Stein Series Release Notes


New Features

  • Kolla Ansible can now configure deployed docker for Zun. Enable docker_configure_for_zun (disabled by default to retain backwards compatibility).

  • Neutron port_forwarding service plugin, and l3 extension can be enabled with variable enable_neutron_port_forwarding.

  • Merge action plugins (for config/ini and yaml files) now allow relative imports in the same way that upstream template modules does, e.g. one can now include subtemplate from the same directory as base template.

  • Cinder coordination backend can now be configured via cinder_coordination_backend variable. Coordination is optional and can now be set to either redis or etcd.

Upgrade Notes

  • RHEL-based targets no longer require EPEL repository. It can be safely removed from target hosts if not used otherwise.

Deprecation Notes



The Kolla Ansible 8.0.0 release is the first release in the Stein cycle. Highlights include full support for the OpenStack Monasca project, support for the Placement service which has been extracted from Nova, and support for performing full or incremental backups of the MariaDB database.

New Features

  • Adds support for deploying a ceilometer_ipmi container for collecting Ceilometer metrics on IPMI.

  • Adds support in Cinder and Nova for Quobyte volumes

  • Adds support for deploying the OpenStack Cyborg service. Cyborg is a service for managing hardware accelerators.

  • Adds support for a dedicated migration network. This is configured via the variables migration_interface and migration_interface_address.

  • Adds support for deploying the Monasca fork of Grafana, which includes Keystone integration.

  • Adds support for deploying the Monasca Log Metrics service. This service is responsible for generating metrics from log files.

  • Add support for deploying the Monasca Notification service. The Notification service is responsible for notifiying users when an alert, as defined via the Monasca API, is generated by the Monasca Thresh topology.

  • Adds support for deploying the Monasca Persister process. The Persister is responsible for reading metrics, alarms and events from Kafka and storing them in a variety of backends.

  • Adds support for deploying the Monasca thresh service, an Apache Storm topology for alerting.

  • Adds support for deploying the Neutron metering agent.

  • Adds support for configuring custom policies in Octavia.

  • Adds support for using a separate network for Octavia. This is configured via octavia_network_interface and octavia_network_interface_address.

  • Adds an option, haproxy_nova_serialconsole_proxy_tunnel_timeout, to configure the nova_serialconsole_proxy tunnel timeout. The default is to keep the websocket connection alive for 10 minutes.

  • Configures Prometheus as a Vitrage datasource automatically.

  • Adds support for deploying the Monasca Agent, which provides host and application specific monitoring data collection and forwarding.

  • Adds support for configuring the maximum files and processes limits in the nova_libvirt container, via the qemu_max_files and qemu_max_processes variables. The default values for these are 32768 and 131072 respectively. This is useful when Nova uses Ceph as a backend, since the default limit of 1024 is often not enough.

  • Adds support for configuring ulimit in containers, extending the dimension support added in Rocky release.

  • Adds a configuration option enable_keepalived to allow disabling the keepalived service. This is useful when using an external load balancer in front of HAProxy.

  • Adds support for configuring vendor info in Nova via the release file. To do this place a file called release in one of the following locations:

    • /etc/kolla/config/nova/release

    • /etc/kolla/config/nova_compute/release

    • /etc/kolla/config/nova_compute/{{ inventory_hostname }}/release

    An example of the file can be seen at

  • Adds support for installing Docker Community Edition (CE) using the kolla-ansible bootstrap-servers command. Existing support uses the legacy packages from New packages are distributed via, and that location is now supported and used by default. Use of the legacy packages is enabled by setting the variable docker_legacy_packages to true.

    It is also now possible to skip configuration of the Docker repository, by setting the variable enable_docker_repo to false.

  • Adds ability to configure custom fluentd formatting.

    In some scenarios it may be useful to configure custom fluentd formatting to, for example, convert events to JSON.

    Configuration of custom fluentd formatting is possible by placing output configuration files in /etc/kolla/config/fluentd/format/*.conf.

  • Adds ability to configure custom fluentd inputs.

    Configuration of custom fluentd inputs is possible by placing input configuration files in /etc/kolla/config/fluentd/input/*.conf.

  • Adds support for configuring glance-cache, enabled with enable_glance_image_cache. The cache size is configured via glance_cache_max_size.

  • Implements Neutron rolling upgrade logic, applied for Neutron server, VPNaaS and FWaaS because only these projects have support for rolling upgrade database migration.

  • Implements Nova rolling upgrade logic.

  • Implements Swift rolling upgrade logic, enabled via swift_enable_rolling_upgrade, which is true by default.

  • Adds support for the Ironic Inspector dnsmasq PXE filter that provides improved scalability over the default IPTables PXE filter. This is now used by default instead of the iptables PXE filter. The iptables filter can be enabled by setting ironic_inspector_pxe_filter to iptables.

  • Adds a new flag, enable_openstack_core, which defaults to yes. Setting this flag to no will disable the core OpenStack services, including Glance, Heat, Horizon, Keystone, Neutron, and Nova.

  • Improves the default configuration of OpenStack Ironic when used in standalone mode.

  • Adds support for providing custom kibana configuration via /etc/kolla/config/kibana/kibana.yml.

  • Docker logs are no longer allowed to grow unbounded and have been limited to a fixed size per container. Two new variables have been added, docker_log_max_file and docker_log_max_size which default to 5 and 50MB respectively. This means that for each container, there should be no more than 250MB of Docker logs.

  • Adds a symbolic link from the kolla_logs docker volume to /var/log/kolla, making it easier to find log files. The volume path is compatible with docker-engine and docker-ce.

  • Adds support for taking a backup of all MariaDB-hosted databases using Percona XtraBackup.

  • Adds support for loading kernel modules required by containers. This is required since kolla images removed support for loading kernel modules from within the container in the Stein release.

  • opendaylight_release variable is removed, version is discovered automatically while booting features.

  • Exposed a config option to enable the ceph manager prometheus plugin, this also enables the exporter on the prometheus-server configuration for each ceph-mgr host.

  • HAProxy configuration is now split per service, which makes creating and updating service configurations much simpler.

  • Adds support for stopping a service with the kolla-ansible stop command. This feature allows specific services to be stopped with --tags and --limit to limit the changes to a subset of hosts.

  • Added new parameter in kolla_docker to support configuring TTY in containers, value is False by default

  • Adds support to seperate Swift access and replication traffic from other storage traffic.

    In a deployment where both Ceph and Swift have been deployed, this changes adds functionalality to support optional seperation of storage network traffic. This adds two new network interfaces swift_storage_interface and swift_replication_interface which maintain backwards compatibility.

    The Swift access network interface is configured via swift_storage_interface, which defaults to storage_interface. The Swift replication network interface is configured via swift_replication_interface, which defaults to swift_storage_interface.

    If a separate replication network is used, Kolla Ansible now deploys separate replication servers for the accounts, containers and objects, that listen on this network. In this case, these services handle only replication traffic, and the original account-, container- and object- servers only handle storage user requests.

  • Adds configuration variables to enable/disable custom horizon policy files per-service even if the service is not being deployed by kolla-ansible.

Upgrade Notes

  • Updates the minimum required version of Ansible to 2.5.

  • Changes the default path for certificates generated via kolla-ansible certificates from {[ node_config_directory }}/certificates to {{ node_config }}. {{ node_config }} is the directory containing globals.yml, which by default is /etc/kolla/. This makes certificates consistent with other locally generated files, such as

  • The default value for docker_legacy_packages is false, which means that the Docker Community Edition (CE) should be installed. If the kolla-ansible bootstrap-servers command is used on a previously deployed host that is running a legacy Docker engine, it would result in the Docker engine being upgraded to use the Docker Community Edition packages, which will result in a restart of the Docker engine and the containers running on that host. Use the kolla-ansible --serial or --limit arguments to avoid losing quorum in clustered services such as MariaDB by restarting all containers at once.

  • The Keystone fernet key rotation scheduling algorithm has been modified to avoid issues with over-rotation of keys.

    The variables fernet_token_expiry, fernet_token_allow_expired_window and fernet_key_rotation_interval may be set to configure the token expiry and key rotation schedule.

    By default, fernet_token_expiry is 86400, fernet_token_allow_expired_window is 172800, and fernet_key_rotation_interval is the sum of these two variables. This allows for the minimum number of active keys - 3.

    See bug 1809469 for details.

  • Adds swift as a gnocchi storage option. Here is the list of storage options for gnocchi: a) Use swift if swift is enabled. b) Use ceph if ceph is enabled. c) Default to file if swift and ceph are enabled. User has to explicitly set to swift or ceph if both are enabled.

  • The Bare Metal Inspection service is now configured to store logs from the inspection ramdisk in the kolla_logs Docker volume.

  • The default PXE filter used by Ironic Inspector is now dnsmasq rather than iptables. This change has been made to work around an issue introduced by moving to Docker CE, where the daemon sets the default policy on the iptables FORWARD chain to DROP. This policy can interact with the Ironic Inspector iptables PXE filter to cause DHCP packets from bare metal nodes to get dropped, which prevents provisioning.

  • Previously deprecated compute groups inner-compute and external-compute have now been removed in favor of the more simple compute group. Please be sure to update your inventory. Set neutron_compute_dvr_mode on nodes with which you wish to customise the value for neutron’s agent_mode.

  • All HAProxy-related variables have been moved from the haproxy role to the haproxy-common role, with the exception of the following which were also split and renamed after the move:

    • haproxy_listen_tcp_extra becomes haproxy_frontend_tcp_extra and haproxy_backend_tcp_extra

    • haproxy_listen_http_extra becomes haproxy_frontend_http_extra and haproxy_backend_http_extra

  • The following additional haproxy related variables have been created in the haproxy-common role:

    • haproxy_http_request_timeout: default http request timeout for haproxy

    • haproxy_queue_timeout: default queue timeout for haproxy

    • haproxy_connect_timeout: default connect timeout for haproxy

    • haproxy_check_timeout: default check timeout for haproxy

    • haproxy_health_check: default health check string for haproxy

    • haproxy_service_template: select which haproxy config style to use

  • Rabbitmq has been updated to 3.7.x. This comes with a new config format which is now called rabbitmq.conf rather than rabbitmq.config.

Deprecation Notes

  • Deprecates support for deploying Ceph. In a future release support for deploying Ceph will be removed from Kolla Ansible. Prior to this we will ensure a migration path to another tool such as Ceph Ansible is available. For new deployments it is recommended to use another tool to deploy Ceph to avoid a future migration. This can be integrated with OpenStack by following the external Ceph guide.

  • The cinder_iscsi_helper variable has been renamed to cinder_target_helper. Use of cinder_iscsi_helper is deprecated, and will be removed during or after the Train release.

Security Issues

  • When the MariaDB backup option is enabled, it will create a new database which is used to keep track of backup-related metadata, along with a new backup user with a specific set of permissions limited to backup-related actions only.

Bug Fixes

  • Adds system hostnames to /etc/hosts, if different from short hostnames. This can fix live migration of Nova instances in some contexts. See bug 1830023 for details.

Other Notes

  • While Kolla Ansible now avoids duplicating Nova cells when messaging or database connection information are changed, operators of existing deployments should perform a manual cleanup of duplicate cells using the nova-manage cell_v2 command from a container running the nova_api image, leaving only two cells, one named cell0 and another one with the right connection information.