We exuberantly announce the release of:

tripleo-heat-templates 10.6.1: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the stein stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

10.6.1
^^^^^^

New Features
************

* *ContainerImageRegistryLogin* has been added to indicate whether login
  calls should be issued by the container engine on deployment. The
  default is *false*.

* Values specified in *ContainerImageRegistryCredentials* are now used to
  issue a login call when deploying the container engine on the hosts if
  *ContainerImageRegistryLogin* is set to *true*.

* Created an *ExtraKernelPackages* parameter to allow users to install
  additional kernel-related packages prior to loading the kernel modules
  defined in *ExtraKernelModules*.

* When running config-download manually, fact gathering at the play level
  can now be controlled with the gather_facts Ansible boolean variable.

* Add *ContainerNovaLibvirtUlimit* to configure the ulimits of the
  containerized libvirt. Defaults to "nofile=131072,nproc=126960".

* Add the NovaLibvirtMemStatsPeriodSeconds parameter, which sets the nova
  *libvirt/mem_stats_period_seconds* option: the memory usage statistics
  period in seconds, where a zero or negative value disables memory usage
  statistics. The default for NovaLibvirtMemStatsPeriodSeconds is 10.

* Adds the LibvirtLogFilters parameter to define a filter that selects a
  different logging level for each category of log output, as specified
  in https://libvirt.org/logging.html . Default:
  '1:libvirt 1:qemu 1:conf 1:security 3:event 3:json 3:file 3:object 1:util'

* Adds the LibvirtTLSPriority parameter to override the compile-time
  default TLS priority string of libvirtd. Default:
  'NORMAL:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2'

* Add the OVNRemoteProbeInterval parameter, which sets the inactivity
  probe interval of the JSON-RPC session from ovn-controller to the OVN
  southbound database. The previous default of 5s may not be sufficient
  on loaded systems or during control-plane activity spikes, leading to
  unnecessary reconnections to the OVSDB server. The default is now
  extended to 1 min and is configurable through OVNRemoteProbeInterval.

* Introduce a PacemakerTLSPriorities parameter, which sets the
  PCMK_tls_priorities option in /etc/sysconfig/pacemaker and the
  PCMK_tls_priorities variable inside the bundle. When set, it allows an
  operator to specify, as a GnuTLS priority string, which ciphers and
  protocol versions are accepted on the pacemaker control port.

Bug Fixes
*********

* Enable the VFIO module on boot for SR-IOV deployments. Before this
  change, on SR-IOV capable deployments vfio_iommu_type1 was not loaded
  after a compute node reboot, so guest instances with a VF/PF attached
  failed to start/spawn.

* The passphrase for the Octavia config option
  'server_certs_key_passphrase' is used as a Fernet key and must
  therefore be 32 bytes long. TripleO now validates this when the
  passphrase is provided by the operator.

* Certain nova containers require more locked memory than the default
  limit of 16KiB. Increase the default memlock to 64MiB via
  "DockerNovaComputeUlimit". As this is only a maximum limit and not a
  pre-allocation, this does not increase the memory requirements of all
  nova containers. To date the only container to require this is
  nova_cell_v2_discover_hosts, which is short lived.

* Recent changes (e.g. for edge scenarios) intentionally moved nova
  cell v2 host discovery from the controller to the bootstrap compute
  node. The task was triggered by the deploy identifier to make sure it
  ran on any deploy, scale, etc. run; if a deploy run was triggered with
  the --skip-deploy-identifier flag, discovery was not triggered at all,
  causing failures in previously supported scenarios. This change moves
  the host discovery task into the Ansible deploy_steps_tasks so that it
  is triggered even if --skip-deploy-identifier is used or the compute
  bootstrap node is blacklisted.

* Deployment with an NFS share enabled for nova ephemeral storage failed:
  podman cannot SELinux-relabel an NFS mount at /var/lib/nova/instances,
  so the container failed to start with "operation not supported". The
  relabel (z) flag is now set on the /var/lib/nova volume only when NFS
  is not enabled for the compute.

Changes in tripleo-heat-templates 10.6.0..10.6.1
------------------------------------------------

ac5f18c7e Fix indent in deploy-steps playbook
2d7c68234 HA: fix <service>_restart_bundle with minor update workflow
02e0a4e21 container-puppet: run podman rm with --storage
9858e6eb4 Use separate plays for Host prep steps
f3c9487b6 Revert "Do not forcibly enable Glance multiple locations for RBD backend"
1110b7537 Replace include_tasks with import_tasks
907271797 Respect tags in upgrade tasks
26a0585d4 Split upgrade_steps_playbook into different plays.
fd84e1df3 Add parameters for dateext in logrotate
ffb1d1576 Disable Pacemaker on scenario000
231372441 No cloud_name_$NET_NAME for disabled networks
897a38678 Filter nameservers for undercloud networks
0febc015d Fix NovaEnableRbdBackend to be role specific
338801824 Fix wrong hieradata for glance api authtoken
12ad0d83a Use /var/tmp on host to store temporal files for image upload via Horizon
3f5764691 Set EnablePackageInstall to true by default for in-place OS upgrade
393f43a66 Add LibvirtTLSPriority to set libvirtd tls_priority
2f4dd2c92 Only generate Octavia certs on stack create
c992964f1 Remove pre-upgrade best-effort online data migrations
f5ffc4d4c Fix MariaDB staged upgrade
ffb63dfec Parametrize UpgradeLeappDevelSkip to pass multiple env variables.
78d16ded1 Adds LibvirtLogFilters to define a libvirtd filter
1058955ad Do not forcibly enable Glance multiple locations for RBD backend
90e36a106 Move cephfs and cephfs_*_pool ceph-ansible parameters in -base
2ed88dbcd Explicitly set notification driver for novajoin
af43abe82 Add ExtraKernelPackages
a2cbb5044 Unescape IPv6 addresses for ceph_nfs_bind_addr
b72c5e4bc Configure nova_compute for vendordata
54051f5ec Add tags always into external update tasks.
79b0ff8e9 Use default value for NovaLiveMigrationWaitForVIFPlug
b92aa0e5b Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"
9639dc938 Fix NovaResumeGuestsStateOnHostBoot when using podman
7f7960a53 Allow combining system_upgrade_prepare and system_upgrade_run into system_upgrade
62f6287a8 Support TLS priorities for pacemaker
4b9c3637f Force re-run of pacemaker bundle init containers during upgrade-scaleup
29fdd20bb Fix for enable VFIO module on boot for SR-IOV deployments
d5723703f Fix external resource usage in additional subnets
9af90d740 Fix vlan id assignment with additional subnets
864b2e9e6 Also assign default subnets to network segment
8b8b6dc18 Ensure we get at least one ctlplane subnet
9ee30cdeb Check for rc instead of |succeeded
4b78e7013 Revert "Ensure we get a subnet for ctlplane"
f47bc7b3e Fix retaging of ovn-dbs container during update.
a0b2a75db Fix default network in barbican deployment
375d6a757 Add a daemon-reload to the tripleo-iptables services
2a684c0b8 Ensure we get a subnet for ctlplane
d191423e8 Force "Pre-cache" tasks to run in dry run
abf7c24bd Change datatype of revalidator,handler threads
a8f24be0a Fix typo in barbican deployment
eb09a925f Ensure libnsl dependency is available
837c54259 Redis HA TLS: do not use the pacemaker image tag for redis_tls_proxy
e20d02a8b Fix pcmk remote podman bundle restarts
7b72488d2 Add missing update_serial key to compute roles
ea24fc57d Pacemaker resource upgrade tasks compatible with staged upgrade
1a74f7557 Add internal keystone endpoint in octavia variables
f4a3563bc keystone: drop duplicate -DFOREGROUND
ade09f3a3 Point InternalTLSVncCAFile to /etc/ipa/ca.crt
0cf066490 Generate addition drop-in dependencies for podman containers
e7c3496a9 Transport ManilaCephFSDataPoolName to Manila CephFS template
954abc8e9 ceph-base: Disable ceph-ansible firewall tasks
eb2cfcdb4 Move the Hiera symlink task from post configuration to deployment steps.
945a22166 Handle edge cases in staged upgrade hiera data
6e329424f Upgrade fixes for RabbitMQ and Pacemaker
d89fe28b3 Disable ceph-dashboard by default in Stein
3746b9133 Updates the cephfs_pools format to match that of openstack_pools
3719af166 Prefer CephPoolDefaultPgNum over counterintuitive Manila specific params
9f239f8c8 Fix bogus reference to conditional in octavia upgrade tasks
ac5001004 Enable VFIO module on boot for SR-IOV deployments
4aa557494 Moving NeutronMechanismDrivers value to be list in neutron-ml2-mlnx-sdn.yaml
6d7239812 Add the ability to configure ovn-remote-probe-interval
bb3390b41 Make nova ephemeral storage backend configurable per-role
5b681900c Make sure libvirt-guests get started
680f341f1 CI should auto-generate server_certs_key_passphrase
7bedd167e Correct jinja loop logic for role_networks
bf51f816b Set selinux type for facter.conf
8fe366434 Fix resume_guests_state_on_host_boot_enabled fact
e49b8db26 Only run cellv2 host discovery on default cell
c2397d94d Mount /var/run rw
10e8506e1 Re-Add facter cache for container configurations
76356dc4f Add a suffix for tmpwatch
c3644ab44 Replace hardcoded gather_facts:no with variable
67b7e8d84 Add bind mount for config setup
abf34de6c Add new role parameter NovaLibvirtMemStatsPeriodSeconds
8a9e8ae52 Stop services for unupgraded controllers
2871ce0fa Specify a default for container_registry_logins
463576dc6 Clean docker and podman after executing an update or upgrade
c8ad086ba Allow logrotate to access container_file_t files
d6bd20d5b Stein: Re-enable container auth support
0a3ee4ea7 Support TLS deployments with KernelDisableIPv6 enabled
0fbb061f8 Add stein periodic job not in template
b82417126 Move nova cell v2 discovery to deploy_steps_tasks
2d0e01382 Don't use the z flag in case NovaNfsEnabled is true
1293c460e Increase the default memlock to 64MiB via ``DockerNovaComputeUlimit``.
cfb8e9786 Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long
e022668a0 swift: ensure we get rsyslog state "--check" mode
ac5145c28 Revert "Add container engine authentication support"
169f4ac83 Add container engine authentication support
743b81692 Fix ovn dbs control port
223ddba91 Per-Role krb-service-principal for CompactServices
6c8a064c1 Fix nova compute container depends_on to be list
581d2d544 Add ContainerNovaLibvirtUlimit to tweak Ulimits
29fa95801 Idempotency for system_upgrade_prepare
367f4decd Allow skipping RHSM with Leapp
5f40f0e80 Upgrade playbook fixes for OS upgrade

Diffstat (except docs and test files)
-------------------------------------

 .../scenario000-multinode-containers.yaml | 15 +-
 .../scenario010-multinode-containers.yaml | 1 -
 ci/environments/scenario010-standalone.yaml | 1 -
 common/container-puppet.py | 23 +-
 common/deploy-steps-tasks.yaml | 49 ++++
 common/deploy-steps.j2 | 217 +++++++++-------
 .../nova_cell_v2_discover_hosts.py | 62 -----
 .../pacemaker_restart_bundle.sh | 40 +++
 deployment/aodh/aodh-api-container-puppet.yaml | 15 ++
 .../aodh/aodh-evaluator-container-puppet.yaml | 15 ++
 .../aodh/aodh-listener-container-puppet.yaml | 15 ++
 .../aodh/aodh-notifier-container-puppet.yaml | 15 ++
 .../barbican/barbican-api-container-puppet.yaml | 6 +-
 .../ceilometer-agent-central-container-puppet.yaml | 15 ++
 ...ometer-agent-notification-container-puppet.yaml | 15 ++
 deployment/ceph-ansible/ceph-base.yaml | 48 ++++
 deployment/ceph-ansible/ceph-mds.yaml | 23 +-
 deployment/ceph-ansible/ceph-nfs.yaml | 2 +-
 deployment/cinder/cinder-api-container-puppet.yaml | 48 ++--
 .../cinder/cinder-backup-pacemaker-puppet.yaml | 28 +--
 .../cinder/cinder-scheduler-container-puppet.yaml | 15 ++
 .../cinder/cinder-volume-pacemaker-puppet.yaml | 118 ++++-----
 deployment/containers-common.yaml | 24 ++
 deployment/database/mysql-pacemaker-puppet.yaml | 272 +++++++++++----------
 deployment/database/redis-container-puppet.yaml | 21 ++
 deployment/database/redis-pacemaker-puppet.yaml | 213 ++++++++--------
 .../docker/docker-baremetal-ansible.yaml | 71 ++++++
 .../nova/nova-placement-container-puppet.yaml | 15 ++
 .../panko/panko-api-container-puppet.yaml | 16 ++
 deployment/ec2/ec2-api-container-puppet.yaml | 4 +-
 .../designate-worker-container-puppet.yaml | 2 +
 deployment/glance/glance-api-container-puppet.yaml | 39 ++-
 .../gnocchi/gnocchi-api-container-puppet.yaml | 15 ++
 .../gnocchi/gnocchi-metricd-container-puppet.yaml | 15 ++
 .../gnocchi/gnocchi-statsd-container-puppet.yaml | 15 ++
 deployment/haproxy/haproxy-container-puppet.yaml | 15 ++
 deployment/haproxy/haproxy-pacemaker-puppet.yaml | 212 ++++++++--------
 deployment/heat/heat-api-cfn-container-puppet.yaml | 15 ++
 deployment/heat/heat-api-container-puppet.yaml | 16 ++
 deployment/heat/heat-engine-container-puppet.yaml | 15 ++
 deployment/horizon/horizon-container-puppet.yaml | 17 ++
 deployment/ironic/ironic-api-container-puppet.yaml | 17 --
 deployment/kernel/kernel-baremetal-puppet.yaml | 17 ++
 deployment/keystone/keystone-container-puppet.yaml | 18 +-
 .../logrotate-crond-container-puppet.yaml | 60 ++++-
 deployment/manila/manila-backend-cephfs.yaml | 4 +
 .../manila/manila-share-pacemaker-puppet.yaml | 28 +--
 .../memcached/memcached-container-puppet.yaml | 15 ++
 deployment/metrics/collectd-container-puppet.yaml | 2 +-
 .../neutron/neutron-api-container-puppet.yaml | 17 +-
 deployment/nova/nova-api-container-puppet.yaml | 32 ++-
 .../nova/nova-compute-common-container-puppet.yaml | 38 ++-
 deployment/nova/nova-compute-container-puppet.yaml | 103 ++++----
 .../nova/nova-conductor-container-puppet.yaml | 15 ++
 deployment/nova/nova-ironic-container-puppet.yaml | 52 ++--
 deployment/nova/nova-libvirt-container-puppet.yaml | 71 +++++-
 .../nova/nova-metadata-container-puppet.yaml | 15 ++
 .../nova-migration-target-container-puppet.yaml | 22 +-
 .../nova/nova-scheduler-container-puppet.yaml | 15 ++
 .../nova/nova-vnc-proxy-container-puppet.yaml | 15 ++
 deployment/nova/novajoin-container-puppet.yaml | 8 +-
 .../octavia/octavia-api-container-puppet.yaml | 9 +
 deployment/octavia/octavia-base.yaml | 4 +-
 .../octavia/octavia-deployment-config.j2.yaml | 25 +-
 .../ovn/ovn-controller-container-puppet.yaml | 5 +
 deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 38 ++-
 .../pacemaker/clustercheck-container-puppet.yaml | 15 ++
 deployment/podman/podman-baremetal-ansible.yaml | 107 +++++++-
 ...rabbitmq-messaging-notify-pacemaker-puppet.yaml | 225 ++++++++++-------
 .../rabbitmq-messaging-pacemaker-puppet.yaml | 222 +++++++++--------
 .../rabbitmq-messaging-rpc-pacemaker-puppet.yaml | 243 ++++++++++--------
 deployment/swift/swift-proxy-container-puppet.yaml | 6 +-
 .../swift/swift-storage-container-puppet.yaml | 4 +-
 .../tripleo-firewall-baremetal-puppet.yaml | 30 ++-
 .../tripleo-packages-baremetal-puppet.yaml | 41 +++-
 .../ceph-ansible/ceph-ansible-per-role.yaml | 18 ++
 environments/lifecycle/upgrade-converge.yaml | 1 +
 environments/lifecycle/upgrade-prepare.yaml | 1 +
 .../network-isolation-no-tunneling.j2.yaml | 6 +-
 environments/network-isolation-v6.j2.yaml | 6 +-
 environments/network-isolation.j2.yaml | 6 +-
 environments/neutron-ml2-mlnx-sdn.yaml | 2 +-
 .../krb-service-principals/role.role.j2.yaml | 17 +-
 extraconfig/post_deploy/standalone_post.yaml | 28 ---
 .../post_deploy/undercloud_ctlplane_network.py | 15 +-
 extraconfig/post_deploy/undercloud_post.sh | 2 -
 extraconfig/pre_network/boot_param_tasks.yaml | 9 +
 .../config/2-linux-bonds-vlans/role.role.j2.yaml | 6 +-
 network/config/bond-with-vlans/role.role.j2.yaml | 6 +-
 network/config/multiple-nics/role.role.j2.yaml | 6 +-
 .../role.role.j2.yaml | 6 +-
 network/config/single-nic-vlans/role.role.j2.yaml | 6 +-
 network/network.j2 | 10 +-
 puppet/all-nodes-config.j2.yaml | 2 +-
 puppet/role.role.j2.yaml | 2 +-
 puppet/services/README.rst | 18 ++
 puppet/services/openvswitch.yaml | 8 +-
 puppet/services/pacemaker.yaml | 113 +++++----
 ...-container-registry-login-08d6a87586c84a99.yaml | 10 +
 ...-kernel-package-parameter-f3ad68ed4b72b0f5.yaml | 6 +
 .../enable-vfio-for-sriov-62b7bd67df250840.yaml | 8 +
 .../gather-facts-variable-d7f1d74d1dc68ee9.yaml | 4 +
 ...rver_certs_key_passphrase-908471f31d09f088.yaml | 5 +
 ...gration_wait_for_vif_plug-6d16da261a138fb8.yaml | 3 +-
 ...arams_to_configure_ulimit-82057bf64d7173a8.yaml | 5 +
 .../nova-memlock-increase-066ed22764ed3ce1.yaml | 9 +
 ..._mem_stats_period_seconds-b9b606232629cb38.yaml | 8 +
 ...nova_libvirtd_log_filters-63e9e6501d779dd9.yaml | 8 +
 ...ova_libvirtd_tls_priority-d0129f804d7ca847.yaml | 5 +
 ...xternal_post_deploy_tasks-e978560ee59b8b56.yaml | 12 +
 .../nova_nfs_enabled_podman-a92ea12cd4cd92c8.yaml | 8 +
 ...ovn_remote_probe_interval-023b3fa671f88101.yaml | 9 +
 .../notes/pcmktlspriorities-4315010185adf45a.yaml | 7 +
 roles/ComputeHCIOvsDpdk.yaml | 2 +
 roles/ComputeLocalEphemeral.yaml | 70 ++++++
 roles/ComputeOvsDpdkRT.yaml | 1 +
 roles/ComputeOvsDpdkSriovRT.yaml | 1 +
 roles/ComputeRBDEphemeral.yaml | 70 ++++++
 roles/ComputeRealTime.yaml | 1 +
 roles/ComputeSriovRT.yaml | 1 +
 tools/yaml-validate.py | 27 +-
 zuul.d/layout.yaml | 4 +
 122 files changed, 2674 insertions(+), 1240 deletions(-)
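As an added example (not part of this announcement or of the tripleo-heat-templates repository), the following Heat environment file sets the security-relevant parameters from the New Features section above together: a registry login with credentials, and TLS priority strings for libvirtd and the pacemaker control port. The registry host, user name, password and the PacemakerTLSPriorities value are placeholders; the nested registry -> user: password layout of ContainerImageRegistryCredentials follows the TripleO container image preparation documentation, and the LibvirtTLSPriority value is the release default quoted above.

```yaml
# Added example environment file; not shipped with tripleo-heat-templates.
# Pass it to the deploy command alongside your other environments, e.g.
#   openstack overcloud deploy ... -e registry-and-tls.yaml
parameter_defaults:
  # Default is false: credentials are then not used for a login call by
  # the container engine on the overcloud hosts.
  ContainerImageRegistryLogin: true
  ContainerImageRegistryCredentials:
    registry.example.com:                  # placeholder registry host
      deployer: 'replace-with-a-real-token' # placeholder user: password

  # libvirtd tls_priority. This is the 10.6.1 default: NORMAL, minus SSL 3.0,
  # minus every TLS version, then TLS 1.2 re-enabled, i.e. TLS 1.2 only.
  LibvirtTLSPriority: 'NORMAL:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2'

  # PCMK_tls_priorities for the pacemaker control port. GnuTLS priority
  # string; placeholder value that removes TLS 1.0 and 1.1 from NORMAL.
  PacemakerTLSPriorities: 'NORMAL:-VERS-TLS1.0:-VERS-TLS1.1'
```

Both priority strings are passed through to GnuTLS on the host, so what they finally enable depends on the GnuTLS version installed there; check the effective result on a deployed node rather than assuming it from the string.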
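To see what a GnuTLS-style priority string such as the LibvirtTLSPriority default or a PacemakerTLSPriorities value actually leaves enabled, the following added Python example (my illustration, not code from this release, libvirt, pacemaker or GnuTLS) evaluates the VERS-* keywords of a priority string under a deliberately simplified model of GnuTLS semantics. The assumptions are stated in the code: the base keywords NORMAL, SECURE128, SECURE256 and PFS are modelled as enabling TLS 1.0 through 1.3 and not SSL 3.0 (the real sets depend on the GnuTLS version), cipher, MAC and %FLAG keywords are ignored, and '!' is treated like '-'. The function names enabled_versions and weak_versions are mine.

```python
"""Evaluate the protocol versions a GnuTLS-style priority string leaves
enabled.  Added example for the LibvirtTLSPriority / PacemakerTLSPriorities
parameters; not tripleo-heat-templates, libvirt or GnuTLS code.

Simplified model of GnuTLS priority semantics (assumption):
  * keywords are ':'-separated and the first one selects a base set;
  * '+VERS-X' enables X, '-VERS-X' and '!VERS-X' disable X;
  * 'VERS-TLS-ALL' expands to every TLS version, 'VERS-ALL' to every version;
  * keywords that are not VERS-* (ciphers, MACs, %FLAGS) are ignored here.
"""

ALL_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
TLS_VERSIONS = tuple(v for v in ALL_VERSIONS if v.startswith("TLS"))

# Base keyword -> versions it enables under this model (assumption: real
# GnuTLS sets vary by library version, e.g. TLS1.3 needs GnuTLS 3.6.x).
BASE_SETS = {
    "NORMAL": set(TLS_VERSIONS),
    "SECURE128": set(TLS_VERSIONS),
    "SECURE256": set(TLS_VERSIONS),
    "PFS": set(TLS_VERSIONS),
    "NONE": set(),
}

# Versions a hardened control port should not accept.
WEAK_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1"}


def _expand(name):
    """Map a VERS-* keyword to the set of versions it names."""
    if name == "VERS-ALL":
        return set(ALL_VERSIONS)
    if name == "VERS-TLS-ALL":
        return set(TLS_VERSIONS)
    if name.startswith("VERS-"):
        version = name[len("VERS-"):]
        if version not in ALL_VERSIONS:
            raise ValueError("unknown protocol version keyword: " + name)
        return {version}
    return set()  # cipher, MAC, key exchange ... not modelled


def enabled_versions(priority):
    """Return the enabled versions, oldest first, after applying all keywords."""
    tokens = [t for t in priority.split(":") if t]
    if not tokens:
        raise ValueError("empty priority string")
    base = tokens[0]
    if base not in BASE_SETS:
        raise ValueError("priority string must start with a base keyword, got " + base)
    enabled = set(BASE_SETS[base])
    for token in tokens[1:]:
        op, name = token[0], token[1:]
        if op == "+":
            enabled |= _expand(name)
        elif op in "-!":
            enabled -= _expand(name)
        elif op == "%":
            continue  # %SERVER_PRECEDENCE and friends do not touch versions
        else:
            raise ValueError("unexpected keyword: " + token)
    return sorted(enabled, key=ALL_VERSIONS.index)


def weak_versions(priority):
    """Subset of enabled_versions() that a hardened port should reject."""
    return sorted(set(enabled_versions(priority)) & WEAK_VERSIONS,
                  key=ALL_VERSIONS.index)


if __name__ == "__main__":
    # Release default for LibvirtTLSPriority, then two comparison strings.
    for p in ("NORMAL:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2",
              "NORMAL",
              "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1"):
        print(p, "->", enabled_versions(p), "weak:", weak_versions(p))
```

Under this model the release default evaluates to TLS 1.2 only with no weak versions, while a bare 'NORMAL' still admits TLS 1.0 and 1.1. To confirm what the GnuTLS build on a deployed node actually enables, run gnutls-cli -l --priority '<string>' there and compare with the model's answer.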