2026.1 Series Release Notes

22.0.0-2

Prelude

The Kolla Ansible 22.0.0 (Prelude) release continues the momentum of the previous cycle with a strong focus on service modernisation, role restructuring, and operator quality-of-life improvements. Highlights include:

  • Service retirements and removals.

    • Zun and Kuryr dropped (Zun is broken in 2026.1).

    • InfluxDB (community EOL v1) and Telegraf removed.

    • Venus removed due to the project being inactive.

    • Neutron Linux Bridge mechanism driver support removed following its upstream retirement.

  • Role restructuring.

    • The common role has been renamed to kolla_toolbox (inventory group kolla-toolbox → kolla_toolbox).

    • Log-rotation tasks extracted into a dedicated cron role.

    • Log collection tasks extracted into a dedicated kolla_logs role.

    • Host bootstrap tasks moved into ansible-collection-kolla.

  • Unified uWSGI for all API services.

    • All OpenStack API services now run under uWSGI using the shared service-uwsgi-config role, dropping Apache WSGI support entirely.

    • The remaining services (Barbican, Designate, Glance, and Magnum) have been migrated in this cycle.

    • The now-unnecessary glance-tls-proxy container is removed during upgrade.

    • HTTP chunked input and configurable thread counts are available to all uWSGI services.

  • RabbitMQ 4.2 support and upgrade paths.

    • Dynamic upgrade path validation via rabbitmq_allowed_upgrades and seamless 4.2 upgrade paths are provided out of the box.

    • Management interface TLS support via rabbitmq_enable_tls.

    • Stream retention policy configurable via rabbitmq_stream_max_segment_size_bytes and rabbitmq_stream_segment_max_age.

  • Cinder deployment group changes.

    • cinder-volume and cinder-backup now default to the cinder (control) group instead of storage.

    • New inventory groups cinder-volume-lvm, cinder-volume-multiple, cinder-backup-lvm, and cinder-backup-multiple support advanced LVM back-end topologies.

  • Neutron and OVN enhancements.

    • neutron-ovn-vpn-agent is now deployable to enable VPNaaS in OVN environments.

    • Neutron agent wrappers are enabled by default, allowing DHCP and L3 agents to restart without disturbing the main container processes and reducing dataplane disruption.

    • OVN metadata-agent HAProxy processes run in separate wrapper containers.

    • ovn-northd command-line arguments and OVN DB environment variables are configurable.

  • Observability additions.

    • New OpenStack Network Exporter for Prometheus gathers OVS/OVN metrics.

    • Valkey Exporter for Prometheus is now supported.

    • Grafana gains an Alertmanager datasource and optional LDAP authentication.

    • OpenSearch Dashboards index patterns are created automatically.

    • Fluentd ships logs directly to OpenSearch node IPs and OpenSearch Dashboards connects directly to data nodes, removing intermediate HAProxy hops.

    • API health-check endpoints have been standardised across all services.

  • Ironic improvements.

    • Multiple Nova Compute Ironic instances on the same host are now supported for large bare-metal deployments.

    • The experimental ironic-pxe-filter service is available.

    • Legacy (non-rolling) Ironic upgrade support has been dropped.

    • DNS configuration can now be supplied through Ironic DHCP ranges for IPA NTP and FQDN endpoint reachability.

  • Security hardening.

    • HAProxy TLS settings hardened to follow Mozilla SSL Modern recommendations for HAProxy 2.8+ / OpenSSL 3.x.

    • Skyline gains TLS 1.2/1.3 support for HTTPS upstream endpoints.

    • Keystone mod_auth_openidc now supports templated OIDC metadata files and customisable authentication error pages.

  • Ansible version bump. The minimum supported version is now Ansible 12 (ansible-core 2.19) and the maximum is Ansible 13 (ansible-core 2.20).

Bug Fixes

  • Fixes overly restrictive permissions on certificates in the /var/lib/kolla/share/ca-certificates path in containers that require access to these certificates.

22.0.0

New Features

  • Adds support for LDAP authentication in Grafana. Users can now enable LDAP by setting grafana_ldap_enabled to true and providing an ldap.toml configuration file in the {{ node_custom_config }}/grafana/ directory.

  • Standardized health check endpoints for OpenStack API services and supporting components (Grafana, etcd, influxdb, rabbitmq). Both HAProxy and Docker health checks now use dedicated endpoints like /healthcheck, /api/health, or service-specific paths for consistent and reliable detection.

    Health checks now explicitly expect HTTP 200 status codes and use standardized curl commands across all services.

    Docker container health checks have been unified with HAProxy configurations, using the same dedicated endpoints.

  • Adds support for deploying multiple instances of the Nova Compute Ironic service on the same host. This is useful in large baremetal deployments.

  • Adds support for deploying OpenStack Network Exporter for gathering OVS/OVN related metrics. This is enabled by default when using Prometheus.

  • Adds support for deploying prometheus-valkey-exporter to enable monitoring of Valkey servers.

  • Added a validation check to ensure the number of neutron_external_interface entries matches the number of neutron_bridge_name entries in the configuration. This prevents misconfigurations that could cause deployment failures or incorrect networking behavior. LP#1864832

  • Added TLS support for the RabbitMQ management API and UI. When rabbitmq_enable_tls is set to true, TLS is now also enabled for the RabbitMQ management interface.

  • Automated the creation of the default OpenSearch Dashboards index pattern. During deployment or reconfiguration, Kolla Ansible now automatically provisions an index pattern based on the opensearch_log_index_prefix (defaulting to flog-*) with @timestamp configured as the time field. This removes the need for operators to manually configure the initial index pattern upon their first login to the Dashboards UI.

  • Add support for libvirt vTPM (swtpm) configuration. LP#2106219

  • Increased the default value of innodb_log_file_size from 96MB to 2GB. This change improves overall MariaDB performance, though crash recovery may take longer as a tradeoff. Users can adjust the value by overriding the mariadb_innodb_log_file_size_mb variable. The allowed range is 4MB to 524288MB (512GB).

  • Ironic DHCP can now be configured to supply DNS servers via ironic_dnsmasq_dhcp_ranges. This enables the inspection ramdisk (IPA) to reach FQDN API endpoints.

  • Adds explicit support for passing through the ipa-ntp-server setting via the kernel commandline to the Ironic Python Agent.

    You can now also use ironic_kernel_append_params to provide additional arguments to the kernel command line when booting the Ironic Python Agent.

  • The nova-cell role now supports operator-specified custom templates for qemu.conf and libvirtd.conf. Kolla-Ansible will now look for host-specific and global overrides before falling back to the default templates.

  • New variables rabbitmq_stream_max_segment_size_bytes and rabbitmq_stream_segment_max_age are added to make RabbitMQ stream retention policy configurable. These two new variables are only applied when om_enable_rabbitmq_stream_fanout is set to true. It is recommended to tune the values based on user’s environment to prevent leaving too many ready messages in stream queues.

  • Adds support for custom MariaDB Galera notification scripts. Operators can provide a wsrep-notify.sh script in the custom config directory (/etc/kolla/config/mariadb/). When detected, Kolla Ansible configures MariaDB to execute it on cluster state changes, enabling integration with Prometheus Alertmanager or custom logging.

  • An Alertmanager datasource is now automatically configured in Grafana when enable_prometheus_alertmanager is set to true.

  • Adds support for passing additional command-line arguments to the ovn-northd daemon via the ovn_northd_cmdline_extras variable. This allows operators to customize ovn-northd behavior, such as setting thread count (--n-threads), enabling parallel build (--use-parallel-build), or tuning the inactivity probe timeout (--inactivity-probe).

  • The RabbitMQ upgrade path validation now supports explicitly allowed version jumps (e.g., major or multi-minor upgrades) via the rabbitmq_allowed_upgrades variable. This allows operators to manage supported RabbitMQ upgrade paths through role defaults or globals.yml without modifying the core Ansible task files.

  • Added service_uwsgi_config_threads to configure uWSGI thread count. Horizon now applies horizon_wsgi_threads when using uWSGI.

  • Sets scope_key to tenant_id in the [collect] section of the CloudKitty configuration file when Prometheus and Openstack Exporter are enabled, to ensure CloudKitty fetches valid metrics from the OpenStack Exporter.

  • Keystone OpenID metadata files are now templated, enabling variable substitution and dynamic configuration.

Upgrade Notes

  • If you are migrating to the new feature to deploy multiple instances of Nova Compute Ironic, you must first manually remove the existing Nova Compute Ironic Docker container and config directories.

  • Minimum supported Ansible version is now 12 (ansible-core 2.19) and maximum supported is 13 (ansible-core 2.20).

  • barbican-api uWSGI configuration has been migrated to use the service-uwsgi-config role, consistent with other Kolla-Ansible roles.

  • The default session cache backend for Horizon has changed when Valkey is enabled. If enable_valkey is set to true, Valkey will be used as the preferred backend to improve availability.

  • The default value of innodb_log_file_size has increased from 96MB to 2GB. This improves MariaDB performance but crash recovery may take longer. Before upgrading, ensure sufficient disk space is available for the larger InnoDB log file.

  • By default, ML2/OVS L3 routers no longer set ha_vrrp_health_check_interval when enable_neutron_agent_ha is true. This is to prevent stability issues when Neutron is unable to keep up with L3 router state changes.

  • Support for deploying influxdb has been dropped. Kolla delivered the community end-of-life version v1, and there are no plans to upgrade to v2. Users should migrate to an alternative monitoring solution and remove influxdb containers and their configuration manually.

  • Support for deploying telegraf has been dropped after earlier deprecation. Existing users need to remove telegraf containers and their configuration manually.

  • Support for deploying zun has been dropped due to the service being broken in 2026.1. kuryr has been dropped as well, due to it being only used by zun.

  • The legacy (non-rolling) ironic upgrade mechanism has been dropped. Ironic upgrades now exclusively use the rolling upgrade mechanism.

  • The kolla_logs role has been split from the common role. Please update your inventory accordingly to include the kolla_logs group.

  • The lightbits_JWT variable has been renamed to lightbits_jwt.

  • cinder-volume and cinder-backup containers are now deployed by default on cinder group - which effectively is control by default (earlier it defaulted to storage).

  • New Ansible inventory groups have been introduced to properly support Cinder LVM backend setups:

    • cinder-backup-lvm

    • cinder-backup-multiple

    • cinder-volume-lvm

    • cinder-volume-multiple

    Please update your inventory overrides accordingly.

  • Adds support for seamless RabbitMQ 4.2 upgrades by defining the required version jump paths in the default configuration.

  • The global variable distro_python_version has been removed as it is no longer needed. Python path handling is now done at the image level.

  • The common Ansible role has been renamed to kolla_toolbox. The kolla-toolbox Ansible inventory group has also been renamed to kolla_toolbox to be in line with Ansible requirements. The tag for the kolla_toolbox deployment task has also been renamed. Users should update their inventories and inventory overrides to reflect this change.

  • kolla-toolbox and all kolla_toolbox based invocations of Ansible openstack.cloud modules have been reworked to use clouds.yaml. openstack_auth variable is only used for passing keystone admin password for services bootstrap runs.

  • designate-api is now running under uWSGI and supports backend TLS.

  • glance-api is now running under uWSGI and supports backend TLS without the additional haproxy container. The glance-tls-proxy container will be removed during the upgrade process.

  • magnum-api is now running under uWSGI and supports backend TLS.
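The inventory and variable changes listed in these upgrade notes can be checked before an upgrade run. The following is an added example, not part of Kolla Ansible: the function names, the finding messages and the sample inputs are constructed, and it assumes an INI-style inventory in which groups of dropped services are named after the service.

```python
import re

# Names below come from the upgrade notes above.
RENAMED_GROUPS = {"kolla-toolbox": "kolla_toolbox"}
NEW_GROUPS = ("kolla_logs",)
REMOVED_VARS = ("distro_python_version",)
RENAMED_VARS = {"lightbits_JWT": "lightbits_jwt"}
MOVED_TO_CINDER = ("cinder-volume", "cinder-backup")
# Assumption: groups of dropped services are named <service> or <service>-<part>.
DROPPED = ("zun", "kuryr", "influxdb", "telegraf", "venus")

SECTION_RE = re.compile(r"^\[([^\]:]+)(?::\w+)?\]$")
VAR_RE = re.compile(r"^([A-Za-z_]\w*)\s*:")

def parse_inventory(text):
    """Map each group of an INI inventory to its member names."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = SECTION_RE.match(line)
        if match:
            current = groups.setdefault(match.group(1), [])
        elif line and current is not None:
            current.append(line.split()[0])
    return groups

def lint_inventory(text):
    """Return findings for groups that the upgrade notes rename, add or drop."""
    groups, out = parse_inventory(text), []
    for old, new in RENAMED_GROUPS.items():
        if old in groups:
            out.append(f"rename group [{old}] to [{new}]")
        elif new not in groups:
            out.append(f"add group [{new}]")
    out += [f"add group [{g}]" for g in NEW_GROUPS if g not in groups]
    for name in sorted(groups):
        if name.split("-")[0] in DROPPED:
            out.append(f"remove group [{name}]: service dropped")
        if name in MOVED_TO_CINDER and "storage" in groups[name]:
            out.append(f"[{name}] still maps to storage; default is now cinder")
    return out

def lint_globals(text):
    """Return findings for top-level variables that were removed or renamed."""
    out = []
    for line in text.splitlines():
        match = VAR_RE.match(line)
        name = match.group(1) if match else None
        if name in REMOVED_VARS:
            out.append(f"remove {name}: no longer used")
        elif name in RENAMED_VARS:
            out.append(f"rename {name} to {RENAMED_VARS[name]}")
    return out

# Constructed sample inputs (not from a real deployment).
INVENTORY = ("[control]\nctl01\n\n[storage]\nsto01\n\n[kolla-toolbox:children]\n"
             "control\n\n[zun-api:children]\ncontrol\n\n"
             "[cinder-volume:children]\nstorage\n")
GLOBALS = 'distro_python_version: "3.12"\nlightbits_JWT: "example"\n'
if __name__ == "__main__":
    print("\n".join(lint_inventory(INVENTORY) + lint_globals(GLOBALS)))
```

A cinder-volume or cinder-backup group that still lists storage is reported for review only; keeping it there is a valid inventory override if that placement is intended.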

Deprecation Notes

  • The option to set OIDCHTMLErrorTemplate has been removed on Debian 13 and Rocky 10, because it was removed in version 2.4.14 of the modoidc auth plugin. It is still present in Ubuntu Noble and can be used there. This applies only when using keystone_wsgi_provider: apache, which is not the default.

Bug Fixes

  • Fixes an issue where OpenSearch log retention check would fail due to plugins not being fully loaded, resulting in a timeout error. This was caused by the task that checks for the existence of a log. Added a check before plugin tasks to ensure plugins are fully loaded.

  • Improves Horizon availability when cache nodes fail by adding support for Valkey as a session cache backend. LP#2093414

  • Fixed an issue where neutron-server and other neutron agents would fail to start when kolla_copy_ca_into_containers was enabled but backend TLS was disabled. The configuration now correctly distinguishes between the requirement for backend certificates (neutron-cert.pem) and the optional copying of CA certificates. LP#2121694

  • Make generation of prometheus.yml consistent when using custom override files.

    Previous behaviour would lead to changes in prometheus.yml on every run when custom override files were used, as the find result was not sorted. This could lead to unnecessary restarts and unreadable diffs of the prometheus service. LP#2126635

  • Fixed an issue where redundant HAProxy backend configuration was generated for the memcached service. The memcached backend entries are no longer created since no OpenStack service uses HAProxy to reach memcached. LP#2130641

  • Fixed missing schemaname: nova rule in ProxySQL configuration for the default (unnamed) Nova cell. LP#2130985

  • Fixes issue where ProxySQL certificates were copied over even with kolla_externally_managed_cert set to True. LP#2131993

  • Fixes federation path for new keystone-httpd container. Previously the normal keystone container running apache wsgi was used. After migration to the uwsgi container the federation logic remained in the keystone-httpd container, but the federation files were never mounted there. LP#2134455.

  • Adds logrotate configuration for OpenSearch Dashboards. Previously, logs located in /var/log/kolla/opensearch-dashboards/ were not included in the rotation schedule, which could lead to excessive disk space consumption. LP#2137716

  • Fixes a regression in the Valkey upgrade process where the valkey_master_host variable was not defined if the Redis migration block was skipped. This led to a fatal error during the “Wait for Valkey replication sync” task due to the interaction between run_once and delegate_to. The variable is now defined globally at the start of the upgrade tasks. LP#2138440

  • Fixed an issue where Valkey logs were not being correctly parsed by Fluentd. The timestamp format in the Fluentd configuration has been updated to match the format used by Valkey, ensuring logs are properly collected and indexed in the logging backend. LP#2138451

  • Fixed a critical issue in kolla-mergepwd where the migration from Redis to Valkey resulted in authentication failures. The tool now automatically inherits the existing redis_master_password into the new valkey_master_password field during upgrades. This prevents serious cluster damage in deployments using custom Keystone caching solutions and ensures Octavia remains stable throughout the upgrade process, avoiding global HTTP 401 Unauthorized errors caused by password mismatches. LP#2138461

  • Fixed an issue where Neutron sub-services (RPC server, maintenance and periodic workers) would crash when enable_neutron_vpnaas was set to yes due to missing neutron_vpnaas.conf file injection. LP#2138498

  • Fixed an issue during upgrades from 2025.1 to 2025.2 where the Valkey role unconditionally referenced the redis inventory group. Since Redis is no longer present in the default inventories, this caused the upgrade to fail with an AnsibleUndefinedVariable error. The upgrade logic now correctly handles inventories without a redis group.

  • Fixed an issue where the masakari-api container was unnecessarily restarted during every reconfigure operation. The container handler now correctly includes the healthcheck configuration, ensuring idempotency by matching the container’s runtime definition with the service defaults. LP#2143979

  • Fixes an issue where iterated containers were restarted all at once when only a subset were detected as changed. LP#2144917

  • Fixes an issue where Prometheus would not scrape ProxySQL or Valkey metrics if Alertmanager was disabled. The configuration blocks for these exporters were incorrectly nested within the Alertmanager conditional block. LP#2148279

  • Fixes duplicate Keystone logs in WSGI and keystone.log. LP#2148545

  • Fix kolla-ansible rabbitmq-reset-state on RabbitMQ 4.2 or later. Khepri is the new default metadata store starting from RabbitMQ 4.2, and it does not support rabbitmqctl force_reset, which causes the reset to fail. This patch adds a fallback to rabbitmqctl reset to ensure the operation completes successfully. LP#2150536

  • Fix RabbitMQ HAProxy config missing auth in health checks. This caused backend to be marked DOWN and HTTP 500 errors. LP#2150569

  • Fixed an intermittent Zuul CI failure in the MariaDB backup test. LP#2129930

  • Fixes bootstrapping of prometheus-mysqld-exporter, which was failing to create the MariaDB user when the monitoring group is configured to be deployed on separate hosts.

  • Fixes a placement problem for the Cyborg API and conductor services, which would also be scheduled on compute nodes rather than exclusively on the control plane. LP#2087552

  • Fixes a failure in the destroy workflow when cleaning up the Octavia interface service by running the task with elevated privileges.

  • Fixes default ulimits for Debian-family container engines when using containerd. Previously, ulimits were not enforced by default, which could lead to missing nofile limits and service startup failures.

    This change introduces sane default ulimit values for Debian-based distributions while keeping existing EL9 behavior unchanged.

    LP#2132378

  • Fixed an issue in Glance where enabling kolla_copy_ca_into_containers forced a check for missing service certificates. The glance-api container now only requires glance-cert.pem if glance_enable_tls_backend is explicitly set to yes.

  • Fixed TLS errors in Skyline’s nginx configuration when upstream endpoints use HTTPS. LP#2091935 LP#1951437

  • Prevents users from installing plugins via the Grafana UI, which would cause Grafana instances to become out-of-sync in multinode deployments. LP#2122587

  • Fix generating passwords longer than 72 characters. This fixes prometheus configuration. LP#2126975

Other Notes

  • Add more CI coverage for Federation codepath. Migrate ansible to use openstack.cloud ansible collection modules for configuring federation. Previously it was done using python-openstackclient.

  • This release exposes additional configuration options for OpenStack Compute consoles which utilize the SPICE protocol. These configuration options have been defaulted to the previous implied values, so do not need to be set if you’re happy with the current behavior. The Kolla-Ansible Nova guide has been updated with further details of these new configuration options.

  • The structure of the templates for log rotate cron jobs has been simplified to reduce repetition. If you have local changes which add to or modify these templates you may need to update your modifications.