We are glad to announce the release of:

openstack-ansible 12.0.16: Ansible playbooks for deploying OpenStack

With source available at:

    http://git.openstack.org/cgit/openstack/openstack-ansible

For more details, please see below.

12.0.16
^^^^^^^

New Features
************

* The audit rules added by the security role now have key fields that
  make it easier to link the audit log entry to the audit rule that
  caused it to appear.

* Apache MPM tunable support has been added to the os-keystone role in
  order to allow MPM thread tuning. Default values reflect the current
  Ubuntu default settings:

     keystone_httpd_mpm_backend: event
     keystone_httpd_mpm_start_servers: 2
     keystone_httpd_mpm_min_spare_threads: 25
     keystone_httpd_mpm_max_spare_threads: 75
     keystone_httpd_mpm_thread_limit: 64
     keystone_httpd_mpm_thread_child: 25
     keystone_httpd_mpm_max_requests: 150
     keystone_httpd_mpm_max_conn_child: 0

Upgrade Notes
*************

* During the upgrade from Kilo to Liberty, this change deletes the
  repo containers and recreates them to fix an upgrade issue with
  dependencies.

Bug Fixes
*********

* The role previously did not restart the audit daemon after
  generating a new rules file. The bug
  (https://launchpad.net/bugs/1590916) has been fixed and the audit
  daemon will be restarted after any audit rule changes.

* The dictionary-based variables in "defaults/main.yml" are now
  individual variables. The dictionary-based variables could not be
  changed as the documentation instructed. Instead it was required to
  override the entire dictionary. Deployers must use the new variable
  names to enable or disable the security configuration changes
  applied by the security role. For more information, see Launchpad
  Bug 1577944
  (https://bugs.launchpad.net/openstack-ansible/+bug/1577944).

* Failed access logging is now disabled by default and can be enabled
  by changing "security_audit_failed_access" to "yes". The rsyslog
  daemon checks for the existence of log files regularly and this
  audit rule was triggered very frequently, which led to very large
  audit logs.

* The security role previously set the permissions on all audit log
  files in "/var/log/audit" to "0400", but this prevents the audit
  daemon from writing to the active log file. This will prevent
  "auditd" from starting or restarting cleanly. The task now removes
  any permissions that are not allowed by the STIG. Any log files
  that meet or exceed the STIG requirements will not be modified.

* When the security role was run in Ansible's check mode and a tag
  was provided, the "check_mode" variable was not being set. Any
  tasks which depend on that variable would fail. This bug is fixed
  (https://bugs.launchpad.net/openstack-ansible/+bug/1590086) and the
  "check_mode" variable is now set properly on every playbook run.

* The security role now handles "ssh_config" files that contain
  "Match" stanzas. A marker is added to the configuration file and
  any new configuration items will be added below that marker. In
  addition, the configuration file is validated for each change to
  the ssh configuration file.

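
The audit log permission fix described above (strip the bits the STIG does not allow, rather than forcing "0400") can be sketched as follows. This is an added example, not code from the openstack-ansible security role; the 0640 ceiling, the function names and the temporary directory standing in for "/var/log/audit" are assumptions.

```python
import os
import stat
import tempfile

# Assumption: the STIG ceiling for audit logs is 0640 (not stated in this announcement).
STIG_MAX_MODE = 0o640


def stig_capped_mode(current, ceiling=STIG_MAX_MODE):
    """Clear every permission bit outside the ceiling; keep the rest untouched."""
    return current & ceiling


def enforce_audit_log_modes(log_dir, ceiling=STIG_MAX_MODE):
    """Strip disallowed bits from regular files in log_dir.

    Returns {path: (old_mode, new_mode)} for the files that were changed.
    Files already at or below the ceiling are left alone, so the active
    log keeps the owner write bit that auditd needs.
    """
    changed = {}
    for entry in sorted(os.scandir(log_dir), key=lambda e: e.name):
        # Skip symlinks and directories: only real log files are adjusted.
        if not entry.is_file(follow_symlinks=False):
            continue
        old = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        new = stig_capped_mode(old, ceiling)
        if new != old:
            os.chmod(entry.path, new)
            changed[entry.path] = (old, new)
    return changed


def demo():
    """Run the check over constructed sample files (not real audit logs)."""
    samples = {
        "audit.log": 0o600,    # active log: compliant, must stay writable
        "audit.log.1": 0o400,  # rotated log: stricter than required
        "audit.log.2": 0o644,  # world-readable: too permissive
        "audit.log.3": 0o755,  # executable and world-readable
    }
    with tempfile.TemporaryDirectory() as d:
        for name, mode in samples.items():
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        changed = enforce_audit_log_modes(d)
        return {os.path.basename(p): (oct(o), oct(n)) for p, (o, n) in changed.items()}


if __name__ == "__main__":
    print(demo())
```
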
Changes in openstack-ansible 12.0.15..12.0.16
---------------------------------------------

8d40626 conditionally include the scsi_dh kernel module
4b63bdd Added the ip_vs kernel module to all openstack hosts
368b7e2 Destroy repo containers before upgrade
a4d0ef9 Add support to tune the keystone apache MPM settings
0b661e2 Fix config generated for rsyslog_client_log_files
504c656 Update all SHAs for 12.0.16
874edd6 Only match full IP addresses in /etc/hosts

Diffstat (except docs and test files)
-------------------------------------

ansible-role-requirements.yml | 23 ++---
.../defaults/repo_packages/openstack_services.yml | 28 +++---
playbooks/inventory/group_vars/all.yml | 2 +-
playbooks/inventory/group_vars/hosts.yml | 2 +-
playbooks/roles/openstack_hosts/defaults/main.yml | 3 +-
.../templates/openstack-host-hostfile-setup.sh.j2 | 2 +-
playbooks/roles/os_keystone/defaults/main.yml | 10 ++
.../roles/os_keystone/tasks/keystone_apache.yml | 3 +-
.../templates/keystone-httpd-mpm.conf.j2 | 9 ++
playbooks/roles/os_nova/templates/policy.json.j2 | 3 -
.../tasks/rsyslog_client_post_install.yml | 7 +-
.../rsyslog_client/templates/99-rsyslog.conf.j2 | 2 +-
.../templates/os_aggregate_storage.j2 | 2 +-
.../notes/augenrules-restart-39fe3e1e2de3eaba.yaml | 5 +
...tionary-variables-removed-957c7b7b2108ba1f.yaml | 9 ++
...iled-access-audit-logging-789dc01c8bcbef17.yaml | 6 ++
...-audit-log-permission-bug-81a772e2e6d0a5b3.yaml | 10 ++
.../fix-check-mode-with-tags-bf798856a27c53eb.yaml | 7 ++
...ndling-sshd-match-stanzas-fa40b97689004e46.yaml | 7 ++
.../improved-audit-rule-keys-9fa85f758386446c.yaml | 5 +
...pache-mpm-tunable-support-1c72f2f99cd502bc.yaml | 18 ++++
...fore-upgrade-kilo-liberty-40df3cd4c992a52a.yaml | 5 +
requirements.txt | 2 +-
scripts/ansible-role-requirements-editor.py | 104 +++++++++++++++++++++
scripts/get-pypi-pkg-version.py | 2 +-
scripts/run-upgrade.sh | 3 +-
scripts/scripts-library.sh | 2 +-
scripts/sources-branch-updater.sh | 73 +++++++++++++++
test-requirements.txt | 9 +- 30 files changed, 331 insertions(+), 55 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index ec58012..d866451 100644 --- a/requirements.txt +++ b/requirements.txt @@ -12 +12 @@ pip==8.1.2 -setuptools==22.0.0 +setuptools==23.0.0 diff --git a/test-requirements.txt b/test-requirements.txt index 1e3f8b5..d8f8de5 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -3,2 +3,2 @@ ansible-lint>=2.0.3,<=2.3.6 -bashate==0.5.0 # Apache-2.0 -flake8==2.2.4 +bashate>=0.2 # Apache-2.0 +flake8>=2.2.4,<=2.4.1 @@ -6 +6,2 @@ hacking>=0.10.0,<0.11 -mccabe==0.2.1 # capped for flake8 +# mccabe capped for flake8 +mccabe==0.2.1 # MIT License @@ -11 +12 @@ pyflakes==0.8.1 -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 +sphinx>=1.1.2,!=1.2.0,!=1.3b1,<1.3
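
Review bot: in the requirements.txt hunk at "@@ -12 +12", the move from "setuptools==22.0.0" to "setuptools==23.0.0" is a major-version bump of a packaging tool inside a point release, and none of the release notes above mentions it. Suggest adding a short release note or commit message line that states why the bump is needed and that deployments were tested against the new pin, so deployers who mirror or audit their Python packages know to expect it.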
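
Review bot: in the test-requirements.txt hunk at "@@ -3,2 +3,2", "bashate>=0.2" replaces an exact pin with a range that has no upper bound and a floor below the previously pinned 0.5.0, so lint runs on this branch can resolve to older or newer rule sets than the one last tested. Suggest keeping the floor at the old pin and adding a cap, in the same style as the "flake8>=2.2.4,<=2.4.1" line next to it, or stating in the commit message why the wider range is required.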