Stein Series Release Notes
Fixed a configuration issue where required settings for Octavia services were missing.
If the AdditionalArchitectures parameter has entries then the container image prepare will prepare images for all architectures instead of just the default one. A new boolean field multi_arch can also be set in ContainerImagePrepare entries to determine the multi arch behaviour for images in that entry. If any entry sets a multi_arch value then AdditionalArchitectures is ignored.
Adds additional healthchecks for Swift to monitor the account, container and object replicators as well as the rsync process.
When deploying a large amount of nodes, the create_admin_via_ssh workflow could fail due to the large amount of ansible output generated. This patch updates the tripleo.ansible-playbook action in the workflow with trash_output:true so that the output is not saved in the mistral DB. There is a log file saved already in case the output is needed for debug purposes.
The passphrase for the config option ‘server_certs_key_passphrase’ is used as a Fernet key in Octavia and thus must be 32 bytes long. TripleO will now auto-generate a 32-byte passphrase for OctaviaServerCertsKeyPassphrase.
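An added example (not TripleO or Octavia code) of generating and validating such a passphrase before it is written into a deployment environment file. It assumes that Octavia base64url-encodes the raw 32-byte passphrase to obtain the key it hands to Fernet, and that ‘insecure-key-do-not-use-this-key’ is the placeholder default shipped in Octavia’s configuration; both are assumptions to confirm against the Octavia version in use.

```python
import base64
import secrets
import string

REQUIRED_LEN = 32
# Alphabet restricted to characters that are safe in a base64url context.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + "-_"
# Assumption: placeholder default from Octavia's config; must never reach production.
KNOWN_INSECURE_DEFAULTS = {"insecure-key-do-not-use-this-key"}


def generate_server_certs_key_passphrase(length=REQUIRED_LEN):
    """Generate a passphrase of exactly `length` ASCII bytes from a CSPRNG."""
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def check_server_certs_key_passphrase(passphrase):
    """Return (ok, reason) for a candidate OctaviaServerCertsKeyPassphrase value.

    Two failure modes matter: the byte length is not 32 (Fernet construction
    fails at runtime, which is the bug the note fixes), or the value is a
    publicly known default (Fernet construction succeeds, but the key is
    worthless).
    """
    raw = passphrase.encode("utf-8")
    if len(raw) != REQUIRED_LEN:
        return False, "passphrase is %d bytes, Fernet needs exactly %d" % (len(raw), REQUIRED_LEN)
    if passphrase in KNOWN_INSECURE_DEFAULTS:
        return False, "passphrase is a known insecure default"
    return True, "ok"


def fernet_key_from_passphrase(passphrase):
    """Derive the 44-character base64url Fernet key from a valid passphrase.

    Assumption: this mirrors the encoding step Octavia applies before calling
    Fernet(); it is written here only to show the length relationship.
    """
    ok, reason = check_server_certs_key_passphrase(passphrase)
    if not ok:
        raise ValueError(reason)
    return base64.urlsafe_b64encode(passphrase.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    candidate = generate_server_certs_key_passphrase()
    print("generated:", candidate, check_server_certs_key_passphrase(candidate))
    print("fernet key:", fernet_key_from_passphrase(candidate))
    print("too short:", check_server_certs_key_passphrase("tooshort"))
```

Note that the length check is on UTF-8 bytes, not characters: a 32-character value containing multi-byte characters is rejected, which is what Fernet would do as well.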
Previously, trash_output was not honored if a queue was not being used to post messages. The behavior has changed so that trash_output will be honored even if a queue is not being used, and all stdout/stderr will be discarded.
Fixed a vulnerability where an attacker may cause new Octavia amphorae to run based on any arbitrary image (CVE-2019-3895).
Fixed an issue where amphora load balancers would fail to create. The problem was that the Octavia certificate files were being created in the wrong path and with invalid content.
Ensure [controller_worker]/amp_image_owner_id is set. This configuration option restricts Glance image selection to a specific owner ID. This is a recommended security setting.
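An added illustration (not Octavia or TripleO code) of why the owner restriction above, and the fix for CVE-2019-3895 two notes up, matter. It assumes a simplified version of Octavia’s image lookup: filter Glance images by the amphora tag (and by owner when amp_image_owner_id is set), keep only active images, and pick the newest. The image records are constructed sample data.

```python
# Constructed sample of Glance image records: only the fields that matter
# for amphora image selection. Not real data.
SAMPLE_IMAGES = [
    {"id": "img-trusted-old", "owner": "octavia-service-project", "status": "active",
     "tags": ["amphora"], "created_at": "2019-03-01T10:00:00Z"},
    {"id": "img-trusted-new", "owner": "octavia-service-project", "status": "active",
     "tags": ["amphora"], "created_at": "2019-04-01T10:00:00Z"},
    # Uploaded by an unrelated tenant that reused the tag; newest active image.
    {"id": "img-rogue", "owner": "tenant-b", "status": "active",
     "tags": ["amphora"], "created_at": "2019-05-01T10:00:00Z"},
    # Newer still, but not active, so it must never be selected.
    {"id": "img-trusted-queued", "owner": "octavia-service-project", "status": "queued",
     "tags": ["amphora"], "created_at": "2019-06-01T10:00:00Z"},
]


def select_amphora_image(images, amp_image_tag, amp_image_owner_id=None):
    """Return the id of the newest active image carrying the tag.

    Assumption: simplified stand-in for Octavia's lookup. With
    amp_image_owner_id unset, any project that can upload a tagged image
    decides what boots as an amphora.
    """
    candidates = [
        img for img in images
        if amp_image_tag in img["tags"]
        and img["status"] == "active"
        and (amp_image_owner_id is None or img["owner"] == amp_image_owner_id)
    ]
    if not candidates:
        return None
    # created_at values share one ISO-8601 format, so string order is time order.
    return max(candidates, key=lambda img: img["created_at"])["id"]


def foreign_tagged_images(images, amp_image_tag, amp_image_owner_id):
    """Audit helper: ids of images carrying the amphora tag but owned by a
    project other than the configured owner. A non-empty result means a
    deployment without amp_image_owner_id would boot an image it does not
    control."""
    return sorted(
        img["id"] for img in images
        if amp_image_tag in img["tags"] and img["owner"] != amp_image_owner_id
    )


if __name__ == "__main__":
    print("no owner filter :", select_amphora_image(SAMPLE_IMAGES, "amphora"))
    print("owner filter    :", select_amphora_image(SAMPLE_IMAGES, "amphora", "octavia-service-project"))
    print("foreign tagged  :", foreign_tagged_images(SAMPLE_IMAGES, "amphora", "octavia-service-project"))
```

Run against a real image list, the audit helper is the check to perform on an existing deployment before trusting that the setting alone has closed the gap: an already-uploaded foreign image stays in Glance until someone removes it.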
New health check for “cron” containers, ensuring that it exists and has content.
overcloudrc.v3 is no longer generated from the overcloudrc workflow. This is due to the fact that we’ve been shipping keystone v3 by default for some releases now, and we have the same contents available in overcloudrc.
Fixes running the baremetal provide workflow with node names.
The tripleo-deploy-openshift script now understands the --plan option, to run the openshack-ansible playbooks for a deployment named differently than “openshift”.
Introduces a --playbook option to the tripleo-deploy-openshift script in order to run an openshift-ansible playbook directly on already deployed servers.
The --config-download-dir option to the tripleo-deploy-openshift script is deprecated in favor of --plan.
add support for unknown CA
kolla_builder now supports Buildah and not just Docker.
Prevents upgrading a stack to a version of the tripleo templates or environment that specifies Neutron mechanism drivers incompatible with the existing stack. The upgrade can be forced with the ForceNeutronDriverUpdate parameter, which needs to be set in the deployment parameters.
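An added example (not tripleo-common code) of the shape of such a pre-upgrade guard. It assumes the comparison is between the NeutronMechanismDrivers value recorded on the existing stack and the one in the new parameters, that any difference counts as incompatible, and that a truthy ForceNeutronDriverUpdate in the new parameters overrides the refusal; the parameter dictionaries are constructed input.

```python
def parse_mechanism_drivers(value):
    """Normalize NeutronMechanismDrivers, which may arrive as a list or as a
    comma-separated string, into a set of driver names."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = value.split(",")
    return {item.strip() for item in value if item.strip()}


def neutron_driver_update_allowed(stack_params, new_params):
    """Decide whether a stack update may proceed. Returns (allowed, reason).

    Assumption: existing and requested driver sets are compared for
    equality; a missing value on either side imposes no constraint, and
    ForceNeutronDriverUpdate in the new parameters overrides a mismatch.
    """
    existing = parse_mechanism_drivers(stack_params.get("NeutronMechanismDrivers"))
    requested = parse_mechanism_drivers(new_params.get("NeutronMechanismDrivers"))
    if not existing or not requested or existing == requested:
        return True, "mechanism drivers unchanged"
    change = "%s -> %s" % (sorted(existing), sorted(requested))
    if new_params.get("ForceNeutronDriverUpdate"):
        return True, "mechanism driver change %s forced by ForceNeutronDriverUpdate" % change
    return False, ("refusing mechanism driver change %s; set ForceNeutronDriverUpdate "
                   "to override" % change)


def check_neutron_mechanism_drivers(stack_params, new_params):
    """Raise instead of returning a tuple, for use at the top of an update."""
    allowed, reason = neutron_driver_update_allowed(stack_params, new_params)
    if not allowed:
        raise RuntimeError(reason)
    return reason


if __name__ == "__main__":
    # Constructed parameter sets: an existing openvswitch stack and a new
    # environment switching to a different driver.
    existing_stack = {"NeutronMechanismDrivers": "openvswitch,l2population"}
    new_env = {"NeutronMechanismDrivers": ["ovn"]}
    print(neutron_driver_update_allowed(existing_stack, new_env))
    print(neutron_driver_update_allowed(existing_stack, dict(new_env, ForceNeutronDriverUpdate=True)))
```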
Break out tripleo-admin creation to its own role called tripleo-create-admin. This removes some inline ansible from the mistral workflow, and allows this role to be reused in other contexts (such as undercloud install).
Preparing container images with just OVN now also generates the corresponding Neutron Server OVN image.
Workaround bug 1810932 by scripting an in-place update of ssh_known_hosts
Add an initial task to the config_download_deploy workflow that queries for existing executions of the same workflow on the same plan. If any are found, that means that config-download is already running on the existing plan, so the additional one that is trying to start is failed.
ironic-staging-drivers are now installed in the ironic-conductor container so that these drivers can be used without rebuilding the container. The Ironic Staging Drivers project holds out-of-tree Ironic drivers which do not currently have the means to provide the third-party CI that Ironic requires.
A node’s profile can now be specified as a separate profile field in instackenv.json instead of inside capabilities.
A new Ansible role to tag containers managed by Pacemaker. This role will be consumed by services managed by Pacemaker.
The new tripleo-docker-rm will be useful to remove the containers that were managed by Docker and that are now managed by Podman.
Package octavia-amphora-image (RHEL) will no longer be installed by the octavia-undercloud role, and it now installs image files in the directory /usr/share/openstack-octavia-amphora-images/. Please ensure you have the latest package version installed on the undercloud node before deploying or updating the overcloud.
Specifying profile in capabilities when enrolling nodes is deprecated. Please use the new
Node update now works correctly when capabilities are specified as a dict.
The list of pre and post deployment names generated with config-download are now written per server instead of per role. This change handles the case where a deployment may apply to only an individual or set of servers within a role, and not all servers in that role. host_vars are used to set the variable of deployment names per server instead of group_vars.
Removes the tripleo-specific inclusion of the openstack-ironic-staging-drivers package into the ironic-conductor container, as this has been included in kolla.
The TripleoInventory class no longer supports the parameters being passed in as a config object. This was added to support a transition in tripleo-validations that was corrected in Queens.
Increases the size of the security hardened images to 40G. With the move to containers more disk space is needed and the disk layout has been modified; it needs a total size of 40G to work.
Loads and persists kernel modules from the host directly.
While there is a dedicated nova_metadata healthcheck script, the nova_metadata and nova_api containers share the same image and the current nova_api healthcheck script still checks the non-wsgi implementation. This changes the nova_api healthcheck script to check the metadata wsgi vhost config for details instead of the details in nova.conf.
Add missing httpd and mod_ssl packages to octavia container image to support TLS proxy for internal TLS.
Individual server deployments that are of type group:hiera now support check mode, and when running under check mode, also support diff mode.
Fixes bug 1793605 so that when nodes are blacklisted, they are not included in the Overcloud config. A warning shows the server_id that was ignored if it cannot be found in the stack.
The config_download_deploy workflow now has a config_download_timeout input that will honor the user requested timeout. Previously, no timeout was honored even though the user could request one via tripleoclient.
The tripleo-bootstrap ansible role will no longer fail if yum fails to install the required packages. This fixed behavior aligns with the previous requirement that enabled package repositories and a working package manager are not required on the initially deployed images. Errors are ignored on the package install task, and a subsequent task then causes a failure indicating that the required packages are not present.
tripleo.access.v1.enable_ssh_admin now honors the server blacklist if one is set. Servers in the blacklist will not be used by the workflow.
Previously, running ansible-playbook with --check would cause a failure during the individual server deployments when checking the result of a previous attempt.
The tripleo.deployment.v1.get_deployment_status workflow will no longer error when requesting the deployment status for a non-existent plan. A message is sent in the output instead of failing the workflow.
The ServerAliveInterval and ServerAliveCountMax SSH options are now set in the mistral ansible action so that when networking configuration is performed on the overcloud nodes SSH will not drop the connection.
A new workflow, config_download_export, for exporting the config-download files via a Swift tempurl is added so that the openstack overcloud config download tripleoclient command can use the API.
Switched to a versionless Keystone URL in the overcloudrc. Previously, /v3 was being appended to the OS_AUTH_URL, but this is not required when OS_IDENTITY_API_VERSION is configured.