OpenStack

OpenStack

In the MCP 2019.2.4 maintenance update, Mirantis introduces the following enhancements for OpenStack:

To obtain the enhancements, follow the steps described in Apply maintenance updates.


Ubuntu security updates

Backported the following security updates for Pike and Queens:


Keystone security compliance policies

Implemented the possibility to enable additional Keystone security compliance features independently of each other based on your corporate security policy. All available features apply only to the SQL back end for the Identity driver. By default, all security compliance features are disabled.


The TLS version and allowed SSL ciphers options for nova console proxy server

Added the ability to specify a required TLS version and allowed SSL ciphers to use by the Nova console proxy server.


The TLS version 1.2 and allowed SSL ciphers for libvirt

Unhardcoded the tls_priority setting in /etc/libvirt/libvirtd.conf and added the following TLS v.1.2 Federal Information Processing Standard (FIPS) approved SSHD strong cipher suites:

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA384


RabbitMQ upgrade and update

Implemented the Deploy - upgrade RabbitMQ server Jenkins pipeline job that enables the automated upgrade and update of the RabbitMQ component.


Constrain the range of SSH ciphers to be accepted by the OpenSSH server

Enhanced the OpenSSH server to accept only strong ciphers and disabled the following weak ones:

  • arcfour

  • arcfour128

  • arcfour256


The force option for deleting the Octavia load balancers

Added the --force flag to the loadbalancer delete command to simplify the deletion of load balancers that hang in the PENDING state. For the usage details, see: 27071.


Disable DHCP on gateway nodes

Added the capability to disable DHCP on the gateway nodes so that DHCP can be handled on dedicated DHCP servers separately. The gateway:dhcp_agent_enabled: false option allows distributing load in terms of the number of OVS ports per node.