Wallaby Series Release Notes
23.4.0
New Features
Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable neutron_vpnaas_custom_config. Deployers should define neutron_vpnaas_custom_config in ‘user_variables.yml’. Example:

    neutron_vpnaas_custom_config:
      - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
        dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
      - src: "/etc/openstack_deploy/strongswan/strongswan.d"
        dest: "/etc/strongswan.d"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
        dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
        dest: "{{ neutron_conf_dir }}/ipsec.secret.template"

Deployers should also define neutron_l3_agent_ini_overrides in ‘user_variables.yml’ so that the l3_agent uses the new config files. Example:

    neutron_l3_agent_ini_overrides:
      ipsec:
        enable_detailed_logging: True
      strongswan:
        strongswan_config_template: "{{ neutron_conf_dir }}/strongswan.conf.template"
      openswan:
        ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
Implemented the variables rally_openstack_git_repo and rally_openstack_git_install_branch, which allow overriding the installation source of the rally-openstack package as well as controlling the installed version of the package.
Security Issues
MariaDB has been updated to version 10.5.16 by default. This covers the following CVEs:
Other Notes
The default source of rabbitmq and erlang packages has been switched to cloudsmith.io.
23.3.0
New Features
Introduced the new variable cinder_volume_usage_audit_send_actions_enabled to allow the deployer to disable the send actions option in the cinder-volume-usage-audit service unit. To have the lowest possible footprint, the default value is true, so the behaviour of cinder-volume-usage-audit in existing deployments does not change.
Added the variable rabbitmq_manage_hosts_entries, which controls whether the rabbitmq_server role will attempt to adjust the /etc/hosts file.
Bug Fixes
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
The rabbitmq role no longer duplicates records in the /etc/hosts file when the hosts file is already managed by OSA.
23.2.0
Upgrade Notes
For Ubuntu Focal (20.04), the UCA repository will be added during a minor upgrade. For deployments using the distro install method this will result in a major OpenStack version upgrade.
Bug Fixes
Fixed an inconsistency in haproxy_frontend_raw key naming between the documentation and the service template. Previously, template generation was expecting haproxy_raw instead of haproxy_frontend_raw.
The Ubuntu Cloud Archive (UCA) repo was not being added properly for Ubuntu 20.04 setups.
23.1.1
Security Issues
This release eliminates the following security issues:
OSSA-2021-005: https://security.openstack.org/ossa/OSSA-2021-005.html
OSSA-2021-006: https://security.openstack.org/ossa/OSSA-2021-006.html
23.1.0
Bug Fixes
This release addresses an issue which could cause wheels to fail to be built when upgrading from one operating system to another. Upgrading to this release is recommended before attempting an operating system upgrade.
23.0.0
Prelude
Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups. Now the OVS agent includes an optional firewall driver that natively implements security groups as flows in OVS rather than the Linux bridge device and iptables. This increases scalability and performance.
New Features
Implemented the openstack_hosts_package_manager_extra_conf variable. It allows adding extra content into the package manager’s configuration (works with apt, yum and dnf).
Add support for encryption of databases. This is disabled by default and can be enabled by setting galera_mariadb_encryption_enabled to true. For now only the file_key_management encryption plugin is supported. You can override encryption options with galera_encryption_overrides. The role creates galera_db_encryption_keys for you if they are not specified. To specify your own encryption keys, provide them like this:

    galera_db_encryption_keys: |
      1;5bbc03648be8db3d2087815717eabdec9fbc310f2b7fd53705b36fbdc80333e3
      2;5bbc03648be8db3d2087815717eabdec9fbc310f2b7fd53705b36ebdc80333e3
Added the variable blazar_policy_overrides, which allows deploying a policy.yaml file with the provided overrides for the Blazar service.
Added experimental support for Debian Bullseye. Deployment path with distro packages is not available at the moment.
In deployments where a separate host is used to manage the OpenStack Ansible configuration, the ‘/etc/hosts’ file on that host will now include a section adding hostname to IP resolution for all hosts in the inventory. This can be enabled/disabled via ‘openstack_host_manage_deploy_hosts_file’.
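The deploy-host hosts file section described above, and the rabbitmq-role fix in 23.3.0 that stopped duplicating /etc/hosts records, both come down to managing one block of a file idempotently. The following is an added example, not openstack-ansible code: it keeps inventory entries between two marker lines, replaces the block in place on re-runs, and refuses to touch a file whose markers are damaged. The marker text and the inventory are constructed for this example.

```python
# Added example (not openstack-ansible code): maintain a marker-delimited block of
# "ip hostname" entries in /etc/hosts content without ever duplicating records.
import ipaddress

BEGIN = "# BEGIN MANAGED HOSTS (example marker)"
END = "# END MANAGED HOSTS (example marker)"


def render_block(inventory):
    """One 'ip hostname' line per host, sorted so repeated runs produce no diff."""
    lines = [BEGIN]
    for name, ip in sorted(inventory.items()):
        ipaddress.ip_address(ip)  # fail early on a malformed address
        lines.append(f"{ip} {name}")
    lines.append(END)
    return "\n".join(lines) + "\n"


def merge_hosts(existing, inventory):
    """Return new file content with the managed block appended or replaced."""
    block = render_block(inventory)
    lines = existing.splitlines(keepends=True)
    starts = [i for i, l in enumerate(lines) if l.strip() == BEGIN]
    ends = [i for i, l in enumerate(lines) if l.strip() == END]
    if not starts and not ends:
        if existing and not existing.endswith("\n"):
            existing += "\n"
        return existing + block
    if len(starts) != 1 or len(ends) != 1 or ends[0] < starts[0]:
        raise ValueError("managed block markers are missing or malformed")
    return "".join(lines[:starts[0]]) + block + "".join(lines[ends[0] + 1:])


# Constructed sample input
BASE = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n"
INVENTORY = {"infra1": "172.29.236.11", "compute1": "172.29.236.21"}

if __name__ == "__main__":
    once = merge_hosts(BASE, INVENTORY)
    print(once, end="")
    print("idempotent:", merge_hosts(once, INVENTORY) == once)
```

Lines outside the markers are passed through untouched, so entries a deployer maintains by hand survive, while a host that leaves the inventory disappears from the block on the next run instead of lingering as a stale record.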
Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. On compute and network nodes this previously took a significant amount of time, and gathering minimal facts will speed this up. Facts are instead gathered for interfaces specified in provider_networks for the storage, overlay and management networks.
Added the variable security_rhel7_enable_aide, which is designed to avoid installation and initialization of the aide-related STIGs.
Added the variable glance_image_cache_stall_time to control the glance cache time if needed. Defaults to 86400.
Added the new variable haproxy_hatop_install, which allows conditionally enabling or disabling hatop installation.
Created a series of variables haproxy_*_service that contain the haproxy configuration block specific to each service. This allows deployers to selectively adjust the haproxy frontend/backend configuration for a specific service only, without the need to override the whole haproxy_default_services.
Implemented horizon WEBSSO auto redirects. The following new variables were added to manage the redirect configuration:
horizon_websso_default_redirect
horizon_websso_default_redirect_region
horizon_websso_default_redirect_logout
New variables ‘keepalived_internal_ping_address’ and ‘keepalived_external_ping_address’ allow deployments to decouple liveness checks for HAProxy accessibility via internal and external networks. The previous ‘keepalived_ping_address’ variable is maintained for backwards compatibility.
Added the variable galera_init_overrides, which can be leveraged to override the default set of systemd unit files for mariadb. This also brings a requirement on the systemd_service role.
Added the variables masakari_monitor_corosync_multicast_ports and masakari_monitor_corosync_ipmi_check, which allow defining the ports used by the corosync service and enabling IPMI checks in case the ipmi RA is set in pacemaker.
In order to use dedicated net nodes, overriding env.d is no longer required. Deployers can set network-infra_hosts to their infra (LXC) hosts and network-agent_hosts to their net nodes inside their openstack_user_config.yml or conf.d files.
Re-added the nova_dhcp_domain variable, which defaults to dhcp_domain. When set to an empty string, only the hostname without a domain will be configured for the instances.
You can override the default iptables_hybrid firewall driver for Open vSwitch by setting neutron_firewall_driver: openvswitch.
A new ansible role (ansible-role-pki) is introduced to manage the creation of server certificates and certificate authorities. A self signed Root CA and Intermediate CA are created on the deploy host and are used to provide TLS for RabbitMQ, and with the default configuration also a self-signed server certificate for HAProxy. A set of new variables with the prefix openstack_pki_* are introduced which allow a deployer to customise and extend the set of certificate authorities which are created. Root certificate authorities are installed into the trust store of all hosts and containers allowing a complete trust chain to be formed across the deployment which has never previously been possible.
The repository server can now retrieve and cache upper-constraints files and serve them as required to pip during the build of python wheels. By default the relevant version of upper-constraints will be downloaded once from https://releases.openstack.org/constraints/upper/, or the url in a new override user_requirements_git_url. Additional constraints files can be placed in /etc/openstack_deploy/upper-constraints on the deploy host and these will be copied to the repo server and will be available to reference in other overrides such as magnum_upper_constraints_url. This is useful if deploying a different branch of a service such as magnum/master onto a deployment of openstack/victoria. If the target hosts are in an air-gapped environment, setting requirements_git_repo to an empty string will disable downloading of upper-constraints to the repo server and rely on the deployer providing suitable copies of upper-constraints in through the deploy host /etc/openstack_deploy/upper-constraints directory.
The new variable openstack_ca_bundle_path has been added, which defines the path to the ca-bundle certificate containing all system-trusted CAs; it will be used by the Python Requests module.
Added the variable openstack_systemd_global_overrides, which defines some defaults for all systemd services. It will be deployed to all hosts and containers, but can be controlled with group_vars or host_vars as well if needed.
Added an option to mount s3fs with systemd as a shared filesystem. The type should be stated as ‘fuse.s3fs’, and the extra key ‘credentials’ should be set for systemd_mounts. The S3 url should be placed in the options. Please follow https://github.com/s3fs-fuse/s3fs-fuse#examples for docs regarding s3fs.
Added new variable haproxy_stick_table_enabled to haproxy_service_configs, that allows you to conditionally enable or disable the default stick-table.
Added the systemd_overrides and systemd_overrides_only keys to the systemd_services dictionary. With the help of systemd_overrides you can define systemd native overrides, which will be placed in /etc/systemd/system/service_name.service.d/overrides. systemd_overrides_only indicates that no service_name.service unit should be created and only the overrides should be written.
Added sockets key to configure systemd-sockets for the systemd service.
Added the variable keepalived_sysctl_tcp_retries, which controls the number of retries the kernel makes before giving up on a connection. It controls the net.ipv4.tcp_retries2 sysctl setting, whose default value is 15. The default value of keepalived_sysctl_tcp_retries is 8, so VIP failover time will be ~1min. Setting keepalived_sysctl_tcp_retries to 0 will remove the mentioned sysctl setting.
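To see why lowering tcp_retries2 shortens the time a client stays stuck on a connection to an old VIP holder, the kernel's own timeout model is reproduced here as an added example (not code from the keepalived role). Linux treats tcp_retries2 as a time budget rather than a plain count: in tcp_model_timeout() in net/ipv4/tcp_timer.c the retransmission timeout starts at TCP_RTO_MIN (200 ms), doubles on each retry and is capped at TCP_RTO_MAX (120 s). The default of 15 yields the 924.6 s quoted in the kernel sysctl documentation; the role's default of 8 yields 102.2 s. The constants below are the kernel defaults, and the table of candidate values is constructed for this example (0 is excluded because the role treats it as "remove the sysctl").

```python
# Added example (not keepalived-role code): the Linux model of how long an
# established connection keeps retransmitting before it is torn down, as a
# function of net.ipv4.tcp_retries2. Mirrors tcp_model_timeout() in
# net/ipv4/tcp_timer.c for the non-SYN case (rto_base = TCP_RTO_MIN).
TCP_RTO_MIN_MS = 200
TCP_RTO_MAX_MS = 120_000


def tcp_model_timeout_ms(boundary, rto_base_ms=TCP_RTO_MIN_MS, rto_max_ms=TCP_RTO_MAX_MS):
    """Milliseconds after which `boundary` retransmissions are considered timed out.

    The RTO doubles each retry (a sum of 2^0 .. 2^boundary times rto_base) until
    it would exceed rto_max; every retry past that point costs rto_max flat.
    """
    # ilog2(rto_max / rto_base): number of doublings before the cap is reached
    linear_backoff_thresh = (rto_max_ms // rto_base_ms).bit_length() - 1
    if boundary <= linear_backoff_thresh:
        return ((2 << boundary) - 1) * rto_base_ms
    return ((2 << linear_backoff_thresh) - 1) * rto_base_ms + (
        boundary - linear_backoff_thresh
    ) * rto_max_ms


def failover_table(values=(15, 8, 5)):
    """Map candidate keepalived_sysctl_tcp_retries values to seconds of hang time."""
    return {v: tcp_model_timeout_ms(v) / 1000 for v in values}


if __name__ == "__main__":
    for retries, secs in failover_table().items():
        print(f"tcp_retries2={retries:2d}: stale connections linger ~{secs:.1f}s "
              f"({secs / 60:.1f} min)")
```

The value is a lower bound on the real behaviour, since the live RTO is never below TCP_RTO_MIN; it is also a host-wide setting, so the shorter budget applies to every TCP connection on the HAProxy/keepalived node, not only to traffic on the VIP.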
Added guest image upload functionality into the Trove role. In order to use this functionality, you need to define the trove_guestagent_images variable, which may contain a list of images that are required for upload, and set the required tags for them.
Added the variable trove_management_security_groups to set the list of security groups that will be applied to the management interface of Trove guest instances.
Added the following variables to control the endpoint types that trove will search for in the catalog:
trove_service_endpoint_type
trove_service_neutron_endpoint_type
trove_service_cinder_endpoint_type
trove_service_nova_endpoint_type
trove_service_glance_endpoint_type
trove_service_swift_endpoint_type
trove_guest_endpoint_type
Added the following variables to control when to add specific service blocks to the config file and enable support for these services:
trove_swift_enabled
trove_designate_enabled
trove_cinder_enabled
Added the following variables to ease designate integration with trove:
trove_dns_domain_name
trove_dns_domain_id
trove_notifications_designate
Added Trove guest specific variables to be able to use a standalone rabbitmq, while the default behaviour still lets guests use trove_container_net_name for rabbitmq servers:
trove_guest_oslomsg_rpc_hostgroup
trove_guest_oslomsg_notify_hostgroup
Adds a ‘zun-docker-cleanup’ script to the Zun compute virtualenv which can be used to clean up cached Docker images held on compute hosts. This can be run on a timer by setting the ‘zun_docker_prune_images’ variable or executed manually by adding ‘--force’ to the script.
Added the variable zun_policy_overrides, which allows deploying a policy.yaml file with the provided overrides for the Zun service.
Known Issues
Where a single OSA deploy host is used to manage multiple deployments, some delegated Ansible tasks are performed using hostnames rather than IP addresses due to Ansible issue 72776. Hostnames such as ‘infra1’ will be ambiguous, so use of separate hosts for each deployment is recommended.
Upgrade Notes
Adds the subnet_dns_publish_fixed_ip option extension in the ml2 plugin. The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs.
In order to accommodate Centos-8 Stream support, it is necessary to require a minimum Centos-8 Classic version of 8.3. There are breaking changes between Stream and Classic versions prior to 8.3 which break ansible code that detects major/minor versions of Centos. Before upgrading to Wallaby, deployers should ensure that their Centos hosts are updated to 8.3.
The variable cinder_enable_v2_api is set to False by default. This will result in Cinder v2 API removal from the keystone catalog during upgrade. If you want to preserve the v2 API you must override cinder_enable_v2_api in user_variables.yml.
For Designate, designate_pool_uuid was hardcoded in the os_designate role. Now it is dynamically generated in secrets.yml and unique per deployment. However, before upgrade you must set designate_pool_uuid to the current uuid. Most likely it is 794ccc2c-d751-44fe-b57f-8894c9f5c842, since that value has been the default in the role and it would remain the same unless explicitly overwritten. You can check your pool uuid with the command /openstack/venvs/designate-20.1.1.dev7/bin/designate-manage pool show_config, which should be executed from the Designate venv.
Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. If overrides are in use for setting the neutron tunnel address, or various storage or management addresses which rely on ansible fact gathering to provide variables of the form ansible_<interface>, it is likely that these facts will no longer be gathered by default. The new variable dynamic_address_gather_filter is available to specify a shell-style (fnmatch) wildcard to specify the set of facts gathered early in the neutron/nova/cinder playbooks.
The Galera privileged username has changed from root to admin. The old ‘root’@’%’ user can be removed after the upgrade process.
MariaDB version 10.5.9 is known to have a bug which results in broken root permissions after upgrade. We have implemented a workaround for it which will be triggered automatically. This note is informative only.
gnocchi_service_project_name is now set to service even for deployments involving Swift. Nowadays ceilometer.middleware excludes the service project by default, so no additional protection is required. In case you want to preserve the current gnocchi_service_project_name, define it equal to gnocchi_swift in your user_variables.yml.
The variable haproxy_hatop_downloader has been removed. Deployers are supposed to use the haproxy_hatop_download_url override if needed to install in deployments with limited internet connection.
The HAProxy haproxy_whitelist_networks key inside the haproxy_service_configs dictionary has been replaced with haproxy_allowlist_networks.
The variable cinder_service_internaluri_insecure has been replaced with keystone_service_internaluri_insecure, which is used across all roles for the exact same purpose.
All supported operating systems now build their LXC images locally on the lxc container hosts rather than relying on external pre-built base images. debootstrap and dnf are used on debian and Centos variants respectively. All variables controlling the download of images have been removed from the lxc_hosts role, and a new override, lxc_apt_mirror is added to allow local mirrors to be specified for debootstrap. Centos systems will use the mirror configuration already present on the host when building the container rootfs with dnf.
During upgrade your current Nova cell mappings will be converted to use Template URLs. This means that your changes to transport_url or [database]/connection in nova.conf will be picked up by nova-conductor in the cells right after a service restart, without the need to explicitly run nova-manage cell_v2 update_cell.
Introduce this feature to empty compute nodes, and migrate VMs over once the agents have been restarted.
It is now mandatory to use a verifiable SSL certificate and Certificate Authority trust chain for the RabbitMQ installation. This can be achieved automatically through the new ansible role ansible-role-pki with appropriate addition of openstack_pki_* variables. Any existing deployments which use the rabbitmq_user_ssl_* variables must ensure that the supplied certificates can be verified by a CA certificate installed into the trust store of each host and container. This can be achieved through supplying the CA certificate on the deploy host and using overrides from the openstack_hosts role to install it.
The Wallaby release of openstack-ansible does not support deployment of the control plane in nspawn containers.
If a deployment uses local copies or caches of the openstack requirements repo or upper-constraints files, the repo server is now able to natively host copies of the relevant upper-constraints files and serve them to pip during wheel builds. It is now also possible to supply custom constraints files in the deploy host /etc/openstack_deploy/upper-constraints directory. Deployers should take account of the new capability in the repo server and adjust any special handling of downloading upper-constraints that they may have made via overrides, in particular requirements_git_url.
cloudkitty_package_state inherits package_state and defaults to “latest”
cloudkitty_uwsgi_bind_address inherits openstack_service_bind_address and defaults to 0.0.0.0
cloudkitty_galera_port inherits galera_port and defaults to “3306”
cloudkitty_service_region inherits service_region and defaults to “RegionOne”
Trove service specific config files, like trove-conductor.conf and trove-taskmanager.conf, were removed and all functionality was merged into the trove.conf file. So you need to ensure that all overridden options are now placed for the trove.conf file.
The default Trove service username has been changed from admin_trove_user to trove. You might want to manually delete admin_trove_user after upgrade or override the new default.
The default Trove service project name has been changed from trove_for_trove_usage to service. You might want to manually delete the trove_for_trove_usage project after upgrade or override the new default.
The default value for trove_service_net_subnet_cidr has been changed from “192.168.20.0/24” to “172.29.252.0/22”. Along with that the pool start and pool end have changed as well, which are represented by the variables trove_service_net_allocation_pool_start and trove_service_net_allocation_pool_end. Please define these variables in user_variables in case you used the default values in production environments.
Deprecation Notes
The following variables have been deprecated and will have no effect:
haproxy_ssl_cert_path
haproxy_ssl_key
haproxy_ssl_pem
haproxy_ssl_ca_cert
These variables were responsible for the path haproxy looked for certificates on the destination hosts. The variables were replaced in favor of haproxy_ssl_cert_path, since the exact path to certificates will be dynamically set based on the VIP that is used for the frontend.
The variable masakari_policy_json_overrides has been deprecated in favor of masakari_policy_overrides and will be removed after the X release. As for now masakari_policy_overrides defaults to masakari_policy_json_overrides for compatibility.
The custom PowerVM code has been removed as it is not tested. The code in question can be replaced with the following setting:
neutron_firewall_driver: openvswitch
The variables nova_novncproxy_agent_enabled, nova_serialconsoleproxy_enabled and nova_console_agent_enabled are removed and won’t have any effect in the future. If you want to disable console functionality, set nova_console_type: disabled in your user_variables.yml.
The variables haproxy_ssl_self_signed_regen and haproxy_ssl_self_signed_subject are removed and the equivalent functionality from the ansible-role-pki variables should be used instead.
Removed the octavia_amp_image_id option, as the corresponding configuration option in Octavia, amp_image_id, is deprecated and image tags should be used instead.
Renamed tempest_test_whitelist to tempest_test_includelist and tempest_test_blacklist to tempest_test_excludelist. Dependent projects should update to use the new variables.
Since certificates and CA distribution are now handled with the PKI role, the variable openstack_host_ca_location has been deprecated and removed.
Support for an Open vSwitch dataplane with NSH support using the ovs_nsh_support variable has been immediately deprecated and removed due to built-in support for NSH in recent Open vSwitch releases. The prior PPA provided a custom release of OVS 2.9, which is no longer appropriate for recent releases of OSA and the respective operating systems.
cloudkitty_collected_services is deprecated and should instead be configured in the Cloudkitty metrics config.
The variable swift_gnocchi_enabled has been removed and won’t have any effect.
The variables trove_taskmanager_config_overrides and trove_conductor_config_overrides were removed along with the affected config files. You should use trove_config_overrides to override trove configuration.
Removed the variables trove_provider_ip_from_q and trove_container_net_name. If you need to change the network which will be used for guests inside trove containers, please use the variables trove_provider_network or trove_provider_net_iface.
Removed the variables trove_admin_user_name and trove_service_tenant_name. Please use trove_service_user_name and trove_service_project_name correspondingly to manage the username and project name which will be used for auth in keystone.
Critical Issues
The native Open vSwitch firewall driver requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer includes conntrack support. Kernel version 3.3, but less than 4.3, does not include conntrack support and requires building the OVS modules.
Bug Fixes
Fixed the behaviour of the variable nova_spice_console_agent_enabled. It can now be safely used to disable the spice agent when needed.
Other Notes
Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.