Current Series Release Notes

21.0.0.0rc1-439

New Features

• Adds support for LDAP authentication in Grafana. Users can now enable LDAP by setting grafana_ldap_enabled to true and providing an ldap.toml configuration file in the {{ node_custom_config }}/grafana/ directory.

• Standardized health check endpoints for OpenStack API services and supporting components (Grafana, etcd, influxdb, rabbitmq). Both HAProxy and Docker health checks now use dedicated endpoints like /healthcheck, /api/health, or service-specific paths for consistent and reliable detection.

  Health checks now explicitly expect HTTP 200 status codes and use standardized curl commands across all services.

  Docker container health checks have been unified with HAProxy configurations, using the same dedicated endpoints.

• Adds support for deploying multiple instances of the Nova Compute Ironic service on the same host. This is useful in large baremetal deployments.

• Adds support for deploying OpenStack Network Exporter for gathering OVS/OVN related metrics. This is enabled by default when using Prometheus.

• Adds support for deploying prometheus-valkey-exporter to enable monitoring of Valkey servers.

• Added a validation check to ensure the number of neutron_external_interface entries matches the number of neutron_bridge_name entries in the configuration. This prevents misconfigurations that could cause deployment failures or incorrect networking behavior. LP#1864832

• Added TLS support for the RabbitMQ management API and UI. When rabbitmq_enable_tls is set to true, TLS is now also enabled for the RabbitMQ management interface.

• Add support for libvirt vTPM (swtpm) configuration. LP#2106219

• Increased the default value of innodb_log_file_size from 96MB to 2GB. This change improves overall MariaDB performance, though crash recovery may take longer as a tradeoff. Users can adjust the value by overriding the mariadb_innodb_log_file_size_mb variable. The allowed range is 4MB to 524288MB (512GB).

• Ironic DHCP can now be configured to supply DNS servers via ironic_dnsmasq_dhcp_ranges. This enables the inspection ramdisk (IPA) to reach FQDN API endpoints.

• The HAProxy TLS configuration has been hardened following Mozilla SSL Modern recommendations for HAProxy 2.8.15 and OpenSSL 3.x (Rocky Linux and Ubuntu): https://ssl-config.mozilla.org/#server=haproxy&version=2.8.15&config=modern&openssl=3.0.13&guideline=5.7

• Add support for deploying neutron_ovn_vpn_agent. This enables the use of vpnaas in ovn environments. <https://docs.openstack.org/kolla-ansible/latest/reference/networking/neutron-extensions.html#neutron-vpnaas-vpn-as-a-service>`__

• Adds explicit support for passing through the ipa-ntp-server setting via the kernel commandline to the Ironic Python Agent.

  You can now also use ironic_kernel_append_params to provide additional arguments to the kernel command line when booting the Ironic Python Agent.

• The nova-cell role now supports operator-specified custom templates for qemu.conf and libvirtd.conf. Kolla-Ansible will now look for host-specific and global overrides before falling back to the default templates.

• New variables rabbitmq_stream_max_segment_size_bytes and rabbitmq_stream_segment_max_age are added to make RabbitMQ stream retention policy configurable. These two new variables are only applied when om_enable_rabbitmq_stream_fanout is set to true. It is recommended to tune the values based on user’s environment to prevent leaving too many ready messages in stream queues.

• Adds support for custom MariaDB Galera notification scripts. Operators can provide a wsrep-notify.sh script in the custom config directory (/etc/kolla/config/mariadb/). When detected, Kolla Ansible configures MariaDB to execute it on cluster state changes, enabling integration with Prometheus Alertmanager or custom logging.

• An Alertmanager datasource is now automatically configured in Grafana when enable_prometheus_alertmanager is set to true.

• Adds support for passing additional command-line arguments to the ovn-northd daemon via the ovn_northd_cmdline_extras variable. This allows operators to customize ovn-northd behavior, such as setting thread count (--n-threads), enabling parallel build (--use-parallel-build), or tuning the inactivity probe timeout (--inactivity-probe).

• The RabbitMQ upgrade path validation now supports explicitly allowed version jumps (e.g., major or multi-minor upgrades) via the rabbitmq_allowed_upgrades variable. This allows operators to manage supported RabbitMQ upgrade paths through role defaults or globals.yml without modifying the core Ansible task files.

• Added service_uwsgi_config_threads to configure uWSGI thread count. Horizon now applies horizon_wsgi_threads when using uWSGI.

• Sets scope_key to tenant_id in the [collect] section of the CloudKitty configuration file when Prometheus and Openstack Exporter are enabled, to ensure CloudKitty fetches valid metrics from the OpenStack Exporter.

• Keystone OpenID metadata files are now templated, enabling variable substitution and dynamic configuration.

Upgrade Notes

• If you are migrating to the new feature to deploy multiple instances of Nova Compute Ironic, you are first required to manually remove the existing Nova Compute Ironic Docker container, and config directories.

• Minimum supported Ansible version is now 12 (ansible-core 2.19) and maximum supported is 13 (ansible-core 2.20).

• barbican-api uWSGI configuration has been migrated to use the service-uwsgi-config role, consistent with other Kolla-Ansible roles.

• The default session cache backend for Horizon has changed when Valkey is enabled. If enable_valkey is set to true, Valkey will be used as the preferred backend to improve availability.

• The default value of innodb_log_file_size has increased from 96MB to 2GB. This improves MariaDB performance but crash recovery may take longer. Before upgrading, ensure sufficient disk space is available for the larger InnoDB log file.

• By default, ML2/OVS L3 routers no longer set ha_vrrp_health_check_interval when enable_neutron_agent_ha is true. This is to prevent stability issues when Neutron is unable to keep up with L3 router state changes.

• Support for deploying influxdb has been dropped. Kolla delivered the community end-of-life version v1, and there are no plans to upgrade to v2. Users should migrate to an alternative monitoring solution and remove influxdb containers and their configuration manually.

• Support for deploying telegraf has been dropped after earlier deprecation. Existing users need to remove telegraf containers and their configuration manually.

• Support for deploying zun has been dropped due to the service being broken in 2026.1. kuryr has been dropped as well, due to it being only used by zun.

• The legacy (non-rolling) ironic upgrade mechanism has been dropped. Ironic upgrades now exclusively use the rolling upgrade mechanism.

• kolla_logs role has been split from common role, please update your inventory accordingly to include kolla_logs group.

• lightbits_JWT variable has been renamed to lightbits_jwt

• cinder-volume and cinder-backup containers are now deployed by default on cinder group - which effectively is control by default (earlier it defaulted to storage).

• New Ansible inventory groups have been introduced to support properly Cinder LVM backend setup:

  • cinder-backup-lvm

  • cinder-backup-multiple

  • cinder-volume-lvm

  • cinder-volume-multiple

  Please update your inventory overrides accordingly.

• Adds support for seamless RabbitMQ 4.2 upgrades by defining the required version jump paths in the default configuration.

• The global variable distro_python_version has been removed as it is no longer needed. Python path handling is now done at the image level.

• common Ansible role has been renamed to kolla_toolbox. Also the kolla-toolbox Ansible inventory group has been renamed to kolla_toolbox to be in line with Ansible requirements. The tag for kolla_toolbox deployment task has also been renamed. Users should update their inventories and inventory overrides to reflect this change.

• kolla-toolbox and all kolla_toolbox based invocations of Ansible openstack.cloud modules have been reworked to use clouds.yaml. openstack_auth variable is only used for passing keystone admin password for services bootstrap runs.

• designate-api is now running under uWSGI and supports backend TLS.

• glance-api is now running under uWSGI and supports backend TLS without the additional haproxy container. The glance-tls-proxy container will be removed during the upgrade process.

• magnum-api is now running under uWSGI and supports backend TLS.

Deprecation Notes

• Remove option to set OIDCHTMLErrorTemplate in Debian 13 and Rocky 10. As this option was removed in 2.4.14 version of modoidc auth plugin. It is still present in Ubuntu Noble and can be used there. This applies only when using keystone_wsgi_provider: apache, which is not the default.

Bug Fixes

• Fixes an issue where OpenSearch log retention check would fail due to plugins not being fully loaded, resulting in a timeout error. This was caused by the task that checks for the existence of a log. Added a check before plugin tasks to ensure plugins are fully loaded.

• Improves Horizon availability when cache nodes fail by adding support for Valkey as a session cache backend. LP#2093414

• Fixed an issue where neutron-server and other neutron agents would fail to start when kolla_copy_ca_into_containers was enabled but backend TLS was disabled. The configuration now correctly distinguishes between the requirement for backend certificates (neutron-cert.pem) and the optional copying of CA certificates. LP#2121694

• Make generation of prometheus.yml consistent when using custom override files.

  Previous behaviour would lead to changes in prometheus.yml on every run when custom override files were used, as the find result was not sorted. This could lead to unnecessary restarts and unreadable diffs of the prometheus service. LP#2126635

• Fixed an issue where redundant HAProxy backend configuration was generated for the memcached service. The memcached backend entries are no longer created since no OpenStack service uses HAProxy to reach memcached. LP#2130641

• Fixed missing schemaname: nova rule in ProxySQL configuration for the default (unnamed) Nova cell. LP#2130985

• Fixes issue where ProxySQL certificates were copied over even with kolla_externally_managed_cert set to True. LP#2131993

• Fixes federation path for new keystone-httpd container. Previously the normal keystone container running apache wsgi was used. After migration to the uwsgi container the federation logic remained in the keystone-httpd container, but the federation files were never mounted there. LP#2134455.

• Adds logrotate configuration for OpenSearch Dashboards. Previously, logs located in /var/log/kolla/opensearch-dashboards/ were not included in the rotation schedule, which could lead to excessive disk space consumption. LP#2137716

• Fixes a regression in the Valkey upgrade process where the valkey_master_host variable was not defined if the Redis migration block was skipped. This led to a fatal error during the “Wait for Valkey replication sync” task due to the interaction between run_once and delegate_to. The variable is now defined globally at the start of the upgrade tasks. LP#2138440

• Fixed an issue where Valkey logs were not being correctly parsed by Fluentd. The timestamp format in the Fluentd configuration has been updated to match the format used by Valkey, ensuring logs are properly collected and indexed in the logging backend. LP#2138451

• Fixed a critical issue in kolla-mergepwd where the migration from Redis to Valkey resulted in authentication failures. The tool now automatically inherits the existing redis_master_password into the new valkey_master_password field during upgrades. This prevents serious cluster damage in deployments using custom Keystone caching solutions and ensures Octavia remains stable throughout the upgrade process, avoiding global HTTP 401 Unauthorized errors caused by password mismatches. LP#2138461

• Fixed an issue where Neutron sub-services (RPC server, maintenance and periodic workers) would crash when enable_neutron_vpnaas was set to yes due to missing neutron_vpnaas.conf file injection. LP#2138498

• Fixed an issue during upgrades from 2025.1 to 2025.2 where the Valkey role unconditionally referenced the redis inventory group. Since Redis is no longer present in the default inventories, this caused the upgrade to fail with an AnsibleUndefinedVariable error. The upgrade logic now correctly handles inventories without a redis group.

• Fixed an issue where the masakari-api container was unnecessarily restarted during every reconfigure operation. The container handler now correctly includes the healthcheck configuration, ensuring idempotency by matching the container’s runtime definition with the service defaults. LP#2143979

• Fixes an issue where iterated containers were restarted all at once when only a subset were detected as changed. LP#2144917

• Fixes an issue where Prometheus would not scrape ProxySQL or Valkey metrics if Alertmanager was disabled. The configuration blocks for these exporters were incorrectly nested within the Alertmanager conditional block. LP#2148279

• Fixed an intermittent Zuul CI failure in the MariaDB backup test. LP#2129930

• Fixes Bifrost bootstrap by disabling the new Bifrost OCI artifact registry which is not compatible with running Bifrost inside a container. LP#2138705

• Fixes bootstrapping of prometheus-mysqld-exporter which is failing creating mariadb user when monitoring group is configured to be deployed on separate hosts.

• Fixes a placement problem for cyborg api and conductor services, that would be also be scheduled on compute nodes, rather than being exclusively on control plane. LP#2087552

• Fixes a failure in the destroy workflow when cleaning up the Octavia interface service by running the task with elevated privileges.

• Fixes default ulimits for Debian-family container engines when using containerd. Previously, ulimits were not enforced by default, which could lead to missing nofile limits and service startup failures.

  This change introduces sane default ulimit values for Debian-based distributions while keeping existing EL9 behavior unchanged.

  LP#2132378

• Fixed an issue in Glance where enabling kolla_copy_ca_into_containers forced a check for missing service certificates. The glance-api container now only requires glance-cert.pem if glance_enable_tls_backend is explicitly set to yes.

• Fixed TLS errors in Skyline’s nginx configuration when upstream endpoints use HTTPS. LP#2091935 LP#1951437

• Prevents users installing plugins via the Grafana UI which will cause Grafana instances to become out-of-sync in multinode deployments. LP#2122587

• Fix generating passwords longer than 72 characters. This fixes prometheus configuration. LP#2126975

Other Notes

• Add more CI coverage for Federation codepath. Migrate ansible to use openstack.cloud ansible collection modules for configuring federation. Previously it was done using python-openstackclient.

• This release exposes additional configuration options for OpenStack Compute consoles which utilize the SPICE protocol. These configuration options have been defaulted to the previous implied values, so do not need to be set if you’re happy with the current behavior. The Kolla-Ansible Nova guide has been updated with further details of these new configuration options.

• The structure of the templates for log rotate cron jobs has been simplified to reduce repetition. If you have local changes which add to or modify these templates you may need to update your modifications.