Ocata Series Release Notes¶

Bug Fixes¶

• The ordering of the cell_v2 setup steps during undercloud upgrade has been corrected to ensure dbsync is run after cell0 setup. Fixes bug 1778788.

• Duplicate cell_v2 cells are no longer created by a Newton to Ocata upgrade. Duplicate cells in an existing Ocata deployment are also removed. Fixes bug 1773398.

Security Issues¶

• Restrict memcached service to TCP and localhost network (CVE-2018-1000115).

New Features¶

• Increasing the heat db-sync from 5 to 15 minutes. During an undercloud upgrade, the database can be very big and the dbsync needs at least 10 minutes to run. So we override the Puppet default value of 5 minutes to have a timeout of 15 minutes for production deployments.

Upgrade Notes¶

• Undercloud upgrade will handle the change of ownership for ironic-dbsync.log to become ironic:ironic instead of root:root. Indeed, https://review.openstack.org/#/c/457478/ broke TripleO upgrades but it’s to fix a valid issue in the puppet-ironic module. We still want to handle upgrades for existing deployments, that’s why we manage the ownership change in instack-undercloud.

• During upgrade make sure to remove any left over tuskar packages. This has been known to cause problems during the upgrade. See bug 1691744 for more information

Bug Fixes¶

• The description of the enable_cinder option was fixed to not imply that booting from Cinder volumes is implemented in the undercloud.

• The default IRONIC_API_VERSION in stackrc is now set to the same value as OS_BAREMETAL_API_VERSION for consistency between two clients.

• Closes bug https://bugs.launchpad.net/tripleo/+bug/1691744 which is caused by left-over tuskar packages. This would only affect environments deployed with TripleoO since Kilo and for which tuskar has not explicitly been removed.

Other Notes¶

• The default OS_BAREMETAL_API_VERSION in stackrc was bumped to 1.29, which corresponds to Ocata final and allows using all recent features without specifying and explicit version.

Upgrade Notes¶

• Changed the configuration of endpoints that UI uses in order to connect to the Undercloud in a non-SSL deployment. The port number that the UI now uses to communicate with the Undercloud for non-SSL connections is 3000, which supports endpoint proxy configuration. Previously, this port number was the default port number for the service endpoint that UI connected to.

Bug Fixes¶

• Fixes bug 1668775 Certmonger certificate does not include EKUs

• Add gnocchi to events dispatcher so ceilometer can publish events to panko and gnocchi.

• Add OS_AUTH_TYPE to undercloud stackrc file. Not all clients default to keystone auth, so lets explicitly set the auth type in env.

• Fixes bug 1663199 UI doesn’t work without manual update on HTTP undercloud

• In /etc/heat/heat.conf, [clients]/endpoint_type was configured to use the internal endpoints and this was hardcoded in puppet-stack-config.pp so there was no way to change it. It’s now configurable via the hiera key heat_clients_endpoint_type.

• The Heat CFN endpoint is now created in Keystone during the undercloud install. A new configuration option, undercloud_heat_cfn_password is added for the heat_cfn service user associated with the endpoint.

• Previously, when an IP value was provided for the undercloud_public_host or undercloud_admin_host config value, it was validated to ensure it fell within the network_cidr. This was to avoid problems when the CIDR was changed but the IPs were not. However, this validation was broken for a time in the case where generate_service_certificate was used. During this time, the UI began to depend on the broken validation as it needs to listen on a routable network, which the provisioning network often is not. When the validation was fixed, the user was no longer able to configure the host values to listen on a different routable network.

  To enable this UI functionality again, the host validation has been disabled when enable_ui is true. This means the user is responsible for selecting functional host values, but the UI can once again be configured to listen on a separate network.

• Add a dependency to restart collector after other services are up and ceilometer upgrade is complete.

• Run ceilometer-upgrade conditionally when gnocchi is running so that gnocchi resource types are created.

Prelude¶

6.0.0 is the final release for Ocata. It’s the first release where release notes are added.

New Features¶

• Support for gnocchi service on undercloud to provide metrics support in Telemetry. This will only be enabled when enable_telemetry is true.

• Support for panko service on undercloud to provide events support in Telemetry. This will only be enabled when enable_telemetry is true.

• Remove Glance Registry from undercloud. It also means Glance API v1 won’t be available anymore.

• Validate vips when generating certificate.

• Improve upgrade process to include upgrade flag. This flag will be used by the Puppet manifest to knows when an upgrade happens.

• Deploy Nova Placement API service.

• Novajoin service support.

• Run yum update -y before Puppet run.

• Optional Cinder support for undercloud.

• When Cinder is enabled, deploy both v2 and v3 APIs.

• Aodh is now configured by default to use its own mysql backend.

• Add additional endpoints to hieradata, which are used in the tripleo:ui class to facilitate proxying of API endpoints via Apache’s mod_rewrite

• Add a UNDERCLOUD_NTP_SERVERS configuration in undercloud.conf

• Add new plugins for lldp processing (lldp_basic) and switch port link information (local_link_connection) to processing_hooks in inspector.conf.

• Allow enabling auto-discovery of ironic nodes by setting new option enable_node_discovery=True in the undercloud.conf. When enabled, adds unknown nodes that boot the introspection ramdisk to ironic in the enroll provisioning state and the driver set to the value of discovery_default_driver configuration option (pxe_ipmitool by default). See ironic-inspector documentation for more details: http://docs.openstack.org/developer/ironic-inspector/usage.html#discovery.

• Configure the basic cells setup for Nova, now required in Ocata.

Known Issues¶

• Deploy Nova API in eventlet instead of WSGI like it’s suggested by Nova team. It’s causing some issues that we didn’t catch until now. Related to bug 1661360.

Upgrade Notes¶

• Network configuration changes are no longer allowed during undercloud upgrades. Changing the local_ip of a deployed undercloud causes problems with some of the services, so a pre-deployment check was added to prevent such changes.

  Because the default CIDR was changed in this release, the check also prevents accidental reconfiguration of the ctlplane network if the old default is still in use, but not explicitly configured.

• During the upgrade to Ocata, ironic-inspector is switched from a local SQLite database to the same MySQL/MariaDB all other services are using. Please make sure that no introspections are in progress during upgrade. Please re-create introspection rules after the upgrade. This change does not affect the ability to retrieve introspection data from introspection runs before the upgrade.

• No longer set deprecated enable_setting_ipmi_credentials ironic-inspector option to true. Deployers still needing it should set it explicitly via a hieradata override.

• The required memory for an undercloud install has been increased from 4 GB to 8 GB. Note that this is an absolute minimum. More memory is recommended for production installs.

Deprecation Notes¶

• Ceilometer API is officially deprecated. The service is still enabled when enable_telemetry is true. This can be disabled using the enable_legacy_ceilometer_api option in undercloud.conf. Users should start migrating to aodh, gnocchi and panko in future.

• the instack-virt-setup script has been deprecated.

Bug Fixes¶

• Fixes bug 1664537 undercloud ntp configuration.

Other Notes¶

• Increase sync timeout for nova db syncs. We have seen on lower quality hardware that the nova db syncs can take an excessive amount of time. In order to still support deploying on this hardware, we now increase the timeout from the default 300 seconds to 900 seconds to allow for this less performant gear. This value should never be bumped to more than 900. If we ever happen to hit such time outs again, we’ll have to investigate and fix the root cause.

• The image_path configuration option does nothing and has been removed.