- Issued:
- 2017-07-12
- Updated:
- 2017-07-12
RHBA-2017:1736 - Bug Fix Advisory
Synopsis
openstack-neutron bug fix advisory
Type/Severity
Bug Fix Advisory
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat OpenStack Platform 9.0 (Mitaka) for RHEL 7.
Description
Red Hat OpenStack Platform provides the facilities for building a private
or public infrastructure-as-a-service (IaaS) cloud running on commonly
available physical hardware. This advisory includes packages for:
- OpenStack Networking service
OpenStack Networking (neutron) is a virtual network service for OpenStack.
Just as OpenStack Compute (nova) provides an API to dynamically request and
configure virtual servers, OpenStack Networking provides an API to
dynamically request and configure virtual networks. These networks connect
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute
VMs). The OpenStack Networking API supports extensions to provide advanced
network capabilities (e.g. QoS, ACLs, network monitoring, etc.)
This update addresses the following issues:
- Prior to this update, when using wsgi_default_pool_size(=100) concurrent requests, the state change server would create a heavy CPU load on the l3 agent.
With this update, a new option `ha_keepalived_state_change_server_threads` has been added to configure the number of concurrent threads spawned for keepalived server connection requests; higher values increase the CPU load on the agent nodes. The default value is half of the number of CPUs present on the node. This allows operators to tune the number of threads to suit their environment. With more threads, simultaneous requests for multiple HA routers state change can be handled faster.
As a result, ha_keepalived_state_change_server_threads can be configured to avoid high load on l3 agents. (BZ#1381619)
- This enhancement configures ProcessMonitor in the HaproxyNSDriver class (v2) to use the external_process module, which allows it to monitor and respawn the haproxy processes as needed. The LBaaS agent (v2) will load options related to external_process in order to take a configured action when the HAproxy process dies unexpectedly. (BZ#1431152)
- This enhancement adds http_proxy_to_wsgi to api-paste. As a result, this places the HTTPProxyToWSGI middleware in front of the Neutron-API. The purpose of this middleware is to setup the request URL correctly in case there is a proxy (for example, a loadbalancer such as HAProxy) in front of neutron.
For example, when TLS connections are being terminated in the proxy, and you attempt to get the versions from the `/` neutron resource, the protocol is incorrect and reports as 'http' instead of 'https'. The HTTPProxyToWSGI middleware handles such cases and helps keystone discovery work correctly. HTTPProxyToWSGI is off by default and needs to be enabled with a configuration value. (BZ#1451508)
Solution
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
Red Hat OpenStack Platform 9 runs on Red Hat Enterprise Linux 7.3.
The Red Hat OpenStack Platform 9 Release Notes contain the following:
- An explanation of the way in which the provided components interact to
form a working cloud computing environment.
- Technology Previews, Recommended Practices, and Known Issues.
- The channels required for Red Hat OpenStack Platform 9, including which
channels need to be enabled and disabled.
The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/release-notes
This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:
https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html
Affected Products
- Red Hat OpenStack 9 x86_64
Fixes
- BZ - 1381619 - UnixDomainWSGIServer keepalived state change listener in L3 agent has an uncapped number of threads, overloading node
- BZ - 1431152 - Backport: [RFE] [Neutron] [LBaaS v2] Add process monitor for haproxy
- BZ - 1437818 - L3 agent failing with "Failed to process compatible router" errors
- BZ - 1451508 - backport request neutron: Add http_proxy_to_wsgi to api-paste
- BZ - 1463759 - OSP8 -> OSP9 upgrade: pacemaker resources are stopped and unmanaged post upgrade
CVEs
(none)
References
(none)
Red Hat OpenStack 9
| SRPM | |
|---|---|
| openstack-neutron-8.3.0-11.el7ost.src.rpm | SHA-256: 1fed91a715268ef7539653cc95d589891990439cb25dca7a3a99dff231fa0f2e |
| openstack-neutron-lbaas-8.1.0-3.el7ost.src.rpm | SHA-256: b592ca13cf64625f3287b75f1c8bb02e6b67dd2dfcc6233683d6c5fc74b51d4e |
| python-networking-bigswitch-8.40.7-2.el7ost.src.rpm | SHA-256: a28ac312c48c5d60ff6dd5c2e90137caadb16140c9765206f68c710bbb30e11b |
| x86_64 | |
| openstack-neutron-8.3.0-11.el7ost.noarch.rpm | SHA-256: 6b7492a7ccd988ca9cee72fe07d4f1cc6e1352cd8f979b75811a2c6ff001296c |
| openstack-neutron-bgp-dragent-8.3.0-11.el7ost.noarch.rpm | SHA-256: b550123b4c7da9803158c640535b61261a65d6e970f06c30392a735f15bf093e |
| openstack-neutron-bigswitch-agent-8.40.7-2.el7ost.noarch.rpm | SHA-256: 474cfc0809df13565aad886f2d0a8e91f22b03ed948eca2900b7671ac244464c |
| openstack-neutron-bigswitch-lldp-8.40.7-2.el7ost.noarch.rpm | SHA-256: 7c84d3a20c947abf2a5c0c09a66886fd86a458024fef943b17b924577c769d51 |
| openstack-neutron-common-8.3.0-11.el7ost.noarch.rpm | SHA-256: 29668a45f19eebc7d4c8ee91f4b00788d9c46d78f60b57af7cc8de429dc78a8a |
| openstack-neutron-lbaas-8.1.0-3.el7ost.noarch.rpm | SHA-256: d3229c826c16732ee595e7a7ef5941bfeacd3b3376eb5c718627e0cb03e7d11e |
| openstack-neutron-linuxbridge-8.3.0-11.el7ost.noarch.rpm | SHA-256: e066ff054e32ae48cbc0d323fbbafb2f95d4d364dd379bb589b8307456bf1e05 |
| openstack-neutron-macvtap-agent-8.3.0-11.el7ost.noarch.rpm | SHA-256: c80c0a60dbacc04ef88440e2f9a769c4a59f420d756a952076cd314f710d9251 |
| openstack-neutron-metering-agent-8.3.0-11.el7ost.noarch.rpm | SHA-256: 20a25485438bae632f361dd06639ce606a0a9231099389a0a1086d2bd575acf5 |
| openstack-neutron-ml2-8.3.0-11.el7ost.noarch.rpm | SHA-256: 0d42328aad5bb2c150d73dbe04362aebc99d4fb30ceb275af494f6a2c2c42489 |
| openstack-neutron-openvswitch-8.3.0-11.el7ost.noarch.rpm | SHA-256: 5e4028401b232341a672f6e52641029f49806db174af1e7f5bfbead7b629f240 |
| openstack-neutron-rpc-server-8.3.0-11.el7ost.noarch.rpm | SHA-256: 12c57f0f1ecad4701d05ae3be2945c534eb7554b5974914b9603cf962e12d681 |
| openstack-neutron-sriov-nic-agent-8.3.0-11.el7ost.noarch.rpm | SHA-256: 78cd4804767fb9c351dcbfc0762bc835e08aab03aad0fdd3e2d1d278482cd554 |
| python-networking-bigswitch-8.40.7-2.el7ost.noarch.rpm | SHA-256: 9ad54e7bee7b5db6306a038eaa70ba5f052e242109c60ef41fce275b646e8e36 |
| python-neutron-8.3.0-11.el7ost.noarch.rpm | SHA-256: 702607dd1e67f3a3e04e77e637b072d349a7c3d14e87e5b604229d98774b73bd |
| python-neutron-lbaas-8.1.0-3.el7ost.noarch.rpm | SHA-256: 382a58cb630ffa118643440aa730b27acf916301f78dbd9c07ca5b4d7b6d4967 |
| python-neutron-lbaas-tests-8.1.0-3.el7ost.noarch.rpm | SHA-256: 4564b04af7ec745fa174d3c41ddc5fcb1549db43ffc3f8649107621001bf7803 |
| python-neutron-tests-8.3.0-11.el7ost.noarch.rpm | SHA-256: b50ca8f12c0b8b05e7d88dedac373e905d5431aa2280290baa419d7358688aa6 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
