Zed Series Release Notes

18.0.0.0b1-235

New Features

  • Implemented the openstack_hosts_package_manager_extra_conf variable. It allows extra content to be added to the package manager’s configuration (works with apt, yum and dnf).

  • A new variable centos_mirror_url is introduced to the openstack_hosts role to allow a single deployment wide variable to control the location of the centos package mirror.

  • Added variable openstack_host_custom_hosts_records that allows the deployer to add custom records to the /etc/hosts file. Its structure is a simple list where each element is a string which should be placed in /etc/hosts.

  • In deployments where a separate host is used to manage the OpenStack Ansible configuration, the ‘/etc/hosts’ file on that host will now include a section adding hostname to IP resolution for all hosts in the inventory. This can be enabled/disabled via ‘openstack_host_manage_deploy_hosts_file’.

  • A new variable openstack_hosts_apt_pinned_packages is added which allows deployment wide apt pins to be defined in user_variables. The variable defaults to pinning the UCA repository to a priority lower than the Ubuntu repositories for any binary packages generated from the ceph source package. The intention is to ensure that Ceph packages are always installed from the Ubuntu repositories, or alternatively the official ceph repositories if the ceph_client role is run later against a host. The ceph packages for a particular openstack release may not be the same version as those expected by the rest of openstack-ansible so this change ensures consistency in the deployed ceph version.

  • New variable openstack_ca_bundle_path has been added which defines the path to the ca-bundle certificate which contains all system-trusted CAs and will be used by the Python Requests module.

  • Added variable openstack_systemd_global_overrides that defines some defaults for all systemd services. It will be deployed to all hosts and containers, but can be controlled with group_vars or host_vars as well if needed.

  • Added variable keepalived_sysctl_tcp_retries, which controls the number of retries the kernel will make before giving up on a connection. It controls the net.ipv4.tcp_retries2 sysctl setting, whose default value is 15. The default value of keepalived_sysctl_tcp_retries is 8, so VIP failover time will be ~1min. Setting keepalived_sysctl_tcp_retries to 0 will remove the mentioned sysctl setting.

  • Deployers may require custom CA certificates to be installed on their openstack hosts or service containers. A new variable openstack_host_ca_certificates is added which is a list of certificates that should be copied from the deploy host to the target hosts. Certificates may be selectively deployed by defining the variable either in user_variables.yml or via host/group vars.

Known Issues

  • Where a single OSA deploy host is used to manage multiple deployments, some delegated Ansible tasks are performed using hostnames rather than IP addresses due to Ansible issue 72776. Hostnames such as ‘infra1’ will be ambiguous, so use of separate hosts for each deployment is recommended.

  • Ubuntu Cloud Archive (UCA) does not contain Ubuntu Bionic distro packages for Victoria, so only the source install/upgrade path (default) will work correctly for Ubuntu 18.04.

Upgrade Notes

  • Variable uca_repo has been removed. Deployers are encouraged to use user_external_repos_list instead if they want to define an extra repository. Variable uca_apt_repo_url was renamed to apt_repo_url to reflect its usage, as it now also affects Debian deployments.

  • Records for /etc/hosts are now generated with the blockinfile Ansible module. During upgrade, records in your /etc/hosts will be duplicated if openstack_host_manage_hosts_file is set to true, as previously created records are not dropped for safety reasons.

  • In order to accommodate Centos-8 Stream support, it is necessary to require the minimum version of Centos-8 Classic to be 8.3. There are breaking changes between Stream and Classic versions prior to 8.3 which break ansible code that detects major/minor versions of Centos. Before upgrading to Wallaby, deployers should ensure that their Centos hosts are updated to 8.3.

  • Existing use of the variable openstack_hosts_centos_mirror_url will continue to work as in previous releases, but the new variable centos_mirror_url can be used to define the mirror location for the whole deployment.

  • CentOS/Rocky Linux deployments will get a major update of the OVS version from 2.17 to 3.1 and of OVN from 22.12 to 23.03. RDO has stopped building packages for previous OVS/OVN versions, which means they will not receive any upstream bugfixes or security patches.

    If you still want to preserve the old versions of OVS/OVN, you can define the following variable:

    openstack_hosts_package_repos:
      - name: rdo-deps
        file: rdo-deps
        description: rdo-deps
        baseurl: "{{ openstack_hosts_rdo_deps_url }}"
        gpgcheck: no
        module_hotfixes: yes
        exclude:
          - '*rdo-openvswitch*3.1*'
          - '*rdo-ovn*3.1*'
    
  • Deployments which follow the distro path (services are installed from distro packages rather than in virtualenvs) should upgrade Ubuntu 18.04 -> 20.04 before performing the OpenStack Ussuri -> Victoria upgrade, since Ubuntu Cloud Archive does not provide Victoria system packages for 18.04.

  • The new variable openstack_hosts_apt_pinned_packages is added to the openstack_hosts ansible role and sets the value of apt_pinned_packages for the apt_package_pinning role run as a dependency of the openstack_hosts role. Existing use of the apt_pinned_packages variable by deployers in user_variables should be reviewed to ensure that those pins are applied by the intended ansible roles, and swapped to this new variable if necessary.

Deprecation Notes

  • Since certificates and CA distribution are now handled by the PKI role, variable openstack_host_ca_location has been deprecated and removed.

Bug Fixes

  • Explicitly adding localhost to the inventory could result in an FQDN change, because a record for localhost was added to the managed block inside the /etc/hosts file. This is now fixed and the record for 127.0.0.1 will be removed from the Ansible-managed blocks inside the /etc/hosts file.

Other Notes

  • Code which added ‘Acquire::http:No-Cache true’ to the host and container apt preferences when http proxy environment variables were set has been removed. This setting is only required when working around issues introduced by badly configured http proxies. In some cases proxies can improperly cache the apt Releases and Packages files, leading to package installation errors. If a deployment is behind a badly configured proxy, the deployer can add the necessary apt config fragment as part of host provisioning. OSA will replicate that config into any containers that are created. This setting can be removed from existing deployments if required by manually deleting the file /etc/apt/apt.conf.d/00apt-no-cache from all hosts and containers.

18.0.0.0b1

New Features

  • Deployers of CentOS 7 environments can use the openstack_hosts_enable_yum_fastestmirror variable to enable or disable yum’s fastestmirror plugin. The default setting of yes ensures that fastestmirror is enabled.

  • Supported openSUSE and Ubuntu hosts ship with new enough pip, setuptools, virtualenv and wheel packages which are now being used in favor of the PIP ones.

17.0.0.0rc1

New Features

  • Persistent systemd journals are now enabled. This allows deployers to keep older systemd journals on disk for review. The disk space requirements are extremely low since the journals are stored in binary format. The default location for persistent journals is in /var/log/journal.

    Deployers can opt out of this change by setting openstack_host_keep_journals to no.

17.0.0.0b2

Upgrade Notes

  • If you have overridden your openstack_host_specific_kernel_modules, please remove its group matching, and move that override directly to the appropriate group.

    Example, for an override like:

    - name: "ebtables"
      pattern: "CONFIG_BRIDGE_NF_EBTABLES"
      group: "network_hosts"
    

    You can create a file for the network_hosts group, inside its group vars folder /etc/openstack_deploy/group_vars/network_hosts, with the content:

    - name: "ebtables"
      pattern: "CONFIG_BRIDGE_NF_EBTABLES"
    
  • Any user coming from Pike or below on Ubuntu should modify their user_external_repos_list, switching the Ubuntu Cloud Archive repository from state: present to state: absent. From now on, UCA will be defined with the filename uca. If the deployer wants to use their own mirror, they can still override the variable uca_repo to point to it. Alternatively, the deployer can completely define which repos to add and remove, ignoring our defaults, by overriding openstack_hosts_package_repos.

17.0.0.0b1

New Features

  • Deployers can set openstack_hosts_centos_mirror_url to use their preferred mirror for the RDO repositories.

Security Issues

  • The net.bridge.bridge-nf-call-* kernel parameters were set to 0 in previous releases to improve performance and it was left up to neutron to adjust these parameters when security groups are applied. This could cause situations where bridge traffic was not sent through iptables and this rendered security groups ineffective. This could allow unexpected ingress and egress traffic within the cloud.

    These kernel parameters are now set to 1 on all hosts by the openstack_hosts role, which ensures that bridge traffic is always sent through iptables.
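
    A runtime check for the condition described in this note, as an added example that is not part of the openstack_hosts role: it reads the three bridge-nf-call-* parameters and reports any that are not 1. The function names and the constructed sample directory are assumptions of this example; on a real host the values live under /proc/sys/net/bridge.

```shell
#!/bin/sh
# Audit the bridge netfilter sysctls that the note above says must be 1.
# Example code: audit_bridge_nf and demo are hypothetical names.

BRIDGE_KEYS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# Prints one "key=value" line per finding; returns 0 only if every key is 1.
audit_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    rc=0
    if [ ! -d "$dir" ]; then
        # On current kernels this directory exists only while br_netfilter
        # is loaded; without it bridged frames never reach iptables.
        echo "br_netfilter=not-loaded"
        return 2
    fi
    for key in $BRIDGE_KEYS; do
        if [ ! -r "$dir/$key" ]; then
            echo "$key=missing"; rc=1; continue
        fi
        val=$(tr -d '[:space:]' < "$dir/$key")
        if [ "$val" != "1" ]; then
            echo "$key=$val"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: a host still carrying the old performance setting.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bridge"
    echo 0 > "$tmp/bridge/bridge-nf-call-iptables"
    echo 1 > "$tmp/bridge/bridge-nf-call-ip6tables"
    echo 1 > "$tmp/bridge/bridge-nf-call-arptables"
    audit_bridge_nf "$tmp/bridge"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || true
```

    Calling audit_bridge_nf with no argument checks the live host; a non-zero exit status means security group filtering of bridged traffic cannot be relied on there.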

Bug Fixes

  • The sysstat package was installed on all distributions, but it was only configured to run on Ubuntu and OpenSUSE. It would not run on CentOS due to bad SELinux contexts and file permissions on /etc/cron.d/sysstat. This has been fixed and sysstat now runs properly on CentOS.

15.0.0.0rc1

New Features

  • Deployers can set openstack_host_nf_conntrack_max to control the maximum size of the netfilter connection tracking table. The default of 262144 should be increased if virtual machines will be handling large amounts of concurrent connections.

15.0.0.0b2

New Features

  • The copy of the /etc/openstack-release file is now optional. To disable the copy of the file, set openstack_distrib_file to no.

  • The location of the /etc/openstack-release file placement can now be changed. Set the variable openstack_distrib_file_path to place it in a different path.

Upgrade Notes

  • The variables used to produce the /etc/openstack-release file have been changed in order to improve consistency in the name spacing according to their purpose.

    openstack_code_name –> openstack_distrib_code_name
    openstack_release –> openstack_distrib_release

    Note that the value for openstack_distrib_release will be taken from the variable openstack_release if it is set.

15.0.0.0b1

New Features

  • The PATH environment variable that is configured on the remote system can now be set using the openstack_host_environment_path list variable.

14.0.0.0b3

New Features

  • The openstack_hosts role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting openstack_hosts_package_state to present.

Upgrade Notes

  • The variable openstack_host_apt_packages has been renamed to openstack_host_distro_packages.

  • The openstack_hosts role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option openstack_hosts_package_state should be set to present.

  • The LVM configuration tasks and lvm.conf template have been removed from the openstack_hosts role since they are no longer needed. All of the LVM configuration is properly handled in the os_cinder role.

14.0.0.0b2

New Features

  • The option openstack_domain has been added to the openstack_hosts role. This option is used to setup proper hostname entries for all hosts within a given OpenStack deployment.

  • The openstack_hosts role will setup an RFC1034/5 hostname and create an alias for all hosts in inventory.

Deprecation Notes

  • The openstack_host_apt_packages variable has been deprecated. openstack_host_packages should be used instead to override packages required to install on all OpenStack hosts.