We are excited to announce the release of:

openstack-ansible 16.0.5: Ansible playbooks for deploying OpenStack

This release is part of the pike release series.

The source is available from:

    https://git.openstack.org/cgit/openstack/openstack-ansible

Download the package from:

    https://tarballs.openstack.org/openstack-ansible/

For more details, please see below.

16.0.5
^^^^^^

New Features
************

* FWaaS V2 has been added to neutron. To enable this service, simply
  add "firewall_v2" to the "neutron_plugin_base" list.

* The maximum amount of time to wait until forcibly failing the LXC
  cache preparation process is now configurable using the
  "lxc_cache_prep_timeout" variable. The value is specified in
  seconds, with the default being 10 minutes.

* A new LXC container template has been added which will allow us to
  better manage containers on the host machines we support. The new
  template uses the *machinectl* command to create container rootfs
  using the existing cache. This in turn will provide easier
  management of container images, faster build times, and the ability
  to instantly clone a container (or a given variant) without
  impacting a container's state. This new LXC container create
  template, and the features it provides, will only impact newly
  created containers, allowing deployers to safely adopt this change
  in any existing environment.

* The tag options when creating an LXC container have been
  simplified. The two tags now supported by the
  *lxc_container_create* role are **lxc-{create,config}**.

* The "security_sshd_permit_root_login" setting can now be set to
  change the "PermitRootLogin" setting in "/etc/ssh/sshd_config" to
  any of the possible options. Set "security_sshd_permit_root_login"
  to one of "without-password", "prohibit-password",
  "forced-commands-only", "yes" or "no".

* Searching for world-writable files is now disabled by default. The
  search causes delays in playbook runs and it can consume a
  significant amount of CPU and I/O resources.
  Deployers can re-enable the search by setting
  "security_find_world_writable_dirs" to "yes".

Upgrade Notes
*************

* The glance registry service for the v2 API is now disabled by
  default as it is not required and is scheduled to be removed in the
  future. The service can be enabled by setting
  "glance_enable_v2_registry" to "True". As the glance v1 API is still
  enabled by default, and it requires the registry service, the
  glance-registry service will still remain running and operational
  as before. If the variable "glance_enable_v1_api" is set to "False"
  then both the v1 API and the registry service will be disabled and
  removed.

* The LXC container create option *lxc_container_backing_store* is
  now defined by default and has a value of "dir". Prior to this
  release the backend store option was using several auto-detection
  methods to try and guess the store type based on facts fed into the
  role and derived from the physical host. While the auto-detection
  methods worked, they created a cumbersome set of conditionals and
  limited our ability to leverage additional container stores. Having
  this option be a default allows deployers to mix and match
  container stores to suit the needs of the deployment. Existing
  deployments should set this option within group or user variables
  to ensure there's no change in the backend store when new
  containers are provisioned.

Deprecation Notes
*****************

* The "glance_enable_v1_registry" variable has been removed. When
  using the glance v1 API the registry service is required, so having
  a variable to disable it makes little sense. The service is now
  enabled/disabled for the v1 API using the "glance_enable_v1_api"
  variable.

Bug Fixes
*********

* When the "glance_enable_v2_registry" variable is set to "True" the
  corresponding "data_api" setting is now correctly set. Previously
  it was not set and therefore the API service was not correctly
  informed that the registry was operating.

Other Notes
***********

* The LXC container create role will now check for the LXC volume
  group if the option *lxc_container_backing_store* is set to "lvm".
  If this volume group is not found, the role will halt and instruct
  the deployer to update their configuration options and inspect
  their host setup.

Changes in openstack-ansible 16.0.4..16.0.5
-------------------------------------------

fa2ddbb Do not source openstack-ansible.rc when pulling roles
6836c7f Bump roles SHA
dcf6443 Use 'PermitRootLogin 'without-password''
5fb6357 Update all SHAs for 16.0.5
f3a5d6e scripts: scripts-library.sh: Use pgrep -f to find the dstat process
527cbf7 Use tests repo for all lint tests
e113e19 Do not force using the remote "origin" when testing upgrades
6e917e4 Do not implement reload for novnc/spice service

Diffstat (except docs and test files)
-------------------------------------

ansible-role-requirements.yml | 46 ++++----
group_vars/all/all.yml | 2 +-
group_vars/hosts.yml | 2 +-
playbooks/defaults/repo_packages/gnocchi.yml | 2 +-
.../defaults/repo_packages/openstack_services.yml | 66 ++++++------
playbooks/os-nova-install.yml | 23 ++--
.../notes/fwaasv2-added-ab9ba18c8b98a83e.yaml | 4 +
.../notes/glance-v2-api-only-0d4a61b0d4dade18.yaml | 23 ++++
.../lxc-cache-prep-timeout-97dc18882f7b1e76.yaml | 7 ++
.../lxc-machinectl-template-9e65779a94cb767f.yaml | 11 ++
...c_container_backing_store-e0a77c48da3a57b2.yaml | 21 ++++
.../permitrootlogin_options-a62e33ccc4a69657.yaml | 8 ++
...able-file-search-optional-7420269230a0e22f.yaml | 7 ++
scripts/bootstrap-ansible.sh | 2 +-
scripts/gate-check-commit.sh | 2 +-
scripts/scripts-library.sh | 2 +-
tox.ini | 110 ++++++++-----------
18 files changed, 317 insertions(+), 138 deletions(-)