+----------------+-------------+-------------+-------------+-------------+-----------------+
| neutron | ovs | ovs | ovs | ovs | X |
+----------------+-------------+-------------+-------------+-------------+-----------------+
+| neutron-bgpvpn | | | | X | |
++----------------+-------------+-------------+-------------+-------------+-----------------+
| rabbitmq | X | X | X | X | X |
+----------------+-------------+-------------+-------------+-------------+-----------------+
| mongodb | X | X | | | |
description: Enable monitoring agents
environments:
- file: environments/monitoring-environment.yaml
- title: enable monitoring agents
+ title: Enable monitoring agents
description:
requires:
- overcloud-resource-registry-puppet.yaml
description:
requires:
- overcloud-resource-registry-puppet.yaml
+ - title: Performance monitoring
+ description: Enable performance monitoring agents
+ environments:
+ - file: environments/collectd-environment.yaml
+ title: Enable performance monitoring agents
+ description:
+ requires:
+ - overcloud-resource-registry-puppet.yaml
- title: Security Options
description: Security Hardening Options
OS::TripleO::Services::ManilaScheduler: ../../puppet/services/manila-scheduler.yaml
OS::TripleO::Services::ManilaShare: ../../puppet/services/pacemaker/manila-share.yaml
OS::TripleO::Services::ManilaBackendCephFs: ../../puppet/services/manila-backend-cephfs.yaml
+ OS::TripleO::Services::NeutronBgpVpnApi: ../../puppet/services/neutron-bgpvpn-api.yaml
# These enable Pacemaker
OS::TripleO::Tasks::ControllerPrePuppet: ../../extraconfig/tasks/pre_puppet_pacemaker.yaml
OS::TripleO::Tasks::ControllerPostPuppet: ../../extraconfig/tasks/post_puppet_pacemaker.yaml
- OS::TripleO::Services::HeatEngine
- OS::TripleO::Services::MySQL
- OS::TripleO::Services::MySQLClient
+ - OS::TripleO::Services::NeutronBgpVpnApi
- OS::TripleO::Services::NeutronDhcpAgent
- OS::TripleO::Services::NeutronL3Agent
- OS::TripleO::Services::NeutronMetadataAgent
CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ=='
CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw=='
SwiftCeilometerPipelineEnabled: false
+ NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin'
+ BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
parameter_defaults:
ControlPlaneDefaultRoute: 192.168.122.130
ControlPlaneSubnetCidr: "24"
- EC2MetadataIp: "192.0.2.1"
+ EC2MetadataIp: "192.168.24.1"
In this example, 192.168.122.130 is the external management IP of an
undercloud, thus it is the default route for the configured local_ip value of
-192.0.2.1.
+192.168.24.1.
os-collect-config
InstanceIdDeployment:
type: OS::Heat::StructuredDeployment
properties:
+ name: InstanceIdDeployment
config: {get_resource: InstanceIdConfig}
server: {get_resource: deployed-server}
depends_on: UpgradeInitDeployment
HostsEntryDeployment:
type: OS::Heat::SoftwareDeployment
properties:
+ name: HostsEntryDeployment
config: {get_resource: HostsEntryConfig}
server: {get_resource: deployed-server}
'--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
'--volume', '/var/lib/config-data/:/var/lib/config-data/:rw',
'--volume', 'tripleo_logs:/var/log/tripleo/',
+ # OpenSSL trusted CA injection
+ '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro',
+ '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro',
+ '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
+ '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
+ # script injection
'--volume', '%s:%s:rw' % (sh_script, sh_script) ]
for volume in volumes:
- /etc/localtime:/etc/localtime:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ upgrade_tasks:
+ - name: Stop and disable httpd service
+ tags: step2
+ service: name=httpd state=stopped enabled=no
- /etc/localtime:/etc/localtime:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ upgrade_tasks:
+ - name: Stop and disable openstack-gnocchi-metricd service
+ tags: step2
+ service: name=openstack-gnocchi-metricd.service state=stopped enabled=no
- /etc/localtime:/etc/localtime:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ upgrade_tasks:
+ - name: Stop and disable openstack-gnocchi-statsd service
+ tags: step2
+ service: name=openstack-gnocchi-statsd.service state=stopped enabled=no
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
outputs:
role_data:
description: Role data for the Keystone API role.
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ - ''
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- get_attr: [NovaApiBase, role_data, config_settings]
- apache::default_vhost: false
step_config: &step_config
- get_attr: [NovaApiBase, role_data, step_config]
+ list_join:
+ - "\n"
+ - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }"
+ - {get_attr: [NovaApiBase, role_data, step_config]}
service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
- [ {get_param: DockerNamespace}, {get_param: DockerZaqarImage} ]
kolla_config:
/var/lib/kolla/config_files/zaqar.json:
- command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf
+ command: /usr/sbin/httpd -DFOREGROUND
/var/lib/kolla/config_files/zaqar_websocket.json:
command: /usr/bin/zaqar-server --config-file /etc/zaqar/zaqar.conf --config-file /etc/zaqar/1.conf
docker_config:
net: host
privileged: false
restart: always
+ # NOTE(mandre) kolla image changes the user to 'zaqar', we need it
+ # to be root to run httpd
+ user: root
volumes:
- /var/lib/kolla/config_files/zaqar.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/zaqar/etc/zaqar/:/etc/zaqar/:ro
+ - /var/lib/config-data/zaqar/etc/httpd:/etc/httpd/:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
environment:
upgrade_tasks:
- name: Stop and disable zaqar service
tags: step2
- service: name=openstack-zaqar.service state=stopped enabled=no
-
+ service: name=httpd state=stopped enabled=no
parameter_defaults:
ControlPlaneSubnetCidr: '24'
- ControlPlaneDefaultRoute: 192.0.2.254
+ ControlPlaneDefaultRoute: 192.168.24.254
InternalApiNetCidr: 10.0.0.0/24
InternalApiAllocationPools: [{'start': '10.0.0.10', 'end': '10.0.0.200'}]
InternalApiDefaultRoute: 10.0.0.1
ManagementInterfaceDefaultRoute: 10.1.0.1
ExternalNetCidr: 10.2.0.0/24
ExternalAllocationPools: [{'start': '10.2.0.10', 'end': '10.2.0.200'}]
- EC2MetadataIp: 192.0.2.1 # Generally the IP of the Undercloud
+ EC2MetadataIp: 192.168.24.1 # Generally the IP of the Undercloud
DnsServers: ["8.8.8.8","8.8.4.4"]
VrouterPhysicalInterface: eth1
VrouterGateway: 10.0.0.1
--- /dev/null
+# This environment contains the services that can work with TLS-everywhere.
+resource_registry:
+ # This can be used when you don't want to run puppet on the host,
+ # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker
+ # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+ OS::TripleO::Services::Docker: ../puppet/services/docker.yaml
+ # The compute node still needs extra initialization steps
+ OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+
+ # NOTE: add roles to be docker enabled as we support them.
+ OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+
+ OS::TripleO::PostDeploySteps: ../docker/post.yaml
+ OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
+
+ OS::TripleO::Services: ../docker/services/services.yaml
+
+parameter_defaults:
+ # Defaults to 'tripleoupstream'. Specify a local docker registry
+ # Example: 192.168.24.1:8787/tripleoupstream
+ DockerNamespace: tripleoupstream
+ DockerNamespaceIsRegistry: false
+
+ ComputeServices:
+ - OS::TripleO::Services::NovaCompute
+ - OS::TripleO::Services::NovaLibvirt
+ - OS::TripleO::Services::ComputeNeutronOvsAgent
+ - OS::TripleO::Services::Docker
# to control your VIPs (currently one per network)
# NOTE: we will eventually move to one VIP per service
#
- ControlFixedIPs: [{'ip_address':'192.0.2.251'}]
+ ControlFixedIPs: [{'ip_address':'192.168.24.251'}]
PublicVirtualFixedIPs: [{'ip_address':'2001:db8:fd00:1000:0000:0000:0000:0005'}]
InternalApiVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:2000:0000:0000:0000:0005'}]
StorageVirtualFixedIPs: [{'ip_address':'fd00:fd00:fd00:3000:0000:0000:0000:0005'}]
# to control your VIPs (currently one per network)
# NOTE: we will eventually move to one VIP per service
#
- ControlFixedIPs: [{'ip_address':'192.0.2.251'}]
+ ControlFixedIPs: [{'ip_address':'192.168.24.251'}]
PublicVirtualFixedIPs: [{'ip_address':'10.0.0.251'}]
InternalApiVirtualFixedIPs: [{'ip_address':'172.16.2.251'}]
StorageVirtualFixedIPs: [{'ip_address':'172.16.1.251'}]
## (note the use of port 24284 for ssl connections)
#
# LoggingServers:
-# - host: 192.0.2.11
+# - host: 192.168.24.11
# port: 24284
# LoggingUsesSSL: true
# LoggingSharedKey: secret
# CIDR subnet mask length for provisioning network
ControlPlaneSubnetCidr: '24'
# Gateway router for the provisioning network (or Undercloud IP)
- ControlPlaneDefaultRoute: 192.0.2.254
- EC2MetadataIp: 192.0.2.1 # Generally the IP of the Undercloud
+ ControlPlaneDefaultRoute: 192.168.24.254
+ EC2MetadataIp: 192.168.24.1 # Generally the IP of the Undercloud
# Customize the IP subnets to match the local environment
InternalApiNetCidr: 172.17.0.0/24
StorageNetCidr: 172.18.0.0/24
OS::TripleO::Services::NeutronBgpVpnApi: ../puppet/services/neutron-bgpvpn-api.yaml
parameter_defaults:
- NeutronServicePlugins: 'networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin'
+ NeutronServicePlugins: 'router, networking_bgpvpn.neutron.services.plugin.BGPVPNPlugin'
BgpvpnServiceProvider: 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default'
OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/neutron-ml2-cisco-n1kv.yaml
parameter_defaults:
- N1000vVSMIP: '192.0.2.50'
- N1000vMgmtGatewayIP: '192.0.2.1'
+ N1000vVSMIP: '192.168.24.50'
+ N1000vMgmtGatewayIP: '192.168.24.1'
N1000vVSMDomainID: '100'
N1000vVSMHostMgmtIntf: 'br-ex'
KeystoneLDAPDomainEnable: true
KeystoneLDAPBackendConfigs:
tripleoldap:
- url: ldap://192.0.2.250
+ url: ldap://192.168.24.251
user: cn=openstack,ou=Users,dc=tripleo,dc=example,dc=com
password: Secrete
suffix: dc=tripleo,dc=example,dc=com
--- /dev/null
+parameter_defaults:
+ ControlPlaneDefaultRoute: 192.0.2.1
+ EC2MetadataIp: 192.0.2.1
# Filter null values and values that contain don't contain
# 'metadata_settings', get the values from that key and get the
# unique ones.
- expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct())
+ expression: list(coalesce($.data, []).where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct())
data: {get_param: RoleData}
# Generates entries for nova metadata with the following format:
properties:
value:
yaql:
- expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))]))
+ expression: let(fqdns => $.data.fqdns) -> dict(coalesce($.data.metadata, []).where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))]))
data:
metadata: {get_attr: [IncomingMetadataSettings, value]}
fqdns:
properties:
value:
yaql:
- expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1]))
+ expression: dict(coalesce($.data, []).where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1]))
data: {get_attr: [IncomingMetadataSettings, value]}
outputs:
+++ /dev/null
-heat_template_version: ocata
-
-parameters:
- servers:
- type: json
- SwiftRingGetTempurl:
- default: ''
- description: A temporary Swift URL to download rings from.
- type: string
-
-resources:
- SwiftRingDeployConfig:
- type: OS::Heat::SoftwareConfig
- properties:
- group: script
- inputs:
- - name: swift_ring_get_tempurl
- config: |
- #!/bin/sh
- pushd /
- curl --insecure --silent "${swift_ring_get_tempurl}" | tar xz || true
- popd
-
- SwiftRingDeploy:
- type: OS::Heat::SoftwareDeployments
- properties:
- name: SwiftRingDeploy
- config: {get_resource: SwiftRingDeployConfig}
- servers: {get_param: servers}
- input_values:
- swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl}
+++ /dev/null
-heat_template_version: ocata
-
-parameters:
- servers:
- type: json
- SwiftRingPutTempurl:
- default: ''
- description: A temporary Swift URL to upload rings to.
- type: string
-
-resources:
- SwiftRingUpdateConfig:
- type: OS::Heat::SoftwareConfig
- properties:
- group: script
- inputs:
- - name: swift_ring_put_tempurl
- config: |
- #!/bin/sh
- TMP_DATA=$(mktemp -d)
- function cleanup {
- rm -Rf "$TMP_DATA"
- }
- trap cleanup EXIT
- # sanity check in case rings are not consistent within cluster
- swift-recon --md5 | grep -q "doesn't match" && exit 1
- pushd ${TMP_DATA}
- tar -cvzf swift-rings.tar.gz /etc/swift/*.builder /etc/swift/*.ring.gz /etc/swift/backups/*
- resp=`curl --insecure --silent -X PUT "${swift_ring_put_tempurl}" --write-out "%{http_code}" --data-binary @swift-rings.tar.gz`
- popd
- if [ "$resp" != "201" ]; then
- exit 1
- fi
-
- SwiftRingUpdate:
- type: OS::Heat::SoftwareDeployments
- properties:
- name: SwiftRingUpdate
- config: {get_resource: SwiftRingUpdateConfig}
- servers: {get_param: servers}
- input_values:
- swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl}
command_arguments=${command_arguments:-}
-list_updates=$(yum list updates)
-
-if [[ "$list_updates" == "" ]]; then
+# yum check-update exits 100 if updates are available
+set +e
+check_update=$(yum check-update 2>&1)
+check_update_exit=$?
+set -e
+
+if [[ "$check_update_exit" == "1" ]]; then
+ echo "Failed to check for package updates"
+ echo "$check_update"
+ exit 1
+elif [[ "$check_update_exit" != "100" ]]; then
echo "No packages require updating"
exit 0
fi
ControlPlaneDefaultRoute: # Override this via parameter_defaults
description: The default route of the control plane network.
type: string
- default: 192.0.2.1
+ default: 192.168.24.1
EC2MetadataIp: # Override this via parameter_defaults
description: The IP address of the EC2 metadata server.
type: string
OS::TripleO::Tasks::UpdateWorkflow: OS::Heat::None
OS::TripleO::Tasks::PackageUpdate: extraconfig/tasks/yum_update.yaml
- OS::TripleO::Tasks::SwiftRingDeploy: extraconfig/tasks/swift-ring-deploy.yaml
- OS::TripleO::Tasks::SwiftRingUpdate: extraconfig/tasks/swift-ring-update.yaml
-
{% for role in roles %}
OS::TripleO::{{role.name}}::PreNetworkConfig: OS::Heat::None
OS::TripleO::{{role.name}}PostDeploySteps: puppet/post.yaml
# Config specific parameters, to be provided via parameter_defaults
N1000vVSMIP:
type: string
- default: '192.0.2.50'
+ default: '192.168.24.50'
N1000vVSMDomainID:
type: number
default: 100
default: '255.255.255.0'
N1000vMgmtGatewayIP:
type: string
- default: '192.0.2.1'
+ default: '192.168.24.1'
N1000vPacemakerControl:
type: boolean
default: true
input_values:
update_identifier: {get_param: DeployIdentifier}
- {% if role.name in ['Controller', 'ObjectStorage'] %}
- {{role.name}}SwiftRingDeploy:
- type: OS::TripleO::Tasks::SwiftRingDeploy
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- {% endif %}
-
# Step through a series of configuration steps
{% for step in range(1, 6) %}
{{role.name}}Deployment_Step{{step}}:
servers: {get_param: [servers, {{role.name}}]}
input_values:
update_identifier: {get_param: DeployIdentifier}
-
- {% if role.name in ['Controller', 'ObjectStorage'] %}
- {{role.name}}SwiftRingUpdate:
- type: OS::TripleO::Tasks::SwiftRingUpdate
- depends_on:
- {% for dep in roles %}
- - {{dep.name}}Deployment_Step5
- {% endfor %}
- properties:
- servers: {get_param: [servers, {{role.name}}]}
- {% endif %}
{% endfor %}
type: OS::Heat::SoftwareDeployment
depends_on: NetworkDeployment
properties:
+ name: UpdateDeployment
config: {get_resource: UpdateConfig}
server: {get_resource: {{role}}}
input_values:
- "%{hiera('apache_remote_proxy_ips_network')}"
-
generate_service_certificates: true
+ tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
+ tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
map_merge:
repeat:
template:
httpd-NETWORK:
- service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
- service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+ service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
for_each:
default: 1048576
description: Configures sysctl kernel.pid_max key
type: number
+ KernelDisableIPv6:
+ default: 0
+ description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+ type: number
outputs:
role_data:
value: 500000
net.netfilter.nf_conntrack_max:
value: 500000
+ net.ipv6.conf.default.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
+ net.ipv6.conf.all.disable_ipv6:
+ value: {get_param: KernelDisableIPv6}
# prevent neutron bridges from autoconfiguring ipv6 addresses
net.ipv6.conf.all.accept_ra:
value: 0
- name: Install sensu package if it was disabled
tags: step3
yum: name=sensu state=latest
- when: sensu_client.rc != 0
+ when: sensu_client_enabled.rc != 0
description: vRouter physical interface
type: string
ContrailVrouterGateway:
- default: '192.0.2.1'
+ default: '192.168.24.1'
description: vRouter default gateway
type: string
ContrailVrouterNetmask:
- name: Check pacemaker cluster running before upgrade
tags: step0,validation
pacemaker_cluster: state=online check_and_fail=true
+ async: 30
+ poll: 4
- name: Stop pacemaker cluster
tags: step2
pacemaker_cluster: state=offline
# fluentd user.
yaql:
expression: >
- set($.data.groups.flatten()).where($)
+ set(($.data.default + $.data.extra + $.data.role_data.where($ != null).select($.get('logging_groups'))).flatten()).where($)
data:
- groups:
- - [{get_attr: [LoggingConfiguration, LoggingDefaultGroups]}]
- - yaql:
- expression: list($.data.role_data.where($ != null).select($.get('logging_groups')).where($ != null))
- data: {role_data: {get_attr: [ServiceChain, role_data]}}
- - [{get_attr: [LoggingConfiguration, LoggingExtraGroups]}]
+ default: {get_attr: [LoggingConfiguration, LoggingDefaultGroups]}
+ extra: {get_attr: [LoggingConfiguration, LoggingExtraGroups]}
+ role_data: {get_attr: [ServiceChain, role_data]}
config_settings: {map_merge: {get_attr: [ServiceChain, role_data, config_settings]}}
global_config_settings:
map_merge:
default: true
description: 'Use a local directory for Swift storage services when building rings'
type: boolean
+ SwiftRingGetTempurl:
+ default: ''
+ description: A temporary Swift URL to download rings from.
+ type: string
+ SwiftRingPutTempurl:
+ default: ''
+ description: A temporary Swift URL to upload rings to.
+ type: string
conditions:
swift_use_local_dir:
value:
service_name: swift_ringbuilder
config_settings:
+ tripleo::profile::base::swift::ringbuilder::swift_ring_get_tempurl: {get_param: SwiftRingGetTempurl}
+ tripleo::profile::base::swift::ringbuilder::swift_ring_put_tempurl: {get_param: SwiftRingPutTempurl}
tripleo::profile::base::swift::ringbuilder::build_ring: {get_param: SwiftRingBuild}
tripleo::profile::base::swift::ringbuilder::replicas: {get_param: SwiftReplicas}
tripleo::profile::base::swift::ringbuilder::part_power: {get_param: SwiftPartPower}
--- /dev/null
+---
+security:
+ - |
+ Add IPv6 disable option and make it configurable for user to disable IPv6
+ when it's not used, this will descrease the risk of ipv6 attack.
+ Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
+ will be explicitly set to the default value (0) which is enabled.
--- /dev/null
+---
+upgrade:
+ - |
+ The default network for the ctlplane changed from 192.0.2.0/24 to
+ 192.168.24.0/24. All references to the ctlplane network in the templates
+ have been updated to reflect this change. When upgrading from a previous
+ release, if the default network was used for the ctlplane (192.0.2.0/24),
+ then it is necessary to provide as input, via environment file, the correct
+ setting for all the parameters that previously defaulted to 192.0.2.x and
+ now default to 192.168.24.x; there is an environment file which could be
+ used on upgrade `environments/updates/update-from-192_0_2-subnet.yaml` to
+ cover a simple scenario but it won't be enough for scenarios using an
+ external load balancer, Contrail or Cisto N1KV. Follows a list of params to
+ be provided on upgrade.
+ From contrail-net.yaml: EC2MetadataIp, ControlPlaneDefaultRoute
+ From external-loadbalancer-vip-v6.yaml: ControlFixedIPs
+ From external-loadbalancer-vip.yaml: ControlFixedIPs
+ From network-environment.yaml: EC2MetadataIp, ControlPlaneDefaultRoute
+ From neutron-ml2-cisco-n1kv.yaml: N1000vVSMIP, N1000vMgmtGatewayIP
+ From contrail-vrouter.yaml: ContrailVrouterGateway