Train Series Release Notes¶
20.2.0¶
Prelude¶
This is minor bugfix release that brings up overall improvements and bugfixes to the roles.
New Features¶
Added variable nova_scheduler_extra_filters which allows to extend list of defaulted nova_scheduler_default_filters
Added deployment of the keystone_auth_default_policy.json file for Magnum.
Added variables cinder_active_active_cluster and cinder_active_active_cluster_name that allow to explicitly enable or disable active/active feature, and set cluster name.
Upgrade Notes¶
String value of nova_scheduler_default_filters is converted to the list At the moment there is compatability for overriden values, that are string, but this support will be removed in the Wallaby release. So deployers are recommended to replace their string overrides with list ones.
Security Issues¶
MariaDB version updated to 10.3.25, which covers CVE-2020-2574
Bug Fixes¶
uWSGI service restart is now properly triggered upon service config change
Notifications are enabled now if either ceilometer or designate service is present in the inventory
Fixed ceph_client role for distro installs
Since Ubuntu has dropped older base images, which resulted in all previous tags being broken, we’ve switched to downloading always latest base image available. This should guarantee that we retrieve relevant images only.
20.1.2¶
New Features¶
Added support for using mod_auth_openidc instead of shibboleth as a service provider for supporting users who have a preference to use OIDC for federation. Mod_auth_openidc is the apache module that is recommended in the keystone documentation for implementing openidc. Added a variable to called apache_mod to keystone_sp, if left undefined shibboleth will continue to be installed by default provided keystone_sp is not empty. Mod_auth_openidc will not be installed unless it is spelled correctly, any misspellings will result in a shibboleth install. Note that installing shibboleth on Debian based metal distro deployments may break services that depend on libcurl4, as shib2 requires libcurl3, and they are unable to coexist. This can be resolved when there is a shib3 package available in a future release of Ubuntu/Debian. There is currently no support for simultaneous use of shibboleth2 and mod_auth_openidc.
Deprecation Notes¶
Fedora is no longer tested in CI for each commit.
20.1.1¶
New Features¶
Added variables magnum_cluster_templates and magnum_flavors which allow deployers to define coe cluster template and nova flavors creation during role execution. These variables may contain list of resources to add. All keys supported by appropriate ansible modules may be passed as items in the list.
20.1.0¶
New Features¶
Get ceph keyrings from files, if variable``ceph_keyrings_dir`` is defined the keyrings will be extracted from files. All files in the directory must have
.keyring
extention and be named with its correspondingceph_client
name. For example, ifcinder_ceph_client
iscinder
the cinder keyring file must be namedcinder.keyring
. Each file must contain username and the key and nothing more, below an example for cinder.keyring content.[client.cinder] key = XXXXXXXXXXX
20.0.2¶
Upgrade Notes¶
Variable libvirt_package in ceph_client role has been renamed to libvirt_packages and converted from string to a list.
20.0.0¶
New Features¶
Added new parameter
tempest_services
for setting tempest_service_available_{service_name} var automatically.
The ansible version used by OSA is updated from the 2.7 to the 2.8 series. This requires an upgrade of ceph-ansible to 4.0 and this in turn requires an upgrade of ceph from Mimic to Nautilus. This version dependancy applies where OSA uses ceph-ansible directly to deploy the ceph infrastructure, but not when OSA is integrated with an externally provisioned ceph cluster.
Each openstack service role has a new variable <role>_bind_address which defaults to 0.0.0.0. A global override openstack_service_bind_address may be used by a deployer either in group_vars or user_variables to define an alternative IP address for services to bind to. This feature allows a deployer to bind all of the services to a specific network, for example the openstack management network. In this release the default binding remains 0.0.0.0, and future releases may default the binding to the management network.
You can set a private repository for epel, you must use
repo_centos_epel_mirror
for the repo URL and if you need to get the GPG key from intranet or a mirror userepo_centos_epel_key
for gpg key location.
OpenStack-Ansible now support deployments on Debian 10 (buster)
Cinder is deployed with Active-Active enabled by default if you are using Ceph as a backend storage.
Passed –extra-vars flag to the openstack-ansible should have precedence over the user-variables*.yml now.
Added variable horizon_bind_address which defines IP address where Apache will listen on horizon_listen_ports
Add the possibility to disable openrc v2 download in the dashboard. new var
horizon_show_keystone_v2_rc
can be set toFalse
to remove the entry for the openrc v2 download.
The ceph_client role will now look for and configure manila services to work with ceph and cephfs.
The
os_masakari
role now covers the monitors installation and configuration, completing the full service configuration.
The override
rabbitmq_memory_high_watermark
can be used to set the maximum size of the erlang Virtual Machine before the garbage collection is triggered. The default is lowered to0.2
, from0.4
as the garbage collection can require 2x of allocated amount during its operation. This can result in a equivalent use of0.4
, resulting in 40% of memory usage, visible to the rabbitMQ container. The original default setting of0.4
can lead to 80% memory allocation of rabbitMQ, potentially leading to a scenario where the underlying Linux kernel is killing the process due to shortage of virtual memory.
The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the
octavia_install_method
variable todistro
.
Added 2 new varibles for all groups - oslomsg_notify_policies and oslomsg_rpc_policies. These variables contain default rabbitmq policies, which will be applied for every rabbitmq vhost. As for now they will enable [HA mode](https://www.rabbitmq.com/ha.html) for all vhosts. If you would like to disable HA mode just set these variables to empty lists inside your user_config.yml
Deployments will now default to using python3 when a python3 interpreter is present in the operating system. Each openstack-ansible role has a new variable for the form <role>_venv_python_executable which defaults to python2 but a global variable openstack_venv_python_executable in the openstack-ansible group variables sets this to python3 on supporting operating systems. This enables a deployer is to selectively use python2 or python3 on a per service basis if required. The ansible-runtime venv is also created using python3 on the deploy host if possible.
Several environment variables have been added in the bootstrapping functions used by the gate-check-commit script. These variables can be used to skip various phases of the bootstrap during the gate-check-commit or bootstrap-ansible script execution.
The environment variables added are:
SKIP_OSA_RUNTIME_VENV_BUILD
: Skip bootstrapping of the OSA ansible venv in bootstrap-ansible.shSKIP_OSA_BOOTSTRAP_AIO
: Skip execution of the bootstrap-aio playbook in gate-check-commitSKIP_OSA_ROLE_CLONE
: Skip execution of the get-role-requirements-playbook in the bootstrap-ansible.sh script
The
galera_server
role now uses mariabackup in order to complete SST operations due to the fact that this is the recommended choice from MariaDB.
The
galera_server
role now ships with the latest MariaDB release of 10.3.13.
All roles are migrated from usage of regular log files to systemd-journald
Deployers may require custom CA certificates installing on their openstack hosts or service containers. A new variable openstack_host_ca_certificates is added which is a list of certificates that should be copied from the deploy host to the target hosts. Certificates may be selectively deployed by defining the variable either in user_variables.yml or via host/group vars.
A new optional file /etc/openstack_deploy/user-role-requirements.yml is now available for a deployer to override individual entries in the upstream ansible-role-requirements file. This can be used to point to alternative repos containing local fixes, or to add supplementary ansible roles that are not specified in the standard ansible-role-requirements.
Known Issues¶
Due to a change in how backend_host is defined when using Ceph, all the Cinder volumes will restart under the same backend name. This will mean that any volumes which previously were assigned to the host or container that hosted the volume will no longer be managable. The workaround for this is to use the cinder-manage volume update_host command to move those volumes to the new backend host. This known issue will be resolved soon with an upgrade playbook.
The journald-remote is disabled from execution inside setup-infrastructure until https://github.com/systemd/systemd/issues/2376 has been incorporated in current systemd packages. The playbook can be enabled by setting
journald_remote_enabled
toTrue
The previous way of using a common backend_host across all deployments was not recommended by the Cinder team and it will cause duplicate messages that cause problems in the environment.
Upgrade Notes¶
Any ceph infrastructure components (OSDs, MONs etc) deployed using the OSA/ceph-ansible tooling will be upgraded to the Ceph Nautilus release. Deployers should verify that this upgrade is suitable for their environment before commencing a major upgrade to Train, and consult the ceph-ansible and ceph release notes for Nautilus. For integration with external ceph clusters where OSA does not deploy any of the ceph cluster infrastructure, overrides can be used to select the specific version of ceph repositories used by the OSA ceph_client ansible role.
Application credentials are now enabled by default as a keystone authentication method. If deployments do not wish to enable application credentials then the existing keystone_auth_methods variable can be overidden with the required set of authentication methods.
On OpenStack-Ansible Train release you should upgrade your Debian from 9 (stretch) to 10 (buster). Debian 9 support will be deprecated during the next release of OpenStack-Ansible (Ussuri).
The journald-remote playbook is disabled from execution inside setup-infrastructure until setting
journald_remote_enabled
is set toTrue
due to https://github.com/systemd/systemd/issues/2376
It is possible that you may need to use the cinder-manage command to migrate volumes to a specific host. In addition, you will have to remove the old
rbd:volumes
service which will be stale.
horizon_listen_ports variable was transformed to the dictionary with required keys http and https to have effect not only for apache ports.conf file, but also for the virtual host.
The rabbitMQ high watermark is set to
0.2
rather than0.4
to prevent possible OOM situations, which limits the maximum memory usage by rabbitMQ to 40% rather than 80% of the memory visible to the rabbitMQ container. The overriderabbitmq_memory_high_watermark
can be used to alter the limit.
The default nova console type has been changed to novnc. Spice is still supported however due to novnc being more actively maintained it is now a better default option.
New virtual environments will be created using python3, giving a straightforward transition from python2 to python3 during the major upgrade. The ansible-runtime virtual environment on the deployment host will also be upgraded from python2 to python3 where the operating system allows.
The default Mnesia
dump_log_write_threshold
value has changed to300
instead of100
for efficiency.dump_log_write_threshold
specifies the maximum number of writes allowed to the transaction log before a new dump of the log is performed. Increasing this value can increase the performances during the queues/exchanges/bindings creation/destroying. The values should be between 100 and 1000. More detail [1].[1] http://erlang.org/doc/man/mnesia.html#dump_log_write_threshold
The option rabbitmq_disable_non_tls_listeners has been removed in favor of setting the bind address and port configuration directly using a new option rabbitmq_port_bindings. This new option is a hash allowing for multiple bind addresses and port configurations.
The repo server no longer uses pypiserver, so it has been removed. Along with this, the following variables have also been removed.
repo_pypiserver_port
repo_pypiserver_pip_packages
repo_pypiserver_package_path
repo_pypiserver_bin
repo_pypiserver_working_dir
repo_pypiserver_start_options
repo_pypiserver_init_overrides
The following Nova tunables have been removed, users need to start using the nova_nova_conf_overrides dictionary to override them. If those values were not previously overridden, there should be no need to override them. - nova_quota_cores - nova_quota_injected_file_content_bytes - nova_quota_injected_file_path_length - nova_quota_injected_files - nova_quota_instances - nova_quota_key_pairs - nova_quota_metadata_items - nova_quota_ram - nova_quota_server_group_members - nova_quota_server_groups - nova_max_instances_per_host - nova_scheduler_available_filters - nova_scheduler_weight_classes - nova_scheduler_driver - nova_scheduler_driver_task_period - nova_rpc_conn_pool_size - nova_rpc_thread_pool_size - nova_rpc_response_timeout - nova_force_config_drive - nova_enable_instance_password - nova_default_schedule_zone - nova_fatal_deprecations - nova_resume_guests_state_on_host_boot - nova_cross_az_attach - nova_remove_unused_resized_minimum_age_seconds - nova_cpu_model - nova_cpu_model_extra_flags
The following Nova variables have been removed because they have no effect in the current release of Nova. - nova_max_age - nova_osapi_compute_workers - nova_metadata_workers
Tacker role now uses default systemd_service role. Due to this upstart is not supported anymore. Was added variable tacker_init_config_overrides, with wich deployer may override predifined options. Also variable program_override has no effect now, and tacker_service_names was removed in favor of tacker_service_name.
Gnocchi migrated from usage of Apache mod_wsgi or native daemon to uWSGI daemon. This means, that some variables are not available and has no effect anymore, specifically * gnocchi_use_mod_wsgi * gnocchi_apache_* * gnocchi_ssl* (except gnocchi_ssl_external - it’s still in place) * gnocchi_user_ssl_*
During upgrade process role will drop gnocchi_service_port from apache listeners (ports.conf) and gnocchi virtualhost, which by default means misconfigured apache service (since it won’t have any listeners) unless it’s aio build and this apache server is in use by other role/service. Apache server won’t be dropped from gnocchi_api hosts, so deployers are encoureged to remove it manually.
Panko migrated from usage of Apache mod_wsgi or native daemon to uWSGI daemon. This means, that panko_apache_* variables are not available and has no effect anymore.
During upgrade process role will drop panko_service_port from apache listeners (ports.conf) and panko virtualhost, which by default means misconfigured apache service (since it won’t have any listeners) unless it’s aio build and this apache server is in use by other role/service. Apache server won’t be dropped from panko_api hosts, so deployers are encoureged to remove it manually.
Deprecation Notes¶
In the
ceph_client
role, the only valid values forceph_pkg_source
are nowceph
anddistro
. For Ubuntu, the Ubuntu Cloud Archive apt source is already setup by theopenstack_hosts
role, so there is no need for it to also be setup by theceph_client
role.
The compression option in the
galera_server
role has been removed due to the fact that it is not recommended by MariaDB anymore. This means that all the dependencies from Percona such as QPress are no longer necessary.
The following variables have been removed because they are no longer used. *
galera_percona_xtrabackup_repo
*use_percona_upstream
*galera_xtrabackup_compression
*galera_server_percona_distro_packages
The variable
galera_xtrabackup_threads
has been renamed togalera_mariabackup_threads
to reflect the change in the SST provider.
The PowerVM driver has been removed as it is not tested and it has been broken since late 2016 due to the driver name being renamed to powervm_ext instead of powervm.
Support of the legacy neutron L3 tool has been dropped. Deployers are appreciated to use built-in l3-agent options for configuring HA.
The deprecated Neutron LBaaS v2 plugin has been removed from the Neutron role.
The deprecated Neutron LBaaS v2 plugin support has been removed from openstack-ansible.
nova-placement-api has been removed from the os_nova role, along with all nova_placement_* variables. Please review the os_placement role for information about how to configure the new placement service.
The nova-lxd driver is no longer supported upstream, and the git repo for it’s source code has been retired on the master branch. All code for deploying or testing nova-lxd has been removed from the os_nova ansible role. The following variables have been removed:
nova_supported_virt_types ‘lxd’ list entry
nova_compute_lxd_pip_packages
lxd_bind_address
lxd_bind_port
lxd_storage_backend
lxd_trust_password
lxd_storage_create_device
Removal of the magnum module. Please use the ansible native module ‘os_coe_cluster_template’. More information: https://docs.ansible.com/ansible/latest/modules/os_coe_cluster_template_module.html This module was not used in the openstack repos therefore no updates were required.
Removal of the netloc, netloc_no_port and netorigin filters. Please use the urlsplit filter instead. All usages of the deprecated filters in openstack repos have been updated.
The
py_pkgs
andpackages_file
Ansible lookups are no longer used in OSA and have been removed from the plugins repository.
Due to usage of systemd-journald mapping of /openstack/log/ to /var/log/$SERVICE is not present anymore. Also rsyslog_client role is not called for projects since logs are stored in journald. Also variables like service_log_dir are not supported anymore and have no effect.
Bug Fixes¶
ceilometer-polling services running on compute nodes did not have the polling namespace configured. Because of this they used the default value of running all pollsters from the central and compute namespaces. But the pollsters from the central namespace don’t have to run on every compute node. This is fixed by only running the compute pollsters on compute nodes.
The RyuBgpDriver is no longer available and replaced by the OsKenBgpDriver of the neutron_dynamic_routing project.