Rocky Series Release Notes
9.6.1-50
New Features
Adds additional healthchecks for Swift to monitor account, container and object replicators as well as the rsync process.
Bug Fixes
Fixed a configuration issue where required settings for Octavia services were missing.
Previously, trash_output was not honored if a queue was not being used to post messages. The behavior has changed so that trash_output will be honored even if a queue is not being used, and all stdout/stderr will be discarded.
Fixed an issue where amphora load balancers would fail to create. The problem was that Octavia certificate files were being created in the wrong path and with invalid content.
When deploying a large number of nodes, the create_admin_via_ssh workflow could fail due to the large amount of ansible output generated. This patch updates the tripleo.ansible-playbook action in the workflow with trash_output:true so that the output is not saved in the mistral DB. There is a log file saved already in case the output is needed for debug purposes.
9.6.1
Bug Fixes
The passphrase for the config option ‘server_certs_key_passphrase’ is used as a Fernet key in Octavia and thus must be 32 bytes long. TripleO will now auto-generate a 32-byte passphrase for OctaviaServerCertsKeyPassphrase.
9.6.0
New Features
The tripleo-deploy-openshift script now understands the --plan option to run the openshift-ansible playbooks for a deployment named differently than “openshift”.
Introduce a --playbook option to the tripleo-deploy-openshift script in order to be able to run openshift-ansible playbook directly on already deployed servers.
Deprecation Notes
The --config-download-dir option to the tripleo-deploy-openshift script is deprecated in favor of --plan.
Security Issues
Fixed a vulnerability where an attacker may cause new Octavia amphorae to run based on any arbitrary image (CVE-2019-3895).
Bug Fixes
Ensure [controller_worker]/amp_image_owner_id is set. This configuration option restricts Glance image selection to a specific owner ID. This is a recommended security setting.
Fixes running the baremetal provide workflow with node names.
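The two Octavia settings from the 9.6.1 and 9.6.0 notes above (a 32-byte server_certs_key_passphrase and a non-empty [controller_worker]/amp_image_owner_id) can be checked against a rendered octavia.conf. The following is an added example, not TripleO or Octavia code: the [certificates] section name comes from Octavia's configuration reference rather than this page, and the helper names, sample files and owner ID are constructed for illustration.

```python
import configparser
import secrets

FERNET_KEY_BYTES = 32  # passphrase length stated in the 9.6.1 release note


def new_passphrase():
    """One way to get a 32-byte ASCII passphrase (not TripleO's own generator)."""
    return secrets.token_urlsafe(24)  # 24 random bytes -> 32 URL-safe characters


def audit_octavia_conf(text):
    """Return findings for the two Octavia settings discussed in these notes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    owner = cp.get("controller_worker", "amp_image_owner_id", fallback="")
    if not owner.strip():
        findings.append("[controller_worker]/amp_image_owner_id is not set")
    phrase = cp.get("certificates", "server_certs_key_passphrase", fallback="")
    size = len(phrase.encode("utf-8"))  # the key is bytes, so count bytes
    if size != FERNET_KEY_BYTES:
        findings.append(
            "[certificates]/server_certs_key_passphrase is %d bytes, expected %d"
            % (size, FERNET_KEY_BYTES))
    return findings


# Constructed sample files; the owner ID is a made-up placeholder.
WEAK_CONF = """
[controller_worker]
amp_image_owner_id =
[certificates]
server_certs_key_passphrase = changeme
"""

HARDENED_CONF = """
[controller_worker]
amp_image_owner_id = 00000000000000000000000000000000
[certificates]
server_certs_key_passphrase = %s
""" % new_passphrase()

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_octavia_conf(conf) or "OK")
```

The length is measured in UTF-8 bytes, so a 32-character passphrase containing non-ASCII characters is reported as too long.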
9.5.0
New Features
The ironic-staging-drivers are now installed in the ironic-conductor container so that these drivers can be used without rebuilding the container. The Ironic Staging Drivers is used to hold out-of-tree Ironic drivers which don’t have the means to provide a 3rd Party CI at this point in time, which is required by Ironic.
Increase the size of the security hardened images to 40G. With the move to containers more disk space is needed and the disk layout has been modified. It needs a global size of 40G to work.
Upgrade Notes
Package octavia-amphora-image (RHEL) will no longer be installed by role octavia-undercloud, and it now installs image files in directory /usr/share/openstack-octavia-amphora-images/. Please ensure you have the latest package version installed in the undercloud node before deploying or updating the overcloud.
Bug Fixes
Fixes bug 1793605 so when nodes are blacklisted, they are not included in the Overcloud config. A warning will show the server_id that was ignored if it can’t be found in the stack.
Node update now works correctly when capabilities are specified as a dict.
The config_download_deploy workflow now has a config_download_timeout input that will honor the user requested timeout. Previously, no timeout was honored even though the user could request one via tripleoclient.
The tripleo-bootstrap ansible role will no longer fail if yum fails to install the required packages. This fixed behavior aligns with previous requirements where enabled package repositories and a working package manager are not required on the initially deployed images. Errors are ignored on the package install task, and then a subsequent task will cause a failure indicating the required packages are not present.
tripleo.access.v1.enable_ssh_admin now honors the server blacklist if one is set. Servers in the blacklist will not be used by the workflow.
Previously, running ansible-playbook with --check would cause a failure during the individual server deployments when checking the result of a previous attempt.
The tripleo.deployment.v1.get_deployment_status workflow will no longer error when requesting the deployment status for a non-existent plan. A message is sent in the output instead of failing the workflow.
While we have a dedicated nova_metadata healthcheck script, the nova_metadata and nova_api containers use the same image and the current nova api healthcheck script still checks the non wsgi implementation. This changes the nova_api healthcheck script to check the metadata wsgi vhost config for details instead of the details in nova.conf.
Add missing httpd and mod_ssl packages to octavia container image to support TLS proxy for internal TLS.
The ServerAliveInterval and ServerAliveCountMax SSH options are now set in the mistral ansible action so that when networking configuration is performed on the overcloud nodes SSH will not drop the connection.
Work around bug 1810932 by scripting an in-place update of ssh_known_hosts.
A new workflow, config_download_export, for exporting the config-download files via a Swift tempurl is added so that the openstack overcloud config download tripleoclient command can use the API.
Other Notes
Individual server deployments that are of type group:hiera now support check mode, and when running under check mode, also support diff mode.
9.3.0
New Features
Creates a workflow to get flattened deployment parameters, so the related action does not need to be called directly.
Creates a workbook to update and get heat capabilities, so the related actions do not need to be called directly.
Add disable-nouveau element to tripleo images. This ensures nouveau is not loaded at boot, as this can prevent PCI passthrough or loading the NVIDIA binary drivers that are required for vGPU support.
Adds nova_metadata healthcheck script when nova metadata api is run via httpd wsgi to check service status.
If nova novnc proxy is configured to ssl only (see LP 178570), we need to make sure to also use ssl with the healthcheck script. With this change we verify if ssl_only is configured in nova.conf and set https as the proto to use for the novnc healthcheck.
9.2.0
New Features
The config_download_deploy workflow now uses a consistent working directory for the config-download directory. Since the directory is now managed by git, it can be reused across executions.
Initialize a git repository in the config-download directory and automatically snapshot changes made to the repository.
The GetOvercloudConfig action now sets a commit message that indicates the config was downloaded by the Mistral action and what user/project were used to execute the action.
Since the config download directory is now managed by git, the GetOvercloudConfig action will now first download the existing config container (default of overcloud-config), so that the git history is preserved and new changes will reuse the same git repo. Each new change to the config-download directory creates a new git commit.
New workflows are added for manipulating the deployment status, including tripleo.deployment.v1.set_deployment_status_success, tripleo.deployment.v1.set_deployment_status_failed, and tripleo.deployment.v1.set_deployment_status_deploying.
Generating the roles_data.yaml file has been enhanced to generate the defined role’s properties with a different name, so that a cluster can have multiple roles with the same set of services, without manual editing. Adds the support to provide role name input as Compute:ComputeA so that the role ComputeA can be generated from the defined role Compute, by only changing the name.
We are changing nova metadata api to be served via httpd wsgi. Therefore we’ll have a new config volume for the nova_metadata container.
Adding DockerNovaMetadataConfigImage for this.
Upgrade Notes
The tripleo.plan_management.v1.create_default_deployment_plan workflow has been removed, since it’s been deprecated since the pike release and is no longer used in TripleO. Any other users of this workflow should switch to tripleo.plan_management.v1.create_deployment_plan instead.
Deprecation Notes
Un-deprecated pm_service_profile option support at the UCS ironic driver.
Bug Fixes
The tripleo.plan_management.v1.update_roles workflow didn’t pass the plan name (container name) or Zaqar queue name to the sub-workflow it triggered. This caused the behaviour to be incorrect when using a name other than the default. It now correctly passes on these parameters.
Previously, ironic nodes that only differ in pm_service_profile or ucs_service_profile would override one another ultimately leaving just one of them in ironic configuration. This fix un-deprecates pm_service_profile option support at the UCS ironic driver.
9.1.0
New Features
Adds a workflow to create a container so the underlying action does not need to be called directly.
Add a workflow to generate fencing parameters so action tripleo.parameters.generate_fencing does not need to be called directly.
Allow uploading files bigger than 5GB to swift. Currently we have support for uploading files to swift using the swift client class; this class does not allow uploading files bigger than 5GB. This change enables the upload of files bigger than 5GB by using the swift service class and adjusting the headers to allow this operation. This new helper will be used for the Undercloud backup, to be able to store files bigger than 5GB.
Adds a workflow to generate the overcloudrc files in a given deployment so the tripleo.deployment.overcloudrc action does not need to be called directly.
Adds support to specify additional parameters for Bare Metal ports when registering nodes.
The mac key in nodes_json (instackenv.json) is replaced by the new ports key. Each port-entry supports the following keys: address, physical_network and local_link_connection. (The keys in ports mirror a subset of the Bare Metal service API.) Example specifying port mac address only:
"ports":[{"address":"52:54:00:87:c8:2e"}]
Example specifying additional parameters:
"ports":[{"address":"52:54:00:87:c8:2f","physical_network":"network","local_link_connection":{"switch_info":"switch","port_id":"gi1/0/11","switch_id":"a6:18:66:33:cb:49"}}]
Install Octavia amphora image on the undercloud if Red Hat.
Sets rescue_kernel and rescue_ramdisk to the same values as deploy_kernel and deploy_ramdisk on node enrollment or configuration.
Adds support for rescue_interface when enrolling nodes.
On enrollment, all classic drivers are replaced with their hardware type equivalents (e.g. pxe_ipmitool is replaced with ipmi). The fake_pxe classic driver is replaced with the manual-management hardware type (which must be enabled in the undercloud).
Create keypair for SSH access to Octavia amphorae.
ContainerImagePrepare entries can now take an includes option, which like excludes will take a list of regex patterns. includes will filter entries which do not match at least one of the include expressions.
Enhance lb-mgmt-subnet to be a class B subnet, so the global amount of Octavia loadbalancers won’t be constrained to a very low number.
Deprecation Notes
The mac key in nodes_json is replaced by ports. The ports key expects a list of dictionaries specifying address (mac address), and optional keys physical_network and local_link_connection.
The os_auth argument to the generate_fencing_parameters workflow is deprecated and should not be provided. It will be removed in a future version.
Bug Fixes
Fix bug 1760659 by updating the derived parameters workflow to use scheduler hints associated with a given role. The scheduler hints are used to identify overcloud nodes associated with the role, and take precedence over nodes identified by their profile/flavor.
Fixes handling hardware types (new-style Ironic drivers) when generating fencing parameters. Also completely removes support for the no longer existing pxe_ssh driver.
Fix Octavia amphora image RPM install on undercloud node for Red Hat based deployments (bug 1772880 <https://bugs.launchpad.net/tripleo/+bug/1772880>)
Check pub key file permissions and default to pub key data for Octavia.
Fix syntax error in octavia-undercloud role.
9.0.1
Upgrade Notes
openstack overcloud config download now writes directly to the directory specified by --config-dir. The directory contents will be overwritten, preserving any contents not originating from the stack. A --no-preserve-config option is provided which will cause the --config-dir to be deleted and recreated if the --config-dir location exists. Tmpdirs are no longer used.
9.0.0
New Features
Adds a workflow to list deployment plans so the tripleo.plan.list action does not need to be called directly.
Added role-specific parameter validation workflow.
Adds a workflow to update the parameters in a given deployment plan so the tripleo.parameters.update action does not need to be called directly.
Deprecation Notes
The tripleo.roles.list action is deprecated. Please use the tripleo.plan_management.v1.list_roles workflow instead. Calling actions directly is no longer supported.
Bug Fixes
Modifies the healthcheck for OpenDaylight to a supported URL. See https://bugs.launchpad.net/tripleo/+bug/1751857
Fixes OpenDaylight healthcheck for TLS and regular deployments.
Other Notes
The inventory code is updated to use hostnames as the host alias. Since the hostname may not always be resolvable, ansible_host is added as a hostvar and set to the host’s IP address. Using hostnames produces a much more user friendly result in the ansible output showing task result and play recap.
