[release-announce] tripleo-heat-templates 11.6.0 (train)

no-reply at openstack.org
Fri Jun 4 17:47:34 UTC 2021


We are excited to announce the release of:

tripleo-heat-templates 11.6.0: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the train stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

11.6.0
^^^^^^


New Features
************

* Added new options for deploying Barbican with PKCS#11 backends:
  *BarbicanPkcs11CryptoTokenLabels* and
  *BarbicanPkcs11CryptoOsLockingOk*

* New "CinderRpcResponseTimeout" and "CinderApiWsgiTimeout"
  parameters provide a means for configuring Cinder's RPC response and
  WSGI connection timeouts, respectively.

* The new "EnableCache" parameter is added to enable/disable caching
  using memcached services. The parameter is true by default, but
  should be false when the memcached service is disabled in the
  deployment.

* The MariaDB tuning parameter for Innodb_buffer_pool_size can now
  be set via a new TripleO Heat Template parameter
  'MysqlInnodbBufferPoolSize'. By default this is undefined.

* *QemuDefaultTLSVerify* will allow operators to enable or disable
  TLS client certificate verification. Enabling this option will
  reject any client who does not have a certificate signed by the CA
  in /etc/pki/qemu/ca-cert.pem. The default is true and matches
  libvirt's. We will want to disable this by default in train.

* Added the ability to configure the OVN DBs monitor interval in THT
  through OVNDBSPacemakerMonitorInterval (default 30s). Under load,
  monitoring can create extra stress, and since the timeout has
  already been bumped, it makes sense to raise this interval as a
  trade-off between detecting a failure and stressing the service.

* The nova-ironic setting for 'max_concurrent_builds' can now be set
  via the use of a new TripleO Heat templates parameter
  'IronicMaxConcurrentBuilds'. It is set to the service default of 10
  by default in TripleO Heat templates.

* Added PTP parameters for timemaster service configuration on the
  overcloud compute node. Timemaster will use the chrony parameters
  that are already present. PTPMessageTransport and PTPInterfaces are
  newly added.


Deprecation Notes
*****************

* The *BarbicanPkcs11CryptoTokenLabel* option has been deprecated
  and replaced with the *BarbicanPkcs11CryptoTokenLabels* option.


Bug Fixes
*********

* The RHEL-8.3 kernel disabled the Intel TSX (Transactional
  Synchronization Extensions) feature by default as a preemptive
  security measure, but this breaks live migration from RHEL-7.9 (or
  even RHEL-8.1 or RHEL-8.2) to RHEL-8.3.

  Operators are expected to explicitly define the TSX flag in their
  KernelArgs for the compute role to prevent live-migration issues
  during the upgrade or update process.

  We now introduce this validation in tripleoclient to ensure early
  failure.

  The *ForceNoTsx* flag will disable this validation on a per-role
  basis.

  More information here:
     https://access.redhat.com/solutions/6036141

* Previously, access to the sshd run by the nova-migration-target
  container was limited only via sshd_config. While login was not
  possible from other networks, the service was reachable via all
  networks. This change limits access to the NovaLibvirt and
  NovaApi networks, which are used for cold and live migration.

* Until now, the Nova VNC configuration used NovaVncProxyNetwork,
  NovaLibvirtNetwork and NovaApiNetwork to configure the different
  components (novnc proxy, nova-compute and libvirt) for VNC. If one
  of the networks is changed from internal_api, the service
  configuration between libvirt, nova-compute and the novnc proxy
  becomes inconsistent and the console breaks. This has been changed
  to use only NovaLibvirtNetwork for configuring the VNC endpoints,
  and NovaVncProxyNetwork is removed completely.
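
The TSX check described in the first bug-fix note above, sketched as an added example (this is not the tripleoclient validation or any other project code). It assumes role-specific settings sit under "<Role>Parameters" in parameter_defaults; the function name, role names and KernelArgs values are constructed for illustration.

```python
# Added illustration: flag compute roles whose KernelArgs do not pin TSX.
# Assumption: per-role settings live under "<Role>Parameters".
VALID_TSX = {"on", "off", "auto"}  # values the Linux kernel accepts for tsx=


def check_tsx(parameter_defaults, compute_roles):
    """Return {role: problem} for roles lacking one explicit, valid tsx= flag."""
    findings = {}
    for role in compute_roles:
        params = parameter_defaults.get(role + "Parameters") or {}
        # ForceNoTsx disables the validation for this role only.
        if params.get("ForceNoTsx") is True:
            continue
        # A role-level KernelArgs overrides a global one in this sketch.
        args = params.get("KernelArgs",
                          parameter_defaults.get("KernelArgs", "")) or ""
        values = {a.split("=", 1)[1] for a in args.split()
                  if a.startswith("tsx=")}
        if not values:
            findings[role] = "no explicit tsx= flag in KernelArgs"
        elif len(values) > 1 or not values <= VALID_TSX:
            findings[role] = ("ambiguous or invalid tsx value: "
                              + ",".join(sorted(values)))
    return findings


# Constructed sample of parameter_defaults from an environment file.
SAMPLE = {
    "ComputeParameters": {"KernelArgs": "intel_iommu=on tsx=off"},
    "ComputeOvsDpdkParameters": {
        "KernelArgs": "default_hugepagesz=1GB hugepagesz=1G hugepages=64"},
    "ComputeSriovParameters": {"KernelArgs": "intel_iommu=on",
                               "ForceNoTsx": True},
    "ComputeRealTimeParameters": {"KernelArgs": "tsx=on tsx=off"},
}
ROLES = ["Compute", "ComputeOvsDpdk", "ComputeSriov", "ComputeRealTime"]

if __name__ == "__main__":
    for role, problem in sorted(check_tsx(SAMPLE, ROLES).items()):
        print(role + ": " + problem)
```

Running a check like this against the environment files before an update surfaces the role that would otherwise fail at live-migration time.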

Changes in tripleo-heat-templates 11.5.0..11.6.0
------------------------------------------------

42a5f7f1b [ffwd] Add legacy cinderv3 volume cleanup to postupgrade
fee55d5dc Fix network_cidrs when ManageNetworks: false
7840da001 [train-only] Adding ForceNoTsx flag
d0ba2d100 Add dependency on OVNMacAddressNetwork for role ResourceGroup
45b4de27c Set tags on all OS::Neutron::Port resources
88ef493cd Add tags to THT network resources
d2d044e02 Add OVNEncapType option to the ovn controller template
af8576222 Disable tunneled mode when use_tls_for_live_migration
ea9ebddf6 Re-add NovaVncProxyNetwork to service_net_map.j2.yaml
c1ee7ccdd [ffwd][train-only] Rebuild clouds.yaml before running keystone endpoint configuration.
8090c8a18 Fix RoleParameters in tuned-baremetal-ansible.yaml
ab5d866cb HA: inject public certificates without blocking container
8a7725f42 Add new options for Barbican PKCS#11 backend
d7e888ac9 Switch Octavia external tasks to 'post deploy'
e8a224f9a [ffwd] Rework checks for hybrid state containers
7768e7608 Run update tasks with become
20561e86c Sync full /etc/leapp/files directory.
373838ffb [train-only] QemuDefaultTLSVerify should be false
ff730282a Stop using (and breaking) /var/tmp for horizon temporary things
002445bea Add RootStackName to group_vars
bcc5f03ab Moving nova-consoleauth to step4
ac1584a44 Missing client certificate for live-migration with TLS
c9fa94dd5 Add systemd dependency to openvswitch to ovn-controller
69e24661b Disabling LM PostCopy and AutoConverge for RT roles
70f6c7804 Mount /etc/openldap inside the keystone container
3bbc8af5b Removing duplicate mount point in metrics_qdr
a6e524477 Limit access to sshd used for nova migration
3d8acef64 [train-only] Introduce hybrid state for iscsi
0de9ea84f [Train Only] Ensure novajoin code is setting ansible_fqdn
f24840a56 Ensure ansible_fqdn is set
860a68a4a Use single NovaLibvirtNetwork to configure instance console components
3b763ab2e [ffwd] Rework WA#1925078
2445de761 Add OVN chassis macs to hieradata
6c62cf789 Remove ovn-cms-options from OVS when OVNCMSOptions is set to ""
489aab582 Expose Innodb_buffer_pool_size
18d40d805 Refactor OVNMacAddressNetwork
7951870db [Train-only] Fix the tripleo-container-stop role in train
cbd025a3f [ffwd][train-only] Run keystone endpoint configuration on FFWD
a22239e27 Add service ordering to cleanup service to avoid conflicts with agent startup
b7ed86c3b [update][upgrade] Use container-tools:3.0
cb2cb5303 Support configuring cinder's RPC and WSGI timeouts
e3413901c Add TLS support to services using memcached
b277ccf6b Add EnableCache option to enable/disable usage of memcache
2851c49d0 Move tmpwatch from cron.daily to actual root crontab
3f59a3aa9 Config parameters for timemaster service
7fe8f4175 OVNChassisMacPorts for distributed VLAN
7203afb39 [OVN] Remove check for OVN + Availability Zones
53bf067fb [ffwd][train-only] Copy /boot/grub2/grubenv to /boot/efi/EFI/redhat/grubenv
2416eb3b1 HA: fix race when moving VIP during minor update
9f50fad9a Add non-tls listener to Memcached
546d994d0 Make memcache also listen to localhost
5319872d9 live_migration setting should be under libvirt namespace
c69b33e92 Create OVNMacAddrNet network on Undercloud
38bcdfa32 Add posibilities to set ovndbs monitor interval
8ecc24fcc Add TLS capabilities to Memcached service
5ecafca64 Expose mistral::rpc_response_timeout as Heat parameter
37263ee17 Expose max_concurrent_builds as a Heat parameter


Diffstat (except docs and test files)
-------------------------------------

common/deploy-steps.j2                             |   1 +
common/hiera-steps-tasks.yaml                      |   1 +
deployed-server/ctlplane-port.yaml                 |   8 +
deployed-server/deployed-neutron-port.yaml         |  11 +
deployed-server/deployed-server.yaml               |   8 +
.../barbican/barbican-api-container-puppet.yaml    |  23 +-
.../barbican-backend-pkcs11-crypto-puppet.yaml     |  16 +-
.../ceilometer-base-container-puppet.yaml          |  13 ++
deployment/cinder/cinder-api-container-puppet.yaml |  11 +-
.../cinder/cinder-backup-container-puppet.yaml     |   2 +-
deployment/cinder/cinder-base.yaml                 |   5 +
.../cinder/cinder-volume-container-puppet.yaml     |   2 +-
deployment/database/mysql-base.yaml                |  11 +
deployment/haproxy/haproxy-public-tls-inject.yaml  |   6 +-
deployment/heat/heat-base-puppet.yaml              |  24 ++
deployment/horizon/horizon-container-puppet.yaml   |  23 +-
deployment/ipa/ipaclient-baremetal-ansible.yaml    |   1 +
deployment/ipa/ipaservices-baremetal-ansible.yaml  |   9 +
deployment/ironic/ironic-api-container-puppet.yaml |   2 +-
.../ironic/ironic-conductor-container-puppet.yaml  |   2 +-
.../ironic/ironic-inspector-container-puppet.yaml  |   2 +-
deployment/ironic/ironic-pxe-container-puppet.yaml |   2 +-
deployment/iscsid/iscsid-container-puppet.yaml     |  95 +++++++-
.../kernel-boot-params-baremetal-ansible.yaml      |  10 +
deployment/keystone/keystone-container-puppet.yaml | 107 ++++++---
.../logrotate-crond-container-puppet.yaml          |  45 ++--
deployment/manila/manila-api-container-puppet.yaml |   2 +-
.../manila/manila-scheduler-container-puppet.yaml  |   2 +-
.../manila/manila-share-container-puppet.yaml      |   2 +-
.../memcached/memcached-container-puppet.yaml      | 248 ++++++++++++++++-----
deployment/metrics/qdr-container-puppet.yaml       |   5 -
deployment/mistral/mistral-base.yaml               |   6 +-
.../neutron/neutron-api-container-puppet.yaml      |   3 +-
deployment/neutron/neutron-cleanup.service         |   2 +-
.../neutron/neutron-dhcp-container-puppet.yaml     |   4 +-
.../neutron-sriov-agent-container-puppet.yaml      |  24 +-
deployment/nova/nova-base-puppet.yaml              |  24 +-
deployment/nova/nova-compute-container-puppet.yaml |  75 +++++--
deployment/nova/nova-ironic-container-puppet.yaml  |  11 +-
deployment/nova/nova-libvirt-container-puppet.yaml |  14 +-
.../nova-migration-target-container-puppet.yaml    |  38 +++-
.../nova/nova-vnc-proxy-container-puppet.yaml      |  33 +--
.../octavia/octavia-api-container-puppet.yaml      |   2 +-
.../octavia/octavia-deployment-config.j2.yaml      |   3 +-
.../octavia-health-manager-container-puppet.yaml   |   2 +-
.../octavia-housekeeping-container-puppet.yaml     |   2 +-
.../octavia/octavia-worker-container-puppet.yaml   |   2 +-
.../ovn/ovn-controller-container-puppet.yaml       |  21 +-
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml       |  10 +
.../pacemaker/pacemaker-baremetal-puppet.yaml      |   2 +-
deployment/swift/swift-proxy-container-puppet.yaml |   9 +
.../swift/swift-storage-container-puppet.yaml      |   9 +
.../timemaster/timemaster-baremetal-ansible.yaml   | 171 ++++++++++++++
deployment/tls/undercloud-tls.yaml                 |   3 +
.../tripleo-packages-baremetal-puppet.yaml         |  59 ++---
deployment/tuned/tuned-baremetal-ansible.yaml      |  19 +-
environments/barbican-backend-pkcs11-atos.yaml     |  13 +-
environments/barbican-backend-pkcs11-lunasa.yaml   |   3 +-
environments/barbican-backend-pkcs11-thales.yaml   |   3 +-
.../lifecycle/undercloud-upgrade-prepare.yaml      |   2 +-
environments/lifecycle/update-prepare.yaml         |   2 +-
environments/lifecycle/upgrade-prepare.yaml        |   2 +-
environments/ssl/enable-memcached-tls.yaml         |  10 +
environments/standalone/standalone-overcloud.yaml  |   2 +
environments/standalone/standalone-tripleo.yaml    |   2 +
environments/undercloud.yaml                       |   4 +
environments/undercloud/undercloud-minion.yaml     |   2 +
network/network.j2                                 |  46 ++--
network/ovn_mac_addr_net.yaml                      |  37 +++
network/ports/ctlplane_vip.yaml                    |  16 +-
network/ports/from_service.yaml                    |   3 +
network/ports/from_service_v6.yaml                 |   3 +
network/ports/noop.yaml                            |  13 ++
network/ports/ovn_mac_addr_port.yaml               |  43 ++++
network/ports/port.j2                              |  39 ++++
network/ports/port_from_pool.j2                    |  13 ++
network/ports/vip.yaml                             |  15 ++
network/ports/vip_v6.yaml                          |  16 +-
overcloud-resource-registry-puppet.j2.yaml         |   5 +
overcloud.j2.yaml                                  |  20 +-
puppet/role.role.j2.yaml                           |  38 ++++
.../notes/add-forcenotsx-36fc6dce46518f5b.yaml     |  20 ++
...r-barbican-pkcs11-options-a2ec14369518b40e.yaml |   9 +
...er-add-timeout-parameters-54550a6e1c11c0b9.yaml |   6 +
.../notes/enable-cache-293c39b3b6f55c80.yaml       |   6 +
.../innodb-tuning-param-e71d2fd727c450ec.yaml      |   6 +
...introducing-qemutlsverify-af590e0243fe6b08.yaml |   9 +
.../monitor_interval_ovndbs-b14c886737965300.yaml  |   9 +
...ova-max_concurrent_builds-f900d84f35704452.yaml |   6 +
...va_migration_limit_access-20be8d69686ca95c.yaml |   8 +
.../notes/nova_novnc_network-83a1479bf227f867.yaml |  10 +
...dd_support_for_timemaster-a8dc3e4d5db4e8b3.yaml |   7 +
sample-env-generator/standalone.yaml               |   7 +
sample-env-generator/undercloud-minion.yaml        |   6 +-
tools/process-templates.py                         |   5 +
95 files changed, 1448 insertions(+), 265 deletions(-)






