Pike Series Release Notes
16.0.29
Bug Fixes
The conditional that determines whether the sso_callback_template.html file is deployed for federated deployments has been fixed.
16.0.4
Security Issues
The following headers were added as additional default (and static) values: X-Content-Type-Options "nosniff", X-XSS-Protection "1; mode=block", and Content-Security-Policy "default-src 'self' https: wss:;". Additionally, the X-Frame-Options header was added, defaulting to DENY. You may override this header via the keystone_x_frame_options variable.
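One way to confirm these defaults on a response from a deployed endpoint, as an added example that is not part of the os_keystone role or of these release notes. The function names are hypothetical and the sample responses are constructed; the expected X-Frame-Options value is a parameter because the note says it can be overridden.

```python
from email.parser import Parser

# Defaults listed in the 16.0.4 security note (X-Frame-Options is a parameter).
EXPECTED = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' https: wss:;",
}

def parse_csp(value):
    """Return {directive: set(sources)} so order and spacing do not matter."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def normalise(name, value):
    if name.lower() == "content-security-policy":
        return parse_csp(value)
    return "".join(value.split()).lower()

def audit_headers(raw_response, x_frame_options="DENY"):
    """Return a sorted list of findings for one raw HTTP response head."""
    _, _, header_block = raw_response.partition("\r\n")  # drop status line
    headers = Parser().parsestr(header_block, headersonly=True)
    expected = {**EXPECTED, "X-Frame-Options": x_frame_options}
    findings = []
    for name, want in expected.items():
        got = headers.get_all(name)  # header names match case-insensitively
        if not got:
            findings.append(f"{name}: missing")
        elif len(got) > 1:
            findings.append(f"{name}: sent {len(got)} times")
        elif normalise(name, got[0]) != normalise(name, want):
            findings.append(f"{name}: got {got[0]!r}, expected {want!r}")
    return sorted(findings)

# Constructed sample responses (not captured from a real deployment).
GOOD = ("HTTP/1.1 200 OK\r\n"
        "x-content-type-options: nosniff\r\n"
        "X-XSS-Protection: 1;mode=block\r\n"
        "Content-Security-Policy: default-src https: 'self' wss:\r\n"
        "X-Frame-Options: DENY\r\n\r\n")
BAD = ("HTTP/1.1 200 OK\r\n"
       "X-Content-Type-Options: nosniff\r\n"
       "Content-Security-Policy: default-src *\r\n"
       "X-Frame-Options: SAMEORIGIN\r\n\r\n")
```

audit_headers(GOOD) returns an empty list; audit_headers(BAD) reports the missing X-XSS-Protection header, the widened Content-Security-Policy, and the X-Frame-Options value that differs from DENY.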
16.0.0
New Features
The default value for the variable keystone_wsgi_processes is now capped at 16 when the user doesn't configure this variable. The default value is half the number of vCPUs available on the machine, with a cap of 16.
New variables have been added to allow a deployer to customize a keystone systemd unit file to their liking.
The task dropping the keystone systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
The os_keystone role will now (by default) source the keystone-paste.ini, policy.json and sso_callback_template.html templates from the service git source instead of from the role. It also now includes a facility where you can place your own templates in /etc/openstack_deploy/keystone (by default) and it will be deployed to the target host after being interpreted by the template engine.
For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.
Upgrade Notes
The keystone endpoints now have versionless URLs. Any existing endpoints will be updated.
Keystone now uses uWSGI exclusively (instead of Apache with mod_wsgi) and has the web server acting as a reverse proxy. The default web server is now set to Nginx instead of Apache, but Apache will automatically be used if federation is configured.
For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.
Deprecation Notes
The variables keystone_apache_enabled and keystone_mod_wsgi_enabled have been removed and replaced with a single variable keystone_web_server to optionally set the web server used for keystone.
The keystone_rpc_backend option has been removed due to the deprecation of the rpc_backend option in oslo.messaging.
Critical Issues
A bug that caused the Keystone credential keys to be lost when the playbook is run during a rebuild of the first Keystone container has been fixed. Please see launchpad bug 1667960 for more details.