We are tickled pink to announce the release of:
puppet-tripleo 7.1.0: Puppet module for OpenStack TripleO
This release is part of the pike release series.
Download the package from:
https://tarballs.openstack.org/puppet-tripleo/
For more details, please see below.

7.1.0
^^^^^

New Features
************

* Adds composable service interface for Neutron LBaaSv2 service.
* Add support for Mistral event engine.
* Restrict nova migration ssh tunnel

  * The ssh authorized_keys file is only writeable by root.
  * Creates a new user for migration instead of using root/nova.
  * Disables SSH forwarding for this user.
  * Restricts the networks that this user can connect from.
  * Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.

  Adds new parameter "tripleo::profile::base::nova::migration_ssh_localaddrs" to specify which incoming IPs are allowed for SSH tunnel connections.

* Added support for external swift proxy. Users may need to configure endpoints pointing to an already available swift proxy service.
* Enable internal network TLS for etcd
* Move Mistral API to use mod_wsgi under Apache.
* Support HA for OVN db servers and ovn-northd using Pacemaker
* Support for Redfish hardware is enabled by default for overcloud Ironic via the "redfish" hardware type.
* Run the Zaqar WSGI service over httpd.
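
The wrapper-based command whitelist from the nova migration item above, sketched as an added example (not puppet-tripleo's own wrapper). The rules, the /srv/example paths and the function names are constructed for illustration; the sketch assumes sshd runs it as a forced command for the migration user.

```python
import os
import re
import shlex
import sys

UUID = r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Constructed allowlist (placeholder paths, not the module's real rules):
# one regex per argv element; a command must match a rule in full.
ALLOWED_COMMANDS = [
    ["mkdir", "-p", rf"/srv/example/instances/{UUID}"],
    ["touch", rf"/srv/example/instances/{UUID}/disk\.info"],
]


def is_allowed(original_command):
    """Return the parsed argv if the requested command matches a rule, else None."""
    if not original_command:
        return None  # interactive login or empty command: refuse
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None  # unbalanced quotes
    for rule in ALLOWED_COMMANDS:
        if len(rule) == len(argv) and all(
            re.fullmatch(pattern, arg) for pattern, arg in zip(rule, argv)
        ):
            return argv
    return None


def main():
    # sshd puts the client's requested command in SSH_ORIGINAL_COMMAND when a
    # forced command (ForceCommand or command="...") is in effect.
    argv = is_allowed(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("command not permitted\n")
        return 1
    os.execvp(argv[0], argv)  # no shell: metacharacters are never interpreted


if __name__ == "__main__":
    sys.exit(main())
```

Because the request is split into argv and every element must match its rule in full, a trailing "; id" or a "../" path component fails the match instead of reaching a shell.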

Upgrade Notes
*************

* Mistral API systemd service will be stopped and disabled.

Deprecation Notes
*****************

* The redis_file_limit hiera parameter is now deprecated. Use the redis::ulimit parameter instead.

Bug Fixes
*********

* With the mod_ssl package installed by default in images, we introduced an issue with mod_ssl package updates. When SSL is not used, or is provided by HAProxy, the puppet-apache module purges the ssl.conf file by default. The package update then recreates the file with the default Listen 443 option, which causes a conflict on port 443 during httpd restart. If we include ::apache::mod::ssl, the ssl.conf file is configured and the Listen option is used only if a vhost is set to use SSL.
* For Heat API, increase the HAProxy timeout from 2 minutes to 10 minutes to give Heat a chance to use the rpc_response_timeout value, which is set to 600 by default in TripleO.
* Since collector is deprecated, move the ceilo upgrade in step5 out of the collector profile and into the ceilometer base. This way the ceilo upgrade can run even when collector is disabled, which is the default in pike.
* Moves bigswitch neutron agent configuration to a new tripleo profile tripleo::profile::base::neutron::agents::bigswitch

Changes in puppet-tripleo 7.0.0..7.1.0
--------------------------------------

e9fac79 Add _spec suffix to class spec tests
016cef3 Add polkit rule to allow kolla nova user access to libvirtd socket on docker host
cc84155 Add novajoin profile
7995f9b Prepare for release 7.1.0
0e674bd Puppet module to deploy MySQL bundle for HA
be2a1d3 Drop un-needed 'else' in noop_resource
90704a6 Add conditional for setting authlogin_nsswitch_use_ldap selboolean
e968869 do not include remote name in branch spec for release notes
c89f879 make release note a list of strings
48a6a09 Pacemaker support for OVN DB servers
04ff27d Puppet module to deploy RabbitMQ bundle for HA
c635586 Restart docker after changing storage driver
c21c573 Puppet module to deploy HAProxy bundle for HA
8b5b0b3 Puppet module to deploy Redis bundle for HA
daf6497 Move ceilometer upgrade step out of base
cc8e33e Add missing octavia mysql user creation
f88d4a4 Clustercheck, monitor service for galera containers
88560a7 Enable novajoin user on keystone profile
533f3e5 Bad example in firewall.pp
6b17c04 Switch to overlay2 driver for storage
66b6ea1 Update gitignore not to exclude fixture hieradata
48954b3 Update tox configuration
ef6309e TLS everywhere: Add resources for mongodb's TLS configuration
976bb6b Composable Role for Neutron LBaaS
2556c56 vhostuser socket dir shall be created for vhostuserclient mode
b6d02fd Use verify_on_create when creating pacemaker remote resources
5f0f850 Pass mistral::api service_name from t-h-t
732d878 Enable mistral to run under mod_wsgi
ce1a26b Add Mistral event engine
041ea64 Migrates OpenDaylight to official repo
926ec01 Remove limits for redis in /etc/security/limits.d
05e696c Handle duplicate/invalid entries in migration SSH inbound addresses
fe8edab Disable SSH login for nova_migration user when migration over ssh is disabled.
5a35002 Add support for Cinder "NAS secure" driver params
f8ca94a Restrict nova migration ssh tunnel
3b3d43e MySQL client: Make CA file configurable
6227484 IPv6 VIP addresses need to be /128
2ac0a83 snmp: remove useless parameter for binding
7568ac4 Fix wrong notify in swift proxy profile
b2aad9c Include base apache module in tls_proxy resource
19d177c Add support for autofencing to Pacemaker Remote.
c504d6a Add a flag to rabbitmq so that we can deploy with ha-mode: all again
8f5c6b8 Update puppet-etcd version
a640e13 Add support for Redfish hardware in Ironic
2e89f8e Move ceilometer upgrade re-run out of collector
2ce8aa0 Include zaqar apache module
3c49f51 Refactor SSHD config to allow both SSHD options and banner/motd to be set
4450afd Cover gnocchi api step 4 and 5
be27b5c Ensure /etc/docker/daemon.json
f30b791 Dell SC: Add secondary DSM support
84d3a82 Allow to configure haproxy daemon's status
f8ed8b6 Add linuxbridge agent profile
9e729c0 Ensure we configure ssl.conf
6990da8 Enable setting SubjectaltNames for haproxy and httpd certs
0261a22 Added release note for "Support for external swift proxy"
c372d01 Haproxy: When using TLS everywhere, use verifyhost for the balancermembers
6cb95e6 HAproxy/heat_api: increase timeout to 10m
da1cae2 Support for external swift proxy
bf6b929 Allow setting of keepalived router ID
49ea8b5 Dell SC: Add exclude_domain_ip option
5c8d5fd Make install of kolla optional on the undercloud
9de4c92 Move gnocchi wsgi configuration to step 3
890178b Move ceilometer wsgi to step 3
2e30593 Add ML2 configuration for Bagpipe BGPVPN extension
60d187e Enable internal network TLS for etcd
2a329d5 Stop SSHD profile clobbering SSH client config
bbe603a Ensure directory exists for certificates for httpd
b140cf1 Update UI language list
39568b1 etcd: Make HAProxy terminate TLS connections
936aece Add registry_mirror to base::docker profile
2ec381a Use docker profile in docker_registry
c0c850d firewall: generally accept "jump" param and use tripleo:firewall for log rule
6992eaf Add resource profile for vmware nsx_v3
b517344 Create bigswitch agent profile

Diffstat (except docs and test files)
-------------------------------------

.gitignore | 4 +-
Gemfile | 4 +-
Puppetfile_extras | 4 +-
bindep.txt | 9 +
lib/puppet/parser/functions/noop_resource.rb | 1 -
manifests/certmonger/apache_dirs.pp | 55 ++++
manifests/certmonger/etcd.pp | 73 +++++
manifests/certmonger/haproxy.pp | 14 +-
manifests/certmonger/httpd.pp | 15 +-
manifests/certmonger/mongodb.pp | 87 ++++++
manifests/firewall.pp | 2 +-
manifests/firewall/post.pp | 2 +-
manifests/firewall/rule.pp | 16 +-
manifests/haproxy.pp | 91 +++---
manifests/keepalived.pp | 21 +-
manifests/pacemaker/haproxy_with_vip.pp | 38 ++-
manifests/profile/base/aodh/api.pp | 1 +
manifests/profile/base/barbican/api.pp | 1 +
manifests/profile/base/ceilometer.pp | 1 -
.../profile/base/ceilometer/agent/notification.pp | 1 +
manifests/profile/base/ceilometer/agent/polling.pp | 5 +-
manifests/profile/base/ceilometer/api.pp | 3 +-
manifests/profile/base/ceilometer/collector.pp | 9 -
manifests/profile/base/ceilometer/upgrade.pp | 49 ++++
manifests/profile/base/certmonger_user.pp | 19 ++
manifests/profile/base/cinder/api.pp | 1 +
manifests/profile/base/cinder/volume/dellsc.pp | 23 +-
manifests/profile/base/cinder/volume/netapp.pp | 2 +
manifests/profile/base/cinder/volume/nfs.pp | 33 ++-
manifests/profile/base/database/mysql.pp | 3 +
manifests/profile/base/database/mysql/client.pp | 7 +-
manifests/profile/base/docker.pp | 128 ++++++++-
manifests/profile/base/docker_registry.pp | 24 +-
manifests/profile/base/etcd.pp | 57 +++-
manifests/profile/base/gnocchi/api.pp | 17 +-
manifests/profile/base/heat/api.pp | 1 +
manifests/profile/base/heat/api_cfn.pp | 1 +
manifests/profile/base/heat/api_cloudwatch.pp | 1 +
manifests/profile/base/ironic/conductor.pp | 1 +
manifests/profile/base/keystone.pp | 12 +-
manifests/profile/base/mistral/api.pp | 46 ++-
manifests/profile/base/mistral/event_engine.pp | 46 +++
manifests/profile/base/neutron/agents/bigswitch.pp | 31 +++
manifests/profile/base/neutron/lbaas.pp | 44 +++
manifests/profile/base/neutron/linuxbridge.pp | 20 ++
manifests/profile/base/neutron/ovs.pp | 17 +-
.../profile/base/neutron/plugins/ml2/bagpipe.pp | 37 +++
manifests/profile/base/neutron/plugins/nsx_v3.pp | 45 +++
manifests/profile/base/nova.pp | 180 ++++++++----
manifests/profile/base/nova/api.pp | 1 +
manifests/profile/base/nova/placement.pp | 1 +
manifests/profile/base/novajoin.pp | 83 ++++++
manifests/profile/base/pacemaker.pp | 1 +
manifests/profile/base/pacemaker_remote.pp | 27 ++
manifests/profile/base/panko/api.pp | 1 +
manifests/profile/base/snmp.pp | 1 -
manifests/profile/base/sshd.pp | 34 ++-
manifests/profile/base/swift/proxy.pp | 2 +-
manifests/profile/base/zaqar.pp | 8 +-
manifests/profile/pacemaker/clustercheck.pp | 65 +++++
.../profile/pacemaker/database/mysql_bundle.pp | 302 ++++++++++++++++++++
manifests/profile/pacemaker/database/redis.pp | 31 ++-
.../profile/pacemaker/database/redis_bundle.pp | 178 ++++++++++++
manifests/profile/pacemaker/haproxy_bundle.pp | 196 +++++++++++++
manifests/profile/pacemaker/neutron/lbaas.pp | 44 +++
manifests/profile/pacemaker/ovn_northd.pp | 121 ++++++++
manifests/profile/pacemaker/rabbitmq.pp | 8 +-
manifests/profile/pacemaker/rabbitmq_bundle.pp | 194 +++++++++++++
manifests/tls_proxy.pp | 1 +
manifests/ui.pp | 2 +
metadata.json | 2 +-
...le_role_for_neutron_lbaas-acdf08f1a9dfd3fe.yaml | 3 +
.../notes/add-bagpipe-driver-9163f5b22096fde0.yaml | 1 +
.../add-mistral-event-engine-05097cb76834f09d.yaml | 4 +
...e-dhcp-agents-per-network-3089c5e7b15f8b7b.yaml | 5 +-
.../cold_migration_security-1543136408c76459.yaml | 10 +
...eprecate-redis-file-limit-4a60fa0fde4667ef.yaml | 5 +
...-for-external-swift-proxy-f12c99b34516a023.yaml | 5 +
.../notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml | 10 +
releasenotes/notes/etcd-tls-bb8605c91ff8a94c.yaml | 3 +
.../notes/heat_api_timeout-cbb01242534cec79.yaml | 5 +
.../notes/mistral-mod-wsgi-1a1d3eb279daa7fd.yaml | 7 +
.../move-ceilo-upgrade-out-3318df875de5cd00.yaml | 6 +
...n-bigswitch-agent-profile-1250bb1518199a67.yaml | 5 +
releasenotes/notes/ovn-ha-c7668c26aefb8f2d.yaml | 4 +
releasenotes/notes/redfish-9203af1f7bf02bc5.yaml | 5 +
.../notes/zaqar-httpd-93db7feb60622687.yaml | 3 +
releasenotes/source/conf.py | 4 +-
releasenotes/source/ocata.rst | 2 +-
spec/classes/tripleo_certmonger_ca_local.rb | 46 ---
spec/classes/tripleo_certmonger_ca_local_spec.rb | 46 +++
spec/classes/tripleo_certmonger_etcd_spec.rb | 60 ++++
spec/classes/tripleo_certmonger_mysql.rb | 64 -----
spec/classes/tripleo_certmonger_mysql_spec.rb | 64 +++++
spec/classes/tripleo_certmonger_rabbitmq.rb | 64 -----
spec/classes/tripleo_certmonger_rabbitmq_spec.rb | 64 +++++
.../tripleo_profile_base_ceilometer_api_spec.rb | 8 +-
...ipleo_profile_base_ceilometer_collector_spec.rb | 26 --
.../tripleo_profile_base_ceilometer_spec.rb | 1 +
spec/classes/tripleo_profile_base_docker_spec.rb | 153 +++++++++-
.../tripleo_profile_base_gnocchi_api_spec.rb | 150 ++++++++++
...o_profile_base_neutron_agents_bigswitch_spec.rb | 48 ++++
.../tripleo_profile_base_neutron_ovs_spec.rb | 73 +++++
spec/classes/tripleo_profile_base_nova_spec.rb | 309 ++++++++++++++++++++-
spec/classes/tripleo_profile_base_novajoin_spec.rb | 126 +++++++++
spec/classes/tripleo_profile_base_sshd_spec.rb | 118 +++++++-
.../tripleo_profile_base_swift_ringbuilder.rb | 65 -----
.../tripleo_profile_base_swift_ringbuilder_spec.rb | 65 +++++
spec/fixtures/hieradata/default.yaml | 7 +
spec/spec_helper_acceptance.rb | 57 +---
test-requirements.txt | 11 +-
tox.ini | 3 +
112 files changed, 3769 insertions(+), 551 deletions(-)

Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt index bedd666..1ea50a8 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,4 +1,7 @@ -# this is required for the docs build jobs -sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 -oslosphinx>=2.5.0 # Apache-2.0 -reno>=0.1.1 # Apache-2.0 +# This is required for the docs build jobs +sphinx>=1.5.1 # BSD +oslosphinx>=4.7.0 # Apache-2.0 + +# This is required for the releasenotes build jobs +# FIXME: reno is manually pinned to !=2.0.0 because of bug #1651995 +reno>=1.8.0,!=2.0.0 # Apache-2.0
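
Review bot: the FIXME on the reno pin in test-requirements.txt cites bug #1651995 but does not say what lets the `!=2.0.0` exclusion be dropped; add the tracker link or the fixed reno version to that comment so the exclusion is not carried forward indefinitely. In the same hunk the old `sphinx` line's `<1.3` cap is replaced by `sphinx>=1.5.1` with no upper bound, so confirm the docs jobs are meant to float to the newest sphinx release.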