Yoga Series Release Notes¶
25.6.0¶
Catatan Upgrade¶
Keystone OIDC parameter 'oidc_redirect_uri' is replaced with 'oidc_redirect_path'. This parameter no longer needs to be set explicitly unless you run additional services which may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in redirect URI which defaults to the Keystone public URL plus the path /oidc_redirect.
Perbaikan Bug¶
Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.
Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc if >= v2.4.9 including on Ubuntu Jammy.
Catatan lain¶
The
localhost
target was explicitly added to OSA inventory due to bug #2041717. As a result, the 'all' group now contains localhost, and custom playbooks targeting 'all' may need adjustment, e.g.:hosts: all:!localhost
25.5.0¶
Fitur baru¶
Added variables
galera_backups_full_init_overrides
andgalera_backups_increment_init_overrides
that can be leveraged to override default set of systemd unit file for mariadb backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc .
Implemented variable
lxc_image_cache_expiration
that controlls for how long cached LXC image will be valid. Default value is 1year. Variable format should be compatible with community.general.to_time_unit filter.
Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool.
--compress=True|False
--compressor=<compressor>
Also introduces new Ansible variables that control the above mentioned parameters.
galera_mariadb_backups_compress
galera_mariadb_backups_compressor
Each backup archive is stored in a dedicated directory, alongside the backup metadata.
Catatan Upgrade¶
Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set
galera_mariadb_backups_compress
toTrue
. Choose a compression tool withgalera_mariadb_backups_compressor
, default isgzip
.
Perbaikan Bug¶
LXC image cache expiration mechanism has being fixed. Previously LXC images were valid forever.
Variables
haproxy_fall
andhaproxy_rise
are now respected again and will be used for defining amount of checks before haproxy will mark backend as UP or DOWN. Keysbackend_rise
andhaproxy_fall
that are set inside service definition are still respected and will have prescedence over global ones.
25.4.0¶
Catatan Upgrade¶
Due to OSSA-2023-003, value of
openstack_service_token_roles_required
has been changed totrue
. With that, major upgrades to Yoga release might struggle from prolonged dowtimes. Sensetive to API downtime environments can perform major upgrade to any prior release with subsequent minor upgrade that will enableopenstack_service_token_roles_required
and install safe versions of services. Other way around would be to manually create and assignservice
role to all "service" users.
Catatan Depresiasi¶
RabbitMQ packages are no longer provided by PackageCloud due to the upstream repository being no longer available after 2023-05-28. Installations will now utilize a community mirror of CloudSmith repositories for rabbitmq and erlang.
https://github.com/rabbitmq/rabbitmq-server/discussions/8386
Masalah keamanan¶
Includes SHA bumps for Nova, Cinder and Glance to cover OSSA-2023-003.
Perbaikan Bug¶
Fixes incorrect definition of ceilometer
polling_namespaces
, when host is part of both central and compute groups (ie metal/aio scenario)
Fixes the absence of
libvirtd.service
on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, they do not install libvirt-deamon as a dependency to libvirt-deamon-kvm anymore. libvirt-deamon is installed explicitly now.
25.3.1¶
Catatan lain¶
Erlang will is updated to version 25.0.4, RabbitMQ will be upgraded to version 3.10.7. This will also harmonize RabbitMQ/Erlang versioning for Debian Bullseye.
25.3.0¶
Fitur baru¶
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Catatan Upgrade¶
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Masalah keamanan¶
Erlang version was bumped to 24.3.4.7 to cover CVE-2022-37026 which has critical severity
This release includes SHA bump for Cinder, Nova and Glance that covers OSSA-2023-002 vulnarability (CVE-2022-47951).
25.2.0¶
Fitur baru¶
Support Rocky Linux 9 as a Deployment and Target host
Masalah Dikenal¶
As of today ceph community repository (download.ceph.com) does not provide packages for Ubuntu 22.04 (Jammy). Based on that OpenStack-Ansible does install ceph packages from distro-provided repositories. Thus, you can not control packages version that will be installed and ceph support should be considered as experimental.
Catatan Upgrade¶
Default MariaDB version is set to 10.6.10. When running minor upgrade don't forget to provide
-e galera_upgrade=true
to openstack-ansible command. With that MariDB version installed for CentOS 9 Stream, Rocky 9 and Ubuntu 22.04 will switch from distro provided version to 10.6.10 installed from MariaDB repository, which might be a major version upgrade.
25.1.0¶
Fitur baru¶
Implemented variables
rally_openstack_git_repo
andrally_openstack_git_install_branch
that allow to override installation source for rally-openstack package as well as control installed version of the package.
Catatan Upgrade¶
The RabbitMQ management interface surfaced via HAProxy defaults to using TLS from the Yoga release. Note that when using TLS the default port switches from 15672 to 15671. TLS can be disabled if required by adjusting 'rabbitmq_management_ssl'.
Perbaikan Bug¶
Wheels build for multi-arch and multi-distro setups is fixed. For that you still need to have set of venv_build_targets that will define targets for each operating system and architecture.
25.0.0¶
Fitur baru¶
Added variable uwsgi_tls which when added to a uwsgi_services item enables TLS for that service. uwsgi_tls is a dict and should contain 2 keys crt and key, which define the path to the certificate and its corresponding key respectively. The certificate file should contain any intermediate certificates required by a client to verify trust.
Introduces 3 new variables cinder_default_availability_zone, octavia_cinder_volume_size and octavia_cinder_volume_type. using these variables, enables Octavia to use different Cinder configurations.
UEFI boot support has been added. To migrate from Legacy BIOS mode, define boot_mode:uefi as a capability for baremetal nodes that support UEFI. In addition, corresponding flavor(s) will need to be created or modified to include boot_mode:uefi as a capability for scheduling to occur against UEFI nodes.
A new variable
centos_mirror_url
is introduced to the openstack_hosts role to allow a single deployment wide variable to control the location of the centos package mirror.
Ceph-ansible has been switched to version 6.0 and Ceph Pacific is used by default.
Added a support for both Credential Provider Mechanisms(dynamic credentials and pre-provisioned credentials).
Implemented variable
galera_data_dir
that control datadir for MariaDB databases. Defaults to /var/lib/mysql.
New variables
galera_tmp_dir
andgalera_ignore_db_dirs
were implemented to control path to tmp dir and what directories should be ignored when listing databases.
MariaDB now uses TLS encryption by default. Certificate will be issued and signed with internal CA using PKI role. Deployers can disable encrypting MariaDB connections by setting
galera_use_ssl: false
in their user_variables.yml Client certificates could be still provided and they will be distributed with PKI role as well.
A new variable openstack_hosts_apt_pinned_packages is added which allows deployment wide apt pins to be defined in user_variables. The variable defaults to pinning the UCA repository to a priority lower than the Ubuntu repositories for any binary packages generated from the ceph source package. The intention is to ensure that Ceph packages are always installed from the Ubuntu repositories, or alternatively the official ceph repositories if the ceph_client role is run later against a host. The ceph packages for a particular openstack release may not be the same version as those expected by the rest of openstack-ansible so this change ensures consistency in the deployed ceph version.
Implemented possibility to natively define
gnocchi_incoming_driver
separately fromgnocchi_storage_driver
. Default behaviour is that[incoming]
is left unconfigured which means[storage]
is used when gnocchi_incoming_driver and gnocchi_storage_driver are equal. Role will install incoming driver dependencies if required.To implement that following variables introduced:
gnocchi_storage_file_basepath
gnocchi_storage_swift_container_prefix
gnocchi_incoming_driver
gnocchi_incoming_file_basepath
gnocchi_incoming_swift_container_prefix
gnocchi_ceph_incoming_pool
gnocchi_ceph_incoming_username
Implemented variable
gnocchi_metricd_workers
that is designed to controll amount of gnocchi-metricd workers spawned. By default it is equal to number of CPU cores, but no more than 16 workers.
Variables
gnocchi_storage_redis_url
andgnocchi_incoming_redis_url
were added to manage redis connection if it's picked as an storage/incoming driver. Default value is redis://localhost:6379/ Please mention, that OpenStack-Ansible does not provide isntallation of Redis as of today.
Implemented variable
magnum_conductor_workers
that is designed to controll amount of magnum-conductor workers spawned. By default it is equal to number of CPU cores, but no more then 16 workers.
The
provider_networks
library has been updated to support the definition of bond member interfaces that can automatically be added as bond ports to OVS provider bridges setup during a deployment. This feature is currently limited to DPDK-based deployments. To activate this feature, add thenetwork_bond_interfaces
key to the respective provider network definition inopenstack_user_config.yml
. For more information, refer to the latest Open vSwitch w/ DPDK deployment guide.
Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable
neutron_vpnaas_custom_config
. deployers should defineneutron_vpnaas_custom_config
in 'user_variables.yml'. Example:neutron_vpnaas_custom_config: - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template" dest: "{{ neutron_conf_dir }}/strongswan.conf.template" - src: "/etc/openstack_deploy/strongswan/strongswan.d" dest: "/etc/strongswan.d" - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template" dest: "{{ neutron_conf_dir }}/ipsec.conf.template" - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template" dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
We should be also define
neutron_l3_agent_ini_overrides
in 'user_variables.yml' to telll3_agent
use the new config file. Example:neutron_l3_agent_ini_overrides: ipsec: enable_detailed_logging: True strongswan: strongswan_config_template : "{{ neutron_conf_dir }}/strongswan.conf.template" openswan: ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
New variables
nova_glance_rbd_inuse
andnova_glance_images_rbd_pool
have been implemented that allows deployer to easily configure nova to retrieve glance images from RBD directly, if nova uses local storage for ephemeral drives.
Introduced new variable
cinder_volume_usage_audit_send_actions_enabled
to allow the deployer to disable the send actions option in cinder-volume-usage-audit service unit. To have lowest possible footprint, the default value would be true to not change the behaviour of the cinder-volume-usage-audit in existing deployments.
New variables that provide better control over RabbitMQ management interface have been implemented:
rabbitmq_management_bind_tcp_port
rabbitmq_management_bind_tls_port
rabbitmq_management_ssl
Added variable
rabbitmq_init_overrides
that allows to control rabbitmq overrides that will be applied to the systemd service. Previously values were hardcoded without possibility for override.
Added variable
rabbitmq_manage_hosts_entries
that controls if rabbitmq_server role will attempt to adjust /etc/hosts file
The mechanism used previously to syncronise repo server contents between highly available sets of repo servers in a multinode deployment (lsyncd and rsync over ssh) is removed and replaced with a shared filesystem mount. This permits much easier support for multi operating system and multi processor architectures in the deployment when building and serving python wheels using the repo server. The default deployment will run a glusterfs server in each repo server host, and mount the glusterfs fileystem at /var/www/repo using the system_mount ansible role. If a deployment wishes to use an alternative external shared filesystem, the new variable openstack_repo_server_enable_glusterfs can be set to false and alternative mounts created by overriding the new repo_server_systemd_mounts variable. It is mandatory to use some type of shared filesystem for the repo server in all deployments.
Implemented variables
tempest_public_net_create
,tempest_private_net_create
,tempest_router_create
,tempest_images_create
,tempest_flavors_create
,tempest_projects_create
which allow to skip creating specific resources.
Allow to create templated services Now for systemd_services you are allowed to provide template_arguments, which can contain a list of arguments with which templated services would be created.
The HAProxy role now supports TLS v1.3 by default, alongside TLS v1.2.
A new 'ssl_cipher_suite_tls13' variable is added for global control of TLS v1.3 cipher suites.
Functionality of
venv_rebuild
has been adjusted to the correct scope. Now setting this variable to true will not trigger wheels rebuild - it will just remove and re-create your virtualenv. If you want to rebuild wheels, a new variablevenv_wheels_rebuild
has been implemented.
Masalah Dikenal¶
There's a known issue with upgrade to Ceph Pacific release prior to version 16.2.7. Please, make sure that 16.2.7 or later has been released before performing Ceph upgrade. Otherwise, override
ceph_stable_release: octopus
in your user_variables.yml
Catatan Upgrade¶
Existing use of the variable
openstack_hosts_centos_mirror_url
will continue to work as in previous releases, but the new variablecentos_mirror_url
can be used to define the mirror location for the whole deployment.
We have changed default values for variables related to database connection pooling. For some services(like nova) default pool sizes will be significantly lower, we have also decreased default connection_recycle_time to 10 minutes. It should not cause any issues, but we recommended to double check these values, especially for large environments.
The
octaiva_db_pool_size
variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.
The following keystone role variables were previously deprecated, and are now removed. Replacement variables were introduced in the Xena release.
keystone_database_pool_timeout
keystone_database_max_pool_size
keystone_database_idle_timeout
The
neutron_db_pool_size
variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.
The Yoga release of OpenStack-Ansible removes support for Ubuntu Bionic. Deployments should be upgraded from Bionic to Focal before or during the Xena release before upgrading to Yoga.
The Yoga release of OpenStack-Ansible removes support for Debian Buster. Deployments should be upgraded from Buster to Bullseye before or during the Xena release before upgrading to Yoga.
The Yoga release of OpenStack-Ansible removes support for Centos-8. Deployments should be upgraded from Centos-8 to an alternative supported operating system during the Xena release before upgrading to Yoga.
The use of the nginx package repository on RedHat derived operating systems is no longer required as there is a new enough version of the nginx package in the standard distro repos now. The variables
repo_centos_nginx_mirror
andrepo_centos_nginx_key
are removed from the repo_server role and no longer have any effect.
Galera will now additionally listen on port 3307 by default, with this port being used by the monitoring user to check cluster status. Ensure that any firewall rules permit access to this port before upgrading. If an 'extra_port' was already configured, ensure that any conflicting configuration is removed and set your preferred values via 'galera_monitoring_port' and 'galera_monitoring_max_connections'.
During upgrade password for
galera_monitoring_user_password
will be generated and set while running galera-server role. In case any third-party software relies on this user, it should be updated to use password. You can also override variable togalera_monitoring_user_password: ""
to not use password for auth and preserve previous behaviour.
If you have database named as
#tmp
you should changegalera_tmp_dir
path and adjustgalera_ignore_db_dirs
or rename database.
The new variable openstack_hosts_apt_pinned_packages is added to the openstack_hosts ansible role and sets the value of apt_pinned_packages for the apt_package_pinning role run as a dependancy of the openstack_hosts role. Existing use of the apt_pinned_packages variable by deployers in user_variables should be reviewed to ensure that those pins are applied by the intended ansible roles, and swapped to this new variable if necessary.
If you have defined
haproxy_tuning_params
in your deployment, make sure that before upgrade all keys are valid haproxy options. For example, instead ofchksize: 16384
you should settune.chksize: 16384
. Otherwise invalid config will be generated and haproxy will fail on startup. No upgrade scripts are provided for this change as well as no backwards compatability.
The keystone installation now uses ansible-role-pki to create and install a server certificate for Apache when keystone_ssl is true. The same role is also used to create a CA certificate and key for SAML federation when keystone_idp is populated by the deployer. For an existing keystone SAML setup the certificate and key will be re-created which may be undesirable, unless the existing ones are first copied to the relevant directories in
/etc/openstack_deploy/pki/roots
on the deploy host. The variableskeystone_ssl_self_signed_regen
andkeystone_ssl_self_signed_subject
are removed and are replaced with equivalent functionality via the newkeystone_pki_*
variables.
Keystone now uses common uwsgi role for uWSGI deployment. Along with that variable
keystone_services
has been extended with required arguments for uWSGI. If you override this variable locally make sure to update it's structure accordingly.
RabbitMQ was migrated to the new-style config, which resides in
/etc/rabbitmq/rabbitmq.conf
. Old configrabbitmq.config
will be removed during upgrade.
Cinder v2 API is now fully removed from Cinder service. With that os_cinder role ensures v2 endpoint is not present anymore in the catalog and remove endpoints if they're present.
The xinetd script and configuration to run the 'clustercheck' script is replaced with a systemd socket activated service.
The repo server hosts will stop and uninstall existing lsyncd and rsync services from the repo server hosts. This functionality will be replaced by default with a glusterfs shared filesystem. If a deployment uses a firewall on the control plane, the rules should be updated to allow the glusterfs traffic between the repo server hosts. Alternative external shared filesystems (eg NFS, cephfs, others) may be used if required and the new variables repo_server_systemd_mounts and openstack_repo_server_enable_glusterfs allow a deployment to override the default use of glusterfs.
Changed default value for
tempest_projects
variable. Now this list contains only one element 'tempest'. Previously it was 'demo' and 'alt_demo' which was quite confusing.
Catatan Depresiasi¶
OVN-related HAProxy configuration is deprecated and has been replaced with built-in clustering functionality. OVN-related endpoints will be completely removed in the Z release.
Vaiables
tempest_service_available_congress
andtempest_service_available_nova_lxd
have been removed and have no effect since corresponding services are not supported anymore.
Variable
nova_glance_api_servers
has been removed and has no effect due to corresponsive upstream api_servers being deprecated.
With the retirement of upstram Panko project, os_panko role has been deprecated. Panko service API endpoint will be removed during upgrade. If you want to preserve Panko API working, you should override haproxy_panko_api_service.
Following tempest related variables were deprecated and have no effect:
tempest_compute_ssh_user
tempest_compute_console_output_enabled
tempest_compute_resize_enabled
tempest_compute_snapshot_enabled
tempest_compute_change_password
tempest_image_api_v1_enabled
tempest_image_api_v2_enabled
tempest_swift_container_sync
tempest_swift_object_versioning
tempest_swift_discoverable_apis
tempest_volume_backup_enabled
tempest_volume_multi_backend_enabled
tempest_enable_instance_password
tempest_volume_backend_names
Variable
glance_nfs_local_directory
has been renamed toglance_images_local_directory
to better reflect purpose of the variable.glance_nfs_local_directory
remains for backwards compatability but will be removed in Zed release.
Variable
glance_nfs_client
has been replaced withglance_remote_client
. New variable has new keys for defining mounts to cover wider range of supported filesystems. Compatability forglance_nfs_client
has been kept until Zed release.
Variables
nova_external_ssl
andnova_secure_proxy_ssl_header
have been removed since secure_proxy_ssl_header option from nova.conf they controlled has been deprecated and has no effect.
variable
tempest_network_tenant_network_cidr
has been deprecated
variable
tempest_network_tenant_network_mask_bits
has been deprecated
variable
tempest_fatal_deprecations
has been deprecated
The variable 'keystone_ssl_cipher_suite' is deprecated in favour of 'keystone_ssl_cipher_suite_tls12' which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
The variable 'haproxy_ssl_cipher_suite' is deprecated in favour of 'haproxy_ssl_cipher_suite_tls12' which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
The variable 'ssl_cipher_suite' is deprecated in favour of 'ssl_cipher_suite_tls12' which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
The variable 'horizon_ssl_cipher_suite' is deprecated in favour of 'horizon_ssl_cipher_suite_tls12' which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
Masalah keamanan¶
The following security headers were added to the haproxy Horizon service: strict-transport-security, x-content-type-options, referrer-policy and content-security-policy. Care should be taken when deploying the strict-transport-security header, as this header implements Trust on First Use security, meaning that after a browser first visits the page the browser will enforce the use of HTTPS until the max age time has expired. For the time being the strict-transport-security preload token which indicates that you are happy to have your site included in the HSTS preload list that is built into browsers has been excluded. The headers can be disabled by setting haproxy_security_headers: [] and the CSP (Content Security Policy) for Horizon can be overridden to support things like federated login by setting haproxy_horizon_csp. There is the option to extend to all haproxy services in the future, but as the headers are only used by browsers there maybe limited benefit to doing this other than for keystone and console services.
Perbaikan Bug¶
Fixes a Content Security Policy error which prevented image uploads via the Horizon interface.
Fixed facts gathering when tags were provided with playbook run.
By default we increase
tune.maxrewrite
as otherwise while using CSP headers, their size could exceed allowed buffer. Also deployers can override this value if needed.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Do not duplicate records in /etc/hosts file by rabbitmq role when hosts file is already managed by OSA.
Catatan lain¶
Restriction on parameters that can be passed to
haproxy_tuning_params
has been released. This means, that any tuning parameter can be passed in key/value format.
Default source of rabbitmq and erlang packages has been switched to cloudsmith.io
Added new variable
tempest_endpoint_type
to avoid having endpoint type hardcoded in tempest.conf