We are satisfied to announce the release of: tripleo-heat-templates 12.4.3: Heat templates for deploying OpenStack with OpenStack. This release is part of the ussuri stable release series. The source is available from: https://opendev.org/openstack/tripleo-heat-templates Download the package from: https://tarballs.openstack.org/tripleo-heat-templates/ Please report issues through: https://bugs.launchpad.net/tripleo/+bugs For more details, please see below. 12.4.3 ^^^^^^ New Features ************ * The new parameter GlanceCinderMountPointBase has been added which will be used for mounting NFS volumes on glance nodes. When glance uses cinder as store and cinder backend is NFS, this parameter must be set to match cinder's mount point. * The logic to configure the connection from barbican to nShield HSMs has been augmented to parse a nshield_hsms parameter, which allows the specification of multiple HSMs. The underlying ansible role (ansible-role-thales-hsm) will configure the HSMs in load sharing mode to provide HA. * New "CinderRpcResponseTimeout" and "CinderApiWsgiTimeout" parameters provide a means for configuring Cinder's RPC response and WSGI connection timeouts, respectively. * Add posibilities to configure ovn dbs monitor interval in tht by OVNDBSPacemakerMonitorInterval (default 30s). Under load, this can create extra stress and since the timeout has already been bumped, it makes sense to bump this interval to a higher value as a trade off between detecting a failure and stressing the service. * When a node has hugepages enabled, we can help with live migrations by enabling *NovaLiveMigrationPermitPostCopy* and *NovaLiveMigrationPermitAutoConverge*. These flags are automatically enabled if hugepages are detected, but operators can override these settings. * Add NovaLibvirtMaxQueues role parameter to set [libvirt]/max_queues in nova.conf of the compute. Default 0 corresponds to not set meaning the legacy limits based on the reported kernel major version will be used. * The new "SshServerOptionsOverrides" parameter has been added. This parameter can be used to override a part of sshd_config, which is defined by the "SshServerOptions". Known Issues ************ * Cell_v2 discovery has been moved from the nova-compute|nova-ironic containers as this requires nova api database credentials which must not be configured for the nova-compute service. As a result scale-up deployments which explicitly omit the Controller nodes will need to make alternative arrangements to run cell_v2 discovery. Either the nova-manage command can be run manually after scale-up, or an additional helper node using the NovaManage role can be deployed that will be used for this task instead of a Controller node. See Bug: 1786961 (https://launchpad.net/bugs/1786961) and Bug: 1871482 (https://launchpad.net/bugs/1871482). Deprecation Notes ***************** * Some parameters within ThalesVars have been deprecated. These are - thales_hsm_ip_address and thales_hsm_config_location. See environments/barbican-backend-pkcs11-thales.yaml for details. Bug Fixes ********* * When deploying a spine-and-leaf (L3 routed architecture) with TLS enabled for internal endpoints the deployment would fail because some roles are not connected to the network mapped to the service in ServiceNetMap. To fix this issue a role specific parameter "{{role.name}}ServiceNetMap" is introduced (defaults to: "{}"). The role specific ServiceNetMap parameter allow the operator to override one or more service network mappings per-role. For example: ComputeLeaf2ServiceNetMap: NovaLibvirtNetwork: internal_api_leaf2 The role specific "{{role.name}}ServiceNetMap" override is merged with the global "ServiceNetMap" when it's passed as a value to the "{{role.name}}ServiceChain" resources, and the "{{role.name}}" resource groups so that the correct network for this role is mapped to the service. Closes bug: 1904482 (https://bugs.launchpad.net/tripleo/+bug/1904482). * Previously, HorizonDebug and Debug parameters change the value of horizon::django_debug. However, those parameters didn't set DEBUG log level to horizon logger components. By this change, if those are true, horizon::log_level is set to 'DEBUG'. * Do not relabel Swift files on every container (re-)start. These will be relabeled already in step 3 preventing additional delays. Changes in tripleo-heat-templates 12.4.2..12.4.3 ------------------------------------------------ 560d98396 [update][upgrade] Use container-tools:3.0 83210e340 Move tmpwatch from cron.daily to actual root crontab 2a97154ef OVNChassisMacPorts for distributed VLAN a900a8055 Updating settings description 7e4bb3623 live_migration setting should be under libvirt namespace d690b41ef Create OVNMacAddrNet network on Undercloud 5d62f6642 Set toplevel nova::dhcp_domain for all nova services d96f77930 Support configuring cinder's RPC and WSGI timeouts b561d3a9f Add legacy fact setting 82e4cccce Allow configuring cinder mount point for glance cinder store 36e28d2d3 Check Ceph cluster healthy state before starting FS to BS playbook 284629a87 Make UpgradeInitCommand and UpgradeLeapp{ToRemove,ToInstall,CommandOptions} per-role 33b47f479 Fix start order for {swift_proxy,glance_api}_tls_proxy 9db6db69a Stop ironic services in unupgraded controllers 34c96db0e Stop barbican servics in unupgraded controllers 7281bb019 Add posibilities to set ovndbs monitor interval 698cfa661 Upgrade mariadb storage during upgrade tasks d5899589d Add delegate_fact_hosts: false on ci scenarios 1f8d90c29 Remove tripleo_transfer cleanup.yml reference e140e22e1 Add TLS capabilities to Memcached service f54ca2506 Make content provider depend on tox-pep8/tht on check layout c6e9974ba Change play name 6997676b1 Use include task for host prep tasks 603beaa02 Use ansible_facts instead 0d88e0e20 Enabling 'cinder_use_multipath' if cinder multipath is enabled cc9a390b5 Drop service facts usage bc1fd4741 Fix redis_tls_proxy 6de73eca7 Don't try creating default admin and member roles ac11fc15c Stop non-pcmk services of manila and cinder during upgrade 4e2e984b9 Add parameters to allow multiple nshield HSMs 7f8e32bef Fix logic to honor HorizonDebug 0502fb1aa Set 'DEBUG' to horizon::log_level if HorizonDebug or Debug is true cde398d9b Add a new role parameter rhsm_enforce. 341fbc46e Always set NetworkDeploymentActions to its default 9740d89f1 Stop octavia servics in unupgraded controllers c77472ec3 Add ContainerDefaultPidsLimit to set default pid limits in containers.conf f2602657a per_node is not parsing generated json 633ad7781 Problematic nested quotes in hieradata file list b188630e8 Use Ceph cluster name when setting minimum client version 2be083bf2 Make DnfStreams support RoleParameters 9a8c007da Move cell_v2 discovery off compute hosts ace7eb7d6 Refactor nova db config d38c3df91 Make NovaComputeOptVolumes and NovaComputeOptEnvVars role aware 43c02ebc9 Add post delay to reboot 4b8a18069 Enforces minimum Ceph client version to Mimic cbc5d0e6e Deprecate environments/dcn-hci.yaml for dcn-storage.yaml 2c298e231 Split network validation to it's own play cb8e846ea Force json output format for hiera in derive pci whitelist 59b2d7618 Remove External{Internal,Public,Admin}Url parameters e21b9f8dd Add NovaLibvirtMaxQueues role parameter to set [libvirt]/max_queues 81a184033 Revert "Reset sriov_numvfs to 0 before leapp upgrade" 3bd9c10e8 Use include_role for conditional inclusion d9414af71 Use Ceph-NFS for Manila in scenario004 83ba65e3a Serialize shutdown of pacemaker nodes 4dac4701f Deleting nova-consoleauth services in post-upgrade 38d6c5932 Live migration optimization with HP 9998bfc5d Making sure virt-guest-shutdown.target exists 114ba5dd4 Remove ffwd lifecycle environment files. c04572dbb Remove pcs/pacemaker package installation from upgrade tasks c9ffe726f Fix unreachable handling 3f93e3a15 Update container-config-scripts/ folder content before update_tasks. 826221eb4 Do not relabel Swift files on every container start 7c01d809d Make it possible to override ServiceNetMap per-role 94236c757 Fix ownership of octavia_rsyslog log directory 220bf13a2 Configure OVNCMSOptions=enable-chassis-as-gw within neutron-ovn-sriov.yaml 1484c4560 nova: Use LIBGUESTFS_BACKEND=direct 1a085631c [Ussuri and older] Set python_cmd where we need it ef0675dc0 Ensure cloud-init has finished before puppet run 26298a65c Allow partial override about SshServerOptions 5e9a03d91 Switch host sshd configuration to ansible Diffstat (except docs and test files) ------------------------------------- ci/environments/multinode-containers.yaml | 1 + ci/environments/scenario001-standalone.yaml | 1 + ci/environments/scenario004-standalone.yaml | 6 + common/common-container-config-scripts.yaml | 17 +++ common/deploy-steps-playbooks-common.yaml | 20 ++- common/deploy-steps-tasks-step-0.j2.yaml | 17 +++ common/deploy-steps-tasks-step-1.yaml | 33 +---- common/deploy-steps-tasks.yaml | 6 +- common/deploy-steps.j2 | 24 ++- common/generate-config-tasks.yaml | 19 ++- common/host-container-puppet-tasks.yaml | 21 ++- container_config_scripts/mysql_upgrade_db.sh | 15 ++ .../pacemaker_mutex_shutdown.sh | 120 +++++++++++++++ .../pacemaker_resource_lock.sh | 34 ++++- .../barbican/barbican-api-container-puppet.yaml | 28 +++- deployment/ceph-ansible/ceph-base.yaml | 11 ++ deployment/ceph-ansible/ceph-mon.yaml | 28 ++++ deployment/ceph-ansible/ceph-rgw.yaml | 4 - deployment/cinder/cinder-api-container-puppet.yaml | 11 +- .../cinder/cinder-backup-container-puppet.yaml | 15 ++ .../cinder/cinder-backup-pacemaker-puppet.yaml | 2 +- deployment/cinder/cinder-base.yaml | 5 + .../cinder/cinder-volume-container-puppet.yaml | 15 ++ .../cinder/cinder-volume-pacemaker-puppet.yaml | 2 +- deployment/containers-common.yaml | 3 + deployment/database/mysql-base.yaml | 6 + deployment/database/mysql-container-puppet.yaml | 51 +++++-- deployment/database/mysql-pacemaker-puppet.yaml | 52 +++---- deployment/database/redis-pacemaker-puppet.yaml | 24 ++- deployment/glance/glance-api-container-puppet.yaml | 14 +- deployment/haproxy/haproxy-pacemaker-puppet.yaml | 4 +- deployment/haproxy/haproxy-public-tls-inject.yaml | 2 +- deployment/horizon/horizon-container-puppet.yaml | 24 ++- deployment/ipa/ipaservices-baremetal-ansible.yaml | 4 +- deployment/ironic/ironic-api-container-puppet.yaml | 14 ++ .../ironic/ironic-conductor-container-puppet.yaml | 15 ++ .../ironic/ironic-inspector-container-puppet.yaml | 16 ++ deployment/ironic/ironic-pxe-container-puppet.yaml | 16 ++ .../logrotate-crond-container-puppet.yaml | 45 ++++-- deployment/manila/manila-api-container-puppet.yaml | 15 ++ .../manila/manila-scheduler-container-puppet.yaml | 15 ++ .../manila/manila-share-container-puppet.yaml | 15 ++ .../manila/manila-share-pacemaker-puppet.yaml | 2 +- .../memcached/memcached-container-puppet.yaml | 115 +++++++++++---- deployment/metrics/collectd-container-puppet.yaml | 2 +- .../neutron/derive_pci_passthrough_whitelist.py | 2 +- .../neutron-sriov-agent-container-puppet.yaml | 31 +--- deployment/nova/nova-api-container-puppet.yaml | 38 +++-- deployment/nova/nova-apidb-client-puppet.yaml | 78 ++++++++++ deployment/nova/nova-base-puppet.yaml | 74 +--------- .../nova/nova-compute-common-container-puppet.yaml | 22 ++- deployment/nova/nova-compute-container-puppet.yaml | 163 +++++++++++++++++---- .../nova/nova-conductor-container-puppet.yaml | 60 ++++++-- deployment/nova/nova-db-client-puppet.yaml | 80 ++++++++++ deployment/nova/nova-ironic-container-puppet.yaml | 28 ++-- deployment/nova/nova-libvirt-container-puppet.yaml | 11 +- deployment/nova/nova-manager-container-puppet.yaml | 105 +++++++++++++ .../nova/nova-metadata-container-puppet.yaml | 45 ++++-- .../nova/nova-scheduler-container-puppet.yaml | 31 +++- .../nova/nova-vnc-proxy-container-puppet.yaml | 53 ++++++- deployment/nova/novajoin-container-puppet.yaml | 6 +- .../octavia/octavia-api-container-puppet.yaml | 15 ++ .../octavia/octavia-deployment-config.j2.yaml | 4 +- .../octavia-health-manager-container-puppet.yaml | 20 ++- .../octavia-housekeeping-container-puppet.yaml | 15 ++ .../octavia/octavia-worker-container-puppet.yaml | 19 ++- deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 16 +- .../pacemaker/pacemaker-baremetal-puppet.yaml | 6 + deployment/podman/podman-baremetal-ansible.yaml | 7 + ...rabbitmq-messaging-notify-pacemaker-puppet.yaml | 2 +- .../rabbitmq-messaging-pacemaker-puppet.yaml | 2 +- .../rabbitmq-messaging-rpc-pacemaker-puppet.yaml | 2 +- deployment/sshd/sshd-baremetal-ansible.yaml | 105 +++++++++++++ deployment/sshd/sshd-baremetal-puppet.yaml | 10 +- .../external-swift-proxy-baremetal-puppet.yaml | 49 +------ deployment/swift/swift-proxy-container-puppet.yaml | 1 + .../swift/swift-storage-container-puppet.yaml | 7 +- deployment/timesync/chrony-baremetal-ansible.yaml | 11 +- deployment/tls/undercloud-tls.yaml | 6 +- .../tripleo-packages-baremetal-puppet.yaml | 57 +++++-- deployment/undercloud/undercloud-upgrade.yaml | 4 +- environments/barbican-backend-pkcs11-thales.yaml | 22 ++- environments/dcn-hci.yaml | 3 + environments/dcn-storage.yaml | 57 +++++++ environments/lifecycle/ffwd-upgrade-converge.yaml | 9 -- environments/lifecycle/ffwd-upgrade-prepare.yaml | 10 -- .../lifecycle/undercloud-upgrade-prepare.yaml | 2 +- environments/lifecycle/update-prepare.yaml | 2 +- environments/lifecycle/upgrade-prepare.yaml | 2 +- environments/services/neutron-ovn-dvr-ha.yaml | 2 - environments/services/neutron-ovn-ha.yaml | 4 - environments/services/neutron-ovn-sriov.yaml | 6 +- environments/standalone/standalone-overcloud.yaml | 2 + environments/standalone/standalone-tripleo.yaml | 2 + environments/undercloud.yaml | 4 + environments/undercloud/undercloud-minion.yaml | 2 + network/networks.j2.yaml | 3 + network/ovn_mac_addr_net.yaml | 37 +++++ network/ports/ovn_mac_addr_port.yaml | 27 ++++ overcloud-resource-registry-puppet.j2.yaml | 9 +- overcloud.j2.yaml | 26 +++- puppet/extraconfig/pre_deploy/per_node.yaml | 12 +- puppet/role.role.j2.yaml | 34 +++++ ...ount-point-base-parameter-852554398b9f3a19.yaml | 7 + .../notes/barbican-thales-ha-581fbe9b5ef4dc87.yaml | 11 ++ .../notes/bug-1904482-dbc5162c8245a9b3.yaml | 21 +++ ...v2_discovery_off_computes-2b977c6b9a01cde2.yaml | 13 ++ ...er-add-timeout-parameters-54550a6e1c11c0b9.yaml | 6 + .../dcn-hci-storage-rename-0b1c17dd50f4cc9a.yaml | 8 + .../horizon_logger_debug-cd70c45c1b695e4b.yaml | 8 + .../monitor_interval_ovndbs-b14c886737965300.yaml | 9 ++ ...mit-postcopy-autoconverge-ca1719fd2abed45f.yaml | 8 + .../nova_libvirt_max_queues-8024fc63105bd25d.yaml | 6 + ...-server-options-overrides-f677913bfd65efe1.yaml | 6 + .../swift-prevent-relabeling-b9721aa5a1abda6e.yaml | 5 + roles/CephFile.yaml | 1 + roles/CephObject.yaml | 1 + roles/CephStorage.yaml | 1 + roles/NovaManager.yaml | 37 +++++ roles/README.rst | 6 + roles/Standalone.yaml | 3 + roles_data.yaml | 1 + sample-env-generator/dcn.yaml | 11 +- sample-env-generator/standalone.yaml | 9 +- sample-env-generator/undercloud-minion.yaml | 8 +- tools/yaml-validate.py | 7 +- zuul.d/layout.yaml | 5 + 127 files changed, 2073 insertions(+), 496 deletions(-)