Queens Series Release Notes


New Features

  • The interface tripleo::<service name>::mysql_user was created. It allows service writers to create databases, database users and grants via hieradata instead of having to modify puppet-tripleo.

  • Under pressure, the default monitor timeout value of 20 seconds is not enough to prevent unnecessary failovers of the ovn-dbs pacemaker resource. Spawning a few VMs at the same time could lead to unnecessary movements of the master DB, then re-connections of ovn-controllers (slaves are read-only), further peaks of load on the DBs, and in the end a snowball effect. This value is now configurable via dbs_timeout in tripleo::profile::pacemaker::ovn_dbs_bundle and defaults to 60s.

Bug Fixes

  • Allow using upper case names for SRIOV interface names.


New Features

  • Add the ability to create Cinder’s default volume type. This capability will be used to fix bug 1782217.

  • Adds support for Ironic Networking Baremetal. Networking Baremetal is used to integrate the Bare Metal service with the Networking service.

Known Issues

  • Allow a hiera key to add an additional rabbitmq policy in the resource agent.

Upgrade Notes

  • All manifests no longer use the bootstrap_nodeid hiera key, since this was generated per role and can result in multiple bootstrap nodes when a service is on more than one role. The SERVICE_short_bootstrap_node_name key is used instead, which is automatically generated in tripleo-heat-templates based on the service_name key of the service template role_data.

Other Notes

  • Add dateext and related parameters for the containerized logrotate service to make it easy to find out when logfiles were rotated.


New Features

  • Support setting values for cephfs_volume_mode parameter which controls the rwx mode of the cephfs volumes, snapshots, and groups of these that back manila shares.

  • Add the ability to configure the nfs_snapshot_support parameter associated with Cinder’s NFS backend.


New Features

  • Add support to enable ODL deployment on IPv6 networks

  • Added Dell EMC SC multipath support. This change adds support for cinder::backend::dellsc_iscsi::use_multipath_for_image_xfer.

  • Add new parameter haproxy_log_facility.

  • Added support for networking-ansible ML2 plugin.

Upgrade Notes

  • Logrotate’s copytruncate is used by default for containerized services logs rotation. The default period to keep old logs remains unchanged (14 days).


Bug Fixes

  • With tls-everywhere enabled, the connection from haproxy to the nova novnc proxy was not encrypted. Now we request a certificate and configure haproxy and the novnc proxy so that this remaining leg of a VNC connection is encrypted as well.


Bug Fixes

  • Fixed how deprecated parameters for Cinder’s Netapp backend are handled so that empty strings are not misinterpreted. Fixes bug 1782376.


New Features

  • Add the ability to deploy an NFS backend for the Cinder Backup service.

  • Added support to IPV6 and SSL parameters for Dell EMC Unity manila backend.

Upgrade Notes

  • Rotated logs of containerized services in /var/log/containers will be purged with the next containerized logrotate run triggered via cron, if the rotated logs have been kept longer than purge_after_days (defaults to 14 days).

    The logrotate maxage parameter is set to purge_after_days as well.

    The size parameter does not honor time-based constraints and is disabled as not GDPR compliant. From now on, it configures maxsize instead. Minsize is set to 1 byte to put all /var/log/containers logs under the containerized logrotate control.

    The new rotation parameter additionally allows altering the logrotate rotation interval, e.g. ‘hourly’ or ‘weekly’.

Security Issues

  • Retention rules for files in /var/log/containers are additionally defined in the containerized logrotate postrotate script; a file expires when any of the following criteria is met:

    • time of last access of contents (atime) exceeds purge_after_days,

    • time of last modification of contents (mtime) exceeds purge_after_days,

    • time of last modification of the inode (metadata, ctime) exceeds purge_after_days.

    Expired files will be purged forcibly with each containerized logrotate run triggered via cron. Note that the files’ creation time (the Birth attribute) is not taken into account, as it cannot normally be accessed by system operators (this depends on the filesystem type). Retention policies based on the creation time must be managed elsewhere.
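    As an added illustration of the retention logic described above (example code written for these notes, not puppet-tripleo’s own postrotate script), the following POSIX shell functions apply the same three-timestamp rule to a log directory: a file expires when any of its atime, mtime or ctime is older than a purge_after_days threshold, and expired files are listed for review and then forcibly removed. The directory path and threshold are taken as arguments rather than from hiera, and the birth time is deliberately not consulted.

```shell
#!/bin/sh
# Added example, not puppet-tripleo's postrotate script: apply the
# "any of atime, mtime or ctime exceeds purge_after_days" retention rule
# to a directory of rotated logs. Birth time is intentionally ignored
# since it is not portable across filesystems.

# Print every regular file under $1 whose atime, mtime or ctime is more
# than $2 full days old. find's +N tests mean "older than N days"; the
# -o operators give the "any criterion met" semantics of the note.
find_expired_logs() {
    log_dir="$1"
    purge_after_days="$2"
    find "$log_dir" -type f \
        \( -atime "+$purge_after_days" \
        -o -mtime "+$purge_after_days" \
        -o -ctime "+$purge_after_days" \) \
        -print
}

# Forcibly remove the expired files under $1 and print how many were removed.
purge_expired_logs() {
    log_dir="$1"
    purge_after_days="$2"
    # Count first, then delete; the while-read loop keeps paths with spaces intact.
    n=$(find_expired_logs "$log_dir" "$purge_after_days" | wc -l | tr -d ' ')
    find_expired_logs "$log_dir" "$purge_after_days" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    echo "$n"
}

# Usage (assumed invocation, e.g. from a cron-driven postrotate hook):
#   sh purge_logs.sh /var/log/containers 14
if [ "$#" -eq 2 ]; then
    echo "Expired files under $1 (older than $2 days by atime, mtime or ctime):"
    find_expired_logs "$1" "$2"
    removed=$(purge_expired_logs "$1" "$2")
    echo "Removed $removed file(s)."
fi
```

    Because ctime cannot be set by an operator, a freshly copied or re-chowned file will not expire on ctime alone until purge_after_days has elapsed, but an old mtime or atime still qualifies it, which is exactly why the rule is an OR of the three timestamps.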


New Features

  • Added parameters to generate wrapper scripts for the neutron dhcp and l3 agents to run dnsmasq and keepalived, respectively, in separate containers.

  • Added tripleo::profile::base::docker::additional_sockets to allow configuring additional domain sockets bindings on dockerd. This facilitates creating containers that need to access dockerd without having to mount /run.

  • Split up neutron-lbaas service plugin and agent

Upgrade Notes

  • Class tripleo::profile::base::neutron::lbaas will only configure the Neutron LBaaS service plugin from now on. Use class tripleo::profile::base::neutron::agents::lbaas to configure the Neutron LBaaS agent.

Other Notes

  • Add the compress option for the containerized logrotate service to compress rotated logs by default.


New Features

  • Added variables for endpoint_proxy_nova, endpoint_config_nova, and Apache mod_proxy configuration to proxy nova service just like similar services

Bug Fixes

  • Removes neutron ownership of certificates.


New Features

  • Add support via hiera keys like ‘tripleo::haproxy::${name}::listen_options’ to customize the options of an haproxy service stanza. For example, set the ‘tripleo::haproxy::cinder::options’ hiera key to a hash composed of: ‘timeout client’: ‘90m’, ‘timeout server’: ‘90m’.

Security Issues

  • TLS v1.0 connections are no longer accepted by our HAProxy configuration.

Bug Fixes

  • Fixes a bug where TLS certificates for ODL could not be generated correctly for deployment due to wrong owner/group applied to the files.


New Features

  • Add keystone notification topic for barbican keystone listener to consume.

  • Configure the deployment_user to be part of docker group, required for openstack container commands.

  • Add ability to update firewall chains with the tripleo::firewall class.

  • Allow puppet-keystone to manage the _member_ role, which is required by Horizon. Can be enabled with the keystone_enable_member parameter (disabled by default).

  • IPtables rules managed by Neutron won’t be persistent on the host anymore. Instead, they’ll be removed (if they exist) from /etc/sysconfig/iptables.

  • Add support for libvirt VNC TLS with the option of a dedicated CA.

    Configures ca/certs/key for nova-novnc vencrypt.

    A dedicated IPA sub-CA can optionally be used to restrict access. A custom certmonger helper is used to support this as certmonger currently has limited support for IPA sub-CAs.

  • Add support to configure Dell EMC VNX cinder backend

  • Added support to IPV6 and SSL parameters for Dell EMC VNX manila backend

Upgrade Notes

  • Remove support for the heat-api-cloudwatch service. It has been removed from heat since the Queens release.

Bug Fixes

  • Adds neutron key/certificate generation for use by Neutron agents for communication with OVS.


New Features

  • Added code to select plugin configuration based on tripleo heat template dynamic variables for each backend, depending on if the backend is enabled. Multiple backends can now be configured.

  • Configuration of Octavia ‘service_auth’ section is now enabled for configuring service-to-service communication.

  • Adds support for deploying OpenDaylight with TLS. Open vSwitch is also configured with TLS in this deployment.

  • Enable configuration of octavia certificate related properties to support secure communication with amphorae.

  • Adds support for the standard puppet separator. The “.” separator does not work in puppet-rspec, so we can’t get proper unit tests on the firewall service_rules definition.

  • Adds Basic Authentication support for HAProxy endpoints.

  • Adds support for the puppet standard separator notation in order to be able to have unit tests. The “.” separator notation doesn’t work in puppet-rspec, probably because “hiera” isn’t called per se. This new feature allows two hashes to be obtained; they are merged in the definition.

  • Allows configuring SR-IOV NICs in switchdev mode. This feature requires kernel 4.10 and above.

  • Precision Time Protocol (PTP) is a protocol used to synchronize clocks throughout a network. When used in conjunction with hardware support, PTP is capable of sub-microsecond accuracy which is far better than is normally obtainable with NTP.

  • The security compliance manifest was included in the keystone profile. This enables us to configure the security compliance options through t-h-t.

Deprecation Notes

  • The hardcoded parameter names for network vips in hiera have been deprecated and replaced with the network_virtual_ips dict that includes composable networks. Likewise the hardcoded network parameters to class tripleo::keepalived have been deprecated.

Bug Fixes

  • The new network_virtual_ips hiera parameter is used to generate all network VIP resources in haproxy, haproxy_bundle, and keepalived manifests. Since additional custom networks may be added, the virtual_router_ids in keepalived have been reordered.

  • Partly fixes bug 1737086 in order to get unit tests on the firewall service_rules definition.

  • Fixes bug 1736132 by implementing Basic Authentication in HAProxy endpoint.

  • Partly fixes bug 1737086 for unit tests on haproxy service_endpoints.

  • Swift added a requirement to ensure that storage directories exist before using them. However, when local directories are used in Tripleo (storing data in /srv/node/d1), these are missing by default and thus Swift won’t store any data. This fix creates this directory if needed.


New Features

  • Add tripleo puppet manifest to support the configuration of the cisco VTS controller ml2 plugin.

  • Added a new parameter to tripleo::haproxy, activate_httplog, which enables full HTTP logging in HAProxy.

  • This change allows dynamically creating new service endpoints, either using hiera in heat, or with some new service profile you can then include in roles_data.yml.

  • Keystone notification topics are now configured via the keystone_notification_topics hiera key, which aggregates all the keys that match it. It’s useful for dynamically configuring the topics and not always sending them.

  • Enables management of the login.defs file and its values around password functionality (such as max days, min days, warning age, fail retry times)

Deprecation Notes

  • The keymgr_api_class parameter is deprecated in favor of an equivalent keymgr_backend option. The deprecated keymgr_api_class is still supported for backward compatibility.

Security Issues

  • Operators using this puppet module can change values that influence password security.

Bug Fixes

  • Added missing haproxy endpoint for the Octavia API.

  • Fixes OpenDaylight port status to now work correctly via websocket connection.

  • Allow to add custom backends in HAProxy (1721832)

  • Include the Swift base class in the proxy class, to ensure Swift hash values are properly set in swift.conf when not applying the storage manifest on the same node.


New Features

  • Add support for configuring service function chaining with neutron networking-sfc project

  • This new parameter allows setting/overriding HAProxy global options in a convenient way.

  • Provides a way to set the HAProxy socket access level. This will allow people to manage HAProxy directly through the command line, for example in order to temporarily disable backends.

  • Add support to configure Dell EMC Isilon backend

  • Add support for specifying a list of Ceph pools to be used for additional Cinder RBD backends. This is in addition to the Ceph pool associated with the first Cinder RBD backend. The list of extra pools is optional, and defaults to an empty list.

  • Expose a new Puppet parameter to the snmp profile, snmpd_config, which is an array defined as undef by default. It can be used to override all snmpd configuration for advanced deployments. If used, all parameters have to be configured, including users and passwords, which should be the same as given to snmpd_password and snmpd_user. There is no logic that will verify the content of snmpd_config.

  • Add support to configure Dell EMC Unity backend

  • Add support to configure Dell EMC VNX backend

  • Allow using Redis as Zaqar messaging backend.

Bug Fixes

  • Adds workaround to disable port status feature for OpenDaylight which is currently broken in OpenDaylight. This fixes the inability to launch nova instances.

  • Disables port status feature with OpenDaylight when deployed as HA until it can be properly supported in an HA environment.

  • Retry Swift ring up-/downloads on failures to improve overall stability during deployments when there are temporary errors. Retries are executed in case of HTTP errors (for example due to a temporary issue between the proxy and backend servers) as well as connection issues to the proxy itself.