path: root/releasenotes
Age | Commit message | Author | Files | Lines
2017-03-28 | Disable core dump for setuid programs | zshi | 1 | -0/+12
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. This change sets core dump for setuid programs to '0'. Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d Signed-off-by: zshi <zshi@redhat.com>
2017-03-28 | Merge "Restrict Access to Kernel Message Buffer" | Jenkins | 1 | -0/+11
2017-03-25 | Merge "Fixes missing firewall rules for neutron_ovs_dpdk_agent service" | Jenkins | 1 | -0/+5
2017-03-25 | Merge "Install openstack-selinux for deployed-server" | Jenkins | 1 | -0/+6
2017-03-25 | Merge "Fix usage of CinderNfsServers" | Jenkins | 1 | -0/+6
2017-03-23 | Fixes OpenDaylightProviderMappings hiera parsing | Tim Rozet | 1 | -0/+4
The str_replace conversion used previously is no longer needed and breaks the hieradata value. Closes-Bug: 1675426 Change-Id: I7a052d1757efe36daf6ed47e55598ca3c2ee9055 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-23 | Fix usage of CinderNfsServers | Christian Schwede | 1 | -0/+6
This feature stopped working somewhere along the lines. In the past it was working with parameter_defaults like this: CinderNfsServers: '10.0.0.254:/srv/nfs/cinder' or CinderNfsServers: "[fd00:fd00:fd00:3000::1]:/srv/nfs/cinder" The problem was that the templating escaped these strings, and puppet-tripleo didn't receive a proper array, but a string. This patch fixes this. It accepts strings as above as well as comma-delimited lists of Nfs Servers. Closes-Bug: 1671153 Change-Id: I89439c1d969e92cb8e0503de561e22409deafdfc
2017-03-22 | Install openstack-selinux for deployed-server | James Slagle | 1 | -0/+6
No other packages actually require openstack-selinux, so it must be explicitly installed. Change-Id: Ic7b39ddfc4cfb28b8a08e9b02043211e4ca4a39a Closes-Bug: #1675170
2017-03-22 | Fixes missing firewall rules for neutron_ovs_dpdk_agent service | Tim Rozet | 1 | -0/+5
Firewall config was being inherited by the dpdk service, however since the firewall service name was the parent (neutron_ovs_agent) and technically that service was not enabled - the rules were never applied. This modifies the service name as it is inherited using map_replace. Closes-Bug: 1674689 Change-Id: I6676205b8fc1fd578cb2435ad97fe577a9e81d95 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-22 | Merge "Enables OpenDaylight clustering in HA deployments" | Jenkins | 1 | -0/+5
2017-03-22 | Restrict Access to Kernel Message Buffer | zshi | 1 | -0/+11
Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi <zshi@redhat.com>
2017-03-20 | Enables OpenDaylight clustering in HA deployments | Tim Rozet | 1 | -0/+5
Port 2550 is required for inter-ODL communication when clustering. odl-jolokia feature is required to expose REST APIs from ODL for monitoring the cluster. Implements: blueprint opendaylight-ha Depends-On: Ic9a955a1c2afc040b2f9c6fb86573c04a60f9f31 Change-Id: Ie108ab75cce0cb7d89e72637c600e30fc241d186 Signed-off-by: Tim Rozet <trozet@redhat.com>
2017-03-17 | Re-Add bigswitch agent support | Alex Schultz | 1 | -0/+5
The agent configuration was lost in newton during the puppet-tripleo and THT role conversion. This change adds support for including the bigswitch agent service for composable roles. Change-Id: I46896389e48cdbe2864bf5b609a786f1c84ef908 Closes-Bug: #1673126
2017-03-16 | Merge "Added release note for NeutronExternalNetworkBridge deprecation" | Jenkins | 1 | -0/+10
2017-03-15 | etcd: secure EtcdInitialClusterToken parameter | Emilien Macchi | 1 | -0/+6
Secure EtcdInitialClusterToken parameter by: * removing the default value. * make it hidden. Change-Id: I938af697f9faaadb9c9aeb950e9410db24b1b961 Depends-On: I6e30cce469736e84a3c483fafa29d542b8347ba9 Closes-Bug: #1673266
2017-03-15 | Don't disable satellite repo after registration | Ben Nemec | 1 | -0/+6
Previously the rhel registration script disabled the satellite repo after installing packages from it. This means those packages will never be updated, which is not desirable from a long-term maintenance perspective. I believe this behavior is a holdover from the dib registration script, where we don't want to leave repos enabled because the image may be deployed many times and each instance needs to be re-registered. In t-h-t we don't have that problem because the script only runs at deploy time so it's okay and desirable to leave the repos enabled. Change-Id: I5d760467b458d90d74507a55effc49b71d22eaa3 Closes-Bug: 1673116
2017-03-14 | Switch keystone default provider to fernet | Juan Antonio Osorio Robles | 1 | -0/+6
UUID is to be deprecated, and we should be using fernet. Change-Id: I61b999e65ba5eb771776344d38eb90fc52d49d56
2017-03-13 | Merge "gnocchi: deploy services with Keystone v3 endpoints" | Jenkins | 1 | -0/+4
2017-03-13 | gnocchi: deploy services with Keystone v3 endpoints | Emilien Macchi | 1 | -0/+4
* Move swift_authurl to gnocchi-base hieradata, where other swift auth credentials live and switch it to versionless keystone endpoint. * Force swift_auth_version to 3 for Keystone v3. * Switch auth_uri to use versionless Keystone endpoint. * Switch auth_url to use Keystone admin endpoint (instead of internal). * Remove old parameters from gnocchi::api, not used anymore. Partial-blueprint: keystone-v3 Change-Id: I2feed8b1219069128faa1a1e8dcd2ddfbae7e40a
2017-03-13 | Merge "Remove ha-by-default release note" | Jenkins | 1 | -5/+0
2017-03-11 | Merge "Add BGPVPN composable service" | Jenkins | 1 | -0/+3
2017-03-10 | Remove ha-by-default release note | Ben Nemec | 1 | -5/+0
This has not landed yet but was accidentally release noted for Ocata. The release note should land with the patch that actually makes the change: I0f61016df6a9f07971c5eab51cc9674a1458c66f Change-Id: I7d68899a5892e219b73007b18ab42e06196ae07a
2017-03-10 | Add BGPVPN composable service | Ricardo Noriega | 1 | -0/+3
This project aims at supporting inter-connection between L3VPNs and Neutron resources, i.e. Networks, Routers and Ports. Partially-Implements: blueprint bgpvpn-service-integration Depends-On:I7c1686693a29cc1985f009bd7a3c268c0e211876 Change-Id: I576c9ac2b443dbb6886824b3da457dcc4f87b442 Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
2017-03-09 | Pass hieradata relevant for httpd in the Heat APIs | Juan Antonio Osorio Robles | 1 | -0/+6
The patch this depends on passes through the classes some parameters that are meant to be passed via t-h-t. This patch addresses these and other things required for deploying these services over httpd: * Set the number of workers taking care not to set this value to 0. * Add the apache base hieradata to the service profiles. * Set the servernames and other httpd-specific values. bp tls-via-certmonger Change-Id: I88e5ea7b9bbf35ae03f84fdc3ec76ae09f11a1b6 Depends-On: I23971b0164468e67c9b3577772af84bd947e16f1
2017-03-08 | sahara: configure keystone_authtoken parameters | Emilien Macchi | 1 | -0/+4
Configure keystone_authtoken for Sahara service. Change-Id: I045b7d1d52851ab0d532a8524fcea95705e3db78 Partial-implement: blueprint keystone-v3
2017-03-06 | Merge "Make neutron dhcp agents per network conditional" | Jenkins | 1 | -0/+8
2017-03-01 | Add plan-environment.yaml | Ana Krivokapic | 1 | -0/+2
This file is needed for plan import and export features. We want to enable the user to store the selection of environment options, so that it can be re-imported, and it does not have to be performed manually multiple times. The plan create workflow will look into the Swift container for this file, and import its contents into the Mistral environment. Conversely, plan export will create this file from the Mistral environment contents, so that it can later be re-imported. For more information, see the related blueprint, and the spec at https://specs.openstack.org/openstack/tripleo-specs/specs/ocata/gui-plan-import-export.html Partially implements: blueprint enhance-plan-creation-with-plan-environment Change-Id: I95e3e3a25104623d6fcf38e99403cebbd591b92d
2017-02-28 | Make neutron dhcp agents per network conditional | Brent Eagles | 1 | -0/+8
While the heat templates specify a default value of 3, it rarely seems to have an effect as the tripleoclient is setting this according to the controller scale. This was fine before composable roles, but it is now invalid. While the client needs to be modified to no longer set this according to controller scale, the template should default to a sentinel value that will allow the puppet code to determine the proper value by the number of hosts that have the neutron dhcp agent deployed on them. Depends-On: I5533e42c5ba9f72cc70d80489a07e30ee2341198 Partial-bug: #1632721 Change-Id: I06628764c4769d91bbc42efe1c722702d6574d02
2017-02-26 | Add VPP composable service | Feng Pan | 1 | -0/+6
Vector Packet Processing (VPP) is a high performance packet processing stack that runs in user space in Linux. VPP is used as an alternative to kernel networking stack for accelerated network data path. This patch adds VPP as a composable service. Note that NIC binding related configs for VPP are handled in os-net-config. Depends-on: I70a68a204a8b9d533fc2fa4fc33c39c3b1c366bf Change-Id: I5e4b1903dc87cb16259eeb05db585678acadbc6b Implements: blueprint fdio-integration-tripleo
2017-02-24 | Added release note for NeutronExternalNetworkBridge deprecation | Ihar Hrachyshka | 1 | -0/+10
The previous patch [1] that changed the default value for the parameter and that also deprecated the parameter missed a release note. This change fixes the mistake. [1] Iade7fbaf92c8c601227f4456a15ea3f13a907ee2 Change-Id: I72f6f7e50d729734ae6d61191f788ae2aed15145
2017-02-23 | Merge "Add release notes for Manila/CephFS with managed Ceph" | Jenkins | 1 | -0/+11
2017-02-23 | Merge "Add missing releasenotes for Swift ring management" | Jenkins | 1 | -0/+9
2017-02-16 | Add missing releasenotes for Swift ring management | Christian Schwede | 1 | -0/+9
Change-Id: Ifef3e6f661d0094ebcc587fd6c1d0783a92ada3f
2017-02-16 | Update reno for stable/ocata | OpenStack Release Bot | 2 | -0/+7
Change-Id: I4e68d566c7d52df850de41cb207f523ccb029c3f
2017-02-16 | Merge "Configuring a default ntp server." | Jenkins | 1 | -0/+6
2017-02-16 | Merge "Add release notes for the HA-by-default change" | Jenkins | 1 | -0/+5
2017-02-15 | Merge "Release notes ha composable" | Jenkins | 1 | -0/+12
2017-02-14 | Merge "Reduce memcached memory configuration" | Jenkins | 1 | -0/+7
2017-02-14 | Release notes ha composable | Michele Baldessari | 1 | -0/+12
Add some release notes about the composable ha work Change-Id: I8975c3f597d1affbe6e52d4e16a2aad527006264
2017-02-14 | Configuring a default ntp server. | Carlos Camacho | 1 | -0/+6
Adding a default NTP server by default will keep all Pacemaker and non-Pacemaker deployments aligned with the same server by default. Also useful for keeping time diff controlled for Keystone and Ceph. Change-Id: I8a26bae15cbfb83e3abd6b9ef9d12b57467e6258
2017-02-14 | Add release note for services endpoint change | Emilien Macchi | 1 | -0/+9
Add reno for: - I1213a83ef8693c1cca1d20de974f7949a801d9f1 - Ib1103c00ddb7d6d624f4911147197d8355a3a6dd Change-Id: Iecbbab5aeeade46b5cc238bc5542396e78db751c
2017-02-13 | Remove duplicated release notes | Emilien Macchi | 1 | -2/+0
Change-Id: I8c2e0af3ad4e47b12f4ecf2d5762df95e66fa34d
2017-02-13 | Merge "Added further security functionality in release notes." | Jenkins | 1 | -7/+17
2017-02-12 | Reduce memcached memory configuration | Alex Schultz | 1 | -0/+7
Previously the memcached configuration was set to use the defaults which would be 95% of the available ram in the system. This can lead to memory contention issues if memcache is heavily utilized. This change reduces the default to 50% and exposes the ability to tune this configuration. Change-Id: Ie8a48ff4cf509e93d7c1487813d5feed5e5131a4 Closes-Bug: #1662941
2017-02-12 | Add missing release notes for Ocata | Emilien Macchi | 1 | -0/+22
Change-Id: I1bc3f37f910d6dfa833166217b1f58931d06be02
2017-02-07 | Merge "Add registry and role service list entries for Octavia" | Jenkins | 1 | -0/+4
2017-02-03 | Add registry and role service list entries for Octavia | Brent Eagles | 1 | -0/+4
This patch adds the Octavia services to the registry and controller role (disabled by default). Also included is an example environment file for enabling the services and required configuration. The API service profile is also amended to configure the load balancer service provider in neutron to point to the octavia load balancer driver. Change-Id: I7f3bba950f5b1574ba842a39e93a8ac2b1ccf7bb Partially-implements: blueprint octavia-service-integration
2017-02-03 | Provide a default value for Ironic cleaning_network configuration | Dmitry Tantsur | 1 | -0/+10
Ironic will soon refuse to start when at least some value is not provided. Unfortunately, we do not create any overcloud[*] networks during deployment. Fortunately, Ironic does not validate this value until actual cleaning. So, this change sets it to "provisioning", which is what people often use. An update will follow to the documentation to recommend this name: http://tripleo.org/advanced_deployment/baremetal_overcloud.html#configuring-cleaning A new parameter is created for this value, with a reminder to change it to an actual UUID later on. While a pre-defined name will work in the simplest case, in a real multi-tenant deployment a network name conflict is possible. Using a UUID is safer in this regard. [*] networks created in overcloud neutron Change-Id: I1b7dc2ff70d3b76f19a183a60e88cf72f6d2a318 Closes-Bug: #1661082
2017-02-03 | Added further security functionality in release notes. | lhinds | 1 | -7/+17
This patch seeks to add further security functions present within tripleo for the ocata release. Change-Id: Ie89b85589c2dfd3580de75253b73009b5d06c9f2
2017-01-27 | Add AuditD composable service | Steven Hardy | 1 | -0/+9
This patch allows the management of the AuditD service and its associated files (such as `audit.rules`). This is achieved by means of the `puppet-auditd` puppet module. Also places ssh banner capabilities map on top of patch Change-Id: Ib8bb52dde88304cb58b051bced9779c97a314d0d Depends-On: Ie31c063b674075e35e1bfa28d1fc07f3f897407b