Ussuri Series Release Notes

18.0.0.0b1-153

New Features

  • Octavia requires SSL certificates for communication with the amphora. This adds the automatic creation of self signed certificates for this purpose. It uses different certificate authorities for amphora and control plane thus insuring maximum security.

  • Octavia is creating vms, securitygroups, and other things in its project. In most cases the default quotas are not big enough. This will adjust them to (configurable) reasonable values.

  • Now you can set up octavia_management_net_subnet_gateway variable to create the management subnet with default gateway set. By default the subnet created without gateway.

  • The service setup in keystone for octavia will now be executed through delegation to the octavia_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override in user_variables.yml.

    octavia_service_setup_host: "{{ groups['utility_all'][0] }}"
    
  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the octavia_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in octavia.

  • Now you can use cinder-volume with Octavia. To enable the feature set octavia_cinder_enabled to True. Also you may need to override the default settings:

    octavia_octavia_conf_overrides:
      cinder:
        volume_type: 'my-volume-type'
        volume_size: 32
    

Deprecation Notes

  • The variable octavia_requires_pip_packages is no longer required and has therefore been removed.

  • The variable octavia_image_downloader has been removed. The image download now uses the same host designated by the octavia_service_setup_host for the image download.

  • The variable octavia_ansible_endpoint_type has been removed. The endpoint used for ansible tasks has been hard set to the ‘admin’ endpoint as is commonly used across all OSA roles.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment. - octavia_oslomsg_rpc_servers replaces octavia_rabbitmq_servers - octavia_oslomsg_rpc_port replaces octavia_rabbitmq_port - octavia_oslomsg_rpc_use_ssl replaces octavia_rabbitmq_use_ssl - octavia_oslomsg_rpc_userid replaces octavia_rabbitmq_userid - octavia_oslomsg_rpc_vhost replaces octavia_rabbitmq_vhost - octavia_oslomsg_notify_servers replaces octavia_rabbitmq_telemetry_servers - octavia_oslomsg_notify_port replaces octavia_rabbitmq_telemetry_port - octavia_oslomsg_notify_use_ssl replaces octavia_rabbitmq_telemetry_use_ssl - octavia_oslomsg_notify_userid replaces octavia_rabbitmq_telemetry_userid - octavia_oslomsg_notify_vhost replaces octavia_rabbitmq_telemetry_vhost - octavia_oslomsg_notify_password replaces octavia_rabbitmq_telemetry_password

  • Remove octavia_amp_image_id option as the corresponding configuration option in Octavia amp_image_id is deprected and image tags should be used instead.

Security Issues

  • It is recommended that the certificate generation is always reviewed by security professionals since algorithms and key-lengths considered secure change all the time.

  • Avoid setting the quotas too high for your cloud since this can impact the performance of other servcies and lead to a potential Denial-of-Service attack if Loadbalancer quotas are not set properly or RBAC is not properly set up.

Bug Fixes

  • The quota for security group rules was erroneously set to 100 with the aim to have 100 security group rules per security group instead of to 100*#security group rules. This patch fixes this discrepancy.