9 files changed, 161 insertions, 2 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml
index cd846316..aae89307 100644
--- a/capabilities-map.yaml
+++ b/capabilities-map.yaml
@@ -537,3 +537,15 @@ topics:
             description:
             requires:
               - overcloud-resource-registry-puppet.yaml
+
+  - title: Security Options
+    description: Security Hardening Options
+    environment_groups:
+      - title: Horizon Password Validation
+        description: Enable Horizon Password validation
+        environments:
+          - file: environments/horizon_password_validation.yaml
+            title: Horizon Password Validation
+            description:
+            requires:
+              - overcloud-resource-registry-puppet.yaml
diff --git a/environments/horizon_password_validation.yaml b/environments/horizon_password_validation.yaml
new file mode 100644
index 00000000..1a0f92cc
--- /dev/null
+++ b/environments/horizon_password_validation.yaml
@@ -0,0 +1,5 @@
+# Use this enviroment to pass in validation regex for horizons password
+# validation checks
+parameter_defaults:
+  HorizonPasswordValidator: '.*'
+  HorizonPasswordValidatorHelp: 'Your password does not meet the requirements.'
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index a5c912ed..e3c96325 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -149,6 +149,9 @@ outputs:
       metadata_settings:
         get_attr: [ApacheServiceBase, role_data, metadata_settings]
       upgrade_tasks:
+        - name: "PreUpgrade step0: Check service openstack-cinder-api is running"
+          shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b'
+          tags: step0,validation
         - name: check for cinder running under apache (post upgrade)
           tags: step2
           shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder"
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index cf35d202..2111021b 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -27,6 +27,14 @@ parameters:
     description: A list of IP/Hostname for the server Horizon is running on.
                  Used for header checks.
     type: comma_delimited_list
+  HorizonPasswordValidator:
+    description: Regex for password validation
+    type: string
+    default: ''
+  HorizonPasswordValidatorHelp:
+    description: Help text for password validation
+    type: string
+    default: ''
   HorizonSecret:
     description: Secret key for Django
     type: string
@@ -71,6 +79,8 @@ outputs:
             options: ['FollowSymLinks','MultiViews']
           horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]}
           horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]}
+          horizon::password_validator: {get_param: [HorizonPasswordValidator]}
+          horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]}
           horizon::secret_key:
             yaql:
               expression: $.data.passwords.where($ != '').first()
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index be9d143e..fd6ed818 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -43,3 +43,7 @@ outputs:
             proto: 'udp'
       step_config: |
         include ::tripleo::profile::base::snmp
+      upgrade_tasks:
+        - name: Stop snmp service
+          tags: step2
+          service: name=snmpd state=stopped
diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml
index a7ba7bad..2e3c818f 100644
--- a/puppet/services/swift-ringbuilder.yaml
+++ b/puppet/services/swift-ringbuilder.yaml
@@ -43,6 +43,16 @@ parameters:
     description: 'Use a local directory for Swift storage services when building rings'
     type: boolean
 
+conditions:
+  swift_use_local_dir:
+    and:
+    - equals:
+      - get_param: SwiftUseLocalDir
+      - true
+    - equals:
+      - get_param: SwiftRawDisks
+      - {}
+
 outputs:
   role_data:
     description: Role data for Swift Ringbuilder configuration.
@@ -59,7 +69,7 @@ outputs:
             expression: $.data.raw_disk_lists.flatten()
             data:
               raw_disk_lists:
-              - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]}
+              - {if: [swift_use_local_dir, [':%PORT%/d1'], []]}
               - repeat:
                   template: ':%PORT%/DEVICE'
                   for_each:
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 08df928d..247b23ff 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -56,6 +56,17 @@ resources:
       DefaultPasswords: {get_param: DefaultPasswords}
       EndpointMap: {get_param: EndpointMap}
 
+conditions:
+  swift_mount_check:
+    or:
+    - equals:
+      - get_param: SwiftMountCheck
+      - true
+    - not:
+        equals:
+        - get_param: SwiftRawDisks
+        - {}
+
 outputs:
   role_data:
     description: Role data for the Swift Proxy role.
@@ -65,7 +76,7 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [SwiftBase, role_data, config_settings]
-          - swift::storage::all::mount_check: {get_param: SwiftMountCheck}
+          - swift::storage::all::mount_check: {if: [swift_mount_check, true, false]}
             tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
             tripleo.swift_storage.firewall_rules:
               '123 swift storage':
diff --git a/puppet/upgrade_config.yaml b/puppet/upgrade_config.yaml
index e892d813..c37cc033 100644
--- a/puppet/upgrade_config.yaml
+++ b/puppet/upgrade_config.yaml
@@ -11,6 +11,11 @@ parameters:
     type: string
     description: Step number of the upgrade
 
+  SkipUpgradeConfigTags:
+    type: comma_delimited_list
+    description: Ansible tags to skip during upgrade, e.g validation skips pre-upgrade validations
+    default: []
+
 resources:
 
   AnsibleConfig:
@@ -30,6 +35,10 @@ resources:
     properties:
       group: ansible
       options:
+        skip_tags:
+          list_join:
+            - ","
+            - {get_param: SkipUpgradeConfigTags}
         tags:
           str_replace:
             template: "stepSTEP"
diff --git a/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml
new file mode 100644
index 00000000..069cbd23
--- /dev/null
+++ b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml
@@ -0,0 +1,95 @@
+---
+prelude: >
+    6.0.0 is the final release for Ocata.
+    It's the first release where release notes are added.
+features:
+  - Fujitsu Neutron plugin for FOS support.  Users can deploy
+    Neutron with this plugin by using
+    environments/neutron-ml2-fujitsu-fossw.yaml environment file.
+  - Expose InstanceDiscoveryMethod parameter to configure Ceilometer
+    method used to discover instances running on compute node.
+    Default value to 'libvirt_metadata'. Allowed values are 'naive',
+    'libvirt_metadata' and 'workload_partitioning'.
+  - Make ServiceNetMap support custom network names.
+    Note that operators will still be expected to pass any ServiceNetMap
+    overrides with the "new" network name, e.g whatever NetName specifies,
+    otherwise environment files could get very confusing.
+  - Nova Placement API support.  As this new service is required, deploy it
+    by default in WSGI with Apache, like other API services.
+  - Cinder pass-through iSER backend support.
+  - etcd composable services, used by networking-vpp ML2 driver as the
+    messaging mechanism.
+  - Allow to configure cron parameters for Cinder, Heat, Keystone and Nova
+    crontabs.
+  - Export NovaDefaultFloatingPool parameter to configure the default pool
+    of floating IP addressed available. Default to 'public' for backward
+    compatibility.
+  - Bump Heat Templates to 'ocata' version, to match Heat requirements.
+  - Configure OVS agent firewall driver only if NeutronOVSFirewallDriver
+    is set.
+  - Expose RbdDefaultFeatures parameter to configure the default features
+    enabled when creating a block device image.
+    Only applies to format '2' images. Set to '1' for Jewel clients using
+    older Ceph servers.
+  - Cinder HPELeftHandISCSIDriver backend support.
+  - Pacemaker stopped to manage Ceilometer, Cinder API,
+    Cinder Scheduler, MongoDB, Glance, Gnocchi, Heat, Apache, Memcached,
+    Neutron, Nova and Sahara.
+  - Ceph MDS service support. Service can be enable with
+    environments/services/ceph-mds.yaml environment file.
+  - Expose HeatConvergenceEngine and HeatMaxResourcesPerStack parameters
+    to configure Heat.
+  - Add pre-network hook and example showing config-then-reboot.
+  - Expose LibvirtEnabledPerfEvents parameter in Nova Compute service.
+    Default to an empty array.
+    This is a performance event list which could be used as monitor.
+  - Increase libvirt/qemu.conf max_files to 32768 and max_processes to
+    131072.
+  - Split OVN northd and ml2 plugin, so we can deploy OVNDBs and Northd
+    services on different nodes.
+  - Add hook to generate metadata from service profiles.
+    This is useful for nova vendordata plugins that can parse said metadata.
+  - Expose EventPipelinePublishers to Ceilometer and set the default to
+    'notifier://?topic=alarm.all'.
+  - Add Panko service support. This service is not enabled by default. Use
+    environments/services/enable-panko.yaml to include it in your deployment.
+  - Add EC2-API composable service support.
+upgrade:
+  - Update OpenDaylight deployment to use networking-odl v2 as a mechanism
+    driver.
+deprecations:
+  - Glance Registry service has been removed and Glance API v2 is now deploy
+    by default. Glance API v1 is not supported anymore in TripleO.
+  - Remove CeilometerStoreEvents parameter, which has been removed
+    in Ceilometer.
+  - Ceilometer API service is deprecated and will be removed in a future
+    release. If you would like to disable it, use
+    environments/services/disable-ceilometer-api.yaml environment file.
+  - Removes deprecated OpenDaylight L2 only deployments.
+    Deploying ODL without L3 DVR is no longer supported.
+security:
+  - Disallow iframe embed in Horizon configuration to prevent dashboard being
+    embedded within an iframe and exposed to Cross-Frame Scripting (XFS)
+    vulnerability on legacy browsers.
+  - Allow management of enforce_password_check in Horizons configuration to
+    display an 'Admin Password' field on the Change Password form to verify that
+    it is indeed the admin logged-in who wants to change the password.
+  - Allow management of disable_password_reveal in Horizon, to remove the
+    password reveal option.
+  - Enable secure_proxy_ssl_header option in Horizons configuration to take
+    X-Forwarded-Proto header into account when forming URLs.
+fixes:
+  - Fixes `bug 1645898
+    <https://bugs.launchpad.net/tripleo/+bug/1645898>`__ so epmd is binded on
+    the right address, where RabbitMQ is listening too.
+  - Fixes `bug 1652184
+    <https://bugs.launchpad.net/tripleo/+bug/1652184>`__ so swap partitions
+    can be handled from an environment file thanks to AllNodesExtraConfig.
+  - Add retry to RHEL registration, useful when having network outages during
+    registration.
+  - Fixes `bug 1651476
+    <https://bugs.launchpad.net/tripleo/+bug/1651476>`__ so firewall rules
+    are created for Opendaylight API service.
+  - Fixes `bug 1643487
+    <https://bugs.launchpad.net/tripleo/+bug/1643487>`__ to prevent source
+    address from binding to a VIP for database connection.