RHBA-2015:1866 - Bug Fix Advisory

Topic

Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for
RHEL 7.

Description

Red Hat Enterprise Linux OpenStack Platform provides the facilities for
building a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware. This advisory includes
packages for:

• OpenStack Networking service

OpenStack Networking (neutron) is a virtual network service for OpenStack.
Just as OpenStack Compute (nova) provides an API to dynamically request and
configure virtual servers, OpenStack Networking provides an API to
dynamically request and configure virtual networks. These networks connect
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute
VMs). The OpenStack Networking API supports extensions to provide advanced
network capabilities (e.g. QoS, ACLs, network monitoring, etc.)

This update addresses the following issues:

• Support for multiple IPv6 prefixes/addresses on one interface.

As a result, neutron considers the type of IPv6 subnets that form part of the network and then associates ports with addresses from all SLAAC-enabled subnets within the ports network.
The REST API is unchanged, but port-create/port-update replies now include SLAAC addresses in the fixed_ips list. (BZ#1089447)

• Previously, dnsmasq mistakenly aligned IPv6 host entries with IPv4 clients, and IPv4 host entries with IPv6 clients, resulting in host detection issues. With this update, dnsmasq correctly handles IPv4 and IPv6 host entries. (BZ#1228176)
• openstack-neutron-lbaas updated to 2015.1.1

(BZ#1258602)

• openstack-neutron-fwaas updated to 2015.1.1:
• iptables: Support for L3 plug-ins that do not yet support DVR.

(BZ#1258606)

• openstack-neutron-vpnaas updated to 2015.1.1:
• neutron agent-list correctly reports VPN agent
• Fixed status reporting for failures

(BZ#1258607)

• Previously, the openstack-neutron-vmware package omitted python-networking-vmware-nsx package as a dependency. Both packages had to be manually installed for NSX integration.

With this update, python-networking-vmware-nsx is a dependency of the openstack-neutron-vmware package. As a result, all needed components for NSX integration are obtained by installing openstack-neutron-vmware.
openstack-neutron-vmware is to be deprecated in a future release, with NSX components moving to python-networking-vmware-nsx. (BZ#1259285)

• openstack-neutron updated to version 2015.1.1:
• DHCP agent: fixed IP address assignment for stateless IPv6 address when extra options are used; stability fixes
• L3 agent: support IPv6 HA routers
• DVR: fixed floating IP namespace creation for late port binding; unschedule a router on the last port deletion; support isolated metadata networks served by DHCP agent.
• Open vSwitch agent: enhancements in ARP spoofing protection
• Multiple fixes for 0.0.0.0/0 and ::/0 address pair support
• Stability fixes in ML2, Open vSwitch and L3 agents, and others
• Preserve firewall counters on security group update
• Prevent modifying address pairs on a shared network
• Updates for Arista and VMware plugins and ML2 drivers (BZ#1259517)
• Previously, in kernel 3.10, when the last IPv6 address was removed from the interface, IPv6 would shut it down, and the related /proc entries were deleted.

Consequently, a traceback occurred when IPv6 /proc entries were missing and neutron tried to configure '/proc/sys/net/ipv6/conf/qg-1fc4061d-3c/accept_ra'.
With this update, /proc is only configured on the Master HA Router, where the gateway interface has the IPv6 Link Local Address, keeping the functionality intact. As a result, the traceback no longer occurs on RHEL 7.1. (BZ#1262647)

• Previously, the Open vSwitch agent attempted to set OpenFlow rules for ARP responder for IPv6 addresses. Consequently, OpenFlow transactions that included IPv6 addresses would fail, and the connection between nodes was broken. This fix now avoids setting ARP responder OpenFlow rules for IPv6 addresses. As a result, flows that forward packets between nodes are set correctly. (BZ#1261577)

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

Red Hat Enterprise Linux OpenStack Platform 7 runs on Red Hat Enterprise
Linux 7.1.

The Red Hat Enterprise Linux OpenStack Platform 7 Release Notes contain the
following:

• An explanation of the way in which the provided components interact to

form a working cloud computing environment.

• Technology Previews, Recommended Practices, and Known Issues.
• The channels required for Red Hat Enterprise Linux OpenStack Platform 7,

including which channels need to be enabled and disabled.

The Release Notes are available at:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Release_Notes/index.html

This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html

Affected Products

• Red Hat OpenStack 7 x86_64

Fixes

• BZ - 1089447 - [RFE][neutron]: support multiple ipv6 prefixes for ipv6 network
• BZ - 1137057 - Custom MTU is not set for bridge and tap devices on compute node while using linuxbridge-agent
• BZ - 1228176 - Instance is not assigned with an IP address (Version 4 or 6) when the network attached to it have two subnets - IPv4 and IPv6 (IPv6 can be stateful or stateless)
• BZ - 1246599 - neutron requires oslo_rootwrap
• BZ - 1257270 - Fix logging version in neutron logs coming from pbr
• BZ - 1258602 - Rebase openstack-neutron-lbaas to 2015.1.1
• BZ - 1258606 - Rebase openstack-neutron-fwaas to 2015.1.1
• BZ - 1258607 - Rebase openstack-neutron-vpnaas to 2015.1.1
• BZ - 1259285 - openstack-neutron-vmware should probably depend on python-networking-vmware-nsx
• BZ - 1261086 - New Package Request: python-networking-bigswitch - big switch neutron plugin
• BZ - 1261555 - Include patches from kilo for networking-cisco
• BZ - 1262647 - Neutron traceback when an external network without IPv6 subnet is attached to an HA Router
• BZ - 1264144 - python-networking-bigswitch rpm bumps to 2015.1.38

CVEs

(none)

References

• http://www.redhat.com/security/updates/classification/#normal