tripleo-heat-templates 13.2.0 (victoria)
We are pumped to announce the release of:

tripleo-heat-templates 13.2.0: Heat templates for deploying OpenStack with OpenStack.

This release is part of the victoria stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

13.2.0
^^^^^^

New Features
************

* The new parameter GlanceCinderMountPointBase has been added, which will be used for mounting NFS volumes on glance nodes. When glance uses cinder as its store and the cinder backend is NFS, this parameter must be set to match cinder's mount point.

* Added "MemcachedMaxConnections" setting with a default of 8192 maximum connections in order to allow an operator to override that value in environments where memcached is heavily solicited.

* The logic to configure the connection from barbican to nShield HSMs has been augmented to parse a nshield_hsms parameter, which allows the specification of multiple HSMs. The underlying ansible role (ansible-role-thales-hsm) will configure the HSMs in load sharing mode to provide HA.

* New "CinderRpcResponseTimeout" and "CinderApiWsgiTimeout" parameters provide a means for configuring Cinder's RPC response and WSGI connection timeouts, respectively.

* Add the possibility to configure the OVN DBs monitor interval in tht via OVNDBSPacemakerMonitorInterval (default 30s). Under load, monitoring can create extra stress, and since the timeout has already been bumped, it makes sense to bump this interval to a higher value as a trade-off between detecting a failure and stressing the service.

* When a node has hugepages enabled, we can help with live migrations by enabling *NovaLiveMigrationPermitPostCopy* and *NovaLiveMigrationPermitAutoConverge*. These flags are automatically enabled if hugepages are detected, but operators can override these settings.

* Add NovaLibvirtMaxQueues role parameter to set [libvirt]/max_queues in nova.conf of the compute. The default of 0 corresponds to not set, meaning the legacy limits based on the reported kernel major version will be used.

Known Issues
************

* Cell_v2 discovery has been moved from the nova-compute|nova-ironic containers, as this requires nova api database credentials which must not be configured for the nova-compute service. As a result, scale-up deployments which explicitly omit the Controller nodes will need to make alternative arrangements to run cell_v2 discovery. Either the nova-manage command can be run manually after scale-up, or an additional helper node using the NovaManage role can be deployed that will be used for this task instead of a Controller node. See Bug: 1786961 (https://launchpad.net/bugs/1786961) and Bug: 1871482 (https://launchpad.net/bugs/1871482).

Deprecation Notes
*****************

* Some parameters within ThalesVars have been deprecated. These are thales_hsm_ip_address and thales_hsm_config_location. See environments/barbican-backend-pkcs11-thales.yaml for details.

Bug Fixes
*********

* When deploying a spine-and-leaf (L3 routed architecture) with TLS enabled for internal endpoints, the deployment would fail because some roles are not connected to the network mapped to the service in ServiceNetMap. To fix this issue, a role specific parameter "{{role.name}}ServiceNetMap" is introduced (defaults to: "{}"). The role specific ServiceNetMap parameter allows the operator to override one or more service network mappings per-role. For example:

     ComputeLeaf2ServiceNetMap:
       NovaLibvirtNetwork: internal_api_leaf2

  The role specific "{{role.name}}ServiceNetMap" override is merged with the global "ServiceNetMap" when it's passed as a value to the "{{role.name}}ServiceChain" resources, and the "{{role.name}}" resource groups, so that the correct network for this role is mapped to the service.

  Closes bug: 1904482 (https://bugs.launchpad.net/tripleo/+bug/1904482).

* Do not relabel Swift files on every container (re-)start. These will be relabeled already in step 3 preventing additional delays.

Changes in tripleo-heat-templates 13.1.0..13.2.0
------------------------------------------------

6eb406ce1 Updating settings description
f3ac958f4 Add TLS support to services using memcached
76c8f9ec5 Add non-tls listener to Memcached
321f10d53 Add legacy fact setting
dbad3a079 Make UpgradeInitCommand and UpgradeLeapp{ToRemove,ToInstall,CommandOptions} per-role
a6c7ba02a Fix start order for {swift_proxy,glance_api}_tls_proxy
1b5768455 Check Ceph cluster healthy state before starting FS to BS playbook
780b05746 Add posibilities to set ovndbs monitor interval
871f26566 Add delegate_fact_hosts: false on ci scenarios
bb7b27b90 Support configuring cinder's RPC and WSGI timeouts
04b9cad83 Remove tripleo_transfer cleanup.yml reference
ad6eb8ae7 Allow configuring cinder mount point for glance cinder store
f022663d4 Make content provider depend on tox-pep8/tht on check layout
67ad3daa2 Use include task for host prep tasks
a57f8af41 Use ansible_facts instead
724d65804 Upgrade mariadb storage during upgrade tasks
e6e7019ad Fix redis_tls_proxy
bd5e2c80f Don't try creating default admin and member roles
9a1b9393b Drop service facts usage
c996c85ca Stop barbican servics in unupgraded controllers
0223e9ab6 Stop non-pcmk services of manila and cinder during upgrade
d98fa55bd Add parameters to allow multiple nshield HSMs
58825e473 Always set NetworkDeploymentActions to its default
853f4a15c Enabling 'cinder_use_multipath' if cinder multipath is enabled
e3b75f1db Stop ironic services in unupgraded controllers
bbf25f937 Stop octavia servics in unupgraded controllers
057f2c849 per_node is not parsing generated json
e30001881 Problematic nested quotes in hieradata file list
3ac51218f Add ContainerDefaultPidsLimit to set default pid limits in containers.conf
5e4d71b21 Use Ceph cluster name when setting minimum client version
0efeb96a3 Make DnfStreams support RoleParameters
1dc7be85b Add post delay to reboot
fd58e99de Enforces minimum Ceph client version to Mimic
d49fe9c60 Add a new role parameter rhsm_enforce.
a6b463069 Force json output format for hiera in derive pci whitelist
8e5f1e9ee Split network validation to it's own play
ace2eb097 Add NovaLibvirtMaxQueues role parameter to set [libvirt]/max_queues
ae7ab696d Revert "Reset sriov_numvfs to 0 before leapp upgrade"
9e271664a Use include_role for conditional inclusion
964a4a4e8 Remove ffwd lifecycle environment files.
8d0638eca Deprecate environments/dcn-hci.yaml for dcn-storage.yaml
95f2c33e3 Remove External{Internal,Public,Admin}Url parameters
7f8b5c4d2 Deleting nova-consoleauth services in post-upgrade
00cd7c170 Live migration optimization with HP
7c2933d3b Use Ceph-NFS for Manila in scenario004
28a26099b Making sure virt-guest-shutdown.target exists
bb8343a96 Remove pcs/pacemaker package installation from upgrade tasks
57520232f Fix unreachable handling
8e9798caf Serialize shutdown of pacemaker nodes
add0f9003 Do not relabel Swift files on every container start
6b4d841d9 Make it possible to override ServiceNetMap per-role
890c149f5 Fix ownership of octavia_rsyslog log directory
7ecc96232 Configure OVNCMSOptions=enable-chassis-as-gw within neutron-ovn-sriov.yaml
6a37431ce nova: Use LIBGUESTFS_BACKEND=direct
efd73e15d Set toplevel nova::dhcp_domain for all nova services
1ec4e5ece Add setting to override max memcached connections
43547f521 Fix swift containers idempotency
76481308b Refresh Swift ring files without restarting containers
cff6378fb Adding key_size option on the certificate creation
864e4fdd7 Revert rolling certificate updates for HA services
f62b05333 HA: reimplement resource locks with cibadmin
6c45e3e8c Update container-config-scripts/ folder content before update_tasks.
a2a6ddab5 Refactor nova db config
f75e6d51c Wire up new tripleo upgrades jobs template
3ce0c63b1 Enable tripleo_free strategy for upgrade
03697234f Move cell_v2 discovery off compute hosts
5c5f008df Don't pass empty values for ipaclient_servers to ipaclient role
8e316d7f1 Define a new CinderVolumeEdge service
0f1e78d73 Remove Luna HSM clients on scaledown
dd1cba373 Add 'networks_all' ansible group_var
fe170a316 Move ipa check to external_deploy_tasks
6a43fce4f Remove vfio-pci.conf module load file
b1bda7f47 Ensure cloud-init has finished before puppet run
b269eec7b Identify HSMs using labels instead of Slot ID
88fea40ae Fix the value of ssl_verify_client
c9221d24a Update TOX_CONSTRAINTS_FILE for stable/victoria

Diffstat (except docs and test files)
-------------------------------------

 ci/environments/multinode-containers.yaml | 1 +
 ci/environments/scenario001-standalone.yaml | 1 +
 ci/environments/scenario004-standalone.yaml | 6 +
 common/common-container-config-scripts.yaml | 17 +++
 common/container-puppet.sh | 6 +-
 common/deploy-steps-playbooks-common.yaml | 20 +--
 common/deploy-steps-tasks-step-0.j2.yaml | 17 +++
 common/deploy-steps-tasks-step-1.yaml | 22 +--
 common/deploy-steps-tasks.yaml | 6 +-
 common/deploy-steps.j2 | 29 +++-
 common/generate-config-tasks.yaml | 2 +-
 common/host-container-puppet-tasks.yaml | 4 +-
 container_config_scripts/mysql_upgrade_db.sh | 15 +++
 .../pacemaker_mutex_shutdown.sh | 120 +++++++++++++++++
 .../pacemaker_resource_lock.sh | 134 +++++++++++-------
 deployment/apache/apache-baremetal-puppet.j2.yaml | 16 +++
 .../barbican/barbican-api-container-puppet.yaml | 112 +++++++++-------
 .../barbican-backend-pkcs11-crypto-puppet.yaml | 14 +-
 .../ceilometer-base-container-puppet.yaml | 13 ++
 deployment/ceph-ansible/ceph-base.yaml | 11 ++
 deployment/ceph-ansible/ceph-grafana.yaml | 16 +++
 deployment/ceph-ansible/ceph-mgr.yaml | 16 +++
 deployment/ceph-ansible/ceph-mon.yaml | 28 ++++
 deployment/ceph-ansible/ceph-rgw.yaml | 20 ++-
 deployment/cinder/cinder-api-container-puppet.yaml | 11 +-
 .../cinder/cinder-backup-container-puppet.yaml | 15 +++
 .../cinder/cinder-backup-pacemaker-puppet.yaml | 2 +-
 deployment/cinder/cinder-base.yaml | 5 +
 .../cinder/cinder-volume-container-puppet.yaml | 15 +++
 .../cinder/cinder-volume-pacemaker-puppet.yaml | 2 +-
 deployment/containers-common.yaml | 3 +
 deployment/database/mysql-base.yaml | 22 +++
 deployment/database/mysql-container-puppet.yaml | 51 +++++--
 deployment/database/mysql-pacemaker-puppet.yaml | 54 ++++----
 deployment/database/redis-container-puppet.yaml | 16 +++
 deployment/database/redis-pacemaker-puppet.yaml | 24 +++-
 .../novajoin/novajoin-container-puppet.yaml | 6 +-
 deployment/etcd/etcd-container-puppet.yaml | 48 ++++---
 deployment/glance/glance-api-container-puppet.yaml | 14 +-
 .../haproxy-internal-tls-certmonger.j2.yaml | 19 +++
 deployment/haproxy/haproxy-pacemaker-puppet.yaml | 4 +-
 .../haproxy/haproxy-public-tls-certmonger.yaml | 19 +++
 deployment/haproxy/haproxy-public-tls-inject.yaml | 2 +-
 deployment/heat/heat-base-puppet.yaml | 24 +++-
 deployment/horizon/horizon-container-puppet.yaml | 2 +-
 deployment/ipa/ipaservices-baremetal-ansible.yaml | 34 +++--
 deployment/ironic/ironic-api-container-puppet.yaml | 14 ++
 .../ironic/ironic-conductor-container-puppet.yaml | 15 +++
 .../ironic/ironic-inspector-container-puppet.yaml | 16 +++
 deployment/ironic/ironic-pxe-container-puppet.yaml | 16 +++
 deployment/keystone/keystone-container-puppet.yaml | 28 +++-
 deployment/manila/manila-api-container-puppet.yaml | 15 +++
 .../manila/manila-scheduler-container-puppet.yaml | 15 +++
 .../manila/manila-share-container-puppet.yaml | 15 +++
 .../manila/manila-share-pacemaker-puppet.yaml | 2 +-
 .../memcached/memcached-container-puppet.yaml | 100 +++++++++++++-
 deployment/metrics/collectd-container-puppet.yaml | 2 +-
 deployment/metrics/qdr-container-puppet.yaml | 16 +++
 .../neutron/derive_pci_passthrough_whitelist.py | 2 +-
 .../neutron/neutron-api-container-puppet.yaml | 16 +++
 .../neutron/neutron-dhcp-container-puppet.yaml | 16 +++
 .../neutron-ovs-dpdk-agent-container-puppet.yaml | 24 +++-
 .../neutron-sriov-agent-container-puppet.yaml | 31 +----
 deployment/nova/nova-api-container-puppet.yaml | 38 ++++--
 deployment/nova/nova-apidb-client-puppet.yaml | 78 +++++++++++
 deployment/nova/nova-base-puppet.yaml | 102 +++-----------
 .../nova/nova-compute-common-container-puppet.yaml | 22 ++-
 deployment/nova/nova-compute-container-puppet.yaml | 149 +++++++++++++++++----
 .../nova/nova-conductor-container-puppet.yaml | 60 +++++++--
 deployment/nova/nova-db-client-puppet.yaml | 80 +++++++++++
 deployment/nova/nova-ironic-container-puppet.yaml | 28 ++--
 deployment/nova/nova-libvirt-container-puppet.yaml | 61 +++++++--
 deployment/nova/nova-manager-container-puppet.yaml | 105 +++++++++++++++
 .../nova/nova-metadata-container-puppet.yaml | 45 +++++--
 .../nova/nova-scheduler-container-puppet.yaml | 31 ++++-
 .../nova/nova-vnc-proxy-container-puppet.yaml | 81 ++++++++++-
 .../octavia/octavia-api-container-puppet.yaml | 15 +++
 .../octavia/octavia-deployment-config.j2.yaml | 4 +-
 .../octavia-health-manager-container-puppet.yaml | 20 ++-
 .../octavia-housekeeping-container-puppet.yaml | 15 +++
 .../octavia/octavia-worker-container-puppet.yaml | 19 ++-
 .../octavia/providers/ovn-provider-config.yaml | 16 +++
 .../ovn/ovn-controller-container-puppet.yaml | 16 +++
 deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 34 ++++-
 deployment/ovn/ovn-metadata-container-puppet.yaml | 16 +++
 .../pacemaker/pacemaker-baremetal-puppet.yaml | 6 +
 deployment/podman/podman-baremetal-ansible.yaml | 7 +
 deployment/rabbitmq/rabbitmq-container-puppet.yaml | 16 +++
 ...rabbitmq-messaging-notify-container-puppet.yaml | 16 +++
 ...rabbitmq-messaging-notify-pacemaker-puppet.yaml | 2 +-
 .../rabbitmq-messaging-pacemaker-puppet.yaml | 2 +-
 .../rabbitmq-messaging-rpc-container-puppet.yaml | 16 +++
 .../rabbitmq-messaging-rpc-pacemaker-puppet.yaml | 2 +-
 .../external-swift-proxy-baremetal-puppet.yaml | 49 +------
 .../swift-refresh-rings-cc327f998490b0df.yaml | 6 +
 deployment/swift/swift-proxy-container-puppet.yaml | 20 +++
 .../swift/swift-ringbuilder-container-puppet.yaml | 10 ++
 .../swift/swift-storage-container-puppet.yaml | 48 ++++++-
 deployment/timesync/chrony-baremetal-ansible.yaml | 11 +-
 deployment/tls/undercloud-tls.yaml | 6 +-
 .../tripleo-packages-baremetal-puppet.yaml | 61 ++++++---
 deployment/undercloud/undercloud-upgrade.yaml | 4 +-
 environments/barbican-backend-pkcs11-lunasa.yaml | 24 ++--
 environments/barbican-backend-pkcs11-thales.yaml | 22 ++-
 environments/dcn-hci.yaml | 5 +-
 environments/dcn-storage.yaml | 53 ++++++++
 environments/lifecycle/ffwd-upgrade-converge.yaml | 9 --
 environments/lifecycle/ffwd-upgrade-prepare.yaml | 10 --
 environments/services/neutron-ovn-dvr-ha.yaml | 2 -
 environments/services/neutron-ovn-ha.yaml | 4 -
 environments/services/neutron-ovn-sriov.yaml | 6 +-
 environments/ssl/enable-memcached-tls.yaml | 10 ++
 overcloud-resource-registry-puppet.j2.yaml | 4 +
 overcloud.j2.yaml | 29 +++-
 puppet/extraconfig/pre_deploy/per_node.yaml | 12 +-
 ...ount-point-base-parameter-852554398b9f3a19.yaml | 7 +
 ...ddmemcachedmaxconnections-b591c0fa39e821f5.yaml | 6 +
 .../notes/barbican-thales-ha-581fbe9b5ef4dc87.yaml | 11 ++
 .../notes/bug-1904482-dbc5162c8245a9b3.yaml | 21 +++
 ...v2_discovery_off_computes-2b977c6b9a01cde2.yaml | 13 ++
 ...er-add-timeout-parameters-54550a6e1c11c0b9.yaml | 6 +
 .../dcn-hci-storage-rename-0b1c17dd50f4cc9a.yaml | 8 ++
 .../monitor_interval_ovndbs-b14c886737965300.yaml | 9 ++
 ...mit-postcopy-autoconverge-ca1719fd2abed45f.yaml | 8 ++
 .../nova_libvirt_max_queues-8024fc63105bd25d.yaml | 6 +
 .../swift-prevent-relabeling-b9721aa5a1abda6e.yaml | 5 +
 roles/CephFile.yaml | 1 +
 roles/CephObject.yaml | 1 +
 roles/CephStorage.yaml | 1 +
 roles/DistributedCompute.yaml | 2 +
 roles/DistributedComputeHCI.yaml | 2 +-
 roles/NovaManager.yaml | 37 +++++
 roles/README.rst | 6 +
 roles/Standalone.yaml | 3 +
 roles_data.yaml | 1 +
 sample-env-generator/dcn.yaml | 13 +-
 tools/yaml-validate.py | 7 +-
 tox.ini | 2 +-
 zuul.d/layout.yaml | 5 +
 139 files changed, 2466 insertions(+), 603 deletions(-)