We are satisfied to announce the release of: tripleo-heat-templates 8.4.0: Heat templates for deploying OpenStack with OpenStack. This release is part of the queens stable release series. The source is available from: https://opendev.org/openstack/tripleo-heat-templates Download the package from: https://tarballs.openstack.org/tripleo-heat-templates/ Please report issues through: https://bugs.launchpad.net/tripleo/+bugs For more details, please see below. 8.4.0 ^^^^^ New Features ************ * Added the configuration option to disable Exact Match Cache (EMC) * Support setting values for "cephfs_volume_mode" manila parameter via the THT parameter ManilaCephFSCephVolumeMode. These control the POSIX rwx mode of the cephfs volumes, snapshots, and groups of these that back corresponding manila resources. Default value for ManilaCephFSCephVolumeMode is '0755', backwards-compatible with the mode for these objects before it was settable. * Add new CinderNfsSnapshotSupport parameter, which controls whether cinder's NFS driver supports snapshots. The default value is True. * The parameter {{role.name}}RemovalPoliciesMode can be set to 'update' to reset the existing blacklisted nodes in heat. This will help re-use the node indexes when required. * Allows a deployer to specify the IdM domain with --domain on the ipa-client-install invocation by providing the IdMDomain parameter. * Allows a deployer to direct the ipa-client-install to skip NTP setup by specifying the IdMNoNtpSetup parameter. This is useful if the ipa-client-install setup clobbers the NTP setup by puppet. * New parameters, NovaCronDBArchivedMaxDelay and CinderCronDbPurgeMaxDelay, are introduced to configure max_delay parameter to calculate randomized sleep time before db archive/purge. This avoids db collisions when performing db archive/purge operations on multiple controller nodes. * The passphrase for config option 'server_certs_key_passphrase', that was recently added to Octavia, and will now be auto-generated by TripleO by adding OctaviaServerCertsKeyPassphrase to the list of parameters TripleO configures in Octavia. * To allow PAM to create home directory for user who do not have one, ipa-client-install need an option. This change allow to enable it. * Configure Neutron API for Nova Placement When the Neutron Routed Provider Networks feature is used in the overcloud, the Networking service will use those credentials to communicate with the Compute scheduler's placement API. * The parameters "NovaNfsEnabled", "NovaNfsShare", "NovaNfsOptions", "NovaNfsVersion" are changed to be role specific. This requires the usage of host aggregates as otherwise it will break live migration of instances as we can not do this with different storage backends. * The parameter "NovaRbdPoolName" is changed to be role specific. This requires the usage of host aggregates as otherwise it will break live migration of instances as we can not do this with different storage backends. * New parameter "NovaNfsVersion" allow configuring the NFS version used for nova storage (when NovaNfsEnabled is true). Since NFSv3 does not support full locking a NFSv4 version need to be used. To not break current installations the default is the previous hard coded version 4. * The Shared File Systems service (manila) API has been switched to running behind httpd, and it now supports configuring TLS options. Upgrade Notes ************* * Cinder's NFS driver does not support snapshots unless the feature is explicitly enabled (this policy was chosen to ensure compatibility with very old versions of libvirt). The CinderNfsSnapshotSupport default value is True, and so the new default behavior enables NFS snapshots. This change is safe because it just enables a capability (i.e. snapshots) that other cinder drivers generally provide. * Per-service config_settings should now use hiera interpolation to set the bind IP for services, e.g "%{hiera('internal_api')}" whereas prior to this release we replaced e.g internal_api for the IP address internally. The network name can still be derived from the ServiceNetMap - all the in-tree templates have been converted to the new format, but any out of tree templates may require similar adjustment. * Keystone catalog entries for Cinder's v1 API are no longer created, but existing entries will not be automatically deleted. Deprecation Notes ***************** * The only OVN Tunnel Encap Type that we are supporting in OVN is Geneve and this is set by default in ovn puppet. So there are no need to set it in TripleO Bug Fixes ********* * Fixes an issue where deployment would fail if a non-default "name_lower" is used in network data for one of the networks: "External", "InternalApi" or "StorageMgmt". (See bug: 1830852 (https://bugs.launchpad.net/tripleo/+bug/1830852).) * Fixed service auth URL in Octavia to use the Keystone v3 internal endpoint. * It is now possible for temporary containers inside THT to test if they are being run as part of a minor update by checking if the TRIPLEO_MINOR_UPDATE environment variable is set to 'true' (said containers need to export it to the container explicitely), see <service>_restart_bundles for examples. * When setting up TLS everywhere, some deployers may not have their FreIPA server in the ctlplane, causing the ipaclient registration to fail. We move this registration to host-prep tasks and invoke it using ansible. At this point, all networks should be set up and the FreeIPA server should be accessible. * [1] switched to run nova-manage discovery as non root user. In case of updates there can be already a nove-manage log owned by root from previous runs. This change make sure we change the owner of nova- manage log to nova:nova on overcloud deploy runs on the computes [1] https://review.opendev.org/#/c/652039/13/deployment/nova/nova- compute-container-puppet.yaml * With large number of OSDs, where each OSD need a connection, the default nofile (1024) of nova_compute is too small. This changes the default DockerNovaComputeUlimit to 131072 what is the same for cinder. * Change-Id: I1a159a7c2ac286373df2b7c566426b37b7734961 moved the dicovery to run on a single compute host to not race on simultanious nova-manage commands. This change make sure we run the discover on every deploy run which is required for scaling up events. * If nova-manage command was triggered on a host for the first time as root (usually manual runs) the nova-manage.log gets created as root user. On overcloud deploy runs the nova-manage command is run as nova user. In such situation the overcloud deploy fails as the nova user can not write to the nova-manage.log. With this change we run the chown of the logs files on every overcloud deploy to fix the nova-manage.log file permissions. * The keystone service and endpoint for Cinder's API v1 are no longer created. Cinder removed support for its v1 API in Queens. * Historically if a puppet definition for a pacemaker resource did change puppet would not update it. We now enable the updating of pacemaker resources by default. The main use case being restarting a bundle when a bind mount gets added. Puppet will wait for the resource to completely restart before proceeding with the deploy. Other Notes *********** * The common tasks in deploy-steps-tasks.yaml that are common to all roles are now tagged with one of: host_config, container_config, container_config_tasks, container_config_scripts, or container_startup_configs. * The step plays in deploy-steps.j2 (which generates the deploy_steps_tasks.yaml playbook) are now tagged with step[1-5] so that they can run individually if needed. Changes in tripleo-heat-templates 8.3.1..8.4.0 ---------------------------------------------- bc1bfd8f7 Fix NovaNfs role parameters 7e9e0cd60 Remove scenario008 jobs f6883a0bf Fix log owner on computes during overcloud deploy runs 190689f4e Use auth_uri for Neutron API for Nova Placement 8b73814e7 Re-enable manila dashboard 127508c0f Backport miss to run discovery via bootstrap_host_exec 103431bba Add ComputeHCIOvsDpdk role a17f79890 Fix correct network for nova-vnc 7b1e923ed Add panko_api_cron container 7e6b6bafa Add {{role.name}}RemovalPoliciesMode parameter 45ab7d963 Fix undefined variable python_interpreter 6cfa2976a Request certificate for using host service principals e42e72b0f Configure server_certs_key_passphrase for Octavia b2a9af00f Start/enable OVS on neutron ovs agent nodes 68dfc3006 Only request neutron certificate from neutron dhcp service 8d4f109a6 Clean metrics related environments 13f77b981 Revert "[queens-only] Write docker config scripts only if config exists" 0d77e3d31 Configure Neutron API for Nova Placement... 257315572 Fix ssl.yaml generating GaneshaInternal in the endpoint map 916a5378c OVN: Add env file to deploy SRIOV with OVN. 43b074c10 Do not bind /run on host to nova_migration_target be2977005 Remove bogus EXPERIMENTAL from services-docker file. 40467b0f3 [Rocky/Queens Only] Remove pre-upgrade validation tasks in cont services. 9934640fc Fix service auth URL in Octavia 82875a493 Fix haproxy stats network binding 073851d32 [queens-only] Write docker config scripts only if config exists 5e5f2d0f3 Fix custom network.name_lower in krb-service-principals 7edda0e2b Convert ServiceNetMap evals to hiera interpolation 525def101 Remove the iptables rules set via service_config_settings a3662c067 Run collectd socket cleanup on container start 560f88532 Make krb-service-principal metadata per-Role 2c4004d7a [stable queens/pike] Use server_not_blacklisted condition 67b2ec841 Add domain and no-ntp options to ipaclient e59c324e4 [FFWD] Fix cell0 database uri 2d9b95971 Fix run-os-net-config.sh to use ping6 for IPv6 hostnames fd92a337b Add ability to specify dns search domains eee4d27a4 Fix IPA client when doing brownfield deployment of internal TLS 5c37edc49 Add mkhomedir option to ipa-client-install 4a377819d Only add internal_api_virtual_ip if InternalApi in network_data 35fc35bc1 Try a timesync as part of first boot 4bce0f151 Enable serial execution for ansible host 4bde3dc4d Add cinder credentials to nova conf c47de732a Set arp_notify to match ndisc_notify 306412539 Remove deprecated Ram/Disk filters in NovaSchedulerDefaultFilters 518741618 Fix NovaNfs role parameter precedence in conditions 10a6610f4 Remove OVNTunnelEncapType 181ecb583 Deployment: Properly pick bootstrap node per role 3ff4bdcd3 Enable ndisc_notify sysctl setting to notify of MAC changes f14b4dcd8 Add parameter to configure maxdelay in db purge/archive job 3c9f7577c Allow ssh from all for undercloud b81c74437 implement default ssh-from-ctlplane rule via hiera 72b0b93d2 Ensure there is no redis on host cce6c7e34 Run nova-manage as root to prevent wrong nova-manage.log permissions 92d860e73 Run nova_cell_v2_discover_hosts.py on every deploy run 74ba670bb Allow NovaNfs parameters to be role specific d8e4ee655 Avoid concurrent nova cell_v2 discovery instances fa69837f9 Switch Manila API to httpd and support TLS d158bc7fc Modifying the ovs-hw-offlaod file to adapt new changes 169ceb9a9 OpenDev Migration Patch 0fb8970bb fix storage.yaml to write environments/storage/nova-nfs.yaml 450d50f54 Run octavia-api under httpd 5f147a0b2 Add release check for ffwd upgrade tasks 7577c22f1 Allow NovaRbdPoolName to be role specific babe303f2 Fixed wrong cinder store user name 847ec663c ceilometer_agent_notification: disable-panko.yaml 33784c053 Remove deprecated value used to set nova_metadata_ip 9ddef7106 Provide option to disable EMC in puppet-vswitch 3c0a2190f Increase DockerNovaComputeUlimit default value 35b4bf6e0 Set ulimit 16384 for Neutron SR-IOV container bf87c099c Fix usage of satellite in organization mode bc30fb036 Increase default ulimit values for Neutron agents containers dc9a67ced Do not restart bundles during a minor update 79eddd155 Be able to know when we are running inside a minor update workflow 2a734381f Enable deep_compare of pcmk resources by default 9a1ebb368 Add GnocchiStorageS3BucketPrefix into deployment bb9592fd3 Add support to ping IPv6 metadata IP 3bc041b47 Fix tempest volume tests on queens 96de607ed Add support for cinder NFS snapshots f6c4f652c [queens-only] Remove primary role constraint to deploy NodeTLSData e51967ff2 Disable a directory listing of /icons in httpd. 9b78d4eff TLS everywhere: switch Octavia to use DNS entries ff5a5bf5a Simplify ssh known_hosts entries for non-default port 65b285ffa Include ssh known_hosts entries for non-default port 95b235403 Enable flat network for ovn 48b277cdc [Queens-only] Install and configure tmpwatch for log cleanup 221a9eb5d Pass all vars to deploy-steps-tasks.yaml with config-download 849d5ce55 Fix reload notification file 4826a2de3 Stop iscsid when running FFU tasks. 23271148f Make nfs version for nova ephemeral storage configurable bd5246616 Remove unused parameter NovaPassword fb4ef9101 Disable cinder's LVM backend when deploying Pure backend f7bae9b7f Fix python binary lookup regression 86c8de92b Don't create service or endpoint for cinder API v1 f036df558 Run chown for nova log files on every run to fix wrong permissions 1cb29d0c8 Add missing TLS configuration for ironic 68e57adde Remove ENV parameters for nova_cell_v2_discover_host.py ace57871f Convert with_dict tasks to use loop and be less chatty f56b8b547 Optional ICMP validation of controllers and gateways 4f4bd1c28 Tag tasks in in common tasks ec02985da Reload rsyslog/cron when we change timezones 2c7f55cf1 Support cephfs_volume_mode parameter 7fad087a8 Refactored configuration options for nova/neutron in manila f29a2fdeb Switch scenario004-multinode-containers to Ceph filestore 7761ae38d Fix idempotency for horizon container logs 9e26c529a Rework nova_cell_v2_discover_host.py to use nova.conf and python novaclient 0371fb3c3 Add missing entries for Pure Storage Cinder Backend and fix typos 8d77ea169 Move cellv2 discovery from control plane services to compute services 6d44ae7b6 (Queens only) Remove privileged capabilities from nova-metadata c05aa892e [stable/queens] Add a check for kernels args update to avoid unnecessary reboot 967542fcb [stable/queens] Disable default config-download method for PreNetworkConfig 8aa46b6c8 NFV: Support for config-download to deploy node with kernel args 75f604ed7 Remove the rokcy services from queens ComputeOvsDpdkSriov role fce40e60a Move ipa enrollment to host_prep_tasks a89cd6b19 Switch scenario00{1,4}-multinode-containers to Ceph bluestore 6297c1b2d [FFU] Ensure compatibility with ansible 2.6. 317c3ecea Don't look for primary_role ips in AllNodesValidationConfig a9d10fdf7 minor update: move VIP before stopping pacemaker on a node c49911a5b Upgrades: Ensure idempotency of pacemaker services f10d3c3d5 certmonger: Don't restart haproxy on cert renewal 57e4ac345 Remove "when failed" from debug task names 0bb498182 Tag step plays b87f6a257 Handle upper and lower case system uuids be9e50c4e Add CertmongerUser role to OVB defaults 7794cc60c Adding support of glance cinder store settings b6ebb07c7 Add missing RoleParameters and ServiceNames a247fa3a7 Remove ties between ceilometer and panko 4c51665b3 Fix generation of configs that contain password files 49a87e0be mysql: sync credentials in running container on password change b5f792f8f FFWD: Introduce workaround for neutron cisco plugin c9b06deaa mysql: do not overwrite password file during docker-puppet 1cbc51af3 Remove console as opendaylight log mechanism Diffstat (except docs and test files) ------------------------------------- .gitreview | 2 +- all-nodes-validation.yaml | 12 ++ .../multiple-nics-ipv6/nic-configs/compute.yaml | 5 + .../multiple-nics-ipv6/nic-configs/controller.yaml | 5 + .../network/multiple-nics/nic-configs/compute.yaml | 5 + .../multiple-nics/nic-configs/controller.yaml | 5 + .../network/public-bond/nic-configs/compute.yaml | 5 + .../public-bond/nic-configs/controller.yaml | 5 + ci/environments/ovb-ha.yaml | 2 + .../scenario001-multinode-containers.yaml | 13 +- .../scenario004-multinode-containers.yaml | 1 - ci/environments/scenario010-standalone.yaml | 99 +++++++++++ common/deploy-steps-tasks.yaml | 150 ++++++++++++++--- common/deploy-steps.j2 | 23 ++- .../{services.yaml => services/role.role.j2.yaml} | 17 +- deployed-server/deployed-server-roles-data.yaml | 1 + .../octavia/octavia-deployment-config.yaml | 10 +- .../nova_cell_v2_discover_hosts.py | 55 ++++++ .../nova_wait_for_compute_service.py | 96 +++++++++++ environments/cavium-liquidio.yaml | 2 +- environments/cinder-pure-config.yaml | 2 + environments/config-download-environment.yaml | 4 + environments/disable-panko.yaml | 11 ++ environments/hyperconverged-ceph.yaml | 1 + environments/manila-cephfsganesha-config.yaml | 1 + environments/manila-cephfsnative-config.yaml | 1 + environments/metrics/collect-read-rabbitmq.yaml | 15 ++ .../collectd-standalone.yaml} | 0 environments/metrics/collectd-write-qdr.yaml | 28 ++++ environments/neutron-ml2-ovn-ha.yaml | 2 +- environments/neutron-ovs-dpdk.yaml | 2 +- environments/neutron-sriov.yaml | 2 +- environments/ovs-hw-offload.yaml | 16 +- .../neutron-opendaylight-dpdk.yaml | 4 +- .../neutron-opendaylight-hw-offload.yaml | 2 +- .../neutron-opendaylight-sriov.yaml | 2 +- .../services-baremetal/neutron-opendaylight.yaml | 1 - .../services-baremetal/neutron-ovs-dpdk.yaml | 2 +- .../services-baremetal/neutron-ovs-hw-offload.yaml | 2 +- environments/services-baremetal/neutron-sriov.yaml | 2 +- environments/services-baremetal/octavia.yaml | 5 +- .../services-docker/neutron-opendaylight.yaml | 1 - environments/services-docker/neutron-ovn-ha.yaml | 2 +- environments/services-docker/neutron-sriov.yaml | 5 +- .../services/neutron-opendaylight-dpdk.yaml | 4 +- .../services/neutron-opendaylight-hw-offload.yaml | 2 +- .../services/neutron-opendaylight-sriov.yaml | 2 +- environments/services/neutron-ovn-dvr-ha.yaml | 2 +- environments/services/neutron-ovn-ha.yaml | 2 +- environments/services/neutron-ovn-sriov.yaml | 17 ++ environments/services/neutron-ovs-dpdk.yaml | 2 +- environments/services/neutron-ovs-hw-offload.yaml | 2 +- environments/services/neutron-sriov.yaml | 2 +- environments/services/octavia.yaml | 5 +- ...ternal-tls.yaml => enable-internal-tls.j2.yaml} | 5 +- environments/ssl/tls-everywhere-endpoints-dns.yaml | 6 +- environments/storage-environment.yaml | 2 + environments/storage/external-ceph.yaml | 2 +- environments/storage/nova-nfs.yaml | 4 + environments/undercloud.yaml | 2 + .../role.role.j2.yaml} | 29 +++- .../rhel-registration/rhel-registration.yaml | 6 + .../rhel-registration/scripts/rhel-registration | 13 +- extraconfig/pre_network/boot-params-service.yaml | 102 ++++++++++++ ...ible_host_config.yaml => boot_param_tasks.yaml} | 42 ++++- extraconfig/pre_network/config_then_reboot.yaml | 7 + .../pre_network/host_config_and_reboot.yaml | 30 +++- extraconfig/services/ipaclient.yaml | 184 +++++++++++++++++++++ extraconfig/services/tmpwatch-install.yaml | 43 +++++ firstboot/os-net-config-mappings.yaml | 5 +- firstboot/userdata_timesync.yaml | 97 +++++++++++ net-config-bond.j2.yaml | 8 + net-config-static-bridge.j2.yaml | 6 + net-config-static.j2.yaml | 6 + net-config-undercloud.j2.yaml | 6 + .../bond-with-vlans/controller-no-external.j2.yaml | 8 + .../config/bond-with-vlans/controller-v6.j2.yaml | 6 + network/config/bond-with-vlans/role.role.j2.yaml | 6 + network/config/multiple-nics/compute-dvr.j2.yaml | 6 + network/config/multiple-nics/controller-v6.j2.yaml | 6 + network/config/multiple-nics/role.role.j2.yaml | 6 + .../controller-v6.j2.yaml | 6 + .../role.role.j2.yaml | 6 + .../controller-no-external.j2.yaml | 6 + .../config/single-nic-vlans/controller-v6.j2.yaml | 6 + network/config/single-nic-vlans/role.role.j2.yaml | 6 + network/scripts/run-os-net-config.sh | 10 +- network/service_net_map.j2.yaml | 2 + overcloud-resource-registry-puppet.j2.yaml | 20 ++- overcloud.j2.yaml | 29 ++-- puppet/all-nodes-config.j2.yaml | 12 +- puppet/extraconfig/pre_deploy/per_node.yaml | 16 +- puppet/role.role.j2.yaml | 33 ++-- puppet/services/aodh-api.yaml | 9 +- puppet/services/apache.j2.yaml | 13 +- puppet/services/barbican-api.yaml | 7 +- puppet/services/ceph-base.yaml | 21 ++- puppet/services/ceph-external.yaml | 9 +- puppet/services/ceph-mon.yaml | 8 +- puppet/services/ceph-rgw.yaml | 7 +- puppet/services/cinder-api.yaml | 23 ++- puppet/services/cinder-backend-pure.yaml | 19 ++- puppet/services/cinder-base.yaml | 8 +- puppet/services/cinder-volume.yaml | 16 +- puppet/services/congress.yaml | 7 +- puppet/services/database/mongodb.yaml | 9 +- puppet/services/database/mysql-client.yaml | 7 +- puppet/services/database/mysql.yaml | 25 ++- puppet/services/database/redis-base.yaml | 14 +- puppet/services/docker-registry.yaml | 6 +- puppet/services/ec2-api.yaml | 12 +- puppet/services/etcd.yaml | 9 +- puppet/services/glance-api.yaml | 21 ++- puppet/services/gnocchi-api.yaml | 9 +- puppet/services/gnocchi-base.yaml | 5 + .../haproxy-internal-tls-certmonger.j2.yaml | 10 +- puppet/services/haproxy-public-tls-certmonger.yaml | 2 +- puppet/services/haproxy.yaml | 6 + puppet/services/heat-api-cfn.yaml | 16 +- puppet/services/heat-api.yaml | 16 +- puppet/services/horizon.yaml | 13 +- puppet/services/ironic-api.yaml | 16 +- puppet/services/ironic-conductor.yaml | 30 +++- puppet/services/ironic-inspector.yaml | 14 +- puppet/services/kernel.yaml | 4 + puppet/services/keystone.yaml | 16 +- puppet/services/manila-api.yaml | 56 ++++++- puppet/services/manila-backend-cephfs.yaml | 4 + puppet/services/manila-scheduler.yaml | 21 +-- puppet/services/manila-share.yaml | 17 ++ puppet/services/memcached.yaml | 7 +- puppet/services/metrics/collectd.yaml | 1 + puppet/services/mistral-api.yaml | 14 +- puppet/services/neutron-api.yaml | 24 ++- puppet/services/neutron-base.yaml | 30 ---- puppet/services/neutron-dhcp.yaml | 15 ++ puppet/services/neutron-linuxbridge-agent.yaml | 7 +- puppet/services/neutron-metadata.yaml | 1 - puppet/services/neutron-ovs-agent.yaml | 16 +- puppet/services/neutron-plugin-ml2-ovn.yaml | 7 +- puppet/services/nova-api.yaml | 9 +- puppet/services/nova-base.yaml | 13 +- puppet/services/nova-compute.yaml | 71 +++++++- puppet/services/nova-libvirt.yaml | 13 +- puppet/services/nova-metadata.yaml | 12 +- puppet/services/nova-migration-target.yaml | 24 ++- puppet/services/nova-placement.yaml | 9 +- puppet/services/nova-vnc-proxy.yaml | 15 +- puppet/services/octavia-api.yaml | 41 ++--- puppet/services/octavia-base.yaml | 8 +- puppet/services/opendaylight-api.yaml | 7 +- puppet/services/opendaylight-ovs.yaml | 7 +- puppet/services/openvswitch.yaml | 9 + puppet/services/ovn-controller.yaml | 12 +- puppet/services/ovn-dbs.yaml | 7 +- puppet/services/pacemaker.yaml | 23 +++ puppet/services/pacemaker/database/mysql.yaml | 8 +- puppet/services/pacemaker/database/redis.yaml | 6 +- puppet/services/panko-api.yaml | 9 +- puppet/services/qdr.yaml | 7 +- puppet/services/rabbitmq.yaml | 16 +- puppet/services/sahara-api.yaml | 9 +- puppet/services/sshd.yaml | 19 ++- puppet/services/swift-proxy.yaml | 14 +- puppet/services/swift-storage.yaml | 7 +- puppet/services/tacker.yaml | 7 +- puppet/services/time/timezone.yaml | 13 ++ puppet/services/tripleo-firewall.yaml | 6 + puppet/services/zaqar-api.yaml | 21 ++- .../notes/OvsDisableEMC-ab29e5c08856d439.yaml | 3 + ...eph_volume_mode-parameter-5553a9b39718a749.yaml | 9 + ...nder-nfs-snapshot-support-16664aa46a67a5ad.yaml | 13 ++ ...add-removal-policies-mode-6869362fbeed2cd2.yaml | 6 + ...n_and_no_ntp_to_ipaclient-048fdfccf0cb7835.yaml | 7 + .../notes/bug-1823274-ca992c1055035c7b.yaml | 7 + ...-lower-and-tls-everywhere-1f2300f9a2ba4d98.yaml | 7 + ...-service-auth-url-octavia-90f19c835cb1cc0a.yaml | 4 + ...rver_certs_key_passphrase-229a677df1b7f6e0.yaml | 6 + .../notes/hiera_net_ip_map-ff866b443a28bdc4.yaml | 9 + .../notes/ipa-mkhomedir-c126291bcbdd0111.yaml | 5 + .../notes/minor-update-env-20657417094d4aeb.yaml | 7 + ...enroll-to-host-prep-tasks-934c6e0a9f75f15b.yaml | 8 + .../notes/neutron-placement-6ea6de89bd30b592.yaml | 8 + ...a-nfs-parms-role-specific-527915c6e99ceb89.yaml | 7 + ...va-rbd-pool-role-specific-010f6072d641d84f.yaml | 6 + ...va_add_nfs_vers_parameter-62b9e9d6150358d1.yaml | 8 + ...mpute_fix_log_permissions-e866f91848d647fb.yaml | 9 + .../nova_compute_nofile-0427e49cc8ae70a6.yaml | 6 + ...ell_discovery_on_each_run-11dbb6096ebbf51b.yaml | 7 + ...run_chown_on_every_deploy-c366af9898ecaeed.yaml | 9 + .../ovn_tunnel_encap_type-04df21d622874c27.yaml | 7 + .../remove-cinder-api-v1-66a24998d7f8e985.yaml | 9 + ...-api-to-httpd-support-tls-9b995fe4113b2412.yaml | 5 + .../notes/tag-common-tasks-4a78275787655fdd.yaml | 6 + .../notes/tag-step-plays-b1b1ea7584f1665d.yaml | 5 + ...-pcmk-resource-by-default-ed54100721f55a30.yaml | 8 + roles/BlockStorage.yaml | 1 + roles/CephAll.yaml | 1 + roles/CephFile.yaml | 1 + roles/CephObject.yaml | 1 + roles/CephStorage.yaml | 1 + roles/Compute.yaml | 1 + roles/ComputeAlt.yaml | 1 + roles/ComputeDVR.yaml | 1 + roles/ComputeHCI.yaml | 1 + roles/ComputeHCIOvsDpdk.yaml | 61 +++++++ roles/ComputeInstanceHA.yaml | 1 + roles/ComputeLiquidio.yaml | 1 + roles/ComputeOvsDpdk.yaml | 2 + roles/ComputeOvsDpdkRT.yaml | 2 + roles/ComputeOvsDpdkSriov.yaml | 4 +- roles/ComputeOvsDpdkSriovRT.yaml | 4 +- roles/ComputeRealTime.yaml | 2 + roles/ComputeSriov.yaml | 2 + roles/ComputeSriovRT.yaml | 2 + roles/Controller.yaml | 2 + roles/ControllerAllNovaStandalone.yaml | 1 + roles/ControllerNoCeph.yaml | 2 + roles/ControllerNovaStandalone.yaml | 1 + roles/ControllerOpenstack.yaml | 1 + roles/ControllerStorageNfs.yaml | 2 + roles/Database.yaml | 1 + roles/HciCephAll.yaml | 1 + roles/HciCephFile.yaml | 1 + roles/HciCephMon.yaml | 1 + roles/HciCephObject.yaml | 1 + roles/IronicConductor.yaml | 1 + roles/Messaging.yaml | 1 + roles/Networker.yaml | 1 + roles/Novacontrol.yaml | 1 + roles/ObjectStorage.yaml | 1 + roles/Telemetry.yaml | 1 + roles/Undercloud.yaml | 1 + roles_data.yaml | 6 + roles_data_undercloud.yaml | 1 + sample-env-generator/ssl.yaml | 13 +- sample-env-generator/storage.yaml | 2 + tools/check-up-to-date.sh | 2 +- tools/process-templates.py | 7 + tools/yaml-diff.py | 32 ++++ tools/yaml-validate.py | 22 ++- validation-scripts/all-nodes.sh | 8 +- zuul.d/layout.yaml | 7 - 337 files changed, 3059 insertions(+), 1009 deletions(-)