diff --git a/ansible-role-requirements.yml b/ansible-role-requirements.yml
index ab26ba5053..180e477356 100644
--- a/ansible-role-requirements.yml
+++ b/ansible-role-requirements.yml
@@ -1,125 +1,125 @@ - name: apt_package_pinning scm: git src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning - version: master + version: 27c0a0f3ab51c12d8b5602eb1f4053069cf7dfa0 - name: pip_install scm: git src: https://git.openstack.org/openstack/openstack-ansible-pip_install - version: master + version: 0c782d893b4720eff64a4aa1ef1d0c900468db6f - name: pip_lock_down scm: git src: https://git.openstack.org/openstack/openstack-ansible-pip_lock_down - version: master + version: b2b669e3f4b78c9bcbfb09c111556ecd1142ec9f - name: galera_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_client - version: master + version: 90d58da17908b4b32638a739e01da254a589f5c6 - name: galera_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_server - version: master + version: 5b23837dd0cbddb3aab13702bf7b824ae8c775ba - name: keepalived scm: git src: https://github.com/evrardjp/ansible-keepalived - version: master + version: 2.0.0 - name: lxc_container_create scm: git src: https://git.openstack.org/openstack/openstack-ansible-lxc_container_create - version: master + version: e6022b33195d3dc2e7a24830b2d95b8c31f7c282 - name: lxc_hosts scm: git src: https://git.openstack.org/openstack/openstack-ansible-lxc_hosts - version: master + version: c1fe6c0251186dcd4f5dcb04a6dc91c7aaa22b10 - name: memcached_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-memcached_server - version: master + version: d76fb52cb2dc733b5aa1e008877197a71feb5c4b - name: openstack-ansible-security scm: git src: https://git.openstack.org/openstack/openstack-ansible-security - version: master + version: ecb03290884e0ef6a05452b072e950f36a29610a - name: openstack_hosts scm: git src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts - version: master + version: c9abd5134e22810b6d332e1e0ae43b55bfc883ef - name: os_keystone scm: git src: 
https://git.openstack.org/openstack/openstack-ansible-os_keystone - version: master + version: bbc645cad8d7bd7864fcf0c76a26d619b23f7d75 - name: openstack_openrc scm: git src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc - version: master + version: a9938092081ad34b7ceaf4e1c29275f835425e2d - name: os_aodh scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_aodh - version: master + version: e9cf8b4d11937a68a6674dc5991494c997d1dc86 - name: os_ceilometer scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_ceilometer - version: master + version: 28ec6206b1c7338db7de85e3ec14e79383abfd45 - name: os_cinder scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_cinder - version: master + version: b854beeaf429546daa1fb9f342674754beeb9941 - name: os_glance scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_glance - version: master + version: 28c573b88d398da178fe992612f26e75033d6921 - name: os_heat scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_heat - version: master + version: 3383a911e4f5624acf5a8ab059f2a2249c74b1c3 - name: os_horizon scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_horizon - version: master + version: fe79b45b6dc2471558d9f2862e6a8cbabd4d9f59 - name: os_ironic - src: https://github.com/openstack/openstack-ansible-ironic scm: git - version: master + src: https://github.com/openstack/openstack-ansible-ironic + version: 3113ef63af3740bb7d671450b38df7c11e82a8d5 - name: os_neutron scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_neutron - version: master + version: dcb0fff2556fd685c0177d963f872af2911a12a7 - name: os_nova scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_nova - version: master + version: 118c12c8c2fe00b8b805dd80e1db4d1bc544b787 - name: os_swift scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_swift - version: master + version: 
9380862b618fa77272a8b453885e154e07f43481 - name: os_tempest scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_tempest - version: master + version: 4fe7f096e9754848dddbce3f7dac59f09b916c2a - name: plugins path: /etc/ansible scm: git src: https://git.openstack.org/openstack/openstack-ansible-plugins - version: master + version: a72d40ef8a997b8dc2501e9136a41997519a310a - name: rabbitmq_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-rabbitmq_server - version: master + version: 1994d6be466c60e5e23b876768ae8bedee6be1b9 - name: repo_build scm: git src: https://git.openstack.org/openstack/openstack-ansible-repo_build - version: master + version: 2c10e0d81cfe62a5b0337057a8ed727a512b0a2f - name: repo_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-repo_server - version: master + version: 4efb9f2f88e98c0cb8a789e77a091b2fd4159df7 - name: rsyslog_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_client - version: master + version: 232bf64dec9a8f5078367a3448d7afadc7b04b5d - name: rsyslog_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server - version: master + version: 12ec7106f23a7ec43a37d139c05b3e58a4f53528 - name: sshd scm: git src: https://github.com/willshersystems/ansible-sshd - version: master + version: 0.4.4 diff --git a/playbooks/defaults/repo_packages/openstack_other.yml b/playbooks/defaults/repo_packages/openstack_other.yml index 6d807f2e91..ef62d1abc7 100644 --- a/playbooks/defaults/repo_packages/openstack_other.yml +++ b/playbooks/defaults/repo_packages/openstack_other.yml 
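Review bot: The `keepalived` and `sshd` entries are pinned to the tags `2.0.0` and `0.4.4`, while every other role in this hunk is pinned to a full commit SHA. Both roles come from third-party GitHub repositories (`evrardjp/ansible-keepalived`, `willshersystems/ansible-sshd`), and a git tag can be moved or re-created upstream, so these two pins are not immutable in the way the SHA pins are. Since these roles are presumably applied to deployment hosts with elevated privileges, I would pin them the same way and keep the tag as a comment, e.g. `version: <commit SHA that tag 2.0.0 resolves to>  # tag 2.0.0`. Quoting the `version` values would also stop a SHA made up only of digits from being loaded as an integer; none of the values here is affected.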
@@ -27,17 +27,17 @@ ## Tempest service tempest_git_repo: https://git.openstack.org/openstack/tempest -tempest_git_install_branch: c1513b71279604a58e2f6e40127b8b32eb1f7e93 # HEAD of "master" as of 19.05.2016 +tempest_git_install_branch: e9ae44b574f14ccd44dcd6b8cb8913bcebe35e83 # HEAD of "master" as of 02.06.2016 tempest_git_dest: "/opt/tempest_{{ tempest_git_install_branch | replace('/', '_') }}" ## NOVNC from source novncproxy_git_repo: https://github.com/kanaka/novnc -novncproxy_git_install_branch: f52105bc88ebd18d5cb3fba817173e99600cdc3f # HEAD of "master" as of 19.05.2016 +novncproxy_git_install_branch: f52105bc88ebd18d5cb3fba817173e99600cdc3f # HEAD of "master" as of 02.06.2016 novncproxy_git_dest: "/opt/novnc_{{ novncproxy_git_install_branch | replace('/', '_') }}" ## spice-html5 from source spicehtml5_git_repo: https://github.com/SPICE/spice-html5 -spicehtml5_git_install_branch: 54cc41299bea8cd681ed0262735e0fd821cd774a # HEAD of "master" as of 19.05.2016 +spicehtml5_git_install_branch: 54cc41299bea8cd681ed0262735e0fd821cd774a # HEAD of "master" as of 02.06.2016 spicehtml5_git_dest: "/opt/spicehtml5_{{ spicehtml5_git_install_branch | replace('/', '_') }}" diff --git a/playbooks/defaults/repo_packages/openstack_services.yml b/playbooks/defaults/repo_packages/openstack_services.yml index 4ccca03b28..cf8686de91 100644 --- a/playbooks/defaults/repo_packages/openstack_services.yml +++ b/playbooks/defaults/repo_packages/openstack_services.yml 
@@ -31,93 +31,93 @@ ## Global Requirements requirements_git_repo: https://git.openstack.org/openstack/requirements -requirements_git_install_branch: f724bca6c907122f53069dd6a6b5c5f56bd76a64 # HEAD of "master" as of 19.05.2016 +requirements_git_install_branch: e00676a8b2b2292138f3f02c2b3b949573730a49 # HEAD of "master" as of 02.06.2016 requirements_git_dest: "/opt/requirements_{{ requirements_git_install_branch | replace('/', '_') }}" ## Aodh service aodh_git_repo: https://git.openstack.org/openstack/aodh -aodh_git_install_branch: 1c1064b6d447aa0186cbd9099dc84d7c34f60405 # HEAD of "master" as of 19.05.2016 +aodh_git_install_branch: 6f897a20bf56522e9b4d2490cf03de2312e47a9d # HEAD of "master" as of 02.06.2016 aodh_git_dest: "/opt/aodh_{{ aodh_git_install_branch | replace('/', '_') }}" ## Ceilometer service ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer -ceilometer_git_install_branch: 23978d7a7944a3a822587b16aeba946cb4d34845 # HEAD of "master" as of 19.05.2016 +ceilometer_git_install_branch: b95710db063258e29abc00a3a6313b840b906b9d # HEAD of "master" as of 02.06.2016 ceilometer_git_dest: "/opt/ceilometer_{{ceilometer_git_install_branch | replace('/', '_') }}" ## Cinder service cinder_git_repo: https://git.openstack.org/openstack/cinder -cinder_git_install_branch: cb0504e24f80c98c662081f74b7e7c2351c9e06c # HEAD of "master" as of 19.05.2016 +cinder_git_install_branch: 3e83a3338943fac4908b3e7c8765563d35cae900 # HEAD of "master" as of 02.06.2016 cinder_git_dest: "/opt/cinder_{{ cinder_git_install_branch | replace('/', '_') }}" ## Glance service glance_git_repo: https://git.openstack.org/openstack/glance -glance_git_install_branch: 67f4866fb232434ec3b22df71b06f7cd29365949 # HEAD of "master" as of 19.05.2016 +glance_git_install_branch: 8dd23d0b9c7ca9bb521f56407f6f601db84771f9 # HEAD of "master" as of 02.06.2016 glance_git_dest: "/opt/glance_{{ glance_git_install_branch | replace('/', '_') }}" ## Heat service heat_git_repo: 
https://git.openstack.org/openstack/heat -heat_git_install_branch: d4445e15141aad03bba035d475629200a7ef3298 # HEAD of "master" as of 19.05.2016 +heat_git_install_branch: e4c09815e9557e5f93785e8a49db3c41be1d7892 # HEAD of "master" as of 02.06.2016 heat_git_dest: "/opt/heat_{{ heat_git_install_branch | replace('/', '_') }}" ## Horizon service horizon_git_repo: https://git.openstack.org/openstack/horizon -horizon_git_install_branch: 6ec5dd3b5327df4d51c5c9a396656365918258d8 # HEAD of "master" as of 19.05.2016 +horizon_git_install_branch: 4e384db0cf665198866c94dae961d7123730da4c # HEAD of "master" as of 02.06.2016 horizon_git_dest: "/opt/horizon_{{ horizon_git_install_branch | replace('/', '_') }}" ## Horizon LBaaS dashboard plugin neutron_lbaas_dashboard_git_repo: https://git.openstack.org/openstack/neutron-lbaas-dashboard -neutron_lbaas_dashboard_git_install_branch: 528567509debcb9165bcf7bf675d31bde5d36c00 # HEAD of "master" as of 19.05.2016 +neutron_lbaas_dashboard_git_install_branch: 38605d2e4ccee5f956231ddf17785ba940fa66c9 # HEAD of "master" as of 02.06.2016 neutron_lbaas_dashboard_git_dest: "/opt/neutron_lbaas_dashboard_{{ neutron_lbaas_dashboard_git_install_branch | replace('/', '_') }}" ## Keystone service keystone_git_repo: https://git.openstack.org/openstack/keystone -keystone_git_install_branch: 6635f8dcac2c14c24e1033ca7226671075161eb6 # HEAD of "master" as of 19.05.2016 +keystone_git_install_branch: 0068096e132d05aa799a8d7b58f9646b4d96ac34 # HEAD of "master" as of 02.06.2016 keystone_git_dest: "/opt/keystone_{{ keystone_git_install_branch | replace('/', '_') }}" ## Neutron service neutron_git_repo: https://git.openstack.org/openstack/neutron -neutron_git_install_branch: 79c1d7efc1a964836a98339e1e820ab6ebc5570e # HEAD of "master" as of 19.05.2016 +neutron_git_install_branch: 96a195c064df65fb566defa839e8872750931f58 # HEAD of "master" as of 02.06.2016 neutron_git_dest: "/opt/neutron_{{ neutron_git_install_branch | replace('/', '_') }}" neutron_lbaas_git_repo: 
https://git.openstack.org/openstack/neutron-lbaas -neutron_lbaas_git_install_branch: 0033ab1d00a342bb0627a9e44b5140f389883855 # HEAD of "master" as of 19.05.2016 +neutron_lbaas_git_install_branch: d693e6e9b2103fa02b31fe6bcd94cb888267cbc4 # HEAD of "master" as of 02.06.2016 neutron_lbaas_git_dest: "/opt/neutron_lbaas_{{ neutron_lbaas_git_install_branch | replace('/', '_') }}" neutron_vpnaas_git_repo: https://git.openstack.org/openstack/neutron-vpnaas -neutron_vpnaas_git_install_branch: 5a7883bdf5c17ea5440c1f3dcdc2fbc065fc13f1 # HEAD of "master" as of 19.05.2016 +neutron_vpnaas_git_install_branch: bca157440b09659d4d47f01152dc951e2c960139 # HEAD of "master" as of 02.06.2016 neutron_vpnaas_git_dest: "/opt/neutron_vpnaas_{{ neutron_vpnaas_git_install_branch | replace('/', '_') }}" neutron_fwaas_git_repo: https://git.openstack.org/openstack/neutron-fwaas -neutron_fwaas_git_install_branch: fadfe86516de7982c86de4dd1a0d275d0a6c84f7 # HEAD of "master" as of 19.05.2016 +neutron_fwaas_git_install_branch: 24921d8e2f62ed3c0dd14d5d67c3992fe8395a46 # HEAD of "master" as of 02.06.2016 neutron_fwaas_git_dest: "/opt/neutron_fwaas_{{ neutron_fwaas_git_install_branch | replace('/', '_') }}" ## Nova service nova_git_repo: https://git.openstack.org/openstack/nova -nova_git_install_branch: 813787644bd11ffb8bdf46a547bd25982d995dea # HEAD of "master" as of 19.05.2016 +nova_git_install_branch: 0f8b89c6bf1762985ff59dc19a458e99c07278fa # HEAD of "master" as of 02.06.2016 nova_git_dest: "/opt/nova_{{ nova_git_install_branch | replace('/', '_') }}" ## PowerVM Virt Driver nova_powervm_git_repo: https://git.openstack.org/openstack/nova-powervm -nova_powervm_git_install_branch: 86d7fdfee450de555cdc506c4ad2fdfbbc14ab24 # HEAD of "master" as of 18.05.2016 +nova_powervm_git_install_branch: 8c4a0c19d73aa38a1849a7da529889464d790bca # HEAD of "master" as of 02.06.2016 nova_powervm_git_dest: "/opt/nova_powervm_{{ nova_powervm_git_install_branch | replace('/', '_') }}" ## Swift service swift_git_repo: 
https://git.openstack.org/openstack/swift -swift_git_install_branch: 4f9d9eab7fdf7c85c3ad1fc884464d4df952118d # HEAD of "master" as of 19.05.2016 +swift_git_install_branch: 99186aded9d4904f63444eb8d33ab2d1c08eed76 # HEAD of "master" as of 02.06.2016 swift_git_dest: "/opt/swift_{{ swift_git_install_branch | replace('/', '_') }}" ## Ironic service ironic_git_repo: https://git.openstack.org/openstack/ironic -ironic_git_install_branch: bb42652d709a82aecb93f1d77bfbcb7e1d027d06 # HEAD of "master" as of 19.05.2016 +ironic_git_install_branch: 838420868e98b30e6f2c11d538f6a881ee112975 # HEAD of "master" as of 02.06.2016 ironic_git_dest: "/opt/ironic_{{ ironic_git_install_branch | replace('/', '_') }}" diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml index 97e7eb2025..e2216cf4bd 100644 --- a/playbooks/inventory/group_vars/hosts.yml +++ b/playbooks/inventory/group_vars/hosts.yml @@ -70,7 +70,7 @@ pip_links: # These pins are updated through the sources-branch-updater script pip_packages: - pip==8.1.2 - - setuptools==21.1.0 + - setuptools==22.0.0 - wheel==0.29.0 ## Memcached options diff --git a/releasenotes/notes/RFC-1034-and-1035-container-update-6e880e4b45e11cf0.yaml b/releasenotes/notes/RFC-1034-and-1035-container-update-6e880e4b45e11cf0.yaml new file mode 100644 index 0000000000..ee1204571c --- /dev/null +++ b/releasenotes/notes/RFC-1034-and-1035-container-update-6e880e4b45e11cf0.yaml 
@@ -0,0 +1,15 @@ +--- +features: + - LXC containers will now have a proper RFC1034/5 hostname set during post + build tasks. A localhost entry for 127.0.1.1 will be created by converting + all of the "_" in the ``inventory_hostname`` to "-". Containers will be + created with a default domain of *openstack.local*. + This domain name can be customized to meet your deployment needs by + setting the option ``lxc_container_domain``. +upgrade: + - LXC containers will now have a proper RFC1034/5 hostname set during post + build tasks. A localhost entry for 127.0.1.1 will be created by converting + all of the "_" in the ``inventory_hostname`` to "-". Containers will be + created with a default domain of *openstack.local*. + This domain name can be customized to meet your deployment needs by + setting the option ``lxc_container_domain``. diff --git a/releasenotes/notes/add-ca-certs-2398cb4856356028.yaml b/releasenotes/notes/add-ca-certs-2398cb4856356028.yaml new file mode 100644 index 0000000000..9a744fc0ae --- /dev/null +++ b/releasenotes/notes/add-ca-certs-2398cb4856356028.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - The ``ca-certificates`` package has been included in the LXC + container build process in order to prevent issues related to + trying to connect to public websites which make use of newer + certificates than exist in the base CA certificate store. diff --git a/releasenotes/notes/apt-package-pinning-dependency-6e2e94d829508859.yaml b/releasenotes/notes/apt-package-pinning-dependency-6e2e94d829508859.yaml new file mode 100644 index 0000000000..e24eac1cf8 --- /dev/null +++ b/releasenotes/notes/apt-package-pinning-dependency-6e2e94d829508859.yaml @@ -0,0 +1,4 @@ +--- +upgrade: + - The Galera client role now has a dependency on the + apt package pinning role. diff --git a/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml b/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml new file mode 100644 index 0000000000..0c20701f11 
--- /dev/null +++ b/releasenotes/notes/auditing-mac-policy-changes-fb83e0260a6431ed.yaml @@ -0,0 +1,15 @@ +--- + +upgrade: + - | + The variable ``security_audit_apparmor_changes`` is now renamed to + ``security_audit_mac_changes`` and is enabled by default. Setting + ``security_audit_mac_changes`` to ``no`` will disable syscall auditing for + any changes to AppArmor policies (in Ubuntu) or SELinux policies (in + CentOS). +features: + - | + The auditd rules template included a rule that audited changes to the + AppArmor policies, but the SELinux policy changes were not being audited. + Any changes to SELinux policies in ``/etc/selinux`` are now being logged + by auditd. diff --git a/releasenotes/notes/ceilometer-default-os-endpoint-type-3adf9db32764ddf3.yaml b/releasenotes/notes/ceilometer-default-os-endpoint-type-3adf9db32764ddf3.yaml new file mode 100644 index 0000000000..94110d9088 --- /dev/null +++ b/releasenotes/notes/ceilometer-default-os-endpoint-type-3adf9db32764ddf3.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - The default value of ``service_credentials/os_endpoint_type`` + within ceilometer's configuration file has been changed to + **internalURL**. This may be overridden through the use of + the ``ceilometer_ceilometer_conf_overrides`` variable. diff --git a/releasenotes/notes/combine_pip_roles-ba524dbaa601e1a1.yaml b/releasenotes/notes/combine_pip_roles-ba524dbaa601e1a1.yaml new file mode 100644 index 0000000000..4b5e6f727e --- /dev/null +++ b/releasenotes/notes/combine_pip_roles-ba524dbaa601e1a1.yaml @@ -0,0 +1,6 @@ +--- +features: + - The pip_install role can now configure pip to be locked down to the + repository built by OpenStack-Ansible. To enable the lockdown + configuration, deployers may set ``pip_lock_to_internal_repo`` to + ``true`` in ``/etc/openstack_deploy/user_variables.yml``. 
diff --git a/releasenotes/notes/config_template-MultiStrOps-support-c28e33fd5044e14d.yaml b/releasenotes/notes/config_template-MultiStrOps-support-c28e33fd5044e14d.yaml new file mode 100644 index 0000000000..44759c06bd --- /dev/null +++ b/releasenotes/notes/config_template-MultiStrOps-support-c28e33fd5044e14d.yaml @@ -0,0 +1,29 @@ +--- +features: + - | + The ability to support MultiStrOps has been added to the + config_template action plugin. This change updates the parser to use + the ``set()`` type to determine if values within a given key are to be + rendered as ``MultiStrOps``. If an override is used in an INI config + file the set type is defined using the standard yaml construct of "?" + as the item marker. + + :: + + # Example Override Entries + Section: + typical_list_things: + - 1 + - 2 + multistrops_things: + ? a + ? b + + :: + + # Example Rendered Config: + [Section] + typical_list_things = 1,2 + multistrops_things = a + multistrops_things = b + diff --git a/releasenotes/notes/container-repo-host-match-2be99b14642e0591.yaml b/releasenotes/notes/container-repo-host-match-2be99b14642e0591.yaml new file mode 100644 index 0000000000..9f6137ce4b --- /dev/null +++ b/releasenotes/notes/container-repo-host-match-2be99b14642e0591.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The LXC container cache preparation process now copies package + repository configuration from the host instead of implementing + its own configuration. The following variables are therefore + unnecessary and have been removed: + + * ``lxc_container_template_main_apt_repo`` + * ``lxc_container_template_security_apt_repo`` + * ``lxc_container_template_apt_components`` + diff --git a/releasenotes/notes/container-resolv-host-match-c6e3760cf4a8e5cd.yaml b/releasenotes/notes/container-resolv-host-match-c6e3760cf4a8e5cd.yaml new file mode 100644 index 0000000000..e1e93c261c --- /dev/null +++ b/releasenotes/notes/container-resolv-host-match-c6e3760cf4a8e5cd.yaml 
@@ -0,0 +1,6 @@ +--- +upgrade: + - The LXC container cache preparation process now copies DNS + resolution configuration from the host instead of implementing + its own configuration. The ``lxc_cache_resolvers`` variable + is therefore unnecessary and has been removed. diff --git a/releasenotes/notes/decrease-mariadb-waittimeout-setting-ddaae0f2e1d31ee1.yaml b/releasenotes/notes/decrease-mariadb-waittimeout-setting-ddaae0f2e1d31ee1.yaml new file mode 100644 index 0000000000..aac2fe4932 --- /dev/null +++ b/releasenotes/notes/decrease-mariadb-waittimeout-setting-ddaae0f2e1d31ee1.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - The MariaDB wait_timeout setting is decreased to 1h to match the + SQL Alchemy pool recycle timeout, in order to prevent unnecessary + database session buildups. diff --git a/releasenotes/notes/deprecate-rabbitmq_apt_packages-b85ea1b449dc136e.yaml b/releasenotes/notes/deprecate-rabbitmq_apt_packages-b85ea1b449dc136e.yaml new file mode 100644 index 0000000000..46caa81953 --- /dev/null +++ b/releasenotes/notes/deprecate-rabbitmq_apt_packages-b85ea1b449dc136e.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - The ``rabbitmq_apt_packages`` variable has been deprecated. + ``rabbitmq_dependencies`` should be used instead to override + additional packages to install alongside rabbitmq-server. diff --git a/releasenotes/notes/deprecate-repo-apt-packages-f8c4a22fc60828bf.yaml b/releasenotes/notes/deprecate-repo-apt-packages-f8c4a22fc60828bf.yaml new file mode 100644 index 0000000000..50c0a293e7 --- /dev/null +++ b/releasenotes/notes/deprecate-repo-apt-packages-f8c4a22fc60828bf.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - The ``repo_apt_packages`` variable has been deprecated. + ``repo_server_packages`` should be used instead to override + packages required to install a repo server. diff --git a/releasenotes/notes/detect_power-a6a679c8c3dd3262.yaml b/releasenotes/notes/detect_power-a6a679c8c3dd3262.yaml new file mode 100644 index 0000000000..76d31bf9ad --- /dev/null 
+++ b/releasenotes/notes/detect_power-a6a679c8c3dd3262.yaml @@ -0,0 +1,4 @@ +--- +features: + - The os_nova role can now detect a PowerNV environment and set the + virtualization type to 'kvm'. diff --git a/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml b/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml new file mode 100644 index 0000000000..6386acaaad --- /dev/null +++ b/releasenotes/notes/dictionary-variables-removed-957c7b7b2108ba1f.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - The dictionary-based variables in ``defaults/main.yml`` are now individual + variables. The dictionary-based variables could not be changed as the + documentation instructed. Instead it was required to override the entire + dictionary. Deployers must use the new variable names to enable or disable + the security configuration changes applied by the security role. For more + information, see + `Launchpad Bug 1577944 `_. diff --git a/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml b/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml new file mode 100644 index 0000000000..e6038500fe --- /dev/null +++ b/releasenotes/notes/disable-failed-access-audit-logging-789dc01c8bcbef17.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - Failed access logging is now disabled by default and can be enabled by + changing ``security_audit_failed_access`` to ``yes``. The rsyslog daemon + checks for the existence of log files regularly and this audit rule was + triggered very frequently, which led to very large audit logs. diff --git a/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml b/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml new file mode 100644 index 0000000000..406ca5aaa3 --- /dev/null +++ b/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml 
@@ -0,0 +1,7 @@ +fixes: + - | + An Ansible task was added to disable the ``netconsole`` service on CentOS + systems if the service is installed on the system. + + Deployers can opt-out of this change by setting + ``security_disable_netconsole`` to ``no``. diff --git a/releasenotes/notes/disable_slave_repo_during_sync-2aaabf90698221e3.yaml b/releasenotes/notes/disable_slave_repo_during_sync-2aaabf90698221e3.yaml new file mode 100644 index 0000000000..48aa014194 --- /dev/null +++ b/releasenotes/notes/disable_slave_repo_during_sync-2aaabf90698221e3.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - In order to ensure that the appropriate data is delivered to requesters from the repo servers, + the slave repo_server web servers are taken offline during the synchronisation process. This + ensures that the right data is always delivered to the requesters through the load balancer. +security: + - A sudoers entry has been added to the repo_servers in order to allow the nginx user to stop and + start nginx via the init script. This is implemented in order to ensure that the repo sync + process can shut off nginx while synchronising data from the master to the slaves. \ No newline at end of file diff --git a/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml b/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml new file mode 100644 index 0000000000..0c579b57f9 --- /dev/null +++ b/releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + An Ansible was added to disable the ``rdisc`` service on CentOS systems if + the service is installed on the system. + + Deployers can opt-out of this change by setting ``security_disable_rdisc`` + to ``no``. diff --git a/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml new file mode 100644 index 0000000000..64b945dd1d --- /dev/null +++ b/releasenotes/notes/enable-lsm-bae903e463079a3f.yaml 
@@ -0,0 +1,14 @@ +--- +features: + - | + The Linux Security Module (LSM) that is appropriate for the Linux + distribution in use will be automatically enabled by the security role by + default. Deployers can opt out of this change by setting the following + Ansible variable: + + .. code-block:: yaml + + security_enable_linux_security_module: False + + The documentation for STIG V-51337 has more information about how each + LSM is enabled along with special notes for SELinux. diff --git a/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml b/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml new file mode 100644 index 0000000000..61b05693b3 --- /dev/null +++ b/releasenotes/notes/fix-audit-log-permission-bug-81a772e2e6d0a5b3.yaml @@ -0,0 +1,10 @@ +--- +fixes: + - | + The security role previously set the permissions on all audit log files in + ``/var/log/audit`` to ``0400``, but this prevents the audit daemon from + writing to the active log file. This will prevent ``auditd`` from + starting or restarting cleanly. + + The task now removes any permissions that are not allowed by the STIG. Any + log files that meet or exceed the STIG requirements will not be modified. diff --git a/releasenotes/notes/glance-1604-support-e65870170a925bfe.yaml b/releasenotes/notes/glance-1604-support-e65870170a925bfe.yaml new file mode 100644 index 0000000000..79f5253b75 --- /dev/null +++ b/releasenotes/notes/glance-1604-support-e65870170a925bfe.yaml @@ -0,0 +1,3 @@ +--- +features: + - The ``os_glance`` role now supports Ubuntu 16.04 and SystemD. diff --git a/releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml b/releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml new file mode 100644 index 0000000000..d562381be6 --- /dev/null +++ b/releasenotes/notes/handling-sshd-match-stanzas-fa40b97689004e46.yaml 
@@ -0,0 +1,7 @@ +--- +fixes: + - The security role now handles ``ssh_config`` files that contain + ``Match`` stanzas. A marker is added to the configuration file and any new + configuration items will be added below that marker. In addition, the + configuration file is validated for each change to the ssh configuration + file. diff --git a/releasenotes/notes/horizon-enable-password-autocomplete-5f8f78a6c8f1edb3.yaml b/releasenotes/notes/horizon-enable-password-autocomplete-5f8f78a6c8f1edb3.yaml new file mode 100644 index 0000000000..d4741a1667 --- /dev/null +++ b/releasenotes/notes/horizon-enable-password-autocomplete-5f8f78a6c8f1edb3.yaml @@ -0,0 +1,5 @@ +--- +security: + - Horizon disables password autocompletion in the browser by default, but + deployers can now enable autocompletion by setting + ``horizon_enable_password_autocomplete`` to ``True``. diff --git a/releasenotes/notes/implement-centos7-support-cf6b6ee0d606223f.yaml b/releasenotes/notes/implement-centos7-support-cf6b6ee0d606223f.yaml new file mode 100644 index 0000000000..b6e8f6e87f --- /dev/null +++ b/releasenotes/notes/implement-centos7-support-cf6b6ee0d606223f.yaml @@ -0,0 +1,3 @@ +--- +features: + - CentOS 7 support has been added to the ``galera_server`` role. diff --git a/releasenotes/notes/implement-xenial-support-0de6444c53337d46.yaml b/releasenotes/notes/implement-xenial-support-0de6444c53337d46.yaml new file mode 100644 index 0000000000..c26241fbdd --- /dev/null +++ b/releasenotes/notes/implement-xenial-support-0de6444c53337d46.yaml 
@@ -0,0 +1,12 @@ +--- +features: + - Implemented support for Ubuntu 16.04 Xenial. percona-xtrabackup + packages will be installed from distro repositories, instead of + upstream percona repositories due to lack of available packages + upstream at the time of implementing this feature. +deprecations: + - galera_package_url changed to percona_package_url for clarity + - galera_package_sha256 changed to percona_package_sha256 for clarity + - galera_package_path changed to percona_package_path for clarity + - galera_package_download_validate_certs changed to + percona_package_download_validate_certs for clarity diff --git a/releasenotes/notes/keystone_user_and_project_support-e35b0b335b6522e9.yaml b/releasenotes/notes/keystone_user_and_project_support-e35b0b335b6522e9.yaml new file mode 100644 index 0000000000..1e3700b24c --- /dev/null +++ b/releasenotes/notes/keystone_user_and_project_support-e35b0b335b6522e9.yaml @@ -0,0 +1,42 @@ +--- +features: + - | + The ability to support login user domain and login project domain has been added to the + keystone module. + + :: + + # Example usage + - keystone: + command: ensure_user + endpoint: "{{ keystone_admin_endpoint }}" + login_user: admin + login_password: admin + login_project_name: admin + login_user_domain_name: custom + login_project_domain_name: custom + user_name: demo + password: demo + project_name: demo + domain_name: custom + +fixes: + - | + The ability to support login user domain and login project domain has been added to the + keystone module. This resolves https://bugs.launchpad.net/openstack-ansible/+bug/1574000 + + :: + + # Example usage + - keystone: + command: ensure_user + endpoint: "{{ keystone_admin_endpoint }}" + login_user: admin + login_password: admin + login_project_name: admin + login_user_domain_name: custom + login_project_domain_name: custom + user_name: demo + password: demo + project_name: demo + domain_name: custom \ No newline at end of file 
diff --git a/releasenotes/notes/lbaasv2-horizon-panel-8f99026b025ca2fd.yaml b/releasenotes/notes/lbaasv2-horizon-panel-8f99026b025ca2fd.yaml new file mode 100644 index 0000000000..6b920d67d7 --- /dev/null +++ b/releasenotes/notes/lbaasv2-horizon-panel-8f99026b025ca2fd.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + The new LBaaS v2 dashboard is available in Horizon. Deployers can enable + the panel by setting the following Ansible variable: + + .. code-block:: yaml + + horizon_enable_neutron_lbaas: True diff --git a/releasenotes/notes/lxc-container-multi-distro-f495f73951fafd1a.yaml b/releasenotes/notes/lxc-container-multi-distro-f495f73951fafd1a.yaml new file mode 100644 index 0000000000..21a0e449ff --- /dev/null +++ b/releasenotes/notes/lxc-container-multi-distro-f495f73951fafd1a.yaml 
@@ -0,0 +1,29 @@
+---
+features:
+ - The ``lxc_container_create`` role will now build a container
+ based on the distro of the host OS.
+ - The ``lxc_container_create`` role now supports Ubuntu 14.04,
+ 16.04, and RHEL/CentOS 7
+upgrade:
+ - The ``lxc_container_create`` role no longer uses the distro specific lxc
+ container create template.
+ - |
+ The following variable changes have been made in the ``lxc_host`` role:
+
+ * **lxc_container_template**: Removed because the template option is now
+ contained within the operating system specific variable file loaded at
+ runtime.
+ * **lxc_container_template_options**: This option was renamed to
+ *lxc_container_download_template_options*. The deprecation filter was not
+ used because the values provided from this option have been
+ fundamentally changed and old overrides will cause problems.
+ * **lxc_container_release**: Removed because image is now tied with the host
+ operating system.
+ * **lxc_container_user_name**: Removed because the default users are no longer
+ created when the cached image is created.
+ * **lxc_container_user_password**: Removed because the default users are no
+ longer created when the cached image is created.
+ * **lxc_container_template_main_apt_repo**: Removed because this option is now
+ being set within the cache creation process and is no longer needed here.
+ * **lxc_container_template_security_apt_repo**: Removed because this option is
+ now being set within the cache creation process and is no longer needed here.
diff --git a/releasenotes/notes/lxc-host-setup-refactor-e43559764af67fea.yaml b/releasenotes/notes/lxc-host-setup-refactor-e43559764af67fea.yaml
new file mode 100644
index 0000000000..9b55f8ae0b
--- /dev/null
+++ b/releasenotes/notes/lxc-host-setup-refactor-e43559764af67fea.yaml
@@ -0,0 +1,29 @@
+---
+features:
+ - The ``lxc_host`` cache prep has been updated to use the LXC download
+ template. This removes the last remaining dependency the project has on
+ the `rpc-trusty-container.tgz image `_.
+ - The ``lxc_host`` role will build lxc cache using the download
+ template built from `images found here `_.
+ These images are upstream builds from the greater LXC/D community.
+ - The ``lxc_host`` role introduces support for CentOS 7 and Ubuntu 16.04
+ container types.
+upgrade:
+ - The ``lxc_host`` role no longer uses the distro specific lxc container
+ create template.
+ - |
+ The following variable changes have been made in the ``lxc_host`` role:
+
+ * **lxc_container_user_password**: Removed because the default lxc
+ container user is no longer created by the lxc container template.
+ * **lxc_container_template_options**: This option was renamed to
+ *lxc_cache_download_template_options*. The deprecation filter was not
+ used because the values provided from this option have been
+ fundamentally changed and potentially old overrides will cause
+ problems.
+ * **lxc_container_base_delete**: Removed because the cache will be
+ refreshed upon role execution.
+ * **lxc_cache_validate_certs**: Removed because the Ansible ``get_url``
+ module is no longer used.
+ * **lxc_container_caches**: Removed because the container create process
+ will build a cached image based on the host OS.
diff --git a/releasenotes/notes/make-ha-router-a-toggle-eefd61fc7978240d.yaml b/releasenotes/notes/make-ha-router-a-toggle-eefd61fc7978240d.yaml
new file mode 100644
index 0000000000..4b5a7be39d
--- /dev/null
+++ b/releasenotes/notes/make-ha-router-a-toggle-eefd61fc7978240d.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Horizon now has a boolean variable named ``horizon_enable_ha_router`` to
+ enable Neutron HA router management.
diff --git a/releasenotes/notes/make-ipv6-a-toggle-63d9c839e204cdda.yaml b/releasenotes/notes/make-ipv6-a-toggle-63d9c839e204cdda.yaml
new file mode 100644
index 0000000000..1d2c6337a0
--- /dev/null
+++ b/releasenotes/notes/make-ipv6-a-toggle-63d9c839e204cdda.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ Horizon's IPv6 support is now enabled by default. This allows users to
+ manage subnets with IPv6 addresses within the Horizon interface. Deployers
+ can disable IPv6 support in Horizon by setting the following variable:
+
+ .. code-block:: yaml
+
+ horizon_enable_ipv6: False
+
+ Please note: Horizon will still display IPv6 addresses in various panels
+ with IPv6 support disabled. However, it will not allow any direct
+ management of IPv6 configuration.
diff --git a/releasenotes/notes/memcached_server-add-nofile-setting-504e0c50e10a4ea6.yaml b/releasenotes/notes/memcached_server-add-nofile-setting-504e0c50e10a4ea6.yaml
new file mode 100644
index 0000000000..daedb68ad9
--- /dev/null
+++ b/releasenotes/notes/memcached_server-add-nofile-setting-504e0c50e10a4ea6.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - The openstack-ansible-memcached_server role includes
+ a new override,`memcached_connections` which is
+ automatically calculated from the number of memcached
+ connection limit plus additional 1k to configure
+ the OS nofile limit. Without proper nofile limit
+ configuration, memcached will crash in order to support
+ higher parallel connection TCP/Memcache counts.
diff --git a/releasenotes/notes/multi-distro-add-0e53560f66394691.yaml b/releasenotes/notes/multi-distro-add-0e53560f66394691.yaml
new file mode 100644
index 0000000000..1fd6705be7
--- /dev/null
+++ b/releasenotes/notes/multi-distro-add-0e53560f66394691.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - CentOS 7 support has been added to the ``galera_client`` role.
+deprecations:
+ - The variable **galera_client_apt_packages** has been deprecated
+ when deploying the ``galera_client`` role on Ubuntu 14.04. This
+ variable has been replaced with **galera_client_packages** and
+ will be removed in the Ocata release.
+ - The variable **galera_apt_pinned_packages** has been deprecated
+ when deploying the ``galera_client`` role on Ubuntu 14.04. This
+ variable has been replaced with **galera_pinned_packages**
+ and will be removed in the Ocata release.
diff --git a/releasenotes/notes/neutron-agent-dynamic-enable-47f0c709ef0dfe55.yaml b/releasenotes/notes/neutron-agent-dynamic-enable-47f0c709ef0dfe55.yaml
new file mode 100644
index 0000000000..9084a3d08e
--- /dev/null
+++ b/releasenotes/notes/neutron-agent-dynamic-enable-47f0c709ef0dfe55.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - Whether the Neutron DHCP Agent, Metadata Agent or LinuxBridge Agent
+ should be enabled is now dynamically determined based on the
+ ``neutron_plugin_type`` and the ``neutron_ml2_mechanism_drivers``
+ that are set. This aims to simplify the configuration of Neutron
+ services and eliminate the need for deployers to override the
+ entire ``neutron_services`` dict variable to disable these services.
+upgrade:
+ - Whether the Neutron DHCP Agent, Metadata Agent or LinuxBridge Agent
+ should be enabled is now dynamically determined based on the
+ ``neutron_plugin_type`` and the ``neutron_ml2_mechanism_drivers``
+ that are set. This aims to simplify the configuration of Neutron
+ services and eliminate the need for deployers to override the
+ entire ``neutron_services`` dict variable to disable these services.
diff --git a/releasenotes/notes/neutron-dhcp-mtu-8767de6f541b04c1.yaml b/releasenotes/notes/neutron-dhcp-mtu-8767de6f541b04c1.yaml
new file mode 100644
index 0000000000..c3f7b35a12
--- /dev/null
+++ b/releasenotes/notes/neutron-dhcp-mtu-8767de6f541b04c1.yaml
@@ -0,0 +1,8 @@ +--- +upgrade: + - As described in the `Mitaka release notes + `_ + Neutron now correctly calculates for and advertises the MTU to + instances. The default DHCP configuration to advertise an MTU + to instances has therefore been removed from the variable + ``neutron_dhcp_config``. diff --git a/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml index a21013bebf..3048dad9a6 100644 --- a/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml +++ b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml @@ -2,7 +2,7 @@ features: - Neutron Firewall as a Service (FWaaS) can now optionally be deployed and configured. Please see the `FWaaS Configuration Reference - `_ + `_ for details about the what the service is and what it provides. See the `FWaaS Install Guide `_ for implementation details. diff --git a/releasenotes/notes/neutron-mtu-cleanup-ce73693b4f7aef0d.yaml b/releasenotes/notes/neutron-mtu-cleanup-ce73693b4f7aef0d.yaml new file mode 100644 index 0000000000..25cf8b1375 --- /dev/null +++ b/releasenotes/notes/neutron-mtu-cleanup-ce73693b4f7aef0d.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - As described in the `Mitaka release notes + `_ + Neutron now correctly calculates for and advertises the MTU to + instances. As such the ``neutron_network_device_mtu`` variable + has been removed and the hard-coded values in the templates for + ``advertise_mtu``, ``path_mtu``, and ``segment_mtu`` have been + removed to allow upstream defaults to operate as intended. diff --git a/releasenotes/notes/neutron-network-variables-ff6d2c7f8c7c3ccd.yaml b/releasenotes/notes/neutron-network-variables-ff6d2c7f8c7c3ccd.yaml new file mode 100644 index 0000000000..ae87ed33d2 --- /dev/null +++ b/releasenotes/notes/neutron-network-variables-ff6d2c7f8c7c3ccd.yaml 
@@ -0,0 +1,10 @@
+---
+features:
+ - Deployers can now configure tempest public and private networks by setting
+ the following variables, 'tempest_private_net_provider_type' to either vxlan
+ or vlan and 'tempest_public_net_provider_type' to flat or vlan. Depending on
+ what the deployer sets these variables to, they may also need to update other
+ variables accordingly, this mainly involves 'tempest_public_net_physical_type'
+ and 'tempest_public_net_seg_id'. Please refer to
+ http://docs.openstack.org/mitaka/networking-guide/intro-basic-networking.html
+ for more neutron networking information.
diff --git a/releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml b/releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml
new file mode 100644
index 0000000000..9d2ccefef9
--- /dev/null
+++ b/releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml
@@ -0,0 +1,16 @@
+---
+features:
+ - The horizon next generation instance management panels have been
+ enabled by default. This changes horizon to use the upstream defaults
+ instead of the legacy panels. `Documentation can be found here `_.
+upgrade:
+ - |
+ The default horizon instance launch panels have been changed to the
+ next generation panels. To enable legacy functionality set the following
+ options accordingly:
+
+ .. code-block:: yaml
+
+ horizon_launch_instance_legacy: True
+ horizon_launch_instance_ng: False
+
diff --git a/releasenotes/notes/nova-console-proxy-git-cleanup-cdeffd3f0d040275.yaml b/releasenotes/notes/nova-console-proxy-git-cleanup-cdeffd3f0d040275.yaml
new file mode 100644
index 0000000000..112739b090
--- /dev/null
+++ b/releasenotes/notes/nova-console-proxy-git-cleanup-cdeffd3f0d040275.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - Cleanup tasks are added to remove the nova console git
+ directories ``/usr/share/novnc`` and ``/usr/share/spice-html5``,
+ prior to cloning these inside the nova vnc and spice
+ console playbooks. This is necessary to guarantee
+ that local modifications do not break git clone
+ operations, especially during upgrades.
diff --git a/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
new file mode 100644
index 0000000000..464d5f76a8
--- /dev/null
+++ b/releasenotes/notes/ntp-bind-local-interfaces-only-05f03de632e81097.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - A new configuration parameter ``security_ntp_bind_local_interfaces`` was
+ added to the security role to restrict the network interface to which
+ chronyd will listen for NTP requests.
\ No newline at end of file
diff --git a/releasenotes/notes/openvswitch-support-1b71ae52dde81403.yaml b/releasenotes/notes/openvswitch-support-1b71ae52dde81403.yaml
new file mode 100644
index 0000000000..ac0da8eae9
--- /dev/null
+++ b/releasenotes/notes/openvswitch-support-1b71ae52dde81403.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ Open vSwitch driver support has been implemented. This includes the implementation of the
+ appropriate Neutron configuration and package installation. This feature may be activated
+ by setting ``neutron_plugin_type: ml2.ovs`` in ``/etc/openstack_deploy/user_variables.yml``.
+upgrade:
+ - The variable ``neutron_linuxbridge`` has been removed as it is no longer used.
+ - The variable ``neutron_driver_interface`` has been removed. The appropriate value for
+ ``neutron.conf`` is now determined based on the ``neutron_plugin_type``.
+ - The variable ``neutron_driver_firewall`` has been removed. The appropriate value for
+ ``neutron.conf`` is now determined based on the ``neutron_plugin_type``.
+ - The variable ``neutron_ml2_mechanism_drivers`` has been removed. The appropriate value for
+ ml2_conf.ini is now determined based on the ``neutron_plugin_type``.
diff --git a/releasenotes/notes/os-keystone-apache-mpm-tunable-support-1c72f2f99cd502bc.yaml b/releasenotes/notes/os-keystone-apache-mpm-tunable-support-1c72f2f99cd502bc.yaml
new file mode 100644
index 0000000000..e74080efe7
--- /dev/null
+++ b/releasenotes/notes/os-keystone-apache-mpm-tunable-support-1c72f2f99cd502bc.yaml
@@ -0,0 +1,17 @@
+---
+features:
+ - |
+ Apache MPM tunable support has been added to the os-keystone
+ role in order to allow MPM thread tuning.
+ Default values reflect the current Ubuntu default settings:
+
+ .. code-block:: yaml
+
+ keystone_httpd_mpm_backend: event
+ keystone_httpd_mpm_start_servers: 2
+ keystone_httpd_mpm_min_spare_threads: 25
+ keystone_httpd_mpm_max_spare_threads: 75
+ keystone_httpd_mpm_thread_limit: 64
+ keystone_httpd_mpm_thread_child: 25
+ keystone_httpd_mpm_max_requests: 150
+ keystone_httpd_mpm_max_conn_child: 0
diff --git a/releasenotes/notes/os-neutron-handle_internal_only_routers-e46092d6f1f7c4b0.yaml b/releasenotes/notes/os-neutron-handle_internal_only_routers-e46092d6f1f7c4b0.yaml
new file mode 100644
index 0000000000..152cbfbf00
--- /dev/null
+++ b/releasenotes/notes/os-neutron-handle_internal_only_routers-e46092d6f1f7c4b0.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - The Neutron L3 Agent configuration for the handle_internal_only_routers
+ variable is removed in order to use the Neutron upstream default setting.
+ The current default for handle_internal_only_routers is True,
+ which does allow Neutron L3 router without external networks attached
+ (as discussed per https://bugs.launchpad.net/neutron/+bug/1572390).
diff --git a/releasenotes/notes/remove-upgrade-gate-checks-3fbe339e06094681.yaml b/releasenotes/notes/remove-upgrade-gate-checks-3fbe339e06094681.yaml
new file mode 100644
index 0000000000..f1256e2952
--- /dev/null
+++ b/releasenotes/notes/remove-upgrade-gate-checks-3fbe339e06094681.yaml
@@ -0,0 +1,3 @@
+---
+other:
+ - Mariadb version upgrade gate checks removed.
diff --git a/releasenotes/notes/remove-xtrabackup-0513a40593f2d0e3.yaml b/releasenotes/notes/remove-xtrabackup-0513a40593f2d0e3.yaml
new file mode 100644
index 0000000000..6a1930c3bb
--- /dev/null
+++ b/releasenotes/notes/remove-xtrabackup-0513a40593f2d0e3.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - Percona Xtrabackup has been removed from the Galera client
+ role.
+deprecations:
+ - The variables ```galera_client_package_*``` and ```galera_client_apt_percona_xtrabackup_*```
+ have been removed from the role as Xtrabackup is no longer deployed.
diff --git a/releasenotes/notes/remove_verbose_var-c22f4946eedbc5f2.yaml b/releasenotes/notes/remove_verbose_var-c22f4946eedbc5f2.yaml
new file mode 100644
index 0000000000..7eaf78ff23
--- /dev/null
+++ b/releasenotes/notes/remove_verbose_var-c22f4946eedbc5f2.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The variable ``verbose`` has been removed. Deployers should rely on the
+ ``debug`` var to enable higher levels of memcached logging.
+
diff --git a/releasenotes/notes/removed-db-create-tasks-276095a2293ed4ee.yaml b/releasenotes/notes/removed-db-create-tasks-276095a2293ed4ee.yaml
new file mode 100644
index 0000000000..6d88836e6c
--- /dev/null
+++ b/releasenotes/notes/removed-db-create-tasks-276095a2293ed4ee.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The database create and user creates have been removed
+ from the ``os_heat`` role. These tasks have been relocated
+ to the playbooks.
diff --git a/releasenotes/notes/removed-db-create-tasks-3deea562441871c6.yaml b/releasenotes/notes/removed-db-create-tasks-3deea562441871c6.yaml
new file mode 100644
index 0000000000..a7865c345a
--- /dev/null
+++ b/releasenotes/notes/removed-db-create-tasks-3deea562441871c6.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The database create and user creates have been removed
+ from the ``os_nova`` role. These tasks have been relocated
+ to the playbooks.
diff --git a/releasenotes/notes/removed-db-create-tasks-4560d4b960383c4e.yaml b/releasenotes/notes/removed-db-create-tasks-4560d4b960383c4e.yaml
new file mode 100644
index 0000000000..080f1e2e79
--- /dev/null
+++ b/releasenotes/notes/removed-db-create-tasks-4560d4b960383c4e.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The database create and user creates have been removed
+ from the ``os_glance`` role. These tasks have been relocated
+ to the playbooks.
diff --git a/releasenotes/notes/removed-db-create-tasks-8ae301041fe46cfb.yaml b/releasenotes/notes/removed-db-create-tasks-8ae301041fe46cfb.yaml
new file mode 100644
index 0000000000..98d5a849c0
--- /dev/null
+++ b/releasenotes/notes/removed-db-create-tasks-8ae301041fe46cfb.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The database and user creates have been removed from the
+ ``os_horizon`` role. These tasks have been relocated to
+ the playbooks.
diff --git a/releasenotes/notes/removed-db-create-tasks-8d931286d6347bc6.yaml b/releasenotes/notes/removed-db-create-tasks-8d931286d6347bc6.yaml
new file mode 100644
index 0000000000..d5c18649fd
--- /dev/null
+++ b/releasenotes/notes/removed-db-create-tasks-8d931286d6347bc6.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The database create and user creates have been removed
+ from the ``os_cinder`` role. These tasks have been relocated
+ to the playbooks.
diff --git a/releasenotes/notes/removed-db-create-tasks-eed527e915f23ee0.yaml b/releasenotes/notes/removed-db-create-tasks-eed527e915f23ee0.yaml
new file mode 100644
index 0000000000..4f34812920
--- /dev/null
+++ b/releasenotes/notes/removed-db-create-tasks-eed527e915f23ee0.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - The database create and user creates have been removed
+ from the ``os_neutron`` role. These tasks have been relocated
+ to the playbooks.
diff --git a/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml b/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml
new file mode 100644
index 0000000000..15742b3f0e
--- /dev/null
+++ b/releasenotes/notes/search-for-unlabeled-devices-cb047c5f767e93ce.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Tasks were added to search for any device files without a proper SELinux
+ label on CentOS systems. If any of these device labels are found, the
+ playbook execution will stop with an error message.
diff --git a/releasenotes/notes/ssh-pub-key-check-c42309653dbe3493.yaml b/releasenotes/notes/ssh-pub-key-check-c42309653dbe3493.yaml
new file mode 100644
index 0000000000..6b38bb0c91
--- /dev/null
+++ b/releasenotes/notes/ssh-pub-key-check-c42309653dbe3493.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - The check to validate whether an appropriate ssh public key
+ is available to copy into the container cache has been
+ corrected to check the deployment host, not the LXC host.
diff --git a/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml b/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml
new file mode 100644
index 0000000000..41d4c71075
--- /dev/null
+++ b/releasenotes/notes/support-for-centos-xenial-2b89c318cc3df4b0.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - The openstack-ansible-security role supports the application of the Red
+ Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and
+ Ubuntu 16.04 LTS.
diff --git a/releasenotes/notes/swift-fallocate-reserve-ff513025da68bfed.yaml b/releasenotes/notes/swift-fallocate-reserve-ff513025da68bfed.yaml
new file mode 100644
index 0000000000..ff3eb6e48e
--- /dev/null
+++ b/releasenotes/notes/swift-fallocate-reserve-ff513025da68bfed.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - The ``fallocate_reserve` option can now be set (in bytes or as a percentage) for swift
+ by using the ``swift_fallocate_reserve`` variable in
+ ``/etc/openstack_deploy/user_variables.yml``. This value is the amount of space to
+ reserve on a disk to prevent a situation where swift is unable to remove objects due
+ to a lack of available disk space to work with. The default value is 1% of the total
+ disk size.
+upgrade:
+ - The ``swift_fallocate_reserve`` default value has changed from 10737418240
+ (10GB) to 1% in order to match the OpenStack swift default setting.
\ No newline at end of file
diff --git a/releasenotes/notes/swift-pypy-support-9706519c4b88a571.yaml b/releasenotes/notes/swift-pypy-support-9706519c4b88a571.yaml
new file mode 100644
index 0000000000..fcfac1e8e8
--- /dev/null
+++ b/releasenotes/notes/swift-pypy-support-9706519c4b88a571.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - While default python interpreter for swift is cpython, pypy is
+ now an option. This change adds the ability to greatly improve swift
+ performance without the core code modifications. These changes have
+ been implemented using the documentation provided by Intel and
+ Swiftstack. Notes about the performance increase can be seen
+ `here `_.
+upgrade:
+ - A new option `swift_pypy_enabled` has been added to enable or
+ disable the pypy interpreter for swift. The default is "false".
+ - A new option `swift_pypy_archive` has been added to allow a pre-built
+ pypy archive to be downloaded and moved into place to support swift
+ running under pypy. This option is a dictionary and contains the URL
+ and SHA256 as keys.
diff --git a/releasenotes/notes/swift-reconfigure-xfs-from-mlocate-e4844e6c0469afd6.yaml b/releasenotes/notes/swift-reconfigure-xfs-from-mlocate-e4844e6c0469afd6.yaml
new file mode 100644
index 0000000000..bb081338ea
--- /dev/null
+++ b/releasenotes/notes/swift-reconfigure-xfs-from-mlocate-e4844e6c0469afd6.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - The XFS filesystem is excluded from the daily mlocate crond job
+ in order to conserve disk IO for large IOPS bursts due to
+ updatedb/mlocate file indexing.
diff --git a/releasenotes/notes/swift-rsync-module-per-drive-79b05af8276e7d6e.yaml b/releasenotes/notes/swift-rsync-module-per-drive-79b05af8276e7d6e.yaml
new file mode 100644
index 0000000000..539904623a
--- /dev/null
+++ b/releasenotes/notes/swift-rsync-module-per-drive-79b05af8276e7d6e.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - Enable rsync module per object server drive by setting
+ the ``swift_rsync_module_per_drive`` setting to ``True``.
+ Set this to configure rsync and swift to utilise individual
+ configuration per drive. This is required when disabling
+ rsyncs to individual disks. For example, in a disk full
+ scenario.
+upgrade:
+ - The ``swift_max_rsync_connections`` default value has
+ changed from 2 to 4 in order to match the OpenStack swift
+ documented value.
diff --git a/releasenotes/notes/swift-staticweb-support-b280fbebf271820b.yaml b/releasenotes/notes/swift-staticweb-support-b280fbebf271820b.yaml
new file mode 100644
index 0000000000..5eb0ffdb72
--- /dev/null
+++ b/releasenotes/notes/swift-staticweb-support-b280fbebf271820b.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - The ``os_swift`` role will now include the swift "staticweb" middleware
+ by default.
+upgrade:
+ - When upgrading a Swift deployment from Mitaka to Newton it should be noted
+ that the enabled middleware list has changed. In Newton the "staticweb"
+ middleware will be loaded by default. While the change adds a feature it is
+ non-disruptive in upgrades.
diff --git a/releasenotes/notes/symlink_libvirt_save_dir_to_nova_dir-3b1b278cb7e5831f.yaml b/releasenotes/notes/symlink_libvirt_save_dir_to_nova_dir-3b1b278cb7e5831f.yaml
new file mode 100644
index 0000000000..0f23d70ae9
--- /dev/null
+++ b/releasenotes/notes/symlink_libvirt_save_dir_to_nova_dir-3b1b278cb7e5831f.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - The ``/var/lib/libvirt/qemu/save`` directory is now a
+ symlink to ``{{ nova_system_home_folder }}/save`` to
+ resolve an issue where the default location used by the
+ libvirt managed save command can result with the root
+ partitions on compute nodes becoming full when
+ ``nova image-create`` is run on large instances.
diff --git a/releasenotes/notes/ubuntu_ppc64le-581e5fcd5950186e.yaml b/releasenotes/notes/ubuntu_ppc64le-581e5fcd5950186e.yaml
new file mode 100644
index 0000000000..a1b6178af7
--- /dev/null
+++ b/releasenotes/notes/ubuntu_ppc64le-581e5fcd5950186e.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Support had been added to allow the functional tests to pass when
+ deploying on ppc64le architecture using the Ubuntu distributions.
+
+
diff --git a/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml b/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml
new file mode 100644
index 0000000000..0fa7d814da
--- /dev/null
+++ b/releasenotes/notes/unique-variable-migration-c0639030b495438f.yaml
@@ -0,0 +1,20 @@
+---
+upgrade:
+ - |
+ All variables in the security role are now prepended with ``security_`` to
+ avoid collisions with variables in other roles. All deployers who have
+ used the security role in previous releases will need to prepend all
+ security role variables with ``security_``.
+
+ For example, a deployer could have disabled direct root ssh logins with the
+ following variable:
+
+ .. code-block:: yaml
+
+ ssh_permit_root_login: yes
+
+ That variable would become:
+
+ .. code-block:: yaml
+
+ security_ssh_permit_root_login: yes
diff --git a/releasenotes/notes/updated-neutron-plugin_base-25b5dcacc87acd0f.yaml b/releasenotes/notes/updated-neutron-plugin_base-25b5dcacc87acd0f.yaml
index 434a1258d1..477c2f9b09 100644
--- a/releasenotes/notes/updated-neutron-plugin_base-25b5dcacc87acd0f.yaml
+++ b/releasenotes/notes/updated-neutron-plugin_base-25b5dcacc87acd0f.yaml
@@ -4,7 +4,7 @@ upgrade: names. Deployers should change any customisations to this variable to ensure that the customisation makes use of the short names instead of the full class path. - - Database migration tasks have been added for the LBaaS neutron plugins. + - Database migration tasks have been added for the LBaaS neutron plugin. deprecations: - The old class path names used within the ``neutron_plugin_base`` have been deprecated in favor of the friendly names. Support for the use diff --git a/requirements.txt b/requirements.txt index f9f7c8a721..8d3c8752bf 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,5 +8,5 @@ virtualenv>=14.0.0 # Used for Ansible isolation ### These pins are updated through the sources-branch-updater script ### ### pip==8.1.2 -setuptools==21.1.0 +setuptools==22.0.0 wheel==0.29.0 diff --git a/scripts/scripts-library.sh b/scripts/scripts-library.sh index ca47fbb670..d5d0f18b6c 100755 --- a/scripts/scripts-library.sh +++ b/scripts/scripts-library.sh @@ -21,7 +21,7 @@ MAX_RETRIES=${MAX_RETRIES:-5} REPORT_DATA=${REPORT_DATA:-""} ANSIBLE_PARAMETERS=${ANSIBLE_PARAMETERS:-""} STARTTIME="${STARTTIME:-$(date +%s)}" -PIP_INSTALL_OPTIONS=${PIP_INSTALL_OPTIONS:-'pip==8.1.2 setuptools==21.1.0 wheel==0.29.0 '} +PIP_INSTALL_OPTIONS=${PIP_INSTALL_OPTIONS:-'pip==8.1.2 setuptools==22.0.0 wheel==0.29.0 '} # The default SSHD configuration has MaxSessions = 10. If a deployer changes # their SSHD config, then the ANSIBLE_FORKS may be set to a higher number. We