[release-announce] [openstackansible] openstack-ansible 14.2.10 (newton)
no-reply at openstack.org
no-reply at openstack.org
Thu Oct 26 22:08:29 UTC 2017
We are psyched to announce the release of:
openstack-ansible 14.2.10: Ansible playbooks for deploying OpenStack
This release is part of the newton release series.
The source is available from:
http://git.openstack.org/cgit/openstack/openstack-ansible
Download the package from:
https://tarballs.openstack.org/openstack-ansible/
For more details, please see below.
14.2.10
^^^^^^^
New Features
************
* A new repository for installing modern erlang from ESL (erlang
solutions) has been added giving us the ability to install and
support modern stable erlang over numerous operating systems.
* The ability to set the RabbitMQ repo URL for both erlang and
RabbitMQ itself has been added. This has been done to allow
deployers to define the location of a given repo without having to
fully redefine the entire set of definitions for a specific
repository. The default variables *rabbitmq_gpg_keys*,
*rabbitmq_repo_url*, and *rabbitmq_erlang_repo_url* have been
created to facilitate this capability.
* The ansible-hardening role supports the application of the Red Hat
Enterprise Linux 6 STIG configurations to systems running CentOS 7
and Ubuntu 16.04 LTS.
* The default ulimit for RabbitMQ is now 65536. Deployers can still
adjust this limit using the "rabbitmq_ulimit" Ansible variable.
Upgrade Notes
*************
* Changing to the ESL repos has no upgrade impact. The version of
erlang provided by ESL is newer than that what is found in the
distro repos. Furthermore, a pin has been added to ensure that APT
always uses the ESL repos as it's preferred source which has been
done to simply ensure APT is always pointed at ESL.
Security Issues
***************
* The "net.bridge.bridge-nf-call-*" kernel parameters were set to
"0" in previous releases to improve performance and it was left up
to neutron to adjust these parameters when security groups are
applied. This could cause situations where bridge traffic was not
sent through iptables and this rendered security groups ineffective.
This could allow unexpected ingress and egress traffic within the
cloud.
These kernel parameters are now set to "1" on all hosts by the
"openstack_hosts" role, which ensures that bridge traffic is always
sent through iptables.
* "PermitRootLogin" in the ssh configuration has changed from "yes"
to "without-password". This will only allow ssh to be used to
authenticate root via a key.
Bug Fixes
*********
* Based on documentation from RabbitMQ [ https://www.rabbitmq.com
/which-erlang.html ] this change ensures the version of erlang we're
using across distros is consistent and supported by RabbitMQ.
Changes in openstack-ansible 14.2.9..14.2.10
--------------------------------------------
7267d21 Update os_neutron role SHA to include dns_domain
ba03543 Update all SHAs for 14.2.10
Diffstat (except docs and test files)
-------------------------------------
ansible-role-requirements.yml | 50 +++++++++++-----------
playbooks/defaults/repo_packages/gnocchi.yml | 2 +-
.../defaults/repo_packages/openstack_services.yml | 48 ++++++++++-----------
playbooks/inventory/group_vars/all.yml | 2 +-
...ity-groups-always-applied-eb6e3bdc7b77f022.yaml | 13 ++++++
releasenotes/notes/esl-repo-6ff0c7f24ad2a043.yaml | 25 +++++++++++
...ot-login-without-password-948ec79c6508c19b.yaml | 6 +++
...support-for-centos-xenial-2b89c318cc3df4b0.yaml | 2 +-
.../ulimit-increased-65536-50b418d8e8ca4eef.yaml | 5 +++
9 files changed, 101 insertions(+), 52 deletions(-)
More information about the Release-announce
mailing list