RHBA-2017:2663 - Bug Fix Advisory

Topic

Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat OpenStack Platform 10.0 (Newton) for RHEL 7.

Description

Red Hat OpenStack Platform provides the facilities for building, deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware. This advisory includes
packages for:

• OpenStack Networking service

OpenStack Networking (neutron) is a virtual network service for OpenStack.
Just as OpenStack Compute (nova) provides an API to dynamically request and
configure virtual servers, OpenStack Networking provides an API to
dynamically request and configure virtual networks. These networks connect
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute
VMs). The OpenStack Networking API supports extensions to provide advanced
network capabilities (e.g. QoS, ACLs, network monitoring, etc.)

Changes to the openstack-neutron component:

• The networking-vpp mechanism driver was not able to correctly set up the router interface when a neutron HA router fails over. This was because the host_id property of the ports owned by a router gateway were not updated to the new host.

This fix updates the host_id property on a failover. (BZ#1466081)

• Cause:

Neutron backup HA routers have the same IP/MAC addresses as the master instance and the backup HA routers have IPv6 forwarding enabled by default. This causes the backup HA routers to subscribe to different multicast groups and these backup HA routers may respond to queries coming from the external network.

Consequence:
This backup HA router traffic causes the upstream switch to learn MAC address on a different port, disrupting existing traffic to the master instance.

Fix:
Disable IPv6 forwarding on backup instances and restore it on failover.

Result:
Traffic will not leave the backup instance to go to the upstream switch thus not disrupt existing connections with the master instance. (BZ#1426735)

• Feature:

The neutron-ns-metadata-proxy is now replaced by haproxy which has a more lightweight memory footprint.

Reason:
The neutron-ns-metadata-proxy process can cause high memory consumption, especially in large environments. This can lead to Out-Of-Memory issues.

Result:
Replace neutron-ns-metadata-proxy with haproxy to proxy meta data requests from the guest VM to the Compute node (nova). The haproxy process considerably reduces the memory footprint. (BZ#1438469)

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

Red Hat OpenStack Platform 10 runs on Red Hat Enterprise Linux 7.3.

The Red Hat OpenStack Platform 10 Release Notes contain the following:

• An explanation of the way in which the provided components interact to

form a working cloud computing environment.

• Technology Previews, Recommended Practices, and Known Issues.
• The channels required for Red Hat OpenStack Platform 10, including which

channels need to be enabled and disabled.

The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/10/paged/release-notes

This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html

Affected Products

• Red Hat OpenStack 10 x86_64

Fixes

• BZ - 1390863 - Tempest network scenario tests regressions
• BZ - 1426735 - Backup HA router sending traffic, traffic from switch interrupted
• BZ - 1437576 - Instance connectivity issues disabling security groups and port security
• BZ - 1437820 - L3 agent failing with "Failed to process compatible router" errors
• BZ - 1438469 - [OSP10] neutron-ns-metadata-proxy has a large memory footprint
• BZ - 1443024 - [DVR] Instances are not reachable with floating ip from different subnet after compute node reboot
• BZ - 1459181 - [BACKPORT] [Neutron] Don't add duplicate metadata rules after router update
• BZ - 1462509 - LBaaS tests does not run on DFG-network-neutron-lbaas-10_director-rhel-7.3-virthost jobs
• BZ - 1463220 - With vCPU count greater than vhostuser queues, instance not able to bring interface up.
• BZ - 1466081 - Update binding: host_id for network:router_gateway interfaces
• BZ - 1468314 - Integrated DNS does not work with Cisco ACI due to Neutron bug
• BZ - 1469680 - Remove the gateway of external net won't affect router
• BZ - 1478204 - Rebase python-networking-vmware-nsx to 63dfc1dc
• BZ - 1478425 - Rebase python-networking-bigswitch to 9.42.7
• BZ - 1478497 - Rebase openstack-neutron-fwaas to 1471eb
• BZ - 1478519 - Rebase openstack-neutron-vpnaas to d750da
• BZ - 1478788 - SharedNetworksTest.test_filtering_shared_subnets failed for a known issue
• BZ - 1479061 - Rebase openstack-neutron-lbaas to 436286
• BZ - 1479895 - Rebase openstack-neutron-lbaas to 4362863
• BZ - 1480324 - Rebase openstack-neutron to 8339a78

CVEs

(none)

References

(none)