Fix Readme
Content
Readme file for: IBM Cloud Manager with Openstack 4.1 interim fix 4 for fix pack 3
Product/Component Release: 4.1.0.3
Update Name: cmwo 4.1.0.3 interim fix 4
Fix ID: 4.1.0.3-IBM-CMWO-IF004
Publication Date: 2015-01-21
Last modified date: 2015-01-21
Installation information
Download location
Download updates for IBM Cloud Manager with Openstack 4.1 from the following location:
http://www.ibm.com/eserver/support/fixes/
Below is a list of components, platforms, and file names that apply to this Readme file.
| Product/Component Name: | Platform: | Fix: |
|---|---|---|
| IBM Cloud Manager with Openstack | Linux 64-bit, x86_64; Linux 64-bit, pSeries | cmwo_fixpack_4.1.0.3.4.tar.gz |
Prerequisites and co-requisites
Known issues
No known issues have been identified.
Known limitations
No known limitations have been identified.
Installation information
This file contains directions for installing the fix pack on the CMWO deployment server and additional information not available in the CMWO Knowledge Center.
If you have already deployed a topology, you will need to update your deployed topology after following the directions in this file. If the special instructions in this file do not apply to your environment, you still must update your deployed topology to apply other fixes contained in this fix pack.
Directions for updating deployed topologies can be found in the IBM Cloud Manager with OpenStack Knowledge Center.
Before installing
Installing
- Download the fix pack archive (e.g. cmwo_fixpack_4.1.0.3.4.tar.gz) to a temporary directory on the deployment server.
- Change to that directory and expand the archive: # tar -zxf cmwo_fixpack_4.1.0.3.4.tar.gz
- Run the fix pack installer: # ./install_cmwo_fixpack.sh
- If the fix pack installed successfully you will see this message:
Installation of fix pack completed successfully.
Otherwise, you will see this message:
ERROR: Installation of fix pack failed. See log files for details.
Additional messages will tell you where the log files are stored.
After installing
- Update cookbook versions (4.1.0.3.2)
- New openstack-compute attributes (4.1.0.3)
- Create new openstack-powervc-driver password data bag item (4.1.0.1)
- Configure self-service portal fix information (no longer required)
- Update the deployed topology
Fix pack 3 and later includes a tool that can be used to automatically perform certain environment updates:
- Update cookbook version constraints
- Move attributes - notably options in attributes like misc_nova - when a cookbook change requires different override attributes in the chef environment.
To update an environment named 'my-environment' stored in the chef server use this command:
knife os manage update environment my-environment
To update a JSON environment file named 'my-environment.json' use this command:
knife os manage update environment my-environment.json
The file name must end with the '.json' extension. If the file refers to an existing chef environment, the file will also be uploaded to the chef server.
If the fix pack requires other environment changes, you can edit the environment(s) used for your topologies using the following procedure.
Installing the fix pack updates the example environments:
example-ibm-os-allinone
example-ibm-os-single-controller-n-compute
example-ibm-sce
If you have created an environment for your topology, or have created an environment file, these must be updated manually. If you do not do this, future deploys or updates will continue to use the original cookbook.
1. Change to the directory where you have created your topology files.
2. If you do not have your environment file, you can download the current environment from the chef server:
# knife environment list
_default
example-ibm-os-allinone
example-ibm-os-single-controller-n-compute
example-ibm-sce
test-environment
Identify the environment to change, e.g. test-environment and download it:
# knife environment show test-environment -d -F json > test-environment.json
3. Edit the environment file and modify it as required.
4. Save the file.
5. Upload the modified environment to the chef server:
# knife environment from file test-environment.json
Updated Environment test-environment
This fix pack contains cookbook updates which require updates to the chef environment(s) for your topologies.
If any of the following conditions are true, no action is required to update cookbook versions, and you should continue with the next section of this README file.
- You have not created an environment
- You created your environment after installing fix pack 4.1.0.3 or later.
- You updated the cookbook versions for your environment after installing fix pack 4.1.0.3 or later.
Use the 'knife os manage update environment' command as described in 'Automated environment updates' to update your environment or environment file.
This table lists the updated cookbook versions and the fix pack that includes them.
| Fix pack | Cookbook | Current version |
|---|---|---|
| 4.1.0.3 | openstack-block-storage | "~> 9.4.1" |
| 4.1.0.3 | openstack-common | "~> 9.5.2" |
| 4.1.0.3 | openstack-compute | "~> 9.2.10" |
| 4.1.0.3.2 | openstack-dashboard | "~> 9.1.2" |
| 4.1.0.3 | openstack-image | "~> 9.1.2" |
| 4.1.0.3 | openstack-network | "~> 9.1.1" |
| 4.1.0.3 | openstack-orchestration | "~> 9.1.6" |
| 4.1.0.3 | openstack-telemetry | "~> 9.2.0" |
| 4.1.0.3 | ibm-openstack-appliance-migration | "~> 0.1.41" |
| 4.1.0.3 | ibm-openstack-common | "~> 9.5.7" |
| 4.1.0.3 | ibm-openstack-iaas-gateway | "~> 0.1.4" |
| 4.1.0.3 | ibm-openstack-powervc-driver | "~> 9.2.1" |
| 4.1.0.3 | ibm-openstack-zvm-driver | "~> 0.1.1" |
| 4.1.0.3.2 | ibm-sce | "~> 0.1.19" |
New attributes were added to the openstack-compute cookbook. Changes are required to your environment if it contains any of the following configuration options in the openstack.compute.misc_nova attribute.
| misc_nova option | New attribute | Required |
|---|---|---|
| flat_injected | openstack.compute.config.flat_injected | no |
| use_ipv6 | openstack.compute.network.use_ipv6 | no |
| resize_confirm_window | openstack.compute.config.resize_confirm_window | no |
| live_migration_flag | openstack.compute.libvirt.live_migration_flag | yes |
Use the 'knife os manage update environment' command as described in 'Automated environment updates' to update your environment or environment files.
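A read-only check of a downloaded environment file against the two tables in this README, added here as an example and not part of IBM's fix pack: it reports cookbook pins older than the listed versions and misc_nova options that now have dedicated attributes. The cookbook_versions and override_attributes keys are standard Chef environment JSON; the "option=value" list form of misc_nova and the sample environment are assumptions.

```python
import json
import re

# Cookbook versions from the table in this README (version part of "~> x.y.z").
FIXED = {
    "openstack-block-storage": "9.4.1", "openstack-common": "9.5.2",
    "openstack-compute": "9.2.10", "openstack-dashboard": "9.1.2",
    "openstack-image": "9.1.2", "openstack-network": "9.1.1",
    "openstack-orchestration": "9.1.6", "openstack-telemetry": "9.2.0",
    "ibm-openstack-appliance-migration": "0.1.41", "ibm-openstack-common": "9.5.7",
    "ibm-openstack-iaas-gateway": "0.1.4", "ibm-openstack-powervc-driver": "9.2.1",
    "ibm-openstack-zvm-driver": "0.1.1", "ibm-sce": "0.1.19",
}
# misc_nova options that moved to dedicated attributes (from this README).
MOVED = {
    "flat_injected": "openstack.compute.config.flat_injected",
    "use_ipv6": "openstack.compute.network.use_ipv6",
    "resize_confirm_window": "openstack.compute.config.resize_confirm_window",
    "live_migration_flag": "openstack.compute.libvirt.live_migration_flag",
}

def _ver(text):
    # "~> 9.2.10" -> (9, 2, 10) so versions compare numerically, not as strings.
    return tuple(int(n) for n in re.findall(r"\d+", text))

def audit_environment(env):
    """Return (stale_cookbook_pins, misc_nova_options_to_move) for an environment dict."""
    stale = {}
    for name, constraint in env.get("cookbook_versions", {}).items():
        if name in FIXED and _ver(constraint) < _ver(FIXED[name]):
            stale[name] = (constraint, "~> " + FIXED[name])
    compute = env.get("override_attributes", {}).get("openstack", {}).get("compute", {})
    # Assumption: misc_nova is a list of "option=value" strings.
    to_move = {}
    for line in compute.get("misc_nova") or []:
        option = line.split("=", 1)[0].strip()
        if option in MOVED:
            to_move[option] = MOVED[option]
    return stale, to_move

# Constructed sample environment, not taken from a real deployment.
SAMPLE = json.loads("""{
  "name": "test-environment",
  "cookbook_versions": {"openstack-compute": "~> 9.2.4", "openstack-common": "~> 9.5.2"},
  "override_attributes": {"openstack": {"compute": {
    "misc_nova": ["use_ipv6=true", "live_migration_flag=VIR_MIGRATE_LIVE", "cpu_mode=none"]}}}
}""")

if __name__ == "__main__":
    print(audit_environment(SAMPLE))
```

Run it against the file produced by 'knife environment show ... -F json' before and after the update; an empty result for both parts means the environment no longer pins the pre-fix cookbooks.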
Fix pack 4.1.0.1 adds an openstack-powervc-driver password to the service_passwords data bag. This password is required to deploy a topology that includes the OpenStack PowerVC driver.
If you did not create a custom service_passwords data bag prior to installing this fix pack, or you are not using PowerVC, no action is required to update the service_passwords data bag, and you should continue with the next section of this README file.
1. Change to the directory where you stored the files for the topology that you deployed. Change your-deployment-name to the name for your deployment.
2. Create a local directory to contain the new password. Change your_env_service_passwords to the name of the data bags for your environment. The openstack.secret.*_data_bag JSON attributes in your environment file contain the data bag names to use.
# mkdir -p data_bags/your_env_service_passwords
# cp /opt/ibm/cmwo/chef-repo/data_bags/service_passwords/* data_bags/your_env_service_passwords
# chmod -R 600 data_bags/
3. Change the openstack-powervc-driver password in your environment data bag. This is done by changing the value for the data bag item's name. Using the your_env_service_passwords/openstack-powervc-driver.json data bag item, change the value at CHANGEME to the password.
{
"id": "openstack-powervc-driver",
"openstack-powervc-driver": "CHANGEME"
}
4. Upload the data bag items for the password changed in the previous step. Run the following command from the parent of the data_bags directory that you created. Change your-secret-key-name to the secret key for your topology. The secret_file JSON attribute in your topology file contains the secret file to use.
# knife data bag from file your_env_service_passwords openstack-powervc-driver.json --secret-file your-secret-key-name
5. Remove the local data bag items since they are no longer needed.
# rm -rf data_bags/
Starting with fix pack 3, the self-service portal is updated to the latest fix pack level automatically when you update your deployed topology or deploy a new topology. It is no longer necessary to update your environment to configure the self-service portal fix pack or JRE updates.
After making the changes described above, update your deployed topology to apply the fixes contained in this fix pack.
If you did not deploy a topology prior to installing this fix pack, no further action is required.
The IBM Cloud Manager with OpenStack Knowledge Center has more information on updating a deployed topology.
Uninstalling
List of fixes
Update log (01/20/2015):
ICM 4.1 ifix 4.1.0.3.4 includes:
- OpenStack Icehouse ifixes:
  - rtc-187394: Persistent XSS in Horizon Host Aggregates interface (CVE-2014-3594)
  - rtc-192140: OpenStack Nova API filters denial of service (CVE-2014-3708)
  - rtc-192220: OpenStack Cinder vulnerability (CVE-2014-3641, CVE-2014-7230, CVE-2014-7231)
  - rtc-192222: OpenStack Nova vulnerability (CVE-2014-3608, CVE-2014-7230, CVE-2014-7231)
Update log (01/14/2015):
ICM 4.1 ifix 4.1.0.3.3 includes:
- OpenStack Icehouse ifixes:
  - rtc-189852: Get fix for "keystonemiddleware SSL man-in-the-middle" (CVE-2014-7144) into osee-icehouse
  - rtc-189513: Get fix for CVE-2014-3621 to osee-icehouse
  - rtc-189540: Icehouse fix for "Admin-only network attributes may be reset to defaults by non-privileged users" (CVE-2014-6414)
  - rtc-192214: For fix about swift on icehouse release for the task 191078 -- rebuild swift needed
  - rtc-187640: Merge community fix in osee-Icehouse for PSIRT for "Glance store DoS through disk space exhaustion" (CVE-2014-5356)
  - rtc-192033: Maliciously crafted dns_nameservers will crash neutron (CVE-2014-7821) - Icehouse
Update log (12/05/2014):
ICM 4.1 ifix 4.1.0.3.2 for SSLv3 POODLE Attack in the communication between self service portal and IaaS Gateway
4.1.0.3.1:
ICM 4.1 ifix for SSLv3 POODLE Attack cookbook fixes
4.1.0.3:
Add support for Manage from zVM for IBM Cloud Manager with Openstack 4.1
Provide Cinder volume service for Z/VM hypervisor in IBM CloudManager with OpenStack 4.1
Added new role, ibm-os-block-storage-node, to allow a topology with a standalone cinder server node in IBM CloudManager with OpenStack 4.1
Provide XIV driver in IBM CloudManager with OpenStack 4.1. For the detailed steps to enable the XIV driver, refer to https://www.ibm.com/support/knowledgecenter/SST55W_4.1.0/liaca/liaca_co…
Provide automatic installation for SCE fixpack and jre version upgrade in IBM CloudManager with OpenStack 4.1
Contents of Fix/Service Pack build:
- CMWO: 4.1.0.3.4-20150116-0209
- IaaS: 2014.1.0.3-1.2.ibm.201407132130
- OpenStack: D20140918-2142
- PowerVC Driver: 2014.1.0.3-1.2.ibm.201412120314
- Self-Service Portal: IBM-sce.410.IF001-20141125-0548
- PRS: D20140625-1331
Document Information
Modified date:
21 January 2015
UID
isg400002019