In the MCP 2019.2.4 maintenance update, Mirantis introduces the following enhancements for OpenStack:
To obtain the enhancements, follow the steps described in Apply maintenance updates.
Backported the following security updates for Pike and Queens:
qemu-kvm vulnerabilities
libvirt vulnerabilities
python-cryptography vulnerabilities (for Queens)
Added the ability to enable additional Keystone security compliance features independently of each other, based on your corporate security policy. All available features apply only to the SQL backend for the Identity driver. By default, all security compliance features are disabled.
Added the ability to specify a required TLS version and the allowed SSL ciphers for the Nova console proxy server.
Learn more
MCP Deployment Guide: Enable TLS encryption between the OpenStack compute nodes and VNC clients
Unhardcoded the tls_priority setting in /etc/libvirt/libvirtd.conf and added the following TLS v.1.2 Federal Information Processing Standard (FIPS) approved SSHD strong cipher suites:
Implemented the Deploy - upgrade RabbitMQ server Jenkins pipeline job that enables the automated upgrade and update of the RabbitMQ component.
Enhanced the OpenSSH server to accept only strong ciphers and disabled the following weak ones:
Added the --force flag to the loadbalancer delete command to simplify the deletion of load balancers that hang in the PENDING state. For the usage details, see: 27071.
Added the capability to disable DHCP on the gateway nodes so that DHCP can be handled on dedicated DHCP servers separately. The gateway:dhcp_agent_enabled: false option allows distributing load in terms of the number of OVS ports per node.