diff options
Diffstat (limited to 'releasenotes')
14 files changed, 101 insertions, 0 deletions
diff --git a/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml new file mode 100644 index 00000000..d1f73407 --- /dev/null +++ b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support to configure Ceilometer Agent Ipmi profiles. diff --git a/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml new file mode 100644 index 00000000..81835323 --- /dev/null +++ b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for L2 Gateway Neutron service plugin diff --git a/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml new file mode 100644 index 00000000..19452f27 --- /dev/null +++ b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add capabilities to configure LDAP backends as for keystone domains. + This can be done by using the KeystoneLDAPDomainEnable and + KeystoneLDAPBackendConfigs parameters. diff --git a/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml new file mode 100644 index 00000000..ecf35933 --- /dev/null +++ b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml @@ -0,0 +1,3 @@ +--- +features: + - Adds DatabaseSyncTimeout parameter to Nova and Neutron templates. diff --git a/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml new file mode 100644 index 00000000..298a8ece --- /dev/null +++ b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The initial firewall will now be purged by the deployed-server bootstrap + scripts. This is needed to prevent possible issues with bootstrapping the + initial Pacemaker cluster. See + https://bugs.launchpad.net/tripleo/+bug/1679234 diff --git a/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml new file mode 100644 index 00000000..2661f7c9 --- /dev/null +++ b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml @@ -0,0 +1,4 @@ +--- +deprecations: + - Deprecate and disable ceilometer Api by default. This can be enabled + by passing in an env file to deploy command. diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml new file mode 100644 index 00000000..3168a549 --- /dev/null +++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent + exposing sensitive data through core dumps of processes with elevated + permissions. Deployments that set or depend on non-zero values for + fs.suid_dumpable may be affected by upgrading. +security: + - | + Explicitly disable core dump for setuid programs by setting + fs.suid_dumpable = 0, this will descrease the risk of unauthorized access + of core dump file generated by setuid program. diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml new file mode 100644 index 00000000..0f226a84 --- /dev/null +++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml @@ -0,0 +1,19 @@ +--- +upgrade: + - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects + are now set to 0 to prevent a compromised host from sending invalid ICMP + redirects to other router devices. + - The net.ipv4.conf.default.accept_redirects, + net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects + are now set to 0 to prevent forged ICMP packet from altering host's routing + tables. + - The net.ipv4.conf.default.secure_redirects & + net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance + of secure ICMP redirected packets. +security: + - Invalide ICMP redirects may corrupt routing and have users access a system + set up by the attacker as opposed to a valid system. + - Routing tables may be altered by bogus ICMP redirect messages and send + packets to incorrect networks. + - Secure ICMP redirects are the same as ICMP redirects, except they come from + gateways listed on the default gateway list. diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml new file mode 100644 index 00000000..bb2543f2 --- /dev/null +++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are + now set to 1 to enable logging of suspicious packets. +security: + - | + Logging of suspicious packets allows an administrator to investigate the + spoofed packets sent to their system. diff --git a/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml new file mode 100644 index 00000000..ef8877ae --- /dev/null +++ b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml @@ -0,0 +1,10 @@ +--- +fixes: + - The deployed-server Heat agent configuration script, + get-occ-config.sh, is now updated to configure the + local data source for os-collect-config instead of + configuring /etc/os-collect-config.conf directly. Doing + so means that the configuration template for os-apply-config + no longer has to be deleted as the file will be rendered + correctly with the right data. See + https://bugs.launchpad.net/tripleo/+bug/1679705 diff --git a/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml new file mode 100644 index 00000000..c327265a --- /dev/null +++ b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Previously the RHEL registration script disabled the satellite repo after + installing the necessary packages from it. This makes it awkward to + update those packages later, so the repo will no longer be disabled. diff --git a/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml b/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml new file mode 100644 index 00000000..f5ccec06 --- /dev/null +++ b/releasenotes/notes/ovn-fcd4b0168e6745a8.yaml @@ -0,0 +1,6 @@ +--- +features: + - Support configuring NeutronBridgeMappings + - Set force_config_drive to true as OVN doesn't support metadata service + - Add necessary iptables rules to allow Geneve traffic and ovsdb-server + traffic for Northbound and Southbound databases. diff --git a/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml new file mode 100644 index 00000000..8c210823 --- /dev/null +++ b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml @@ -0,0 +1,12 @@ +--- +issues: + - During the ovs upgrade for 2.5 to 2.6 we need to workaround the classic + yum update command by handling the upgrade of the package separately to not + loose the IPs and the connectivity on the nodes. The workaround is + discussed here https://bugs.launchpad.net/tripleo/+bug/1669714 +upgrade: + - The upgrade from openvswitch 2.5 to 2.6 is handled gracefully and there should + be no user impact in particular no restart of the openvswitch service. For more + information please see the related bug above which also links the relevant code reviews. + The workaround (transparent to the user/doesn't require any input) is to download the OVS + package and install with --nopostun and --notriggerun options provided by the rpm binary. diff --git a/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml new file mode 100644 index 00000000..86622bc1 --- /dev/null +++ b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Add knobs to limit memory comsumed by mongodb with systemd |