Pike Series Release Notes


New Features

  • Adds the possibility to set ‘neutron::agents::ml2::ovs::tunnel_csum’ via NeutronOVSTunnelCsum in the heat template. This parameter sets or unsets the tunnel header checksum on outgoing IP packets carrying GRE/VXLAN tunnels in the ovs agent.

Upgrade Notes

  • The ‘LogrotatePurgeAfterDays’ parameter enforces the clean-up of information that has exceeded its lifetime (default 14 days) in the /var/log/containers directory of bare metal overcloud hosts, including upgrade (from containers) cases, when leftovers may remain on the host systems.

Security Issues

  • New heat parameters for containerized services ‘LogrotateMaxsize’, ‘LogrotateRotationInterval’, ‘LogrotateRotate’ and ‘LogrotatePurgeAfterDays’ allow customizing size/time-based rules for the containerized services logs rotation. The time based rules prevail over all.

Bug Fixes

  • The nova statedir ownership logic has been reimplemented to target only the files/directories controlled by nova. Resolves VM I/O errors when using an NFS backend (bug 1778465).


Bug Fixes

  • Set live_migration_inbound_addr for ssh transport

    Previously this was only set when TLS is enabled, which means that with the ssh transport we could not control the network used, and were relying on DNS or hosts file to be correct, which is not guaranteed (especially with DNS).

  • With https://review.openstack.org/#/c/561784 we change the default migration port range to ‘61152-61215’. nova::migration::qemu::configure_qemu needs to be set to true so that the config gets applied via puppet-nova.

Other Notes

  • The default docker0 bridge should normally be given a value that does not conflict with any of the existing networks’ CIDR ranges.

    If there is a conflict for the default value, users are allowed to alter the docker service startup --bip option via DockerNetworkOptions.

  • Removed experimental manila docker environment files. Although they had comments indicating they were still experimental in Pike, deployers have been deploying production environments with them and getting into trouble.


Bug Fixes

  • Fix a typo in the manila-share pacemaker template which was causing failures on upgrades and updates.

  • Previously, get-occ-config.sh could configure nodes out of order when deploying with more than 10 nodes. The script has been updated to properly sort the node resource names by first converting the names to a number.

  • When using get-occ-config.sh with a role using a count greater than 1, the script will now configure all nodes that are of that role type instead of exiting after only configuring the first.

  • {{role.name}}ExtraConfig will now be honored even when using deprecated params in roles_data.yaml. Previously, its value was ignored and never used even though it is defined as a valid parameter in the rendered template.


Bug Fixes

  • Expose panko expirer params to enable and configure it.

  • The nova/neutron/ceilometer host parameter is now explicitly set to the same value that is written to /etc/hosts. On a correctly configured deployment they should already be identical. However, if the hostname or domainname is altered (e.g. via DHCP) then the hostname is unlikely to resolve to the correct IP address for live-migration. Related bug: https://bugs.launchpad.net/tripleo/+bug/1758034

  • By default, libvirtd uses ports from 49152 to 49215 for live-migration as specified in qemu.conf; that range is a subset of the ephemeral ports (from 32768 to 61000) used by many linux kernels. The issue here is that these ephemeral ports are used for outgoing TCP sockets, so live-migration might fail if there is no port available in the specified range. The port range is moved out of the ephemeral port range so that it is used only for live-migration.
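    As an added illustration of the overlap this note and the earlier ‘61152-61215’ note describe (example code, not part of tripleo-heat-templates or puppet-nova), the following Python checks whether a libvirt migration port range, written as in qemu.conf, falls inside a kernel ephemeral port range. The 32768-61000 range is the one quoted above; the real range on a host lives in /proc/sys/net/ipv4/ip_local_port_range, so a helper parses that file’s two-number format from a constructed sample string. Function names are assumptions made for this example.

```python
# Added example: check whether a libvirt live-migration port range overlaps the
# kernel's ephemeral (local) port range. Not part of tripleo-heat-templates;
# the function names and the sample input below are constructed for this illustration.

# Ephemeral range quoted in the release note. The actual range on a host is read
# from /proc/sys/net/ipv4/ip_local_port_range and may differ (e.g. 32768-60999).
DEFAULT_EPHEMERAL_RANGE = (32768, 61000)


def parse_port_range(spec):
    """Parse a 'low-high' range as written in qemu.conf / puppet-nova, e.g. '49152-49215'."""
    low_s, sep, high_s = spec.strip().partition("-")
    if not sep:
        raise ValueError("expected 'low-high', got %r" % spec)
    low, high = int(low_s), int(high_s)
    if not (1 <= low <= high <= 65535):
        raise ValueError("port range out of bounds: %r" % spec)
    return low, high


def read_ip_local_port_range(text):
    """Parse the contents of /proc/sys/net/ipv4/ip_local_port_range ('32768\\t60999\\n')."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("unexpected ip_local_port_range content: %r" % text)
    low, high = int(parts[0]), int(parts[1])
    if low > high:
        raise ValueError("ip_local_port_range low > high: %r" % text)
    return low, high


def ranges_overlap(a, b):
    """True if the closed ranges a and b share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def migration_range_conflicts(migration_spec, ephemeral=DEFAULT_EPHEMERAL_RANGE):
    """True if any migration port could also be handed out as an ephemeral source port.

    That is exactly the failure mode in the note: an outgoing TCP socket grabs a
    port in the migration range, and the migration listener cannot bind it.
    """
    return ranges_overlap(parse_port_range(migration_spec), ephemeral)


if __name__ == "__main__":
    # Constructed sample of a host's ip_local_port_range file content.
    sample_proc = "32768\t60999\n"
    ephemeral = read_ip_local_port_range(sample_proc)
    for spec in ("49152-49215", "61152-61215"):
        verdict = "overlaps" if migration_range_conflicts(spec, ephemeral) else "is outside"
        print("%s %s the ephemeral range %s-%s" % (spec, verdict, ephemeral[0], ephemeral[1]))
```

    Run on a real host, replace the constructed sample with the contents of /proc/sys/net/ipv4/ip_local_port_range; the check is the same whether the kernel's upper bound is 61000 or 60999, since the new default ‘61152-61215’ starts above both.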


New Features

  • Add Mistral to the provided controller roles.

  • Until now, the ovs service file and ovs-ctl command files were patched to allow ovs to run with the qemu group. In order to remove these workarounds, a new group hugetlbfs is created which will be shared between ovs and qemu. Use the env file ovs-dpdk-permissions.yaml while deploying.


Security Issues

  • Restrict memcached service to TCP and internal_api network (CVE-2018-1000115).


New Features

  • Add support for Dell EMC VNX cinder driver

Security Issues

  • Change the IPtables rule for SNMP service and open 161 udp port on SnmpdIpSubnet parameter instead of If SnmpdIpSubnet is left empty, SnmpdNetwork will be used.

Bug Fixes

  • As documented in launchpad bug 1708680 the templates for manila with the “generic” back end do not yield a successful manila deployment even if they do not cause the overall overcloud deployment to fail, so we are dropping these faulty and unmaintained manila “generic” back end templates.


New Features

  • This patch allows attaching optional volumes to, and setting optional environment variables in, the neutron-api, heat-api and nova-compute containers. This makes it easier to plug plugins into those containers.

Bug Fixes

  • Deployments with Ceph now honor the DeploymentServerBlacklist parameter. Previously, this meant that changes could still be triggered for servers in the blacklist.

  • Added hiera for network_virtual_ips in vip_data to allow composable networks to be configured in puppet.

  • Fixes generation public certificates for haproxy in a non-containerized TLS deployment scenario.

  • The standalone Telemetry role at roles/Telemetry.yaml had an incorrect list of services. The list has been updated to remove services such as MySQL and RabbitMQ and the services common to all TripleO roles have been added.


New Features

  • Allow to easily personalize Kernel modules and sysctl settings with two new parameters. ExtraKernelModules and ExtraSysctlSettings are dictionaries that will take precedence over the defaults settings provided in the composable service.

Bug Fixes

  • The pacemaker docker version of the rabbitmq service should also include the noops for the Rabbitmq_policy and Rabbitmq_user puppet resources that are noop’d in docker/services/rabbitmq.yaml. These resources must be noop’d in puppet, otherwise they could be triggered during the puppet applies of the docker-puppet.py generate-config step, where rabbitmqctl is not actually running.


Bug Fixes

  • Allow configuring the SR-IOV agent with agent extensions.

  • Start sequence at 1 for the downloaded deploy steps playbook instead of 0. The first step should be 1 since that is what the puppet manifests expect.

  • Processes store important health and debug data in files within /var/cache/swift, and these files must be shared between all swift-* processes. Therefore this directory needs to be mounted on all Swift containers, which is required to make swift-recon work.


New Features

  • The KeystoneNotificationTopics parameter was introduced. This takes a list which will configure extra notification topics, which end up as queues in the message broker. This is useful for when keystone notifications need to be integrated with third party software. Note that enabling telemetry will by default make keystone emit notifications to the ‘notifications’ topic, but this parameter can enable extra topics still.

Bug Fixes

  • Allow the configuration of image_member_quota in Glance API. Reaching the default value (128) blocks the ability to share images.

  • Enabling ceilometer automatically enables keystone notifications through the ‘notifications’ topic (which was the default).

  • Enable the ntp iburst configuration for each server by default. As some services are very sensitive to time synchronization, this will help speed up the synchronization when servers are unavailable for a time. See LP#1731883

  • Add swift_config puppet tag to the dockerized proxy service to ensure the required hash values in swift.conf are set properly. This is required when deploying a proxy node without the storage service at the same time.


New Features

  • When using RHSM proxy, TripleO will now verify that the proxy can be reached otherwise we’ll stop early and not try to subscribe nodes.

Upgrade Notes

  • The format to use for the CephPools parameter needs to be updated into the form expected by ceph-ansible. For example, for a new pool named mypool it should change from: { “mypool”: { “size”: 3, “pg_num”: 128, “pgp_num”: 128 } } into: [ { “name”: “mypool”, “pg_num”: 128, “rule_name”: “” } ] The first is a map where each key is a pool name and its value the pool properties, the second is a list where each item describes all properties of a pool, including its name.
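    The conversion described above, as an added Python example (not a tool shipped by tripleo-heat-templates or ceph-ansible; the function name, the pg_num fallback of 128 and the sample pools are assumptions made for this illustration). It takes a CephPools value in the old map form and emits the list form, keeping only the keys shown in the note’s example, and passes a value that is already a list through after a minimal check.

```python
# Added example: convert a CephPools value from the puppet-ceph map form to the
# ceph-ansible list form described in the upgrade note. Not part of
# tripleo-heat-templates or ceph-ansible; names and sample data are constructed.
import json


def convert_ceph_pools(pools):
    """Return the CephPools value in list form.

    Map form (old):  {"mypool": {"size": 3, "pg_num": 128, "pgp_num": 128}}
    List form (new): [{"name": "mypool", "pg_num": 128, "rule_name": ""}]

    Only the keys shown in the note (name, pg_num, rule_name) are emitted; other
    old-form keys such as size and pgp_num are dropped, matching the note's example.
    A value that is already a list is validated and returned unchanged.
    """
    if isinstance(pools, list):
        for entry in pools:
            if not isinstance(entry, dict) or "name" not in entry:
                raise ValueError("list-form pool entry must be a dict with a 'name': %r" % (entry,))
        return pools
    if not isinstance(pools, dict):
        raise TypeError("CephPools must be a dict (old form) or a list (new form)")
    converted = []
    for name, props in pools.items():  # insertion order is preserved on Python 3.7+
        if not isinstance(props, dict):
            raise ValueError("properties for pool %r must be a dict" % (name,))
        converted.append({
            "name": name,
            # Assumption for this example: fall back to 128 when pg_num is unset,
            # the value used in the note's example.
            "pg_num": int(props.get("pg_num", 128)),
            "rule_name": str(props.get("rule_name", "")),
        })
    return converted


if __name__ == "__main__":
    # Constructed sample in the old (map) form.
    old_value = {"mypool": {"size": 3, "pg_num": 128, "pgp_num": 128}}
    print(json.dumps(convert_ceph_pools(old_value), indent=2))
```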

  • Changed default address of docker0 bridge to be in the last class B private network – – to stop conflicting with the default network range for InternalApiNetCidr. The docker0 bridge is normally unused in TripleO deployment.

  • When deploying with RHSM, sat-tools 6.2 will be installed instead of 6.1. The new version is supported by RHEL 7.4 and provides katello-agent package.

Security Issues

  • Live migration over TLS has been disabled since the settings it was using don’t meet the required security standards. It is currently not possible to enable it via t-h-t.

Other Notes

  • With the migration from puppet-ceph to ceph-ansible for the deployment of Ceph, the format of CephPools parameter changes because the two tools use a different format to represent the list of additional pools to create.


Upgrade Notes

  • The Heat API Cloudwatch API is deprecated in Pike and so it is removed by default during the Ocata to Pike upgrade. If you wish to keep this service then you should use the environments/heat-api-cloudwatch.yaml environment file in the tripleo-heat-templates during the upgrade (note that this is migrated to running under httpd, if you do decide to keep this service on Pike).

Deprecation Notes

  • The Heat API Cloudwatch API is deprecated in Pike and so it is now not deployed by default. You can override this behaviour with the environments/heat-api-cloudwatch.yaml environment file in the tripleo-heat-templates.

Bug Fixes

  • Fixes dynamic networks to fallback to ctlplane network when they are disabled.

  • For deployments running on RHEL with Satellite 6 (or beyond) with Capsule (Katello API enabled), the Katello API is available on 8443 port, so the previous API ping didn’t work for this case. Capsule is now supported since we just check if katello-ca-consumer-latest rpm is available to tell that Satellite version is 6 or beyond.


Upgrade Notes

  • Adds a new UpgradeRemoveUnusedPackages parameter (default False) and some service upgrade_tasks that use this parameter to remove any unused packages. “Unused” is those services that are being stopped and disabled from starting on boot (because they are being containerized). Note that ignore_errors is set on all the package removal ansible tasks so any issues removing a given package will not fail the upgrade workflow. For clarity, setting UpgradeRemoveUnusedPackages to True in your deployment environment file(s) will result in the REMOVAL of packages for stopped and disabled services, during the upgrade.

Bug Fixes

  • Fixes missing Keystone authtoken password for Tacker.

  • Removes hardcoded network names. The networks are now defined dynamically by network_data.yaml.


Upgrade Notes

  • This adds post_upgrade_tasks, ansible tasks that can be added to any service manifest (currently, pacemaker/cinder-volume for bug 1706951).

    These are similar to the existing upgrade_tasks in their format, however they will be executed after the docker/puppet config. So the order is upgrade_tasks, deployment steps (docker/puppet), then post_upgrade_tasks.

    Also like the upgrade_tasks these are serialised and you can use ‘tags’ with ‘step0’ to ‘step6’ (more can be added if needed).

  • Containerized services logs can be found under updated paths. Pacemaker-managed resources write logs to /var/log/pacemaker/bundles/*. Docker-daemon managed openstack services bind-mount their log files to the /var/log/containers/<foo>/* sub-directories. Services running under Apache2 WSGI use the /var/log/containers/httpd/<foo-api>/* destinations. Additional tools or commands that log to syslog, end up placing log records into the hosts journalctl and /var/log/messages.

Bug Fixes

  • Fixes bug where neutron port status was not updated with OpenDaylight deployments due to firewall blocking the websocket port used to send the update (port 8185).

  • Disables QoS with OpenDaylight until officially supported.



Deployment of Ceph in containers is implemented using a Mistral workflow.

Support for Manila/CephFS with TripleO managed Ceph cluster

New Features

  • Adds the InternalTLSCAFile parameter, which defines which CA file should be used by the internal services to verify that the peer’s certificate is trusted. This is applicable if internal TLS is enabled. Currently, it defaults to using the CA file for FreeIPA, which is the default CA.

  • If TLS in the internal network is enabled, libvirt’s transport defaults to using TLS. This can be changed by setting the UseTLSTransportForLiveMigration parameter, which is true by default.

  • This introduces the ManageKeystoneFernetKeys parameter, which tells heat/puppet if it should replace the existing fernet keys on a stack deployment or not. This is useful if the deployer wants to do key rotations out of band.

  • The HAProxy stats interface can now be enabled/disabled with the HAProxyStatsEnabled flag. Note that it’s still enabled by default.

  • Keystone’s default token provider is now fernet instead of UUID

  • The KeystoneFernetKeys parameter was introduced, which is able to take any number of keys as long as it’s in the right format. It’s generated by the same mechanism as the rest of the passwords, so its value is also available via mistral’s “password” environment variable. This will also allow rotations to be made via mistral and via stack updates.

  • Add support for BGPVPN Neutron service plugin

  • Add new cadf.yaml environment, that will configure Keystone to emit CADF notifications. This standard provides auditing capabilities for security compliance, and is intended to be used for deploying TripleO with hardened security.

  • Add support to configure Ceilometer Agent Ipmi profiles.

  • Add parameters to control the Cinder NAS security settings associated with the NFS and NetApp Cinder back ends. The settings are disabled by default.

  • Added new DeploymentSwiftDataMap parameter, which is used to set the deployment_swift_data property on the Server resources. The parameter is a map where the keys are the Heat assigned hostnames, and the value is a map of the container/object name in Swift.

  • Add support for L2 Gateway Neutron agent

  • Add support for L2 Gateway Neutron service plugin

  • Add capabilities to configure LDAP backends for keystone domains. This can be done by using the KeystoneLDAPDomainEnable and KeystoneLDAPBackendConfigs parameters.

  • Adds new environment file for deploying SRIOV with OpenDaylight.

  • Adds support for OpenDaylight HA clustering. Now when specifying three or more ODL roles, ODL will be deployed in a cluster, and use port 2550 for cluster communication.

  • The relevant parameters have been added to deploy the heat APIs over httpd. This means that the HeatWorkers now affect httpd instead of the heat API themselves, and that the apache hieradata will also be deployed in the nodes where the heat APIs run.

  • Introduce the ability to deploy the qpid-dispatch-router (Qdr) for the oslo.messaging AMQP 1.0 driver backend. The Qdr provides direct messaging (e.g. brokerless) communications for oslo.messaging services. To facilitate simple use for evaluation in an overcloud deployment, the Qdr aliases the RabbitMQ service to provide the messaging backend.

  • Adds a new output, ServerOsCollectConfigData, which is the os-collect-config configuration associated with each server resource. This can be used to [pre]configure the os-collect-config agents on deployed-server’s.

  • Added Pure Storage FlashArray iSCSI and FC backend support for cinder

  • Adds DatabaseSyncTimeout parameter to Nova and Neutron templates.

  • TripleO is now able to configure role-based access API policies with new parameters for each API service. For example, Nova API service has now NovaApiPolicies and the value could be { nova-context_is_admin: { key: context_is_admin, value: ‘role:admin’ } } It will configure /etc/nova/policy.json file and configure context_is_admin to true. Puppet will take care of this configuration and API services are restarted when the file is touched. We’re also adding augeas resource to the list of Puppet providers that container deployments grab in the catalog to generate configurations, so this feature can be used when deploying TripleO in containers.

  • Add an example role roles/IronicConductor.yaml for a node with only ironic-conductor and its (i)PXE service.

  • Add support for Veritas HyperScale Cinder backend.

  • A new role ComputeOvsDpdk has been added to enable dynamic roles_data creation with OVS-DPDK role.

  • Per default, don’t log a message in syslog for each incoming SNMP query. So set the default log level to ‘-LS0-5d’. Allow the operator to customize the log level via a parameter.

  • Configure OpenDaylight SNAT to use conntrack mechanism with OVS and controller based mechanism with OVS-DPDK.

  • Barbican API added to containerised overcloud deployment

  • This patch enables the configuration of Contrail DPDK on the Compute nodes by specifying the required parameters in an environment file.

  • Allow to configure debug per service. The feature is backward compatible with existing Debug parameter. Adding a new parameter per service, e.g. GlanceDebug. Set to False, it will disable debug for the service, even if Debug is set to True. If Debug is set to False but GlanceDebug is set to True, Glance debug will be enabled.

  • Add a new output, DeployedServerEnvironment, that can be used as the contents of an environment file. This environment file can then be used as input into a services only stack when using split-stack. The parameter simplifies the manual steps needed to deploy split-stack.

  • Added a custom plan-environment file for providing workflow specific inputs for the derived parameters workflow.

  • When deploying with environments/docker.yaml, the docker service is now deployed on all predefined roles.

  • DPDK is enabled in OvS before the NetworkDeployment to ensure DPDK is ready to handle new port additions.

  • Allows the configuration of the Neutron LBaaS agent.

  • Added support for external swift proxy. Users may need to configure endpoints pointing to swift proxy service already available.

  • A set of example roles has been created in the roles folder in tripleo-heat-templates. Management of services for roles should occur in these role files rather than in roles_data.yaml.

  • There is now a tool in tripleo-heat-templates, similar to the oslo-config-generator, that can be used to programmatically generate sample environment files based directly on the contents of the templates themselves. This ensures consistency in the sample environments, as well as making it easier to update environments to reflect changes to the templates.

  • Deploy Glance with Keystone v3 endpoints and make sure it doesn’t rely on Keystone v2 anymore.

  • Deploy Gnocchi with Keystone v3 endpoints and make sure it doesn’t rely on Keystone v2 anymore.

  • New configuration IronicDefaultBootOption allows to change the default boot option to use for bare metal instances in the overcloud.

  • Bare metal serial console support via socat utility is enabled for Ironic hardware types supporting it (currently only ipmi).

  • Add basic support for ironic-inspector in the overcloud. It is highly experimental and is not yet recommended for production use.

  • Allow setting the Ironic provisioning network UUID or name via new IronicProvisioningNetwork configuration.

  • Enable support for “neutron” Ironic networking plugin, enabling advanced integration with Neutron, such as VLAN/VXLAN network support, bonding and security groups.

  • Add support for Dell EMC Isilon manila driver

  • It is now possible to configure Manila with CephFS to use a TripleO managed Ceph cluster. When using the Heat environment file at environments/manila-cephfsnative-config.yaml Manila will be configured to use the TripleO managed Ceph cluster if CephMDS is deployed as well, which can be done using the file environments/services/ceph-mds.yaml

  • KeystoneFernetMaxActiveKeys was introduced as a parameter to the keystone profile. It sets the max_active_keys value of the keystone.conf file and will subsequently be used by mistral to purge the keys in a mistral task.

  • Add support for cold migration over ssh.

    This enables nova cold migration.

    This also switches to SSH as the default transport for live-migration. The tripleo-common mistral action that generates passwords supplies the MigrationSshKey parameter that enables this.

  • Move Mistral API to use mod_wsgi under Apache.

  • Add NeutronOverlayIPVersion parameter to configure the neutron ML2 overlay_ip_version option. This parameter should be set to 6 when the user requires tenant vxlan tunnel endpoints to be IPv6.

  • Allow to configure the Message Queue notification driver. By default, we’ll configure ‘messagingv2’ but we can now override NotificationDriver parameter and set ‘noop’ when we don’t want notifications, which is the case when we disable Telemetry services.

  • Add support for NSX Neutron plugin

  • Add support to configure number of sacks in gnocchi.

  • Enables per-role configuration of per-host settings, which allows an operator to dedicate different compute roles to different network or port types in OpenDaylight deployments.

  • Support containerized ovn-controller

  • Support containerized OVN Dbs without HA

  • Support containerized OVN DBs with HA

  • Support configuring NeutronBridgeMappings

  • Set force_config_drive to true as OVN doesn’t support metadata service

  • Add necessary iptables rules to allow Geneve traffic and ovsdb-server traffic for Northbound and Southbound databases.

  • Support HA for OVN db servers and ovn-northd using Pacemaker.

  • Added support for DPDK with OvS2.7, which requires huge page configuration (with reboot) to be available before enabling DPDK.

  • The server resource type, OS::TripleO::Server can now be mapped per role instead of globally. This allows users to mix baremetal (OS::Nova::Server) and deployed-server (OS::Heat::DeployedServer) server resources in the same deployment. See https://blueprints.launchpad.net/tripleo/+spec/pluggable-server-type-per-role

  • PreNetworkConfig is modified to support role-specific parameters.

  • Added new parameter san_private_key to configure SSH Private Key for the PS Series cinder backend

  • Support for Redfish hardware is enabled by default for overcloud Ironic via the redfish hardware type.

  • Support changing enabled management and power interfaces for hardware types in overcloud Ironic.

  • Adds common openvswitch service template to be inherited by other services.

  • Adds environment file to be used for deploying OpenDaylight + OVS DPDK.

  • Adds first boot and ovs configuration scripts

  • Adds tags to roles that allow an operator to specify custom tags to use when trying to find functionality available from a role. Currently a role with both the ‘primary’ and ‘controller’ tags is considered to be the primary role. Historically the role named ‘Controller’ was the ‘primary’ role, and this primary designation is used to determine items like memcache ip addresses. If no role has both the ‘primary’ and ‘controller’ tags, the first role specified in roles_data.yaml is used as the primary role.

  • The roles_data.yaml and roles_data_undercloud.yaml can be generated with tox using tox -e genrolesdata.

  • pep8 now checks that the roles_data.yaml and roles_data_undercloud.yaml matches data generated from the roles/ files.

  • Sahara is now deployed with keystone_authtoken parameters and move forward with Keystone v3 version.

  • Added the ability to blacklist servers by name from being associated with any Heat triggered SoftwareDeployment resources. The servers are specified in the new DeploymentServerBlacklist parameter.

  • Role specific information is added to the service template to enable role specific decisions on the service.

  • Adding a new parameter to the SNMP profile, SnmpdBindHost, so users can change the binding addresses of the SNMP daemon. The parameter is an array and takes the default values that were previously hardcoded in puppet-tripleo.

  • Add 2 new example environments to facilitate deploying split-stack, environments/overcloud-baremetal.j2.yaml and environments/overcloud-services.yaml. The environments are used to deploy two separate Heat stacks, one for just the baremetal+network configuration and one for the service configuration.

  • SSH host key exchange. The ssh host keys are collected from each host, combined, and written to /etc/ssh/ssh_known_hosts.

  • Added ability to manage the MOTD banner; the SSHD composable service is enabled by default. Puppet-ssh manages the sshd config.

  • Allows the user to set the tuned profile on a given host. Defaults to throughput-performance.

  • Add support for Dell EMC Unity cinder driver

  • Add support for Dell EMC Unity Manila driver

  • Adds a new boolean parameter for RHEL Registration called ‘UpdateOnRHELRegistration’ that when enabled will trigger a yum update on the node after the registration process completes.

  • Add name and description fields to plan-environment.yaml

  • Add VipMap output to the top level stack output. VipMap is a mapping from each network to the VIP address on that network. Also includes the Redis VIP.

  • Add support for Dell EMC VMAX Iscsi cinder driver

  • Add support for Dell EMC VMAX Manila driver

  • Add support for Dell EMC VNX Manila driver

  • Add the ability to deploy VPP. Vector Packet Processing (VPP) is a high performance packet processing stack that runs in user space in Linux. VPP is used as an alternative to kernel networking stack for accelerated network data path.

  • Adds support for networking-vpp ML2 mechanism driver and agent.

  • It is now possible to trigger Mistral workflows or workflow actions before a deployment step is applied. This can be defined within the scope of a service template and is described as a task property for the Heat OS::Mistral::Workflow resource, for more details also see the puppet/services/README.rst file.

  • Run the Zaqar WSGI service over httpd in Puppet.

  • Add Heat parameters which allow the end user to configure custom management and messaging backends for MySQL and Swift.

  • Update undercloud default Heat parameters so we use the Zaqar swift/mysql backends. This allows us to drop MongoDB from the undercloud.

Known Issues

  • During the ovs upgrade from 2.5 to 2.6 we need to work around the classic yum update command by handling the upgrade of the package separately, so as not to lose the IPs and the connectivity on the nodes. The workaround is discussed here https://bugs.launchpad.net/tripleo/+bug/1669714

  • Modify NeutronVhostuserSocketDir to a separate directory in the DPDK environment file. A different set of permissions is required for creating vhost sockets when the vhost type is dpdkvhostuserclient (which is the default from ocata).

Upgrade Notes

  • The path to the zaqar profile has changed from puppet/services/zaqar.yaml to puppet/services/zaqar-api.yaml. Make sure to update any references to this in the resource registry.

  • Mongodb is no longer used by default, so now one has to enable it explicitly if there’s a need for using it.

  • When upgrading, old tokens will not work anymore due to the provider changing from UUID to fernet.

  • We are not changing the rabbitmq ha-mode policy during upgrades any longer. The policy chosen at deploy time will remain the same but can be changed manually.

  • The NeutronExternalNetworkBridge parameter changed its default value from br-ex to an empty string value. It means that by default Neutron L3 agent will be able to serve multiple external networks. (It was always the case for those who were using templates with the value of the parameter overridden by an empty string value.)

  • With expirer deprecated and disabled by default, there is an upgrade impact here. If you had expirer enabled in ocata and you upgrade to pike the expirer will not be enabled anymore. If you wish to use expirer, ensure you include the ceilometer-expirer.yaml to your upgrade deploy command. Also note that with collector disabled, there is no need for expirer to be running.

  • With collector deprecated and disabled by default, there is an upgrade impact here. If you had collector enabled in ocata and you upgrade to pike the collector will not be enabled anymore. If you wish to use collector, ensure you include the ceilometer-collector.yaml to your upgrade deploy command. We recommend switching to using the new pipeline approach with publisher instead.

  • The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent exposing sensitive data through core dumps of processes with elevated permissions. Deployments that set or depend on non-zero values for fs.suid_dumpable may be affected by upgrading.

  • The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects are now set to 0 to prevent a compromised host from sending invalid ICMP redirects to other router devices.

  • The net.ipv4.conf.default.accept_redirects, net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects are now set to 0 to prevent forged ICMP packets from altering the host’s routing tables.

  • The net.ipv4.conf.default.secure_redirects & net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance of secure ICMP redirected packets.

  • Disabled cephfs snapshot support (ManilaCephFSNativeCephFSEnableSnapshots parameter) in manila by default.

  • Disable the default vhost for apache. This is required for hybrid deployments where WSGI based services run both on the host and in containers, without conflicting default ports.

  • A new parameter ServiceNames is added to the PreNetworkConfig resource. All templates associated with PreNetworkConfig should add this new parameter during the upgrade.

  • The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are now set to 1 to enable logging of suspicious packets.

  • Some sample environment files will be moving as part of the work to generate them programmatically. The old versions will be left in place for one cycle to allow a smooth upgrade process. When upgrading, if any of the environment files in use for the deployment have been deprecated they should be replaced with the new generated versions.

  • The default boot option for bare metal instances in overcloud was changed to “local”. This was already the default for whole-disk images, but for partition images it requires grub2 to be installed on them. Use the new IronicDefaultBootOption configuration to override, or set boot_option capability on nodes and flavors.

  • Neutron API controller no longer advertises dvr extension if the cloud is not configured for DVR. This is achieved by setting enable_dvr to match NeutronEnableDVR setting.

  • Mistral API systemd service will be stopped and disabled.

  • The upgrade from openvswitch 2.5 to 2.6 is handled gracefully and there should be no user impact, in particular no restart of the openvswitch service. For more information please see the related bug above, which also links the relevant code reviews. The workaround (transparent to the user, it doesn’t require any input) is to download the OVS package and install it with the --nopostun and --notriggerun options provided by the rpm binary.

  • PreNetworkConfig takes a new parameter, RoleParameters. All the templates associated with PreNetworkConfig should add this new parameter during upgrade.

  • Ceilometer expirer is deprecated in Pike. During upgrade, the crontab that is configured for the ceilometer user will be removed to ensure the expirer script is not running.

  • The default network for the ctlplane changed from to . All references to the ctlplane network in the templates have been updated to reflect this change. When upgrading from a previous release, if the default network was used for the ctlplane (, then it is necessary to provide as input, via environment file, the correct setting for all the parameters that previously defaulted to 192.0.2.x and now default to 192.168.24.x. There is an environment file, environments/updates/update-from-192_0_2-subnet.yaml, which can be used on upgrade to cover a simple scenario, but it won’t be enough for scenarios using an external load balancer, Contrail or Cisco N1KV. The parameters to be provided on upgrade are listed below, by environment file.

    From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute

    From external-loadbalancer-vip-v6.yaml: ControlFixedIPs

    From external-loadbalancer-vip.yaml: ControlFixedIPs

    From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute

    From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP

    From contrail-vrouter.yaml: ContrailVrouterGateway

  • The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive kernel address information with unprivileged access. Deployments that set or depend on values other than 1 for kernel.dmesg_restrict may be affected by upgrading.

  • If custom roles data is used, the logic was changed to treat the first role listed in the roles_data.yaml file as the primary role. This can be worked around by adding the ‘primary’ and ‘controller’ tags to the custom controller role in your roles_data.yaml, to ensure that the defined custom controller role is still considered the primary role.

  • For deployments where a custom roles_data file is used, it should be rebased against the default roles_data.yaml, as several additional items (e.g. to specify deprecated parameter names for some of the default roles) have been added. Alternatively you can regenerate your roles_data using the new overcloud roles generate command, so that the updated role definitions in /usr/share/openstack-tripleo-heat-templates/roles, which include the necessary additional data, are used.

  • The new StackUpdateType parameter is now set to UPGRADE when a major version upgrade is in progress. This enables application configuration via puppet to distinguish a major version upgrade from a normal stack update (e.g. for minor updates or reconfiguration) by inspecting the stack_update_type hiera value. In future other values may be added to flag e.g. minor updates vs reconfiguration, but for now only UPGRADE is considered.

Deprecation Notes

  • The individual keystone fernet key parameters (KeystoneFernetKey0 and KeystoneFernetKey1) were deprecated in favor of KeystoneFernetKeys.

  • Deprecate and remove configuring clustering for OpenDaylight container using an exec. Configuration is now handled via puppet-opendaylight using file resources.

  • The following parameters are deprecated for the Compute role:

    NovaComputeSchedulerHints - use ComputeSchedulerHints instead

    NovaComputeServerMetadata - use ComputeServerMetadata instead

    NovaComputeExtraConfig - use ComputeExtraConfig instead

    NovaComputeIPs - use ComputeIPs instead

    NovaImage - use OvercloudComputeImage instead

  • The following parameters are deprecated for the Controller role:

    controllerExtraConfig - use ControllerExtraConfig instead

    OvercloudControlFlavor - use OvercloudControllerFlavor instead

    controllerImage - use ControllerImage instead

  • The NeutronExternalNetworkBridge parameter is deprecated and will be removed in a future release.

  • Deprecate and turn off the expirer service, as is done for the collector. Without the collector and standard storage, the expirer has no use.

  • Deprecate and disable the ceilometer collector service by default. Instead, use the publisher directly in the pipeline to push data where appropriate. The collector can be manually enabled by passing the ceilometer-collector.yaml environment file from the environments directory to the deploy command. By default, the pipeline publisher pushes data automatically to gnocchi.

  • Both environments/network-management.yaml and environments/network-management-v6.yaml are now deprecated in favor of specifying the needed networks on each role.

  • Panko API service is deprecated in Pike release. Note that this service will remain enabled by default as there is no replacement yet. This will be disabled in future releases.

  • Deprecate and disable the ceilometer API by default. It can be enabled by passing an environment file to the deploy command.

  • Where a generated sample environment replaces an existing one, the existing environment is deprecated. This will be noted in a comment at the top of the file.

  • The TCP transport is no longer used for live-migration and the firewall port has been closed.

  • KeystoneNotificationDriver is deprecated in favor of NotificationDriver.

  • The following parameters are deprecated for the ObjectStorage role:

    SwiftStorageServerMetadata - use ObjectStorageServerMetadata instead

    SwiftStorageIPs - use ObjectStorageIPs instead

    SwiftStorageImage - use ObjectStorageImage instead

    OvercloudSwiftStorageFlavor - use OvercloudObjectStorageFlavor instead

  • Parameters {{role}}KernelArgs, {{role}}TunedProfileName and {{role}}HostCpusList are deprecated. Alternatively, role-specific parameter support has been added with the same names.

  • The HostCpusList parameter is deprecated in favor of OvsDpdkCoreList and will be removed in a future release.

  • The NeutronDpdkCoreList parameter is deprecated in favor of OvsPmdCoreList and will be removed in a future release.

  • The NeutronDpdkMemoryChannels parameter is deprecated in favor of OvsDpdkMemoryChannels and will be removed in a future release.

  • The NeutronDpdkSocketMemory parameter is deprecated in favor of OvsDpdkSocketMemory and will be removed in a future release.

  • The NeutronDpdkDriverType parameter is deprecated in favor of OvsDpdkDriverType and will be removed in a future release.

  • The static role definitions contained a number of conflicting parameters which require special handling to convert to dynamic template generation. In the future, these parameters will be removed. If a role requires one of these deprecated parameters, it is defined in the role definition in a property named “deprecated_param_<name>”. If the role has one or more deprecated parameters, “uses_deprecated_params” should be set to True as well. This enables creation of a parameter_group containing the deprecated parameters in the role definition, which makes it possible to warn users when they use deprecated parameters on deployment.
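As an added example (not code from tripleo-heat-templates), a small linter that collects the deprecated_param_<name> fields from a parsed role definition, builds the parameter_group described above, and warns when an environment file’s parameter_defaults uses one of the deprecated names listed in the Compute and Controller notes. The role definition, the <name> suffixes and the environment content are constructed for the example.

```python
"""Warn about deprecated role parameters in parameter_defaults, following
the deprecated_param_<name> convention. Added example; not tripleo code."""

# Replacement names as listed in the deprecation notes.
REPLACEMENTS = {
    "NovaComputeSchedulerHints": "ComputeSchedulerHints",
    "NovaComputeServerMetadata": "ComputeServerMetadata",
    "NovaComputeExtraConfig": "ComputeExtraConfig",
    "NovaComputeIPs": "ComputeIPs",
    "NovaImage": "OvercloudComputeImage",
    "controllerExtraConfig": "ControllerExtraConfig",
    "OvercloudControlFlavor": "OvercloudControllerFlavor",
    "controllerImage": "ControllerImage",
}

# Constructed role definition, as it would look after parsing
# roles_data.yaml; the <name> suffixes are assumptions for this example.
COMPUTE_ROLE = {
    "name": "Compute",
    "uses_deprecated_params": True,
    "deprecated_param_image": "NovaImage",
    "deprecated_param_extraconfig": "NovaComputeExtraConfig",
    "deprecated_param_ips": "NovaComputeIPs",
}


def deprecated_params(role):
    """Collect every deprecated_param_<name> value defined on a role."""
    return sorted(v for k, v in role.items() if k.startswith("deprecated_param_"))


def parameter_group(role):
    """Build the parameter_group for a role that opts in with
    uses_deprecated_params; None when the role has not opted in."""
    if not role.get("uses_deprecated_params"):
        return None
    return {
        "label": "deprecated",
        "description": f"Deprecated parameters for role {role['name']}",
        "parameters": deprecated_params(role),
    }


def lint_parameter_defaults(roles, parameter_defaults):
    """One warning per deprecated parameter present in parameter_defaults."""
    warnings = []
    for role in roles:
        for old in deprecated_params(role):
            if old in parameter_defaults:
                new = REPLACEMENTS.get(old, "<see role definition>")
                warnings.append(f"{role['name']}: {old} is deprecated, use {new}")
    return warnings


# Constructed parameter_defaults from an environment file.
ENV_PARAMETER_DEFAULTS = {"NovaImage": "overcloud-full", "ComputeIPs": {}}

if __name__ == "__main__":
    for warning in lint_parameter_defaults([COMPUTE_ROLE], ENV_PARAMETER_DEFAULTS):
        print(warning)
```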

Security Issues

  • Add an IPv6 disable option so that users can disable IPv6 when it is not used, which reduces the IPv6 attack surface. Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6 will be explicitly set to the default value (0), which leaves IPv6 enabled.

  • Explicitly disable core dumps for setuid programs by setting fs.suid_dumpable = 0; this decreases the risk of unauthorized access to core dump files generated by setuid programs.

  • Invalid ICMP redirects may corrupt routing and have users access a system set up by the attacker as opposed to a valid system.

  • Routing tables may be altered by bogus ICMP redirect messages, causing packets to be sent to incorrect networks.

  • Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list.

  • Logging of suspicious packets allows an administrator to investigate the spoofed packets sent to their system.

  • Secure EtcdInitialClusterToken by removing the default value and make the parameter hidden. Fixes bug 1673266.

  • Kernel syslog contains sensitive kernel address information, so kernel.dmesg_restrict is set to prevent unprivileged access to this information.
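As an added example (not code from tripleo-heat-templates), a check that compares a host’s sysctl values with the hardened defaults these notes describe: secure_redirects, log_martians, kernel.dmesg_restrict and fs.suid_dumpable. The sample sysctl output is constructed; read_proc_sys is for running the same check on a live host.

```python
"""Compare a host's sysctl values with the hardening defaults listed in
these release notes. Added example; not tripleo-heat-templates code."""

# Hardened values from the notes (key -> expected value). The IPv6 disable
# switches are left out because the notes keep them at 0 (enabled) by default.
HARDENED_BASELINE = {
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "kernel.dmesg_restrict": "1",
    "fs.suid_dumpable": "0",
}


def parse_sysctl_output(text):
    """Parse 'sysctl -a' style lines ('key = value') into a dict."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            values[key.strip()] = value.strip()
    return values


def read_proc_sys(keys):
    """Read live values from /proc/sys on a real host (dots become slashes)."""
    values = {}
    for key in keys:
        try:
            with open("/proc/sys/" + key.replace(".", "/")) as fh:
                values[key] = fh.read().strip()
        except OSError:  # key not present on this kernel or not on Linux
            pass
    return values


def check_baseline(values):
    """Return (key, expected, actual) for each baseline key that deviates;
    a key absent from the input is reported with actual == 'missing'."""
    findings = []
    for key, expected in HARDENED_BASELINE.items():
        actual = values.get(key, "missing")
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


# Constructed sample output: two deviations, and fs.suid_dumpable absent.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 0
kernel.dmesg_restrict = 1
net.ipv6.conf.all.disable_ipv6 = 0
"""

if __name__ == "__main__":
    # Use live values when /proc/sys is available, else the constructed sample.
    host = read_proc_sys(HARDENED_BASELINE) or parse_sysctl_output(SAMPLE_SYSCTL)
    for key, expected, actual in check_baseline(host):
        print(f"{key}: expected {expected}, got {actual}")
```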

Bug Fixes

  • Previously only the VIPs and their associated hostnames were present in the HostsEntry output, due to the hosts_entries output on the hosts-config.yaml nested stack being empty. It was referencing an invalid attribute. See https://bugs.launchpad.net/tripleo/+bug/1683517

  • Set “host” parameter in manila.conf to ‘hostgroup’ when running manila share service under pacemaker. This labels instances of the service on different nodes with the same “host” as cinder does in this circumstance so that the instances are considered by OpenStack to provide the same service and manila share is able to maintain management of shares on the backend after failover and failback.

  • NeutronDhcpAgents had a default value of 3 that, even though unused in practice, was a bad default value. Changing the default to a sentinel value and making the hiera setting conditional allows deploy-time logic in puppet to provide a default based on the number of dhcp agents being deployed.

  • When environments/services/ironic.yaml is used, enable the periodic task in nova-scheduler to automatically discover new nodes. Otherwise a user has to run the nova management command on the controllers each time.

  • Updated bigswitch environment file to include the bigswitch agent installation and correct support for the restproxy configuration.

  • During a deployment on lower spec systems, the “db sync” can take longer than five minutes. The value of DatabaseSyncTimeout has been changed from 300 to 900 in the environment file “low-memory-usage.yaml”.

  • Changed the panko API port to 8977 instead of 8779, which is reserved for trove, to avoid conflicts.

  • The patch moves the Contrail control plane communication from the public network to the internal_api network.

  • Disable ceilometer in the swift proxy middleware pipeline out of the box. This generates a lot of events with gnocchi and swift backend and causes heavy load. It should be easy to enable if needed.

  • Don’t unregister systems from the portal/satellite when deleting from Heat. There are several reasons why it’s compelling to fix this behavior. See https://bugs.launchpad.net/tripleo/+bug/1710144 for full information. The previous behavior can be triggered by setting the DeleteOnRHELUnregistration parameter to “true”.

  • Expose metric_processing_delay to tweak gnocchi performance.

  • Fixes an issue when using the CinderNfsServers parameter_defaults setting. It now works using a single share as well as a comma-separated list of shares.

  • Fixed an incorrect network being used for the Glance API service.

  • Fix the Heat condition for the RHEL registration yum update. There were 2 problems with this condition that made the rhel-registration.yaml template broken: “conditions” should be “condition”, and the condition should refer to just a condition name defined in the “conditions:” section of the template. See https://bugs.launchpad.net/tripleo/+bug/1709916

  • Fixes firewall rules from neutron OVS agent not being inherited correctly and applied in neutron OVS DPDK template.

  • The “neutron_admin_auth_url” is now properly set using KeystoneInternal rather than using the NeutronAdmin endpoint.

  • Fixes OpenDaylightProviderMappings parsing on a comma delimited list.

  • Fix support for RPMs to be installed via DeployArtifactURLs. LP#1697102

  • The deployed-server Heat agent configuration script, get-occ-config.sh, is now updated to configure the local data source for os-collect-config instead of configuring /etc/os-collect-config.conf directly. Doing so means that the configuration template for os-apply-config no longer has to be deleted as the file will be rendered correctly with the right data. See https://bugs.launchpad.net/tripleo/+bug/1679705

  • openstack-selinux is now installed by the deployed-server bootstrap scripts. Previously, it was not installed, so if SELinux was set to enforcing, all OpenStack policy was missing.

  • Previously the RHEL registration script disabled the satellite repo after installing the necessary packages from it. This makes it awkward to update those packages later, so the repo will no longer be disabled.

  • Since panko is enabled by default, include it the default dispatcher for ceilometer events.

  • Setting the port-binding to be pseudo-agentdb-binding. Networking-odl no longer supports network-topology.

  • Fixing an issue where a custom password for the OpenDaylight controller caused the TripleO deployment to fail.

  • Adding the ability to disable the OpenDaylight upstream repository. Introducing the OpenDaylightManageRepositories parameter.

  • Fixed the openvswitch permission to allow ovs to access vhost sockets created by qemu. This is a workaround until openvswitch provides the actual solution.

  • Add knobs to limit the memory consumed by mongodb with systemd.

  • The ceilometer user is still needed in cases where the ceilometer API is disabled. This ensures other ceilometer services can still authenticate with keystone.

  • The pci_passthrough hiera value should be passed as a string (bug 1675036).

  • The stack name can now be overridden in the get-occ-config.sh script for deployed-servers by setting the $STACK_NAME variable in the environment.

  • This commit merges both [Pre|Post]Puppet and [Pre|Post]Config resources, giving an agnostic name for the configuration steps. The [Pre|Post]Puppet resource is removed and should not be used anymore.

  • Swift rings created or updated on the overcloud nodes will now be stored on the undercloud at the end of each deployment. They will be retrieved before any deployment update, and by doing this the Swift rings will be in a consistent state across the cluster all the time. This makes it possible to add, remove or replace nodes without manual operator interaction.

  • The token flush cron job has been modified to run hourly instead of once a day. This is because this was causing issues with larger deployments, as the operation would take too long and sometimes even fail because of the transaction being so large. Note that this only affects people using the UUID token provider.

  • Removed the hard coding of osd_pool_default_min_size. Setting this value to 1 can result in data loss in operating production deployments. Not setting this value (or setting it to 0) will allow ceph to calculate the value based on the current setting of osd_pool_default_size. If the replication count is 3, then the calculated min_size is 2. If the replication count is 1, then the calculated min_size is 1. For POC deployments using a single OSD, set osd_pool_default_size = 1. See the description at http://docs.ceph.com/docs/master/rados/configuration/pool-pg-config-ref/ Added CephPoolDefaultSize to set the default replication size. The default value is 3.

  • Change the default ManageEventPipeline to true. This is because we want the event pipeline publishers overridden by heat templates to take effect over the puppet defaults. Once we drop panko:// from the pipeline we can switch this back to false.

  • Update the default metric processing delay to 30. This will help reduce the metric backlog and won’t load up the storage backend.

  • Work around systems getting registered as “localhost” during RHEL registration if they don’t have a fqdn set, by first removing the /etc/rhsm/facts directory. When the directory does not exist, the katello-rhsm-consumer script, which runs when installing the katello-ca-consumer, will not set the hostname.override fact to “localhost”. See https://bugs.launchpad.net/tripleo/+bug/1711435

Other Notes

  • Mongodb is not used by any service we enable by default, so it has been removed from the default services. It has subsequently been added to the services that use it (zaqar and ceilometer-collector).

  • It is possible to deploy Ceph in docker containers in the overcloud. This is implemented by triggering ceph-ansible via a Mistral workflow. A new CephAnsibleExtraConfig parameter has been added to the templates and can be used to provide arbitrary config variables consumed by ceph-ansible. The pre-existing template params consumed by the TripleO Pike release to drive puppet-ceph continue to work and are translated, when possible, into their equivalent ceph-ansible variable. To enable the deployment of Ceph in containers use environments/ceph-ansible/ceph-ansible.yaml when deploying the overcloud.

  • All nodes now enable the arp_accept sysctl setting to help with honoring gratuitous ARP packets in their ARP tables. While sources of gratuitous ARP packets are diverse, this is especially useful for Neutron floating IP addresses that roam between devices, for which the Neutron L3 agent sends gratuitous ARP packets to update all network nodes about the new location of the IP address.

  • Increased the default of NovaReservedHostMemory for Compute nodes to 4096 MB.

  • Network templates are now rendered with jinja2 based on network_data.yaml. The only required parameter for each network is the name, optional params will populate the defaults in the network template. Network templates will be generated for both IPv4 and IPv6 versions of the networks, setting ipv6: true on the network will generate only IPv6 templates. An example for overriding default IP addresses for IPv6 has been added in environments/network-environment-v6.yaml.

  • Adds the ability to resolve network subnets from within the service templates. The new ServiceData structure contains a mapping like {network_name: cidr} in net_cidr_map.