Open Stack

We are psyched to announce the release of:

openstack-ansible 14.2.10: Ansible playbooks for deploying OpenStack

This release is part of the newton release series.

The source is available from:

    http://git.openstack.org/cgit/openstack/openstack-ansible

Download the package from:

    https://tarballs.openstack.org/openstack-ansible/

For more details, please see below.

14.2.10
^^^^^^^


New Features
************

* A new repository for installing modern erlang from ESL (erlang
  solutions) has been added giving us the ability to install and
  support modern stable erlang over numerous operating systems.

* The ability to set the RabbitMQ repo URL for both erlang and
  RabbitMQ itself has been added. This has been done to allow
  deployers to define the location of a given repo without having to
  fully redefine the entire set of definitions for a specific
  repository. The default variables *rabbitmq_gpg_keys*,
  *rabbitmq_repo_url*, and *rabbitmq_erlang_repo_url* have been
  created to facilitate this capability.

* The ansible-hardening role supports the application of the Red Hat
  Enterprise Linux 6 STIG configurations to systems running CentOS 7
  and Ubuntu 16.04 LTS.

* The default ulimit for RabbitMQ is now 65536. Deployers can still
  adjust this limit using the "rabbitmq_ulimit" Ansible variable.


Upgrade Notes
*************

* Changing to the ESL repos has no upgrade impact. The version of
  erlang provided by ESL is newer than that what is found in the
  distro repos. Furthermore, a pin has been added to ensure that APT
  always uses the ESL repos as it's preferred source which has been
  done to simply ensure APT is always pointed at ESL.


Security Issues
***************

* The "net.bridge.bridge-nf-call-*" kernel parameters were set to
  "0" in previous releases to improve performance and it was left up
  to neutron to adjust these parameters when security groups are
  applied. This could cause situations where bridge traffic was not
  sent through iptables and this rendered security groups ineffective.
  This could allow unexpected ingress and egress traffic within the
  cloud.

  These kernel parameters are now set to "1" on all hosts by the
  "openstack_hosts" role, which ensures that bridge traffic is always
  sent through iptables.

* "PermitRootLogin" in the ssh configuration has changed from "yes"
  to "without-password".  This will only allow ssh to be used to
  authenticate root via a key.


Bug Fixes
*********

* Based on documentation from RabbitMQ [ https://www.rabbitmq.com
  /which-erlang.html ] this change ensures the version of erlang we're
  using across distros is consistent and supported by RabbitMQ.

Changes in openstack-ansible 14.2.9..14.2.10
--------------------------------------------

7267d21 Update os_neutron role SHA to include dns_domain
ba03543 Update all SHAs for 14.2.10


Diffstat (except docs and test files)
-------------------------------------

ansible-role-requirements.yml                      | 50 +++++++++++-----------
playbooks/defaults/repo_packages/gnocchi.yml       |  2 +-
.../defaults/repo_packages/openstack_services.yml  | 48 ++++++++++-----------
playbooks/inventory/group_vars/all.yml             |  2 +-
...ity-groups-always-applied-eb6e3bdc7b77f022.yaml | 13 ++++++
releasenotes/notes/esl-repo-6ff0c7f24ad2a043.yaml  | 25 +++++++++++
...ot-login-without-password-948ec79c6508c19b.yaml |  6 +++
...support-for-centos-xenial-2b89c318cc3df4b0.yaml |  2 +-
.../ulimit-increased-65536-50b418d8e8ca4eef.yaml   |  5 +++
9 files changed, 101 insertions(+), 52 deletions(-)