2023.2 Series Release Notes

28.4.0

Known Issues

  • Due to an underlying bug in the Ansible collections for OpenStack, the Default domain can be renamed to default under certain conditions. One known trigger is a domain: default definition under the keystone_sp -> trusted_idp_list -> federated_identities structure.

Upgrade Notes

  • The default for the Neutron API has been switched from uWSGI back to the old eventlet server due to compatibility issues found with the current OpenStack release. You can find more information in the Neutron bug report. You can preserve the previous behaviour by setting neutron_use_uwsgi: True

  • Please make sure that, when using federation, you define the domain name rather than its ID (i.e. Default instead of default) under keystone_sp -> trusted_idp_list -> federated_identities

Bug Fixes

  • When switching Neutron from uWSGI to the old eventlet server, the neutron-rpc-server service will be disabled and stopped by the role.

28.3.1

Bug Fixes

  • Python wheel builds no longer fail on issues with a single repo host and should succeed as long as there is at least one reachable repo host with a matching Distro/Version/Architecture.

Other Notes

  • In order to align with oslo.messaging, which reverted the default of the heartbeat_in_pthread value, we removed our own logic for setting the value based on host groups. You can still use oslomsg_heartbeat_in_pthread or the service-specific role variables to alter the behaviour.

28.3.0

New Features

  • Added the variable cinder_manage_volume_types, which allows skipping volume type creation and management by the os_cinder role.

Upgrade Notes

  • Support is added to enable all stable RabbitMQ feature flags by default. This happens automatically post upgrade, and avoids compatibility issues which could occur when installing a new version of RabbitMQ.

  • Stable RabbitMQ feature flags will be enabled automatically pre-upgrade in order to prevent failures during the upgrade process.

Deprecation Notes

  • The variable keystone_external_ssl was deprecated and is no longer used. You can still control whether communication between HAProxy and Keystone is protected with TLS through keystone_backend_ssl, and communication between clients and the HAProxy frontend through haproxy_ssl/haproxy_ssl_all_vips.

Security Issues

  • Includes versions of services that are not vulnerable to OSSA-2024-001

28.2.1

Upgrade Notes

  • When using RabbitMQ in a high availability cluster (non-quorum queues), transient 'reply_' queues are now included in the HA policy where they previously were not. Note that this will increase the load on the RabbitMQ cluster, particularly for deployments with large numbers of compute nodes.

Bug Fixes

  • Fixes the user-collection-requirements bootstrap process when a collection defined by the deployer uses "git+file" as its source scheme. Previously an unexpected version of the collection could get installed when using the "git+file" scheme.

  • Due to a missing parameter, the Nova cell0 database connection was configured not to use TLS for MySQL communication even when nova_galera_use_ssl was explicitly enabled. This is now fixed and cell0 will be updated on the next playbook run.

28.2.0

Security Issues

  • Ansible-core was upgraded to version 2.15.9 in order to cover CVE-2023-5764 and CVE-2024-0690

Bug Fixes

  • Changes to the horizon_webroot variable are now respected and reflected in the Apache configuration, both for serving static files and for defining the WSGI path.

28.0.1

Known Issues

  • With recent changes to the config_template module, it is no longer possible to use variables as dictionary keys in overrides. The example below will not be rendered properly:

    config_overrides:
      "{{ inventory_hostname }}":
        cruel: world

    This limitation stems from Ansible's design and applies to any other module as well. To work around it, you can express the dictionary as a Jinja2 expression:

    config_overrides: |-
      {{
        {
          inventory_hostname: {
            'cruel': 'world'
          }
        }
      }}

Deprecation Notes

  • The format of the client key inside the ceph_extra_components variable has been deprecated in favour of a mapping with one required attribute, name. Defining client as a simple list is kept for backwards compatibility but will be removed in future releases.

  • The variables controlling the default systemd-networkd filename templating, used when no filename is supplied, were deprecated and have no effect from now on.

    • systemd_networkd_filename

    • systemd_networkd_filename_alt

    It is highly recommended to provide the filename parameter explicitly whenever you define systemd_netdevs or systemd_networks structures.

  • Generation of SSH keypairs for Ironic users has been deprecated and removed. The variable ironic_recreate_keys has been removed and has no effect.

Bug Fixes

  • Backwards compatibility of the client key inside the ceph_extra_components variable has been fixed to support both a plain list and a list of mappings.

  • Fixes the format of the ceph_conf_overrides_rgw variable by converting the override dictionary to a Jinja2 expression, to work around the Ansible limitation on using variables as dictionary keys.

  • Explicitly adding localhost to the inventory could result in an FQDN change, because a record for localhost was added to the Ansible-managed block inside the /etc/hosts file. This is now fixed and the record for 127.0.0.1 will be removed from the Ansible-managed blocks inside /etc/hosts.

  • Multiple routes can be supplied to a systemd network and they will be placed in a separate configuration file /etc/systemd/network/{{ filename }}.d/routes.conf

    Previously, defining multiple routes resulted in them being squashed together under the same section name, while for them to work properly each described route must be placed in its own section.

28.0.0

New Features

  • HAProxy services that use backend nodes that are not in the Ansible inventory can now have backend_port specified in the list, along with the name or ip_addr settings. This allows the service to be bound to a different port on different backend servers.

  • Added the variables galera_backups_full_init_overrides and galera_backups_increment_init_overrides, which can be used to override the default set of systemd unit files for MariaDB backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc .

  • Enable Ceilometer resource cache, using Memcached.

  • Added the variable rabbitmq_erlang_extra_args, which allows defining extra arguments for Erlang.

  • Implemented the variable lxc_image_cache_expiration, which controls how long a cached LXC image remains valid. The default value is 1year. The variable format should be compatible with the community.general.to_time_unit filter.

  • It is now possible to use multiple variables with a specific prefix to define the whole contents of the tempest test include/exclude lists. Any variable from host/group or ansible extra-vars whose name is prefixed with the value in the os_tempest role default tempest_test_search_includelist_pattern or tempest_test_search_excludelist_pattern will be combined with the existing tempest_test_includelist or tempest_test_excludelist variables into a single include/exclude list.

  • Added new keys haproxy_frontend_h2 and haproxy_backend_h2 per service definition to enable HTTP/2 for a specified service.

    This also adds new variables to control the default behaviour for frontends and backends:

    • haproxy_frontend_h2: true

    • haproxy_backend_h2: false

    Note that the dual stack of HTTP/1.1 and HTTP/2 is only available for TLS-protected frontends. If a frontend is plain TCP, haproxy_frontend_h2 will be ignored.

    At the same time haproxy_backend_h2 will be respected regardless of TLS/plain TCP configuration.

  • HAProxy services can now override the certificate path with haproxy_ssl_path if it is set under the service definition.
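    As an added illustration (not from the release notes or the OSA project), the following user_variables.yml fragment combines the backend_port, haproxy_frontend_h2/haproxy_backend_h2 and haproxy_ssl_path options described above in one place. The haproxy_extra_services list and the remaining service keys (haproxy_service_name, haproxy_ssl, haproxy_port, haproxy_balance_type, haproxy_backend_nodes) are assumed from the haproxy_server role's service definition format; service names, addresses and the certificate path are constructed.

```yaml
# Added example, not from the release notes: service keys other than
# backend_port, name, ip_addr, haproxy_frontend_h2, haproxy_backend_h2 and
# haproxy_ssl_path are assumed from the haproxy_server role; names,
# addresses and paths are constructed.
haproxy_extra_services:
  # TLS-protected frontend: clients get the HTTP/1.1 + HTTP/2 dual stack,
  # while the backends stay on HTTP/1.1.
  - service:
      haproxy_service_name: example_api            # constructed name
      haproxy_ssl: true                            # TLS on the frontend
      haproxy_ssl_path: /etc/haproxy/example_api   # per-service certificate path (constructed)
      haproxy_frontend_h2: true                    # 28.0.0 default, written out explicitly
      haproxy_backend_h2: false                    # 28.0.0 default, written out explicitly
      haproxy_port: 8443
      haproxy_balance_type: http
      haproxy_backend_nodes:
        # Backends outside the Ansible inventory: name + ip_addr per node,
        # with backend_port where a node listens on a different port.
        - name: example-backend-1
          ip_addr: 192.0.2.10
          backend_port: 8080
        - name: example-backend-2
          ip_addr: 192.0.2.11
          backend_port: 9080

  # Plain (non-TLS) frontend: haproxy_frontend_h2 is ignored because the
  # dual stack is only offered on TLS-protected frontends, whereas
  # haproxy_backend_h2 is still honoured for the backend connections.
  - service:
      haproxy_service_name: example_internal       # constructed name
      haproxy_ssl: false
      haproxy_frontend_h2: true                    # no effect on a plain TCP frontend
      haproxy_backend_h2: true                     # applied regardless of frontend TLS
      haproxy_port: 9000
      haproxy_balance_type: http
      haproxy_backend_nodes:
        - name: example-internal-1
          ip_addr: 192.0.2.20
          backend_port: 9001
```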

  • Added the variable openstack_host_journald_config, which allows supplying arbitrary systemd-journald configuration as a mapping.

  • Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool.

    • --compress=True|False

    • --compressor=<compressor>

    Also introduces new Ansible variables that control the above-mentioned parameters.

    • galera_mariadb_backups_compress

    • galera_mariadb_backups_compressor

    Each backup archive is stored in a dedicated directory, alongside the backup metadata.

  • Added nova_console_proxy_types list variable for use when deployments have a mix of nova console types for different compute nodes.

  • Added rabbitmq_additional_config to allow adding additional configuration, e.g. configuration for plugins.

  • Added the ability to set the environment variable RABBITMQ_USE_LONGNAMES via rabbitmq-env.conf, to allow using the FQDN of a node. By default this is set to false, which is also the default value set by RabbitMQ.

  • Added the new variable rabbitmq_queue_replication, which controls whether any redundancy features (such as quorum queues or classic mirrored queues) will be used. By default it is set to True.

  • Added support for RabbitMQ quorum queues. Quorum queues are disabled by default. The following variables were implemented to control the behaviour:

    • oslomsg_rabbit_quorum_queues (default: false)

    • oslomsg_rabbit_quorum_delivery_limit (default: 0)

    • oslomsg_rabbit_quorum_max_memory_bytes (default: 0)

    Similar variables were also implemented for each service, while the variables above change the behaviour globally.

Upgrade Notes

  • The default value of glance_available_stores has changed. It must now always be represented as a list of mappings, where each item has the following keys:

    • name (required)

    • type (required)

    • config (optional)

  • HTTP/2 is enabled by default for frontends that are covered with TLS. You can disable this behaviour by setting haproxy_frontend_h2: false

  • Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set galera_mariadb_backups_compress to True. Choose a compression tool with galera_mariadb_backups_compressor; the default is gzip.

  • The Keystone OIDC parameter 'oidc_redirect_uri' is replaced with 'oidc_redirect_path'. This parameter no longer needs to be set explicitly unless you run additional services on the same port as Keystone which may collide with the default. Your OIDC provider may need to be updated to reflect this change in the redirect URI, which defaults to the Keystone public URL plus the path /oidc_redirect.

  • If a deployer wants to switch to RabbitMQ quorum queues instead of traditional HA policies during the OpenStack upgrade, they need to define the variable oslomsg_rabbit_quorum_queues: True in user_variables.yml.

    If oslomsg_rabbit_quorum_queues is enabled, RabbitMQ vhosts will be re-created without the leading /. Make sure to reflect this change in your monitoring software if vhosts are not auto-discovered. Changing the vhost name will also result in prolonged downtime for services, as backends that have not yet been re-configured will fail to connect to RabbitMQ until they are restarted. It may also be worth processing the upgrade with extra caution for services that are sensitive to RabbitMQ downtime, or even disabling the usage of quorum queues for those services. Good examples of such services are Trove or Neutron with the ML2 LXB or ML2 OVS drivers.

  • The variable lxc_cache_map is removed as the lxc_hosts ansible role has only been able to create containers matching the host architecture and OS for several releases, and lxc_cache_map simply carried copies of data from ansible_facts.

  • The previously deprecated variables tempest_test_whitelist and tempest_test_blacklist are removed. The replacement include/exclude lists should be used instead to define tempest tests to run.

  • The variables tempest_test_includelist_file_path and tempest_test_excludelist_file_path are renamed to tempest_includelist_file_path and tempest_excludelist_file_path. Any overrides using these variables should be updated to account for the new variable names.

Deprecation Notes

  • In order to follow Ansible naming conventions for variables, the following variables were renamed:

    • systemd_TimeoutSec -> systemd_service_timeout_sec

    • systemd_Restart -> systemd_service_restart

    • systemd_RestartSec -> systemd_service_restart_sec

    • systemd_CPUAccounting -> systemd_service_cpu_accounting

    • systemd_BlockIOAccounting -> systemd_service_block_io_accounting

    • systemd_MemoryAccounting -> systemd_service_memory_accounting

    • systemd_TasksAccounting -> systemd_service_tasks_accounting

    • systemd_PrivateTmp -> systemd_service_private_tmp

    • systemd_PrivateDevices -> systemd_service_private_devices

    • systemd_PrivateNetwork -> systemd_service_private_network

    • systemd_PrivateUsers -> systemd_service_private_users

    The old variable names were kept for backwards compatibility but will be removed in future releases. It is highly advised to use the new variable names in your deployments.

  • SSHD and rsync are no longer installed or configured for all containers. This also deprecates the usage of lxc_container_ssh_key, and the variable no longer has any effect.

  • Generation of SSH keypairs for Zun and Kuryr users has been deprecated and removed. The variable zun_recreate_keys has been removed and has no effect.

  • nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.

  • nova_ram_weight_multiplier was deprecated. Multipliers should be defined using nova_nova_conf_overrides. Please note that the default value for nova_ram_weight_multiplier was previously set to 5, while the Nova default is 1. This deprecation will slightly change weighing behaviour in OSA.

  • Support for the OpenDaylight driver was deprecated by the Neutron team during the 2023.2 (Bobcat) development cycle and its support has been removed from OpenStack-Ansible.

  • common-playbooks/nova.yml has been deprecated and removed. All of its content now resides directly inside os-nova-install.yml.

Bug Fixes

  • The LXC image cache expiration mechanism has been fixed. Previously LXC images were valid forever.

  • Fixes the use of Apache mod_auth_openidc on Ubuntu Jammy, where the new OIDCXForwardedHeaders configuration option is required.

  • Fixed the OpenStack command line OIDC integration with Apache mod_auth_openidc >= v2.4.9, including on Ubuntu Jammy.

  • Compute nodes are no longer all added as OVN gateways by default; the network-gateway_hosts definition is now respected.

  • Fixed the high water mark memory usage on the Cinder Volume and Backup services and reduced peak memory usage.

Other Notes

  • The localhost target was explicitly added to the OSA inventory due to bug #2041717. As a result, the 'all' group now contains localhost, and custom playbooks targeting 'all' may need adjustment, e.g.: hosts: all:!localhost

  • The variable openstack_service_accept_both_protocols was implemented to temporarily accept both HTTP and HTTPS traffic on HAProxy frontends. It is useful when changing the protocol of service endpoints.

  • S3 API is now enabled by default for deployments using integrated ceph-ansible.