Freeze all SHAs for 17.0.0.0b2

This patch updates all the roles to the latest available stable
SHAs, and copies the release notes from the updated roles into the
integrated repo.

Change-Id: Iebe2dfd5b1a1fd8977d13075dfe7f841e6e416a0
Jean-Philippe Evrard 2017-12-09 15:02:48 +00:00
parent 03a57d6668
commit 91cf1e88dc
28 changed files with 265 additions and 49 deletions

@ -1,31 +1,31 @@
- name: ansible-hardening
scm: git
src: https://git.openstack.org/openstack/ansible-hardening
version: master
version: 46a94c72518f83d27b25a5fa960dde7130956215
- name: apt_package_pinning
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
version: master
version: eba07d7dd7962d90301c49fc088551f9b35f367a
- name: pip_install
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-pip_install
version: master
version: 32c27505c6e0ee00ea0fb4a1c62240c60f17a0e3
- name: galera_client
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-galera_client
version: master
version: 9a8302cbba24ea4e5907567e5f93e874d30d79df
- name: galera_server
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-galera_server
version: master
version: aa452989d7295111962f67a3f3a96d96bc408846
- name: ceph_client
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-ceph_client
version: master
version: 34a04f7b24c80297866bc5ab56618e2211b1d5f9
- name: haproxy_server
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-haproxy_server
version: master
version: 9966fd96fede46c3b00c9e069e402eae90c66f17
- name: keepalived
scm: git
src: https://github.com/evrardjp/ansible-keepalived
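Review bot: the context at the end of this hunk stops at the keepalived role's `src` line (github.com/evrardjp/ansible-keepalived, a personally hosted GitHub repo) without showing its `version`, so the diff does not demonstrate that this role is pinned to a commit SHA the way the OpenStack roles above it now are; please confirm, because a branch or tag reference there would leave the freeze incomplete, and a tag can be moved after the fact.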
@ -33,135 +33,135 @@
- name: lxc_container_create
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-lxc_container_create
version: master
version: 68f81c679be88577633f98e8b9252a62bdcef754
- name: lxc_hosts
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-lxc_hosts
version: master
version: 84ac3442e542aeedf1396c88e0387b4ea1548eb1
- name: memcached_server
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-memcached_server
version: master
version: ae6f721dc0342e1e7b45ff2448ab51f7539dc01f
- name: openstack_hosts
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts
version: master
version: 05c7f09d181de1809fd596cc0d879c49e3f86bbf
- name: os_keystone
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_keystone
version: master
version: cd9d4ef7d8614d241fa40ba33c1c205fd2b47fa1
- name: openstack_openrc
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc
version: master
version: d594c2debc249daa5b7f6f2890f546093efd1ee5
- name: os_aodh
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_aodh
version: master
version: ce871dee75511f94bfd24dde8f97e573cf6d3ead
- name: os_barbican
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_barbican
version: master
version: c3e191037d0978479e3cb95a59b2986adab28c69
- name: os_ceilometer
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_ceilometer
version: master
version: 55bb04eaad4dd5c7fdad742b3557dc30dc9d45bf
- name: os_cinder
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_cinder
version: master
version: 536dd3446e0fc7fc68ab42b982ac9affc4215787
- name: os_designate
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_designate
version: master
version: a65d7a3394aef340ff94587dd0bb48133ed00763
- name: os_glance
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_glance
version: master
version: 43aa00424f233a6125f7a9216cec42da1d8ca4c5
- name: os_gnocchi
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_gnocchi
version: master
version: b1f7574dc529f8298a983d8d0e09520e90b571a8
- name: os_heat
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_heat
version: master
version: 8fcd29197797eef409254605f0ce73ef8d1bda6b
- name: os_horizon
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_horizon
version: master
version: 28f21f56b74a612c2e3b6f9c4866391128a91219
- name: os_ironic
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_ironic
version: master
version: a90558f7a216e5e661c5d1a4048dbe30559542d1
- name: os_magnum
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_magnum
version: master
version: 736d1707339cb99396578018a6bda7af9184fb02
- name: os_molteniron
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_molteniron
version: master
version: 9b4c104a252c453bcd798fec9dbae7224b3d8001
- name: os_neutron
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_neutron
version: master
version: 962cd92243641092412b6ef09a41bbf5e698c4a1
- name: os_nova
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_nova
version: master
version: 53df001c9034f198b9349def3c9158f8bbe43ff3
- name: os_octavia
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_octavia
version: master
version: 02ad3c68802287a1ba54cf10de085dcd14c324d8
- name: os_rally
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_rally
version: master
version: bc9075dba204e64d11cb397017d32b0c2297eed0
- name: os_sahara
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_sahara
version: master
version: 3c45121050ba21bd284f054d7b82a338f347157f
- name: os_swift
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_swift
version: master
version: f31217bb097519f15755f2337165657d7eb6b014
- name: os_tacker
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_tacker
version: master
version: d95902891c4e6200510509c066006c921cfff8df
- name: os_tempest
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_tempest
version: master
version: 703ea4ad12332e1f98b46f6c3c4ad8ac18189e28
- name: os_trove
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-os_trove
version: master
version: b425fa316999d0863a44126f239a33d8c3fec3a6
- name: plugins
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-plugins
version: master
version: d2f60237761646968a4b39b15185fb5c84e7386f
- name: rabbitmq_server
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-rabbitmq_server
version: master
version: 311f76890c8f99cb0b46958775d84de614609323
- name: repo_build
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-repo_build
version: master
version: 59a3f444c263235d8f0f584da8768656179fa02a
- name: repo_server
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-repo_server
version: master
version: 7889f37cdd2a90b4b98e8ef2e886f1fd4950fc0a
- name: rsyslog_client
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_client
version: master
version: 310cfe9506d3742be10790533ad0d16100d81498
- name: rsyslog_server
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server
version: master
version: ba7bb699c0c874c7977add86ca308ca18be8f9a8
- name: sshd
scm: git
src: https://github.com/willshersystems/ansible-sshd
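Review bot: the sshd role from github.com/willshersystems/ansible-sshd closes this hunk with its `version` line outside the shown context, so its pin cannot be checked from the diff; the externally hosted roles are the ones not gated by OpenStack review, so verify this one is set to a full 40-character commit SHA rather than a tag or branch, matching the `version:` lines for every git.openstack.org role in this file.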

@ -14,7 +14,7 @@
# limitations under the License.
## OpenStack Source Code Release
openstack_release: master
openstack_release: 17.0.0.0b2
## Verbosity Options
debug: False

@ -0,0 +1,8 @@
---
security:
- |
The following headers were added as additional default (and static) values.
`X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and
`Content-Security-Policy "default-src 'self' https: wss:;"`. Additionally,
the `X-Frame-Options DENY` header was added, defaulting to DENY. You may
override the header via the `keystone_x_frame_options` variable.
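Review bot: the note only provides an override for one of the four headers (`keystone_x_frame_options`), and "the `X-Frame-Options DENY` header was added, defaulting to DENY" says the value twice. Since `Content-Security-Policy "default-src 'self' https: wss:;"` permits content from any HTTPS origin, a deployer who wants a tighter policy needs to know whether that header and the other two are overridable or genuinely static; state that explicitly.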

@ -0,0 +1,7 @@
---
features:
- The galera cluster now supports cluster health checks over HTTP using port
9200. The new cluster check ensures a node is healthy by running a simple
query against the wsrep sync status using monitoring user. This change will
provide for a more robust cluster check ensuring we have the most fault
tolerant galera cluster possible.
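Review bot: this describes a health check on TCP port 9200 that runs a query as the monitoring user, but says nothing about who can reach it; a separate note in this same patch says the xinetd service is filtered with `no_access` by default and opened through `galera_monitoring_allowed_source`. Mention that default restriction and the variable here too, so the endpoint is not read as open to the network. Also "using monitoring user" is missing "the".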

@ -0,0 +1,17 @@
---
features:
- |
A typical OSA install will put the neutron and octavia queues on different
vhosts thus preventing the event streamer from working While octavia is
streaming to its own queue the consumer on the neutron side listens to the
neutron queue. With a recent octavia enhancement a separate queue for the
event streamer can be configured. This patch will set up the event
streamer to post into the neutron queue using neutron's credentials. Thus
reaching the consumer on the neutron-lbaas side and allowing for
streaming.
security:
- |
Since we use neutron's credentials to access the queue, security conscious
people might want to set up an extra user for octavia on the neutron queue
restricted to the topics octavia posts to.
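Review bot: the security paragraph recommends a dedicated octavia user on the neutron queue restricted to the topics it posts to, but names no variable through which a deployer would supply those credentials, so the recommendation is not actionable from the note; add the override variable(s). Also "preventing the event streamer from working While octavia" is missing a full stop before "While".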

@ -0,0 +1,7 @@
---
features:
- |
Generating and validating checksums for all files installed by packages is now
disabled by default. The check causes delays in playbook runs and it can
consume a significant amount of CPU and I/O resources. Deployers can re-enable
the check by setting ``security_check_package_checksums`` to ``yes``.
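Review bot: disabling package checksum validation by default trades an integrity control for speed; the note explains the cost but not what coverage is lost. State that installed package files are no longer verified against their package checksums during the run, and suggest re-enabling `security_check_package_checksums` on a schedule outside regular deploys rather than leaving the check off entirely.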

@ -0,0 +1,5 @@
---
upgrade:
- KSM configuration is changed to disabled by default on Ubuntu.
If you overcommit the RAM on your hypervisor it's a good
idea to set ``nova_compute_ksm_enabled`` to ``True``.
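Review bot: the note frames KSM only as an overcommit trade-off; because KSM merges identical pages across guests, leaving it disabled by default also removes a cross-VM memory-deduplication side channel, and that is worth stating so deployers weigh it before setting `nova_compute_ksm_enabled` to `True` on multi-tenant hypervisors. The same variable is described again in a separate features note in this patch; consider consolidating the two.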

@ -0,0 +1,5 @@
---
other:
- Added support for specifying GID and UID for cinder system user by defining
``cinder_system_user_uid`` and ``cinder_system_group_gid``. This setting is
optional.

@ -0,0 +1,22 @@
---
upgrade:
- |
The glance v1 API is now disabled by default as the API is scheduled
to be removed in Queens.
- |
The glance registry service is now disabled by default as it is not
required for the v2 API and is scheduled to be removed in the future.
The service can be enabled by setting ``glance_enable_v2_registry``
to ``True``.
deprecations:
- |
The ``glance_enable_v1_registry`` variable has been removed. When using
the glance v1 API the registry service is required, so having a variable
to disable it makes little sense. The service is now enabled/disabled
for the v1 API using the ``glance_enable_v1_api`` variable.
fixes:
- |
When the ``glance_enable_v2_registry`` variable is set to ``True`` the
corresponding ``data_api`` setting is now correctly set. Previously it
was not set and therefore the API service was not correctly informed
that the registry was operating.
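Review bot: the deprecations entry removes `glance_enable_v1_registry` but does not say what happens to an existing override; state that the override is now ignored, since the deprecations text itself says the registry now follows `glance_enable_v1_api`. The first upgrade bullet (v1 API disabled) should also name `glance_enable_v1_api` as the switch, the way the second bullet names `glance_enable_v2_registry`.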

@ -3,4 +3,4 @@ features:
- Horizon now has the ability to set arbitrary configuration options using
global option ``horizon_config_overrides`` in YAML format. The overrides
follow the same pattern found within the other OpenStack service
overrides. `General documentation on overrides can be found here <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-openstack.html#overriding-openstack-configuration-defaults>`_.
overrides. `General documentation on overrides can be found here <https://docs.openstack.org/project-deploy-guide/openstack-ansible/latest/app-advanced-config-override.html>`_.

@ -3,4 +3,4 @@ features:
- It is now possible to use the horizon_launch_instance_defaults variable
that allows customizing the default values for properties found in the
Launch Instance modal, using the LAUNCH_INSTANCE_DEFAULTS config option.
See https://docs.openstack.org/developer/horizon/install/settings.html#launch-instance-defaults
See https://docs.openstack.org/horizon/latest/configuration/settings.html#launch-instance-defaults

@ -0,0 +1,7 @@
---
features:
- |
The maximum amount of time to wait until forcibly failing the
LXC cache preparation process is now configurable using the
``lxc_cache_prep_timeout`` variable. The value is specified
in seconds, with the default being 20 minutes.
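Review bot: the value is specified in seconds but the default is given in minutes; write the default as `1200` (20 minutes) so a deployer overriding `lxc_cache_prep_timeout` does not mix units.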

@ -2,7 +2,7 @@
features:
- "Neutron BGP dynamic routing plugin can now optionally be deployed and
configured. Please see `OpenStack Networking Guide: BGP dynamic routing
<http://docs.openstack.org/networking-guide/config-bgp-dynamic-routing.html>`_
<https://docs.openstack.org/mitaka/networking-guide/config-bgp-dynamic-routing.html>`_
for details about what the service is and what it provides."
upgrade:
- Database migration tasks have been added for the dynamic routing neutron
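Review bot: the replacement link pins the BGP dynamic routing guide to a release-specific path (`/mitaka/networking-guide/config-bgp-dynamic-routing.html`) while the other URL updates in this patch move to `latest`; a Mitaka URL will go stale when those docs are retired, so point at the latest networking guide instead.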

@ -2,9 +2,9 @@
features:
- Neutron Firewall as a Service (FWaaS) can now optionally be deployed and
configured. Please see the `FWaaS Configuration Reference
<http://docs.openstack.org/admin-guide-cloud/networking_introduction.html#firewall-as-a-service-fwaas-overview>`_
<https://docs.openstack.org/neutron/latest/admin/fwaas.html>`_
for details about the what the service is and what it provides. See the
`FWaaS Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-fwaas.html>`_
`FWaaS Install Guide <https://docs.openstack.org/openstack-ansible-os_neutron/latest/configure-network-services.html#firewall-service-optional>`_
for implementation details.
upgrade:
- Database migration tasks have been added for the FWaaS neutron plugin.

@ -2,7 +2,7 @@
features:
- Neutron VPN as a Service (VPNaaS) can now optionally be deployed and
configured. Please see the `OpenStack Networking Guide
<http://docs.openstack.org/mitaka/networking-guide/>`_ for details
<https://docs.openstack.org/mitaka/networking-guide/>`_ for details
about the what the service is and what it provides. See the
`VPNaaS Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-network-services.html#virtual-private-network-service-optional>`_
`VPNaaS Install Guide <https://docs.openstack.org/openstack-ansible-os_neutron/latest/configure-network-services.html#virtual-private-network-service-optional>`_
for implementation details.
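Review bot: the first URL here only changes `http` to `https` and keeps `/mitaka/networking-guide/`, whereas the VPNaaS install guide link on the next line was moved to `latest`; use a `latest` path for the networking guide as well so the two links in one note do not age differently. Also "about the what the service is" has a stray "the".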

@ -0,0 +1,7 @@
---
features:
- |
Galera healthcheck has been improved, and relies on an xinetd service.
By default, the service is unaccessible (filtered with the no_access
directive). You can override the directive by setting any xinetd
valid value to ``galera_monitoring_allowed_source``.
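Review bot: "unaccessible" should be "inaccessible". Since `galera_monitoring_allowed_source` accepts any valid xinetd value, the note should show the intended form (for example the load balancer's address or CIDR as an `only_from` style value) and advise against opening it broadly, because the check runs queries as the monitoring user and there is no authentication on the HTTP side.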

@ -2,7 +2,7 @@
features:
- The horizon next generation instance management panels have been
enabled by default. This changes horizon to use the upstream defaults
instead of the legacy panels. `Documentation can be found here <http://docs.openstack.org/developer/horizon/topics/settings.html#launch-instance-ng-enabled>`_.
instead of the legacy panels. `Documentation can be found here <https://docs.openstack.org/horizon/latest/configuration/settings.html#launch-instance-ng-enabled>`_.
upgrade:
- |
The default horizon instance launch panels have been changed to the

@ -0,0 +1,6 @@
---
features:
- |
Open vSwitch dataplane with NSH support has been implemented.
This feature may be activated by setting ``ovs_nsh_support: True``
in ``/etc/openstack_deploy/user_variables.yml``.

@ -0,0 +1,5 @@
---
features:
- A new variable, ``tempest_roles``, has been added to the
os_tempest role allowing users to define keystone roles
to be during tempest testing.
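Review bot: "keystone roles to be during tempest testing" is missing a verb after "to be"; say what the role does with `tempest_roles` (whether the roles are created, assigned, or only referenced) so deployers know the side effect on keystone.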

@ -0,0 +1,8 @@
---
features:
- The ``security_sshd_permit_root_login`` setting can
now be set to change the ``PermitRootLogin`` setting
in ``/etc/ssh/sshd_config`` to any of the possible
options. Set ``security_sshd_permit_root_login`` to
one of ``without-password``, ``prohibit-password``,
``forced-commands-only``, ``yes`` or ``no``.
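Review bot: the note lists `yes` among the accepted values for `security_sshd_permit_root_login` but does not state what the role applies by default; name the default so deployers know that not overriding the variable keeps the hardened `PermitRootLogin` setting and that `yes` is an explicit opt-out.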

@ -0,0 +1,9 @@
---
features:
- |
The repo server now implements nginx as a reverse proxy for python
packages sourced from pypi. The initial query will be to a local
deployment of pypiserver in order to serve any locally built packages,
but if the package is not available locally it will retry
the query against the upstream pypi mirror set in the variable
``repo_nginx_pypi_upstream`` (defaults to pypi) and cache the response.
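Review bot: the local-first, upstream-fallback lookup means any package name that is not built locally is resolved from `repo_nginx_pypi_upstream` and then cached; the note should say whether a later local build takes precedence over an already cached upstream response, and recommend that deployers who need fully offline or fully controlled builds point `repo_nginx_pypi_upstream` at an internal mirror and keep requirements pinned so an unexpected upstream resolution is noticed.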

@ -0,0 +1,37 @@
---
features:
- |
The ``tempest_images`` data structure for the ``os_tempest`` role
now expects the values for each image to include ``name`` (optionally)
and ``format`` (the disk format). Also, the optional variable ``checksum``
may be used to set the checksum expected for the file in the format
``<algorithm>:<checksum>``.
- |
The default location for the image downloads in the ``os_tempest``
role set by the ``tempest_image_dir`` variable has now been changed
to be ``/opt/cache/files`` in order to match the default location
in nodepool. This improves the reliability of CI testing in
OpenStack CI as it will find the file already cached there.
- |
A new variable has been introduced into the ``os_tempest`` role
named ``tempest_image_downloader``. When set to ``deployment-host``
(which is the default) it uses the deployment host to handle the
download of images to be used for tempest testing. The images are
then uploaded to the target host for uploading into Glance.
deprecations:
- |
The following variables have been removed from the ``os_tempest``
role to simplify it. They have been replaced through the use of
the data structure ``tempest_images`` which now has equivalent
variables per image.
- cirros_version
- tempest_img_url
- tempest_image_file
- tempest_img_disk_format
- tempest_img_name
- tempest_images.sha256 (replaced by checksum)
fixes:
- |
The ``os_tempest`` tempest role was downloading images twice - once
arbitrarily, and once to use for testing. This has been consolidated
into a single download to a consistent location.
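Review bot: `checksum` is optional, yet the images are fetched over the network and then uploaded into Glance; list the accepted `<algorithm>` values and recommend setting it, since without a checksum the download is unverified. The deprecations entry says `tempest_images.sha256` is replaced by `checksum`, so show the migrated form (`sha256:<value>`) so existing deployers can convert their overrides.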

@ -0,0 +1,3 @@
---
other:
- The use_neutron option was marked to be removed in sahara.

@ -0,0 +1,15 @@
---
features:
- |
The tasks within the ansible-hardening role are now based on Version 1,
Release 3 of the Red Hat Enteprise Linux Security Technical Implementation
Guide.
- |
The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to
``2`` by default. This matches the default of most modern Linux
distributions and it ensures that Address Space Layout Randomization
(ASLR) is enabled.
- |
The Datagram Congestion Control Protocol (DCCP) kernel module is now
disabled by default, but a reboot is required to make the change
effective.
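Review bot: "Enteprise" should be "Enterprise". The DCCP entry says a reboot is required; if the module is already loaded on a running host, unloading it would take effect without a reboot, so say whether the role attempts to unload the module or only blacklists it for the next boot, since that determines the window during which a host still has DCCP available.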

@ -0,0 +1,25 @@
---
upgrade:
- |
If you have overriden your
``openstack_host_specific_kernel_modules``, please
remove its group matching, and move that override
directly to the appropriate group.
Example, for an override like:
.. code-block:: yaml
- name: "ebtables"
pattern: "CONFIG_BRIDGE_NF_EBTABLES"
group: "network_hosts"
You can create a file for the network_host group,
inside its group vars folder
``/etc/openstack_deploy/group_vars/network_hosts``,
with the content:
.. code-block:: yaml
- name: "ebtables"
pattern: "CONFIG_BRIDGE_NF_EBTABLES"
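Review bot: "overriden" should be "overridden", and "network_host group" should read "network_hosts" to match both the `group: "network_hosts"` value and the `/etc/openstack_deploy/group_vars/network_hosts` path. As shown here, the YAML under each `.. code-block:: yaml` directive has no blank line before it and no indentation; verify the file has both, otherwise reno will not render the directive body as a code block.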

@ -0,0 +1,11 @@
---
upgrade:
- |
Any user that is coming from Pike or below on Ubuntu should modify
its ``user_external_repos_list``, switching its ubuntu cloud archive
repository from ``state: present`` to ``state: absent``.
From now on, UCA will be defined with the filename ``uca``. If the deployer
wants to use its mirror, he can still override the variable ``uca_repo``
to point to its mirror. Alternatively, the deployer can completely define
which repos to add and remove, ignoring our defaults, by overriding
``openstack_hosts_package_repos``.
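Review bot: "If the deployer wants to use its mirror, he can still override" should read "their own mirror, they can still override". The note tells Pike deployers to switch the old Ubuntu Cloud Archive entry in `user_external_repos_list` to `state: absent` but does not name that old entry, so a deployer cannot tell which one to change; give the previous entry alongside the new `uca` filename.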

@ -0,0 +1,5 @@
---
features:
- |
Enable Kernel Shared Memory support by setting
``nova_compute_ksm_enabled`` to ``True``.

@ -0,0 +1,7 @@
---
features:
- |
Searching for world-writable files is now disabled by default. The search
causes delays in playbook runs and it can consume a significant amount of
CPU and I/O resources. Deployers can re-enable the search by setting
``security_find_world_writable_dirs`` to ``yes``.
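Review bot: turning off the world-writable file search by default drops an audit check for speed; say what is no longer detected (world-writable files and directories created outside the role's own tasks) and suggest running it periodically with `security_find_world_writable_dirs: yes` rather than never, so the finding is not simply lost.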