We are jubilant to announce the release of:

openstack-ansible-os_keystone 14.0.0: os_keystone for OpenStack Ansible

This release is part of the newton release series.

Download the package from:

    https://tarballs.openstack.org/openstack-ansible-os_keystone/

For more details, please see below.

14.0.0
^^^^^^

New Features
************

* Added keystone_apache_custom_log_format tunable for changing
  CustomLog format. Default is "combined".

* Apache MPM tunable support has been added to the os-keystone role in
  order to allow MPM thread tuning. Default values reflect the current
  Ubuntu default settings:

     keystone_httpd_mpm_backend: event
     keystone_httpd_mpm_start_servers: 2
     keystone_httpd_mpm_min_spare_threads: 25
     keystone_httpd_mpm_max_spare_threads: 75
     keystone_httpd_mpm_thread_limit: 64
     keystone_httpd_mpm_thread_child: 25
     keystone_httpd_mpm_max_requests: 150
     keystone_httpd_mpm_max_conn_child: 0

* Introduced option to deploy Keystone under Uwsgi. A new variable
  "keystone_mod_wsgi_enabled" is introduced to toggle this behavior.
  The default is "true" which continues to deploy with mod_wsgi for
  Apache. The ports used by Uwsgi for socket and http connection for
  both public and admin Keystone services are configurable (see also
  the "keystone_uwsgi_ports" dictionary variable). Other Uwsgi
  configuration can be overridden by using the
  "keystone_uwsgi_ini_overrides" variable as documented under
  "Overriding OpenStack configuration defaults" in the
  OpenStack-Ansible Install Guide. Federation features should be
  considered _experimental_ with this configuration at this time.

* Introduced option to deploy Keystone behind Nginx. A new variable
  "keystone_apache_enabled" is introduced to toggle this behavior. The
  default is "true" which continues to deploy with Apache. Additional
  configuration can be delivered to Nginx through the use of the
  "keystone_nginx_extra_conf" list variable. Federation features are
  not supported with this configuration at this time. Use of this
  option requires "keystone_mod_wsgi_enabled" to be set to "false"
  which will deploy Keystone under Uwsgi.

* CentOS7/RHEL support has been added to the os_keystone role.

* The os_keystone role now supports the ability to configure whether
  apt/yum tasks install the latest available package, or just ensure
  that the package is present. The default action is to ensure that
  the latest package is present. The action taken may be changed to
  only ensure that the package is present by setting
  "keystone_package_state" to "present".

Upgrade Notes
*************

* Installation of keystone and its dependent pip packages will now
  only occur within a Python virtual environment. The
  "keystone_venv_enabled" variable has been removed.

* The variable "keystone_apt_packages" has been renamed to
  "keystone_distro_packages".

* The variable "keystone_idp_apt_packages" has been renamed to
  "keystone_idp_distro_packages".

* The variable "keystone_sp_apt_packages" has been renamed to
  "keystone_sp_distro_packages".

* The variable "keystone_developer_apt_packages" has been renamed to
  "keystone_developer_mode_distro_packages".

* The os_keystone role always checks whether the latest package is
  installed when executed. If a deployer wishes to change the check to
  only validate the presence of the package, the option
  "keystone_package_state" should be set to "present".

Security Issues
***************

* The admin_token_auth middleware presents a potential security risk
  and will be removed in a future release of keystone. Its use can be
  removed by setting the "keystone_keystone_paste_ini_overrides"
  variable.

     keystone_keystone_paste_ini_overrides:
       pipeline:public_api:
         pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
       pipeline:admin_api:
         pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
       pipeline:api_v3:
         pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3

Changes in openstack-ansible-os_keystone 13.0.0..14.0.0
-------------------------------------------------------

ceabcef Remove 'ignore_errors: true' in favor of 'failed_when: false'
c71a7bc Fix bare variable in handler
34bc598 Update tox.ini tests target for stable/newton
449e3a1 Update UPPER_CONSTRAINTS_FILE for stable/newton
a2adb12 Update .gitreview for stable/newton
4d77b28 Update default git branch to stable/newton
40ea292 Update ansible-role-requirements to stable/newton
fa5b5f9 Use centralised test scripts
0bbacf6 Revert dynamic includes for inventory-based conditionals
7872b49 Force Ansible to use dynamic includes
e21be41 Update home page link in cfg file
8d836da Remove testing vars present in test repo
a74af47 Address ansible_ssh_* var deprecation
3614448 Update testing bits for consistency
01e1299 Remove unrequired messaging setup task file
1bfcd10 Add role linking to tox tests
05892b5 Ansible 2.1.1 role testing
9411414 Fix depreciation "Using bare variables"
0750972 Compress test execution logs
2fd095b Update paste, policy and rootwrap configurations 2016-09-08
f0ed20d Re-activate service catalog caching
fbd9535 Add credential_setup for keystone
a0d71d6 Add tempest to keystone role tests
42cef50 Fix nginx SCRIPT_NAME uwsgi_param
d0e5097 Use the central test repository for Keystone
38dbd42 Fix apache + uwsgi for keystone
15733bb Fix nginx to work with RedHat/CentOS
b6f914a Shorten tox target names
3b47fc7 Allow Uwsgi configuration overrides
52b1a71 Configure Apache to proxy for Uwsgi
db7248b Isolate mod_wsgi from Apache install
30bd479 Correct developer mode package var name
2b8aa07 Rename package lists (and related vars) appropriately
4edb378 Install and configure Nginx
0de819e Implement CentOS 7 support in os_keystone
61759e7 Work around Ansible vcpu fact bug on ppc64le
7e5548e Add a test Scenario for uwsgi & nginx
9082c79 Install and configure uWSGI
b1c2f9c Isolate Apache components
39faeb0 Make all linting tests use upper-constraints
9fd8ff0 Adding Vagrantfile for local testing/dev
3122ff6 Add SNI support via OS packages for os_keystone
50730da Add apt-get update to run_tests
b9e799b Force a restart of all the apache nodes during upgrade
e047979 Updated from global requirements
8d046aa Update the keystone WSGI application locations
53e3df2 Add python packages for SNI support in tests
c0fa231 [DOCS] Move keystone federation role docs
2cb8866 Move other-requirements.txt to bindep.txt
0a51854 Include ansible commands for ansible linting
866c153 Disable stderr logging
5637fec Add project group to role
9bd40cc Add ability to change apt/yum package state
2d8fa3d Fix bug in RPC config that broke Rabbit SSL support
418ebd6 Ensure that doc linting is included in the linters test
61848d3 Provide default for rabbitmq telemetry password
7bb3cd0 Allow configuration of multiple rabbit clusters
aced6b5 Remove openstack_hosts from test requirements
0425d1c Optimise pip install tasks
986d1d8 Use keystone_system_user_name in fernet rotation cron entry.
22afe01 Use plugins repo version of the human_log callback plugin
98b19d8 Updated from global requirements
4d983d8 Remove duplicates from .gitignore
ca10c41 Implement doc8 checks for docs
ad7919e Update sphinx configuration
d208029 Ansible 2.x - Address deprecation warning of bare variables
86a545d Update the virtualenv paths only when we have a new venv
b786654 Update tox configuration
44d053c Only install to virtual environment
6c8a9b9 Update paste, policy and rootwrap configurations 2016-07-01
325db1a Clean up container cache prep in tests
d8802f3 Pin test-requirements to match OpenStack requirements
1396dda Update paste, policy and rootwrap configurations 2016-06-17
d27d055 Add note on admin_token_auth deprecation
85a9202 Minimum example playbook could let suppose db creation
c82a089 Add support for CustomLog format modification
f244e1c Remove pip_lock_down dependency
bbc645c Consistency for multi-os in the includes
b6fbd99 Skip unavailable hosts when distributing keys
cdb5259 Grammar: requires -> required
8797fc7 Cleanup/standardize usage of tags
ebdcb34 Implement 16.04 support in Keystone
06d7fb5 Use ansible-lint 2.7.0
4f9caaa Verbose option has been deprecated from oslo.log
994bb0f Fix keystone tests
7704d94 Add support to tune the keystone apache MPM settings
57e3390 Add .swp files to .gitignore
b3cca27 Change pip install task state to 'latest'
78e6744 Remove py_from_git role
cc29aa4 Add dependencies for paramiko 2.0
20db79e Update paste, policy and rootwrap configurations 2016-04-22
3695699 Remove Liberty releasenote index
1635737 Change pip install task state to 'latest'
eb3ce0f Fail fast when required secrets are not present
dfd80ea Fix server/hostname for RFC 1034/1035
59ffe5e blacklist Ansible 1.9.6
36486b1 Remove venv activation code
7e14932 Use ansible facts for distributing SSL certs/keys
7b1543d Update min_ansible_version to 1.9
df164fb Add reno scaffolding for release notes management
0a6737c Switch defaults/tests to use master branch
42998df removed duplicate key

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 9 +
.gitreview | 1 +
README.rst | 68 +----
Vagrantfile | 12 +
bindep.txt | 41 +++
defaults/main.yml | 99 ++++++--
examples/playbook.yml | 48 ++++
handlers/main.yml | 32 ++-
manual-test.rc | 33 +++
meta/main.yml | 13 +-
other-requirements.txt | 16 --
releasenotes/notes/.placeholder | 0
...in-token-auth-deprecation-24e84a18f8a56814.yaml | 17 ++
...apache-log-format-support-7232177f835222ee.yaml | 4 +
...pache-mpm-tunable-support-1c72f2f99cd502bc.yaml | 17 ++
...eystone-only-install-venv-b766568ee8d40354.yaml | 5 +
...e-uwsgi-and-nginx-options-2157f8e40a7a8156.yaml | 22 ++
..._keystone-centos7-support-0a5d97f81ac42e44.yaml | 4 +
...package-list-name-changes-007cacee4faf8ee6.yaml | 10 +
.../notes/package-state-711a1eb4814311cc.yaml | 13 +
releasenotes/source/_static/.placeholder | 0
releasenotes/source/_templates/.placeholder | 0
releasenotes/source/conf.py | 281 +++++++++++++++++++++
releasenotes/source/index.rst | 9 +
releasenotes/source/mitaka.rst | 6 +
releasenotes/source/unreleased.rst | 5 +
setup.cfg | 2 +-
setup.py | 11 +-
tasks/keystone_apache.yml | 104 +++++---
tasks/keystone_credential.yml | 22 ++
tasks/keystone_credential_autorotate.yml | 47 ++++
tasks/keystone_credential_create.yml | 46 ++++
tasks/keystone_credential_distribute.yml | 25 ++
tasks/keystone_db_setup.yml | 5 -
tasks/keystone_federation_sp_idp_setup.yml | 38 +--
tasks/keystone_federation_sp_setup.yml | 21 +-
tasks/keystone_fernet.yml | 6 +-
tasks/keystone_fernet_keys_autorotate.yml | 10 +-
tasks/keystone_fernet_keys_create.yml | 9 -
tasks/keystone_fernet_keys_distribute.yml | 6 +-
tasks/keystone_idp_metadata.yml | 8 +-
tasks/keystone_idp_self_signed_create.yml | 6 +-
tasks/keystone_idp_self_signed_distribute.yml | 5 +-
tasks/keystone_idp_self_signed_store.yml | 2 -
tasks/keystone_idp_setup.yml | 13 +-
tasks/keystone_idp_sp_setup.yml | 4 +-
tasks/keystone_init_common.yml | 27 ++
tasks/keystone_init_systemd.yml | 48 ++++
tasks/keystone_init_upstart.yml | 31 +++
tasks/keystone_install.yml | 134 +++-------
tasks/keystone_install_apt.yml | 86 +++++--
tasks/keystone_install_yum.yml | 154 +++++++++++
tasks/keystone_key_distribute.yml | 6 +-
tasks/keystone_key_populate.yml | 6 -
tasks/keystone_key_setup.yml | 6 -
tasks/keystone_ldap_setup.yml | 16 +-
tasks/keystone_messaging_setup.yml | 37 ---
tasks/keystone_nginx.yml | 51 ++++
tasks/keystone_post_install.yml | 40 +--
tasks/keystone_pre_install.yml | 32 +--
tasks/keystone_service_setup.yml | 41 +--
tasks/keystone_ssl.yml | 11 +-
tasks/keystone_ssl_key_create.yml | 20 +-
tasks/keystone_ssl_key_distribute.yml | 42 +--
tasks/keystone_ssl_key_store.yml | 32 +--
tasks/keystone_ssl_self_signed.yml | 9 +-
tasks/keystone_ssl_user_provided.yml | 18 +-
tasks/keystone_token_cleanup.yml | 2 -
tasks/keystone_uwsgi.yml | 58 +++++
tasks/main.yml | 116 ++++++++-
templates/keystone-credential-rotate.sh.j2 | 67 +++++
templates/keystone-fernet-rotate.sh.j2 | 2 +-
templates/keystone-httpd-mpm.conf.j2 | 9 +
templates/keystone-httpd.conf.j2 | 38 ++-
templates/keystone-paste.ini.j2 | 16 +-
templates/keystone-systemd-tempfiles.j2 | 4 +
templates/keystone-uwsgi.ini.j2 | 20 ++
templates/keystone-uwsgi_systemd-init.j2 | 25 ++
templates/keystone-uwsgi_upstart.conf.j2 | 44 ++++
templates/keystone-wsgi.py.j2 | 48 ----
templates/keystone.conf.j2 | 40 ++-
templates/keystone_nginx.conf.j2 | 34 +++
templates/policy.json.j2 | 8 +-
test-requirements.txt | 19 +-
tox.ini | 197 ++++++++++-----
vars/redhat-7.yml | 77 ++++++
vars/ubuntu-14.04.yml | 45 +++-
vars/ubuntu-16.04.yml | 70 +++++
110 files changed, 3044 insertions(+), 1156 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt index 3422d65..8fdd8d8 100644 --- a/test-requirements.txt +++ b/test-requirements.txt
@@ -1,4 +1,9 @@ -ansible-lint<=2.3.9 -ansible>=1.9.1,<2.0.0 -bashate -flake8 +# The order of packages is significant, because pip processes them in the order +# of appearance. Changing the order has an impact on the overall integration +# process, which may cause wedges in the gate later. +bashate>=0.2 # Apache-2.0 +flake8<2.6.0,>=2.5.4 # MIT +pyasn1 # BSD +pyOpenSSL>=0.14 # Apache-2.0 +requests>=2.10.0 # Apache-2.0 +ndg-httpsclient>=0.4.2;python_version<'3.0' # BSD @@ -7,2 +12,4 @@ flake8 -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 -oslosphinx>=2.5.0 # Apache-2.0 +sphinx!=1.3b1,<1.3,>=1.2.1 # BSD +oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0 +doc8 # Apache-2.0 +reno>=1.8.0 # Apache2
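Review bot: in the first test-requirements.txt hunk, "pyasn1 # BSD" is added with no version bound, while the packages added next to it for the same TLS stack carry minimums ("pyOpenSSL>=0.14", "requests>=2.10.0", "ndg-httpsclient>=0.4.2"); give it a lower bound too, or note that it is deliberately left to upper-constraints. The same hunk drops "ansible-lint<=2.3.9" and "ansible>=1.9.1,<2.0.0" without a replacement in this file, so the change should say where those are now pinned. In the second hunk, "doc8" is likewise unbounded and "reno>=1.8.0 # Apache2" uses a different license tag from the "# Apache-2.0" on the other lines.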
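For the Security Issues note above on admin_token_auth: a small check, added here as an example and not part of the announcement or of the os_keystone role, that reports which paste pipelines in a rendered keystone-paste.ini still load the middleware. The ini text is constructed sample input and the function name is hypothetical.

```python
import configparser

# Constructed sample of a rendered keystone-paste.ini (not from a real deployment).
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit osprofiler url_normalize request_id
    admin_token_auth build_auth_context token_auth json_body
    ec2_extension_v3 s3_extension service_v3
"""

RISKY_FILTER = "admin_token_auth"


def pipelines_using(ini_text, filter_name=RISKY_FILTER):
    """Map each [pipeline:*] section that loads filter_name to its stage index."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(ini_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue
        # Paste pipelines are whitespace-separated and may wrap over lines.
        # Exact token comparison keeps "token_auth" from matching.
        stages = parser.get(section, "pipeline", fallback="").split()
        if filter_name in stages:
            findings[section] = stages.index(filter_name)
    return findings


if __name__ == "__main__":
    hits = pipelines_using(SAMPLE_PASTE_INI)
    for section, index in sorted(hits.items()):
        print(f"{section}: {RISKY_FILTER} is stage {index} of the pipeline")
    # Non-zero exit lets a deployment check fail while the filter is still wired in.
    raise SystemExit(1 if hits else 0)
```

A leftover [filter:admin_token_auth] section on its own is not reported, because the filter only runs when a pipeline names it.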