Train Series Release Notes

13.0.0

New Features

  • OS::Aodh::LBMemberHealthAlarm resource plugin is added to manage Aodh loadbalancer_member_health alarm.

  • Added a new config option server_keystone_endpoint_type to specify the keystone authentication endpoint (public/internal/admin) to pass into cloud-init data. If left unset the original behavior should remain unchanged.

    This feature allows the deployer to unambiguously specify the keystone endpoint passed to user provisioned servers, and is particularly useful where the deployment network architecture requires the heat service to interact with the internal endpoint, but user provisioned servers only have access to the external network.

    For more information see http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002925.html

  • Support the tags property for the resource OS::Octavia::PoolMember; the property can also be updated. Resource tags were introduced in Octavia in the Stein release, so do not specify tags in a Heat template if you are using an earlier version.

  • The OS::Neutron::QosBandwidthLimitRule resource type now supports an optional direction property, allowing users to set the ingress bandwidth limit in a QoS rule. Previously only the egress bandwidth limit could be set.

  • Heat can now support software deployments with CoreOS by passing a CoreOS Ignition config in the user_data property for an OS::Nova::Server resource when the user_data_format is set to SOFTWARE_CONFIG.

  • Added new config option [DEFAULT]allow_trusts_redelegation (False by default). When enabled and reauthentication_auth_method is set to trusts, Heat will always create trusts with enabled redelegation, for both trusts used for long running stacks and for trusts used for deferred authentication.

Upgrade Notes

  • When loading a Resource plugin, the attribute schema is now validated in the same way that the properties schema is. Third-party resource plugins should be tested to check that they still comply.

  • The multiattach property in OS::Cinder::Volume is now hidden. Please use the multiattach key in the metadata property of OS::Cinder::VolumeType instead.

  • The Designate project removed v1 API support as of stable/queens. Heat has now completely removed support for the v1 resources OS::Designate::Domain and OS::Designate::Record, and replaced them with placeholders so that existing templates containing those resources still load. The designate.domain custom constraint has also been removed.

Security Issues

  • With both reauthentication_auth_method set to trusts and allow_trusts_redelegation set to True (new config option, False by default), Heat will always create trusts with enabled redelegation, for both trusts used for long running stacks and for trusts used for deferred authentication. This has security implications and is only recommended when Heat is set to use trusts and you experience problems with other services Heat consumes that also need to create trusts from the token passed by Heat (examples are Aodh and Heat running in another region).
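
A check for the combination described above, as an added example (not part of Heat or of these release notes): it parses heat.conf text and reports whether trust redelegation is in effect. It assumes both options are read from [DEFAULT]; the function name, status labels and sample configs are constructed for illustration.

```python
import configparser

# Constructed heat.conf fragments for illustration (not from a real deployment).
SAMPLES = {
    "risky": "[DEFAULT]\nreauthentication_auth_method = trusts\n"
             "allow_trusts_redelegation = True\n",
    "latent": "[DEFAULT]\nallow_trusts_redelegation = yes\n",
    "default": "[DEFAULT]\nreauthentication_auth_method = trusts\n",
    "broken": "[DEFAULT]\nallow_trusts_redelegation = maybe\n",
}


def audit_trust_redelegation(conf_text):
    """Classify heat.conf text by its trust redelegation settings.

    Returns one of: "active", "latent", "off", "invalid".
    """
    # interpolation=None: config values may contain '%' characters.
    # strict=False: tolerate duplicated options instead of raising.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)

    # Assumption: both options are read from the [DEFAULT] section.
    reauth = parser.get(
        "DEFAULT", "reauthentication_auth_method", fallback="").strip()
    try:
        redelegate = parser.getboolean(
            "DEFAULT", "allow_trusts_redelegation", fallback=False)
    except ValueError:
        return "invalid"  # not a recognisable boolean; review by hand

    if not redelegate:
        return "off"      # shipped default: redelegation is not enabled
    if reauth == "trusts":
        return "active"   # every trust Heat creates allows redelegation
    return "latent"       # flag is set but trusts reauthentication is not


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {audit_trust_redelegation(text)}")
```

A result of "latent" is worth flagging in a configuration review, since a later change to reauthentication_auth_method would switch redelegation on without anyone touching allow_trusts_redelegation.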

Bug Fixes

  • Non-ASCII text that appears in parameter constraints (e.g. in the description of a constraint, or a list of allowed values) will now be handled correctly when generating error messages if the constraint is not met.

  • OS::Neutron::Port resources will now be replaced when the mac_address property is modified. Neutron is unable to update the MAC address of a port once the port is in use.

Other Notes