[openstack-announce] [new][openstackansible] openstack-ansible 12.0.16 release

no-reply at openstack.org no-reply at openstack.org
Tue Jul 5 14:51:23 UTC 2016


We are glad to announce the release of:

openstack-ansible 12.0.16: Ansible playbooks for deploying OpenStack

With source available at:

    http://git.openstack.org/cgit/openstack/openstack-ansible

For more details, please see below.

12.0.16
^^^^^^^


New Features
************

* The audit rules added by the security role now have key fields
  that make it easier to link the audit log entry to the audit rule
  that caused it to appear.

* Apache MPM tunable support has been added to the os-keystone role
  in order to allow MPM thread tuning. Default values reflect the
  current Ubuntu default settings:

     keystone_httpd_mpm_backend: event
     keystone_httpd_mpm_start_servers: 2
     keystone_httpd_mpm_min_spare_threads: 25
     keystone_httpd_mpm_max_spare_threads: 75
     keystone_httpd_mpm_thread_limit: 64
     keystone_httpd_mpm_thread_child: 25
     keystone_httpd_mpm_max_requests: 150
     keystone_httpd_mpm_max_conn_child: 0


Upgrade Notes
*************

* During the upgrade from Kilo to Liberty, this change deletes the
  repo containers and recreates them to fix an upgrade issue with
  dependencies.


Bug Fixes
*********

* The role previously did not restart the audit daemon after
  generating a new rules file. The bug
  (https://launchpad.net/bugs/1590916) has been fixed and the audit
  daemon will be restarted after any audit rule changes.

* The dictionary-based variables in "defaults/main.yml" are now
  individual variables. The dictionary-based variables could not be
  changed as the documentation instructed. Instead it was required to
  override the entire dictionary. Deployers must use the new variable
  names to enable or disable the security configuration changes
  applied by the security role. For more information, see Launchpad
  Bug 1577944
  (https://bugs.launchpad.net/openstack-ansible/+bug/1577944).

* Failed access logging is now disabled by default and can be
  enabled by changing "security_audit_failed_access" to "yes". The
  rsyslog daemon checks for the existence of log files regularly and
  this audit rule was triggered very frequently, which led to very
  large audit logs.

* The security role previously set the permissions on all audit log
  files in "/var/log/audit" to "0400", which prevented the audit
  daemon from writing to the active log file and, in turn, kept
  "auditd" from starting or restarting cleanly.

  The task now removes any permissions that are not allowed by the
  STIG. Any log files that meet or exceed the STIG requirements will
  not be modified.

* When the security role was run in Ansible's check mode and a tag
  was provided, the "check_mode" variable was not being set. Any tasks
  which depend on that variable would fail. This bug is fixed
  (https://bugs.launchpad.net/openstack-ansible/+bug/1590086) and the
  "check_mode" variable is now set properly on every playbook run.

* The security role now handles "ssh_config" files that contain
  "Match" stanzas. A marker is added to the configuration file and any
  new configuration items will be added below that marker. In
  addition, the configuration file is validated after each change.
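
The audit-log permission fix above, sketched as an added example (not code from the openstack-ansible security role): bits outside an allowed ceiling are cleared and nothing is ever added, so a stricter file such as "0400" or "0600" is left alone. The "0640" ceiling, the function name tighten_audit_logs and the sample files are assumptions of this example.

```python
import os
import stat
import tempfile

# Assumed ceiling: the release note only says "permissions that are not
# allowed by the STIG"; 0640 is this example's stand-in for that limit.
STIG_MAX_MODE = 0o640


def tighten_audit_logs(log_dir, max_mode=STIG_MAX_MODE):
    """Clear permission bits outside max_mode; never add bits.

    Returns {filename: (old_mode, new_mode)} for the files that changed.
    """
    changed = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories and symlinks
        old = stat.S_IMODE(st.st_mode)
        new = old & max_mode  # remove disallowed bits only
        if new != old:
            os.chmod(path, new)
            changed[name] = (old, new)
    return changed


def demo():
    """Run against a constructed directory standing in for /var/log/audit."""
    with tempfile.TemporaryDirectory() as d:
        sample = {"audit.log": 0o600, "audit.log.1": 0o400,
                  "audit.log.2": 0o644, "audit.log.3": 0o755}
        for name, mode in sample.items():
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        changed = tighten_audit_logs(d)
        final = {n: stat.S_IMODE(os.stat(os.path.join(d, n)).st_mode)
                 for n in sample}
        return changed, final


if __name__ == "__main__":
    changed, final = demo()
    for name, mode in sorted(final.items()):
        print(name, oct(mode), "changed" if name in changed else "untouched")
```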

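Why the "Match" handling matters, as an added example (not the role's own code): in sshd_config-style files every directive after a "Match" line belongs to that stanza, so a setting appended at the end of the file does not apply globally. The marker text, its placement above the first "Match" line, and the function names are assumptions of this example.

```python
import re

MARKER = "# example hardening marker"   # hypothetical marker text
MATCH = re.compile(r"^\s*match\s", re.I)

# Constructed sample configuration.
SAMPLE = """Port 22
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
    ForceCommand /usr/local/bin/backup-only
"""


def keyword(line):
    """Lower-cased first token of a line, or '' for a blank line."""
    parts = line.split()
    return parts[0].lower() if parts else ""


def scope_of(text, key):
    """Return the scope of each occurrence of key: 'global' or its Match line."""
    scope, found = "global", []
    for line in text.splitlines():
        if MATCH.match(line):
            scope = line.strip()
        elif keyword(line) == key.lower():
            found.append(scope)
    return found


def set_below_marker(text, key, value):
    """Idempotently set 'key value' in global scope."""
    lines = text.splitlines()
    end = next((i for i, l in enumerate(lines) if MATCH.match(l)), len(lines))
    if MARKER not in lines[:end]:
        lines.insert(end, MARKER)   # marker sits above the first Match stanza
        end += 1
    hits = [i for i in range(end) if keyword(lines[i]) == key.lower()]
    if hits:
        lines[hits[0]] = f"{key} {value}"   # existing global setting: fix in place
    else:
        lines.insert(lines.index(MARKER) + 1, f"{key} {value}")  # new: below marker
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    naive = SAMPLE + "PermitRootLogin no\n"
    print("appended at EOF:", scope_of(naive, "PermitRootLogin"))
    fixed = set_below_marker(SAMPLE, "PermitRootLogin", "no")
    print("below marker:  ", scope_of(fixed, "PermitRootLogin"))
```

The sketch does not run the validation step the note mentions; `sshd -t -f <file>` is the usual syntax check for a candidate sshd configuration.
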
Changes in openstack-ansible 12.0.15..12.0.16
---------------------------------------------

8d40626 conditionally include the scsi_dh kernel module
4b63bdd Added the ip_vs kernel module to all openstack hosts
368b7e2 Destroy repo containers before upgrade
a4d0ef9 Add support to tune the keystone apache MPM settings
0b661e2 Fix config generated for rsyslog_client_log_files
504c656 Update all SHAs for 12.0.16
874edd6 Only match full IP addresses in /etc/hosts


Diffstat (except docs and test files)
-------------------------------------

ansible-role-requirements.yml                      |  23 ++---
.../defaults/repo_packages/openstack_services.yml  |  28 +++---
playbooks/inventory/group_vars/all.yml             |   2 +-
playbooks/inventory/group_vars/hosts.yml           |   2 +-
playbooks/roles/openstack_hosts/defaults/main.yml  |   3 +-
.../templates/openstack-host-hostfile-setup.sh.j2  |   2 +-
playbooks/roles/os_keystone/defaults/main.yml      |  10 ++
.../roles/os_keystone/tasks/keystone_apache.yml    |   3 +-
.../templates/keystone-httpd-mpm.conf.j2           |   9 ++
playbooks/roles/os_nova/templates/policy.json.j2   |   3 -
.../tasks/rsyslog_client_post_install.yml          |   7 +-
.../rsyslog_client/templates/99-rsyslog.conf.j2    |   2 +-
.../templates/os_aggregate_storage.j2              |   2 +-
.../notes/augenrules-restart-39fe3e1e2de3eaba.yaml |   5 +
...tionary-variables-removed-957c7b7b2108ba1f.yaml |   9 ++
...iled-access-audit-logging-789dc01c8bcbef17.yaml |   6 ++
...-audit-log-permission-bug-81a772e2e6d0a5b3.yaml |  10 ++
.../fix-check-mode-with-tags-bf798856a27c53eb.yaml |   7 ++
...ndling-sshd-match-stanzas-fa40b97689004e46.yaml |   7 ++
.../improved-audit-rule-keys-9fa85f758386446c.yaml |   5 +
...pache-mpm-tunable-support-1c72f2f99cd502bc.yaml |  18 ++++
...fore-upgrade-kilo-liberty-40df3cd4c992a52a.yaml |   5 +
requirements.txt                                   |   2 +-
scripts/ansible-role-requirements-editor.py        | 104 +++++++++++++++++++++
scripts/get-pypi-pkg-version.py                    |   2 +-
scripts/run-upgrade.sh                             |   3 +-
scripts/scripts-library.sh                         |   2 +-
scripts/sources-branch-updater.sh                  |  73 +++++++++++++++
test-requirements.txt                              |   9 +-
30 files changed, 331 insertions(+), 55 deletions(-)


Requirements updates
--------------------

diff --git a/requirements.txt b/requirements.txt
index ec58012..d866451 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12 +12 @@ pip==8.1.2
-setuptools==22.0.0
+setuptools==23.0.0
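Review bot: the setuptools pin on line 12 moves across a major version (22.0.0 to 23.0.0) in a stable point release, and none of the release notes above mention it. Please state in the commit message what required the bump, so deployers who carry these pins can judge the risk of taking it.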
diff --git a/test-requirements.txt b/test-requirements.txt
index 1e3f8b5..d8f8de5 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,2 +3,2 @@ ansible-lint>=2.0.3,<=2.3.6
-bashate==0.5.0 # Apache-2.0
-flake8==2.2.4
+bashate>=0.2 # Apache-2.0
+flake8>=2.2.4,<=2.4.1
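Review bot: bashate goes from an exact pin (==0.5.0) to >=0.2 with no upper bound, so the new floor is below the version previously tested and any future release is picked up automatically; lint results stop being reproducible between runs. flake8 in the same hunk gets both bounds (>=2.2.4,<=2.4.1); give bashate a matching cap, and keep the floor at 0.5.0 unless an older version is really needed.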
@@ -6 +6,2 @@ hacking>=0.10.0,<0.11
-mccabe==0.2.1 # capped for flake8
+# mccabe capped for flake8
+mccabe==0.2.1 # MIT License
@@ -11 +12 @@ pyflakes==0.8.1
-sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
+sphinx>=1.1.2,!=1.2.0,!=1.3b1,<1.3




