Zed Series Release Notes

18.0.0.0b1-172

New Features

  • The service setup in keystone for barbican will now be executed through delegation to the barbican_service_setup_host which, by default, is localhost (the deploy host). Deployers can instead change this to the utility container by implementing the following override in user_variables.yml.

    barbican_service_setup_host: "{{ groups['utility_all'][0] }}"
    
  • Added new variables barbican_backends_config and barbican_plugins_config, along with a barbican.conf cleanup, to support multi-backend scenarios and make Barbican backend configuration more convenient.

  • Added variable barbican_user_libraries for deploying custom lib files from the deploy host to barbican containers that might be required for PKCS#11 or other plugins.

  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the barbican_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in barbican.

Upgrade Notes

  • The barbican service was renamed to barbican-api. During the upgrade the old barbican service will be stopped and barbican-api will be started instead. Also, barbican_*_program_name was removed since it had no effect and wasn’t used. Instead, the variable barbican_*_enabled was introduced to ease enabling barbican services like barbican-worker, barbican-keystone-listener and barbican-retry.

Deprecation Notes

  • The variable barbican_requires_pip_packages is no longer required and has therefore been removed.

  • The log path /var/log/barbican is no longer used to capture service logs. All logging for the barbican service will now be sent directly to the systemd journal.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.

    - barbican_oslomsg_rpc_servers replaces rabbitmq_servers
    - barbican_oslomsg_rpc_port replaces rabbitmq_port
    - barbican_oslomsg_rpc_userid replaces barbican_rabbitmq_userid
    - barbican_oslomsg_rpc_vhost replaces barbican_rabbitmq_vhost
    - added barbican_oslomsg_rpc_use_ssl
    - added barbican_oslomsg_notify_servers
    - added barbican_oslomsg_notify_port
    - added barbican_oslomsg_notify_use_ssl
    - added barbican_oslomsg_notify_userid
    - added barbican_oslomsg_notify_vhost
    - added barbican_oslomsg_notify_password
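
A pre-upgrade check for the renames and removals listed in the upgrade and deprecation notes above, as an added example that is not part of the role or of these release notes: it scans the top-level keys of an override file such as user_variables.yml. The function name audit_overrides, the sample file and the concrete name barbican_api_program_name (one possible match for barbican_*_program_name) are assumptions made for illustration.

```python
import re

# Old variable -> replacement, as listed in the deprecation notes above.
RENAMED = {
    "rabbitmq_servers": "barbican_oslomsg_rpc_servers",
    "rabbitmq_port": "barbican_oslomsg_rpc_port",
    "barbican_rabbitmq_userid": "barbican_oslomsg_rpc_userid",
    "barbican_rabbitmq_vhost": "barbican_oslomsg_rpc_vhost",
}
# Variables the notes describe as removed without a direct replacement.
REMOVED = [
    re.compile(r"barbican_requires_pip_packages"),
    re.compile(r"barbican_\w+_program_name"),  # the notes' barbican_*_program_name
]
# Only unindented "name:" lines count; nested keys and comments are skipped.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")


def audit_overrides(text):
    """Return (line_no, variable, advice) for each stale top-level key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = TOP_LEVEL_KEY.match(line)
        if not match:
            continue
        name = match.group(1)
        if name in RENAMED:
            findings.append((line_no, name, "replaced by " + RENAMED[name]))
        elif any(pattern.fullmatch(name) for pattern in REMOVED):
            findings.append((line_no, name, "removed, drop the override"))
    return findings


# Constructed sample override file, not taken from a real deployment.
SAMPLE = """\
---
barbican_service_setup_host: "{{ groups['utility_all'][0] }}"
rabbitmq_port: 5671
barbican_rabbitmq_userid: barbican
# barbican_rabbitmq_vhost: /barbican
barbican_api_program_name: barbican-api
barbican_oslomsg_rpc_use_ssl: true
barbican_requires_pip_packages:
  - virtualenv
"""

if __name__ == "__main__":
    for line_no, name, advice in audit_overrides(SAMPLE):
        print(f"line {line_no}: {name} {advice}")
```

A stale override that is silently ignored after the upgrade leaves the service on role defaults, so running the check against each override file before upgrading shows which messaging settings need to be carried over to the new names.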

Security Issues

  • The default TLS version has been set to TLS1.2. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the barbican_ssl_protocol variable.

16.0.0.0b2

New Features

  • New variables have been added to allow a deployer to customize a barbican systemd unit file to their liking.

  • The task dropping the barbican systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_barbican role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables which use the config_template task to change template defaults.

Upgrade Notes

  • For the os_barbican role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables which use the config_template task to change template defaults.

15.0.0.0b1

New Features

  • The os_barbican role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting barbican_package_state to present.

  • The os_barbican role now supports deployment on Ubuntu 16.04 using systemd.

Upgrade Notes

  • The os_barbican role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option barbican_package_state should be set to present.

  • The variables barbican_requirements_git_repo and barbican_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.