
[openstack-announce] [new][openstackansible] openstack-ansible 14.0.0 release (newton)

We are eager to announce the release of:

openstack-ansible 14.0.0: Ansible playbooks for deploying OpenStack

This release is part of the newton release series.

The source is available from:

http://git.openstack.org/cgit/openstack/openstack-ansible

Download the package from:

https://tarballs.openstack.org/openstack-ansible/

For more details, please see below.

14.0.0
^^^^^^

New Features


  • LXC containers will now have a proper RFC1034/5 hostname set
    during post build tasks. A localhost entry for 127.0.1.1 will be
    created by converting all of the "_" in the "inventory_hostname" to
    "-". Containers will be created with a default domain of
    openstack.local. This domain name can be customized to meet your
    deployment needs by setting the option "lxc_container_domain".

  • The option "openstack_domain" has been added to the
    openstack_hosts role. This option is used to set up proper
    hostname entries for all hosts within a given OpenStack deployment.

  • The openstack_hosts role will set up an RFC1034/5 hostname and
    create an alias for all hosts in inventory.

  • Added new parameter "cirros_img_disk_format" to support disk
    formats other than qcow2.

  • Ceilometer can now use Gnocchi for storage. By default this is
    disabled. To enable the service, set "ceilometer_gnocchi_enabled:
    yes". See the Gnocchi role documentation for more details.

  • The os_horizon role now has support for the horizon ironic-ui
    dashboard. The dashboard may be enabled by setting
    "horizon_enable_ironic_ui" to "True" in
    "/etc/openstack_deploy/user_variables.yml".

  • Adds support for the horizon ironic-ui dashboard. The dashboard
    will be automatically enabled if any ironic hosts are defined.

  • The os_horizon role now has support for the horizon magnum-ui
    dashboard. The dashboard may be enabled by setting
    "horizon_enable_magnum_ui" to "True" in
    "/etc/openstack_deploy/user_variables.yml".

  • Adds support for the horizon magnum-ui dashboard. The dashboard
    will be automatically enabled if any magnum hosts are defined.

  • The "horizon_keystone_admin_roles" variable is added to support
    the "OPENSTACK_KEYSTONE_ADMIN_ROLES" list in the
    horizon_local_settings.py file.

  • A new variable has been added to allow a deployer to control the
    restart of containers via the handler. This new option is
    "lxc_container_allow_restarts" and has a default of "yes". If a
    deployer wishes to disable the auto-restart functionality they can
    set this value to "no" and automatic container restarts that are not
    absolutely required will be disabled.

  • Experimental support has been added to allow the deployment of the
    OpenStack Magnum service when hosts are present in the host group
    "magnum-infra_hosts".

  • Deployers can now blacklist certain Nova extensions by providing a
    list of such extensions in "horizon_nova_extensions_blacklist"
    variable, for example:

    horizon_nova_extensions_blacklist:
      - "SimpleTenantUsage"

  • The os_nova role can now deploy the nova-lxd hypervisor. This can
    be achieved by setting "nova_virt_type" to "lxd" on a per-host basis
    in "openstack_user_config.yml" or on a global basis in
    "user_variables.yml".

  • The os_nova role can now deploy a custom
    /etc/libvirt/qemu.conf file by defining "qemu_conf_dict".

  • The role now enables auditing during early boot to comply with the
    requirements in V-38438. By default, the GRUB configuration
    variables in "/etc/default/grub.d/" will be updated and the active
    "grub.cfg" will be updated.

    Deployers can opt-out of the change entirely by setting a variable:

    security_enable_audit_during_boot: no

    Deployers may opt-in for the change without automatically updating
    the active "grub.cfg" file by setting the following Ansible
    variables:

    security_enable_audit_during_boot: yes
    security_enable_grub_update: no

  • A task was added to disable secure ICMP redirects per the
    requirements in V-38526. This change can cause problems in some
    environments, so it is disabled by default. Deployers can enable the
    task (which disables secure ICMP redirects) by setting
    "security_disable_icmpv4_redirects_secure" to "yes".

  • A new task was added to disable ICMPv6 redirects per the
    requirements in V-38548. However, since this change can cause
    problems in running OpenStack environments, it is disabled by
    default. Deployers who wish to enable this task (and disable ICMPv6
    redirects) should set "security_disable_icmpv6_redirects" to "yes".

  • AIDE is configured to skip the entire "/var" directory when it
    does the database initialization and when it performs checks. This
    reduces disk I/O and allows these jobs to complete faster.

    This also allows the initialization to become a blocking process and
    Ansible will wait for the initialization to complete prior to
    running the next task.

  • In order to reduce the time taken for fact gathering, the default
    subset gathered has been reduced to a smaller set than the Ansible
    default. This may be changed by the deployer by setting the
    "ANSIBLE_GATHER_SUBSET" variable in the bash environment prior to
    executing any ansible commands.

  • A new option has been added to "bootstrap-ansible.sh" to set the
    role fetch mode. The environment variable "ANSIBLE_ROLE_FETCH_MODE"
    sets how role dependencies are resolved.

  • The auditd rules template included a rule that audited changes to
    the AppArmor policies, but the SELinux policy changes were not being
    audited. Any changes to SELinux policies in "/etc/selinux" are now
    being logged by auditd.

  • The container cache preparation process now allows "copy-on-write"
    to be set as the "lxc_container_backing_method" when the
    "lxc_container_backing_store" is set to "lvm". When this is set a
    base container will be created using a name of the form -distribution-release>-.
    The container will be stopped as it is not used for anything except
    to be a backing store for all other containers which will be based
    on a snapshot of the base container.

  • When using copy-on-write backing stores for containers, the base
    container name may be set using the variable
    "lxc_container_base_name" which defaults to **-*distribution-release>*-**.

  • The container cache preparation process now allows "overlayfs" to
    be set as the "lxc_container_backing_store". When this is set a base
    container will be created using a name of the form **-*distribution-release>*-**.
    The container will be stopped as it is not used for anything except
    to be a backing store for all other containers which will be based
    on a snapshot of the base container. The "overlayfs" backing store
    is not recommended to be used for production unless the host kernel
    version is 3.18 or higher.

  • Containers will now bind mount all logs to the physical host
    machine in the "/openstack/log/{{ inventory_hostname }}" location.
    This change will ensure containers using a block backed file system
    (lvm, zfs, btrfs) do not run into issues with full file systems due
    to logging.

  • Added new variable "tempest_img_name".

  • Added new variable "tempest_img_url". This variable replaces
    "cirros_tgz_url" and "cirros_img_url".

  • Added new variable "tempest_image_file". This variable replaces
    the hard-coded value for the "img_file" setting in tempest.conf.j2.
    This will allow users to specify images other than cirros.

  • Added new variable "tempest_img_disk_format". This variable
    replaces "cirros_img_disk_format".

  • The "rsyslog_server" role now has support for CentOS 7.

  • Support has been added to install the ceph_client packages and
    dependencies from Ceph.com, Ubuntu Cloud Archive (UCA), or the
    operating system's default repository.

    The "ceph_pkg_source" variable controls the install source for the
    Ceph packages. Valid values include:

    • "ceph": This option installs Ceph from a ceph.com repo.
      Additional variables to adjust items such as Ceph release and
      regional download mirror can be found in the variables files.

    • "uca": This option installs Ceph from the Ubuntu Cloud Archive.
      Additional variables to adjust items such as the OpenStack/Ceph
      release can be found in the variables files.

    • "distro": This option installs Ceph from the operating system's
      default repository and unlike the other options does not attempt
      to manage package keys or add additional package repositories.

  • The pip_install role can now configure pip to be locked down to
    the repository built by OpenStack-Ansible. To enable the lockdown
    configuration, deployers may set "pip_lock_to_internal_repo" to
    "true" in "/etc/openstack_deploy/user_variables.yml".

  • The dynamic_inventory.py file now takes a new argument, "--check",
    which will run the inventory build without writing any files
    to the file system. This is useful for checking to make sure your
    configuration does not contain known errors prior to running Ansible
    commands.

  • The ability to support MultiStrOps has been added to the
    config_template action plugin. This change updates the parser to use
    the "set()" type to determine if values within a given key are to be
    rendered as "MultiStrOps". If an override is used in an INI config
    file the set type is defined using the standard yaml construct of
    "?" as the item marker.

    # Example Override Entries
    Section:
      typical_list_things:
        - 1
        - 2
      multistrops_things:
        ? a
        ? b

    # Example Rendered Config:
    [Section]
    typical_list_things = 1,2
    multistrops_things = a
    multistrops_things = b
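
The rendering rule described above, as an added example that is not the config_template plugin's own code: lists are joined with commas, while set values are written as one repeated key per item. It assumes the overrides arrive as a Python dict whose MultiStrOps values are already `set` objects; `render_ini` and `read_back` are hypothetical names. `read_back` shows why the repeated keys need a dedicated reader: Python's stock `configparser` either rejects them or keeps only the last one.

```python
import configparser

# Constructed overrides mirroring the example entries in the release note.
EXAMPLE_OVERRIDES = {
    "Section": {
        "typical_list_things": [1, 2],
        "multistrops_things": {"a", "b"},
    }
}


def render_ini(overrides):
    """Render a dict of sections to INI text.

    list/tuple -> one comma-separated value
    set        -> the key repeated once per item (MultiStrOps style)
    other      -> plain "key = value"
    """
    lines = []
    for section, options in overrides.items():
        lines.append(f"[{section}]")
        for name, value in options.items():
            if isinstance(value, (set, frozenset)):
                # Sets are unordered; sort so the rendered file is stable
                # between runs and does not trigger spurious changes.
                for item in sorted(value, key=str):
                    lines.append(f"{name} = {item}")
            elif isinstance(value, (list, tuple)):
                lines.append(f"{name} = {','.join(str(v) for v in value)}")
            else:
                lines.append(f"{name} = {value}")
        lines.append("")
    return "\n".join(lines)


def read_back(text, section="Section", option="multistrops_things"):
    """Return (strict parser error name, value seen by a lenient parser)."""
    strict_error = None
    try:
        configparser.ConfigParser(strict=True).read_string(text)
    except configparser.DuplicateOptionError as exc:
        strict_error = type(exc).__name__
    lenient = configparser.ConfigParser(strict=False)
    lenient.read_string(text)
    return strict_error, lenient[section][option]


if __name__ == "__main__":
    rendered = render_ini(EXAMPLE_OVERRIDES)
    print(rendered)
    print(read_back(rendered))
```
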

  • Although the STIG requires martian packets to be logged, the
    logging is now disabled by default. The logs can quickly fill up a
    syslog server or make a physical console unusable.

    Deployers that need this logging enabled will need to set the
    following Ansible variable:

    security_sysctl_enable_martian_logging: yes

  • The "rabbitmq_server" now supports a configurable inventory host
    group. Deployers can override the "rabbitmq_host_group" variable if
    they wish to use the role to create additional RabbitMQ clusters on
    a custom host group.

  • The "lxc-container-create" role now consumes the variable
    "lxc_container_bind_mounts" which should contain a list of bind
    mounts to apply to a newly created container. The appropriate host
    and container directory will be created and the configuration
    applied to the container config. This feature is designed to be used
    in group_vars to ensure that containers are fully prepared at the
    time they are created, thus cutting down the number of times
    containers are restarted during deployments and upgrades.

  • The "lxc-container-create" role now consumes the variable
    "lxc_container_config_list" which should contain a list of the
    entries which should be added to the LXC container config file when
    the container is created. This feature is designed to be used in
    group_vars to ensure that containers are fully prepared at the time
    they are created, thus cutting down the number of times containers
    are restarted during deployments and upgrades.

  • The "lxc-container-create" role now consumes the variable
    "lxc_container_commands" which should contain any shell commands
    that should be executed in a newly created container. This feature
    is designed to be used in group_vars to ensure that containers are
    fully prepared at the time they are created, thus cutting down the
    number of times containers are restarted during deployments and
    upgrades.

  • The container creation process now allows "copy-on-write" to be
    set as the "lxc_container_backing_method" when the
    "lxc_container_backing_store" is set to "lvm". When this is set it
    will use a snapshot of the base container to build the containers.

  • The container creation process now allows "overlayfs" to be set as
    the "lxc_container_backing_store". When this is set it will use a
    snapshot of the base container to build the containers. The
    "overlayfs" backing store is not recommended to be used for
    production unless the host kernel version is 3.18 or higher.

  • LXC containers will now generate a fixed mac address on all
    network interfaces when the option lxc_container_fixed_mac is set
    to true. This feature was implemented to resolve issues with
    dynamic mac addresses in containers generally experienced at scale
    with network intensive services.

  • All of the database and database user creates have been removed
    from the roles into the playbooks. This allows the roles to be
    tested independently of the deployed database and also allows the
    roles to be used independently of infrastructure choices made by the
    integrated OSA project.

  • Host security hardening is now applied by default using the
    "openstack-ansible-security" role. Developers can opt out by setting
    the "apply_security_hardening" Ansible variable to "false". For more
    information about the role and the changes it makes, refer to the
    openstack-ansible-security documentation
    (http://docs.openstack.org/developer/openstack-ansible-security/).

  • If there are swift hosts in the environment, then the value for
    "cinder_service_backup_program_enabled" will automatically be set to
    "True". This negates the need to set this variable in
    "user_variables.yml", but the value may still be overridden at the
    deployer discretion.

  • If there are swift hosts in the environment, then the value for
    "glance_default_store" will automatically be set to "swift". This
    negates the need to set this variable in "user_variables.yml", but
    the value may still be overridden at the deployer discretion.

  • The os_nova role can now detect a PowerNV environment and set the
    virtualization type to 'kvm'.

  • The security role now has tasks that will disable the graphical
    interface on a server using upstart (Ubuntu 14.04) or systemd
    (Ubuntu 16.04 and CentOS 7). These changes take effect after a
    reboot.

    Deployers that need a graphical interface will need to set the
    following Ansible variable:

    security_disable_x_windows: no

  • Yaml files used for ceilometer configuration will now allow a
    deployer to override a given list. If an override is provided that
    matches an already defined list in one of the ceilometer default
    yaml files the entire list will be replaced by the provided
    override. Previously, nested lists of lists within the default
    ceilometer configuration files would extend should a deployer provide
    an override matching an existing pipeline. The extension of the
    defaults had a high probability to cause undesirable outcomes and
    was very unpredictable.

  • An Ansible task was added to disable the "rdisc" service on CentOS
    systems if the service is installed on the system.

    Deployers can opt-out of this change by setting
    "security_disable_rdisc" to "no".

  • Whether ceilometer should be enabled by default for each service
    is now dynamically determined based on whether there are any
    ceilometer hosts/containers deployed. This behaviour can still be
    overridden by toggling "ceilometerenabled" in
    "/etc/openstack_deploy/user_variables.yml".

  • The "os_neutron" role now determines the default configuration for
    openvswitch-agent "tunnel_types" and the presence or absence of
    "local_ip" configuration based on the value of
    "neutron_ml2_drivers_type". Deployers may directly control this
    configuration by overriding the "neutron_tunnel_types" variable.

  • The "os_neutron" role now configures neutron ml2 to load the
    "l2_population" mechanism driver by default based on the value of
    "neutron_l2_population". Deployers may directly control the neutron
    ml2 mechanism drivers list by overriding the "mechanisms" variable
    in the "neutron_plugins" dictionary.

  • LBaaSv2 is now enabled by default in all-in-one (AIO) deployments.

  • The Linux Security Module (LSM) that is appropriate for the Linux
    distribution in use will be automatically enabled by the security
    role by default. Deployers can opt out of this change by setting the
    following Ansible variable:

    security_enable_linux_security_module: False

    The documentation for STIG V-51337 has more information about how
    each LSM is enabled along with special notes for SELinux.

  • An export flag has been added to the "inventory-manage.py" script.
    This flag allows exporting of host and network information from an
    OpenStack-Ansible inventory for import into another system, or an
    alternate view of the existing data. See the developer docs for more
    details.

  • Variable "ceph_extra_confs" has been expanded to support
    retrieving additional ceph.conf and keyrings from multiple ceph
    clusters automatically.

  • Additional libvirt ceph client secrets can be defined to support
    attaching volumes from different ceph clusters.

  • New variable "ceph_extra_confs" may be defined to support
    deployment of extra Ceph config files. This is useful for cinder
    deployments that utilize multiple Ceph clusters as cinder backends.

  • The "py_pkgs" lookup plugin now has strict ordering for
    requirement files discovered. These files are used to add additional
    requirements to the python packages discovered. The order is defined
    by the constant, "REQUIREMENTS_FILE_TYPES" which contains the
    following entries, 'test-requirements.txt', 'dev-requirements.txt',
    'requirements.txt', 'global-requirements.txt',
    'global-requirement-pins.txt'. The items in this list are arranged
    from least to most priority.

  • The "openstack-ansible-galera_server" role will now prevent
    deployers from changing the "galera_cluster_name" variable on
    clusters that already have a value set in a running galera cluster.
    You can set the new "galera_force_change_cluster_name" variable to
    "True" to force the "galera_cluster_name" variable to be changed. We
    recommend setting this by running the galera-install.yml playbook
    with "-e galera_force_change_cluster_name=True", to avoid changing
    the "galera_cluster_name" variable unintentionally. Use with
    caution, changing the "galera_cluster_name" value can cause your
    cluster to fail, as the nodes won't join if restarted sequentially.

  • The repo build process is now able to make use of a pre-staged git
    cache. If the "/var/www/repo/openstackgit" folder on the repo server
    is found to contain existing git clones then they will be updated if
    they do not already contain the required SHA for the build.

  • The repo build process is now able to synchronize a git cache from
    the deployment node to the repo server. The git cache path on the
    deployment node is set using the variable "repo_build_git_cache". If
    the deployment node hosts the repo container, then the folder will
    be symlinked into the bind mount for the repo container. If the
    deployment node does not host the repo container, then the contents
    of the folder will be synchronised into the repo container.

  • The "os_glance" role now supports Ubuntu 16.04 and SystemD.

  • Gnocchi is available for deploy as a metrics storage service. At
    this time it does not integrate with Aodh or Ceilometer. To deploy
    Aodh or Ceilometer to use Gnocchi as a storage / query API, each
    must be configured appropriately with the use of overrides as
    described in the configuration guides for each of these services.

  • CentOS 7 and Ubuntu 16.04 support have been added to the "haproxy"
    role.

  • The "haproxy" role installs hatop from source to ensure that the
    same operator tooling is available across all supported
    distributions. The download URL for the source can be set using the
    variable "haproxy_hatop_download_url".

  • Added a boolean var haproxy_service_enabled to the
    haproxy_service_configs dict to support toggling haproxy endpoints
    on/off.

  • Added a new "haproxy_extra_services" var which will allow extra
    haproxy endpoint additions.

  • The repo server will now be used as a package manager cache.

  • The HAProxy role provided by OpenStack-Ansible now terminates SSL
    using a self-signed certificate by default. While this can be
    disabled, the inclusion of SSL services on all public endpoints as a
    default will help make deployments more secure without any
    additional user interaction. More information on SSL and certificate
    generation can be found here
    (http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates).

  • The "rabbitmq_server" role now supports configuring HiPE
    compilation of the RabbitMQ server Erlang code. This configuration
    option may improve server performance for some workloads and
    hardware. Deployers can override the "rabbitmq_hipe_compile"
    variable, setting a value of "True" if they wish to enable this
    feature.

  • Horizon now has the ability to set arbitrary configuration options
    using global option "horizon_config_overrides" in YAML format. The
    overrides follow the same pattern found within the other OpenStack
    service overrides. General documentation on overrides can be found
    here
    (http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-openstack.html#overriding-openstack-configuration-defaults).

  • The "os_horizon" role now supports configuration of custom themes.
    Deployers can use the new "horizon_custom_themes" and
    "horizon_default_theme" variables to configure the dashboard with
    custom themes and default to a specific theme respectively.

  • CentOS 7 support has been added to the "galera_server" role.

  • Implemented support for Ubuntu 16.04 Xenial. percona-xtrabackup
    packages will be installed from distro repositories, instead of
    upstream percona repositories due to lack of available packages
    upstream at the time of implementing this feature.

  • A task was added that restricts ICMPv4 redirects to meet the
    requirements of V-38524 in the STIG. This configuration is disabled
    by default since it could cause issues with LXC in some
    environments.

    Deployers can enable this configuration by setting an Ansible
    variable:

    security_disable_icmpv4_redirects: yes

  • The audit rules added by the security role now have key fields
    that make it easier to link the audit log entry to the audit rule
    that caused it to appear.
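
How the key field links a log entry to its rule, as an added example that is not part of the release notes or of the security role: the script groups auditd records by event ID and indexes the events by the key recorded on the SYSCALL record, which also covers the "/etc/selinux" auditing noted earlier. The log lines are constructed, and the key names "selinux_changes" and "apparmor_changes" are hypothetical placeholders, not the keys the role writes.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample records in audit.log format. Key names are hypothetical.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1476100000.101:501): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=1000 comm="vi" exe="/usr/bin/vi" key="selinux_changes"
type=PATH msg=audit(1476100000.101:501): item=0 name="/etc/selinux/config" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1476100005.220:502): arch=c000003e syscall=2 success=yes exit=4 uid=0 auid=1000 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1476100005.220:502): item=0 name="/etc/hostname" inode=77 nametype=NORMAL
type=SYSCALL msg=audit(1476100009.874:503): arch=c000003e syscall=82 success=yes exit=0 uid=0 auid=0 comm="mv" exe="/bin/mv" key="apparmor_changes"
type=PATH msg=audit(1476100009.874:503): item=0 name="/etc/apparmor.d/usr.sbin.foo" inode=212 nametype=DELETE
type=PATH msg=audit(1476100009.874:503): item=1 name="/etc/apparmor.d/usr.sbin.bar" inode=212 nametype=CREATE
"""

# "type=X msg=audit(<epoch>.<ms>:<serial>): field=value ..."
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")


def parse_record(line):
    """Split one audit record into type, event ID and a field dict."""
    match = HEADER.match(line.strip())
    if not match:
        return None
    rtype, stamp, serial, rest = match.groups()
    try:
        tokens = shlex.split(rest)      # strips the quotes around values
    except ValueError:                  # unbalanced quote in a damaged line
        tokens = rest.split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    return {"type": rtype, "event": f"{stamp}:{serial}", "fields": fields}


def events_by_key(log_text):
    """Return {rule key: [event summaries]} for events that matched a keyed rule."""
    events = defaultdict(
        lambda: {"key": None, "exe": None, "auid": None, "paths": []}
    )
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        event = events[record["event"]]
        fields = record["fields"]
        if record["type"] == "SYSCALL":
            key = fields.get("key")
            # auditd writes key=(null) when the matching rule has no key.
            event["key"] = None if key in (None, "(null)") else key
            event["exe"] = fields.get("exe")
            event["auid"] = fields.get("auid")
        elif record["type"] == "PATH" and "name" in fields:
            event["paths"].append(fields["name"])

    by_key = defaultdict(list)
    for event_id, event in events.items():
        if event["key"]:
            by_key[event["key"]].append(
                {
                    "event": event_id,
                    "exe": event["exe"],
                    "auid": event["auid"],
                    "paths": event["paths"],
                }
            )
    return dict(by_key)


if __name__ == "__main__":
    for key, hits in events_by_key(SAMPLE_LOG).items():
        for hit in hits:
            print(key, hit["event"], hit["exe"], hit["auid"], hit["paths"])
```

On a live host, `ausearch -k <key>` performs the same lookup against the audit log.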

  • pip can be installed via the deployment host using the new
    variable "pip_offline_install". This can be useful in environments
    where the containers lack internet connectivity. Please refer to the
    limited connectivity installation guide
    (http://docs.openstack.org/developer/openstack-ansible/install-guide/app-no-internet-connectivity.html#install-pip-through-deployment-host)
    for more information.

  • The env.d directory included with OpenStack-Ansible is now used as
    the first source for the environment skeleton, and
    "/etc/openstack_deploy/env.d" will be used only to override values.
    Deployers without customizations will no longer need to copy the
    env.d directory to /etc/openstack_deploy. As a result, the env.d
    copy operation has been removed from the node bootstrap role.

  • A new debug flag has been added to "dynamic_inventory.py". This
    should make it easier to understand what's happening with the
    inventory script, and provide a way to gather output for more
    detailed bug reports. See the developer docs for more details.

  • The "ironic" role now supports Ubuntu 16.04 and SystemD.

  • Experimental support has been added to allow the deployment of the
    OpenStack Bare Metal Service (Ironic). Details for how to set it up
    are available in the OpenStack-Ansible Install Guide for Ironic
    (http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-ironic.html).

  • To ensure the deployment system remains clean the Ansible
    execution environment is contained within a virtual environment. The
    virtual environment is created at "/opt/ansible-runtime" and the
    "ansible.*" CLI commands are linked within /usr/local/bin to ensure
    there is no interruption in the deployer workflow.

  • There is a new default configuration for keepalived, supporting
    more than 2 nodes.

  • In order to make use of the latest stable keepalived version, the
    variable "keepalived_use_latest_stable" must be set to "True".

  • The ability to support login user domain and login project domain
    has been added to the keystone module.

    # Example usage
    - keystone:
        command: ensure_user
        endpoint: "{{ keystone_admin_endpoint }}"
        login_user: admin
        login_password: admin
        login_project_name: admin
        login_user_domain_name: custom
        login_project_domain_name: custom
        user_name: demo
        password: demo
        project_name: demo
        domain_name: custom

  • The new LBaaS v2 dashboard is available in Horizon. Deployers can
    enable the panel by setting the following Ansible variable:

    horizon_enable_neutron_lbaas: True

  • The LBaaSv2 service provider configuration can now be adjusted
    with the "neutron_lbaasv2_service_provider" variable. This allows a
    deployer to choose to deploy LBaaSv2 with Octavia in a future
    version.

  • The config_template action plugin now has a new option to toggle
    list extension for JSON or YAML formats. The new option is
    "list_extend" and is a boolean. The default is True which maintains
    the existing API.

  • The lxc_hosts role can now make use of a primary and secondary gpg
    keyserver for gpg validation of the downloaded cache. Setting the
    servers to use can be done using the
    "lxc_image_cache_primary_keyserver" and
    "lxc_image_cache_secondary_keyserver" variables.

  • The "lxc_container_create" role will now build a container based
    on the distro of the host OS.

  • The "lxc_container_create" role now supports Ubuntu 14.04, 16.04,
    and RHEL/CentOS 7.

  • The LXC container creation process now has a configurable delay
    for the task which waits for the container to start. The variable
    "lxc_container_ssh_delay" can be set to change the default delay of
    five seconds.

  • The "lxc_host" cache prep has been updated to use the LXC download
    template. This removes the last remaining dependency the project has
    on the rpc-trusty-container.tgz image
    (http://rpc-repo.rackspace.com/container_images/rpc-trusty-container.tgz).

  • The "lxc_host" role will build lxc cache using the download
    template built from images found here
    (https://images.linuxcontainers.org). These images are upstream
    builds from the greater LXC/D community.

  • The "lxc_host" role introduces support for CentOS 7 and Ubuntu
    16.04 container types.

  • The inventory script will now dynamically populate the "lxc_hosts"
    group based on which machines have container affinities
    defined. This group is not allowed in user-defined configuration.

  • Neutron HA router capabilities in Horizon will be enabled
    automatically if the neutron plugin type is ML2 and environment has
    >=2 L3 agent nodes.

  • Horizon now has a boolean variable named
    "horizon_enable_ha_router" to enable Neutron HA router management.

  • Horizon's IPv6 support is now enabled by default. This allows
    users to manage subnets with IPv6 addresses within the Horizon
    interface. Deployers can disable IPv6 support in Horizon by setting
    the following variable:

    horizon_enable_ipv6: False

    Please note: Horizon will still display IPv6 addresses in various
    panels with IPv6 support disabled. However, it will not allow any
    direct management of IPv6 configuration.

  • memcached now logs with multiple levels of verbosity, depending on
    the user variables. Setting "debug: True" enables maximum verbosity
    while setting "verbose: True" logs with an intermediate level.

  • The openstack-ansible-memcached_server role includes a new
    override, "memcached_connections" which is automatically calculated
    from the number of memcached connection limit plus additional 1k to
    configure the OS nofile limit. Without proper nofile limit
    configuration, memcached will crash in order to support higher
    parallel connection TCP/Memcache counts.

  • The repo build process is now able to support building and
    synchronizing artifacts for multiple CPU architectures. Build
    artifacts are now tagged with the appropriate CPU architecture by
    default, and synchronization of build artifacts from secondary,
    architecture-specific repo servers back to the primary repo server
    is supported.

  • The repo install process is now able to support building and
    synchronizing artifacts for multiple CPU architectures. To support
    multiple architectures, one or more repo servers must be created for
    each CPU architecture in the deployment. When multiple CPU
    architectures are detected among the repo servers, the repo-
    discovery process will automatically assign a repo master to perform
    the build process for each architecture.

  • CentOS 7 support has been added to the "galera_client" role.

  • Whether the Neutron DHCP Agent, Metadata Agent or LinuxBridge
    Agent should be enabled is now dynamically determined based on the
    "neutron_plugin_type" and the "neutron_ml2_mechanism_drivers" that
    are set. This aims to simplify the configuration of Neutron services
    and eliminate the need for deployers to override the entire
    "neutron_services" dict variable to disable these services.

  • Neutron BGP dynamic routing plugin can now optionally be deployed
    and configured. Please see OpenStack Networking Guide: BGP dynamic
    routing
    (http://docs.openstack.org/networking-guide/config-bgp-dynamic-routing.html)
    for details about what the service is and what it provides.

  • The Project Calico Neutron networking plugin is now integrated
    into the deployment. For setup instructions please see "os_neutron"
    role documentation.

  • A conditional has been added to the "local_ip" settings used in
    the "neutron_local_ip" which removes the hard requirement for an
    overlay network to be set within a deployment. If no overlay network
    is set within the deployment the "local_ip" will be set to the value
    of "ansible_ssh_host".

  • Deployers can now configure tempest public and private networks by
    setting the following variables, 'tempest_private_net_provider_type'
    to either vxlan or vlan and 'tempest_public_net_provider_type' to
    flat or vlan. Depending on what the deployer sets these variables
    to, they may also need to update other variables accordingly, this
    mainly involves 'tempest_public_net_physical_type' and
    'tempest_public_net_seg_id'. Please refer to
    http://docs.openstack.org/mitaka/networking-guide/intro-basic-networking.html
    for more neutron networking information.

  • The Project Calico Neutron networking plugin is now integrated
    into the "os_neutron" role. This can be activated using the
    instructions located in the role documentation.

  • The "os_neutron" role will now default to the OVS firewall driver
    when "neutron_plugin_type" is "ml2.ovs" and the host is running
    Ubuntu 16.04 on PowerVM. To override this default behavior,
    deployers should define "neutron_ml2_conf_ini_overrides" and
    'neutron_openvswitch_agent_ini_overrides' in 'user_variables.yml'.
    Example below:

    neutron_ml2_conf_ini_overrides:
      securitygroup:
        firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    neutron_openvswitch_agent_ini_overrides:
      securitygroup:
        firewall_driver: iptables_hybrid

  • Neutron VPN as a Service (VPNaaS) can now optionally be deployed
    and configured. Please see the OpenStack Networking Guide
    (http://docs.openstack.org/mitaka/networking-guide/) for details
    about what the service is and what it provides. See the VPNaaS
    Install Guide
    (http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-network-services.html#virtual-private-network-service-optional)
    for implementation details.

  • Support for Neutron distributed virtual routing has been added to
    the "os_neutron" role. This includes the implementation of
    Networking Guide's suggested agent configuration. This feature may
    be activated by setting "neutron_plugin_type: ml2.ovs.dvr" in
    "/etc/openstack_deploy/user_variables.yml".

  • The horizon next generation instance management panels have been
    enabled by default. This changes horizon to use the upstream
    defaults instead of the legacy panels. Documentation can be found
    here
    (http://docs.openstack.org/developer/horizon/topics/settings.html#launch-instance-ng-enabled).

  • The nova SSH public key distribution has been made a lot faster
    especially when deploying against very large clusters. To support
    larger clusters the role has moved away from the "authorized_key"
    module and is now generating a script to insert keys that may be
    missing from the authorized keys file. The script is saved on all
    nova compute nodes and can be found at
    "/usr/local/bin/openstack-nova-key.sh". If ever there is a need to
    reinsert keys or fix issues on a given compute node the script can
    be executed at any time without directly running the ansible
    playbooks or roles.

  • The os_nova role can now detect and support basic deployment of a
    PowerVM environment. This sets the virtualization type to 'powervm'
    and installs/updates the PowerVM NovaLink package and nova-powervm
    driver.

  • Nova UCA repository support is implemented by default. This will
    allow the users to benefit from the updated packages for KVM. The
    "nova_uca_enable" variable controls the install source for the KVM
    packages. By default this value is set to "True" to make use of the
    UCA repository. Users can set it to "False" to disable it.

  • A new configuration parameter "security_ntp_bind_local_interfaces"
    was added to the security role to restrict the network interfaces
    on which chronyd will listen for NTP requests.

  • The LXC container creation and modification process now supports
    online network additions. This ensures a container remains online
    when additional networks are added to a system.

  • Open vSwitch driver support has been implemented. This includes
    the implementation of the appropriate Neutron configuration and
    package installation. This feature may be activated by setting
    "neutron_plugin_type: ml2.ovs" in
    "/etc/openstack_deploy/user_variables.yml".

  • An opportunistic Ansible execution strategy has been implemented.
    This allows the Ansible linear strategy to skip tasks with
    conditionals faster by never queuing the task when the conditional
    is evaluated to be false.

  • The Ansible SSH plugin has been modified to support running
    commands within containers without having to directly ssh into them.
    The change will detect presence of a container. If a container is
    found the physical host will be used as the SSH target and commands
    will be run directly. This will improve system reliability and speed
    while also opening up the possibility for SSH to be disabled from
    within the container itself.

  • Added "horizon_apache_custom_log_format" tunable to the os-horizon
    role for changing CustomLog format. Default is "combined".

  • Added keystone_apache_custom_log_format tunable for changing
    CustomLog format. Default is "combined".

  • Apache MPM tunable support has been added to the os-keystone role
    in order to allow MPM thread tuning. Default values reflect the
    current Ubuntu default settings:

    keystone_httpd_mpm_backend: event
    keystone_httpd_mpm_start_servers: 2
    keystone_httpd_mpm_min_spare_threads: 25
    keystone_httpd_mpm_max_spare_threads: 75
    keystone_httpd_mpm_thread_limit: 64
    keystone_httpd_mpm_thread_child: 25
    keystone_httpd_mpm_max_requests: 150
    keystone_httpd_mpm_max_conn_child: 0

  • Introduced option to deploy Keystone under Uwsgi. A new variable
    "keystone_mod_wsgi_enabled" is introduced to toggle this behavior.
    The default is "true" which continues to deploy with mod_wsgi for
    Apache. The ports used by Uwsgi for socket and http connection for
    both public and admin Keystone services are configurable (see also
    the "keystone_uwsgi_ports" dictionary variable). Other Uwsgi
    configuration can be overridden by using the
    "keystone_uwsgi_ini_overrides" variable as documented under
    "Overriding OpenStack configuration defaults" in the
    OpenStack-Ansible Install Guide. Federation features should be
    considered experimental with this configuration at this time.

  • Introduced option to deploy Keystone behind Nginx. A new variable
    "keystone_apache_enabled" is introduced to toggle this behavior. The
    default is "true" which continues to deploy with Apache. Additional
    configuration can be delivered to Nginx through the use of the
    "keystone_nginx_extra_conf" list variable. Federation features are
    not supported with this configuration at this time. Use of this
    option requires "keystone_mod_wsgi_enabled" to be set to "false"
    which will deploy Keystone under Uwsgi.

  • The "os_cinder" role now supports Ubuntu 16.04.

  • CentOS7/RHEL support has been added to the os_cinder role.

  • CentOS7/RHEL support has been added to the os_glance role.

  • CentOS7/RHEL support has been added to the os_keystone role.

  • The "os_magnum" role now supports deployment on Ubuntu 16.04 using
    systemd.

  • The galera_client role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "galera_client_package_state" to "present".

  • The ceph_client role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "ceph_client_package_state" to "present".

  • The os_ironic role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "ironic_package_state" to "present".

  • The os_nova role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "nova_package_state" to "present".

  • The memcached_server role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "memcached_package_state" to "present".

  • The os_heat role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "heat_package_state" to "present".

  • The rsyslog_server role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "rsyslog_server_package_state" to "present".

  • The pip_install role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "pip_install_package_state" to "present".

  • The repo_build role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "repo_build_package_state" to "present".

  • The os_rally role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "rally_package_state" to "present".

  • The os_glance role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "glance_package_state" to "present".

  • The security role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "security_package_state" to "present".

  • A new global option to control all package install states has been
    implemented. The default action for all distribution package
    installations is to ensure that the latest package is installed.
    This may be changed to only verify if the package is present by
    setting "package_state" to "present".

  • The os_keystone role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "keystone_package_state" to "present".

  • The os_cinder role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "cinder_package_state" to "present".

  • The os_gnocchi role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "gnocchi_package_state" to "present".

  • The os_magnum role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "magnum_package_state" to "present".

  • The rsyslog_client role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "rsyslog_client_package_state" to "present".

  • The os_sahara role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "sahara_package_state" to "present".

  • The repo_server role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "repo_server_package_state" to "present".

  • The haproxy_server role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "haproxy_package_state" to "present".

  • The os_aodh role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "aodh_package_state" to "present".

  • The openstack_hosts role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "openstack_hosts_package_state" to "present".

  • The galera_server role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "galera_server_package_state" to "present".

  • The rabbitmq_server role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "rabbitmq_package_state" to "present".

  • The lxc_hosts role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "lxc_hosts_package_state" to "present".

  • The os_ceilometer role now supports the ability to configure
    whether apt/yum tasks install the latest available package, or just
    ensure that the package is present. The default action is to ensure
    that the latest package is present. The action taken may be changed
    to only ensure that the package is present by setting
    "ceilometer_package_state" to "present".

  • The os_swift role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "swift_package_state" to "present".

  • The os_neutron role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "neutron_package_state" to "present".

  • The os_horizon role now supports the ability to configure whether
    apt/yum tasks install the latest available package, or just ensure
    that the package is present. The default action is to ensure that
    the latest package is present. The action taken may be changed to
    only ensure that the package is present by setting
    "horizon_package_state" to "present".

  • The PATH environment variable that is configured on the remote
    system can now be set using the "openstack_host_environment_path"
    list variable.

  • The repo build process now has the ability to store the pip
    sources within the build archive. This ability is useful when
    deploying environments that are "multi-architecture", "multi-
    distro", or "multi-interpreter" where specific pre-built wheels may
    not be enough to support all of the deployment. To enable the
    ability to store the python source code within a given release, set
    the new option "repo_build_store_pip_sources" to "true".

  • The repo server now has a Package Cache service for distribution
    packages. To leverage the cache, deployers will need to configure
    the package manager on all hosts to use the cache as a proxy. If a
    deployer would prefer to disable this service, the variable
    "repo_pkg_cache_enabled" should be set to "false".

  • The "rabbitmq_server" role now supports deployer override of the
    RabbitMQ policies applied to the cluster. Deployers can override the
    "rabbitmq_policies" variable, providing a list of desired policies.

  • The RabbitMQ Management UI is now available through HAProxy on
    port 15672. The default userid is "monitoring". This user can be
    modified by changing the parameter "rabbitmq_monitoring_userid" in
    the file "user_variables.yml". Please note that ACLs have been added
    to this HAProxy service by default, such that it may only be
    accessed by common internal clients. Reference
    "playbooks/vars/configs/haproxy_config.yml".

  • Added playbook for deploying Rally in the utility containers

  • Our general config options are now stored in an
    "/usr/local/bin/openstack-ansible.rc" file and will be sourced when
    the "openstack-ansible" wrapper is invoked. The RC file will read in
    BASH environment variables and should any Ansible option be set that
    overlaps with our defaults the provided value will be used.

  • The LBaaSv2 device driver is now set by the Ansible variable
    "neutron_lbaasv2_device_driver". The default is set to use the
    "HaproxyNSDriver", which allows for agent-based load balancers.

  • The GPG key checks for package verification in V-38476 are now
    working for Red Hat Enterprise Linux 7 in addition to CentOS 7. The
    checks only look for GPG keys from Red Hat and any other GPG keys,
    such as ones imported from the EPEL repository, are skipped.

  • CentOS7 support has been added to the "rsyslog_client" role.

  • The options of application logrotate configuration files are now
    configurable. "rsyslog_client_logrotate_options" can be used to
    provide a list of directives, and
    "rsyslog_client_logrotate_scripts" can be used to provide a list of
    postrotate, prerotate, firstaction, or lastaction scripts.

  • Experimental support has been added to allow the deployment of the
    Sahara data-processing service. To deploy sahara, hosts should be
    present in the host group "sahara-infra_hosts".

  • The Sahara dashboard is available in Horizon. Deployers can enable
    the panel by setting the following Ansible variable:

    horizon_enable_sahara_ui: True

  • Tasks were added to search for any device files without a proper
    SELinux label on CentOS systems. If any of these device labels are
    found, the playbook execution will stop with an error message.

  • The repo build process now selectively clones git repositories
    based on whether each OpenStack service group has any hosts in it.
    If there are no hosts in the group, the git repo for the service
    will not be cloned. This behaviour can be optionally changed to
    force all git repositories to be cloned by setting
    "repo_build_git_selective" to "no".

  • The repo build process now selectively builds venvs based on
    whether each OpenStack service group has any hosts in it. If there
    are no hosts in the group, the venv will not be built. This
    behaviour can be optionally changed to force all venvs to be built
    by setting "repo_build_venv_selective" to "yes".

  • The repo build process now selectively builds python packages
    based on whether each OpenStack service group has any hosts in it.
    If there are no hosts in the group, the list of python packages for
    the service will not be built. This behaviour can be optionally
    changed to force all python packages to be built by setting
    "repo_build_wheel_selective" to "no".

  • A new variable is supported in the "neutron_services" dictionary
    called "service_conf_path". This variable enables services to deploy
    their config templates to paths outside of /etc/neutron by
    specifying a directory using the new variable.

  • The openstack-ansible-security role supports the application of
    the Red Hat Enterprise Linux 6 STIG configurations to systems
    running CentOS 7 and Ubuntu 16.04 LTS.

  • The "fallocate_reserve" option can now be set (in bytes or as a
    percentage) for swift by using the "swift_fallocate_reserve"
    variable in "/etc/openstack_deploy/user_variables.yml". This value
    is the amount of space to reserve on a disk to prevent a situation
    where swift is unable to remove objects due to a lack of available
    disk space to work with. The default value is 1% of the total disk
    size.

  • The "openstack-ansible-os_swift" role will now prevent deployers
    from changing the "swift_hash_path_prefix" and
    "swift_hash_path_suffix" variables on clusters that already have a
    value set in "/etc/swift/swift.conf". You can set the new
    "swift_force_change_hashes" variable to "True" to force the
    "swift_hash_path_" variables to be changed. We recommend setting
    this by running the os-swift.yml playbook with "-e
    swift_force_change_hashes=True", to avoid changing the
    "swift_hash_path_" variables unintentionally. Use with caution:
    changing the "swift_hash_path_" values causes end-user impact.

  • The "os_swift" role has 3 new variables that will allow a deployer
    to change the hard, soft and fs.file-max limits. The hard and soft
    limits are being added to the limits.conf file for the swift system
    user. The fs.file-max settings are added to storage hosts via kernel
    tuning. The new options are "swift_hard_open_file_limits" with a
    default of 10240, "swift_soft_open_file_limits" with a default of
    4096, and "swift_max_file_limits" with a default of 24 times the
    value of "swift_hard_open_file_limits".

  • The "pretend_min_part_hours_passed" option can now be passed to
    swift-ring-builder prior to performing a rebalance. This is set by
    the "swift_pretend_min_part_hours_passed" boolean variable. The
    default for this variable is False. We recommend setting this by
    running the os-swift.yml playbook with "-e
    swift_pretend_min_part_hours_passed=True", to avoid resetting
    "min_part_hours" unintentionally on every run. Setting
    "swift_pretend_min_part_hours_passed" to True will reset the clock
    on the last time a rebalance happened, thus circumventing the
    min_part_hours check. This should only be used with extreme caution.
    If you run this command and deploy rebalanced rings before a
    replication pass completes, you may introduce unavailability in your
    cluster. This has an end-user impact.

  • While default python interpreter for swift is cpython, pypy is now
    an option. This change adds the ability to greatly improve swift
    performance without the core code modifications. These changes have
    been implemented using the documentation provided by Intel and
    Swiftstack. Notes about the performance increase can be seen here
    (https://software.intel.com/en-us/blogs/2016/05/06/doubling-the-performance-of-openstack-swift-with-no-code-changes).

  • Change the port for devices in the ring by adjusting the port
    value for services, hosts, or devices. This will not involve a
    rebalance of the ring.

  • Changing the port for a device, or group of devices, carries a
    brief period of downtime to the swift storage services for those
    devices. The devices will be unavailable during the period between when
    the storage service restarts after the port update, and the ring
    updates to match the new port.

  • Enable rsync module per object server drive by setting the
    "swift_rsync_module_per_drive" setting to "True". Set this to
    configure rsync and swift to utilise individual configuration per
    drive. This is required when disabling rsyncs to individual disks,
    for example in a disk full scenario.

  • The "os_swift" role will now include the swift "staticweb"
    middleware by default.

  • The os_swift role now allows the permissions for the log files
    created by the swift account, container and object servers to be
    set. The variable is "swift_syslog_log_perms" and is set to "0644"
    by default.

  • Support added to allow deploying on ppc64le architecture using the
    Ubuntu distributions.

  • Support has been added to allow the functional tests to pass when
    deploying on ppc64le architecture using the Ubuntu distributions.

  • Support for the deployment of Unbound caching DNS resolvers has
    been added as an optional replacement for /etc/hosts management
    across all hosts in the environment. To enable the Unbound DNS
    containers, add "unbound_hosts" entries to the environment.

  • The "repo_build" role now provides the ability to override the
    upper-constraints applied which are sourced from OpenStack and from
    the global-requirements-pins.txt file. The variable
    "repo_build_upper_constraints_overrides" can be populated with a
    list of upper constraints. This list will take the highest
    precedence in the constraints process, with the exception of the
    pins set in the git source SHAs.
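
The nova SSH public key item above describes a generated script that inserts only the keys missing from the authorized keys file and can be re-run at any time. The sketch below shows that kind of idempotent insert; it is an added example, not the contents of "/usr/local/bin/openstack-nova-key.sh", and the function names, arguments and sample keys are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration with hypothetical names; this is NOT the generated
# /usr/local/bin/openstack-nova-key.sh script.

# insert_missing_keys AUTH_FILE KEYS_FILE
#   Appends every public key line of KEYS_FILE that is not already an
#   exact line of AUTH_FILE, and prints the number of keys appended.
#   Running it again with the same input appends nothing.
insert_missing_keys() {
    imk_auth_file=$1
    imk_keys_file=$2
    imk_added=0

    # Create the file with owner-only permissions; sshd (StrictModes)
    # refuses authorized_keys files that other users can write to.
    [ -f "$imk_auth_file" ] || ( umask 077; : > "$imk_auth_file" )
    chmod 600 "$imk_auth_file"

    # If the last line has no trailing newline, add one so that an
    # appended key cannot be glued onto an existing entry.
    if [ -n "$(tail -c 1 "$imk_auth_file")" ]; then
        printf '\n' >> "$imk_auth_file"
    fi

    while IFS= read -r imk_key || [ -n "$imk_key" ]; do
        # Skip blank lines and comments in the key list.
        case $imk_key in
            ''|'#'*) continue ;;
        esac
        # -F: fixed string (keys contain regex metacharacters),
        # -x: whole-line match, -q: exit status only.
        if ! grep -qxF -- "$imk_key" "$imk_auth_file"; then
            printf '%s\n' "$imk_key" >> "$imk_auth_file"
            imk_added=$((imk_added + 1))
        fi
    done < "$imk_keys_file"

    printf '%s\n' "$imk_added"
}

# Demo on constructed sample keys in a throw-away directory.
# Prints "<added on first run> <added on second run>".
demo_insert_missing_keys() {
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3constructedkey1 nova@compute1' \
        > "$demo_dir/authorized_keys"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3constructedkey1 nova@compute1' \
        'ssh-ed25519 AAAAC3constructedkey2 nova@compute2' \
        > "$demo_dir/keys"
    demo_first=$(insert_missing_keys "$demo_dir/authorized_keys" "$demo_dir/keys")
    demo_second=$(insert_missing_keys "$demo_dir/authorized_keys" "$demo_dir/keys")
    rm -rf "$demo_dir"
    printf '%s %s\n' "$demo_first" "$demo_second"
}

demo_insert_missing_keys
```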

Known Issues


  • Deployments on ppc64le are limited to Ubuntu 16.04 for the Newton
    release of OpenStack-Ansible.

  • The variables "haproxy_keepalived_(internal|external)_cidr" now
    have a default set to "169.254.(2|1).1/24". This is to prevent
    Ansible undefined variable warnings. Deployers must set values for
    these variables for a working haproxy with keepalived environment
    when using more than one haproxy node.

  • In the latest stable version of keepalived there is a problem with
    the priority calculation when a deployer has more than five
    keepalived nodes. The problem causes the whole keepalived cluster to
    fail to work. To work around this issue it is recommended that
    deployers limit the number of keepalived nodes to no more than five
    or that the priority for each node is set as part of the
    configuration (cf. "haproxy_keepalived_vars_file" variable).

  • Paramiko version 2.0 requires the Python cryptography library.
    New system packages must be installed for this library. For
    OpenStack-Ansible versions <12.0.12, <11.2.15, <13.0.2 the system
    packages must be installed on the deployment host manually by
    executing "apt-get install -y build-essential libssl-dev
    libffi-dev".

Upgrade Notes


  • LXC containers will now have a proper RFC1034/5 hostname set
    during post build tasks. A localhost entry for 127.0.1.1 will be
    created by converting all of the "_" in the "inventory_hostname" to
    "-". Containers will be created with a default domain of
    openstack.local. This domain name can be customized to meet your
    deployment needs by setting the option "lxc_container_domain".

  • A new global variable has been created named "openstack_domain".
    This variable has a default value of "openstack.local".

  • The "ca-certificates" package has been included in the LXC
    container build process in order to prevent issues related to trying
    to connect to public websites which make use of newer certificates
    than exist in the base CA certificate store.

  • In order to reduce the time taken for fact gathering, the default
    subset gathered has been reduced to a smaller set than the Ansible
    default. This may be changed by the deployer by setting the
    "ANSIBLE_GATHER_SUBSET" variable in the bash environment prior to
    executing any ansible commands.

  • The environment variable "FORKS" is no longer used. The standard
    Ansible environment variable "ANSIBLE_FORKS" should be used instead.

  • The Galera client role now has a dependency on the apt package
    pinning role.

  • The variable "security_audit_apparmor_changes" is now renamed to
    "security_audit_mac_changes" and is enabled by default. Setting
    "security_audit_mac_changes" to "no" will disable syscall auditing
    for any changes to AppArmor policies (in Ubuntu) or SELinux policies
    (in CentOS).

  • When upgrading, deployers will need to ensure they have a backup of
    all logging from within the container prior to running the
    playbooks. If the logging node is present within the deployment all
    logs should already be sync'd with the logging server and no action
    is required. As a pre-step it's recommended that deployers clean up
    logging directories from within containers prior to running the
    playbooks. After the playbooks have run the bind mount will be in
    effect at "/var/log" which will mount over all previous log files
    and directories.

  • Due to a new bind mount at "/var/log" all containers will be
    restarted. This is a required restart. It is recommended that
    deployers run the container restarts in serial to not impact
    production workloads.

  • The default value of "service_credentials/os_endpoint_type" within
    ceilometer's configuration file has been changed to internalURL.
    This may be overridden through the use of the
    "ceilometer_ceilometer_conf_overrides" variable.

  • The default database collation has changed from utf8_unicode_ci
    to utf8_general_ci. Existing databases and tables will need to be
    converted.

  • The LXC container cache preparation process now copies package
    repository configuration from the host instead of implementing its
    own configuration. The following variables are therefore unnecessary
    and have been removed:

    • "lxc_container_template_main_apt_repo"

    • "lxc_container_template_security_apt_repo"

    • "lxc_container_template_apt_components"

  • The LXC container cache preparation process now copies DNS
    resolution configuration from the host instead of implementing its
    own configuration. The "lxc_cache_resolvers" variable is therefore
    unnecessary and has been removed.

  • The MariaDB wait_timeout setting is decreased to 1h to match the
    SQL Alchemy pool recycle timeout, in order to prevent unnecessary
    database session buildups.

  • The variable "repo_server_packages" that defines the list of
    packages required to install a repo server has been replaced by
    "repo_server_distro_packages".

  • If there are swift hosts in the environment, then the value for
    "cinder_service_backup_program_enabled" will automatically be set
    to "True". This negates the need to set this variable in
    "user_variables.yml", but the value may still be overridden at the
    deployer's discretion.

  • If there are swift hosts in the environment, then the value for
    "glance_default_store" will automatically be set to "swift". This
    negates the need to set this variable in "user_variables.yml", but
    the value may still be overridden at the deployer's discretion.

  • The variable "security_sysctl_enable_tcp_syncookies" has replaced
    "security_sysctl_tcp_syncookies" and it is now a boolean instead of
    an integer. It is still enabled by default, but deployers can
    disable TCP syncookies by setting the following Ansible variable:

    security_sysctl_enable_tcp_syncookies: no

  • The "glance_apt_packages" variable has been renamed to
    "glance_distro_packages" so that it applies to multiple operating
    systems.

  • Within the "haproxy" role, hatop has been changed from a package
    installation to a source-based installation. This has been done to
    ensure that the same operator tooling is available across all
    supported distributions. The download URL for the source can be set
    using the variable "haproxy_hatop_download_url".

  • Haproxy has a new backend to support using the repo server nodes
    as a git server. The new backend is called "repo_git" and uses port
    "9418". Default ACLs have been created to lock down the port's
    availability to only internal networks originating from an RFC1918
    address.

  • Haproxy has a new backend to support using the repo server nodes
    as a package manager cache. The new backend is called "repo_cache"
    and uses port "3142" and a single active node. All other nodes
    within the pool are backups and will be promoted if the active node
    goes down. Default ACLs have been created to lock down the port's
    availability to only internal networks originating from an RFC1918
    address.

  • SSL termination is assumed enabled for all public endpoints by
    default. If this is not needed it can be disabled by setting the
    "openstack_external_ssl" option to false and the
    "openstack_service_publicuri_proto" to http.

  • If HAProxy is used as the loadbalancer for a deployment it will
    generate a self-signed certificate by default. If HAProxy is NOT
    used, an SSL certificate should be installed on the external
    loadbalancer. The installation of an SSL certificate on an external
    load balancer is not covered by the deployment tooling.

  • In previous releases connections to Horizon originally terminated
    SSL at the Horizon container. While that is still an option, SSL is
    now assumed to be terminated at the load balancer. If you wish to
    terminate SSL at the horizon node change the "horizon_external_ssl"
    option to false.

  • Public endpoints will need to be updated using the Keystone admin
    API to support secure endpoints. The Keystone ansible module will
    not recreate the endpoints automatically. Documentation on the
    Keystone service catalog can be found here
    (http://docs.openstack.org/developer/keystone/configuration.html#service-catalog).

  • Upgrades will not replace entries in the
    /etc/openstack_deploy/env.d directory, though new versions of
    OpenStack-Ansible will now use the shipped env.d as a base, which
    may alter existing deployments.

  • The variable used to store the mysql password used by the ironic
    service account has been changed. The following variable:

    ironic_galera_password: secrete

    has been changed to:

    ironic_container_mysql_password: secrete

  • There is a new default configuration for keepalived. When running
    the haproxy playbook, the configuration change will cause a
    keepalived restart unless the deployer has used a custom
    configuration file. The restart will cause the virtual IP addresses
    managed by keepalived to be briefly unconfigured, then reconfigured.

  • A new version of keepalived will be installed on the haproxy nodes
    if the variable "keepalived_use_latest_stable" is set to "True" and
    more than one haproxy node is configured. The update of the package
    will cause keepalived to restart and therefore will cause the
    virtual IP addresses managed by keepalived to be briefly
    unconfigured, then reconfigured.

  • Adding a new nova.conf entry, live_migration_uri. This entry will
    default to a "qemu-ssh://" uri, which uses the ssh keys that have
    already been distributed between all of the compute hosts.

  • The "lxc_container_create" role no longer uses the distro specific
    lxc container create template.

  • The following variable changes have been made in the "lxc_host"
    role:

    • lxc_container_template: Removed because the template option
      is now contained within the operating system specific variable
      file loaded at runtime.

    • lxc_container_template_options: This option was renamed to
      *lxc_container_download_template_options*. The deprecation filter
      was not used because the values provided from this option have
      been fundamentally changed and old overrides will cause problems.

    • lxc_container_release: Removed because image is now tied
      with the host operating system.

    • lxc_container_user_name: Removed because the default users
      are no longer created when the cached image is created.

    • lxc_container_user_password: Removed because the default
      users are no longer created when the cached image is created.

    • lxc_container_template_main_apt_repo: Removed because this
      option is now being set within the cache creation process and is
      no longer needed here.

    • lxc_container_template_security_apt_repo: Removed because
      this option is now being set within the cache creation process and
      is no longer needed here.

  • The "lxc_host" role no longer uses the distro specific lxc
    container create template.

  • The following variable changes have been made in the "lxc_host"
    role:

    • lxc_container_user_password: Removed because the default lxc
      container user is no longer created by the lxc container template.

    • lxc_container_template_options: This option was renamed to
      *lxc_cache_download_template_options*. The deprecation filter was
      not used because the values provided from this option have been
      fundamentally changed and potentially old overrides will cause
      problems.

    • lxc_container_base_delete: Removed because the cache will be
      refreshed upon role execution.

    • lxc_cache_validate_certs: Removed because the Ansible
      "get_url" module is no longer used.

    • lxc_container_caches: Removed because the container create
      process will build a cached image based on the host OS.

  • LXC package installation and cache preparation will now occur by
    default only on hosts which will actually implement containers.

  • The dynamic_inventory script previously set the provider network
    attributes "is_container_address" and "is_ssh_address" to True for
    the management network regardless of whether a deployer had them
    configured this way or not. Now, these attributes must be configured
    by deployers and the dynamic_inventory script will fail if they are
    missing or not True.

  • During upgrades, container and service restarts for the
    mariadb/galera cluster were being triggered multiple times and
    causing the cluster to become unstable and often unrecoverable. This
    situation has been improved immensely, and we now have tight control
    such that restarts of the galera containers only need to happen
    once, and are done so in a controlled, predictable and repeatable
    way.

  • The memcached log is removed from /var/log/memcached.log and is
    now stored in the /var/log/memcached folder.

  • The variable "galera_client_apt_packages" has been replaced by
    "galera_client_distro_packages".

  • Whether the Neutron DHCP Agent, Metadata Agent or LinuxBridge
    Agent should be enabled is now dynamically determined based on the
    "neutron_plugin_type" and the "neutron_ml2_mechanism_drivers" that
    are set. This aims to simplify the configuration of Neutron services
    and eliminate the need for deployers to override the entire
    "neutron_services" dict variable to disable these services.

  • Database migration tasks have been added for the dynamic routing
    neutron plugin.

  • As described in the Mitaka release notes
    (http://docs.openstack.org/releasenotes/neutron/mitaka.html) Neutron
    now correctly calculates for and advertises the MTU to instances.
    The default DHCP configuration to advertise an MTU to instances has
    therefore been removed from the variable "neutron_dhcp_config".

  • As described in the Mitaka release notes
    (http://docs.openstack.org/releasenotes/neutron/mitaka.html) Neutron
    now correctly calculates for and advertises the MTU to instances. As
    such the "neutron_network_device_mtu" variable has been removed and
    the hard-coded values in the templates for "advertise_mtu",
    "path_mtu", and "segment_mtu" have been removed to allow upstream
    defaults to operate as intended.

  • The new host group "neutron_openvswitch_agent" has been added to
    the "env.d/neutron.yml" and "env.d/nova.yml" environment
    configuration files in order to support the implementation of Open
    vSwitch. Deployers must ensure that their environment configuration
    files are updated to include the above group name. Please see the
    example implementations in env.d/neutron.yml
    (https://github.com/openstack/openstack-ansible/blob/stable/newton/etc/openstack_deploy/env.d/neutron.yml)
    and env.d/nova.yml
    (https://github.com/openstack/openstack-ansible/blob/stable/newton/etc/openstack_deploy/env.d/nova.yml).

  • The variable "neutron_agent_mode" has been removed from the
    "os_neutron" role. The appropriate value for "l3_agent.ini" is now
    determined based on the "neutron_plugin_type" and host group
    membership.

  • The default horizon instance launch panels have been changed to
    the next generation panels. To enable legacy functionality set the
    following options accordingly:

    horizon_launch_instance_legacy: True
    horizon_launch_instance_ng: False

  • A new nova admin endpoint will be registered with the suffix
    "/v2.1/%(tenant_id)s". The nova admin endpoint with the suffix
    "/v2/%(tenant_id)s" may be manually removed.

  • Cleanup tasks are added to remove the nova console git directories
    "/usr/share/novnc" and "/usr/share/spice-html5", prior to cloning
    these inside the nova vnc and spice console playbooks. This is
    necessary to guarantee that local modifications do not break git
    clone operations, especially during upgrades.

  • The variable "neutron_linuxbridge" has been removed as it is no
    longer used.

  • The variable "neutron_driver_interface" has been removed. The
    appropriate value for "neutron.conf" is now determined based on the
    "neutron_plugin_type".

  • The variable "neutron_driver_firewall" has been removed. The
    appropriate value for "neutron.conf" is now determined based on the
    "neutron_plugin_type".

  • The variable "neutron_ml2_mechanism_drivers" has been removed. The
    appropriate value for ml2_conf.ini is now determined based on the
    "neutron_plugin_type".

  • Installation of glance and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "glance_venv_bin", "glance_venv_enabled", "glance_venv_etc_dir", and
    "glance_non_venv_etc_dir" variables have been removed.

  • Installation of glance and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "gnocchi_venv_bin", "gnocchi_venv_enabled", "gnocchi_venv_etc_dir",
    and "gnocchi_non_venv_etc_dir" variables have been removed.

  • Installation of heat and its dependent pip packages will now only
    occur within a Python virtual environment. The "heat_venv_bin" and
    "heat_venv_enabled" variables have been removed.

  • Installation of horizon and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "horizon_venv_bin", "horizon_venv_enabled", "horizon_venv_lib_dir",
    and "horizon_non_venv_lib_dir" variables have been removed.

  • Installation of ironic and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "ironic_venv_bin" and "ironic_venv_enabled" variables have been
    removed.

  • Installation of keystone and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "keystone_venv_enabled" variable has been removed.

  • The Neutron L3 Agent configuration for the
    handle_internal_only_routers variable is removed in order to use the
    Neutron upstream default setting. The current default for
    handle_internal_only_routers is True, which does allow Neutron L3
    router without external networks attached (as discussed per
    https://bugs.launchpad.net/neutron/+bug/1572390).

  • Installation of aodh and its dependent pip packages will now only
    occur within a Python virtual environment. The "aodh_venv_enabled"
    and "aodh_venv_bin" variables have been removed.

  • Installation of ceilometer and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "ceilometer_venv_enabled" and "ceilometer_venv_bin" variables have
    been removed.

  • Installation of cinder and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "cinder_venv_enabled" and "cinder_venv_bin" variables have been
    removed.

  • Installation of magnum and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "magnum_venv_bin", "magnum_venv_enabled" variables have been
    removed.

  • Installation of neutron and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "neutron_venv_enabled", "neutron_venv_bin",
    "neutron_non_venv_lib_dir" and "neutron_venv_lib_dir" variables have
    been removed.

  • Installation of nova and its dependent pip packages will now only
    occur within a Python virtual environment. The "nova_venv_enabled",
    "nova_venv_bin" variables have been removed.

  • Installation of rally and its dependent pip packages will now only
    occur within a Python virtual environment. The "rally_venv_bin",
    "rally_venv_enabled" variables have been removed.

  • Installation of sahara and its dependent pip packages will now
    only occur within a Python virtual environment. The
    "sahara_venv_bin", "sahara_venv_enabled", "sahara_venv_etc_dir", and
    "sahara_non_venv_etc_dir" variables have been removed.

  • Installation of swift and its dependent pip packages will now only
    occur within a Python virtual environment. The "swift_venv_enabled",
    "swift_venv_bin" variables have been removed.

  • The variable "keystone_apt_packages" has been renamed to
    "keystone_distro_packages".

  • The variable "keystone_idp_apt_packages" has been renamed to
    "keystone_idp_distro_packages".

  • The variable "keystone_sp_apt_packages" has been renamed to
    "keystone_sp_distro_packages".

  • The variable "keystone_developer_apt_packages" has been renamed to
    "keystone_developer_mode_distro_packages".

  • The variable "glance_apt_packages" has been renamed to
    "glance_distro_packages".

  • The variable "horizon_apt_packages" has been renamed to
    "horizon_distro_packages".

  • The variable "aodh_apt_packages" has been renamed to
    "aodh_distro_packages".

  • The variable "cinder_apt_packages" has been renamed to
    "cinder_distro_packages".

  • The variable "cinder_volume_apt_packages" has been renamed to
    "cinder_volume_distro_packages".

  • The variable "cinder_lvm_volume_apt_packages" has been renamed to
    "cinder_lvm_volume_distro_packages".

  • The variable "ironic_api_apt_packages" has been renamed to
    "ironic_api_distro_packages".

  • The variable "ironic_conductor_apt_packages" has been renamed to
    "ironic_conductor_distro_packages".

  • The variable "ironic_conductor_standalone_apt_packages" has been
    renamed to "ironic_conductor_standalone_distro_packages".

  • The variable "galera_pre_packages" has been renamed to
    "galera_server_required_distro_packages".

  • The variable "galera_packages" has been renamed to
    "galera_server_mariadb_distro_packages".

  • The variable "haproxy_pre_packages" has been renamed to
    "haproxy_required_distro_packages".

  • The variable "haproxy_packages" has been renamed to
    "haproxy_distro_packages".

  • The variable "memcached_apt_packages" has been renamed to
    "memcached_distro_packages".

  • The variable "neutron_apt_packages" has been renamed to
    "neutron_distro_packages".

  • The variable "neutron_lbaas_apt_packages" has been renamed to
    "neutron_lbaas_distro_packages".

  • The variable "neutron_vpnaas_apt_packages" has been renamed to
    "neutron_vpnaas_distro_packages".

  • The variable "neutron_apt_remove_packages" has been renamed to
    "neutron_remove_distro_packages".

  • The variable "heat_apt_packages" has been renamed to
    "heat_distro_packages".

  • The variable "ceilometer_apt_packages" has been renamed to
    "ceilometer_distro_packages".

  • The variable "ceilometer_developer_mode_apt_packages" has been
    renamed to "ceilometer_developer_mode_distro_packages".

  • The variable "swift_apt_packages" has been renamed to
    "swift_distro_packages".

  • The variable "lxc_apt_packages" has been renamed to
    "lxc_hosts_distro_packages".

  • The variable "openstack_host_apt_packages" has been renamed to
    "openstack_host_distro_packages".

  • The galera_client role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "galera_client_package_state" should be set to "present".

  • The ceph_client role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "ceph_client_package_state" should be set to "present".

  • The os_ironic role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "ironic_package_state" should be set to "present".

  • The os_nova role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "nova_package_state" should be set to "present".

  • The memcached_server role always checks whether the latest package
    is installed when executed. If a deployer wishes to change the check
    to only validate the presence of the package, the option
    "memcached_package_state" should be set to "present".

  • The os_heat role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "heat_package_state" should be set to "present".

  • The rsyslog_server role always checks whether the latest package
    is installed when executed. If a deployer wishes to change the check
    to only validate the presence of the package, the option
    "rsyslog_server_package_state" should be set to "present".

  • The pip_install role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "pip_install_package_state" should be set to "present".

  • The repo_build role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "repo_build_package_state" should be set to "present".

  • The os_rally role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "rally_package_state" should be set to "present".

  • The os_glance role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "glance_package_state" should be set to "present".

  • The security role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "security_package_state" should be set to "present".

  • All roles always check whether the latest package is installed
    when executed. If a deployer wishes to change the check to only
    validate the presence of the package, the option "package_state"
    should be set to "present".

  • The os_keystone role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "keystone_package_state" should be set to "present".

  • The os_cinder role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "cinder_package_state" should be set to "present".

  • The os_gnocchi role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "gnocchi_package_state" should be set to "present".

  • The os_magnum role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "magnum_package_state" should be set to "present".

  • The rsyslog_client role always checks whether the latest package
    is installed when executed. If a deployer wishes to change the check
    to only validate the presence of the package, the option
    "rsyslog_client_package_state" should be set to "present".

  • The os_sahara role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "sahara_package_state" should be set to "present".

  • The repo_server role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "repo_server_package_state" should be set to "present".

  • The haproxy_server role always checks whether the latest package
    is installed when executed. If a deployer wishes to change the check
    to only validate the presence of the package, the option
    "haproxy_package_state" should be set to "present".

  • The os_aodh role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "aodh_package_state" should be set to "present".

  • The openstack_hosts role always checks whether the latest package
    is installed when executed. If a deployer wishes to change the check
    to only validate the presence of the package, the option
    "openstack_hosts_package_state" should be set to "present".

  • The galera_server role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "galera_server_package_state" should be set to "present".

  • The rabbitmq_server role always checks whether the latest package
    is installed when executed. If a deployer wishes to change the check
    to only validate the presence of the package, the option
    "rabbitmq_package_state" should be set to "present".

  • The lxc_hosts role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "lxc_hosts_package_state" should be set to "present".

  • The os_ceilometer role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "ceilometer_package_state" should be set to "present".

  • The os_swift role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "swift_package_state" should be set to "present".

  • The os_neutron role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "neutron_package_state" should be set to "present".

  • The os_horizon role always checks whether the latest package is
    installed when executed. If a deployer wishes to change the check to
    only validate the presence of the package, the option
    "horizon_package_state" should be set to "present".

  • The variable "rsyslog_client_packages" has been replaced by
    "rsyslog_client_distro_packages".

  • The variable "rsyslog_server_packages" has been replaced by
    "rsyslog_server_distro_packages".

  • The variable "rabbitmq_monitoring_password" has been added to
    "user_secrets.yml". If this variable does not exist, the RabbitMQ
    monitoring user will not be created.

  • All of the discretionary access control (DAC) auditing is now
    disabled by default. This reduces the amount of logs generated
    during deployments and minor upgrades. The following variables are
    now set to "no":

    security_audit_DAC_chmod: no
    security_audit_DAC_chown: no
    security_audit_DAC_lchown: no
    security_audit_DAC_fchmod: no
    security_audit_DAC_fchmodat: no
    security_audit_DAC_fchown: no
    security_audit_DAC_fchownat: no
    security_audit_DAC_fremovexattr: no
    security_audit_DAC_lremovexattr: no
    security_audit_DAC_fsetxattr: no
    security_audit_DAC_lsetxattr: no
    security_audit_DAC_setxattr: no

  • The container property "container_release" has been removed as
    this is automatically set to the same version as the host in the
    container creation process.

  • The variable "lxc_container_release" has been removed from the
    "lxc-container-create.yml" playbook as it is no longer consumed by
    the container creation process.

  • LBaaSv1 has been removed from the "neutron-lbaas" project in the
    Newton release and it has been removed from OpenStack-Ansible as
    well.

  • The LVM configuration tasks and "lvm.conf" template have been
    removed from the "openstack_hosts" role since they are no longer
    needed. All of the LVM configuration is properly handled in the
    "os_cinder" role.

  • In the "rsyslog_client" role, the variable "rsyslog_client_repos"
    has been removed as it is no longer used.

  • Percona Xtrabackup has been removed from the Galera client role.

  • The "infra_hosts" and "infra_containers" inventory groups have
    been removed. No containers or services were assigned to these
    groups exclusively, and the usage of the groups has been supplanted
    by the "shared-infra*" and "os-infra*" groups for some time.
    Deployers who were using the groups should adjust any custom
    configuration in the "env.d" directory to assign containers and/or
    services to other groups.

  • The variable "verbose" has been removed. Deployers should rely on
    the "debug" var to enable higher levels of memcached logging.

  • The variable "verbose" has been removed. Deployers should rely on
    the "debug" var to enable higher levels of logging.

  • The aodh-api init service is removed since aodh-api is deployed as
    an apache mod_wsgi service.

  • The "ceilometer-api" init service is removed since "ceilometer-
    api" is deployed as an apache "mod_wsgi" service.

  • The database create and user creates have been removed from the
    "os_heat" role. These tasks have been relocated to the playbooks.

  • The database create and user creates have been removed from the
    "os_nova" role. These tasks have been relocated to the playbooks.

  • The database create and user creates have been removed from the
    "os_glance" role. These tasks have been relocated to the playbooks.

  • The database and user creates have been removed from the
    "os_horizon" role. These tasks have been relocated to the playbooks.

  • The database create and user creates have been removed from the
    "os_cinder" role. These tasks have been relocated to the playbooks.

  • The database create and user creates have been removed from the
    "os_neutron" role. These tasks have been relocated to the playbooks.

  • The Neutron HA tool written by AT&T is no longer enabled by
    default. This tool was providing HA capabilities for networks and
    routers that were not using the native Neutron L3HA. Because native
    Neutron L3HA is stable, compatible with the Linux Bridge Agent, and
    is a better means of enabling HA within a deployment, this tool is
    no longer being set up by default. If legacy L3HA is needed within a
    deployment the deployer can set neutron_legacy_ha_tool_enabled to
    true to enable the legacy tooling.

  • The "repo_build_apt_packages" variable has been renamed.
    "repo_build_distro_packages" should be used instead to override
    packages required to build Python wheels and venvs.

  • The "repo_build" role now makes use of Ubuntu Cloud Archive by
    default. This can be disabled by setting "repo_build_uca_enable" to
    "False".

  • New overrides are provided to allow for better customization
    around logfile retention and rate limiting for UDP/TCP sockets:
    "rsyslog_server_logrotation_window" defaults to 14 days,
    "rsyslog_server_ratelimit_interval" defaults to 0 seconds, and
    "rsyslog_server_ratelimit_burst" defaults to 10000.

  • The rsyslog.conf is now using v7+ style configuration settings.

  • The "swift_fallocate_reserve" default value has changed from
    10737418240 (10GB) to 1% in order to match the OpenStack swift
    default setting.

  • A new option swift_pypy_enabled has been added to enable or
    disable the pypy interpreter for swift. The default is "false".

  • A new option swift_pypy_archive has been added to allow a pre-
    built pypy archive to be downloaded and moved into place to support
    swift running under pypy. This option is a dictionary and contains
    the URL and SHA256 as keys.

  • The "swift_max_rsync_connections" default value has changed from 2
    to 4 in order to match the OpenStack swift documented value.

  • When upgrading a Swift deployment from Mitaka to Newton it should
    be noted that the enabled middleware list has changed. In Newton the
    "staticweb" middleware will be loaded by default. While the change
    adds a feature it is non-disruptive in upgrades.

  • All variables in the security role are now prepended with
    "security_" to avoid collisions with variables in other roles. All
    deployers who have used the security role in previous releases will
    need to prepend all security role variables with "security_".

    For example, a deployer could have disabled direct root ssh logins
    with the following variable:

      ssh_permit_root_login: yes

    That variable would become:

      security_ssh_permit_root_login: yes

  • Ceilometer no longer manages alarm storage when Aodh is enabled.
    It now redirects alarm-related requests to the Aodh API. This is now
    auto-enabled when Aodh is deployed.

  • Overrides for ceilometer "aodh_connection_string" will no longer
    work. Specifying an Aodh connection string in Ceilometer was
    deprecated within Ceilometer in a prior release so this option has
    been removed.

  • Hosts running LXC on Ubuntu 14.04 will now need to enable the
    "trusty-backports" repository. The backports repo on Ubuntu 14.04 is
    now required to ensure LXC is updated to the latest stable version.

  • The Aodh data migration script should be run to migrate alarm data
    from MongoDB storage to Galera due to the pending removal of MongoDB
    support.

  • Neutron now makes use of Ubuntu Cloud Archive by default. This can
    be disabled by setting "neutron_uca_enable" to "False".

  • The "utility-all.yml" playbook will no longer distribute the
    deployment host's root user's private ssh key to all utility
    containers. Deployers who desire this behavior should set the
    "utility_ssh_private_key" variable.

  • The following variables have been renamed in order to make the
    variable names neutral for multiple operating systems.

    • nova_apt_packages -> nova_distro_packages

    • nova_spice_apt_packages -> nova_spice_distro_packages

    • nova_novnc_apt_packages -> nova_novnc_distro_packages

    • nova_compute_kvm_apt_packages ->
      nova_compute_kvm_distro_packages

Deprecation Notes


  • Removed "cirros_tgz_url" and in most places replaced with
    "tempest_img_url".

  • Removed "cirros_img_url" and in most places replaced with
    "tempest_img_url".

  • Removed deprecated variable "tempest_compute_image_alt_ssh_user".

  • Removed deprecated variable "tempest_compute_image_ssh_password".

  • Removed deprecated variable
    "tempest_compute_image_alt_ssh_password".

  • Renamed "cirros_img_disk_format" to "tempest_img_disk_format".

  • Downloading and unarchiving a .tar.gz has been removed. The
    related tempest options "ami_img_file", "aki_img_file", and
    "ari_img_file" have been removed from tempest.conf.j2.

  • The "[boto]" section of tempest.conf.j2 has been removed. These
    tests have been completely removed from tempest for some time.

  • The "openstack_host_apt_packages" variable has been deprecated.
    "openstack_host_packages" should be used instead to override
    packages required to install on all OpenStack hosts.

  • The "rabbitmq_apt_packages" variable has been deprecated.
    "rabbitmq_dependencies" should be used instead to override
    additional packages to install alongside rabbitmq-server.

  • Moved "haproxy_service_configs" var to
    "haproxy_default_service_configs" so that "haproxy_service_configs"
    can be modified and added to without overriding the entire default
    service dict.

  • galera_package_url changed to percona_package_url for clarity

  • galera_package_sha256 changed to percona_package_sha256 for
    clarity

  • galera_package_path changed to percona_package_path for clarity

  • galera_package_download_validate_certs changed to
    percona_package_download_validate_certs for clarity

  • The "main" function in "dynamic_inventory.py" now takes named
    arguments instead of a dictionary. This is to support future code
    changes that will move construction logic into separate files.

  • Installation of Ansible on the root system, outside of a virtual
    environment, will no longer be supported.

  • The variables "galera_client_package_*" and
    "galera_client_apt_percona_xtrabackup_*" have been removed from
    the role as Xtrabackup is no longer deployed.

  • The Neutron HA tool written by AT&T has been deprecated and will
    be removed in the Ocata release.

Security Issues


  • A sudoers entry has been added to the repo_servers in order to
    allow the nginx user to stop and start nginx via the init script.
    This is implemented in order to ensure that the repo sync process
    can shut off nginx while synchronising data from the master to the
    slaves.

  • A self-signed certificate will now be generated by default when
    HAproxy is used as a load balancer. This certificate is used to
    terminate the public endpoint for Horizon and all OpenStack API
    services.

  • Horizon disables password autocompletion in the browser by
    default, but deployers can now enable autocompletion by setting
    "horizon_enable_password_autocomplete" to "True".

  • The admin_token_auth middleware presents a potential security risk
    and will be removed in a future release of keystone. Its use can be
    removed by setting the "keystone_keystone_paste_ini_overrides"
    variable.

      keystone_keystone_paste_ini_overrides:
        pipeline:public_api:
          pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
        pipeline:admin_api:
          pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
        pipeline:api_v3:
          pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
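
To check whether a deployed paste configuration still loads the admin_token_auth middleware discussed above, the following added example (not part of openstack-ansible or keystone) parses the pipeline sections and derives the matching override. The sample file content is constructed and the function names are hypothetical.

```python
import configparser

RISKY_FILTER = "admin_token_auth"

# Constructed sample in the layout of a keystone paste file. Two pipelines
# still load admin_token_auth; the v3 pipeline has already been cleaned.
SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""


def load_pipelines(ini_text):
    """Return {section name: [filter, ...]} for every [pipeline:*] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    pipelines = {}
    for section in parser.sections():
        # Filter and app definitions are skipped; only pipelines list middleware order.
        if section.startswith("pipeline:") and parser.has_option(section, "pipeline"):
            pipelines[section] = parser.get(section, "pipeline").split()
    return pipelines


def find_admin_token_auth(ini_text):
    """Return the sorted names of pipelines that still include admin_token_auth."""
    return sorted(
        name
        for name, filters in load_pipelines(ini_text).items()
        if RISKY_FILTER in filters
    )


def build_overrides(ini_text):
    """Build a dict shaped like keystone_keystone_paste_ini_overrides.

    Only pipelines that contain admin_token_auth are emitted, each with the
    same filter order minus that one entry.
    """
    overrides = {}
    for name, filters in load_pipelines(ini_text).items():
        if RISKY_FILTER in filters:
            kept = [item for item in filters if item != RISKY_FILTER]
            overrides[name] = {"pipeline": " ".join(kept)}
    return overrides


if __name__ == "__main__":
    for section in find_admin_token_auth(SAMPLE_PASTE_INI):
        print("still loads admin_token_auth:", section)
    for section, body in sorted(build_overrides(SAMPLE_PASTE_INI).items()):
        print(section, "->", body["pipeline"])
```
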

Bug Fixes


  • This role assumes that there is a network named "public|private"
    and a subnet named "public|private-subnet". These names are made
    configurable by the addition of two sets of variables:
    "tempest_public_net_name" and "tempest_public_subnet_name" for
    public networks and "tempest_private_net_name" and
    "tempest_private_subnet_name" for private networks. This addresses
    bug 1588818
    (https://bugs.launchpad.net/openstack-ansible/+bug/1588818).

  • The "/run" directory is excluded from AIDE checks since the files
    and directories there are only temporary and often change when
    services start and stop.

  • AIDE initialization is now always run on subsequent playbook runs
    when "security_initialize_aide" is set to "yes". The initialization
    will be skipped if AIDE isn't installed or if the AIDE database
    already exists.

    See bug 1616281 (https://launchpad.net/bugs/1616281) for more
    details.

  • Add architecture-specific locations for percona-xtrabackup and
    qpress, with alternate locations provided for ppc64el due to package
    unavailability from the current provider.

  • The role previously did not restart the audit daemon after
    generating a new rules file. The bug
    (https://launchpad.net/bugs/1590916) has been fixed and the audit
    daemon will be restarted after any audit rule changes.

  • Logging within the container has been bind mounted to the hosts;
    this resolves issue 1588051
    (https://bugs.launchpad.net/openstack-ansible/+bug/1588051).

  • Removed various deprecated / no longer supported features from
    tempest.conf.j2. Some variables have been moved to their new
    sections in the config.

  • The standard collectstatic and compression process in the
    os_horizon role now happens after horizon customizations are
    installed, so that all static resources will be collected and
    compressed.

  • LXC containers will now have the ability to use a fixed mac
    address on all network interfaces when the option
    "lxc_container_fixed_mac" is set to true. This change will assist
    in resolving a long standing issue where network intensive services,
    such as neutron and rabbitmq, can enter a confused state for long
    periods of time and require rolling restarts or internal system
    resets to recover.

  • The dictionary-based variables in "defaults/main.yml" are now
    individual variables. The dictionary-based variables could not be
    changed as the documentation instructed. Instead it was required to
    override the entire dictionary. Deployers must use the new variable
    names to enable or disable the security configuration changes
    applied by the security role. For more information, see Launchpad
    Bug 1577944
    (https://bugs.launchpad.net/openstack-ansible/+bug/1577944).

  • Failed access logging is now disabled by default and can be
    enabled by changing "security_audit_failed_access" to "yes". The
    rsyslog daemon checks for the existence of log files regularly and
    this audit rule was triggered very frequently, which led to very
    large audit logs.

  • An Ansible task was added to disable the "netconsole" service on
    CentOS systems if the service is installed on the system.

    Deployers can opt-out of this change by setting
    "security_disable_netconsole" to "no".

  • In order to ensure that the appropriate data is delivered to
    requesters from the repo servers, the slave repo_server web servers
    are taken offline during the synchronisation process. This ensures
    that the right data is always delivered to the requesters through
    the load balancer.

  • The "pip_install_options" variable is now honored during repo
    building. This variable allows deployers to specify trusted CA
    certificates by setting the variable to
    "--cert /etc/ssl/certs/ca-certificates.crt".

  • The security role previously set the permissions on all audit log
    files in "/var/log/audit" to "0400", but this prevents the audit
    daemon from writing to the active log file. This will prevent
    "auditd" from starting or restarting cleanly.

    The task now removes any permissions that are not allowed by the
    STIG. Any log files that meet or exceed the STIG requirements will
    not be modified.

  • When the security role was run in Ansible's check mode and a tag
    was provided, the "check_mode" variable was not being set. Any tasks
    which depend on that variable would fail. This bug is fixed
    (https://bugs.launchpad.net/openstack-ansible/+bug/1590086) and the
    "check_mode" variable is now set properly on every playbook run.

  • The security role now handles "ssh_config" files that contain
    "Match" stanzas. A marker is added to the configuration file and any
    new configuration items will be added below that marker. In
    addition, the configuration file is validated for each change to the
    ssh configuration file.

  • Horizon deployments were broken due to an incorrect hostname
    setting being placed in the apache ServerName configuration. This
    caused Horizon startup failure any time debug was disabled.

  • Changed the way we name host containers groups in
    dynamic_inventory.py for a hostname from hostname_containers to
    hostname-host_containers to prevent failing in the case where
    containers groups have the same name as host containers when
    choosing hostnames inspired from containers group names. This change
    fixes the following bugs:
    https://bugs.launchpad.net/openstack-ansible/+bug/1512883 and
    https://bugs.launchpad.net/openstack-ansible/+bug/1528953.

  • The ability to support login user domain and login project domain
    has been added to the keystone module. This resolves
    https://bugs.launchpad.net/openstack-ansible/+bug/1574000

      # Example usage
      - keystone:
          command: ensure_user
          endpoint: "{{ keystone_admin_endpoint }}"
          login_user: admin
          login_password: admin
          login_project_name: admin
          login_user_domain_name: custom
          login_project_domain_name: custom
          user_name: demo
          password: demo
          project_name: demo
          domain_name: custom

  • LXC package installation and cache preparation will now occur by
    default only on hosts which will actually implement containers.

  • When upgrading it is possible for an old
    "neutron-ns-metadata-proxy" process to remain running in memory. If
    this happens the old version of the process can cause unexpected
    issues in a production environment. To fix this a task has been
    added to the os_neutron role that will execute a process lookup and
    kill any "neutron-ns-metadata-proxy" processes that are not running
    the current release tag. Once the old processes are removed the
    metadata agent running will respawn everything needed within 60
    seconds.

  • Assigning multiple IP addresses to the same host name will now
    result in an inventory error before running any playbooks.

  • The nova admin endpoint is now correctly registered as
    "/v2.1/%(tenant_id)s" instead of "/v2/%(tenant_id)s".

  • The auditd rules for auditing V-38568 (filesystem mounts) were
    incorrectly labeled in the auditd logs with the key of
    "export-V-38568". They are now correctly logged with the key
    "filesystem_mount-V-38568".

  • Deleting variable entries from the "global_overrides" dictionary
    in "openstack_user_config.yml" now properly removes those variables
    from the "openstack_inventory.json" file. See Bug

  • The "pip_packages_tmp" variable has been renamed
    "pip_tmp_packages" to avoid unintended processing by the py_pkgs
    lookup plugin.

  • The "repo_build" role now correctly applies OpenStack requirements
    upper-constraints when building Python wheels. This resolves
    https://bugs.launchpad.net/openstack-ansible/+bug/1605846

  • The check to validate whether an appropriate ssh public key is
    available to copy into the container cache has been corrected to
    check the deployment host, not the LXC host.

  • Static route information for provider networks now must include
    the cidr and gateway information. If either key is missing, an
    error will be raised and the dynamic_inventory.py script will halt
    before any Ansible action is taken. Previously, if either key was
    missing, the inventory script would continue silently without adding
    the static route information to the networks. Note that this check
    does not validate the CIDR or gateway values, just that the
    values are present.

  • The repo_build play now correctly evaluates environment variables
    configured in /etc/environment. This enables deployments in an
    environment with http proxies.

  • Previously, the "ansible_managed" var was being used to insert a
    header into the "swift.conf" that contained date/time information.
    This meant that swift.conf across different nodes did not have the
    same MD5SUM, causing "swift-recon --md5" to break. We now insert a
    piece of static text instead to resolve this issue.

  • The XFS filesystem is excluded from the daily mlocate crond job in
    order to conserve disk IO for large IOPS bursts due to
    updatedb/mlocate file indexing.

  • The "/var/lib/libvirt/qemu/save" directory is now a symlink to "{{
    nova_system_home_folder }}/save" to resolve an issue where the
    default location used by the libvirt managed save command can result
    in the root partitions on compute nodes becoming full when "nova
    image-create" is run on large instances.

  • Aodh has deprecated support for NoSQL storage (MongoDB and
    Cassandra) in Mitaka with removal scheduled for the O* release. This
    causes warnings in the logs. The default of using MongoDB storage
    for Aodh is replaced with the use of Galera. Continued use of
    MongoDB will require the use of vars to specify a correct
    "aodh_connection_string" and add pymongo to the
    "aodh_pip_packages" list.

  • The "--compact" flag has been removed from xtrabackup options.
    This had been shown to cause crashes in some SST situations.
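
The static route fix listed above only checks that "cidr" and "gateway" are present. The following added example (not the project's dynamic_inventory.py code) shows a pre-flight check a deployer could run that repeats the presence test and goes further by also validating the values. The sample data is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample shaped like the "provider_networks" list in
# openstack_user_config.yml; bridges and addresses are illustrative.
SAMPLE_PROVIDER_NETWORKS = [
    {"network": {
        "container_bridge": "br-mgmt",
        "static_routes": [
            {"cidr": "10.176.0.0/12", "gateway": "172.29.248.1"},
        ],
    }},
    {"network": {
        "container_bridge": "br-storage",
        "static_routes": [
            {"cidr": "10.20.0.0/16"},                               # gateway missing
            {"cidr": "10.30.0.0/33", "gateway": "172.29.244.1"},    # impossible prefix
            {"cidr": "10.40.0.0/16", "gateway": "172.29.244.300"},  # bad octet
        ],
    }},
    {"network": {"container_bridge": "br-vxlan"}},                  # no routes at all
]

REQUIRED_KEYS = ("cidr", "gateway")


def check_route(route):
    """Return a list of problem codes for one static route entry."""
    missing = [key for key in REQUIRED_KEYS if not route.get(key)]
    if missing:
        # Presence check: the condition the release note says now stops
        # the inventory script before any Ansible action is taken.
        return ["missing:" + key for key in missing]

    problems = []
    # Value checks: an addition in this example, beyond what the page describes.
    try:
        network = ipaddress.ip_network(route["cidr"], strict=False)
    except ValueError:
        network = None
        problems.append("invalid:cidr")
    try:
        gateway = ipaddress.ip_address(route["gateway"])
    except ValueError:
        gateway = None
        problems.append("invalid:gateway")
    if network is not None and gateway is not None:
        if network.version != gateway.version:
            problems.append("mismatch:address-family")
    return problems


def check_provider_networks(provider_networks):
    """Return (bridge, route index, problem code) for every bad route."""
    findings = []
    for entry in provider_networks:
        network = entry.get("network", {})
        bridge = network.get("container_bridge", "<unnamed>")
        for index, route in enumerate(network.get("static_routes") or []):
            for problem in check_route(route):
                findings.append((bridge, index, problem))
    return findings


if __name__ == "__main__":
    for bridge, index, problem in check_provider_networks(SAMPLE_PROVIDER_NETWORKS):
        print("%s static_routes[%d]: %s" % (bridge, index, problem))
```
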

Other Notes


  • "nova_libvirt_live_migration_flag" is now phased out. Please
    create a nova configuration override with
    "live_migration_tunnelled: True" if you want to force the flag
    "VIR_MIGRATE_TUNNELLED" to libvirt. Nova "chooses a sensible
    default" otherwise.

  • "nova_compute_manager" is now phased out.

  • The in tree "ansible.cfg" file in the playbooks directory has been
    removed. This file was making compatibility difficult for deployers
    who need to change these values. Additionally this file's very
    existence forced Ansible to ignore any other config file in either a
    user's home directory or in the default "/etc/ansible" directory.

  • Mariadb version upgrade gate checks removed.

  • The "run-playbooks.sh" script has been refactored to run all
    playbooks using our core tool set and run order. The refactor work
    updates the old special case script to a tool that simply runs the
    integrated playbooks as they've been designed.

Changes in openstack-ansible 13.0.0..14.0.0


98303ce Update role SHAs for 14.0.0 2016-10-19
c8e38f0 [Docs] Fix the alignment
f1e2070 Update role SHAs for 14.0.0 2016-10-18
e8aa2d2 Enable fixed mac address generation
a40428a Add full path to inventory
dffd265 updated Appendix H to C
97aa8ed Remove 'ignore_errors: true' in favor of 'failed_when: false'
b973a7d [docs] Clarify the 'Network configuration' section
fa21e2b Remove the rabbitmq deterministic sort
f7adda9 Create log aggregation parent directory
93a7aa6 Add support for the Ceph storage driver in Gnocchi
9572ffd [docs] Provide example configurations
6bbb3d5 Prevent overlayfs use in test when kernel < 3.18 or release == trusty
a0bfb6c [docs] Add network config example for test and prod
a87ab1a Fix container log bind mount regression
2d558be Change the common proxy cache manage tasks to be stateful
d5eb321 Configure Calico specific BIRD settings in OSA
d2b7195 [DOCS] Update manual upgrade guide
9ef988a Set default keepalived cidr if none is provided
18de1b4 [Docs] Removed extra grave accent()
0d824ce Update role SHAs for 14.0.0 2016-10-12
8668096 Fix value for openstack_host_manage_hosts_file
83dc13e Use UCA for keepalived by default
f3965d0 Add missing double quote
4664922 [DOCS] Edits to the target hosts chaps
b021ad2 [docs] Add Introduction heading to Appendix B
04605ca [Docs] There was typo mistake
dbef51e [docs] Alignment gets corrected
d30a5e3 Ensure that repo_server/repo_build use same user:group
5aee4a3 Rename ironic database password during upgrades
cfbd4f4 Set calico wheel name for py_pkgs lookup
7052150 [DOCS] Edits to installation chapter
b268540 [Docs] RabbitMQ is an AMQP server
ff436eb [Docs] Make the security note readable.
a3dd33a Update role SHAs for 14.0.0 2016-10-07
410d915 [Docs] Fix space typo with effect on rendered page
36ab2b3 [Docs] Fix Ansible link
5d151d6 Update all SHAs for 14.0.0 2016-10-06
1375f8c [DOCS] Applies edits to the OSA install guide appendix C
e6094c8 [DOCS] Applying edits to the OSA install guide: deployment host
d02fd99 [DOCS] Applying edits to the OSA install guide: configure
786b31e [DOCS] Applies edits to the OSA install guide appendix D
b638321 [DOCS] Edits to appendix E
abc1526 [DOCS] Adjust watermark color
4928c37 [DOCS] Edits to appendix F
8d9601b [DOCS] Edits to appendix G
34efaf9 Update all SHAs for 14.0.0 2016-10-05
fe99dad [DOCS] Applies edits to the OSA install guide appendix B
ca727cc [docs] Applying edits to the OSA install guide: overview
3c9d3d1 [DOCS] Applies edits to the OSA install guide appendix A
bc3c32c Fix a few grammatical errors
539f8fc Checksum all traffic traveling though the bridges
8f4c0c4 [docs] Update Newton doc index
342e147 Revises yaml to YAML
ad7231b [install-guide] Aligned properly at Test environment
ac14d06 Update UPPER_CONSTRAINTS_FILE for stable/newton
f709469 Update .gitreview for stable/newton
57fef57 Move base environment directory to an argument
1443268 Mock file system when testing duplicate IPs
ca7df2f Use detailed arguments for main function
62028d0 [DOCS] Added release-name as a watermark to Docs.
d98eb49 Change default log bind mount to be optional
ee40a8a Fix CentOS Ansible bootstrap
195b505 Update all SHAs for 14.0.0 2016-09-27
1604bba Add sshd_config to the bootstrap AIO process
b5806d7 Remove swift_repl|storage_address calculation
b091fff Update the order of release note page
2d1ebb3 Add ironic_rabbitmq settings to group_vars/all.yml
41f42be Filter pre_release versions of packages
6a8a41c Log the ansible runtime report to a file
57baef2 Remove the redundant exit tasks from the gate
671a092 Reduce config file IO and date coupling in tests
f94b2d4 Create complete AIO inventory config for tests
99b2747 Use lineinfile to add missing user secrets
0c8bd97 Update run-playbooks to support playbook logic
e857c43 Add Ironic service info to group_vars/all.yml
83ce564 [docs] Minor edit to the install guide
51a134d Remove use of venv_enabled variables
8d711ae Add debug logging to dynamic inventory
e279676 Force Ansible to use dynamic includes
a981b31 Add files to .gitignore
bd6a0d8 Add curl to utility distro packages
7ac2dd6 [DOC] Better clarification for container_interface in user_config.
350c061 Fix br-vlan port in multi-node bootstrap-host
18c9e1f Add export host option for inventory-manage script
773dc54 Fix deprecation warning for undefined variables
f40ecde Update all SHAs for 14.0.0
5098998 Update AIO script to support ubuntu-ports
1b0f020 [docs] Add links to example configuration files
6e50d69 os_ironic mysql password variable not updated
504bffa Add Swift telemetry notification consumer to Ceilometer
10a7d80 [docs] Resolve errors and simplify sphinx config
d980d26 Update testing bits for consistency
55de3ed [DOCS] Update to installation guide
5e3f0ba Remove search_regex from mariadb port check
f904d75 Fix bootstrap-host authorized_key transfer for multi-nodes
1926e6e Run haproxy playbook earlier within upgrade script
c8791e0 Move inventory management code to enable imports
ce26d14 Remove repo-server-pip-conf-removal from upgrade script
51f4dec Define networking for Multi-node environments
7a70d25 Remove existing MariaDB HTTPS repos during upgrade
39280be [DOCS] Added dynamic content to Upgrade guide from conf.py
6496c66 Retain apt sources options during host bootstrap
3917510 [install-guide] remove redundant part for security hardening
2e7a2b8 [install-guide] complete commands in prepare target hosts
bc8b321 Update all SHAs for Newton 2016-09-16
0bbf801 Modify use of assertTrue(A in B)
518fb38 Add lxc_host dynamic group to inventory.
867bf11 [DOCS] Added missing level info for haproxy_hosts
ec2656e Aodh should inherit service_region
2c2fe6c Updated from global requirements
2ec74e9 load variables as a simple var for upgrades
ecd81b9 Cleanup/standardize usage of tags in plays
e7f37f9 Remove assumption that the neutron_lbaas var is set
27a41d1 [DOCS] Added HAProxy example to Production environment document.
eff7914 Gnocchi identities created before Swift playbook
f7a50a2 Implement scenario capability for AIO
a29d5df Configure Ceilometer middleware for Gnocchi-Swift
968d893 [docs] Merge install guide configure content into a single page
cc250b7 Ensure that gnocchi uses keystone authentication
ab80b0a Fix log path option
863bedb [Docs] Add explanations about our bug triage process
e588a52 Enable the opportunistic strategy
eb55da0 Update all SHAs for Newton 2016-09-12
bceb1e1 Make the file name for user_secrets a variable
527e22f Correct Magnum issues found in AIO testing
5a878af Added the option to copy changes between stock env.d and repo env.d[M->N]
084fc69 Ensure file modes are 644 for inventory and group_vars for Magnum
1da4f02 [DOCS] Reorders ToC for upgrade guide
cbc9234 Properly namespace cinder_storage_address
5be187d Add ansible_host to dynamic inventory
3978647 Enabled conversion of existing db and tables to utf8_general_ci [M->N]
64708ec Compress all gathered logs for CI
1083dc9 bump the keystone sha for changes to keystone
8cc0125 [docs] added a necessary arg for ansible command after removal of ansible.cfg
d0448be [docs] Move all example configurations to Appendix
7c5f177 Add a doc example for yaml file overrides
3b6895b Move network_entry function to top level
0ba4f8b [docs] Minor edits to the overview chapter
128242a Derive the OpenStack service list from the service file
eeaa433 Reduce the default fact gather subset
e14d359 [docs] Replace 'Host Layout' with 'Service Architecture'
5cc5277 [docs] Split Network Architecture page
4f94bf7 Set file mode to 644 on os-magnum-install.yml
a5a5bf8 Skip V-38471 for CI execution
f4290c0 [Docs] Update security appendix
4f07ac6 [DOC]Added Xenial support in install guide
2d2b732 [docs] Revise Storage Architecture Overview
55b62e8 [DOCS] Renaming sections for install guide
28544d6 [DOCS] IA movement of the install guide
6b7e646 Ensure that repo build arch grouping always runs
4c18f3d Fixed assumed utility pip install for specific clients
a06d93d [DOCS] Clarify is_metal is required if using iSCSI
3210274 Revert "Disable SSL use for RabbitMQ"
c496fc5 Move storage diagrams
2e355b3 [DOCS] Rename upgrade documentation to upgrade guide
02ca69a [DOC]Added missing yml file and example for test and production environments.
e2341fc Optimize and fix known container hosts group
abec787 Move pip_lock_to_internal_repo to group_vars
cf52fa7 Ensure tempest always has an Ansible config export
752c9c9 Revert role SHA pins for Newton RC prep
6bd8f3c Add vars for Swift telemetry settings
9096b0d Disable SSL use for RabbitMQ
8d3b3e2 [docs] Add storage diagrams
91032ef Enable Gnocchi and Aodh when inv groups non-empty
73ee3eb Address missing variable in common tasks
46b662d [DOCS] Moving the draft install guide to the install-guide folder
851ac18 Fix role SHA's for Newton-3 release
7669501 Fixed hosts inclusion when requiring the lxc_hosts role
5ee185e Ensure that the filters_path is correctly updated
992e616 Implement container bind mount for all logs
58e9c8d Fix deprecation warning for undefined variables
a648951 Add RC source to scripts library
943676b Adding a playbook for deploying Sahara
d651ed7 Unbound DNS resolution containers
981db90 Remove pip.conf during upgrade on all hosts
c51fe9b Updated from global requirements
192efa5 [DOCS} Further edits, corrects to draft install
8be9f55 Update all SHAs for Newton 2016-08-25
29f29e6 Add Magnum deployment to setup-openstack playbook
a889885 Updated from global requirements
75b3628 Support multiple rabbitmq clusters
fe55aa2 DOC - note that stable/mitaka on Ubuntu works at most with 14.04
9767d12 Add the BGP dynamic routing neutron plugin
423c409 Remove the ansible.cfg file
c89f277 Add play to deploy Rally to the utility containers
cebce0c Project Calico integration
16bccd9 [DOCS] Add interface configuration content
df49eeb [DOCS] Correcting the appendix letters
92ad610 Tell existing shell about upgraded pip
f37351d DOC - remove quotation for code-blocks
6bcfc47 Removed variable changes table from the doc.
6f028ff Fix error when repo_build_git_cache is undefined
382f4be Set default/fix version numbers in upgrade script
8b2cdb3 Automatically detect whether to test all integrated roles
07123eb Fix wrong version of pip used in bootstrap
b1483c8 Automatically detect whether to test ceilometer/aodh
5ec339c Automatically enable the cinder backup service
ea7e218 Allow the repo-build to index utility pip packages
6a647d5 Remove security hardening toggle from AIO user_variables.yml
64c6307 Automatically set swift as the glance default store
704246d DOC - use 'shell-session' to render root user commands
c4efadd [DOCS] Clean up of draft install guide
adebdb8 Allow the use of a pre-staged git cache
ac35c1d [DOCS] Remove ceph and HAProxy from dev docs
ecf73b3 Move ceph_client and haproxy_server to IRR
31280a3 Make all linting tests use upper-constraints
5f396dd Loopback cinder image must insert before exit 0
2683082 Updated from global requirements
f7babef Implement inventory API docs
0103e0d Set a long package cache timeout for OpenStack-CI
89f088e Add aodh-api init removal upgrade docs and script
d68e65b Add an inventory config check option
9d8177f Update all SHAs for Newton 2016-08-15
b32b5d5 Support pulling architecture-tagged venv artifacts
ebc9af1 Remove old inventory conditional support
4049357 Reduce minimum data disk size for the AIO to 50GB
8d2caac Restrict Ansible fact gathering to base subset
45b9642 Limit LXC hosts playbook to container hosts only
2f87f8c Robust base dir support for bootstrapping
49c303a Create config test base class
619b40c Print remaining tasks on failed upgrade correctly
abc1663 Add ability to change apt/yum package state globally
07ef158 [docs] fix invalid hyperlink in overview-security.rst
36cd1de [DOC] Add cinder service when cleaning up aio host
28b1fc7 [docs] fix a link in overview-host-layout.rst
199e33c [DOCS] Updates to deploy config
f87b141 [DOCS] Update gate job names
d493444 [DOCS]Edited the path to installation workflow diagram in install-guide-draft
b5dc44c [DOCS] Removing and moving nova and neutron docs
ab887ee Include python requirements to resolve SNI issue for Ansible venv
b6d9220 Remove "optional" in the o_u_c example for repos
0d1c6ec Fix deprecation warning for ceph_client role.
12d4c7e Do not discard when creating XFS loopback
0461d79 Adding Magnum-UI Horizon support
55de7dd Move package cache configuration to common tasks
627429b [DOCS] Add storage architecture information
7146e82 Relocate Swift configuration docs to os_swift role
e9dd96e [DOC] Added automatic fetched latest tags.
57ea99a [DOCS] Ensuring deploy-config accurately reflects changes
c278267 [DOCS] Delete horizon docs
085e57d Enable Gnocchi by default
412b863 [DOCS] Delete ceilometer and aodh dev docs
6e432e8 Fix keepalived sync groups var name
19d9064 Remove SSL protocol/cipher from AIO user_variables.yml
5aa7998 Add haproxy_service_enabled boolean
162f530 Add ability to change apt/yum package state for the ceph_client role
62bcac9 Add ability to change apt/yum package state for the haproxy_server role
e18c636 Split package update/install commands
ab3a192 [DOCS] Remove apt proxy when rebuilding AIO
9b314bf Move other-requirements.txt to bindep.txt
e9e79a6 Manual upgrade doc fix
108ea96 Add discovery and build for multiple CPU architectures
b921676 [DOC] Modified conf.py to fetch the latest tag automatically
32b0b54 [DOCS] Remove ops-logging Doc
343d9d6 [DOCS] Remove and move keystone federation documentation
bc7b0a7 [DOCS] Move RabbitMQ configuration info
2e53019 [DOCS] Fix the appendix order
656543d Ensure that the LXC container log is also destroyed
b19f783 [Docs] Remove and move cinder config docs
783ad41 [DOCS] Remove and move ironic role docs
90884cd [DOCS] Remove and move glance documentation
37e7700 Adding support for Magnum
c69c031 [docs] Revise deployment host and target hosts chapter
d95eaf5 Add test for setting existing used IPs.
6535ec3 Disable V-38660 for OpenStack-CI
233eb80 Refactor "get_instance_info" gathering
d3e5487 Fix incorrect operations link in run-playbooks.sh
5dc89d8 Do not override Horizon ServerName in playbook
6cb3b1e Updated from global requirements
fd690e1 Better control of mariadb restarts in upgrades
6ae2266 Docs: Minor security overview update
85fde9f [DOCS] - Cleanup Telemetry docs
c69a07c [docs] Move ops content and fix build errors
5bf8c53 Update all SHAs for Newton 2016-08-01
b2629de Define retries on ceph keyring fetch task
6c7c870 Remove return_netmask function
c790092 Docs: Enabling LBaaSv2 horizon panel
5cc9d0b [docs] Revise deployment configuration chapter
a2ed5c3 [docs] Edit the installation chapter
59bdfb9 Add options to allow for selective git clone
17db059 Add SNI support via OS/python packages
cf875c8 Update Ansible pin to v2.1.1.0
f2f280b Update the home-page info with the developer documentation
d3f240e [docs] Modify host layout diagrams
48ed46e Add Horizon Ironic dashboard plugin
24403e7 Add openrc_region_name to define the service region for openrc files.
ccb1036 Added docs for removing compute host
2d965dc Add SNI support via OS packages
b52c21e [docs] Remove duplicated content
2c20e5f Revert role SHA pin for Newton-3 development
4cbd2f4 Restore telemetry service deployment
d2a2b72 Confirm container data destroys
767662b Fix get_url SNI issues in CentOS 7
9137874 Allow empty container dicts in env overrides
30c0ca3 Add nova-lxd virt driver git repo
c9925be Enable the use of a package manager cache
a4c836c Fix override of ANSIBLE_PACKAGE variable
b3def9d Update all SHAs for Newton 2016-07-27
dcfdc93 Fix role SHA's for Newton-2 release
b8b1491 If /var/log/lxc exists, move it to the log aggregation parent
99ffcf3 Implement git server HAP backend
2b422db [DOCS] Fix up validation failures
e3526a8 Fix distribution detection in bootstrap
e481744 Remove pip_install role execution from RabbitMQ playbook
9812d6d Fix deprecation warning for undefined variables
ae8bc70 Address Ansible bare variable usage
a7884ba Move UCA repo URL var to role defaults
95adb62 Optimise pip install tasks
413151f Change pip install task state to 'latest'
3fa780d Move LXC AppArmor profile setting to the inventory
ade366a Disable ansible retry files
48eedc7 Remove callback plugins
8f1b33d Update the sources-branch-updater
993515c Fix 'D000: Check RST validity' documentation lint failures
30dacdf Dynamically determine whether ceilometer should be enabled
c54736f Removing the infra_hosts and infra_containers groups
e2663c6 Support other architectures in apt sources.list
6bf159f Move LXC logs to /openstack/log
ed4bc6b Add CentOS7 support to the utility playbook
7b75c22 Updated from global requirements
91deb13 Cleanup/standardize common tasks
5455543 Moving neutron play vars to the group_vars for neutron
e37f524 Test LBaaSv2 in AIO
43f585a Support for Open vSwitch Distributed Virtual Routing
e6ad4cf Update all SHAs for Newton 2016-07-20
5510103 Implement overlayfs as the backing store for the AIO
88ae508 Install Ansible from pypi instead of from a git clone
5c4d8b2 [DOCS] Update 'Practice B' with note
e9f6acc Fix 'D001 Line too long' documentation lint failures
a982e3a [DOCS] Adding storage arch to install guide draft
8af2c12 Add other-requirements.txt
60bad86 Change requirements pin method
47bd970 Updated from global requirements
7836911 Resolve 'E501 line too long' linters error
4709455 Ensure that gate test does not remove ~/.ansible/tmp
439831f [DOCS] Adding in note for pretend_min_part_hours_passed
9427a99 [DOCS] Clarify variable usage in global_overrides
24e63ab Fix 'D001 Line too long' documentation lint failures
3ef1297 Fix tox functional test
68d68c2 Remove os-detection script
63b4989 Update mongodb bootstrap tasks
d312147 Removed the default pip install options from upgrade.sh
63012f0 Add upgrade playbook to update database collations
8e9b800 Added git package to the utility container
98e77ca Remove excessive tags
7518743 Adding requests to bootstrap ansible
57fa0b9 Decouple galera client role from OSA inventory groups
0304137 Docs: Implement Manuals Theme and doc8 checks
89d82b0 Fix 'D002 Trailing whitespace' doc errors
14f6650 Introduce a playbook for deploying Gnocchi
31e6cd0 Remove pip_lock_down requirement
430cb36 [DOCS] PIP install via deployment host
8fb6a3b Fix skipping Ceph client linking
a146b7a Document env.d changes in install guide
35c4b55 Fix Neutron local_ip fallback
08beb6f glance_api_servers must contain a valid url with protocol
8d73290 Fail Fast when trying to upgrade with LBaaS v1 enabled
bb2d4ad [docs] Remove duplicated content in the current install guide
f870707 Doc: Update documentation for lxc_net_mtu config
255de98 Update tox configuration
cba8bd5 Document swift in the host layout section
8a49b0c Remove aodh vars present in group_vars
3403f05 Remove duplicate exit_early execution
693911d HAProxy extra endpoints
b511791 HAProxy: configure either novnc or spice
7b288ea Use in-tree env.d files, provide override support
523822b Fix memcached flush if -l is in hostname
976d62f
Remove cinder vars present in group_vars 5c31795 Remove ceilometer vars present in group_vars a4053a9 [docs] Revise overview chapter in OSA install guide 2a03ba0 Enable OpenStack-Infra Ubuntu Cloud Archive mirror 59e5a7c Define galera_address in the all group_vars 8972dec [docs] Address tox errors dff646c Remove _net_address_search from dynamic inventory 3b51d07 Fix HAProxy config and install version when ssl is disabled d524386 Flush memcached on first listen IP only 4a7e954 Confirm container destroys 912de0f Make pip_lock_to_internal_repo a playbook var 42f1e4b DOC - Fix YAML format in cidr_networks example e84cc94 Remove references to unused heat vars fe9fc36 Trivial typo fixes to dynamic_inventory.py 9be0662 Refactor run-playbooks 23708a6 Docs: Enable LBaaS v2 Horizon panel a471cbc Removing duplicate gather_facts in playbooks e46c1c5 Enable human readable logging fbac5f8 [docs] Fix build errors cc7bd49 Change USED_IPS variable to a Python set 2321424 Address Ansible bare variable usage 97eb3b3 Remove remaining container_release properties 6ac4aa1 Ignore Ansible .retry files 4aa13d4 DOC - Remove instructions to run haproxy-install.yml play 5f06376 Fix typos in openstack-ansible/doc ad69389 Update lists of skipped security role tasks a232676 Gate: Restrict Ansible fact gathering to base subset 2a5a2a1 Add an easy way to run cmds in utility container 7b2a995 Disable root private key distribution by the utility playbook d3f7e80 Remove libvirt bootstrapping from AIO b8802f5 Add conditional for overlay network settings f68bebd Auto-enable Ceilometer + Aodh integration bdb856c [docs] Migrate ops and appendix content effa83d Fix keystone DB Access variable f426eb9 Remove deleted override vars from inventory 53bb55d Ensure that AIO extra indexes config is well formed 875c5e4 [docs] Revise upgrade guide structure 19ac766 Address Ansible bare variable usage f5b39a0 Docs: Fix missing instructions for newton manual upgrades ade33a3 Temporarily disable UCA usage in 
OpenStack-CI fe60f1e Add release file prep script e5622ad Speed up gate: avoid gathering facts more than necessary 238257b [docs] Migrate deployment configuration options 5db330d Configuring AODH DB now that it uses MySQL. 4402fd3 Docs: Add role development maturity guidelines e679951 Actually remove Ironic container creation from AIO preparation 3fafd24 DOC - fix links in upgrade-playbooks 49c5d1d [docs] Add draft install guide directory d59a2ff Reduce and organize group vars 1133ea8 Remove the AIO metadata checksum fix from run-playbooks 4970801 DOC - Adjust tag usage instructions for VPNaaS 18d4350 Switch Ironic role repo to use git.o.o 07357dd Remove Ironic container creation from AIO preparation 12ba130 Extract and test inventory and backup I/O 7c8533a DOC add note about building AIO more than once f479a21 Do not use cpu_map_update.py anymore 16c0193 change host_containers group names in inventory 06e5aba Revert to test role master branches for Newton-2 development bb69b66 Update all SHAs for Newton-1 2016-06-02 810e0a7 Use combined pip_install role dbdc1c7 Update ansible to version 2.1 3d62933 Consistency for multi-os in the includes d790aa8 DOC New Appendix - custom component layouts 1d29082 RFC1034/5 hostname upgrade e31dee1 Remove AIO cache resolver configuration b5b2bb9 Add RabbitMQ mgmt UI through HAProxy b3683de Remove unneeded playbook vars bd33008 Clarify static route requirements check 729c06c Correct nova admin endpoint version e32d850 Note to deployers overriding MTUs 246d10e DOCS: Clarify guidance for deploy hosts 4303174 Cleanup horizon vars in hosts.yml 8ae5127 Update HAProxy for multi-OS support f7369d9 lxc_cache_resolvers [u'nameserver1',u'nameserver2'] fixing 1211668 [DOCS] Adding missing kernel modules for VPNaaS c904de2 Isolate Ansible from the deployment host 3bb1c40 DOCS: Clean up of the Newton upgrade guide 7f70ca7 Set AIO to use an OpenStack-Infra wheel mirror 4b051d7 Test _ensure_inventory_uptodate function 7ebe085 Reduce reliance on 
global state for testing 5a1bf48 Ensure all role dependencies are consistently specified 96443f5 Automatically enable neutron ha router capabilities b4f5e13 Expose upgrade guide in base index 86fbc79 Add tests for the _net_address_search function 894e0c4 Test static route settings 213d028 Create ceph python library symlinks 30c59b2 Updates all SHAs for Newton 2016-05-19 96d0dd0 Added option to set the role fetch mode d49494b Add nova-powervm repo for initial PowerVM support b15363c Remove paramiko restriction 69f60a8 Remove AIO container cache apt configuration edee94d Change to using ANSIBLE_FORKS and update related tip 25bb84a Ignore the .coverage temp file 085c31d Bump swift SHA c52755e Docs: Add note about slow galera recovery 59694c7 Network service docs cleanup 6a61321 Add docs for LBaaSv2 Horizon panels 0cdaa5c Various fixes to the proxy default conf and doc 2f81ec1 Updated the link as per comments 6e9db90 Verbose option has been deprecated from oslo.log 0984490 Fix install guide link in contributor guide a372277 Docs: Add note about releasenotes local build fbd1f3f Docs: Troubleshooting info for 3.13 kernel upgrade 602ddac DOC - AIO build expected to be performed as root user 3e4c9df Docs: Cross ref local tests on contribution guide f0c46ca Docs: Document SSH key exchange for Ceph client a44d075 Docs: Fix bulleted lists and spacing 3a0523a DOC: Change swift mountpoint to /srv/node 12d9ef2 Docs: Update Liberty & Mitaka release status a88778f Initial commit to enable mitaka>newton upgrades 601487b Add documentation guidance to the contributor guide 45d5ee5 Refactor ceph_client for multi-OS and ceph 0d3b531 Document the Release Notes build 28340ab DOCS: Deployment host section - cleanup 71554ca DOCS: Configuration section - cleanup cff6ea0 Added the DB and DB user create to the plays 1124a5e Test inventory backup file creation bb5b306 Doc: Correct the note about the LXC host ssh key check e78c9e3 DOCS: Configuration section - cleanup 02f8d3d Test and refactor 
argument parsing 8b6fb77 DOC - Removing incorrect doc about installation workflow 8399965 Check for two IP addresses assigned to same host dfc642c Docs: Mandatory ssh public key 6be15b8 Isolate Ansible bootstrap from repo servers 60247f2 Add group vars to prep for os_tempest role changes 8e663d7 Add neutron_openvswitch_agent to env.d files 2f45772 Revert "Fix container hostname for RFC 1034/1035" 21c2478 install rabbitmq-server in serial 349e134 DOCS - Installation with limited network connectivity 9a2df7c Mention of the supported locales in the documentation 4b84a8c Use task state instead of output to create haproxy log directory 87e32dc Automatically increment the patch ver with sources-branch-updater 7e8d629 Doc: Configuring the network refactor 55155f3 DOCS: Configuration section - cleanup 0086227 Doc: Configuring the network on target refactor c441849 Ensure that the sources-branch-updater updates the Ironic role 32fd0e7 Fix dynamic_inventory.py test bug a0bceb9 Removed container_release property from environment files 12f0c68 Doc: Notice to disable security hardening role during minor upgrades 4330b4c DOC - Adding footer to Nuage Appendix doc 18ddf7b Add .swp files to .gitignore d80d6f9 Make tox use python2.7 more specifically eee35cc Build wheel for neutron-lbaas-dashboard e971e15 Integrated updates after the multi-distro changes 6bcb3d1 Add release note for paramiko issue workaround afc9ec9 Docs: Appendix section - cleanup 7a82904 Docs: Ops section - cleanup 89963f6 Docs: Installation section - cleanup 2703e4b Docs: Target hosts section - cleanup 3a5672b Check for IP addresses assigned to multiple hosts 5443833 Docs: Overview section - cleanup 51441fe Disable security role during major upgrades 1b4550b Add dependencies for paramiko 2.0 2c5edcf Docs: Clean up multiple make html warnings ef347ab Remove unused var pip_no_index 5a931c7 Add error test coverage and adjust test setup 0cf2c9b Fix typo in overview-hostlayout.rst 2a2ad3a Remove teardown.sh and update 
related docs 92eb98e Enable SSL termination for all services c361fae Improved logging for memcached (OSA calling part) dbcfdec Add docs for limiting access to services 34ddd52 Fix LBaaSv2 neutron_plugin_base entry in docs e22641a Execute rabbitmq sorts for config tags 909bf76 Set test python executable to python2 644c57b Docs: Update PLUMgrid neutron services dict override 3107fdd Docs: Cleanup page to configure to docs standards 43ff983 [User Guides] Link Updates - openstack-ansible 2fc728d Update Newton SHA's 2016-04-22 72c593c Add docs for HAProxy ping checks 8387b68 Change keystone admin/internal insecure flags e8ae4cb Update sources-branch-updater to handle release note copying 608640c Add missing line number report, fix coverage dep ebdff9e DOCS: Update aio docs for Mitaka edda55e Docs: Split Network Services section into multiple files 7280c90 Docs: Add pip configuration removal to AIO re-deployment process aa1f09f [DOCS] Adding Ironic configuration docs to Ansible install guide b50a190 Nuage Neutron Plugin OSA Install guide 2ffb776 Change keystone admin/internal insecure flags 928e907 Refactor main inventory function for testability 559d2dc Add coverage reporting to inventory testing 9a737ad Fix container hostname for RFC 1034/1035 27e65b2 DOC - Adding warning about changing passwords/secrets ca73998 Add option to auto enable from VPNaaS in Horizon dfe4f10 Docs: Change invalid reference to FWaaS in VPNaaS documentation ae99efd Adding modularity to keepalived configuration 5fceb78 Added horizon documentation section for cinder bb1db35 Doc: Improved documentation about LVM overwrite behaviour f8c30f0 make hostname,network and ip-address on all examples consistent 4604950 blacklist Ansible 1.9.6 0d9530c Addironicswifttempurlsecretkey` the secrets
60603c3 Adjust ansible-role-requirements-editor file open options
12555d7 ceph configuration for nova glance and cinder
2d82d41 Move inventory environment loading to function
fac5030 Update source-branch-updater to work with IRR's
35ed804 Add installation support for os_ironic
12a3fba Fixing keepalived bug when 2+ backup nodes have the same priority
fa7218d Minor fix to correct passive to active voice
13de5ff Fix idempotency bug in AIO bootstrap
a2c1d8c Fix configuration string for haproxy
4f3b266 Refactor user config loading into function
f56c9c6 Modify the haproxy play for ansible2 compat
6d3eea3 Add project scoped token when obtaining token
2288151 Add convenience links for install workflow doc
dde53b1 Add tempest_log_dir variable
b6a5c9a Apply host security hardening by default
d87fdf2 Specify allocation pool for public subnet
cc416a1 Doc index update
bb61cc0 Add debug and verbose to user variables
6485728 Add trustybackports note to requirements
beafa5b Add Ceilometer instructions to new compute node instructions
36a8151 Update documentation index page
1cc4c11 Set SHA's for master to OpenStack master SHA's
4317c3e Update reno for stable/mitaka
4e5e52a set up the unreleased page for reno
d72e3a6 Fix typo in swift.yml.example file
6eb3c34 Ensure the OpenStack gate has access to the logs
797dbb6 Remove hard-coded pip indexes from repo-build playbook
fa063b9 removed duplicate key
6f9ef5f Set lxc_container_caches not to use repo_pip_default_index
496bc49 Removing unneeded is_metal param from user_defined_setup
00207d3 Include security role in setup-hosts.yml

Diffstat (except docs and test files)


.../notes/implemented-v38524-b357edec95128307.yaml | 12 +
.../improved-audit-rule-keys-9fa85f758386446c.yaml | 5 +
.../notes/install-local-019edab04ffc8347.yaml | 8 +
.../intree-and-override-envd-371cf9a809b51fe0.yaml | 14 +
.../inventory-debug-flag-ead0ae2a2a1d7b90.yaml | 6 +
...y-main-function-arguments-8c43e4c7175937d3.yaml | 6 +
...ry
hostcontainersnaming-d1f42a0c91d68154.yaml | 11 +
.../ironic-1604-support-b9ebb12ee4d78275.yaml | 3 +
.../notes/ironic-integration-264c4ed622a3a04e.yaml | 6 +
...e-mysql-password-variable-ec33f37ba6c4fac1.yaml | 16 +
.../notes/isolate-ansible-3e8fcfdff9962a9b.yaml | 9 +
...d-default-cidr-workaround-8f2b5a0b074898e1.yaml | 9 +
.../notes/keepalived-upgrade-e63a11b7d4dcba20.yaml | 22 +
...userandprojectsupport-e35b0b335b6522e9.yaml | 42 +
.../lbaasv2-horizon-panel-8f99026b025ca2fd.yaml | 9 +
...2-service-provider-config-57d394bdc64f632e.yaml | 5 +
.../notes/list-extend-toggle-46a75ded97b7ce02.yaml | 6 +
...ration-default-set-to-ssh-6add1dbdeea43509.yaml | 5 +
.../notes/lxc-cache-gpg-156169a867d4653f.yaml | 7 +
...xc-container-multi-distro-f495f73951fafd1a.yaml | 29 +
...lxc-container-start-delay-d7917f69d9469316.yaml | 6 +
.../lxc-host-setup-refactor-e43559764af67fea.yaml | 29 +
.../notes/lxc-hosts-limit-9784050b888ea7c8.yaml | 7 +
.../notes/lxchosts-group-a5643e7010d6b151.yaml | 6 +
.../make-ha-router-a-toggle-9d87d688e8d506c9.yaml | 4 +
.../make-ha-router-a-toggle-eefd61fc7978240d.yaml | 4 +
.../notes/make-ipv6-a-toggle-63d9c839e204cdda.yaml | 14 +
...ment
networkconfigcheck-66778387f38b9e0c.yaml | 8 +
.../mariadb-rolling-upgrades-323510425c3c7751.yaml | 8 +
.../memcached-logging-change-8825c2bdbcf824b9.yaml | 10 +
...server-add-nofile-setting-504e0c50e10a4ea6.yaml | 9 +
.../metadata-proxy-cleanup-eed6ff482035dc83.yaml | 10 +
.../mitaka-deprecations-72bec69c1395261d.yaml | 10 +
.../notes/multi-arch-build-1ad512acdf6cabb9.yaml | 7 +
.../notes/multi-arch-support-a8762f6ea7fdbcef.yaml | 8 +
.../notes/multi-distro-add-0e53560f66394691.yaml | 6 +
.../multiple-ips-for-host-f27cb1f1e878640d.yaml | 4 +
...tron-agent-dynamic-enable-47f0c709ef0dfe55.yaml | 15 +
.../notes/neutron-bgp-552e6e1f6d37f38d.yaml | 9 +
.../notes/neutron-calico-2332b0972708af8a.yaml | 5 +
...n-conditional-overlay-net-eeb6ffefbe01c188.yaml | 7 +
.../notes/neutron-dhcp-mtu-8767de6f541b04c1.yaml | 8 +
.../neutron-mtu-cleanup-ce73693b4f7aef0d.yaml | 9 +
...neutron-network-variables-ff6d2c7f8c7c3ccd.yaml | 10 +
...neutron-networking-calico-b05b08f989f768ee.yaml | 5 +
...n-openvswitch-agent-group-a63da4af11202790.yaml | 9 +
.../neutron-ovs-powervm-116662f169e17175.yaml | 18 +
.../notes/neutron-vpnaas-5c7c6508f2cc05c5.yaml | 8 +
.../notes/neutronovsdvr-7fca77cac0545441.yaml | 11 +
.../ng-instance-management-f9134fc283aa289c.yaml | 16 +
.../nova-admin-endpoint-fix-d52cc00caa5ab5dd.yaml | 6 +
...console-proxy-git-cleanup-cdeffd3f0d040275.yaml | 8 +
...-largecluster-key-inserts-afc8cac63af41087.yaml | 12 +
.../notes/nova-powervm-b4eddae30abbd08e.yaml | 5 +
.../notes/nova-uca-support-409b2e6afbce47b1.yaml | 10 +
...ind-local-interfaces-only-05f03de632e81097.yaml | 5 +
.../online-lxc-network-add-3cfc84ea28e5eab0.yaml | 5 +
.../openvswitch-support-1b71ae52dde81403.yaml | 14 +
...egy-and-connection-plugin-bc476fa3607dcc4a.yaml | 11 +
...-glance-only-install-venv-0271d3238c0d561c.yaml | 6 +
...gnocchi-only-install-venv-4e532f44fcf5cda5.yaml | 6 +
...os-heat-only-install-venv-e3e8e466dd67c2bc.yaml | 5 +
...apache-log-format-support-34c9ef74b3bcce31.yaml | 5 +
...horizon-only-install-venv-0fd3292d2b61e840.yaml | 6 +
...-ironic-only-install-venv-0da32fc36bfeae2b.yaml | 5 +
...in-token-auth-deprecation-24e84a18f8a56814.yaml | 17 +
...apache-log-format-support-7232177f835222ee.yaml | 4 +
...pache-mpm-tunable-support-1c72f2f99cd502bc.yaml | 17 +
...eystone-only-install-venv-b766568ee8d40354.yaml | 5 +
...e-uwsgi-and-nginx-options-2157f8e40a7a8156.yaml | 22 +
...dleinternalonlyrouters-e46092d6f1f7c4b0.yaml | 7 +
...os
aodh-only-install-venv-3c80a0a66824fcd7.yaml | 5 +
...lometer-only-install-venv-f3cd57b4a1d025c5.yaml | 5 +
releasenotes/notes/oscinder-1604-support.yaml | 3 +
...os
cinder-centos7-support-732f8feac7241e2a.yaml | 4 +
...cinder-only-install-venv-914d5655dd645213.yaml | 5 +
...os
glance-centos7-support-21cb81e361831c9f.yaml | 4 +
...keystone-centos7-support-0a5d97f81ac42e44.yaml | 4 +
.../os
magnum-install-venv-30263e29e51a2610.yaml | 5 +
...um-xenial-systemd-support-2e1ee4253dff2b5c.yaml | 4 +
...neutron-only-install-venv-ca3bf63ed0507e4b.yaml | 6 +
.../osnova-install-venv-6c6c2ba28f67a891.yaml | 5 +
.../os
rally-install-venv-71cbd1f6ce4fd983.yaml | 5 +
...sahara-only-install-venv-8ead48687897ce0b.yaml | 6 +
...s
swift-only-install-venv-fdd5d41759433cf8.yaml | 5 +
...package-list-name-changes-007cacee4faf8ee6.yaml | 10 +
...package-list-name-changes-38f1554097b6bbe9.yaml | 4 +
...package-list-name-changes-4a42f561dac5754e.yaml | 4 +
...package-list-name-changes-4d5ad2e6ff5ecae2.yaml | 4 +
...package-list-name-changes-6f74fbf336030242.yaml | 8 +
...package-list-name-changes-7c8a6dd652b271cf.yaml | 8 +
...package-list-name-changes-7fcd5583f0db0eb6.yaml | 6 +
...package-list-name-changes-a26d94a44c24de2f.yaml | 6 +
...package-list-name-changes-a5571c0b72faadf2.yaml | 4 +
...package-list-name-changes-a86f7e7c805c2d81.yaml | 10 +
...package-list-name-changes-b484be7645bbe66a.yaml | 4 +
...package-list-name-changes-e351db8b482f1326.yaml | 6 +
...package-list-name-changes-e6f88d12f3bd9fa0.yaml | 4 +
...package-list-name-changes-e7a3fc551d742d23.yaml | 4 +
...package-list-name-changes-fdf9c6573bfa1083.yaml | 4 +
.../notes/package-state-003ff33c557af3b5.yaml | 13 +
.../notes/package-state-1d27f4c7f8618cef.yaml | 13 +
.../notes/package-state-2e8e2eb4b24475c4.yaml | 13 +
.../notes/package-state-38187ec5242a005b.yaml | 13 +
.../notes/package-state-3bf07796262fc9b9.yaml | 13 +
.../notes/package-state-441864557ee5d75b.yaml | 13 +
.../notes/package-state-48e933a395bbdc0c.yaml | 13 +
.../notes/package-state-505f9772bb0d668e.yaml | 14 +
.../notes/package-state-55fceaf0cd23147e.yaml | 13 +
.../notes/package-state-63a870de53dd5cd8.yaml | 13 +
.../notes/package-state-646b25638f523411.yaml | 13 +
.../notes/package-state-6684c5634bdf127a.yaml | 13 +
.../notes/package-state-6f5ce66be8ddf119.yaml | 12 +
.../notes/package-state-711a1eb4814311cc.yaml | 13 +
.../notes/package-state-7caea8f1db708a2e.yaml | 13 +
.../notes/package-state-7cbc7179b51ecdde.yaml | 13 +
.../notes/package-state-7d62ea1e50ad391b.yaml | 13 +
.../notes/package-state-8b0189f8824b7568.yaml | 13 +
.../notes/package-state-979c963fb18f7a25.yaml | 13 +
.../notes/package-state-9a2f60adb4ab68cd.yaml | 13 +
.../notes/package-state-ab251d8987422f59.yaml | 13 +
.../notes/package-state-b032231a3cc99ee0.yaml | 13 +
.../notes/package-state-b41a0e911ad95d1c.yaml | 13 +
.../notes/package-state-b7a3d3c242e2c3aa.yaml | 13 +
.../notes/package-state-bb93a1d4b272425d.yaml | 13 +
.../notes/package-state-c9c7e01e77b596d0.yaml | 14 +
.../notes/package-state-ed22b9a6683690b3.yaml | 13 +
.../notes/package-state-f2309b07440d0ae8.yaml | 13 +
.../notes/package-state-fb7d26a4b7c41a77.yaml | 13 +
.../notes/package-state-fda322f5e667bbec.yaml | 13 +
.../notes/package-var-rename-6ec3af6242073a2e.yaml | 4 +
.../notes/packagevarrename-9a55f7030595fdef.yaml | 4 +
...paramiko-2-0-dependencies-9a7c7fe9aeb394e4.yaml | 6 +
.../notes/path-customization-e7e0ae0f93e5283b.yaml | 4 +
.../notes/pip-source-store-d94ff2b68a99481a.yaml | 10 +
.../notes/pkg-cacher-cfeae8fb990904a4.yaml | 6 +
.../notes/policy-override-522df5699f09c417.yaml | 6 +
...tmw-management-ui-haproxy-e9f9ec0343484f2d.yaml | 17 +
.../notes/rallyplay-82fa27d8ba2ce22d.yaml | 3 +
.../reduce-auditd-logging-633677a74aee5481.yaml | 25 +
.../notes/remove-ansible.cfg-e65e4f17bc30cce7.yaml | 17 +
.../remove-container-release-fa49ff23ca8c1324.yaml | 6 +
.../notes/remove-lbaasv1-26044c48b5d3b508.yaml | 8 +
...nfig-from-openstack-hosts-efb7d0b3a22d49df.yaml | 6 +
.../notes/remove-overrides-17ef7d0496f6a6c7.yaml | 5 +
...move-rsyslog
clientrepos-055ce574bee8bd14.yaml | 4 +
...emove-upgrade-gate-checks-3fbe339e06094681.yaml | 3 +
.../notes/remove-xtrabackup-0513a40593f2d0e3.yaml | 7 +
.../notes/remove
infragroup-45e7747e341d97cf.yaml | 9 +
.../notes/remove
verbosevar-c22f4946eedbc5f2.yaml | 5 +
.../notes/remove
verbosevar-e88f65e0c7c440f4.yaml | 4 +
.../removed-aodh-api-init-9e2406629196efff.yaml | 4 +
...moved-ceilometer-api-init-a4bfc4cbabcbcb16.yaml | 4 +
.../removed-db-create-tasks-276095a2293ed4ee.yaml | 5 +
.../removed-db-create-tasks-3deea562441871c6.yaml | 5 +
.../removed-db-create-tasks-4560d4b960383c4e.yaml | 5 +
.../removed-db-create-tasks-8ae301041fe46cfb.yaml | 5 +
.../removed-db-create-tasks-8d931286d6347bc6.yaml | 5 +
.../removed-db-create-tasks-eed527e915f23ee0.yaml | 5 +
.../removed-neutron-ha-tool-dd7a4717e03163f9.yaml | 13 +
.../rename-pip-packages-tmp-f40dc7599684466a.yaml | 5 +
...e-repo-build-apt-packages-df1ca334b857787a.yaml | 5 +
...ild-fix-upper-constraints-9e24c56520538df2.yaml | 5 +
...-build-use-uca-by-default-bde8ded7d72cd42c.yaml | 4 +
.../notes/rhel-gpg-check-0b483a824314d1b3.yaml | 7 +
...og-client-centos7-support-bf5dd55ef6488a20.yaml | 4 +
...-client-logrotate-options-02dde942779493bb.yaml | 6 +
...log-remote-log-separation-76de4b64f0c18edb.yaml | 8 +
.../run-playbooks-refactor-c89400feb692cd91.yaml | 6 +
...a-data-processing-service-8e63ebed6baf08bc.yaml | 5 +
.../sahara-horizon-panel-d80d17da528b4c07.yaml | 9 +
...rch-for-unlabeled-devices-cb047c5f767e93ce.yaml | 6 +
.../selective-git-clone-77d766cc0eaa2175.yaml | 8 +
.../selective-venv-build-dd9f0e40cd1cc076.yaml | 8 +
.../selective-wheel-build-34b1c154bb548ed7.yaml | 8 +
.../notes/service-conf-path-b27cab31dbc72ad4.yaml | 6 +
.../notes/ssh-pub-key-check-c42309653dbe3493.yaml | 5 +
.../static
routeerrorcheck-5e7ed6ddf9eb1d1f.yaml | 11 +
...support-for-centos-xenial-2b89c318cc3df4b0.yaml | 5 +
...balenvironmentvariables-46cd4d90279fd0e9.yaml | 5 +
.../support-ubuntu-xenial-958e8128ed6578cd.yaml | 3 +
.../notes/swift-conf-b8dd5e1199f8e4a8.yaml | 9 +
.../swift-fallocate-reserve-ff513025da68bfed.yaml | 11 +
.../swift-force-hash-change-45b09eeb8b0368a6.yaml | 14 +
.../swift-fs-file-limits-a57ab8b4c3c944e4.yaml | 11 +
.../swift-pretend-mph-passed-7e5c15eeb35861c3.yaml | 17 +
.../notes/swift-pypy-support-9706519c4b88a571.yaml | 15 +
...onfigure-xfs-from-mlocate-e4844e6c0469afd6.yaml | 5 +
.../swift-rings-port-change-4a95bbd9b63fb201.yaml | 11 +
...ft-rsync-module-per-drive-79b05af8276e7d6e.yaml | 12 +
.../swift-staticweb-support-b280fbebf271820b.yaml | 9 +
.../swift-syslog-log-perms-5a116171a1adeae3.yaml | 6 +
...virtsavedirtonovadir-3b1b278cb7e5831f.yaml | 8 +
.../notes/ubuntu-ppc64le-cab45e63dca77017.yaml | 4 +
.../notes/ubuntu
ppc64le-581e5fcd5950186e.yaml | 6 +
.../notes/unbound-dns-e0b591be4fa2b050.yaml | 6 +
...unique-variable-migration-c0639030b495438f.yaml | 20 +
.../update-aodh-integration-fd2a27e8864bd8ff.yaml | 10 +
...dated-neutron-pluginbase-25b5dcacc87acd0f.yaml | 2 +-
.../notes/upgrade-lxc-4750ba9aea7b5cd1.yaml | 6 +
...pper-constraints-override-6853ffec6c07d7f5.yaml | 9 +
.../notes/use-galera-storage-d1a51c051d2740ad.yaml | 14 +
.../notes/use-uca-by-default-070751b0b388fcbe.yaml | 4 +
...utility
containersshkey-44b1d15a1c06395e.yaml | 6 +
.../notes/var-deprecations-417d87b9d386466a.yaml | 11 +
...trabackup-compact-disable-8ae9215207147ebc.yaml | 4 +
releasenotes/source/conf.py | 42 +-
releasenotes/source/index.rst | 3 +-
releasenotes/source/mitaka.rst | 7 +-
releasenotes/source/unreleased.rst | 5 +
requirements.txt | 29 +-
scripts/ansible-role-requirements-editor.py | 104 +++
scripts/bootstrap-aio.sh | 2 +-
scripts/bootstrap-ansible.sh | 110 ++-
scripts/fastest-infra-wheel-mirror.py | 170 ++++
scripts/federated-login.sh | 2 +-
scripts/gate-check-commit.sh | 52 +-
scripts/get-pypi-pkg-version.py | 8 +-
scripts/inventory-manage.py | 309 +------
scripts/manageinventory.py | 370 ++++++++
scripts/openstack-ansible.rc | 49 ++
scripts/os-cmd | 56 ++
scripts/os-detection.py | 25 -
scripts/release-yaml-file-prep.py | 133 +++
scripts/run-playbooks.sh | 222 ++---
scripts/run-tempest.sh | 8 +-
scripts/run-upgrade.sh | 130 ++-
scripts/scripts-library.sh | 189 ++--
scripts/sources-branch-updater.sh | 260 ++++--
scripts/teardown.sh | 282 ------
.../playbooks/ansible
factcleanup.yml | 25 +
.../playbooks/aodh-api-init-delete.yml | 47 +
.../playbooks/db-collation-alter.yml | 57 ++
.../playbooks/deploy-config-changes.yml | 64 ++
.../playbooks/galera-cluster-rolling-restart.yml | 58 ++
.../playbooks/lbaas-version-check.yml | 27 +
.../playbooks/mariadb-apt-cleanup.yml | 24 +
.../playbooks/memcached-flush.yml | 23 +
.../playbooks/old-hostname-compatibility.yml | 145 ++++
.../playbooks/pip-conf-removal.yml | 24 +
.../playbooks/user-secrets-adjustment.yml | 45 +
.../scripts/ansible
factcleanup.sh | 18 +
.../upgrade-utilities/scripts/make
rsttable.py | 45 +
.../scripts/migrate
openstackvars.py | 70 ++
.../scripts/test
migrateopenstackvars.py | 86 ++
setup.cfg | 2 +-
setup.py | 11 +-
test-requirements.txt | 28 +-
.../bootstrap-host/tasks/check-requirements.yml | 16 +-
.../bootstrap-host/tasks/prepareaioconfig.yml | 144 ++--
.../bootstrap-host/tasks/preparedatadisk.yml | 10 +-
.../tasks/preparelibvirtservice.yml | 53 --
.../tasks/prepareloopbackcinder.yml | 1 +
.../tasks/prepareloopbackswift.yml | 1 +
.../tasks/preparemongodbservice.yml | 61 --
.../bootstrap-host/tasks/preparemongodbusers.yml | 41 -
.../bootstrap-host/tasks/preparenetworking.yml | 38 +-
.../bootstrap-host/tasks/prepare
sshkeys.yml | 14 +-
.../templates/osa
interfacesmultinode.cfg.j2 | 28 +
.../templates/user
variables.aio.yml.j2 | 75 +-
tox.ini | 186 ++--
721 files changed, 17195 insertions(+), 13538 deletions(-)

Requirements updates


diff --git a/requirements.txt b/requirements.txt
index 0d5fad6..2938075 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,13 +1,16 @@
-Jinja2>=2.6 # ansible
-netaddr>=0.7.12 # playbooks/inventory/dynamicinventory.py
-paramiko>=1.13.0 # ansible
-PrettyTable>=0.7,<0.8 # scripts/inventory-manage.py
-pycrypto>=2.6 # ansible
-PyYAML>=3.1.0 # ansible
-###
-### These are pinned to ensure exactly the same behaviour forever! ###
-### These pins are updated through the sources-branch-updater script ###
-###
-pip==8.1.1
-setuptools==20.6.7
-wheel==0.29.0
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+pip>=6.0 # MIT
+setuptools!=24.0.0,>=16.0 # PSF/ZPL
+wheel # MIT
+pyasn1 # BSD
+pyOpenSSL>=0.14 # Apache-2.0
+requests>=2.10.0 # Apache-2.0
+ndg-httpsclient>=0.4.2;python
version<'3.0' # BSD
+netaddr!=0.7.16,>=0.7.13 # BSD
+PrettyTable<0.8,>=0.7 # BSD
+pycrypto>=2.6 # Public Domain
+python-memcached>=1.56 # PSF
+PyYAML>=3.1.0 # MIT
+virtualenv # MIT
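
Review bot: the exact pins "pip==8.1.1", "setuptools==20.6.7" and "wheel==0.29.0" at the bottom of the old file are replaced by open ranges ("pip>=6.0", "setuptools!=24.0.0,>=16.0") and by unbounded "wheel" and "virtualenv", and the removed comment that named the sources-branch-updater script as the way those pins were maintained has no successor. As written, two bootstraps of the same tag can resolve different packaging tooling, and "pip>=6.0" admits versions older than the one previously pinned. Either keep exact pins for the packaging toolchain or state in the new header comment where these versions are constrained. The trailing comments also change from naming the consumer ("# ansible", "# scripts/inventory-manage.py") to naming the license, so the added "pyasn1", "pyOpenSSL", "requests", "ndg-httpsclient" and "python-memcached" lines give no indication of what needs them; a short reason next to each addition would help anyone auditing the dependency set.
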
diff --git a/test-requirements.txt b/test-requirements.txt
index 1e3f8b5..86fae7a 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,8 +1,12 @@
-ansible>1.9,<2.0
-ansible-lint>=2.0.3,<=2.3.6
-bashate==0.5.0 # Apache-2.0
-flake8==2.2.4
-hacking>=0.10.0,<0.11
-mccabe==0.2.1 # capped for flake8
-pep8==1.5.7
-pyflakes==0.8.1
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+bashate>=0.2 # Apache-2.0
+coverage>=3.6 # Apache-2.0
+flake8<2.6.0,>=2.5.4 # MIT
+hacking<0.11,>=0.10.0
+mccabe==0.2.1 # MIT License
+mock>=2.0 # BSD
+pep8==1.5.7 # MIT
+pyflakes==0.8.1 # MIT
+virtualenv # MIT
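
Review bot: "bashate>=0.2" lowers the floor below the previously pinned "bashate==0.5.0", so a test environment can now install an older linter than the one this repository was last checked with; "bashate>=0.5.0" would loosen the pin without permitting a downgrade. The hunk also removes "ansible>1.9,<2.0" and "ansible-lint>=2.0.3,<=2.3.6" with no replacement in this file, so the header comment or the commit message should say where the lint jobs now get them. Replacing "# capped for flake8" on the mccabe line with a license tag drops the only explanation of why that package is held at 0.2.1; keep the reason next to the license.
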
@@ -11,3 +15,5 @@ pyflakes==0.8.1
-sphinx!=1.2.0,!=1.3b1,<1.3,>=1.1.2
-oslosphinx>=2.5.0 # Apache-2.0
-reno>=0.1.1 # Apache-2.0
+sphinx!=1.3b1,<1.3,>=1.2.1 # BSD
+oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0
+openstackdocstheme>=1.5.0 # Apache-2.0
+doc8 # Apache-2.0
+reno>=1.8.0 # Apache2
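
Review bot: the license tag on the last added line, "reno>=1.8.0 # Apache2", does not match the "Apache-2.0" spelling used on the other Apache-licensed lines of this file and should read "# Apache-2.0". "doc8" is also added with no version bound while its neighbours in this hunk all carry a minimum; add a lower bound so the documentation checks behave the same across environments.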


OpenStack-announce mailing list
OpenStack-announce@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce
asked Oct 20, 2016 in openstack-announce by no-reply_at_openstac