summaryrefslogtreecommitdiffstats
path: root/releasenotes/notes
AgeCommit message (Collapse)AuthorFilesLines
2017-04-07Merge "ovn: Add missing configurations required"Jenkins1-0/+6
2017-04-06Merge "Add trigger to setup a LDAP backend as keystone domaine"Jenkins1-0/+5
2017-04-06Merge "Use the local collector to bootstrap deployed servers"Jenkins1-0/+10
2017-04-06Merge "Disable ceilometer API"Jenkins1-0/+4
2017-04-06Merge "Don't disable satellite repo after registration"Jenkins1-0/+6
2017-04-06Merge "Add manual ovs upgrade script for workaround ovs upgrade issue"Jenkins1-0/+12
2017-04-06Merge "add configurable timeouts for DB sync"Jenkins1-0/+3
2017-04-06Merge "Add network sysctl tweaks for security"Jenkins2-0/+28
2017-04-06ovn: Add missing configurations requiredNuman Siddique1-0/+6
This patch adds - setting nova config param 'force_config_meta' to True as metadata service is not supported by OVN yet. - Add the necessary iptables rules to allow ovsdb-server traffic for Northbound and Southboud databases. - Update the release notes for OVN. Change-Id: If1a2d07d66e493781b74aab2fc9b76a6d58f3842 Closes-bug: #1670562
2017-04-06Add trigger to setup a LDAP backend as keystone domaineCyril Lopez1-0/+5
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo who will call a define in puppet-keysone ldap_backend.pp. Given the following environment: parameter_defaults: KeystoneLDAPDomainEnable: true KeystoneLDAPBackendConfigs: tripleoldap: url: ldap://192.0.2.250 user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com password: Secrete suffix: dc=redhat,dc=example,dc=com user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)" user_objectclass: person user_id_attribute: cn user_allow_create: false user_allow_update: false user_allow_delete: false ControllerExtraConfig: nova::keystone::authtoken::auth_version: v3 cinder::keystone::authtoken::auth_version: v3 It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. This also enables multi-domain support for horizon. Closes-Bug: 1677603 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643 Signed-off-by: Cyril Lopez <cylopez@redhat.com>
2017-04-05add configurable timeouts for DB syncMike Bayer1-0/+3
This patch integrates with the db_sync_timeout parameter recently added to puppet-nova and puppet-neutron in I6b30a4d9e3ca25d9a473e4eb614a8769fa4567e7, which allow for the full db_sync install to have more time than just Pupppet's default of 300 seconds. Ultimately, similar timeouts can be added for all other projects that feature db sync phases, however Nova and Neutron are currently the ones that are known to time out in some environments. Closes-bug: #1661100 Change-Id: Ic47439a0a774e3d74e844d43b58956da8d1887da
2017-04-05Merge "Add l2gw neutron service plugin support"Jenkins1-0/+3
2017-04-05Merge "Disable core dump for setuid programs"Jenkins1-0/+12
2017-04-04Use the local collector to bootstrap deployed serversSteve Baker1-0/+10
os-collect-config is already configured to use json files in /var/lib/os-collect-config/local-data/ as a data source, so this can be used in the deployed-server get-occ-config.sh to copy in the required json to generate the required os-collect-config.conf. Co-Authored-By: James Slagle <jslagle@redhat.com> Closes-Bug: #1679705 Change-Id: Ibde9e6bf360277d4ff64f66d637a5c7f0360e754
2017-04-05Merge "Add params to tweak memory limit on mongodb"Jenkins1-0/+3
2017-04-04Merge "Purge initial firewall for deployed-server's"Jenkins1-0/+6
2017-04-04Merge "Add ceilometer ipmi agent"Jenkins1-0/+3
2017-04-03Add params to tweak memory limit on mongodbPradeep Kilambi1-0/+3
The puppet-tripleo change was added in Ie9391aa39532507c5de8dd668a70d5b66e17c891. Closes-bug: #1656558 Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
2017-04-03Purge initial firewall for deployed-server'sJames Slagle1-0/+6
We need to purge the initial firewall for deployed-server's, otherwise if you have a default REJECT rule, the pacemaker cluster will fail to initialize. This matches the behavior done when using images, see: Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3 I0dee5ff045fbfe7b55d078583e16b107eec534aa Change-Id: Ia83d17b609e4f737074482a980689cc57c3ad911 Closes-Bug: #1679234
2017-04-03Merge "Qpid dispatch router composable role"Jenkins1-0/+8
2017-04-03Disable ceilometer APIPradeep Kilambi1-0/+4
Ceilometer API has been deprecated since Ocata. lets disable it by default and add an env file to enable it if needed. Closes-bug: #1676968 Change-Id: I571f5467466c29271e0235e8fde6bdae07c20daf
2017-03-31Set auth flag so ceilometer auth is enabledPradeep Kilambi1-0/+5
Ceilometer Auth should be enabled even if ceilometer api is not. Lets decouple these, this flag will be used in puppet-tripleo where ceilometer::keystone::auth class is initialized. Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48 Closes-bug: #1677354
2017-03-31Add manual ovs upgrade script for workaround ovs upgrade issueMathieu Bultel1-0/+12
When we upgrade OVS from 2.5 to 2.6, the postrun package update restart the services and drop the connectivity We need to push this manual upgrade script and executed to the nodes for newton to ocata The special case is needed for 2.5.0-14 specifically see related bug for more info (or, older where the postun tries restart). See related review at [1] for the minor update/manual upgrade. Related-Bug: 1669714 Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3 Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com> [1] https://review.openstack.org/#/c/450607/ Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
2017-03-30Merge "Re-Add bigswitch agent support"Jenkins1-0/+5
2017-03-30Add l2gw neutron service plugin supportPeng Liu1-0/+3
L2 Gateway (L2GW) is an API framework for OpenStack that offers bridging two or more networks together to make them look at a single broadcast domain. This patch implements the l2gw neutron service plugin support part in t-h-t. Change-Id: I1b52dc2c11a15698e43b6deeac6cadeeba1802d5 Depends-On: I01a8afdc51b2a077be1bbc7855892f68756e1fd3 Partially-Implements: blueprint l2gw-service-integration Signed-off-by: Peng Liu <pliu@redhat.com>
2017-03-30Merge "Include panko in the default dispatcher"Jenkins1-0/+4
2017-03-30Merge "Allow to configure policy.json for OpenStack projects"Jenkins1-0/+13
2017-03-29Add ceilometer ipmi agentPradeep Kilambi1-0/+3
Closes-Bug: #1662679 Change-Id: I3446d59b89d43859caedd2be4583099374944379
2017-03-29Add network sysctl tweaks for securityzshi2-0/+28
* Disable Kernel Parameter for Sending ICMP Redirects: - net.ipv4.conf.default.send_redirects = 0 - net.ipv4.conf.all.send_redirects = 0 Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. * Disable Kernel Parameter for Accepting ICMP Redirects: - net.ipv4.conf.default.accept_redirects = 0 Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured. * Disable Kernel Parameter for secure ICMP Redirects: - net.ipv4.conf.default.secure_redirects = 0 - net.ipv4.conf.all.secure_redirects = 0 Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. * Enable Kernel Parameter to log suspicious packets: - net.ipv4.conf.default.log_martians = 1 - net.ipv4.conf.all.log_martians = 1 Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. * Ensure IPv6 redirects are not accepted by Default - net.ipv6.conf.all.accept_redirects = 0 - net.ipv6.conf.default.accept_redirects = 0 Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e Co-Authored-By: Luke Hinds <lhinds@redhat.com> Signed-off-by: zshi <zshi@redhat.com>
2017-03-29Qpid dispatch router composable roleJohn Eckersberg1-0/+8
Note: since it replaces rabbitmq, in order to aim for the smallest amount of changes the service_name is called 'rabbitmq' so all the other services do not need additional logic to use qdr. Depends-On: Idecbbabdd4f06a37ff0cfb34dc23732b1176a608 Change-Id: I27f01d2570fa32de91ffe1991dc873cdf2293dbc
2017-03-29Merge "Modify pci_passthrough hiera value as string"Jenkins1-0/+4
2017-03-28Allow to configure policy.json for OpenStack projectsEmilien Macchi1-0/+13
For both containers and classic deployments, allow to configure policy.json for all OpenStack APIs with new parameters (hash, empty by default). Example of new parameter: NovaApiPolicies. See environments/nova-api-policy.yaml for how the feature can be used. Note: use it with extreme caution. Partial-implement: blueprint modify-policy-json Change-Id: I1144f339da3836c3e8c8ae4e5567afc4d1a83e95
2017-03-28Include panko in the default dispatcherPradeep Kilambi1-0/+4
panko is enabled by default, we might as well make it the default dispatcher along with gnocchi. Closes-bug: #1676900 Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
2017-03-28Modify pci_passthrough hiera value as stringSaravanan KR1-0/+4
Hiera value of nova::compute::pci_passthrough should be a string. It has been modified to JSON with the heira hook changes. Modifying it again back to string. Closes-Bug: #1675036 Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
2017-03-28Disable core dump for setuid programszshi1-0/+12
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. This change sets core dump for setuid programs to '0'. Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d Signed-off-by: zshi <zshi@redhat.com>
2017-03-28Merge "Restrict Access to Kernel Message Buffer"Jenkins1-0/+11
2017-03-25Merge "Fixes missing firewall rules for neutron_ovs_dpdk_agent service"Jenkins1-0/+5
2017-03-25Merge "Install openstack-selinux for deployed-server"Jenkins1-0/+6
2017-03-25Merge "Fix usage of CinderNfsServers"Jenkins1-0/+6
2017-03-23Fixes OpenDaylightProviderMappings hiera parsingTim Rozet1-0/+4
The str_replace conversion used previously is no longer needed and breaks the hieradata value. Closes-Bug: 1675426 Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-23Fix usage of CinderNfsServersChristian Schwede1-0/+6
This feature stopped working somewhere along the lines. In the past it was working with parameter_defaults like this: CinderNfsServers: '10.0.0.254:/srv/nfs/cinder' or CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder" The problem was that the templating escaped these strings, and puppet-tripleo didn't receive a proper array, but a string. This patch fixes this. It accepts strings as above as well as comma-delimited lists of Nfs Servers. Closes-Bug: 1671153 Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
2017-03-22Install openstack-selinux for deployed-serverJames Slagle1-0/+6
No other packages actually require openstack-selinux, so it must be explicity installed. Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a Closes-Bug: #1675170
2017-03-22Fixes missing firewall rules for neutron_ovs_dpdk_agent serviceTim Rozet1-0/+5
Firewall config was being inherited by the dpdk service, however since the firewall service name was the parent (neutron_ovs_agent) and technically that service was not enabled - the rules were never applied. This modifies the service name as it is inherited using map_replace. Closes-Bug: 1674689 Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-22Merge "Enables OpenDaylight clustering in HA deployments"Jenkins1-0/+5
2017-03-22Restrict Access to Kernel Message Bufferzshi1-0/+11
Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi <zshi@redhat.com>
2017-03-20Enables OpenDaylight clustering in HA deploymentsTim Rozet1-0/+5
Port 2550 is required for inter-ODL communication when clustering. odl-jolokia feature is required to expose REST APIs from ODL for monitoring the cluster. Implements: blueprint opendaylight-ha Depends-On: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Change-Id: Ie108ab75cce0cb7d89e72637c600e30fc241d186 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-17Re-Add bigswitch agent supportAlex Schultz1-0/+5
The agent configuration was lost in newton during the puppet-tripleo and THT role conversion. This change adds support for including the bigswitch agent service for composable roles. Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908 Closes-Bug: #1673126
2017-03-16Merge "Added release note for NeutronExternalNetworkBridge deprecation"Jenkins1-0/+10
2017-03-15etcd: secure EtcdInitialClusterToken parameterEmilien Macchi1-0/+6
Secure EtcdInitialClusterToken parameter by: * removing the default value. * make it hidden. Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961 Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9 Closes-Bug: #1673266
2017-03-15Don't disable satellite repo after registrationBen Nemec1-0/+6
Previously the rhel registration script disabled the satellite repo after installing packages from it. This means those packages will never be updated, which is not desirable from a long-term maintenance perspective. I believe this behavior is a holdover from the dib registration script, where we don't want to leave repos enabled because the image may be deployed many times and each instance needs to be re-registered. In t-h-t we don't have that problem because the script only runs at deploy time so it's okay and desirable to leave the repos enabled. Change-Id: I5d760467b458d90d74507a55effc49b71d22eaa3 Closes-Bug: 1673116