2023.2 Series Release Notes¶
28.4.0¶
Known Issues¶
Due to an underlying bug in the Ansible collections for OpenStack, the `Default` domain can be renamed to `default` under certain conditions. One known trigger is a `domain: default` definition under the `keystone_sp -> trusted_idp_list -> federated_identities` structure.
Upgrade Notes¶
The default for the Neutron API has been switched from uWSGI back to eventlet because of compatibility issues found with the current OpenStack release. More information is available in the Neutron bug report. You can preserve the previous (uWSGI) behaviour by setting `neutron_use_uwsgi: True`.
If you use federation, please make sure you define the domain name rather than its ID (i.e. `Default` instead of `default`) under `keystone_sp -> trusted_idp_list -> federated_identities`.
Bug Fixes¶
When Neutron is switched from uWSGI to eventlet, the neutron-rpc-server service is disabled and stopped by the role.
28.3.1¶
Bug Fixes¶
The Python wheels build no longer fails on issues with a single repo host and succeeds as long as there is at least one reachable repo host with a matching distro, version and architecture.
Other Notes¶
To align with oslo.messaging, which reverted its default for `heartbeat_in_pthread`, we removed our own logic that set the value based on host groups. You can still use `oslomsg_heartbeat_in_pthread` or the service-specific role variables to alter the behaviour.
28.3.0¶
New Features¶
Added the variable `cinder_manage_volume_types`, which allows skipping volume type creation and management by the os_cinder role.
Upgrade Notes¶
Support is added to enable all stable RabbitMQ feature flags by default. This happens automatically post upgrade, and avoids compatibility issues which could occur when installing a new version of RabbitMQ.
Stable RabbitMQ feature flags will be enabled automatically pre-upgrade in order to prevent failures during the upgrade process.
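A pre-upgrade check of the kind this note implies, as an added example that is not OpenStack-Ansible's own code: it parses the tab-separated output of `rabbitmqctl -q list_feature_flags name state stability` and lists the stable flags that are still disabled, which is exactly the set the role now enables automatically. The sample output embedded below is constructed; on a real node replace it with the live command output via `live_feature_flags()`.

```python
"""Report RabbitMQ stable feature flags that are not yet enabled.

Added example, not OpenStack-Ansible code. Input is the output of
    rabbitmqctl -q list_feature_flags name state stability
(-q drops the "Listing feature flags ..." banner; columns are tab-separated).
"""
from __future__ import annotations

import subprocess

# Constructed sample output in the requested column order: name, state, stability.
SAMPLE_OUTPUT = """\
classic_mirrored_queue_version\tenabled\tstable
quorum_queue\tenabled\tstable
stream_queue\tdisabled\tstable
khepri_db\tdisabled\texperimental
restart_streams\tdisabled\tstable
"""


def parse_feature_flags(text: str) -> list[dict[str, str]]:
    """Turn rabbitmqctl's tab-separated rows into a list of dicts."""
    flags = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Listing"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            raise ValueError(f"unexpected row: {line!r}")
        name, state, stability = fields[:3]
        flags.append({"name": name, "state": state, "stability": stability})
    return flags


def disabled_stable_flags(flags: list[dict[str, str]]) -> list[str]:
    """Stable flags that still need enabling before the upgrade.

    Experimental flags are deliberately left alone: enabling them is not what
    the role does, and feature flags cannot be disabled once enabled.
    """
    return sorted(
        f["name"]
        for f in flags
        if f["stability"] == "stable" and f["state"] != "enabled"
    )


def live_feature_flags() -> str:
    """Fetch the real output from a RabbitMQ node (requires rabbitmqctl)."""
    cmd = ["rabbitmqctl", "-q", "list_feature_flags", "name", "state", "stability"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    pending = disabled_stable_flags(parse_feature_flags(SAMPLE_OUTPUT))
    for name in pending:
        print(f"stable flag not enabled: {name}")
    # Remediation, equivalent to what the role now performs automatically:
    #   rabbitmqctl enable_feature_flag all
```

Running the check against each node before starting the RabbitMQ upgrade gives the same guarantee the role now provides, and an empty result confirms nothing is pending.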
Deprecation Notes¶
The variable `keystone_external_ssl` is deprecated and no longer used. You can still control whether communication between HAProxy and Keystone is protected with TLS through `keystone_backend_ssl`, and use `haproxy_ssl` / `haproxy_ssl_all_vips` for communication between clients and the HAProxy frontend.
Security Issues¶
Includes versions of services that are not vulnerable to OSSA-2024-001.
28.2.1¶
Upgrade Notes¶
When using RabbitMQ in a high availability cluster (non-quorum queues), transient ‘reply_’ queues are now included in the HA policy where they previously were not. Note that this will increase the load on the RabbitMQ cluster, particularly for deployments with large numbers of compute nodes.
Bug Fixes¶
Fixes the user-collection-requirements bootstrap process when a deployer-defined collection uses “git+file” as its source scheme. Previously an unexpected version of the collection could get installed when using the “git+file” scheme.
Due to a missing parameter, the Nova cell0 database connection was configured without TLS even when `nova_galera_use_ssl` was explicitly enabled. This is fixed and cell0 will be updated on the next playbook run.
28.2.0¶
Security Issues¶
Ansible-core was upgraded to version 2.15.9 in order to cover CVE-2023-5764 and CVE-2024-0690
Bug Fixes¶
Changes to the `horizon_webroot` variable are now respected and reflected in the Apache configuration, both for serving static files and for the WSGI path.
28.0.1¶
Known Issues¶
With recent changes to the config_template module, it is no longer possible to use variables as dictionary keys in overrides. The example below will not be rendered properly:

    config_overrides:
      "{{ inventory_hostname }}":
        cruel: world

This limitation boils down to Ansible design and applies to any other module as well. To work around it, build the dictionary with a Jinja2 expression instead:

    config_overrides: |-
      {{ { inventory_hostname: { 'cruel': 'world' } } }}
Deprecation Notes¶
The format of the `client` key inside the `ceph_extra_components` variable has been deprecated in favour of a mapping with one required attribute, `name`. Defining the `client` key as a simple list is kept for backwards compatibility but will be removed in future releases.
The variables controlling the default systemd-networkd filename used when none is supplied have been deprecated and no longer have any effect:

    systemd_networkd_filename
    systemd_networkd_filename_alt

It is highly recommended to provide the `filename` parameter explicitly whenever you define `systemd_netdevs` or `systemd_networks` structures.
Generation of SSH keypairs for Ironic users has been deprecated and removed. The variable `ironic_recreate_keys` has been removed and has no effect.
Bug Fixes¶
Backwards compatibility of the `client` key inside the `ceph_extra_components` variable has been fixed to support both a list and a list of mappings.
Fixes the format of the `ceph_conf_overrides_rgw` variable by converting the override dictionary to a Jinja2 expression, working around the Ansible limitation on using variables as dictionary keys.
Explicitly adding `localhost` to the inventory resulted in a potential FQDN change, because a record for localhost was added to the Ansible-managed block in `/etc/hosts`. This is now fixed and the `127.0.0.1` record is removed from the Ansible-managed block in `/etc/hosts`.
Multiple routes can now be supplied for a systemd network; they are placed in a separate configuration file, `/etc/systemd/network/{{ filename }}.d/routes.conf`. Previously, defining multiple routes squashed them together under the same section name, while for them to work each route must be placed in its own `[Route]` section.
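To illustrate the fix, the following added example (not OpenStack-Ansible's own code) renders a routes drop-in with one `[Route]` section per route, beside the squashed rendering that any section-keyed generator such as Python's configparser produces. The route list is constructed sample data; the option names follow systemd.network(5).

```python
"""One [Route] section per route for a systemd-networkd drop-in.

Added example, not OpenStack-Ansible code. systemd.network(5) accepts
repeated [Route] sections, one per route. A generator that keys sections
by name (configparser, a plain dict) merges them into a single section,
so only the last Destination/Gateway pair survives: that is the bug the
release note describes.
"""
from __future__ import annotations

import configparser
import io

# Constructed sample input; keys are systemd.network [Route] options.
ROUTES = [
    {"Destination": "10.0.0.0/8", "Gateway": "192.168.1.1"},
    {"Destination": "172.16.0.0/12", "Gateway": "192.168.1.1"},
    {"Destination": "0.0.0.0/0", "Gateway": "192.168.1.254", "Metric": "100"},
]


def drop_in_path(filename: str) -> str:
    """Path the role writes routes to, given the network unit's filename."""
    return f"/etc/systemd/network/{filename}.d/routes.conf"


def render_routes(routes: list[dict[str, str]]) -> str:
    """Correct rendering: each route gets its own [Route] block."""
    blocks = []
    for route in routes:
        lines = ["[Route]"] + [f"{key}={value}" for key, value in route.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def render_routes_squashed(routes: list[dict[str, str]]) -> str:
    """Broken rendering: a single [Route] section, later keys overwrite earlier."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str           # keep the CamelCase option names
    parser["Route"] = {}
    for route in routes:
        parser["Route"].update(route)  # same key -> previous value is lost
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def count_route_sections(text: str) -> int:
    """Number of [Route] headers in a rendered file."""
    return sum(1 for line in text.splitlines() if line.strip() == "[Route]")


def destinations(text: str) -> list[str]:
    """Destination= values present in a rendered file, in order."""
    result = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Destination":
            result.append(value.strip())
    return result


if __name__ == "__main__":
    print(drop_in_path("10-lxcbr0"))
    print(render_routes(ROUTES))
```

The squashed variant keeps only the default route and silently drops the two more specific ones, which is why a single-section template produced a working file that nonetheless routed traffic incorrectly.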
28.0.0¶
New Features¶
HAProxy services whose backend nodes are not in the Ansible inventory can now have `backend_port` specified in the list, along with the `name` or `ip_addr` settings. This allows the service to be bound to a different port on different backend servers.
Added the variables `galera_backups_full_init_overrides` and `galera_backups_increment_init_overrides`, which can be used to override the default systemd unit settings for MariaDB backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc.
Enable Ceilometer resource cache, using Memcached.
Added the variable `rabbitmq_erlang_extra_args`, which allows defining extra arguments for Erlang.
Implemented the variable `lxc_image_cache_expiration`, which controls how long a cached LXC image remains valid. The default value is 1 year. The variable format should be compatible with the community.general.to_time_unit filter.
It is now possible to use multiple variables with a specific prefix to define the whole contents of the tempest test include/exclude lists. Any variable from host/group vars or Ansible extra-vars whose name is prefixed with the value of the os_tempest role defaults `tempest_test_search_includelist_pattern` or `tempest_test_search_excludelist_pattern` is combined with the existing `tempest_test_includelist` or `tempest_test_excludelist` variables into a single include/exclude list.
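The combination the note describes, as an added example that is not the os_tempest role's own code: every variable whose name starts with the configured pattern is appended to the base list, scalar values are wrapped into a one-item list, and duplicates are dropped. The pattern values and the sample variables below are constructed for illustration; the role's actual defaults may differ.

```python
"""Merge prefix-matched variables into one tempest include/exclude list.

Added example, not the os_tempest role's code. Variable names and the
pattern defaults used here are constructed for illustration.
"""
from __future__ import annotations

# Constructed: what host/group vars plus extra-vars might look like after
# Ansible has merged them for one host.
SAMPLE_VARS = {
    "tempest_test_includelist": ["tempest.api.identity", "tempest.api.compute.servers"],
    "tempest_test_includelist_team_a": ["tempest.api.network"],
    "tempest_test_includelist_team_b": ["tempest.api.identity", "tempest.scenario.test_server_basic_ops"],
    "tempest_test_excludelist": ["tempest.api.compute.floating_ips"],
    "tempest_test_excludelist_slow": "tempest.scenario.test_volume_boot_pattern",  # scalar, not a list
    "tempest_workspace": "/root/workspace",  # shares the stem but must not be picked up
}

# Assumed pattern values; the role's real defaults may differ.
INCLUDE_PATTERN = "tempest_test_includelist_"
EXCLUDE_PATTERN = "tempest_test_excludelist_"


def _as_list(value) -> list[str]:
    """Accept a list, a single string, or nothing."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def combine_prefixed(all_vars: dict, base_name: str, pattern: str) -> list[str]:
    """Base list first, then every pattern-prefixed variable in name order,
    de-duplicated while preserving order."""
    combined = _as_list(all_vars.get(base_name))
    for name in sorted(all_vars):
        if name != base_name and name.startswith(pattern):
            combined.extend(_as_list(all_vars[name]))
    seen: set[str] = set()
    deduped = []
    for item in combined:
        if item not in seen:
            seen.add(item)
            deduped.append(item)
    return deduped


def tempest_lists(all_vars: dict) -> tuple[list[str], list[str]]:
    """Return the final (include, exclude) lists for one host."""
    include = combine_prefixed(all_vars, "tempest_test_includelist", INCLUDE_PATTERN)
    exclude = combine_prefixed(all_vars, "tempest_test_excludelist", EXCLUDE_PATTERN)
    return include, exclude


if __name__ == "__main__":
    inc, exc = tempest_lists(SAMPLE_VARS)
    print("include:", inc)
    print("exclude:", exc)
```

Sorting the matching names makes the result deterministic regardless of the order in which Ansible merged the variables, which matters when the lists are written to files that are diffed between runs.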
Added the new keys `haproxy_frontend_h2` and `haproxy_backend_h2` per service definition to enable HTTP/2 for a specific service. This also adds new variables controlling the default behaviour for frontends and backends:

    haproxy_frontend_h2: true
    haproxy_backend_h2: false

Please note that serving both HTTP/1.1 and HTTP/2 on the same frontend is only possible for TLS-protected frontends, since the protocol is negotiated via ALPN during the TLS handshake. For a plain TCP frontend `haproxy_frontend_h2` is ignored. `haproxy_backend_h2`, on the other hand, is respected regardless of TLS/plain TCP configuration.
HAProxy services can now override the certificate path with `haproxy_ssl_path` if it is set under the service definition.
Added the variable `openstack_host_journald_config`, which allows supplying arbitrary systemd-journald configuration as a mapping.
Adds optional compression for backups created with mariabackup. Two new CLI parameters to the mariabackup script enable compression and choose a compression tool:

    --compress=True|False
    --compressor=<compressor>

It also introduces new Ansible variables that control the above parameters:

    galera_mariadb_backups_compress
    galera_mariadb_backups_compressor

Each backup archive is stored in a dedicated directory, alongside the backup metadata.
Added the `nova_console_proxy_types` list variable for deployments that have a mix of Nova console types across compute nodes.
Added `rabbitmq_additional_config` to allow adding extra configuration, e.g. for plugins.
Added the ability to set the environment variable `RABBITMQ_USE_LONGNAMES` via `rabbitmq-env.conf`, in order to use the FQDN of a node. By default it is set to `false`, which is also RabbitMQ's default.
Added the new variable `rabbitmq_queue_replication`, which controls whether any redundancy features (such as quorum queues or classic mirrored queues) are used. By default it is set to `True`.
Added support for RabbitMQ quorum queues. Quorum queues are disabled by default. The following variables were implemented to control the behaviour:

    oslomsg_rabbit_quorum_queues (default: false)
    oslomsg_rabbit_quorum_delivery_limit (default: 0)
    oslomsg_rabbit_quorum_max_memory_bytes (default: 0)

Similar variables were also implemented for each service, while the variables above change the behaviour globally.
Upgrade Notes¶
The default value of `glance_available_stores` has changed. It must now always be a list of mappings, where each item has the following keys:

    name (required)
    type (required)
    config (optional)
HTTP/2 is enabled by default for frontends that are protected with TLS. You can disable this behaviour by setting `haproxy_frontend_h2: false`.
Backup compression is disabled by default, so no changes are needed for existing deployments. Should compression be desired, set `galera_mariadb_backups_compress` to `True` and choose a compression tool with `galera_mariadb_backups_compressor` (the default is `gzip`).
Keystone OIDC parameter ‘oidc_redirect_uri’ is replaced with ‘oidc_redirect_path’. This parameter no longer needs to be set explicitly unless you run additional services which may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in redirect URI which defaults to the Keystone public URL plus the path /oidc_redirect.
If a deployer wants to switch to RabbitMQ quorum queues instead of traditional HA policies during the OpenStack upgrade, they need to define `oslomsg_rabbit_quorum_queues: True` in user_variables.yml. If `oslomsg_rabbit_quorum_queues` is enabled, RabbitMQ vhosts will be re-created without the leading `/`. Make sure to reflect this change in your monitoring software if vhosts are not auto-discovered. Changing the vhost name also results in prolonged downtime for services, as backends that have not yet been re-configured will fail to connect to RabbitMQ until they are restarted. It may be worth upgrading with extra caution for services that are sensitive to RabbitMQ downtime, or even disabling quorum queues for them. Examples of such services are Trove and Neutron with the ML2 LXB or ML2 OVS drivers.
The variable lxc_cache_map is removed as the lxc_hosts ansible role has only been able to create containers matching the host architecture and OS for several releases, and lxc_cache_map simply carried copies of data from ansible_facts.
The previously deprecated variables tempest_test_whitelist and tempest_test_blacklist are removed. The replacement include/exclude lists should be used instead to define tempest tests to run.
The variables tempest_test_includelist_file_path and tempest_test_excludelist_file_path are renamed to tempest_includelist_file_path and tempest_excludelist_file_path. Any overrides using these variables should be updated to account for the new variable names.
Deprecation Notes¶
In order to follow Ansible naming conventions for variables, the following variables were renamed:
systemd_TimeoutSec -> systemd_service_timeout_sec
systemd_Restart -> systemd_service_restart
systemd_RestartSec -> systemd_service_restart_sec
systemd_CPUAccounting -> systemd_service_cpu_accounting
systemd_BlockIOAccounting -> systemd_service_block_io_accounting
systemd_MemoryAccounting -> systemd_service_memory_accounting
systemd_TasksAccounting -> systemd_service_tasks_accounting
systemd_PrivateTmp -> systemd_service_private_tmp
systemd_PrivateDevices -> systemd_service_private_devices
systemd_PrivateNetwork -> systemd_service_private_network
systemd_PrivateUsers -> systemd_service_private_users
The old variable names are kept for backwards compatibility but will be removed in upcoming releases. It is highly advised to use the new variable names in your deployments.
SSHD and rsync are no longer installed or configured in all containers. This also deprecates `lxc_container_ssh_key`; the variable no longer has any effect.
Generation of SSH keypairs for Zun and Kuryr users has been deprecated and removed. The variable `zun_recreate_keys` has been removed and has no effect.
nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.
`nova_ram_weight_multiplier` is deprecated. Multipliers should be defined using `nova_nova_conf_overrides`. Please note that the default value of `nova_ram_weight_multiplier` was previously 5, while the Nova default is 1, so this deprecation slightly changes weighing behaviour in OSA.
Support for the OpenDaylight driver was deprecated by the Neutron team during the 2023.2 (Bobcat) development cycle, and its support has been removed from OpenStack-Ansible.
RabbitMQ packages are no longer provided by PackageCloud due to the upstream repository being no longer available after 2023-05-28. Installations will now utilize a community mirror of CloudSmith repositories for rabbitmq and erlang.
https://github.com/rabbitmq/rabbitmq-server/discussions/8386
`common-playbooks/nova.yml` has been deprecated and removed. All of its content now resides directly inside `os-nova-install.yml`.
Bug Fixes¶
The LXC image cache expiration mechanism has been fixed. Previously LXC images were valid forever.
Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.
Fixed OpenStack command-line OIDC integration with Apache mod_auth_openidc >= v2.4.9, including on Ubuntu Jammy.
Compute nodes are no longer all added as OVN gateways by default; the `network-gateway_hosts` definition is now respected.
Fix high water mark memory usage on Cinder Volume and Backup services and reduce peak memory usage.
Other Notes¶
The `localhost` target was explicitly added to the OSA inventory due to bug #2041717. As a result, the ‘all’ group now contains localhost, and custom playbooks targeting ‘all’ may need adjustment, e.g.:

    hosts: all:!localhost
The variable `openstack_service_accept_both_protocols` was implemented to temporarily accept both HTTP and HTTPS traffic on HAProxy frontends. It is useful when changing the protocol of service endpoints.
S3 API is now enabled by default for deployments using integrated ceph-ansible.