Diffstat (limited to 'releasenotes')
-rw-r--r--releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml3
-rw-r--r--releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml5
-rw-r--r--releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml3
-rw-r--r--releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml4
-rw-r--r--releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml12
-rw-r--r--releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml19
-rw-r--r--releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml9
-rw-r--r--releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml10
-rw-r--r--releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml6
-rw-r--r--releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml12
10 files changed, 83 insertions, 0 deletions
diff --git a/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml
new file mode 100644
index 00000000..81835323
--- /dev/null
+++ b/releasenotes/notes/add-l2gw-api-support-2206d3d14f409088.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Add support for L2 Gateway Neutron service plugin
diff --git a/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml
new file mode 100644
index 00000000..19452f27
--- /dev/null
+++ b/releasenotes/notes/add-ldap-backend-0bda702fb0aa24bf.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Add capabilities to configure LDAP backends as for keystone domains.
+ This can be done by using the KeystoneLDAPDomainEnable and
+ KeystoneLDAPBackendConfigs parameters.
diff --git a/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml
new file mode 100644
index 00000000..ecf35933
--- /dev/null
+++ b/releasenotes/notes/add_db_sync_timeout-c9b2f401cca0b37d.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Adds DatabaseSyncTimeout parameter to Nova and Neutron templates.
diff --git a/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml
new file mode 100644
index 00000000..2661f7c9
--- /dev/null
+++ b/releasenotes/notes/disable-ceilo-api-dfe5d0947563bbe0.yaml
@@ -0,0 +1,4 @@
+---
+deprecations:
+ - Deprecate and disable ceilometer Api by default. This can be enabled
+ by passing in an env file to deploy command.
diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
new file mode 100644
index 00000000..3168a549
--- /dev/null
+++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent
+ exposing sensitive data through core dumps of processes with elevated
+ permissions. Deployments that set or depend on non-zero values for
+ fs.suid_dumpable may be affected by upgrading.
+security:
+ - |
+ Explicitly disable core dump for setuid programs by setting
+ fs.suid_dumpable = 0, this will descrease the risk of unauthorized access
+ of core dump file generated by setuid program.
diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
new file mode 100644
index 00000000..0f226a84
--- /dev/null
+++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
@@ -0,0 +1,19 @@
+---
+upgrade:
+ - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
+ are now set to 0 to prevent a compromised host from sending invalid ICMP
+ redirects to other router devices.
+ - The net.ipv4.conf.default.accept_redirects,
+ net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
+ are now set to 0 to prevent forged ICMP packet from altering host's routing
+ tables.
+ - The net.ipv4.conf.default.secure_redirects &
+ net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
+ of secure ICMP redirected packets.
+security:
+ - Invalide ICMP redirects may corrupt routing and have users access a system
+ set up by the attacker as opposed to a valid system.
+ - Routing tables may be altered by bogus ICMP redirect messages and send
+ packets to incorrect networks.
+ - Secure ICMP redirects are the same as ICMP redirects, except they come from
+ gateways listed on the default gateway list.
diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
new file mode 100644
index 00000000..bb2543f2
--- /dev/null
+++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are
+ now set to 1 to enable logging of suspicious packets.
+security:
+ - |
+ Logging of suspicious packets allows an administrator to investigate the
+ spoofed packets sent to their system.
diff --git a/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml
new file mode 100644
index 00000000..ef8877ae
--- /dev/null
+++ b/releasenotes/notes/get-occ-config-local-connector-5bbec3f591a9f311.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+ - The deployed-server Heat agent configuration script,
+ get-occ-config.sh, is now updated to configure the
+ local data source for os-collect-config instead of
+ configuring /etc/os-collect-config.conf directly. Doing
+ so means that the configuration template for os-apply-config
+ no longer has to be deleted as the file will be rendered
+ correctly with the right data. See
+ https://bugs.launchpad.net/tripleo/+bug/1679705
diff --git a/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml
new file mode 100644
index 00000000..c327265a
--- /dev/null
+++ b/releasenotes/notes/leave-satellite-repo-enabled-8b60528bd5450c7b.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Previously the RHEL registration script disabled the satellite repo after
+ installing the necessary packages from it. This makes it awkward to
+ update those packages later, so the repo will no longer be disabled.
diff --git a/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml
new file mode 100644
index 00000000..8c210823
--- /dev/null
+++ b/releasenotes/notes/ovs-2.5-2.6-composable-upgrades-workaround-73f4e56127c910b4.yaml
@@ -0,0 +1,12 @@
+---
+issues:
+ - During the ovs upgrade for 2.5 to 2.6 we need to workaround the classic
+ yum update command by handling the upgrade of the package separately to not
+ loose the IPs and the connectivity on the nodes. The workaround is
+ discussed here https://bugs.launchpad.net/tripleo/+bug/1669714
+upgrade:
+ - The upgrade from openvswitch 2.5 to 2.6 is handled gracefully and there should
+ be no user impact in particular no restart of the openvswitch service. For more
+ information please see the related bug above which also links the relevant code reviews.
+ The workaround (transparent to the user/doesn't require any input) is to download the OVS
+ package and install with --nopostun and --notriggerun options provided by the rpm binary.