RHBA-2015:0825 - Bug Fix Advisory

Topic

Updated packages that resolve various issues are now available for Red Hat
Enterprise Linux OpenStack Platform 5.0 (Icehouse) for Red Hat Enterprise
Linux 7.

Description

Red Hat Enterprise Linux OpenStack Platform provides the facilities for
building a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware.

This update addresses the following issues:

• Previously, when swift client added a 'Content-Length' header and

requests implicitly added a 'content-length' header, requests sends both
as separate headers. This caused Apache to reject the request with a
400 error.
With this release, python-requests package is now rebased to version 2.3.0.
This version fixes the buggy implementation of case-insensitive mapping.
As a result, Apache no longer rejects requests with a 400
error. (BZ#1169530)

• Previously, the log directory permissions for Sahara was set to 755,

resulting in the Sahara service not conforming to the Red Hat log security
standards.
With this update, the directory permissions are modified to 750, thus,
conforming to the Red Hat log security standards. (BZ#1163420)

• Previously, SELinux prevented the nova scheduler from searching

directories labeled 'cert_t', resulting in SELinux causing Compute to fail.
With this update, an 'allow' rule has been created to give the nova
scheduler permission to search the 'cert_t' directories. As a result,
Compute service functions normally. (BZ#1149975)

• Previously, the 'nova list' was inefficient and took very long to

complete as the number of instances increased.
With this update, 'nova list' command code has been optimized and uses
server-side filtering, resulting in faster response. (BZ#1147958)

• If an existing haproxy process was already running before installing and

running LBaaS (Load-Balancing-as-a-Service), attempting to start LBaaS will
fail. This typically happens when upgrading to Red Hat Enterprise Linux
OpenStack Platform 5 with an existing LBaaS service.
To work around this, you will have to kill the running haproxy process and
restart the LBaaS agent:
# kill $(pgrep haproxy)
# service neutron-lbaas-agent restart (BZ#1133920)

• Previously, the rabbitmq-plugins command was not available in the

default path. As a result, trying to run rabbitmq-plugins command would
result in a 'Command Not Found' error.
With this update, the rabbitmq-plugins command is added to the default
path and it executes as expected. (BZ#1126680)

• Previously, an improvement to the connection pool such that new

connections could be made concurrently made it so that the 'init on first
connect' routine of a SQLAlchemy dialect would not have been completed if
concurrent routines proceeded at the same time. As a result, when a
SQLAlchemy engine was first used, operations which rely on the state
acquired during initial startup could fail, as this information would not
have been completed.
To resolve this issue, with this update, 'mutexing' was added to the event
system which handles the initial dialect startup phase, so that connection
attempts are again serialized, but only when the engine first start
up. (BZ#1121796)

• Previously, SQLite database was created by a user who ran the database

management script, resulting in Sahara being unable to read the default
database without changing ownership of the database.
With this update, the file is not touched and the ownership is assigned to
Sahara (for only the default file location). As a result, Sahara now has
access to its database in the default flow. (BZ#1101516)

• With this release, mariadb-galera is now rebased to version 5.5.41 fixing

the memory barrier problem in InnoDB/XtraDB mutex implementation causing
the server to stall or hang. (BZ#1168321)

In addition to the above issue, this update also addresses bugs and
enhancements which can be found in the Red Hat Enterprise Linux OpenStack
Platform Technical Notes:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Technical_Notes/index.html

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat
Enterprise Linux 7.1.

The Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes
(see References section) contain the following:

• An explanation of the way in which the provided components interact to

form a working cloud computing environment.

• Technology Previews, Recommended Practices, and Known Issues.
• The channels required for Red Hat Enterprise Linux OpenStack Platform 5

for RHEL 7, including which channels need to be enabled and disabled.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenStack 5.0 for RHEL 7 x86_64

Fixes

• BZ - 1101516 - SQLite database created with bad permission/ownership
• BZ - 1121796 - potential race condition on dialect init in SQLAlchemy 0.8.4
• BZ - 1121798 - some mysql "commands out of sync" errors may not be interpreted correctly as a "database disconnect" situation, sqlalchemy 0.8.4
• BZ - 1126680 - rabbitmq-plugins is not in the default $PATH and need for detailed information for those plug-in setting.
• BZ - 1133920 - 'openstack-service restart neutron' uses neutron cleanup scripts
• BZ - 1139413 - RFE: nova service-delete doesn't exist in 2.17.0
• BZ - 1149975 - openstack-nova-scheduler: SELinux is preventing /usr/bin/python2.7 from search access on the directory
• BZ - 1163420 - Adjust log permissions to 0750 for openstack-sahara
• BZ - 1168321 - hangs reported in mariadb / mariadb galera 5.5.40
• BZ - 1169530 - headers with different cases are not merged
• BZ - 1199249 - headers with different cases are not merged

CVEs

• CVE-2014-6568
• CVE-2015-0374
• CVE-2015-0381
• CVE-2015-0382
• CVE-2015-0411
• CVE-2015-0432

References

• https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html