diff --git a/ansible-role-requirements.yml b/ansible-role-requirements.yml
index b2ee223d34..e083ad48d9 100644
--- a/ansible-role-requirements.yml
+++ b/ansible-role-requirements.yml
@@ -1,216 +1,216 @@ - name: ansible-hardening scm: git src: https://git.openstack.org/openstack/ansible-hardening - version: master + version: 231676a93e3f6ec2dcecedc265c86424c70a3737 - name: apt_package_pinning scm: git src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning - version: master + version: 8628b24294346c10cd26db450a29814027c8477a - name: pip_install scm: git src: https://git.openstack.org/openstack/openstack-ansible-pip_install - version: master + version: 516a2146f0adc6138e3d9f1eff881b79d1edc86b - name: galera_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_client - version: master + version: 613dfeb7ee7e733180f07c70911488a93b842810 - name: galera_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_server - version: master + version: 99ef88d64182582bf0ece55c82aea58e70cf404c - name: ceph_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-ceph_client - version: master + version: b98c36d7c9475e5fa4a2a9c8ee3e04c1a0365939 - name: haproxy_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-haproxy_server - version: master + version: a19a0b08a3263b08ede7462ccb256f2260c564fe - name: keepalived scm: git src: https://github.com/evrardjp/ansible-keepalived - version: master + version: b13e0840b09154a6d2470f71fea8eaa968525c5b - name: lxc_container_create scm: git src: https://git.openstack.org/openstack/openstack-ansible-lxc_container_create - version: master + version: 12d8fed271e78f32572b665409c07436992acc1d - name: lxc_hosts scm: git src: https://git.openstack.org/openstack/openstack-ansible-lxc_hosts - version: master + version: 4b5bc0688e5314fede4481d2aac1ddabc3b3bbd9 - name: memcached_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-memcached_server - version: master + version: 4429a4783458d698532f1e838b7a35285a70bb24 - name: openstack_hosts scm: git src: 
https://git.openstack.org/openstack/openstack-ansible-openstack_hosts - version: master + version: e91d744ef77fe976feb01182f52f86d60d6b7ed8 - name: os_keystone scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_keystone - version: master + version: 2f197ba458a18e88664986bfef9cd6f91c6d1ff8 - name: openstack_openrc scm: git src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc - version: master + version: 2b1a711a74dc2d629b5a6888ce776db584c215b0 - name: os_aodh scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_aodh - version: master + version: f9402cf675463286f6cd81d3c8b372ff5b78a652 - name: os_barbican scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_barbican - version: master + version: 674d9f239e86678ce7b8e13cc58bb2efbb8733b0 - name: os_ceilometer scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_ceilometer - version: master + version: a4bb1305f8befb7e42e0a0448cbd31ce39c0bbf6 - name: os_cinder scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_cinder - version: master + version: 9b846910ed9604f299a02abd6b2db3abde3a5ce9 - name: os_designate scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_designate - version: master + version: 3b4e97651f9379b995be5fdda76aed87caf36fae - name: os_glance scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_glance - version: master + version: 0e8e780aff5e808b4fcf352b12344808e3f13cff - name: os_gnocchi scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_gnocchi - version: master + version: 561642a1b5ba6e32495019626971e004eb17819a - name: os_heat scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_heat - version: master + version: bb21948b1b7ea23d3def6bd953c0819c5200d36c - name: os_horizon scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_horizon - version: master + version: 20197fdc0eb11686bbebe54061ecc08be626cf15 - 
name: os_ironic scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_ironic - version: master + version: 58c9f44cca9b4440973988c888e89d9be33bd70f - name: os_magnum scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_magnum - version: master + version: c2d575428f8661175014424786409a504d41931f - name: os_molteniron scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_molteniron - version: master + version: a9b41ca9e454ce73d0cc0b6c9ef1b5b1d34eecca - name: os_neutron scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_neutron - version: master + version: c2150045ad483e8ccd41d2cd1825d9c907fcdc64 - name: os_nova scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_nova - version: master + version: dc53a8bcc15da3102f7b2db3874d7b410a010e7f - name: os_octavia scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_octavia - version: master + version: f66be9bccc088add3ac7182adbf310ad36889892 - name: os_rally scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_rally - version: master + version: 64304bbe97cfbc54af38b52794556a1258b0d237 - name: os_sahara scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_sahara - version: master + version: 4ae3b4184e2353abef6c8dc6cba9fa2927b0dfce - name: os_swift scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_swift - version: master + version: 0147d155d467f8dfbe3820e92cd9bd657b8d4974 - name: os_tacker scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_tacker - version: master + version: 176837ee2c0d7c98c2d7df9c3197e393f153f198 - name: os_tempest scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_tempest - version: master + version: 37439954e45baa5456fbdc9d096a6aeae49be089 - name: os_trove scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_trove - version: master + version: 64bd83ce3b63f83c1d268a479e81655cb8d462b5 - 
name: plugins scm: git src: https://git.openstack.org/openstack/openstack-ansible-plugins - version: master + version: a458ce40c6698b4f7e91f9482448241af1af7c76 - name: rabbitmq_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-rabbitmq_server - version: master + version: 6299fc19f47868eba17f3de29a734fdbdc8c0b65 - name: repo_build scm: git src: https://git.openstack.org/openstack/openstack-ansible-repo_build - version: master + version: c5dcfcd07b37399060cd152cc57f9d35b3ef2358 - name: repo_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-repo_server - version: master + version: da3e0b591d1731d47cafa6b403d2ada2708b40bf - name: rsyslog_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_client - version: master + version: fdf7ea49cf214779de1cf08e3c488123177d6e58 - name: rsyslog_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server - version: master + version: a78bd8557753ec00d5e36d725414096db99c67d0 - name: sshd scm: git src: https://github.com/willshersystems/ansible-sshd - version: master + version: 537b9b2bc2fd7f23301222098344727f8161993c - name: bird scm: git src: https://github.com/logan2211/ansible-bird - version: master + version: 5033c412398cf6f98097a9ac274a6f12810c807e - name: etcd scm: git src: https://github.com/logan2211/ansible-etcd - version: master + version: 3933355dfe51477822db517d3c07ad561fb61318 - name: unbound scm: git src: https://github.com/logan2211/ansible-unbound - version: master + version: 7be67d6b60718896f0c17a7d4a14b912f72a59ae - name: resolvconf scm: git src: https://github.com/logan2211/ansible-resolvconf - version: master + version: d48dd3eea22094b6ecc6aa6ea07279c8e68e28b5 - name: ceph-defaults scm: git src: https://github.com/ceph/ansible-ceph-defaults - version: master + version: 62f4a465144d2e1ad4708734957287ba8337b222 - name: ceph-common scm: git src: https://github.com/ceph/ansible-ceph-common - version: master + 
version: 352ea8de7081e0e9a3cb7c5cc4be3ca1efaecb48 - name: ceph-config scm: git src: https://github.com/ceph/ansible-ceph-config - version: master + version: 9ef53d2637ce507ae592afcb5f0d698e85994b63 - name: ceph-mon scm: git src: https://github.com/ceph/ansible-ceph-mon - version: master + version: 4698c244d3defed42f889f7756a57722fd25d106 - name: ceph-mgr scm: git src: https://github.com/ceph/ansible-ceph-mgr - version: master + version: 155b37074cbd399067216dca1822cb3d3e58ed42 - name: ceph-osd scm: git src: https://github.com/ceph/ansible-ceph-osd - version: master + version: 123ed680d551b8e9b7c75fbdfc78a2a2b3d9de16 - name: opendaylight scm: git src: https://git.opendaylight.org/gerrit/p/integration/packaging/ansible-opendaylight.git - version: master + version: 02842e56d32c72506dce4e2e5dca4fcee69ffffa - name: haproxy_endpoints scm: git src: https://github.com/logan2211/ansible-haproxy-endpoints - version: master + version: 49901861b16b8afaa9bccdbc649ac956610ff22b
diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml
index 7de88c0dd3..933516849e 100644
--- a/group_vars/all/all.yml
+++ b/group_vars/all/all.yml
@@ -14,7 +14,7 @@ # limitations under the License. ## OpenStack Source Code Release -openstack_release: master +openstack_release: 17.0.0.0b1 ## Verbosity Options debug: False
diff --git a/releasenotes/notes/Adds-flags-to-enable--Octavia-V2-(standalone)-API-d644b92ad374f2cf.yaml b/releasenotes/notes/Adds-flags-to-enable--Octavia-V2-(standalone)-API-d644b92ad374f2cf.yaml
new file mode 100644
index 0000000000..a3575513c0
--- /dev/null
+++ b/releasenotes/notes/Adds-flags-to-enable--Octavia-V2-(standalone)-API-d644b92ad374f2cf.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - Adds a new flag to enable Octavia V2 API (disabled by default) to facilitate to run Octavia
+ stand alone (without Neutron)
+ - Adds a new flag to toggle Octavia V1 API (the API needed to run in conjunction with Neutron)
+ and enables it by default.
+
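Review bot: The new `version:` pins in ansible-role-requirements.yml are bare, unquoted 40-character SHAs with no record of the branch or tag each one was resolved from, so whoever reviews a later bump cannot tell from the file whether a pin is the intended milestone commit. A trailing comment on each entry would close that gap, for example `version: "231676a93e3f6ec2dcecedc265c86424c70a3737"  # <branch-or-tag this SHA was taken from>`, and quoting the value keeps a YAML loader from retyping a SHA that happens to be all digits. Pinning by full commit id instead of `master` is the right supply-chain control, particularly for the roles fetched from individual GitHub accounts (keepalived, sshd, bird, etcd, unbound, resolvconf, haproxy_endpoints), because a branch or tag can be moved while a commit id cannot. The same comment applies to every entry in this hunk.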
diff --git a/releasenotes/notes/cache-packages-override-e89847687abddf34.yaml b/releasenotes/notes/cache-packages-override-e89847687abddf34.yaml
new file mode 100644
index 0000000000..8f5c9e9cdc
--- /dev/null
+++ b/releasenotes/notes/cache-packages-override-e89847687abddf34.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - The ``lxc_cache_distro_packages`` has been moved to the role defaults from vars to enable
+ easier overriding of the container cache package list.
diff --git a/releasenotes/notes/centos-mirror-url-variable-c072a6ab21054093.yaml b/releasenotes/notes/centos-mirror-url-variable-c072a6ab21054093.yaml
new file mode 100644
index 0000000000..aa360c67b1
--- /dev/null
+++ b/releasenotes/notes/centos-mirror-url-variable-c072a6ab21054093.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Deployers can set ``openstack_hosts_centos_mirror_url`` to use their
+ preferred mirror for the RDO repositories.
diff --git a/releasenotes/notes/centos-mirror-url-variable-eea9f226b5611b40.yaml b/releasenotes/notes/centos-mirror-url-variable-eea9f226b5611b40.yaml
new file mode 100644
index 0000000000..73eb932248
--- /dev/null
+++ b/releasenotes/notes/centos-mirror-url-variable-eea9f226b5611b40.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Deployers can set ``pip_install_centos_mirror_url`` to use their
+ preferred mirror for the RDO repositories.
diff --git a/releasenotes/notes/dnsmasq-lxc-conflict-fix-c8968f6a16d033c6.yaml b/releasenotes/notes/dnsmasq-lxc-conflict-fix-c8968f6a16d033c6.yaml
new file mode 100644
index 0000000000..e240a38cbb
--- /dev/null
+++ b/releasenotes/notes/dnsmasq-lxc-conflict-fix-c8968f6a16d033c6.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+ - |
+ In Ubuntu the ``dnsmasq`` package actually includes
+ init scripts and service configuration which
+ conflict with LXC and are best not included. The
+ actual dependent package is ``dnsmasq-base``. The
+ package list has been adjusted and a task added
+ to remove the ``dnsmasq`` package and purge the
+ related configuration files from all LXC hosts.
diff --git a/releasenotes/notes/ensure-security-groups-always-applied-eb6e3bdc7b77f022.yaml b/releasenotes/notes/ensure-security-groups-always-applied-eb6e3bdc7b77f022.yaml
new file mode 100644
index 0000000000..b15ea6c7c7
--- /dev/null
+++ b/releasenotes/notes/ensure-security-groups-always-applied-eb6e3bdc7b77f022.yaml
@@ -0,0 +1,13 @@
+---
+security:
+ - |
+ The ``net.bridge.bridge-nf-call-*`` kernel parameters were set to ``0``
+ in previous releases to improve performance and it was left up to neutron
+ to adjust these parameters when security groups are applied. This could
+ cause situations where bridge traffic was not sent through iptables and
+ this rendered security groups ineffective. This could allow unexpected
+ ingress and egress traffic within the cloud.
+
+ These kernel parameters are now set to ``1`` on all hosts by the
+ ``openstack_hosts`` role, which ensures that bridge traffic is always
+ sent through iptables.
diff --git a/releasenotes/notes/extra-headers-e54a672d3a78dd89.yaml b/releasenotes/notes/extra-headers-e54a672d3a78dd89.yaml
new file mode 100644
index 0000000000..370d33095c
--- /dev/null
+++ b/releasenotes/notes/extra-headers-e54a672d3a78dd89.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ Extra headers can be added to Keystone responses by adding items to
+ ``keystone_extra_headers``. Example:
+
+ .. code-block:: yaml
+
+ keystone_extra_headers:
+ - parameter: "Access-Control-Expose-Headers"
+ value: "X-Subject-Token"
+ - parameter: "Access-Control-Allow-Headers"
+ value: "Content-Type, X-Auth-Token"
+ - parameter: "Access-Control-Allow-Origin"
+ value: "*"
diff --git a/releasenotes/notes/fedora-26-support-70a304f9c97d1b37.yaml b/releasenotes/notes/fedora-26-support-70a304f9c97d1b37.yaml
new file mode 100644
index 0000000000..6e340e9df5
--- /dev/null
+++ b/releasenotes/notes/fedora-26-support-70a304f9c97d1b37.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Fedora 26 is now supported.
+deprecations:
+ - Fedora 25 support is deprecated and no longer tested on each commit.
diff --git a/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml b/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml
new file mode 100644
index 0000000000..8cc3c78335
--- /dev/null
+++ b/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - FWaaS V2 has been added to neutron. To enable this service simply add
+ "firewall_v2" to the "neutron_plugin_base" list.
diff --git a/releasenotes/notes/glance-init-config-overrides-d1c8c3dcc50c109a.yaml b/releasenotes/notes/glance-init-config-overrides-d1c8c3dcc50c109a.yaml
index 10f6db86a9..1e94b37d20 100644
--- a/releasenotes/notes/glance-init-config-overrides-d1c8c3dcc50c109a.yaml
+++ b/releasenotes/notes/glance-init-config-overrides-d1c8c3dcc50c109a.yaml
@@ -5,6 +5,6 @@ features: - The task dropping the glance systemd unit files now uses the ``config_template`` action plugin allowing deployers access to customize the unit files as they see fit without having to - load extra options into the defaults and polute the generic + load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
diff --git a/releasenotes/notes/global-ntp-servers-155c1daef3680025.yaml b/releasenotes/notes/global-ntp-servers-155c1daef3680025.yaml
new file mode 100644
index 0000000000..d1fcd42f09
--- /dev/null
+++ b/releasenotes/notes/global-ntp-servers-155c1daef3680025.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The default list of NTP servers for chrony are now more friendly to users
+ outside North America. Deployers can still provide their own list of NTP
+ servers with the ``security_ntp_servers`` Ansible variable.
diff --git a/releasenotes/notes/lxc-machinectl-template-9e65779a94cb767f.yaml b/releasenotes/notes/lxc-machinectl-template-9e65779a94cb767f.yaml
new file mode 100644
index 0000000000..eca1357f79
--- /dev/null
+++ b/releasenotes/notes/lxc-machinectl-template-9e65779a94cb767f.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - A new LXC container template has been added which will allow us to better
+ manage containers on the host machines we support. The new template uses
+ the `machinectl` command to create container rootfs using the existing
+ cache. This in-turn will provide easier management of container images,
+ faster build times, and the ability to instantly clone a container (or a
+ given variant) without impacting a containers state. This new lxc container
+ create template, and the features it provides, will only impact new
+ containers created allowing deployers to safely adopt this change in any
+ existing environment.
diff --git a/releasenotes/notes/lxc_container_backing_store-e0a77c48da3a57b2.yaml b/releasenotes/notes/lxc_container_backing_store-e0a77c48da3a57b2.yaml
new file mode 100644
index 0000000000..3da97052ff
--- /dev/null
+++ b/releasenotes/notes/lxc_container_backing_store-e0a77c48da3a57b2.yaml
@@ -0,0 +1,21 @@
+---
+features:
+ - The tag options when creating an LXC container have been simplified. The two
+ tags now supported by the `lxc_container_create` role are
+ **lxc-{create,config}**.
+upgrade:
+ - The LXC container create option `lxc_container_backing_store` is now defined
+ by default and has a value of "dir". Prior to this release the backend store
+ option was using several auto-detection methods to try and guess the store
+ type based on facts fed into the role and derived from the physical host.
+ While the auto-detection methods worked, they created a cumbersome set of
+ conditionals and limited our ability to leverage additional container
+ stores. Having this option be a default allows deployers to mix and match
+ container stores to suit the needs of the deployment. Existing deployments
+ should set this option within group or user variables to ensure
+ there's no change in the backend store when new container be provisioned.
+other:
+ - The LXC container create role will now check for the LXC volume group if
+ the option `lxc_container_backing_store` is set to "lvm". If this volume
+ group is not found, the role will halt and instruct the deployer to update
+ their configuration options and inspect their host setup.
diff --git a/releasenotes/notes/lxc_image_cache_server-f14701a7f8f4b8ca.yaml b/releasenotes/notes/lxc_image_cache_server-f14701a7f8f4b8ca.yaml
new file mode 100644
index 0000000000..8299cb83c0
--- /dev/null
+++ b/releasenotes/notes/lxc_image_cache_server-f14701a7f8f4b8ca.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - The variable ``lxc_image_cache_server_mirrors`` has been added to
+ the "lxc_hosts" role. This is a list type variable and gives
+ deployers the ability to specify multiple lxc-image mirrors at the
+ same time.
+
+deprecations:
+ - The variable ``lxc_image_cache_server`` has been deprecated in the
+ "lxc_hosts" role. By default this value will pull the first item
+ out of ``lxc_image_cache_server_mirrors`` list which is only done
+ for compatibility (legacy) purposes. The default string type
+ variable, ``lxc_image_cache_server``, will be removed from the
+ "lxc_hosts" role in the in "R" release.
diff --git a/releasenotes/notes/neutron-init-config-overrides-9d1d2b3b908705ed.yaml b/releasenotes/notes/neutron-init-config-overrides-9d1d2b3b908705ed.yaml
index fba1b2446e..e0f0144a50 100644
--- a/releasenotes/notes/neutron-init-config-overrides-9d1d2b3b908705ed.yaml
+++ b/releasenotes/notes/neutron-init-config-overrides-9d1d2b3b908705ed.yaml
@@ -5,6 +5,6 @@ features: - The task dropping the neutron systemd unit files now uses the ``config_template`` action plugin allowing deployers access to customize the unit files as they see fit without having to - load extra options into the defaults and polute the generic + load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
diff --git a/releasenotes/notes/neutron-opendaylight-support-453dc9324eafaae7.yaml b/releasenotes/notes/neutron-opendaylight-support-453dc9324eafaae7.yaml
new file mode 100644
index 0000000000..597a20e9cc
--- /dev/null
+++ b/releasenotes/notes/neutron-opendaylight-support-453dc9324eafaae7.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - The ``OpenDaylight SDN Controller`` can be deployed as
+ a neutron ML2 backend.
+ You can set the ``neutron_plugin_type`` to
+ ``ml2.opendaylight`` to utilize this code path.
+ The usage of ``OpenDaylight`` is currently experimental.
diff --git a/releasenotes/notes/opensuse-mirror-url-variable-6660f16c3e9bf1ff.yaml b/releasenotes/notes/opensuse-mirror-url-variable-6660f16c3e9bf1ff.yaml
new file mode 100644
index 0000000000..858cc3a099
--- /dev/null
+++ b/releasenotes/notes/opensuse-mirror-url-variable-6660f16c3e9bf1ff.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Deployers can set ``lxc_hosts_opensuse_mirror_url`` to use their
+ preferred mirror for the openSUSE repositories. They can also set the
+ ``lxc_hosts_opensuse_mirror_obs_url`` if they want to set a different
+ mirror for the OBS repositories. If they want to use the same mirror in
+ both cases then they can leave the latter variable to its default value.
+ The full list of mirrors and their capabilities can be obtained at
+ http://mirrors.opensuse.org/
diff --git a/releasenotes/notes/opensuse-mirror-url-variable-74d22825e808211e.yaml b/releasenotes/notes/opensuse-mirror-url-variable-74d22825e808211e.yaml
new file mode 100644
index 0000000000..af83ed66be
--- /dev/null
+++ b/releasenotes/notes/opensuse-mirror-url-variable-74d22825e808211e.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Deployers can set ``pip_install_opensuse_mirror_url`` to use their
+ preferred mirror for the openSUSE repositories. They can also set the
+ ``pip_install_opensuse_mirror_obs_url`` if they want to set a different
+ mirror for the OBS repositories. If they want to use the same mirror in
+ both cases then they can leave the latter variable to its default value.
+ The full list of mirrors and their capabilities can be obtained at
+ http://mirrors.opensuse.org/
diff --git a/releasenotes/notes/opensuse-mirror-url-variable-865a97abb4c61430.yaml b/releasenotes/notes/opensuse-mirror-url-variable-865a97abb4c61430.yaml
new file mode 100644
index 0000000000..0fa3d2114b
--- /dev/null
+++ b/releasenotes/notes/opensuse-mirror-url-variable-865a97abb4c61430.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Deployers can set ``galera_client_opensuse_mirror_obs_url`` to use their
+ preferred mirror for the galera server OBS packages. The full list of
+ mirrors and their capabilities can be obtained at http://mirrors.opensuse.org/
diff --git a/releasenotes/notes/optimize-centos-erlang-install-bafd1c376ffca35e.yaml b/releasenotes/notes/optimize-centos-erlang-install-bafd1c376ffca35e.yaml
new file mode 100644
index 0000000000..d11cd06f5e
--- /dev/null
+++ b/releasenotes/notes/optimize-centos-erlang-install-bafd1c376ffca35e.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ The installation of Erlang and is now optimized for CentOS.
+ Erlang 19.x is now installed via a single package that is maintained by
+ RabbitMQ developers and it provides the minimal features required for
+ RabbitMQ to function. It also includes HiPE support for increased
+ performance.
+
+ The version of Erlang is kept constant using yum's versionlock plugin.
+ - |
+ RabbitMQ is now installed via an RPM repository provided by RabbitMQ
+ developers. The version is kept constant via yum's versionlock plugin.
+ This allows the tasks to lock the RabbitMQ version to a particular
+ revision and prevent changes to that version.
diff --git a/releasenotes/notes/remove-haproxy-repo-vars-051a47bbfaf6d1da.yaml b/releasenotes/notes/remove-haproxy-repo-vars-051a47bbfaf6d1da.yaml
new file mode 100644
index 0000000000..59c7348771
--- /dev/null
+++ b/releasenotes/notes/remove-haproxy-repo-vars-051a47bbfaf6d1da.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ The following variables have been removed from the ``haproxy_server`` role
+ as they are no longer necessary or used.
+ - haproxy_repo
+ - haproxy_gpg_keys
+ - haproxy_required_distro_packages
diff --git a/releasenotes/notes/remove-v72181-e29b9f5d9c971541.yaml b/releasenotes/notes/remove-v72181-e29b9f5d9c971541.yaml
new file mode 100644
index 0000000000..5d72e627c9
--- /dev/null
+++ b/releasenotes/notes/remove-v72181-e29b9f5d9c971541.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+ - |
+ The tasks for V-72181, which include adding audit rules for the
+ ``pt_chown`` command, have been removed. They are not required in the RHEL
+ 7 STIG V1R2 release.
diff --git a/releasenotes/notes/skip-sysctl-when-disabled-b32eca48df5b1437.yaml b/releasenotes/notes/skip-sysctl-when-disabled-b32eca48df5b1437.yaml
new file mode 100644
index 0000000000..73f211e3d1
--- /dev/null
+++ b/releasenotes/notes/skip-sysctl-when-disabled-b32eca48df5b1437.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+ - |
+ The sysctl configuration task was not skipping configurations where
+ ``enabled`` was set to ``no``. Instead, it was removing configurations
+ when ``enabled: no`` was set.
+
+ There is now a fix in place that ensures any sysctl configuration with
+ ``enabled: no`` will be skipped and the configuration will be left
+ unaltered on the system.
diff --git a/releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml b/releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml
new file mode 100644
index 0000000000..882da89971
--- /dev/null
+++ b/releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ ``PermitRootLogin`` in the ssh configuration has changed from
+ ``yes`` to ``without-password``. This will only allow ssh to be used
+ to authenticate root via a key.
diff --git a/releasenotes/notes/sysstat-centos-opensuse-running-0be396c60a513562.yaml b/releasenotes/notes/sysstat-centos-opensuse-running-0be396c60a513562.yaml
new file mode 100644
index 0000000000..732a58f2b0
--- /dev/null
+++ b/releasenotes/notes/sysstat-centos-opensuse-running-0be396c60a513562.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ The ``sysstat`` package was installed on all distributions, but it was
+ only configured to run on Ubuntu and OpenSUSE. It would not run on CentOS
+ due to bad SELinux contexts and file permissions on
+ ``/etc/cron.d/sysstat``. This has been fixed and ``sysstat`` now runs
+ properly on CentOS.
diff --git a/releasenotes/notes/trove-init-config-overrides-a78ed428a32adef8.yaml b/releasenotes/notes/trove-init-config-overrides-a78ed428a32adef8.yaml
index 0b84eb4530..3b5ae0da34 100644
--- a/releasenotes/notes/trove-init-config-overrides-a78ed428a32adef8.yaml
+++ b/releasenotes/notes/trove-init-config-overrides-a78ed428a32adef8.yaml
@@ -5,6 +5,6 @@ features: - The task dropping the trove systemd unit files now uses the ``config_template`` action plugin allowing deployers access to customize the unit files as they see fit without having to - load extra options into the defaults and polute the generic + load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
diff --git a/releasenotes/notes/ulimit-increased-65536-50b418d8e8ca4eef.yaml b/releasenotes/notes/ulimit-increased-65536-50b418d8e8ca4eef.yaml
new file mode 100644
index 0000000000..0fbd66ca8f
--- /dev/null
+++ b/releasenotes/notes/ulimit-increased-65536-50b418d8e8ca4eef.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ The default ulimit for RabbitMQ is now 65536. Deployers can still adjust
+ this limit using the ``rabbitmq_ulimit`` Ansible variable.