We are excited to announce the release of:

tripleo-heat-templates 16.0.0: Heat templates for deploying OpenStack
with OpenStack.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

For more details, please see below.

16.0.0
^^^^^^

New Features
************

* Add parameter to set the auth type for the snmpd_user. Possible
  options are MD5 (which is what was hardcoded before and is the
  default now) and SHA. This should be set to SHA on FIPS
  environments.

* Add IronicDefaultBootInterface parameter to allow users to set /
  override the default boot interface used by ironic. This may not
  work if a hardware type does not support the set boot interface.
  This overrides create-time defaults. The ordered union of the
  enabled boot interfaces and hardware type determines, under normal
  circumstances, what the default will be.

* Since genisoimage was removed from CentOS9 / RHEL9, Nova's default
  "mkisofs_cmd" option will not work anymore. In the RHEL/CentOS
  realm, "mkisofs" is an alias to alternatives that either map to
  "xorriso" (9) or "genisoimage" (8).

* Added the Octavia TLS parameters.

* RabbitMQ can be configured to run in FIPS mode via the new
  configuration option RabbitFIPS. The default value is false.

* Admin endpoint of Keystone listens on Internal API network by
  default.

* Logging for the designate bind backend is now more fully
  configured. DNS query logging can be enabled by setting
  *DesignateBindQueryLogging* to *true*.

* Neutron can now be configured to support secure RBAC using
  *EnforceSecureRbac*. Note, you may not be able to use this until
  Neutron upstream has support for common RBAC personas
  (https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions).

* Keystone can now be configured to support secure RBAC personas
  (https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions)
  with the *EnforceSecureRbac* setting. Note that deployments with
  mixed permission models will have unexpected side-effects. Setting
  this option won't have meaningful effect until all services in your
  deployment support secure RBAC personas.

* The new parameter "EnforceSecureRbac" has been added to enforce
  authorization based on common RBAC personas. Currently in glance
  the support is only available for project-admin, project-member and
  project-reader personas and system personas will come in a later
  release.

* The new "KeystoneNotificationDriver" parameter has been added. This
  parameter overrides the global "NotificationDriver" parameter and
  allows customizing the notification driver only in Keystone, which
  is required to use the notification listener function in Barbican.

* Add *NovaShowHostStatus* to allow overriding API policies to access
  the compute host status in the requested Nova server details. The
  default value 'hidden' allows only admins to access it. Setting it
  to 'all' ('unknown-only') without additional fine-grained tuning of
  *NovaApiHostStatusPolicy* shows the full (limited) *host_status* to
  the system/project readers.

  Add *NovaApiHostStatusPolicy* that defines a custom API policy for
  *os_compute_api:servers:show:host_status* and
  *os_compute_api:servers:show:host_status:unknown-only*. These
  rules, or roles, replace the admins-only policies based on the
  given *NovaShowHostStatus*: 'unknown-only' shows the limited host
  status UNKNOWN whenever a heartbeat was not received within the
  configured threshold, and 'all' also reveals UP, DOWN, or
  MAINTENANCE statuses in the Nova server details. Finally,
  *NovaShowHostStatus*: 'hidden' makes it visible only to admins
  again. Additional policies specified using *NovaApiPolicies* get
  merged with this policy.

* A heat parameter "IronicPowerStateChangeTimeout" has been added
  which sets the number of seconds to wait for power operations to
  complete, i.e., so that a baremetal node is in the desired power
  state. If timed out, the power operation is considered a failure.
  The default is 60 seconds, which is the same as the current Ironic
  default.

* Added "pure_iscsi_cidr", "pure_host_personality" and
  "eradicate_on_delete" support for the Pure Storage FlashArray
  Cinder driver.

* Added "NovaDisableComputeServiceCheckForFfu" parameter to configure
  "nova::workarounds::disable_compute_service_check_for_ffu" to
  disable the service version check workaround for FFU.

* Adding Hugepages role parameter

  Hugepages management was always a manual step done by operators via
  the TripleO parameter "KernelArgs". This is error prone and causes
  confusion.

  The new "Hugepages" parameter allows operators to define hugepages
  as a dictionary, making it easier to read and follow.

  To prevent involuntary changes, there are multiple validations
  before applying a change:

  * We convert the current running configurations to an actual
    dictionary that we validate the new format against

  * If no change is necessary, even though the format might not be
    the same, there's no kernel_args update.

  * By default, we don't remove hugepages in places except when
    operators specifically set the "ReconfigureHugepages" to true.

  This change is also opening the door to more automations and
  automatic tuning.

Upgrade Notes
*************

* Support for the following three volume drivers has been removed.

  * Dell EMC ScaleIO

  * Dell EMC VxFlexOS

  * Dell EMC VMAX

* The following services should be removed from roles data during
  upgrade.

  * "OS::TripleO::Services::CinderBackendScaleIO"

  * "OS::TripleO::Services::CinderBackendDellEMCVxFlexOS"

  * "OS::Tripleo::Services::CinderBackendDellEMCVMAXISCSI"

* Redis is now disabled by default in new deployments, so existing
  deployments have to delete the redis resource in pacemaker prior to
  upgrade, or include the new environment file ha-redis.yaml if they
  still implicitly depend on redis.

* Support for networking-bigswitch has been removed, because the
  plugin is no longer maintained.

* Support for the novajoin service has been removed.

* The "OS::TripleO::Service::Novajoin" resource has been removed. It
  should be removed from roles data before upgrade.

* The default boot mode for ironic deployed nodes is now "uefi" when
  no boot mode is explicitly set in the node's driver_info,
  capabilities, or instance_info configuration. To restore the
  previous default, set the heat parameter "IronicDefaultBootMode" to
  "bios".

* The default UEFI iPXE bootfile is now *snponly.efi*. The boolean
  parameter *IronicIPXEUefiSnpOnly* was added to allow custom
  configuration. When set to *true* snponly is used, when *false* the
  previous default ipxe.efi is used. See bug: 1959726
  (https://bugs.launchpad.net/tripleo/+bug/1959726).

Deprecation Notes
*****************

* The MlnxSDNUsername and MlnxSDNPassword have been deprecated and
  have no effect.

* The "MysqlIncreaseFileLimit" parameter has been deprecated and has
  no effect now.

* The "IronicIpVersion" parameter has been deprecated and has no
  effect.

* Using environments/enable-designate.yaml has been deprecated in
  favor of environments/services/designate.yaml, the current location
  for environment files that enable TripleO components.

* With the switch to ephemeral heat for the overcloud, the
  UndercloudMinion is no longer viable. Deploying UndercloudMinion is
  not supported anymore and environment files to enable its
  deployment are dropped.

Bug Fixes
*********

* Adds the port used for directly accessing Ironic-Inspector using
  TLS, 13050, to the list of ports to permit inbound connections on.

* Rsyslog config for haproxy
  (https://bugs.launchpad.net/tripleo/+bug/1953672)

* Before this patch, invalid certificates would be detected close to
  the end of the deployment. In small environments, this comes fast
  but in an environment with a large number of nodes, failures would
  come really late after a few hours of deployment. With this
  validation, the deployment now fails before step1, at
  host_prep_steps, if the certificate is smaller than 512 bytes when
  UsePublicTLS is set to true and PublicSSLCertificateAutogenerated
  is set to false. It will also use openssl to verify the state of
  the certificate and fail if the certificate is invalid or expired.

* When we install libvirt on a host, the system parameter
  "fs.aio-max-nr" is set to 1048576. Since we containerized libvirtd,
  we lost this system parameter. We now make sure it's defined by
  adding it from the nova-libvirt-common template.

* Enable Swift replicators in single replica mode to ensure cleanup
  of old tombstone (.ts) files. Sleep interval between replication
  runs is set to 24 hours to prevent unneeded load on the systems if
  no replication is needed.

Other Notes
***********

* A new param MlnxSDNToken has been added to authenticate with the
  SDN controller.

* Steps are taken to minimize chances of confusion between the
  default block storage volume type established by the
  CinderDefaultVolumeType parameter, and cinder's own __DEFAULT__
  volume type. In a new deployment where no volumes exist, cinder's
  __DEFAULT__ type is deleted because it is redundant. In an upgrade
  scenario, if volumes exist then the __DEFAULT__ type's description
  is updated to indicate the actual default volume type is the one
  established by the CinderDefaultVolumeType parameter.

* "OvsDpdkDriverType" is now deprecated. Note that it had no effect
  since we upgraded to OVS 2.6, where we stopped supporting the
  configuration of DPDK driver in puppet-vswitch. Since then, we
  couldn't change the driver; so we can safely deprecate this
  parameter and remove it in a future release.

* "podman image prune" is no longer used on the undercloud to remove
  unused images during the undercloud update/upgrade. With the usage
  of ephemeral Heat, not all images will always be used by running or
  stopped containers, so "podman image prune" should not be used to
  clean up the local container image storage. Images that are no
  longer being used can still be removed individually with "podman
  rmi".

Changes in tripleo-heat-templates 15.1.0..16.0.0
------------------------------------------------

5136dd9d8 Have Ceph log to a file for scenario 001/004
720dd1482 Add HostnameFormatDefault for Ceph related roles
07adbb7b7 Update .gitignore
de668b4ec Use FQCN for ansible builtin tasks
4d23590ca Ceilometer: Remove incomplete cache parameters
6f8a5bc1e Memcached: Allow puppet to be aware IPv6 is used
e66f495b1 Include redis templates in Octavia configuration
15744039d Increase stop_grace_period for Octavia controller services
0fa959acb Add support for ovn bgp agent
20230cd59 Remove support for the novajoin service
df569e638 Fix typo in HciCephObject role tag
115439e6b Add missing option for rgw/swift compatibility
5d1e6f8c0 Added log volumes for ceilometer-agent-ipmi
d3d20bb44 Etcd: Update cluster membership when replacing a node
881334004 Ironic: Use generated dnsmasq conf file
875155550 Add Octavia TLS parameters
0d4fbc86a Remove support for Nuage core plugin
e99a251ad Use consistent indent in .sh files
5249a06d4 Nova: Fix missing cache backend
d0ca9fe63 Fix trailing slashes in bind-mounts and linting
35eb903a8 Fix network-environment.yaml ipv6 {{network.name}}Routes
5bf166be6 Drop services not used for undercloud role
243f80b8b Octavia: Add missing region_name parameters
f59346887 Cinder: Remove leftover of Dell EMC VMAX driver support
a2674a176 Update Ceph client service to handle external Ceph
4dc74ac16 Add CephIngress resource
fa69bfc1e Disable GSSAPIAuthentication by default
f97c99bc2 Use puppet parameters instead of hieradata key
b35015b30 Fix sshd host_prep_tasks
309c89e90 Only run mysql upgrade commands when needed
263fee246 Ensure db initialization is not executed by puppet
087d67733 Designate: Ensure pool management by puppet is disabled
1d77d9af2 Don't add conntrack entries for vxlan
67969af3d Remove support for networking-bigswitch
7ec40a3c5 Added NovaDisableComputeServiceCheckForFfu var
a8b849f03 Remove unused deployed_server_port_map output
219817528 Remove Nova from undercloud during upgrades
1395d1c49 Update Barbican Orders policy for secure-rbac
7ca6a836f rsyslog: Add missing logging sources for gnocchi services
e07098b53 rsyslog: Add missing logging sources for aodh services
a1b967faf Add support for additional log sources for rsyslog
7f8876ce7 Sync updated DB root password in running container
2329e416e Required DDP package is not loaded issue
88f2dfbba Update of OVN controllers as an external task.
e1de2bcb7 Add CephNfs service on roles providing "external" network connectivity
9ed9c8da5 Horizon: Fix the wrong policy parameters
b1e1df2b7 Enable designate-dashboard
ae866ab47 Adding Hugepages role parameter
c275d7870 Do not run puppet in docker_config
0c3ea4c28 Allow nic-config conversion without Heat
27b8210fd Align defaults for SoftwareConfigTransport
64a19091a Run the SSL verification at step2
18e7522d6 Fix ca-certs-baremetal-puppet.yaml description in header
71ed74176 Update Barbican Secure-RBAC policy
9cb551201 Cleanup openldap certs database
19b0b7429 Remove "ceph" tags for the TripleO cephadm branch
d72a23759 Expose tripleo_cephadm_default_container boolean
e93b454d6 Redis: Hard-code paths of configuration files
5746310b6 Replace dnf by tripleo_dnf_stream for updates.
cd7d10133 Move zuul jobs layout to centos9 only for master branch
daa48254e Exclude /etc/openldap to avoid overriding ro file
7e8d88afa Allow deployments to run when selinux is disabled
fceeb2fbd Fix AnyErrorsFatal type
85ccef292 Fix Redis config generation when fd limit changes
3ae6ce355 Don't bind host's /run in multipathd container
d5701e6ce Validate SSLCertificate is defined
a3fa2a052 Nova: Use cross_az_attach from nova::cinder
19c11813d Fix ironic boot interface for undercloud
ceed5ac9e Fix OS_CLOUD for multistack and nova az tasks
acf032a09 Designate: miniDNS and bind9 instances on the proper networks
d3a6e7a99 Start the neutron metadata agent with cgroupns host
bd13adefd Add parameter IronicIPXEUefiSnpOnly
7eb280ace Skip podman purge on Undercloud
33d4b44ae Remove unused environment file
7bb44f26b Enable clean-up service for novajoin by default
17004426a Drop Nova and NovaJoin services from UC role data
b2b9e983c Add heat::trustee parameters
ec33ab404 Disable heat by default in favor of ephemeral-heat.
caed5081e Keystone: Use system-admin to create resources
c2d110257 Use Internal API by default for Keystone admin endpoint
c3affa49a Nova: Use internal endpoint to access Keystone
97c1306b2 Defining fs.aio-max-nr for hosts with libvirt service
ff7bc29c7 Added rabbit FIPS flag to FIPS env fle
3f7db6a9a Placement: Enable proxy headers parsing
8e28fde39 Allow neutron to configure secure RBAC options
9aa90bd1a Skip 'ensure dnf modules' for CS9 on undercloud-upgrade
59edff435 Add RabbitFIPS parameter
dde9a258d Update dervice_pci script to handle pci address formats
6ff47463b Configure logging for designate bind backend
ebab335f3 Role specific container support
db63209ae Revert "Update cell0 db connection, if required"
e36f44cad Check if passthrough user_config is decoded properly from hiera data
ed560e46c Pass OS_CLOUD env when migrating to heat ephemeral.
cef35a45a Fix cloud-init detection rules
97a2bd2ca Reduce frequency of task retries
5b9648dd9 Disable libvirtd and stop it
2caf85f84 fix path typo
72e75597c Fix ignored OctaviaControlSecurityGroup
dfeb0e643 Nova: Configure [keystone] parameters
a1f6142b9 Missing OVN Parameters
9b5dba49e Cinder: Remove support for deprecated Dell EMC volume drivers
d57f9a877 Add ironic-inspector TLS endpoint port to be reachable
277ef9bbc README: Remove OVN row
f63176e97 Horizon: Manage policy files
4362c14ce Disable metrics_qdr binding in HAProxyEdge
b4a9058b8 Make sure libvirt guests shut down before network
2a27e8bdb Enable policy rule management in nova-compute
a170d70e2 Add OVNContainerCpusetCpus
5326c3d5e Move *NetworkConfigTemplate to parameter_defaults
81d546a23 Add show unknown only host_status to scn002
b11c78a02 Add show all host_status policy to scn001
2b9461e97 Fix remaining usage of internal url for www_authenticate_uri
3a04690cd Enable notification from Keystone when Barbican is enabled
4e078fc42 Handle ping test ips when not available
392abfd2a Include subnet in unbound colloc port creation to ensure IP allocation
b49da7236 Allow keystone to configure secure RBAC options
dfd28f7b1 Revert "Revert "Add chrony waitsync back in""
98e9b2983 Align services of ControllerSriov role
21bd42b4f Revert "Add chrony waitsync back in"
925af6378 Add generated deployed network environment
4f7e4fd18 Fix killscript regex match for libpod-conmon-*
62ded067d Fix IPv6 router on UC re-install
8d46c9c38 Add chrony waitsync back in
160936df1 Use public endpoint for [keystone_authtoken] www_authenticate_uri
3e4135aa3 Add CephAdmVerbose variable
6d142165f IDM server registration is fixed to one server only
ee617c09a Add missing services to ControllerNovaStandalone role
15ff29cf1 Fix IronicImageDownloadSource on undercloud
71012af59 Replace deprecated octavia::controller::port_detach_timeout
4c1206938 Remove hieradata for Redis Sentinel
423644945 Check that redis is removed prior to FFU
98d731768 Use Python3 yoga unit tests
157d0c112 Start the l3 agent with cgroupns: host
97da97eda Fix external-ceph deployment directory reference
008b55afa fix InternalApi subnet for ControllerNovaStandalone role
d8475ede4 Remove tripleo_ovn_mac_port_name port tag
eae88fe0a Sync neutron-ovs-dvr.yaml copies
3983bc744 Update cell0 db connection, if required
cb24c0bff Revert "Fix the wrong parameter name to disable management of libvirt services"
c3bb91338 Missing rsyslog parameters for HAProxy
20368af84 Fix the wrong parameter name to disable management of libvirt services
9d4d7f9a6 Manage octavia flavor in tripleo-ansible
9d06a3c7e Exec libvirtd in a transient scope
a77d5ebde Make tools scripts executable
2e4f35b07 Add templates for custom network ci job
a88c32f51 Replace deprecated manila::sql_connection
5e77f8198 Manila: Use internal endpoints to access other services
e78fbfb99 Nova: Use internal endpoint to access Neutron API
efdbece13 Run designate-api under apache
a035de7d3 Remove setype for /var/log/containers creation
98af86994 Parameters for API policies to show a host status
7a99ae23e Introduce a new linter for yaml-validate, and correct issues
613dd92d8 Add a configuration option to enable secure RBAC in Heat
1f868ba53 Ensure we bind-mount /dev instead of /dev/
579102e54 Sc001: Enable glance image import methods
4df0b3519 Neutron: Use internal endpoint when accessing Placement API
3b80985e5 Assign project-scoped service role for token validation
e6f24185b CoreServices list has to be flatten
08c5e74d3 Placement: Define root path explicitly
0436025d8 Add IronicDefaultBootInterface parameter
3055a4f11 Use only internal endpoints in Octavia controller services
1127ac015 Accept lists for Manila*ShareDataPools and Manila*EthernetPorts
7e1ee7511 set manila context-is-admin policy rule for secure-rbac
dbf5d36fd Add timestamps to nova/placement wait for scripts
969043bef Correct the multiple_nics_vlans_dvr.j2 file path
06787c853 Add support for powermax.
6dc38e414 Fix doc link
531aecc4b Fix convert_v1_net_data.py - ipv6 property
3a0b86e4e Add ephemeral Heat entry to clouds.yaml
047499937 Fix condition to add per subnet routes parameter
ee846d21e [Neutron] Add custom env file to set dns_domain_name
0555ee4df [Pure Storage] Set default parameter for iscsi cidr
368102b14 Deprecate ineffective MysqlIncreaseFileLimit
efc328c66 Make PingTestGatewayIPsMap a map of flatten lists
1f79df6da Update project personas policies in custom neutron policy
70720d21d [Pure Storage] Add new FlashArray Cinder driver params
632afe18c Add rgw max attributes constraints
c72579637 neutron: Stop setting the allow_overlapping_ips parameter
925e2db46 Keystone: Remove unused container_puppet_tasks
8cb2fd898 Fix logic related to CinderEtcdLocalConnect parameter
7f04caaf4 Use a designate specific directory for the bind persistent storage
0265f9572 Clean up update converge file
1314f345f [ovn] Deleting ovn agents during scale down tasks
61a1dcc3b Remove double slashes in path
a287ebc42 Add socket keepalive options for the pymemcache backend
839ddccdb Implement project personas in custom barbican policy file
0fe7045fa Deprecate env/enable-designate in favor of env/services/designate.yaml
b3863568a Fix set_fact on the CephMgrAnsibleVars
52ed0f05b Remove old non-ha container removal tasks
6d8091240 task-core basic framework
5d830980e Add ping test for all networks gateway IPs
d98009ae4 Change authentication method for Mellanox sdn controller
d33865cde Remove mariadb-server packages from the host
f2fd2a856 Add ovn_chassis_mac_map to ExtraConfig role
273b41a5d Use ServiceNetMap to filter PublicNetwork in haproxy-tls
f6eddad78 Don't use service_net_map_replace in krb-svc-principals
65151adc1 Add parameter IronicPowerStateChangeTimeout
48ed6294c Do not error out when a network is ipv6 only
040859a73 Clean up implementation to manage volume type by puppet
82a0781b4 Revert "Fix TLS-e with custom network names"
4bf486603 Clear up confusion on cinder's default volume type
4ba798c57 Add environment file for FIPS deployments
e2f6aec3e Add auth type for snmpd readonly user
6bae260bc Fix TLS-e with custom network names
26b05056e Adding NovaMkisofsCmd parameter to nova-compute
20311a0a5 Flatten yaql list expressions
f8e7bf2bb Do not set rabbitmq SSL CA certs when InternalTLSCAFile is ''
6b50e1622 Flatten yaql list expressions
b3e5e03d6 Drop UndercloudMinion environments
6b4a4389f Remove ganesha_vip extra config workaround
716fe9bc6 Deprecate `OvsDpdkDriverType` parameter
015fc41bd Sc04: Enable glance sparse image upload
ba7f896c5 Revert "Enable fernet token cache by default"
9193090b1 Allow configuring secure RBAC in glance
1cbd03a13 Use double quotes for string comparisons policies in glance
34b7d28e6 Drop non-bundle manila from puppet-config
76adfd420 Use true/false for boolean values
4d6dc5308 Refactor usage of QemuMemoryBackingDir
f834c26d5 Enable new SELinux boolean for vTPM support
f664302c3 Enable new SELinux boolean for vTPM support
40d5282eb follow-up: Enable support for Libvirt modular daemons
42d746921 Introduce ApplyCephConfigOverridesOnUpdate
3d2fec12b Implement project personas in custom cinder policy file
9e30f281f Remove network_virtual_ips hard-coded name filter
c0b778301 GaneshaNetwork - fallback -> external -> ctlplane
2202412db Implement project personas in custom neutron policy file
433cc9375 Implement project personas in custom keystone policy file
b522254bc Remove six library
b30b3cc82 Implement project personas in custom placement policy file
5a43e8a30 Use EnableInternalTLS to set pssl in nb and sb
4477e2862 Implement project personas in custom manila policy file
716492274 Deprecate IronicIpVersion
9d6f24131 Set default value of IronicDefaultBootMode to uefi
9be1b7746 Run Swift replicators in single replica mode
762f5056d Allow Swift to configure secure RBAC options
93d06c2b9 Cinder: Update puppet parameters to set castellan options
ccacb548e Enable enable_proxy_headers_parsing in Designate API
5e5472337 Add note indicating only Controllers use network VIPs
e618ad8d3 Honor the ExternalSwiftUserTenant parameter

Diffstat (except docs and test files)
-------------------------------------
environments/undercloud.yaml | 14 +- environments/undercloud/undercloud-minion.yaml | 289 ---- .../update-from-keystone-admin-internal-api.yaml | 6 - .../krb-service-principals/role.role.j2.yaml | 22 +- .../post_deploy/undercloud_ctlplane_network.py | 73 +- firstboot/userdata_timesync.yaml | 1 + network/endpoints/endpoint_map.yaml | 384 ----- network/network.j2 | 8 +- network/ports/ovn_mac_addr_port.yaml | 4 - network_data.yaml | 3 +- network_data_dashboard.yaml | 3 +- network_data_ganesha.yaml | 3 +- network_data_routed.yaml | 3 +- network_data_subnets_routed.yaml | 3 +- overcloud-resource-registry-puppet.j2.yaml | 17 +- overcloud.j2.yaml | 26 +- .../pre_deploy/compute/neutron-ml2-bigswitch.yaml | 52 - .../controller/neutron-ml2-bigswitch.yaml | 84 - puppet/role.role.j2.yaml | 21 +- ...pe-for-snmp-readonly-user-c90c9e5a12c92893.yaml | 6 + ...-boot-interface-parameter-f07c1fe24c7cb543.yaml | 8 + ...ironic-inspector-tls-port-4e59d0c2b2922f68.yaml | 5 + .../add-novamkisofscmd-param-6dbb64e4497a8ce6.yaml | 7 + .../add-octavia-tls-settings-7583df511c53b27a.yaml | 4 + .../add-rabbit-fips-option-ddf5a0d7e37d8e5d.yaml | 5 + .../notes/add_token_auth-fb9f0dfe8e70a4c1.yaml | 10 + ...g-1953672-haproxy-rsyslog-6f8e386f8909a253.yaml | 4 + .../certificiate-validation-1b08ab8cf40b7cad.yaml | 11 + ...ge-keystone-admin-network-a29499018c323cea.yaml | 4 + ...arify-default-volume-type-c77e7a7ddafdf172.yaml | 12 + .../dellemc-driver-cleanup-4a1febdc51ec674c.yaml | 14 + ...te-MysqlIncreaseFileLimit-20548c5f7234d14c.yaml | 5 + ...precate-ironic-ip-version-27e24f03da6ddd59.yaml | 4 + ...gnate-enable-bind-logging-642e77541645519b.yaml | 6 + ...esignate-environment-file-bd08eef69758a996.yaml | 6 + .../notes/dpdk_driver_remove-76d61711c19cd099.yaml | 7 + ...e-secure-rbac-for-neutron-842bd41339a48f26.yaml | 8 + ..._secure_rbac_for_keystone-62685484ef589726.yaml | 9 + ...e_rbac_support_for_glance-167d53c491cd326c.yaml | 8 + ...-fs.aio-max.nr-on-compute-06447122b8e12c71.yaml | 7 + 
...stone-notification-driver-0c71165430eb57ef.yaml | 7 + ...nova_api_show_host_status-f0dfaf4c2b0c536f.yaml | 19 + .../notes/power_state-457f12af30b9e341.yaml | 8 + ...ure_storage_update_params-4de801b1ed2d0744.yaml | 6 + ...redis_disabled_by_default-9992b2bae9b149cd.yaml | 7 + ...ute_service_check_for_ffu-19a91d20e146056c.yaml | 6 + ...move-networking-bigswitch-9ae5c280990284a2.yaml | 5 + .../notes/remove-novajoin-3ccef190c99c419b.yaml | 8 + .../remove-undercloud-minion-198ce8ea01c4e366.yaml | 7 + ...p-podman-purge-undercloud-a3a30b5ac3a0951b.yaml | 9 + ...ft-single-replica-cleanup-fdf72b9e462185c7.yaml | 6 + .../tripleo-kernel-hugepages-424c19a4b1579af8.yaml | 23 + .../notes/uefi-boot-mode-a8b1b416a0e9cdc4.yaml | 7 + .../uefi_ipxe_bootfile_name-f2c9cc8971dc1ed8.yaml | 9 + requirements.txt | 1 - roles/CephAll.yaml | 1 + roles/CephStorage.yaml | 1 + roles/Compute.yaml | 1 + roles/ComputeAlt.yaml | 1 + roles/ComputeDVR.yaml | 1 + roles/ComputeHCI.yaml | 1 + roles/ComputeHCIOvsDpdk.yaml | 1 + roles/ComputeHCISriov.yaml | 1 + roles/ComputeInstanceHA.yaml | 1 + roles/ComputeLocalEphemeral.yaml | 1 + roles/ComputeOvsDpdk.yaml | 1 + roles/ComputeOvsDpdkRT.yaml | 1 + roles/ComputeOvsDpdkSriov.yaml | 1 + roles/ComputeOvsDpdkSriovRT.yaml | 1 + roles/ComputePPC64LE.yaml | 1 + roles/ComputeRBDEphemeral.yaml | 1 + roles/ComputeRealTime.yaml | 1 + roles/ComputeSriov.yaml | 1 + roles/ComputeSriovIB.yaml | 1 + roles/ComputeSriovRT.yaml | 1 + roles/ComputeVdpa.yaml | 1 + roles/Controller.yaml | 5 +- roles/ControllerAllNovaStandalone.yaml | 1 + roles/ControllerNoCeph.yaml | 3 - roles/ControllerNovaStandalone.yaml | 26 +- roles/ControllerOpenstack.yaml | 2 + roles/ControllerSriov.yaml | 11 +- roles/ControllerStorageDashboard.yaml | 5 +- roles/ControllerStorageNfs.yaml | 4 +- roles/DistributedCompute.yaml | 1 + roles/DistributedComputeHCI.yaml | 1 + roles/DistributedComputeHCIDashboard.yaml | 1 + roles/DistributedComputeHCIScaleOut.yaml | 1 + roles/DistributedComputeScaleOut.yaml | 1 
+ roles/HciCephAll.yaml | 1 + roles/HciCephObject.yaml | 2 +- roles/Standalone.yaml | 4 +- roles/Undercloud.yaml | 35 - roles/UndercloudMinion.yaml | 33 - roles_data.yaml | 7 +- roles_data_undercloud.yaml | 36 +- sample-env-generator/enable-services.yaml | 29 - sample-env-generator/ssl.yaml | 5 - sample-env-generator/undercloud-minion.yaml | 284 ---- scripts/undercloud-upgrade-ephemeral-heat.py | 24 +- tools/convert_heat_nic_config_to_ansible_j2.py | 17 +- tools/convert_nic_config.py | 5 +- tools/convert_v1_net_data.py | 1 + tools/merge-new-params-nic-config-script.py | 5 +- tools/process-templates.py | 5 +- tools/yaml-validate.py | 99 +- tox.ini | 4 +- zuul.d/layout.yaml | 4 +- 377 files changed, 9015 insertions(+), 5122 deletions(-) Requirements updates -------------------- diff --git a/requirements.txt b/requirements.txt index bda47437c..180423b34 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7 +6,0 @@ Jinja2>=2.10 # BSD License (3 clause) -six>=1.10.0 # MIT
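Review bot: the removal of `six>=1.10.0` from requirements.txt (hunk `@@ -7 +6,0 @@`) should be backed by a check that nothing in the tree still does `import six` or `from six import ...`. The diffstat lists edits to Python files such as tools/yaml-validate.py and scripts/undercloud-upgrade-ephemeral-heat.py, but none of their hunks appear in this announcement, so that cannot be confirmed from what is shown. If an import remains, it would keep working only while some other package pulls six in transitively, so remove the last import in the same change or keep the requirement.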