[release-announce] [magnum] magnum 4.1.1 (ocata)

no-reply at openstack.org
Mon May 1 15:01:33 UTC 2017


We are tickled pink to announce the release of:

magnum 4.1.1: Container Management project for OpenStack

This release is part of the ocata stable release series.

The source is available from:

    ** http://git.openstack.org/cgit/openstack/magnum

Download the package from:

    https://tarballs.openstack.org/magnum/

Please report issues through launchpad:

    ** http://bugs.launchpad.net/magnum

For more details, please see below.

4.1.1
^^^^^


Upgrade Notes
*************

* To let clusters communicate directly with OpenStack services other
  than Magnum, in the *trust* section of magnum.conf, set
  *cluster_user_trust* to True. The default value is False.


Security Issues
***************

* Every magnum cluster is assigned a trustee user and a trustID.
  This user is used to allow clusters to communicate with the
  key-manager service (Barbican) and get the certificate authority of
  the cluster. This trust user can be used by other services too. It
  can be used to let the cluster authenticate with other OpenStack
  services like the Block Storage service, Object Storage service,
  Load Balancing etc. The cluster with this user and the trustID has
  full access to the trustor's OpenStack project. A new configuration
  parameter has been added to restrict access to services other than
  Magnum.


Bug Fixes
*********

* Fixes CVE-2016-7404 for newly created clusters. Existing clusters
  will have to be re-created to benefit from this fix. Part of this
  fix is the newly introduced setting *cluster_user_trust* in the
  *trust* section of magnum.conf. This setting defaults to False.
  *cluster_user_trust* dictates whether to allow passing a trust ID
  into a cluster's instances. For most clusters this capability is not
  needed. Clusters with *registry_enabled=True* or
  *volume_driver=rexray* will need this capability. Other features
  that require this capability may be introduced in the future. To be
  able to create such clusters you will need to set
  *cluster_user_trust* to True.
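
The check below is an added example, not part of the magnum release or its code. It reads the *cluster_user_trust* setting from magnum.conf text and compares it with the two template options the note names as needing the trust ID. The sample configuration, the template dictionaries and the function names are constructed for illustration.

```python
import configparser

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_CONF = """
[trust]
cluster_user_trust = True
"""
SAMPLE_TEMPLATES = [
    {"name": "k8s-basic", "registry_enabled": False, "volume_driver": None},
    {"name": "k8s-registry", "registry_enabled": True, "volume_driver": None},
    {"name": "swarm-rexray", "registry_enabled": False, "volume_driver": "rexray"},
]


def trust_enabled(conf_text):
    """Return [trust]/cluster_user_trust, using the documented default of False."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.getboolean("trust", "cluster_user_trust", fallback=False)


def needs_trust(template):
    """True for the two cases the release note names as needing the trust ID."""
    return (bool(template.get("registry_enabled"))
            or template.get("volume_driver") == "rexray")


def audit(conf_text, templates):
    """Compare the setting with what the templates actually require."""
    enabled = trust_enabled(conf_text)
    dependent = [t["name"] for t in templates if needs_trust(t)]
    if enabled and not dependent:
        # Trust ID would be passed into instances that have no use for it.
        verdict = "over-privileged: set cluster_user_trust = False"
    elif not enabled and dependent:
        verdict = "blocked: listed templates need cluster_user_trust = True"
    else:
        verdict = "consistent"
    return {"cluster_user_trust": enabled, "dependent": dependent,
            "verdict": verdict}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_TEMPLATES))      # setting matches need
    print(audit(SAMPLE_CONF, SAMPLE_TEMPLATES[:1]))  # enabled but unused
    print(audit("", SAMPLE_TEMPLATES))               # default False, but needed
```

A changed setting applies only to newly created clusters, so a cluster created before the change has to be re-created for the result to hold.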

Changes in magnum 4.1.0..4.1.1
------------------------------

7be95f2 Update Fedora images
9b93f3a Install client in install guide instructions
aaa94e1 Add reno for cluster_user_trust option
9f6296e Pass 'context' to create_client_files method
1ff12b0 Pin images for ocata
1e07c37 Missing root-ca-file parameter for proper service account support
0748029 Fix mesos gate
0c7625f Fix CVE-2016-7404
6c9ef67 Update UPPER_CONSTRAINTS_FILE for stable/ocata
8fd822a Update .gitreview for stable/ocata


Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |  1 +
devstack/lib/magnum                                |  1 +
devstack/plugin.sh                                 |  2 +-
etc/magnum/policy.json                             | 54 +++++++++++-----------
install-guide/source/install-obs.rst               |  2 +-
install-guide/source/install-rdo.rst               |  2 +-
install-guide/source/install-ubuntu.rst            |  2 +-
install-guide/source/launch-instance.rst           | 14 +++---
magnum/common/docker_utils.py                      |  2 +-
magnum/common/keystone.py                          |  1 +
magnum/common/policy.py                            | 12 +++++
magnum/conductor/handlers/common/trust_manager.py  | 13 ++++--
magnum/conf/trust.py                               | 11 +++++
magnum/db/sqlalchemy/api.py                        | 17 ++++++-
.../fragments/configure-kubernetes-master.sh       |  2 +-
.../kubernetes/fragments/make-cert-client.sh       |  5 --
.../templates/kubernetes/fragments/make-cert.sh    |  5 --
.../fragments/write-heat-params-master.yaml        |  2 +-
.../kubernetes/fragments/write-heat-params.yaml    |  2 +-
.../common/templates/swarm/fragments/make-cert.py  |  6 ---
.../swarm/fragments/write-heat-params-master.yaml  |  2 +-
.../swarm/fragments/write-heat-params-node.yaml    |  2 +-
.../swarm/fragments/write-swarm-agent-service.sh   |  2 +-
.../swarm/fragments/write-swarm-master-service.sh  |  2 +-
magnum/drivers/heat/template_def.py                | 16 ++++++-
.../templates/fragments/make-cert-client.yaml      |  5 --
.../templates/fragments/make-cert.yaml             |  5 --
.../fragments/write-heat-params-master.yaml        |  2 +-
.../templates/fragments/write-heat-params.yaml     |  2 +-
.../templates/kubecluster.yaml                     |  2 +-
.../image/kubernetes/Readme.md                     | 10 ++--
.../image/kubernetes/package-installs.yaml         |  3 +-
.../templates/kubecluster.yaml                     |  2 +-
.../templates/fragments/write-heat-params.yaml     |  2 +-
.../handlers/common/test_trust_manager.py          |  3 +-
.../conductor/handlers/test_cluster_conductor.py   |  5 ++
.../handlers/test_k8s_cluster_conductor.py         | 14 ++++--
.../handlers/test_mesos_cluster_conductor.py       |  9 ++--
.../handlers/test_swarm_cluster_conductor.py       |  8 +++-
.../notes/CVE-2016-7404-f53e62a4a40e4d30.yaml      | 29 ++++++++++++
tox.ini                                            |  2 +-
47 files changed, 244 insertions(+), 117 deletions(-)





