RHBA-2017:0159 - Bug Fix Advisory

Topic

Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for
RHEL 7.

Description

Red Hat Enterprise Linux OpenStack Platform provides the facilities for
building a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware. This advisory includes
packages for:

• OpenStack Networking service

OpenStack Networking (neutron) is a virtual network service for OpenStack.
Just as OpenStack Compute (nova) provides an API to dynamically request and
configure virtual servers, OpenStack Networking provides an API to
dynamically request and configure virtual networks. These networks connect
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute
VMs). The OpenStack Networking API supports extensions to provide advanced
network capabilities (e.g. QoS, ACLs, network monitoring, etc.)

This update addressed the following issues:

• If neutron ports are created while neutron-openvswitch-agent is down, they enter status "DOWN, binding:vif_type=binding_failed", which is expected behavior. However, prior to this update, there was no way to recover those ports, even if neutron-openvswitch-agent was back online.

With this update, the function "_bind_port_if_needed" binds at least once when the port's binding status is already in "binding_failed". As a result, ports can now recover from a failed binding status by repeated binding attempts triggered when neutron-openvswitch-agent comes back online. (BZ#1240446)

• In IPv4, the broadcast address (the last address of the CIDR) cannot be used as an IP address and is rejected as invalid when setting a gateway. In IPv6 there is no broadcast address, yet the same logic was applied to gateway address validation. Consequently, the gateway address could not be set to the last address in IPv6 range. With this update, the broadcast address check is valid only for IPv4, and not for IPv6. As a result, the last address in an IPv6 range can be set as a gateway address. (BZ#1378888)
• The ip_gre kernel module introduced two new interfaces to every network namespace. With Red Hat Enterprise Linux 7.3, the ip_gre kernel module is a dependency of vport_gre module used by the Open vSwitch module.

Consequently, these two devices could not be removed from the namespace, as neutron-netns-cleanup removes the namespace only if it does not contain any network interfaces. With those devices present, all removal of namespaces was skipped.
With this update, the two new interfaces added by ip_gre will be ignored too (similar to how the loopback interface does not block removal).
As a result, the namespace is considered empty if it contains loopback and gre interfaces and will be cleaned up even if includes these interfaces. (BZ#1382723)

• Prior to this update, with wsgi_default_pool_size(=100) concurrent requests, the state change server would create a heavy CPU load on the l3 agent. With this update, a new option `ha_keepalived_state_change_server_threads` has been added to configure the number of concurrent threads spawned for keepalived server connection requests. Higher values increase the CPU load on the agent nodes. The default value is half of the number of CPUs present on the node. This allows operators to tune the number of threads to suit their environment. With more threads, simultaneous requests for multiple HA routers state change can be handled faster.

As a result, ha_keepalived_state_change_server_threads can be configured to avoid high load on l3 agents. (BZ#1315114)

• Previously, the DHCP agent only restarted its process when DHCP-enabled subnets were changed. Consequently, when a subnet with DHCP disabled was added or updated, it broke the association between the opts file tags and the process arg tags, which led to a state where dnsmasq sent its IP address as a default gateway.

With this update, the process is restarted when a subnet with DHCP disabled is added or removed. As a result, dnsmasq is now correctly spawned with a matching opts file and tag args. (BZ#1393175)

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

Red Hat Enterprise Linux OpenStack Platform 7 runs on Red Hat Enterprise
Linux 7.3.

The Red Hat Enterprise Linux OpenStack Platform 7 Release Notes contain the
following:

• An explanation of the way in which the provided components interact to

form a working cloud computing environment.

• Technology Previews, Recommended Practices, and Known Issues.
• The channels required for Red Hat Enterprise Linux OpenStack Platform 7,

including which channels need to be enabled and disabled.

The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/paged/release-notes/

This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html

Affected Products

• Red Hat OpenStack 7 x86_64

Fixes

• BZ - 1315114 - UnixDomainWSGIServer keepalived state change listener in L3 agent has an uncapped number of threads, overloading node
• BZ - 1378888 - IPv6 Neutron network cannot use the last IP in subnet
• BZ - 1382414 - agent traces about bridge-nf-call sysctl values missing in RHEL 7.3
• BZ - 1393175 - Do not assign network address to instance

CVEs

(none)

References

(none)