The IBM Cloud Manager with Openstack 4.1.0.5 cmwo 4.1.0.5 interim fix 6 Readme

Readme file for:IBM Cloud Manager with OpenStack 4.1 interim fix 6 for fix pack 5
Product/Component Release:4.1.0.5
Update Name:cmwo 4.1.0.5 interim fix 6
Fix ID:4.1.0.5-IBM-CMWO-IF006
Publication Date:2017-03-17
Last modified date:2017-03-17

Online version of the readme file:http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003183
Important: The most current version of the readme file can always be found online.

Contents

Download location
Prerequisites and co-requisites
Known issues
Known limitations

Installation information
   Installing

List of fixes
Copyright and trademark information



Download location

Download updates for IBM Cloud Manager with OpenStack 4.1 from the following location:
http://www.ibm.com/eserver/support/fixes/

Below is a list of components, platforms, and file names that apply to this Readme file.

Fix Download for Linux
Product/Component Name:Platform:Fix:
IBM Cloud Manager with OpenstackLinux 64-bit,x86_64 Linux 64-bit,x86_64
Linux 64-bit,pSeries Linux 64-bit,pSeries
cmwo_fixpack_4.1.0.5.6.tar.gz





Prerequisites and co-requisites

None.



Known issues

No known issues have been identified.

Known limitations

No known limitations have been identified.

Installation information

This file contains directions for installing the fix pack on the IBM Cloud Manager with OpenStack deployment server and additional information not available in the IBM Cloud Manager with OpenStack Knowledge Center.

If you have already deployed a topology, you will need to update your deployed topology after following the directions in this file. If the special instructions in this file do not apply to your environment, you still must update your deployed topology to apply other fixes contained in this fix pack.

Directions for updating deployed topologies can be found in the IBM Cloud Manager with OpenStack Knowledge Center.


Before installing

Be aware that updating a deployed topology will stop IBM Cloud Manager with OpenStack services on the deployed nodes. Deploying updates should not affect active virtual machines deployed using the IBM Cloud Manager with OpenStack self-service portal or OpenStack.

Installing

To install the IBM Cloud Manager with OpenStack fix pack, do the following:
  1. Download the fix pack archive (e.g. cmwo_fixpack_4.1.0.5.6.tar.gz) to a temporary directory on the deployment server.
  2. Change to that directory and expand the archive:

    # tar -zxf cmwo_fixpack_4.1.0.5.6.tar.gz

  3. Run the fix pack installer:

    # ./install_cmwo_fixpack.sh

  4. If the fix pack installed successfully you will see this message:

       Installation of fix pack completed successfully.

    Otherwise, you will this message:

       ERROR: Installation of fix pack failed. See log files for details.

    Additional messages will tell you where the log files are stored.


After installing

After installing the fixpack, review the following sections to degtermine if there are additional actions that must be performed:

Automated environment updates

Fix pack 3 and later includes a tool that can be used to automatically perform certain environment updates:

To update an environment named 'my-environment' stored in the chef server use this command:
  knife os manage update environment my-environment

To update a JSON environment file named 'my-environment.json' use this command:
  knife os manage update environment my-environment.json

The file name must end with the '.json' extension. If the file refers to an existing chef environment, the file will also be uploaded to the chef server.

Manual environment updates

If the fix pack requires other environment changes, you can edit the environment(s) used for your topologies using the following procedure.

Installing the fix pack updates the example environments:
  example-ibm-os-allinone
  example-ibm-os-single-controller-n-compute
  example-ibm-sce

If you have created an environment for your topology, or have created an environment file, these must be updated manually. If you do not do this, future deploys or updates will continue to use the original cookbook.

1. Change to the directory where you have created your topology files.

2. If you do not have your environment file, you can download the current environment from the chef server:
  # knife environment list
  _default
  example-ibm-os-allinone
  example-ibm-os-single-controller-n-compute
  example-ibm-sce
  test-environment

Identify the environment to change, e.g. test-environment and download it:
  # knife environment show test-environment -d -F json > test-environment.json

3. Edit the environment file and modify it as required.

4. Save the file.

5. Upload the modified environment to the chef server:
  # knife environment from file test-environment.json
  Updated Environment test-environment

Update cookbook versions

This fix pack contains cookbook updates which require updates to the chef environment(s) for your topologies.

If any of the following conditions are true, no action is required to update cookbook versions, and you should continue with the next section of this README file.

Use the 'knife os manage update environment' command as described in 'Automated environment updates' to update your environment or environment file.

This table lists the updated cookbook versions and the fix pack that includes them.

Fix pack Cookbook Current version
======== ======== ========
4.1.0.3 openstack-block-storage 9.4.1
4.1.0.3 openstack-common 9.5.2
4.1.0.3 openstack-compute 9.2.10
4.1.0.3 openstack-image 9.1.2
4.1.0.3 openstack-network 9.1.1
4.1.0.3 openstack-orchestration 9.1.6
4.1.0.3 openstack-telemetry 9.2.0
4.1.0.3 ibm-openstack-appliance-migration 0.1.41
4.1.0.3 ibm-openstack-common 9.5.7
4.1.0.3 ibm-openstack-iaas-gateway 0.1.4
4.1.0.3 ibm-openstack-powervc-driver 9.2.1
4.1.0.3 ibm-openstack-zvm-driver 0.1.1
4.1.0.3 ibm-sce 0.1.14
4.1.0.4 db2 0.2.6
4.1.0.4 openstack-dashboard 9.1.2
4.1.0.4 ibm-openstack-iaas-gateway 0.1.5
4.1.0.4 ibm-sce 0.1.19
New openstack-compute attributes (4.1.0.3)

New attributes were added to the openstack-compute cookbook. Changes are required to your environment if it contains the following the configuration options in the openstack.compute.misc_nova attribute.


misc_nova option: flat_injected
new attribute: openstack.compute.config.flat_injected
required: no
   
misc_nova option: use_ipv6
new attribute: openstack.compute.network.use_ipv6
required: no
   
misc_nova option: resize_confirm_window
new attribute: openstack.compute.config.resize_confirm_window
required: no
   
misc_nova option: live_migration_flag
new attribute: openstack.compute.libvirt.live_migration_flag
required: yes

Use the 'knife os manage environment update' command as described in 'Automated environment updates' to update your environment or environment files.

Create openstack-powervc-driver password data bag item (4.1.0.1)

Fix pack 4.1.0.1 adds an openstack-powervc-driver password to the service_passwords data bag. This password is required to deploy a topology that includes the OpenStack PowerVC driver.

If you did not create a custom service_passwords data bag prior to installing this fix pack, or you are not using PowerVC, no action is required to update the service_passwords data bag, and you should continue with the next section of this README file.

  1. Change to the directory where you stored the files for the topology that you deployed. Change your-deployment-name to the name for your deployment.
  2. Create a local directory to contain the new password. Change your_env_service_passwords to the name of the data bags for your environment. The openstack.secret.*_data_bag JSON attributes in your environment file contain the data bag names to use.
      # mkdir -p data_bags/your_env_service_passwords
      # cp /opt/ibm/cmwo/chef-repo/data_bags/service_passwords/* data_bags/your_env_service_passwords
      # chmod -R 600 data_bags/
  3. Change the openstack-powervc-driver password in your environment data bag. This is done by changing the value for the data bag item's name. Using the your_env_service_passwords/openstack-powervc-driver.json data bag item, change the value at CHANGEME to the password.
      {
        "id": "openstack-powervc-driver",
        "openstack-powervc-driver": "CHANGEME"
      }
  4. Upload the data bag items for the password changed in the previous step. Run the following command from the parent of the data_bags directory that you created. Change your-secret-key-name to the secret key for your topology. The secret_file JSON attribute in your topology file contains the secret file to use.
      # knife data bag from file your_env_service_passwords
      openstack-powervc-driver.json --secret-file your-secret-key-name
  5. Remove the local data bag items since they are no longer needed.
      # rm -rf data_bags/
Configure self-service portal fix information

Starting with fix pack 3, the self-service portal is updated to the latest fix pack level automatically when you update your deployed topology or deploy a new topology. It is no longer necessary to update your environment to configure the self-service portal fix pack or JRE updates.

Update the deployed topology

After making the changes described above, update your deployed topology to apply the fixes contained in this fix pack.

If you did not deploy a topology prior to installing this fix pack, no further action is required.

The IBM Cloud Manager with OpenStack Knowledge Center has more information on updating a deployed topology.


Uninstalling

IBM Cloud Manager with OpenStack fix packs cannot be uninstalled.


List of fixes

Update log (03/17/2017):
IBM Cloud Manager with OpenStack 4.1 ifix 4.1.0.5.6 includes:
- OpenStack IceHouse ifixes for:
  SE66417 Add limitation about "Live migration between hosts with differents CPU models is not supported." into the Knowledge center.
  OpenStack IceHouse ifixes for PSIRT for ICM "Open Source OpenStack Neutron ,Horizon and Ironic Vulnerabilities" (CVE-2016-5363 CVE2016-4428)
  OpenStack IceHouse ifixes for PSIRT for ICM "Open Source OpenStack Glance Vulnerabilities" (CVE-2015-5162)

Update log (11/30/2016):
IBM Cloud Manager with OpenStack 4.1 ifix 4.1.0.5.5 includes:
- IBM SmartCloud Entry JRE update for:
  PSIRT for SCE/ICM "IBM SDK, Java Technology Edition Quarterly CPU - Jul 2016 - Includes Oracle Jul 2016 CPU" (CVE-2016-3610 CVE-2016-3598 CVE-2016-3606 CVE-2016-3587 CVE-2016-3511 CVE-2016-3508 CVE-2016-3550 CVE-2016-3500 CVE-2016-3458 CVE-2016-3485 Not Applicable CVE-2016-3498 CVE-2016-3552 CVE-2016-3503)
- OpenStack IceHouse ifixes for:
  Fixed the heat template Get_file error
  Fixed the error of when a stack deleted by a unprivileged user, it is not deleted correctly


Update log (10/19/2016):
IBM Cloud Manager with OpenStack 4.1 ifix 4.1.0.5.4 includes:
- OpenStack IceHouse ifixes for:
  PSIRT for ICM "opensource openstack vuln." (CVE-2016-2140)


Update log (09/08/2016):
IBM Cloud Manager with OpenStack 4.1 ifix 4.1.0.5.3 includes:
- OpenStack IceHouse ifixes for:
  PSIRT for ICM Appliance "opensource openstack vuln." (CVE-2016-0757)


Update log (07/25/2016):
IBM Cloud Manager with OpenStack 4.1 ifix 4.1.0.5.2 includes:
- JRE update for:
  PSIRT for ICM "IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU + 3 IBM CVEs(CVE-2016-3443 CVE-2016-0687 CVE-2016-0686 CVE-2016-3427 CVE-2016-3449 CVE-2016-3425 CVE-2016-3422 CVE-2016-0695 CVE-2016-3426 CVE-2016-0636)"
- OpenStack IceHouse ifixes for:
  PSIRT for ICM Appliance "opensource openstack vuln." (CVE-2015-7548 CVE-2015-8749)
- Chef OpenSSL update for:
  PSIRT for ICM: "OpenSource OpenSSL Vuln." (CVE-2016-0701 CVE-2015-3197 CVE-2016-0705 CVE-2016-0798 CVE-2016-0797 CVE-2016-0799 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704 CVE-2016-2842 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176)


Update log (03/01/2016):
IBM Cloud Manager with OpenStack 4.1 ifix 4.1.0.5.1 includes:
- JRE update for:
  PSIRT for SCE/ICM "EXPEDITED Java specific SLOTH - Weak MD5 Signature Hash - CVE-2015-7575"
  PSIRT for SCE/ICM "IBM SDK, Java Technology Edition Quarterly CPU - Jan 2016 - Includes Oracle Jan 2016 CPU + CVEs(CVE-2016-0475 CVE-2016-0448 CVE-2015-7575 CVE-2016-0466)"
- OpenStack Icehouse ifixes for:
  PSIRT for "OpenSource OpenStack vulnerability" (CVE-2014-8177 CVE-2015-5163 CVE-2015-3241 CVE-2015-5223)
  PSIRT for ICM "opensource openstack vuln." (CVE-2015-5240 CVE-2015-3280)
  PSIRT for "OpenSource OpenStack Vuln" (CVE-2015-7713 CVE-2015-5286)
  PSIRT for "OpenSource Openstack Glance Vuln." ()


4.1.0.5:

Upgrade Qpid to 0.32
Remove s3 modules from ICM
Reorder qpid packages installation sequence

4.1.0.4:

Patch for fixpack installation failure with none english local
Patch for keystonemiddleware SSL man-in-the-middle(CVE-2014-7144)
Remove senstive authentication data in log file

4.1.0.3:

Add support for Manage from zVM for IBM Cloud Manager with Openstack 4.1
Provide Cinder volume service for Z/VM hypervisor in IBM CloudManager with OpenStack 4.1
Added new role, ibm-os-block-storage-node, to allow a topology with a standalone cinder server node in IBM CloudManager with OpenStack 4.1
Provide XIV driver in IBM CloudManager with OpenStack 4.1. For the detail steps to enable XIV driver, please refer to https://www.ibm.com/support/knowledgecenter/SST55W_4.1.0/liaca/liaca_configuring_xiv_storage_cookbook.html
Provide automatic installation for SCE fixpack and jre version upgrade in IBM CloudManager with OpenStack 4.1

Contents of Fix/Service Pack build:



Copyright and trademark information

This fix is subject to the terms of the license agreement which accompanied, or was contained in, the Program for which you are obtaining the fix. You are not authorized to install or use the fix except as part of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT, REGARDING THE PTF.

By furnishing this document, IBM grants no licenses to any related patents or copyrights.

The applicable license agreement may have been provided to you in printed form and/or may be viewed at http://www-03.ibm.com/software/sla/sladb.nsf/viewbla/.

Copyright © IBM Corporation 2015