diff --git a/ansible-role-requirements.yml b/ansible-role-requirements.yml index 37e02a3530..23bc0d6110 100644 --- a/ansible-role-requirements.yml +++ b/ansible-role-requirements.yml @@ -1,31 +1,31 @@ - name: ansible-hardening scm: git src: https://git.openstack.org/openstack/ansible-hardening - version: master + version: 46a94c72518f83d27b25a5fa960dde7130956215 - name: apt_package_pinning scm: git src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning - version: master + version: eba07d7dd7962d90301c49fc088551f9b35f367a - name: pip_install scm: git src: https://git.openstack.org/openstack/openstack-ansible-pip_install - version: master + version: 32c27505c6e0ee00ea0fb4a1c62240c60f17a0e3 - name: galera_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_client - version: master + version: 9a8302cbba24ea4e5907567e5f93e874d30d79df - name: galera_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_server - version: master + version: aa452989d7295111962f67a3f3a96d96bc408846 - name: ceph_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-ceph_client - version: master + version: 34a04f7b24c80297866bc5ab56618e2211b1d5f9 - name: haproxy_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-haproxy_server - version: master + version: 9966fd96fede46c3b00c9e069e402eae90c66f17 - name: keepalived scm: git src: https://github.com/evrardjp/ansible-keepalived @@ -33,135 +33,135 @@ - name: lxc_container_create scm: git src: https://git.openstack.org/openstack/openstack-ansible-lxc_container_create - version: master + version: 68f81c679be88577633f98e8b9252a62bdcef754 - name: lxc_hosts scm: git src: https://git.openstack.org/openstack/openstack-ansible-lxc_hosts - version: master + version: 84ac3442e542aeedf1396c88e0387b4ea1548eb1 - name: memcached_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-memcached_server - version: master + version: ae6f721dc0342e1e7b45ff2448ab51f7539dc01f - name: openstack_hosts scm: git src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts - version: master + version: 05c7f09d181de1809fd596cc0d879c49e3f86bbf - name: os_keystone scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_keystone - version: master + version: cd9d4ef7d8614d241fa40ba33c1c205fd2b47fa1 - name: openstack_openrc scm: git src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc - version: master + version: d594c2debc249daa5b7f6f2890f546093efd1ee5 - name: os_aodh scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_aodh - version: master + version: ce871dee75511f94bfd24dde8f97e573cf6d3ead - name: os_barbican scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_barbican - version: master + version: c3e191037d0978479e3cb95a59b2986adab28c69 - name: os_ceilometer scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_ceilometer - version: master + version: 55bb04eaad4dd5c7fdad742b3557dc30dc9d45bf - name: os_cinder scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_cinder - version: master + version: 536dd3446e0fc7fc68ab42b982ac9affc4215787 - name: os_designate scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_designate - version: master + version: a65d7a3394aef340ff94587dd0bb48133ed00763 - name: os_glance scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_glance - version: master + version: 43aa00424f233a6125f7a9216cec42da1d8ca4c5 - name: os_gnocchi scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_gnocchi - version: master + version: b1f7574dc529f8298a983d8d0e09520e90b571a8 - name: os_heat scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_heat - version: master + version: 8fcd29197797eef409254605f0ce73ef8d1bda6b - name: os_horizon scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_horizon - version: master + version: 28f21f56b74a612c2e3b6f9c4866391128a91219 - name: os_ironic scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_ironic - version: master + version: a90558f7a216e5e661c5d1a4048dbe30559542d1 - name: os_magnum scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_magnum - version: master + version: 736d1707339cb99396578018a6bda7af9184fb02 - name: os_molteniron scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_molteniron - version: master + version: 9b4c104a252c453bcd798fec9dbae7224b3d8001 - name: os_neutron scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_neutron - version: master + version: 962cd92243641092412b6ef09a41bbf5e698c4a1 - name: os_nova scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_nova - version: master + version: 53df001c9034f198b9349def3c9158f8bbe43ff3 - name: os_octavia scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_octavia - version: master + version: 02ad3c68802287a1ba54cf10de085dcd14c324d8 - name: os_rally scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_rally - version: master + version: bc9075dba204e64d11cb397017d32b0c2297eed0 - name: os_sahara scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_sahara - version: master + version: 3c45121050ba21bd284f054d7b82a338f347157f - name: os_swift scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_swift - version: master + version: f31217bb097519f15755f2337165657d7eb6b014 - name: os_tacker scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_tacker - version: master + version: d95902891c4e6200510509c066006c921cfff8df - name: os_tempest scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_tempest - version: master + version: 703ea4ad12332e1f98b46f6c3c4ad8ac18189e28 - name: os_trove scm: git src: https://git.openstack.org/openstack/openstack-ansible-os_trove - version: master + version: b425fa316999d0863a44126f239a33d8c3fec3a6 - name: plugins scm: git src: https://git.openstack.org/openstack/openstack-ansible-plugins - version: master + version: d2f60237761646968a4b39b15185fb5c84e7386f - name: rabbitmq_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-rabbitmq_server - version: master + version: 311f76890c8f99cb0b46958775d84de614609323 - name: repo_build scm: git src: https://git.openstack.org/openstack/openstack-ansible-repo_build - version: master + version: 59a3f444c263235d8f0f584da8768656179fa02a - name: repo_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-repo_server - version: master + version: 7889f37cdd2a90b4b98e8ef2e886f1fd4950fc0a - name: rsyslog_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_client - version: master + version: 310cfe9506d3742be10790533ad0d16100d81498 - name: rsyslog_server scm: git src: https://git.openstack.org/openstack/openstack-ansible-rsyslog_server - version: master + version: ba7bb699c0c874c7977add86ca308ca18be8f9a8 - name: sshd scm: git src: https://github.com/willshersystems/ansible-sshd diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml index d598b1af3e..5ded2dbf10 100644 --- a/group_vars/all/all.yml +++ b/group_vars/all/all.yml @@ -14,7 +14,7 @@ # limitations under the License. ## OpenStack Source Code Release -openstack_release: master +openstack_release: 17.0.0.0b2 ## Verbosity Options debug: False diff --git a/releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml b/releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml new file mode 100644 index 0000000000..ecd318f5d7 --- /dev/null +++ b/releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml @@ -0,0 +1,8 @@ +--- +security: + - | + The following headers were added as additional default (and static) values. + `X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and + `Content-Security-Policy "default-src 'self' https: wss:;"`. Additionally, + the `X-Frame-Options DENY` header was added, defaulting to DENY. You may + override the header via the `keystone_x_frame_options` variable. diff --git a/releasenotes/notes/clustecheck-9311d05fb32f13b3.yaml b/releasenotes/notes/clustecheck-9311d05fb32f13b3.yaml new file mode 100644 index 0000000000..f40f9799dd --- /dev/null +++ b/releasenotes/notes/clustecheck-9311d05fb32f13b3.yaml @@ -0,0 +1,7 @@ +--- +features: + - The galera cluster now supports cluster health checks over HTTP using port + 9200. The new cluster check ensures a node is healthy by running a simple + query against the wsrep sync status using monitoring user. This change will + provide for a more robust cluster check ensuring we have the most fault + tolerant galera cluster possible. diff --git a/releasenotes/notes/custom_eventstreamer_queue_url-a1dcd1f6769816c5.yaml b/releasenotes/notes/custom_eventstreamer_queue_url-a1dcd1f6769816c5.yaml new file mode 100644 index 0000000000..ce58dbe000 --- /dev/null +++ b/releasenotes/notes/custom_eventstreamer_queue_url-a1dcd1f6769816c5.yaml @@ -0,0 +1,17 @@ +--- +features: + - | + A typical OSA install will put the neutron and octavia queues on different + vhosts thus preventing the event streamer from working While octavia is + streaming to its own queue the consumer on the neutron side listens to the + neutron queue. With a recent octavia enhancement a separate queue for the + event streamer can be configured. This patch will set up the event + streamer to post into the neutron queue using neutron's credentials. Thus + reaching the consumer on the neutron-lbaas side and allowing for + streaming. +security: + - | + Since we use neutron's credentials to access the queue, security conscious + people might want to set up an extra user for octavia on the neutron queue + restricted to the topics octavia posts to. + diff --git a/releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml b/releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml new file mode 100644 index 0000000000..f32f2de1c9 --- /dev/null +++ b/releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Generating and validating checksums for all files installed by packages is now + disabled by default. The check causes delays in playbook runs and it can + consume a significant amount of CPU and I/O resources. Deployers can re-enable + the check by setting ``security_check_package_checksums`` to ``yes``. diff --git a/releasenotes/notes/disable-ksm-670aeb175826b7ca.yaml b/releasenotes/notes/disable-ksm-670aeb175826b7ca.yaml new file mode 100644 index 0000000000..f3eba636da --- /dev/null +++ b/releasenotes/notes/disable-ksm-670aeb175826b7ca.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - KSM configuration is changed to disabled by default on Ubuntu. + If you overcommit the RAM on your hypervisor it's a good + idea to set ``nova_compute_ksm_enabled`` to ``True``. diff --git a/releasenotes/notes/gid-and-uid-cinder-system-user-support-f69b87b4876c0dd8.yaml b/releasenotes/notes/gid-and-uid-cinder-system-user-support-f69b87b4876c0dd8.yaml new file mode 100644 index 0000000000..86ca88d25d --- /dev/null +++ b/releasenotes/notes/gid-and-uid-cinder-system-user-support-f69b87b4876c0dd8.yaml @@ -0,0 +1,5 @@ +--- +other: + - Added support for specifying GID and UID for cinder system user by defining + ``cinder_system_user_uid`` and ``cinder_system_group_gid``. This setting is + optional. \ No newline at end of file diff --git a/releasenotes/notes/glance-v2-api-only-0d4a61b0d4dade18.yaml b/releasenotes/notes/glance-v2-api-only-0d4a61b0d4dade18.yaml new file mode 100644 index 0000000000..8ca76496be --- /dev/null +++ b/releasenotes/notes/glance-v2-api-only-0d4a61b0d4dade18.yaml @@ -0,0 +1,22 @@ +--- +upgrade: + - | + The glance v1 API is now disabled by default as the API is scheduled + to be removed in Queens. + - | + The glance registry service is now disabled by default as it is not + required for the v2 API and is scheduled to be removed in the future. + The service can be enabled by setting ``glance_enable_v2_registry`` + to ``True``. +deprecations: + - | + The ``glance_enable_v1_registry`` variable has been removed. When using + the glance v1 API the registry service is required, so having a variable + to disable it makes little sense. The service is now enabled/disabled + for the v1 API using the ``glance_enable_v1_api`` variable. +fixes: + - | + When the ``glance_enable_v2_registry`` variable is set to ``True`` the + corresponding ``data_api`` setting is now correctly set. Previously it + was not set and therefore the API service was not correctly informed + that the registry was operating. diff --git a/releasenotes/notes/horizon-arbitrary-config-8a36e4bd6818afe1.yaml b/releasenotes/notes/horizon-arbitrary-config-8a36e4bd6818afe1.yaml index 66a8dccca5..a6271fb944 100644 --- a/releasenotes/notes/horizon-arbitrary-config-8a36e4bd6818afe1.yaml +++ b/releasenotes/notes/horizon-arbitrary-config-8a36e4bd6818afe1.yaml @@ -3,4 +3,4 @@ features: - Horizon now has the ability to set arbitrary configuration options using global option ``horizon_config_overrides`` in YAML format. The overrides follow the same pattern found within the other OpenStack service - overrides. `General documentation on overrides can be found here `_. + overrides. `General documentation on overrides can be found here `_. diff --git a/releasenotes/notes/launch-instance-defaults-support-533844543082b2f4.yaml b/releasenotes/notes/launch-instance-defaults-support-533844543082b2f4.yaml index bd9ab8e63f..0953ce5733 100644 --- a/releasenotes/notes/launch-instance-defaults-support-533844543082b2f4.yaml +++ b/releasenotes/notes/launch-instance-defaults-support-533844543082b2f4.yaml @@ -3,4 +3,4 @@ features: - It is now possible to use the horizon_launch_instance_defaults variable that allows customizing the default values for properties found in the Launch Instance modal, using the LAUNCH_INSTANCE_DEFAULTS config option. - See https://docs.openstack.org/developer/horizon/install/settings.html#launch-instance-defaults + See https://docs.openstack.org/horizon/latest/configuration/settings.html#launch-instance-defaults diff --git a/releasenotes/notes/lxc-cache-prep-timeout-97dc18882f7b1e76.yaml b/releasenotes/notes/lxc-cache-prep-timeout-97dc18882f7b1e76.yaml new file mode 100644 index 0000000000..781e46e40e --- /dev/null +++ b/releasenotes/notes/lxc-cache-prep-timeout-97dc18882f7b1e76.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + The maximum amount of time to wait until forcibly failing the + LXC cache preparation process is now configurable using the + ``lxc_cache_prep_timeout`` variable. The value is specified + in seconds, with the default being 20 minutes. diff --git a/releasenotes/notes/neutron-bgp-552e6e1f6d37f38d.yaml b/releasenotes/notes/neutron-bgp-552e6e1f6d37f38d.yaml index 468f7a1831..e1c4ddfd45 100644 --- a/releasenotes/notes/neutron-bgp-552e6e1f6d37f38d.yaml +++ b/releasenotes/notes/neutron-bgp-552e6e1f6d37f38d.yaml @@ -2,7 +2,7 @@ features: - "Neutron BGP dynamic routing plugin can now optionally be deployed and configured. Please see `OpenStack Networking Guide: BGP dynamic routing - `_ + `_ for details about what the service is and what it provides." upgrade: - Database migration tasks have been added for the dynamic routing neutron diff --git a/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml index 3048dad9a6..2042d69b49 100644 --- a/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml +++ b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml @@ -2,9 +2,9 @@ features: - Neutron Firewall as a Service (FWaaS) can now optionally be deployed and configured. Please see the `FWaaS Configuration Reference - `_ + `_ for details about the what the service is and what it provides. See the - `FWaaS Install Guide `_ + `FWaaS Install Guide `_ for implementation details. upgrade: - Database migration tasks have been added for the FWaaS neutron plugin. diff --git a/releasenotes/notes/neutron-vpnaas-5c7c6508f2cc05c5.yaml b/releasenotes/notes/neutron-vpnaas-5c7c6508f2cc05c5.yaml index 2fe9709ed0..178163823c 100644 --- a/releasenotes/notes/neutron-vpnaas-5c7c6508f2cc05c5.yaml +++ b/releasenotes/notes/neutron-vpnaas-5c7c6508f2cc05c5.yaml @@ -2,7 +2,7 @@ features: - Neutron VPN as a Service (VPNaaS) can now optionally be deployed and configured. Please see the `OpenStack Networking Guide - `_ for details + `_ for details about the what the service is and what it provides. See the - `VPNaaS Install Guide `_ + `VPNaaS Install Guide `_ for implementation details. diff --git a/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml new file mode 100644 index 0000000000..8707d2979e --- /dev/null +++ b/releasenotes/notes/new_healthcheck-9e559565745defd0.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Galera healthcheck has been improved, and relies on an xinetd service. + By default, the service is unaccessible (filtered with the no_access + directive). You can override the directive by setting any xinetd + valid value to ``galera_monitoring_allowed_source``. diff --git a/releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml b/releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml index 9d2ccefef9..a5784e379b 100644 --- a/releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml +++ b/releasenotes/notes/ng-instance-management-f9134fc283aa289c.yaml @@ -2,7 +2,7 @@ features: - The horizon next generation instance management panels have been enabled by default. This changes horizon to use the upstream defaults - instead of the legacy panels. `Documentation can be found here `_. + instead of the legacy panels. `Documentation can be found here `_. upgrade: - | The default horizon instance launch panels have been changed to the diff --git a/releasenotes/notes/openvswitch-nsh-support-a9f86a929e072cea.yaml b/releasenotes/notes/openvswitch-nsh-support-a9f86a929e072cea.yaml new file mode 100644 index 0000000000..9a1749cd38 --- /dev/null +++ b/releasenotes/notes/openvswitch-nsh-support-a9f86a929e072cea.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Open vSwitch dataplane with NSH support has been implemented. + This feature may be activated by setting ``ovs_nsh_support: True`` + in ``/etc/openstack_deploy/user_variables.yml``. diff --git a/releasenotes/notes/os-tempest-roles-cead45b2cd38811f.yaml b/releasenotes/notes/os-tempest-roles-cead45b2cd38811f.yaml new file mode 100644 index 0000000000..6012779403 --- /dev/null +++ b/releasenotes/notes/os-tempest-roles-cead45b2cd38811f.yaml @@ -0,0 +1,5 @@ +--- +features: + - A new variable, ``tempest_roles``, has been added to the + os_tempest role allowing users to define keystone roles + to be during tempest testing. diff --git a/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml b/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml new file mode 100644 index 0000000000..ebe6b02f88 --- /dev/null +++ b/releasenotes/notes/permitrootlogin_options-a62e33ccc4a69657.yaml @@ -0,0 +1,8 @@ +--- +features: + - The ``security_sshd_permit_root_login`` setting can + now be set to change the ``PermitRootLogin`` setting + in ``/etc/ssh/sshd_config`` to any of the possible + options. Set ``security_sshd_permit_root_login`` to + one of ``without-password``, ``prohibit-password``, + ``forced-commands-only``, ``yes`` or ``no``. diff --git a/releasenotes/notes/pypiserver-pypi-cache-216e9e087f6d3f24.yaml b/releasenotes/notes/pypiserver-pypi-cache-216e9e087f6d3f24.yaml new file mode 100644 index 0000000000..b43d0123fe --- /dev/null +++ b/releasenotes/notes/pypiserver-pypi-cache-216e9e087f6d3f24.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + The repo server now implements nginx as a reverse proxy for python + packages sourced from pypi. The initial query will be to a local + deployment of pypiserver in order to serve any locally built packages, + but if the package is not available locally it will retry + the query against the upstream pypi mirror set in the variable + ``repo_nginx_pypi_upstream`` (defaults to pypi) and cache the response. diff --git a/releasenotes/notes/remove-duplicated-download-99a9ec5bfe4ba749.yaml b/releasenotes/notes/remove-duplicated-download-99a9ec5bfe4ba749.yaml new file mode 100644 index 0000000000..c02b3535f8 --- /dev/null +++ b/releasenotes/notes/remove-duplicated-download-99a9ec5bfe4ba749.yaml @@ -0,0 +1,37 @@ +--- +features: + - | + The ``tempest_images`` data structure for the ``os_tempest`` role + now expects the values for each image to include ``name`` (optionally) + and ``format`` (the disk format). Also, the optional variable ``checksum`` + may be used to set the checksum expected for the file in the format + ``:``. + - | + The default location for the image downloads in the ``os_tempest`` + role set by the ``tempest_image_dir`` variable has now been changed + to be ``/opt/cache/files`` in order to match the default location + in nodepool. This improves the reliability of CI testing in + OpenStack CI as it will find the file already cached there. + - | + A new variable has been introduced into the ``os_tempest`` role + named ``tempest_image_downloader``. When set to ``deployment-host`` + (which is the default) it uses the deployment host to handle the + download of images to be used for tempest testing. The images are + then uploaded to the target host for uploading into Glance. +deprecations: + - | + The following variables have been removed from the ``os_tempest`` + role to simplify it. They have been replaced through the use of + the data structure ``tempest_images`` which now has equivalent + variables per image. + - cirros_version + - tempest_img_url + - tempest_image_file + - tempest_img_disk_format + - tempest_img_name + - tempest_images.sha256 (replaced by checksum) +fixes: + - | + The ``os_tempest`` tempest role was downloading images twice - once + arbitrarily, and once to use for testing. This has been consolidated + into a single download to a consistent location. diff --git a/releasenotes/notes/remove_use_neutron-76135a385ef1345d.yaml b/releasenotes/notes/remove_use_neutron-76135a385ef1345d.yaml new file mode 100644 index 0000000000..51f82899a2 --- /dev/null +++ b/releasenotes/notes/remove_use_neutron-76135a385ef1345d.yaml @@ -0,0 +1,3 @@ +--- +other: + - The use_neutron option was marked to be removed in sahara. diff --git a/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml b/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml new file mode 100644 index 0000000000..495eac9d63 --- /dev/null +++ b/releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml @@ -0,0 +1,15 @@ +--- +features: + - | + The tasks within the ansible-hardening role are now based on Version 1, + Release 3 of the Red Hat Enteprise Linux Security Technical Implementation + Guide. + - | + The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to + ``2`` by default. This matches the default of most modern Linux + distributions and it ensures that Address Space Layout Randomization + (ASLR) is enabled. + - | + The Datagram Congestion Control Protocol (DCCP) kernel module is now + disabled by default, but a reboot is required to make the change + effective. diff --git a/releasenotes/notes/specific_kernel_modules_with_group_vars-8d169f564ffd450c.yaml b/releasenotes/notes/specific_kernel_modules_with_group_vars-8d169f564ffd450c.yaml new file mode 100644 index 0000000000..a9f3da87bc --- /dev/null +++ b/releasenotes/notes/specific_kernel_modules_with_group_vars-8d169f564ffd450c.yaml @@ -0,0 +1,25 @@ +--- +upgrade: + - | + If you have overriden your + ``openstack_host_specific_kernel_modules``, please + remove its group matching, and move that override + directly to the appropriate group. + + Example, for an override like: + + .. code-block:: yaml + + - name: "ebtables" + pattern: "CONFIG_BRIDGE_NF_EBTABLES" + group: "network_hosts" + + You can create a file for the network_host group, + inside its group vars folder + ``/etc/openstack_deploy/group_vars/network_hosts``, + with the content: + + .. code-block:: yaml + + - name: "ebtables" + pattern: "CONFIG_BRIDGE_NF_EBTABLES" diff --git a/releasenotes/notes/static_uca_filename-849a6f491acae9c5.yaml b/releasenotes/notes/static_uca_filename-849a6f491acae9c5.yaml new file mode 100644 index 0000000000..76ac5d4d1b --- /dev/null +++ b/releasenotes/notes/static_uca_filename-849a6f491acae9c5.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + Any user that is coming from Pike or below on Ubuntu should modify + its ``user_external_repos_list``, switching its ubuntu cloud archive + repository from ``state: present`` to ``state: absent``. + From now on, UCA will be defined with the filename ``uca``. If the deployer + wants to use its mirror, he can still override the variable ``uca_repo`` + to point to its mirror. Alternatively, the deployer can completely define + which repos to add and remove, ignoring our defaults, by overriding + ``openstack_hosts_package_repos``. diff --git a/releasenotes/notes/support-ksm-fe6993158768a14e.yaml b/releasenotes/notes/support-ksm-fe6993158768a14e.yaml new file mode 100644 index 0000000000..b3349b17ea --- /dev/null +++ b/releasenotes/notes/support-ksm-fe6993158768a14e.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Enable Kernel Shared Memory support by setting + ``nova_compute_ksm_enabled`` to ``True``. diff --git a/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml b/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml new file mode 100644 index 0000000000..a5cc973cc3 --- /dev/null +++ b/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Searching for world-writable files is now disabled by default. The search + causes delays in playbook runs and it can consume a significant amount of + CPU and I/O resources. Deployers can re-enable the search by setting + ``security_find_world_writable_dirs`` to ``yes``.