Pike Series Release Notes¶

New Features¶

• Introduce docker_insecure_registries that is an array of host/port combiniations of docker insecure registries. The default value will be the previous parameter that were hardcoded, but now we can easily override it in undercloud.conf.

Security Issues¶

• Restrict memcached service to TCP and localhost network (CVE-2018-1000115).

Bug Fixes¶

• Fix panko ssl port to match puppet-tripleo haproxy resource.

New Features¶

• Increasing the heat db-sync from 5 to 15 minutes. During an undercloud upgrade, the database can be very big and the dbsync needs at least 10 minutes to run. So we override the Puppet default value of 5 minutes to have a timeout of 15 minutes for production deployments.

Bug Fixes¶

• Explicitly set event pipeline publishers to panko and gnocchi to sent the events to both endpoints.

• When the hostname was written to /etc/hosts, it resulted in an invalid /etc/hosts file due to 127.0.0.1 being specified twice on different lines. That issue is now corrected such that the hostnames will be added to the existing line for 127.0.0.1, which results in valid syntax for /etc/hosts. See https://bugs.launchpad.net/tripleo/+bug/1709460

New Features¶

• Implements websocket-logging Add an hourly cron trigger for tripleo-ui logging

Upgrade Notes¶

• The default bare metal API version used by the undercloud was bumped to 1.34, which is latest API version supported by Pike ironicclient.

• This release replaces node scheduling based on properties (CPU count, memory and disk) with scheduling based on custom resource classes. As part of this change during the upgrade:

  • The resource_class field is set to baremetal, if empty.
  • The standard flavors are adjusted to request one instance of the baremetal resource class and to not request the standard properties. Flavors that already have a resource class attached are not changed.

  All non-standard custom flavors have to be changed in a similar way.

  See the ironic flavor documentation for details.

• Wires up execution of the “post-upgrade” group of tripleo-validations to sanity check the undercloud. The validations are executed at the very end of the process, after the undercloud has been fully upgraded and all services started in the upgraded versions. If there is an error it is logged but not raised so these validations will not fail the upgrade. The operator can set the existing ‘enable_validations’ to false to skip these validations.

Bug Fixes¶

• Validate the local_interface for the undercloud install to fail fast if the interface does not actually exist on the system. If net_config_override is configured, the local_interface will not be validated.

• Log a warning if undercloud.conf is missing to indicate that the defaults will be used.

New Features¶

• Add tripleo::ui::endpoint_proxy_ironic_inspector and tripleo::ui::endpoint_config_ironic_inspector variables to elements for use in new proxy config for ironic-inspector API service

• Add ‘numa-topology’ collector to ‘ipa-inspection-collectors’ if ‘inspection_extras’ is true. The ‘numa-topology’ collector will fetch the details about memory, cpu, nics associated with each NUMA node during introspection. These details will be necessary in deriving the deployment parameters for NFV usecases.

• The DNS domain for overcloud nodes can now be set in undercloud.conf via the overcloud_domain_name option. The same value used for this option must be passed to the overcloud deploy in the CloudDomain parameter.

Upgrade Notes¶

• The environment configuration for deployments is now stored in a file called plan-environment.yaml that is stored in Swift together with the templates. Mistral is no longer used to store this data. openstack undercloud upgrade handles the migration of existing plans automatically, including the deletion of the Mistral environment.

Bug Fixes¶

• The undercloud installer now checks if IPv6 is enabled before applying IPv6 specific sysctl settings that is only available when IPv6 is not disabled. (Fixes bug 1675917)

New Features¶

• Add a new docker_registry_mirror option which can be used to configure a registry mirror in the /etc/docker/daemon.json file. The motivation for this change is to help support pulling images from HTTP mirrors within CI.

• Allow configuring enabled hardware types via new enabled_hardware_types configuration option. See the driver composition reform spec for details. Enabled management and power interfaces are derived for known hardware types. Inspection via ironic-inspector and socat-based serial console support is enabled by default.

• Support Redfish-compatible hardware via redfish hardware type.

• Update undercloud stackrc to use Keystone v3 API. It updates OS_AUTH_URL to use a versionless endpoint, change OS_TENANT_NAME to OS_PROJECT_NAME, force OS_IDENTITY_API_VERSION to 3 and add OS_PROJECT_DOMAIN_NAME pointing to default domain.

Upgrade Notes¶

• If you had telemetry enabled in Ocata and you upgrade to pike with defaults, the telemetry services will be disabled upon upgrade. If you choose to keep it enabled, set the enable_telemetry option to true before upgrade and services will continue to be enabled after upgrade.

• Undercloud upgrade will handle the change of ownership for ironic-dbsync.log to become ironic:ironic instead of root:root. Indeed, https://review.openstack.org/#/c/457478/ broke TripleO upgrades but it’s to fix a valid issue in the puppet-ironic module. We still want to handle upgrades for existing deployments, that’s why we manage the ownership change in instack-undercloud.

• Deployment plan environments for existing plans will be migrated from Mistral to Swift on undercloud upgrade.

• During upgrade make sure to remove any left over tuskar packages. This has been known to cause problems during the upgrade. See bug 1691744 for more information

Deprecation Notes¶

• Ceilometer collector service is deprecated in pike release.

Bug Fixes¶

• Disable ceilometer collector by default as its deprecated. All the data will now be dispatched through pipeline directly.

• Finally disabling telemetry services on undercloud by default. Telemetry use case has been quite limited on undercloud and it makes sense to disable by default and let user enabl based on need.

• The description of the enable_cinder option was fixed to not imply that booting from Cinder volumes is implemented in the undercloud.

• Closes bug https://bugs.launchpad.net/tripleo/+bug/1691744 which is caused by left-over tuskar packages. This would only affect environments deployed with TripleoO since Kilo and for which tuskar has not explicitly been removed.

• The TripleO UI now supports Keystone v3 and %(project_id)s placeholders in URLs. Updated the endpoints in the configuration to reflect this. (Fixes bug bug 1692046)

Other Notes¶

• Removing Nova cert service, which has been removed in Nova during Pike cycle.

New Features¶

• The undercloud installation now adds a keystone user and configures the authtoken middleware for novajoin.

• Heat APIs (API, CFN and Cloudwatch) now run over httpd in the undercloud.

• Add new plugins for lldp processing (lldp_basic) and switch port link information (local_link_connection) to processing_hooks in inspector.conf.

• Introspection now detects and properly set boot mode (BIOS or UEFI) for ironic nodes.

• Update Keystone endpoints to be versionless, so v3 API can be used by services that use service catalog in Keystone..

• Use Swift as a backend of Zaqar. This effectively removes the new of MongoDB on the undercloud.

• When sourcing the stackrc on the undercloud, the command prompt will show that the credentials have been loaded by being prepended with ‘(undercloud) ‘. For example, ‘(undercloud) [stack@undercloud ~]$ ‘

• Zaqar API now run over httpd in the undercloud.

Upgrade Notes¶

• Changed the configuration of endpoints that UI uses in order to connect to the Undercloud in a non-SSL deployment. The port number that the UI now uses to communicate with the Undercloud for non-SSL connections is 3000, which supports endpoint proxy configuration. Previously, this port number was the default port number for the service endpoint that UI connected to.

• The boot mode (BIOS or UEFI) is now detected on introspection and stored on nodes as part of boot_mode capability. This has two consequences:
  • If you change the actual boot mode via hardware management interface, you have to either re-run introspection or update it manually.
  • If you set expected boot mode on Ironic nodes manually (for drivers that support it, e.g. pxe_ilo), you have to double-check it after every introspection run and fix if necessary.

• Out-of-box support for Ironic *_ssh drivers was removed. These drivers were deprecated in the Newton release.

• The _member_ role (if it exists) on the admin user will now be retained automatically during undercloud upgrades. This functionality was originally added to work around an issue with upgrading very old versions of TripleO, but was broken by changes to the upgrade process. It will no longer be necessary to manually add the _member_ role to the admin user after upgrading an affected deployment.

Deprecation Notes¶

• Ceilometer API is deprecated since ocata release.

Bug Fixes¶

• Fixes bug 1668775 Certmonger certificate does not include EKUs

• Add gnocchi to events dispatcher so ceilometer can publish events to panko and gnocchi.

• Add OS_AUTH_TYPE to undercloud stackrc file. Not all clients default to keystone auth, so lets explicitly set the auth type in env.

• Fixes bug 1663199 UI doesn’t work without manual update on HTTP undercloud

• In /etc/heat/heat.conf, [clients]/endpoint_type was configured to use the internal endpoints and this was hardcoded in puppet-stack-config.pp so there was no way to change it. It’s now configurable via the hiera key heat_clients_endpoint_type.

• The Heat CFN endpoint is now created in Keystone during the undercloud install. A new configuration option, undercloud_heat_cfn_password is added for the heat_cfn service user associated with the endpoint.

• Ceilometer API is now disabled by default. This has been deprecated since ocata release. Use gnocchi/aodh and panko APIs instead.

• The default IRONIC_API_VERSION in stackrc is now set to the same value as OS_BAREMETAL_API_VERSION for consistency between two clients.

• Previously, when an IP value was provided for the undercloud_public_host or undercloud_admin_host config value, it was validated to ensure it fell within the network_cidr. This was to avoid problems when the CIDR was changed but the IPs were not. However, this validation was broken for a time in the case where generate_service_certificate was used. During this time, the UI began to depend on the broken validation as it needs to listen on a routable network, which the provisioning network often is not. When the validation was fixed, the user was no longer able to configure the host values to listen on a different routable network.

  To enable this UI functionality again, the host validation has been disabled when enable_ui is true. This means the user is responsible for selecting functional host values, but the UI can once again be configured to listen on a separate network.

• Add a dependency to restart collector after other services are up and ceilometer upgrade is complete.

• Run ceilometer-upgrade conditionally when gnocchi is running so that gnocchi resource types are created.

• undercloud_debug is now wired up for additional OpenStack services. See bug 1669895 for more information.

Other Notes¶

• Swap memory is now included in the minimum memory check. While relying on swap is still not recommended for production deployments, it is not uncommon for developers to use SSD-backed swap to fit more instances into a system with limited memory.

• The default OS_BAREMETAL_API_VERSION in stackrc was bumped to 1.29, which corresponds to Ocata final and allows using all recent features without specifying and explicit version.