Current Series Release Notes
18.0.0.0b1-429
New Features
Enable VeNCrypt authentication scheme from noVNC proxy to compute nodes. When using HTTPS, the TLS encryption only applies to data between the tenant user and proxy server. To provide protection from the noVNC proxy to the Compute Nodes, it is necessary to enable the VeNCrypt authentication scheme for VNC.
A pre-existing PKI (Public Key Infrastructure) setup is required.
To help with the transition from unencrypted VNC to VeNCrypt, the compute nodes' auth scheme initially allows both encrypted and unencrypted sessions, controlled by the variable nova_vencrypt_auth_scheme. This will be removed in future releases.
This role now optionally enables your compute nodes’ KVM kernel module nested virtualization capabilities, by setting nova_nested_virt_enabled to true. Depending on your distribution and libvirt version, you might need to set additional variables to fully enable nested virtualization. For details, please see https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#nested-guest-support.
It is now possible to use NFS mountpoints with the role by using the nova_nfs_client variable, which is useful for using NFS for instance data and saves.
Added extra variables to control Blazar integration with Nova:
- nova_blazar_enabled (bool) - Control if Blazar integration should be configured
- nova_blazar_scheduler_filters (list) - Extra filters that will be enabled in Nova scheduler
- nova_blazar_pip_packages (list) - Extra Python packages that will be installed on Nova scheduler hosts
Added variable nova_ssh_custom_config, which allows applying extra configuration to the SSH connection established by Nova Compute while performing offline migrations or resizes. It can be used to define a custom SSH port or ProxyJump.
Implemented new variable connection_recycle_time, responsible for SQLAlchemy’s connection recycling.
The nova configuration is updated to always specify an LXD storage pool name when ‘nova_virt_type’ is ‘lxd’. The variable ‘lxd_storage_pool’ is defaulted to ‘default’, the LXD default storage pool name. A new variable ‘lxd_init_storage_pool’ is introduced which specifies the underlying storage pool name. ‘lxd_init_storage_pool’ is used by lxd init when setting up the storage pool. If not provided, lxd init will not use this parameter at all. Please see the lxd man page for further information about the storage pool parameter.
Added variable nova_cell_force_update that can be set to True during runtime to force update cell records. This might be useful in case of password rotation for DB users for cell0 or any other changes in connection configuration.
You can now set the Libvirt CPU model and feature flags from the appropriate entry under the nova_virt_types dictionary variable (normally kvm). nova_cpu_model is a string value that sets the CPU model; this value is ignored if you set any nova_cpu_mode other than custom. nova_cpu_model_extra_flags is a list that allows you to specify extra CPU feature flags not normally passed through with host-model, or the custom CPU model of your choice.
A new variable nova_ironic_console_type is added to enable the deployment of one of the nova console proxies in the ironic_console ansible group. The only supported settings at this time are disabled or serialconsole.
Support is added to the os_nova ansible role to deploy resource provider config files to nova compute nodes. This allows automatic configuration of resource providers without having to use the openstack API or command line.
The service setup in keystone for nova will now be executed through delegation to the nova_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override in user_variables.yml:
nova_service_setup_host: "{{ groups['utility_all'][0] }}"
Added nova_console_proxy_types list variable for use when deployments have a mix of nova console types for different compute nodes.
Added option to periodically clean up deleted records from the Nova database. Having a lot of records for deleted instances affects service performance. For this, 2 new services are being introduced: nova-archive-deleted and nova-purge-deleted, which will be called periodically using corresponding systemd timers on the first nova-conductor host.
By default these services are disabled/stopped and database cleanup is not performed. You can enable this behaviour by defining variables nova_archive_deleted and nova_purge_deleted.
Service nova-archive-deleted will execute nova-manage db archive_deleted_rows while nova-purge-deleted will execute nova-manage db purge. Please refer to the nova-manage documentation for more information on what these commands do: https://docs.openstack.org/nova/latest/cli/nova-manage.html
Re-added nova_dhcp_domain variable that defaults to the dhcp_domain. When set to empty string, only the hostname without a domain will be configured for the instances.
Added variable nova_scheduler_extra_filters, which allows extending the default list in nova_scheduler_default_filters.
New variables nova_glance_rbd_inuse and nova_glance_images_rbd_pool have been implemented that allow deployers to easily configure nova to retrieve glance images from RBD directly, if nova uses local storage for ephemeral drives.
The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the nova_install_method variable to distro.
Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in nova.
Nova now defaults to using the “QEMU-native TLS” feature for live migrations, rather than the deprecated SSH method. A pre-existing PKI (Public Key Infrastructure) setup is required.
QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
More information can be found here: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html
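A firewall check for the port requirement above, as an added example that is not part of these release notes or of the os_nova role. It assumes the compute host's rules are available in iptables-save format, and it counts any INPUT ACCEPT rule as permitting the port, ignoring source restrictions and rule order.

```python
import re

# Ports from the release note: TCP 16514 plus the range 49152 to 49261.
REQUIRED = [(16514, 16514), (49152, 49261)]

def accepted_tcp_ranges(rules_text):
    """Collect (low, high) TCP destination-port ranges from INPUT ACCEPT rules."""
    ranges = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not (line.startswith("-A INPUT") and "-p tcp" in line
                and line.endswith("-j ACCEPT")):
            continue
        m = re.search(r"--dports? (\S+)", line)  # --dport N or --dports A,B:C
        if not m:
            continue
        for spec in m.group(1).split(","):
            low, _, high = spec.partition(":")
            ranges.append((int(low), int(high or low)))
    return ranges

def uncovered(required, allowed):
    """Return the sub-ranges of `required` that no range in `allowed` covers."""
    gaps = []
    for low, high in required:
        cursor = low  # first required port not yet known to be covered
        for a_low, a_high in sorted(allowed):
            if a_high < cursor or a_low > high:
                continue
            if a_low > cursor:
                gaps.append((cursor, a_low - 1))
            cursor = max(cursor, a_high + 1)
        if cursor <= high:
            gaps.append((cursor, high))
    return gaps

# Constructed iptables-save excerpt, not taken from a real host.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49215 -j ACCEPT
COMMIT
"""
```

On the constructed sample, `uncovered(REQUIRED, accepted_tcp_ranges(SAMPLE))` reports the upper part of the migration range as still blocked.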
Known Issues
With the release of CentOS 7.5, all pike releases are broken due to a mismatch in version between the libvirt-python library specified by the OpenStack community, and the version provided in CentOS 7.5. As such OSA is unable to build the appropriate python library for libvirt. The only recourse for this is to upgrade the environment to the latest queens release.
Upgrade Notes
For deployments with nova_backend_ssl: True, TLS certificates for Nova API backends will be re-generated during upgrade. From now on they will be suffixed with _api.
If your configuration previously set the libvirt/cpu_model and/or libvirt/cpu_model_extra_flags variables in a nova_nova_conf_overrides dictionary, you should consider moving those to nova_cpu_model and nova_cpu_model_extra_flags in the appropriate entry (normally kvm) in the nova_virt_types dictionary.
During upgrade your current Nova cell mappings will be converted to use Template URLs. This means that your changes to transport_url or [database]/connection in nova.conf will be reflected by nova-conductor in cells just after service restart, without the need to explicitly run nova-manage cell_v2 update_cell.
The string value of nova_scheduler_default_filters has been converted to a list. At the moment there is compatibility for overridden values that are strings, but this support will be removed in future releases, so deployers are recommended to replace their string overrides with list ones.
If you’re using NSX or Nuage network drivers, make sure you have replaced the definition of nova_network_type with the appropriate nova_nova_conf_overrides. Please consult the os_neutron documentation on the required overrides.
The default nova console type has been changed to novnc. Spice is still supported; however, due to novnc being more actively maintained, it is now a better default option.
The following Nova tunables have been removed, users need to start using the nova_nova_conf_overrides dictionary to override them. If those values were not previously overridden, there should be no need to override them.
- nova_quota_cores
- nova_quota_injected_file_content_bytes
- nova_quota_injected_file_path_length
- nova_quota_injected_files
- nova_quota_instances
- nova_quota_key_pairs
- nova_quota_metadata_items
- nova_quota_ram
- nova_quota_server_group_members
- nova_quota_server_groups
- nova_max_instances_per_host
- nova_scheduler_available_filters
- nova_scheduler_weight_classes
- nova_scheduler_driver
- nova_scheduler_driver_task_period
- nova_rpc_conn_pool_size
- nova_rpc_thread_pool_size
- nova_rpc_response_timeout
- nova_force_config_drive
- nova_enable_instance_password
- nova_default_schedule_zone
- nova_fatal_deprecations
- nova_resume_guests_state_on_host_boot
- nova_cross_az_attach
- nova_remove_unused_resized_minimum_age_seconds
- nova_cpu_model
- nova_cpu_model_extra_flags
The following Nova variables have been removed because they have no effect in the current release of Nova.
- nova_max_age
- nova_osapi_compute_workers
- nova_metadata_workers
Deprecation Notes
Variable nova_glance_api_servers has been removed and has no effect due to the corresponding upstream api_servers being deprecated.
The PowerVM driver has been removed as it is not tested and it has been broken since late 2016 due to the driver name being renamed to powervm_ext instead of powervm.
The variable nova_compute_pip_packages is no longer used and has been removed.
The variable nova_requires_pip_packages is no longer required and has therefore been removed.
Variables nova_novncproxy_agent_enabled, nova_serialconsoleproxy_enabled and nova_console_agent_enabled are removed and won’t have any effect in the future. If you want to disable console functionality, set nova_console_type: disabled in your user_variables.yml.
nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.
Variable nova_enabled_vgpu_types has been deprecated and is replaced with nova_enabled_mdev_types.
Variable nova_memcached_servers has been deprecated and replaced with nova_cache_servers that defaults to memcached_servers. For backwards compatibility nova_memcached_servers is still respected but will be removed in future releases.
Variables nova_network_type and nova_network_services have been deprecated and will be silently ignored in the future. Please use nova_nova_conf_overrides if you need to define the ovs_bridge option for specific network drivers, like nsx or nuage.
nova-placement-api has been removed from the os_nova role, along with all nova_placement_* variables. Please review the os_placement role for information about how to configure the new placement service.
nova_ram_weight_multiplier was deprecated. Multipliers should be defined using nova_nova_conf_overrides. Please note that the default value for nova_ram_weight_multiplier was previously set to 5, while the nova default is 1. This deprecation will slightly change weighing behavior in OSA.
Variables nova_external_ssl and nova_secure_proxy_ssl_header have been removed since the secure_proxy_ssl_header option in nova.conf that they controlled has been deprecated and has no effect.
The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.
- nova_oslomsg_rpc_servers replaces nova_rabbitmq_servers
- nova_oslomsg_rpc_port replaces nova_rabbitmq_port
- nova_oslomsg_rpc_use_ssl replaces nova_rabbitmq_use_ssl
- nova_oslomsg_rpc_userid replaces nova_rabbitmq_userid
- nova_oslomsg_rpc_vhost replaces nova_rabbitmq_vhost
- nova_oslomsg_notify_servers replaces nova_rabbitmq_telemetry_servers
- nova_oslomsg_notify_port replaces nova_rabbitmq_telemetry_port
- nova_oslomsg_notify_use_ssl replaces nova_rabbitmq_telemetry_use_ssl
- nova_oslomsg_notify_userid replaces nova_rabbitmq_telemetry_userid
- nova_oslomsg_notify_vhost replaces nova_rabbitmq_telemetry_vhost
- nova_oslomsg_notify_password replaces nova_rabbitmq_telemetry_password
The nova-lxd driver is no longer supported upstream, and the git repo for its source code has been retired on the master branch. All code for deploying or testing nova-lxd has been removed from the os_nova ansible role. The following variables have been removed:
nova_supported_virt_types ‘lxd’ list entry
nova_compute_lxd_pip_packages
lxd_bind_address
lxd_bind_port
lxd_storage_backend
lxd_trust_password
lxd_storage_create_device
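A pre-upgrade audit for the upgrade and deprecation notes above, as an added example that is not part of these release notes or of the os_nova role. It covers the renamed variables and the tunables that moved to nova_nova_conf_overrides, and it assumes overrides are plain top-level keys in a user_variables.yml style file; the function and constant names are hypothetical.

```python
import re

# All variable names below come from the notes on this page.
RENAMED = {
    "nova_pci_passthrough_whitelist": "nova_device_spec",
    "nova_enabled_vgpu_types": "nova_enabled_mdev_types",
    "nova_memcached_servers": "nova_cache_servers",
    "nova_rabbitmq_telemetry_password": "nova_oslomsg_notify_password",
}
for k in ("servers", "port", "use_ssl", "userid", "vhost"):
    RENAMED[f"nova_rabbitmq_{k}"] = f"nova_oslomsg_rpc_{k}"
    RENAMED[f"nova_rabbitmq_telemetry_{k}"] = f"nova_oslomsg_notify_{k}"

# Tunables that must now be set through nova_nova_conf_overrides. nova_cpu_model
# and nova_cpu_model_extra_flags are left out: another note places them under
# the nova_virt_types dictionary instead.
TO_OVERRIDES = """
nova_quota_cores nova_quota_injected_file_content_bytes nova_quota_injected_files
nova_quota_injected_file_path_length nova_quota_instances nova_quota_key_pairs
nova_quota_metadata_items nova_quota_ram nova_quota_server_group_members
nova_quota_server_groups nova_max_instances_per_host nova_scheduler_driver
nova_scheduler_available_filters nova_scheduler_weight_classes
nova_scheduler_driver_task_period nova_rpc_conn_pool_size nova_rpc_thread_pool_size
nova_rpc_response_timeout nova_force_config_drive nova_enable_instance_password
nova_default_schedule_zone nova_fatal_deprecations nova_cross_az_attach
nova_resume_guests_state_on_host_boot nova_remove_unused_resized_minimum_age_seconds
nova_ram_weight_multiplier nova_network_type nova_network_services
"""
ADVICE = {old: f"rename to {new}" for old, new in RENAMED.items()}
ADVICE.update({n: "move to nova_nova_conf_overrides" for n in TO_OVERRIDES.split()})
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_]\w*)\s*:")  # indented and commented keys are skipped

def audit(text):
    """Return (line_no, variable, advice) for each flagged top-level variable."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        m = TOP_LEVEL_KEY.match(line)
        if m and m.group(1) in ADVICE:
            found.append((no, m.group(1), ADVICE[m.group(1)]))
    return found

# Constructed sample of a user_variables.yml, not taken from a real deployment.
SAMPLE = """\
nova_rabbitmq_use_ssl: true
nova_quota_cores: 40
# nova_memcached_servers: 172.29.236.10:11211
nova_pci_passthrough_whitelist: []
nova_console_type: novnc
"""
```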
Bug Fixes
PKI role idempotence has been fixed for the metal scenario when nova-compute was placed on the same hosts as nova-api. Previously, certificates were re-generated each run due to non-unique names.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Fixes the absence of libvirtd.service on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, they do not install libvirt-daemon as a dependency of libvirt-daemon-kvm anymore. libvirt-daemon is installed explicitly now.
In order to prevent further issues with a libvirt and python-libvirt version mismatch, KVM-based compute nodes will now use the distribution package python library for libvirt. This should resolve the issue seen with pike builds on CentOS 7.5.
Fixed behaviour of variable nova_spice_console_agent_enabled. It can be safely used now to disable spice agent when needed.
Due to a missing parameter, Nova cell0 used to be configured to not use TLS for MySQL communication even when nova_galera_use_ssl was explicitly enabled. It is fixed now and cell0 should be updated on the next playbook run.
Other Notes
Set new default values for db pooling variables which are inherited from the global ones.
In order to align with the reverted oslo.messaging default for the heartbeat_in_pthread value, we removed our own logic for handling the value based on host groups. You can still use oslomsg_heartbeat_in_pthread or specific role variables to alter the behaviour.