[release-announce] tripleo-heat-templates 13.3.0 (victoria)

no-reply at openstack.org no-reply at openstack.org
Thu Jun 3 10:26:51 UTC 2021


We are jazzed to announce the release of:

tripleo-heat-templates 13.3.0: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the victoria stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

13.3.0
^^^^^^


New Features
************

* Added new options for deploying Barbican with PKCS#11 backends:
  *BarbicanPkcs11CryptoTokenLabels* and
  *BarbicanPkcs11CryptoOsLockingOk*

* The "OS::TripleO::{{role.name}}::PreNetworkConfig" resource has
  been restored. This resource can be used to implement any
  configuration steps executed before network configurations are
  applied.

* *QemuDefaultTLSVerify* will allow operators to enable or disable
  TLS client certificate verification. Enabling this option will
  reject any client who does not have a certificate signed by the CA
  in /etc/pki/qemu/ca-cert.pem. The default is true and matches
  libvirt's. We will want to disable this by default in train.

* Added PTP parameters for timemaster service configuration on
  overcloud compute nodes. Timemaster will use the already present
  chrony parameters. PTPMessageTransport and PTPInterfaces are newly
  added.


Deprecation Notes
*****************

* The *BarbicanPkcs11CryptoTokenLabel* option has been deprecated
  and replaced with the *BarbicanPkcs11CryptoTokenLabels* option.


Bug Fixes
*********

* The "ExtraConfigPre" and "NodeExtraConfig" resources are now
  executed after network configurations are applied on nodes. This is
  consistent with the previous version, which used the heat software
  deployment mechanism instead of config-download.

* Previously, access to the sshd run by the nova-migration-target
  container was limited only via the sshd_config. While login is not
  possible from other networks, the service is reachable via all
  networks. This change limits access to the NovaLibvirt and
  NovaApi networks, which are used for cold and live-migration.

* The Nova vnc configuration currently uses NovaVncProxyNetwork,
  NovaLibvirtNetwork and NovaApiNetwork to configure the different
  components (novnc proxy, nova-compute and libvirt) for vnc. If one
  of the networks is changed from internal_api, the service
  configuration between libvirt, nova-compute and novnc proxy becomes
  inconsistent and the console is broken. This has been changed to use
  only NovaLibvirtNetwork for configuring the vnc endpoints, and
  NovaVncProxyNetwork is removed completely.

Changes in tripleo-heat-templates 13.2.0..13.3.0
------------------------------------------------

4890946ec Fix network_cidrs when ManageNetworks: false
0eaa748bb Add dependency on OVNMacAddressNetwork for role ResourceGroup
f35479563 Set tags on all OS::Neutron::Port resources
007eaecf0 Stop handler flush
cf17ac91e Add tags to THT network resources
d39526de1 Fix "ManageNetworks" use-case
9b67d6420 Add new options for Barbican PKCS#11 backend
b4cec5b72 Add OVNEncapType option to the ovn controller template
b6d85231a Re-add NovaVncProxyNetwork to service_net_map.j2.yaml
86de3c350 Disable tunneled mode when use_tls_for_live_migration
0fba0ce39 Add openstack-tox-tht to the gate
9536a5f31 Fix RoleParameters in tuned-baremetal-ansible.yaml
1311f8a52 Don't assume every role has default_route_networks
1785dabb8 Correct metrics_qdr logging path and regex parsing
521eae135 Run update tasks with become
c71b72b29 Stop using (and breaking) /var/tmp for horizon temporary things
f8485c9db Moving nova-consoleauth to step4
6ba1d84a4 Missing client certificate for live-migration with TLS
50c089a1f Add RootStackName to group_vars
48c444796 Add systemd dependency to openvswitch to ovn-controller
b542452cc Disabling LM PostCopy and AutoConverge for RT roles
ce9ae8666 Mount /etc/openldap inside the keystone container
9befbde21 Limit access to sshd used for nova migration
b276cb24b Remove ovn-cms-options from OVS when OVNCMSOptions is set to ""
e1998a8e5 Ensure ansible_fqdn is set
5171cd3d7 Fix NovaVncProxyNetwork removal
df04e9518 Remove no longer used NovaNfsEnabled parameter and condtion
de98fdb20 HA: fix race when moving VIP during minor update
1e137876a [update][upgrade] Use container-tools:3.0
63001263a HA: inject public certificates without blocking container
5325ac311 Move tmpwatch from cron.daily to actual root crontab
4260d30ea Set vlan-limit value depending on vlan_transparent setting
c2e62032b Correct spelling mistake
4be137395 Config parameters for timemaster service
721a8d414 [OVN] Remove check for OVN + Availability Zones
87fc83d7b Restore PreNetworkConfig resources
9ba03482c live_migration setting should be under libvirt namespace
05b191d3e Use single NovaLibvirtNetwork to configure instance console components
178018d90 Switch Octavia external tasks to 'post deploy'


Diffstat (except docs and test files)
-------------------------------------

common/deploy-steps.j2                             |  31 +++-
deployed-server/ctlplane-port.yaml                 |   8 +
deployed-server/deployed-neutron-port.yaml         |  11 ++
deployed-server/deployed-server.yaml               |   8 +
.../barbican/barbican-api-container-puppet.yaml    |  20 ++-
.../barbican-backend-pkcs11-crypto-puppet.yaml     |  16 +-
deployment/glance/glance-api-container-puppet.yaml |   2 +-
deployment/haproxy/haproxy-public-tls-inject.yaml  |   6 +-
deployment/horizon/horizon-container-puppet.yaml   |  23 ++-
deployment/ipa/ipaservices-baremetal-ansible.yaml  |   9 ++
deployment/keystone/keystone-container-puppet.yaml |   1 +
.../logrotate-crond-container-puppet.yaml          |  45 ++++--
deployment/metrics/qdr-container-puppet.yaml       |   4 +-
.../neutron/neutron-api-container-puppet.yaml      |   3 +-
.../neutron/neutron-dhcp-container-puppet.yaml     |   4 +-
deployment/nova/nova-compute-container-puppet.yaml |  58 ++++---
deployment/nova/nova-ironic-container-puppet.yaml  |  12 --
deployment/nova/nova-libvirt-container-puppet.yaml |  25 ++-
.../nova-migration-target-container-puppet.yaml    |  52 ++++---
.../nova/nova-vnc-proxy-container-puppet.yaml      |  33 ++--
.../octavia/octavia-deployment-config.j2.yaml      |   3 +-
.../ovn/ovn-controller-container-puppet.yaml       |  24 ++-
.../pacemaker/pacemaker-baremetal-puppet.yaml      |   4 +-
.../timemaster/timemaster-baremetal-ansible.yaml   | 171 +++++++++++++++++++++
deployment/timesync/chrony-baremetal-ansible.yaml  |   2 -
deployment/tls/undercloud-tls.yaml                 |   3 +
deployment/tuned/tuned-baremetal-ansible.yaml      |  19 ++-
environments/barbican-backend-pkcs11-atos.yaml     |  13 +-
environments/barbican-backend-pkcs11-lunasa.yaml   |   3 +-
environments/barbican-backend-pkcs11-thales.yaml   |   3 +-
.../lifecycle/undercloud-upgrade-prepare.yaml      |   2 +-
environments/lifecycle/update-prepare.yaml         |   2 +-
environments/lifecycle/upgrade-prepare.yaml        |   2 +-
.../config/2-linux-bonds-vlans/role.role.j2.yaml   |   2 +-
network/config/bond-with-vlans/role.role.j2.yaml   |   2 +-
.../config/multiple-nics-vlans/role.role.j2.yaml   |   2 +-
network/config/multiple-nics/role.role.j2.yaml     |   2 +-
.../role.role.j2.yaml                              |   2 +-
network/config/single-nic-vlans/role.role.j2.yaml  |   2 +-
network/network.j2                                 |  63 +++++---
network/ports/ctlplane_vip.yaml                    |  16 +-
network/ports/from_service.yaml                    |   3 +
network/ports/from_service_v6.yaml                 |   3 +
network/ports/noop.yaml                            |  13 ++
network/ports/ovn_mac_addr_port.yaml               |  16 ++
network/ports/port.j2                              |  39 +++++
network/ports/port_from_pool.j2                    |  13 ++
network/ports/vip.yaml                             |  15 ++
network/ports/vip_v6.yaml                          |  16 +-
overcloud-resource-registry-puppet.j2.yaml         |   2 +
overcloud.j2.yaml                                  |  24 ++-
puppet/role.role.j2.yaml                           |  13 ++
...r-barbican-pkcs11-options-a2ec14369518b40e.yaml |   9 ++
.../notes/bug-1907214-df2f07cbacbe8a24.yaml        |  13 ++
...introducing-qemutlsverify-af590e0243fe6b08.yaml |   9 ++
...va_migration_limit_access-20be8d69686ca95c.yaml |   8 +
.../notes/nova_novnc_network-83a1479bf227f867.yaml |  10 ++
...dd_support_for_timemaster-a8dc3e4d5db4e8b3.yaml |   7 +
tools/process-templates.py                         |   5 +
zuul.d/layout.yaml                                 |   1 +
60 files changed, 751 insertions(+), 181 deletions(-)






