path: root/releasenotes/notes
Age | Commit message | Author | Files | Lines
2017-04-25 | Merge "SSHD Service extensions" into stable/ocata | Jenkins | 1 | -0/+5
2017-04-25 | Merge "Add migration SSH tunneling support" into stable/ocata | Jenkins | 1 | -0/+14
2017-04-25 | Merge "SSH known_hosts config" into stable/ocata | Jenkins | 1 | -0/+4
2017-04-21 | SSHD Service extensions | Luke Hinds | 1 | -0/+5
This change implements a MOTD message and provides a hash of sshd config options which are sourced to the puppet-ssh module as a hash. The SSHD puppet service is enabled by default, as it is required for Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293. Also added the service to the CI roles.
Change-Id: Ie2e01d93082509b8ede37297067eab03bb1ab06e
Depends-On: I1d09530d69e42c0c36311789166554a889e46556
Closes-Bug: #1668543
Co-Authored-By: Oliver Walsh <owalsh@redhat.com>
(cherry picked from commit 5e14f95a4a46fcf88293f1b0fa93327566614d43)
2017-04-21 | Merge "Run token flush cron job hourly by default" into stable/ocata | Jenkins | 1 | -0/+7
2017-04-21 | Merge "Replace references to the 192.0.2 network" into stable/ocata | Jenkins | 1 | -0/+20
2017-04-20 | Add migration SSH tunneling support | Oliver Walsh | 1 | -0/+14
This enables nova cold migration. This also switches to SSH as the default transport for live-migration. The tripleo-common mistral action that generates passwords supplies the MigrationSshKey parameter that enables this. The TCP transport is no longer used for live-migration and the firewall port has been closed.
Change-Id: I4e55a987c93673796525988a2e4cc264a6b5c24f
Depends-On: I367757cbe8757d11943af7e41af620f9ce919a06
Depends-On: I9e7a1862911312ad942233ac8fc828f4e1be1dcf
Depends-On: Iac1763761c652bed637cb7cf85bc12347b5fe7ec
(cherry picked from commit 0271a63e52b961eab0da2f5c6a61811a7a1498f7)
2017-04-20 | SSH known_hosts config | Oliver Walsh | 1 | -0/+4
Fetch the host public keys from each node, combine them all and write to the system-wide ssh known hosts. The alternative of disabling host key verification is vulnerable to a MITM attack.
Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
(cherry picked from commit 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6)
2017-04-19 | Merge "Modify pci_passthrough hiera value as string" into stable/ocata | Jenkins | 1 | -0/+4
2017-04-19 | Run token flush cron job hourly by default | Juan Antonio Osorio Robles | 1 | -0/+7
Running this job once a day has proven problematic for large deployments as seen in the bug report. Setting it to run hourly would be an improvement to the current situation, as the flushes wouldn't need to process as much data. Note that this only affects people using UUID as the token provider.
Change-Id: I462e4da2bfdbcba0403ecde5d613386938e2283a
Related-Bug: #1649616
(cherry picked from commit 65e643aca2202f031db94f1ccd3d44e195e5e772)
2017-04-17 | Add params to tweak memory limit on mongodb | Pradeep Kilambi | 1 | -0/+3
The puppet-tripleo change was added in Ie9391aa39532507c5de8dd668a70d5b66e17c891.
Closes-bug: #1656558
Change-Id: Ibe2e4be5b5dc953d8d4b14f680a460409db95585
(cherry picked from commit 75d48838020ad9ff2bbd739212599ec8eb932649)
2017-04-12 | Replace references to the 192.0.2 network | Giulio Fidente | 1 | -0/+20
Following change I1393d65ffb20b1396ff068def237418958ed3289 the ctlplane network will be 192.168.24 by default and not 192.0.2 anymore. This change removes old references left to 192.0.2 network from the overcloud templates.
(cherry picked from commit b5b6681a74e001448a836e7eea5e75fba859b88c)
Closes-Bug: #1682144
Change-Id: I49bd1ac8d594105665010bd898670b17e72fa763
2017-04-07 | Add trigger to setup a LDAP backend as keystone domaine | Cyril Lopez | 1 | -0/+5
It is using a trigger tripleo::profile::base::keystone::ldap_backend_enable in puppet-tripleo which will call a define in puppet-keystone ldap_backend.pp.
Given the following environment:
    parameter_defaults:
      KeystoneLDAPDomainEnable: true
      KeystoneLDAPBackendConfigs:
        tripleoldap:
          url: ldap://192.0.2.250
          user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
          password: Secrete
          suffix: dc=redhat,dc=example,dc=com
          user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
          user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
          user_objectclass: person
          user_id_attribute: cn
          user_allow_create: false
          user_allow_update: false
          user_allow_delete: false
      ControllerExtraConfig:
        nova::keystone::authtoken::auth_version: v3
        cinder::keystone::authtoken::auth_version: v3
It would then create a domain called tripleoldap with an LDAP configuration as defined by the hash. The parameters from the hash are defined by the keystone::ldap_backend resource in puppet-keystone. More backends can be added as more entries to that hash. This also enables multi-domain support for horizon.
Conflicts: puppet/services/keystone.yaml
Closes-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Depends-On: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
Change-Id: I6c815e4596d595bfa2a018127beaf21249a10643
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
(cherry picked from commit 347f5434b3e3793b9fdf2a94f49ab7734c5d923b)
2017-04-06 | Add manual ovs upgrade script for workaround ovs upgrade issue | Mathieu Bultel | 1 | -0/+12
When we upgrade OVS from 2.5 to 2.6, the postrun package update restarts the services and drops the connectivity. We need to push this manual upgrade script and execute it on the nodes for newton to ocata. The special case is needed for 2.5.0-14 specifically, see related bug for more info (or, older where the postun tries restart). See related review at [1] for the minor update/manual upgrade.
Related-Bug: 1669714
Depends-On: I3227189691df85f265cf84bd4115d8d4c9f979f3
Co-Authored-By: Sofer Athlan-Guyot <sathlang@redhat.com>
[1] https://review.openstack.org/#/c/450607/
Change-Id: If998704b3c4199bbae8a1d068c31a71763f5c8a2
(cherry picked from commit d2d319ec0ead06b860f8464b001048fb4f723788)
2017-04-06 | Merge "Make neutron dhcp agents per network conditional" into stable/ocata | Jenkins | 1 | -0/+8
2017-04-04 | Purge initial firewall for deployed-server's | James Slagle | 1 | -0/+6
We need to purge the initial firewall for deployed-server's, otherwise if you have a default REJECT rule, the pacemaker cluster will fail to initialize. This matches the behavior done when using images, see:
    Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
    I0dee5ff045fbfe7b55d078583e16b107eec534aa
Change-Id: Ia83d17b609e4f737074482a980689cc57c3ad911
Closes-Bug: #1679234
(cherry picked from commit a216934f408439e77bf8346dafe30c4752c70946)
2017-04-04 | Set auth flag so ceilometer auth is enabled | Pradeep Kilambi | 1 | -0/+5
Ceilometer Auth should be enabled even if ceilometer api is not. Let's decouple these; this flag will be used in puppet-tripleo where ceilometer::keystone::auth class is initialized.
Change-Id: Iffebd40752eafb1d30b5962da8b5624fb9df7d48
Closes-bug: #1677354
(cherry picked from commit 0d04302abd19f98df3cd700f9cc4ec47273e5dac)
2017-04-03 | Merge "Re-Add bigswitch agent support" into stable/ocata | Jenkins | 1 | -0/+5
2017-04-02 | Include panko in the default dispatcher | Pradeep Kilambi | 1 | -0/+4
panko is enabled by default, we might as well make it the default dispatcher along with gnocchi.
Closes-bug: #1676900
Change-Id: Icb6c98ed0810724e4445d78f3d34d8b71db826ae
(cherry picked from commit 568573b9b054c3804d9d1be2ce6ec2668ca2dbfb)
2017-03-31 | Re-Add bigswitch agent support | Alex Schultz | 1 | -0/+5
The agent configuration was lost in newton during the puppet-tripleo and THT role conversion. This change adds support for including the bigswitch agent service for composable roles.
Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908
Closes-Bug: #1673126
(cherry picked from commit 8eaa5f8e10a801be8fc45eeaaa479e7774d97997)
2017-03-29 | Modify pci_passthrough hiera value as string | Saravanan KR | 1 | -0/+4
Hiera value of nova::compute::pci_passthrough should be a string. It has been modified to JSON with the hiera hook changes. Modifying it again back to string.
Closes-Bug: #1675036
Change-Id: I441907ff313ecc5b7b4da562c6be195687fc6c76
(cherry picked from commit 57c06ddefd4d7ff87de02dab9d1c5e92eb8e6eef)
2017-03-28 | Merge "Fixes missing firewall rules for neutron_ovs_dpdk_agent service" into stable/ocata | Jenkins | 1 | -0/+5
2017-03-28 | Merge "Fix usage of CinderNfsServers" into stable/ocata | Jenkins | 1 | -0/+6
2017-03-27 | Merge "Install openstack-selinux for deployed-server" into stable/ocata | Jenkins | 1 | -0/+6
2017-03-27 | Fix usage of CinderNfsServers | Christian Schwede | 1 | -0/+6
This feature stopped working somewhere along the lines. In the past it was working with parameter_defaults like this:
    CinderNfsServers: '10.0.0.254:/srv/nfs/cinder'
or
    CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder"
The problem was that the templating escaped these strings, and puppet-tripleo didn't receive a proper array, but a string. This patch fixes this. It accepts strings as above as well as comma-delimited lists of Nfs Servers.
Closes-Bug: 1671153
Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
(cherry picked from commit 9445b0e0972696e7de1c0a702f456571d12fa964)
2017-03-27 | Merge "etcd: secure EtcdInitialClusterToken parameter" into stable/ocata | Jenkins | 1 | -0/+6
2017-03-26 | Install openstack-selinux for deployed-server | James Slagle | 1 | -0/+6
No other packages actually require openstack-selinux, so it must be explicitly installed.
Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a
Closes-Bug: #1675170
(cherry picked from commit 583a60248f47428542a560a869aab04933512d94)
2017-03-26 | Fixes missing firewall rules for neutron_ovs_dpdk_agent service | Tim Rozet | 1 | -0/+5
Firewall config was being inherited by the dpdk service, however since the firewall service name was the parent (neutron_ovs_agent) and technically that service was not enabled - the rules were never applied. This modifies the service name as it is inherited using map_replace.
Closes-Bug: 1674689
Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit 48a38a19347a18d4d35fb22de82136359aae5cb7)
2017-03-25 | Fixes OpenDaylightProviderMappings hiera parsing | Tim Rozet | 1 | -0/+4
The str_replace conversion used previously is no longer needed and breaks the hieradata value.
Closes-Bug: 1675426
Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055
Signed-off-by: Tim Rozet <trozet@redhat.com>
(cherry picked from commit ae10ae4a5a21bb58c183aa50f237ffa2d6f14280)
2017-03-22 | etcd: secure EtcdInitialClusterToken parameter | Emilien Macchi | 1 | -0/+6
Secure EtcdInitialClusterToken parameter by:
* removing the default value.
* make it hidden.
Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961
Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9
Closes-Bug: #1673266
(cherry picked from commit 55d17ca118d27f16b57424774265f5b3db7b7b52)
2017-03-08 | Remove ha-by-default release note in Ocata | Carlos Camacho | 1 | -5/+0
This was not implemented for Ocata so this release note should not exist.
Change-Id: I58216fb54a156853f60697a903f1c38cf7970216
2017-03-06 | Make neutron dhcp agents per network conditional | Brent Eagles | 1 | -0/+8
While the heat templates specify a default value of 3, it rarely seems to have an effect as the tripleoclient is setting this according to the controller scale. This was fine before composable roles, but it is now invalid. While the client needs to be modified to no longer set this according to controller scale, the template should default to a sentinel value that will allow the puppet code to determine the proper value by the number of hosts that have the neutron dhcp agent deployed on them.
Depends-On: I5533e42c5ba9f72cc70d80489a07e30ee2341198
Partial-bug: #1632721
Change-Id: I06628764c4769d91bbc42efe1c722702d6574d02
(cherry picked from commit 3c5345fc75da1e289929ef5caf08a0f75f904bb4)
2017-02-24 | Add release notes for Manila/CephFS with managed Ceph | Giulio Fidente | 1 | -0/+11
Previously we could only configure Manila/CephFS with an externally managed Ceph cluster. By adding CephMDS users can use the TripleO managed Ceph cluster as well.
Change-Id: If714076e34a639c3df54936f335da4f2684b4533
(cherry picked from commit 9b70330a150b363c31b952867819e48830a10817)
2017-02-16 | Merge "Configuring a default ntp server." | Jenkins | 1 | -0/+6
2017-02-16 | Merge "Add release notes for the HA-by-default change" | Jenkins | 1 | -0/+5
2017-02-15 | Merge "Release notes ha composable" | Jenkins | 1 | -0/+12
2017-02-14 | Merge "Reduce memcached memory configuration" | Jenkins | 1 | -0/+7
2017-02-14 | Release notes ha composable | Michele Baldessari | 1 | -0/+12
Add some release notes about the composable ha work
Change-Id: I8975c3f597d1affbe6e52d4e16a2aad527006264
2017-02-14 | Configuring a default ntp server. | Carlos Camacho | 1 | -0/+6
Adding a default NTP server by default will keep all Pacemaker and non-Pacemaker deployments aligned with the same server by default. Also useful for keeping time diff controlled for Keystone and Ceph.
Change-Id: I8a26bae15cbfb83e3abd6b9ef9d12b57467e6258
2017-02-14 | Add release note for services endpoint change | Emilien Macchi | 1 | -0/+9
Add reno for:
- I1213a83ef8693c1cca1d20de974f7949a801d9f1
- Ib1103c00ddb7d6d624f4911147197d8355a3a6dd
Change-Id: Iecbbab5aeeade46b5cc238bc5542396e78db751c
2017-02-13 | Remove duplicated release notes | Emilien Macchi | 1 | -2/+0
Change-Id: I8c2e0af3ad4e47b12f4ecf2d5762df95e66fa34d
2017-02-13 | Merge "Added further security functionality in release notes." | Jenkins | 1 | -7/+17
2017-02-12 | Reduce memcached memory configuration | Alex Schultz | 1 | -0/+7
Previously the memcached configuration was set to use the defaults which would be 95% of the available ram in the system. This can lead to memory contention issues if memcache is heavily utilized. This change reduces the default to 50% and exposes the ability to tune this configuration.
Change-Id: Ie8a48ff4cf509e93d7c1487813d5feed5e5131a4
Closes-Bug: #1662941
2017-02-12 | Add missing release notes for Ocata | Emilien Macchi | 1 | -0/+22
Change-Id: I1bc3f37f910d6dfa833166217b1f58931d06be02
2017-02-07 | Merge "Add registry and role service list entries for Octavia" | Jenkins | 1 | -0/+4
2017-02-03 | Add registry and role service list entries for Octavia | Brent Eagles | 1 | -0/+4
This patch adds the Octavia services to the registry and controller role (disabled by default). Also included is an example environment file for enabling the services and required configuration. The API service profile is also amended to configure the load balancer service provider in neutron to point to the octavia load balancer driver.
Change-Id: I7f3bba950f5b1574ba842a39e93a8ac2b1ccf7bb
Partially-implements: blueprint octavia-service-integration
2017-02-03 | Provide a default value for Ironic cleaning_network configuration | Dmitry Tantsur | 1 | -0/+10
Ironic will soon refuse to start when at least some value is not provided. Unfortunately, we do not create any overcloud[*] networks during deployment. Fortunately, Ironic does not validate this value until actual cleaning. So, this change sets it to "provisioning", which is what people often use. An update will follow to the documentation to recommend this name: http://tripleo.org/advanced_deployment/baremetal_overcloud.html#configuring-cleaning
A new parameter is created for this value, with a reminder to change it to an actual UUID later on. While a pre-defined name will work in the simplest case, in a real multi-tenant deployment a network name conflict is possible. Using a UUID is safer in this regard.
[*] networks created in overcloud neutron
Change-Id: I1b7dc2ff70d3b76f19a183a60e88cf72f6d2a318
Closes-Bug: #1661082
2017-02-03 | Added further security functionality in release notes. | lhinds | 1 | -7/+17
This patch seeks to add further security functions present within tripleo for the ocata release.
Change-Id: Ie89b85589c2dfd3580de75253b73009b5d06c9f2
2017-01-27 | Add AuditD composable service | Steven Hardy | 1 | -0/+9
This patch allows the management of the AuditD service and its associated files (such as `audit.rules`). This is achieved by means of the `puppet-auditd` puppet module. Also places ssh banner capabilities map on top of patch.
Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d
Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b
2017-01-27 | Merge "Add a release note for using deployed-servers (aka split-stack)" | Jenkins | 1 | -0/+8