Freeze for milestone release

This would be the first milestone release of OpenStack-Ansible Stein.

Change-Id: Iff5235b6e11a6586f0836fd550331efbe4151de0

ansible-role-requirements.yml

@@ -1,236 +1,236 @@
 - name: ansible-hardening
   scm: git
   src: https://git.openstack.org/openstack/ansible-hardening
-  version: master
+  version: ef1b4170328391d55c3ca94e8183fdd56a229c34
 - name: apt_package_pinning
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
-  version: master
+  version: 83347049b8185bbb9eec4b47a75a86e2f7d7d17b
 - name: config_template
   scm: git
   src: https://git.openstack.org/openstack/ansible-config_template
-  version: master
+  version: 0e67ef2e0854b0081d5c68ebc000c1bb0a009700
 - name: pip_install
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-pip_install
-  version: master
+  version: 3e9ce35e3796522e900cb2396bcfdf4e8bb94d71
 - name: galera_client
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-galera_client
-  version: master
+  version: d53d623eedd33d9015dacd126e93a092d7548637
 - name: galera_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-galera_server
-  version: master
+  version: 632b0a8d827206857b04d86468124721ba991424
 - name: ceph_client
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-ceph_client
-  version: master
+  version: 2febce8369ae4c51c00636dec00e4ba0558c9bcc
 - name: haproxy_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-haproxy_server
-  version: master
+  version: ca23ec42ed4415d469b51851a96d03a90327f515
 - name: keepalived
   scm: git
   src: https://github.com/evrardjp/ansible-keepalived
-  version: master
+  version: 0ddbb93708b8b8c46c765f5aedf33ad38e1cf23d
 - name: lxc_container_create
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-lxc_container_create
-  version: master
+  version: dac2b714c1cfb4ab9f95067150c1b236d1e1ddd1
 - name: lxc_hosts
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-lxc_hosts
-  version: master
+  version: ea3ecc817ff01f065dbef78e4c2dd2dcd860ac76
 - name: memcached_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-memcached_server
-  version: master
+  version: 67c61a1dddedee6de1c62eb93e6a2d95ad924d7b
 - name: openstack_hosts
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts
-  version: master
+  version: f140a2e565dd85e9439f710de7ede89bc3e8afdd
 - name: os_keystone
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_keystone
-  version: master
+  version: f119f18963bd835be3fb7cee230ae39fd7dd38c1
 - name: openstack_openrc
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc
-  version: master
+  version: e7f34fb579acacfc37e6822a0abae4ea38f45b64
 - name: os_aodh
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_aodh
-  version: master
+  version: 2cef94163776e89c9556647cf5c834935aba9613
 - name: os_barbican
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_barbican
-  version: master
+  version: 6d2ef2d12ab6417b5f765884c579236eaa631149
 - name: os_blazar
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_blazar
-  version: master
+  version: cb561cc870af3759cff3f8ecd2c3e1b129eff807
 - name: os_ceilometer
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_ceilometer
-  version: master
+  version: dfff9a818bce73a4c234834b478b40d9b8224716
 - name: os_cinder
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_cinder
-  version: master
+  version: 75019ed6c581c323507220d2425e9061b0905799
 - name: os_congress
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_congress
-  version: master
+  version: aacd9fd317c42f3d143486be7c69b9dc43128acc
 - name: os_designate
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_designate
-  version: master
+  version: c7cfc00ad63aa67d2489665e0e91901c14172810
 - name: os_glance
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_glance
-  version: master
+  version: 9539f40f7c926f582ca49c9e725f721543bbed23
 - name: os_gnocchi
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_gnocchi
-  version: master
+  version: 3038cbd0677bbe365128ee7c78756ed66f15c6b5
 - name: os_heat
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_heat
-  version: master
+  version: f96c2208e0ee0a2c180e15cdd01aaf3af7df9fa9
 - name: os_horizon
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_horizon
-  version: master
+  version: 490ab8f7febb717fd27602bfd43748890f78acef
 - name: os_ironic
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_ironic
-  version: master
+  version: 837fe2ec88d7d7d742369996575afad15af5feb7
 - name: os_magnum
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_magnum
-  version: master
+  version: b020a631b9bd43e0c2341a3e223603295c0eeea0
 - name: os_mistral
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_mistral
-  version: master
+  version: c6dd57141e06b442f07339f9d0617a2ffdb5a275
 - name: os_neutron
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_neutron
-  version: master
+  version: b1f4269ecc1f128e086bccf6d40b4adbdac0ab74
 - name: os_nova
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_nova
-  version: master
+  version: 30952d23ec4a136db2fc741534172795c0086fac
 - name: os_octavia
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_octavia
-  version: master
+  version: eee659d342644de4fc87d15522d2e27f6d3a589e
 - name: os_rally
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_rally
-  version: master
+  version: e32171e7547f0501064f41faea35b64f82eaf103
 - name: os_sahara
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_sahara
-  version: master
+  version: d0a23313ea7964c115fdf39a7300b021bfcf15b4
 - name: os_swift
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_swift
-  version: master
+  version: 430932f274b51e58884065bbefc2c572eb77c94d
 - name: os_tacker
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_tacker
-  version: master
+  version: 886ee2a45724cd7d6b722722c2299f070f5f7623
 - name: os_tempest
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_tempest
-  version: master
+  version: f633e4972526a22945bfa50afdf38d04cfe088b7
 - name: os_trove
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-os_trove
-  version: master
+  version: a2245da5efa8334adaadfda6e3be319014b9de38
 - name: plugins
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-plugins
-  version: master
+  version: 44a8205f5e6773d166b10e71a73aa8d2cbb6296e
 - name: qdrouterd
   scm: git
   src: https://git.openstack.org/openstack/ansible-role-qdrouterd
-  version: master
+  version: 549054335231bbe04590b5ab5ff4bf6b37a8f204
 - name: rabbitmq_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-rabbitmq_server
-  version: master
+  version: 3c40f53f5ee37ce9212272bcde36c832ea1f1031
 - name: repo_build
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-repo_build
-  version: master
+  version: 6638604edf05e27986bb9641dc4e04f5addcda06
 - name: repo_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-repo_server
-  version: master
+  version: 3523911b7f17a3e48fdfca2b7d13e6da6945e37d
 - name: rsyslog_client
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_client
-  version: master
+  version: f11d252212873c6eb16cd2a4276a4cee2dff63fc
 - name: rsyslog_server
   scm: git
   src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server
-  version: master
+  version: 05c8cf0210b5e9c01ecc83991096c64847e4fcdd
 - name: sshd
   scm: git
   src: https://github.com/willshersystems/ansible-sshd
-  version: master
+  version: a84bc84c22bdf97dd19be4559ead8098902305bb
 - name: bird
   scm: git
   src: https://github.com/logan2211/ansible-bird
-  version: master
+  version: 849d60e9f32c41fa13678f63ef815bec59a6822a
 - name: etcd
   scm: git
   src: https://github.com/logan2211/ansible-etcd
-  version: master
+  version: fa1c447b6a979a614fc024725b5ecad215261c4a
 - name: unbound
   scm: git
   src: https://github.com/logan2211/ansible-unbound
-  version: master
+  version: 40e4f0a65d88050f55bf158ceeb2324164d427d0
 - name: resolvconf
   scm: git
   src: https://github.com/logan2211/ansible-resolvconf
-  version: master
+  version: a2ff5ba59b47f96ddddcb7a3a67de93687c317a6
 - name: ceph-ansible
   scm: git
   src: https://github.com/ceph/ceph-ansible
-  version: stable-3.2
+  version: 224bab0d7005142d262dc23f7d42cb38b3c1669b
 - name: opendaylight
   scm: git
   src: https://github.com/opendaylight/integration-packaging-ansible-opendaylight
-  version: master
+  version: 0aebbc250b34ac5ac14b37bdf9b1a2e1cfaa5a76
 - name: haproxy_endpoints
   scm: git
   src: https://github.com/logan2211/ansible-haproxy-endpoints
-  version: master
+  version: 8e3a24a35beb16d717072dc83895c5a1f92689fb
 - name: nspawn_container_create
   src: https://git.openstack.org/openstack/openstack-ansible-nspawn_container_create
   scm: git
-  version: master
+  version: 5a7cb98319aeea34d43d915784a675f8881d7d2a
 - name: nspawn_hosts
   src: https://git.openstack.org/openstack/openstack-ansible-nspawn_hosts
   scm: git
-  version: master
+  version: 241c9fd5038be3d87a2aa025f57f59306ad5c316
 - name: systemd_service
   src: https://git.openstack.org/openstack/ansible-role-systemd_service
   scm: git
-  version: master
+  version: 07f4d977d7a4875be161e3c1b54ad7ef043833c7
 - name: systemd_mount
   src: https://git.openstack.org/openstack/ansible-role-systemd_mount
   scm: git
-  version: master
+  version: b916ed60173ec571e27d120b27a20b84680725ef
 - name: systemd_networkd
   src: https://git.openstack.org/openstack/ansible-role-systemd_networkd
   scm: git
-  version: master
+  version: dff2decc65d0f34b6fa73c508371914576986151
 - name: python_venv_build
   src: https://git.openstack.org/openstack/ansible-role-python_venv_build
   scm: git
-  version: master
+  version: 0e44d4230a4259e88e1d37e8fb2dd12ad6dcc5df

releasenotes/notes/add-cors-config-6326223fe7fa7423.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - It is possible to configure Glance to allow cross origin requests by
+    specifying the allowed origin address using the ``glance_cors_allowed_origin``
+    variable. By default, this will be the load balancer address.

releasenotes/notes/add-nested-virt-1db2270e73d1b34.yaml

@@ -0,0 +1,7 @@
+---
+features:
+    - This role now optionally enables your compute nodes' KVM kernel
+      module nested virtualization capabilities, by setting nova_nested_virt_enabled
+      to true. Depending on your distribution and libvirt version, you might need to
+      set additional variables to fully enabled nested virtualization.
+      For details, please see https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#nested-guest-support.

releasenotes/notes/add-nfs-support-5aacc81dbf3c2270.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - It is now possible to use NFS mountpoints with the role by using the
+    nova_nfs_client variable, which is useful for using NFS for instance
+    data and saves.

releasenotes/notes/add-random-devices-38671b23cb1319b8.yaml

@@ -1,7 +1,7 @@
 ---
 fixes:
   - |
-    Newer releases of CentOS ship a version of libnss that depends on the existance
+    Newer releases of CentOS ship a version of libnss that depends on the existence
     of /dev/random and /dev/urandom in the operating system in order to run.  This
     causes a problem during the cache preparation process which runs inside chroot
     that does not contain this, resulting in errors with the following message.

releasenotes/notes/add-support-for-distro-89611067ce74fc2c.yaml

@@ -0,0 +1,11 @@
+---
+features:
+  - |
+    The ``os_tempest`` role now has the ability to install from distribution packages by setting
+    ``tempest_install_method`` to ``distro``.
+  - |
+    The new variable ``tempest_workspace`` has been introduced to set the location of the tempest
+    workspace.
+  - |
+    The default location of the default tempest configuration is now ``/etc/tempest/tempest.conf``
+    rather than the previous default of ``$HOME/.tempest/etc``.

releasenotes/notes/backup-driver-rename-ca4424a0814ee8af.yaml

@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    In Stein, Cinder stopped supporting configuring backup drivers without
+    the full class path.  This means that you must now use the following
+    values for ``cinder_service_backup_driver``.
+
+    * ``cinder.backup.drivers.swift.SwiftBackupDriver``
+    * ``cinder.backup.drivers.ceph.CephBackupDriver``
+
+    If you do not make this change, the Cinder backup service will refuse
+    to start properly.

releasenotes/notes/blacklist-format-26c6097cf4e813c9.yaml

@@ -0,0 +1,12 @@
+---
+upgrade: >
+    Data structure for ``tempest_test_blacklist`` has been updated to
+    add launchpad and/or bugzilla linked with the test being skipped.
+features:
+  - |
+    Add the launchpad and bugzilla keys in tempest_test_blacklist ansible
+    variable.
+    Developers must have a way to trackdown why a test was inserted in the
+    skiplist, and one of the ways is through bugs. This feature add the
+    information regarding it in the list of skipped tests on os_tempest
+

releasenotes/notes/blazar-horizon-panel-d5ba19273b21d7aa.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The blazar dashboard is available in Horizon. Deployers can enable
+    the panel by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+        horizon_enable_blazar_ui: True

releasenotes/notes/chrony-ntp-server-defaults-7cd2e3a80723e0bd.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - Changed the default NTP server options in ``chrony.conf``. The ``offline``
+    option has been removed, ``minpoll``/``maxpoll`` have been removed in favour of
+    the upstream defaults, while the ``iburst`` option was added to speed up
+    initial time synchronization.

releasenotes/notes/chrony-ntp-server-options-f8f87225a5282e1a.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - It is now possible to modify the NTP server options in chrony using
+    ``security_ntp_server_options``.

releasenotes/notes/chrony-rtc-sync-f46b9a526aec0889.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - Chrony got a new configuration option to synchronize the system clock back
+    to the RTC using the ``security_ntp_sync_rtc`` variable. Disabled by default.

releasenotes/notes/cloudkitty-horizon-panel-c3b616273b21d7aa.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The cloudkitty dashboard is available in Horizon. Deployers can enable
+    the panel by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+        horizon_enable_cloudkitty_ui: True

releasenotes/notes/config-template-move-a0f08aff8e54f62f.yaml

@@ -0,0 +1,7 @@
+---
+other:
+  - |
+    The ``config_template`` action module has now been moved into its own git
+    repository (``openstack/ansible-config_template``). This has been done to
+    simplify the ability to use the plugin in other non OpenStack-Ansible
+    projects.

releasenotes/notes/configurable-scheduler-filters-17ea2ed9d4aa0708.yaml

@@ -0,0 +1,25 @@
+---
+features:
+  - |
+    The list of enabled filters for the Cinder scheduler,
+    `scheduler_default_filters` in `cinder.conf`, could previously be
+    defined only via an entry in ``cinder_cinder_conf_overrides``. You now
+    have the option to instead define a list variable,
+    ``cinder_scheduler_default_filters``, that defines the enabled
+    filters. This is helpful if you either want to disable one of the
+    filters enabled by default (at the time of writing, these are
+    `AvailabilityZoneFilter`, `CapacityFilter`, and
+    `CapabilitiesFilter`), or if conversely you want to add a filter
+    that is normally not enabled, such as `DifferentBackendFilter` or
+    `InstanceLocalityFilter`.
+
+    For example, to enable the `InstanceLocalityFilter` in addition to
+    the normally enabled scheduler filters, use the following variable.
+
+    .. code-block:: yaml
+
+      cinder_scheduler_default_filters:
+        - AvailabilityZoneFilter
+        - CapacityFilter
+        - CapabilitiesFilter
+        - InstanceLocalityFilter

releasenotes/notes/default-lxd-pool-1aa179bd77868cb0.yaml

@@ -0,0 +1,11 @@
+---
+features:
+  - |
+    The nova configuration is updated to always specify an LXD storage pool
+    name when 'nova_virt_type' is 'lxd'. The variable 'lxd_storage_pool' is
+    defaulted to 'default', the LXD default storage pool name. A new variable
+    'lxd_init_storage_pool' is introduced which specifies the underlying
+    storage pool name. 'lxd_init_storage_pool' is used by lxd init when setting
+    up the storage pool. If not provided, lxd init will not use this parameter
+    at all. Please see the lxd man page for further information about the
+    storage pool parameter.

releasenotes/notes/diffmode-e8f9a041f662a2ef.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - Compare dict vars of before and after configuration to determine whether
+    the config keys or values have changed so a configuration file will not
+    be incorrectly marked as changed when only the ordering has changed.
+  - Set diff return variable to a dict of changes applied.

releasenotes/notes/dragonflow-removed-6285225b5525cd50.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    Dragonflow is no longer maintained as an OpenStack project and has
+    therefore been removed from OpenStack-Ansible as a supported ML2
+    driver for neutron.

releasenotes/notes/drop-custom-themes-724c40e5cd69b8e2.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - The ``os_horizon`` role now supports distribution of user custom themes.
+    Deployers can use the new key ``theme_src_archive`` of ``horizon_custom_themes``
+    dictionary to provide absolute path to the archived theme.
+    Only .tar.gz, .tgz, .zip, .tar.bz, .tar.bz2, .tbz, .tbz2 archives are supported.
+    Structure inside archive should be as a standard theme, without any leading folders.
+fixes:
+  - Fixes bug https://bugs.launchpad.net/openstack-ansible/+bug/1778098 where playbook failed, if
+    ``horizon_custom_themes`` is specified, and directory for theme is not provided

releasenotes/notes/enable-tempestconf-support-0bd13c8393c9450b.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Python-tempestconf is a tool that generates a tempest.conf file, based
+    only on the credentials from an openstack installation. It uses the
+    discoverable api from openstack to check for services, features, etc.
+
+    Add the possibility to use python-tempestconf tool to generate tempest.conf
+    file, rather than use the role template.

releasenotes/notes/fix-l3-agent-ha-keepalive-helper-5f1f82c437c8a430.yaml

@@ -0,0 +1,3 @@
+---
+fixes:
+  - Fixes neutron HA routers, by enabling ``neutron-l3-agent`` to invoke the required helper script.

releasenotes/notes/fix_quota-e3d4bf0b896dc393.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Octavia is creating vms, securitygroups, and other things in its
+    project. In most cases the default quotas are not big enough. This
+    will adjust them to (configurable) reasonable values.
+security:
+  - |
+    Avoid setting the quotas too high for your cloud since this can
+    impact the performance of other servcies and lead to a potential
+    Denial-of-Service attack if Loadbalancer quotas are not set
+    properly or RBAC is not properly set up.

releasenotes/notes/fixes_sec_grp_rule_quota-2755da6c2c2ab434.yaml

@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    The quota for security group rules was erroneously set
+    to 100 with the aim to have 100 security group rules
+    per security group instead of to 100*#security group rules.
+    This patch fixes this discrepancy.
+

releasenotes/notes/galera-client-gpg-keys-8b674cee476885d0.yaml

@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    The data structure for ``galera_client_gpg_keys`` has been changed to be
+    a dict passed directly to the applicable apt_key/rpm_key module. As such
+    any overrides would need to be reviewed to ensure that they do not pass
+    any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``galera_client_gpg_keys`` have been changed for
+    all supported platforms will use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.

releasenotes/notes/galera-gpg-keys-96ed45fd1ec4cb14.yaml

@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    The data structure for ``galera_gpg_keys`` has been changed to be
+    a dict passed directly to the applicable apt_key/rpm_key module. As such
+    any overrides would need to be reviewed to ensure that they do not pass
+    any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``galera_gpg_keys`` have been changed for
+    all supported platforms will use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.

releasenotes/notes/http-access-horizon-94c27a0aadb9f1b4.yaml

@@ -0,0 +1,22 @@
+---
+features:
+  - |
+    Horizon has, since OSA's inception, been deployed with HTTPS
+    access enabled, and has had no way to turn it off. Some use-cases
+    may want to access via HTTP instead, so this patch enables
+    the following.
+
+    * Listen via HTTPS on a load balancer, but via HTTP on the
+      horizon host and have the load balancer forward the correct
+      headers. It will do this by default in the integrated build
+      due to the presence of the load balancer, so the current
+      behaviour is retained.
+
+    * Enable HTTPS on the horizon host without a load balancer.
+      This is the role's default behaviour which matches what it
+      always has been.
+
+    * Disable HTTPS entirely by setting ``haproxy_ssl: no`` (which
+      will also disable https on haproxy. This setting is inherited
+      by the new ``horizon_enable_ssl`` variable by default. This
+      is a new option.

releasenotes/notes/install-local-019edab04ffc8347.yaml

@@ -4,5 +4,5 @@ features:
     new variable ``pip_offline_install``. This can be useful
     in environments where the containers lack internet
     connectivity. Please refer to the `limited connectivity installation guide
-    <http://docs.openstack.org/developer/openstack-ansible/install-guide/app-no-internet-connectivity.html#install-pip-through-deployment-host>`_
+    <https://docs.openstack.org/openstack-ansible/latest/#install-pip-through-deployment-host>`_
     for more information.

releasenotes/notes/journal-log-cwbr789hd9b59612.yaml

@@ -0,0 +1,5 @@
+---
+deprecations:
+  - The log path, ``/var/log/blazar`` is no longer used to capture service
+    logs. All logging for the blazar service will now be sent directly to the
+    systemd journal.

releasenotes/notes/keystone-init-config-overrides-1857d5e5bc5a905f.yaml

@@ -5,6 +5,6 @@ features:
   - The task dropping the keystone systemd unit files now uses the
     ``config_template`` action plugin allowing deployers access to
     customize the unit files as they see fit without having to
-    load extra options into the defaults and polute the generic
+    load extra options into the defaults and pollute the generic
     systemd unit file with jinja2 variables and conditionals.
 

releasenotes/notes/legacy-networking-convert-networkd-5b514e604df7c429.yaml

@@ -5,5 +5,5 @@ features:
     single, common, networking functionality to across multiple distros.
   - All of the pre/post up, and pre/post down adhoc command options have been
     converted to using systemd "oneshot" services. This conversion allows all
-    supported distros to benifit from the ability to run adhoc commands before
+    supported distros to benefit from the ability to run adhoc commands before
     and after networking is available on both start-up and shut-down.

releasenotes/notes/letsencrypt-ssl-certification-129a80cb88d8e6ff.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    If Horizon dashboard of OSA installation has a public FQDN, is it
+    now possible to use LetsEncrypt certification service. Certificate
+    will be generated within HAProxy installation and a cron entry to
+    renew the certificate daily will be setup.
+    Note that there is no certificate distribution implementation at
+    this time, so this will only work for a single haproxy-server
+    environment.

releasenotes/notes/lxc-host-machine-vars-5d11b1f269167fd3.yaml

@@ -0,0 +1,15 @@
+---
+fixes:
+  - |
+    When using LXC containers with a copy-on-write back-end, the ``lxc_hosts``
+    role execution would fail due to undefined variables with the
+    ``nspawn_host_`` prefix. This issue has now been fixed.
+deprecations:
+  - |
+    The following variable name changes have been implemented in order to
+    better reflect their purpose.
+
+    * ``lxc_host_machine_quota_disabled`` -> ``lxc_host_btrfs_quota_disabled``
+    * ``lxc_host_machine_qgroup_space_limit`` -> ``lxc_host_btrfs_qgroup_space_limit``
+    * ``lxc_host_machine_qgroup_compression_limit`` -> ``lxc_host_btrfs_qgroup_compression_limit``
+

releasenotes/notes/masakari-horizon-panel-c058881e1268b3b7.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The masakari dashboard is available in Horizon. Deployers can enable
+    the panel by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+        horizon_enable_masakari_ui: True

releasenotes/notes/mysqlcheck-options-60fae226d8d4f3ca.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - It is now possible for deployers to enable or disable the `mysqlcheck`
+    capability. The Boolean option `galera_monitoring_check_enabled` has
+    been added which has a default value of **true**.
+  - It is now possible to change the port used by `mysqlcheck`. The integer
+    option `galera_monitoring_check_port` has been added with the default
+    value of **9200**.

releasenotes/notes/neutron-opendaylight-sfc-support-8b249b8f8efbc087.yaml

@@ -0,0 +1,29 @@
+---
+features:
+  - |
+    The Neutron Service Function Chaining Extension (SFC) can optionally be deployed and
+    configured by defining the following service plugins:
+
+    * ``flow_classifier``
+    * ``sfc``
+
+    .. code-block:: yaml
+
+      neutron_plugin_base:
+      - router
+      - metering
+      - flow_classifier
+      - sfc
+
+    For more information about SFC in Neutron, refer to the following:
+
+    * `Service Function Chaining Extension for OpenStack Networking
+      <https://docs.openstack.org/networking-sfc/latest/>`_
+
+upgrade:
+  - |
+    The plugin names for the classifier and sfc changed:
+
+    * networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin => flow_classifier
+
+    * networking_sfc.services.sfc.plugin.SfcPlugin => sfc

releasenotes/notes/neutron-opendaylight-support-453dc9324eafaae7.yaml

@@ -5,4 +5,4 @@ features:
     You can set the ``neutron_plugin_type`` to
     ``ml2.opendaylight`` to utilize this code path.
     The usage of ``OpenDaylight`` is currently experimental.
-    Two versions are currently supported: Nitrogen and Oxygen.
+    Two versions are currently supported - Nitrogen and Oxygen.

releasenotes/notes/neutron-ovs-interface-mappings-789902128b82e721.yaml

@@ -0,0 +1,22 @@
+---
+features:
+  - |
+    The ``provider_networks`` library has been updated to support the
+    definition of network interfaces that can automatically be added as ports
+    to OVS provider bridges setup during a deployment. To activate this feature,
+    add the ``network_interface`` key to the respective flat and/or vlan provider
+    network definition in ``openstack_user_config.yml``. For more information,
+    refer to the latest Open vSwitch deployment guide.
+upgrade:
+  - |
+    The ``provider_networks`` library has been updated to support the
+    definition of network interfaces that can automatically be added as ports
+    to OVS provider bridges setup during a deployment. As a result, the
+    ``network_interface`` value applied to the ``neutron_provider_networks``
+    override in ``user_variables.yml``, as described in previous Open vSwitch
+    deployment guides, is no longer effective. If overrides are
+    necessary, use ``network_interface_mappings`` within the provider network
+    override and specify the respective bridge-to-interface mapping
+    (e.g. "br-provider:bond1"). For more information, refer to the latest Open
+    vSwitch deployment guide.
+

releasenotes/notes/neutron-sriov-50c0099554574d01.yaml

@@ -3,5 +3,5 @@ features:
   - Neutron SR-IOV can now be optionally deployed and configured.
     For details about the what the service is and what it provides, see the
     `SR-IOV Installation Guide
-    <http://docs.openstack.org/developer/openstack-ansible-os_neutron/configure-network-services.html#sr--iov-support-optional>`_
+    <https://docs.openstack.org/openstack-ansible-os_neutron/latest/configure-network-services.html#sr--iov-support-optional>`_
     for more information.

releasenotes/notes/neutron-vpnaas-dashboard-19f4ef09faae1f70.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    VPNaaS dashboard is again available in Horizon. Deployers can enable
+    the panel by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+        horizon_enable_neutron_vpnaas: True

releasenotes/notes/nova-cpu-model-006da20048168842.yaml

@@ -0,0 +1,18 @@
+---
+features:
+  - You can now set the Libvirt CPU model and feature flags from the
+    appropriate entry under the ``nova_virt_types`` dictionary variable
+    (normally ``kvm``).
+    ``nova_cpu_model`` is a string value that sets the CPU model; this
+    value is ignored if you set any ``nova_cpu_mode`` other than
+    ``custom``.
+    ``nova_cpu_model_extra_flags`` is a list that allows you to specify
+    extra CPU feature flags not normally passed through with
+    ``host-model``, or the ``custom`` CPU model of your choice.
+upgrade:
+  - If your configuration previously set the ``libvirt/cpu_model``
+    and/or ``libvirt/cpu_model_extra_flags`` variables in a
+    ``nova_nova_conf_overrides`` dictionary, you should consider
+    moving those to ``nova_cpu_model`` and
+    ``nova_cpu_model_extra_flags`` in the appropriate entry (normally
+    ``kvm``) in the ``nova_virt_types`` dictionary.

releasenotes/notes/nova-init-config-overrides-ffce7e419061c4da.yaml

@@ -5,6 +5,6 @@ features:
   - The task dropping the designate systemd unit files now uses the
     ``config_template`` action plugin allowing deployers access to
     customize the unit files as they see fit without having to
-    load extra options into the defaults and polute the generic
+    load extra options into the defaults and pollute the generic
     systemd unit file with jinja2 variables and conditionals.
 

releasenotes/notes/octavia-service-setup-host-d57533fdea394394.yaml

@@ -12,7 +12,14 @@ features:
       octavia_service_setup_host: "{{ groups['utility_all'][0] }}"
 
 deprecations:
+  - |
+    The variable ``octavia_requires_pip_packages`` is no longer required
+    and has therefore been removed.
   - |
     The variable ``octavia_image_downloader`` has been removed. The image
     download now uses the same host designated by the
     ``octavia_service_setup_host`` for the image download.
+  - |
+    The variable ``octavia_ansible_endpoint_type`` has been removed. The
+    endpoint used for ansible tasks has been hard set to the 'admin'
+    endpoint as is commonly used across all OSA roles.

releasenotes/notes/os-keystone-remove-service-user-f2100fa3127c7c2e.yaml

@@ -0,0 +1,7 @@
+---
+upgrade:
+  - |
+    The tasks creating a keystone service user have been removed, along with
+    related variables ``keystone_service_user_name`` and
+    ``keystone_service_password``. This user can be deleted in existing
+    deployments.

releasenotes/notes/os_cinder-private-volume-type-9b2cc92c6c74c277.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - Deployers can now define a cinder-backend volume type
+    explicitly private or public with option ``public``
+    set to true or false.

releasenotes/notes/plugins-container-user-remote-tmp-0efec059fd04eae2.yaml

@@ -0,0 +1,6 @@
+---
+issues:
+  - |
+    When using the connection plugin's ``container_user`` option,
+    ``ansible_remote_tmp`` should be set to a system writable path
+    such as '/var/tmp/'.

releasenotes/notes/rabbitmq-gpg-keys-042a47164265ea40.yaml

@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    The data structure for ``rabbitmq_gpg_keys`` has been changed to be
+    a dict passed directly to the applicable apt_key/rpm_key module. As such
+    any overrides would need to be reviewed to ensure that they do not pass
+    any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``rabbitmq_gpg_keys`` have been changed for
+    all supported platforms will use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.

releasenotes/notes/rabbitmq-server-ha-policy-d4e9b46cb5922032.yaml

@@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    The default queue policy has changed to ``^(?!(amq\.)|(.*_fanout_)|(reply_)).*``
+    instead of ``^(?!amq\.).*`` for efficiency.
+    The new HA policy excludes reply queues (these queues have a single consumer and TTL policy),
+    fanout queues (they have the TTL policy) and
+    amq queues (they are auto-delete queues, with a single consumer).

releasenotes/notes/remove-machinectl-workarounds-d67a4739f6385f54.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - With the release of CentOS 7.6, deployments were breaking and becoming very
+    slow when we restart dbus in order to catch some PolicyKit changes. However,
+    those changes were never actaully used so they were happening for no reason.
+    We no longer make any modifications to the systemd-machined configuration
+    and/or PolicyKit to maintain upstream compatibility.

releasenotes/notes/remove-pkg-cache-afba3577138dc0a0.yaml

@@ -0,0 +1,22 @@
+---
+deprecations:
+  - |
+    The package cache on the repo server has been removed. If caching of
+    packages is desired, it should be setup outside of OpenStack-Ansible
+    and the variable ``lxc_container_cache_files`` (for LXC containers)
+    or ``nspawn_container_cache_files_from_host`` (for nspawn containers)
+    can be used to copy the appropriate host configuration from the host
+    into the containers on creation. Alternatively, environment variables
+    can be set to use the cache in the host /etc/environment file prior
+    to container creation, or the ``deployment_environment_variables``
+    can have the right variables set to use it. The following variables
+    have been removed.
+
+    * ``repo_pkg_cache_enabled``
+    * ``repo_pkg_cache_port``
+    * ``repo_pkg_cache_bind``
+    * ``repo_pkg_cache_dirname``
+    * ``repo_pkg_cache_dir``
+    * ``repo_pkg_cache_owner``
+    * ``repo_pkg_cache_group``
+

releasenotes/notes/remove-proxy-no-cache-9b514030c87e7d1b.yaml

@@ -0,0 +1,14 @@
+---
+other:
+  - |
+    Code which added 'Acquire::http:No-Cache true' to the host and container
+    apt preferences when http proxy environment variables were set has been
+    removed. This setting is only required when working around issues
+    introduced by badly configured http proxies. In some cases proxies can
+    improperly cache the apt Releases and Packages files leading to package
+    installation errors. If a deployment is behind a badly configured proxy,
+    the deployer can add the necessary apt config fragment as part of host
+    provisioning. OSA will replicate that config into any containers that
+    are created. This setting can be removed from existing deployments if
+    required by manually deleting the file
+    ``/etc/apt/apt.conf.d/00apt-no-cache`` from all host and containers.

releasenotes/notes/remove-tempest-image-dir-owner-ec10dfa5bb9f87f1.yaml

@@ -0,0 +1,5 @@
+---
+upgrade:
+  - The variable ``tempest_image_dir_owner`` is removed in
+    favour of using default ansible user to create the
+    image directory.

releasenotes/notes/remove_oslomsg_server-6b5c19e03a001e85.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - The variables ``ceilometer_oslomsg_rpc_servers`` and
+    ``ceilometer_oslomsg_notify_servers`` have been
+    removed in favour of using ``ceilometer_oslomsg_rpc_host_group``
+    and ``ceilometer_oslomsg_notify_host_group`` instead.

releasenotes/notes/repo-build-venv-removed-80686a21b693b0cd.yaml

@@ -0,0 +1,21 @@
+---
+deprecations:
+  - |
+    The repo build process no longer builds packaged venvs. Instead, the venvs
+    are created on the target hosts as the install process for each service
+    needs to. This opens up the opportunity for roles to be capable of creating
+    multiple venvs, and for any role to create venvs - neither of these options
+    were possible in previous releases.
+
+    The following variables therefore have been removed.
+
+    * ``repo_build_venv_selective``
+    * ``repo_build_venv_rebuild``
+    * ``repo_build_venv_timeout``
+    * ``repo_build_concurrency``
+    * ``repo_build_venv_build_dir``
+    * ``repo_build_venv_dir``
+    * ``repo_build_venv_pip_install_options``
+    * ``repo_build_venv_command_options``
+    * ``repo_venv_default_pip_packages``
+

releasenotes/notes/smart-sources-59cd0811dcf1ae49.yaml

@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    Due to the smart-reources implementation, variables, related to custom git path
+    of exact config files were removed. Now all config files are taken from
+    upstream git repo, but overrides and client configs are still supported.
+    The following variables are not supported now:
+    * ceilometer_git_config_lookup_location
+    * ceilometer_data_meters_git_file_path
+    * ceilometer_event_definitions_git_file_path
+    * ceilometer_gnocchi_resources_git_file_path
+    * ceilometer_loadbalancer_v2_meter_definitions_git_file_path
+    * ceilometer_osprofiler_event_definitions_git_file_path
+    * ceilometer_polling_git_file_path
+    If you are maintaining custom ceilometer git repository, you still may use
+    ``ceilometer_git_repo`` variable, to provide url to your git repository.

releasenotes/notes/swift-init-config-overrides-822ec734e02a0dd1.yaml

@@ -5,6 +5,6 @@ features:
   - The task dropping the swift systemd unit files now uses the
     ``config_template`` action plugin allowing deployers access to
     customize the unit files as they see fit without having to
-    load extra options into the defaults and polute the generic
+    load extra options into the defaults and pollute the generic
     systemd unit file with jinja2 variables and conditionals.
 

releasenotes/notes/tacker-horizon-panel-c3x916273c21d70a.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The tacker dashboard is available in Horizon. Deployers can enable
+    the panel by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+        horizon_enable_tacker_ui: True

releasenotes/notes/tempest-service-setup-host-da08c1d4775ea0d1.yaml

@@ -0,0 +1,25 @@
+---
+features:
+  - |
+    The service setup in keystone for tempest will now be executed
+    through delegation to the ``tempest_service_setup_host`` which,
+    by default, is ``localhost`` (the deploy host). Deployers can
+    opt to rather change this to the utility container by implementing
+    the following override in ``user_variables.yml``.
+
+    .. code-block:: yaml
+
+      tempest_service_setup_host: "{{ groups['utility_all'][0] }}"
+  - |
+    Rather than a hard-coded set of projects and users, tempest can
+    now be configured with a custom list with the variables
+    ``tempest_projects`` and ``tempest_users``.
+
+deprecations:
+  - |
+    The variable ``tempest_requires_pip_packages`` is no longer required
+    and has therefore been removed.
+  - |
+    The variable ``tempest_image_downloader`` has been removed. The image
+    download now uses the same host designated by the
+    ``tempest_service_setup_host`` for the image download.

releasenotes/notes/tls12-only-2025a08207fd562e.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS version has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the barbican_ssl_protocol
+    variable.

releasenotes/notes/tls12-only-40fea49efdb9d4dd.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS version has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the horizon_ssl_protocol
+    variable.

releasenotes/notes/tls12-only-75222cbe8c32ad57.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS verion has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the keystone_ssl_protocol
+    variable.

releasenotes/notes/tls12-only-9b74e96cfd47a634.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS version has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the gnocchi_ssl_protocol
+    variable.

releasenotes/notes/tls12-only-a22d5f3f8198617f.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS version has been set to force-tlsv12.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the haproxy_ssl_bind_options
+    variable.

releasenotes/notes/tls12-only-d7221a33188dc7a0.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS version has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the trove_ssl_protocol
+    variable.

releasenotes/notes/top_ini_section-c28d7acadf5fe836.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - Allow the default section in an ini file to be specified
+    using the ``default_section`` variable when calling a
+    ``config_template`` task. This defaults to ``DEFAULT``.

releasenotes/notes/update-mariadb-to-10.2-a70764ae400aadf6.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The MariaDB version has been bumped to 10.2

releasenotes/notes/update-mariadb-to-10.2-b99a87ed0bb60b37.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The MariaDB version has been bumped to 10.2

releasenotes/notes/use_vendored_gpg_keys-f268bd4f4cb7d105.yaml

@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    The data structure for ``ceph_gpg_keys`` has been changed to be a list of
+    dicts, each of which is passed directly to the applicable apt_key/rpm_key
+    module. As such any overrides would need to be reviewed to ensure that they
+    do not pass any key/value pairs which would cause the module to fail.
+  - |
+    The default values for ``ceph_gpg_keys`` have been changed for all
+    supported platforms and now use vendored keys. This means that the task
+    execution will no longer reach out to the internet to add the keys,
+    making offline or proxy-based installations easier and more reliable.
+  - |
+    A new value ``epel_gpg_keys`` can be overridden to use a different GPG key
+    for the EPEL-7 RPM package repo instead of the vendored key used by default.
+

releasenotes/notes/watcher-horizon-panel-c3b616273c21d70a.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The watcher dashboard is available in Horizon. Deployers can enable
+    the panel by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+        horizon_enable_watcher_ui: True

releasenotes/notes/zun-horizon-panel-c3b616283b21d9ba.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The zun dashboard is available in Horizon. Deployers can enable
+    the panel by setting the following Ansible variable:
+
+    .. code-block:: yaml
+
+        horizon_enable_zun_ui: True