Prelude
This new release adds support for tenant deployment and Zuul configuration management from the resources.
Doc
Here is the documentation of the 3.1 release.
Release Notes (2018-10-16)
Fixes
- A bug in graph-render prevented grafana auto configuration when nodepool wasn't configured with any cloud provider.
Updated Packages
- sf-config-3.1.2-4.el7
Release Notes (2018-08-20)
Security
- A new cgit version fix a directory traversal vulnerability. Update packages and reload the httpd service. References: https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html and https://git.zx2c4.com/cgit/commit/?id=53efaf30b.
Updated Packages
- cgit-1.2.1-2.el7
Release Notes (2018-08-08)
Fixes
- A bug in openstacksdk prevented nodepool to recover from cloud failure.
Upgrade Notes
- Update the packages and restart the nodepool services:
- ansible -m yum -a "name=* state=latest" nodepool-launcher:nodepool-builder
- ansible -m service -a "name=rh-python35-nodepool-launcher state=restarted" nodepool-launcher
- ansible -m service -a "name=rh-python35-nodepool-builder state=restarted" nodepool-builder
Updated Packages
- rh-python35-python-cryptography-2.1.4-1.el7
- rh-python35-python-openstacksdk-0.17.2-1.el7
Release Notes (2018-08-03)
sf-config-3.1.1
New Features
- A new zuul.ara_report option in sfconfig.yaml lets operators set the default behavior to copy ara report database. Set it to 'failure' to only copy the result when a job fails.
- sfconfig checks for correct hostnames and sets them if needed before installing services to prevent DNS issues.
- New tls_cert_file, tls_chain_file and tls_key_file sfconfig.yaml option let user set cutom TLS certificates.
- A new cgit component is available to host a fast web frontend for gerrit repositories at https://fqdn/cgit.
- A new default-tenant-name setting in sfconfig.yaml lets operators change the "local" tenant name.
- A new config-location setting enables deployments where the config and jobs repository are hosted remotely, for example on an external gerrit or github.
- SSL is enabled on zuul gearman service. A gearman-client script is installed on the scheduler host to enable direct connection.
- A new app_name setting is added to sfconfig.yaml's github_connections list to auto-configure the github gate pipeline.
- A new label_name setting is added to sfconfig.yaml's github_connections list to auto-configure a label requirement to github gate.
- A tenant object is managed in config resources. It defines the local default tenant and the configured connections.
- A new log-classify tech-preview post action is available and can be de-activated using the logclassify_optin job variable. Job reports can be injected as a job result using the logclassify_report job variable
- A new sfconfig.yaml option called clouds_file enables setting user-defined os-client-config clouds.yaml file.
- Regular Expressions for the pre-release and release pipelines are now configurable via sfconfig.yaml, use the setting prerelease_regexp and release_regexp. Default values are set to be compliant with Semantic Versioning.
- A SAML2-enabled Identity Provider can be configured as an authentication backend.
- New tenant-deployment settings enables deployment where zuul and nodepool are running remotely.
- The canonical hostname can be set in sfconfig.yaml for zuul connections.
- Github App key can be defined as a file path instead of inlined content in sfconfig.yaml
- The Zuul MQTT driver is automatically configured when the firehose component is enabled. The default topic can be updated with the custom-vars, zuul_mqtt_start_topic, zuul_mqtt_success_topic and zuul_mqtt_failure_topic.
- Services public keys are now available on https://fqdn/keys.
Known Issues
- Gerrit users are no longer deleted through the managesf API. To fully delete a gerrit user, a new 'delete-gerrit-user.sh' script is provided.
- The SAML session is discarded immediately after the authentication is successful, the session is still handled by auth_pubtkt in cauth. This means that terminating a user's session on the Identity Provider will not terminate it on Software Factory. The administrator should configure Software Factory's cookie timeout to match the Identity Provider's own session timeout.
Upgrade Notes
- The ceph repository needs to be manually removed before installing the 3.1 repository using this command: yum remove -y centos-release-ceph-jewel
- The ansible version provided by CentOS extras is replaced by the one already packaged in scl for Zuul.
- The hypervisor-oci component is renamed hypervisor-runc. Any nodesets using the default centos-oci needs to be adapted to use the new runc-centos label.
- A _internal.yaml file is created with the default managed config/resources. Config project and acls are removed from common files.
- The nodepool-builder service package upgrades may fail when there is a dedicated mountpoint for /var/opt/rh/rh-python35/cache/nodepool that contains leaked dib mounts. Make sure the nodepool cache is un-mounted and update your fstab to use /var/cache/nodepool instead.
- Gerrit HTTP passwords are removed during the upgrade. The Gerrit REST API is now available using the API key provided by cauth. Users need to re-generate an API key (this can be done from the user settings page) and replace the old password using the new key.
Deprecation Notes
- The --zuul-ssh-key, --zuul-upstream-zuul-jobs and --zuul-external-gerrit sfconfig command line arguments are no longer supported. Use the sfconfig.yaml configuration file to configure those options.
Bug Fixes
- Zuul scheduler keys are now properly backed up
- Install-server restore now keeps the desired target arch.yaml
- The default admin password is now automatically set to a random string.
Other Notes
- Gerrit All-projects project.config Software Factory default ACLs additions are checked/updated at every sfconfig run.
cauth-0.12.1
- API keys are now set to gerrit http password when the service is available.
- A gerrit option 'register_user' has been added to toggle user creation.
- The GitHub OAuth application doesn't request organization read access when the allowed_organizations restriction is not set.
managesf-0.18.1
New Features
- The resources model got a new connection object to fully describe repository location.
- The resources model got a new tenant object, the root model object for the Tenant capability of Software Factory.
Upgrade Notes
- HTTP password controller is removed, this is now managed by Cauth's API key.
Other Notes
- MySQL connector changed to PyMySQL https://github.com/PyMySQL/PyMySQL/
Updated Packages
- ara-0.15.0-1.el7
- bubblewrap-0.2.1-1.el7
- cauth-0.12.1-8.el7
- gerrit-2.14.7-1.el7
- gerritbot-0.4.0-1.el7
- lecm-0.0.7-3.el7
- lodgeit-0.2-1.el7
- managesf-0.18.1-6.el7
- python-log2gearman-0.1-3.20171211gitc646602.el7
- python-pkginfo-1.4.2-1.el7
- python-requests-toolbelt-0.8.0-1.el7
- python-sfmanager-0.5.0-4.el7
- python-testinfra-1.14.1-1.el7
- python-twine-1.11.0-1.el7
- repoxplorer-1.3.1-1.20180726.a05b6af.el7
- rh-python35-GitPython-2.1.10-1.el7
- rh-python35-ansible-2.5.5-1.el7
- rh-python35-ara-0.15.0-1.el7
- rh-python35-diskimage-builder-2.15.1-1.el7
- rh-python35-dlrn-0.8.0-1.el7
- rh-python35-nodepool-3.2.0-2.el7
- rh-python35-python-APScheduler-3.5.1-1.el7
- rh-python35-python-CacheControl-0.12.4-1.el7
- rh-python35-python-gear-0.12.0-1.el7
- rh-python35-python-gitdb-2.0.3-1.el7
- rh-python35-python-jwt-1.6.4-1.el7
- rh-python35-python-keystoneauth1-3.8.0-1.el7
- rh-python35-python-openstacksdk-0.16.0-1.el7
- rh-python35-python-psutil-5.4.5-1.el7
- rh-python35-python-pyasn1-0.4.3-1.el7
- rh-python35-python-pycparser-2.18-1.el7
- rh-python35-python-shade-1.28.0-1.el7
- rh-python35-python-uvloop-0.9.1-1.el7
- rh-python35-python-webob-1.8.2-1.el7
- rh-python35-rdopkg-0.46.3-2.el7
- rh-python35-zuul-3.2.0-3.el7
- rh-python35-zuul-jobs-0.1-0.12.20180731git5e5ecdb.el7
- sf-config-3.1.1-4.el7
- sf-docs-3.1.0-1.el7
- sf-elements-0.6.0-2.el7
- sf-release-3.1.2-3.el7
- sf-web-assets-1.0-5.el7
New Packages
- cgit-1.1-8.el7
- python-tqdm-4.19.6-1.el7
- rh-python35-Cython-0.28.3-1.el7
- rh-python35-dlrnapi-client-0.5.0-1.el7
- rh-python35-logreduce-0.1.3-1.el7
- rh-python35-python-SecretStorage-3.0.1-1.el7
- rh-python35-python-bottle-0.12.13-1.el7
- rh-python35-python-cachetools-2.0.1-1.el7
- rh-python35-python-cherrypy-8.9.1-3.el7
- rh-python35-python-dictdiffer-0.7.1-1.el7
- rh-python35-python-fasteners-0.14.1-10.el7
- rh-python35-python-future-0.16.0-1.el7
- rh-python35-python-gevent-1.2.2-2.el7
- rh-python35-python-gflags-2.0-10.el7
- rh-python35-python-google-auth-1.4.2-1.el7
- rh-python35-python-greenlet-0.4.13-2.el7
- rh-python35-python-httplib2-0.10.3-2.el7
- rh-python35-python-jeepney-0.3-1.el7
- rh-python35-python-keyring-11.0.0-2.el7
- rh-python35-python-kubernetes-6.0.0-3.el7
- rh-python35-python-oauth2client-4.1.2-2.el7
- rh-python35-python-oauthlib-2.0.1-4.el7
- rh-python35-python-openshift-0.6.0-2.el7
- rh-python35-python-os-service-types-1.2.0-2.el7
- rh-python35-python-pycurl-7.43.0-14.el7
- rh-python35-python-repoze-lru-0.4-17.el7
- rh-python35-python-requests-oauthlib-0.8.0-3.el7
- rh-python35-python-routes-2.4.1-4.el7
- rh-python35-python-rsa-3.4.2-4.el7
- rh-python35-python-ruamel-yaml-0.13.14-1.el7
- rh-python35-python-string-utils-0.6.0-1.el7
- rh-python35-python-tornado-4.5.2-2.el7
- rh-python35-python-websocket-client-0.47.0-1.el7
- rh-python35-python-ws4py-0.5.1-1.el7
Digest
The packages are signed with this key: E46E04A2344803E5A808BDD7E8C203A71C3BAE4B - release@softwarefactory-project.io
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 8deb28380c6dc537077650023a0a576b809099d784fa92211ef206d1d5c6238a sf-release-3.1.2-3.el7.noarch.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBAgAGBQJbYuSPAAoJEOjCA6ccO65LTD4P/iXOxFGTj8SUgKjYo6/gnWY7 8Nlbw0kqhDUTg4ufFwzQ3AFA+1E5DFkEolkXVgXksIlukK+c6ilwWGrbVcc82OQo WKuSEDzPmOGX8b9Mb1kZv9L8B13fmH9DT8aAyIZzZvEDRrPheKnk0tp6gTFqmTx6 vBRXh7jrAU5UbypxJ/7bxZGza+AKTDaujwtngibBc/0V+iWpbhZtQDkDJ6Up1yCv Ydqd6qPzUgLTiqJIQTCIZbdSDDslIetc17RgAtT0x203pj1xpCVyI//l7o3b5OUf PRx03tqEOR7sB5975fz5zyEl7RkR7uuSpHQQDq08A2BnDdmIJ/eOP8+NwivuigHT p3uwDGcQN5Jw0ItIhDUDlurbhokm53/2FWLi5mA2VM1LmCY9RhoNGAq1jT6CmjJJ GCQiYWaTEs/gpMwhlF2Iu41xYXr9/UYABq+4UnbVoopDg89n3CctSrHipjIkziVw SRTDqw+S5m53eADLOFmFezaPJLRaOixUsQ1MNvsIU2Jh/HWwYy4M0wtaFxFFyZTT zY/sbq6aBIZHraS5idyes+fYxlm590PhjuVZphETeHWe2gLlyXPixhw8e33+Ztvl IWJ8R9li7527c7VSRsQI2DRvlFffNX8SXqfZpWS7mxEm4e152HtR4cWUu1outkiX 27++v8At5aPoz+Edfe7D =dhQf -----END PGP SIGNATURE-----