Ocata Series Release Notes

6.2.0-10

Bug Fixes

  • Fix support for RPMs to be installed via DeployArtifactURLs. LP#1697102

6.2.0

New Features

  • Add parameters to control the Cinder NAS security settings associated with the NFS and NetApp Cinder back ends. The settings are disabled by default.

Upgrade Notes

  • We no longer change the rabbitmq ha-mode policy during upgrades. The policy chosen at deploy time will remain the same but can be changed manually.
  • Disabled cephfs snapshot support (ManilaCephFSNativeCephFSEnableSnapshots parameter) in manila by default.

Bug Fixes

  • When environments/services/ironic.yaml is used, enable the periodic task in nova-scheduler that automatically discovers new nodes. Otherwise a user has to run the nova management command on the controllers each time.
  • Disable ceilometer in the swift proxy middleware pipeline out of the box. With the gnocchi and swift backends this generates a lot of events and causes heavy load. It should be easy to enable if needed.
  • Expose metric_processing_delay to tweak gnocchi performance.
  • Fixed an incorrect network being used for the Glance API service.
  • The stack name can now be overridden in the get-occ-config.sh script for deployed-servers by setting the $STACK_NAME variable in the environment.
  • This commit merges both [Pre|Post]Puppet and [Pre|Post]Config resources, giving an agnostic name for the configuration steps. The [Pre|Post]Puppet resource is removed and should not be used anymore.

Other Notes

  • All nodes now enable the arp_accept sysctl setting to help with honoring gratuitous ARP packets in their ARP tables. While sources of gratuitous ARP packets are diverse, this is especially useful for Neutron floating IP addresses that roam between devices, for which the Neutron L3 agent sends gratuitous ARP packets to inform all network nodes about the new locations of those IP addresses.

6.1.0

New Features

  • Add the capability to configure LDAP backends for keystone domains. This can be done by using the KeystoneLDAPDomainEnable and KeystoneLDAPBackendConfigs parameters.
  • Add support for cold migration over ssh.

    This enables nova cold migration.

    This also switches to SSH as the default transport for live-migration. The tripleo-common mistral action that generates passwords supplies the MigrationSshKey parameter that enables this.

  • SSH host key exchange. The ssh host keys are collected from each host, combined, and written to /etc/ssh/ssh_known_hosts.
  • Added the ability to manage the MOTD banner; the SSHD composable service is enabled by default. Puppet-ssh manages the sshd config.

Known Issues

  • During the ovs upgrade from 2.5 to 2.6 we need to work around the classic yum update command by handling the upgrade of the package separately, so as not to lose the IPs and the connectivity on the nodes. The workaround is discussed here: https://bugs.launchpad.net/tripleo/+bug/1669714

Upgrade Notes

  • The upgrade from openvswitch 2.5 to 2.6 is handled gracefully and there should be no user impact; in particular, no restart of the openvswitch service. For more information please see the related bug above, which also links the relevant code reviews. The workaround (transparent to the user and requiring no input) is to download the OVS package and install it with the --nopostun and --notriggerun options provided by the rpm binary.
  • The default network for the ctlplane changed from 192.0.2.0/24 to 192.168.24.0/24. All references to the ctlplane network in the templates have been updated to reflect this change. When upgrading from a previous release, if the default network was used for the ctlplane (192.0.2.0/24), then it is necessary to provide as input, via an environment file, the correct setting for all the parameters that previously defaulted to 192.0.2.x and now default to 192.168.24.x. There is an environment file, environments/updates/update-from-192_0_2-subnet.yaml, which can be used on upgrade to cover a simple scenario, but it won’t be enough for scenarios using an external load balancer, Contrail or Cisco N1KV. The parameters to be provided on upgrade are:

    From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute
    From external-loadbalancer-vip-v6.yaml: ControlFixedIPs
    From external-loadbalancer-vip.yaml: ControlFixedIPs
    From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute
    From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP
    From contrail-vrouter.yaml: ContrailVrouterGateway
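A pre-upgrade check for the subnet change above, added here as an example and not part of the tripleo-heat-templates project: it scans a parameter_defaults mapping for any value still carrying an address in 192.0.2.0/24 (including addresses nested in lists or dicts, as ControlFixedIPs uses), and lists the parameters the note names for each environment file you deploy with that are not yet explicitly set. The parameter and file names come from the release note; the sample parameter_defaults, the DnsServers entry and the function names are constructed for illustration.

```python
import ipaddress

OLD_CTLPLANE = ipaddress.ip_network("192.0.2.0/24")    # previous default
NEW_CTLPLANE = ipaddress.ip_network("192.168.24.0/24")  # Ocata default

# Parameters the release note says must be supplied on upgrade, keyed by the
# environment file they come from.
REQUIRED_OVERRIDES = {
    "contrail-net.yaml": ["EC2MetadataIp", "ControlPlaneDefaultRoute"],
    "external-loadbalancer-vip-v6.yaml": ["ControlFixedIPs"],
    "external-loadbalancer-vip.yaml": ["ControlFixedIPs"],
    "network-environment.yaml": ["EC2MetadataIp", "ControlPlaneDefaultRoute"],
    "neutron-ml2-cisco-n1kv.yaml": ["N1000vVSMIP", "N1000vMgmtGatewayIP"],
    "contrail-vrouter.yaml": ["ContrailVrouterGateway"],
}

# Constructed sample of a parameter_defaults section from an operator's
# environment file: two values still point into the old ctlplane subnet.
SAMPLE_PARAMETER_DEFAULTS = {
    "ControlPlaneDefaultRoute": "192.0.2.1",
    "EC2MetadataIp": "192.168.24.1",
    "ControlFixedIPs": [{"ip_address": "192.0.2.5"}],
    "DnsServers": ["8.8.8.8"],
}


def _addresses_in(value):
    """Yield every IP address found in a value (string, list/tuple, or dict, nested)."""
    if isinstance(value, str):
        try:
            # ip_interface accepts both '192.0.2.1' and '192.0.2.1/24'
            yield ipaddress.ip_interface(value).ip
        except ValueError:
            return  # not an address (a hostname, a name, etc.)
    elif isinstance(value, dict):
        for item in value.values():
            yield from _addresses_in(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _addresses_in(item)


def find_old_subnet_values(parameter_defaults):
    """Return {param: value} for parameters still carrying a 192.0.2.0/24 address."""
    return {
        name: value
        for name, value in parameter_defaults.items()
        if any(addr in OLD_CTLPLANE for addr in _addresses_in(value))
    }


def missing_overrides(parameter_defaults, env_files):
    """Return sorted (env_file, param) pairs that must be set for the given files but are absent."""
    return sorted(
        (env_file, param)
        for env_file in env_files
        for param in REQUIRED_OVERRIDES.get(env_file, [])
        if param not in parameter_defaults
    )


if __name__ == "__main__":
    stale = find_old_subnet_values(SAMPLE_PARAMETER_DEFAULTS)
    for name, value in stale.items():
        print(f"{name} still references {OLD_CTLPLANE}: {value!r}")
    for env_file, param in missing_overrides(
        SAMPLE_PARAMETER_DEFAULTS,
        ["network-environment.yaml", "contrail-vrouter.yaml"],
    ):
        print(f"{env_file}: {param} must be set explicitly (new default is in {NEW_CTLPLANE})")
```

Run it against the parameter_defaults you load from each environment file before the upgrade; anything it reports would otherwise silently keep the old address or pick up the new default where the old one was intended.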

Deprecation Notes

  • The TCP transport is no longer used for live-migration and the firewall port has been closed.

Security Issues

  • Secure EtcdInitialClusterToken by removing the default value and making the parameter hidden. Fixes bug 1673266.

Bug Fixes

  • NeutronDhcpAgents had a default value of 3 that, even though unused in practice, was a bad default value. Changing the default value to a sentinel value and making the hiera conditional allows deploy-time logic in puppet to provide a default value based on the number of dhcp agents being deployed.
  • Updated bigswitch environment file to include the bigswitch agent installation and correct support for the restproxy configuration.
  • Fixes an issue when using the CinderNfsServers parameter_defaults setting. It now works using a single share as well as a comma-separated list of shares.
  • Fixes firewall rules from neutron OVS agent not being inherited correctly and applied in neutron OVS DPDK template.
  • Fixes OpenDaylightProviderMappings parsing on a comma delimited list.
  • openstack-selinux is now installed by the deployed-server bootstrap scripts. Previously, it was not installed, so if SELinux was set to enforcing, all OpenStack policy was missing.
  • Since panko is enabled by default, include it in the default dispatcher for ceilometer events.
  • Add knobs to limit the memory consumed by mongodb with systemd.
  • We need the ceilometer user even in cases where the ceilometer API is disabled. This is to ensure other ceilometer services can still authenticate with keystone.
  • The pci_passthrough hiera value should be passed as a string (bug 1675036).
  • The token flush cron job has been modified to run hourly instead of once a day. The daily run was causing issues with larger deployments, as the operation would take too long and sometimes even fail because the transaction was so large. Note that this only affects people using the UUID token provider.

6.0.0

Prelude

6.0.0 is the final release for Ocata. It’s the first release where release notes are added.

Support for Manila/CephFS with TripleO managed Ceph cluster

New Features

  • Fujitsu Neutron plugin for FOS support. Users can deploy Neutron with this plugin by using environments/neutron-ml2-fujitsu-fossw.yaml environment file.
  • Expose the InstanceDiscoveryMethod parameter to configure the Ceilometer method used to discover instances running on compute nodes. The default value is ‘libvirt_metadata’. Allowed values are ‘naive’, ‘libvirt_metadata’ and ‘workload_partitioning’.
  • Make ServiceNetMap support custom network names. Note that operators will still be expected to pass any ServiceNetMap overrides with the “new” network name, e.g. whatever NetName specifies, otherwise environment files could get very confusing.
  • Nova Placement API support. As this new service is required, deploy it by default in WSGI with Apache, like other API services.
  • Cinder pass-through iSER backend support.
  • etcd composable services, used by networking-vpp ML2 driver as the messaging mechanism.
  • Allow configuring cron parameters for the Cinder, Heat, Keystone and Nova crontabs.
  • Expose the NovaDefaultFloatingPool parameter to configure the default pool of available floating IP addresses. Defaults to ‘public’ for backward compatibility.
  • Bump Heat Templates to ‘ocata’ version, to match Heat requirements.
  • Configure OVS agent firewall driver only if NeutronOVSFirewallDriver is set.
  • Expose RbdDefaultFeatures parameter to configure the default features enabled when creating a block device image. Only applies to format ‘2’ images. Set to ‘1’ for Jewel clients using older Ceph servers.
  • Cinder HPELeftHandISCSIDriver backend support.
  • Pacemaker no longer manages Ceilometer, Cinder API, Cinder Scheduler, MongoDB, Glance, Gnocchi, Heat, Apache, Memcached, Neutron, Nova and Sahara.
  • Ceph MDS service support. The service can be enabled with the environments/services/ceph-mds.yaml environment file.
  • Expose HeatConvergenceEngine and HeatMaxResourcesPerStack parameters to configure Heat.
  • Add pre-network hook and example showing config-then-reboot.
  • Expose the LibvirtEnabledPerfEvents parameter in the Nova Compute service. Defaults to an empty array. This is a list of performance events that can be monitored.
  • Increase libvirt/qemu.conf max_files to 32768 and max_processes to 131072.
  • Split OVN northd and ml2 plugin, so we can deploy OVNDBs and Northd services on different nodes.
  • Add hook to generate metadata from service profiles. This is useful for nova vendordata plugins that can parse said metadata.
  • Expose EventPipelinePublishers to Ceilometer and set the default to ‘notifier://?topic=alarm.all’.
  • Add Panko service support. This service is not enabled by default. Use environments/services/enable-panko.yaml to include it in your deployment.
  • Add EC2-API composable service support.
  • Allow dnsmasq_dns_servers to be configured for Neutron DHCP Agent with a new parameter (NeutronDhcpAgentDnsmasqDnsServers, default to []).
  • Add support for Ceph RBD mirroring daemon managed by Pacemaker.
  • Add deployed server bootstrap for RHEL.
  • Configure VNC Server listen address on internal_api network by default.
  • Support for Cinder Dell EMC PS Series.
  • Support for Cinder Dell EMC EMC Storage Center.
  • Support for Octavia composable services for LBaaS with Neutron.
  • Support for Collectd composable services for performance monitoring.
  • Support for Tacker composable service for VNF management.
  • With the composable HA work landed it is now possible to split pacemaker-managed services like galera, rabbit, redis, haproxy and any A/P resource, off to dedicated nodes. These services can be split off to separate nodes either via the normal Pacemaker service (which has a limit of 16 maximum number of nodes) or via the newer PacemakerRemote service (but not both on the same node). Note that until https://bugzilla.redhat.com/show_bug.cgi?id=1417936 is fixed, PacemakerRemote should only be used for Cinder A/P resources and Manila A/P resources.
  • Composable service plugins now support two additional sections, upgrade_tasks and upgrade_batch_tasks. These can be used by service template authors to define the required behavior on upgrade as ansible tasks, for both upgrades that require downtime, and rolling upgrades. See puppet/services/README.rst for more details.
  • New parameter “IronicCleaningNetwork” can be used to override the name or UUID of the overcloud network Ironic uses for cleaning.
  • It is now possible to configure Manila with CephFS to use a TripleO managed Ceph cluster. When using the Heat environment file at environments/manila-cephfsnative-config.yaml, Manila will be configured to use the TripleO managed Ceph cluster if CephMDS is deployed as well, which can be done using the file environments/services/ceph-mds.yaml.
  • Memcached max memory configuration is now exposed via MemcachedMaxMemory.
  • Added initial support for deploying the Octavia services in the overcloud.
  • Adds the ability to manage auditd.service and enter audit.rules via tripleo heat templates. This in turn enforces an audit log of system events, such as system time changes, modifications to Discretionary Access Controls, and failed login attempts.

Known Issues

  • We add a default NTP server to the Overcloud for all Pacemaker and non-Pacemaker deployments, also useful for keeping time diff controlled for Keystone and Ceph.

Upgrade Notes

  • Update OpenDaylight deployment to use networking-odl v2 as a mechanism driver.
  • Update Contrail composable services.
  • Reduce the default memory configuration for memcached from 95% to 50%.

Deprecation Notes

  • The Glance Registry service has been removed and Glance API v2 is now deployed by default. Glance API v1 is not supported anymore in TripleO.
  • Remove CeilometerStoreEvents parameter, which has been removed in Ceilometer.
  • Ceilometer API service is deprecated and will be removed in a future release. If you would like to disable it, use environments/services/disable-ceilometer-api.yaml environment file.
  • Removes deprecated OpenDaylight L2 only deployments. Deploying ODL without L3 DVR is no longer supported.

Security Issues

  • Enable management of ‘DISALLOW_IFRAME_EMBED’ in the Horizon configuration to prevent the dashboard from being embedded within an iframe and exposed to Cross-Frame Scripting (XFS) vulnerabilities on legacy browsers.
  • Enable management of ‘ENFORCE_PASSWORD_CHECK’ in Horizon's configuration to display an Admin Password field on the Change Password form to verify that it is indeed the logged-in admin who wants to change the password.
  • Enable management of ‘DISABLE_PASSWORD_REVEAL’ in Horizon, to remove the password reveal option.
  • Enable the ‘SECURE_PROXY_SSL_HEADER’ option in Horizon's configuration to take the X-Forwarded-Proto header into account when forming URLs.
  • Enable management of the ENFORCE_PASSWORD_CHECK value. By setting ‘ENFORCE_PASSWORD_CHECK’ to ‘True’ within Horizon's local_settings.py, it displays an ‘Admin Password’ field on the “Change Password” form to verify that it is the logged-in admin who wants to perform the password change.
  • Enable management of Horizon's password validation. Enables injection of an operator's own password validation regex via a heat template.
  • Enable management of ‘/etc/issue Banner’ whereby an operator can populate their own Banner warning text to be displayed upon terminal login.
  • Enable management of auditd system. ‘/etc/audit/audit.rules’ can now be populated by means of a heat template.
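The four Horizon hardening settings above are plain assignments in local_settings.py, so their presence can be verified without importing Django or executing the file. The audit below is an added example, not code from tripleo-heat-templates or Horizon: it parses a local_settings.py with the ast module, records the literal value of each top-level assignment, and reports any of the four settings that is missing or weaker than expected. The expected SECURE_PROXY_SSL_HEADER value is Django's usual tuple for trusting a proxy's X-Forwarded-Proto header; the two sample settings fragments are constructed for illustration.

```python
import ast

# Constructed sample: a local_settings.py fragment with the permissive values.
WEAK_LOCAL_SETTINGS = """
DEBUG = False
DISALLOW_IFRAME_EMBED = False
ENFORCE_PASSWORD_CHECK = False
DISABLE_PASSWORD_REVEAL = False
# SECURE_PROXY_SSL_HEADER deliberately left unset
ALLOWED_HOSTS = ['*']
"""

# Constructed sample: the same fragment with the values the release notes enable.
HARDENED_LOCAL_SETTINGS = """
DEBUG = False
DISALLOW_IFRAME_EMBED = True
ENFORCE_PASSWORD_CHECK = True
DISABLE_PASSWORD_REVEAL = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
ALLOWED_HOSTS = ['horizon.example.test']
"""

# Expected values. The SECURE_PROXY_SSL_HEADER tuple is Django's convention:
# trust X-Forwarded-Proto only because the TLS-terminating proxy sets it.
EXPECTED = {
    "DISALLOW_IFRAME_EMBED": True,
    "ENFORCE_PASSWORD_CHECK": True,
    "DISABLE_PASSWORD_REVEAL": True,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}


def parse_settings(text):
    """Collect top-level NAME = <literal> assignments without executing the file.

    Values that are not literals (calls, name references) are recorded as None
    so that a later comparison flags them rather than silently passing.
    """
    settings = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                settings[node.targets[0].id] = None
    return settings


def audit_horizon_settings(text):
    """Return sorted (setting, problem) tuples; an empty list means every check passed."""
    settings = parse_settings(text)
    findings = []
    for name, want in EXPECTED.items():
        if name not in settings:
            findings.append((name, "missing"))
        elif settings[name] != want:
            findings.append((name, f"is {settings[name]!r}, expected {want!r}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_LOCAL_SETTINGS), ("hardened", HARDENED_LOCAL_SETTINGS)):
        findings = audit_horizon_settings(text)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for name, problem in findings:
            print(f"  {name}: {problem}")
```

Point `audit_horizon_settings` at the contents of the deployed /etc/openstack-dashboard/local_settings (or wherever your packaging puts it) after a deploy or upgrade to confirm the heat-managed values actually landed; a setting that Puppet writes as a non-literal expression shows up as `None` and is flagged rather than trusted.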

Bug Fixes

  • Fixes bug 1645898 so epmd is bound on the right address, where RabbitMQ is listening too.
  • Fixes bug 1652184 so swap partitions can be handled from an environment file thanks to AllNodesExtraConfig.
  • Add retry to RHEL registration, useful when having network outages during registration.
  • Fixes bug 1651476 so firewall rules are created for the OpenDaylight API service.
  • Fixes bug 1643487 to prevent source address from binding to a VIP for database connection.
  • Fixes bug 1649836 to configure DPDK options to isolate PMD cores and ovs process cores.
  • Fixes bug 1662344 by no longer setting bind_address on the nova db uri. This reverts the changes in https://review.openstack.org/414629 for nova as they are incompatible with cell_v2. This is a temporary fix for HA while a long-term solution is developed.
  • A default value is now provided for Ironic cleaning_network configuration option. Not providing it on start up was deprecated since Newton, and will result in a failure in the near future.

Other Notes

  • Use Keystone internal endpoint instead of admin for services. The admin endpoint is listening on the ctlplane network by default; services should ideally be using the internal api network for this kind of traffic, as the ctlplane network is mostly for provisioning. On the other hand, the admin endpoint shouldn’t be as relevant with services switching to keystone v3.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.