summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--capabilities-map.yaml12
-rw-r--r--environments/horizon_password_validation.yaml5
-rw-r--r--puppet/services/cinder-api.yaml3
-rw-r--r--puppet/services/horizon.yaml10
-rw-r--r--puppet/services/snmp.yaml4
-rw-r--r--puppet/services/swift-ringbuilder.yaml12
-rw-r--r--puppet/services/swift-storage.yaml13
-rw-r--r--puppet/upgrade_config.yaml9
-rw-r--r--releasenotes/notes/6.0.0-b52a14a71fc62788.yaml95
9 files changed, 161 insertions, 2 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml
index cd846316..aae89307 100644
--- a/capabilities-map.yaml
+++ b/capabilities-map.yaml
@@ -537,3 +537,15 @@ topics:
description:
requires:
- overcloud-resource-registry-puppet.yaml
+
+ - title: Security Options
+ description: Security Hardening Options
+ environment_groups:
+ - title: Horizon Password Validation
+ description: Enable Horizon Password validation
+ environments:
+ - file: environments/horizon_password_validation.yaml
+ title: Horizon Password Validation
+ description:
+ requires:
+ - overcloud-resource-registry-puppet.yaml
diff --git a/environments/horizon_password_validation.yaml b/environments/horizon_password_validation.yaml
new file mode 100644
index 00000000..1a0f92cc
--- /dev/null
+++ b/environments/horizon_password_validation.yaml
@@ -0,0 +1,5 @@
+# Use this enviroment to pass in validation regex for horizons password
+# validation checks
+parameter_defaults:
+ HorizonPasswordValidator: '.*'
+ HorizonPasswordValidatorHelp: 'Your password does not meet the requirements.'
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index a5c912ed..e3c96325 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -149,6 +149,9 @@ outputs:
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
+ - name: "PreUpgrade step0: Check service openstack-cinder-api is running"
+ shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b'
+ tags: step0,validation
- name: check for cinder running under apache (post upgrade)
tags: step2
shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder"
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index cf35d202..2111021b 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -27,6 +27,14 @@ parameters:
description: A list of IP/Hostname for the server Horizon is running on.
Used for header checks.
type: comma_delimited_list
+ HorizonPasswordValidator:
+ description: Regex for password validation
+ type: string
+ default: ''
+ HorizonPasswordValidatorHelp:
+ description: Help text for password validation
+ type: string
+ default: ''
HorizonSecret:
description: Secret key for Django
type: string
@@ -71,6 +79,8 @@ outputs:
options: ['FollowSymLinks','MultiViews']
horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ horizon::password_validator: {get_param: [HorizonPasswordValidator]}
+ horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
horizon::secret_key:
yaql:
expression: $.data.passwords.where($ != '').first()
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index be9d143e..fd6ed818 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -43,3 +43,7 @@ outputs:
proto: 'udp'
step_config: |
include ::tripleo::profile::base::snmp
+ upgrade_tasks:
+ - name: Stop snmp service
+ tags: step2
+ service: name=snmpd state=stopped
diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml
index a7ba7bad..2e3c818f 100644
--- a/puppet/services/swift-ringbuilder.yaml
+++ b/puppet/services/swift-ringbuilder.yaml
@@ -43,6 +43,16 @@ parameters:
description: 'Use a local directory for Swift storage services when building rings'
type: boolean
+conditions:
+ swift_use_local_dir:
+ and:
+ - equals:
+ - get_param: SwiftUseLocalDir
+ - true
+ - equals:
+ - get_param: SwiftRawDisks
+ - {}
+
outputs:
role_data:
description: Role data for Swift Ringbuilder configuration.
@@ -59,7 +69,7 @@ outputs:
expression: $.data.raw_disk_lists.flatten()
data:
raw_disk_lists:
- - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]}
+ - {if: [swift_use_local_dir, [':%PORT%/d1'], []]}
- repeat:
template: ':%PORT%/DEVICE'
for_each:
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 08df928d..247b23ff 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -56,6 +56,17 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
+conditions:
+ swift_mount_check:
+ or:
+ - equals:
+ - get_param: SwiftMountCheck
+ - true
+ - not:
+ equals:
+ - get_param: SwiftRawDisks
+ - {}
+
outputs:
role_data:
description: Role data for the Swift Proxy role.
@@ -65,7 +76,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [SwiftBase, role_data, config_settings]
- - swift::storage::all::mount_check: {get_param: SwiftMountCheck}
+ - swift::storage::all::mount_check: {if: [swift_mount_check, true, false]}
tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
tripleo.swift_storage.firewall_rules:
'123 swift storage':
diff --git a/puppet/upgrade_config.yaml b/puppet/upgrade_config.yaml
index e892d813..c37cc033 100644
--- a/puppet/upgrade_config.yaml
+++ b/puppet/upgrade_config.yaml
@@ -11,6 +11,11 @@ parameters:
type: string
description: Step number of the upgrade
+ SkipUpgradeConfigTags:
+ type: comma_delimited_list
+ description: Ansible tags to skip during upgrade, e.g validation skips pre-upgrade validations
+ default: []
+
resources:
AnsibleConfig:
@@ -30,6 +35,10 @@ resources:
properties:
group: ansible
options:
+ skip_tags:
+ list_join:
+ - ","
+ - {get_param: SkipUpgradeConfigTags}
tags:
str_replace:
template: "stepSTEP"
diff --git a/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml
new file mode 100644
index 00000000..069cbd23
--- /dev/null
+++ b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml
@@ -0,0 +1,95 @@
+---
+prelude: >
+ 6.0.0 is the final release for Ocata.
+ It's the first release where release notes are added.
+features:
+ - Fujitsu Neutron plugin for FOS support. Users can deploy
+ Neutron with this plugin by using
+ environments/neutron-ml2-fujitsu-fossw.yaml environment file.
+ - Expose InstanceDiscoveryMethod parameter to configure Ceilometer
+ method used to discover instances running on compute node.
+ Default value to 'libvirt_metadata'. Allowed values are 'naive',
+ 'libvirt_metadata' and 'workload_partitioning'.
+ - Make ServiceNetMap support custom network names.
+ Note that operators will still be expected to pass any ServiceNetMap
+ overrides with the "new" network name, e.g whatever NetName specifies,
+ otherwise environment files could get very confusing.
+ - Nova Placement API support. As this new service is required, deploy it
+ by default in WSGI with Apache, like other API services.
+ - Cinder pass-through iSER backend support.
+ - etcd composable services, used by networking-vpp ML2 driver as the
+ messaging mechanism.
+ - Allow to configure cron parameters for Cinder, Heat, Keystone and Nova
+ crontabs.
+ - Export NovaDefaultFloatingPool parameter to configure the default pool
+ of floating IP addressed available. Default to 'public' for backward
+ compatibility.
+ - Bump Heat Templates to 'ocata' version, to match Heat requirements.
+ - Configure OVS agent firewall driver only if NeutronOVSFirewallDriver
+ is set.
+ - Expose RbdDefaultFeatures parameter to configure the default features
+ enabled when creating a block device image.
+ Only applies to format '2' images. Set to '1' for Jewel clients using
+ older Ceph servers.
+ - Cinder HPELeftHandISCSIDriver backend support.
+ - Pacemaker stopped to manage Ceilometer, Cinder API,
+ Cinder Scheduler, MongoDB, Glance, Gnocchi, Heat, Apache, Memcached,
+ Neutron, Nova and Sahara.
+ - Ceph MDS service support. Service can be enable with
+ environments/services/ceph-mds.yaml environment file.
+ - Expose HeatConvergenceEngine and HeatMaxResourcesPerStack parameters
+ to configure Heat.
+ - Add pre-network hook and example showing config-then-reboot.
+ - Expose LibvirtEnabledPerfEvents parameter in Nova Compute service.
+ Default to an empty array.
+ This is a performance event list which could be used as monitor.
+ - Increase libvirt/qemu.conf max_files to 32768 and max_processes to
+ 131072.
+ - Split OVN northd and ml2 plugin, so we can deploy OVNDBs and Northd
+ services on different nodes.
+ - Add hook to generate metadata from service profiles.
+ This is useful for nova vendordata plugins that can parse said metadata.
+ - Expose EventPipelinePublishers to Ceilometer and set the default to
+ 'notifier://?topic=alarm.all'.
+ - Add Panko service support. This service is not enabled by default. Use
+ environments/services/enable-panko.yaml to include it in your deployment.
+ - Add EC2-API composable service support.
+upgrade:
+ - Update OpenDaylight deployment to use networking-odl v2 as a mechanism
+ driver.
+deprecations:
+ - Glance Registry service has been removed and Glance API v2 is now deploy
+ by default. Glance API v1 is not supported anymore in TripleO.
+ - Remove CeilometerStoreEvents parameter, which has been removed
+ in Ceilometer.
+ - Ceilometer API service is deprecated and will be removed in a future
+ release. If you would like to disable it, use
+ environments/services/disable-ceilometer-api.yaml environment file.
+ - Removes deprecated OpenDaylight L2 only deployments.
+ Deploying ODL without L3 DVR is no longer supported.
+security:
+ - Disallow iframe embed in Horizon configuration to prevent dashboard being
+ embedded within an iframe and exposed to Cross-Frame Scripting (XFS)
+ vulnerability on legacy browsers.
+ - Allow management of enforce_password_check in Horizons configuration to
+ display an 'Admin Password' field on the Change Password form to verify that
+ it is indeed the admin logged-in who wants to change the password.
+ - Allow management of disable_password_reveal in Horizon, to remove the
+ password reveal option.
+ - Enable secure_proxy_ssl_header option in Horizons configuration to take
+ X-Forwarded-Proto header into account when forming URLs.
+fixes:
+ - Fixes `bug 1645898
+ <https://bugs.launchpad.net/tripleo/+bug/1645898>`__ so epmd is binded on
+ the right address, where RabbitMQ is listening too.
+ - Fixes `bug 1652184
+ <https://bugs.launchpad.net/tripleo/+bug/1652184>`__ so swap partitions
+ can be handled from an environment file thanks to AllNodesExtraConfig.
+ - Add retry to RHEL registration, useful when having network outages during
+ registration.
+ - Fixes `bug 1651476
+ <https://bugs.launchpad.net/tripleo/+bug/1651476>`__ so firewall rules
+ are created for Opendaylight API service.
+ - Fixes `bug 1643487
+ <https://bugs.launchpad.net/tripleo/+bug/1643487>`__ to prevent source
+ address from binding to a VIP for database connection.