[tripleo] puppet-tripleo-announce-release 5.6.1 (newton)
We are amped to announce the release of:

puppet-tripleo-announce-release 5.6.1

This release is part of the newton stable release series.

Download the package from:

    https://tarballs.openstack.org/puppet-tripleo/

For more details, please see below.

5.6.1
^^^^^

New Features
************

* Unless a non-default value is provided, the dhcp_agents_per_network
  neutron configuration variable is set to the number of deployed
  neutron dhcp agents.

* Restrict nova migration ssh tunnel

  * The ssh authorized_keys file is only writeable by root.

  * Creates a new user for migration instead of using root/nova.

  * Disables SSH forwarding for this user.

  * Restricts the networks that this user can connect from.

  * Uses an ssh wrapper command to whitelist the commands that this
    user can run over ssh.

  Adds new parameter
  "tripleo::profile::base::nova::migration_ssh_localaddrs" to specify
  which incoming IPs are allowed for SSH tunnel connections.

* Configure ssh tunneling for nova cold-migration. Re-use the tunnel
  for libvirt live-migration unless TLS is enabled.

* Added /etc/issue & /etc/issue.net parameters

* Added MOTD banner parameters

* Added external module saz-ssh to allow management of sshd_config

Known Issues
************

* Ignore failures if the nf_conntrack_proto_sctp module fails to load.
  Since RHEL 7.4, nf_conntrack_proto_sctp is compiled into the kernel
  rather than built as a separate module for SCTP support. TripleO
  will still try to load the module to support RHEL 7.3, but in the
  future will remove the module management and rely on the kernel
  provided in newer versions of RHEL.

Bug Fixes
*********

* Allow VF configuration files to be written for non-existent PCI
  devices to allow updates while physical functions are currently in
  use by a guest.

* Because the mod_ssl package is installed in images by default,
  updating the mod_ssl package introduced an issue. When SSL is not
  used, or is provided by HAProxy, the puppet-apache module purges the
  ssl.conf file by default. The package update then recreates the file
  with the default Listen 443 option, which causes a conflict on port
  443 during httpd restart. If we include ::apache::mod::ssl, the
  ssl.conf file will be configured and the Listen option will be used
  only if there is a vhost set to use SSL.

Changes in puppet-tripleo-announce-release 5.6.0..5.6.1
-------------------------------------------------------

bd97ed5 Release 5.6.1
fe7a001 Use correct manage_firewall hieradata
7d50cc9 Do not fail if PCI device is missing
0b9e9b7 Remove unnecessary references to neutron core plugin hiera
63c3259 Addition of Nuage as mechanism driver for ML2
d1d38fb Default neutron dhcp_agents_per_network to number of agents
e2885f4 Ignore failures when loading nf_conntrack_proto_sctp kernel module
705051f Decouple swift-proxy from ceilometer packages
57c4a52 Include local CA in haproxy PEM
68adf5b Remove condition to match hdr(host) in haproxy redirect rule
eed662f Restrict nova migration ssh tunnel
e1f0633 Configure migration SSH tunnel
0c87038 Refactor SSHD config to allow both SSHD options and banner/motd to be set
3026e27 Stop SSHD profile clobbering SSH client config
fc640d8 SSHD Service extensions
62f1bf7 Update gitignore not to exclude fixture hieradata
547d96d Add retries to the ::pacemaker::stonith property
a70c065 Ensure we configure ssl.conf
b555dc3 Create /etc/my.cnf.d/tripleo.cnf with proper bind-address

Diffstat (except docs and test files)
-------------------------------------

.gitignore                                         |   3 +-
Puppetfile_extras                                  |   4 +
lib/puppet/provider/sriov_vf_config/numvfs.rb      |   2 +-
manifests/certmonger/haproxy.pp                    |  20 +-
manifests/haproxy.pp                               |   2 +-
manifests/haproxy/endpoint.pp                      |   2 +-
manifests/host/sriov.pp                            |   2 +-
manifests/profile/base/aodh/api.pp                 |   1 +
manifests/profile/base/ceilometer/api.pp           |   1 +
manifests/profile/base/database/mysql/client.pp    |  72 ++++
manifests/profile/base/gnocchi/api.pp              |   1 +
manifests/profile/base/kernel.pp                   |  28 +-
manifests/profile/base/keystone.pp                 |   1 +
manifests/profile/base/neutron.pp                  |  30 +-
manifests/profile/base/neutron/plugins/ml2.pp      |   4 +
.../profile/base/neutron/plugins/ml2/nuage.pp      |  31 ++
manifests/profile/base/neutron/sriov.pp            |  14 +-
manifests/profile/base/nova.pp                     | 120 ++++++-
manifests/profile/base/pacemaker.pp                |   8 +-
manifests/profile/base/sshd.pp                     |  85 +++++
manifests/profile/base/swift/proxy.pp              |  21 +-
metadata.json                                      |   2 +-
...missing-pci-dev-for-sriov-bbc29f62fcac10ff.yaml |   5 +
...e-dhcp-agents-per-network-3089c5e7b15f8b7b.yaml |   5 +
.../cold_migration_security-1543136408c76459.yaml  |  10 +
.../cold_migration_setup-dc4ebd834920c27f.yaml     |   4 +
.../notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml    |  10 +
.../nf_conntrack_proto_sctp-a64300a3fc7b4e55.yaml  |   9 +
releasenotes/notes/sshd-437c531301f458bb.yaml      |   5 +
spec/classes/tripleo_host_sriov_spec.rb            |   4 +-
spec/classes/tripleo_profile_base_kernel_spec.rb   |  59 ++++
spec/classes/tripleo_profile_base_nova_spec.rb     | 375 +++++++++++++++++++++
spec/classes/tripleo_profile_base_sshd_spec.rb     | 192 +++++++++++
spec/fixtures/hieradata/default.yaml               |   6 +
spec/spec_helper.rb                                |   2 +
35 files changed, 1093 insertions(+), 47 deletions(-)
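
The forced-command allowlist described under "Restrict nova migration ssh tunnel" above, as an added example that is not code from puppet-tripleo: a wrapper that sshd runs in place of the requested command and that passes through only the argv patterns it recognises. The allowlist entries, the instances path, the wrapper path and the authorized_keys line in the comment are assumptions made for illustration.

```python
import os
import re
import shlex
import sys

# Constructed authorized_keys entry (an assumption, not the project's file).
# It limits source networks, disables forwarding and forces the wrapper:
#   from="172.16.0.0/24",no-port-forwarding,no-agent-forwarding,
#   no-X11-forwarding,no-pty,command="/usr/local/bin/migration-wrapper" <key>

# Hypothetical allowlist. A name must start with an alphanumeric character,
# so "." and ".." can never match and escape the instances directory.
NAME = r"[A-Za-z0-9][A-Za-z0-9_.-]*"
INSTANCE = r"/var/lib/nova/instances/" + NAME
ALLOWED = [
    ["mkdir", "-p", INSTANCE],
    ["rm", "-rf", INSTANCE],
    ["touch", INSTANCE + "/" + NAME],
]


def authorize(original_command):
    """Return the argv to run, or None when the request is not allowlisted."""
    if not original_command:
        return None  # no command means an interactive login: refuse
    try:
        argv = shlex.split(original_command)  # tokenise without a shell
    except ValueError:
        return None  # unbalanced quotes
    for pattern in ALLOWED:
        if len(argv) == len(pattern) and all(
            re.fullmatch(p, a) for p, a in zip(pattern, argv)
        ):
            return argv
    return None


def main():
    # sshd places the client's requested command in SSH_ORIGINAL_COMMAND.
    argv = authorize(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("command not permitted\n")
        return 1
    os.execvp(argv[0], argv)  # exec directly; metacharacters are never parsed


if __name__ == "__main__":
    sys.exit(main())
```

Matching whole argv tokens and then calling exec without a shell is what keeps separators such as `;` or `$(...)` from ever being interpreted.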