We are stoked to announce the release of:

tripleo-heat-templates 12.4.4: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the ussuri stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

12.4.4
^^^^^^

New Features
************

* Added new options for deploying Barbican with PKCS#11 backends:
  *BarbicanPkcs11CryptoTokenLabels* and
  *BarbicanPkcs11CryptoOsLockingOk*

* The "OS::TripleO::{{role.name}}::PreNetworkConfig" resource has been
  restored. This resource can be used to implement any configuration
  steps executed before network configurations are applied.

* The MariaDB tuning parameter for Innodb_buffer_pool_size can now be
  set via a new TripleO Heat Template parameter
  'MysqlInnodbBufferPoolSize'. By default this is undefined.

* *QemuDefaultTLSVerify* will allow operators to enable or disable TLS
  client certificate verification. Enabling this option will reject
  any client who does not have a certificate signed by the CA in
  /etc/pki/qemu/ca-cert.pem. The default is true and matches
  libvirt's. We will want to disable this by default in train.

* The nova-ironic setting for 'max_concurrent_builds' can now be set
  via the use of a new TripleO Heat templates parameter
  'IronicMaxConcurrentBuilds'. It is set to the service default of 10
  by default in TripleO Heat templates.

* Added PTP parameters for timemaster service configuration on
  overcloud compute nodes. Timemaster will use the already present
  chrony parameters. PTPMessageTransport and PTPInterfaces are newly
  added.

Deprecation Notes
*****************

* The *BarbicanPkcs11CryptoTokenLabel* option has been deprecated and
  replaced with the *BarbicanPkcs11CryptoTokenLabels* option.

Bug Fixes
*********

* The "ExtraConfigPre" resource and "NodeExtraConfig" resource are now
  executed after network configurations are applied in nodes. This is
  consistent with the previous version, which used the heat software
  deployment mechanism instead of config-download.

* Previously, access to the sshd run by the nova-migration-target
  container was limited only via the sshd_config. While login is not
  possible from other networks, the service is reachable via all
  networks. This change limits the access to the NovaLibvirt and
  NovaApi networks, which are used for cold and live-migration.

* Nova vnc configuration right now uses NovaVncProxyNetwork,
  NovaLibvirtNetwork and NovaApiNetwork to configure the different
  components (novnc proxy, nova-compute and libvirt) for vnc. If one
  of the networks gets changed from internal_api, the service
  configuration between libvirt, nova-compute and novnc proxy becomes
  inconsistent and the console is broken. This has been changed to use
  only NovaLibvirtNetwork for configuring the vnc endpoints, and
  NovaVncProxyNetwork is removed completely.

Changes in tripleo-heat-templates 12.4.3..12.4.4
------------------------------------------------

8e31cbf17 Allow customizing podman's [engine]/events_logger
a4e6c8e3c Add dependency on OVNMacAddressNetwork for role ResourceGroup
95835538c Unify cinder's volume and backup kolla_config settings
76059627b Disable tunnelled migration
c06ccdffc Add new options for Barbican PKCS#11 backend
ad5ab191e Correct metrics_qdr logging path and regex parsing
e5d189443 Fix network_cidrs when ManageNetworks: false
3d48d87ed Set tags on all OS::Neutron::Port resources
752498922 Add tags to THT network resources
8014ae223 Add OVNEncapType option to the ovn controller template
976a5e905 Run update tasks with become
0e8be5508 Disable tunneled mode when use_tls_for_live_migration
e5cba2899 Re-add NovaVncProxyNetwork to service_net_map.j2.yaml
ef575f87f Restore PreNetworkConfig resources
c5e24795f Fix RoleParameters in tuned-baremetal-ansible.yaml
9bbd4fe55 Don't assume role has default_route_networks/tags
0a16f3a30 Stop handler flush
eafdee6ae HA: fix race when moving VIP during minor update
dbfc51597 Switch Octavia external tasks to 'post deploy'
4abeffe64 Stop using (and breaking) /var/tmp for horizon temporary things
010febfbd Moving nova-consoleauth to step4
dfb282b50 Missing client certificate for live-migration with TLS
35b9949dd Add RootStackName to group_vars
d81c5544d Add systemd dependency to openvswitch to ovn-controller
10d541806 Disabling LM PostCopy and AutoConverge for RT roles
6342deafc Mount /etc/openldap inside the keystone container
1325566ba Ensure ansible_fqdn is set
124419ca7 Use single NovaLibvirtNetwork to configure instance console components
85e89060b Limit access to sshd used for nova migration
59fcd220f Remove ovn-cms-options from OVS when OVNCMSOptions is set to ""
96d50af58 Expose Innodb_buffer_pool_size
1265a63ed Add OVN chassis macs to hieradata
dd496f06c Refactor OVNMacAddressNetwork
cab6bbd6c Config parameters for timemaster service
c2ba66915 [OVN] Remove check for OVN + Availability Zones
b17267791 Expose mistral::rpc_response_timeout as a Heat parameter
dd24b3133 Expose max_concurrent_builds as a Heat parameter
8bc099057 ovn: Add neutron-cleanup

Diffstat (except docs and test files)
-------------------------------------

common/deploy-steps.j2 | 37 ++++-
common/hiera-steps-tasks.yaml | 1 +
deployed-server/ctlplane-port.yaml | 8 +
deployed-server/deployed-neutron-port.yaml | 11 ++
deployed-server/deployed-server.yaml | 8 +
.../barbican/barbican-api-container-puppet.yaml | 20 ++-
.../barbican-backend-pkcs11-crypto-puppet.yaml | 16 +-
.../cinder/cinder-backup-container-puppet.yaml | 51 +-----
.../cinder/cinder-backup-pacemaker-puppet.yaml | 31 +---
.../cinder/cinder-common-container-puppet.yaml | 52 +++++++
.../cinder/cinder-volume-container-puppet.yaml | 36 +----
.../cinder/cinder-volume-pacemaker-puppet.yaml | 23 +--
deployment/database/mysql-base.yaml | 11 ++
deployment/horizon/horizon-container-puppet.yaml | 23 ++-
deployment/ipa/ipaservices-baremetal-ansible.yaml | 9 ++
deployment/keystone/keystone-container-puppet.yaml | 1 +
deployment/metrics/qdr-container-puppet.yaml | 4 +-
deployment/mistral/mistral-base.yaml | 6 +-
.../neutron/neutron-api-container-puppet.yaml | 3 +-
.../neutron/neutron-dhcp-container-puppet.yaml | 4 +-
deployment/nova/nova-compute-container-puppet.yaml | 49 +++---
deployment/nova/nova-ironic-container-puppet.yaml | 9 ++
deployment/nova/nova-libvirt-container-puppet.yaml | 14 +-
.../nova-migration-target-container-puppet.yaml | 38 +++--
.../nova/nova-vnc-proxy-container-puppet.yaml | 33 ++--
.../octavia/octavia-deployment-config.j2.yaml | 5 +-
.../ovn/ovn-controller-container-puppet.yaml | 27 +++-
.../pacemaker/pacemaker-baremetal-puppet.yaml | 4 +-
deployment/podman/podman-baremetal-ansible.yaml | 9 ++
.../timemaster/timemaster-baremetal-ansible.yaml | 171 +++++++++++++++++++++
deployment/timesync/chrony-baremetal-ansible.yaml | 2 -
deployment/tls/undercloud-tls.yaml | 3 +
deployment/tuned/tuned-baremetal-ansible.yaml | 19 ++-
environments/barbican-backend-pkcs11-atos.yaml | 13 +-
environments/barbican-backend-pkcs11-lunasa.yaml | 3 +-
environments/barbican-backend-pkcs11-thales.yaml | 3 +-
environments/network-isolation-v6-all.j2.yaml | 2 +-
.../config/2-linux-bonds-vlans/role.role.j2.yaml | 8 +-
network/config/bond-with-vlans/role.role.j2.yaml | 6 +-
.../config/multiple-nics-vlans/role.role.j2.yaml | 14 +-
network/config/multiple-nics/role.role.j2.yaml | 12 +-
.../role.role.j2.yaml | 4 +-
network/config/single-nic-vlans/role.role.j2.yaml | 4 +-
network/network.j2 | 46 +++---
network/networks.j2.yaml | 3 -
network/ports/ctlplane_vip.yaml | 16 +-
network/ports/from_service.yaml | 3 +
network/ports/from_service_v6.yaml | 3 +
network/ports/noop.yaml | 13 ++
network/ports/ovn_mac_addr_port.yaml | 16 ++
network/ports/port.j2 | 39 +++++
network/ports/port_from_pool.j2 | 13 ++
network/ports/vip.yaml | 15 ++
network/ports/vip_v6.yaml | 16 +-
overcloud-resource-registry-puppet.j2.yaml | 4 +-
overcloud.j2.yaml | 21 ++-
puppet/role.role.j2.yaml | 15 +-
...r-barbican-pkcs11-options-a2ec14369518b40e.yaml | 9 ++
.../notes/bug-1907214-df2f07cbacbe8a24.yaml | 13 ++
.../innodb-tuning-param-e71d2fd727c450ec.yaml | 6 +
...introducing-qemutlsverify-af590e0243fe6b08.yaml | 9 ++
...ova-max_concurrent_builds-f900d84f35704452.yaml | 6 +
...va_migration_limit_access-20be8d69686ca95c.yaml | 8 +
.../notes/nova_novnc_network-83a1479bf227f867.yaml | 10 ++
...dd_support_for_timemaster-a8dc3e4d5db4e8b3.yaml | 7 +
tools/process-templates.py | 5 +
66 files changed, 821 insertions(+), 282 deletions(-)