Zed Series Release Notes
18.0.0.0b1-172
New Features
The service setup in keystone for barbican will now be executed through delegation to the barbican_service_setup_host which, by default, is localhost (the deploy host). Deployers can instead change this to the utility container by implementing the following override in user_variables.yml:
    barbican_service_setup_host: "{{ groups['utility_all'][0] }}"
Added new variables barbican_backends_config and barbican_plugins_config, along with a barbican.conf cleanup, to support multibackend scenarios and make Barbican backend configuration more convenient.
Added variable barbican_user_libraries for deploying custom lib files from the deploy host to barbican containers that might be required for PKCS#11 or other plugins.
The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the barbican_install_method variable to distro.
Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in barbican.
Upgrade Notes
The barbican service was renamed to barbican-api. During the upgrade, the old barbican service will be stopped and barbican-api will be started instead. Also, barbican_*_program_name was removed since it had no effect and wasn't used. Instead, the variable barbican_*_enabled was introduced to ease enabling barbican services like barbican-worker, barbican-keystone-listener and barbican-retry.
Deprecation Notes
The variable barbican_requires_pip_packages is no longer required and has therefore been removed.
The log path, /var/log/barbican, is no longer used to capture service logs. All logging for the barbican service will now be sent directly to the systemd journal.
The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.
- barbican_oslomsg_rpc_servers replaces rabbitmq_servers
- barbican_oslomsg_rpc_port replaces rabbitmq_port
- barbican_oslomsg_rpc_userid replaces barbican_rabbitmq_userid
- barbican_oslomsg_rpc_vhost replaces barbican_rabbitmq_vhost
- added barbican_oslomsg_rpc_use_ssl
- added barbican_oslomsg_notify_servers
- added barbican_oslomsg_notify_port
- added barbican_oslomsg_notify_use_ssl
- added barbican_oslomsg_notify_userid
- added barbican_oslomsg_notify_vhost
- added barbican_oslomsg_notify_password
Security Issues
The default TLS version has been set to TLS1.2. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the barbican_ssl_protocol variable.
16.0.0.0b2
New Features
New variables have been added to allow a deployer to customize a barbican systemd unit file to their liking.
The task dropping the barbican systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
For the os_barbican role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables, which use the config_template task to change template defaults.
Upgrade Notes
For the os_barbican role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables, which use the config_template task to change template defaults.
15.0.0.0b1
New Features
The os_barbican role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting barbican_package_state to present.
The os_barbican role now supports deployment on Ubuntu 16.04 using SystemD.
Upgrade Notes
The os_barbican role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option barbican_package_state should be set to present.
The variables barbican_requirements_git_repo and barbican_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.