Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update

Topic

An update for openstack-tripleo-heat-templates is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Heat templates for TripleO

Security Fix(es):

• data leak of internal URL through keystone_authtoken (CVE-2021-4180)

Other fixes:

• Before this update, NTP validation did not occur during deployments. Some users reported issues with cloud authentication failing with invalid tokens due to time not being synchronized between nodes. With this update, NTP synchronization validation during deployment has been re-enabled. Hosts must be able to connect to the defined NTP server list. If you previously performed a deployment with invalid or unreachable NTP servers, after update, the deployment might fail when NTP is validated. Ensure that you have valid and reachable NTP servers before updating. (BZ#2034095)
• With this update, director supports specifying overrides for NVSv4 ID mapping when using a CephFS-NFS back end with the Shared File Systems service (manila). Ceph-NFS with the Shared File Systems service only allows client access through NFSv4.1+. With NFSv4.1, usernames and group names are sent over the wire and translated by both the server and the client. Deployers might want to customize their domain settings to better represent organization users who can access Shared File Systems service shares from multiple clients. Director supports customizing NFS ID mapping settings through these parameters:
• ManilaCephFSNFSIdmapOverrides: Allows specifying configuration objects for override with the default idmapd.conf file used by the NFS service
• ManilaCephFSNFSIdmapConf: Allows specifying a custom idmapd.conf file for the NFS service (BZ#1917356)
• Before this update, the ceilometer-agent-compute container could not read the /var/run/libvirt directory because of an improper volume mount to /var/run/libvirt in the ceilometer-agent-compute container, resulting in the inability to poll for CPU metrics on Compute nodes. With this update, the appropriate global permissions have been applied to the /var/run/libvirt directory, and you can poll for CPU telemetry with the ceilometer-agent-compute container on the Compute nodes. CPU telemetry data is available through the Compute service (nova). (BZ#2103971)
• Before this update, the libvirt service started after the ceilometer-agent-compute service and the ceilometer-agent-compute service did not communicate with libvirt, resulting in missing libvirt metrics. With this update, the ceilometer-agent-compute service starts after the libvirt service and can poll libvirt metrics without "Permission denied" errors. (BZ#2130078)
• Before this update, a Telemetry service (ceilometer) user had insufficient privileges to poll objects from the Object Storage service (swift). The Object Storage service client did not allow the Telemetry service user to fetch object details. With this update, the Telemetry service user is associated with the ResellerAdmin role.

+
Execute the following command to workaround this issue manually:
+

• ---

$ openstack role add --user ceilometer --project service ResellerAdmin

• ---

+
The associated Telemetry service user can poll Object Storage service object metrics successfully. (BZ#2130849)

• Before this update, systemd stopped the Load-balancing services (octavia) during shutdown, leaving resources in the PENDING_UPDATE status. With this update, the graceful shutdown duration of the Load-balancing services is increased, preventing the services from being stopped by systemd. (BZ#2063031)
• In Red Hat OpenStack Platform (RHOSP) 16.1.9, the collectd processes plugin is removed from the default list of plugins. Loading the plugin can cause flooding issues and does not provide value when running in a containerized environment because it only recognizes the collectd and sensubility processes rather than the expected system processes. Bug fixes and support will be provided through the end of the 16.1.9 lifecycle but no new feature enhancements will be made. (BZ#2101949)

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenStack for IBM Power 16.1 ppc64le
• Red Hat OpenStack 16.1 x86_64

Fixes

• BZ - 1851467 - [OVN] Do not send geneve UDP traffic to conntrack for performance reasons
• BZ - 1910115 - OVNCMSOptions are not set correctly on controller nodes if OVN without DVR is deployed with minimum extra env files
• BZ - 1917356 - [RHOSP 16.1] manila with cephfs using nfs doesn't honor Squash = None provided in the ganesha export template during share creation
• BZ - 1936278 - Sensitive amphora values exposed in ansible.log during stack update.
• BZ - 2032295 - [RHOSP 16.1] [ipv6 undercloud] undercloud update fails when you have ipv6 undercloud with enable_routed_networks=false in undercloud.conf; during stack update router interface port is tried to be re-created with the same ip
• BZ - 2032518 - Bonding Rendered Templates have incorrect indentation
• BZ - 2034095 - Deployment fails while authenticating for nova and glance during TASK [tripleo-keystone-resources : Check Keystone public endpoint status]
• BZ - 2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
• BZ - 2036195 - Provide mechanism to tune the sysctl param fs.aio-max-nr on the host
• BZ - 2039412 - after minor update to 16.1.7, libvirtd is enabled on the controllers
• BZ - 2049452 - Killing dhcp sidecar container fails
• BZ - 2061845 - [RHOS 16.1] Fix InternalApi subnet for ControllerNovaStandalone role
• BZ - 2062764 - [RHOSP 16.1] ceilometer-ipmi-agent logs to /var/log/ceilometer inside the container
• BZ - 2063031 - Octavia services might be killed by systemd on update
• BZ - 2064383 - FFU OSP13->16.1 leapp fails with: Detected loaded kernel drivers which have been removed in RHEL 8
• BZ - 2065736 - RHOSP13-16.1 FFU - Use state file for workaround 1925078
• BZ - 2066852 - Overcloud deployment fails with error as 'overcloud_endpoint.pem' not found.
• BZ - 2069755 - [16.1] [Regression] Nova instance QEMU logs are not created under /var/log/libvirt/qemu/
• BZ - 2073607 - Certificate DN is not expanding in the Octavia tenant flow logs
• BZ - 2100907 - Octavia fails when enabling TLS-e in existing setup
• BZ - 2101949 - [RHOSP 16.1] Remove processes plugin from list of default plugins for collectd deployments
• BZ - 2103971 - [RHOSP 16.1] Ceilometer can't read /run/libvirt resulting in no 'cpu' metrics
• BZ - 2109931 - Too frequent async task polling causes delay in timeout detection
• BZ - 2129031 - [RHOSP16.1.8] DHCP agent container is not removed after network deletion
• BZ - 2129882 - [OVN][16.1] VM status spawning and ERROR on CI jenkins job
• BZ - 2130078 - [RHOSP 16.1] Ceilometer-agent-compute could be started on compute nodes before libvirt which will cause ceilometer to fail to collect virt mertrics
• BZ - 2130140 - [13->16.1] Undercloud upgrade fails on nova_db_sync_stein
• BZ - 2130849 - [RHOSP 16.1] swiftclient forbids ceilometer from polling swift objects
• BZ - 2131961 - Overcloud container images not updated during minor update
• BZ - 2136171 - Predictable IP Deploy fails Storage Port cidr is incorrect
• BZ - 2136393 - overcloud update failed with error {"msg": "Failed to get information on remote file (/var/lib/mistral/overcloud/octavia-ansible/group_vars/octavia_vars.yaml): Permission denied"}
• BZ - 2141835 - [RHOSP16.1] DerivePciWhitelistEnabled Is Not Defined

CVEs

• CVE-2021-4180

References

• https://access.redhat.com/security/updates/classification/#moderate