diff options
Diffstat (limited to 'releasenotes')
19 files changed, 129 insertions, 0 deletions
diff --git a/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml new file mode 100644 index 00000000..d1f73407 --- /dev/null +++ b/releasenotes/notes/add-ceilometer-agent-ipmi-2c86726d0373d354.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support to configure Ceilometer Agent Ipmi profiles. diff --git a/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml new file mode 100644 index 00000000..81835323 --- /dev/null +++ b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml @@ -0,0 +1,3 @@ +--- +features: + - Add support for L2 Gateway Neutron service plugin diff --git a/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml b/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml new file mode 100644 index 00000000..163536dd --- /dev/null +++ b/releasenotes/notes/add-qdr-99a27dffef42c13e.yaml @@ -0,0 +1,8 @@ +--- +features: + - Introduce the ability to deploy the qpid-dispatch-router (Qdr) for + the oslo.messaging AMQP 1.0 driver backend. The Qdr provides + direct messaging (e.g. brokerless) communications for + oslo.messaging services. To facilitate simple use for evaluation + in an overcloud deployment, the Qdr aliases the RabbitMQ service + to provide the messaging backend. diff --git a/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml new file mode 100644 index 00000000..ecf35933 --- /dev/null +++ b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml @@ -0,0 +1,3 @@ +--- +features: + - Adds DatabaseSyncTimeout parameter to Nova and Neutron templates. diff --git a/releasenotes/notes/api-policy-4ca739519537f6f4.yaml b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml new file mode 100644 index 00000000..54beb305 --- /dev/null +++ b/releasenotes/notes/api-policy-4ca739519537f6f4.yaml @@ -0,0 +1,13 @@ +--- +features: + - | + TripleO is now able to configure role-based access API policies with new + parameters for each API service. + For example, Nova API service has now NovaApiPolicies and the value + could be { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } } + It will configure /etc/nova/policy.json file and configure context_is_admin + to true. Puppet will take care of this configuration and API services are + restarted when the file is touched. + We're also adding augeas resource to the list of Puppet providers that + container deployments grab in the catalog to generate configurations, so + this feature can be used when deploying TripleO in containers. diff --git a/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml b/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml new file mode 100644 index 00000000..49ede200 --- /dev/null +++ b/releasenotes/notes/big-switch-agent-4c743a2112251234.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Updated bigswitch environment file to include the bigswitch agent + installation and correct support for the restproxy configuration. diff --git a/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml new file mode 100644 index 00000000..298a8ece --- /dev/null +++ b/releasenotes/notes/deployed-server-firewall-purge-9d9fe73faf925056.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - The initial firewall will now be purged by the deployed-server bootstrap + scripts. This is needed to prevent possible issues with bootstrapping the + initial Pacemaker cluster. See + https://bugs.launchpad.net/tripleo/+bug/1679234 diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml new file mode 100644 index 00000000..3168a549 --- /dev/null +++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent + exposing sensitive data through core dumps of processes with elevated + permissions. Deployments that set or depend on non-zero values for + fs.suid_dumpable may be affected by upgrading. +security: + - | + Explicitly disable core dump for setuid programs by setting + fs.suid_dumpable = 0, this will descrease the risk of unauthorized access + of core dump file generated by setuid program. diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml new file mode 100644 index 00000000..0f226a84 --- /dev/null +++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml @@ -0,0 +1,19 @@ +--- +upgrade: + - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects + are now set to 0 to prevent a compromised host from sending invalid ICMP + redirects to other router devices. + - The net.ipv4.conf.default.accept_redirects, + net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects + are now set to 0 to prevent forged ICMP packet from altering host's routing + tables. + - The net.ipv4.conf.default.secure_redirects & + net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance + of secure ICMP redirected packets. +security: + - Invalide ICMP redirects may corrupt routing and have users access a system + set up by the attacker as opposed to a valid system. + - Routing tables may be altered by bogus ICMP redirect messages and send + packets to incorrect networks. + - Secure ICMP redirects are the same as ICMP redirects, except they come from + gateways listed on the default gateway list. diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml new file mode 100644 index 00000000..bb2543f2 --- /dev/null +++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are + now set to 1 to enable logging of suspicious packets. +security: + - | + Logging of suspicious packets allows an administrator to investigate the + spoofed packets sent to their system. diff --git a/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml new file mode 100644 index 00000000..682171c1 --- /dev/null +++ b/releasenotes/notes/fix-cinder-nfs-share-usage-0968f88eff7ffb99.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - Fixes an issue when using the CinderNfsServers + parameter_defaults setting. It now works using a + single share as well as a comma-separated list of + shares. diff --git a/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml new file mode 100644 index 00000000..bb18aed8 --- /dev/null +++ b/releasenotes/notes/fix-neutron-dpdk-firewall-436aee39a0d7ed65.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - Fixes firewall rules from neutron OVS agent not being + inherited correctly and applied in neutron OVS DPDK + template. diff --git a/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml new file mode 100644 index 00000000..79cea05e --- /dev/null +++ b/releasenotes/notes/fix-odl-provider-mapping-hiera-5b3472184be490e2.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Fixes OpenDaylightProviderMappings parsing on a + comma delimited list. diff --git a/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml new file mode 100644 index 00000000..d2b2eb94 --- /dev/null +++ b/releasenotes/notes/install-openstack-selinux-d14b2e26feb6d04e.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - openstack-selinux is now installed by the deployed-server + bootstrap scripts. Previously, it was not installed, so + if SELinux was set to enforcing, all OpenStack policy + was missing. diff --git a/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml new file mode 100644 index 00000000..d0624265 --- /dev/null +++ b/releasenotes/notes/make-panko-default-8d0e824fc91cef56.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - Since panko is enabled by default, include it the default dispatcher + for ceilometer events. diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml new file mode 100644 index 00000000..c24e8921 --- /dev/null +++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive + kernel address information with unprivileged access. Deployments that set + or depend on values other than 1 for kernel.dmesg_restrict may be affected + by upgrading. +security: + - | + Kernel syslog contains sensitive kernel address information, setting + kernel.dmesg_restrict to avoid unprivileged access to this information. diff --git a/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml new file mode 100644 index 00000000..86622bc1 --- /dev/null +++ b/releasenotes/notes/restrict-mongodb-memory-de7bf6754d7234d9.yaml @@ -0,0 +1,3 @@ +--- +fixes: + - Add knobs to limit memory comsumed by mongodb with systemd diff --git a/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml b/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml new file mode 100644 index 00000000..07407f20 --- /dev/null +++ b/releasenotes/notes/set-ceilometer-auth-flag-382f68ddb2cbcb6b.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - We need ceilometer user in cases where ceilometer API is disabled. + This is to ensure other ceilometer services can still authenticate + with keystone. diff --git a/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml new file mode 100644 index 00000000..20146b0a --- /dev/null +++ b/releasenotes/notes/sriov-pci-passthrough-8f28719b889bdaf7.yaml @@ -0,0 +1,4 @@ +--- +fixes: + - The ``pci_passthrough`` hiera value should be passed as a string + (`bug 1675036 <https://bugs.launchpad.net/tripleo/+bug/1675036>`__). |