Queens Series Release Notes

17.0.0

New Features

  • Deployers can set openstack_hosts_centos_mirror_url to use their preferred mirror for the RDO repositories.

  • Persistent systemd journals are now enabled. This allows deployers to keep older systemd journals on disk for review. The disk space requirements are extremely low since the journals are stored in binary format. The default location for persistent journals is in /var/log/journal.

    Deployers can opt out of this change by setting openstack_host_keep_journals to no.

Upgrade Notes

  • If you have overridden your openstack_host_specific_kernel_modules, please remove its group matching, and move that override directly to the appropriate group.

    For example, for an override like:

    - name: "ebtables"
      pattern: "CONFIG_BRIDGE_NF_EBTABLES"
      group: "network_hosts"
    

    You can create a file for the network_hosts group, inside its group vars folder /etc/openstack_deploy/group_vars/network_hosts, with the content:

    - name: "ebtables"
      pattern: "CONFIG_BRIDGE_NF_EBTABLES"
    
  • Any deployer upgrading from Pike or earlier on Ubuntu should modify their user_external_repos_list, switching the Ubuntu Cloud Archive (UCA) repository from state: present to state: absent. From now on, UCA will be defined with the filename uca. Deployers who want to use their own mirror can still override the variable uca_repo to point to it. Alternatively, the deployer can completely define which repos to add and remove, ignoring our defaults, by overriding openstack_hosts_package_repos.

Security Issues

  • The net.bridge.bridge-nf-call-* kernel parameters were set to 0 in previous releases to improve performance, and it was left up to neutron to adjust these parameters when security groups are applied. This could cause situations where bridge traffic was not sent through iptables, which rendered security groups ineffective. This could allow unexpected ingress and egress traffic within the cloud.

    These kernel parameters are now set to 1 on all hosts by the openstack_hosts role, which ensures that bridge traffic is always sent through iptables.
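
A host-side check for the parameters described above, as an added example that is not part of the openstack_hosts role or of the original release notes: it reads every bridge-nf-call-* entry and flags any value other than 1. The function name and its optional directory argument are assumptions of this example, the latter so the check can be run against a test directory.

```shell
#!/bin/sh
# Added example: audit the net.bridge.bridge-nf-call-* parameters on a host.
#
# check_bridge_nf [DIR] prints one line per parameter and returns:
#   0  every bridge-nf-call-* parameter is 1 (bridge traffic reaches iptables)
#   1  at least one parameter is not 1 (security groups may be bypassed)
#   2  no parameters found; the directory only exists while the kernel's
#      bridge netfilter support is loaded
#
# DIR defaults to /proc/sys/net/bridge. The argument is hypothetical, added
# here so the function can be exercised without touching the live host.
check_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    rc=2
    for f in "$dir"/bridge-nf-call-*; do
        # An unmatched glob stays literal and is not readable: skip it.
        [ -r "$f" ] || continue
        if [ "$rc" -eq 2 ]; then
            rc=0
        fi
        val=$(cat "$f")
        name="net.bridge.$(basename "$f")"
        if [ "$val" = "1" ]; then
            echo "OK    $name = $val"
        else
            echo "FAIL  $name = $val (expected 1)"
            rc=1
        fi
    done
    if [ "$rc" -eq 2 ]; then
        echo "SKIP  no bridge-nf-call-* parameters under $dir"
    fi
    return "$rc"
}
```

Run check_bridge_nf with no argument on each host after the upgrade; a return code of 2 on a host that carries bridged instance traffic deserves the same attention as a FAIL line.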

Bug Fixes

  • The sysstat package was installed on all distributions, but it was only configured to run on Ubuntu and OpenSUSE. It would not run on CentOS due to bad SELinux contexts and file permissions on /etc/cron.d/sysstat. This has been fixed and sysstat now runs properly on CentOS.