We are excited to announce the release of:

tripleo-heat-templates 11.6.0: Heat templates for deploying OpenStack
with OpenStack.

This release is part of the train stable release series.

The source is available from:

    https://opendev.org/openstack/tripleo-heat-templates

Download the package from:

    https://tarballs.openstack.org/tripleo-heat-templates/

Please report issues through:

    https://bugs.launchpad.net/tripleo/+bugs

For more details, please see below.

11.6.0
^^^^^^

New Features
************

* Added new options for deploying Barbican with PKCS#11 backends:
  *BarbicanPkcs11CryptoTokenLabels* and
  *BarbicanPkcs11CryptoOsLockingOk*

* New "CinderRpcResponseTimeout" and "CinderApiWsgiTimeout" parameters
  provide a means for configuring Cinder's RPC response and WSGI
  connection timeouts, respectively.

* The new "EnableCache" parameter is added to enable/disable caching
  using memcached services. The parameter is true by default, but
  should be false when the memcached service is disabled in the
  deployment.

* The MariaDB tuning parameter for Innodb_buffer_pool_size can now be
  set via a new TripleO Heat Template parameter
  'MysqlInnodbBufferPoolSize'. By default this is undefined.

* *QemuDefaultTLSVerify* will allow operators to enable or disable TLS
  client certificate verification. Enabling this option will reject
  any client who does not have a certificate signed by the CA in
  /etc/pki/qemu/ca-cert.pem. The default is true and matches
  libvirt's. We will want to disable this by default in train.

* Added the ability to configure the OVN DBs monitor interval in THT
  via OVNDBSPacemakerMonitorInterval (default 30s). Under load, this
  monitoring can create extra stress, and since the timeout has
  already been bumped, it makes sense to bump this interval to a
  higher value as a trade-off between detecting a failure and
  stressing the service.

* The nova-ironic setting for 'max_concurrent_builds' can now be set
  via the use of a new TripleO Heat templates parameter
  'IronicMaxConcurrentBuilds'. It is set to the service default of 10
  by default in TripleO Heat templates.

* Added PTP parameters for timemaster service configuration on the
  overcloud compute node. Timemaster will use the already-present
  chrony parameters. PTPMessageTransport and PTPInterfaces are newly
  added.

Deprecation Notes
*****************

* The *BarbicanPkcs11CryptoTokenLabel* option has been deprecated and
  replaced with the *BarbicanPkcs11CryptoTokenLabels* option.

Bug Fixes
*********

* The RHEL-8.3 kernel disabled the Intel TSX (Transactional
  Synchronization Extensions) feature by default as a preemptive
  security measure, but it breaks live migration from RHEL-7.9 (or
  even RHEL-8.1 or RHEL-8.2) to RHEL-8.3. Operators are expected to
  explicitly define the TSX flag in their KernelArgs for the compute
  role to prevent live-migration issues during the upgrade or update
  process. We now introduce this validation in tripleoclient to
  ensure early failure. The *ForceNoTsx* flag will disable this
  validation on a per-role basis. More information here:
  https://access.redhat.com/solutions/6036141

* Previously, access to the sshd run by the nova-migration-target
  container was limited only via the sshd_config. While login is not
  possible from other networks, the service is reachable via all
  networks. This change limits the access to the NovaLibvirt and
  NovaApi networks, which are used for cold and live-migration.

* Nova vnc configuration right now uses NovaVncProxyNetwork,
  NovaLibvirtNetwork and NovaApiNetwork to configure the different
  components (novnc proxy, nova-compute and libvirt) for vnc. If one
  of the networks gets changed from internal_api, the service
  configuration between libvirt, nova-compute and novnc proxy gets
  inconsistent and the console is broken. This change uses only
  NovaLibvirtNetwork for configuring the vnc endpoints and removes
  NovaVncProxyNetwork completely.

Changes in tripleo-heat-templates 11.5.0..11.6.0
------------------------------------------------

42a5f7f1b [ffwd] Add legacy cinderv3 volume cleanup to postupgrade
fee55d5dc Fix network_cidrs when ManageNetworks: false
7840da001 [train-only] Adding ForceNoTsx flag
d0ba2d100 Add dependency on OVNMacAddressNetwork for role ResourceGroup
45b4de27c Set tags on all OS::Neutron::Port resources
88ef493cd Add tags to THT network resources
d2d044e02 Add OVNEncapType option to the ovn controller template
af8576222 Disable tunneled mode when use_tls_for_live_migration
ea9ebddf6 Re-add NovaVncProxyNetwork to service_net_map.j2.yaml
c1ee7ccdd [ffwd][train-only] Rebuild clouds.yaml before running keystone endpoint configuration.
8090c8a18 Fix RoleParameters in tuned-baremetal-ansible.yaml
ab5d866cb HA: inject public certificates without blocking container
8a7725f42 Add new options for Barbican PKCS#11 backend
d7e888ac9 Switch Octavia external tasks to 'post deploy'
e8a224f9a [ffwd] Rework checks for hybrid state containers
7768e7608 Run update tasks with become
20561e86c Sync full /etc/leapp/files directory.
373838ffb [train-only] QemuDefaultTLSVerify should be false
ff730282a Stop using (and breaking) /var/tmp for horizon temporary things
002445bea Add RootStackName to group_vars
bcc5f03ab Moving nova-consoleauth to step4
ac1584a44 Missing client certificate for live-migration with TLS
c9fa94dd5 Add systemd dependency to openvswitch to ovn-controller
69e24661b Disabling LM PostCopy and AutoConverge for RT roles
70f6c7804 Mount /etc/openldap inside the keystone container
3bbc8af5b Removing duplicate mount point in metrics_qdr
a6e524477 Limit access to sshd used for nova migration
3d8acef64 [train-only] Introduce hybrid state for iscsi
0de9ea84f [Train Only] Ensure novajoin code is setting ansible_fqdn
f24840a56 Ensure ansible_fqdn is set
860a68a4a Use single NovaLibvirtNetwork to configure instance console components
3b763ab2e [ffwd] Rework WA#1925078
2445de761 Add OVN chassis macs to hieradata
6c62cf789 Remove ovn-cms-options from OVS when OVNCMSOptions is set to ""
489aab582 Expose Innodb_buffer_pool_size
18d40d805 Refactor OVNMacAddressNetwork
7951870db [Train-only] Fix the tripleo-container-stop role in train
cbd025a3f [ffwd][train-only] Run keystone endpoint configuration on FFWD
a22239e27 Add service ordering to cleanup service to avoid conflicts with agent startup
b7ed86c3b [update][upgrade] Use container-tools:3.0
cb2cb5303 Support configuring cinder's RPC and WSGI timeouts
e3413901c Add TLS support to services using memcached
b277ccf6b Add EnableCache option to enable/disable usage of memcache
2851c49d0 Move tmpwatch from cron.daily to actual root crontab
3f59a3aa9 Config parameters for timemaster service
7fe8f4175 OVNChassisMacPorts for distributed VLAN
7203afb39 [OVN] Remove check for OVN + Availability Zones
53bf067fb [ffwd][train-only] Copy /boot/grub2/grubenv to /boot/efi/EFI/redhat/grubenv
2416eb3b1 HA: fix race when moving VIP during minor update
9f50fad9a Add non-tls listener to Memcached
546d994d0 Make memcache also listen to localhost
5319872d9 live_migration setting should be under libvirt namespace
c69b33e92 Create OVNMacAddrNet network on Undercloud
38bcdfa32 Add posibilities to set ovndbs monitor interval
8ecc24fcc Add TLS capabilities to Memcached service
5ecafca64 Expose mistral::rpc_response_timeout as Heat parameter
37263ee17 Expose max_concurrent_builds as a Heat parameter

Diffstat (except docs and test files)
-------------------------------------

 common/deploy-steps.j2 | 1 +
 common/hiera-steps-tasks.yaml | 1 +
 deployed-server/ctlplane-port.yaml | 8 +
 deployed-server/deployed-neutron-port.yaml | 11 +
 deployed-server/deployed-server.yaml | 8 +
 .../barbican/barbican-api-container-puppet.yaml | 23 +-
 .../barbican-backend-pkcs11-crypto-puppet.yaml | 16 +-
 .../ceilometer-base-container-puppet.yaml | 13 ++
 deployment/cinder/cinder-api-container-puppet.yaml | 11 +-
 .../cinder/cinder-backup-container-puppet.yaml | 2 +-
 deployment/cinder/cinder-base.yaml | 5 +
 .../cinder/cinder-volume-container-puppet.yaml | 2 +-
 deployment/database/mysql-base.yaml | 11 +
 deployment/haproxy/haproxy-public-tls-inject.yaml | 6 +-
 deployment/heat/heat-base-puppet.yaml | 24 ++
 deployment/horizon/horizon-container-puppet.yaml | 23 +-
 deployment/ipa/ipaclient-baremetal-ansible.yaml | 1 +
 deployment/ipa/ipaservices-baremetal-ansible.yaml | 9 +
 deployment/ironic/ironic-api-container-puppet.yaml | 2 +-
 .../ironic/ironic-conductor-container-puppet.yaml | 2 +-
 .../ironic/ironic-inspector-container-puppet.yaml | 2 +-
 deployment/ironic/ironic-pxe-container-puppet.yaml | 2 +-
 deployment/iscsid/iscsid-container-puppet.yaml | 95 +++++++-
 .../kernel-boot-params-baremetal-ansible.yaml | 10 +
 deployment/keystone/keystone-container-puppet.yaml | 107 ++++++---
 .../logrotate-crond-container-puppet.yaml | 45 ++--
 deployment/manila/manila-api-container-puppet.yaml | 2 +-
 .../manila/manila-scheduler-container-puppet.yaml | 2 +-
 .../manila/manila-share-container-puppet.yaml | 2 +-
 .../memcached/memcached-container-puppet.yaml | 248 ++++++++++++++++-----
 deployment/metrics/qdr-container-puppet.yaml | 5 -
 deployment/mistral/mistral-base.yaml | 6 +-
 .../neutron/neutron-api-container-puppet.yaml | 3 +-
 deployment/neutron/neutron-cleanup.service | 2 +-
 .../neutron/neutron-dhcp-container-puppet.yaml | 4 +-
 .../neutron-sriov-agent-container-puppet.yaml | 24 +-
 deployment/nova/nova-base-puppet.yaml | 24 +-
 deployment/nova/nova-compute-container-puppet.yaml | 75 +++++--
 deployment/nova/nova-ironic-container-puppet.yaml | 11 +-
 deployment/nova/nova-libvirt-container-puppet.yaml | 14 +-
 .../nova-migration-target-container-puppet.yaml | 38 +++-
 .../nova/nova-vnc-proxy-container-puppet.yaml | 33 +--
 .../octavia/octavia-api-container-puppet.yaml | 2 +-
 .../octavia/octavia-deployment-config.j2.yaml | 3 +-
 .../octavia-health-manager-container-puppet.yaml | 2 +-
 .../octavia-housekeeping-container-puppet.yaml | 2 +-
 .../octavia/octavia-worker-container-puppet.yaml | 2 +-
 .../ovn/ovn-controller-container-puppet.yaml | 21 +-
 deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 10 +
 .../pacemaker/pacemaker-baremetal-puppet.yaml | 2 +-
 deployment/swift/swift-proxy-container-puppet.yaml | 9 +
 .../swift/swift-storage-container-puppet.yaml | 9 +
 .../timemaster/timemaster-baremetal-ansible.yaml | 171 ++++++++++++++
 deployment/tls/undercloud-tls.yaml | 3 +
 .../tripleo-packages-baremetal-puppet.yaml | 59 ++---
 deployment/tuned/tuned-baremetal-ansible.yaml | 19 +-
 environments/barbican-backend-pkcs11-atos.yaml | 13 +-
 environments/barbican-backend-pkcs11-lunasa.yaml | 3 +-
 environments/barbican-backend-pkcs11-thales.yaml | 3 +-
 .../lifecycle/undercloud-upgrade-prepare.yaml | 2 +-
 environments/lifecycle/update-prepare.yaml | 2 +-
 environments/lifecycle/upgrade-prepare.yaml | 2 +-
 environments/ssl/enable-memcached-tls.yaml | 10 +
 environments/standalone/standalone-overcloud.yaml | 2 +
 environments/standalone/standalone-tripleo.yaml | 2 +
 environments/undercloud.yaml | 4 +
 environments/undercloud/undercloud-minion.yaml | 2 +
 network/network.j2 | 46 ++--
 network/ovn_mac_addr_net.yaml | 37 +++
 network/ports/ctlplane_vip.yaml | 16 +-
 network/ports/from_service.yaml | 3 +
 network/ports/from_service_v6.yaml | 3 +
 network/ports/noop.yaml | 13 ++
 network/ports/ovn_mac_addr_port.yaml | 43 ++++
 network/ports/port.j2 | 39 ++++
 network/ports/port_from_pool.j2 | 13 ++
 network/ports/vip.yaml | 15 ++
 network/ports/vip_v6.yaml | 16 +-
 overcloud-resource-registry-puppet.j2.yaml | 5 +
 overcloud.j2.yaml | 20 +-
 puppet/role.role.j2.yaml | 38 ++++
 .../notes/add-forcenotsx-36fc6dce46518f5b.yaml | 20 ++
 ...r-barbican-pkcs11-options-a2ec14369518b40e.yaml | 9 +
 ...er-add-timeout-parameters-54550a6e1c11c0b9.yaml | 6 +
 .../notes/enable-cache-293c39b3b6f55c80.yaml | 6 +
 .../innodb-tuning-param-e71d2fd727c450ec.yaml | 6 +
 ...introducing-qemutlsverify-af590e0243fe6b08.yaml | 9 +
 .../monitor_interval_ovndbs-b14c886737965300.yaml | 9 +
 ...ova-max_concurrent_builds-f900d84f35704452.yaml | 6 +
 ...va_migration_limit_access-20be8d69686ca95c.yaml | 8 +
 .../notes/nova_novnc_network-83a1479bf227f867.yaml | 10 +
 ...dd_support_for_timemaster-a8dc3e4d5db4e8b3.yaml | 7 +
 sample-env-generator/standalone.yaml | 7 +
 sample-env-generator/undercloud-minion.yaml | 6 +-
 tools/process-templates.py | 5 +
 95 files changed, 1448 insertions(+), 265 deletions(-)