RHBA-2016:1364 - Bug Fix Advisory

Topic

Updated RFE packages that fix several bugs and add various enhancements are now available.

Description

The Red Hat Enterprise Virtualization Manager is a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer (REST) Application Programming Interface (API).

Changes to the rhevm component:

• Previously, live merge tasks which completed, displayed as running in the Manager. The task will now be presented as completed in the Manager, and will be removed from the appropriate database. (BZ#1348214)
• To provide a way how to configure gssapi using ticket cache for authz pool, a new security domain called 'oVirtKerbAAA' was added to JBoss configuration, which can be customized by using the following variables:

AAA_KRB5_CONF_FILE=path_to_krb5_conf
Specify the custom krb5.conf file. The default is /etc/ovirt-engine/krb5.conf
Java supports only one krb5 configuration, if the user changes this property, then manage-domains will stop working because its configuration is managed in /etc/ovirt-engine/krb5.conf.

AAA_JAAS_USE_TICKET_CACHE=true/false
Enable or disable using the ticket cache file for authentication.

AAA_JAAS_TICKET_CACHE_FILE=path_to_ticket_cache
Specify the custom ticket cache file. The default is /tmp/krb5cc_${UID}, where UID is the ID of the ovirt user.

AAA_JAAS_USE_KEYTAB=false/true
Enable or disable using the keytab file for authentication.

AAA_JAAS_KEYTAB_FILE=path_to_keytab_file
Specify the custom keytab file. The default is ${OVIRT_HOME}/krb5.keytab where OVIRT_HOME is home directory of ovirt user.

To use one of the features, the user has to create a new configuration file and specify the correct values for those variables, for example: /etc/ovirt-engine/engine.conf.d/99-jaas.conf.

To use the new security domain configuration from aaa-ldap, the user has to specify the correct JAASClientName (default is oVirtKerb). Therefore, to use this new configuration for authz pool, the user has to add following line to aaa-ldap authz configuration:

pool.authz.auth.gssapi.jAASClientName = oVirtKerbAAA

To use it for both authn and authz, the user has to add the following line to aaa-ldap configuration:

pool.default.auth.gssapi.jAASClientName = oVirtKerbAAA (BZ#1327041)

• Previously, only the first page of results were displayed when searching for all virtual machine templates in the system. This issue has been fixed, and now it is possible to view all result pages. (BZ#1338816)
• Virtual machines are backed up periodically if the version field changes since the last backup. However, because modifying the virtual machine vNic does not update the version field, virtual machine definitions do not get backed up if only a vNic change occurs. This update ensures that a vNic update will cause virtual machine definitions to be backed up. (BZ#1340628)
• Previously the cluster level could be changed while virtual machines were running, which caused non-deterministic issues.

This update ensures that no virtual machines are running when changing the cluster level. (BZ#1341023)

• Previously during vdsm restart, the host would still respond to queries over JSON-RPC protocol from the Manager, which could result in the Manager reporting the incorrect virtual machine state. This could cause a highly available virtual machine to restart despite it already running. This has been fixed and the API calls are blocked during the vdsm service startup. (BZ#1342388)
• This update fixes an issue when adding a virtual machine to an existing virtual machine pool via the REST API. The virtual machines did not have the correct initialized parameters for sysprep and cloud-init. (BZ#1342389)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Virtualization 3.6 x86_64

Fixes

• BZ - 1143869 - Impossible to limit access to CPU profiles via user WEBUI portal on user/group basis.
• BZ - 1327041 - [RFE] [z-stream clone - 3.6.7] AAA - Make Kerberos work with Java Authentication Framework
• BZ - 1331186 - [events] Host memory usage exceeded defined threshold email message not generated.
• BZ - 1335638 - Groups resolution shouldn't be done on authn stage
• BZ - 1338816 - Template tab doesn't show all templates
• BZ - 1340628 - [downsream clone - 3.6.7] HE Vm's ovf isn't updated according to 'OvfUpdateIntervalInMinutes' value
• BZ - 1341023 - Cluster level can be changed while there are running VMs
• BZ - 1342388 - VM split brain during networking issues
• BZ - 1342389 - REST API vmpool increase won't join domain
• BZ - 1348214 - [z-stream clone - 3.6.7] Live Merge completes but the 'job' table entry in the database is not marked as finished

CVEs

(none)

References

• http://www.redhat.com/security/updates/classification/#normal