[openstack-announce] [new][openstackansible] openstack-ansible 12.2.4 release

no-reply at openstack.org no-reply at openstack.org
Thu Sep 29 18:13:35 UTC 2016 

We are glad to announce the release of:

openstack-ansible 12.2.4: Ansible playbooks for deploying OpenStack

With source available at:

    http://git.openstack.org/cgit/openstack/openstack-ansible

For more details, please see below.

12.2.4
^^^^^^


New Features
************

* AIDE is configured to skip the entire "/var" directory when it
  does the database initialization and when it performs checks. This
  reduces disk I/O and allows these jobs to complete faster.

  This also allows the initialization to become a blocking process and
  Ansible will wait for the initialization to complete prior to
  running the next task.

* Although the STIG requires martian packets to be logged, the
  logging is now disabled by default. The logs can quickly fill up a
  syslog server or make a physical console unusable.

  Deployers that need this logging enabled will need to set the
  following Ansible variable:

     security_sysctl_enable_martian_logging: yes


Upgrade Notes
*************

* The upgrade playbook *nova-flavor-migration.yml* will perform a
  migration of nova flavor data. This will need to be completed prior
  to upgrading to Liberty. It is recommended that Kilo be deployed
  from the *eol-kilo* tag prior to upgrading to Liberty to ensure that
  this task is completed successfully.

  This upgrade task is related to bug 1594584
  (https://bugs.launchpad.net/openstack-ansible/+bug/1594584).

* All of the discretionary access control (DAC) auditing is now
  disabled by default. This reduces the amount of logs generated
  during deployments and minor upgrades.  The following variables are
  now set to "no":

     security_audit_DAC_chmod: no
     security_audit_DAC_chown: no
     security_audit_DAC_lchown: no
     security_audit_DAC_fchmod: no
     security_audit_DAC_fchmodat: no
     security_audit_DAC_fchown: no
     security_audit_DAC_fchownat: no
     security_audit_DAC_fremovexattr: no
     security_audit_DAC_lremovexattr: no
     security_audit_DAC_fsetxattr: no
     security_audit_DAC_lsetxattr: no
     security_audit_DAC_setxattr: no

* New overrides are provided to allow for better customization
  around logfile retention and rate limiting for UDP/TCP sockets.
  "rsyslog_server_logrotation_window" defaults to 14 days
  "rsyslog_server_ratelimit_interval" defaults to 0 seconds
  "rsyslog_server_ratelimit_burst" defaults to 10000

* The rsyslog.conf is now using v7+ style configuration settings


Bug Fixes
*********

* The "/run" directory is excluded from AIDE checks since the files
  and directories there are only temporary and often change when
  services start and stop.

* AIDE initialization is now always run on subsequent playbook runs
  when "initialize_aide" is set to "yes". The initialization will be
  skipped if AIDE isn't installed or if the AIDE database already
  exists.

  See bug 1616281 (https://launchpad.net/bugs/1616281) for more
  details.

* The auditd rules for auditing V-38568 (filesystem mounts) were
  incorrectly labeled in the auditd logs with the key of
  "export-V-38568". They are now correctly logged with the key
  "filesystem_mount-V-38568".

Changes in openstack-ansible 12.2.3..12.2.4
-------------------------------------------

5cbbe80 Add upgrade playbook to force nova flavor migrate
2d9cd36 Separate remote rsyslog stream from local
f1536d8 Update all SHAs for 12.2.4
296a89a Point auditor service at the replicator config
555d506 Add collect_statistics_interval, rates_mode in rabbitmq.config template


Diffstat (except docs and test files)
-------------------------------------

ansible-role-requirements.yml                      |  2 +-
global-requirement-pins.txt                        |  2 +-
.../defaults/repo_packages/openstack_services.yml  | 26 +++++-----
playbooks/inventory/group_vars/all.yml             |  2 +-
playbooks/inventory/group_vars/hosts.yml           |  2 +-
.../os_swift/tasks/swift_storage_hosts_account.yml | 29 ++++++++---
.../tasks/swift_storage_hosts_container.yml        | 29 ++++++++---
.../os_swift/tasks/swift_storage_hosts_object.yml  | 29 ++++++++---
.../templates/account-server-replicator.conf.j2    |  3 ++
.../os_swift/templates/account-server.conf.j2      |  2 +-
.../templates/container-server-replicator.conf.j2  |  3 ++
.../os_swift/templates/container-server.conf.j2    |  6 +--
.../templates/object-server-replicator.conf.j2     |  3 ++
.../roles/os_swift/templates/object-server.conf.j2 |  6 +--
playbooks/roles/rabbitmq_server/defaults/main.yml  |  6 +++
.../rabbitmq_server/templates/rabbitmq.config.j2   |  4 +-
playbooks/roles/rsyslog_server/defaults/main.yml   |  7 +++
.../templates/os_aggregate_storage.j2              |  2 +-
.../roles/rsyslog_server/templates/rsyslog.conf.j2 | 59 ++++++++++------------
.../notes/aide-exclude-run-4d3c97a2d08eb373.yaml   |  6 +++
.../aide-initialization-fix-16ab0223747d7719.yaml  | 17 +++++++
...figurable-martian-logging-370ede40b036db0b.yaml | 13 +++++
...grade-nova-flavor-migrate-05402ab6faf1df1c.yaml | 11 ++++
.../reduce-auditd-logging-633677a74aee5481.yaml    | 25 +++++++++
...log-remote-log-separation-76de4b64f0c18edb.yaml |  8 +++
scripts/run-upgrade.sh                             |  1 +
scripts/scripts-library.sh                         |  2 +-
.../playbooks/nova-flavor-migration.yml            | 30 +++++++++++
29 files changed, 270 insertions(+), 76 deletions(-)

More information about the OpenStack-announce mailing list