We are glad to announce the release of:

tripleo-common 11.0.0: A common library for TripleO workflows.

This release is part of the train release series.

The source is available from:

    https://opendev.org/openstack/tripleo-common

Download the package from:

    https://tarballs.openstack.org/tripleo-common/

Please report issues through:

    https://bugs.launchpad.net/tripleo-common/+bugs

For more details, please see below.

11.0.0
^^^^^^

New Features
************

* If the *AdditionalArchitectures* parameter has entries then the
  container image prepare will prepare images for all architectures
  instead of just the default one. A new boolean field *multi_arch*
  can also be set in *ContainerImagePrepare* entries to determine the
  multi arch behaviour for images in that entry. If any entry sets a
  *multi_arch* value then *AdditionalArchitectures* is ignored.

* tripleo-container-rm is the new role that replaces
  tripleo-docker-rm, which is in charge of tearing down containers
  running in Docker or Podman. If the container_cli is Podman, the
  role takes care of systemd cleanup for both the container and its
  healthcheck if it does exist.

Security Issues
***************

* Fixed a vulnerability where an attacker may cause new Octavia
  amphorae to run based on any arbitrary image (CVE-2019-3895).

Bug Fixes
*********

* As of Rocky [1], the nova-consoleauth service has been deprecated
  and cell databases are used for storing token authorizations. All
  new consoles will be supported by the database backend and existing
  consoles will be reset. Console proxies must be run per cell because
  the new console token authorizations are stored in cell databases.

  nova-consoleauth was deprecated in tripleo with:
  I68485a6c4da4476d07ec0ab5e7b5a4c528820a4f

  This change now removes the NovaConsoleauth Service.

  [1] https://docs.openstack.org/releasenotes/nova/rocky.html

* Fixed an issue where amphora load balancers would fail to create.
  The problem was that Octavia certificate files were being created
  in the wrong path and with invalid content.

* Ensure [controller_worker]/amp_image_owner_id is set. This
  configuration option restricts Glance image selection to a specific
  owner ID. This is a recommended security setting.

Changes in tripleo-common 10.7.0..11.0.0
----------------------------------------

7c89493e Add the ability to compute osds number counting lvm devices
f15e6ac3 Overcloud-full image templates for RHEL8
b4d13dc8 Add deployed-server bootstrap tasks to tripleo-bootstrap
ba3891b3 Add tripleo-hieradata role
6b722063 Template each deployment file
e7c5eab7 [CVE-2019-3895] Set image owner id
4de9f78b Fix Octavia certificate file path and content
f3a93bff Fix validations_inputs temporary file name
294f67bd fix 404 when requesting empty tripleo container image catalog
feb49b8c Handle failed neutron-plugin-ml2.yaml lookup
37fc8e31 Stop sending execution object via Zaqar message
c13c9cf5 Enable staging-ovirt (fence_rhevm) fencing agent.
063e4934 Remove NovaConsoleauth Service
5a7081ea Remove duplications of tasks in scale workbook
030ad3e2 workbooks/deployment: add support to choose playbook name
68334a00 workbooks/deployment: add support to filter nodes when running Ansible
5dcad572 Make get_enabled_services() more robust
35cfa6d3 Use a typemap file instead of symlinks for tags
08ae3286 Define the interface for multi arch image prepare
88524377 Add serial option in the inventory
228fadca Add task to read remote pub key
136d8c75 Fix privileges in task fro tripleo-admin
a14bfd9f [Trivial fix]Remove unnecessary slash
13775b8e Introduce tripleo-container-rm
508324b1 Run ansible before scale down
2e54cff0 Use oslo_rootwrap subprocess module in order to gain proper eventlet awareness
878a7727 bootstrap: install network-scripts if EL8
cf86a8d6 tripleo-bootstrap: only enable network, not starting.
d0831dc4 Fix chown command in write_inputs_file function
2d52d467 tripleo-bootstrap: ensure network service is enabled & started
4f5a2750 Add new healthchecks for zaqar services
4c3d5182 Fixup octavia-api healthcheck
f292c839 Remove images that are not in use anymore
2ee6de2b nova: Remove nova-placement images and healthchecks
2f4e72b8 OpenDev Migration Patch
e39577bc Update master for stable/stein
b7618c7c Add missing ws seperator between words
e368e152 docker-rm: check if rpm dependency is actually installed
ab490622 Use 'DEFAULT_VALIDATIONS_BASEDIR' variable from constants.py
05a1f1fa Update default Ceph container image to use to the Nautilus version
9314396e Adds redfish support to 'overcloud generate fencing'.
26967343 Check for file existance in file modification check

Diffstat (except docs and test files)
-------------------------------------

 .gitreview | 2 +-
 .../container_image_prepare_defaults.yaml | 2 +-
 container-images/overcloud_containers.yaml | 8 +-
 container-images/overcloud_containers.yaml.j2 | 24 -----
 .../tripleo_kolla_template_overrides.j2 | 16 +--
 healthcheck/common.sh | 5 +
 healthcheck/nova-consoleauth | 14 ---
 healthcheck/octavia-api | 12 +--
 healthcheck/{nova-placement => zaqar-api} | 2 +-
 healthcheck/zaqar-socket | 15 +++
 image-yaml/overcloud-images-python3.yaml | 8 +-
 image-yaml/overcloud-images-rhel8.yaml | 19 ++++
 lower-constraints.txt | 1 +
 playbooks/octavia-files.yaml | 1 +
 .../tasks/certificate.yml | 8 +-
 .../octavia-controller-config/tasks/octavia.yml | 12 +++
 .../roles/octavia-undercloud/tasks/image_mgmt.yml | 45 +++++++--
 .../notes/multi_arch_image-3c3730cbba95be19.yaml | 9 ++
 ...a_remove_nova-consoleauth-95df6d63822ef787.yaml | 15 +++
 ...ificates-path-and-content-e8acf1e859e75135.yaml | 6 ++
 ...ctavia-set-image-owner-id-adb197d5daae54f1.yaml | 10 ++
 .../tripleo-container-rm-082aa93d2de1e8bc.yaml | 7 ++
 releasenotes/source/index.rst | 1 +
 releasenotes/source/stein.rst | 6 ++
 requirements.txt | 1 +
 roles/tripleo-bootstrap/defaults/main.yml | 4 +
 roles/tripleo-bootstrap/tasks/main.yml | 75 ++++++++++++++
 roles/tripleo-container-rm/README.md | 34 +++++++
 roles/tripleo-container-rm/defaults/main.yaml | 2 +
 roles/tripleo-container-rm/tasks/docker.yaml | 21 ++++
 roles/tripleo-container-rm/tasks/main.yaml | 5 +
 roles/tripleo-container-rm/tasks/podman.yaml | 41 ++++++++
 roles/tripleo-create-admin/tasks/create_user.yml | 10 +-
 roles/tripleo-docker-rm/README.md | 2 +
 roles/tripleo-docker-rm/tasks/main.yaml | 13 +--
 roles/tripleo-hieradata/README.md | 35 +++++++
 roles/tripleo-hieradata/defaults/main.yaml | 3 +
 roles/tripleo-hieradata/tasks/main.yaml | 27 +++++
 roles/tripleo-hieradata/test-playbook.yaml | 9 ++
 sudoers | 1 -
 tripleo_common/actions/ansible.py | 26 +++--
 tripleo_common/actions/parameters.py | 28 +++++-
 tripleo_common/constants.py | 6 +-
 tripleo_common/image/image_export.py | 99 ++++++++++++++++--
 tripleo_common/image/image_uploader.py | 24 ++++-
 tripleo_common/image/kolla_builder.py | 27 ++++-
 tripleo_common/inventory.py | 4 +-
 tripleo_common/templates/deployment.j2 | 2 -
 tripleo_common/templates/deployments.yaml | 48 +++++++--
 .../ControllerHostEntryDeployment | 2 -
 .../data/overcloud-controller-0/MyExtraConfigPost | 2 -
 .../utils/data/overcloud-controller-0/MyPostConfig | 2 -
 .../data/overcloud-controller-0/NetworkDeployment | 2 -
 .../ComputeHostEntryDeployment | 2 -
 .../data/overcloud-novacompute-0/MyExtraConfigPost | 2 -
 .../data/overcloud-novacompute-0/NetworkDeployment | 2 -
 .../ComputeHostEntryDeployment | 2 -
 .../data/overcloud-novacompute-1/MyExtraConfigPost | 2 -
 .../data/overcloud-novacompute-1/NetworkDeployment | 2 -
 .../data/overcloud-novacompute-2/AnsibleDeployment | 2 -
 .../ComputeHostEntryDeployment | 2 -
 .../data/overcloud-novacompute-2/MyExtraConfigPost | 2 -
 .../data/overcloud-novacompute-2/NetworkDeployment | 2 -
 tripleo_common/update.py | 29 +++---
 tripleo_common/utils/validations.py | 7 +-
 workbooks/deployment.yaml | 17 +++-
 workbooks/derive_params_formulas.yaml | 8 +-
 workbooks/messaging.yaml | 4 +-
 workbooks/scale.yaml | 8 +-
 74 files changed, 932 insertions(+), 230 deletions(-)

Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt index c304a4be..51b6b604 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,0 +12 @@ oslo.log>=3.36.0 # Apache-2.0 +oslo.rootwrap>=5.8.0 # Apache-2.0
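
Review bot: The added `oslo.rootwrap>=5.8.0` line in requirements.txt brings in a new runtime dependency, yet none of the release notes listed in this announcement mention it. Consider adding a release note so that packagers and deployers pick up the new requirement, and confirm that the one-line lower-constraints.txt change shown in the diffstat carries the same 5.8.0 floor.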
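
For the Bug Fixes entry on [controller_worker]/amp_image_owner_id, a small audit of an Octavia configuration file follows; it is an added example, not code from tripleo-common or from the original announcement. The sample file contents, the owner ID and the function name `audit_octavia_conf` are constructed for illustration, and the check deliberately treats [DEFAULT] as an ordinary section so that a value placed there does not count as set.

```python
import configparser

SECTION, OPTION = "controller_worker", "amp_image_owner_id"

# Constructed sample files (hypothetical owner ID), not from a real deployment.
WEAK = """\
[DEFAULT]
amp_image_owner_id = 11111111111111111111111111111111
[controller_worker]
amp_image_tag = amphora-image
# amp_image_owner_id = 11111111111111111111111111111111
"""
HARDENED = """\
[controller_worker]
amp_image_tag = amphora-image
amp_image_owner_id = 11111111111111111111111111111111
"""


def audit_octavia_conf(text):
    """Return a list of findings; an empty list means the owner ID is set."""
    # Renaming default_section makes [DEFAULT] an ordinary section, so its
    # values are not silently inherited by [controller_worker] in this check.
    # strict=False tolerates options that are repeated in one section.
    parser = configparser.ConfigParser(
        default_section="__unused__", interpolation=None,
        strict=False, allow_no_value=True)
    parser.read_string(text)
    if not parser.has_section(SECTION):
        return ["[%s] section is missing" % SECTION]
    findings = []
    owner = (parser.get(SECTION, OPTION, fallback=None) or "").strip()
    if not owner:
        findings.append("[%s]/%s is not set: Glance image selection is not "
                        "restricted to a specific owner ID" % (SECTION, OPTION))
    if parser.has_section("DEFAULT") and parser.has_option("DEFAULT", OPTION):
        findings.append("%s is under [DEFAULT]; set it in [%s]"
                        % (OPTION, SECTION))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_octavia_conf(text) or "OK")
```

The weak sample fails on two counts: the option is commented out in its own section, and the copy under [DEFAULT] is reported separately instead of being accepted.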