-rw-r--r-- | capabilities-map.yaml | 12 | ||||
-rw-r--r-- | environments/horizon_password_validation.yaml | 5 | ||||
-rw-r--r-- | puppet/major_upgrade_steps.j2.yaml | 80 | ||||
-rw-r--r-- | puppet/services/README.rst | 22 | ||||
-rw-r--r-- | puppet/services/ceph-mon.yaml | 21 | ||||
-rw-r--r-- | puppet/services/ceph-osd.yaml | 41 | ||||
-rw-r--r-- | puppet/services/cinder-api.yaml | 3 | ||||
-rw-r--r-- | puppet/services/horizon.yaml | 10 | ||||
-rw-r--r-- | puppet/services/ironic-api.yaml | 4 | ||||
-rw-r--r-- | puppet/services/ironic-conductor.yaml | 7 | ||||
-rw-r--r-- | puppet/services/services.yaml | 5 | ||||
-rw-r--r-- | puppet/services/snmp.yaml | 4 | ||||
-rw-r--r-- | puppet/services/swift-ringbuilder.yaml | 12 | ||||
-rw-r--r-- | puppet/services/swift-storage.yaml | 13 | ||||
-rw-r--r-- | puppet/upgrade_config.yaml | 9 | ||||
-rw-r--r-- | releasenotes/notes/6.0.0-b52a14a71fc62788.yaml | 95 | ||||
-rw-r--r-- | roles_data.yaml | 5 |
17 files changed, 341 insertions, 7 deletions
diff --git a/capabilities-map.yaml b/capabilities-map.yaml index cd846316..aae89307 100644 --- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -537,3 +537,15 @@ topics: description: requires: - overcloud-resource-registry-puppet.yaml + + - title: Security Options + description: Security Hardening Options + environment_groups: + - title: Horizon Password Validation + description: Enable Horizon Password validation + environments: + - file: environments/horizon_password_validation.yaml + title: Horizon Password Validation + description: + requires: + - overcloud-resource-registry-puppet.yaml diff --git a/environments/horizon_password_validation.yaml b/environments/horizon_password_validation.yaml new file mode 100644 index 00000000..1a0f92cc --- /dev/null +++ b/environments/horizon_password_validation.yaml @@ -0,0 +1,5 @@ +# Use this enviroment to pass in validation regex for horizons password +# validation checks +parameter_defaults: + HorizonPasswordValidator: '.*' + HorizonPasswordValidatorHelp: 'Your password does not meet the requirements.' diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 433b03a0..eae85991 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -1,3 +1,4 @@ +{% set upgrade_steps_max = 8 -%} heat_template_version: ocata description: 'Upgrade steps for all roles' 
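Review bot: The example environment sets `HorizonPasswordValidator: '.*'`, a pattern that matches every string including the empty one, so an operator who enables the "Security Hardening Options" entry that capabilities-map.yaml now advertises gets a help text promising requirements that nothing enforces. Ship a real policy in the sample, e.g. `HorizonPasswordValidator: '^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{12,}$'`, and say in the header comment that the value is a Python `re` pattern applied by Horizon's change-password form only, so it does not constrain passwords set through the Keystone API. The header comment also has two typos (`enviroment`, `horizons`).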
@@ -15,26 +16,94 @@ parameters: Setting to a previously unused value during stack-update will trigger the Upgrade resources to re-run on all roles. +conditions: + # Conditions to disable any steps where the task list is empty +{% for step in range(0, upgrade_steps_max) %} + {% for role in roles %} + UpgradeBatchConfig_Step{{step}}Enabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} + - [] + UpgradeConfig_Step{{step}}Enabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_tasks]} + - [] + {% endfor %} +{% endfor %} + resources: +# Upgrade Steps for all roles, batched updates +# FIXME(shardy): would be nice to make the number of steps configurable +{% for step in range(0, upgrade_steps_max) %} + {% for role in roles %} + # Step {{step}} resources + {{role.name}}UpgradeBatchConfig_Step{{step}}: + type: OS::TripleO::UpgradeConfig + condition: UpgradeBatchConfig_Step{{step}}Enabled + # The UpgradeConfig resources could actually be created without + # serialization, but the event output is easier to follow if we + # do, and there should be minimal performance hit (creating the + # config is cheap compared to the time to apply the deployment). 
+ {% if step > 0 %} + depends_on: + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{step -1}} + {% endfor %} + {% endif %} + properties: + UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} + step: {{step}} + + {{role.name}}UpgradeBatch_Step{{step}}: + type: OS::Heat::StructuredDeploymentGroup + condition: UpgradeBatchConfig_Step{{step}}Enabled + {% if step > 0 %} + depends_on: + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{step -1}} + {% endfor %} + {% endif %} + update_policy: + batch_create: + max_batch_size: {{role.upgrade_batch_size|default(1)}} + rolling_update: + max_batch_size: {{role.upgrade_batch_size|default(1)}} + properties: + name: {{role.name}}UpgradeBatch_Step{{step}} + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}UpgradeBatchConfig_Step{{step}}} + input_values: + role: {{role.name}} + update_identifier: {get_param: UpdateIdentifier} + {% endfor %} +{% endfor %} + # Upgrade Steps for all roles # FIXME(shardy): would be nice to make the number of steps configurable -{% for step in range(0, 8) %} +{% for step in range(0, upgrade_steps_max) %} {% for role in roles %} # Step {{step}} resources {{role.name}}UpgradeConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig + condition: UpgradeConfig_Step{{step}}Enabled # The UpgradeConfig resources could actually be created without # serialization, but the event output is easier to follow if we # do, and there should be minimal performance hit (creating the # config is cheap compared to the time to apply the deployment). - {% if step > 0 %} depends_on: + {% if step > 0 %} {% for dep in roles %} {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} {% endif %} {% endfor %} + {% else %} + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{upgrade_steps_max -1}} + {% endfor %} {% endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} 
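Review bot: The keys generated under `conditions:` do not contain the role name, so the inner `{% for role in roles %}` emits the same YAML key `UpgradeBatchConfig_Step{{step}}Enabled` (and `UpgradeConfig_Step{{step}}Enabled`) once per role; with duplicate keys only the last role's task list survives, and every role's `{{role.name}}UpgradeBatchConfig_Step{{step}}` / `{{role.name}}UpgradeConfig_Step{{step}}` resource is then enabled or skipped according to that one role rather than its own `upgrade_batch_tasks` / `upgrade_tasks`. A role with a non-empty task list is silently skipped during the upgrade whenever the last role in roles_data.yaml has none, and the reverse creates a deployment with an empty config. Key the conditions by role, `{{role.name}}UpgradeBatchConfig_Step{{step}}Enabled:` and `{{role.name}}UpgradeConfig_Step{{step}}Enabled:`, and update the four `condition:` references in this hunk (and the one in the next) to match. The resources loop started here continues into the following hunk.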
@@ -42,13 +111,18 @@ resources: {% if not role.disable_upgrade_deployment|default(false) %} {{role.name}}Upgrade_Step{{step}}: type: OS::Heat::StructuredDeploymentGroup - {% if step > 0 %} + condition: UpgradeConfig_Step{{step}}Enabled depends_on: + {% if step > 0 %} {% for dep in roles %} {% if not dep.disable_upgrade_deployment|default(false) %} - {{dep.name}}Upgrade_Step{{step -1}} {% endif %} {% endfor %} + {% else %} + {% for dep in roles %} + - {{dep.name}}UpgradeBatch_Step{{upgrade_steps_max -1}} + {% endfor %} {% endif %} properties: name: {{role.name}}Upgrade_Step{{step}} diff --git a/puppet/services/README.rst b/puppet/services/README.rst index 6e4e9c1d..34cb350b 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst 
@@ -49,6 +49,28 @@ are re-asserted when applying latter ones. 5) Service activation (Pacemaker) +Batch Upgrade Steps +------------------- + +Each service template may optionally define a `upgrade_batch_tasks` key, which +is a list of ansible tasks to be performed during the upgrade process. + +Similar to the step_config, we allow a series of steps for the per-service +upgrade sequence, defined as ansible tasks with a tag e.g "step1" for the first +step, "step2" for the second, etc. Note that each step is performed in batches, +then we move on to the next step which is also performed in batches (we don't +perform all steps on one node, then move on to the next one which means you +can sequence rolling upgrades of dependent services via the step value). + +The tasks performed at each step is service specific, but note that all batch +upgrade steps are performed before the `upgrade_tasks` described below. This +means that all services that support rolling upgrades can be upgraded without +downtime during `upgrade_batch_tasks`, then any remaining services are stopped +and upgraded during `upgrade_tasks` + +The default batch size is 1, but this can be overridden for each role via the +`upgrade_batch_size` option in roles_data.yaml + Upgrade Steps ------------- diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 68ad69b7..0c61305d 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml 
@@ -113,3 +113,24 @@ outputs: get_attr: [CephBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceph::mon + upgrade_batch_tasks: + # Note we perform these tasks in list order, but they are all step0 so + # we can perform a rolling upgrade of all mon nodes in step0, then a + # rolling upgrade of all osd nodes in step1 + # FIXME(shardy) I suspect we can use heat or ansible facts here instead? + - name: Get hostname + tags: step0 + shell: hostname -s + register: mon_id + - name: Stop Ceph Mon + tags: step0 + service: name=ceph-mon@{{mon_id.stdout}} pattern=ceph-mon state=stopped + - name: Update ceph packages + tags: step0 + yum: name=ceph-mon,ceph state=latest + - name: Start ceph-mon service + tags: step0 + service: name=ceph-mon@{{mon_id.stdout}} state=started + - name: ceph osd crush tunables default + tags: step0 + shell: ceph osd crush tunables default diff --git a/puppet/services/ceph-osd.yaml b/puppet/services/ceph-osd.yaml index df0ee6c3..e9ed6c29 100644 --- a/puppet/services/ceph-osd.yaml +++ b/puppet/services/ceph-osd.yaml 
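Review bot: `yum: name=ceph-mon,ceph state=latest` installs whatever is newest in every enabled repository at the moment the batch runs, with no version pin, so two mon nodes upgraded minutes apart can end up on different builds and the upgrade is not reproducible; either parameterise the target version or document that the repositories must be frozen before the upgrade is started. `ceph osd crush tunables default` is also part of the per-node step0 list, so it runs after the first mon in the first batch while the remaining mons are still on the old release; it presumably belongs once, after the last mon batch, rather than on every node. The `Get hostname` task needs no shell, `command: hostname -s` is sufficient.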
@@ -45,3 +45,44 @@ outputs: - '6800-7300' step_config: | include ::tripleo::profile::base::ceph::osd + upgrade_batch_tasks: + - name: Get OSD IDs + tags: step1 + shell: ls /var/lib/ceph/osd | awk 'BEGIN { FS = "-" } ; { print $2 }' + register: osd_ids + # "so that mirrors aren't rebalanced as if the OSD died" - gfidente / leseb + - name: ceph osd set noout + tags: step1 + command: ceph osd set noout + - name: ceph osd set norebalance + tags: step1 + command: ceph osd set norebalance + - name: ceph osd set nodeep-scrub + tags: step1 + command: ceph osd set nodeep-scrub + - name: ceph osd set noscrub + tags: step1 + command: ceph osd set noscrub + - name: Stop Ceph OSD + tags: step1 + service: name=ceph-osd@$item state=stopped + with_items: "{{osd_ids.stdout.strip().split()}}" + - name: Update ceph OSD packages + tags: step1 + yum: name=ceph-osd state=latest + - name: Start ceph-osd service + tags: step1 + service: name=ceph-osd@$item state=started + with_items: "{{osd_ids.stdout.strip().split()}}" + - name: ceph osd unset noout + tags: step1 + command: ceph osd unset noout + - name: ceph osd unset norebalance + tags: step1 + command: ceph osd unset norebalance + - name: ceph osd unset nodeep-scrub + tags: step1 + command: ceph osd unset nodeep-scrub + - name: ceph osd unset noscrub + tags: step1 + command: ceph osd unset noscrub diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index a5c912ed..e3c96325 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -149,6 +149,9 @@ outputs: metadata_settings: get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: + - name: "PreUpgrade step0: Check service openstack-cinder-api is running" + shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: check for cinder running under apache (post upgrade) tags: step2 shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder" 
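Review bot: `service: name=ceph-osd@$item state=stopped` and the matching `state=started` task use `$item`, which is not Jinja and is not expanded by `with_items`, so Ansible tries to manage a literal unit called `ceph-osd@$item` and no OSD is actually stopped before the package update or restarted after it. Use `service: name=ceph-osd@{{item}} state=stopped` and `service: name=ceph-osd@{{item}} state=started`. Note also that the noout/norebalance/noscrub flags are set and cleared inside each batch, so they are briefly unset between batches while other OSD nodes still wait for their turn; and `yum: name=ceph-osd state=latest` has the same unpinned-version issue as the mon task.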
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index cf35d202..2111021b 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -27,6 +27,14 @@ parameters: description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list + HorizonPasswordValidator: + description: Regex for password validation + type: string + default: '' + HorizonPasswordValidatorHelp: + description: Help text for password validation + type: string + default: '' HorizonSecret: description: Secret key for Django type: string @@ -71,6 +79,8 @@ outputs: options: ['FollowSymLinks','MultiViews'] horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::password_validator: {get_param: [HorizonPasswordValidator]} + horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index aebb37b2..ff91eb63 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -81,3 +81,7 @@ outputs: ironic::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop ironic_api service + tags: step2 + service: name=openstack-ironic-api state=stopped diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 194afec7..a10c03a5 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml @@ -98,3 +98,10 @@ outputs: step_config: | include ::tripleo::profile::base::ironic::conductor + upgrade_tasks: + - name: Stop ironic_conductor service + tags: step2 + service: name=openstack-ironic-conductor state=stopped + - name: Sync ironic_conductor DB + tags: step5 + command: ironic-dbsync 
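Review bot: The description of `HorizonPasswordValidator` (`Regex for password validation`) does not say what dialect the regex is or where it is enforced, which matters for a security option; suggest `description: Python regex a new password must match in Horizon's change-password form. Enforced by Horizon only, not by Keystone, so passwords set through the API are not checked.` The default of `''` is passed straight to `horizon::password_validator`; whether puppet-horizon treats an empty string as "validator unset" or renders an empty pattern that matches everything is not visible here and is worth confirming, since the latter would make the option look enabled while enforcing nothing.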
diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index 90268c78..80da5352 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -118,4 +118,9 @@ outputs: # Note we use distinct() here to filter any identical tasks, e.g yum update for all services expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() data: {get_attr: [ServiceChain, role_data]} + upgrade_batch_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index be9d143e..fd6ed818 100644 --- a/puppet/services/snmp.yaml +++ b/puppet/services/snmp.yaml @@ -43,3 +43,7 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::snmp + upgrade_tasks: + - name: Stop snmp service + tags: step2 + service: name=snmpd state=stopped diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index a7ba7bad..2e3c818f 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -43,6 +43,16 @@ parameters: description: 'Use a local directory for Swift storage services when building rings' type: boolean +conditions: + swift_use_local_dir: + and: + - equals: + - get_param: SwiftUseLocalDir + - true + - equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for Swift Ringbuilder configuration. @@ -59,7 +69,7 @@ outputs: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} + - {if: [swift_use_local_dir, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: 
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 08df928d..247b23ff 100644 --- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -56,6 +56,17 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} +conditions: + swift_mount_check: + or: + - equals: + - get_param: SwiftMountCheck + - true + - not: + equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for the Swift Proxy role. @@ -65,7 +76,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - - swift::storage::all::mount_check: {get_param: SwiftMountCheck} + - swift::storage::all::mount_check: {if: [swift_mount_check, true, false]} tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} tripleo.swift_storage.firewall_rules: '123 swift storage': diff --git a/puppet/upgrade_config.yaml b/puppet/upgrade_config.yaml index e892d813..c37cc033 100644 --- a/puppet/upgrade_config.yaml +++ b/puppet/upgrade_config.yaml @@ -11,6 +11,11 @@ parameters: type: string description: Step number of the upgrade + SkipUpgradeConfigTags: + type: comma_delimited_list + description: Ansible tags to skip during upgrade, e.g validation skips pre-upgrade validations + default: [] + resources: AnsibleConfig: @@ -30,6 +35,10 @@ resources: properties: group: ansible options: + skip_tags: + list_join: + - "," + - {get_param: SkipUpgradeConfigTags} tags: str_replace: template: "stepSTEP" diff --git a/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml new file mode 100644 index 00000000..069cbd23 --- /dev/null +++ b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml 
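Review bot: `SkipUpgradeConfigTags` is joined into `skip_tags` unfiltered, so an operator can skip not only `validation` but any tag, including `step0`..`step7`, which silently drops whole groups of upgrade tasks such as the service stops and DB syncs added elsewhere in this change; the description should say so, e.g. `description: Ansible tags to skip during upgrade, e.g. validation skips the pre-upgrade checks. Any tag may be listed, including stepN, which skips those upgrade tasks entirely.` With the default `[]` the `list_join` yields an empty string for `skip_tags`; whether the ansible hook tolerates `--skip-tags ""` is not shown here and should be verified.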
@@ -0,0 +1,95 @@ +--- +prelude: > + 6.0.0 is the final release for Ocata. + It's the first release where release notes are added. +features: + - Fujitsu Neutron plugin for FOS support. Users can deploy + Neutron with this plugin by using + environments/neutron-ml2-fujitsu-fossw.yaml environment file. + - Expose InstanceDiscoveryMethod parameter to configure Ceilometer + method used to discover instances running on compute node. + Default value to 'libvirt_metadata'. Allowed values are 'naive', + 'libvirt_metadata' and 'workload_partitioning'. + - Make ServiceNetMap support custom network names. + Note that operators will still be expected to pass any ServiceNetMap + overrides with the "new" network name, e.g whatever NetName specifies, + otherwise environment files could get very confusing. + - Nova Placement API support. As this new service is required, deploy it + by default in WSGI with Apache, like other API services. + - Cinder pass-through iSER backend support. + - etcd composable services, used by networking-vpp ML2 driver as the + messaging mechanism. + - Allow to configure cron parameters for Cinder, Heat, Keystone and Nova + crontabs. + - Export NovaDefaultFloatingPool parameter to configure the default pool + of floating IP addressed available. Default to 'public' for backward + compatibility. + - Bump Heat Templates to 'ocata' version, to match Heat requirements. + - Configure OVS agent firewall driver only if NeutronOVSFirewallDriver + is set. + - Expose RbdDefaultFeatures parameter to configure the default features + enabled when creating a block device image. + Only applies to format '2' images. Set to '1' for Jewel clients using + older Ceph servers. + - Cinder HPELeftHandISCSIDriver backend support. + - Pacemaker stopped to manage Ceilometer, Cinder API, + Cinder Scheduler, MongoDB, Glance, Gnocchi, Heat, Apache, Memcached, + Neutron, Nova and Sahara. + - Ceph MDS service support. 
Service can be enable with + environments/services/ceph-mds.yaml environment file. + - Expose HeatConvergenceEngine and HeatMaxResourcesPerStack parameters + to configure Heat. + - Add pre-network hook and example showing config-then-reboot. + - Expose LibvirtEnabledPerfEvents parameter in Nova Compute service. + Default to an empty array. + This is a performance event list which could be used as monitor. + - Increase libvirt/qemu.conf max_files to 32768 and max_processes to + 131072. + - Split OVN northd and ml2 plugin, so we can deploy OVNDBs and Northd + services on different nodes. + - Add hook to generate metadata from service profiles. + This is useful for nova vendordata plugins that can parse said metadata. + - Expose EventPipelinePublishers to Ceilometer and set the default to + 'notifier://?topic=alarm.all'. + - Add Panko service support. This service is not enabled by default. Use + environments/services/enable-panko.yaml to include it in your deployment. + - Add EC2-API composable service support. +upgrade: + - Update OpenDaylight deployment to use networking-odl v2 as a mechanism + driver. +deprecations: + - Glance Registry service has been removed and Glance API v2 is now deploy + by default. Glance API v1 is not supported anymore in TripleO. + - Remove CeilometerStoreEvents parameter, which has been removed + in Ceilometer. + - Ceilometer API service is deprecated and will be removed in a future + release. If you would like to disable it, use + environments/services/disable-ceilometer-api.yaml environment file. + - Removes deprecated OpenDaylight L2 only deployments. + Deploying ODL without L3 DVR is no longer supported. +security: + - Disallow iframe embed in Horizon configuration to prevent dashboard being + embedded within an iframe and exposed to Cross-Frame Scripting (XFS) + vulnerability on legacy browsers. 
+ - Allow management of enforce_password_check in Horizons configuration to + display an 'Admin Password' field on the Change Password form to verify that + it is indeed the admin logged-in who wants to change the password. + - Allow management of disable_password_reveal in Horizon, to remove the + password reveal option. + - Enable secure_proxy_ssl_header option in Horizons configuration to take + X-Forwarded-Proto header into account when forming URLs. +fixes: + - Fixes `bug 1645898 + <https://bugs.launchpad.net/tripleo/+bug/1645898>`__ so epmd is binded on + the right address, where RabbitMQ is listening too. + - Fixes `bug 1652184 + <https://bugs.launchpad.net/tripleo/+bug/1652184>`__ so swap partitions + can be handled from an environment file thanks to AllNodesExtraConfig. + - Add retry to RHEL registration, useful when having network outages during + registration. + - Fixes `bug 1651476 + <https://bugs.launchpad.net/tripleo/+bug/1651476>`__ so firewall rules + are created for Opendaylight API service. + - Fixes `bug 1643487 + <https://bugs.launchpad.net/tripleo/+bug/1643487>`__ to prevent source + address from binding to a VIP for database connection. diff --git a/roles_data.yaml b/roles_data.yaml index 90250aa8..530e4376 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -17,8 +17,9 @@ # disable_constraints: (boolean) optional, whether to disable Nova and Glance # constraints for each role specified in the templates. # -# disable_upgrade_deployment: (boolean) optional, whether to run the composable upgrade -# steps for all services that are deployed on the particular role. +# upgrade_batch_size: (number): batch size for upgrades where tasks are +# specified by services to run in batches vs all nodes at once. +# This defaults to 1, but larger batches may be specified here. # # ServicesDefault: (list) optional default list of services to be deployed # on the role, defaults to an empty list. Sets the default for the |
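Review bot: The roles_data.yaml hunk replaces the comment for `disable_upgrade_deployment` with the new `upgrade_batch_size` entry, but `role.disable_upgrade_deployment` is still read by puppet/major_upgrade_steps.j2.yaml in this same change, so the option stays live while becoming undocumented. Keep the two removed lines, `# disable_upgrade_deployment: (boolean) optional, whether to run the composable upgrade` / `# steps for all services that are deployed on the particular role.`, and add the `upgrade_batch_size` comment after them instead of in their place.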