tripleo-heat-templates 13.3.0 (victoria)
We are jazzed to announce the release of:

tripleo-heat-templates 13.3.0: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the victoria stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

13.3.0
^^^^^^

New Features
************

* Added new options for deploying Barbican with PKCS#11 backends:
  *BarbicanPkcs11CryptoTokenLabels* and
  *BarbicanPkcs11CryptoOsLockingOk*

* The "OS::TripleO::{{role.name}}::PreNetworkConfig" resource has been
  restored. This resource can be used to implement any configuration
  steps executed before network configurations are applied.

* *QemuDefaultTLSVerify* will allow operators to enable or disable TLS
  client certificate verification. Enabling this option will reject
  any client who does not have a certificate signed by the CA in
  /etc/pki/qemu/ca-cert.pem. The default is true and matches
  libvirt's. We will want to disable this by default in train.

* Added PTP parameters for timemaster service configuration on
  overcloud compute nodes. Timemaster will use the already present
  chrony parameters. PTPMessageTransport and PTPInterfaces are newly
  added.

Deprecation Notes
*****************

* The *BarbicanPkcs11CryptoTokenLabel* option has been deprecated and
  replaced with the *BarbicanPkcs11CryptoTokenLabels* option.

Bug Fixes
*********

* The "ExtraConfigPre" and "NodeExtraConfig" resources are now
  executed after network configurations are applied on nodes. This is
  consistent with the previous version, which used the heat software
  deployment mechanism instead of config-download.

* Previously, access to the sshd run by the nova-migration-target
  container was limited only via sshd_config. While login was not
  possible from other networks, the service was reachable via all
  networks. This change limits access to the NovaLibvirt and NovaApi
  networks, which are used for cold and live migration.

* Nova vnc configuration currently uses NovaVncProxyNetwork,
  NovaLibvirtNetwork and NovaApiNetwork to configure the different
  components (novnc proxy, nova-compute and libvirt) for vnc. If one
  of the networks gets changed from internal_api, the service
  configuration between libvirt, nova-compute and novnc proxy becomes
  inconsistent and the console is broken. This has been changed to use
  only NovaLibvirtNetwork for configuring the vnc endpoints, and
  NovaVncProxyNetwork is removed completely.

Changes in tripleo-heat-templates 13.2.0..13.3.0
------------------------------------------------

4890946ec Fix network_cidrs when ManageNetworks: false
0eaa748bb Add dependency on OVNMacAddressNetwork for role ResourceGroup
f35479563 Set tags on all OS::Neutron::Port resources
007eaecf0 Stop handler flush
cf17ac91e Add tags to THT network resources
d39526de1 Fix "ManageNetworks" use-case
9b67d6420 Add new options for Barbican PKCS#11 backend
b4cec5b72 Add OVNEncapType option to the ovn controller template
b6d85231a Re-add NovaVncProxyNetwork to service_net_map.j2.yaml
86de3c350 Disable tunneled mode when use_tls_for_live_migration
0fba0ce39 Add openstack-tox-tht to the gate
9536a5f31 Fix RoleParameters in tuned-baremetal-ansible.yaml
1311f8a52 Don't assume every role has default_route_networks
1785dabb8 Correct metrics_qdr logging path and regex parsing
521eae135 Run update tasks with become
c71b72b29 Stop using (and breaking) /var/tmp for horizon temporary things
f8485c9db Moving nova-consoleauth to step4
6ba1d84a4 Missing client certificate for live-migration with TLS
50c089a1f Add RootStackName to group_vars
48c444796 Add systemd dependency to openvswitch to ovn-controller
b542452cc Disabling LM PostCopy and AutoConverge for RT roles
ce9ae8666 Mount /etc/openldap inside the keystone container
9befbde21 Limit access to sshd used for nova migration
b276cb24b Remove ovn-cms-options from OVS when OVNCMSOptions is set to ""
e1998a8e5 Ensure ansible_fqdn is set
5171cd3d7 Fix NovaVncProxyNetwork removal
df04e9518 Remove no longer used NovaNfsEnabled parameter and condtion
de98fdb20 HA: fix race when moving VIP during minor update
1e137876a [update][upgrade] Use container-tools:3.0
63001263a HA: inject public certificates without blocking container
5325ac311 Move tmpwatch from cron.daily to actual root crontab
4260d30ea Set vlan-limit value depending on vlan_transparent setting
c2e62032b Correct spelling mistake
4be137395 Config parameters for timemaster service
721a8d414 [OVN] Remove check for OVN + Availability Zones
87fc83d7b Restore PreNetworkConfig resources
9ba03482c live_migration setting should be under libvirt namespace
05b191d3e Use single NovaLibvirtNetwork to configure instance console components
178018d90 Switch Octavia external tasks to 'post deploy'

Diffstat (except docs and test files)
-------------------------------------

common/deploy-steps.j2 | 31 +++-
deployed-server/ctlplane-port.yaml | 8 +
deployed-server/deployed-neutron-port.yaml | 11 ++
deployed-server/deployed-server.yaml | 8 +
.../barbican/barbican-api-container-puppet.yaml | 20 ++-
.../barbican-backend-pkcs11-crypto-puppet.yaml | 16 +-
deployment/glance/glance-api-container-puppet.yaml | 2 +-
deployment/haproxy/haproxy-public-tls-inject.yaml | 6 +-
deployment/horizon/horizon-container-puppet.yaml | 23 ++-
deployment/ipa/ipaservices-baremetal-ansible.yaml | 9 ++
deployment/keystone/keystone-container-puppet.yaml | 1 +
.../logrotate-crond-container-puppet.yaml | 45 ++++--
deployment/metrics/qdr-container-puppet.yaml | 4 +-
.../neutron/neutron-api-container-puppet.yaml | 3 +-
.../neutron/neutron-dhcp-container-puppet.yaml | 4 +-
deployment/nova/nova-compute-container-puppet.yaml | 58 ++++---
deployment/nova/nova-ironic-container-puppet.yaml | 12 --
deployment/nova/nova-libvirt-container-puppet.yaml | 25 ++-
.../nova-migration-target-container-puppet.yaml | 52 ++++---
.../nova/nova-vnc-proxy-container-puppet.yaml | 33 ++--
.../octavia/octavia-deployment-config.j2.yaml | 3 +-
.../ovn/ovn-controller-container-puppet.yaml | 24 ++-
.../pacemaker/pacemaker-baremetal-puppet.yaml | 4 +-
.../timemaster/timemaster-baremetal-ansible.yaml | 171 +++++++++++++++++++++
deployment/timesync/chrony-baremetal-ansible.yaml | 2 -
deployment/tls/undercloud-tls.yaml | 3 +
deployment/tuned/tuned-baremetal-ansible.yaml | 19 ++-
environments/barbican-backend-pkcs11-atos.yaml | 13 +-
environments/barbican-backend-pkcs11-lunasa.yaml | 3 +-
environments/barbican-backend-pkcs11-thales.yaml | 3 +-
.../lifecycle/undercloud-upgrade-prepare.yaml | 2 +-
environments/lifecycle/update-prepare.yaml | 2 +-
environments/lifecycle/upgrade-prepare.yaml | 2 +-
.../config/2-linux-bonds-vlans/role.role.j2.yaml | 2 +-
network/config/bond-with-vlans/role.role.j2.yaml | 2 +-
.../config/multiple-nics-vlans/role.role.j2.yaml | 2 +-
network/config/multiple-nics/role.role.j2.yaml | 2 +-
.../role.role.j2.yaml | 2 +-
network/config/single-nic-vlans/role.role.j2.yaml | 2 +-
network/network.j2 | 63 +++++---
network/ports/ctlplane_vip.yaml | 16 +-
network/ports/from_service.yaml | 3 +
network/ports/from_service_v6.yaml | 3 +
network/ports/noop.yaml | 13 ++
network/ports/ovn_mac_addr_port.yaml | 16 ++
network/ports/port.j2 | 39 +++++
network/ports/port_from_pool.j2 | 13 ++
network/ports/vip.yaml | 15 ++
network/ports/vip_v6.yaml | 16 +-
overcloud-resource-registry-puppet.j2.yaml | 2 +
overcloud.j2.yaml | 24 ++-
puppet/role.role.j2.yaml | 13 ++
...r-barbican-pkcs11-options-a2ec14369518b40e.yaml | 9 ++
.../notes/bug-1907214-df2f07cbacbe8a24.yaml | 13 ++
...introducing-qemutlsverify-af590e0243fe6b08.yaml | 9 ++
...va_migration_limit_access-20be8d69686ca95c.yaml | 8 +
.../notes/nova_novnc_network-83a1479bf227f867.yaml | 10 ++
...dd_support_for_timemaster-a8dc3e4d5db4e8b3.yaml | 7 +
tools/process-templates.py | 5 +
zuul.d/layout.yaml | 1 +
60 files changed, 751 insertions(+), 181 deletions(-)