We are gleeful to announce the release of: puppet-tripleo 6.2.0: Puppet module for OpenStack TripleO This release is part of the ocata stable release series. Download the package from: https://tarballs.openstack.org/puppet-tripleo/ For more details, please see below. 6.2.0 ^^^^^ Release notes are generated by Reno. New Features ************ * Add networking-fujitsu support to Neutron ML2 profile. * Split OVN plugin and northd configuration. * Introduce tripleo::tls_proxy used to set up a TLS proxy using mod_proxy that redirects towards localhost. * HPELeftHandISCSIDriver support for Cinder Volume profile. * Add support for CollectD profile, for performance monitoring. * Configure Nova Cells v2 database, required in Ocata. * Configure the basic setup for Nova Cells v2. * Support for opendalight_v2 mechanism_driver in Neutron ML2 profile. * Support for Ceph MDS service profile. * Add IPv6 support to Firewall rules. It will create both IPv4 & IPv6 rules at the same time. It automatically converts icmp rules to ipv6-icmp. When a source or destination is specified, it will only create rules to the right version of IP that is needed. * Add support for not using admin_token in Ceph/RGW profile. * Add Docker Registry profile. * Add Nova Placement API profile. * Add NTP profile. * Add etcd profile, used by networking-vpp ML2 plugin. * Add profiles for Octavia services. * Enable object-expirer on Swift proxy profile. * Set memcache_servers in /etc/swift/object-expirer.conf. * Add support for fence_ironic fencing agent. * Add a noop_resource function, which allow to disable any resource type in a catalog, with --tags option to puppet apply. * Add Ceph RBD mirrog Pacemaker profile. * Remove Glance Registry profile, not used anymore. Glance API v1 is not available anymore. * Add Nova EC2API profile. * Add support for Pacemaker Remote with a new profile. * Updates Pacemaker profiles for Composable HA architecture. * Add Tacker profile. * Add Congress profile. * Add a default rule for dhcpv6 traffic. * Re-organizes Contrail services to the correct roles. * Set innodb_file_per_table to ON for MySQL / Galera * Switch Nova / Libvirt VNC server binding to use the IP address provided in Hiera instead of 0.0.0.0. * Proxy API endpoints that TripleO UI uses. * Rebranding of Eqlx to Dell EMC PS Series. * Add support for ScaleIO backend in Cinder Volume profile. * Add support to changing the Rabbitmq password on stack-update. * Add profiles for the Octavia LBaaS service. * Added hpelefthand_iscsi backend support for cinder * Enable innodb_file_per_table for MySQL/MariaDB databases * Configure the basic cells setup for Nova, now required in Ocata. * Added ability to proxy API service endpoints through Apache mod_rewrite rules by creating ProxyPass and ProxyPassReverse directives for each API service * Adds the ability to manage auditd.service and enter audit.rules * Add support for configuring Ceph RGW to use keystone V3 service authentication instead of admin token authentication * Added manifest and template to enable configuration of sshd_config * Release notes are no longer maintained by hand, we now use the reno tool to manage them. * Configure VNC server to be binded on internal network interface on compute nodes. This value comes from tripleo-heat-templates and is configured by default to use an IP address from the internal API network. We use the ServiceNetMap in tripleo-heat-templates to compute the IP address, and we won't configure 0.0.0.0 anymore as it used to open the binding to any network, which is unsecure. Known Issues ************ * Invoke rabbitmq_user resource explicity to apply password change during update, if any. Upgrade Notes ************* * Newly created MySQL database tables will be stored in their own datafiles, instead of in a single monolithic ibdata file. * Existing MySQL database tables that are persisted within the monolithic ibdata file will remain so unless the database is migrated as well. * Migration of all current database tables out of the monolithic ibdata file is possible by dumping and restoring the whole database to a new data directory, however when using Galera the entire cluster must be shut down and upgraded at once. * Migration of individual tables to datafiles is possible using the MySQL command "ALTER TABLE <databasename>.<tablename> ENGINE=InnoDB;", however this will not shrink the ibdata file and also is not safe to run on a running Galera cluster for large tables. * Removed the following URL configuration variables from tripleo::ui: * keystone_url * heat_url * ironic_url * mistral_url * swift_url * zaqar_websocket_url Deprecation Notes ***************** * Remove tripleo::vip_hosts class, no longer used. Security Issues *************** * CVE-2016-9599 Enforce Firewall TCP / UDP rules management, by sanitizing dynamic HAproxy endpoints firewall rules, securing firewall rules creations (disallow TCP/UDP rules without sport or dport), but allow to open all traffic for TCP/UDP when actually desired. Bug Fixes ********* * Fixes bug 1648736 so swift-proxy is decoupled from ceilometer packages. * Fixes bug 1652107 so we ensure package updates don't happen unexpectedly. * Fixes bug 1645898 so we ensure to bind the rabbit inter-cluster to a specific interface. Other Notes *********** * Introduce more Puppet rspec tests that improve testing quality. Changes in puppet-tripleo 6.1.0..6.2.0 -------------------------------------- aafff78 Add missing release notes for Ocata RC1 d545621 tuning: manage keystone resources only at step3 0a44474 Make quotes consistent to match the sample config 9b12ee0 nova: move placement credentials config at step 3 b541bf5 Uncomment internal TLS options for placement API 8765270 nova/api: more cleanup bb63f51 Run nova-cell_v2-discover_hosts at step 5 f1065f3 Add module to support ScaleIO backend in Cinder 6e074bf Rebranding of Eqlx to Dell EMC PS Series 3b00ffc start nova-compute when keystone resources are created f7087b8 nova: disable API in WSGI by default 40f12b4 Disable midonet unit tests 6556123 nova/libvirt: switch vnc server binding 22c5d34 Stop deploying Nova API in WSGI with Apache 27b2598 Add ::ironic::config to Ironic base profile 9a69201 Proxy API endpoints that UI uses a0983a4 Revert "Revert "set innodb_file_per_table to ON for MySQL / Galera"" 76931e5 Add support to changing the Rabbitmq password on update 3f7e74a Revert "set innodb_file_per_table to ON for MySQL / Galera" da0e9fd Prepare 6.2.0 release 621ea89 set innodb_file_per_table to ON for MySQL / Galera d3190a1 Fix style nits in contrail manifests daaa7ce Use transport_url for swift-proxy instead of rabbitmq params 349d05d Fix test failure caused by change to puppet-octavia 5ef4a34 Fix MySQL service name parameter e089cc6 Clean TLS proxy-related setup for neutron-server profile 8bb1029 nova: deploy basic setup for cells 9c9667e Re-organizes Contrail services to the correct roles eb14c2a Add AuditD Profile d5d4cc1 Add a default rule for dhcpv6 traffic 62bb10b horizon: be more flexible in hiera neutron bd98b12 Support composable HA for the Ceph rbdmirror daemon 033e1f3 Use TLS proxy for neutron server's internal TLS a63ee9c Adding congress service 8077d84 Use transport_url for rabbitmq connection parameters in heat 2d40150 Rename controller_admin_vip to controller_admin_host 6b8349b Add initial profiles for rest of Octavia services f9efeb1 Composable HA c6f0856 Adding tacker service 13fb869 Remove double include of neutron::server class 467c939 Ensure basic Ceph configuration is performed by RBD mirror 51ed535 [keepalived] fix netmask for vip 3849c6a Fix wrong hiera key in ceph_rbdmirror 20b2a54 Clean TLS proxy-related setup for glance api profile 25b327c pacemaker remote profile support 5318a83 Use TLS proxy for Glance API's internal TLS 014375f Remove last bits of Glance Registry e2a4dee Delete the unnecessary word in numvfs_persistence.pp a3de7c0 Add a noop_resource function 0b32f60 Implement Nova ec2api profile 2f038b3 Make sure we bind the rabbit inter-cluster to a specific interface a16642b Fix typo in endpoint.pp 93195f6 cinder: move glance params into common 0ea2d52 Move nova::placement to common nova manifest 193e45b Add base profile for Octavia services bed1c23 Implement NTP profile be7886a Add retries to the ::pacemaker::stonith property ade8845 Adds etcd 53ee464 Use network entries for nova placement cdd7341 Add Ceph RBD mirror Pacemaker profile cdeefea Remove legacy flag and use composable interface e56f9e3 updates to collectd support bf68fa9 Do not depend on bootstrap_nodeid for any pacemaker profile da678b7 add cache to object-expirer pipeline 0e7a38a nova: disable ::nova::db::sync_cell_v2 a9cd9e6 Include ::heat at step 3 2dcc387 Set ceph key when using manila ceph backend e93527b Add support for fence_ironic fencing agent. 858b220 Implement Nova Placement API profile 079468f Rspec tests for nova profiles 7af9ff3 Move nova cells db sync into nova-api profile bbf13fe Add support for not using admin_token in Ceph/RGW 77cd102 Use THT to define cell0 creation a21f1a1 Add Docker Registry profile 8eb99b8 Add haproxy firewall rules for galera and redis 54a067a Ensure panko::db class is initialized 03158e5 Fix puppet warning for empty value 8c99073 firewall: add IPv6 support a59aa24 glance/api: cleanup on dbsync f61277e nova-api: switch to new wsgi class 9c187f5 Adds a profile for the Ceph MDS service 0f002c6 Fixes missing haproxy firewall rules for OpenDaylight b09f7a6 Sync the db as part of the glance-api install 545cfa2 Avoid Yum/RPM prefetch in norpm provider 5f23a71 Don't include api/scheduler manifests on manila share service set up c412f50 Add the ml2_odl section when using opendalight_v2 fec12df nova: use transport_url for rabbitmq b6f7956 Add cell_v2 setup for nova 70c9dca [CVE-2016-9599] Enforce Firewall TCP / UDP rules management 3d8dfa1 Ensure package updates don't happen unexpectedly 6f1aa13 Add fossw of networking-fujitsu support to puppet-tripleo 5a1764a Adds ability to populate SSH Banner text 1adc49a Decouples neutron services from OpenDaylight API service 199d9b7 Add missing Swift base class d4453c9 Add TLS proxy resource a6b6c05 Include nova::compute::libvirt::qemu from the libvirt profile 959101f add support for collectd 22c7835 Add networking-fujitsu support to puppet-tripleo 93dc107 Decouple swift-proxy from ceilometer packages bb317aa Disable legacy ceilometer api by default cf63869 Remove unused variable in certmonger/mysql manifest 3d74ad8 HPELeftHandISCSIDriver support for cinder 5054f12 Do not use hardcoded controller_node_names when setting up the cluster 676e1d4 Add tripleo::ui rspec tests fb0436e Add basic structure for ReNo 659cdf1 Include swift::storage::loopbacks class f223d4a Set memcache_servers in /etc/swift/object-expirer.conf 3abbad6 Enable object-expirer on Swift proxy profile 1cd8eaf Drop vip_hosts 4458ce0 Split ovn plugin and northd configuration 9a79bda Call VF configuration from udev rules d5574f8 Fix puppet version for requirements in metadata 3cb18bb Fix a typo in haproxy.pp Diffstat (except docs and test files) ------------------------------------- .gitignore | 3 + Puppetfile_extras | 7 +- Rakefile | 6 + lib/puppet/parser/functions/ip_to_erl_format.rb | 31 ++ lib/puppet/parser/functions/noop_resource.rb | 53 +++ lib/puppet/provider/package/norpm.rb | 8 + manifests/certmonger/mysql.pp | 16 +- manifests/fencing.pp | 3 + manifests/firewall/pre.pp | 6 + manifests/firewall/rule.pp | 51 ++- manifests/haproxy.pp | 367 ++++++++++++++++--- manifests/haproxy/endpoint.pp | 33 +- manifests/host/sriov.pp | 3 +- manifests/host/sriov/numvfs_persistence.pp | 25 +- manifests/keepalived.pp | 28 +- manifests/network/contrail/analytics.pp | 331 ++++++++++++----- manifests/network/contrail/analyticsdatabase.pp | 202 +++++++++++ manifests/network/contrail/config.pp | 397 ++++++++++++++++----- manifests/network/contrail/control.pp | 197 ++++++---- manifests/network/contrail/database.pp | 149 +++++++- manifests/network/contrail/heat.pp | 80 +++++ manifests/network/contrail/neutron_plugin.pp | 203 +++++++++++ manifests/network/contrail/provision.pp | 92 +++++ manifests/network/contrail/vrouter.pp | 302 ++++++++++++++++ manifests/network/contrail/webui.pp | 104 ++++-- manifests/pacemaker/haproxy_with_vip.pp | 52 ++- manifests/packages.pp | 4 +- manifests/profile/base/auditd.pp | 30 ++ manifests/profile/base/ceph/mds.pp | 35 ++ manifests/profile/base/ceph/rgw.pp | 37 +- manifests/profile/base/cinder.pp | 1 + manifests/profile/base/cinder/api.pp | 1 - manifests/profile/base/cinder/volume.pp | 56 ++- manifests/profile/base/cinder/volume/dellps.pp | 50 +++ manifests/profile/base/cinder/volume/eqlx.pp | 50 --- .../profile/base/cinder/volume/hpelefthand.pp | 71 ++++ manifests/profile/base/cinder/volume/scaleio.pp | 56 +++ manifests/profile/base/congress.pp | 86 +++++ manifests/profile/base/database/mysql.pp | 28 +- manifests/profile/base/docker_registry.pp | 74 ++++ manifests/profile/base/etcd.pp | 66 ++++ manifests/profile/base/glance/api.pp | 105 +++++- manifests/profile/base/glance/registry.pp | 56 --- manifests/profile/base/gnocchi/metricd.pp | 2 - manifests/profile/base/gnocchi/statsd.pp | 2 - manifests/profile/base/heat.pp | 57 ++- manifests/profile/base/horizon.pp | 2 +- manifests/profile/base/ironic.pp | 1 + manifests/profile/base/keystone.pp | 33 +- manifests/profile/base/metrics/collectd.pp | 103 ++++++ .../base/metrics/collectd/collectd_plugin.pp | 6 + .../base/metrics/collectd/collectd_service.pp | 11 + .../profile/base/metrics/collectd/plugin_helper.pp | 6 + manifests/profile/base/neutron/agents/ovn.pp | 14 +- manifests/profile/base/neutron/opendaylight.pp | 19 +- manifests/profile/base/neutron/ovn_northd.pp | 40 +++ manifests/profile/base/neutron/ovs.pp | 2 +- manifests/profile/base/neutron/plugins/ml2.pp | 12 +- manifests/profile/base/neutron/plugins/ml2/ovn.pp | 25 +- manifests/profile/base/neutron/server.pp | 108 ++++-- manifests/profile/base/nova.pp | 56 ++- manifests/profile/base/nova/api.pp | 56 ++- manifests/profile/base/nova/compute.pp | 1 + manifests/profile/base/nova/compute/libvirt.pp | 15 +- manifests/profile/base/nova/ec2api.pp | 35 ++ manifests/profile/base/nova/placement.pp | 96 +++++ manifests/profile/base/octavia.pp | 57 +++ manifests/profile/base/octavia/api.pp | 54 +++ manifests/profile/base/octavia/health_manager.pp | 33 ++ manifests/profile/base/octavia/housekeeping.pp | 34 ++ manifests/profile/base/octavia/worker.pp | 34 ++ manifests/profile/base/pacemaker.pp | 69 +++- manifests/profile/base/pacemaker_remote.pp | 37 ++ manifests/profile/base/panko.pp | 1 + manifests/profile/base/rabbitmq.pp | 54 ++- manifests/profile/base/sshd.pp | 61 ++++ manifests/profile/base/swift/proxy.pp | 81 +++-- manifests/profile/base/swift/storage.pp | 2 + manifests/profile/base/tacker.pp | 86 +++++ manifests/profile/base/time/ntp.pp | 28 ++ manifests/profile/pacemaker/ceph/rbdmirror.pp | 98 +++++ manifests/profile/pacemaker/cinder/backup.pp | 26 +- manifests/profile/pacemaker/cinder/volume.pp | 26 +- manifests/profile/pacemaker/database/mysql.pp | 29 +- manifests/profile/pacemaker/database/redis.pp | 40 ++- manifests/profile/pacemaker/haproxy.pp | 83 +++-- manifests/profile/pacemaker/manila.pp | 65 +++- manifests/profile/pacemaker/rabbitmq.pp | 54 ++- manifests/tls_proxy.pp | 60 ++++ manifests/ui.pp | 127 +++++-- manifests/vip_hosts.pp | 39 -- metadata.json | 6 +- releasenotes/notes/6.2.0-64eaf596539f3ed1.yaml | 64 ++++ .../add-support-for-octavia-f1e472af89e9a05c.yaml | 4 + .../notes/hpelefthand_8474c416b0d411e6.yaml | 3 + .../innodb_file_per_table-f925b3bbf29d44ea.yaml | 20 ++ .../notes/nova_cells_setup-2c3e3344d8adcc26.yaml | 3 + .../proxy-api-endpoints-359e5fb64d80d400.yaml | 6 + .../notes/puppet-auditd-0f6cbd6a2d193aac.yaml | 4 + .../rabbitmq_password_change-4fce15c9ebb0e20c.yaml | 4 + .../notes/remove-old-urls-dea2b7fdcb50dd48.yaml | 12 + .../notes/rgw-keystone-v3-43ef17dd10f825be.yaml | 5 + releasenotes/notes/sshd-437c531301f458bb.yaml | 3 + releasenotes/notes/use-reno-80402e5526a598aa.yaml | 6 + .../notes/vncserver_listen-4417377cac38464c.yaml | 7 + releasenotes/source/_static/.placeholder | 0 releasenotes/source/conf.py | 262 ++++++++++++++ releasenotes/source/index.rst | 8 + releasenotes/source/unreleased.rst | 5 + setup.cfg | 13 + setup.py | 22 ++ spec/classes/tripleo_firewall_spec.rb | 87 ++++- spec/classes/tripleo_midonet_agent_spec.rb | 58 --- .../tripleo_profile_base_ceilometer_api_spec.rb | 2 +- spec/classes/tripleo_profile_base_ceph_mds_spec.rb | 59 +++ spec/classes/tripleo_profile_base_ceph_rgw_spec.rb | 11 + .../tripleo_profile_base_cinder_api_spec.rb | 4 - .../tripleo_profile_base_cinder_scaleio_spec.rb | 58 +++ spec/classes/tripleo_profile_base_cinder_spec.rb | 6 + ...ipleo_profile_base_cinder_volume_dellps_spec.rb | 58 +++ ...tripleo_profile_base_cinder_volume_eqlx_spec.rb | 58 --- .../tripleo_profile_base_cinder_volume_spec.rb | 18 +- spec/classes/tripleo_profile_base_nova_api_spec.rb | 137 +++++++ ...ripleo_profile_base_nova_compute_ironic_spec.rb | 67 ++++ ...ipleo_profile_base_nova_compute_libvirt_spec.rb | 69 ++++ .../tripleo_profile_base_nova_compute_spec.rb | 87 +++++ .../tripleo_profile_base_nova_conductor_spec.rb | 61 ++++ .../tripleo_profile_base_nova_consoleauth_spec.rb | 62 ++++ .../tripleo_profile_base_nova_libvirt_spec.rb | 68 ++++ .../tripleo_profile_base_nova_scheduler_spec.rb | 64 ++++ spec/classes/tripleo_profile_base_nova_spec.rb | 135 +++++++ .../tripleo_profile_base_nova_vncproxy_spec.rb | 62 ++++ .../tripleo_profile_base_octavia_api_spec.rb | 138 +++++++ spec/classes/tripleo_profile_base_octavia_spec.rb | 119 ++++++ spec/classes/tripleo_profile_base_sshd_spec.rb | 30 ++ ...ripleo_profile_pacemaker_ceph_rbdmirror_spec.rp | 64 ++++ spec/classes/tripleo_ui_spec.rb | 121 +++++++ .../tripleo_host_sriov_numvfs_persistence_spec.rb | 11 +- spec/fixtures/hieradata/default.yaml | 16 + spec/functions/ip_to_erl_format_spec.rb | 11 + .../docker_distribution/registry_config.yml.erb | 11 + templates/ui/tripleo_ui_config.js.erb | 31 +- test-requirements.txt | 4 + tox.ini | 8 + 144 files changed, 6779 insertions(+), 1008 deletions(-) Requirements updates -------------------- diff --git a/test-requirements.txt b/test-requirements.txt new file mode 100644 index 0000000..bedd666 --- /dev/null +++ b/test-requirements.txt @@ -0,0 +1,4 @@ +# this is required for the docs build jobs +sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2 +oslosphinx>=2.5.0 # Apache-2.0 +reno>=0.1.1 # Apache-2.0