We are excited to announce the release of: tripleo-heat-templates 9.3.0: Heat templates for deploying OpenStack with OpenStack. This release is part of the rocky stable release series. The source is available from: http://git.openstack.org/cgit/openstack/tripleo-heat-templates Download the package from: https://tarballs.openstack.org/tripleo-heat-templates/ Please report issues through launchpad: https://bugs.launchpad.net/tripleo For more details, please see below. 9.3.0 ^^^^^ New Features ************ * Add new parameter 'GlanceInjectMetadataProperties', to add metadata properties to be injected in image. Add new parameter 'GlanceIgnoreUserRoles', to specify name of user roles to be ignored for injecting metadata properties in the image. * Allow to output HAProxy in a dedicated file * Adds new HAProxySyslogFacility param * Add new TunedCustomProfile parameter which may contain a string in INI format describing a custom tuned profile. Also provide a new environment file for users of hypercoverged Ceph deployments using the Ceph filestore storage backened. The tuned profile is based on heavy I/O load testing. The provided environment file creates /etc/tuned/ceph-filestore-osd-hci/tuned.conf and sets this tuned profile to be active. Not intended for use with Ceph bluestore. Known Issues ************ * Fix misnaming of service in firewall rule for Octavia Health Manager service. Upgrade Notes ************* * Deployers that used "resource_registry" override in their environment to add networks to roles without also using a custom roles data file must create a custom roles data file and add the additional network(s) and use this when upgrading. Previously it was possible to add additional networks to a role without using a custom role by overriding the resource registry, for example: OS::TripleO::Compute::Ports::ExternalPort: ../network/ports/external.yaml Warning: Since resources are no longer added to the plan unless the network is specified in the role, the "resource_registry" override alone is no longer sufficient. * Non-lifecycle stack actions like stack check and cancel update for undercloud are now disabled. Stack check is yet to be migrated to heat convergence architecture and cancel update is not recommended for overcloud. Both are disabled by adding required heat policy for undercloud. 'overcloud update abort' wrapper for stack cancel update had been dropped since few releases. Deprecation Notes ***************** * The NodeDataLookup parameter type was changed from string to json Critical Issues *************** * Networks not specified for roles in roles data ("roles_data.yaml") no longer have Heat resources created. It is now mandatory that custom roles are used when non-default networks is used for a role. Previously it was possible to add additional networks to a role without using a custom role by overriding the resource registry, for example: OS::TripleO::Compute::Ports::ExternalPort: ../network/ports/external.yaml Note: The "resource_registry" override was the only requirement prior to the introduction of *Composable Networks* in the Pike release.Since Pike a custom role would ideally be used when adding networks to roles, but documentation and other guides may not have been properly updated and only mention the "resource_registry" override. Bug Fixes ********* * * Bug 1784967 invalid JSON in NodeDataLookup error message should be more helpful * In other sections we already use the internal endpoints for authentication urls. With this change the auth_uri in the neutron section gets moved from KeystoneV3Admin to KeystoneV3Internal. * CephOSD/Compute nodes crash under memory pressure unless custom tuned profile is used (bug 1800232). Changes in tripleo-heat-templates 9.2.0..9.3.0 ---------------------------------------------- ded38b744 minor update: move VIP before stopping pacemaker on a node 90c456463 Sanitize the uuid string for ceph-ansible 0b42fb17f Disable stack check and cancel update for undercloud 87b16ddbf run docker_puppet_tasks on any role b476c1e9a mysql: sync credentials in running container on password change c8b4fd25f Fix generation of configs that contain password files 9a59f1b0a mysql: do not overwrite password file during docker-puppet 80f48f131 Ensure we get dedicated logging file for HAProxy 5a4431d0a Adding dependency for NetworkDeployment in 'server_resource_name'Deployment e9c6cf100 Handle case change for dmidecode >= 3.1 in Ceph templates 65111909c Change NodeDataLookup type from string to json 30892a6fc Include the DB password in a Mistral environment for creating backups and restores 11b135e7d Catch directories we can not change ownership ea6fc8f95 Run nova_statedir_owner on every run 44586cec5 Add ContainerImagePrepare service to ControllerStorageNfs role 5753352ee Move UpgradeInitCommand and UpgradeInitCommonCommand to run by Ansible 85c419f83 Add stop_grace_period for heat_engine container 98d9b8d82 Autocreate CephAnsibleFetchDirectoryBackup 4017891ab Rely on osa defaults for enabled services 2bd91308a Set virt queue size as 1024 for all OVS-DPDK roles d218493ea Enable ovs-stats by default when using ovs de03b1ca1 Remove gluster settings from previous deployments on re-deploy 93285264e Ensure logs folder is created in prep hosts tasks. d95b5b9a7 Revert "Create missing directories before mounting them" 7d24a21b8 Revert "Set proper setype for service directories" 4208b0474 Revert "docker: wire SELinuxMode with Ansible vars" 7f09fc9a3 Add HorizonSecureCookies to environments/ssl/enable-tls.yaml caf97046f Restart openshift master services after stack update 1c96500c5 Rework the generated openshift-ansible playbook b49ce79c1 Fix address for glusterfs container images 61ac7d307 Enable image inject metadata properties & user roles to be ignored 606ce4bc5 Set proper setype for service directories 666573d15 Create missing directories before mounting them 9a003d0c8 Configure http/https on OVN Metadata service to talk to Nova 048131984 Enable ceilometer-agent-compute health check 45a118b0f Enable health check for OVN containers 0e3afdce4 Enable fluentd health check f37b5e062 Bind mount /var/lib/iscsi in containers using iSCSI 3a701cce4 Let the operator manage openshift updates and upgrades 3cb95e163 Update auth parameters 8bdef1e7b Fix typo in octavia upgrade_tasks 836b1b332 Reno only - Check for available networks for a role 9d4dce3ce Do not dereference .stdout if dmidecode is missing 6652aaa47 Enable health check for Ironic inspector services 38e16618b Enable Sahara API health check 220cb3998 docker: wire SELinuxMode with Ansible vars f750ab67e puppet_config for rabbitmq_bundle needs file_line 4e299d65a Allow customization of more openshift-ansible vars c2504ed9b Add missing role_specific tag for NUMA aware vswitches params ff7c6e285 Add TunedCustomProfile parameter and HCI Ceph filestore environment 7e9adc62e Move [neutron] auth_url to KeystoneV3Internal 1132612f7 Fix access to /var/lib/haproxy when SELinux is enabled b7167b072 Put user data in the main stack ea52821ca Spliting compact services in multiples lines a74808faf Fix misnaming of service in firewall rule 6e0ff00b0 Fix Octavia hieradata keys 582182f39 ceilometer: --skip-metering-database is gone b18740ad4 Set correct project name for designate-neutron integration 3c739c3cd Add /v2 suffix to Designate uris 6c4de510d Split designate envs 4911af207 Add sample designate environment for ha 81f119363 Don't configure BIND to listen on localhost deec7a6bf Pass in rndc key to Designate deployment 12f4b7192 Open designate-mdns ports in firewall 146398d0b Run designate pool update only on bootstrap node 828821ae7 Configure rndc to listen on internal_api network 6167ffba0 Enable configuration of Designate's pools.yaml c42247b70 Exposing NeutronDhcpOvsIntegrationBridge cbf3364a8 Per role Numa aware vswitch configuration 10074982e Add role definition for ComputeOvsDpdkSriov role e3b4f927c Remove NeutronServicePlugins from octavia environment files Diffstat (except docs and test files) ------------------------------------- .../scenario003-multinode-containers.yaml | 47 ++++++ common/deploy-steps-tasks.yaml | 70 ++++----- common/services.yaml | 5 +- deployed-server/deployed-server.yaml | 21 --- .../services/logging/files/opendaylight-api.yaml | 11 +- environments/designate-config-ha.yaml | 127 +++++++++++++++ environments/designate-config.yaml | 69 ++++++++ environments/enable-designate.yaml | 16 +- environments/services-baremetal/octavia.yaml | 1 - environments/services/octavia.yaml | 1 - environments/ssl/enable-tls.yaml | 4 + environments/tuned-ceph-filestore-hci.yaml | 13 ++ environments/undercloud.yaml | 6 + .../nova_metadata/krb-service-principals.j2.yaml | 4 +- extraconfig/post_deploy/undercloud_post.sh | 4 +- extraconfig/post_deploy/undercloud_post.yaml | 6 + extraconfig/services/openshift-cns.yaml | 39 +---- extraconfig/services/openshift-master.yaml | 58 ++++--- network/endpoints/endpoint_data.yaml | 6 + network/endpoints/endpoint_map.yaml | 3 + overcloud.j2.yaml | 28 ++++ puppet/extraconfig/pre_deploy/per_node.yaml | 8 +- puppet/role.role.j2.yaml | 61 +------- puppet/services/designate-api.yaml | 7 +- puppet/services/designate-central.yaml | 6 +- puppet/services/designate-mdns.yaml | 9 ++ puppet/services/designate-worker.yaml | 32 +++- puppet/services/glance-api.yaml | 10 ++ puppet/services/haproxy.yaml | 5 + puppet/services/manila-scheduler.yaml | 11 +- puppet/services/neutron-dhcp.yaml | 9 ++ puppet/services/neutron-ovs-agent.yaml | 4 + puppet/services/nova-base.yaml | 2 +- puppet/services/nova-compute.yaml | 4 + puppet/services/octavia-api.yaml | 11 ++ puppet/services/octavia-controller.yaml | 88 +++++++++++ puppet/services/octavia-health-manager.yaml | 13 +- puppet/services/octavia-housekeeping.yaml | 13 +- puppet/services/octavia-worker.yaml | 47 ++---- puppet/services/ovn-metadata.yaml | 15 ++ puppet/services/pacemaker.yaml | 20 +++ puppet/services/pacemaker/haproxy.yaml | 10 ++ puppet/services/tripleo-packages.yaml | 44 +++++- puppet/services/tuned.yaml | 15 +- ...-availble-network-in-role-7860d8d5cd1df4b0.yaml | 34 ++++ ...eat-non-lifecycle-actions-d551fe4551d71770.yaml | 10 ++ ...nject-metadata-properties-72cdc946748e9b1b.yaml | 7 + ...lth-manager-firewall-rule-cdffe31d580ecf4b.yaml | 4 + .../notes/haproxy-log-2805e3697cbadf49.yaml | 4 + ...ata_lookup_string_to_json-69362e93d862bd87.yaml | 7 + ..._url_to_internal_endpoint-aaf0e550750335eb.yaml | 7 + .../tuned_custom_profile-25d1f4a2bc217216.yaml | 15 ++ roles/ComputeOvsDpdk.yaml | 2 + roles/ComputeOvsDpdkRT.yaml | 2 + roles/ComputeOvsDpdkSriov.yaml | 60 +++++++ roles/ComputeOvsDpdkSriovRT.yaml | 61 ++++++++ roles/ControllerStorageNfs.yaml | 1 + sample-env-generator/enable-services.yaml | 174 ++++++++++++++++++++- sample-env-generator/ssl.yaml | 4 + 150 files changed, 1787 insertions(+), 527 deletions(-)