Rocky Series Release Notes


New Features

  • Cinder coordination backend can now be configured via cinder_coordination_backend variable. Coordination is optional and can now be set to either redis or etcd.

Bug Fixes

  • Fixes the native openvswitch firewall driver in the regular agent; the previously released patch fixed only xenapi. LP#1869832 (related to LP#1867506)

  • This patch adds a kolla-ansible internal logrotate config for Logstash. Logstash 2.4 uses a logrotate configuration integrated in the container, which tries to rotate logs in /var/log/logstash, while Logstash logs deployed by kolla-ansible are in /var/log/kolla/logstash. LP#1886787

  • This patch fixes a bug where the kolla_toolbox Ansible module failed due to Python deprecation warnings caused by paramiko/cryptography. LP#1888657


Bug Fixes

  • Fix qemu loading of ceph.conf (permission error). LP#1861513

  • Remove /run bind mounts in Neutron services causing dbus host-level errors and add /run/netns for neutron-dhcp-agent and neutron-l3-agent. LP#1861792

  • Use more permissive regex to remove the offending line from /etc/hosts. LP#1862739

  • Each Prometheus mysqld exporter now points to its local mysqld instance (MariaDB) instead of the VIP address. LP#1863041

  • Cinder Backup now has access to kernel modules, to load e.g. the iscsi_tcp module. LP#1863094

  • Makes RabbitMQ hostname address resolution precheck stronger by requiring uniqueness of resolution to avoid later issues. LP#1863363

  • Fixes neutron-openvswitch-agent native openvswitch firewall driver. LP#1867506

  • Fixes a ceph deployment reconfiguration error where the Gathering OSDs step would fail due to the Kolla-Ansible user not having access to /var/lib/ceph/osd/_FSID_/whoami. LP#1867946

  • Remove the meta field of the Swift rings from the default rsync_module template. Having it by default, undocumented, can lead to unexpected behavior when the Swift documentation states that this field is not processed.

  • Fixes an issue with the HAProxy monitor VIP precheck when some instances of HAProxy are running and others are not. See bug 1866617.

  • Removes the [http]/max-row-limit = 10000 setting from the default InfluxDB configuration, which resulted in the CloudKitty v1 API returning only 10000 dataframes when using InfluxDB as a storage backend. See bug 1862358 for details.


New Features

  • Neutron port_forwarding service plugin, and l3 extension can be enabled with variable enable_neutron_port_forwarding.

Upgrade Notes

  • Changes the default value of docker_legacy_packages to false. This means that kolla-ansible bootstrap-servers will now configure the Docker CE repositories at, rather than the legacy Docker repositories at This is due to Docker removing access to the legacy repositories.

  • Modifies the path for custom configuration of swift.conf from /etc/kolla/config/swift/<service>.conf to /etc/kolla/config/swift/<service>/swift.conf, to avoid a collision with custom configuration for <service>.conf. Here, <service> may be proxy-server, account-*, container-* or object-*.

  • The Heat role has stopped disabling deprecated plugins. To apply this change to existing deployments, the file /etc/kolla/heat-engine/_deprecated.yaml is automatically removed during the upgrade.

Bug Fixes

  • Fixes an issue with Docker client timeouts where Docker reports ‘Read timed out’. The client timeout may be configured via docker_client_timeout. The default timeout has been increased to 120 seconds. See bug for details.

  • Fixes an issue where a failure in pulling an image could lead to a container being removed and not replaced. See bug 1852572 for details.

  • Fixes Swift volume mounting failing on kernel 4.19 and later due to removal of nobarrier from XFS mount options. See bug 1800132 for details.

  • Fixes an issue with fluentd parsing of WSGI logs for Aodh, Masakari, Qinling, Vitrage and Zun. See bug 1720371 for details.


Upgrade Notes

  • The Keystone fernet key rotation scheduling algorithm has been modified to avoid issues with over-rotation of keys.

    The variables fernet_token_expiry, fernet_token_allow_expired_window and fernet_key_rotation_interval may be set to configure the token expiry and key rotation schedule.

    By default, fernet_token_expiry is 86400, fernet_token_allow_expired_window is 172800, and fernet_key_rotation_interval is the sum of these two variables. This allows for the minimum number of active keys - 3.

    See bug 1809469 for details.
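
The sizing behind these defaults, as an added example (not Kolla Ansible or Keystone code): it replays key rotations and reports the first token that would lose its decryption key before expiry plus the allow-expired window has passed. The max_active_keys rule follows Keystone's fernet documentation; rounding up and the integer key ids are assumptions of this sketch.

```python
import math

def max_active_keys(token_expiry, allow_expired_window, rotation_interval):
    """Keystone's sizing rule; rounding up is an assumption for uneven schedules."""
    need = token_expiry + allow_expired_window
    return math.ceil(need / rotation_interval) + 2  # +2: staged and primary keys

def key_lifetimes(rotation_interval, max_keys, rotations):
    """Replay rotations and return {key_id: [became_primary_at, purged_at]}.

    Key ids are generation counters for this sketch, not on-disk file names.
    """
    primary, staged, secondary = 0, 1, []
    life = {0: [0, None]}
    for n in range(1, rotations + 1):
        now = n * rotation_interval
        secondary.append(primary)              # old primary still decrypts
        primary, staged = staged, staged + 1   # staged key is promoted
        life[primary] = [now, None]
        while len(secondary) + 2 > max_keys:   # staged + primary + secondaries
            life[secondary.pop(0)][1] = now    # oldest secondary is purged
    return life

def first_broken_token(token_expiry, allow_expired_window,
                       rotation_interval, max_keys, step=3600):
    """Return (issued_at, key_purged_at) for the first token whose key is purged
    before expiry + allow_expired_window has elapsed, or None if none is."""
    need = token_expiry + allow_expired_window
    life = key_lifetimes(rotation_interval, max_keys, rotations=max_keys + 4)
    for _key, (start, purged) in sorted(life.items()):
        if purged is None:
            continue  # key still in the repository at the end of the replay
        for issued in range(start, start + rotation_interval, step):
            if issued + need > purged:
                return issued, purged
    return None

if __name__ == "__main__":
    expiry, window = 86400, 172800            # defaults from the note above
    print(max_active_keys(expiry, window, expiry + window))
    print(first_broken_token(expiry, window, expiry + window, 3))
    print(first_broken_token(expiry, window, 86400, 3))
```

With the default schedule no token outlives its key; rotating daily while keeping only 3 keys purges the key of a token issued at time 0 after 172800 seconds, before its 259200-second window ends.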

Bug Fixes

  • Adds system hostnames to /etc/hosts, if different from short hostnames. This can fix live migration of Nova instances in some contexts. See bug 1830023 for details.

Other Notes

  • While Kolla Ansible now avoids duplicating Nova cells when messaging or database connection information is changed, operators of existing deployments should perform a manual cleanup of duplicate cells using the nova-manage cell_v2 command from a container running the nova_api image, leaving only two cells, one named cell0 and another one with the right connection information.


New Features

  • Add support for deploying the Monasca fork of Grafana, which includes Keystone integration.

  • Add the Monasca Log Metrics service. This service is responsible for generating metrics from log files.

  • Add support for deploying the Monasca Notification service. The Notification service is responsible for notifying users when an alert, as defined via the Monasca API, is generated by the Monasca Thresh topology.

  • Add support for deploying the Monasca Persister process. The Persister is responsible for reading metrics, alarms and events from Kafka and storing them in a variety of backends.

  • Add support for deploying the Monasca thresh service, an Apache Storm topology for alerting.

  • Add the Monasca Agent which provides host and application specific monitoring data collection and forwarding.

  • Docker logs are no longer allowed to grow unbounded and have been limited to a fixed size per container. Two new variables have been added, docker_log_max_file and docker_log_max_size which default to 5 and 50MB respectively. This means that for each container, there should be no more than 250MB of Docker logs.


New Features

  • Adds support for installing Docker Community Edition (CE) using the kolla-ansible bootstrap-servers command. Existing support uses the legacy packages from New packages are distributed via, and that location is now supported and used by default. Use of the new packages is enabled by setting the variable docker_legacy_packages to false. New packages are enabled by default only for Ubuntu 18.04+, which does not support the legacy packages.

    It is also now possible to skip configuration of the Docker repository, by setting the variable enable_docker_repo to false.

  • Exposed a config option to enable the ceph manager prometheus plugin; this also enables the exporter on the prometheus-server configuration for each ceph-mgr host.

Upgrade Notes

  • The default value for docker_legacy_packages is true on all OS distributions except Ubuntu 18.04+. If this is set to false, the Docker Community Edition (CE) will be installed. If the kolla-ansible bootstrap-servers command is used on a previously deployed host that is running a legacy Docker engine, it would result in the Docker engine being upgraded to use the Docker Community Edition packages, which will result in a restart of the Docker engine and the containers running on that host. Use the kolla-ansible --serial or --limit arguments to avoid losing quorum in clustered services such as MariaDB by restarting all containers at once.

Other Notes

  • Link the kolla_logs docker volume to /var/log/kolla. The shorter log path helps when debugging from logs. The volume path is compatible with docker-engine and docker-ce.


New Features

  • Added a new parameter in kolla_docker to support configuring TTY in containers; the value is False by default.



Since Ceph Luminous release, bluestore OSDs are recommended. Kolla Ceph currently only supports filestore. Bluestore is required in Kolla Ceph.

New Features

  • Add blazar-dashboard to horizon.

  • Add congress-dashboard to horizon.

  • Adds a new argument to the kolla-ansible command, --forks NUM. This argument is passed through directly to ansible-playbook.

  • Add a kolla-ansible role for freezer-scheduler

  • The settings file {{ node_custom_config}}/horizon/custom_local_settings can be used in Horizon to overwrite the default local_settings without a need to sync it at image build time.

  • Add a role for deploying Apache Kafka, a distributed streaming platform. See for more details. Requires Apache Zookeeper to be configured.

  • Add support for deploying the Monasca Log API which forms part of the Monasca distributed monitoring and logging as a service platform. See for more details.

  • Add support for deploying the Monasca Log Persister. The Log Persister is responsible for reading logs from the Kafka processed logs topic and writing them to Elasticsearch.

  • Add support for deploying the Monasca Log Transformer for providing log standardisation in Monasca.

  • Add support for the configuration of Infoblox as a pluggable IPAM driver in neutron. Configure by selecting ‘infoblox’ as the ‘neutron_ipam_driver’. In addition to handling IP address management within neutron, an agent will be started to automatically manage DNS entries within the Infoblox appliance.

  • Add Octavia Horizon plugin

  • Add the “enable_trove_singletenant” option to enable the Trove single tenant functionality. This feature will allow Trove to create Nova instances in a different tenant than the user tenant.

  • Add a configuration option enable_nova_ssh to allow disabling the service. This is useful when an operator is not supporting cold-migration and does not want to manage additional SSH keys.

  • Allow overriding the variable glance_backend_swift to enable the swift backend for glance, without requiring swift to be enabled in kolla-ansible. This allows operators to enable an external swift endpoint as the glance backend.

  • Adds support for installing python dependencies into a virtualenv on remote hosts.

    Installing python packages directly to the system site-packages can cause various problems, in particular when pip overwrites a system package. Python virtualenvs are one solution to this issue, as they allow python packages to be installed in an isolated environment. Typically we will need to enable use of system site-packages from within this virtualenv, to support the use of modules such as yum, apt, and selinux, which are not available on PyPI.

    The path to the virtualenv is configured via the virtualenv variable, and access to site-packages is controlled via virtualenv_site_packages. The default value for virtualenv is None, in which case the old behaviour of installing packages directly to the system site-packages is maintained.

    When executing other kolla-ansible commands, the variable ansible_python_interpreter should be set to the python interpreter installed in virtualenv. Note that this variable cannot be templated.

  • Add a custom option for the docker daemon by configuring the docker service. An option named “docker_custom_option” will be added.

  • [blueprint Replace inner-/external computes with a dvr mode variable] A new variable “neutron_compute_dvr_mode” is introduced. This variable controls whether a compute host has an external connection and is allowed to do full-blown DVR, or whether distributed routing is only used for tenant networking. The corresponding values are “dvr” and “dvr_no_external”. The variable has to be set either globally or per group (per host) to get the desired behavior.

  • Enable chrony by default.

  • Automatically expire MariaDB binary logs after 14 days.

  • Introduces support for extra ml2 plugins not maintained by kolla-ansible. An operator may add a file /etc/kolla/config/neutron/plugins/awesome_plugin.ini, which will be copied into the ml2 plugins folder during runtime.

  • Added the ironic_inspector_kernel_cmdline_extras option to append additional kernel parameters to the kernel used for inspection.

  • HAProxy - Add ability for operators to specify additional options per HTTP or TCP listener stanza.

  • Introduces a new variable, horizon_keystone_url, which facilitates overriding the URL used by Horizon to talk to the identity service (Keystone). Defaults to the identity service’s internal URL.

  • Implement Glance zero-downtime upgrade logic.

  • Implement Ironic rolling upgrade logic, enabled by default at ironic_enable_rolling_upgrade: “yes” in etc/kolla/globals.yml file.

  • Adds support for configuring a default gateway to be used in the Ironic Inspector inspection network. This is configured via the ironic_dnsmasq_default_gateway variable, and is not set by default.

  • Support Kolla Ceph to deploy bluestore OSDs in Rocky release.

  • Add support of custom configuration files for grafana.

  • Add support for the VMware NSX Transformers plugin

  • Add ONOS support. Networking-onos is a Neutron sub-project that provides connectivity between Neutron/Neutron’s sub-projects and ONOS.

  • The opendaylight_release variable is removed; the version is discovered automatically while booting features.

  • Adds support for skipping the configuration of sudoers files in the kolla-ansible bootstrap-servers command. This depends on the create_kolla_user_sudoers variable, which defaults to the same value as create_kolla_user.

  • Deploy prometheus ( as the timeseries database. Containers for node_exporter, haproxy_exporter and mysqld_exporter are provided and added to prometheus as scrape targets.

  • Add support for ceph-dashboard. It enables the ‘dashboard’ module in the ceph cluster. It uses the command ‘ceph mgr module enable dashboard’.

  • Support Ansible check and diff mode when generating configurations. You can use EXTRA_OPTS='--check --diff' kolla-ansible genconfig to check what the configuration files will look like in dry-run mode.

  • Set the docker runtime directory by configuring the docker daemon. An option named “docker_runtime_directory” will be added.

  • Adds support for booting bare metal nodes with Ironic using iPXE. This is enabled via the enable_ironic_ipxe flag.

  • Add support for configuration of the Ironic Neutron Agent, and the Neutron networking-baremetal ML2 plugin.

Known Issues

  • As of Ceph Luminous 12.2.1 the maximum number of PGs per OSD before the monitor issues a warning has been reduced from 300 to 200 PGs. In addition, Ceph now fails with an error rather than a warning in the case of exceeding the max value. In order to allow Kolla to continue to be used out of the box we have reduced the default values for pg_num and pgp_num from 128 to 8. This will allow a deploy of Kolla with all possible services enabled and then some, with the minimum recommended three OSDs. Operators are highly recommended to review the Ceph documentation regarding these values in order to ensure optimal performance for their own cluster.

Upgrade Notes

  • Added default_docker_volume_type for magnum which is required to specify the default cinder volume type to be used for container storage volume in clusters that specify the docker-volume-size option. For example gp1, io1 etc.

  • Disable the ntp service, as kolla uses the chrony container by default.

  • Add option docker_registry_insecure to enable the SSL verification for the docker registry. Default value is true when a private registry is defined.

  • All hosts from “[inner-compute]” and “[external-compute]” can be moved to “[compute]” to avoid problems in OpenStack S release, though the groups still will function well in this release.

  • The neutron-vpnaas-agent has been loaded just inside of the existing l3 agent rather than requiring operators to run a completely different binary with a subclass of the existing L3 agent.

Deprecation Notes

  • Disable glance registry as it is deprecated.

  • Splitting of compute group into inner and external compute hosts is deprecated and will be removed in OpenStack S release.

  • As neutron-vpnaas-agent can be loaded by the neutron l3 agent, neutron-vpnaas standalone mode is not supported. We have already removed the neutron-vpnaas-agent container, so there is currently no need to keep this role.

Security Issues

  • Disable TLS 1.1 on haproxy for external network if tls is enabled.

Bug Fixes

  • External bridge setup on compute hosts that depends on whether DVR mode is enabled is also accompanied by a check for the new variable.

  • Fixed an Ansible warning when using ansible>2.2.

  • Avoid using the Ansible reserved words action and serial in playbooks. Use kolla_action and kolla_serial instead.

  • Load the custom ceph.conf and keyring file from the <<node_custom_config>>/gnocchi folder rather than from each folder of the gnocchi components.

  • Remove the uuid option from keystone_token_provider, as it has been removed in Keystone.