Denial Of Service (DoS)

Red Hat Enterprise Linux OpenStack Platform provides the facilities for building a private or public infrastructure-as-a-service (IaaS) cloud running on commonly available physical hardware. This update addresses the following issues: * This package rebases mariadb-galera to 5.5.42, fixing an issue where duplicate key errors would occur during INSERT statements, when performed during the period when database connectivity was moving to another Galera node, and when the first node was entering a non-available state. (BZ#1240114) * Previously, a call to the ‘sed’ command within ‘mysqld_safe.sh’ (to certain command line arguments) failed to accommodate arguments which include a slash, such as the paths to SSL key and certificate files which are passed through this function. Consequently, the ‘mysqld_safe.sh’ script produced warnings of the form “unknown option to `s’”. However, the script continued to work correctly, as these arguments are not actually needed in this specific context. This update addresses this issue by correcting the call to ‘sed’ so that SSL arguments which include slashes are properly interpreted. As a result, the warnings regarding ‘sed’ are now resolved. (BZ#1134033) * Previously, a default logrotate configuration was not provided. This update adds a default config, rotating based on log size rather than time, avoiding long logs as per current RHEL OpenStack Platform standards. (BZ#1212488) * Previously, the HDP plug-in installed the ‘Extra Packages for Enterprise Linux (EPEL)’ repo on cluster generation, even though neither the plug-in nor the saraha-image-elements package used the repo. Consequently, a potentially error-prone step was introduced into HDP cluster generation; in addition, these clusters may potentially update to unsupported packages. With this update, the repo is no longer installed by the HDP plug-in. (BZ#1231922) * Previously, the neutron VPN agent received an incorrect SELinux context. Consequently, SELinux was causing the VPN agent to fail. This update addresses this issue by changing the type to ‘neutron_vpn_agent_t’. As a result, the VPN agent now runs as expected. (BZ#1238360) * Previously, SELinux prevented glance from creating a symlink. Consequently, users could not use /home/glance to replace /var/lib/glance. This fix addresses the issue by granting Image Service permission to create a symlink to glance types. As a result, users can now free up space in the / directory by symlinking /var/lib/glance to /home/glance. (BZ#1210271) * Previously, glance’s VMware vSphere store failed to handle 401 errors correctly. These errors were raised after the vSphere session had expired, causing long-standing operations, such as snapshots, to fail. This update resolves the issue, allowing these operations to succeed. (BZ#1200075) * Previously, oslo.messaging could enter a loop while waiting for messages, if RabbitMQ had died. This update adds a more precise timeout handling for message consumption, allowing the poll operations on specific connections to end whenever such scenarios occur. (BZ#1188304) * This update addresses potential race conditions involving the ‘oslo’ messaging backend used in RabbitMQ. (BZ#1188309) * Previously, the GM process would send a message to terminate all slaves once the master process terminated, but would not wait for confirmation that the slaves had received this message before terminating itself. As a result, a slave that did not receive the message would detect that the master GM process had terminated and promote itself to master, causing the previous master process to hang. With this update, the GM process now waits for its broadcast buffer to empty before terminating. This results in all slaves receiving the message to terminate, allowing the master process to terminate as expected. (BZ#1239141) * This rebase package contains an updated snapshot from the LTS upstream ‘branch-2.3’ that includes multiple bugfixes. (BZ#1250221)