diff options
Diffstat (limited to 'releasenotes/notes')
73 files changed, 491 insertions, 5 deletions
diff --git a/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml new file mode 100644 index 00000000..8847b22b --- /dev/null +++ b/releasenotes/notes/Add-Internal-TLS-CA-File-parameter-c24ee13daaa11dfc.yaml @@ -0,0 +1,6 @@ +--- +features: + - Adds the InternalTLSCAFile parameter, which defines which CA file should be + used by the internal services to verify that the peer's certificate is + trusted. This is applicable if internal TLS is enabled. Currently, it + defaults to using the CA file for FreeIPA, which is the default CA. diff --git a/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml new file mode 100644 index 00000000..e8941b7c --- /dev/null +++ b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + If TLS in the internal network is enabled, libvirt's transport defaults to + using TLS. This can be changed by setting the ``UseTLSTransportForLiveMigration`` + parameter, which is ``true`` by default. diff --git a/releasenotes/notes/Switch-keystone's-default-token-provider-to-fernet-2542fccb5a588852.yaml b/releasenotes/notes/Switch-keystone's-default-token-provider-to-fernet-2542fccb5a588852.yaml new file mode 100644 index 00000000..50b8167e --- /dev/null +++ b/releasenotes/notes/Switch-keystone's-default-token-provider-to-fernet-2542fccb5a588852.yaml @@ -0,0 +1,6 @@ +--- +features: + - Keystone's default token provider is now fernet instead of UUID +upgrade: + - When upgrading, old tokens will not work anymore due to the provider + changing from UUID to fernet. diff --git a/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml b/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml new file mode 100644 index 00000000..b0ad9d93 --- /dev/null +++ b/releasenotes/notes/add-all-hosts-to-hostsentry-20a8ee8a1a210ce2.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - Previously only the VIPs and their associated hostnames were present + in the HostsEntry output, due to the hosts_entries output on the + hosts-config.yaml nested stack being empty. It was referencing an + invalid attribute. See + https://bugs.launchpad.net/tripleo/+bug/1683517 + + diff --git a/releasenotes/notes/add-bgpvpn-support-f60c5a9cee0bb393.yaml b/releasenotes/notes/add-bgpvpn-support-f60c5a9cee0bb393.yaml new file mode 100644 index 00000000..2af6aa72 --- /dev/null +++ b/releasenotes/notes/add-bgpvpn-support-f60c5a9cee0bb393.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for BGPVPN Neutron service plugin diff --git a/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml new file mode 100644 index 00000000..d1f73407 --- /dev/null +++ b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support to configure Ceilometer Agent Ipmi profiles. diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml new file mode 100644 index 00000000..8b57f587 --- /dev/null +++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Add IPv6 disable option and make it configurable for user to disable IPv6 + when it's not used, this will descrease the risk of ipv6 attack. + Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6 + will be explicitly set to the default value (0) which is enabled. diff --git a/releasenotes/notes/add-l2gw-agent-1a2f14a6ceefe362.yaml b/releasenotes/notes/add-l2gw-agent-1a2f14a6ceefe362.yaml new file mode 100644 index 00000000..7f88e269 --- /dev/null +++ b/releasenotes/notes/add-l2gw-agent-1a2f14a6ceefe362.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for L2 Gateway Neutron agent diff --git a/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml new file mode 100644 index 00000000..81835323 --- /dev/null +++ b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for L2 Gateway Neutron service plugin diff --git a/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml new file mode 100644 index 00000000..19452f27 --- /dev/null +++ b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add capabilities to configure LDAP backends as for keystone domains. + This can be done by using the KeystoneLDAPDomainEnable and + KeystoneLDAPBackendConfigs parameters. diff --git a/releasenotes/notes/add-opendaylight-ha-e46ef46e29689dde.yaml b/releasenotes/notes/add-opendaylight-ha-e46ef46e29689dde.yaml new file mode 100644 index 00000000..882ee4e5 --- /dev/null +++ b/releasenotes/notes/add-opendaylight-ha-e46ef46e29689dde.yaml @@ -0,0 +1,5 @@ +--- +features: + - Adds support for OpenDaylight HA clustering. Now when specifying + three or more ODL roles, ODL will be deployed in a cluster, and + use port 2550 for cluster communication. diff --git a/releasenotes/notes/add-parameters-for-heat-apis-over-httpd-df83ab04d9f9ebb2.yaml b/releasenotes/notes/add-parameters-for-heat-apis-over-httpd-df83ab04d9f9ebb2.yaml new file mode 100644 index 00000000..b3a62ced --- /dev/null +++ b/releasenotes/notes/add-parameters-for-heat-apis-over-httpd-df83ab04d9f9ebb2.yaml @@ -0,0 +1,6 @@ +--- +features: + - The relevant parameters have been added to deploy the heat APIs over httpd. + This means that the HeatWorkers now affect httpd instead of the heat API + themselves, and that the apache hieradata will also be deployed in the + nodes where the heat APIs run. diff --git a/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml b/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml new file mode 100644 index 00000000..163536dd --- /dev/null +++ b/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml @@ -0,0 +1,8 @@ +--- +features: + - Introduce the ability to deploy the qpid-dispatch-router (Qdr) for + the oslo.messaging AMQP 1.0 driver backend. The Qdr provides + direct messaging (e.g. brokerless) communications for + oslo.messaging services. To facilitate simple use for evaluation + in an overcloud deployment, the Qdr aliases the RabbitMQ service + to provide the messaging backend. diff --git a/releasenotes/notes/add-support-for-pure-cinder-1a595f1940d5a06f.yaml b/releasenotes/notes/add-support-for-pure-cinder-1a595f1940d5a06f.yaml new file mode 100644 index 00000000..da326e4d --- /dev/null +++ b/releasenotes/notes/add-support-for-pure-cinder-1a595f1940d5a06f.yaml @@ -0,0 +1,3 @@ +--- +features: + - Added Pure Storage FlashArray iSCSI and FC backend support for cinder diff --git a/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml new file mode 100644 index 00000000..ecf35933 --- /dev/null +++ b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml @@ -0,0 +1,3 @@ +--- +features: + - Adds DatabaseSyncTimeout parameter to Nova and Neutron templates. diff --git a/releasenotes/notes/api-policy-4ca739519537f6f4.yaml b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml new file mode 100644 index 00000000..54beb305 --- /dev/null +++ b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + TripleO is now able to configure role-based access API policies with new + parameters for each API service. + For example, Nova API service has now NovaApiPolicies and the value + could be { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + It will configure /etc/nova/policy.json file and configure context_is_admin + to true. Puppet will take care of this configuration and API services are + restarted when the file is touched. + We're also adding augeas resource to the list of Puppet providers that + container deployments grab in the catalog to generate configurations, so + this feature can be used when deploying TripleO in containers. diff --git a/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml b/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml new file mode 100644 index 00000000..49ede200 --- /dev/null +++ b/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Updated bigswitch environment file to include the bigswitch agent + installation and correct support for the restproxy configuration. diff --git a/releasenotes/notes/change-rabbitmq-ha-mode-policy-default-6c6cd7f02181f0e0.yaml b/releasenotes/notes/change-rabbitmq-ha-mode-policy-default-6c6cd7f02181f0e0.yaml new file mode 100644 index 00000000..d6f74eff --- /dev/null +++ b/releasenotes/notes/change-rabbitmq-ha-mode-policy-default-6c6cd7f02181f0e0.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + We are not changing the rabbitmq ha-mode policy during upgrades any longer. + The policy chosen at deploy time will remain the same but can be changed + manually. +fixes: + - | + Due to https://bugs.launchpad.net/tripleo/+bug/1686337 we switch the + default of rabbitmq back ha-mode "all". This is to make the installation + more robust in the face of network issues. diff --git a/releasenotes/notes/configurable-snmpd-options-3954c5858e2c7656.yaml b/releasenotes/notes/configurable-snmpd-options-3954c5858e2c7656.yaml new file mode 100644 index 00000000..d69bf4f6 --- /dev/null +++ b/releasenotes/notes/configurable-snmpd-options-3954c5858e2c7656.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Per default, don't log a message in syslog for each incoming SNMP query. + So set the default log level to '-LS0-5d'. Allow the operator to customize + the log level via a parameter. diff --git a/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml new file mode 100644 index 00000000..298a8ece --- /dev/null +++ b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The initial firewall will now be purged by the deployed-server bootstrap + scripts. This is needed to prevent possible issues with bootstrapping the + initial Pacemaker cluster. See + https://bugs.launchpad.net/tripleo/+bug/1679234 diff --git a/releasenotes/notes/deprecate-NeutronExternalNetworkBridge-7d42f1a0718da327.yaml b/releasenotes/notes/deprecate-NeutronExternalNetworkBridge-7d42f1a0718da327.yaml new file mode 100644 index 00000000..09067296 --- /dev/null +++ b/releasenotes/notes/deprecate-NeutronExternalNetworkBridge-7d42f1a0718da327.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - The ``NeutronExternalNetworkBridge`` parameter changed its default value + from ``br-ex`` to an empty string value. It means that by default Neutron + L3 agent will be able to serve multiple external networks. (It was always + the case for those who were using templates with the value of the parameter + overridden by an empty string value.) +deprecations: + - The ``NeutronExternalNetworkBridge`` parameter is deprecated and will be + removed in a next release. diff --git a/releasenotes/notes/deprecate-ceilometer-expirer-83b193a07631d89d.yaml b/releasenotes/notes/deprecate-ceilometer-expirer-83b193a07631d89d.yaml new file mode 100644 index 00000000..9088f963 --- /dev/null +++ b/releasenotes/notes/deprecate-ceilometer-expirer-83b193a07631d89d.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - With expirer deprecated and disabled by default, there is an upgrade + impact here. If you had expirer enabled in ocata and you upgrade to + pike the expirer will not be enabled anymore. If you wish to use + expirer, ensure you include the ceilometer-expirer.yaml + to your upgrade deploy command. Also note that with collector + disabled, there is no need for expirer to be running. +deprecations: + - Deprecate and turn off expirer service as collector. Without collector + and standard storage, expirer has no use. diff --git a/releasenotes/notes/deprecate-collector-a16e5d58ae00806d.yaml b/releasenotes/notes/deprecate-collector-a16e5d58ae00806d.yaml new file mode 100644 index 00000000..b9546a90 --- /dev/null +++ b/releasenotes/notes/deprecate-collector-a16e5d58ae00806d.yaml @@ -0,0 +1,14 @@ +--- +upgrade: + - With collector deprecated and disabled by default, there is an upgrade + impact here. If you had collector enabled in ocata and you upgrade to + pike the collector will not be enabled anymore. If you wish to use + collector, ensure you include the ceilometer-collector.yaml + to your upgrade deploy command. We recommend switching to using the + new pipeline approach with publisher instead. +deprecations: + - Deprecate and disable ceilometer collector service by default. Instead + use the publisher directly in the pipeline to push data where appropriate. + This can be manually enabled by passing the environment file to deploy + command which is included in environment dir as ceilometer-collector.yaml. + By default, the pipeline publisher pushes data automatically to gnocchi. diff --git a/releasenotes/notes/deprecate-panko-b2bdce647d2b9a6d.yaml b/releasenotes/notes/deprecate-panko-b2bdce647d2b9a6d.yaml new file mode 100644 index 00000000..96f2c554 --- /dev/null +++ b/releasenotes/notes/deprecate-panko-b2bdce647d2b9a6d.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - Panko API service is deprecated in Pike release. Note that this service + will remain enabled by default as there is no replacement yet. This will + be disabled in future releases. diff --git a/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml new file mode 100644 index 00000000..2661f7c9 --- /dev/null +++ b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml @@ -0,0 +1,4 @@ +--- +deprecations: + - Deprecate and disable ceilometer Api by default. This can be enabled + by passing in an env file to deploy command. diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml new file mode 100644 index 00000000..3168a549 --- /dev/null +++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent + exposing sensitive data through core dumps of processes with elevated + permissions. Deployments that set or depend on non-zero values for + fs.suid_dumpable may be affected by upgrading. +security: + - | + Explicitly disable core dump for setuid programs by setting + fs.suid_dumpable = 0, this will descrease the risk of unauthorized access + of core dump file generated by setuid program. diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml new file mode 100644 index 00000000..0f226a84 --- /dev/null +++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml @@ -0,0 +1,19 @@ +--- +upgrade: + - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects + are now set to 0 to prevent a compromised host from sending invalid ICMP + redirects to other router devices. + - The net.ipv4.conf.default.accept_redirects, + net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects + are now set to 0 to prevent forged ICMP packet from altering host's routing + tables. + - The net.ipv4.conf.default.secure_redirects & + net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance + of secure ICMP redirected packets. +security: + - Invalide ICMP redirects may corrupt routing and have users access a system + set up by the attacker as opposed to a valid system. + - Routing tables may be altered by bogus ICMP redirect messages and send + packets to incorrect networks. + - Secure ICMP redirects are the same as ICMP redirects, except they come from + gateways listed on the default gateway list. diff --git a/releasenotes/notes/disable-manila-cephfs-snapshots-by-default-d5320a05d9b501cf.yaml b/releasenotes/notes/disable-manila-cephfs-snapshots-by-default-d5320a05d9b501cf.yaml new file mode 100644 index 00000000..98d70b63 --- /dev/null +++ b/releasenotes/notes/disable-manila-cephfs-snapshots-by-default-d5320a05d9b501cf.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Disabled cephfs snapshot support (ManilaCephFSNativeCephFSEnableSnapshots + parameter) in manila by default. diff --git a/releasenotes/notes/disable_default_apache_vhost-f41d11fe07605f7f.yaml b/releasenotes/notes/disable_default_apache_vhost-f41d11fe07605f7f.yaml new file mode 100644 index 00000000..279e25cc --- /dev/null +++ b/releasenotes/notes/disable_default_apache_vhost-f41d11fe07605f7f.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - | + Disable default vhost for apache. It is required for a hybrid deployments + when WSGI based services running both at host and in containers, without + conflicting default ports. diff --git a/releasenotes/notes/docker-service-all-roles-5c22a018caeafcf0.yaml b/releasenotes/notes/docker-service-all-roles-5c22a018caeafcf0.yaml new file mode 100644 index 00000000..734db08a --- /dev/null +++ b/releasenotes/notes/docker-service-all-roles-5c22a018caeafcf0.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + When deploying with environments/docker.yaml, the docker service + is now deployed on all predefined roles. diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml new file mode 100644 index 00000000..bb2543f2 --- /dev/null +++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are + now set to 1 to enable logging of suspicious packets. +security: + - | + Logging of suspicious packets allows an administrator to investigate the + spoofed packets sent to their system. diff --git a/releasenotes/notes/enable-support-for-external-swift-proxy-941917f8bcc63a5d.yaml b/releasenotes/notes/enable-support-for-external-swift-proxy-941917f8bcc63a5d.yaml new file mode 100644 index 00000000..83b05bbb --- /dev/null +++ b/releasenotes/notes/enable-support-for-external-swift-proxy-941917f8bcc63a5d.yaml @@ -0,0 +1,5 @@ +--- +features: + - Added support for external swift proxy. Users may need to + configure endpoints pointing to swift proxy service + already available. diff --git a/releasenotes/notes/etcdtoken-4c46bdfac940acda.yaml b/releasenotes/notes/etcdtoken-4c46bdfac940acda.yaml new file mode 100644 index 00000000..da995949 --- /dev/null +++ b/releasenotes/notes/etcdtoken-4c46bdfac940acda.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + Secure EtcdInitialClusterToken by removing the default value + and make the parameter hidden. + Fixes `bug 1673266 <https://bugs.launchpad.net/tripleo/+bug/1673266>`__. diff --git a/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml b/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml new file mode 100644 index 00000000..1fc4f105 --- /dev/null +++ b/releasenotes/notes/expose-metric-processing-delay-0c098d7ec0af0728.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Expose metric_processing_delay to tweak gnocchi performance. diff --git a/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml new file mode 100644 index 00000000..682171c1 --- /dev/null +++ b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - Fixes an issue when using the CinderNfsServers + parameter_defaults setting. It now works using a + single share as well as a comma-separated list of + shares. diff --git a/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml new file mode 100644 index 00000000..bb18aed8 --- /dev/null +++ b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - Fixes firewall rules from neutron OVS agent not being + inherited correctly and applied in neutron OVS DPDK + template. diff --git a/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml new file mode 100644 index 00000000..79cea05e --- /dev/null +++ b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Fixes OpenDaylightProviderMappings parsing on a + comma delimited list. diff --git a/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml new file mode 100644 index 00000000..ef8877ae --- /dev/null +++ b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml @@ -0,0 +1,10 @@ +--- +fixes: + - The deployed-server Heat agent configuration script, + get-occ-config.sh, is now updated to configure the + local data source for os-collect-config instead of + configuring /etc/os-collect-config.conf directly. Doing + so means that the configuration template for os-apply-config + no longer has to be deleted as the file will be rendered + correctly with the right data. See + https://bugs.launchpad.net/tripleo/+bug/1679705 diff --git a/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml b/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml new file mode 100644 index 00000000..072e85aa --- /dev/null +++ b/releasenotes/notes/glance-keystonev3-d35182ba9a3778eb.yaml @@ -0,0 +1,4 @@ +--- +features: + - Deploy Glance with Keystone v3 endpoints and make + sure it doesn't rely on Keystone v2 anymore. diff --git a/releasenotes/notes/gnocchi-keystonev3-d288ba40226545c9.yaml b/releasenotes/notes/gnocchi-keystonev3-d288ba40226545c9.yaml new file mode 100644 index 00000000..2f2513c9 --- /dev/null +++ b/releasenotes/notes/gnocchi-keystonev3-d288ba40226545c9.yaml @@ -0,0 +1,4 @@ +--- +features: + - Deploy Gnocchi with Keystone v3 endpoints and make + sure it doesn't rely on Keystone v2 anymore. diff --git a/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml b/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml deleted file mode 100644 index edcc1250..00000000 --- a/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -deprecations: - - The environments/puppet-pacemaker.yaml file is now deprecated and the HA - deployment is now the default. In order to get the non-HA deployment use - environments/nonha-arch.yaml explicitly. diff --git a/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml new file mode 100644 index 00000000..d2b2eb94 --- /dev/null +++ b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - openstack-selinux is now installed by the deployed-server + bootstrap scripts. Previously, it was not installed, so + if SELinux was set to enforcing, all OpenStack policy + was missing. diff --git a/releasenotes/notes/ironic-boot-option-3f3036aa5e82ec7e.yaml b/releasenotes/notes/ironic-boot-option-3f3036aa5e82ec7e.yaml new file mode 100644 index 00000000..53191bd0 --- /dev/null +++ b/releasenotes/notes/ironic-boot-option-3f3036aa5e82ec7e.yaml @@ -0,0 +1,12 @@ +--- +features: + - | + New configuration ``IronicDefaultBootOption`` allows to change the default + boot option to use for bare metal instances in the overcloud. +upgrade: + - | + The default boot option for bare metal instances in overcloud was changed + to "local". This was already the default for whole-disk images, but for + partition images it requires ``grub2`` to be installed on them. + Use the new ``IronicDefaultBootOption`` configuration to override, or + set ``boot_option`` capability on nodes and flavors. diff --git a/releasenotes/notes/ironic-hardware-types-fe5140549d3bb792.yaml b/releasenotes/notes/ironic-hardware-types-fe5140549d3bb792.yaml new file mode 100644 index 00000000..da3da6c7 --- /dev/null +++ b/releasenotes/notes/ironic-hardware-types-fe5140549d3bb792.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Configuring enabled Ironic hardware types is now possible via new + ``IronicEnabledHardwareTypes`` parameter. See this spec for details: + http://specs.openstack.org/openstack/ironic-specs/specs/approved/driver-composition-reform.html. + - | + Bare metal serial console support via ``socat`` utility is enabled for + Ironic hardware types supporting it (currently only ``ipmi``). diff --git a/releasenotes/notes/ironic-neutron-integration-76c4f9e0d10785e4.yaml b/releasenotes/notes/ironic-neutron-integration-76c4f9e0d10785e4.yaml new file mode 100644 index 00000000..dd99acc7 --- /dev/null +++ b/releasenotes/notes/ironic-neutron-integration-76c4f9e0d10785e4.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Allow setting the Ironic provisioning network UUID or name via new + ``IronicProvisioningNetwork`` configuration. + - | + Enable support for "neutron" Ironic networking plugin, enabling advanced + integration with Neutron, such as VLAN/VXLAN network support, bonding and + security groups. diff --git a/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml new file mode 100644 index 00000000..c327265a --- /dev/null +++ b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Previously the RHEL registration script disabled the satellite repo after + installing the necessary packages from it. This makes it awkward to + update those packages later, so the repo will no longer be disabled. diff --git a/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml new file mode 100644 index 00000000..d0624265 --- /dev/null +++ b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Since panko is enabled by default, include it the default dispatcher + for ceilometer events. diff --git a/releasenotes/notes/match-enable_dvr-with-NeutronEnableDVR-fe8aac6c4ce52bce.yaml b/releasenotes/notes/match-enable_dvr-with-NeutronEnableDVR-fe8aac6c4ce52bce.yaml new file mode 100644 index 00000000..54400432 --- /dev/null +++ b/releasenotes/notes/match-enable_dvr-with-NeutronEnableDVR-fe8aac6c4ce52bce.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - | + Neutron API controller no longer advertises ``dvr`` extension if the + cloud is not configured for DVR. This is achieved by setting ``enable_dvr`` + to match ``NeutronEnableDVR`` setting. diff --git a/releasenotes/notes/migration_over_ssh-003e2a92f5f5374d.yaml b/releasenotes/notes/migration_over_ssh-003e2a92f5f5374d.yaml new file mode 100644 index 00000000..45ca9fe5 --- /dev/null +++ b/releasenotes/notes/migration_over_ssh-003e2a92f5f5374d.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Add support for cold migration over ssh. + + This enables nova cold migration. + + This also switches to SSH as the default transport for live-migration. + The tripleo-common mistral action that generates passwords supplies the + MigrationSshKey parameter that enables this. +deprecations: + - | + The TCP transport is no longer used for live-migration and the firewall + port has been closed. diff --git a/releasenotes/notes/nsx-support-1254839718d8df8c.yaml b/releasenotes/notes/nsx-support-1254839718d8df8c.yaml new file mode 100644 index 00000000..1d9f5f8a --- /dev/null +++ b/releasenotes/notes/nsx-support-1254839718d8df8c.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for NSX Neutron plugin diff --git a/releasenotes/notes/octavia-1687026-c01313aab53f55a4.yaml b/releasenotes/notes/octavia-1687026-c01313aab53f55a4.yaml new file mode 100644 index 00000000..2ba01c71 --- /dev/null +++ b/releasenotes/notes/octavia-1687026-c01313aab53f55a4.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Octavia API and Neutron Server can now be deployed on separated nodes. + See https://bugs.launchpad.net/tripleo/+bug/1687026 diff --git a/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml b/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml new file mode 100644 index 00000000..f5ccec06 --- /dev/null +++ b/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml @@ -0,0 +1,6 @@ +--- +features: + - Support configuring NeutronBridgeMappings + - Set force_config_drive to true as OVN doesn't support metadata service + - Add necessary iptables rules to allow Geneve traffic and ovsdb-server + traffic for Northbound and Southbound databases. diff --git a/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml new file mode 100644 index 00000000..8c210823 --- /dev/null +++ b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml @@ -0,0 +1,12 @@ +--- +issues: + - During the ovs upgrade for 2.5 to 2.6 we need to workaround the classic + yum update command by handling the upgrade of the package separately to not + loose the IPs and the connectivity on the nodes. The workaround is + discussed here https://bugs.launchpad.net/tripleo/+bug/1669714 +upgrade: + - The upgrade from openvswitch 2.5 to 2.6 is handled gracefully and there should + be no user impact in particular no restart of the openvswitch service. For more + information please see the related bug above which also links the relevant code reviews. + The workaround (transparent to the user/doesn't require any input) is to download the OVS + package and install with --nopostun and --notriggerun options provided by the rpm binary. diff --git a/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml b/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml new file mode 100644 index 00000000..5b58d3d4 --- /dev/null +++ b/releasenotes/notes/pluggable-server-type-per-role-314f38f8e5d4c84e.yaml @@ -0,0 +1,8 @@ +--- +features: + - The server resource type, OS::TripleO::Server can now be + mapped per role instead of globally. This allows users to + mix baremetal (OS::Nova::Server) and + deployed-server (OS::Heat::DeployedServer) server resources + in the same deployment. See + https://blueprints.launchpad.net/tripleo/+spec/pluggable-server-type-per-role diff --git a/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml b/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml new file mode 100644 index 00000000..09d3be03 --- /dev/null +++ b/releasenotes/notes/replace-references-to-old-ctlplane-0df7f2ae8910559c.yaml @@ -0,0 +1,20 @@ +--- +upgrade: + - | + The default network for the ctlplane changed from 192.0.2.0/24 to + 192.168.24.0/24. All references to the ctlplane network in the templates + have been updated to reflect this change. When upgrading from a previous + release, if the default network was used for the ctlplane (192.0.2.0/24), + then it is necessary to provide as input, via environment file, the correct + setting for all the parameters that previously defaulted to 192.0.2.x and + now default to 192.168.24.x; there is an environment file which could be + used on upgrade `environments/updates/update-from-192_0_2-subnet.yaml` to + cover a simple scenario but it won't be enough for scenarios using an + external load balancer, Contrail or Cisto N1KV. Follows a list of params to + be provided on upgrade. + From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute + From external-loadbalancer-vip-v6.yaml: ControlFixedIPs + From external-loadbalancer-vip.yaml: ControlFixedIPs + From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute + From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP + From contrail-vrouter.yaml: ContrailVrouterGateway diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml new file mode 100644 index 00000000..c24e8921 --- /dev/null +++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive + kernel address information with unprivileged access. Deployments that set + or depend on values other than 1 for kernel.dmesg_restrict may be affected + by upgrading. +security: + - | + Kernel syslog contains sensitive kernel address information, setting + kernel.dmesg_restrict to avoid unprivileged access to this information. diff --git a/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml new file mode 100644 index 00000000..86622bc1 --- /dev/null +++ b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Add knobs to limit memory comsumed by mongodb with systemd diff --git a/releasenotes/notes/role-tags-16ac2e9e8fcab218.yaml b/releasenotes/notes/role-tags-16ac2e9e8fcab218.yaml new file mode 100644 index 00000000..dadbfa4b --- /dev/null +++ b/releasenotes/notes/role-tags-16ac2e9e8fcab218.yaml @@ -0,0 +1,18 @@ +--- +features: + - | + Adds tags to roles that allow an operator to specify custom tags to use + when trying to find functionality available from a role. Currently a role + with both the 'primary' and 'controller' tag is consider to be the primary + role. Historically the role named 'Controller' was the 'primary' role and + this primary designation is used to determine items like memcache ip + addresses. If no roles have the both the 'primary' and 'controller' tags, + the first role specified in the roles_data.yaml is used as the primary + role. +upgrade: + - | + If using custom roles data, the logic was changed to leverage the first + role listed in the roles_data.yaml file to be the primary role. This can + be worked around by adding the 'primary' and 'controller' tags to the + custom controller role in your roles_data.yaml to ensure that the defined + custom controller role is still considered the primary role. diff --git a/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml new file mode 100644 index 00000000..c744e0f7 --- /dev/null +++ b/releasenotes/notes/sahara_auth_v3-65bd276b39b4e284.yaml @@ -0,0 +1,4 @@ +--- +features: + - Sahara is now deployed with keystone_authtoken parameters and move + forward with Keystone v3 version. diff --git a/releasenotes/notes/service-role-name-0b8609d314564885.yaml b/releasenotes/notes/service-role-name-0b8609d314564885.yaml new file mode 100644 index 00000000..6c738084 --- /dev/null +++ b/releasenotes/notes/service-role-name-0b8609d314564885.yaml @@ -0,0 +1,4 @@ +--- +features: + - Role specific informations are added to the service template to enable + role specific decisions on the service. diff --git a/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml b/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml new file mode 100644 index 00000000..07407f20 --- /dev/null +++ b/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - We need ceilometer user in cases where ceilometer API is disabled. + This is to ensure other ceilometer services can still authenticate + with keystone. diff --git a/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml b/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml new file mode 100644 index 00000000..7cff9eec --- /dev/null +++ b/releasenotes/notes/snmp_listen-2364188f73d43b14.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Adding a new parameter to SNMP profile, SnmpdBindHost + so users can change the binding addresses on SNMP daemon. + The parameter is an array and takes the default value that + were previously hardcoded in puppet-tripleo. diff --git a/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml new file mode 100644 index 00000000..20146b0a --- /dev/null +++ b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - The ``pci_passthrough`` hiera value should be passed as a string + (`bug 1675036 <https://bugs.launchpad.net/tripleo/+bug/1675036>`__). diff --git a/releasenotes/notes/ssh_known_hosts-287563590632d1aa.yaml b/releasenotes/notes/ssh_known_hosts-287563590632d1aa.yaml new file mode 100644 index 00000000..8b533b1a --- /dev/null +++ b/releasenotes/notes/ssh_known_hosts-287563590632d1aa.yaml @@ -0,0 +1,4 @@ +--- +features: + - SSH host key exchange. The ssh host keys are collected from each host, + combined, and written to /etc/ssh/ssh_known_hosts. diff --git a/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml new file mode 100644 index 00000000..4cc01df8 --- /dev/null +++ b/releasenotes/notes/sshd-service-extensions-0c4d0879942a2052.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Added ability to manage MOTD Banner + Enabled SSHD composible service by default. Puppet-ssh manages the sshd config. diff --git a/releasenotes/notes/stack-name-input-73f4d4d052f1377e.yaml b/releasenotes/notes/stack-name-input-73f4d4d052f1377e.yaml new file mode 100644 index 00000000..2ccbee9c --- /dev/null +++ b/releasenotes/notes/stack-name-input-73f4d4d052f1377e.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - The stack name can now be overridden in the get-occ-config.sh script + for deployed-server's by setting the $STACK_NAME variable in the + environment. diff --git a/releasenotes/notes/swap-prepuppet-and-postpuppet-to-preconfig-and-postconfig-debd5f28bc578d51.yaml b/releasenotes/notes/swap-prepuppet-and-postpuppet-to-preconfig-and-postconfig-debd5f28bc578d51.yaml new file mode 100644 index 00000000..875b704a --- /dev/null +++ b/releasenotes/notes/swap-prepuppet-and-postpuppet-to-preconfig-and-postconfig-debd5f28bc578d51.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - This commit merges both [Pre|Post]Puppet and [Pre|Post]Config + resources, giving an agnostic name for the configuration + steps. The [Pre|Post]Puppet resource is removed and should not + be used anymore. diff --git a/releasenotes/notes/token-flush-twice-a-day-d4b00a2953a6b383.yaml b/releasenotes/notes/token-flush-twice-a-day-d4b00a2953a6b383.yaml new file mode 100644 index 00000000..70051f65 --- /dev/null +++ b/releasenotes/notes/token-flush-twice-a-day-d4b00a2953a6b383.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - The token flush cron job has been modified to run hourly instead of once + a day. This is because this was causing issues with larger deployments, as + the operation would take too long and sometimes even fail because of the + transaction being so large. Note that this only affects people using the + UUID token provider. diff --git a/releasenotes/notes/update-on-rhel-registration-afbef3ead983b08f.yaml b/releasenotes/notes/update-on-rhel-registration-afbef3ead983b08f.yaml new file mode 100644 index 00000000..ad1f39c4 --- /dev/null +++ b/releasenotes/notes/update-on-rhel-registration-afbef3ead983b08f.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Adds a new boolean parameter for RHEL Registration called + 'UpdateOnRHELRegistration' that when enabled will trigger a yum update + on the node after the registration process completes. diff --git a/releasenotes/notes/update-plan-environment-4e164b57a801e2cb.yaml b/releasenotes/notes/update-plan-environment-4e164b57a801e2cb.yaml new file mode 100644 index 00000000..29d32cb7 --- /dev/null +++ b/releasenotes/notes/update-plan-environment-4e164b57a801e2cb.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add name and description fields to plan-environment.yaml diff --git a/releasenotes/notes/upgrade-stack-action-94598796a9d3511f.yaml b/releasenotes/notes/upgrade-stack-action-94598796a9d3511f.yaml new file mode 100644 index 00000000..bdff0e6e --- /dev/null +++ b/releasenotes/notes/upgrade-stack-action-94598796a9d3511f.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + The new StackUpdateType parameter is now set to UPGRADE + when a major version upgrade is in progress. This enables application + configuration via puppet to distinuish a major version upgrade from a + normal stack update (e.g for minor updates or reconfiguration) by + inspecting the stack_update_type hiera value. In future other values may be added to + flag e.g minor updates vs reconfiguration, but for now only UPGRADE is considered. diff --git a/releasenotes/notes/vpp-ml2-8e115f7763510531.yaml b/releasenotes/notes/vpp-ml2-8e115f7763510531.yaml new file mode 100644 index 00000000..2f8ae146 --- /dev/null +++ b/releasenotes/notes/vpp-ml2-8e115f7763510531.yaml @@ -0,0 +1,3 @@ +--- +features: + - Adds support for networking-vpp ML2 mechanism driver and agent. diff --git a/releasenotes/notes/zaqar-httpd-e7d91bf396da28d0.yaml b/releasenotes/notes/zaqar-httpd-e7d91bf396da28d0.yaml new file mode 100644 index 00000000..a2172aac --- /dev/null +++ b/releasenotes/notes/zaqar-httpd-e7d91bf396da28d0.yaml @@ -0,0 +1,3 @@ +--- +features: + - Run the Zaqar WSGI service over httpd in Puppet. |