We are psyched to announce the release of:

openstack-ansible 14.2.10: Ansible playbooks for deploying OpenStack

This release is part of the newton release series.

The source is available from:

    http://git.openstack.org/cgit/openstack/openstack-ansible

Download the package from:

    https://tarballs.openstack.org/openstack-ansible/

For more details, please see below.

14.2.10
^^^^^^^

New Features
************

* A new repository for installing modern erlang from ESL (erlang
  solutions) has been added, giving us the ability to install and
  support modern stable erlang over numerous operating systems.

* The ability to set the RabbitMQ repo URL for both erlang and
  RabbitMQ itself has been added. This has been done to allow
  deployers to define the location of a given repo without having to
  fully redefine the entire set of definitions for a specific
  repository. The default variables *rabbitmq_gpg_keys*,
  *rabbitmq_repo_url*, and *rabbitmq_erlang_repo_url* have been
  created to facilitate this capability.

* The ansible-hardening role supports the application of the Red Hat
  Enterprise Linux 6 STIG configurations to systems running CentOS 7
  and Ubuntu 16.04 LTS.

* The default ulimit for RabbitMQ is now 65536. Deployers can still
  adjust this limit using the "rabbitmq_ulimit" Ansible variable.

Upgrade Notes
*************

* Changing to the ESL repos has no upgrade impact. The version of
  erlang provided by ESL is newer than what is found in the distro
  repos. Furthermore, a pin has been added to ensure that APT always
  uses the ESL repos as its preferred source, which has been done
  simply to ensure APT is always pointed at ESL.

Security Issues
***************

* The "net.bridge.bridge-nf-call-*" kernel parameters were set to "0"
  in previous releases to improve performance, and it was left up to
  neutron to adjust these parameters when security groups are
  applied. This could cause situations where bridge traffic was not
  sent through iptables, and this rendered security groups
  ineffective. This could allow unexpected ingress and egress traffic
  within the cloud. These kernel parameters are now set to "1" on all
  hosts by the "openstack_hosts" role, which ensures that bridge
  traffic is always sent through iptables.

* "PermitRootLogin" in the ssh configuration has changed from "yes"
  to "without-password". This will only allow ssh to be used to
  authenticate root via a key.

Bug Fixes
*********

* Based on documentation from RabbitMQ
  [ https://www.rabbitmq.com/which-erlang.html ] this change ensures
  the version of erlang we're using across distros is consistent and
  supported by RabbitMQ.

Changes in openstack-ansible 14.2.9..14.2.10
--------------------------------------------

7267d21 Update os_neutron role SHA to include dns_domain
ba03543 Update all SHAs for 14.2.10

Diffstat (except docs and test files)
-------------------------------------

ansible-role-requirements.yml                      | 50 +++++++++++-----------
playbooks/defaults/repo_packages/gnocchi.yml       |  2 +-
.../defaults/repo_packages/openstack_services.yml  | 48 ++++++++++-----------
playbooks/inventory/group_vars/all.yml             |  2 +-
...ity-groups-always-applied-eb6e3bdc7b77f022.yaml | 13 ++++++
releasenotes/notes/esl-repo-6ff0c7f24ad2a043.yaml  | 25 +++++++++++
...ot-login-without-password-948ec79c6508c19b.yaml |  6 +++
...support-for-centos-xenial-2b89c318cc3df4b0.yaml |  2 +-
.../ulimit-increased-65536-50b418d8e8ca4eef.yaml   |  5 +++
9 files changed, 101 insertions(+), 52 deletions(-)
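
A way to check a host against the two items under "Security Issues" above. This is an added example, not code from openstack-ansible: the function names and sample inputs are constructed here, Match blocks and Include files in sshd_config are ignored, and an unset PermitRootLogin is treated as a failure because the OpenSSH default differs between versions.

```shell
#!/usr/bin/env bash
# Added example (not part of openstack-ansible): audit the bridge netfilter
# sysctls and the sshd PermitRootLogin setting described in the release notes.

# Reads "key = value" lines (sysctl -a format) on stdin. Prints every
# net.bridge.bridge-nf-call-* key whose value is not 1; returns 1 if any
# such key fails or if no such key is present at all.
bridge_nf_failures() {
  awk -F'[ \t]*=[ \t]*' '
    $1 ~ /^net\.bridge\.bridge-nf-call-/ {
      seen++
      gsub(/[ \t\r]+$/, "", $2)
      if ($2 != "1") { print $1 "=" $2; bad++ }
    }
    END {
      if (!seen) print "no net.bridge.bridge-nf-call-* keys found"
      exit ((bad || !seen) ? 1 : 0)
    }'
}

# Prints the PermitRootLogin value from the file in $1. sshd keywords are
# case-insensitive and the first occurrence wins. Prints "unset" if absent.
permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "unset" }' "$1"
}

# Returns 0 only when root cannot authenticate with a password.
# "prohibit-password" is the newer OpenSSH spelling of "without-password".
root_login_ok() {
  case "$(permit_root_login "$1")" in
    without-password|prohibit-password|forced-commands-only|no) return 0 ;;
    *) return 1 ;;
  esac
}

demo() {
  dir=$(mktemp -d)
  # Constructed sample inputs resembling a host with the old settings.
  printf '%s\n' 'net.bridge.bridge-nf-call-arptables = 0' \
                'net.bridge.bridge-nf-call-ip6tables = 0' \
                'net.bridge.bridge-nf-call-iptables = 1' > "$dir/sysctl.txt"
  printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$dir/sshd_config"
  bridge_nf_failures < "$dir/sysctl.txt" || echo "FAIL: bridge traffic can bypass iptables"
  root_login_ok "$dir/sshd_config" || echo "FAIL: PermitRootLogin=$(permit_root_login "$dir/sshd_config")"
  rm -rf "$dir"
}
demo
```

On a live host, pipe `sysctl -a 2>/dev/null` into `bridge_nf_failures` and pass `/etc/ssh/sshd_config` to `root_login_ok`.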