Pike Series Release Notes

7.4.17

Upgrade Notes

  • Logrotate’s copytruncate is used by default for rotating the logs of containerized services. The default period to keep old logs remains unchanged (14 days).

7.4.16

Upgrade Notes

  • Rotated logs of containerized services in /var/log/containers will be purged with the next containerized logrotate run triggered via cron, if the rotated logs have been kept longer than purge_after_days (defaults to 14 days).

    The logrotate maxage parameter is set to purge_after_days as well.

    The logrotate size parameter does not honor time-based constraints and is disabled as not GDPR compliant. From now on, the size parameter configures maxsize instead. minsize is set to 1 byte so that all /var/log/containers logs fall under the containerized logrotate control.

    The new rotation parameter additionally allows the logrotate rotation interval to be changed, e.g. ‘hourly’ or ‘weekly’.

Security Issues

  • Retention rules for files in /var/log/containers are additionally defined in the containerized logrotate postrotate script; a file expires when any of the following criteria is met:

    • time of last access of contents (atime) exceeds purge_after_days,

    • time of last modification of contents (mtime) exceeds purge_after_days,

    • time of last modification of the inode (metadata, ctime) exceeds purge_after_days.

    Expired files will be purged forcibly with each containerized logrotate run triggered via cron. Note that the file creation time (the Birth attribute) is not taken into account, as system operators cannot normally access it (this depends on the filesystem type). Retention policies based on the creation time must be managed elsewhere.
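The 7.4.16 and 7.4.17 logrotate settings (copytruncate, compress, maxage tied to purge_after_days, maxsize in place of size, minsize 1, a configurable rotation interval) rendered as a stanza, together with the postrotate purge rule that expires a file when any of atime, mtime or ctime exceeds purge_after_days. This is an added illustration, not the puppet-tripleo template; the log directory, rotation interval, maxsize and rotate count are constructed values (the notes only give the 14-day default).

```shell
#!/bin/sh
# Render a logrotate stanza for the logs of containerized services.
#   $1 = log directory   $2 = purge_after_days   $3 = rotation interval (daily/hourly/weekly)
#   $4 = maxsize (e.g. 10M)
# Constructed example; puppet-tripleo's own template is not reproduced here.
render_logrotate() {
  dir=$1; days=$2; rotation=$3; maxsize=$4
  cat <<EOF
$dir/*.log {
    $rotation
    rotate $days
    maxage $days
    maxsize $maxsize
    minsize 1
    copytruncate
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        # purge any file whose atime, mtime or ctime is older than purge_after_days
        find $dir -type f \( -atime +$days -o -mtime +$days -o -ctime +$days \) -delete
    endscript
}
EOF
}

# Same expiry test as the postrotate rule, without deleting: print every file
# under $1 whose atime, mtime or ctime exceeds $2 days. Useful for checking what
# the next cron-triggered run would remove.
expired_files() {
  find "$1" -type f \( -atime +"$2" -o -mtime +"$2" -o -ctime +"$2" \) -print
}
```

Because the rule is an OR over three timestamps, a compressed rotated log that is still being read (fresh atime) but has an old mtime is still purged; only a file fresh on all three survives.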

Bug Fixes

  • Fixed how deprecated parameters for Cinder’s Netapp backend are handled so that empty strings are not misinterpreted. Fixes bug 1782376.

Other Notes

  • Add the compress option for the containerized logrotate service to compress rotated logs by default.

7.4.15

New Features

  • Added a new parameter to tripleo::haproxy, activate_httplog, which enables full HTTP logging in HAProxy.

Bug Fixes

  • Fix deployment issue where neutron-server would crash on start on split-stack deployments when neutron-lbaas is enabled.

7.4.11

Security Issues

  • TLS v1.0 connections are no longer accepted by our HAProxy configuration.

7.4.10

New Features

  • IPtables rules managed by Neutron won’t be persistent on the host anymore. Instead, they’ll be removed (if present) from /etc/sysconfig/iptables.

  • Add support to configure Dell EMC VNX cinder backend

7.4.9

Deprecation Notes

  • The hardcoded parameter names for network vips in hiera have been deprecated and replaced with the network_virtual_ips dict that includes composable networks. Likewise the hardcoded network parameters to class tripleo::keepalived have been deprecated.

Bug Fixes

  • The new network_virtual_ips hiera parameter is used to generate all network VIP resources in haproxy, haproxy_bundle, and keepalived manifests. Since additional custom networks may be added, the virtual_router_ids in keepalived have been reordered.

7.4.8

Bug Fixes

  • Added missing haproxy endpoint for the Octavia API.

7.4.5

New Features

  • Keystone notification topics are now configured via the keystone_notification_topics hiera key, which aggregates all keys that match it. This is useful for configuring the topics dynamically rather than always sending them.

Bug Fixes

  • Include the Swift base class in the proxy class, to ensure Swift hash values are properly set in swift.conf when not applying the storage manifest on the same node.

7.4.3

Bug Fixes

  • Adds a workaround that disables the port status feature for OpenDaylight, which is currently broken in OpenDaylight. This fixes the inability to launch nova instances.

7.4.2

New Features

  • A new parameter allows HAProxy global options to be set or overridden in a convenient way.

  • Expose a new Puppet parameter to the snmp profile, snmpd_config, which is an array defined as undef by default. It can be used to override all snmpd configuration for advanced deployments. If used, all parameters have to be configured, including users and passwords, which should be the same as those given to snmpd_password and snmpd_user. There is no logic that will verify the content of snmpd_config.

Bug Fixes

  • Disables port status feature with OpenDaylight when deployed as HA until it can be properly supported in an HA environment.

7.4.1

New Features

  • Provides a way to set the HAProxy socket access level. This allows people to manage HAProxy directly through the command line, for example in order to temporarily disable backends.

7.4.0

New Features

  • Add support to configure Dell EMC Isilon backend

  • Add support to configure Dell EMC Unity backend

  • Add support to configure Dell EMC VNX backend

7.3.0

New Features

  • When TLS everywhere is enabled, the HAProxy stats interface will also use TLS. This requires the user to access the interface through the ctlplane FQDN (which is configured by the CloudNameCtlplane parameter in tripleo-heat-templates). Note that one can still use the haproxy_stats_certificate parameter from the haproxy class, and that one will take precedence if set.

  • Encryption is used for pacemaker traffic by default. This is achieved by using a pre-shared key for all the pacemaker cluster nodes (the same one that was used for the pacemaker remote communication).

  • Enable innodb_buffer_pool_size configuration for all MySQL databases.

  • Add support to configure Dell EMC VMAX Manila backend

7.2.0

New Features

  • The resource ::tripleo::certmonger::ca::crl was added. The purpose of this resource is to fetch a CRL file and set up a cron job to refresh that file.

  • Added new parameter mysql_maxconn to the tripleo::haproxy class, allowing haproxy maxconn to be configured for the MySQL server.

  • Added variables for endpoint_proxy_ironic_inspector, endpoint_config_ironic_inspector, and Apache mod_proxy configuration to proxy the ironic-inspector service just like similar services.

  • This release allows enabling Contrail DPDK on the compute nodes.

  • Enable innodb_flush_log_at_trx_commit configuration for Galera only.

  • Added a new parameter san_private_key to configure the SSH private key for the PS Series cinder backend.

  • Added a new profile for the setup of the Swift dispersion tool. This will be executed in step 5 or later to ensure Swift and Keystone are already up and running.

  • New profile for Veritas HyperScale Cinder backend.

  • Support configurable Zaqar backends. Updates the Zaqar profile so that alternate versions of the messaging and management backends can be configured.

Known Issues

  • Failures to load the nf_conntrack_proto_sctp module are ignored. Since RHEL 7.4, SCTP conntrack support is compiled into the kernel rather than shipped as the nf_conntrack_proto_sctp module. TripleO will still try to load the module to support RHEL 7.3, but will remove the module management in the future and rely on the kernel provided in newer versions of RHEL.

Upgrade Notes

  • Setting the innodb_flush_log_at_trx_commit flag to the value of “2” instead of its default value of “1” means that the underlying MySQL/MariaDB engine will no longer flush transactions to disk on a per-transaction basis; instead, flushes occur once per second. This leads to far fewer disk writes and can dramatically improve write performance, at the cost of durability (e.g. will lose the last second’s worth of transactions) if the database engine is ungracefully shut down. The clustered nature of Galera mitigates this risk in that transactions are replicated to other nodes before completion, and the setting of “2” is considered to be generally safe for a Galera cluster, with the exception case of simultaneous power loss for all nodes.

Deprecation Notes

  • Deprecates and removes workaround OpenDaylight clustering function and class. Clustering config is now handled by puppet-opendaylight.

  • Removes deprecated opendaylight parameter ‘ha_node_index’ which is no longer needed to configure clustering.

Security Issues

  • If the crl_file parameter is given to the ::tripleo::haproxy resource and TLS is enabled in the internal network, it will configure the CRL file for all the nodes it’s proxying and thus properly handle revocation of the server certificates.

Bug Fixes

  • Allow VF configuration files to be written for non-existent PCI devices to allow updates while physical functions are currently in use by a guest.

  • Traffic between Contrail nodes used the public network. This release moves the traffic to the internal_api network by default and also optionally allows using the storage_mgmt network. This is in preparation for composable networks, where Contrail will have its own network.

  • In order to avoid service restarts, all services deploy their httpd configuration at the same time. Thus, httpd now starts in step 3 for the bootstrap nodes, and step 4 for all other nodes.

  • Fixes the step conditions in the Swift ring building process and also chains the tarball creation to the rebalance. Adds an option to disable the recon check before uploading modified rings. These fixes are required to properly manage rings when used in containerized environments.

7.1.0

New Features

  • Adds composable service interface for Neutron LBaaSv2 service.

  • Add support for Mistral event engine.

  • Restrict the nova migration ssh tunnel:

    • The ssh authorized_keys file is only writeable by root.

    • Creates a new user for migration instead of using root/nova.

    • Disables SSH forwarding for this user.

    • Restricts the networks that this user can connect from.

    • Uses an ssh wrapper command to whitelist the commands that this user can run over ssh.

    Adds the new parameter “tripleo::profile::base::nova::migration_ssh_localaddrs” to specify which incoming IPs are allowed for SSH tunnel connections.
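An added audit helper (not puppet-tripleo code) that checks a migration user's authorized_keys file for the restrictions listed in the note above: the file must not be writable by group or others, and every key entry must carry a from= source restriction, a command= wrapper and disabled forwarding. The file path, wrapper path and key material used with it are constructed; the check looks at per-key options only, whereas a deployment may also disable forwarding in sshd_config.

```shell
#!/bin/sh
# Audit $1 (an authorized_keys file) for the nova migration hardening:
# root-only writable file, and from=, command= and no-port-forwarding on every
# key entry. Prints each problem found; returns 0 only when none were found.
audit_migration_keys() {
  file=$1
  rc=0
  n=0
  # ls -l mode string: column 6 is the group write bit, column 9 the other write bit
  case $(ls -ld "$file") in
    ?????w*|????????w*) echo "$file: writable by group or others"; rc=1 ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in ''|'#'*) continue ;; esac          # skip blank lines and comments
    case $line in *'from="'*) ;;
      *) echo "line $n: no from= source restriction"; rc=1 ;; esac
    case $line in *'command="'*) ;;
      *) echo "line $n: no command= wrapper"; rc=1 ;; esac
    case $line in *no-port-forwarding*) ;;
      *) echo "line $n: port forwarding not disabled"; rc=1 ;; esac
  done < "$file"
  return $rc
}

# Build one hardened entry the audit accepts.
#   $1 = comma-separated source addresses/CIDRs   $2 = wrapper command path
#   $3 = public key (type, base64 blob, optional comment)
hardened_entry() {
  printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$1" "$2" "$3"
}
```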

  • Added support for external swift proxy. Users may need to configure endpoints pointing to swift proxy service already available.

  • Enable internal network TLS for etcd

  • Move Mistral API to use mod_wsgi under Apache.

  • Support HA for OVN db servers and ovn-northd using Pacemaker

  • Support for Redfish hardware is enabled by default for overcloud Ironic via the redfish hardware type.

  • Run the Zaqar WSGI service over httpd.

Upgrade Notes

  • Mistral API systemd service will be stopped and disabled.

Deprecation Notes

  • The redis_file_limit hiera parameter is now deprecated. Use the redis::ulimit parameter instead.

Bug Fixes

  • With the mod_ssl package installed in images by default, we introduced an issue with mod_ssl package updates. When SSL is not used, or is provided by HAProxy, the puppet-apache module purges the ssl.conf file by default. The package update then recreates the file with the default Listen 443 option, which causes a conflict on port 443 during httpd restart. If we include ::apache::mod::ssl, the ssl.conf file is configured and the Listen option is used only if a vhost is set to use SSL.

  • For the Heat API, increase the HAProxy timeout from 2 minutes to 10 minutes to give Heat a chance to use the rpc_response_timeout value, which is set to 600 by default in TripleO.

  • Since the collector is deprecated, the ceilometer upgrade in step 5 is moved out of the collector profile and into the ceilometer base profile. This way the ceilometer upgrade can run even when the collector is disabled, which is the default in Pike.

  • Moves the bigswitch neutron agent configuration to a new tripleo profile, tripleo::profile::base::neutron::agents::bigswitch.

7.0.0

New Features

  • Add support for Bagpipe Neutron driver as backend in BGPVPN scenarios

  • Add ML2 plugin configuration for Bagpipe BGPVPN extension

  • Add support for BGPVPN Neutron service plugin

  • Add support for the ceilometer polling agent. The central, compute and ipmi agent services should use the polling agent with a namespace. Packaging has already done this for a few releases; puppet now does it correctly as well.

  • Add the keystone::ldap_backend call as a resource when triggered to set up an LDAP backend as a keystone domain. This allows per-domain LDAP backends for keystone.

  • Adds OpenDaylight HA support. Now when ODL is applied to three or more nodes ODL will be deployed as a cluster in HA, rather than the previous behavior of only running on the first node.

  • Added Pure Storage FlashArray iSCSI and FC backend support for cinder

  • Unless a non-default value is provided, the dhcp_agents_per_network neutron configuration variable is set to the number of deployed neutron dhcp agents.

  • Configure ssh tunneling for nova cold-migration. Re-use the tunnel for libvirt live-migration unless TLS is enabled.

  • Heat APIs (api, cfn and cloudwatch) are now deployed over httpd.

  • Added a new profile to configure the docker service

  • The undercloud UI is available in multiple languages, which can now be configured via the manifest. All available languages are enabled by default.

  • Enabled httpchk in HAProxy for http-based services to reduce situations where the port may be open but the service is not actively serving http requests.

  • Add support for the L2 gateway Neutron agent.

  • Add support for the L2 gateway Neutron service plugin.

  • Include the amqp messaging class when the oslo.messaging rpc protocol is enabled for AMQP 1.0.

  • Sahara is now deployed with keystone_authtoken parameters and moves to the Keystone v3 API.

  • Allows granular level of control over the /etc/securetty file. By allowing operators to specify the values in securetty, they can improve security by limiting root console access.

  • Add profiles for VPP service. Vector Packet Processing (VPP) is a high performance packet processing stack that runs in user space in Linux. VPP is used as an alternative to kernel networking stack for accelerated network data path.

  • Adds support for networking-vpp ML2 mechanism driver and agent.

Upgrade Notes

  • Out-of-box support for Ironic *_ssh drivers was removed. These drivers were deprecated in the Newton release.

Bug Fixes

  • Octavia is now properly registered with keystone when deployed.

  • Fixes bug 1664561 by removing the string cast used with the os_transport_url function.

  • We need ceilometer user in cases where ceilometer API is disabled. This is to ensure other ceilometer services can still authenticate with keystone.

  • Fixes horizon getting temporarily deconfigured during a stack update, due to the apache configuration occurring in step 3 but the horizon configuration not occurring until step 4.

  • Fixes the missing neutron base class in the sriov profile.

  • The rabbitmq user check is moved to step >= 2 from step >= 1. There is no guarantee that rabbitmq is running at step 1, especially if updating a failed stack that never made it past step 1 to begin with.

  • Re-run gnocchi and ceilometer upgrade in step5. This is required for gnocchi resource types to be created in ceilometer and gnocchi to function properly.

  • Add a way for mongodb to limit the amount of memory it consumes with systemd. A new parameter memory_limit has been added to the tripleo::profile::base::database::mongodb class with a default limit of 20G.