
CloudBolt Software Release Notes

What’s New in CloudBolt 7.2

Blueprints

Server tiers on blueprints now support a notion of “allowable OS families”. This restricts the set of OS Build choices available to users when they order the blueprints and also when blueprint admins set the OS Build on a server tier within the blueprint. This facilitates import and setup of blueprints from the content library.

Custom Roles

CloudBolt now allows the creation of custom roles. Visit the Admin > Roles page to create a role and decide which permissions it should have, then assign it to users from either the Users page or the Users tab of a group.

CloudBolt’s out-of-the-box roles are now editable, too. You can add or remove permissions on them the way you would for custom roles. You can also restore these roles to their default state from the Admin > Roles page at any time.

The “Powerful Requestors” and “Restrict job logs to admins” miscellaneous settings have been replaced with permissions. If you had these options enabled, CloudBolt will take them into account and add the appropriate permissions during the upgrade. However, they will not be taken into account if you later revert the roles back to their default state on the Roles page.

Resource Technologies

Azure Resource Manager

A new parameter, ‘Delete Empty ARM Resource Group’, is available for ARM environments and servers. When set to True on a server, the associated Resource Group will also be deleted if it becomes empty after deleting the server. Otherwise, the empty Resource Group will remain. For most users, this parameter can be set as a default for an entire environment. However, some use cases might have a need to set it differently on a specific blueprint or server deployment.

AWS

The AWS resource handler now uses the custom SSL certificates available at Admin > SSL Root Certificates. If activated, the default certificates used to connect to HTTPS endpoints via the Boto library will still be used. Additional certificates can be added to supplement the list by adding them to the SSL Root Certificates page. Alternatively, SSL Certificate validation can be deactivated via that same page.

The AWS rate hook now works on servers provisioned outside CloudBolt. It is also much faster than before, and no longer requires you to manually download the rate file before using it.

AWS GovCloud

A new resource handler has been added that can connect to AWS GovCloud (US) regions designed to host sensitive data and regulated workloads in the , helping customers support their U.S. government compliance requirements. For more information, see https://aws.amazon.com/govcloud-us/.

Eucalyptus

A new resource handler has been added that can connect to Eucalyptus, an AWS-compatible private and hybrid environment. For more information, see https://github.com/eucalyptus/eucalyptus/wiki.

Content Library

More content types can be imported from the CloudBolt Content Library. We added orchestration actions, server and service actions, rules, and recurring jobs. Go to the admin page for any of those and toggle the ‘cloud-download’ button at the top right to view and import samples hosted on the Content Library.

When importing content that has already been imported, admins now have the choice to replace existing content or not.

General Improvements

The email sent to approvers when a new order is created will now show the URL for the portal where the order was placed.

Several cross-site scripting (XSS) vulnerabilities were fixed. Malicious payloads on some user-supplied fields are now prevented.

To prevent the database and job logs from growing too large, CloudBolt now ships with a recurring job to clean up job records older than one year. If you would like to keep jobs for a different amount of time, go to Admin > Recurring jobs and edit the job to change the threshold or disable it entirely.

Upgrade Notes

Bulk user creation using a CSV file is no longer supported.

The PKI authentication backend does not support custom roles.

CloudBolt plugins for user permissions

LDAP sync scripts and other CloudBolt plugins that grant permission will need to be updated to work with the new 7.2 roles. For example, the old call group.requestors.add(profile) will need to be updated to the following:

    from accounts.models import Role
    role = Role.objects.get(name='requestor')
    profile.add_role_for_group(role, group)

See the new out-of-the-box LDAP orchestration action for more examples of how the new roles work.

Rate hooks

As part of improving the AWS Rate Hook for discovered servers, a new server argument is now passed to its compute_rate method. This has 2 impacts for customers:

1. If you have modified the out-of-the-box AWS Rate Hook, you will want to look at the new out-of-the-box version after upgrade and incorporate the change we’ve made into your version of the code.
2. If you have written any of your own custom rate hooks, you will need to ensure that their compute_rate method can accept a server keyword argument. The best way to do this is simply to have all your action methods accept **kwargs.

What’s New in CloudBolt 7.1

Kubernetes

Adds support for custom config files, for fine-grained control of your resources. Custom config files support any resource type, not just Pods. The config files can also be templatized, similar to what is possible with actions, creating file inputs that can have default values set on the Pod Blueprint Item and/or have values entered at order time. Kubernetes resources created while provisioning a blueprint will be cleaned up when the service is deleted.

General Improvements

The Django web-app framework that powers CloudBolt has been upgraded to Django 1.10.6.

New OS Families have been added: SUSE Linux, macOS, Amazon Linux, and Solaris.

When viewing a server that has snapshots, there is a new delete icon next to each snapshot that allows the user to delete the snapshot.

HTTPS requests made by CloudBolt now support the Certifi library for validating SSL certificates. The default for SSL verification remains deactivated. However, it can be activated at Admin > SSL Root Certificates. If activated, certificates being used to connect to any HTTPS endpoints must be trusted by this new library. More information is available at https://github.com/certifi/python-certifi. Additional certificates can be added to supplement the list provided by Certifi by adding them to the SSL Root Certificates page.

Resource Technologies

VMware

When importing datastores, datastores that are part of datastore clusters will no longer be excluded.

Fixes bug where comma-separated datastores could not be entered.

CloudBolt Forge is now the CloudBolt Content Library

Some content from the CloudBolt Forge is now available for browsing and importing directly in the user interface. Initially, Server Actions, “base” actions, and UI extensions are supported. Simply browse to the admin pages for managing these objects and click on the “cloud-download” button in the top right to view and import remote content hosted on the Content Library. Support for more content types such as Blueprints and Rules will be implemented in the future.

The CloudBolt Forge Git repository will be deprecated in favor of this more intuitive in-product presentation. But as always, contributions to this repository of sample content are welcome. Contact CloudBolt to share your own blueprints, actions, or UI extensions with the CloudBolt community.

Upgrade Notes

NIC fields on the order form will now show even if there is only one option. Past orders created with a hidden NIC may not duplicate correctly, and CIT tests based on these orders may need to be recreated.

The configuration variable for MIDDLEWARE_CLASSES has changed to just MIDDLEWARE. Any references to that variable in customer_settings.py must also be changed.

The get_thread_logger method that was used in some actions is being deprecated. The correct approach is to use ThreadLogger instead. If you use get_thread_logger in any of the actions you created, please change it to ThreadLogger. Use of get_thread_logger will log a deprecation warning. A set of out-of-the-box actions have been changed from get_thread_logger to ThreadLogger, so if you have edited the code of these actions you will need to incorporate the changes to the out-of-the-box version into your edited code: delete--ci.py, create-servicenow-ci.py, puppet_ent_3.X_discover_groups.py, puppet_ent_3.X_clean_cert.py, puppet_ent_3.X_get_node_facts.py, puppet_ent_2015.3_discover_groups.py, puppet_ent_2015.3_clean_cert.py. The setting of a logger in an action should look like:

    from utilities.logger import ThreadLogger
    logger = ThreadLogger(__name__)

and not:

    from utilities.logger import get_thread_logger
    logger = get_thread_logger(__name__)

If you have a custom log-in template in /var/opt/cloudbolt/proserv/templates/registration/login.html, it may have an old piece of code that needs to be updated. Please ensure the form’s action attribute looks like this:

action="{% url 'login' %}"

and not:

action="{% url 'utilities.views.login' %}"

This is required by the upgrade to the latest Django framework and avoids an error on the log-in page.
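A pre-upgrade check for the deprecated usages named in the 7.2 and 7.1 upgrade notes above, as an added example that is not CloudBolt's own code. It scans customization files for the old requestors call, get_thread_logger, MIDDLEWARE_CLASSES and the old login URL name; the function names and the sample file contents are constructed for illustration.

```python
import os
import re

# Deprecated usages named in the 7.2 and 7.1 upgrade notes, each paired with
# the replacement the notes give.
DEPRECATED = [
    (re.compile(r"\.requestors\.add\s*\("),
     "7.2: use Role.objects.get(name='requestor') and "
     "profile.add_role_for_group(role, group)"),
    (re.compile(r"\bget_thread_logger\b"),
     "7.1: use ThreadLogger from utilities.logger"),
    (re.compile(r"\bMIDDLEWARE_CLASSES\b"),
     "7.1: setting renamed to MIDDLEWARE"),
    (re.compile(r"""\{%\s*url\s+['"]utilities\.views\.login['"]\s*%\}"""),
     "7.1: use {% url 'login' %} as the form action"),
]


def audit(files):
    """Return (file name, line number, advice) for each deprecated usage.

    `files` maps a file name to its text content.
    """
    findings = []
    for name, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pattern, advice in DEPRECATED:
                if pattern.search(line):
                    findings.append((name, lineno, advice))
    return findings


def read_tree(root, suffixes=(".py", ".html")):
    """Load matching files under root into the {name: text} form audit() takes."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return files


# Constructed sample content, not real CloudBolt files.
SAMPLE_FILES = {
    "ldap_sync.py": "def sync(group, profile):\n"
                    "    group.requestors.add(profile)\n",
    "my_action.py": "from utilities.logger import get_thread_logger\n"
                    "logger = get_thread_logger(__name__)\n",
    "customer_settings.py": "MIDDLEWARE_CLASSES = ()\nMIDDLEWARE = ()\n",
    "login.html": "<form action=\"{% url 'utilities.views.login' %}\">\n",
    "updated.py": "from utilities.logger import ThreadLogger\n"
                  "logger = ThreadLogger(__name__)\n",
}

if __name__ == "__main__":
    for name, lineno, advice in audit(SAMPLE_FILES):
        print(f"{name}:{lineno}: {advice}")
```

To scan a real installation, pass the result of read_tree() on the directory that holds your customizations to audit().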

There was an issue where existing Compute subnetworks were not being found when syncing networks, causing them to be replaced. That has been fixed, but existing networks will need to be re-synced after upgrading and their subnetworks will need to be re-added to the appropriate environments.

What’s New in CloudBolt 7.0

Ordering

To simplify the ordering process, CloudBolt’s two distinct order forms have been consolidated into one. The New Server order form has been removed, and all ordering now uses blueprints.

The New Server link still exists, but it now points to a new out-of-the-box blueprint called Custom Server. By default, the new blueprint can be deployed by all requestors.

Parameters no longer have a concept of Hide Single Value. Instead, they will be hidden if they have only a single option. Note that parameters that have their Required attribute set to False will never have only a single option, because they include a blank/none option.

Configuration Managers

Ansible

Ansible configuration management is now supported as a Connector in CloudBolt. Each instance of an Ansible connector can be configured to connect to a management server running Ansible. Playbooks can be mapped with their paths on the management server, and groups can be created to coordinate with inventory as it is referenced within your existing playbooks. Playbooks can be executed against a group, server, or list of servers. Ad-hoc commands can also be executed against the inventory. Playbooks can still be managed and version controlled on the management server, but inventory can be managed by CloudBolt and is pushed to the Ansible management server before executing any command or playbook.

Puppet Enterprise

It is no longer required to have your Puppet Master server managed by CloudBolt in order to have a functional Configuration Manager for Puppet Enterprise 2015+.

Load Balancers - F5 and Netscaler

CB admins can now define connection information for these load balancers in the Admin UI, so that blueprint managers only need to select from pre-defined load balancer options, and do not need to enter connection information (including credentials) for these.

Also, resource pools named “IP Pool for F5BIGIP” and “IP Pool for Netscaler” are no longer required. You can delete these if you already have them, and create new IP pools from the load balancers’ details pages.

More information is in the “Advanced Network Support” section of the documentation.

Resource Technologies

Azure ARM

New parameter “Azure ARM Resource Group” allows provisioning into an existing resource group. New parameter “Skip Security Group Creation” allows NIC-level security groups to be skipped in favor of subnet-level security groups. New add_extension method makes it easy to create actions that install extensions. See the CloudBolt Forge for an example of how to use the new method. Installed extensions will be shown on the server details page. The Azure ARM resource handler now has a method for deploying ARM templates. Refer to action_examples/deploy_azure_arm_template.py for more details on how to use this method.

Google Compute Engine

Google Compute subnetworks are now supported by CloudBolt. When a network is imported, its associated subnetworks will also be imported, and will be listed below the network on the resource handler’s Networks table. Adding that network to an environment will also connect any subnetworks that match the region of the environment. The network and any associated subnetworks will then be available when provisioning a server within that environment.

Amazon Web Services

New instance types are available. To add them to existing environments, use the import button under the AWS Parameters tab. Environments created after the 7.0 upgrade will have the new instance types by default.

The “Disk Size” parameter is now supported in AWS-backed environments. This gives you the ability to specify the size of the root storage device on new EC2 instances, overriding the default size specified by the selected AMI.

Blueprints

The blueprint order form will now show a preview of the hostname that will be used when ordering a server tier.

Blueprints can now be configured to not create a service when they are ordered. This only applies to blueprints that consist entirely of server build items, and will result directly in server provisioning jobs.

The rate breakdown for each server tier in a blueprint is now displayed as a chart.

Blueprint managers can choose to allow a Blueprint to be deployed by any group, rather than setting specific deploy permissions.

Renaming of menus, pages, and items related to Blueprints and the Catalog has been done for improved consistency and clarity.

Applications can be specified by the requestor when ordering a blueprint. The Applications field will automatically appear on the order form when the specified environment has applications available, unless the blueprint item has already predefined applications for that server item.

Applications can be specified when ordering a blueprint via the API.

Blueprints now have a history tab that displays a list of events showing when it has been created, edited, duplicated, or exported.

Actions

Excellent news: edits that you have made to out-of-the-box action code will no longer be lost on upgrade! Even better, you can now see on whether an action is using the out-of-the-box code, has out-of-the-box code but is using your edited version, or was created by a user. For remote scripts and CB plug-ins that have out-of-the-box code that you have edited, when viewing the current code you can also choose to see the out-of-the-box code in order to compare the two.

CloudBolt plug-ins now support OS family restrictions, similarly to how remote scripts did previously. Setting OS families on plug-ins is optional, but if they are set and there are servers in the context where the action is being called then those servers will be filtered by OS family. Some contexts that have servers are Server Actions, Service Actions when the service has servers, Post-Provisioning Orchestration Actions starting with Pre-Create Resource, and Blueprint actions when the blueprint has server tiers.

Actions can be given a value for max retries, which will cause the action to be re-run up to that number of times if it has an unsuccessful return status or raises an exception. Note that in the case of CloudBolt plug-ins this only applies to run methods.

Orchestration Actions can be set to continue on failure, somewhat similarly to Blueprint items. If that value is true, a failure of the Orchestration Action will not impact the rest of the job in which it runs. It will not cause the overall job to fail or change its flow. There are a few exceptions where this feature does not apply: Parameter Change, Generate Hostname Overwrite, Pre-Server Refresh, Generated Parameter Options, Order Form Validation, and Compute Server Rate.

It is now possible to define the options for a CB plugin’s action inputs using methods in the plugin itself, rather than relying on separate actions at the Generated Parameter Options trigger point.

Orchestration Actions admin view has been streamlined.

Server Actions can be configured with a particular dialog message to show and label for the submit button, as could already be done for Service Actions.

Recurring Jobs

Admins can now set up automatic powering off of groups of servers based on the time of the day. For more information, look for the Recurring Job named “Auto-Power Control Servers” in Admin > Recurring Jobs.

Add Actions as Recurring Jobs without an existing Job ID. Choose an existing or new Action that will be run on a recurring schedule. Action Inputs are also now supported on Recurring Jobs of this type. Existing out-of-the-box Recurring Jobs of type “Orchestration Action” will be converted to the new type (“Action”) on upgrade.

General Improvements

ConnectionInfo objects can now include the selection of a global SSH key.

Tests in Continuous Infrastructure Testing have a new “max retries” attribute that can be used to automatically retry the test when it fails.

CloudBolt links in emails will use HTTPS instead of HTTP.

Job logs, previously only viewable by CB admins, are now visible to all users who can view the job details. You can revert to the previous behavior by enabling “Restrict Job Logs To Admins” in Miscellaneous Settings.

Environments can now be imported and exported. Much like actions and Catalog blueprints, exporting can be performed with or without instance-specific information.

Deletion of servers will create a new order that is submitted automatically, rather than adding to your cart and requiring user input to submit it. Also, if bulk server deletion includes servers in different groups, one order will be made for each group, allowing you to delete them all in one step.

The Django web-app framework that powers CloudBolt has been upgraded to Django 1.9.12.

Server lists now support finding servers by label. In the table search box, users simply type “label:” followed by any part of a label name to find all matching records they have permission to view.

The global search feature, found in the top nav bar, is much more responsive. Searching and navigating results can be done entirely by keyboard, making it possible to find objects across your cloud at the speed of thought.

Multiple preconfigurations can now have the same label, but different names. The names will be shown to the CB admin only to distinguish between preconfigurations with the same label. This can be useful for providing different sets of parameters and options in different environments, using a preconfiguration that looks the same to the end user.

API Improvements

GET /api/v2/settings/ allows you to view CloudBolt’s Miscellaneous Settings.

Upgrade Notes

Version Compatibility

We have tested and verified upgrades from versions as old as CB 5.3.1. If you are running an older version, we recommend upgrading in two steps - to 6.0 first, then 7.0.

MySQL

MySQL, if present on the CloudBolt server, will be upgraded to 5.7 during CloudBolt upgrade. Considerations:

If you have database settings defined in your customer_settings.py file, you will need to change the init_command. Edit your /var/opt/cloudbolt/proserv/customer_settings.py and replace the existing init_command with this:

    "init_command": (
        # Create tables using the InnoDB engine as opposed to the MyISAM engine
        # Django will automatically create FK mappings and support
        # transactions when using InnoDB based tables
        # this option only affects the tables at schema creation time
        'SET DEFAULT_STORAGE_ENGINE=INNODB; '
        # Use READ COMMITTED instead of REPEATABLE READ
        'SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED'
    ),

If you are running MySQL on a separate server, please upgrade it to 5.7 before beginning the CloudBolt upgrade. You can have your DBAs perform this upgrade, or use a tool provided in the CloudBolt upgrader. From the upgrader directory, cd to 09-mysql57-upgrade, then run ./upgrade_standalone_mysql_server.sh

Breaking API Changes

The API collection for Blueprints is now simply ‘blueprints’. As a result, the collection specified for exporting and importing through the API should be ‘blueprints’. The sample scripts have been updated accordingly.

Similarly, the specification of a Blueprint in an install service order now has the key ‘blueprint’. The order_service sample script has also been updated to reflect this change, as well as the new URL mentioned above.

Two of the keys in the serialization of a Blueprint have been changed, from ‘build-service-items’ to ‘build-items’ and ‘teardown-service-items’ to ‘teardown-items’. Due to possible changes in the details of an order viewed through the API, it is recommended to look for orders created while running 7.0 when looking for examples to build calls to order a server or service through the API, rather than older orders.

Puppet Enterprise

If you have an existing Puppet Enterprise 2015+ Configuration Manager, you will need to visit the Overview tab of its details page and, in the PE Master SSH Connection, provide the appropriate information for running remote scripts on the Puppet Master in order to return it to working order.

If you have changed the out-of-the-box actions for Puppet Enterprise 2015+ (named with 2015.3), please be aware that this release has also changed those actions. You will need to merge the changes to the out-of-the-box code into your edited code.

Services

If a service consumes an IP from an internal CloudBolt IP Pool for any router or load balancer it creates, CloudBolt now tracks the IP usage throughout the lifecycle of the service.

Global Preferences

The global preferences for ‘Main List Per Page’ and ‘Sub List Per Page’ have been removed. To customize the number of items that are displayed per page in the database browser, add the variables ADMIN_LIST_PER_PAGE or ADMIN_SUBLIST_PER_PAGE to your customer_settings.py.

Actions

The out-of-the-box actions for “Scale Service”, “Associate Servers” and “haproxy_construct_load_balancer” have been changed in this release. If you have changed those actions, you will need to merge the changes made to the out-of-the-box code into your edited version of the code.

The Generated Parameter Options actions “Generate Prov Service Item Options”, “Generate Server Options for Service”, and “Generate LB Method Options for F5” that previously came out-of-the-box are no longer needed and should be deleted. If you have made any modifications to them, first merge those changes into the new methods in the “Scale Service”, “Associate Servers”, and “f5_construct_load_balancer” actions and the “haproxy_construct_load_balancer” base action used behind the scenes.

Continuous Infrastructure Testing (CIT)

If you are using labels for running CIT tests, note that the behavior has changed slightly. Previously if you selected multiple labels it would run only tests with all those labels, whereas now it will run any test that has any of those labels.

Duplicating Orders

If you duplicate an old order where it had a necessary parameter that was hidden due to being Hide Single Value (but not Required) and having a single option set on the Environment, the duplicated order is liable to fail. The reason is that the hidden parameter would not have had a value selected for the original order, but now it needs to because, due to not being Required, it does not actually have only a single option and therefore is not considered provided. If this causes an issue for a CIT test, you may need to recreate it.

Google Authentication

Authenticating users via Google logins is no longer supported.

Rate Calculation Hooks

The “compute_rate” method in custom rate hooks receives a new argument “disks” when calculating server rates. If you’ve written your own custom hook, you’ll need to confirm that it still works with the new argument.
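An added check for the rate hook notes in 7.2 (the server argument) and 7.0 (the disks argument), not CloudBolt's own code: it parses a hook's source instead of importing it and reports every compute_rate definition that could not accept those arguments by keyword. The sample hooks and their other parameters are constructed, and passing disks by keyword is an assumption.

```python
import ast

# Arguments the 7.2 and 7.0 upgrade notes say are now passed to compute_rate.
NEW_KEYWORDS = ("server", "disks")


def missing_keywords(source, func_name="compute_rate", keywords=NEW_KEYWORDS):
    """Return {line number: [keywords that definition cannot accept]}.

    Every definition of func_name in the source is checked, whether it is a
    module-level function or a method. A definition that takes **kwargs
    accepts any new keyword and is never reported.
    """
    problems = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if node.name != func_name:
            continue
        if node.args.kwarg is not None:  # **kwargs absorbs new keywords
            continue
        # Positional-only parameters cannot be passed by keyword, so only
        # regular and keyword-only parameters count.
        named = {a.arg for a in node.args.args + node.args.kwonlyargs}
        missing = [k for k in keywords if k not in named]
        if missing:
            problems[node.lineno] = missing
    return problems


# Constructed sample hooks; the parameter lists are hypothetical.
OLD_HOOK = """\
def compute_rate(group, environment, quantity=1):
    return {}
"""

PARTIAL_HOOK = """\
def compute_rate(group, environment, quantity=1, disks=None):
    return {}
"""

FIXED_HOOK = """\
def compute_rate(group, environment, quantity=1, **kwargs):
    server = kwargs.get("server")
    return {}
"""

if __name__ == "__main__":
    for label, src in (("old", OLD_HOOK), ("partial", PARTIAL_HOOK),
                       ("fixed", FIXED_HOOK)):
        print(label, missing_keywords(src))
```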

Thank You!

You are awesome. Thanks for reading our release notes. It’s users like you who make the product better, and we appreciate each and every one of you for providing us feedback. Keep it coming, because it’s your requests and ideas of how we can make CloudBolt more valuable for you that drive what we work on next.

Sincerely, The CloudBolt Team