tripleo-heat-templates 12.4.0 (ussuri)
We are gleeful to announce the release of:

tripleo-heat-templates 12.4.0: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the ussuri stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

12.4.0
^^^^^^

New Features
************

* Add new BarbicanClient tripleo service for configuring DCN/Edge
  nodes to access a barbican service running in the control plane.
  The client service is disabled by default, and can be enabled by
  including the environments/services/barbican-edge.yaml environment
  file when deploying a DCN/Edge stack.

* Added new PublicTLSCAFile parameter, which is used to set the CA
  cert in clouds.yaml for the keystone public endpoint. This defaults
  to an empty string ('') on the assumption that the certs are already
  trusted.

* Add GlanceImagePrefetcherInterval parameter to run a periodic job
  which fetches the queued images for caching in the cache directory
  when image cache is enabled.

* Add boolean parameter
  *NovaSchedulerQueryPlacementForAvailabilityZone* that sets the
  *scheduler/query_placement_for_availability_zone* parameter. It
  allows the scheduler to look up a host aggregate whose availability
  zone metadata key is set to the value provided by the incoming
  request, and to limit the results requested from placement to that
  aggregate. The default value for
  NovaSchedulerQueryPlacementForAvailabilityZone is false.

* Adds the "OctaviaLogOffload" setting to enable amphora log
  offloading.

* Added support for the VxFlexOS cinder block storage backend driver.

Deprecation Notes
*****************

* Usage of the option "NeutronFirewallDriver", which was used to set
  the "firewall_driver" config option in the Neutron server's config,
  is now deprecated. The firewall driver should be set per agent in
  the agent's config, which can be done using the
  "NeutronOVSFirewallDriver" option. The option in the Neutron server
  was kept only for backward compatibility reasons, but since the
  Newton release all Neutron agents report to the server which
  firewall driver is used, so there is no need to keep this legacy
  server-side option anymore.

Bug Fixes
*********

* Ensure the barbican Key Manager settings are configured on DCN/Edge
  nodes when the barbican service is deployed in the control plane.
  See bug 1886070 (https://bugs.launchpad.net/tripleo/+bug/1886070).

Other Notes
***********

* The ValidateNtp option has been removed from the all nodes
  validation configuration. During the time sync configuration we
  already do a check to ensure the NTP servers are available. If they
  are not, we will fail with an appropriate message. The ValidateNtp
  option came from a time before we could fail in a more explicit way.

Changes in tripleo-heat-templates 12.3.0..12.4.0
------------------------------------------------

1ed3cef04 Remove strategy comment
507898442 Ensure redis_tls_proxy starts after all redis instances
afc7e2c28 Use tripleo linear when not using tripleo free
b5b2bb640 Add BarbicanClient service for configuring edge sites
6358fd4a1 Remove /run from some services
0d587d8ce Drop the relabel flag for bind-mount
22544669d Switch deploy steps to tripleo_free
9c861fcfc Revert "Prevent nftables to interfere with tripleo firewall"
0c2bee43b Add become: true to the container json file modules
c6bafbf03 FFU support for ceph_nfs
71a8917a1 deploy-steps-playbooks-common: fix logic for scale_ignore_unreachable
3b6874daa Convert roles section into tasks-include_role in deploy-steps.j2.
eefa55e34 Simplify host entries generation
381f0146f Check for correct column name for execution show
d29386d8b Move sidecar kill scripts to host prep
f917423be Fix privilege escalation
4ed5c76e4 Generate container startup configs with a new module
03ab2f26d Fix bind mount volumes for novajoin containers
155a2b2a5 Always clear cached facts first
3166f641c Collapse host prep tasks
ccb139178 Collapse deploy steps
6cf0b38c4 Don't set RABBITMQ_SERVER_ERL_ARGS
3c48469a7 Task should fail on any failure
4465977d9 Fix default BlockStorageCinderVolume template
d423af38a undercloud/heat: set YAQL memory quota to 200000
cdfaab952 Add filestore to bluestore migration tags
7ab3de589 Exclude /etc/hostname
48d735e72 Add non-string value support for CephAnsibleEnvironmentVariables
b366fd9e1 Sync httpd conf.modules.d configs
de45a1fc6 Cleanup all container startup configs before generating the new ones
51e697362 Fix Error: invalid arguments you must use just one container
48940849b Add new parameter PublicTLSCACert
bd8756ef9 Add project template for IPA multinode
35a3bb146 Adding amphora architecture to heat templates
31832bda9 Disable Sahara in scenario003-standalone
4cb98be4d Increase the default UpgradeLeappRebootTimeout to 60 mins
0ed634442 Allow more tasks to be run in check mode
61b564480 Add composible service for tls enrollment
ccdbbc9ab Disable presettled metrics
fe759c675 Disable Designate service for scenario 03
454a0e652 Allow overriding InterfaceDefaultRoute with ips_from_pool template
c775af9e6 collectd: add support for mcelog service
1ca404cbc Move nova online migrations to nova-conductor
64641facd Fix syntax error
7f96ee799 Adding env file for octavia with kvm
c8d6df463 Update loop_vars
81b479b14 Allow triggering ceph-ansible filestore-to-bluestore with ceph_fstobs tag
faf2ae187 Ironic create_swift_temp_url_key use internal edpoint
71919ffed Support for Dell EMC VXFlexOS Backend
2c9034053 Consider user configuration during the derivation of passthrough whitelist
8a8cf9a5d Only enable leapp tasks when distribution is correct
b26167919 Unify metrics_qdr name to underscore
3ac4735cc Fix dry-run for NetworkConfig tasks
da727d0c4 Fix reserved name variable
89a2b9a3e Remove ValidateNtp
201f4db58 enable dpdk plugin on neutron ovn and ovs
dadc45daa Use empty string for overcloud InternalTLSCAFile param
213bb2680 Remove Ceph{Admin,Mon,Mds}Key parameters
e1670159d Add an option to adjust help URL in horizon
31f2658df Add the ability to offload amphora logs
6a119dcfb Ensure net.ipv6.conf.lo.disable_ipv6=0
9ee2f7418 Check transfer data flag to skip pacemaker normal upgrade.
e25ff3d50 Update minion rabbit credentials
66683ad94 Fix node scaling
db5f2b1d7 Add additional files to ipa standalone test
1d7070e92 Update scn003 to exercise ExtraFirewallrules capabilities
96327c8ef Revert "Only enable leapp tasks when distribution is correct"
b225e6b48 Add reserved ports for some services
392de5157 Change the :Z mount flag to :z
97464f164 Enable glance cache prefetcher interval
1c87fae29 MaxFailPercentage: default to 0
4ab32733a Configure valid_exit_code for startup containers
d6e86c4cf Fix sending SIGTERM to the sidecar containers
8bdf199af Set default InternalTLSCAFile in enable-tls.yaml
9551cfa6a rhsm: add rhsm_release in environment for doc purpose
8eaf18682 Move chcon for /var/lib/config-data
7dbd96c43 Make user value for GlanceImageImportPlugin prevail on logic
e52cfc03c Include tripleo_ceph_workdir role on rgw variables override
05f19f2c5 Force container deletion if namespace does not exist in service_kill
a01c36127 Modify tls-e service to not install packages by default
c56920c79 Correctly match openvswitch package
00c2da440 Enable adding packages into Leapp's to_remove/to_install files.
4dba85d81 Use /32 or /128 netmask for VIPs
c939d913b Remove unnecessary check after removing libvirt rpm dependencies
3a44feeb4 Only enable leapp tasks when distribution is correct
5bbc3ab7d Fix typo in the description of the Neutron related options
5d50ea313 Split ansible_limit with a colon.
7436ab8db Deprecate old NeutronFirewallDriver option
66e029cc3 Add new parameter NovaSchedulerQueryPlacementForAvailabilityZone
8e45fac85 Update TOX_CONSTRAINTS_FILE for stable/ussuri
829bc7268 Update .gitreview for stable/ussuri

Diffstat (except docs and test files)
-------------------------------------

 .gitreview | 1 +
 README.rst | 2 +
 all-nodes-validation.yaml | 6 -
 ci/common/all-nodes-validation-disabled.yaml | 6 -
 ci/environments/octavia-kvm.yaml | 7 +
 ci/environments/scenario000-standalone.yaml | 1 +
 .../scenario001-multinode-containers.yaml | 6 +-
 ci/environments/scenario001-standalone.yaml | 8 +-
 ci/environments/scenario003-standalone.yaml | 30 ++-
 ci/environments/scenario004-standalone.yaml | 7 +-
 .../scenario010-multinode-containers.yaml | 2 -
 ci/environments/scenario010-standalone.yaml | 6 +-
 common/container-puppet.sh | 13 +-
 common/container_startup_configs_tasks.yaml | 19 --
 common/deploy-steps-playbooks-common.yaml | 36 ++-
 common/deploy-steps-tasks-step-0.j2.yaml | 3 +
 common/deploy-steps-tasks-step-1.yaml | 48 ++--
 common/deploy-steps-tasks.yaml | 8 +
 common/deploy-steps.j2 | 165 ++++++--------
 common/generate-config-tasks.yaml | 2 +
 common/hiera-steps-tasks.yaml | 1 +
 container_config_scripts/wait-port-and-run.sh | 18 ++
 deployed-server/scripts/enable-ssh-admin.sh | 3 +-
 deployment/aodh/aodh-api-container-puppet.yaml | 7 +
 .../barbican/barbican-api-container-puppet.yaml | 7 +
 deployment/barbican/barbican-client-puppet.yaml | 60 +++++
 deployment/ceph-ansible/ceph-base.yaml | 16 +-
 deployment/ceph-ansible/ceph-client.yaml | 5 +-
 deployment/ceph-ansible/ceph-external.yaml | 5 +-
 deployment/ceph-ansible/ceph-grafana.yaml | 5 +-
 deployment/ceph-ansible/ceph-mds.yaml | 12 +-
 deployment/ceph-ansible/ceph-mgr.yaml | 5 +-
 deployment/ceph-ansible/ceph-mon.yaml | 22 +-
 deployment/ceph-ansible/ceph-nfs.yaml | 49 +++-
 deployment/ceph-ansible/ceph-osd.yaml | 5 +-
 deployment/ceph-ansible/ceph-rbdmirror.yaml | 5 +-
 deployment/ceph-ansible/ceph-rgw.yaml | 9 +-
 deployment/cinder/cinder-api-container-puppet.yaml | 7 +
 .../cinder-backend-dellemc-vxflexos-puppet.yaml | 148 +++++++++++++
 .../cinder/cinder-backup-pacemaker-puppet.yaml | 4 +-
 .../cinder/cinder-common-container-puppet.yaml | 4 +
 .../cinder/cinder-volume-pacemaker-puppet.yaml | 4 +-
 deployment/containers-common.yaml | 3 +
 deployment/database/mysql-pacemaker-puppet.yaml | 4 +-
 deployment/database/redis-container-puppet.yaml | 1 -
 deployment/database/redis-pacemaker-puppet.yaml | 14 +-
 .../docker/docker-baremetal-ansible.yaml | 4 +-
 deployment/glance/glance-api-container-puppet.yaml | 23 +-
 .../gnocchi/gnocchi-api-container-puppet.yaml | 7 +
 deployment/haproxy/haproxy-pacemaker-puppet.yaml | 6 +-
 deployment/haproxy/haproxy-public-tls-inject.yaml | 15 +-
 deployment/heat/heat-api-cfn-container-puppet.yaml | 7 +
 deployment/heat/heat-api-container-puppet.yaml | 7 +
 deployment/horizon/horizon-container-puppet.yaml | 13 ++
 deployment/ipa/ipaservices-baremetal-ansible.yaml | 2 +-
 deployment/ironic/ironic-api-container-puppet.yaml | 7 +
 .../ironic/ironic-conductor-container-puppet.yaml | 1 +
 deployment/ironic/ironic-pxe-container-puppet.yaml | 7 +
 deployment/kernel/kernel-baremetal-ansible.yaml | 4 +
 deployment/keystone/keystone-container-puppet.yaml | 15 +-
 deployment/logrotate/tmpwatch-install.yaml | 3 +-
 deployment/manila/manila-api-container-puppet.yaml | 7 +
 .../manila/manila-share-pacemaker-puppet.yaml | 4 +-
 deployment/metrics/collectd-container-puppet.yaml | 8 +
 deployment/metrics/qdr-container-puppet.yaml | 28 +--
 .../neutron/derive_pci_passthrough_whitelist.py | 246 ++++++++++++++++++---
 deployment/neutron/kill-script | 27 ++-
 .../neutron/neutron-api-container-puppet.yaml | 7 +
 .../neutron/neutron-dhcp-container-puppet.yaml | 65 +++---
 .../neutron/neutron-l3-container-puppet.yaml | 93 ++++----
 .../neutron-ovn-dpdk-config-container-puppet.yaml | 6 +
 .../neutron-ovs-dpdk-agent-container-puppet.yaml | 6 +-
 deployment/neutron/neutron-plugin-ml2.yaml | 17 +-
 .../neutron-sriov-agent-container-puppet.yaml | 4 +-
 deployment/nova/nova-api-container-puppet.yaml | 16 +-
 deployment/nova/nova-compute-container-puppet.yaml | 10 +-
 .../nova/nova-conductor-container-puppet.yaml | 9 +
 deployment/nova/nova-libvirt-container-puppet.yaml | 2 +-
 .../nova/nova-metadata-container-puppet.yaml | 7 +
 .../nova/nova-scheduler-container-puppet.yaml | 9 +-
 deployment/nova/novajoin-container-puppet.yaml | 4 +-
 .../octavia/octavia-api-container-puppet.yaml | 7 +
 .../octavia/octavia-deployment-config.j2.yaml | 12 +
 .../octavia-health-manager-container-puppet.yaml | 84 +++++--
 deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 4 +-
 deployment/ovn/ovn-metadata-container-puppet.yaml | 49 ++--
 .../pacemaker/pacemaker-baremetal-puppet.yaml | 32 ++-
 .../placement/placement-api-container-puppet.yaml | 11 +
 deployment/podman/podman-baremetal-ansible.yaml | 4 +-
 deployment/rabbitmq/rabbitmq-container-puppet.yaml | 3 +-
 ...rabbitmq-messaging-notify-pacemaker-puppet.yaml | 4 +-
 .../rabbitmq-messaging-pacemaker-puppet.yaml | 4 +-
 .../rabbitmq-messaging-rpc-pacemaker-puppet.yaml | 4 +-
 deployment/swift/swift-proxy-container-puppet.yaml | 8 +-
 deployment/tls/undercloud-tls.yaml | 99 +++++++++
 .../tripleo-firewall-baremetal-ansible.yaml | 35 +--
 .../tripleo-packages-baremetal-puppet.yaml | 53 ++++-
 deployment/undercloud/minion-rabbitmq-puppet.yaml | 25 +--
 deployment/undercloud/undercloud-upgrade.yaml | 2 +-
 deployment/zaqar/zaqar-container-puppet.yaml | 7 +
 environments/cinder-dellemc-vxflexos-config.yaml | 35 +++
 environments/enable-stf.yaml | 2 +-
 environments/lifecycle/upgrade-prepare.yaml | 2 +
 environments/metrics/collectd-write-qdr.yaml | 2 +-
 environments/public-tls-undercloud.yaml | 1 +
 environments/rhsm.yaml | 2 +
 environments/services/barbican-edge.yaml | 4 +
 environments/services/undercloud-tls.yaml | 4 +
 environments/ssl/enable-tls.yaml | 4 +
 environments/storage-environment.yaml | 4 -
 environments/undercloud.yaml | 3 +-
 environments/undercloud/undercloud-minion.yaml | 1 +
 net-config-standalone.j2.yaml | 6 +-
 net-config-undercloud.j2.yaml | 6 +-
 network/ports/port_from_pool.j2 | 27 ++-
 overcloud-resource-registry-puppet.j2.yaml | 6 +-
 overcloud.j2.yaml | 82 +++----
 puppet/role.role.j2.yaml | 37 ++--
 ...tronFirewallDriver-option-f4289b404abcc0b3.yaml | 12 +
 ...d-barbican-client-for-dcn-7182e8bab41fce21.yaml | 13 ++
 ...publictlscafile-parameter-0fd9c19dcd20be0b.yaml | 6 +
 ...ce_image_cache_prefetcher-288120ffa6ee2a13.yaml | 6 +
 ...ent_for_availability_zone-ffd415710a9cb903.yaml | 9 +
 .../octavia-log-offload-d1617e767f688da1.yaml | 4 +
 .../notes/remove-ValidateNtp-15724eaa8345aa4f.yaml | 8 +
 .../notes/vxflexos-driver-bec8e372280c44e6.yaml | 4 +
 roles/Controller.yaml | 1 +
 roles/ControllerNoCeph.yaml | 1 +
 roles/ControllerNovaStandalone.yaml | 1 +
 roles/ControllerStorageDashboard.yaml | 1 +
 roles/ControllerStorageNfs.yaml | 1 +
 roles/DistributedCompute.yaml | 1 +
 roles/DistributedComputeHCI.yaml | 1 +
 roles/DistributedComputeHCIScaleOut.yaml | 1 +
 roles/DistributedComputeScaleOut.yaml | 1 +
 roles/Standalone.yaml | 1 +
 roles/Undercloud.yaml | 1 +
 roles_data.yaml | 1 +
 roles_data_undercloud.yaml | 1 +
 sample-env-generator/ssl.yaml | 4 +
 sample-env-generator/undercloud-minion.yaml | 1 +
 tools/yaml-validate.py | 4 +
 tox.ini | 2 +-
 validation-scripts/all-nodes.sh | 40 ----
 zuul.d/layout.yaml | 8 +-
 145 files changed, 1637 insertions(+), 667 deletions(-)