Ocata Series Release Notes

15.1.28-10

Upgrade Notes

  • The default method for download roles has been switched from galaxy to git-clone. This has no functional effect, but is now required in order to successfully download the ceph-ansible repository. In order to prevent clashes between the old and new roles, the existing /etc/ansible/roles/ceph* folders should be removed prior to running scripts/bootstrap-ansible.sh during the minor upgrade process.

Bug Fixes

  • The ceph-ansible individual role repositories were all removed from github on around 16 January 2019, causing the bootstrap-ansible script to fail for any new deployments, or during upgrades for environments which had these roles previously. To replace them, the ceph-ansible git repository is used instead.

15.1.23

New Features

  • The variable lxc_net_manage_iptables has been added. This variable can be overridden by deployers if system wide iptables rules are already in place or managed by deployers chioce.

Known Issues

  • With the release of CentOS 7.5, all pike releases are broken due to a mismatch in version between the libvirt-python library specified by the OpenStack community, and the version provided in CentOS 7.5. As such OSA is unable build the appropriate python library for libvirt. The only recourse for this is to upgrade the environment to the latest queens release.

Deprecation Notes

  • The variable nova_compute_pip_packages is no longer used and has been removed.

Bug Fixes

  • In order to prevent further issues with a libvirt and python-libvirt version mismatch, KVM-based compute nodes will now use the distribution package python library for libvirt. This should resolve the issue seen with pike builds on CentOS 7.5.

15.1.22

Known Issues

  • All OSA releases earlier than 17.0.5, 16.0.4, and 15.1.22 will fail to build the rally venv due to the release of the new cmd2-0.9.0 python library. Deployers are encouraged to update to the latest OSA release which pins to an appropriate version which is compatible with python2.

  • Recently the spice-html5 git repository was entirely moved from https://github.com/SPICE/spice-html5 to https://gitlab.freedesktop.org/spice/spice-html5. This results in a failure in the git clone stage of the repo-build.yml playbook for OSA ocata releases earlier than 15.1.22. To fix the issue, deployers may upgrade to the most recent release, or may implement the following override in user_variables.yml.

    nova_spicehtml5_git_repo: https://gitlab.freedesktop.org/spice/spice-html5.git
    

Upgrade Notes

  • The distribution package lookup and data output has been removed from the py_pkgs lookup so that the repo-build use of py_pkgs has reduced output and the lookup is purpose specific for python packages only.

Bug Fixes

  • Newer releases of CentOS ship a version of libnss that depends on the existance of /dev/random and /dev/urandom in the operating system in order to run. This causes a problem during the cache preparation process which runs inside chroot that does not contain this, resulting in errors with the following message:

    error: Failed to initialise NSS library

    This has been resolved by introducing a /dev/random and /dev/urandom inside the chroot-ed environment.

15.1.21

Known Issues

  • In the lxc_hosts role execution, we make use of the images produced on a daily basis by images.linuxcontainers.org. Recent changes in the way those images are produced have resulted in changes to the default /etc/resolve.conf in that default image. As such, when executing the cache preparation it fails. For ocata releases prior to 15.1.21 the workaround to get past the error is to add the following to the /etc/openstack_deploy/user_variables.yml file.

    lxc_cache_prep_pre_commands: "rm -f /etc/resolv.conf || true"
    lxc_cache_prep_post_commands: "ln -s ../run/resolvconf/resolv.conf /etc/resolv.conf -f"
    

15.1.20

New Features

  • When venvwithindex=True and ignorerequirements=True are both specified in tempest_git_install_fragments (as was previously the default), this results in tempest being installed from PyPI without any constraints being applied. This could result in the version of tempest being installed in the integrated build being different than the version being installed in the independent role tests. Going forward, we remove the tempest_git_* overrides in playbooks/defaults/repo_packages/openstack_testing.yml so that the integrated build installs tempest from PyPI, but with appropriate constraints applied.

15.1.17

Known Issues

  • For all ocata releases up to 15.1.16 when executing the os-nova-install.yml playbook the nova-novncproxy and nova-spicehtml5proxy services will fail. The workaround to resolve this issue is to restart the services.

    cd /opt/rpc-openstack/openstack-ansible/playbooks
    # start the service again
    # replace nova-novncproxy with nova-spicehtml5proxy when appropriate
    ansible nova_console -m service -a 'name=nova-novncproxy state=restarted'
    # set the appropriate facts to prevent the playbook trying
    # to reload it again when the playbook is run again
    ansible nova_console -m ini_file -a 'dest=/etc/ansible/facts.d/openstack_ansible.fact section=nova option=need_service_restart value=False'
    

    This issue has been resolved in the 15.1.17 release.

Other Notes

  • The max_fail_percentage playbook option has been used with the default playbooks since the first release of the playbooks back in Icehouse. While the intention was to allow large-scale deployments to succeed in cases where a single node fails due to transient issues, this option has produced more problems that it solves. If a failure occurs that is transient in nature but is under the set failure percentage the playbook will report a success, which can cause silent failures depending on where the failure happened. If a deployer finds themselves in this situation the problems are are then compounded because the tools will report there are no known issues. To ensure deployers have the best deployment experience and the most accurate information a change has been made to remove the max_fail_percentage option from all of the default playbooks. The removal of this option has the side effect of requiring the deploy to skip specific hosts should one need to be omitted from a run, but has the benefit of eliminating silent, hard to track down, failures. To skip a failing host for a given playbook run use the –limit ‘!$HOSTNAME’ CLI switch for the specific run. Once the issues have been resolved for the failing host rerun the specific playbook without the –limit option to ensure everything is in sync.

15.1.16

Known Issues

  • For all ocata releases prior to OpenStack-Ansible 15.1.16, several of the magnum requirements were not constrained. This resulted in the kubernetes version changing over time unexpectedly, rather than by intention. Most recently this lack of constraint causes the repo build to fail when trying to build the magnum venv due to incompatible requirements.

    The kubernetes version deployed with ocata is now constrained to version 2.0.0, matching the same version as deployed in all pike releases.

  • All the ocata versions 15.1.15 and before use mariadb-server 10.1 with no minor version frozen. The latest version, 10.1.31, has presented problems with the state transfer for multi-node environments when the variable galera_wsrep_sst_method is set to xtrabackup-v2 (the default value). This causes a new cluster to fail, or an existing cluster to be unable to transfer state when a node is rebooted.

    To work around this issue, the recommendation is to set the following overrides in /etc/openstack_deploy/user_variables.yml to ensure that the last known good version of MariaDB is used.

    From 15.1.16 onwards, these values are set as defaults and will be updated from time to time after verifying that the new versions work. As such, setting these overrides is not required for 15.1.16 onwards.

    # Use these values for Ubuntu
    galera_repo_url: https://downloads.mariadb.com/MariaDB/mariadb-10.1.30/repo/ubuntu
    galera_client_repo_url:  "{{ galera_repo_url }}"
    
    # Use these overrides for CentOS/RHEL:
    galera_repo_url: https://downloads.mariadb.com/MariaDB/mariadb-10.1.30/yum/centos7-amd64/
    galera_client_repo_url:  "{{ galera_repo_url }}"
    
    # Use these values for SuSE
    galera_repo_url: https://downloads.mariadb.com/MariaDB/mariadb-10.1.30/yum/opensuse42-amd64
    galera_client_repo_url:  "{{ galera_repo_url }}"
    

    The problem has been registered upstream and progresson the issue can be followed there: https://jira.mariadb.org/browse/MDEV-15254

15.1.15

New Features

  • HAProxy services that use backend nodes that are not in the Ansible inventory can now be specified manually by setting haproxy_backend_nodes to a list of name and ip_addr settings.

15.1.14

New Features

  • The galera cluster now supports cluster health checks over HTTP using port 9200. The new cluster check ensures a node is healthy by running a simple query against the wsrep sync status using monitoring user. This change will provide for a more robust cluster check ensuring we have the most fault tolerant galera cluster possible.

  • Galera healthcheck has been improved, and relies on an xinetd service. By default, the service is unaccessible (filtered with the no_access directive). You can override the directive by setting any xinetd valid value to galera_monitoring_allowed_source.

15.1.13

Deprecation Notes

  • The gnocchi_keystone_auth_plugin variable has been deprecated. gnocchi_keystone_auth_type should be used instead to configure authentication type.

15.1.12

Known Issues

  • If the protocol of either the keystone admin or internal endpoints is ‘https’ and SSL is being terminated at a load balancer, tasks which verify that services are responsive and perform the initial service setup through through the keystone hosts’ web server ports may fail.

    Set keystone_mod_wsgi_enabled to false to deploy Keystone under Uwsgi and allow the web server to be bypassed during these tasks.

    See Launchpad Bug 1699191 for more details.

15.1.11

Bug Fixes

  • The sysstat package was installed on all distributions, but it was only configured to run on Ubuntu and OpenSUSE. It would not run on CentOS due to bad SELinux contexts and file permissions on /etc/cron.d/sysstat. This has been fixed and sysstat now runs properly on CentOS.

15.1.10

New Features

  • Extra headers can be added to Keystone responses by adding items to keystone_extra_headers. Example:

    keystone_extra_headers:
      - parameter: "Access-Control-Expose-Headers"
        value: "X-Subject-Token"
      - parameter: "Access-Control-Allow-Headers"
        value: "Content-Type, X-Auth-Token"
      - parameter: "Access-Control-Allow-Origin"
        value: "*"
    
  • The default ulimit for RabbitMQ is now 65536. Deployers can still adjust this limit using the rabbitmq_ulimit Ansible variable.

Security Issues

  • The net.bridge.bridge-nf-call-* kernel parameters were set to 0 in previous releases to improve performance and it was left up to neutron to adjust these parameters when security groups are applied. This could cause situations where bridge traffic was not sent through iptables and this rendered security groups ineffective. This could allow unexpected ingress and egress traffic within the cloud.

    These kernel parameters are now set to 1 on all hosts by the openstack_hosts role, which ensures that bridge traffic is always sent through iptables.

Bug Fixes

  • The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set.

    There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.

15.1.9

New Features

  • The config_template template module now supports writing out valueless INI options without suffixing them with ‘=’ or ‘:’. This is done via the ‘ignore_none_type’ attribute. If ignore_none_type is set to true, these key/value entries will be ignored, if it’s set to false, then ConfigTemplateParser will write out only the option name without the ‘=’ or ‘:’ suffix. The default is true.

Upgrade Notes

  • The following variables have been removed from the haproxy_server role as they are no longer necessary or used. - haproxy_repo - haproxy_gpg_keys - haproxy_required_distro_packages

Security Issues

  • PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.

Bug Fixes

  • In Ubuntu the dnsmasq package actually includes init scripts and service configuration which conflict with LXC and are best not included. The actual dependent package is dnsmasq-base. The package list has been adjusted and a task added to remove the dnsmasq package and purge the related configuration files from all LXC hosts.

  • Mysql cnf files can now be properly overridden. The config_template module has been extended to support valueless options, such as those that are found in the my.cnf file(i.e. quick under the mysqldump section). To use valueless options, use the ignore_none_type attribute of the config_template module.

15.1.8

New Features

  • The os_nova role now provides for doing online data migrations once the db sync has been completed. The data migrations will not be executed until the boolean variable nova_all_software_updated is true. This variable will need to be set by the playbook consuming the role.

15.1.7

New Features

  • The os_swift role now supports the swift3 middleware, allowing access to swift via the Amazon S3 API. This feature can enabled by setting swift_swift3_enabled to true.

  • The os_cinder role now provides for doing online data migrations once the db sync has been completed. The data migrations will not be executed until the boolean variable cinder_all_software_updated is true. This variable will need to be set by the playbook consuming the role.

  • A new repository for installing modern erlang from ESL (erlang solutions) has been added giving us the ability to install and support modern stable erlang over numerous operating systems.

  • The ability to set the RabbitMQ repo URL for both erlang and RabbitMQ itself has been added. This has been done to allow deployers to define the location of a given repo without having to fully redefine the entire set of definitions for a specific repository. The default variables rabbitmq_gpg_keys, rabbitmq_repo_url, and rabbitmq_erlang_repo_url have been created to facilitate this capability.

  • It’s now possible to disable heat stack password field in horizon. horizon_enable_heatstack_user_pass variable has been added and default to True.

  • The os-nova-install.yml playbook will now execute a rolling upgrade of nova including database migrations as per the procedure described in the nova documentation.

Known Issues

  • MemcacheD sets PrivateDevices=true in its systemd unit file to add extra security around mount namespaces. While this is useful when running MemcacheD on a bare metal host with other services, it is less useful when MemcacheD is already in a container with its own namespaces. In addition, LXC 2.0.8 presents /dev/ptmx as a bind mount within the container and systemd 219 (on CentOS 7) cannot make an additional bind mount of /dev/ptmx when PrivateDevices is enabled.

    Deployers can memcached_disable_privatedevices to yes to set PrivateDevices=false in the systemd unit file for MariaDB on CentOS 7. The default is no, which keeps the default systemd unit file settings from the MemcacheD package.

    For additional information, refer to the following bugs:

  • MariaDB 10.1+ includes PrivateDevices=true in its systemd unit files to add extra security around mount namespaces for MariaDB. While this is useful when running MariaDB on a bare metal host with other services, it is less useful when MariaDB is already in a container with its own namespaces. In addition, LXC 2.0.8 presents /dev/ptmx as a bind mount within the container and systemd 219 (on CentOS 7) cannot make an additional bind mount of /dev/ptmx when PrivateDevices is enabled.

    Deployers can galera_disable_privatedevices to yes to set PrivateDevices=false in the systemd unit file for MariaDB on CentOS 7. The default is no, which keeps the default systemd unit file settings from the MariaDB package.

    For additional information, refer to the following bugs:

Upgrade Notes

  • Changing to the ESL repos has no upgrade impact. The version of erlang provided by ESL is newer than that what is found in the distro repos. Furthermore, a pin has been added to ensure that APT always uses the ESL repos as it’s preferred source which has been done to simply ensure APT is always pointed at ESL.

  • The entire repo build process is now idempotent. From now on when the repo build is re-run, it will only fetch updated git repositories and rebuild the wheels/venvs if the requirements have changed, or a new release is being deployed.

  • The git clone part of the repo build process now only happens when the requirements change. A git reclone can be forced by using the boolean variable repo_build_git_reclone.

  • The python wheel build process now only happens when requirements change. A wheel rebuild may be forced by using the boolean variable repo_build_wheel_rebuild.

  • The python venv build process now only happens when requirements change. A venv rebuild may be forced by using the boolean variable repo_build_venv_rebuild.

  • The repo build process now only has the following tags, providing a clear path for each deliverable. The tag repo-build-install completes the installation of required packages. The tag repo-build-wheels completes the wheel build process. The tag repo-build-venvs completes the venv build process. Finally, the tag repo-build-index completes the manifest preparation and indexing of the os-releases and links folders.

Bug Fixes

15.1.6

New Features

  • The os-cinder-install.yml playbook will now execute a rolling upgrade of cinder including database migrations (both schema and online) as per the procedure described in the cinder documentation. When haproxy is used as the load balancer, the backend being changed will be drained before changes are made, then added back to the pool once the changes are complete.

  • The horizon_images_allow_location variable is added to support the IMAGES_ALLOW_LOCATION setting in the horizon_local_settings.py file to allow to specify and external location during the image creation.

  • The os-neutron-install.yml playbook will now execute a rolling upgrade of neutron including database migrations (both expand and contract) as per the procedure described in the neutron documentation.

Known Issues

  • OpenStack-Ansible sets a new variable, galera_disable_privatedevices, that controls whether the PrivateDevices configuration in MariaDB’s systemd unit file is enabled.

    If the galera_server role is deployed on a bare metal host, the MariaDB default is maintained (PrivateDevices=true). If the galera_server role is deployed within a container, the PrivateDevices configuration is set to true to work around a systemd bug with a bind mounted /dev/ptmx.

    See Launchpad Bug 1697531 for more details.

  • OpenStack-Ansible sets a new variable, memcached_disable_privatedevices, that controls whether the PrivateDevices configuration in MemcacheD’s systemd unit file is enabled.

    If the memcached_server role is deployed on a bare metal host, the default is maintained (PrivateDevices=true). If the role is deployed within a container, the PrivateDevices configuration is set to true to work around a systemd bug with a bind mounted /dev/ptmx.

    See Launchpad Bug 1697531 for more details.

15.1.5

New Features

  • The os_ceilometer role now includes a facility where you can place your own templates in /etc/openstack_deploy/ceilometer (by default) and it will be deployed to the target host after being interpreted by the template engine. If no file is found there, the fallback of the git sourced template is used.

  • For the os_designate role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the designate_*_init_config_overrides variables which use the config_template task to change template defaults.

  • The os_gnocchi role now includes a facility where you can place your own default api-paste.ini or policy.json file in /etc/openstack_deploy/gnocchi (by default) and it will be deployed to the target host after being interpreted by the template engine.

  • The new option haproxy_backend_arguments can be utilized to add arbitrary options to a HAProxy backend like tcp-check or http-check.

  • The ability to disable the certificate validation when checking and interacting with the internal cinder endpoint has been implemented. In order to do so, set the following in /etc/openstack_deploy/user_variables.yml.

    cinder_service_internaluri_insecure: yes
    

Upgrade Notes

  • For the os_designate role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the designate_*_init_config_overrides variables which use the config_template task to change template defaults.

  • The endpoint which designate uses to communicate with neutron has been set to the internalURL by default. This change has been done within the template designate.conf.j2 and can be changed using the designate_designate_conf_overrides variable.

  • The magnum client interaction will now make use of the public endpoints by default. Previously this was set to use internal endpoints.

  • The keystone endpoints for instances spawned by magnum will now be provided with the public endpoints by default. Previously this was set to use internal endpoints.

Deprecation Notes

  • The variable keepalived_uca_enable is deprecated, and replaced by keepalived_ubuntu_src. The keepalived_uca_enable variable will be removed in future versions of the keepalived role. The value of keepalived_ubuntu_src should be either “uca”, “ppa”, or “native”, for respectively installing from the Ubuntu Cloud archive, from keepalived stable ppa, or not installing from an external source.

  • The variable keepalived_use_latest_stable is deprecated, and replaced by keepalived_package_state. The keepalived_use_latest_stable variable will be removed in future versions of the keepalived role. The value of keepalived_package_state should be either “latest” or “present”.

  • The upstream noVNC developers recommend that the keymap be automatically detected for virtual machine consoles. The defaults for three Ansible variables have been removed:

    • nova_console_keymap

    • nova_novncproxy_vnc_keymap

    • nova_spice_console_keymap

    The nova.conf template still includes these variables and it sets the keymap configuration option. Deployers who have customized this setting will not see a change in their nova.conf.

Security Issues

  • The magnum client interaction will now make use of the public endpoints by default. Previously this was set to use internal endpoints.

  • The keystone endpoints for instances spawned by magnum will now be provided with the public endpoints by default. Previously this was set to use internal endpoints.

15.1.4

New Features

  • New variables have been added to allow a deployer to customize a designate systemd unit file to their liking.

  • The task dropping the designate systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

Bug Fixes

  • Upgrading from Newton to Ocata will now correctly add existing Nova instances to the nova_cell1_name cell. For more information see bug 1682169.

  • Upstream is now depending on version 2.1.0 of ldappool.

15.1.3

New Features

  • New variables have been added to allow a deployer to customize a aodh systemd unit file to their liking.

  • The task dropping the aodh systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_aodh role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the aodh_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_barbican role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a ceilometer systemd unit file to their liking.

  • The task dropping the ceilometer systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_ceilometer role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ceilometer_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a cinder systemd unit file to their liking.

  • The task dropping the cinder systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • New variables have been added to allow a deployer to customize a glance systemd unit file to their liking.

  • The task dropping the glance systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_glance role, the systemd unit RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. This value can be adjusted by using the glance_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a gnocchi systemd unit file to their liking.

  • The task dropping the gnocchi systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_gnocchi role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the gnocchi_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a heat systemd unit file to their liking.

  • The task dropping the heat systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_heat role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the heat_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a ironic systemd unit file to their liking.

  • The task dropping the ironic systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_ironic role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ironic_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a keystone systemd unit file to their liking.

  • The task dropping the keystone systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a magnum systemd unit file to their liking.

  • The task dropping the magnum systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_magnum role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the magnum_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a neutron systemd unit file to their liking.

  • The task dropping the neutron systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_neutron role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a nova systemd unit file to their liking.

  • The task dropping the nova systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_nova role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables which use the config_template task to change template defaults.

  • In the Ocata release, Trove added support for encrypting the rpc communication between the guest DBaaS instances and the control plane. The default values for trove_taskmanager_rpc_encr_key and trove_inst_rpc_key_encr_key should be overridden to specify installation specific values.

  • New variables have been added to allow a deployer to customize a sahara systemd unit file to their liking.

  • The task dropping the sahara systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_sahara role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the sahara_*_init_config_overrides variables which use the config_template task to change template defaults.

  • New variables have been added to allow a deployer to customize a swift systemd unit file to their liking.

  • The task dropping the swift systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • New variables have been added to allow a deployer to customize a trove systemd unit file to their liking.

  • The task dropping the trove systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_trove role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the trove_*_init_config_overrides variables which use the config_template task to change template defaults.

Upgrade Notes

  • For the os_aodh role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the aodh_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_barbican role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_ceilometer role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ceilometer_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_glance role, the systemd unit RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. This value can be adjusted by using the glance_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_gnocchi role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the gnocchi_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_heat role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the heat_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_ironic role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ironic_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_magnum role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the magnum_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_neutron role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_nova role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_sahara role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the sahara_*_init_config_overrides variables which use the config_template task to change template defaults.

  • For the os_trove role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the trove_*_init_config_overrides variables which use the config_template task to change template defaults.

15.1.2

New Features

  • A variable named bootstrap_user_variables_template has been added to the bootstrap-host role so the user can define the user variable template filename for AIO deployments

  • Implements SSL connection ability to MySQL. galera_use_ssl option has to be set to true (default), in this case playbooks create self-signed SSL bundle and sets up MySQL configs to use it or distributes user-provided bundle throughout Galera nodes.

  • Removed dependency for cinder_backends_rbd_inuse in nova.conf when setting rbd_user and rbd_secret_uuid variables. Cinder delivers all necessary values via RPC when attaching the volume, so those variables are only necessary for ephemeral disks stored in Ceph. These variables are required to be set up on cinder-volume side under backend section.

Critical Issues

  • A bug that caused the Keystone credential keys to be lost when the playbook is run during a rebuild of the first Keystone container has been fixed. Please see launchpad bug 1667960 for more details.

Bug Fixes

  • Nova features that use libguestfs (libvirt password/key injection) now work on compute hosts running Ubuntu. When Nova is deployed to Ubuntu compute hosts and either nova_libvirt_inject_key or nova_libvirt_inject_password are set to True, then kernels stored in /boot/vmlinuz-* will be made readable to nova user. See launchpad bug 1507915.

15.1.1

New Features

  • Capping the default value for the variable swift_proxy_server_workers to 16 when the user doesn’t configure this variable and if the swift proxy is in a container. Default value is half the number of vCPUs available on the machine if the swift proxy is not in a container. Default value is half the number of vCPUs available on the machine with a capping value of 16 if the proxy is in a container.

  • Add support for the cinder v3 api. This is enabled by default, but can be disabled by setting the cinder_enable_v3_api variable to false.

  • For the os_cinder role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the cinder_*_init_config_overrides variables which use the config_template task to change template defaults.

  • Haproxy-server role allows to set up tunable parameters. For doing that it is necessary to set up a dictionary of options in the config files, mentioning those which have to be changed (defaults for the remaining ones are programmed in the template). Also “maxconn” global option made to be tunable.

Deprecation Notes

  • The variables cinder_sigkill_timeout and cinder_restart_wait have been deprecated and will be removed in Pike.

Bug Fixes

  • The openstack service uri protocol variables were not being used to set the Trove specific uris. This resulted in ‘http’ always being used for the public, admin and internal uris even when ‘https’ was intended.

15.1.0

New Features

  • Capping the default value for the variable aodh_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is twice the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable gnocchi_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is twice the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable ironic_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is one fourth the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable sahara_api_workers to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Tags have been added to all of the common tags with the prefix “common-”. This has been done to allow a deployer to rapidly run any of the common on a need basis without having to rerun an entire playbook.

  • The COPR repository for installing LXC on CentOS 7 is now set to a higher priority than the default to ensure that LXC packages always come from the COPR repository.

  • The galera_client role will default to using the galera_repo_url URL if the value for it is set. This simplifies using an alternative mirror for the MariaDB server and client as only one variable needs to be set to cover them both.

  • The default behaviour of ensure_endpoint in the keystone module has changed to update an existing endpoint, if one exists that matches the service name, type, region and interface. This ensures that no duplicate service entries can exist per region.

  • The repo server file system structure has been updated to allow for multiple Operating systems running multiple architectures to be run at the same time and served from a single server without impacting pools, venvs, wheel archives, and manifests. The new structure follows the following pattern $RELEASE/$OS_TYPE-$ARCH and has been applied to os-releases, venvs, and pools.

  • The deployer can now define an environment variable GROUP_VARS_PATH with the folders of its choice (separated by the colon sign) to define an user space group_vars folder. These vars will apply but be (currently) overriden by the OpenStack-Ansible default group vars, by the set facts, and by the user_* variables. If the deployer defines multiple paths, the variables found are merged, and precedence is increasing from left to right (the last defined in GROUP_VARS_PATH wins)

  • The deployer can now define an environment variable HOST_VARS_PATH with the folders of its choice (separated by the colon sign) to define an user space host_vars folder. These vars will apply but be (currently) overriden by the OpenStack-Ansible default host vars, by the set facts, and by the user_* variables. If the deployer defines multiple paths, the variables found are merged, and precedence is increasing from left to right (the last defined in HOST_VARS_PATH wins)

Known Issues

  • There is currently an Ansible bug in regards to HOSTNAME. If the host .bashrc holds a var named HOSTNAME, the container where the lxc_container module attaches will inherit this var and potentially set the wrong $HOSTNAME. See the Ansible fix which will be released in Ansible version 2.3.

Upgrade Notes

  • The repo server file system structure has been updated to allow for multiple Operating systems running multiple architectures to be run at the same time and served from a single server without impacting pools, venvs, wheel archives, and manifests. The new structure follows the following pattern $RELEASE/$OS_TYPE-$ARCH and has been applied to os-releases, venvs, and pools.

  • The EPEL repository is now removed in favor of the RDO repository.

    This is a breaking change for existing CentOS deployments. The yum package manager will have errors when it finds that certain packages that it installed from EPEL are no longer available. Deployers may need to rebuild container or reinstall packages to complete this change.

  • The openstack_tempest_gate.sh script has been removed as it requires the use of the run_tempest.sh script which has been deprecated in Tempest. In order to facilitate the switch, the default for the variable tempest_run has been set to yes, forcing the role to execute tempest by default. This default can be changed by overriding the value to no. The test whitelist may be set through the list variable tempest_test_whitelist.

Deprecation Notes

  • The variables galera_client_apt_repo_url and galera_client_yum_repo_url are deprecated in favour of the common variable galera_client_repo_url.

  • The update state for the ensure_endpoint method of the keystone module is now deprecated, and will be removed in the Queens cycle. Setting state to present will achieve the same result.

Security Issues

  • The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.

  • The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.

Other Notes

15.0.0

Prelude

Functionality to support Ubuntu Trusty (14.04) has been removed from the code base.

New Features

  • CentOS7/RHEL support has been added to the ceph_client role.

  • Only Ceph repos are supported for now.

  • There is now experimental support to deploy OpenStack-Ansible on CentOS 7 for both development and test environments.

  • Experimental support has been added to allow the deployment of the OpenStack Designate service when hosts are present in the host group dnsaas_hosts.

  • Support has been added for the horizon designate-ui dashboard. The dashboard will be automatically enabled if any hosts are in the dnsaas_hosts inventory group.

  • The os_horizon role now has support for the horizon designate-ui dashboard. The dashboard may be enabled by setting horizon_enable_designate_ui to True in /etc/openstack_deploy/user_variables.yml.

  • Support has been added for the horizon trove-ui dashboard. The dashboard will be automatically enabled if any hosts are defined in the trove-infra_hosts inventory group.

  • Deployers can now define the override cinder_rpc_executor_thread_pool_size which defaults to 64

  • Deployers can now define the override cinder_rpc_response_timeout which defaults to 60

  • Experimental support has been added to allow the deployment of the OpenStack trove service when hosts are present in the host group trove-infra_hosts.

  • It is now possible to customise the location of the configuration file source for the All-In-One (AIO) bootstrap process using the bootstrap_host_aio_config_path variable.

  • It is now possible to customise the location of the scripts used in the All-In-One (AIO) boostrap process using the bootstrap_host_aio_script_path variable.

  • It is now possible to customise the name of the user_variables.yml file created by the All-In-One (AIO) bootstrap process using the bootstrap_host_user_variables_filename variable.

  • It is now possible to customise the name of the user_secrets.yml file created by the All-In-One (AIO) bootstrap process using the bootstrap_host_user_secrets_filename variable.

  • The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.

  • The filename of the apt source for the ubuntu cloud archive used in ceph client can now be defined by giving a filename in the uca part of the dict ceph_apt_repos.

  • The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.

  • The filename of the apt/yum source can now be defined with the variable mariadb_repo_filename.

  • The filename of the apt source can now be defined with the variable filename inside the dicts galera_repo and galera_percona_xtrabackup_repo.

  • The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.

  • Support has been added to allow the deployment of the OpenStack barbican service when hosts are present in the host group key-manager_hosts.

  • The number of worker threads for neutron will now be capped at 16 unless a specific value is specified. Previously, the calculated number of workers could get too high on systems with a large number of processors. This was particularly evident on POWER systems.

  • Capping the default value for the variables ceilometer_api_workers and ceilometer_notification_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable cinder_osapi_volume_workers to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable galera_wsrep_slave_threads to 16 when the user doesn’t configure this variable. Default value is the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable galera_max_connections to 1600 when the user doesn’t configure this variable. Default value is 100 times the number of vCPUs available on the machine with a capping value of 1600.

  • Capping the default value for the variables glance_api_workers and glance_registry_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variables heat_api_workers and heat_engine_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variables horizon_wsgi_processes and horizon_wsgi_threads to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable keystone_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variables neutron_api_workers, neutron_num_sync_threads and neutron_metadata_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variables nova_wsgi_processes, nova_osapi_compute_workers, nova_metadata_workers and nova_conductor_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Capping the default value for the variable repo_nginx_workers to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • The ceilometer configuration files other than ceilometer.conf are now retrieved from upstream. You can override the repository from which these are retrieved by setting the ceilometer_git_config_lookup_location variable which defaults to the git.openstack.org.

  • Several configuration files that were not templated for the os_ceilometer role are now retrieved from git. The git repository used can be changed using the ceilometer_git_config_lookup_location variable. By default this points to git.openstack.org. These files can still be changed using the ceilometer_x_overrides variables.

  • Playbooks for ceph-ansible have been added to facilitate gate testing of the OpenStack-Ansible integration with Ceph clusters, and can be used to integrate the two projects so that OpenStack-Ansible can deploy and consume its own Ceph installation using ceph-ansible. This should be considered an experimental integration until further testing is been completed by deployers and the OpenStack-Ansible gate to fine tune its stability and completeness. The ceph-install playbook can be activated by adding hosts to the ceph-mon_hosts and ceph-osd_hosts in the OSA inventory. A variety of ceph-ansible specific variables will likely need to be configured in user_variables.yml to configure ceph-ansible for your environment. Please reference the ceph-ansible repo for a list of variables the project supports.

  • The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.

  • Deployers can set heat_cinder_backups_enabled to enable or disable the cinder backups feature in heat. If heat has cinder backups enabled, but cinder’s backup service is disabled, newly built stacks will be undeletable.

    The heat_cinder_backups_enabled variable is set to false by default.

  • A new switch pip_install_build_packages is introduced to allow toggling compiler and development library installation. The legacy behavior of installing the compiler and development libraries is maintained as the switch is enabled by default.

  • Deployers can set openstack_host_nf_conntrack_max to control the maximum size of the netfilter connection tracking table. The default of 262144 should be increased if virtual machines will be handling large amounts of concurrent connections.

  • LXC containers will now generate a fixed mac address on all network interfaces when the option lxc_container_fixed_mac is set to true. This feature was implemented to resolve issues with dynamic mac addresses in containers generally experienced at scale with network intensive services.

  • The os-designate role now supports Ubuntu 16.04 and SystemD.

  • The Designate pools.yaml file can now be generated via the designate_pools_yaml attribute, if desired. This allows users to populate the Designate DNS server configuration using attributes from other plays and obviates the need to manage the file outside of the Designate role.

  • The rabbitmq_server role now supports disabling listeners that do not use TLS. Deployers can override the rabbitmq_disable_non_tls_listeners variable, setting a value of True if they wish to enable this feature.

  • Neutron DHCP options have been set to allow a DHCP server running dnsmasq to coexist with other DHCP servers within the same network. This works by instructing dnsmasq to ignore any clients which are not specified in dhcp-host files.

  • Neutron DHCP options have been set to provide for logging which makes debugging DHCP and connectivity issues easier by default.

  • Variable ceph_extra_confs has been expanded to support retrieving additional ceph.conf and keyrings from multiple ceph clusters automatically.

  • Additional libvirt ceph client secrets can be defined to support attaching volumes from different ceph clusters.

  • Additional volume-types can be created by defining a list named extra_volume_types in the desired backend of the variable(s) cinder_backends

  • Container boot ordering has been implemented on container types where it would be beneficial. This change ensures that stateful systems running within a container are started ahead of non-stateful systems. While this change has no impact on a running deployment it will assist with faster recovery should any node hosting container go down or simply need to be restarted.

  • A new task has been added to the “os-lxc-container-setup.yml” common-tasks file. This new task will allow for additional configurations to be added without having to restart the container. This change is helpful in cases where non-impacting config needs to be added or updated to a running containers.

  • The galera_client_package_install option can now be specified to handle whether packages are installed as a result of the openstack-ansible-galera_client role running. This will default to true, but can be set to false to prevent package installs. This is useful when deploying the my.cnf client configuration file on hosts that already have Galera installed.

  • You can specify the galera_package_arch variable to force a specific architecture when installing percona and qpress packages. This will be automatically calculated based on the architecture of the galera_server host. Acceptable values are x86_64 for Ubuntu-16.04 and RHEL 7, and ppc64le for Ubuntu-16.04.

  • Add get_networks command to the neutron library. This will return network information for all networks, and fail if the specified net_name network is not present. If no net_name is specified network information will for all networks will be returned without performing a check on an existing net_name network.

  • Set the glance_swift_store_auth_insecure variable to override the swift_store_auth_inscure value in /etc/glance/glance-api.conf. Set this value when using an external Swift store that does not have the same insecure setting as the local Keystone.

  • Specify the gnocchi_auth_mode var to set the auth_mode for gnocchi. This defaults to basic which has changed from noauth to match upstream. If gnocchi_keystone_auth is true or yes this value will default to keystone.

  • Specify the gnocchi_git_config_lookup_location value to specify the git repository where the gnocchi config files can be retrieved. The api-paste.ini and policy.json files are now retrieved from the specified git repository and are not carried in the os_gnocchi role.

  • Several configuration files that were not templated for the os_gnocchi` role are now retrieved from git. The git repository used can be changed using the ``gnocchi_git_config_lookup_location variable. By default this points to git.openstack.org. These files can still be changed using the gnocchi_x_overrides variables.

  • If the cinder backup service is enabled with cinder_service_backup_program_enabled: True, then heat will be configured to use the cinder backup service. The heat_cinder_backups_enabled variable will automatically be set to True.

  • It’s now possible to change the behavior of DISALLOW_IFRAME_EMBED by defining the variable horizon_disallow_iframe_embed in the user variables.

  • The --check parameter for dynamic_inventory.py will now raise warnings if there are any groups defined in the user configuration that are not also found in the environment definition.

  • Add support for neutron as an enabled_network_interface.

  • The ironic_neutron_provisioning_network_name and ironic_neutron_cleaning_network_name variable can be set to the name of the neutron network to use for provisioning and cleaning. The ansible tasks will determine the appropriate UUID for that network. Alternatively, ironic_neutron_provisioning_network_uuid or ironic_neutron_cleaning_network can be used to directly specify the UUID of the networks. If both ironic_neutron_provisioning_network_name and ironic_neutron_provisioning_network_uuid are specified, the specified UUID will be used. If only the provisioning network is specified, the cleaning network will default to the same network.

  • Added support for ironic-OneView drivers. Check the documentation on how to enable them.

  • When using a copy-on-write backing store, the lxc_container_base_name can now include a prefix defined by lxc_container_base_name_prefix.

  • LXC on CentOS is now installed via package from a COPR repository rather than installed from the upstream source.

  • IPv6 support has been added for the LXC bridge network. This can be configured using lxc_net6_address, lxc_net6_netmask, and lxc_net6_nat.

  • The variable lxc_cache_environment has been added. This dictionary can be overridden by deployers to set HTTP proxy environment variables that will be applied to all lxc container download tasks.

  • The new provider network attribute sriov_host_interfaces is added to support SR-IOV network mappings inside Neutron. The provider_network adds new items network_sriov_mappings and network_sriov_mappings_list to the provider_networks dictionary. Multiple interfaces can be defined by comma separation.

  • The dragonflow plugin for neutron is now available. You can set the neutron_plugin_type to ml2.dragonflow to utilize this code path. The dragonflow code path is currently experimental.

  • Neutron SR-IOV can now be optionally deployed and configured. For details about the what the service is and what it provides, see the SR-IOV Installation Guide for more information.

  • The nova-placement service is now configured by default. nova_placement_service_enabled can be set to False to disable the nova-placement service.

  • The nova-placement api service will run as its own ansible group nova_api_placement.

  • Nova cell_v2 support has been added. The default cell is cell1 which can be overridden by the nova_cell1_name. Support for multiple cells is not yet available.

  • The copy of the /etc/openstack-release file is now optional. To disable the copy of the file, set openstack_distrib_file to no.

  • The location of the /etc/openstack-release file placement can now be changed. Set the variable openstack_distrib_file_path to place it in a different path.

  • A new variable, tempest_flavors, has been added to the os_tempest role allowing users to define nova flavors to be during tempest testing.

  • CentOS7/RHEL support has been added to the os_aodh role.

  • CentOS7/RHEL support has been added to the os_ceilometer role.

  • CentOS7/RHEL support has been added to the os_designate role.

  • CentOS7/RHEL support has been added to the os_gnocchi role.

  • CentOS7/RHEL support has been added to the os_heat role.

  • CentOS7/RHEL support has been added to the os_horizon role.

  • CentOS7/RHEL support has been added to the os_neutron role.

  • CentOS7/RHEL support has been added to the os_nova role.

  • CentOS7/RHEL support has been added to the os_swift role.

  • The openstack-ansible-security role is now configured to apply the security configurations from the Red Hat Enterprise Linux 7 STIG to OpenStack-Ansible deployments.

  • The os_barbican role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting barbican_package_state to present.

  • The os_designate role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting designate_package_state to present.

  • The PATH environment variable that is configured on the remote system can now be set using the openstack_host_environment_path list variable.

  • Deployers can now define the varible cinder_qos_specs to create qos specs and assign those specs to desired cinder volume types.

  • RabbitMQ Server can now be installed from different methods: a deb file (default), from standard repository package and from external repository. Current behavior is unchanged. Please define rabbitmq_install_method: distro to use packages provided by your distribution or rabbitmq_install_method: external_repo to use packages stored in an external repo. In the case external_repo is used, the process will install RabbitMQ from the packages hosted by packagecloud.io, as recommended by RabbitMQ.

  • The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by default. Deployers can continue using the RHEL 7 STIG content by setting the following Ansible variable:

    stig_version: rhel6
    
  • The swift_rsync_reverse_lookup option has been added. This setting will handle whether rsync performs reverse lookups on client IP addresses, and will default to False. We recommend leaving this option at False, unless DNS or host entries exist for each swift host’s replication address.

  • The security-hardening playbook hosts target can now be filtered using the security_host_group var.

  • When using the pypy python interpreter you can configure the garbage collection (gc) settings for pypy. Set the minimum GC value using the swift_pypy_gc_min variable. GC will only happen when the memory size is above this value. Set the maximum GC value using the swift_pypy_gc_max variable. This is the maximum memory heap size for pypy. Both variables are not defined by default, and will only be used if the values are defined and swift_pypy_enabled is set to True.

  • Swift tempauth users now be specified. The swift_tempauth_users variable can be defined as a list of tempauth users, and their permissions. You will still need to specify the appropriate Swift middleware using the swift_middleware_list variable, in order to utilise tempauth.

  • Swift versioned_writes middleware is added to the pipeline by default. Additionally the allow_versioned_writes settings in the middleware configuration is set to True. This follows the Swift defaults, and enables the use of the X-History-Location metadata Header.

  • Adds support for the horizon trove-ui dashboard. The dashboard will be automatically enabled if any trove hosts are defined.

  • The Trove dashboard is available in Horizon. Deployers can enable the panel by setting the following Ansible variable:

    horizon_enable_trove_ui: True
    
  • The variable trove_conductor_workers can be configured for defining the number of workers for the trove conductor service. The default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Added new variable tempest_volume_backend_names and updated templates/tempest.conf.j2 to point backend_names at this variable

  • The os_barbican role now supports deployment on Ubuntu 16.04 using SystemD.

Known Issues

  • The variables haproxy_keepalived_(internal|external)_cidr now has a default set to 169.254.(2|1).1/24. This is to prevent Ansible undefined variable warnings. Deployers must set values for these variables for a working haproxy with keepalived environment when using more than one haproxy node.

Upgrade Notes

  • The global override cinder_nfs_client is replaced in favor of fully supporting multi backends configuration via the cinder_backends stanza.

  • The Designate pools.yaml file can now be generated via the designate_pools_yaml attribute, if desired. This ability is toggled by the designate_use_pools_yaml_attr attribute. In the future this behavior may become default and designate_pools_yaml may become a required variable.

  • The galera_client role now installs MariaDB client version 10.1.

  • For systems using the APT package manager, the sources file for the MariaDB repo now has a consistent name, ‘MariaDB.list’.

  • The galera_server role now installs MariaDB server version 10.1.

  • For systems using the APT package manager, the sources files for the MariaDB and Percona repos now have consistent names, ‘MariaDB.list’ and ‘Percona.list’.

  • The galera_mariadb_apt_server_package and galera_mariadb_yum_server_package variables have been renamed to galera_mariadb_server_package.

  • The galera_apt_repo_url and galera_yum_repo_url variables have been renamed to galera_repo_url.

  • The latest stable release of Ceph, Jewel, is now used as the default client version since Hammer was scheduled for EOL in November 2016.

  • The variables used to produce the /etc/openstack-release file have been changed in order to improve consistency in the name spacing according to their purpose.

    openstack_code_name –> openstack_distrib_code_name openstack_release –> openstack_distrib_release

    Note that the value for openstack_distrib_release will be taken from the variable openstack_release if it is set.

  • The variable neutron_dhcp_domain has been renamed to neutron_dns_domain.

  • The nova-cert service has been deprecated, is marked for removal in the Ocata release, and will no longer be deployed by the os_nova role.

  • Installation of designate and its dependent pip packages will now only occur within a Python virtual environment. The designate_venv_enabled, designate_venv_bin, designate_venv_etc_dir and designate_non_venv_etc_dir variables have been removed.

  • The os_barbican role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option barbican_package_state should be set to present.

  • The os_designate role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option designate_package_state should be set to present.

  • The security role will accept the currently installed version of a package rather than attempting to update it. This reduces unexpected changes on the system from subsequent runs of the security role. Deployers can still set security_package_state to latest to ensure that all packages installed by the security role are up to date.

  • The glance library has been removed from OpenStack-Ansible’s plugins. Upstream Ansible modules for managing OpenStack image resources should be used instead.

  • The variable proxy_env_url is now used by the apt-cacher-ng jinja2 template to set up an HTTP/HTTPS proxy if needed.

  • The gnocchi_archive_policies and gnocchi_archive_policy_rules variables never had full support in the role so were ineffective at the intended purpose. The task references to them have been removed and the library to perform gnocchi operations has also been removed. This eliminates the need for the gnocchi client to be installed outside the virtual environment as well.

  • The following secrets are no longer used by OpenStack-Ansible and can be removed from user_secrets.yml:

    • container_openstack_password

    • keystone_auth_admin_token

    • cinder_v2_service_password

    • nova_ec2_service_password

    • nova_v3_service_password

    • nova_v21_service_password

    • nova_s3_service_password

    • swift_container_mysql_password

  • The variables tempest_requirements_git_repo and tempest_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables horizon_requirements_git_repo and horizon_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables swift_requirements_git_repo and swift_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables ironic_requirements_git_repo and ironic_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables neutron_requirements_git_repo and neutron_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables heat_requirements_git_repo and heat_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables magnum_requirements_git_repo and magnum_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables sahara_requirements_git_repo and sahara_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables cinder_requirements_git_repo and cinder_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables trove_requirements_git_repo and trove_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables gnocchi_requirements_git_repo and gnocchi_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables glance_requirements_git_repo and glance_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables keystone_requirements_git_repo and keystone_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables aodh_requirements_git_repo and aodh_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables barbican_requirements_git_repo and barbican_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables nova_requirements_git_repo and nova_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables nova_lxd_requirements_git_repo and nova_lxd_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables rally_requirements_git_repo and rally_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables ceilometer_requirements_git_repo and ceilometer_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • Deployers should review the new RHEL 7 STIG variables in defaults/main.yml to provide custom configuration for the Ansible tasks.

  • The default behaviour of rsync, to perform reverse lookups, has been changed to False. This can be set to True by setting the swift_rsync_reverse_lookup variable to True.

  • Functionality to support Ubuntu Trusty (14.04) has been removed from the code base.

  • Gnocchi service endpoint variables were not named correctly. Renamed variables to be consistent with other roles.

  • The variable gnocchi_required_pip_packages was incorrectly named and has been renamed to gnocchi_requires_pip_packages to match the standard across all roles.

  • The cinder project removed the shred value for the volume_clear option. The default for the os_cinder OpenStack-Ansible role has changed to zero.

Deprecation Notes

  • The vars to set source_sample_interval for the os_ceilometer role are deprecated and will be removed in the Queen cycle. To override these variables after Queen, utilize the ceilometer_pipeline_yaml_overrides file.

  • The ceilometer_gnocci_resources_yaml_overrides variable is deprecated and scheduled for removal in the Pike cycle. This is replaced with the correctly spelled variable, which should now be used ceilometer_gnocchi_resources_yaml_overrides.

  • The gnocchi_keystone_auth is deprecated, and will be removed in the Queen cycle. Setting gnocchi_auth_mode to keystone will achieve the same result.

  • The Red Hat Enteprise Linux 6 STIG content has been deprecated. The tasks and variables for the RHEL 6 STIG will be removed in a future release.

  • Removed tempest_volume_backend1_name and tempest_volume_backend1_name since backend1_name and backend2_name were removed from tempest in commit 27905cc (merged 26/04/2016)

Bug Fixes

  • When a task fails while executing a playbook, the default behaviour for Ansible is to fail for that host without executing any notifiers. This can result in configuration changes being executed, but services not being restarted. OpenStack-Ansible now sets ANSIBLE_FORCE_HANDLERS to True by default to ensure that all notified handlers attempt to execute before stopping the playbook execution.

  • LXC containers will now have the ability to use a fixed mac address on all network interfaces when the option lxc_container_fixed_mac is set true. This change will assist in resolving a long standing issue where network intensive services, such as neutron and rabbitmq, can enter a confused state for long periods of time and require rolling restarts or internal system resets to recover.

  • The ‘container_cidr’ key has been restored back to openstack_inventory.json The fix to remove deleted global override keys mistakenly deleted the ‘container_cidr’ key, as well. This was used by downstream consumers, and cannot be reconstructed with other information inside the inventory file. Regression tests were also added.

  • SSLv3 is now disabled in the haproxy daemon configuration by default.

  • Properly distrubute client keys to nova hypervisors when extra ceph clusters are being deployed.

  • Properly remove temporary files used to transfer ceph client keys from the deploy host and hypervisors.

  • Systems using systemd (like Ubuntu Xenial) were incorrectly limited to a low amount of open files. This was causing issues when restarting galera. A deployer can still define the maximum number of open files with the variable galera_file_limits (Defaults to 65536).

  • Metal hosts were being inserted into the lxc_hosts group, even if they had no containers (Bug 1660996). This is now corrected for newly configured hosts. In addition, any hosts that did not belong in lxc_hosts will be removed on the next inventory run or playbook call.

  • Errors relating to groups containing both hosts and other groups as children now raise a more descriptive error. See inventory documentation for more details. Fixes bug

  • Setting the haproxy_bind list on a service is now used as an override to the other VIPs defined in the environment. Previously it was being treated as an append to the other VIPs so there was no path to override the VIP binds for a service. For example, haproxy_bind could be used to bind a service to the internal VIP only.

  • The haproxy daemon is now able to bind to any port on CentOS 7. The haproxy_connect_any SELinux boolean is now set to on.

  • The percona repository stayed in placed even after a change of the variable use_percona_upstream. From now on, the percona repository will not be present unless the deployer decides to use_percona_upstream. This also fixes a bug of the presence of this apt repository after an upgdrade from Mitaka.

  • The URL of NovaLink uses ‘ftp’ protocol to provision apt key. It causes apt_key module to fail to retrieve NovaLink gpg public key file. Therefore, change the protocol of URL to ‘http’. For more information, see bug 1637348.

  • The apt-cacher-ng daemon does not use the proxy server specified in environment variables. The proxy server specified in the proxy_env_url variable is now set inside the apt-cacher-ng configuration file.

  • Setup for the PowerVM driver was not properly configuring the system to support RMC configuration for client instances. This fix introduces an interface template for PowerVM that properly supports mixed IPV4/IPV6 deploys and adds documentation for PowerVM RMC. For more information see bug 1643988.

Other Notes

  • XtraBackup is currently on version 2.4.5 for ppc64le architecture when pulling deb packages from the repos.

  • XtraBackup is currently on version 2.4.5 for amd64 architecture when pulling rpm/deb packages from the repos. To pull the latest available 2.4 branch version from the yum/apt repository set the use_percona_upstream variable to True. The default behavior using deb packages is unchanged.

  • From now on, external repo management (in use for RDO/UCA for example) will be done inside the pip-install role, not in the repo_build role.