Queens Series Release Notes


New Features

  • Added role-specific parameter validation workflow.

Bug Fixes

  • Fixed a configuration issue where required settings for Octavia services were missing.

  • Fixed an issue where amphora load balancers would fail to create. The problem was that Octavia certificate files were being created in the wrong path and with invalid content.

  • When deploying a large number of nodes, the create_admin_via_ssh workflow could fail due to the large amount of ansible output generated. This patch updates the tripleo.ansible-playbook action in the workflow with trash_output:true so that the output is not saved in the mistral DB. A log file is already saved in case the output is needed for debugging purposes.


Bug Fixes

  • The passphrase for the config option ‘server_certs_key_passphrase’ is used as a Fernet key in Octavia and thus must be 32 bytes long. TripleO will now auto-generate a 32-byte passphrase for OctaviaServerCertsKeyPassphrase.

  • The tripleo.deployment.v1.get_deployment_status workflow will no longer error when requesting the deployment status for a non-existent plan. A message is sent in the output instead of failing the workflow.

  • Previously, trash_output was not honored if a queue was not being used to post messages. The behavior has changed so that trash_output will be honored even if a queue is not being used, and all stdout/stderr will be discarded.


Security Issues

  • Fixed a vulnerability where an attacker may cause new Octavia amphorae to run based on any arbitrary image (CVE-2019-3895).

Bug Fixes

  • Ensure [controller_worker]/amp_image_owner_id is set. This configuration option restricts Glance image selection to a specific owner ID. This is a recommended security setting.
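The two Octavia settings called out above (the 32-byte Fernet passphrase and amp_image_owner_id) can be checked before a deployment is rolled out. The following is an added example, not code from tripleo-common or Octavia; it assumes the passphrase lives in Octavia's [certificates] section, uses a constructed octavia.conf fragment, and the passphrase alphabet is an assumption.

```python
import configparser
import secrets
import string

FERNET_KEY_BYTES = 32
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits

# Constructed octavia.conf fragment (not taken from the release notes):
# the owner restriction is missing and the passphrase has the wrong length.
WEAK_CONF = """
[controller_worker]
amp_image_tag = amphora

[certificates]
server_certs_key_passphrase = too-short
"""


def generate_passphrase(length=FERNET_KEY_BYTES):
    """Random passphrase of exactly `length` ASCII bytes; a stand-in for the
    value TripleO now auto-generates (the alphabet is an assumption)."""
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def check_octavia_conf(text):
    """Return a finding for each of the two settings that is missing or wrong."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    owner = cfg.get("controller_worker", "amp_image_owner_id", fallback="").strip()
    if not owner:
        findings.append("[controller_worker]/amp_image_owner_id is unset: "
                        "amphora image selection is not restricted to one owner")
    passphrase = cfg.get("certificates", "server_certs_key_passphrase", fallback="")
    size = len(passphrase.encode("utf-8"))
    if size != FERNET_KEY_BYTES:
        findings.append("[certificates]/server_certs_key_passphrase is %d bytes; "
                        "Fernet needs exactly %d" % (size, FERNET_KEY_BYTES))
    return findings


def hardened_conf(owner_id):
    """Corrected fragment: owner pinned and a freshly generated 32-byte key."""
    return WEAK_CONF.replace(
        "amp_image_tag = amphora",
        "amp_image_tag = amphora\namp_image_owner_id = %s" % owner_id,
    ).replace("too-short", generate_passphrase())
```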

  • Fixes running the baremetal provide workflow with node names.

  • Work around bug 1810932 by scripting an in-place update of ssh_known_hosts.


Bug Fixes

  • The tripleo-bootstrap ansible role will no longer fail if yum fails to install the required packages. This fixed behavior aligns with previous requirements where enabled package repositories and a working package manager are not required on the initially deployed images. Errors are ignored on the package install task, and then a subsequent task will cause a failure indicating the required packages are not present.


New Features

  • Increased the size of the security hardened images to 40G. With the move to containers more disk space is needed and the disk layout has been modified; it needs a global size of 40G to work.

Bug Fixes

  • Node update now works correctly when capabilities are specified as a dict.

  • Add missing httpd and mod_ssl packages to octavia container image to support TLS proxy for internal TLS.

  • The ServerAliveInterval and ServerAliveCountMax SSH options are now set in the mistral ansible action so that when networking configuration is performed on the overcloud nodes SSH will not drop the connection.


New Features

  • If the nova novnc proxy is configured to SSL only (see LP 178570), the healthcheck script must also use SSL. With this change we check whether ssl_only is configured in nova.conf and, if so, set https as the protocol for the novnc healthcheck.


Deprecation Notes

  • Un-deprecated pm_service_profile option support at the UCS ironic driver.

Bug Fixes

  • Previously, ironic nodes that only differ in pm_service_profile or ucs_service_profile would override one another ultimately leaving just one of them in ironic configuration. This fix un-deprecates pm_service_profile option support at the UCS ironic driver.

Other Notes

  • The inventory code is updated to use hostnames as the host alias. Since the hostname may not always be resolvable, ansible_host is added as a hostvar and set to the host’s IP address. Using hostnames produces a much more user friendly result in the ansible output showing task result and play recap.


Bug Fixes

  • The tripleo.plan_management.v1.update_roles workflow didn’t pass the plan name (container name) or Zaqar queue name to the sub-workflow it triggered. This caused the behaviour to be incorrect when using a name other than the default. It now correctly passes on these parameters.


New Features

  • Allow uploading files bigger than 5GB to swift. Previously, uploads to swift went through the swift client class, which does not allow uploading files bigger than 5GB. This change enables the upload of files bigger than 5GB by using the swift service class and adjusting the headers to allow these operations. This new helper will be used for the Undercloud backup, to be able to store files bigger than 5GB.

  • Install Octavia amphora image on the undercloud if Red Hat.

  • Create keypair for SSH access to Octavia amphorae.

Bug Fixes

  • Fix bug 1760659 by updating the derived parameters workflow to use scheduler hints associated with a given role. The scheduler hints are used to identify overcloud nodes associated with the role, and take precedence over nodes identified by their profile/flavor.

  • Check pub key file permissions and default to pub key data for Octavia.

  • Fix syntax error in octavia-undercloud role.



Bug Fixes

  • Fixes OpenDaylight healthcheck for TLS and regular deployments.


New Features

  • Adds a workflow to delete a deployment plan so the tripleo.plan.delete does not need to be called directly.

  • Adds a new workflow to list available roles for a given deployment plan.

  • Install os-net-config as an RPM package directly via DIB rather than relying on the os-net-config element. This change will allow us to deprecate further use of tripleo-image-elements for this feature.

  • Adds a workflow that takes a list of role names as input and populates roles_data.yaml in the deployment plan with the respective roles from the ‘/roles’ directory.

  • Introduce an Undercloud Backup workflow as well as a set of Mistral actions to perform the Undercloud Backup.

  • Adds a workflow and associated actions to update roles in a deployment plan.

Upgrade Notes

  • In the Ocata release we started using a tripleo-heat-templates script to drive os-net-config. This approach gives us better signal handling capabilities, reduces our dependencies on os-apply-config, and makes it easier to integrate and fine tune network configuration with, for example, custom mapping files. Users who have network scripts using the older ‘os-apply-config’ format will need to update to the new t-h-t script format as part of this change. All in-tree templates were updated in t-h-t as part of git commit 2c11e9e179178d074af91d8c5c798078ac3e0966.

Deprecation Notes

  • group:os-apply-config deployments are deprecated for use with config-download and they will not be applied.

  • The tripleoupstream container registry is not used anymore and may be retired in the future.

Bug Fixes

  • The group:ansible deployments were not formatted as human readable in the group_vars. It was all just one long line. This made manual review and debugging more difficult. They are now formatted in a human readable format.

  • The generated ansible-playbook-command.sh now has quotes around $@ so that the value can be passed through to ansible-playbook with spaces or other characters requiring quotes.

  • RoleConfig can exist as a stack output, but have a value of None. That case is now handled with a default value of {} where the value was previously None.

  • Support for the SshKnownHostsDeployment resources has been fixed by adding a new role that can be used to configure /etc/ssh/ssh_known_hosts on each host.


New Features

  • Add OctaviaCaKeyPassphrase to the list of passwords to generate, so users don’t have to pick a string or rely on a default value for octavia CA private key passphrase.

  • HeatAuthEncryptionKey, HorizonSecret, MysqlRootPassword, PcsdPassword and RabbitCookie are now generated by tripleo-common, alongside the other passwords managed by TripleO. If existing versions of these parameters were generated by the Heat stack, those are harvested first before new versions are generated.

Security Issues

  • The enable_ssh_admin workflow is now always expecting a list of servers to operate on, passed via ssh_servers input which is left empty when unset.

Bug Fixes

  • Recognizes the root_device property when enrolling nodes. We recommend setting it for multi-disk nodes, but the enrolling procedure did not previously accept it.

  • Node properties are no longer converted to strings on enrolling. This is not required by the Bare Metal service and may yield incorrect results.


New Features

  • Add generation of the key encryption key for the Barbican simple crypto backend.

  • Allows enrolling oVirt nodes using the staging-ovirt hardware type.

  • Introduce a new Ansible role, called tripleo-bootstrap, which takes care of preparing an environment so we can deploy TripleO.

Upgrade Notes

  • The environment variables IRONIC_API_VERSION and OS_BAREMETAL_API_VERSION are no longer set in overcloudrc. Starting with python-ironicclient 2.0.0 this will result in the latest supported API version to be used. Scripts that rely on a particular API version behavior must set these versions explicitly.

Bug Fixes

  • Messages posted back to a zaqar queue by the ansible-playbook action could easily exceed the max message size for the queue. Instead of posting a single message each time, break it up based on the max message size and post a separate message for each.
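The splitting described above, as an added example that is not tripleo-common's own code: each posted message carries the same envelope fields plus a payload chunk, and the chunk boundary is chosen on the JSON-encoded size so that escaped characters such as newlines are accounted for. The maximum size and the envelope fields are constructed for the illustration.

```python
import json

# Constructed limit for the illustration; Zaqar's real maximum is a
# per-deployment setting and is not given in the release note.
MAX_MESSAGE_SIZE = 256


def _encoded_len(ch):
    """Bytes one character occupies once JSON-encoded (surrounding quotes removed)."""
    return len(json.dumps(ch)) - 2


def split_output(text, max_size=MAX_MESSAGE_SIZE, **envelope):
    """Split ansible-playbook output into messages, each carrying the same
    envelope fields plus a 'payload' chunk, so that the JSON form of every
    message stays within max_size bytes."""
    # The envelope with an empty payload is the fixed per-message overhead.
    overhead = len(json.dumps(dict(envelope, payload="")))
    budget = max_size - overhead
    if budget <= 0:
        raise ValueError("envelope alone exceeds the maximum message size")
    chunks, current, used = [], [], 0
    for ch in text:
        size = _encoded_len(ch)
        if size > budget:
            raise ValueError("a single encoded character does not fit the budget")
        if used + size > budget:  # flush before this character overflows
            chunks.append("".join(current))
            current, used = [], 0
        current.append(ch)
        used += size
    if current or not chunks:  # always post at least one message
        chunks.append("".join(current))
    return [dict(envelope, payload=chunk) for chunk in chunks]


def largest_message(messages):
    """Size in bytes of the largest message once JSON-encoded."""
    return max(len(json.dumps(m).encode("utf-8")) for m in messages)
```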

  • Use the openstack-heat-agents package to install all of the python-heat-agent packages in the image, instead of having to specify each individually.


New Features

  • The Ansible actions will now log to a log file named ansible.log in the working directory.

  • Adds a new workflow, tripleo.deployment.v1.config_download_deploy, that does an overcloud configuration using the config download mechanism.

  • Adds support for enrolling nodes with all production hardware types, matching previously supported classic drivers, namely ilo, idrac, irmc and cisco-ucs-managed.

  • The overcloudrc and overcloudrc.v3 now have the same contents and are keystone-v3-enabled. This was done because keystone no longer supports the v2.0 API.

Upgrade Notes

  • Removes support for enrolling nodes with pxe_ssh driver (already removed from ironic).

  • Removes support for deprecated instackenv.json parameters:

    • pm_service_profile (use ucs_service_profile)

    • pm_auth_method (use irmc_auth_method)

    • pm_client_timeout (use irmc_client_timeout)

    • pm_sensor_method (use irmc_sensor_method)

    • pm_deploy_iso (use irmc_deploy_iso)

Bug Fixes

  • Accept the glance image ID in addition to the name.

  • Fixes compatibility between older deployments with Heat resource network “InternalNetwork” and corrected “InternalApiNetwork”. Upgrades from previous versions will still use the old naming scheme, while new deployments will use the correct name of “InternalApiNetwork”.


New Features

  • Add support for troubleshooting network issues using Skydive.


New Features

  • The default architecture for image builds now defaults to the CPU of the host instead of x86_64/amd64. This allows a single package of tripleo-common to be used across multiple architectures to generate images.

  • A new minor update workflow has been added, which implements all the steps in Mistral. It includes the following: setting up the Heat outputs of the Overcloud, pushing the configuration files of the deployment into swift (including the Ansible playbook and tasks and the Puppet files), and running the ansible update playbook via the Ansible action.

  • The config download code has been moved from python-tripleoclient to a dedicated library in order to be consumed by other APIs or tools. A mistral action has been added to handle this library.

Deprecation Notes

  • The old minor update workflow is now deprecated, and the code for the action ClearBreakpointsAction has been removed.

Bug Fixes

  • Add an error message if there are no bare metal nodes in an available or active state with maintenance mode off. Previously, the message misleadingly suggested that the control or compute flavor had no profile associated.

  • The keystone utils in tripleo-common had gotten out of sync with the way Mistral was using authentication. This patch aligns the two so that they are closer to equivalent.