Zed Series Release Notes¶
26.5.2¶
Perbaikan Bug¶
Change of
horizon_webroot
variable is now respected and will be reflected in Apache configuration to serve static files and define wsgi path accordingly.
26.5.0¶
Fitur baru¶
Add
rabbitmq_additional_config
to be able to add additional configuration e.g. to add configuration for plugins.
Perbaikan Bug¶
After adding
localhost
to inventory explicitly this resulted in potential FQDN change due to adding a record for localhost into managed block inside/etc/hosts
file. This is now fixed and record for127.0.0.1
will be removed from managed by Ansible blocks inside /etc/hosts file.
26.4.0¶
Catatan Upgrade¶
Keystone OIDC parameter 'oidc_redirect_uri' is replaced with 'oidc_redirect_path'. This parameter no longer needs to be set explicitly unless you run additional services which may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in redirect URI which defaults to the Keystone public URL plus the path /oidc_redirect.
Perbaikan Bug¶
Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc if >= v2.4.9 including on Ubuntu Jammy.
Catatan lain¶
The
localhost
target was explicitly added to OSA inventory due to bug #2041717. As a result, the 'all' group now contains localhost, and custom playbooks targeting 'all' may need adjustment, e.g.:hosts: all:!localhost
26.3.0¶
Fitur baru¶
Added variables
galera_backups_full_init_overrides
andgalera_backups_increment_init_overrides
that can be leveraged to override default set of systemd unit file for mariadb backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc .
Catatan Depresiasi¶
nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.
Perbaikan Bug¶
Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.
26.2.0¶
Fitur baru¶
Implemented variable
lxc_image_cache_expiration
that controlls for how long cached LXC image will be valid. Default value is 1year. Variable format should be compatible with community.general.to_time_unit filter.
Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool.
--compress=True|False
--compressor=<compressor>
Also introduces new Ansible variables that control the above mentioned parameters.
galera_mariadb_backups_compress
galera_mariadb_backups_compressor
Each backup archive is stored in a dedicated directory, alongside the backup metadata.
Catatan Upgrade¶
CentOS/Rocky linux deployments will get major update of OVS version from 2.17 to 3.1 and OVN from 22.12 to 23.03. RDO has stopped building packages for previous OVS/OVN versions which means they will not recieve any upstream bugfixes or security patches.
If you still want to preserve old versions of OVS/OVN, you can define a following variable:
openstack_hosts_package_repos: - name: rdo-deps file: rdo-deps description: rdo-deps baseurl: "{{ openstack_hosts_rdo_deps_url }}" gpgcheck: no module_hotfixes: yes exclude: - '*rdo-openvswitch*3.1*' - '*rdo-ovn*3.1*'
Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set
galera_mariadb_backups_compress
toTrue
. Choose a compression tool withgalera_mariadb_backups_compressor
, default isgzip
.
Perbaikan Bug¶
LXC image cache expiration mechanism has being fixed. Previously LXC images were valid forever.
26.1.2¶
Catatan Depresiasi¶
RabbitMQ packages are no longer provided by PackageCloud due to the upstream repository being no longer available after 2023-05-28. Installations will now utilize a community mirror of CloudSmith repositories for rabbitmq and erlang.
https://github.com/rabbitmq/rabbitmq-server/discussions/8386
Masalah keamanan¶
Includes SHA bumps for Nova, Cinder and Glance to cover OSSA-2023-003.
Perbaikan Bug¶
Fixes incorrect definition of ceilometer
polling_namespaces
, when host is part of both central and compute groups (ie metal/aio scenario)
Fixes the absence of
libvirtd.service
on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, they do not install libvirt-deamon as a dependency to libvirt-deamon-kvm anymore. libvirt-deamon is installed explicitly now.
26.0.1¶
Masalah keamanan¶
This release includes SHA bump for Cinder, Nova and Glance that covers OSSA-2023-002 vulnarability (CVE-2022-47951).
Perbaikan Bug¶
Fixed issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts for OVN scenario along with neutron-ovn-metadata-agent. These services will be disabled and masked for existing environments. Manual clean-up of systemd services and correpsonsive neutron agents is still needed. New deployments won't have these services deployed from the beginning.
26.0.0¶
Prelude (pendahuluan)¶
Default neutron plugin has been switched from LinuxBridge to OVN. This is effective for all new deployments. At the same time OpenStack-Ansible does not provide any in-house tooling for completing upgrade from ml2.lxb to ml2.ovn. Please, reffer to upgrade section for more details on how to upgrade OpenStack-Ansible.
Fitur baru¶
Added
zookepeer
role which deploys zookeeper cluster that can be used as a coordination driver for services like cinder, designate, octavia, etc. For deployment you need to specifycoordination_hosts
in your conf.d or openstack_user_config.yml and runzookeeper-install.yml
playbook.
Added following variables that are designed to control coordination configuration. Reasonable defaults are set for services to work out of the box.
coordination_driver
coordination_group
coordination_client_ssl
coordination_verify_cert
coordination_port
Also each service that uses coordination have following variables defined:
<service>_coordination_enable
<service>_coordination_url
Additional user-specified username and password pairs can now be set up during the Galera installation process by defining them in the 'galera_additional_users' list.
Added variables
haproxy_bind_external_lb_vip_interface
andhaproxy_bind_internal_lb_vip_interface
that allows deployer to bind haproxy on the specific interface only.
Added variable
haproxy_tls_vip_binds
that allows to fully override haproxy bindings, that are generated by the role if some assumptions are not valid for some scenarios. It is list of mappings, that include address and interface. Interface key is optional and can be ommited.
New variables have been added to manage used cache backends:
openstack_cache_backend
: defines driver, that will be used for caching. Default: oslo_cache.memcache_poolopenstack_cache_backend_map
: maps selected backend to the oslo driver that should be installed and configured for it.
Added variable
ceph_cluster_name
that allows ceph_client role to work with clusters that have non-default cluster name. It defaults toceph
.
A new variable
haproxy_stick_table
can be defined to apply a customised stick-table to all backends on the loadbalancer. In addition,haproxy_stick_table
can be set in each service definition to have a customised stick-table for a particular backend.
Added variable
openstack_host_custom_hosts_records
that allows deployer to add custom records to /etc/hosts file. It's structure a simple list where each element is a string wich should be placed to /etc/hosts.
The os_ironic ansible role can now upload the ironic deploy image to glance. Several new variables are defined as ironic_deploy_image_* which control this. It is possible to disable the upload to glance and also to specify custom locations to stage the images from if required.
Add merge with
haproxy_<service>_overrides
variables (e.g.:haproxy_cloudkitty_api_service
), which can be used for partial overrides for haproxy services configurations.
The ability to define trusted Cross-Site Request Forgery domains hsa been added with the horizon_ssl_csrf_trusted_origins variable. The new variable is a array of strings and when defined will render the django built-in variable CSRF_TRUSTED_ORIGINS.
https://docs.djangoproject.com/en/4.1/ref/settings/#csrf-trusted-origins
Horizon now has the ability to run directly from uWSGI. To support this feature the new Boolean variable horizon_use_uwsgi has been added. The new variable, when set to true, will omit the apache2 install process and instead run horizon from a uWSGI process leveraging a systemd service file.
Add
keepalived_instances_overrides
variable, which allows passing custom options forkeepalived_instances
.
The keystone role now supports the option keystone_use_uwsgi, which will allow deployers the ability to run keystone via uWSGI without needing the apache webserver. When the keystone_use_uwsgi option is enabled, it will setup the uWSGI process on port 5000.
The lxc_hosts role now supports the ability to omit lxc network interface deployment. The option lxc_net_managed is a Boolean operator and defaults to true. When this option is set to false the role will not deploy an interface file or attempt to manage the state of the interface.
Add
mistral_api_use_uwsgi
which allows running mistral-api service without uWSGI (set to true by default).
You can configure options for dnsmasq by adding those to the newly introduced
neutron_dhcp_config_list
list. This helps to configure e.g.no-negcache
to get around https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1974230.
A new variable nova_ironic_console_type is added to enable the deployment of one of the nova console proxies in the ironic_console ansible group. The only supported setting at this time is disabled or serialconsole.
With adding zookeeper as coordination backend Octavia will be configured to use amphorav2 as default provider driver. This will result in creating a new database and jobboard configuration. You can control database name with variable
octavia_galera_persistence_database
and existing octavia db user will be granted ALL permissions to that database.
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
OVN is now protected via SSL. you can disable it via neutron_ovn_ssl. It is not supported to switch from non-ssl to ssl.
Implemented variables
rally_openstack_git_repo
andrally_openstack_git_install_branch
that allow to override installation source for rally-openstack package as well as control installed version of the package.
Add parameters
galera_mariadb_backups_full_randomized_delay_sec
andgalera_mariadb_backups_incremental_randomized_delay_sec
to run the systemd timers for mariabackup with a randomized delay. This is useful if backups are done of more than one node to avoid running it at the exact same time.
Support Rocky Linux 9 as a Deployment and Target host
Now you can define
execstartpres
andexecstopposts
keys for the systemd_services structure. They will allow to define pre-start and post-stop service executables and must be defined as lists.
Added possibility to source environment variables from a user file that will have prescedence over all environemnt variables loaded after openstack-ansible.rc and have prescedence over all variables defined there By default path to the user file is
/etc/openstack_deploy/user.rc
.
Default
ansible-core
version has been switched to 2.13 series
ceph-ansible
version has been switched to v7 series
Default ceph version has been switched to Quincy
Masalah Dikenal¶
As of today ceph community repository (download.ceph.com) does not provide packages for Ubuntu 22.04 (Jammy). Based on that OpenStack-Ansible does install ceph packages from distro-provided repositories. Thus, you can not control packages version that will be installed and ceph support should be considered as experimental.
Catatan Upgrade¶
If you are using cinder in active/active mode (ie with Ceph backend), it's highly recommended to define
coordination_hosts
before upgrade to deploy zookeeper coordination cluster which is required for proper work of cinder active/active mode.
A default stick-table was previously applied to all backends by default but did not have any specific purpose. This is now removed, and the variable
haproxy_stick_table
should be used to supply a list of config lines to be applied to each backend to control stick-table functionality.
The variables ironic_inspector_ipa_initrd_name and ironic_inspector_ipa_initrd_name are removed from the os_ironic role and more flexible functionality is now provided with the ironic_deplo_image_* variables. Review any overrides you have for the ironic service and adjust these new variables if necessary.
Along with
mistral_api_use_uwsgi
,cron_trigger.enabled
would be set to false by default, disabling Cron Triggers on all existing installations as per suggestion.
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
With marking ML2/LinuxBridge driver as 'Experimental' in the upstream Neutron project OpenStack-Ansible has switched a default mechanism driver to ML2/OVN. In order to upgrade any existing deployment that was relying on defaults to the new OpenStack-Ansible version you must ensure that following variables are defined explicitly to ensure parity with existing functionality:
neutron_plugin_type: ml2.lxb neutron_ml2_drivers_type: "flat,vlan,vxlan,local" neutron_plugin_base: - router - metering
Failure to define any of these variables will result in playbook failures and neutron misconfiguration.
We have covered this step with upgrade script that will create a
user_neutron_migration.yml
file with assumed defaults.
OVN is now configured with SSL enabled by default, upgrading existing ovn deployment is not tested. When upgrading it might be wise to set neutron_ovn_ssl to false and manage the ssl configuration at a later stage.
The RabbitMQ management interface surfaced via HAProxy defaults to using TLS from the Yoga release. Note that when using TLS the default port switches from 15672 to 15671. TLS can be disabled if required by adjusting 'rabbitmq_management_ssl'.
Since Yoga release
service
role is being assigned to all service users. Though, service_token_roles_required was set toFalse
for upgrade purposes. Nowservice_token_roles_required
is set toTrue
by default. If you still want to preserve old behaviour, you can defineopenstack_service_token_roles_required: False
in your user_variables.
Catatan Depresiasi¶
The pxe_append_params configuration option has been deprecated by Ironic and replaced with kernel_append_params. The corresponding configuration override, ironic_pxe_append_params, has been replaced by ironic_kernel_append_params but will continue to be supported until a future undetermined release.
Variable
nova_memcached_servers
has been deprecated and replaced withnova_cache_servers
that defaults tomemcached_servers
. For backpwards compatabilitynova_memcached_servers
is still respected but will be removed in future releases.
Roles
rsyslog_client
andrsyslog_server
are deprecated and removed from OpenStack-Ansible. Since Train service were configured to save logs in journald instead of regular log files. Journald from containers passed to hosts, so you can read and manipulate logs from metal hosts. Journald can be transformed and collected by many tools, including rsyslog. At the same time rsyslog is not ideal as it stores data in plain text, which is hard to index and search later, while journald has is structured so logs can be consumed way more efficiently with other tools. You can also check out our ELK role from OPS repository as alternative.
Perbaikan Bug¶
Wheels build for multi-arch and multi-distro setups is fixed. For that you still need to have set of venv_build_targets that will define targets for each operating system and architecture.
Variables
haproxy_fall
andhaproxy_rise
are now respected again and will be used for defining amount of checks before haproxy will mark backend as UP or DOWN. Keysbackend_rise
andhaproxy_fall
that are set inside service definition are still respected and will have prescedence over global ones.
Mistral Cron Triggers do not create Workflow Executions, when mistral-api service runs within uWSGI, so we introduce
mistral_api_use_uwsgi
which bounds Cron Trigger service status with Mistral API execution environment.
Catatan lain¶
File
/etc/openstack_deploy/openstack_hostnames_ips.yml
is not used anymore and can be safely removed from your deployment configuration.
external_lb_vip_address
was added to the default value forglance_cors_allowed_origin
regardless of other variables.
Default value for
glance_show_multiple_locations
has changed to False, regardless of other variables.
When the option horizon_use_uwsgi is enabled, operators need to be aware that not all horizon capabilities will be present. The minimal uSGI process is just that, minimal, and not full featured. If the deployment requires full featured capabilities, the apache based deployment should remain enabled.
The keystone role can now has the ability to run a minimal uWSGI process for keystone when the option keystone_use_uwsgi is set true. This feature provides operators the ability to run a minimal install without apache. While the minimal deployment is functional, it is not featureful. Things like modshib and oath are not supported when running the minimal setup.
Implemented
tempest_extra_plugins
variable which allows to define extra tempest plugins without overriding the whole tempest_plugins list.