Freeze all SHAs for 17.0.0.0b2

This patch updates all the roles to the latest available stable
SHA's, copies the release notes from the updated roles into the
integrated repo.

Change-Id: Iebe2dfd5b1a1fd8977d13075dfe7f841e6e416a0

ansible-role-requirements.yml

@@ -1,31 +1,31 @@
 - name: ansible-hardening
   scm: git
   src: https://git.openstack.org/openstack/ansible-hardening
-  version: master
+  version: 46a94c72518f83d27b25a5fa960dde7130956215
 - name: apt_package_pinning
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
-  version: master
+  version: eba07d7dd7962d90301c49fc088551f9b35f367a
 - name: pip_install
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-pip_install
-  version: master
+  version: 32c27505c6e0ee00ea0fb4a1c62240c60f17a0e3
 - name: galera_client
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-galera_client
-  version: master
+  version: 9a8302cbba24ea4e5907567e5f93e874d30d79df
 - name: galera_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-galera_server
-  version: master
+  version: aa452989d7295111962f67a3f3a96d96bc408846
 - name: ceph_client
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-ceph_client
-  version: master
+  version: 34a04f7b24c80297866bc5ab56618e2211b1d5f9
 - name: haproxy_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-haproxy_server
-  version: master
+  version: 9966fd96fede46c3b00c9e069e402eae90c66f17
 - name: keepalived
   scm: git
   src: https://github.com/evrardjp/ansible-keepalived
@@ -33,135 +33,135 @@
 - name: lxc_container_create
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-lxc_container_create
-  version: master
+  version: 68f81c679be88577633f98e8b9252a62bdcef754
 - name: lxc_hosts
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-lxc_hosts
-  version: master
+  version: 84ac3442e542aeedf1396c88e0387b4ea1548eb1
 - name: memcached_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-memcached_server
-  version: master
+  version: ae6f721dc0342e1e7b45ff2448ab51f7539dc01f
 - name: openstack_hosts
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts
-  version: master
+  version: 05c7f09d181de1809fd596cc0d879c49e3f86bbf
 - name: os_keystone
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_keystone
-  version: master
+  version: cd9d4ef7d8614d241fa40ba33c1c205fd2b47fa1
 - name: openstack_openrc
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc
-  version: master
+  version: d594c2debc249daa5b7f6f2890f546093efd1ee5
 - name: os_aodh
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_aodh
-  version: master
+  version: ce871dee75511f94bfd24dde8f97e573cf6d3ead
 - name: os_barbican
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_barbican
-  version: master
+  version: c3e191037d0978479e3cb95a59b2986adab28c69
 - name: os_ceilometer
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_ceilometer
-  version: master
+  version: 55bb04eaad4dd5c7fdad742b3557dc30dc9d45bf
 - name: os_cinder
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_cinder
-  version: master
+  version: 536dd3446e0fc7fc68ab42b982ac9affc4215787
 - name: os_designate
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_designate
-  version: master
+  version: a65d7a3394aef340ff94587dd0bb48133ed00763
 - name: os_glance
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_glance
-  version: master
+  version: 43aa00424f233a6125f7a9216cec42da1d8ca4c5
 - name: os_gnocchi
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_gnocchi
-  version: master
+  version: b1f7574dc529f8298a983d8d0e09520e90b571a8
 - name: os_heat
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_heat
-  version: master
+  version: 8fcd29197797eef409254605f0ce73ef8d1bda6b
 - name: os_horizon
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_horizon
-  version: master
+  version: 28f21f56b74a612c2e3b6f9c4866391128a91219
 - name: os_ironic
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_ironic
-  version: master
+  version: a90558f7a216e5e661c5d1a4048dbe30559542d1
 - name: os_magnum
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_magnum
-  version: master
+  version: 736d1707339cb99396578018a6bda7af9184fb02
 - name: os_molteniron
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_molteniron
-  version: master
+  version: 9b4c104a252c453bcd798fec9dbae7224b3d8001
 - name: os_neutron
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_neutron
-  version: master
+  version: 962cd92243641092412b6ef09a41bbf5e698c4a1
 - name: os_nova
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_nova
-  version: master
+  version: 53df001c9034f198b9349def3c9158f8bbe43ff3
 - name: os_octavia
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_octavia
-  version: master
+  version: 02ad3c68802287a1ba54cf10de085dcd14c324d8
 - name: os_rally
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_rally
-  version: master
+  version: bc9075dba204e64d11cb397017d32b0c2297eed0
 - name: os_sahara
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_sahara
-  version: master
+  version: 3c45121050ba21bd284f054d7b82a338f347157f
 - name: os_swift
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_swift
-  version: master
+  version: f31217bb097519f15755f2337165657d7eb6b014
 - name: os_tacker
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_tacker
-  version: master
+  version: d95902891c4e6200510509c066006c921cfff8df
 - name: os_tempest
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_tempest
-  version: master
+  version: 703ea4ad12332e1f98b46f6c3c4ad8ac18189e28
 - name: os_trove
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_trove
-  version: master
+  version: b425fa316999d0863a44126f239a33d8c3fec3a6
 - name: plugins
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-plugins
-  version: master
+  version: d2f60237761646968a4b39b15185fb5c84e7386f
 - name: rabbitmq_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-rabbitmq_server
-  version: master
+  version: 311f76890c8f99cb0b46958775d84de614609323
 - name: repo_build
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-repo_build
-  version: master
+  version: 59a3f444c263235d8f0f584da8768656179fa02a
 - name: repo_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-repo_server
-  version: master
+  version: 7889f37cdd2a90b4b98e8ef2e886f1fd4950fc0a
 - name: rsyslog_client
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_client
-  version: master
+  version: 310cfe9506d3742be10790533ad0d16100d81498
 - name: rsyslog_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server
-  version: master
+  version: ba7bb699c0c874c7977add86ca308ca18be8f9a8
 - name: sshd
   scm: git
   src: https://github.com/willshersystems/ansible-sshd

group_vars/all/all.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 ## OpenStack Source Code Release
-openstack_release: master
+openstack_release: 17.0.0.0b2
 
 ## Verbosity Options
 debug: False

releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml

@@ -0,0 +1,8 @@
+---
+security:
+  - |
+    The following headers were added as additional default (and static) values.
+    `X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and
+    `Content-Security-Policy "default-src 'self' https: wss:;"`.  Additionally,
+    the `X-Frame-Options DENY` header was added, defaulting to DENY.  You may
+    override the header via the `keystone_x_frame_options` variable.

releasenotes/notes/clustecheck-9311d05fb32f13b3.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - The galera cluster now supports cluster health checks over HTTP using port
+    9200. The new cluster check ensures a node is healthy by running a simple
+    query against the wsrep sync status using monitoring user. This change will
+    provide for a more robust cluster check ensuring we have the most fault
+    tolerant galera cluster possible.

releasenotes/notes/custom_eventstreamer_queue_url-a1dcd1f6769816c5.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    A typical OSA install will put the neutron and octavia queues on different
+    vhosts thus preventing the event streamer from working While octavia is
+    streaming to its own queue the consumer on the neutron side listens to the
+    neutron queue. With a recent octavia enhancement a separate queue for the
+    event streamer can be configured. This patch will set up the event
+    streamer to post into the neutron queue using neutron's credentials. Thus
+    reaching the consumer on the neutron-lbaas side and allowing for
+    streaming.
+security:
+  - |
+    Since we use neutron's credentials to access the queue, security conscious
+    people might want to set up an extra user for octavia on the neutron queue
+    restricted to the topics octavia posts to.
+

releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Generating and validating checksums for all files installed by packages is now
+    disabled by default. The check causes delays in playbook runs and it can
+    consume a significant amount of CPU and I/O resources. Deployers can re-enable
+    the check by setting ``security_check_package_checksums`` to ``yes``.

releasenotes/notes/disable-ksm-670aeb175826b7ca.yaml

@@ -0,0 +1,5 @@
+---
+upgrade:
+  - KSM configuration is changed to disabled by default on Ubuntu.
+    If you overcommit the RAM on your hypervisor it's a good
+    idea to set ``nova_compute_ksm_enabled`` to ``True``.

releasenotes/notes/gid-and-uid-cinder-system-user-support-f69b87b4876c0dd8.yaml

@@ -0,0 +1,5 @@
+---
+other:
+  - Added support for specifying GID and UID for cinder system user by defining
+    ``cinder_system_user_uid`` and ``cinder_system_group_gid``. This setting is
+    optional.

releasenotes/notes/glance-v2-api-only-0d4a61b0d4dade18.yaml

@@ -0,0 +1,22 @@
+---
+upgrade:
+  - |
+    The glance v1 API is now disabled by default as the API is scheduled
+    to be removed in Queens.
+  - |
+    The glance registry service is now disabled by default as it is not
+    required for the v2 API and is scheduled to be removed in the future.
+    The service can be enabled by setting ``glance_enable_v2_registry``
+    to ``True``.
+deprecations:
+  - |
+    The ``glance_enable_v1_registry`` variable has been removed. When using
+    the glance v1 API the registry service is required, so having a variable
+    to disable it makes little sense. The service is now enabled/disabled
+    for the v1 API using the ``glance_enable_v1_api`` variable.
+fixes:
+  - |
+    When the ``glance_enable_v2_registry`` variable is set to ``True`` the
+    corresponding ``data_api`` setting is now correctly set. Previously it
+    was not set and therefore the API service was not correctly informed
+    that the registry was operating.

releasenotes/notes/horizon-arbitrary-config-8a36e4bd6818afe1.yaml

@@ -3,4 +3,4 @@ features:
   - Horizon now has the ability to set arbitrary configuration options using
     global option ``horizon_config_overrides`` in YAML format. The overrides
     follow the same pattern found within the other OpenStack service
-    overrides. `General documentation on overrides can be found here <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-openstack.html#overriding-openstack-configuration-defaults>`_.
+    overrides. `General documentation on overrides can be found here <https://docs.openstack.org/project-deploy-guide/openstack-ansible/latest/app-advanced-config-override.html>`_.

releasenotes/notes/launch-instance-defaults-support-533844543082b2f4.yaml

@@ -3,4 +3,4 @@ features:
   - It is now possible to use the horizon_launch_instance_defaults variable
     that allows customizing the default values for properties found in the
     Launch Instance modal, using the LAUNCH_INSTANCE_DEFAULTS config option.
-    See https://docs.openstack.org/developer/horizon/install/settings.html#launch-instance-defaults
+    See https://docs.openstack.org/horizon/latest/configuration/settings.html#launch-instance-defaults

releasenotes/notes/lxc-cache-prep-timeout-97dc18882f7b1e76.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The maximum amount of time to wait until forcibly failing the
+    LXC cache preparation process is now configurable using the
+    ``lxc_cache_prep_timeout`` variable. The value is specified
+    in seconds, with the default being 20 minutes.

releasenotes/notes/neutron-bgp-552e6e1f6d37f38d.yaml

@@ -2,7 +2,7 @@
 features:
   - "Neutron BGP dynamic routing plugin can now optionally be deployed and
     configured. Please see `OpenStack Networking Guide: BGP dynamic routing
-    <http://docs.openstack.org/networking-guide/config-bgp-dynamic-routing.html>`_
+    <https://docs.openstack.org/mitaka/networking-guide/config-bgp-dynamic-routing.html>`_
     for details about what the service is and what it provides."
 upgrade:
   - Database migration tasks have been added for the dynamic routing neutron

releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml

@@ -2,9 +2,9 @@
 features:
   - Neutron Firewall as a Service (FWaaS) can now optionally be deployed and
     configured. Please see the `FWaaS Configuration Reference
-    <http://docs.openstack.org/admin-guide-cloud/networking_introduction.html#firewall-as-a-service-fwaas-overview>`_
+    <https://docs.openstack.org/neutron/latest/admin/fwaas.html>`_
     for details about the what the service is and what it provides. See the
-    `FWaaS Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-fwaas.html>`_
+    `FWaaS Install Guide <https://docs.openstack.org/openstack-ansible-os_neutron/latest/configure-network-services.html#firewall-service-optional>`_
     for implementation details.
 upgrade:
   - Database migration tasks have been added for the FWaaS neutron plugin.

releasenotes/notes/neutron-vpnaas-5c7c6508f2cc05c5.yaml

@@ -2,7 +2,7 @@
 features:
   - Neutron VPN as a Service (VPNaaS) can now optionally be deployed and
     configured. Please see the `OpenStack Networking Guide
-    <http://docs.openstack.org/mitaka/networking-guide/>`_ for details
+    <https://docs.openstack.org/mitaka/networking-guide/>`_ for details
     about the what the service is and what it provides. See the
-    `VPNaaS Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-network-services.html#virtual-private-network-service-optional>`_
+    `VPNaaS Install Guide <https://docs.openstack.org/openstack-ansible-os_neutron/latest/configure-network-services.html#virtual-private-network-service-optional>`_
     for implementation details.

releasenotes/notes/new_healthcheck-9e559565745defd0.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Galera healthcheck has been improved, and relies on an xinetd service.
+    By default, the service is unaccessible (filtered with the no_access
+    directive). You can override the directive by setting any xinetd
+    valid value to ``galera_monitoring_allowed_source``.

releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml

@@ -2,7 +2,7 @@
 features:
   - The horizon next generation instance management panels have been
     enabled by default. This changes horizon to use the upstream defaults
-    instead of the legacy panels. `Documentation can be found here <http://docs.openstack.org/developer/horizon/topics/settings.html#launch-instance-ng-enabled>`_.
+    instead of the legacy panels. `Documentation can be found here <https://docs.openstack.org/horizon/latest/configuration/settings.html#launch-instance-ng-enabled>`_.
 upgrade:
   - |
     The default horizon instance launch panels have been changed to the

releasenotes/notes/openvswitch-nsh-support-a9f86a929e072cea.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Open vSwitch dataplane with NSH support has been implemented.
+    This feature may be activated by setting ``ovs_nsh_support: True``
+    in ``/etc/openstack_deploy/user_variables.yml``.

releasenotes/notes/os-tempest-roles-cead45b2cd38811f.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - A new variable, ``tempest_roles``, has been added to the
+    os_tempest role allowing users to define keystone roles
+    to be during tempest testing.

releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - The ``security_sshd_permit_root_login`` setting can
+    now be set to change the ``PermitRootLogin`` setting
+    in ``/etc/ssh/sshd_config`` to any of the possible
+    options. Set ``security_sshd_permit_root_login`` to
+    one of ``without-password``, ``prohibit-password``,
+    ``forced-commands-only``, ``yes`` or ``no``.

releasenotes/notes/pypiserver-pypi-cache-216e9e087f6d3f24.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The repo server now implements nginx as a reverse proxy for python
+    packages sourced from pypi. The initial query will be to a local
+    deployment of pypiserver in order to serve any locally built packages,
+    but if the package is not available locally it will retry
+    the query against the upstream pypi mirror set in the variable
+    ``repo_nginx_pypi_upstream`` (defaults to pypi) and cache the response.

releasenotes/notes/remove-duplicated-download-99a9ec5bfe4ba749.yaml

@@ -0,0 +1,37 @@
+---
+features:
+  - |
+    The ``tempest_images`` data structure for the ``os_tempest`` role
+    now expects the values for each image to include ``name`` (optionally)
+    and ``format`` (the disk format). Also, the optional variable ``checksum``
+    may be used to set the checksum expected for the file in the format
+    ``<algorithm>:<checksum>``.
+  - |
+    The default location for the image downloads in the ``os_tempest``
+    role set by the ``tempest_image_dir`` variable has now been changed
+    to be ``/opt/cache/files`` in order to match the default location
+    in nodepool. This improves the reliability of CI testing in
+    OpenStack CI as it will find the file already cached there.
+  - |
+    A new variable has been introduced into the ``os_tempest`` role
+    named ``tempest_image_downloader``. When set to ``deployment-host``
+    (which is the default) it uses the deployment host to handle the
+    download of images to be used for tempest testing. The images are
+    then uploaded to the target host for uploading into Glance.
+deprecations:
+  - |
+    The following variables have been removed from the ``os_tempest``
+    role to simplify it. They have been replaced through the use of
+    the data structure ``tempest_images`` which now has equivalent
+    variables per image.
+    - cirros_version
+    - tempest_img_url
+    - tempest_image_file
+    - tempest_img_disk_format
+    - tempest_img_name
+    - tempest_images.sha256 (replaced by checksum)
+fixes:
+  - |
+    The ``os_tempest`` tempest role was downloading images twice - once
+    arbitrarily, and once to use for testing. This has been consolidated
+    into a single download to a consistent location.

releasenotes/notes/remove_use_neutron-76135a385ef1345d.yaml

@@ -0,0 +1,3 @@
+---
+other:
+  - The use_neutron option was marked to be removed in sahara.

releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    The tasks within the ansible-hardening role are now based on Version 1,
+    Release 3 of the Red Hat Enteprise Linux Security Technical Implementation
+    Guide.
+  - |
+    The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to
+    ``2`` by default. This matches the default of most modern Linux
+    distributions and it ensures that Address Space Layout Randomization
+    (ASLR) is enabled.
+  - |
+    The Datagram Congestion Control Protocol (DCCP) kernel module is now
+    disabled by default, but a reboot is required to make the change
+    effective.

releasenotes/notes/specific_kernel_modules_with_group_vars-8d169f564ffd450c.yaml

@@ -0,0 +1,25 @@
+---
+upgrade:
+  - |
+    If you have overriden your
+    ``openstack_host_specific_kernel_modules``, please
+    remove its group matching, and move that override
+    directly to the appropriate group.
+
+    Example, for an override like:
+
+    .. code-block:: yaml
+
+        - name: "ebtables"
+          pattern: "CONFIG_BRIDGE_NF_EBTABLES"
+          group: "network_hosts"
+
+    You can create a file for the network_host group,
+    inside its group vars folder
+    ``/etc/openstack_deploy/group_vars/network_hosts``,
+    with the content:
+
+    .. code-block:: yaml
+
+        - name: "ebtables"
+          pattern: "CONFIG_BRIDGE_NF_EBTABLES"

releasenotes/notes/static_uca_filename-849a6f491acae9c5.yaml

@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    Any user that is coming from Pike or below on Ubuntu should modify
+    its ``user_external_repos_list``, switching its ubuntu cloud archive
+    repository from ``state: present`` to ``state: absent``.
+    From now on, UCA will be defined with the filename ``uca``. If the deployer
+    wants to use its mirror, he can still override the variable ``uca_repo``
+    to point to its mirror. Alternatively, the deployer can completely define
+    which repos to add and remove, ignoring our defaults, by overriding
+    ``openstack_hosts_package_repos``.

releasenotes/notes/support-ksm-fe6993158768a14e.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Enable Kernel Shared Memory support by setting
+    ``nova_compute_ksm_enabled`` to ``True``.

releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Searching for world-writable files is now disabled by default. The search
+    causes delays in playbook runs and it can consume a significant amount of
+    CPU and I/O resources. Deployers can re-enable the search by setting
+    ``security_find_world_writable_dirs`` to ``yes``.