tripleo-heat-templates 12.4.2 (ussuri)
We are pumped to announce the release of:

tripleo-heat-templates 12.4.2: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the ussuri stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

12.4.2
^^^^^^

New Features
************

* Added "MemcachedMaxConnections" setting with a default of 8192
  maximum connections in order to allow an operator to override that
  value in environments where memcached is heavily solicited.

* Add parameter "NovaAllowResizeToSameHost" to allow instances to
  resize to the host they are currently on. Normally the source host
  is excluded.

* To isolate LVM volumes created by compute guests, within Cinder
  volumes, from the LVM volumes created/managed by the host itself, a
  new task has been introduced to create an allowlist and denylist of
  devices which should be accessible (or not) to the host, configured
  in lvm.conf using the global_filter key. The allowlist is generated
  by gathering the list of existing in-use physical disks (or
  partitions) and appending to it any user-provided device passed via
  the *LVMFilterAllowlist* parameter. The denylist is configured via
  *LVMFilterDenylist* and defaults to ['.*'], which means it blocks
  any device not explicitly allowed. Both list parameters can be
  specified per-role. The feature is disabled by default and can be
  enabled by passing *LVMFilterEnabled: true*; when disabled, the
  existing lvm.conf won't be touched and a version of it which
  includes the global_filter will be left, for debugging, in
  */tmp/tripleo_lvmfilter.conf*.

* A new multipathd-container-ansible.yaml heat template replaces the
  multipathd-container.yaml template. The new template adds support
  for the following new parameters.

  * MultipathdSkipKpartx

  * MultipathdCustomConfigFile

* Add parameters *NovaLibvirtCPUMode*, *NovaLibvirtCPUModels* and
  *NovaLibvirtCPUModelExtraFlags* to allow configuration of the CPU
  related parameters *libvirt/cpu_mode*, *libvirt/cpu_model* and
  *libvirt/cpu_model_extra_flags* respectively.

* This change updates the multiple-nics and multiple-nics-vlans
  templates so that an external bridge is created if either the role
  uses the External network or the "external_bridge" tag is set in
  the role definition. This is done instead of checking if the role
  name is "Controller". This change also assigns the
  "external_bridge" tag to the Controller as well as the Compute
  roles, so that by default both roles can access the Neutron
  external bridge for floating IPs or SNAT and OVN can use DVR.

* The NovaApiMaxLimit parameter allows the operator to set Nova API
  max_limit using a Heat parameter in their templates.

* Add parameter *NovaVGPUTypesDeviceAddressesMapping* to provide a
  mapping for multiple vgpu types and corresponding device addresses.

Upgrade Notes
*************

* Cinder's legacy "volume" service and its associated endpoints are
  automatically removed from the keystone catalog. The "volume"
  service is associated with Cinder's v1 API, which was removed in
  Queens.

* When upgrading from the multipathd-container.yaml template to the
  new multipathd-container-ansible.yaml template, bear in mind the
  new MultipathdSkipKpartx parameter will configure the corresponding
  skip_kpartx setting in /etc/multipath.conf.

* NotificationDriver is now set to noop by default, as legacy
  telemetry services are disabled by default. Explicitly set the
  NotificationDriver parameter to enable notifications from each
  service.

* The "external_bridge" tag is now used for the Compute node. An
  external network bridge is required on the compute nodes in order
  to host floating IPs when using DVR. OVN deploys with DVR by
  default.

Deprecation Notes
*****************

* The multipathd-container.yaml template is deprecated in favor of a
  new multipathd-container-ansible.yaml template. The new template is
  backward compatible with the old template, but see the features and
  upgrade notes for additional details.

Bug Fixes
*********

* As per launchpad bug 1855704, the lvmfilter task aims to hide from
  the host the LVM2 volumes created by compute guests in Cinder
  volumes or Glance images.

* When using the Shared File Systems service (manila), you may now
  use the Heat template parameter "ManilaEnabledShareProtocols" to
  configure the NAS protocols that users may use. If not set, the
  value is inferred per the storage backends that have been enabled.

* The keystone catalog is automatically updated to remove any entries
  associated with Cinder's v1 API "volume" service. This fixes bug
  1897761 (https://bugs.launchpad.net/tripleo/+bug/1897761).

* Fixed the Octavia OctaviaTenantLogFacility setting default to 0 to
  align it with the project default.

* Certificates get merged into the containers using the kolla_config
  mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd
  gets disabled and enabled at a later point, the containers running
  the qemu process miss the required certificates and live migration
  fails. This change switches to bind mounts for the certificates
  and, in the case of UseTLSTransportForNbd, creates the required
  certificates even if UseTLSTransportForNbd is set to False. With
  this, UseTLSTransportForNbd can be enabled/disabled as the required
  bind mounts/certificates are already present.

* https://review.opendev.org/q/I8df21d5d171976cbb8670dc5aef744b5fae657b2
  introduced THT parameters to set libvirt/cpu_mode. The patch
  wrongly set NovaLibvirtCPUMode to the string 'none', which causes
  puppet-nova not to handle the default cases correctly and to set
  libvirt/cpu_mode to none, which results in the 'qemu64' CPU model,
  which is highly buggy and undesirable for production usage. This
  changes the default to the recommended CPU mode 'host-model', for
  various benefits documented elsewhere.

* When using RHSM Service
  (deployment/rhsm/rhsm-baremetal-ansible.yaml) based registration of
  the overcloud nodes and enabling KSM using
  NovaComputeEnableKsm=True, the overcloud deployment will fail
  because the RHSM registration and the ksm task run as host_prep
  tasks. Enabling/disabling ksm is now handled in deploy step 1.

* In a cellv2 multicell environment, nova-metadata is the only httpd
  managed service on the cell controller role. With tls-everywhere,
  the cell controller host must have the needed metadata to be able
  to request the HTTP certificates. Otherwise the getcert request
  fails with "Insufficient 'add' privilege to add the entry
  'krbprincipalname=HTTP/cell1-cellcontrol-0....'"

Changes in tripleo-heat-templates 12.4.1..12.4.2
------------------------------------------------

0f3cc2653 [USSURI ONLY] Remove duplicate /var/run/openvswitch bind mount
d3ef7c0fa Set up right DNF module stream for Upgrades and Updates.
b3521d542 Ensure LANG env is properly set when puppet runs.
bc23f0e31 Add setting to override max memcached connections
a7b1c81a0 Fix swift containers idempotency
de5fcf0d3 Refresh Swift ring files without restarting containers
8968c7efd Rolling certificate update for HA services
977fc27fa Adding key_size option on the certificate creation
54b080903 Wire up new tripleo upgrades jobs template
dcab52658 Don't pass empty values for ipaclient_servers to ipaclient role
3b9e1dad6 Define a new CinderVolumeEdge service
57e689834 Rely on the HOSTNAME var to resolve the mon container name
833e812ba Ensure cinder LVM volumes work after system restart
3846879d4 Skip Trilio dirs when setting ownership in /var/lib/nova
f6b05380b Set setgid mode bit for /var/lib/ironic
b51683ceb Remove Luna HSM clients on scaledown
60b2ac482 The lower constraint file has been removed
176889bec Run os-net-config on step 3
8ffad6e84 Move ipa check to external_deploy_tasks
b8ec72926 [Ussuri/Train] Check mode doesn't work for async tasks
de1b88ca5 Run online migration tasks from external_update_tasks too.
2d478acc3 Enable tripleo_free strategy for upgrade
319515719 Remove vfio-pci.conf module load file
ff4bbbf94 Fix barbican settings missing from glance Edge nodes
d35ed9771 node_exporter_container_image is needed in 'all' group
ec495e9a0 Adding Ceph Dashboard to the Edge roles
6cc86ee96 Add qemu metadata to compute node when tls for live migration
79b528061 Add NovaApiMaxLimit configure max_limit for nova
2de50cc3c Identify HSMs using labels instead of Slot ID
47d31250e Switch novajoin to use RpcUserName
d5a87a297 Use ansible for nodes validation
e51143134 Set correct default NovaLibvirtCPUMode
77de9ff3e Use bind mounts for tls certificates
fa6700449 Add file which enables QoS related L3 agent extensions
5b553b611 [ussuri] Migrate to content provider jobs/templates
243055beb Make sure apache metadata is set for nova-metadata service
23718b21c Refresh ceph-ansible group_vars values
365397323 Move enable ksm on compute node to deploy step 1
a1058dbe7 Add CinderBackupOptVolumes parameter
f15758abb Properly compute hostname when looking for the ceph-mon container
15a196e79 Filter computes with nova_host defined
8d186938d Fix MetricsQdrUseSSL value
bf5883f10 Fix ceilometer_agent_compute healthcheck
013d15f48 [stable/ussuri,train] Add cidr to outputs of port_from_pool.j2
230a0ad90 Always set dashboard_protocol when Ceph Dashboard is enabled
29b8a69a8 Fix memcached logging
a19a3c6ae Deploy multipathd using tripleo_multipathd ansible role
815af694a Add NovaDisableImageDownloadToRbd parameter
0b58b547b Config options for AMQP1 transport in collectd sensubility
bf50c743a Add package install for openssl-perl
805fe6e41 Don't manage bridge mappings in scenario file
f41f220cb Add CephClientConfigOverrides resource
4747cc41c Run tripleo_lvmfilter role to restrict block devices visible to LVM2
aaecbcc2e Don't use POLL_SERVER_CFN transport for DeployedServer
f9df16fc8 Expose new THT params for cpu model flags
acc6fe01e Fix names of the puppet parameters used to set min bw limits in Neutron
256f92d25 Add possibility to set logging source for Horizon
9203e6998 Return details in output of container health check
01714bd31 Fix Octavia OctaviaTenantLogFacility default
3e4745e92 Change permissions on /run/octavia to octavia
6f7027346 Force CephAnsiblePlaybook to its default value on FFU prepare
bb866621a [manila] Add "ManilaEnabledShareProtocols" param
7ab640cfa Disable notification from services by default
15faa808a Add config option for collectd libpodstats
514ac5b08 Use `undercloud` instead of `Undercloud` when delegating tasks
a7f4a1566 Retry container pull 3 times
99220e0ca [FFU] Remove cinder's v1 keystone service
d91a8c121 Also configure Ironic for UC minions
d00312805 Expose new parameter `NovaVGPUTypesDeviceAddressesMapping`
76e3a6880 Make NovaLibvirtOptVolumes role specific
98d889fd7 Remove dashboard_frontend_vip from the ceph mgr template
e83c47f11 firewall: make ExtraFirewallRules role specific
513321b3b Squashed backport for 'NovaAllowResizeToSameHost' parameter
fa830587d Add ability to manage irqbalance on compute per role
1674d3a34 Create external bridge on Compute nodes by default for OVN with DVR
e821f91b6 Centralized logging minor fixes
e1b4dca17 Add more metadata to logs
74977e585 Enable Ceilometer data transfer for STF

Diffstat (except docs and test files)
-------------------------------------

158 files changed, 2169 insertions(+), 774 deletions(-)
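
For the LVMFilterEnabled feature in the New Features notes above, the following added example (not code from tripleo-heat-templates or the tripleo_lvmfilter role) checks which block devices a global_filter line would leave visible to the host, for instance before promoting /tmp/tripleo_lvmfilter.conf. Assumptions: the rendered layout (allow entries first, then deny entries), the device names, and Python's re module standing in for LVM's regex engine on simple patterns; the evaluation order follows lvm.conf(5).

```python
import re


def render_global_filter(allowlist, denylist):
    """Build a global_filter line (assumed layout: allow entries, then deny)."""
    entries = [f'"a|{p}|"' for p in allowlist] + [f'"r|{p}|"' for p in denylist]
    return "global_filter = [ " + ", ".join(entries) + " ]"


def parse_global_filter(conf_text):
    """Return [(action, regex)] from the first uncommented global_filter line."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("global_filter"):
            continue  # this also skips "# global_filter = ..." comment lines
        rules = []
        for item in re.findall(r'"([^"]*)"', stripped):
            # Each entry is: action ('a' or 'r'), delimiter, regex, delimiter.
            if len(item) < 3 or item[0] not in "ar" or item[-1] != item[1]:
                raise ValueError(f"malformed filter entry: {item!r}")
            rules.append((item[0], re.compile(item[2:-1])))
        return rules
    return []


def device_visible(rules, paths):
    """Apply lvm.conf(5) semantics to all path names of one block device.

    For each path the first matching pattern decides. The device is accepted
    if any path is accepted, rejected if every matching path is rejected, and
    accepted when no pattern matches at all.
    """
    verdicts = []
    for path in paths:
        for action, regex in rules:
            if regex.search(path):  # patterns are unanchored unless they use ^ $
                verdicts.append(action)
                break
    return "a" in verdicts or not verdicts


# Constructed sample: a host root PV and one multipath device are allowed,
# everything else falls through to the default denylist ['.*'].
SAMPLE_CONF = (
    "devices {\n"
    '    # global_filter = [ "a|.*|" ]\n'
    "    " + render_global_filter(["/dev/sda2", "/dev/mapper/mpatha"], [".*"]) + "\n"
    "}\n"
)
RULES = parse_global_filter(SAMPLE_CONF)

if __name__ == "__main__":
    for device_paths in (["/dev/sda2"], ["/dev/sdb"],
                         ["/dev/dm-3", "/dev/mapper/mpatha"], ["/dev/sda21"]):
        print(device_paths, "visible" if device_visible(RULES, device_paths) else "hidden")
```

Two things the check makes visible: an unanchored allow pattern such as /dev/sda2 also admits /dev/sda21, and with an empty denylist every unmatched device stays visible because LVM accepts by default.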