Current Series Release Notes

21.0.0.0rc1-302

New Features

  • Adds support for LDAP authentication in Grafana. Users can now enable LDAP by setting grafana_ldap_enabled to true and providing an ldap.toml configuration file in the {{ node_custom_config }}/grafana/ directory.

  • Added support for RabbitMQ management interface SSL configuration.

  • Add support for libvirt vTPM (swtpm) configuration. LP#2106219

  • Increased the default value of innodb_log_file_size from 96MB to 2GB. This change improves overall performance of MariaDB. However, the recovery of MariaDB may take longer time as a tradeoff. Users can adjust the value by overriding K-A variable mariadb_innodb_log_file_size_mb. The allowed minimum is 4MB and maximum is 524288MB (512GB)

  • Ironic DHCP can now be configured to supply DNS servers via ironic_dnsmasq_dhcp_ranges. This enables the inspection ramdisk (IPA) to reach FQDN API endpoints.

  • Adds explicit support for passing through the ipa-ntp-server setting via the kernel commandline to the Ironic Python Agent.

    You can now also use ironic_kernel_append_params to provide additional arguments to the kernel command line when booting the Ironic Python Agent.

  • The nova-cell role now supports operator-specified custom templates for qemu.conf and libvirtd.conf. Kolla-Ansible will now look for host-specific and global overrides before falling back to the default templates.

  • Added new Alertmanager datasource in Grafana.

  • Sets scope_key to tenant_id in the [collect] section of the CloudKitty configuration file when Prometheus and Openstack Exporter are enabled, to ensure CloudKitty fetches valid metrics from the OpenStack Exporter.

  • Keystone OpenID metadata files are now templated, enabling variable substitution and dynamic configuration.

Upgrade Notes

  • Minimum supported Ansible version is now 12 (ansible-core 2.19) and maximum supported is 13 (ansible-core 2.20).

  • barbican uWSGI configuration has been reworked to use the same service role as other Ansible roles.

  • The default value of innodb_log_file_size has increased from 96MB to 2GB. This improves MariaDB performance but recovery time from crash may take longer time as a tradeoff. Users are recommended to consider the recovery time with new default before upgrade. Users are recommended to check if disk space is enough with larger InnoDB log file.

  • Support for deploying influxdb has been dropped, because Kolla delivers a community end of life version v1, and there are no plans to upgrade influxdb to v2 - there are better open source alternatives out there. Existing users need to remove influxdb containers and their configuration manually.

  • Support for deploying telegraf has been dropped after earlier deprecation. Existing users need to remove telegraf containers and their configuration manually.

  • Ironic legacy upgrade mechanism has been dropped.

  • lightbits_JWT variable has been renamed to lightbits_jwt

  • The global variable distro_python_version has been removed

  • designate-api is now running under uWSGI and now supports backend TLS.

  • glance-api is now running under uWSGI and supports backend TLS without the additional haproxy container. The glance-tls-proxy container will be removed during the upgrade process.

  • magnum-api is now running under uWSGI and now supports backend TLS.

Bug Fixes

  • Fixes an issue where OpenSearch log retention check would fail due to plugins not being fully loaded, resulting in a timeout error. This was caused by the task that checks for the existence of a log. Added a check before plugin tasks to ensure plugins are fully loaded.

  • Fixed an issue where neutron-server and other neutron agents would fail to start when kolla_copy_ca_into_containers was enabled but backend TLS was disabled. The configuration now correctly distinguishes between the requirement for backend certificates (neutron-cert.pem) and the optional copying of CA certificates. LP#2121694

  • Make generation of prometheus.yml consistent when using custom override files.

    Previous behaviour would lead to changes in prometheus.yml on every run when custom override files were used, as the find result was not sorted. This could lead to unnecessary restarts and unreadable diffs of the prometheus service. LP#2126635

  • Fixed an issue where redundant HAProxy backend configuration was generated for the memcached service. The memcached backend entries are no longer created since no OpenStack service uses HAProxy to reach memcached. LP#2130641

  • Fixed missing schemaname: nova rule in ProxySQL configuration for the default (unnamed) Nova cell. LP#2130985

  • Fixes issue where ProxySQL certificates were copied over even with kolla_externally_managed_cert set to True. LP#2073159

  • Adds logrotate configuration for OpenSearch Dashboards. Previously, logs located in /var/log/kolla/opensearch-dashboards/ were not included in the rotation schedule, which could lead to excessive disk space consumption. LP#2137716

  • Fixes a regression in the Valkey upgrade process where the valkey_master_host variable was not defined if the Redis migration block was skipped. This led to a fatal error during the “Wait for Valkey replication sync” task due to the interaction between run_once and delegate_to. The variable is now defined globally at the start of the upgrade tasks. LP#2138440

  • Fixed an issue where Valkey logs were not being correctly parsed by Fluentd. The timestamp format in the Fluentd configuration has been updated to match the format used by Valkey, ensuring logs are properly collected and indexed in the logging backend. LP#2138451

  • Fixed a critical issue in kolla-mergepwd where the migration from Redis to Valkey resulted in authentication failures. The tool now automatically inherits the existing redis_master_password into the new valkey_master_password field during upgrades. This prevents serious cluster damage in deployments using custom Keystone caching solutions and ensures Octavia remains stable throughout the upgrade process, avoiding global HTTP 401 Unauthorized errors caused by password mismatches. LP#2138461

  • Fixed an issue where Neutron sub-services (RPC server, maintenance and periodic workers) would crash when enable_neutron_vpnaas was set to yes due to missing neutron_vpnaas.conf file injection. neutron: inject neutron_vpnaas.conf into auxiliary services LP#2138498

  • Fixed an issue during upgrades from 2025.1 to 2025.2 where the Valkey role unconditionally referenced the redis inventory group. Since Redis is no longer present in the default inventories, this caused the upgrade to fail with an AnsibleUndefinedVariable error. The upgrade logic now correctly handles inventories without a redis group.

  • Fixed an issue where the masakari-api container was unnecessarily restarted during every reconfigure operation. The container handler now correctly includes the healthcheck configuration, ensuring idempotency by matching the container’s runtime definition with the service defaults. LP#2143979

  • Fixes bug LP#2129930 which made Zuul CI to fail MariaDB backup test sometimes.

  • Fixes a placement problem for cyborg api and conductor services, that would be also be scheduled on compute nodes, rather than being exclusively on control plane. LP#2087552

  • Fixed an issue in Glance where enabling kolla_copy_ca_into_containers forced a check for missing service certificates. The glance-api container now only requires glance-cert.pem if glance_enable_tls_backend is explicitly set to yes.

  • Fixed TLS errors in Skyline’s nginx configuration when upstream endpoints use HTTPS. LP#2091935 LP#1951437

  • Prevents users installing plugins via the Grafana UI which will cause Grafana instances to become out-of-sync in multinode deployments. See LP#2122587.

  • Fix generating passwords longer than 72 characters. This fixes prometheus configuration. LP#2126975