RHSA-2018:0602 - Security Advisory
Moderate: openstack-tripleo-common and openstack-tripleo-heat-templates update
Security Advisory: Moderate
An update for openstack-tripleo-common and openstack-tripleo-heat-templates is now available for Red Hat OpenStack Platform 12.0 (Pike).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
openstack-tripleo-common contains the python library for code common to the Red Hat OpenStack Platform director CLI and GUI (codename tripleo).
openstack-tripleo-heat-templates is a collection of OpenStack Orchestration templates and tools (codename heat), which can be used to help deploy OpenStack.
- openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director (CVE-2017-12155)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Katuya Kawakami (NEC) for reporting this issue.
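As an added example (not part of this advisory or of the TripleO project), the following POSIX shell functions audit a directory for Ceph keyring files whose mode grants read access to "other", which is the condition CVE-2017-12155 describes, and tighten any that are found. The directory layout and the keyring contents below are constructed for the demonstration; on a real node the directory to check is the one where director placed the client keyrings (assumed here to be passed as the first argument).

```shell
#!/bin/sh
# Added example: find and fix world-readable Ceph keyrings.
# find -perm -004 matches files whose "other" read bit is set (POSIX octal mode).

# Print every *.keyring under the given directory that is world-readable.
list_world_readable_keyrings() {
    find "$1" -type f -name '*.keyring' -perm -004 2>/dev/null
}

# Return the number of world-readable keyrings under the given directory.
count_world_readable_keyrings() {
    list_world_readable_keyrings "$1" | wc -l | tr -d ' '
}

# Restrict every world-readable keyring under the directory to owner read/write.
harden_keyrings() {
    list_world_readable_keyrings "$1" | while IFS= read -r f; do
        chmod 0600 "$f"
        echo "hardened: $f"
    done
}

# Constructed demonstration data: one keyring with the weak mode, one already correct.
# The key values are placeholders, not real Ceph secrets.
demo_dir=$(mktemp -d)
printf '[client.openstack]\n\tkey = PLACEHOLDER_KEY\n' > "$demo_dir/ceph.client.openstack.keyring"
chmod 0644 "$demo_dir/ceph.client.openstack.keyring"
printf '[client.admin]\n\tkey = PLACEHOLDER_KEY\n' > "$demo_dir/ceph.client.admin.keyring"
chmod 0600 "$demo_dir/ceph.client.admin.keyring"

echo "world-readable keyrings before: $(count_world_readable_keyrings "$demo_dir")"
harden_keyrings "$demo_dir"
echo "world-readable keyrings after:  $(count_world_readable_keyrings "$demo_dir")"
```

Running the audit before and after applying the update is a quick way to confirm that keyrings written by the patched templates no longer carry the weak mode, and the count function is easy to wire into a compliance check.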
- All Compute and Controller nodes have bridge-mappings configured and therefore are eligible to schedule routers. However, if you scheduled a router on a Compute node that doesn't have a connection to an external network, connectivity with the external network fails. This fix adds the ability to configure bridge-mappings in TripleO and in the director according to roles so that you can now exclude Compute nodes from router scheduling and maintain external network connectivity. (BZ#1510879)
- Previously, the CephPools parameter value was incorrectly consumed as a string list instead of as a JSON object. This prevented creating additional Ceph pools during the overcloud deployment, because attempting to pass a JSON object failed. This fix updates the CephPools parameter so that it now accepts any JSON object that describes additional pools to create in the Ceph cluster. Note: The JSON object structure must conform to ceph-ansible conventions. (BZ#1516389)
- There is currently a known issue with LDAP integration for Red Hat OpenStack Platform. The `keystone_domain_config` tag is currently missing from `keystone.yaml`, preventing Puppet from properly applying the required configuration files. Consequently, LDAP integration with Red Hat OpenStack Platform will not be properly configured. As a workaround, you must manually edit `keystone.yaml` and add the missing tag. There are two ways to do this:
1. Edit the file directly:
a. Log into the undercloud as the stack user.
b. Open the keystone.yaml in the editor of your choice. For example:
`sudo vi /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
c. Append the missing puppet tag, `keystone_domain_config`, to line 94, so that the `puppet_tags` line reads `puppet_tags: keystone_config,keystone_domain_config`.
d. Save and close `keystone.yaml`.
e. Verify you see the missing tag in the `keystone.yaml` file. The following command should return '1':
`grep -c 'puppet_tags: keystone_config,keystone_domain_config' /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
2. Or, use sed to edit the file inline:
a. Log in to the undercloud as the stack user.
b. Run the following command to add the missing puppet tag:
`sed -i 's/puppet_tags\: keystone_config/puppet_tags\: keystone_config,keystone_domain_config/' /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
c. Verify you see the missing tag in the `keystone.yaml` file. The following command should return '1':
`grep -c 'puppet_tags: keystone_config,keystone_domain_config' /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml` (BZ#1519057)
- It is only possible to deploy Ceph storage servers if their disk devices are homogeneous. (BZ#1520004)
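The LDAP workaround above (BZ#1519057) is a one-line `sed` edit followed by a `grep` check. As an added example that is not part of this advisory, the function below wraps those two steps so the edit can be re-run safely: the unanchored substitution in the advisory appends `,keystone_domain_config` every time it is run, so a second invocation would leave a duplicated tag, whereas this version first checks whether the tag is already present and anchors the pattern to the end of the line. The `keystone.yaml` fragment is constructed for the demonstration; the file path is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Added example: idempotently add the keystone_domain_config puppet tag
# and verify the result, instead of blindly re-running the sed edit.

WANTED='puppet_tags: keystone_config,keystone_domain_config'

# Return the number of lines already carrying the complete tag list (0 or 1 expected).
count_domain_tag() {
    grep -c "$WANTED" "$1" || true
}

# Add keystone_domain_config to the puppet_tags line if it is not there yet.
# Returns 0 when the file ends up correct, 1 otherwise.
ensure_keystone_domain_tag() {
    file="$1"
    if [ "$(count_domain_tag "$file")" = "1" ]; then
        echo "already present: $file"
        return 0
    fi
    # Anchored to end of line, so a line that already has the extra tag is untouched.
    sed -i 's/puppet_tags: keystone_config[[:space:]]*$/puppet_tags: keystone_config,keystone_domain_config/' "$file"
    if [ "$(count_domain_tag "$file")" = "1" ]; then
        echo "added tag to: $file"
        return 0
    fi
    echo "failed to add tag to: $file" >&2
    return 1
}

# Constructed stand-in for the relevant part of docker/services/keystone.yaml.
demo_yaml=$(mktemp)
cat > "$demo_yaml" <<'EOF'
      puppet_config:
        config_volume: keystone
        puppet_tags: keystone_config
        step_config: {get_attr: [KeystoneBase, role_data, step_config]}
EOF

ensure_keystone_domain_tag "$demo_yaml"
ensure_keystone_domain_tag "$demo_yaml"   # second run must not duplicate the tag
grep 'puppet_tags' "$demo_yaml"
```

On an undercloud the call would be `ensure_keystone_domain_tag /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`, run as a user that can write the file.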
For details on how to apply this update, which includes the changes described in this advisory, refer to:
- Red Hat OpenStack 12 x86_64
- Red Hat OpenStack for IBM Power 12 ppc64le
- BZ - 1301534 - The gateway_ip attribute for the isolated networks are not accurate
- BZ - 1433534 - [RFE] [OVN] HA support for OVN ovn-northd
- BZ - 1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director
- BZ - 1507888 - Deployment with ceph and TLS everywhere fails with: "WorkflowTasks_Step2_Execution: ERROR "cannot stat '/var/run/ceph/ceph-mon.overcloud-controller-2.asok': No such file or directory""
- BZ - 1508601 - Add NetIpMap to hieradata for *ExtraConfig overrides (Composable Networks)
- BZ - 1519765 - containerized HA rabbitmq stops on re-deploy if lsns fails
- BZ - 1523272 - OSP10->11->12 upgrade: major-upgrade-composable-steps-docker.yaml fails with Error: Evaluation Error: Error while evaluating a Function Call, Could not find class ::panko
- BZ - 1523707 - [UPDATES] PCS managed containers ain't restarted with latest images
- BZ - 1528755 - ConfigDebug setting does not work for docker init bundles
- BZ - 1533097 - CephPools parameter does not add CephX permission for openstack user
- BZ - 1533468 - capabilities-map.yaml references wrong environment files for ceph services
- BZ - 1533875 - Using the Telmetry Role with Ceph/RBD as gnocchi backend Fails in step 4 of the Deployment
- BZ - 1537725 - Deployment templates for unsupported components causing some confusion
- BZ - 1538828 - standalone Telemetry.yaml role has wrong services and typo
- BZ - 1538875 - mysql_init_bundle container doesn't fail deployment if puppet fails
- BZ - 1539090 - Cinder backups fail when running in a container (non-HA)
- BZ - 1542537 - tox -epep8 fails with ERROR: Generated roles file not match
- BZ - 1543641 - Cinder HA and non-HA containers are not configured the same
- BZ - 1546234 - Rebase openstack-tripleo-heat-templates to 7.0.9
- BZ - 1546807 - [OSP12] After a minor update the swift_rsync container was in restarting state
- BZ - 1547955 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases)
- BZ - 1551137 - Queue versioned_notifications.info not found
- BZ - 1551461 - [UPDATES] Failed to setup heat-output: refusing to convert between directory and link for /var/log/containers/swift
- BZ - 1552466 - docker_puppet_apply.sh has a fatal typo
- BZ - 1558639 - Collectd not re-using /var/run directory from overcloud node therefor ovs plugin fails to connect to db.sock of openswitch.
Red Hat OpenStack 12
Red Hat OpenStack for IBM Power 12