Xena Series Release Notes¶
24.6.0¶
Catatan lain¶
Erlang will is updated to version 25.0.4, RabbitMQ will be upgraded to version 3.9.28. This will also harmonize RabbitMQ/Erlang versioning for Debian Bullseye.
24.5.1¶
Masalah keamanan¶
This release includes SHA bump for Cinder, Nova and Glance that covers OSSA-2023-002 vulnarability (CVE-2022-47951).
24.5.0¶
Fitur baru¶
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Catatan Upgrade¶
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Catatan lain¶
Default RabbitMQ version was upgraded to
3.9.21
and erlang version to24.3.*
24.4.3¶
Perbaikan Bug¶
MariaDB version is been upgraded by default to 10.6.9 that fixes mariaback incremental backup diskspace consumption - incremental backups were containing also binlogs which was not needed.
Catatan lain¶
Default erlang for RabbitMQ version is upgraded to
24.1.7
24.4.0¶
Fitur baru¶
Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable
neutron_vpnaas_custom_config
. deployers should defineneutron_vpnaas_custom_config
in 'user_variables.yml'. Example:neutron_vpnaas_custom_config: - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template" dest: "{{ neutron_conf_dir }}/strongswan.conf.template" - src: "/etc/openstack_deploy/strongswan/strongswan.d" dest: "/etc/strongswan.d" - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template" dest: "{{ neutron_conf_dir }}/ipsec.conf.template" - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template" dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
We should be also define
neutron_l3_agent_ini_overrides
in 'user_variables.yml' to telll3_agent
use the new config file. Example:neutron_l3_agent_ini_overrides: ipsec: enable_detailed_logging: True strongswan: strongswan_config_template : "{{ neutron_conf_dir }}/strongswan.conf.template" openswan: ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
Implemented variables
rally_openstack_git_repo
andrally_openstack_git_install_branch
that allow to override installation source for rally-openstack package as well as control installed version of the package.
Catatan Upgrade¶
Erlang version is changed from
24.1-1
to24.1.3-1
. Depending on when deployment was done, that could be different minor releases. This means that your erlang version might be either minorly upgraded or downgraded. This should not lead to incompatabilities with RabbitMQ in any scenario.
If you have defined
haproxy_tuning_params
in your deployment, make sure that before upgrade all keys are valid haproxy options. For example, instead ofchksize: 16384
you should settune.chksize: 16384
. Otherwise invalid config will be generated and haproxy will fail on startup. No upgrade scripts are provided for this change as well as no backwards compatability.
Masalah keamanan¶
MariaDB has been updated to version 10.6.8 by default. This covers following CVEs:
Perbaikan Bug¶
Fixed Erlang installation from Cloudsmith repository for CentOS 8 Stream by adjusting version that will be installed.
Erlang version is now synced between Ubuntu/Debian and CentOS 8 Stream.
By default we increase
tune.maxrewrite
as otherwise while using CSP headers, their size could exceed allowed buffer. Also deployers can override this value if needed.
Catatan lain¶
Restriction on parameters that can be passed to
haproxy_tuning_params
has been released. This means, that any tuning parameter can be passed in key/value format.
Default source of rabbitmq and erlang packages has been switched to cloudsmith.io
24.3.0¶
Fitur baru¶
New variables
galera_tmp_dir
andgalera_ignore_db_dirs
were implemented to control path to tmp dir and what directories should be ignored when listing databases.
Catatan Upgrade¶
If you have database named as
#tmp
you should changegalera_tmp_dir
path and adjustgalera_ignore_db_dirs
or rename database.
Perbaikan Bug¶
Fixes a Content Security Policy error which prevented image uploads via the Horizon interface.
Fixed facts gathering when tags were provided with playbook run.
24.2.0¶
Fitur baru¶
Introduced new variable
cinder_volume_usage_audit_send_actions_enabled
to allow the deployer to disable the send actions option in cinder-volume-usage-audit service unit. To have lowest possible footprint, the default value would be true to not change the behaviour of the cinder-volume-usage-audit in existing deployments.
Added variable
rabbitmq_manage_hosts_entries
that controls if rabbitmq_server role will attempt to adjust /etc/hosts file
Perbaikan Bug¶
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Do not duplicate records in /etc/hosts file by rabbitmq role when hosts file is already managed by OSA.
24.0.1¶
Masalah Dikenal¶
In the Xena release, TLS for VNC is enabled by default, for existing deployments this will prevent console access to existing virtual machines, as this configuration change does not apply to existing virtual machines. Virtual machines created after the configuration change are not affected.
The virtual machines will run correctly, but your are not able to access them via the console. There are three possible solutions to enable console access for existing virtual machines; disable TLS for VNC, restart the virtual machine or live migrate the virtual machine.
TLS for VNC can be disabled by setting
nova_qemu_vnc_tls
variable to0
in the/etc/openstack_deploy/user_variables.yml
file.
24.0.0¶
Fitur baru¶
Enable VeNCrypt authentication scheme from noVNC proxy to compute nodes. When using HTTPS, the TLS encryption only applies to data between the tenant user and proxy server. To provide protection from the noVNC proxy to the Compute Nodes, it is necessary to enable the VeNCrypt authentication scheme for VNC.
A pre-existing PKI (Public Key Infrastructure) setup is required.
Initially to help with the transition from unencrypted VNC to VeNCrypt, compute nodes auth scheme allows for both encrypted and unencrypted sessions using the variable nova_vencrypt_auth_scheme, this will be removed in future releases.
UEFI boot support has been added. To migrate from Legacy BIOS mode, define boot_mode:uefi as a capability for baremetal nodes that support UEFI. In addition, corresponding flavor(s) will need to be created or modified to include boot_mode:uefi as a capability for scheduling to occur against UEFI nodes.
Ceph-ansible has been switched to version 6.0 and Ceph Pacific is used by default.
Implemented new variable
connection_recycle_time
responsible for SQLAlchemy's connection recycling
Galera role now leverages PKI role for creation and distribution of the certificates and certificate authorities. This introduces bunch of new variables which controls CA and certificates generation details. If user SSL certificates are provided - they would be used instead of the generated ones.
The following new variables were introduced:
galera_ssl_verify
galera_pki_dir
galera_pki_create_ca
galera_pki_regen_ca
galera_pki_certificates
galera_pki_regen_cert
galera_pki_authorities
galera_pki_install_ca
galera_pki_keys_path
galera_pki_certs_path
galera_pki_intermediate_cert_name
galera_pki_intermediate_cert_path
galera_pki_install_certificates
MariaDB now uses TLS encryption by default. Certificate will be issued and signed with internal CA using PKI role. Deployers can disable encrypting MariaDB connections by setting
galera_use_ssl: false
in their user_variables.yml Client certificates could be still provided and they will be distributed with PKI role as well.
Added variable horizon_policy_overrides which allows to customize horizon specific policies. As we don't want to carry and maintain horizon policies with OSA, they're retrieved from horizon hosts and adjusted in-place, which means that they won't rollback in case you just remove override. horizon_policy_overrides has also non-standart format, as it's nested dictionary, where 1st level key represents service which policy needs to be overriden, and it's value is normal policy override format.
Support for the networking-baremetal mechanism driver and agent has been implemented. The ironic-neutron-agent is a neutron agent that populates the host to physical network mapping for baremetal nodes in neutron. Neutron uses this to calculate the segment to host mapping information. This feature may be enabled by adding
ml2.baremetal
to theneutron_plugin_types
list in/etc/openstack_deploy/user_variables.yml
.
The
provider_networks
library has been updated to support the definition of bond member interfaces that can automatically be added as bond ports to OVS provider bridges setup during a deployment. This feature is currently limited to DPDK-based deployments. To activate this feature, add thenetwork_bond_interfaces
key to the respective provider network definition inopenstack_user_config.yml
. For more information, refer to the latest Open vSwitch w/ DPDK deployment guide.
Added variables
systemd_run_dir
andsystemd_lock_dir
that allows to control run and lock path for directories that will be used by systemd services. Variables should not include service name since it will be added by default at the end of the provided path. These variables could be also defined as keys insidesystemd_services
and this will have prescedence over default behaviour.
Default run path for systemd services has been changed to
/run
and lock path to/run/lock
.
Nova now defaults to to using the "QEMU-native TLS" feature for live migrations, rather than the deprecated SSH method. A pre-existing PKI (Public Key Infrastructure) setup is required.
QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
More information can be found here: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html
Masalah Dikenal¶
There's a known issue with upgrade to Ceph Pacific release prior to version 16.2.7. Please, make sure that 16.2.7 or later has been released before performing Ceph upgrade. Otherwise, override
ceph_stable_release: octopus
in your user_variables.yml
Catatan Upgrade¶
We have changed default values for variables related to database connection pooling. For some services(like nova) default pool sizes will be significantly lower, we have also decreased default connection_recycle_time to 10 minutes. It should not cause any issues, but we recommended to double check these values, especially for large environments.
Catatan Depresiasi¶
For consistency reasons,
octavia_db_pool_size
was deprecated in favor ofoctavia_db_max_pool_size
which is in a standardized format used in other repositories.octavia_db_pool_size
support it will be removed in Yoga release.
For consistency reasons,
neutron_db_pool_size
was deprecated in favor ofneutron_db_max_pool_size
which is in a standardized format used in other repositories. However, it will be supported until Yoga release.
For consistency reasons, the following variables were deprecated in favor of the new ones in a standardized format used in other repositories.
keystone_database_pool_timeout
->keystone_db_pool_timeout
keystone_database_max_pool_size
->keystone_db_max_pool_size
keystone_database_idle_timeout
->keystone_db_connection_recycle_time
However, they will be supported until next Yoga release.
keystone_database_min_pool_size
was deprecated as it's deprecated in oslo.db
OVN-related HAProxy configuration is deprecated and has been replaced with built-in clustering functionality. OVN-related endpoints will be completely removed in the Z release.
Variable
systemd_lock_path
has been dropped and has no effect now. In order to customize lock dir path please usesystemd_lock_dir
. Please keep in mind, that forsystemd_lock_dir
you don't need to provide full path like it was withsystemd_lock_path
since service name is added to the end of the path.
With the retirement of upstram Panko project, os_panko role has been deprecated. Panko service API endpoint will be removed during upgrade. If you want to preserve Panko API working, you should override haproxy_panko_api_service.
Following variables were removed in favor of PKI ones and have no effect anymore:
galera_ssl_self_signed_regen
galera_ssl_self_signed_subject
galera_ssl_ca_self_signed_subject
We removed multiple web server support for keystone and left only Apache since nginx is missing features required for federation setup. With this change following variables are deprecated and have no effect:
keystone_web_server
keystone_centos_nginx_mirror
keystone_centos_nginx_key
keystone_nginx_access_log_format_combined
keystone_nginx_access_log_format_extras
keystone_nginx_ports
keystone_nginx_extra_conf
Nginx web server will be removed and replaced with Apache during upgrade.
Variable
nova_enabled_vgpu_types
has been deprecated and is replaced withnova_enabled_mdev_types
.
Masalah keamanan¶
The following security headers were added to the haproxy Horizon service: strict-transport-security, x-content-type-options, referrer-policy and content-security-policy. Care should be taken when deploying the strict-transport-security header, as this header implements Trust on First Use security, meaning that after a browser first visits the page the browser will enforce the use of HTTPS until the max age time has expired. For the time being the strict-transport-security preload token which indicates that you are happy to have your site included in the HSTS preload list that is built into browsers has been excluded. The headers can be disabled by setting haproxy_security_headers: [] and the CSP (Content Security Policy) for Horizon can be overridden to support things like federated login by setting haproxy_horizon_csp. There is the option to extend to all haproxy services in the future, but as the headers are only used by browsers there maybe limited benefit to doing this other than for keystone and console services.
Perbaikan Bug¶
Fixed inconsistency in
haproxy_frontend_raw
key naming between documentation and service template. Previously, template generation was expectinghaproxy_raw
instead of thehaproxy_frontend_raw
.
For deployers using Keystone as an OIDC-based Service Provider there has been a spelling fix for the OIDCScope setting. Please use
keystone_sp.trusted_idp_list.0.oidc_scope
instead ofkeystone_sp.trusted_idp_list.0.idc_scope
.
This release addresses an issue which could cause wheels to fail to be built when upgrading from one operating system to another. Upgrading to this release is recommended before attempting an operating system upgrade.
Catatan lain¶
Set a new default value for
galera_wait_timeout
which is inherited from globalopenstack_db_connection_recycle_time
.
Set new default values for db pooling variables which are inherited from the global ones.