RHBA-2018:2514 - Bug Fix Advisory

Topic

Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat OpenStack Platform 12.0 (Pike) for RHEL 7.

Description

Red Hat OpenStack Platform provides the facilities for building, deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware. This advisory includes
packages for:

• OpenStack Networking service

OpenStack Networking (neutron) is a virtual network service for OpenStack.
Just as OpenStack Compute (nova) provides an API to dynamically request and
configure virtual servers, OpenStack Networking provides an API to
dynamically request and configure virtual networks. These networks connect
'interfaces' from other OpenStack services (e.g. virtual NICs from Compute
VMs). The OpenStack Networking API supports extensions to provide advanced
network capabilities (e.g. QoS, ACLs, network monitoring, etc.).

Changes to the openstack-neutron component:

• A new configuration option called bridge_mac_table_size has been added for the neutron OVS agent. This value is set on every Open vSwitch bridge managed by the openvswitch-neutron-agent. The value controls the maximum number of MAC addresses that can be learned on a bridge. The default value for this new option is 50,000, which should be enough for most systems. Values outside a reasonable range (10 to 1,000,000) might be overridden by Open vSwitch. (BZ#1591204)
• neutron-ovs-cleanup exceeded the three hour timeout on large OVS databases. This left the OVS database only partially cleaned. This fix changes how the cleanup function looks up ports on an OVS bridge. This significantly reduces the time needed to clean the database. (BZ#1541494)
• When an interface was added/removed to/from a router and isolated metadata was enabled on the DHCP Agent, the metadata proxy for that network was not updated. As a result, instances on a network not connected to a router could not fetch metadata.

We now update metadata proxies when a router interface is added/removed, and instances can fetch metadata from the DHCP namespace when their networks become isolated. (BZ#1552103)

• To reduce the time spent processing security group updates in the L2 agent, conntrack deletion is now performed in a set of worker threads instead of the main agent thread. (BZ#1558148)

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

Red Hat OpenStack Platform 12 runs on Red Hat Enterprise Linux 7.4.

The Red Hat OpenStack Platform 12 Release Notes contain the following:

• An explanation of the way in which the provided components interact to

form a working cloud computing environment.

• Technology Previews, Recommended Practices, and Known Issues.
• The channels required for Red Hat OpenStack Platform 12, including which

channels need to be enabled and disabled.

The Release Notes are available at:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/

This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html

Affected Products

• Red Hat OpenStack for IBM Power 12 ppc64le
• Red Hat OpenStack 12 x86_64

Fixes

• BZ - 1541494 - neutron-ovs-cleanup failing when there are too many ports
• BZ - 1547660 - openstack-neutron DHCP agent requires dnsmasq-utils 2.76
• BZ - 1552103 - neutron-ns-metadata-proxy disappeared
• BZ - 1557940 - Can't create Octavia Loadbalancer when firewall_driver = openvswitch
• BZ - 1558090 - router port binding fails with dvr and service subnets
• BZ - 1565615 - Sometimes dhcp_release packet isn't reaching dnsmasq process because it's being reloaded
• BZ - 1568978 - [Tests] PEP8 is broken
• BZ - 1569062 - ovs-fw does not reinstate GRE conntrack entry
• BZ - 1569067 - OVS firewall should drop iptables rules if it detects a bridge
• BZ - 1569070 - Security group updates fail when port hasn't been initialized yet
• BZ - 1570911 - Cannot set --no-share on shared network that has floating_ip, gateway AND a tenant port
• BZ - 1576284 - neutron-openvswitch-agent cleans up stale flows months after they were created but it does not recreated correct flows and bridge configuration
• BZ - 1579502 - Packet loss during standby L3 agent restart
• BZ - 1582646 - Rebase openstack-neutron-fwaas to d02659f
• BZ - 1588544 - Rebase python-networking-odl to 01f7636
• BZ - 1589935 - Rebase python-networking-vmware-nsx to 7481a77
• BZ - 1590020 - Rebase openstack-neutron-lbaas-ui to 98c7d38
• BZ - 1590026 - Rebase openstack-octavia to 90599da
• BZ - 1590458 - Backport support for specifying security group protocol numbers
• BZ - 1590530 - Rebase openstack-neutron-lbaas to d52ad67
• BZ - 1590872 - Rebase openstack-neutron to 466cb9a
• BZ - 1591204 - The mac table size of neutron bridges (br-tun, br-int, br-*) is too small by default and eventually makes openvswitch explode
• BZ - 1592423 - Rebase python-networking-ovn to 54740d9

CVEs

(none)

References

(none)