[openstack-announce] [new][openstackansible] openstack-ansible 12.0.16 release
no-reply at openstack.org
Tue Jul 5 14:51:23 UTC 2016
We are glad to announce the release of:
openstack-ansible 12.0.16: Ansible playbooks for deploying OpenStack
With source available at:
http://git.openstack.org/cgit/openstack/openstack-ansible
For more details, please see below.
12.0.16
^^^^^^^
New Features
************
* The audit rules added by the security role now have key fields
that make it easier to link the audit log entry to the audit rule
that caused it to appear.
* Apache MPM tunable support has been added to the os-keystone role
in order to allow MPM thread tuning. Default values reflect the
current Ubuntu default settings:
     keystone_httpd_mpm_backend: event
     keystone_httpd_mpm_start_servers: 2
     keystone_httpd_mpm_min_spare_threads: 25
     keystone_httpd_mpm_max_spare_threads: 75
     keystone_httpd_mpm_thread_limit: 64
     keystone_httpd_mpm_thread_child: 25
     keystone_httpd_mpm_max_requests: 150
     keystone_httpd_mpm_max_conn_child: 0
Upgrade Notes
*************
* During the upgrade from Kilo to Liberty, this change deletes the
repo containers and recreates them to fix an upgrade issue with
dependencies.
Bug Fixes
*********
* The role previously did not restart the audit daemon after
generating a new rules file. The bug
(https://launchpad.net/bugs/1590916) has been fixed and the audit
daemon will be restarted after any audit rule changes.
* The dictionary-based variables in "defaults/main.yml" are now
individual variables. The dictionary-based variables could not be
changed as the documentation instructed. Instead it was required to
override the entire dictionary. Deployers must use the new variable
names to enable or disable the security configuration changes
applied by the security role. For more information, see Launchpad
Bug 1577944
(https://bugs.launchpad.net/openstack-ansible/+bug/1577944).
* Failed access logging is now disabled by default and can be
enabled by changing "security_audit_failed_access" to "yes". The
rsyslog daemon checks for the existence of log files regularly and
this audit rule was triggered very frequently, which led to very
large audit logs.
* The security role previously set the permissions on all audit log
files in "/var/log/audit" to "0400", but this prevented the audit
daemon from writing to the active log file, which in turn prevented
"auditd" from starting or restarting cleanly.
The task now removes any permissions that are not allowed by the
STIG. Any log files that meet or exceed the STIG requirements will
not be modified.
* When the security role was run in Ansible's check mode and a tag
was provided, the "check_mode" variable was not being set. Any tasks
which depend on that variable would fail. This bug is fixed
(https://bugs.launchpad.net/openstack-ansible/+bug/1590086) and the
"check_mode" variable is now set properly on every playbook run.
* The security role now handles "ssh_config" files that contain
"Match" stanzas. A marker is added to the configuration file and any
new configuration items will be added below that marker. In
addition, the configuration file is validated after each change.
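The "Match" stanza handling described in the last item above, sketched as an added example (not code from openstack-ansible or its security role): directives that follow a "Match" line apply only inside that stanza, so managed settings are kept under a marker above the first one. The marker text, function names and sample configuration are constructed for illustration, and placing the marker just before the first "Match" line is an assumption.

```python
import re

# Hypothetical marker text; the page does not give the real one.
MARKER = "# BEGIN managed security settings"
MATCH_RE = re.compile(r"^\s*Match\s", re.IGNORECASE)

# Constructed sample: a global section followed by one Match stanza.
SAMPLE = """\
Port 22
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
    X11Forwarding no
"""


def first_match(lines):
    """Index of the first Match line, or len(lines) if there is none."""
    return next((i for i, ln in enumerate(lines) if MATCH_RE.match(ln)), len(lines))


def apply_settings(config_text, settings):
    """Place each 'keyword value' pair directly below MARKER (idempotent)."""
    lines = config_text.splitlines()
    if MARKER not in lines:
        # Assumption: the marker sits just above the first Match stanza.
        lines.insert(first_match(lines), MARKER)
    for keyword, value in settings.items():
        kw_re = re.compile(rf"^\s*{re.escape(keyword)}\s", re.IGNORECASE)
        limit = first_match(lines)
        # Remove global-scope copies only; per-Match overrides are kept.
        lines = [ln for i, ln in enumerate(lines)
                 if not (i < limit and kw_re.match(ln))]
        lines.insert(lines.index(MARKER) + 1, f"{keyword} {value}")
    return "\n".join(lines) + "\n"


def globally_scoped(config_text, keyword):
    """True if keyword is set before any Match stanza begins."""
    for ln in config_text.splitlines():
        if MATCH_RE.match(ln):
            return False
        if ln.split()[:1] == [keyword]:
            return True
    return False


if __name__ == "__main__":
    hardened = apply_settings(SAMPLE, {"ClientAliveInterval": "300"})
    print(hardened)
    print(globally_scoped(SAMPLE + "ClientAliveInterval 300\n", "ClientAliveInterval"))
```

The structural check here stands in for the validation step; on a real host the candidate file would be checked with `sshd -t -f <file>` before it replaces the live one.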
Changes in openstack-ansible 12.0.15..12.0.16
---------------------------------------------
8d40626 conditionally include the scsi_dh kernel module
4b63bdd Added the ip_vs kernel module to all openstack hosts
368b7e2 Destroy repo containers before upgrade
a4d0ef9 Add support to tune the keystone apache MPM settings
0b661e2 Fix config generated for rsyslog_client_log_files
504c656 Update all SHAs for 12.0.16
874edd6 Only match full IP addresses in /etc/hosts
Diffstat (except docs and test files)
-------------------------------------
ansible-role-requirements.yml | 23 ++---
.../defaults/repo_packages/openstack_services.yml | 28 +++---
playbooks/inventory/group_vars/all.yml | 2 +-
playbooks/inventory/group_vars/hosts.yml | 2 +-
playbooks/roles/openstack_hosts/defaults/main.yml | 3 +-
.../templates/openstack-host-hostfile-setup.sh.j2 | 2 +-
playbooks/roles/os_keystone/defaults/main.yml | 10 ++
.../roles/os_keystone/tasks/keystone_apache.yml | 3 +-
.../templates/keystone-httpd-mpm.conf.j2 | 9 ++
playbooks/roles/os_nova/templates/policy.json.j2 | 3 -
.../tasks/rsyslog_client_post_install.yml | 7 +-
.../rsyslog_client/templates/99-rsyslog.conf.j2 | 2 +-
.../templates/os_aggregate_storage.j2 | 2 +-
.../notes/augenrules-restart-39fe3e1e2de3eaba.yaml | 5 +
...tionary-variables-removed-957c7b7b2108ba1f.yaml | 9 ++
...iled-access-audit-logging-789dc01c8bcbef17.yaml | 6 ++
...-audit-log-permission-bug-81a772e2e6d0a5b3.yaml | 10 ++
.../fix-check-mode-with-tags-bf798856a27c53eb.yaml | 7 ++
...ndling-sshd-match-stanzas-fa40b97689004e46.yaml | 7 ++
.../improved-audit-rule-keys-9fa85f758386446c.yaml | 5 +
...pache-mpm-tunable-support-1c72f2f99cd502bc.yaml | 18 ++++
...fore-upgrade-kilo-liberty-40df3cd4c992a52a.yaml | 5 +
requirements.txt | 2 +-
scripts/ansible-role-requirements-editor.py | 104 +++++++++++++++++++++
scripts/get-pypi-pkg-version.py | 2 +-
scripts/run-upgrade.sh | 3 +-
scripts/scripts-library.sh | 2 +-
scripts/sources-branch-updater.sh | 73 +++++++++++++++
test-requirements.txt | 9 +-
30 files changed, 331 insertions(+), 55 deletions(-)
Requirements updates
--------------------
diff --git a/requirements.txt b/requirements.txt
index ec58012..d866451 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12 +12 @@ pip==8.1.2
-setuptools==22.0.0
+setuptools==23.0.0
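Review bot: the setuptools pin on the +setuptools==23.0.0 line moves a full major version in a point release, and none of the release notes above mention it. A one-line note on why 23.0.0 is needed, or which commit in the change list introduced it, would let deployers who mirror or vet Python packages know to pull the new version before upgrading.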
diff --git a/test-requirements.txt b/test-requirements.txt
index 1e3f8b5..d8f8de5 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,2 +3,2 @@ ansible-lint>=2.0.3,<=2.3.6
-bashate==0.5.0 # Apache-2.0
-flake8==2.2.4
+bashate>=0.2 # Apache-2.0
+flake8>=2.2.4,<=2.4.1
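Review bot: +bashate>=0.2 replaces an exact pin with an open-ended range whose floor is below the 0.5.0 that was pinned before, so the lint gate can now resolve to an older or an arbitrarily newer bashate and results stop being reproducible between runs. The flake8 line in the same hunk gets both a floor and a ceiling (>=2.2.4,<=2.4.1); giving bashate the same treatment, with the floor at the last version known to pass, would keep the test environment predictable.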
@@ -6 +6,2 @@ hacking>=0.10.0,<0.11
-mccabe==0.2.1 # capped for flake8
+# mccabe capped for flake8
+mccabe==0.2.1 # MIT License
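Review bot: mccabe stays pinned at ==0.2.1 "for flake8" while the previous hunk widened flake8 to >=2.2.4,<=2.4.1; it is worth confirming that every flake8 release in that range accepts mccabe 0.2.1, since otherwise dependency resolution fails at install time. As a style point, the licence comments are inconsistent: "# MIT License" here versus the SPDX-style "# Apache-2.0" on the bashate line.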
@@ -11 +12 @@ pyflakes==0.8.1
-sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
+sphinx>=1.1.2,!=1.2.0,!=1.3b1,<1.3