Newton Series Release Notes

14.2.12

Known Issues

  • If the protocol of either the keystone admin or internal endpoints is ‘https’ and SSL is being terminated at a load balancer, tasks which verify that services are responsive and perform the initial service setup through through the keystone hosts’ web server ports may fail.

    Set keystone_mod_wsgi_enabled to false to deploy Keystone under Uwsgi and allow the web server to be bypassed during these tasks.

    See Launchpad Bug 1699191 for more details.

14.2.11

New Features

  • Extra headers can be added to Keystone responses by adding items to keystone_extra_headers. Example:

    keystone_extra_headers:
      - parameter: "Access-Control-Expose-Headers"
        value: "X-Subject-Token"
      - parameter: "Access-Control-Allow-Headers"
        value: "Content-Type, X-Auth-Token"
      - parameter: "Access-Control-Allow-Origin"
        value: "*"
    

14.2.4

New Features

  • New variables have been added to allow a deployer to customize a keystone systemd unit file to their liking.

  • The task dropping the keystone systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.

Upgrade Notes

  • For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.

14.2.1

Critical Issues

  • A bug that caused the Keystone credential keys to be lost when the playbook is run during a rebuild of the first Keystone container has been fixed. Please see launchpad bug 1667960 for more details.

14.0.2

Upgrade Notes

  • The variables keystone_requirements_git_repo and keystone_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

14.0.0

New Features

  • Added keystone_apache_custom_log_format tunable for changing CustomLog format. Default is “combined”.

  • Apache MPM tunable support has been added to the os-keystone role in order to allow MPM thread tuning. Default values reflect the current Ubuntu default settings:

    keystone_httpd_mpm_backend: event
    keystone_httpd_mpm_start_servers: 2
    keystone_httpd_mpm_min_spare_threads: 25
    keystone_httpd_mpm_max_spare_threads: 75
    keystone_httpd_mpm_thread_limit: 64
    keystone_httpd_mpm_thread_child: 25
    keystone_httpd_mpm_max_requests: 150
    keystone_httpd_mpm_max_conn_child: 0
    
  • Introduced option to deploy Keystone under Uwsgi. A new variable keystone_mod_wsgi_enabled is introduced to toggle this behavior. The default is true which continues to deploy with mod_wsgi for Apache. The ports used by Uwsgi for socket and http connection for both public and admin Keystone services are configurable (see also the keystone_uwsgi_ports dictionary variable). Other Uwsgi configuration can be overridden by using the keystone_uwsgi_ini_overrides variable as documented under “Overriding OpenStack configuration defaults” in the OpenStack-Ansible Install Guide. Federation features should be considered _experimental_ with this configuration at this time.

  • Introduced option to deploy Keystone behind Nginx. A new variable keystone_apache_enabled is introduced to toggle this behavior. The default is true which continues to deploy with Apache. Additional configuration can be delivered to Nginx through the use of the keystone_nginx_extra_conf list variable. Federation features are not supported with this configuration at this time. Use of this option requires keystone_mod_wsgi_enabled to be set to false which will deploy Keystone under Uwsgi.

  • CentOS7/RHEL support has been added to the os_keystone role.

  • The os_keystone role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting keystone_package_state to present.

Upgrade Notes

  • Installation of keystone and its dependent pip packages will now only occur within a Python virtual environment. The keystone_venv_enabled variable has been removed.

  • The variable keystone_apt_packages has been renamed to keystone_distro_packages.

  • The variable keystone_idp_apt_packages has been renamed to keystone_idp_distro_packages.

  • The variable keystone_sp_apt_packages has been renamed to keystone_sp_distro_packages.

  • The variable keystone_developer_apt_packages has been renamed to keystone_developer_mode_distro_packages.

  • The os_keystone role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option keystone_package_state should be set to present.

Security Issues

  • The admin_token_auth middleware presents a potential security risk and will be removed in a future release of keystone. Its use can be removed by setting the keystone_keystone_paste_ini_overrides variable.

    keystone_keystone_paste_ini_overrides:
      pipeline:public_api:
        pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
      pipeline:admin_api:
        pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
      pipeline:api_v3:
        pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3