[release-announce] [tripleo] puppet-tripleo-announce-release 5.6.1 (newton)

no-reply at openstack.org no-reply at openstack.org
Fri Aug 4 21:23:48 UTC 2017


We are amped to announce the release of:

puppet-tripleo-announce-release 5.6.1

This release is part of the newton stable release series.

Download the package from:

    https://tarballs.openstack.org/puppet-tripleo/

For more details, please see below.

5.6.1
^^^^^


New Features
************

* Unless a non-default value is provided, the
  dhcp_agents_per_network neutron configuration variable is set to
  the number of deployed neutron dhcp agents.

* Restrict nova migration ssh tunnel:

  * The ssh authorized_keys file is only writeable by root.

  * Creates a new user for migration instead of using root/nova.

  * Disables SSH forwarding for this user.

  * Restricts the networks that this user can connect from.

  * Uses an ssh wrapper command to whitelist the commands that this
    user can run over ssh.

  Adds new parameter
  "tripleo::profile::base::nova::migration_ssh_localaddrs" to specify
  which incoming IPs are allowed for SSH tunnel connections.

* Configure ssh tunneling for nova cold-migration. Re-use the tunnel
  for libvirt live-migration unless TLS is enabled.

* Added /etc/issue & /etc/issue.net parameters

* Added MOTD banner parameters

* Added external module saz-ssh to allow management of sshd_config


Known Issues
************

* Ignore failures if the nf_conntrack_proto_sctp module fails to load.
  Since RHEL 7.4, the sctp support provided by nf_conntrack_proto_sctp
  is compiled into the kernel instead of being built as a module.
  TripleO will still try to load the module to support RHEL 7.3, but
  in the future will remove the module management and rely on the
  kernel provided in newer versions of RHEL.


Bug Fixes
*********

* Allow VF configuration files to be written for non-existent PCI
  devices, so that updates can proceed while physical functions are
  in use by a guest.

* With the mod_ssl package installed by default in images, we
  introduced an issue with mod_ssl package updates. When SSL is not
  being used, or is provided by HAProxy, the puppet-apache module
  purges the ssl.conf file by default. The package update then
  recreates the file with the default Listen 443 option. This causes
  a conflict on port 443 during httpd restart. If we include
  ::apache::mod::ssl, the ssl.conf file will be configured and the
  Listen option will be used only if there is a vhost set to use SSL.

Changes in puppet-tripleo-announce-release 5.6.0..5.6.1
-------------------------------------------------------

bd97ed5 Release 5.6.1
fe7a001 Use correct manage_firewall hieradata
7d50cc9 Do not fail if PCI device is missing
0b9e9b7 Remove unnecessary references to neutron core plugin hiera
63c3259 Addition of Nuage as mechanism driver for ML2
d1d38fb Default neutron dhcp_agents_per_network to number of agents
e2885f4 Ignore failures when loading nf_conntrack_proto_sctp kernel module
705051f Decouple swift-proxy from ceilometer packages
57c4a52 Include local CA in haproxy PEM
68adf5b Remove condition to match hdr(host) in haproxy redirect rule
eed662f Restrict nova migration ssh tunnel
e1f0633 Configure migration SSH tunnel
0c87038 Refactor SSHD config to allow both SSHD options and banner/motd to be set
3026e27 Stop SSHD profile clobbering SSH client config
fc640d8 SSHD Service extensions
62f1bf7 Update gitignore not to exclude fixture hieradata
547d96d Add retries to the ::pacemaker::stonith property
a70c065 Ensure we configure ssl.conf
b555dc3 Create /etc/my.cnf.d/tripleo.cnf with proper bind-address


Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |   3 +-
Puppetfile_extras                                  |   4 +
lib/puppet/provider/sriov_vf_config/numvfs.rb      |   2 +-
manifests/certmonger/haproxy.pp                    |  20 +-
manifests/haproxy.pp                               |   2 +-
manifests/haproxy/endpoint.pp                      |   2 +-
manifests/host/sriov.pp                            |   2 +-
manifests/profile/base/aodh/api.pp                 |   1 +
manifests/profile/base/ceilometer/api.pp           |   1 +
manifests/profile/base/database/mysql/client.pp    |  72 ++++
manifests/profile/base/gnocchi/api.pp              |   1 +
manifests/profile/base/kernel.pp                   |  28 +-
manifests/profile/base/keystone.pp                 |   1 +
manifests/profile/base/neutron.pp                  |  30 +-
manifests/profile/base/neutron/plugins/ml2.pp      |   4 +
.../profile/base/neutron/plugins/ml2/nuage.pp      |  31 ++
manifests/profile/base/neutron/sriov.pp            |  14 +-
manifests/profile/base/nova.pp                     | 120 ++++++-
manifests/profile/base/pacemaker.pp                |   8 +-
manifests/profile/base/sshd.pp                     |  85 +++++
manifests/profile/base/swift/proxy.pp              |  21 +-
metadata.json                                      |   2 +-
...missing-pci-dev-for-sriov-bbc29f62fcac10ff.yaml |   5 +
...e-dhcp-agents-per-network-3089c5e7b15f8b7b.yaml |   5 +
.../cold_migration_security-1543136408c76459.yaml  |  10 +
.../cold_migration_setup-dc4ebd834920c27f.yaml     |   4 +
.../notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml    |  10 +
.../nf_conntrack_proto_sctp-a64300a3fc7b4e55.yaml  |   9 +
releasenotes/notes/sshd-437c531301f458bb.yaml      |   5 +
spec/classes/tripleo_host_sriov_spec.rb            |   4 +-
spec/classes/tripleo_profile_base_kernel_spec.rb   |  59 ++++
spec/classes/tripleo_profile_base_nova_spec.rb     | 375 +++++++++++++++++++++
spec/classes/tripleo_profile_base_sshd_spec.rb     | 192 +++++++++++
spec/fixtures/hieradata/default.yaml               |   6 +
spec/spec_helper.rb                                |   2 +
35 files changed, 1093 insertions(+), 47 deletions(-)






