OpenStack¶

Ubuntu security updates¶

Backported the following security updates for Pike and Queens:

• USN-3978-1 qemu-kvm vulnerabilities
• USN-3985-1 libvirt vulnerabilities
• USN-3720-1 python-cryptography vulnerabilities (for Queens)

Keystone security compliance policies¶

Implemented the possibility to enable additional Keystone security compliance features independently of each other based on your corporate security policy. All available features apply only to the SQL back end for the Identity driver. By default, all security compliance features are disabled.

The TLS version and allowed SSL ciphers options for nova console proxy server¶

Added the ability to specify a required TLS version and allowed SSL ciphers to use by the Nova console proxy server.

The TLS version 1.2 and allowed SSL ciphers for libvirt¶

Unhardcoded the tls_priority setting in /etc/libvirt/libvirtd.conf and added the following TLS v.1.2 Federal Information Processing Standard (FIPS) approved SSHD strong cipher suites:

• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-ECDSA-AES256-SHA384

RabbitMQ upgrade and update¶

Implemented the Deploy - upgrade RabbitMQ server Jenkins pipeline job that enables the automated upgrade and update of the RabbitMQ component.

Constrain the range of SSH ciphers to be accepted by the OpenSSH server¶

Enhanced the OpenSSH server to accept only strong ciphers and disabled the following weak ones:

• arcfour
• arcfour128
• arcfour256

The force option for deleting the Octavia load balancers¶

Added the --force flag to the loadbalancer delete command to simplify the deletion of load balancers that hang in the PENDING state. For the usage details, see: 27071.

Disable DHCP on gateway nodes¶

Added the capability to disable DHCP on the gateway nodes so that DHCP can be handled on dedicated DHCP servers separately. The gateway:dhcp_agent_enabled: false option allows distributing load in terms of the number of OVS ports per node.