Ocata Series Release Notes


Bug Fixes

  • Previously, get-occ-config.sh could configure nodes out of order when deploying with more than 10 nodes. The script has been updated to properly sort the node resource names by first converting the names to a number.


New Features

  • Allows the configuration of the Neutron LBaaS agent.

Bug Fixes

  • Don’t unregister systems from the portal/satellite when deleting from Heat. There are several reasons why it’s compelling to fix this behavior. See https://bugs.launchpad.net/tripleo/+bug/1710144 for full information. The previous behavior can be triggered by setting the DeleteOnRHELUnregistration parameter to “true”.

  • The nova/neutron/ceilometer host parameter is now explicitly set to the same value that is written to /etc/hosts. On a correctly configured deployment they should be already be identical. However if the hostname or domainname is altered (e.g via DHCP) then the hostname is unlikely to resolve to the correct IP address for live-migraiton. Related bug: https://bugs.launchpad.net/tripleo/+bug/1758034

  • By default, libvirtd uses ports from 49152 to 49215 for live-migration as specified in qemu.conf, that becomes a subset of ephemeral ports (from 32768 to 61000) used by many linux kernels. The issue here is that these ephemeral ports are used for outgoing TCP sockets. And live-migration might fail, if there are no port available from the specified range. Moving the port range out of ephemeral port range to be used only for live-migration.


New Features

  • Allows the configuration of the Neutron LBaaS agent.

  • Till now, the ovs service file and ovs-ctl command files are patched to allow ovs to run with qemu group. In order to remove this workarounds, a new group hugetlbfs is created which will be shared between ovs and qemu. Use env file ovs-dpdk-permissions.yaml while deploying.


Security Issues

  • Restrict memcached service to TCP and internal_api network (CVE-2018-1000115).


Security Issues

  • Change the IPtables rule for SNMP service and open 161 udp port on SnmpdIpSubnet parameter instead of If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.

Bug Fixes

  • The custom roles for deployed-server in deployed-server-roles-data.yaml will now work when configuring overcloud SSL.

  • As documented in launchpad bug 1708680 the templates for manila with the “generic” back end do not yield a successful manila deployment even if they do not cause the overall overcloud deployment to fail, so we are dropping these faulty and unmaintained manila “generic” back end templates.

  • Fix Heat condition for RHEL registration yum update There were 2 problems with this condition making the rhel-registration.yaml template broken: “conditions” should be “condition” and the condition should refer to just a condition name defined in the “conditions:” section of the template. See https://bugs.launchpad.net/tripleo/+bug/1709916


New Features

  • Allow to easily personalize Kernel modules and sysctl settings with two new parameters. ExtraKernelModules and ExtraSysctlSettings are dictionaries that will take precedence over the defaults settings provided in the composable service.


Bug Fixes

  • Removed the hard coding of osd_pool_default_min_size. Setting this value to 1 can result in data loss in operating production deployments. Not setting this value (or setting it to 0) will allow ceph to calculate the value based on the current setting of osd_pool_default_size. If the replication count is 3, then the calculated min_size is 2. If the replication count is 1, then the calcualted min_size is 1. For a POC deployments using a single OSD, set osd_pool_default_size = 1. See description at http://docs.ceph.com/docs/master/rados/configuration/pool-pg-config-ref/ Added CephPoolDefaultSize to set default replication size. Default value is 3.


New Features

  • Adds a new boolean parameter for RHEL Registration called ‘UpdateOnRHELRegistration’ that when enabled will trigger a yum update on the node after the registration process completes.

  • Add support for Dell EMC VMAX Iscsi cinder driver

Bug Fixes

  • Enable the os-collect-config service on the system when using the get-occ-config.sh method of split stack configuration. LP#1734783


Bug Fixes

  • Enable the ntp iburst configuration for each server by default. As some services are very sensitive to time syncronization, this will help speed up the syncronization when servers are unavailable for a time. See LP#1731883


New Features

  • When using RHSM proxy, TripleO will now verify that the proxy can be reached otherwise we’ll stop early and not try to subscribe nodes.

Upgrade Notes

  • When deploying with RHSM, sat-tools 6.2 will be installed instead of 6.1. The new version is supported by RHEL 7.4 and provides katello-agent package.

Bug Fixes

  • Workaround systems getting registered as “localhost” during RHEL registration if they don’t have a fqdn set by first rm’ing the /etc/rhsm/facts directory. When the directory does not exist, the katello-rshm-consumer which runs when installing the katello-ca-consumer will not set the hostname.override fact to “localhost”. See https://bugs.launchpad.net/tripleo/+bug/1711435


Bug Fixes

  • For deployments running on RHEL with Satellite 6 (or beyond) with Capsule (Katello API enabled), the Katello API is available on 8443 port, so the previous API ping didn’t work for this case. Capsule is now supported since we just check if katello-ca-consumer-latest rpm is available to tell that Satellite version is 6 or beyond.


New Features

  • Adding a new parameter to SNMP profile, SnmpdBindHost so users can change the binding addresses on SNMP daemon. The parameter is an array and takes the default value that were previously hardcoded in puppet-tripleo.

Bug Fixes

  • Set “host” parameter in manila.conf to ‘hostgroup’ when running manila share service under pacemaker. This labels instances of the service on different nodes with the same “host” as cinder does in this circumstance so that the instances are considered by OpenStack to provide the same service and manila share is able to maintain management of shares on the backend after failover and failback.


Bug Fixes

  • The “neutron_admin_auth_url” is now properly set using KeystoneInternal rather than using the NeutronAdmin endpoint.


Bug Fixes

  • Fix support for RPMs to be installed via DeployArtifactURLs. LP#1697102

  • Previously the RHEL registration script disabled the satellite repo after installing the necessary packages from it. This makes it awkward to update those packages later, so the repo will no longer be disabled.


New Features

  • Add parameters to control the Cinder NAS security settings associated with the NFS and NetApp Cinder back ends. The settings are disabled by default.

Upgrade Notes

  • We are not changing the rabbitmq ha-mode policy during upgrades any longer. The policy chosen at deploy time will remain the same but can be changed manually.

  • Disabled cephfs snapshot support (ManilaCephFSNativeCephFSEnableSnapshots parameter) in manila by default.

Bug Fixes

  • When environments/services/ironic.yaml is used, enable periodic task in nova-scheduler to automatically discover new nodes. Otherwise a user has to run nova management command on controllers each time.

  • Disable ceilometer in the swift proxy middleware pipeline out of the box. This generates a lot of events with gnocchi and swift backend and causes heavy load. It should be easy to enable if needed.

  • Expose metric_processing_delay to tweak gnocchi performance.

  • Incorrect network used for Glance API service.

  • The stack name can now be overridden in the get-occ-config.sh script for deployed-server’s by setting the $STACK_NAME variable in the environment.

  • This commit merges both [Pre|Post]Puppet and [Pre|Post]Config resources, giving an agnostic name for the configuration steps. The [Pre|Post]Puppet resource is removed and should not be used anymore.

Other Notes

  • All nodes now enable arp_accept sysctl setting to help with honoring gratuitous ARP packets in their ARP tables. While sources of gratuitous ARP packets are diverse, this comes especially useful for Neutron floating IP addresses that roam between devices, and for which Neutron L3 agent sends gratuitous ARP packets to update all network nodes about IP address new locations.


New Features

  • Add capabilities to configure LDAP backends as for keystone domains. This can be done by using the KeystoneLDAPDomainEnable and KeystoneLDAPBackendConfigs parameters.

  • Add support for cold migration over ssh.

    This enables nova cold migration.

    This also switches to SSH as the default transport for live-migration. The tripleo-common mistral action that generates passwords supplies the MigrationSshKey parameter that enables this.

  • SSH host key exchange. The ssh host keys are collected from each host, combined, and written to /etc/ssh/ssh_known_hosts.

  • Added ability to manage MOTD Banner Enabled SSHD composible service by default. Puppet-ssh manages the sshd config.

Known Issues

  • During the ovs upgrade for 2.5 to 2.6 we need to workaround the classic yum update command by handling the upgrade of the package separately to not loose the IPs and the connectivity on the nodes. The workaround is discussed here https://bugs.launchpad.net/tripleo/+bug/1669714

Upgrade Notes

  • The upgrade from openvswitch 2.5 to 2.6 is handled gracefully and there should be no user impact in particular no restart of the openvswitch service. For more information please see the related bug above which also links the relevant code reviews. The workaround (transparent to the user/doesn’t require any input) is to download the OVS package and install with –nopostun and –notriggerun options provided by the rpm binary.

  • The default network for the ctlplane changed from to All references to the ctlplane network in the templates have been updated to reflect this change. When upgrading from a previous release, if the default network was used for the ctlplane (, then it is necessary to provide as input, via environment file, the correct setting for all the parameters that previously defaulted to 192.0.2.x and now default to 192.168.24.x; there is an environment file which could be used on upgrade environments/updates/update-from-192_0_2-subnet.yaml to cover a simple scenario but it won’t be enough for scenarios using an external load balancer, Contrail or Cisto N1KV. Follows a list of params to be provided on upgrade. From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute From external-loadbalancer-vip-v6.yaml: ControlFixedIPs From external-loadbalancer-vip.yaml: ControlFixedIPs From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP From contrail-vrouter.yaml: ContrailVrouterGateway

Deprecation Notes

  • The TCP transport is no longer used for live-migration and the firewall port has been closed.

Security Issues

  • Secure EtcdInitialClusterToken by removing the default value and make the parameter hidden. Fixes bug 1673266.

Bug Fixes

  • NeutronDhcpAgents had a default value of 3 that, even though unused in practice was a bad default value. Changing the default value to a sentinel value and making the hiera conditional allows deploy-time logic in puppet to provide a default value based on the number of dhcp agents being deployed.

  • Updated bigswitch environment file to include the bigswitch agent installation and correct support for the restproxy configuration.

  • Fixes an issue when using the CinderNfsServers parameter_defaults setting. It now works using a single share as well as a comma-separated list of shares.

  • Fixes firewall rules from neutron OVS agent not being inherited correctly and applied in neutron OVS DPDK template.

  • Fixes OpenDaylightProviderMappings parsing on a comma delimited list.

  • openstack-selinux is now installed by the deployed-server bootstrap scripts. Previously, it was not installed, so if SELinux was set to enforcing, all OpenStack policy was missing.

  • Since panko is enabled by default, include it the default dispatcher for ceilometer events.

  • Add knobs to limit memory comsumed by mongodb with systemd

  • We need ceilometer user in cases where ceilometer API is disabled. This is to ensure other ceilometer services can still authenticate with keystone.

  • The pci_passthrough hiera value should be passed as a string (bug 1675036).

  • The token flush cron job has been modified to run hourly instead of once a day. This is because this was causing issues with larger deployments, as the operation would take too long and sometimes even fail because of the transaction being so large. Note that this only affects people using the UUID token provider.



6.0.0 is the final release for Ocata. It’s the first release where release notes are added.

Support for Manila/CephFS with TripleO managed Ceph cluster

New Features

  • Fujitsu Neutron plugin for FOS support. Users can deploy Neutron with this plugin by using environments/neutron-ml2-fujitsu-fossw.yaml environment file.

  • Expose InstanceDiscoveryMethod parameter to configure Ceilometer method used to discover instances running on compute node. Default value to ‘libvirt_metadata’. Allowed values are ‘naive’, ‘libvirt_metadata’ and ‘workload_partitioning’.

  • Make ServiceNetMap support custom network names. Note that operators will still be expected to pass any ServiceNetMap overrides with the “new” network name, e.g whatever NetName specifies, otherwise environment files could get very confusing.

  • Nova Placement API support. As this new service is required, deploy it by default in WSGI with Apache, like other API services.

  • Cinder pass-through iSER backend support.

  • etcd composable services, used by networking-vpp ML2 driver as the messaging mechanism.

  • Allow to configure cron parameters for Cinder, Heat, Keystone and Nova crontabs.

  • Export NovaDefaultFloatingPool parameter to configure the default pool of floating IP addressed available. Default to ‘public’ for backward compatibility.

  • Bump Heat Templates to ‘ocata’ version, to match Heat requirements.

  • Configure OVS agent firewall driver only if NeutronOVSFirewallDriver is set.

  • Expose RbdDefaultFeatures parameter to configure the default features enabled when creating a block device image. Only applies to format ‘2’ images. Set to ‘1’ for Jewel clients using older Ceph servers.

  • Cinder HPELeftHandISCSIDriver backend support.

  • Pacemaker stopped to manage Ceilometer, Cinder API, Cinder Scheduler, MongoDB, Glance, Gnocchi, Heat, Apache, Memcached, Neutron, Nova and Sahara.

  • Ceph MDS service support. Service can be enable with environments/services/ceph-mds.yaml environment file.

  • Expose HeatConvergenceEngine and HeatMaxResourcesPerStack parameters to configure Heat.

  • Add pre-network hook and example showing config-then-reboot.

  • Expose LibvirtEnabledPerfEvents parameter in Nova Compute service. Default to an empty array. This is a performance event list which could be used as monitor.

  • Increase libvirt/qemu.conf max_files to 32768 and max_processes to 131072.

  • Split OVN northd and ml2 plugin, so we can deploy OVNDBs and Northd services on different nodes.

  • Add hook to generate metadata from service profiles. This is useful for nova vendordata plugins that can parse said metadata.

  • Expose EventPipelinePublishers to Ceilometer and set the default to ‘notifier://?topic=alarm.all’.

  • Add Panko service support. This service is not enabled by default. Use environments/services/enable-panko.yaml to include it in your deployment.

  • Add EC2-API composable service support.

  • Allow dnsmasq_dns_servers to be configured for Neutron DHCP Agent with a new parameter (NeutronDhcpAgentDnsmasqDnsServers, default to []).

  • Add support for Ceph RBD mirroring daemon managed by Pacemaker.

  • Add deployed server bootstrap for RHEL.

  • Configure VNC Server listen address on internal_api network by default.

  • Support for Cinder Dell EMC PS Series.

  • Support for Cinder Dell EMC EMC Storage Center.

  • Support for Octavia composable services for LBaaS with Neutron.

  • Support for Collectd composable services for performance monitoring.

  • Support for Tacker composable service for VNF management.

  • With the composable HA work landed it is now possible to split pacemaker-managed services like galera, rabbit, redis, haproxy and any A/P resource, off to dedicated nodes. These services can be split off to separate nodes either via the normal Pacemaker service (which has a limit of 16 maximum number of nodes) or via the newer PacemakerRemote service (but not both on the same node). Note that until https://bugzilla.redhat.com/show_bug.cgi?id=1417936 is fixed, PacemakerRemote should only be used for Cinder A/P resources and Manila A/P resources.

  • Composable service plugins now support two additional sections, upgrade_tasks and upgrade_batch_tasks. These can be used by service template authors to define the required behavior on upgrade as ansible tasks, for both upgrades that require downtime, and rolling upgrades. See puppet/services/README.rst for more details.

  • New parameter “IronicCleaningNetwork” can be used to override the name or UUID of the overcloud network Ironic uses for cleaning.

  • It is now possible to configure Manila with CephFS to use a TripleO managed Ceph cluster. When using the Heat environment file at environments/manila-cephfsnative-config.yaml Manila will be configured to use the TripleO managed Ceph cluster if CephMDS is deployed as well, which can be done using the file environments/services/ceph-mds.yaml

  • Memcached max memory configuration is now exposed va MemcachedMaxMemory.

  • Added initial support for deploying the Octavia services in the overcloud.

  • Adds the ability to manage auditd.service and enter audit.rules via tripleo heat templates. This in turn enforces an audit log of system events, such as system time changes, modifications to Discretionary Access Controls, Failed login attempts.

Known Issues

  • We add a default NTP server to the Overcloud for all Pacemaker and non-Pacemaker deployments, also useful for keeping time diff controlled for Keystone and Ceph.

Upgrade Notes

  • Update OpenDaylight deployment to use networking-odl v2 as a mechanism driver.

  • Update Contrail composable services.

  • Reduce the default memory configuration for memcached from 95% to 50%.

Deprecation Notes

  • Glance Registry service has been removed and Glance API v2 is now deploy by default. Glance API v1 is not supported anymore in TripleO.

  • Remove CeilometerStoreEvents parameter, which has been removed in Ceilometer.

  • Ceilometer API service is deprecated and will be removed in a future release. If you would like to disable it, use environments/services/disable-ceilometer-api.yaml environment file.

  • Removes deprecated OpenDaylight L2 only deployments. Deploying ODL without L3 DVR is no longer supported.

Security Issues

  • Enable management of ‘DISALLOW_IFRAME_EMBED’ in Horizon configuration to prevent dashboard being embedded within an iframe and exposed to Cross-Frame Scripting (XFS) vulnerability on legacy browsers.

  • Enable management of ‘ENFORCE_PASSWORD_CHECK’ in Horizons configuration to display an Admin Password field on the Change Password form to verify that it is indeed the admin logged-in who wants to change the password.

  • Enable management of ‘DISABLE_PASSWORD_REVEAL’ in Horizon, to remove the password reveal option.

  • Enable ‘SECURE_PROXY_SSL_HEADER’ option in Horizons configuration to take X-Forwarded-Proto header into account when forming URLs.

  • Enable management of ENFORCE_PASSWORD_CHECK value. By setting ‘ENFORCE_PASSWORD_CHECK’ to ‘True’ within Horizons local_settings.py, it displays an ‘Admin Password’ field on the “Change Password” form to verify that it is the admin logged-in that wants to perform the password change.

  • Enable management of Horizons Password Validation. Enables injection of an operators own password validation regex via a heat template.

  • Enable management of ‘/etc/issue Banner’ whereby an operator can populate their own Banner warning text to be displayed upon terminal login.

  • Enable management of auditd system. ‘/etc/audit/audit.rules’ can now be populated by means of a heat template.

Bug Fixes

  • Fixes bug 1645898 so epmd is binded on the right address, where RabbitMQ is listening too.

  • Fixes bug 1652184 so swap partitions can be handled from an environment file thanks to AllNodesExtraConfig.

  • Add retry to RHEL registration, useful when having network outages during registration.

  • Fixes bug 1651476 so firewall rules are created for Opendaylight API service.

  • Fixes bug 1643487 to prevent source address from binding to a VIP for database connection.

  • Fixes bug 1649836 to configure DPDK options to isolate PMD cores and ovs process cores.

  • Fixes bug 1662344 by stopping to set bind_address on nova db uri. This reverts the changes in https://review.openstack.org/414629 for nova as they are incompatible with cell_v2. This is a temporary fix for HA while a long-term solution is developed.

  • A default value is now provided for Ironic cleaning_network configuration option. Not providing it on start up was deprecated since Newton, and will result in a failure in the near future.

Other Notes

  • Use Keystone internal endpoint instead of admin for services. The admin endpoint is listening on the ctlplane network by default; services should ideally be using the internal api network for this kind of traffic, as the ctlplane network is mostly for provisioning. On the other hand, the admin endpoint shouldn’t be as relevant with services switching to keystone v3.