StackStorm 2.2 is up!

Feb 27, 2017
by Lindsay Hill

Here’s a nice way to start your week: StackStorm 2.2 has been released! Mistral updates, Jinja in Mistral workflows, Jinja in complex objects, new st2 login and st2 whoami commands, security improvements and more! Our release master put in some hard work over the last few days to get this out the door. Read on for more details.

Jinja Enhancements

You asked, we’ve delivered: You can now use Jinja expressions in Mistral workflows, wherever YAQL expressions are accepted. This lets you do things like manipulate the input & output data structures, perform boolean logic, and and conditional logic for evaluating and transforming data. Each expression should be encapsulated with {{ }}. Here’s an example that shows how to work with environment variables:

version: '2.0'
description: A basic workflow that illustrates how to get the workflow's env vars.
type: direct
env: "{{ env() }}"
url: "{{ _.url }}"
action: core.local
cmd: "echo{{ env().st2_execution_id }}"
url: "{{ task('task1').result.stdout }}"
ctx: "{{ env()['__actions']['st2.action']['st2_context'] }}"

Read the docs, and check the examples for more info.

Also: You can now nest Jinja variables inside array and object types.

Don’t worry though: YAQL is not going anywhere. It’s still there, and will continue to have first-class support, for those need its power and type support.

Mistral Updates

As you know, we use and contribute to the OpenStack Mistral service for complex workflows in StackStorm. With this release we’ve updated our fork to the latest master branch. We’ve been wanting to do this for a while, as it brings us stability improvements, weeds out some corner-case deadlocks, and delivers performance enhancements. Thanks to Renat and all the crew for the good work they’re doing.

CLI Authentication helpers

Want to authenticate to ST2 using the CLI, but don’t like storing your password in plaintext in your config file? Check out the new st2 login command. This is an easy way to login and cache your authentication token. Just run st2 login st2admin --password [email protected].

This also gives you a quick way to switch user. Need to check which user you’re logged in as? Use the new st2 whoami command to check!

Security Hardening

We’ve been doing some housekeeping, and we’ve tightened our default settings used by our installer script:

  • MongoDB now only listens on localhost, and creates two new users admin and stackstorm. The stackstorm user only has access to the st2 database.
  • RabbitMQ now only listens on localhost.
  • PostgreSQL only listens on localhost (this was already a default on some distributions).
  • Mistral now uses a random password for PostgreSQL authentication.

This further reduces the default attack surface. If you’re doing a manual install of StackStorm, be sure to read the new Security section.

Miscellaneous Fixes and Improvements

The usual collection of smaller changes:

  • Validation of trigger parameters and payloads is now available. You will need to enable the system.validate_trigger_payload and system.validate_trigger_parameters options to use it – it is disabled by default. Thanks to Hiroyasu Ohyama for the contribution.
  • We now support MongoDB 3.4. The installation script will still install 3.2 by default, but you are welcome to move to 3.4. In future we will make 3.4 the default version.
  • RPM packaging fixes: The logrotate and LDAP configurations will no longer be removed on RPM upgrade.
  • st2 pack install will now work with git repositories that do not use master as the default branch.

Upgrade Warnings

We previously warned that the system and user Jinja variable notation for accessing system and user scoped datastore items inside workflows and actions is going away and be replaced by the new st2kv.system and st2kv.user notation.

Well, that time has arrived. Now you really do need to update your actions and workflows to use the new scoping notation.

The database schema for Mistral has changed. The executions_v2 table is no longer used. The table has been broken down into workflow_executions_v2, task_executions_v2, and action_executions_v2. There is currently no migration script to move existing records from executions_v2 into the new tables. If you really need to read from executions_v2, either use psql or install an older version of the python-mistralclient.

As always, full changelogs are here, full upgrade notes are here, and we are always available to help on our Slack channel. Sign up here.