Ocata Series Release Notes


New Features

  • Adds composable service interface for Neutron LBaaSv2 service.

Security Issues

  • TLS v1.0 connections are no longer accepted by our HAProxy configuration.


New Features

  • IPtables rules managed by Neutron won’t be persistent on the host anymore. Instead, they’ll be removed (if exist) from /etc/sysconfig/iptables.


New Features

  • Expose a new Puppet parameter to snmp profile, snmpd_config which is an array definded to undef by default. It can be used to override all snmpd configuration for advanced deployments. If used, all parameters have to be configured included users and passwords, which should be the same as given to snmpd_password and snmpd_user. There is no logic that will verify the content of snmpd_config.


New Features

  • Enable innodb_flush_log_at_trx_commit configuration for Galera only.

Upgrade Notes

  • Setting the innodb_flush_log_at_trx_commit flag to the value of “2” instead of its default value of “1” means that the underlying MySQL/MariaDB engine will no longer flush transactions to disk on a per-transaction basis; instead, flushes occur once per second. This leads to far fewer disk writes and can dramatically improve write performance, at the cost of durability (e.g. will lose the last second’s worth of transactions) if the database engine is ungracefully shut down. The clustered nature of Galera mitigates this risk in that transactions are replicated to other nodes before completion, and the setting of “2” is considered to be generally safe for a Galera cluster, with the exception case of simultaneous power loss for all nodes.


New Features

  • Enable innodb_buffer_pool_size configuration for all MySQL databases.

Known Issues

  • Ignore failures if nf_conntrack_proto_sctp module failed to load. Since RHEL 7.4, nf_conntrack_proto_sctp module is compiled into the kernel instead of as a module as the sctp support. TripleO will still try to load the module to support RHEL 7.3, but in the future will remove the module management and rely on the kernel provided in newer versions of RHEL.

Bug Fixes

  • Allow VF configuration files to be written for non-existent PCI devices to allow updates while physical functions are currently in use by a guest.

  • In order to avoid service restarts, all services deploy their httpd configuration at the same time. Thus, httpd now starts in step 3 for the bootstrap nodes, and step 4 for all other nodes.


New Features

  • Restrict nova migration ssh tunnel * The ssh authorized_keys file is only writeable by root. * Creates a new user for migration instead of using root/nova. * Disables SSH forwarding for this user. * Restricts the networks that this user can connect from. * Uses an ssh wrapper command to whitelist the commands that this user can run over ssh. Adds new parameter “tripleo::profile::base::nova::migration_ssh_localaddrs” to specify which incoming IPs are allow for SSH tunnel connections.


New Features

  • Add keystone::ldap_backend call as resource when is trigged to setup a LDAP backend as keystone domain. This allows per-domain LDAP backends for keystone.

  • Unless a non-default value is provided, the dhcp_agents_per_network neutron configuration variable is set to the number of deployed neutron dhcp agents.

  • Configure ssh tunneling for nova cold-migration. Re-use the tunnel for libvirt live-migration unless TLS is enabled.

Bug Fixes

  • Octavia is now properly registered with keystone when deployed.

  • We need ceilometer user in cases where ceilometer API is disabled. This is to ensure other ceilometer services can still authenticate with keystone.

  • With having package mod_ssl by default installed in images we introduced issue with mod_ssl package update. In case of SSL not being used or provided by HAproxy the puppet-apache module by default purges the ssl.conf file. The package update then recreates the file with default Listen 443 option. This causes conflict on 443 port during httpd restart. If we include ::apache::mod::ssl the ssl.conf file will be configured and the Listen option will be used only if there is vhost set to use SSL.

  • Fixes horizon getting temporarily deconfigured during a stack update due to the apache configuration occuring in step 3 but the horizon configuration not occuring until step 4.

  • Fixes missing neutron base class in sriov

  • Re-run gnocchi and ceilometer upgrade in step5. This is required for gnocchi resource types to be created in ceilometer and gnocchi to function properly.

  • Add a way for mongodb to limit amount of memory it comsumes with systemd. A new param memory_limit has been added to tripleo::profile::base::database::mongodb class with default limit of 20G.


New Features

  • The undercloud UI is available in multiple languages, which can now be configured via the manifest. All available languages are enabled by default.



Release notes are generated by Reno.

New Features

  • Add networking-fujitsu support to Neutron ML2 profile.

  • Split OVN plugin and northd configuration.

  • Introduce tripleo::tls_proxy used to set up a TLS proxy using mod_proxy that redirects towards localhost.

  • HPELeftHandISCSIDriver support for Cinder Volume profile.

  • Add support for CollectD profile, for performance monitoring.

  • Configure Nova Cells v2 database, required in Ocata.

  • Configure the basic setup for Nova Cells v2.

  • Support for opendalight_v2 mechanism_driver in Neutron ML2 profile.

  • Support for Ceph MDS service profile.

  • Add IPv6 support to Firewall rules. It will create both IPv4 & IPv6 rules at the same time. It automatically converts icmp rules to ipv6-icmp. When a source or destination is specified, it will only create rules to the right version of IP that is needed.

  • Add support for not using admin_token in Ceph/RGW profile.

  • Add Docker Registry profile.

  • Add Nova Placement API profile.

  • Add NTP profile.

  • Add etcd profile, used by networking-vpp ML2 plugin.

  • Add profiles for Octavia services.

  • Enable object-expirer on Swift proxy profile.

  • Set memcache_servers in /etc/swift/object-expirer.conf.

  • Add support for fence_ironic fencing agent.

  • Add a noop_resource function, which allow to disable any resource type in a catalog, with –tags option to puppet apply.

  • Add Ceph RBD mirrog Pacemaker profile.

  • Remove Glance Registry profile, not used anymore. Glance API v1 is not available anymore.

  • Add Nova EC2API profile.

  • Add support for Pacemaker Remote with a new profile.

  • Updates Pacemaker profiles for Composable HA architecture.

  • Add Tacker profile.

  • Add Congress profile.

  • Add a default rule for dhcpv6 traffic.

  • Re-organizes Contrail services to the correct roles.

  • Set innodb_file_per_table to ON for MySQL / Galera

  • Switch Nova / Libvirt VNC server binding to use the IP address provided in Hiera instead of

  • Proxy API endpoints that TripleO UI uses.

  • Rebranding of Eqlx to Dell EMC PS Series.

  • Add support for ScaleIO backend in Cinder Volume profile.

  • Add support to changing the Rabbitmq password on stack-update.

  • Add profiles for the Octavia LBaaS service.

  • Added hpelefthand_iscsi backend support for cinder

  • Enable innodb_file_per_table for MySQL/MariaDB databases

  • Configure the basic cells setup for Nova, now required in Ocata.

  • Added ability to proxy API service endpoints through Apache mod_rewrite rules by creating ProxyPass and ProxyPassReverse directives for each API service

  • Adds the ability to manage auditd.service and enter audit.rules

  • Add support for configuring Ceph RGW to use keystone V3 service authentication instead of admin token authentication

  • Added /etc/issue & /etc/issue.net parameters

  • Added MOTD banner parameters

  • Added external module saz-ssh to allow management of sshd_config

  • Release notes are no longer maintained by hand, we now use the reno tool to manage them.

  • Configure VNC server to be binded on internal network interface on compute nodes. This value comes from tripleo-heat-templates and is configured by default to use an IP address from the internal API network. We use the ServiceNetMap in tripleo-heat-templates to compute the IP address, and we won’t configure anymore as it used to open the binding to any network, which is unsecure.

Known Issues

  • Invoke rabbitmq_user resource explicity to apply password change during update, if any.

Upgrade Notes

  • Newly created MySQL database tables will be stored in their own datafiles, instead of in a single monolithic ibdata file.

  • Existing MySQL database tables that are persisted within the monolithic ibdata file will remain so unless the database is migrated as well.

  • Migration of all current database tables out of the monolithic ibdata file is possible by dumping and restoring the whole database to a new data directory, however when using Galera the entire cluster must be shut down and upgraded at once.

  • Migration of individual tables to datafiles is possible using the MySQL command “ALTER TABLE <databasename>.<tablename> ENGINE=InnoDB;”, however this will not shrink the ibdata file and also is not safe to run on a running Galera cluster for large tables.

  • Removed the following URL configuration variables from tripleo::ui:

    • keystone_url

    • heat_url

    • ironic_url

    • mistral_url

    • swift_url

    • zaqar_websocket_url

Deprecation Notes

  • Remove tripleo::vip_hosts class, no longer used.

Security Issues

  • CVE-2016-9599 Enforce Firewall TCP / UDP rules management, by sanitizing dynamic HAproxy endpoints firewall rules, securing firewall rules creations (disallow TCP/UDP rules without sport or dport), but allow to open all traffic for TCP/UDP when actually desired.

Bug Fixes

  • Fixes bug 1648736 so swift-proxy is decoupled from ceilometer packages.

  • Fixes bug 1652107 so we ensure package updates don’t happen unexpectedly.

  • Fixes bug 1645898 so we ensure to bind the rabbit inter-cluster to a specific interface.

Other Notes

  • Introduce more Puppet rspec tests that improve testing quality.