RHEA-2020:3246.

1.1. cockpit-ovirt

BZ#1676582

Previously, the user interface used the wrong unit of measure for the VM memory size in the VM settings of Hosted Engine deployment via cockpit: It showed MB instead of MiB. The current release fixes this issue: It uses MiB as the unit of measure.

1.2. ovirt-host

BZ#1725775

Previously, the screen package was deprecated in RHEL 7.6. With this update to RHEL 8-based hosts, the screen package is removed. The current release installs the tmux package on RHEL 8-based hosts instead of screen.

BZ#1741792

Previously, using LUKS alone was a problem because the RHV Manager could reboot a node using Power Management commands. However, the node would not reboot because it was waiting for the user to enter a decrypt/open/unlock passphrase. This release fixes the issue by adding clevis RPMs to the Red Hat Virtualization Host (RHVH) image. As a result, a Manager can automatically unlock/decrypt/open an RHVH using TPM or NBDE.

BZ#1698016

Previously, the cockpit-machines-ovirt package was deprecated in Red Hat Virtualization version 4.3 (reference bug #1698014). The current release removes the cockpit-machines-ovirt from the ovirt-host dependencies and RHV-H image.

BZ#1846596

In previous versions, the katello-agent package was automatically installed on all hosts as a dependency of the ovirt-host package. The current release, RHV 4.4, removes this dependency to reflect the removal of the katello-agent from Satellite 6.7. Instead, you can now use katello-host-tools, which enables users to install the correct agent for their version of Satellite.

1.3. ovirt-hosted-engine-ha

BZ#1720747

Previously, if ovirt-ha-broker restarted while the RHV Manager (engine) was querying the status of the self-hosted engine cluster, the query could get stuck. If that happened, the most straightforward workaround was to restart the RHV Manager.

This happened because the RHV Manager periodically checked the status of the self-hosted engine cluster by querying the VDSM daemon on the cluster host. With each query, VDSM checked the status of the ovirt-ha-broker daemon over a Unix Domain Socket. The communication between VDSM and ovirt-ha-broker wasn’t enforcing a timeout. If ovirt-ha-broker was restarting, such as trying to recover from a storage issue, the VDSM request could get lost, causing VDSM and the RHV Manager to wait indefinitely.

The current release fixes this issue. It enforces a timeout in the communication channel between the VDSM and ovirt-ha-broker. If ovirt-ha-broker cannot reply to VDSM within a certain timeout, VDSM reports a self-hosted engine error to the RHV Manager.
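
The failure mode and the fix described in BZ#1720747, reproduced as an added example that is not VDSM or ovirt-ha-broker code. The function names, the one-line request/reply format and the fake broker are assumptions made for the demonstration:

```python
import os
import socket
import tempfile
import threading


class BrokerTimeout(Exception):
    """The peer accepted the connection but sent no reply in time."""


def query_broker(sock_path, request, timeout):
    """Send one request line over a Unix domain socket and return the reply.

    timeout=None blocks indefinitely (the behaviour the note describes as
    the bug). A number bounds each connect/send/recv call, so a peer that
    never answers surfaces as BrokerTimeout instead of a hung caller.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sock_path)
            sock.sendall(request + b"\n")
            reply = sock.recv(4096)
        except socket.timeout as exc:
            raise BrokerTimeout("no reply from broker within %ss" % timeout) from exc
    if not reply:
        raise ConnectionError("broker closed the connection without replying")
    return reply.rstrip(b"\n")


def hosted_engine_status(sock_path, timeout=1.0):
    """Hypothetical caller: turn a silent or dead broker into a reported error."""
    try:
        status = query_broker(sock_path, b"get-status", timeout)
        return {"ok": True, "status": status.decode()}
    except (BrokerTimeout, OSError) as exc:
        return {"ok": False, "error": str(exc)}


def start_fake_broker(sock_path, stalled):
    """Constructed stand-in for the broker: answers once, or accepts and stalls."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    release = threading.Event()

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            if stalled:
                release.wait(10)  # keep the connection open, send nothing
            else:
                conn.sendall(b"status=ok\n")
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return release, thread


def demo():
    """Query a healthy broker and a stalled one with the same 0.5 s timeout."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, stalled in (("healthy", False), ("stalled", True)):
            path = os.path.join(tmp, name + ".sock")
            release, thread = start_fake_broker(path, stalled)
            results[name] = hosted_engine_status(path, timeout=0.5)
            release.set()
            thread.join(2)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The socket timeout applies to each blocking call separately, so a caller that needs one overall deadline has to track the remaining time across calls.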

BZ#1830730

Previously, if the DNS query test timed out, it did not produce a log message. The current release fixes this issue: If a DNS query times out, it produces a "DNS query failed" message in the broker.log.

BZ#1821487

Previously, network tests timed out after 2 seconds. The current release increases the timeout period from 2 seconds to 5 seconds. This reduces unnecessary timeouts when the network tests require more than 2 seconds to pass.

1.4. ovirt-hosted-engine-setup

BZ#1602816

Previously, if you tried to deploy hosted-engine over a teaming device, it would try to proceed and then fail with an error. The current release fixes this issue. It filters out teaming devices. If only teaming devices are available, it rejects the deployment with a clear error message that describes the issue.

BZ#1641694

With this update, you can start the self-hosted engine virtual machine in a paused state. To do so, enter the following command:

# hosted-engine --vm-start-paused

To un-pause the virtual machine, enter the following command:

# hosted-engine --vm-start

BZ#1654555

Previously the / filesystem automatically grew to fit the whole disk, and the user could not increase the size of /var or /var/log. This happened because, if a customer specified a disk larger than 49 GB while installing the Hosted Engine, the whole logical volume was allocated to the root (/) filesystem. In contrast, for the RHVM machine, the critical filesystems are /var and /var/log.

The current release fixes this issue. Now, the RHV Manager appliance is based on the logical volume manager (LVM). At setup time, its PV and VG are automatically extended, but the logical volumes (LVs) are not. As a result, after installation is complete, you can extend all of the LVs in the Manager VM using the free space in the VG.

BZ#1686575

Previously, the self-hosted engine high availability host’s management network was configured during deployment. The VDSM took over the Network Manager and configured the selected network interface during initial deployment, while the Network Manager remained disabled. During restore, there was no option to attach additional (non-default) networks, and the restore process failed because the high-availability host had no connectivity to networks previously configured by the user that were listed in the backup file.

In this release, the user can pause the restore process, manually add the required networks, and resume the restore process to completion.

BZ#1756244

Previously, in an IPv4-only host with a .local FQDN, the deployment kept looping, searching for an available IPv6 prefix until it failed. This was because the hosted-engine setup picked a link-local IP address for the host. The hosted-engine setup could not ensure that the Engine and the host are on the same subnet when one of them used a link-local address. The Engine must not use a link-local address to be reachable through a routed network. The current release fixes this issue: Even if the hostname is resolved to a link-local IP address, the hosted-engine setup ignores the link-local IP addresses and tries to use another IP address as the address for the host. The hosted-engine can deploy on hosts, even if the hostname is resolved to a link-local address.

BZ#1603591

With this enhancement, while using cockpit or engine-setup to deploy RHV Manager as a Self-Hosted Engine, the options for specifying the NFS version include two additional versions, 4.0 and 4.2.

1.5. ovirt-imageio-daemon

BZ#1622946

With this update, the API reports extents information for sparse disks: which extents are data, read as zero, or unallocated (holes). This enhancement enables clients to use the imageio REST API to optimize image transfers and minimize storage requirements by skipping zero and unallocated extents.

1.6. redhat-virtualization-host

BZ#1794485

This enhancement adds the vdsm-hook-nestedvt rpm package to the Red Hat Virtualization Host (RHVH) optional channel. This package enables you to run virtual machines within virtual machines. It is only intended for evaluation purposes and not supported for production purposes.

1.7. v2v-conversion-host

BZ#1749347

Previously, systemd units from failed conversions were not removed from the host. These could cause collisions and prevent subsequent conversions from starting because the service name was already "in use." The current release fixes this issue. If the conversion fails, the units are explicitly removed so they cannot interfere with subsequent conversions.

1.8. vdsm

BZ#1684537

Previously, a virtual machine could crash with the message "qemu-kvm: Failed to lock byte 100" during a live migration with storage problems. The current release fixes this issue in the underlying platform so the issue no longer happens.

BZ#1700623

Previously, moving a disk resulted in the wrong SIZE/CAP key in the volume metadata. This happened because creating a volume that had a parent overwrote the size of the newly-created volume with the parent size. As a result, the volume metadata contained the wrong volume size value. The current release fixes this issue, so the volume metadata contains the correct value.

BZ#1746699

Before this update, copying disks created by virt-v2v failed with an Invalid Parameter Exception, Invalid parameter:'DiskType=1'. With this release, copying disks succeeds.

BZ#1818554

The current version of RHV removes libvirt packages that provided non-socket activation. Now it contains only libvirt versions that provide socket activation. Socket activation provides better resource handling: There is no dedicated active daemon; libvirt is activated for certain tasks and then exits.

BZ#1564280

This enhancement adds support for OVMF with SecureBoot, which enables UEFI support for Virtual Machines.

BZ#1598266

When a system had many FC LUNs with many paths per LUN, and a high I/O load, scanning of FC devices became slow, causing timeouts in monitoring VM disk size, and making VMs non-responsive. In this release, FC scans have been optimized for speed, and VMs are much less likely to become non-responsive.

BZ#1612152

Previously, Virtual Data Optimizer (VDO) statistics were not available for VDO volumes with an error, so VDO monitoring from VDSM caused a traceback. This update fixes the issue by correctly handling the different outputs from the VDO statistics tool.

BZ#1688159

Previously, when a virtual machine migration entered post-copy mode and remained in that mode for a long time, the migration sometimes failed and the migrated virtual machine was powered off. In this release, post-copy migrations are maintained to completion.

BZ#1711902

In a Red Hat Virtualization (RHV) environment with VDSM version 4.3 and Manager version 4.1, the DiskTypes are parsed as int values. However, in an RHV environment with Manager version > 4.1, the DiskTypes are parsed as strings. That compatibility mismatch produced an error: "VDSM error: Invalid parameter: 'DiskType=2'". The current release fixes this issue by changing the string value back to an int, so the operation succeeds with no error.

BZ#1759388

Previously, ExecStopPost was present in the VDSM service file. This meant that, after stopping VDSM, some of its child processes could continue and, in some cases, lead to data corruption. The current release fixes this issue. It removes ExecStopPost from the VDSM service. As a result, terminating VDSM also stops its child processes.

BZ#1771977

On RHV-4.4, NetworkManager manages the interface and static routes. As a result, you can make more robust modifications to static routes using Network Manager Stateful Configuration (nmstate).

BZ#1783180

Previously, a problem with AMD EPYC CPUs that were missing the virt-ssbd CPU flag prevented Hosted Engine installation. The current release fixes this issue.

BZ#1783815

Previously, if a virtual machine (VM) was forcibly shut down by SIGTERM, in some cases the VDSM did not handle the libvirt shutdown event that contained information about why the VM was shut down and evaluated it as if the guest had initiated a clean shutdown. The current release fixes this issue: VDSM handles the shutdown event, and the Manager restarts the high-availability VMs as expected.

BZ#1813028

Previously, if you exported a virtual machine (VM) as an Open Virtual Appliance (OVA) file from a host that was missing a loop device, and imported the OVA elsewhere, the resulting VM had an empty disk (no OS) and could not run. This was caused by a timing and permissions issue related to the missing loop device. The current release fixes the timing and permission issues. As a result, the VM to OVA export includes the guest OS. Now, when you create a VM from the OVA, the VM can run.

BZ#1816327

Previously, if you tried to start an already-running virtual machine (VM) on the same host, VDSM failed this operation too late and the VM on the host became hidden from the RHV Manager. The current release fixes the issue: VDSM immediately rejects attempts to start a running VM on the same host.

BZ#1834873

Previously, retrieving host capabilities failed for specific non-NUMA CPU topologies. The current release fixes this issue and correctly reports the host capabilities for those topologies.

BZ#1581417

All new clusters with x86 architecture and compatibility version 4.4 or higher now set the BIOS Type to the Q35 Chipset by default, instead of the i440FX chipset.

BZ#1595536

When a host is running in FIPS mode, VNC must use SASL authorization instead of regular passwords because of a weak algorithm inherent to the VNC protocol. The current release facilitates using SASL by providing an Ansible role, ovirt-host-setup-vnc-sasl, which you can run manually on FIPS-enabled hosts. This role does the following:

  • Creates an empty SASL password database.
  • Prepares the SASL config file for qemu.
  • Changes the libvirt config file for qemu.

BZ#1639360

Previously, mixing the Logical Volume Manager (LVM) activation and deactivation commands with other commands caused possible undefined LVM behavior and warnings in the logs. The current release fixes this issue. It runs the LVM activation and deactivation commands separately from other commands. This results in well-defined LVM behavior and clear errors in case of failure.

BZ#1722854

Previously, while VDSM was starting, the definition of the network filter vdsm-no-mac-spoofing was removed and recreated to ensure the filter was up to date. This occasionally resulted in a timeout during the start of VDSM. The current release fixes this issue. Instead of removing and recreating the filter, the vdsm-no-mac-spoofing filter is updated during the start of the VDSM. This update takes less than a second, regardless of the number of vNICs using this filter.

BZ#1723668

Previously, during virtual machine shut down, the VDSM command Get Host Statistics occasionally failed with an Internal JSON-RPC error {'reason': '[Errno 19] vnet<x> is not present in the system'}. This failure happened because the shutdown could make an interface disappear while statistics were being gathered. The current release fixes this issue. It prevents such failures from being reported.

BZ#1739557

With this update, you can enable encryption for live migration of virtual machines between hosts in the same cluster. This provides more protection to data transferred between hosts. You can enable or disable encryption in the Administration Portal, in the Edit Cluster dialog box, under Migration Policy > Additional Properties. Encryption is disabled by default.

BZ#1788783

Previously, when migrating a virtual machine, information about the running guest agent was not always passed to the destination host. In these cases, the migrated virtual machine on the destination host did not receive an after_migration life cycle event notification. This update fixes this issue. The after_migration notification works as expected now.

BZ#1659574

Previously, after upgrading RHV 4.1 to a later version, high-availability virtual machines (HA VMs) failed validation and did not run. To run the VMs, the user had to reset the lease Storage Domain ID. The current release fixes this issue: It removes the validation and regenerates the lease information data when the lease Storage Domain ID is set. After upgrading RHV 4.1, HA VMs with lease Storage Domain IDs run.

BZ#1684266

When a large disk is converted as part of VM export to OVA, it takes a long time. Previously, the SSH channel used by the export script timed out and closed due to the long period of inactivity, leaving an orphan volume. The current release fixes this issue: Now, the export script adds some traffic to the SSH channel during disk conversion to prevent the SSH channel from being closed.

BZ#1713724

Previously, converting a storage domain to the V5 format failed when, following an unsuccessful delete volume operation, partly-deleted volumes with cleared metadata remained in the storage domain. The current release fixes this issue. Converting a storage domain succeeds even when partly-deleted volumes with cleared metadata remain in the storage domain.

BZ#1724002

Previously, cloud-init could not be used on hosts with FIPS enabled. With this update, cloud-init can be used on hosts with FIPS enabled.

BZ#1749630

Previously, the Administration Portal showed very high memory usage for a host with no virtual machines running because it was not counting slab reclaimable memory. As a result, virtual machines could not be migrated to that host. The current release fixes that issue. The free host memory is evaluated correctly.

BZ#1688052

Previously, the gluster fencing policy check failed due to a non-iterable object and threw an exception. The code also contained a minor typo. The current release fixes these issues.

BZ#1836609

Previously, the slot parameter was parsed as a string, causing disk rollback to fail during the creation of a virtual machine from a template when using an Ansible script. Note that there was no such failure when using the Administration Portal to create a virtual machine from a template. With this update, the slot parameter is parsed as an int, so disk rollback and virtual machine creation succeed.

Chapter 2. RHSA-2020:3247-08 Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update

The bugs in this chapter are addressed by advisory RHSA-2020:3247-08. Further information about this advisory is available at https://access.redhat.com/errata/RHSA-2020:3247.

2.1. apache-commons-configuration

BZ#1798117

Rebase of the apache-commons-configuration package to version 1.10. This update includes minor bug fixes and enhancements. Apache release notes are available here: https://commons.apache.org/proper/commons-configuration/changes-report.html#a1.10

2.2. apache-commons-digester

BZ#1798114

Rebase of the apache-commons-digester package to version 2.1. This update is a minor release with new features. Apache release notes are available here: http://commons.apache.org/proper/commons-digester/commons-digester-2.1/RELEASE-NOTES.txt

2.3. apache-sshd

BZ#1796809

The apache-sshd library is not bundled anymore in the rhvm-dependencies package. The apache-sshd library is now packaged in its own rpm package.

2.4. distribution

BZ#1798127

apache-commons-collections4 has been packaged for Red Hat Virtualization Manager consumption. The package is an extension of the Java Collections Framework.

BZ#1807047

The m2crypto package has been built for use with the current version of RHV Manager. This package enables you to call OpenSSL functions from Python scripts.

2.5. makeself

BZ#1700867

The makeself package has been rebased to version: 2.4.0. Highlights, important fixes, or notable enhancements:

  • v2.3.0: Support for archive encryption via GPG or OpenSSL. Added LZO and LZ4 compression support. Options to set the packaging date and stop the umask from being overridden. Optionally ignore check for available disk space when extracting. New option to check for root permissions before extracting.
  • v2.3.1: Various compatibility updates. Added unit tests for Travis CI in the GitHub repo. New --tar-extra, --untar-extra, --gpg-extra, --gpg-asymmetric-encrypt-sign options.
  • v2.4.0: Added optional support for SHA256 archive integrity checksums.

2.6. openstack-java-sdk

BZ#1698009

The openstack-java-sdk package has been rebased to version: 3.2.8. Highlights and notable enhancements: Refactored the package to use newer versions of these dependent libraries:

  • Upgraded jackson to com.fasterxml version 2.9.x
  • Upgraded commons-httpclient to org.apache.httpcomponents version 4.5

2.7. ovirt-cockpit-sso

BZ#1826248

Previously, the 'Host console SSO' feature did not work with python3, which is the default python on RHEL 8. The code was initially written for Python2 and was not properly modified for Python3. The current release fixes this issue: The 'Host console SSO' feature works with Python3.

BZ#1701530

Rebase package(s) to version: 0.1.2

With this update, the ovirt-cockpit-sso package supports RHEL 8.

2.8. ovirt-engine

BZ#1670102

Previously, to get the Cinder Library (cinderlib), you had to install the OpenStack repository. The current release fixes this issue by providing a separate repository for cinderlib.

To enable the repository, enter:

$ dnf config-manager --set-enabled rhel-8-openstack-cinderlib-rpms

To install cinderlib, enter:

$ sudo dnf install python3-cinderlib

BZ#1687345

Previously, RHV Manager created live virtual machine snapshots synchronously. If creating the snapshot exceeded the timeout period (default 180 seconds), the operation failed. These failures tended to happen with virtual machines that had large memory loads or clusters that had slow storage speeds.

With this enhancement, the live snapshot operation is asynchronous and runs until it is complete, regardless of how long it takes.

BZ#1797316

Upgrade package(s) to version: rhv-4.4.0-23

Highlights and important bug fixes: Enhancements to VM snapshots caused a regression due to inconsistencies between the VDSM and RHV Manager versions. This upgrade fixes the issue by synchronizing the RHV Manager version to match the VDSM version.

BZ#1806276

Previously, the ovirt-provider-ovn network provider was non-functional on RHV 4.3.9 Hosted-Engine. This happened because, with FDP 20.A (bug 1791388), the OVS/OVN service no longer had the permissions to read the private SSL/TLS key file. The current release fixes this issue: It updates the private SSL/TLS key file permissions. OVS/OVN reads the key file and works as expected.

BZ#1821164

While the RHV Manager is creating a virtual machine (VM) snapshot, it can time out and fail while trying to freeze the file system. If this happens, more than one VM can write data to the same logical volume and corrupt the data on it. In the current release, you can prevent this condition by configuring the Manager to freeze the VM’s guest filesystems before creating a snapshot. To enable this behavior, run the engine-config tool and set the LiveSnapshotPerformFreezeInEngine key-value pair to true.

BZ#1829656

Known issue: Unsubscribed RHVH hosts do not get package updates when you perform a 'Check for upgrade' operation. Instead, you get a 'no updates found' message. This happens because RHVH hosts that are not registered to Red Hat Subscription Management (RHSM) do not have repos enabled. Workaround: To get updates, register the RHVH host with Red Hat Subscription Management (RHSM).

BZ#1325468

After a high-availability virtual machine (HA VM) crashes, the RHV Manager tries to restart it indefinitely. At first, it does so with a short delay between restarts. After a specified number of failed retries, the delay is longer.

Also, the Manager starts crashed HA VMs in order of priority, delaying lower-priority VMs until higher-priority VMs are 'Up.'

The current release adds new configuration options:

  • RetryToRunAutoStartVmShortIntervalInSeconds, the short delay, in seconds. The default value is 30.
  • RetryToRunAutoStartVmLongIntervalInSeconds, the long delay, in seconds. The default value is 1800, which equals 30 minutes.
  • NumOfTriesToRunFailedAutoStartVmInShortIntervals, the number of restart tries with short delays before switching to long delays. The default value is 10 tries.
  • MaxTimeAutoStartBlockedOnPriority, the maximum time, in minutes, before starting a lower-priority VM. The default value is 10 minutes.

BZ#1358501

Network operations that span multiple hosts may take a long time. This enhancement shows you when these operations finish: It records start and end events in the Events Tab of the Administration Portal and engine.log. If you use the Administration Portal to trigger the network operation, the portal also displays a pop-up notification when the operation is complete.

BZ#1547937

This release adds a progress bar for the disk synchronization stage of Live Storage Migration.

BZ#1593800

When creating a new MAC address pool, its ranges must not overlap with each other or with any ranges in existing MAC address pools.

BZ#1643886

This update adds support for Hyper V enlightenment for Windows virtual machines on hosts running RHEL 8.2 with cluster compatibility level set to 4.4. Specifically, Windows virtual machines now support the following Hyper V functionality:

  • reset
  • vpindex
  • runtime
  • frequencies
  • reenlightenment
  • tlbflush

BZ#1650505

Previously, after increasing the cluster compatibility version of a cluster with virtual machines that had outstanding configuration changes, those changes were reverted. The current release fixes this issue. It applies both the outstanding configuration changes and the new cluster compatibility version to the virtual machines.

BZ#1651406

The current release enables you to migrate a group of virtual machines (VMs) that are in positive enforcing affinity with each other.

BZ#1658101

In this release, when updating a Virtual Machine using a REST API, not specifying the console value now means that the console state should not be changed. As a result, the console keeps its previous state.

BZ#1664479

When you use the engine ("Master") to set the high-availability host running the engine virtual machine (VM) to maintenance mode, the ovirt-ha-agent migrates the engine VM to another host. Previously, in specific cases, such as when these VMs had an old compatibility version, this type of migration failed. The current release fixes this problem.

BZ#1700036

This enhancement adds support for DMTF Redfish to RHV. To use this functionality, you use the Administration Portal to edit a Host’s properties. On the Host’s Power Management tab, you click + to add a new power management device. In the Edit fence agent window, you set Type to redfish and fill in additional details like login information and IP/FQDN of the agent.

BZ#1703112

In some scenarios, the PCI address of a hotplugged SR-IOV vNIC was overwritten by an empty value, and as a result, the NIC name in the virtual machine was changed following a reboot. In this release, the vNIC PCI address is stored in the database and the NIC name persists following a virtual machine reboot.

BZ#1707225

Before this update, there was no way to back up and restore the Cinderlib database. With this update, the engine-backup command includes the Cinderlib database.

For example, to back up the engine including the Cinderlib database:

# engine-backup --scope=all --mode=backup --file=cinderlib_from_old_engine --log=log_cinderlib_from_old_engine

To restore this same database:

# engine-backup --mode=restore --file=/root/cinderlib_from_old_engine --log=/root/log_cinderlib_from_old_engine --provision-all-databases --restore-permissions

BZ#1712890

With this update, when you upgrade RHV, engine-setup notifies you if virtual machines in the environment have snapshots whose cluster levels are incompatible with the RHV version you are upgrading to. It is safe to let it proceed, but it is not safe to use these snapshots after the upgrade. For example, it is not safe to preview these snapshots.

There is an exception to the above: engine-setup does not notify you if the virtual machine is running the Manager as a self-hosted engine. For hosted-engine, it provides an automatic "Yes" and upgrades the virtual machine without prompting or notifying you. It is unsafe to use snapshots of the hosted-engine virtual machine after the upgrade.

BZ#1718818

This enhancement enables you to attach a SCSI host device, scsi_hostdev, to a virtual machine and specify the optimal driver for the type of SCSI device:

  • scsi_generic: (Default) Enables the guest operating system to access OS-supported SCSI host devices attached to the host. Use this driver for SCSI media changers that require raw access, such as tape or CD changers.
  • scsi_block: Similar to scsi_generic but with better speed and reliability. Use for SCSI disk devices. If trim or discard for the underlying device is desired, and it’s a hard disk, use this driver.
  • scsi_hd: Provides performance with lowered overhead. Supports large numbers of devices. Uses the standard SCSI device naming scheme. Can be used with aio-native. Use this driver for high-performance SSDs.
  • virtio_blk_pci: Provides the highest performance without the SCSI overhead. Supports identifying devices by their serial numbers.

BZ#1729511

During installation or upgrade to Red Hat Virtualization 4.3, engine-setup failed if the PKI Organization Name in the CA certificate included non-ASCII characters. In this release, the upgrade engine-setup process completes successfully.

BZ#1729811

Previously, the guest_cur_user_name of the vm_dynamic database table was limited to 255 characters, not enough for more than approximately 100 user names. As a result, when too many users logged in, updating the table failed with an error. The current release fixes this issue by changing the field type from VARCHAR(255) to TEXT.

BZ#1731590

Before this update, previewing a snapshot of a virtual machine, where the snapshot of one or more of the machine’s disks did not exist or had no image with active set to "true", caused a null pointer exception to appear in the logs, and the virtual machine remained locked. With this update, before a snapshot preview occurs, a database query checks for any damaged images in the set of virtual machine images. If the query finds a damaged image, the preview operation is blocked. After you fix the damaged image, the preview operation should work.

BZ#1733031

To transfer virtual machines between data centers, you use data storage domains because export domains were deprecated. However, moving a data storage domain to a data center that has a higher compatibility level (DC level) can upgrade its storage format version, for example, from V3 to V5. This higher format version can prevent you from reattaching the data storage domain to the original data center and transferring additional virtual machines.

In the current release, if you encounter this situation, the Administration Portal asks you to confirm that you want to update the storage domain format, for example, from 'V3' to 'V5'. It also warns that you will not be able to attach it back to an older data center with a lower DC level.

To work around this issue, you can create a destination data center that has the same compatibility level as the source data center. When you finish transferring the virtual machines, you can increase the DC level.

BZ#1743269

Previously, upgrading RHV from version 4.2 to 4.3 made the 10-setup-ovirt-provider-ovn.conf file world-readable. The current release fixes this issue, so the file has no unnecessary permissions.

BZ#1745384

Previously, trying to update the IPv6 gateway in the Setup Networks dialog removed it from the network attachment. The current release fixes this issue: You can update the IPv6 gateway if the related network has the default route role.

BZ#1749284

Before this update, the live snapshot operation was synchronous, so if VDSM required more than 180 seconds to create a snapshot, the operation failed. This prevented snapshots of some virtual machines, such as those with large memory loads or slow storage.

With this update, the live snapshot operation is asynchronous, so the operation runs until it ends successfully, regardless of how long it takes.

BZ#1750212

Previously, when you tried to delete the snapshot of a virtual machine with a LUN disk, RHV parsed its image ID incorrectly and used "mapper" as its value. This issue produced a null pointer error (NPE) and made the deletion fail. The current release fixes this issue, so the image ID parses correctly and the deletion succeeds.

BZ#1764943

Previously, while creating virtual machine snapshots, if the VDSM command to freeze a virtual machine’s file systems exceeded the snapshot command’s 3-minute timeout period, creating snapshots failed, causing virtual machines and disks to lock.

The current release adds two key-value pairs to the engine configuration. You can configure these using the engine-config tool:

  • Setting LiveSnapshotPerformFreezeInEngine to true enables the Manager to freeze VMs' file systems before it creates a snapshot of them.
  • Setting LiveSnapshotAllowInconsistent to true enables the Manager to continue creating snapshots if it fails to freeze VMs' file systems.

BZ#1767319

In this release, modifying a MAC address pool or the range of a MAC address pool in a way that overlaps with existing MAC address pool ranges is strictly forbidden.
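The overlap test this rule implies, as an added example that is not the Manager's own validation code: MAC addresses are converted to integers and inclusive ranges are compared. The pool names and addresses are constructed, and treating ranges as inclusive and ignoring the pool being edited are assumptions.

```python
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def mac_to_int(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' to its 48-bit integer value."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def parse_range(start, end):
    """Return (low, high) integers for an inclusive MAC range."""
    lo, hi = mac_to_int(start), mac_to_int(end)
    if lo > hi:
        raise ValueError(f"range start {start} is above range end {end}")
    return lo, hi


def overlapping_pools(candidate, existing, skip_pool=None):
    """List (pool, start, end) for every existing range that shares at least
    one address with the candidate range.

    candidate: (start, end) strings
    existing:  {pool name: [(start, end), ...]}
    skip_pool: name of the pool being edited, whose old ranges are ignored
    """
    c_lo, c_hi = parse_range(*candidate)
    hits = []
    for pool, ranges in existing.items():
        if pool == skip_pool:
            continue
        for start, end in ranges:
            lo, hi = parse_range(start, end)
            # Two inclusive intervals overlap when each starts before the other ends.
            if c_lo <= hi and lo <= c_hi:
                hits.append((pool, start, end))
    return hits


# Constructed pools using locally administered addresses.
POOLS = {
    "Default": [("02:00:00:00:01:00", "02:00:00:00:01:ff")],
    "lab": [("02:00:00:00:03:00", "02:00:00:00:03:ff")],
}

if __name__ == "__main__":
    for cand in [("02:00:00:00:01:80", "02:00:00:00:02:10"),
                 ("02:00:00:00:02:00", "02:00:00:00:02:ff")]:
        print(cand, "->", overlapping_pools(cand, POOLS) or "no overlap")
```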

BZ#1768844

With this enhancement, when you add a host to a cluster, it has the advanced virtualization channel enabled, so the host uses the latest supported libvirt and qemu packages.

BZ#1769463

Previously, in a large environment, the oVirt REST API was slow to respond to a request for the cluster list. This slowness was caused by processing a lot of surplus data from the engine database about out-of-sync hosts on the cluster, data that was ultimately not included in the response. The current release fixes this issue. The query excludes the surplus data, and the API responds quickly.

BZ#1819960

Previously, if you used the update template script example of the ovirt-engine-sdk to import a virtual machine or template from an OVF configuration, it failed with a null-pointer exception (NPE). This happened because the script example did not supply the Storage Pool Id and Source Storage Domain Id. The current release fixes this issue. Now, the script gets the correct ID values from the image, so importing a template succeeds.

BZ#1821930

With this enhancement, RHEL 7-based hosts have SPICE encryption enabled during host deployment. Only TLSv1.2 and newer protocols are enabled. Available ciphers are limited as described in BZ1563271.

RHEL 8-based hosts do not have SPICE encryption enabled. Instead, they rely on defined RHEL crypto policies (similar to VDSM BZ1179273).

BZ#1834523

Previously, adding or removing a smart card to a running virtual machine did not work. The current release fixes this issue. When you add or remove a smart card, it saves this change to the virtual machine’s next run configuration. In the Administration Portal, the virtual machine indicates that a next run configuration exists, and lists "Smartcard" as a changed field. When you restart the virtual machine, it applies the new configuration to the virtual machine.

BZ#1838493

Previously, creating a live snapshot with memory while LiveSnapshotPerformFreezeInEngine was set to True resulted in a virtual machine file system that was frozen when previewing or committing the snapshot with memory restore. In this release, the virtual machine runs successfully after creating a preview snapshot from a memory snapshot.

BZ#1845473

Previously, exporting a virtual machine or template to an OVA file incorrectly set its format in the OVF metadata file to "RAW". This issue caused problems using the OVA file. The current release fixes this issue. Exporting to OVA sets the format in the OVF metadata file to "COW", which represents the disk’s actual format, qcow2.

BZ#1080097

In this release, it is now possible to edit the properties of a Floating Disk in the Storage > Disks tab of the Administration Portal. For example, the user can edit the Description, Alias, and Size of the disk.

BZ#1427717

The current release adds the ability for you to select affinity groups while creating or editing a virtual machine (VM) or host. Previously, you could only add a VM or host by editing an affinity group.

BZ#1546838

The current release displays a new warning when you use 'localhost' as an FQDN: "[WARNING] Using the name 'localhost' is not recommended, and may cause problems later on."

BZ#1585986

Previously, if you lowered the cluster compatibility version, the change did not propagate to the self-hosted engine virtual machine. As a result, the self-hosted engine virtual machine was not compatible with the new cluster version; you could not start or migrate it to another host in the cluster. The current release fixes this issue: The lower cluster compatibility version propagates to the self-hosted engine virtual machine; you can start and migrate it.

BZ#1647440

The current release adds a new feature: On the VM list page, the tooltip for the VM type icon shows a list of the fields you have changed between the current and the next run of the virtual machine.

BZ#1656621

Previously, an imported VM always had 'Cloud-Init/Sysprep' turned on. The Manager created a VmInit even when one did not exist in the OVF file of the OVA. The current release fixes this issue: The imported VM only has 'Cloud-Init/Sysprep' turned on if the OVA had it enabled. Otherwise, it is disabled.

BZ#1666913

With this enhancement, if a network name contains spaces or is longer than 15 characters, the Administration Portal notifies you that the RHV Manager will rename the network using the host network’s UUID as a basis for the new name.

BZ#1671876

Suppose a Host has a pair of bonded NICs using (Mode 1) Active-Backup. Previously, the user clicked Refresh Capabilities to get the current status of this bonded pair. In the current release, if the active NIC changes, it refreshes the state of the bond in the Administration Portal and REST API. You do not need to click Refresh Capabilities.

BZ#1679110

This enhancement moves the pop-up ("toast") notifications from the upper right corner to the lower right corner, so they no longer cover the action buttons. Now, the notifications rise from the bottom right corner to within 400 px of the top.

BZ#1679471

Previously, the console client resources page showed truncated titles for some locales. The current release fixes this issue. It re-arranges the console client resources page layout as part of migrating from Patternfly 3 to Patternfly 4 and fixes the truncated titles.

BZ#1700021

Previously, if a Certificate Authority ca.pem file was not present, the engine-setup tool automatically regenerated all PKI files, requiring you to reinstall or re-enroll certificates for all hosts.

Now, if ca.pem is not present but other PKI files are, engine-setup prompts you to restore ca.pem from backup without regenerating all PKI files. If a backup is present and you select this option, then you no longer need to reinstall or re-enroll certificates for all hosts.

BZ#1710491

With this enhancement, an EVENT_ID is logged when a virtual machine’s guest operating system reboots. External systems such as CloudForms and ManageIQ rely on the EVENT_ID log messages to keep track of the virtual machine’s state.

BZ#1716590

With this enhancement, on the "System" tab of the "New Virtual Machine" and "Edit Virtual Machine" windows, the "Serial Number Policy" displays the value of the "Cluster default" setting. If you are adding or editing a VM and are deciding whether to override the cluster-level serial number policy, seeing that information here is convenient. Previously, to see the cluster’s default serial number policy, you had to close the VM window and navigate to the Cluster window.

BZ#1728472

Previously, the RHV Manager reported network out of sync because the Linux kernel applied the default gateway IPv6 router advertisements, and the IPv6 routing table was not configured by RHV. The current release fixes this issue. The IPv6 routing table is configured by RHV. NetworkManager manages the default gateway IPv6 router advertisements.

BZ#1730264

Previously, enabling port mirroring on networks whose user-visible name was longer than 15 characters failed. This happened because port mirroring tried to use this long user-visible network name, which was not a valid network name. The current release fixes this issue. Now, instead of the user-visible name, port mirroring uses the VDSM network name. Therefore, you can enable port mirroring for networks whose user-visible name is longer than 15 characters.

BZ#1740978

When a VM from the older compatibility version is imported, its configuration has to be updated to be compatible with the current cluster compatibility version. This enhancement adds a warning to the audit log that lists the updated parameters.

BZ#1754363

With this release, the number of DNS configuration SQL queries that the Red Hat Virtualization Manager runs is significantly reduced, which improves the Manager’s ability to scale.

BZ#1758289

When you remove a host from the RHV Manager, it can create duplicate entries for a host-unreachable event in the RHV Manager database. Later, if you add the host back to the RHV Manager, these entries can cause networking issues. With this enhancement, if this type of event happens, the RHV Manager prints a message to the events tab and log. The message notifies users of the issue and explains how to avoid networking issues if they add the host back to RHV Manager.

BZ#1788424

Previously, if you disabled the virtio-scsi drive and imported the virtual machine that had a direct LUN attached, the import validation failed with a "Cannot import VM. VirtIO-SCSI is disabled for the VM" error. This happened because the validation tried to verify that the virtio-scsi drive was still attached to the VM. The current release fixes this issue. If the Disk Interface Type is not virtio-scsi, the validation does not search for the virtio-scsi drive. Disk Interface Type uses an alternative driver, and the validation passes.

BZ#1810893

Previously, using the Administration Portal to import a storage domain omitted custom mount options for NFS storage servers. The current release fixes this issue by including the custom mount options.

BZ#1812875

Previously, when the Administration Portal was configured to use French language, the user could not create virtual machines. This was caused by French translations that were missing from the user interface. The current release fixes this issue. It provides the missing translations. Users can configure and create virtual machines while the Administration Portal is configured to use the French language.

BZ#1475774

Previously, when creating/managing an iSCSI storage domain, there was no indication that the operation may take a long time. In this release, the following message has been added: “Loading… A large number of LUNs may slow down the operation.”

BZ#1600059

Previously, when High Availability was selected for a new virtual machine, the Lease Storage Domain was set to a bootable Storage Domain automatically if the user did not already select one. In this release, a bootable Storage Domain is set as the lease Storage Domain for new High Availability virtual machines.

BZ#1640908

Previously, if there were hundreds of Fiber Channel LUNs, the Administration Portal dialog box for adding or managing storage domains took too long to render and might become unresponsive. This enhancement improves performance: It displays a portion of the LUNs in a table and provides right and left arrows that users can click to see the next or previous set of LUNs. As a result, the window renders normally and remains responsive regardless of how many LUNs are present.

BZ#1650417

Previously, if a host failed and the RHV Manager tried to start the high-availability virtual machine (HA VM) before the NFS lease expired, OFD locking caused the HA VM to fail with the error "Failed to get "write" lock Is another process using the image?" If the HA VM failed three times in a row, the Manager could not start it again, breaking the HA functionality. The current release fixes this issue. The RHV Manager continues trying to start the VM even after three failures (the frequency of the attempts decreases over time). Eventually, once the lock expires, the VM starts.

BZ#1659161

Previously, changing the template version of a VM pool created from a delete-protected VM made the VM pool non-editable and unusable. The current release fixes this issue: It prevents you from changing the template version of the VM pool whose VMs are delete-protected and fails with an error message.

BZ#1683108

This release adds a new 'status' column to the affinity group table that shows whether all of an affinity group’s rules are satisfied (status = ok) or not (status = broken). The "Enforcing" option does not affect this status.

BZ#1692592

Previously, items with number ten and higher on the BIOS boot menu were not assigned sequential indexes. This made it difficult to select those items. The current release fixes this issue. Now, items ten and higher are assigned letter indexes. Users can select those items by entering the corresponding letter.

BZ#1693628

Previously, the state of the user session was not saved correctly in the Engine database, causing many unnecessary database updates to be performed. The current release fixes this issue: Now, the user session state is saved correctly on the first update.

BZ#1693813

Previously, if you updated the Data Center (DC) level, and the DC had a VM with a lower custom compatibility level than the DC’s level, the VM could not resume due to a "not supported custom compatibility version." The current release fixes this issue: It validates the DC before upgrading the DC level. If the validation finds VMs with old custom compatibility levels, it does not upgrade the DC level: Instead, it displays "Cannot update Data Center compatibility version. Please resume/power off the following VMs before updating the Data Center."

BZ#1696245

Previously, while cloning a virtual machine, you could only edit the name of the virtual machine in the Clone Virtual Machine window. With this enhancement, you can fully customize any of the virtual machine settings in the Clone Virtual Machine window. This means, for example, that you can clone a virtual machine into a different storage domain.

BZ#1700338

This enhancement enables you to use the RHV Manager’s REST API to manage subscriptions and receive notifications based on specific events. In previous versions, you could do this only in the Administration Portal.

BZ#1703428

Previously, when importing a virtual machine from KVM into Red Hat Virtualization, "Hardware Clock Time Offset" was not set. As a result, the Manager machine did not recognize the guest agent installed in the virtual machine. In this release, the Manager machine recognizes the guest agent on a virtual machine imported from KVM, and the "Hardware Clock Time Offset" won’t be null.

BZ#1712255

Support for datacenter and cluster levels earlier than version 4.2 has been removed.

BZ#1731212

Previously, the RHV landing page did not support scrolling. With lower screen resolutions, some users could not use the log in menu option for the Administration Portal or VM Portal. The current release fixes this issue by migrating the landing and login pages to PatternFly 4, which displays horizontal and vertical scroll bars when needed. Users can access the entire screen regardless of their screen resolution or zoom setting.

BZ#1733843

Previously, exporting a virtual machine (VM) to an Open Virtual Appliance (OVA) file archive failed if the VM was running on the Host performing the export operation. The export process failed because doing so created a virtual machine snapshot, and while the image was in use, the RHV Manager could not tear down the virtual machine. The current release fixes this issue. If the VM is running, the RHV Manager skips tearing down the image. Exporting the OVA of a running VM succeeds.

BZ#1737234

Previously, if you sent the RHV Manager an API command to attach a non-existing ISO to a VM, it attached an empty CD or left an existing one intact. The current release fixes this issue. Now, the Manager checks if the specified ISO exists, and throws an error if it doesn’t.

BZ#1745019

The current release adds support for running virtual machines on hosts that have an Intel Snow Ridge CPU. There are two ways to enable this capability:

  • Enable a virtual machine’s Pass-Through Host CPU setting and configure it to Start Running On on Specific Host(s) that have a Snow Ridge CPU.
  • Set cpuflags in the virtual machine’s custom properties to +gfni,+cldemote.

BZ#1751215

Previously, after upgrading RHV from version 4.1 to 4.3, the Graphical Console for the self-hosted engine virtual machine was locked because the default display in version 4.1 is VGA. The current release fixes this issue. While upgrading to version 4.3, it changes the default display to VNC. As a result, the Graphical Console for the Hosted-Engine virtual machine is changeable.

BZ#1777954

Previously, for the list of virtual machine templates in the Administration Portal, a paging bug hid every other page, and the templates on those pages, from view. The current release fixes this issue and displays every page of templates correctly.

BZ#1779580

The current release updates the Documentation section of the RHV welcome or landing page. This makes it easier to access the current documentation and facilitates access to translated documentation in the future.

  • The links now point to the online documentation on the Red Hat customer portal.
  • The "Introduction to the Administration Portal" guide and "REST API v3 Guide" are now obsolete and have been removed.
  • The rhvm-doc package is obsolete and has been removed.

BZ#1784049

Previously, if you ran a virtual machine (VM) with an old operating system such as RHEL 6 and the BIOS Type was a Q35 Chipset, it caused a kernel panic. The current release fixes this issue. If a VM has an old operating system and the BIOS Type is a Q35 Chipset, it uses the VirtIO-transitional model for some devices, which enables the VM to run normally.

BZ#1831031

This enhancement increases the maximum memory limit for virtual machines to 6TB. This also applies to virtual machines with cluster level 4.3 in RHV 4.4.

BZ#1679730

This update adds an audit log warning on an out-of-range IPv4 gateway static configuration for a host NIC. The validity of the gateway is assessed against the configured IP address and netmask. This gives users better feedback and helps them notice incorrect configurations.

BZ#1698102

Previously, engine-setup did not provide enough information about configuring ovirt-provider-ovn. The current release fixes this issue by providing more information in the engine-setup prompt and documentation that helps users understand their choice and follow-up actions.

BZ#1720795

Previously, the Manager searched for guest tools only on ISO domains, not data domains. The current release fixes this issue: Now, if the Manager detects a new tool on data domains or ISO domains, it displays a mark for the Windows VM.

BZ#1770237

Previously, the virtual machine (VM) instance type edit and create dialog displayed a vNIC profile editor. This item gave users the impression they could associate a vNIC profile with an instance type, which is not valid. The current release fixes this issue by removing the vNIC profile editor from the instance edit and create dialog.

2.9. ovirt-engine-metrics

BZ#1711006

This enhancement adds support for using the Metrics Store configuration file to set virtual machine NIC parameters. For example, this enhancement enables you to run the ovirt-metrics-store-installation playbook on a network that does not have DHCP.

2.10. ovirt-engine-ui-extensions

BZ#1714528

Previously, some HTML elements in the Cluster Upgrade dialog had missing or duplicated IDs, which impaired automated UI testing. The current release fixes this issue. It provides missing IDs and removes duplicates to improve automated UI testing.

2.11. ovirt-scheduler-proxy

BZ#1720686

With this rebase, the ovirt-scheduler-proxy packages have been updated to version 0.1.9, introducing support for RHEL 8 and a refactor of the code for Python3 and Java 11 support.

2.12. ovirt-web-ui

BZ#1750482

Previously, when you used the VM Portal to configure a virtual machine (VM) to use Windows OS, it failed with the error, "Invalid time zone for given OS type." This happened because the VM’s timezone for Windows OS was not set properly. The current release fixes this issue. If the time zone in the VM template or VM is not compatible with the VM OS, it uses the default time zone. For Windows, this default is "GMT Standard Time". For other OSs, it is "Etc/GMT". Now, you can use the VM Portal to configure a VM to use Windows OS.

BZ#1596178

Previously, the VM Portal was inconsistent in how it displayed pool cards. After a user took all of the virtual machines from them, the VM Portal removed automatic pool cards but continued displaying manual pool cards. The current release fixes this issue: VM Portal always displays a pool card, and the card has a new label that shows how many virtual machines the user can take from the pool.

BZ#1724959

Previously, the About dialog in the VM Portal provided a link to GitHub for reporting issues. However, RHV customers should use the Customer Portal to report issues. The current release fixes this issue. Now, the About dialog provides a link to the Red Hat Customer Portal.

BZ#1752995

With this update, the default action in the VM Portal’s dashboard for a running virtual machine is to open a console. Before this update, the default action was "Suspend".

Specifically, the default operation for a running VM is set to "SPICE Console" if the virtual machine supports SPICE, or "VNC Console" if the virtual machine only supports VNC.

For a virtual machine running in headless mode, the default action is still "Suspend".

2.13. rhv-log-collector-analyzer

BZ#1818745

With this release, Red Hat Virtualization is ported to Python 3. It no longer depends on Python 2.

BZ#1809875

Before this update, a problem in the per-Data-Center loop that collects image information caused incomplete data for analysis for all but the last Data-Center collected. With this update, the information is properly collected for all Data-Centers, resolving the issue.

2.14. rhvm-branding-rhv

BZ#1751268

The current release adds a new Insights section to the RHV welcome or landing page. This section contains two links:

  • "Insights Guide" links to the "Deploying Insights in Red Hat Virtualization Manager" topic in the Administration Guide.
  • "Insights Dashboard" links to the Red Hat Insights Dashboard on the Customer Portal at https://cloud.redhat.com/insights/overview

2.15. rhvm-dependencies

BZ#1796811

The apache-sshd library is not bundled anymore in the rhvm-dependencies package. The apache-sshd library is now packaged in its own rpm package.

BZ#1796817

The Object-Oriented SNMP API for Java Managers and Agents (snmp4j) library is no longer bundled with the rhvm-dependencies package. It is now provided as a standalone rpm package (Bug #1796815).

2.16. snmp4j

BZ#1796815

The Object-Oriented SNMP API for Java Managers and Agents (snmp4j) library has been packaged for RHV-M consumption. The library was previously provided by the rhvm-dependencies package and is now provided as a standalone package.

2.17. vdsm

BZ#1660071

Previously, when migrating a paused virtual machine, the Red Hat Virtualization Manager did not always recognize that the migration completed. With this update, the Manager immediately recognizes when migration is complete.

2.18. vulnerability

BZ#1767483

A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.

BZ#1801149

A flaw was found in quartz through version 2.3.0. An XXE attack is possible in the Terracotta Quartz Scheduler using a job description. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

BZ#1686454

A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or JavaScript into the rendered page when tooltip or popover events fired.

BZ#1764791

A flaw was found in Connect2id Nimbus JOSE+JWT prior to version 7.9. While processing JSON web tokens (JWT), nimbus-jose-jwt can throw various uncaught exceptions resulting in an application crash, information disclosure, or authentication bypass. The highest threat from this vulnerability is to data confidentiality and system availability.

BZ#1765660

An XSS vulnerability was discovered in noVNC in which arbitrary HTML could be injected into the noVNC web page. An attacker having access to a VNC server could use target host values in a crafted URL to gain access to secure information (such as VM tokens).

BZ#1781001

A cross-site scripting vulnerability was reported in the oVirt-engine’s OAuth authorization endpoint. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user’s oVirt session.

BZ#1828406

A cross-site scripting (XSS) vulnerability exists in jQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject JavaScript into the page where that input is rendered, and have it delivered by the browser.

BZ#1847420

An open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, which allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible. The highest threat from this vulnerability is to confidentiality.
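The usual defence against this class of flaw is to validate a redirect target on the server before issuing the redirect. The following is an added example, not ovirt-engine's fix: it accepts only same-site absolute paths or URLs whose scheme and host are on an allowlist, and falls back to a fixed page otherwise. The host name, paths and fallback are hypothetical, and the sample targets are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of (scheme, host) pairs the application may redirect to.
ALLOWED_ORIGINS = {("https", "engine.example.test")}
FALLBACK = "/"


def safe_redirect_target(target, allowed_origins=ALLOWED_ORIGINS, fallback=FALLBACK):
    """Return target if it is safe to redirect to, otherwise fallback."""
    if not isinstance(target, str) or not target:
        return fallback
    # Backslashes, whitespace and control characters are normalised differently
    # by browsers and by URL parsers, so refuse them outright.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F
           for ch in target):
        return fallback
    try:
        parts = urlsplit(target)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return fallback

    if not parts.scheme and not parts.netloc:
        # Relative reference: allow only a path anchored at the site root.
        # A leading "//" would be read by browsers as a new host.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback

    # Absolute or scheme-relative URL: no embedded credentials, no explicit
    # port, and the (scheme, host) pair must be allowlisted.
    if parts.username is not None or parts.password is not None or port is not None:
        return fallback
    origin = (parts.scheme.lower(), (parts.hostname or "").lower())
    return target if origin in allowed_origins else fallback


# Constructed sample targets.
SAMPLES = [
    "/dashboard?tab=vms",
    "https://engine.example.test/dashboard",
    "//other.example.test/login",
    "https://engine.example.test@other.example.test/",
    "https:other.example.test",
    "/\\other.example.test",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {safe_redirect_target(sample)!r}")
```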

2.19. ws-commons-util

BZ#1799171

With this rebase, the ws-commons-util package has been updated to version 1.0.2, which provides the following changes:

  • Updated a non-static "newDecoder" method in the Base64 class to be static.
  • Fixed the completely broken CharSetXMLWriter.

Chapter 3. RHSA-2020:3807-03 Moderate: Red Hat Virtualization security, bug fix, and enhancement update

The bugs in this chapter are addressed by advisory RHSA-2020:3807-03. Further information about this advisory is available at https://access.redhat.com/errata/RHSA-2020:3807.

3.1. ovirt-engine

BZ#1749803

This enhancement enables you to set the same target domain for multiple disks.

Previously, when moving or copying multiple disks, you needed to set the target domain for each disk separately. Now, if a common target domain exists, you can set it as the target domain for all disks.

If there is no common storage domain, such that not all disks are moved or copied to the same storage domain, set the common target domain as 'Mixed'.

BZ#1804037

Previously, the Memory scheduling filter did not correctly consider memory for huge pages. Consequently, the Manager tried to start virtual machines without huge pages on the memory dedicated to huge pages.

With this update, the Memory filter correctly considers huge page memory.

BZ#1804046

Previously the RHV Manager did not reduce scheduling memory when a virtual machine with dynamic hugepages was running. Instead, the Manager treated the memory occupied by dynamic hugepages as schedulable memory. As a result, the Manager scheduled more virtual machines on a host than could fit on it. The current release fixes this issue. Now, the Manager treats dynamic hugepages and the memory they occupy correctly.

BZ#1843234

Before this update, when using Firefox 74.0.1 and greater with Autofill enabled, the Administration Portal password was used to autofill the Sysprep Administrator password field in the Initial Run tab of the Run Virtual Machine(s) dialog. Validation of the dialog failed because the password did not match the Verify admin password field, which was not autofilled.

This issue has been resolved, and the browser no longer uses Autofill for the Sysprep admin password field.

BZ#1871235

Before this update, a virtual machine that was set with a High Performance profile using the REST API could not start if it had any USB devices, because the High Performance profile disabled the USB controller. Additionally, hosts in clusters with compatibility level 4.3 did not report the TSC frequency.

This update resolves these issues. TSC is no longer present for 4.3 clusters and the VM won’t have USB devices when there is no USB controller, allowing VMs to run normally.

BZ#1643520

Before this update, when updating a disk profile using the REST API, sending an empty QoS tag <qos /> had no effect. Consequently, it was not possible to remove QoS from the disk profile using the REST API.

This update resolves this issue, and now sending an empty QoS tag (<qos />) removes QoS from the disk profile.

BZ#1763812

The current release moves the button to Remove a virtual machine to the "more" menu (three dots in the upper-right area). This was done to improve usability: Too many users pressed the Remove button, mistakenly believing it would remove a selected item in the details view, such as a snapshot. They did not realize it would delete the virtual machine. The new location should help users avoid this kind of mistake.

BZ#1819260

The following search filter properties for Storage Domains have been enhanced:

  • 'size' changed to 'free_size'
  • 'total_size' added to the search engine options
  • 'used' changed to 'used_size'

For example, you can now use the following in the Storage Domains tab:

free_size > 6 GB and total_size < 20 GB

BZ#1674420

This update adds support for the following virtual CPU models:

  • Intel Cascade Lake Server
  • Intel Ivy Bridge

BZ#1806339

The current release changes the Huge Pages label to Free Huge Pages so it is easier to understand what the values represent.

3.2. ovirt-engine-ui-extensions

BZ#1875851

Firefox 68 ESR does not support several standard units in the <svg> tag. (For more information, see https://bugzilla.mozilla.org/show_bug.cgi?id=1287054.) Consequently, before this update, aggregated status card icons appeared larger than intended.

This update uses supported units to size icons, and as a result, icons appear correctly in Firefox 68 ESR and later.

3.3. vdsm

BZ#1869209

Before this update, adding hosts with newer Intel CPUs to IBRS family clusters could fail, and the spec_ctrl flag was not detected.

This update resolves the issue and you can now add hosts with modern Intel CPUs to the IBRS family clusters and the spec_ctrl flag is detected.

3.4. vulnerability

BZ#1828406

A cross-site scripting (XSS) vulnerability exists in jQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject JavaScript into the page where that input is rendered, and have it delivered by the browser.

BZ#1850004

A flaw was found in jQuery in versions beginning in 1.0.3 through 3.5.0. HTML containing ` elements from untrusted sources are passed, even after sanitizing, to one of jQuery’s DOM manipulation methods which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.

BZ#1858184

A flaw was found in the web interface of ovirt-engine 4.4.2 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user’s cookies or other confidential information, or impersonate them within the application’s context.

Chapter 4. RHSA-2020:5179-04 Low: Red Hat Virtualization security, bug fix, and enhancement update

The bugs in this chapter are addressed by advisory RHSA-2020:5179-04. Further information about this advisory is available at https://access.redhat.com/errata/RHSA-2020:5179.

4.1. ovirt-ansible-roles

BZ#1657294

With this enhancement, the user can change the HostedEngine VM name after deployment.

4.2. ovirt-engine

BZ#1702016

Previously, the Manager allowed adding or migrating hosts configured as self-hosted engine hosts to a data center or cluster other than the one in which the self-hosted engine VM is running, even though all self-hosted engine hosts should be in the same data center and cluster. The hosts' IDs were identical to what they were when initially deployed, causing a Sanlock error. Consequently, the agent failed to start.

With this update, an error is raised when adding a new self-hosted engine host or migrating an existing one to a data center or cluster other than the one in which the self-hosted engine is running.

To add or migrate a self-hosted engine host to a data center or cluster other than the one in which the self-hosted engine is running, you need to disable the host from being a self-hosted engine host by reinstalling it. Follow these steps in the Administration Portal:

  1. Move the host to Maintenance mode.
  2. Invoke Reinstall with the Hosted Engine UNDEPLOY option selected. If using the REST API, use the undeploy_hosted_engine parameter.
  3. Edit the host and select the target data center and cluster.
  4. Activate the host.

For details, see the Administration Guide or REST API Guide.

BZ#1745024

With this enhancement, the Intel Icelake Server Family is now supported in 4.4 and 4.5 compatibility levels.

BZ#1760170

Previously, the MAC Pool search functionality failed to find unused addresses. As a result, creating a vNIC failed. In this release, the MAC pool search is now able to locate an unused address in the pool, and all unused addresses are assigned from a pool.

BZ#1866862

Previously, Virtual Machines deployed on AMD EPYC hosts without NUMA enabled sometimes failed to start, with an unsupported configuration error reported. In this release, Virtual Machines start successfully on AMD EPYC hosts.

BZ#1888626

Ansible-2.9.14 is required for proper setup and functioning of Red Hat Virtualization Manager 4.4.3.

BZ#1361718

This enhancement provides support for attaching an emulated NVDIMM to virtual machines that are backed by NVDIMM on the host machine. For details, see https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/virtual_machine_management_guide/index#conc-nvdimm-host-devices_vm_guide_administrative_tasks

BZ#1797717

With this enhancement, you can now perform a free text search in the Administration Portal that includes internally defined keywords.

BZ#1808320

Previously, users with specific Data Center or Cluster permissions could not edit the cluster they have access to. In this release, users with specific Data Center or Cluster permissions can edit the cluster they have access to if they don’t change the MAC pool associated with the cluster or attempt to add a new MAC pool.

BZ#1879280

Default Data Center and Default Cluster, which are created during Red Hat Virtualization installation, are created with 4.5 compatibility level by default in Red Hat Virtualization 4.4.3. Please be aware that compatibility level 4.5 requires RHEL 8.3 with Advanced Virtualization 8.3.

BZ#1812316

With this enhancement, when scheduling a Virtual Machine with pinned NUMA nodes, memory requirements are calculated correctly by taking into account the available memory as well as hugepages allocated on NUMA nodes.

BZ#1854888

This enhancement adds error handling for OVA import and export operations, providing successful detection and reporting to the Red Hat Virtualization Manager if the qemu-img process fails to complete.

BZ#1855305

Previously, hot-plugging a disk to a Virtual Machine sometimes failed if the disk was assigned an address that was already assigned to a host-passthrough disk device. In this release, conflicts are avoided by preventing an address that is assigned to a host-passthrough disk device from being assigned to a disk that is hot-plugged to the Virtual Machine.

BZ#1871694

Previously, changing a cluster’s bios type to UEFI or UEFI+SecureBoot changed the Self-Hosted Engine Virtual Machine that runs within the cluster as well. As a result, the Self-Hosted Engine Virtual Machine failed to reboot upon restart. In this release, the Self-Hosted Engine Virtual Machine is configured with a custom bios type, and does not change if the cluster’s bios type changes.

BZ#1752751

This enhancement enables customization of the columns displayed in the Virtual Machines table of the Administration Portal.

  • Two new columns have been added to the Virtual Machines table: (number of) ‘vCPUs’, and ‘Memory (MB)’. These columns are not displayed by default.
  • A new pop-up menu has been added to the Virtual Machines table that allows you to reset the table column settings, and to add or remove columns from the display.
  • The selected column display settings (column visibility and order) are now persistent on the server by default, and are migrated (uploaded) to the server. This functionality can be disabled in the User > Options popup, by de-selecting the 'Persist grid settings' option.

4.3. ovirt-engine-api-explorer

BZ#1884146

The ovirt-engine-api-explorer package has been deprecated and removed in Red Hat Virtualization Manager 4.4.3. Customers should use the official REST API Guide instead, which provides the same information as ovirt-engine-api-explorer. See https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/rest_api_guide/index

4.4. ovirt-engine-db-query

BZ#1866981

Previously, unicode strings were not handled properly by the ovirt-engine-db-query after porting to Python3. In this release, unicode strings are now handled properly.

4.5. rhv-log-collector-analyzer

BZ#1859314

Previously, unicode strings were not handled properly by the rhv-log-collector-analyzer after porting to python3. In this release, unicode strings are now handled properly.

4.6. vdsm

BZ#1613514

This enhancement adds the ‘nowait’ option to the domain stats to help avoid instances of non-responsiveness in the VDSM. As a result, libvirt now receives the ‘nowait’ option to avoid non-responsiveness.

BZ#1877632

Previously, when the VDSM was restarted during a Virtual Machine migration on the migration destination host, the VM status wasn’t identified correctly. In this release, the VDSM identifies the migration destination status correctly.

BZ#1845397

With this enhancement, the migration transfer speed in the VDSM log is now displayed as Mbps (Megabits per second).

Chapter 5. RHBA-2021:0312-02 RHV Engine and Host Common Packages 4.4.z [ovirt-4.4.4]

The bugs in this chapter are addressed by advisory RHBA-2021:0312-02. Further information about this advisory is available at https://access.redhat.com/errata/RHBA-2021:0312.

5.1. ovirt-ansible-collection

BZ#1893385

In previous versions, when using 'hosted-engine --restore-from-file' to restore or upgrade, if the backup included extra required networks in the cluster, and if the user did not reply 'Yes' to the question about pausing the execution, deployment failed. In this release, regardless of the answer to 'pause?', if the host is found to be in state "Non Operational", deployment will pause, outputting relevant information to the user, and waiting until a lock file is removed. This should allow the user to then connect to the web admin UI and manually handle the situation, activate the host, and then remove the lock file and continue the deployment. This release also allows supplying a custom hook to fix such issues automatically.

5.2. ovirt-engine

BZ#1694711

Previously, the UI NUMA panel showed an incorrect NUMA node for a corresponding socket. In this release, the NUMA nodes are ordered by the database, and the socket matches the NUMA node.

BZ#1710446

With this enhancement, the Europe/Helsinki timezone can now be set in virtual machines.

BZ#1729897

Previously, the NUMA tune mode was set according to the Virtual Machine, using the same setting for every virtual NUMA node of the Virtual Machine. In this release, it is possible to set the NUMA tune mode for each virtual NUMA node.

BZ#1797553

Previously, when the export VM as OVA command was executed, other operations on the engine were blocked. This made the engine execute operations serially while expected to be parallel. In this release, engine tasks are executed in parallel, unblocked by the export VM as OVA command.

BZ#1871792

Previously, when importing a Virtual Machine using virt-v2v and the ovirt-engine service restarted, the import failed. In this release, the import continues as long as there is an async command running, allowing the import to complete successfully.

BZ#1886750

Previously, when removing a host, neither the virtual machine’s host device nor the host dependency list were removed. As a result, this sometimes caused error messages when running the virtual machine on another host, and left behind incorrect entries in the database. In this release, the virtual machine host device and entry in the virtual machine’s dependency list for the removed host are no longer included in the database, and the associated error messages no longer occur.

BZ#1888142

Previously, stateless virtual machines including pool virtual machines issued a warning regarding not using the latest version, even when the virtual machine was not set to use the last version. In this release, there is no attempt to change the version of the template that virtual machines are based on unless they are set to use the last version of a template and thus this warning is omitted from the log.

BZ#1889987

Previously, when the export VM as OVA command was executed, other operations on the engine were blocked. This made the engine execute operations serially while expected to be parallel. In this release, engine tasks are executed in parallel, unblocked by the export VM as OVA command.

BZ#1897422

Previously, virtual machines that were imported from OVA files were not set with small or large icons. In this release, small/large icons are set according to the operating system the Virtual Machine is configured with during import from OVA files. Consequently, virtual machines that are imported from OVA files are set with small and large icons.

BZ#1899768

Previously, live-merge failed on snapshots of virtual machines that are set with bios-type = CLUSTER-DEFAULT. In this release, live-merge works on snapshots of virtual machines that are set with bios-type = CLUSTER-DEFAULT.

5.3. ovirt-vmconsole

BZ#1834876

Previously, ovirt-vmconsole caused SELinux denials logged by sshd. While it generally didn’t affect ovirt-vmconsole functionality, it could raise false alerts. In this release, there are no ovirt-vmconsole SELinux denials issued.

5.4. vdsm

BZ#1792905

Previously, users could invoke the 'sparsify' operation on thin-provisioned (qcow) disks with a single volume. While the freed space was reclaimed by the storage device, the image size didn’t change and users could see this as a failure to sparsify the image. In this release, sparsifying a thin-provisioned disk with a single volume is now blocked.

Chapter 6. RHSA-2021:1169-07 Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement

The bugs in this chapter are addressed by advisory RHSA-2021:1169-07. Further information about this advisory is available at https://errata.devel.redhat.com/advisory/68228.

6.1. ovirt-engine

BZ#1145658

This release allows the proper removal of a storage domain containing memory dumps, either by moving the memory dumps to another storage domain or deleting the memory dumps from the snapshot.

BZ#1155275

With this update, you can synchronize a LUN’s disk size on all hosts that are connected to the LUN’s disk, and update its size on all running virtual machines to which it is attached.

To refresh a LUN’s disk size:

  1. In the Administration portal, go to Compute > Virtual Machines and select a virtual machine.
  2. In the Disks tab, click Refresh LUN.

For connected virtual machines that are not running, update the disk on the virtual machines once they are running.

BZ#1688186

Previously, the CPU and NUMA pinning were done manually or automatically only by using the REST API when adding a new virtual machine.

With this update, you can update the CPU and NUMA pinning using the Administration portal and when updating a virtual machine.

BZ#1837221

Previously, the Manager was able to connect to hypervisors only using RSA public keys for SSH connection. With this update, the Manager can also use EcDSA and EdDSA public keys for SSH.

Previously, RHV used only the fingerprint of an SSH public key to verify the host. Now that RHV can use EcDSA and EdDSA public keys for SSH, the whole public SSH key must be stored in the RHV database. As a result, using the fingerprint of an SSH public key is deprecated.

When adding a new host to the Manager, the Manager will always use the strongest public key that the host offers, unless an administrator provides another specific public key to use.

For existing hosts, the Manager stores the entire RSA public key in its database on the next SSH connection, for example, when an administrator moves the host to maintenance mode and executes an enroll certificate or reinstalls the host. To use a different public key for the host, the administrator can provide a custom public key using the REST API or by fetching the strongest public key in the Edit host dialog in the Administration Portal.
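The move from fingerprint-only verification to storing the whole public key, shown as an added Python example that is not code from RHV or oVirt: it parses OpenSSH-format public key lines, derives the SHA256 fingerprint from the key blob, compares hosts by full key, and selects a key by type. The key material is constructed filler, and the PREFERENCE ordering and all function names are assumptions, since this note does not define "strongest".

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct

# Assumed preference order; the note says "strongest" without defining it.
PREFERENCE = ["ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384",
              "ecdsa-sha2-nistp256", "ssh-rsa"]


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_sample_key(key_type: str, *fields: bytes) -> str:
    """Build a constructed 'type base64-blob' line; not a usable key."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def parse_public_key(line: str) -> tuple[str, bytes]:
    """Return (key_type, blob); reject lines whose label and blob disagree."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii")
    if embedded != key_type:
        raise ValueError(f"label {key_type!r} does not match blob type {embedded!r}")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pick_strongest(offered: list[str]) -> str:
    """Choose the offered key whose type ranks first in PREFERENCE."""
    parsed = [(parse_public_key(line)[0], line) for line in offered]
    known = [(PREFERENCE.index(t), line) for t, line in parsed if t in PREFERENCE]
    if not known:
        raise ValueError("host offered no supported key type")
    return min(known)[1]


def host_key_matches(stored_line: str, presented_line: str) -> bool:
    """Verify a host by comparing the whole key blob, not just its fingerprint."""
    stored_type, stored_blob = parse_public_key(stored_line)
    presented_type, presented_blob = parse_public_key(presented_line)
    return stored_type == presented_type and hmac.compare_digest(stored_blob, presented_blob)


# Constructed sample keys (fixed filler bytes, for illustration only).
RSA_KEY = make_sample_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256)
ECDSA_KEY = make_sample_key("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\xcd" * 64)
ED25519_KEY = make_sample_key("ssh-ed25519", b"\xef" * 32)
OTHER_ED25519 = make_sample_key("ssh-ed25519", b"\x11" * 32)
```

The fingerprint can always be recomputed from a stored full key, but a stored fingerprint cannot be turned back into the key, which is why the full key has to be kept once more than one key type is in use.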

BZ#1921104

Ansible-2.9.17 is required for proper setup and functioning of Red Hat Virtualization Manager 4.4.5.

BZ#1431792

This feature allows adding emulated TPM (Trusted Platform Module) devices to Virtual Machines. TPM devices are useful in cryptographic operations (generating cryptographic keys, random numbers, hashes, etc.) or for storing data that can be used to verify software configurations securely. QEMU and libvirt implement support for emulated TPM 2.0 devices, which is what Red Hat Virtualization uses to add TPM devices to Virtual Machines.

Once an emulated TPM device is added to the Virtual Machine, it can be used as a normal TPM 2.0 device in the guest OS.

BZ#1910302

Previously, the storage pool manager (SPM) failed to switch to another host if the SPM had uncleared tasks. With this enhancement, a new UI menu has been added to enable cleaning up finished tasks.

BZ#1921119

Previously, a cluster page indicated an out-of-sync cluster when in fact all networks were in sync. This was due to a logical error in the code when a host QoS was assigned to two networks on the same host. In this release, the cluster page does not show out-of-sync for this setup.

BZ#1895217

Previously, after a host that virtual machines were pinned to was removed, the Manager failed to start. As a result, the setup of the self-hosted engine failed. In this release, when a host is removed, virtual machines no longer remain pinned to that host and the Manager can start successfully.

BZ#1905108

Previously, plugging several virtual disks to a running virtual machine over a short time interval could cause a failure to plug some of the disks, and issued an error message: "Domain already contains a disk with that address". In this release, this is avoided by making sure that a disk that is being plugged to a running virtual machine is not assigned with an address that has already been assigned to another disk that was previously plugged to the virtual machine.

BZ#1927851

The timezone AUS Eastern Standard Time has been added to cover daylight saving time in Canberra, Melbourne and Sydney.

BZ#1931786

Previously, the Red Hat Virtualization Manager missed the SkuToAVLevel configuration for 4.5 clusters. In this release, the SkuToAVLevel is available for these clusters and allows Windows updates to update Red Hat related drivers for the guest host.

BZ#1884233

The authz name is now used as the user domain on the RHVM (Red Hat Virtualization Manager) home page. It replaces the profile name. Additionally, several log statements related to authorization/authentication flow have been made consistent by presenting both the user authz name and the profile name where applicable. In this release, <username>@<authz name> is displayed on the home page once the user is successfully logged in to the RHVM. In addition, the log statements now contain both the authz name and the profile name as well as the username.

BZ#1922200

Previously, records in the event_notification_hist table were only erased during regular cleanup of the audit_log table. By default, audit_log table records were only removed if they were older than 30 days. In this release, because records in the event_notification_hist table are much less important than records in the audit_log table, records in the event_notification_hist table are only kept for 7 days. This limit can be overridden by creating a custom configuration file /etc/ovirt-engine/notifier/notifier.conf.d/history.conf with the following content:

DAYS_TO_KEEP_HISTORY=NNN

where NNN is the number of days to keep records in the event_notification_hist table. After changing this value, the ovirt-engine-notifier service needs to be restarted:

systemctl restart ovirt-engine-notifier

6.2. Vulnerability

BZ#1889823

A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 ciphertext. The highest threat from this vulnerability is to confidentiality.