Wallaby Series Release Notes


Bug Fixes

  • Fixes an issue with Swift deployment via Kolla Ansible caused by the fix to CVE-2022-38060. The kolla-toolbox container now have its own sudoers secure_path configuration which allows the necessary binaries to execute.


Other Notes

  • Added ‘–retry 5’ to curlrc to improve curl downloads during image builds.


Upgrade Notes

  • To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE environment variables in kolla-built containers has been dropped. Now, only the single trusted path of /var/lib/kolla/config_files/config.json will be utilised for loading container config. We believe this is a reasonable tradeoff as these environment variables were not used by any known downstream and potential users in the wild can easily adapt as this does not limit the functionality per se, only making it stricter as to where the config can come from.

Security Issues

  • Fixes CVE-2022-38060, a sudo privilege escalation vulnerability. LP#1985784


Bug Fixes

  • Fixes CentOS builds of Skydive SEGV on startup. Skydive versions prior to 0.28.0 panic on newer versions of libc. This especially affects Centos 8. LP#1940862

  • Fixes problems when running with docker-py >=6. LP#1988121


Bug Fixes

  • Fixes wrong update-alternatives usage on CentOS. LP#1936947


New Features

  • Updates the OpenStack exporter for Prometheus to version 1.6.0.

  • Added an –repos-yaml argument to allow user to provide own file with definitions of external package repositories. Useful for those building in offline environments with set of internal mirrors.

Upgrade Notes

  • The updated OpenStack exporter for Prometheus uses the latest Nova API microversion by default, resulting in changes to existing metrics. To keep existing behaviour, set prometheus_openstack_exporter_compute_api_version to 2.1.

Bug Fixes

  • The apt-get update command by default didn’t fail on erroneous source repositories, it show the warning ‘W: Some index files failed to download. They have been ignored, or old ones used instead.’ and continue to work. This causes some containers (eg. rabbitmq, kolla-toolbox) successfully built, but makes them inconsistent because the official Ubuntu repository contains packages with the same names. Now we use apt-get -eany update command to stop building with an error in such cases.


New Features

  • Adds Cyrus SASL packages necessary for the DIGEST-MD5 and SCRAM-SHA-256 mechanisms. These can be used for libvirt SASL authentication. LP#1964013

  • Quiet mode (enabled with --quiet argument) can be combined with --logs-dir option now. Console output will be quiet as expected while building output will be stored in separate log files.

Upgrade Notes

  • The Debian and Ubuntu images use rabbitmq and erlang from cloudsmith now. Operators might want to mirror/proxy this new source as it provides the correct set of packages unlike the previous combination.

Security Issues

  • Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE) vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.

Bug Fixes

  • Fixes an issue with Ironic deployments using UEFI and iPXE, where the default UEFI iPXE bootloader in Ironic was not available in the TFTP server. This affects all Kolla releases on CentOS, and Xena on Debian/Ubuntu. LP#1959203

  • Installs glusterfs-client in Debian and Ubuntu manila-share images to support GlusterFS across supported distributions. LP#1964140

  • Latest version of the elasticsearch gem no longer works with older (OSS) versions of Elasticsearch. This is fixed by capping the version of the elasticsearch gem installed into the fluentd container. LP#1954759

  • Fixes an issue when older version of Python OpenvSwitch bindings package was used, than the running OpenvSwitch code. LP#1961874

  • Fix AArch64 ubuntu ironic-python-agent images UEFI PXE booting failure. Also fix x86_64 lacking of GRUB efi files issue. LP#1879265

  • Fixes an issue building images that use a source with a type of git, when using a git that includes the fix for CVE-2022-24765 (2.35.2 or later). By default, this includes the gnocchi-base image, but may include other images with a non-default configuration. LP#837710

  • Fixes disabling the use of the curlrc configuration file in healthcheck_curl. LP#1967272

  • Fixes an issue seen when using Jinja2 3.1.0.

  • Fixes an issue with missing Magnum Keystone auth default policy. LP#1957159

  • Fixes the Debian and Ubuntu images to use rabbitmq and erlang from cloudsmith so that the images are still buildable and use proper versions.

  • Fixes set_configs.py configuring same permission for directories and files, causing directories lacking execute permission if not set for files.


New Features

  • Add masakari-dashboard to debian binary horizon image.

  • Support for Debian/Ubuntu binary (aka packaged) CloudKitty images.

  • Adds support for the ironic-neutron-agent image in Debian and Ubuntu binary images. Also adds support for the baremetal ML2 driver in the neutron-server image in Debian and Ubuntu binary images.

  • Improve the way offline scenario are supported:
    • Switching dumb-init installation to distribution provided packages.

  • Allow to set group for user.

Upgrade Notes

  • Debian now uses upstream MariaDB repos (thus following Ubuntu images). This is done to avoid issues like the related one and have an easy workaround of pinning to chosen MariaDB version if need arises. Operators may want to reflect this in their repo mirrors and proxies. LP#1944410

  • Gnocchi version has been updated to 4.4.1.

Bug Fixes

  • Adds an option to the monasca-thresh container which checks if the topology is currently submitted (KOLLA_BOOTSTRAP), with an option to kill it (TOPOLOGY_REPLACE). Topology names and various timeouts may be customized. LP#1808805

  • Fixes missing boto3 library required by glance_store. LP#1884259

  • Fixes an issue with logs going missing in the Fluentd pipeline by pinning td-agent to 4.0.* also on Debian. LP#1930867 [Debian]

  • Fix missing default policy files for debian-binary-horizon. LP#1933759

  • Fixes user uid inconsistency beetween base and openstack-base debian binary images. LP#1934753

  • Add missing pacemaker cli utils to Debian hacluster images. LP#1934788

  • Fixes an issue with cinder-volume missing lsscsi and nvme commands on Debian and Ubuntu. LP#1942038

  • Fixes kolla-toolbox ansible.log logging for different users than ansible. LP#1942846

  • CentOS nova-compute image has linux-firmware package removed to save image size by ~500MB. LP#1926801

  • Fixes an issue with Elasticsearch curator not working due to too new python elasticsearch library. LP#1941073

  • Fixes “Permission denied” issue for swift-recon tool that appears when swift-recon tool tries to access deafult recon_lock_path

  • Fixes an issue with the logstash image which was incompatible with the last OSS version (7.10) of Elasticsearch. Logstash is now pinned to 7.9. LP#1941754

  • Ensures the nvme-cli package is present in nova-compute images, as it expected by os-brick.


Bug Fixes

  • Fixes debian image build failure caused by the official Debian bullseye release changing the os identification. LP#1933770


New Features

  • Adds the Monasca datasource plugin to the Grafana image. This allows Monasca users to visualise metrics in Grafana without using the Monasca Grafana fork.

  • Adds prometheus-v2-server image for Prometheus version 2.x.

  • Adds a new [DEFAULT] allowed-to-fail configuration option. It can be used to define a list of images which are allowed to fail during builds without marking the whole build as failed.

    The main use of this option is to keep CI systems in a working state despite some less important images failing.

  • Debian ‘bullseye’ is now used instead of ‘buster’. Bullseye is the next stable release of Debian, and is currently in a ‘freeze’ state. Several images gained Debian support with the move to bullseye.

  • Support for Debian binary (aka packaged) Masakari images.

  • Support for Ubuntu binary (aka packaged) Masakari images.

  • octavia-driver-agent image was added to support other Octavia providers than amphora.

Upgrade Notes

  • Kolla now no longer supports CentOS 8.2 and below. This is to support CentOS 8.3 without extra workarounds (please see the fixes section for more details). The promise is to support the latest CentOS 8 release which is 8.3 now.

  • The monasca-grafana image has been dropped because it was using several deprecated components and was not buildable. Support for Monasca datasource was added into standard grafana instead.

  • Changed default of network_mode to host since Kolla-Ansible bootstrap-servers is deploying Docker without a bridge by default since Wallaby

  • RabbitMQ and Erlang packages are now installed from packagecloud.io (and PPA for Debian/Ubuntu) since bintray.com is getting shut down May 1st, 2021.

  • The Karbor project is no longer maintained and retired since Wallaby cycle . Its images and support is also removed since Wallaby cycle.

  • Docker image mariadb has been removed. mariadb-server image has been introduced in Victoria release with deprecation of mariadb image at the same time.

  • The Qinling project is no longer maintained and retired since Wallaby cycle . Its image and support is also removed since Wallaby cycle.

  • The Searchlight project is no longer maintained and retired since Wallaby cycle . Its images and support is also removed since Wallaby cycle.

  • The following images are removed per the deprecation cycle: certmonger, ec2-api, heat-all, nova-mksproxy, novajoin, ptp, radvd, rsyslog, zaqar.

  • The zaqar image and related plugins are removed per the deprecation cycle.

  • Upgrades Elasticsearch, Logstash and Kibana (ELK) 6 images to ELK 7. Please see the upgrade notes in the official documentation

  • Three Neutron plugins are no longer provided by default in images: networking-ansible, networking-mlnx and vmware-nsx. The main reason is that they lag in synchronising with OpenStack release process. Their definitions have been moved to contrib/neutron-plugins directory. Please read the included README.rst in case you depend on them. Please note they are no longer included in published images.

Deprecation Notes

  • The chrony image is deprecated and will be removed in the Xena cycle.

  • Support for building ppc64le container images has been deprecated in Wallaby cycle and will be removed in Xena.

  • Deprecates support for Prometheus v1.x. In Xena release cycle support for this image will be removed from Kolla.

  • Support for using Red Hat Enterprise Linux as base of container images was deprecated. Please migrate to using CentOS Stream 8 based images.

  • The tempest and rally images are deprecated and will be removed in the Xena cycle. The reason is that these are not services of an OpenStack cloud but its clients.

Security Issues

  • Fixes security issue in Prometheus as per advisory.

Bug Fixes

  • Fixes MariaDB incremental backup failure when full backup was not created the same day. LP#1897948

  • Fixes an issue with Swift containers failing to start in Ubuntu binary images. LP#1905279

  • Fixes builds on CentOS 8.3 failing due to renamed repos. Notice Kolla now no longer supports CentOS 8.2 and below. LP#1907213

  • Fixes an issue with the kolla_set_configs --check command when the compared files are non-Unicode. LP#1913952

  • Fixes location of monitoring_policy in Horizon, so access policy is correctly enforced. Note that by current default, admin doesn’t not have Monitoring access. LP#1928408

  • Fix support for kolla install in ~/.local. LP#1930544

  • Fixes an issue with logs going missing in the Fluentd pipeline by pinning td-agent to 4.0.*. LP#1930867

  • Fixes issues arising from the lack of Debian updates repo being enabled. LP#1931544

  • Fixes an issue with the Fluentd Monasca output plugin related to a more recent openssl library. LP#1910382

  • Fixes Mistral source images to respect upper-constraints.

  • nova-compute uses daxio to cleanup vpmem backend device on instance delete. If the daxio binary is missing in the nova-compute container instance delete fails. daxio is provided in centos via daxio, in ubuntu via the pmdk-tools package.

Other Notes

  • Debian images enable the Debian updates repo now. This is aligned with the base Debian image.

  • CentOS images are using CentOS Stream 8 as a base.