We are happy to announce the release of: openstack-ansible 13.3.4: Ansible playbooks for deploying OpenStack With source available at: http://git.openstack.org/cgit/openstack/openstack-ansible For more details, please see below. 13.3.4 ^^^^^^ New Features ************ * AIDE is configured to skip the entire "/var" directory when it does the database initialization and when it performs checks. This reduces disk I/O and allows these jobs to complete faster. This also allows the initialization to become a blocking process and Ansible will wait for the initialization to complete prior to running the next task. * Although the STIG requires martian packets to be logged, the logging is now disabled by default. The logs can quickly fill up a syslog server or make a physical console unusable. Deployers that need this logging enabled will need to set the following Ansible variable: security_sysctl_enable_martian_logging: yes Upgrade Notes ************* * All of the discretionary access control (DAC) auditing is now disabled by default. This reduces the amount of logs generated during deployments and minor upgrades. The following variables are now set to "no": security_audit_DAC_chmod: no security_audit_DAC_chown: no security_audit_DAC_lchown: no security_audit_DAC_fchmod: no security_audit_DAC_fchmodat: no security_audit_DAC_fchown: no security_audit_DAC_fchownat: no security_audit_DAC_fremovexattr: no security_audit_DAC_lremovexattr: no security_audit_DAC_fsetxattr: no security_audit_DAC_lsetxattr: no security_audit_DAC_setxattr: no Bug Fixes ********* * The "/run" directory is excluded from AIDE checks since the files and directories there are only temporary and often change when services start and stop. * AIDE initialization is now always run on subsequent playbook runs when "initialize_aide" is set to "yes". The initialization will be skipped if AIDE isn't installed or if the AIDE database already exists. See bug 1616281 (https://launchpad.net/bugs/1616281) for more details. * The auditd rules for auditing V-38568 (filesystem mounts) were incorrectly labeled in the auditd logs with the key of "export-V-38568". They are now correctly logged with the key "filesystem_mount-V-38568". Changes in openstack-ansible 13.3.3..13.3.4 ------------------------------------------- e3e60b1 Fix link for lxc-openstack.apparmor.j2 d97b0d1 Docs: Fixed double "that" in docs ac86e5b Retain apt sources options during host bootstrap 42b2a79 load variables as a simple var for upgrades 731164f Restart OS services when symlinks are created 98eef32 Update SHA for openstack_openrc role c665a0e Reduce minimum data disk size for the AIO to 55GB 622fc94 Use correct version when creating backup dir de1a22b Make the file name for user_secrets a variable 777d5bf Update all SHAs for 13.3.4 98c7625 glance_api_servers must contain a valid url with protocol d3262bb Fix ml2 ports after an upgrade Diffstat (except docs and test files) ------------------------------------- ansible-role-requirements.yml | 10 +++---- global-requirement-pins.txt | 2 +- .../defaults/repo_packages/openstack_services.yml | 32 +++++++++++----------- playbooks/inventory/group_vars/all.yml | 2 +- playbooks/inventory/group_vars/hosts.yml | 6 ++-- .../ceph_client/tasks/ceph_install_python_libs.yml | 4 +++ .../notes/aide-exclude-run-4d3c97a2d08eb373.yaml | 6 ++++ .../aide-initialization-fix-16ab0223747d7719.yaml | 17 ++++++++++++ ...figurable-martian-logging-370ede40b036db0b.yaml | 13 +++++++++ .../reduce-auditd-logging-633677a74aee5481.yaml | 25 +++++++++++++++++ scripts/scripts-library.sh | 2 +- .../playbooks/deploy-config-changes.yml | 4 +-- .../playbooks/rfc1034_1035-cleanup.yml | 20 ++++++++++++++ .../playbooks/user-secrets-adjustment.yml | 9 +++--- .../scripts/migrate_openstack_vars.py | 2 +- .../templates/user_variables.aio.yml.j2 | 4 +-- 22 files changed, 132 insertions(+), 44 deletions(-)