- Issued:
- 2016-08-24
- Updated:
- 2016-08-24
RHEA-2016:1762 - Product Enhancement Advisory
Synopsis
Red Hat OpenStack Platform 9 director Advisory
Type/Severity
Product Enhancement Advisory
Topic
Red Hat OpenStack Platform 9.0 director is now
available for Red Hat Enterprise Linux 7.
Description
Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat OpenStack Platform.
Changes to the openstack-tripleo-heat-templates component:
- Previously, as noted in the upstream bug report (https://bugs.launchpad.net/tripleo/+bug/1598092), the default for upstream puppet-keystone was to have 1 worker and $::processorcount threads. Consequently, these settings were inefficient when keystone was deployed on a multicore CPU machine, (as discussed at https://bugzilla.redhat.com/show_bug.cgi?id=1347305#c2 and proposed at https://review.openstack.org/#/c/297342/ (note that the review proved controversial and did not merge into puppet-keystone)). With this update, the defaults for these parameters are inverted in director; set to 1 thread and $::processorcount workers. These two parameters are also configurable if you need to override them, by using the tripleo-heat-templates: an existing template parameter "KeystoneWorkers" now points to keystone::wsgi::apache::workers (before pointing to "admin_workers" which is removed in Mitaka) and keystone::wsgi::apache::threads is hardcoded to '1' in the hieradata (this is user-overridable). Refer to the upstream for more details on the fix: https://review.openstack.org/#/c/336520/
As a result, /etc/httpd/conf.d/10-keystone_wsgi_admin.conf should contain the "processes" and "threads" config items, set to $::processorcount and 1 respectively (or whichever other value the user has set for these). When keystone is deployed on a multicore machine the defaults set by director should provide for much better performance from keystone compared to the current upstream puppet-keystone defaults. (BZ#1347305)
- Prior to this update, the secure_proxy_ssl_header option for Compute was not being set in nova.conf by Red Hat OpenStack Platform director (as discussed in the upstream bug https://bugs.launchpad.net/tripleo/+bug/1606863). Consequently, when haproxy and SSL were enabled for the director deployment, nova-api could not handle service requests since it was not configured to handle the "X-Forwarded-Proto" header in HTTP requests. In particular, the tempest.api.compute.test_versions.TestVersions.test_get_version_details tests failed with the error:
'Connection aborted.', BadStatusLine("''",). With this update, the secure_proxy_ssl_header is now set to the appropriate value (X-Forwarded-Proto) for director deployments, see https://review.openstack.org/#/c/347806/ for more details. As a result, the nova-api service should now be able to handle service requests correctly when haproxy and SSL are enabled for the director deployment. (BZ#1351255)
Changes to the rhel-osp-director component:
- With this update, the eventlet system for keystone has been deprecated upstream. Red Hat OpenStack Platform director now configures keystone to run under apache using WSGI. This change was due to the Keystone project's recommendation that keystone deployment occurs within WSGI. As a result, the keystone service now runs under the apache httpd service. (BZ#1170372)
- The OpenStack data processing service (sahara) is now deployable via OSP-d. The current release will deploy Sahara to all controller nodes and make it available for use. As this is the first release to include Sahara integration with OSP director, the service is minimally configurable, but also places no additional burden on the installer; Sahara will be enabled on overcloud controller nodes by default. (BZ#1347347)
Solution
Before applying this update, ensure all previously released errata relevant to your system have been applied.
Red Hat OpenStack Platform 9 runs on Red Hat Enterprise Linux 7.2.
The Red Hat OpenStack Platform 9 Release Notes contain the following:
- An explanation of the way in which the provided components interact to form a working cloud computing environment.
- Technology Previews, Recommended Practices, and Known Issues.
- The channels required for Red Hat OpenStack Platform 9, including which channels need to be enabled and disabled.
The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/release-notes
This update is available through 'yum update' on systems registered through Red Hat Subscription Manager. For more information about Red Hat Subscription Manager, see:
https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html
Affected Products
- Red Hat OpenStack 9 x86_64
Fixes
- BZ - 1170372 - [RFE] Deploy Keystone in Apache httpd
- BZ - 1258947 - RFE: Gnocchi Integration in osp-director
- BZ - 1261549 - RFE: Include Aodh as part of OSP installer
- BZ - 1325011 - [RFE] Include the Red Hat Insights RPM in the overcloud qcow by default
- BZ - 1333976 - [RFE] Assure working updates for RHOSP 9
- BZ - 1333977 - [RFE] Upgrades from RHOSP 8 -> 9
- BZ - 1333979 - [RFE] Backwards compatibility of OSP-d 9 with RHOSP 8
- BZ - 1337338 - osp-director-9: ControllerNodesPostDeployment fails due to cinder service that can't communicate with DB (cinder.cmd.volume DBConnectionError)
- BZ - 1347305 - Overcloud deployed with keystone as single process leads to abysmal performance
- BZ - 1347347 - [RFE] [Director] Sahara Integration with OSP-d
- BZ - 1351255 - nova-api not properly configure secure_proxy_ssl_header option in nova.conf when using HAProxy and SSL
- BZ - 1361177 - Upgrade initialization command should switch repos from OSP 8 to OSP 9
- BZ - 1362612 - rhel-osp-director: Existing nodes get rebuilt during scale out after updating overcloud image post 9.0->9Async update
- BZ - 1363645 - nova-compute service is down on compute nodes added post 8->9 upgrade
- BZ - 1364490 - rhel-osp-director: CephAdminKey is required for upgrade.
CVEs
(none)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.