tripleo-heat-templates 11.5.0 (train)
We are pleased to announce the release of:

tripleo-heat-templates 11.5.0: Heat templates for deploying OpenStack with OpenStack.

This release is part of the train stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

11.5.0
^^^^^^

New Features
************

* The new parameter GlanceCinderMountPointBase has been added which
  will be used for mounting NFS volumes on glance nodes. When glance
  uses cinder as store and cinder backend is NFS, this parameter must
  be set to match cinder's mount point.

* The logic to configure the connection from barbican to nShield HSMs
  has been augmented to parse a nshield_hsms parameter, which allows
  the specification of multiple HSMs. The underlying ansible role
  (ansible-role-thales-hsm) will configure the HSMs in load sharing
  mode to provide HA.

* A new multipathd-container-ansible.yaml heat template replaces the
  multipathd-container.yaml template. The new template adds support
  for the following new parameters.

  * MultipathdSkipKpartx

  * MultipathdCustomConfigFile

* When a node has hugepages enabled, we can help with live migrations
  by enabling *NovaLiveMigrationPermitPostCopy* and
  *NovaLiveMigrationPermitAutoConverge*. These flags are automatically
  enabled if hugepages are detected, but operators can override these
  settings.

* Add NovaLibvirtMaxQueues role parameter to set [libvirt]/max_queues
  in nova.conf of the compute. Default 0 corresponds to not set
  meaning the legacy limits based on the reported kernel major version
  will be used.

Known Issues
************

* Cell_v2 discovery has been moved from the nova-compute|nova-ironic
  containers as this requires nova api database credentials which must
  not be configured for the nova-compute service.

  As a result scale-up deployments which explicitly omit the
  Controller nodes will need to make alternative arrangements to run
  cell_v2 discovery. Either the nova-manage command can be run
  manually after scale-up, or an additional helper node using the
  NovaManage role can be deployed that will be used for this task
  instead of a Controller node. See Bug: 1786961
  (https://launchpad.net/bugs/1786961) and Bug: 1871482
  (https://launchpad.net/bugs/1871482).

Upgrade Notes
*************

* When upgrading from the multipathd-container.yaml template to the
  new multipathd-container-ansible.yaml template, bear in mind the new
  MultipathdSkipKpartx parameter will configure the corresponding
  skip_kpartx setting in /etc/multipath.conf.

Deprecation Notes
*****************

* Some parameters within ThalesVars have been deprecated. These are
  thales_hsm_ip_address and thales_hsm_config_location. See
  environments/barbican-backend-pkcs11-thales.yaml for details.

* The multipathd-container.yaml template is deprecated in favor of a
  new multipathd-container-ansible.yaml template. The new template is
  backward compatible with the old template, but see the features and
  upgrade notes for additional details.

Bug Fixes
*********

* When deploying a spine-and-leaf (L3 routed architecture) with TLS
  enabled for internal endpoints the deployment would fail because
  some roles are not connected to the network mapped to the service in
  ServiceNetMap. To fix this issue a role specific parameter
  "{{role.name}}ServiceNetMap" is introduced (defaults to: "{}"). The
  role specific ServiceNetMap parameter allows the operator to
  override one or more service network mappings per-role.

  For example:

     ComputeLeaf2ServiceNetMap:
       NovaLibvirtNetwork: internal_api_leaf2

  The role specific "{{role.name}}ServiceNetMap" override is merged
  with the global "ServiceNetMap" when it's passed as a value to the
  "{{role.name}}ServiceChain" resources, and the "{{role.name}}"
  resource groups so that the correct network for this role is mapped
  to the service. Closes bug: 1904482
  (https://bugs.launchpad.net/tripleo/+bug/1904482).

* Fixed the Octavia OctaviaTenantLogFacility setting default to 0 to
  align it with the project default.

* Previously, HorizonDebug and Debug parameters changed the value of
  horizon::django_debug. However, those parameters didn't set DEBUG
  log level to horizon logger components. By this change, if those are
  true, horizon::log_level is set to 'DEBUG'.

* Do not relabel Swift files on every container (re-)start. These will
  be relabeled already in step 3 preventing additional delays.

Changes in tripleo-heat-templates 11.4.0..11.5.0
------------------------------------------------

0ebdf0c58 Updating settings description
d5949fe86 Set toplevel nova::dhcp_domain for all nova services
f1d91a9e0 [TRAIN-Only] Update ansible python fact
bc6840c6e Enabling 'cinder_use_multipath' if cinder multipath is enabled
b9dd8ccd6 Allow configuring cinder mount point for glance cinder store
90a04d94e Add legacy fact setting
f9e51cf46 Stop ironic services in unupgraded controllers
25493bcb1 Make UpgradeInitCommand and UpgradeLeapp{ToRemove,ToInstall,CommandOptions} per-role
02743e1ab Check Ceph cluster healthy state before starting FS to BS playbook
eb61c8054 Fix start order for {swift_proxy,glance_api}_tls_proxy
5be4f8f31 Stop barbican servics in unupgraded controllers
8fc59c12c Stop octavia servics in unupgraded controllers
deee084ed Validation are not run via mistral anymore in Train
9bdf4b168 Upgrade mariadb storage during upgrade tasks
aaf9e860e [Ussuri and older] Set python_cmd where we need it
54414a14b Remove scenario007-multinode and scenario010-standalone from layout
ffae4ae76 Add delegate_fact_hosts: false on ci scenarios
526791d6c Remove tripleo_transfer cleanup.yml reference
cc0752392 Use include task for host prep tasks
4e79336d6 Use ansible_facts instead
6902fcea0 Drop service facts usage
badc6bc1e Fix redis_tls_proxy
7d56985fa Don't try creating default admin and member roles
e1aee7c3e Stop non-pcmk services of manila and cinder during upgrade
785706f4a Refactor nova db config
9d7a5a5c6 Adding placement client package to clients
656a6f50d pcs commands on host: ovn dbs
4db546260 pcs commands on host: manila-share
60cd610f9 pcs commands on host: rabbitmq
327f0e503 pcs commands on host: cinder backup/volume
07d8f2082 pcs commands on host: mysql
67e5d621e pcs commands on host: redis bundle
a7cceb0f9 pcs commands on host: haproxy bundle
c8f1976fa Add parameters to allow multiple nshield HSMs
2dc7ceeac Add a new role parameter rhsm_enforce.
d3c837e81 Fix logic to honor HorizonDebug
79aec182b Set 'DEBUG' to horizon::log_level if HorizonDebug or Debug is true
19bb2152f [train-only] Add FFWD workaround for UEFI systems
1a1744316 Add ContainerDefaultPidsLimit to set default pid limits in containers.conf
b894347cb Always set NetworkDeploymentActions to its default
679258281 per_node is not parsing generated json
eaf59f4b2 Problematic nested quotes in hieradata file list
988d5dc89 [train-only] Ensure we stop ovn-controller with cleanup
91b780d3d Use Ceph cluster name when setting minimum client version
bd36a306a Make DnfStreams support RoleParameters
c9541b477 Move cell_v2 discovery off compute hosts
28cb354c3 Make NovaComputeOptVolumes and NovaComputeOptEnvVars role aware
43b7188ef Live migration optimization with HP
678186027 Add post delay to reboot
43b352e9a Enforces minimum Ceph client version to Mimic
6733d14f1 Serialize shutdown of pacemaker nodes
cf605138f Make ExternalSwift*Url parameters optional
230147720 Deprecate environments/dcn-hci.yaml for dcn-storage.yaml
c5a2a9ce5 Use include_role for conditional inclusion
e69b06ae2 [Train-Only] Remove python-2 packages in the overcloud nodes after leapp upgrade.
f55af442d Deploy multipathd using tripleo_multipathd ansible role
861af8d81 Force json output format for hiera in derive pci whitelist
431cfb979 Add NovaLibvirtMaxQueues role parameter to set [libvirt]/max_queues
0c68c4428 Revert "Reset sriov_numvfs to 0 before leapp upgrade"
e038ecd2e Use Ceph-NFS for Manila in scenario004
05c859273 Split network validation to it's own play
916b9385c Rolling certificate update for HA services
76577b3ae Update container-config-scripts/ folder content before update_tasks.
75f3d22fe Remove ffwd lifecycle environment files.
38fcff865 Deleting nova-consoleauth services in post-upgrade
75c287232 Remove pcs/pacemaker package installation from upgrade tasks
6c038ca3a [Train only] Retry distro-sync until success
5472332d6 Do not relabel Swift files on every container start
6fb47e4af Make it possible to override ServiceNetMap per-role
4dd0f9dab Fix ownership of octavia_rsyslog log directory
e26e6a1fb nova: Use LIBGUESTFS_BACKEND=direct
953a8ef96 Configure OVNCMSOptions=enable-chassis-as-gw within neutron-ovn-sriov.yaml
8372d5e6d ovn: Add neutron-cleanup
83cce19f6 Fix Octavia OctaviaTenantLogFacility default

Diffstat (except docs and test files)
-------------------------------------

ci/environments/multinode-containers.yaml | 1 +
ci/environments/scenario001-standalone.yaml | 4 +
ci/environments/scenario004-standalone.yaml | 6 +
common/common-container-config-scripts.yaml | 17 ++
common/deploy-steps-playbooks-common.yaml | 17 ++
common/deploy-steps-tasks-step-0.j2.yaml | 13 +-
common/deploy-steps-tasks-step-1.yaml | 33 +--
common/deploy-steps-tasks.yaml | 6 +-
common/deploy-steps.j2 | 24 +-
common/generate-config-tasks.yaml | 19 +-
common/host-container-puppet-tasks.yaml | 21 +-
container_config_scripts/mysql_upgrade_db.sh | 15 ++
.../pacemaker_mutex_restart_bundle.sh | 90 +++++++
.../pacemaker_mutex_shutdown.sh | 120 +++++++++
.../pacemaker_resource_lock.sh | 267 +++++++++++++++++++++
.../barbican/barbican-api-container-puppet.yaml | 28 ++-
deployment/ceph-ansible/ceph-base.yaml | 13 +-
deployment/ceph-ansible/ceph-mon.yaml | 28 +++
deployment/ceph-ansible/ceph-rgw.yaml | 4 -
.../certs/certmonger-user-baremetal-puppet.yaml | 9 +
.../cinder/cinder-backup-container-puppet.yaml | 15 ++
.../cinder/cinder-backup-pacemaker-puppet.yaml | 70 ++----
.../cinder/cinder-volume-container-puppet.yaml | 15 ++
.../cinder/cinder-volume-pacemaker-puppet.yaml | 69 ++----
.../openstack-clients-baremetal-puppet.yaml | 1 +
deployment/containers-common.yaml | 9 +
deployment/database/mysql-base.yaml | 6 +
deployment/database/mysql-container-puppet.yaml | 46 ++--
deployment/database/mysql-pacemaker-puppet.yaml | 97 ++++----
deployment/database/redis-pacemaker-puppet.yaml | 102 +++-----
.../kubernetes-master-baremetal-ansible.yaml | 4 +-
.../multipathd-container.yaml | 0
deployment/glance/glance-api-container-puppet.yaml | 14 +-
deployment/haproxy/haproxy-pacemaker-puppet.yaml | 75 ++----
deployment/haproxy/haproxy-public-tls-inject.yaml | 2 +-
deployment/horizon/horizon-container-puppet.yaml | 24 +-
deployment/ipa/ipaclient-baremetal-ansible.yaml | 2 +-
deployment/ipa/ipaservices-baremetal-ansible.yaml | 4 +-
deployment/ironic/ironic-api-container-puppet.yaml | 14 ++
.../ironic/ironic-conductor-container-puppet.yaml | 15 ++
.../ironic/ironic-inspector-container-puppet.yaml | 16 ++
deployment/ironic/ironic-pxe-container-puppet.yaml | 16 ++
deployment/manila/manila-api-container-puppet.yaml | 15 ++
.../manila/manila-scheduler-container-puppet.yaml | 15 ++
.../manila/manila-share-container-puppet.yaml | 15 ++
.../manila/manila-share-pacemaker-puppet.yaml | 69 ++----
deployment/metrics/collectd-container-puppet.yaml | 2 +-
.../multipathd/multipathd-container-ansible.yaml | 128 ++++++++++
.../neutron/derive_pci_passthrough_whitelist.py | 2 +-
.../neutron-sriov-agent-container-puppet.yaml | 30 ---
deployment/nova/nova-api-container-puppet.yaml | 38 ++-
deployment/nova/nova-apidb-client-puppet.yaml | 78 ++++++
deployment/nova/nova-base-puppet.yaml | 45 +---
.../nova/nova-compute-common-container-puppet.yaml | 22 +-
deployment/nova/nova-compute-container-puppet.yaml | 148 +++++++++---
.../nova/nova-conductor-container-puppet.yaml | 52 +++-
deployment/nova/nova-db-client-puppet.yaml | 80 ++++++
deployment/nova/nova-ironic-container-puppet.yaml | 28 ++-
deployment/nova/nova-libvirt-container-puppet.yaml | 11 +-
deployment/nova/nova-manager-container-puppet.yaml | 105 ++++++++
.../nova/nova-metadata-container-puppet.yaml | 45 +++-
.../nova/nova-scheduler-container-puppet.yaml | 31 ++-
.../nova/nova-vnc-proxy-container-puppet.yaml | 52 +++-
deployment/nova/novajoin-container-puppet.yaml | 6 +-
.../octavia/octavia-api-container-puppet.yaml | 15 ++
deployment/octavia/octavia-base.yaml | 2 +-
.../octavia/octavia-deployment-config.j2.yaml | 4 +-
.../octavia-health-manager-container-puppet.yaml | 20 +-
.../octavia-housekeeping-container-puppet.yaml | 15 ++
.../octavia/octavia-worker-container-puppet.yaml | 19 +-
.../ovn/ovn-controller-container-puppet.yaml | 37 +++
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 58 +++--
.../pacemaker/pacemaker-baremetal-puppet.yaml | 6 +
deployment/podman/podman-baremetal-ansible.yaml | 7 +
...rabbitmq-messaging-notify-pacemaker-puppet.yaml | 47 ++--
.../rabbitmq-messaging-pacemaker-puppet.yaml | 47 ++--
.../rabbitmq-messaging-rpc-pacemaker-puppet.yaml | 47 ++--
.../external-swift-proxy-baremetal-puppet.yaml | 3 +
deployment/swift/swift-proxy-container-puppet.yaml | 1 +
.../swift/swift-storage-container-puppet.yaml | 7 +-
deployment/time/timezone-baremetal-ansible.yaml | 4 +-
deployment/timesync/chrony-baremetal-ansible.yaml | 11 +-
deployment/tls/undercloud-tls.yaml | 6 +-
.../tripleo-packages-baremetal-puppet.yaml | 133 ++++++++--
deployment/undercloud/undercloud-upgrade.yaml | 4 +-
environments/barbican-backend-pkcs11-thales.yaml | 22 +-
environments/dcn-hci.yaml | 3 +
environments/dcn-storage.yaml | 57 +++++
environments/lifecycle/ffwd-upgrade-converge.yaml | 10 -
environments/lifecycle/ffwd-upgrade-prepare.yaml | 12 -
environments/multipathd.yaml | 2 +-
environments/services/neutron-ovn-dvr-ha.yaml | 2 -
environments/services/neutron-ovn-ha.yaml | 4 -
environments/services/neutron-ovn-sriov.yaml | 6 +-
extraconfig/post_deploy/undercloud_post.py | 8 -
overcloud-resource-registry-puppet.j2.yaml | 3 +
overcloud.j2.yaml | 25 +-
puppet/extraconfig/pre_deploy/per_node.yaml | 12 +-
...ount-point-base-parameter-852554398b9f3a19.yaml | 7 +
.../notes/barbican-thales-ha-581fbe9b5ef4dc87.yaml | 11 +
.../notes/bug-1904482-dbc5162c8245a9b3.yaml | 21 ++
...v2_discovery_off_computes-2b977c6b9a01cde2.yaml | 13 +
...e-multipathd-with-ansible-f32f3ea627815191.yaml | 20 ++
.../dcn-hci-storage-rename-0b1c17dd50f4cc9a.yaml | 8 +
...nant-log-facility-default-7b6d0670a51fe845.yaml | 5 +
.../horizon_logger_debug-cd70c45c1b695e4b.yaml | 8 +
...mit-postcopy-autoconverge-ca1719fd2abed45f.yaml | 8 +
.../nova_libvirt_max_queues-8024fc63105bd25d.yaml | 6 +
.../swift-prevent-relabeling-b9721aa5a1abda6e.yaml | 5 +
roles/CephFile.yaml | 1 +
roles/CephObject.yaml | 1 +
roles/CephStorage.yaml | 1 +
roles/NovaManager.yaml | 37 +++
roles/README.rst | 6 +
roles/Standalone.yaml | 3 +
roles_data.yaml | 1 +
sample-env-generator/dcn.yaml | 11 +-
tools/yaml-validate.py | 7 +-
zuul.d/layout.yaml | 32 ---
119 files changed, 2483 insertions(+), 756 deletions(-)