2023.1 Series Release Notes
The Keystone OIDC parameter ``oidc_redirect_uri`` is replaced with ``oidc_redirect_path``. This parameter no longer needs to be set explicitly unless you run additional services on the same port as Keystone which may collide with the default. Your OIDC provider may need to be updated to reflect this change in the redirect URI, which defaults to the Keystone public URL plus the path ``/oidc_redirect``.
Fixed the OpenStack command line OIDC integration when Apache mod_auth_openidc is >= v2.4.9, including on Ubuntu Jammy.
The ``localhost`` target was explicitly added to the OSA inventory due to bug #2041717. As a result, the ‘all’ group now contains localhost, and custom playbooks targeting ‘all’ may need adjustment, e.g.:
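As an added illustration, not taken from the release notes, this is a custom playbook that previously targeted ‘all’ and now excludes the localhost target with an Ansible host pattern; the play name and task are constructed for this example:

```yaml
# Added example, not from the OpenStack-Ansible release notes.
# With localhost now a member of the 'all' group, a play that must only
# touch the managed remote hosts excludes it with a host pattern.
- name: Configure only remote hosts managed by OpenStack-Ansible  # constructed play
  hosts: "all:!localhost"   # 'all' minus the localhost target; the '!' must be quoted in YAML
  gather_facts: true
  tasks:
    - name: Report where this play runs
      ansible.builtin.debug:
        msg: "Running on {{ inventory_hostname }}"

# Work that really belongs on the deployment host is addressed explicitly
# instead of being picked up implicitly through 'all'.
- name: Tasks intended for the deployment host only
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Confirm the play is scoped to localhost
      ansible.builtin.debug:
        msg: "Running on {{ inventory_hostname }}"
```

Running the first play with ``--list-hosts`` before and after the change shows whether localhost was silently included in the host list.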
HAProxy services that use backend nodes that are not in the Ansible inventory can now have the ``backend_port`` specified in the list, along with the ``ip_addr`` settings. This allows the service to be bound to a different port on different backend servers.
``galera_backups_increment_init_overrides`` can be leveraged to override the default set of systemd unit files for MariaDB backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc.
HAProxy services can now override the path of the certificate with ``haproxy_ssl_path`` if set under the service definition.
``openstack_host_journald_config`` allows supplying arbitrary configuration for systemd-journald as a mapping.
``nova_pci_passthrough_whitelist`` is now deprecated in favor of ``nova_device_spec``.
``common-playbooks/nova.yml`` has been deprecated and removed. All content from it now resides inside
Fixes the use of Apache mod_auth_openidc on Ubuntu Jammy, where the new ``OIDCXForwardedHeaders`` configuration option is required.
``lxc_image_cache_expiration`` controls how long a cached LXC image remains valid. The default value is 1year. The variable format should be compatible with the ``community.general.to_time_unit`` filter.
Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool. Also introduces new Ansible variables that control the above-mentioned parameters.
Each backup archive is stored in a dedicated directory, alongside the backup metadata.
Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set the corresponding variable to True. Choose a compression tool with ``galera_mariadb_backups_compressor``, which has a default.
The LXC image cache expiration mechanism has been fixed. Previously, LXC images were valid forever.
Compute nodes are no longer all added as OVN gateways by default; the ``network-gateway_hosts`` definition is respected.
It is now possible to create and manage third-party services, mount points and networks on hosts managed by OpenStack-Ansible. This also includes networks that are required for the OpenStack-Ansible installation, like br-mgmt or br-storage. To configure specific resources on a selected set of hosts, use group_vars or host_vars.
``uwsgi_bind_address`` can now be a single IP address passed as a string, or a list of IP addresses passed as a YAML list, to the uwsgi role. This allows uwsgi to listen on a specific set of IP addresses rather than just a single one.
Support and documentation are added to the ceph_client role for enabling the Ceph Immutable Object Cache and the Persistent Write Log cache.
Added an option to periodically clean up deleted records from the Cinder database. For this purpose a new service, ``cinder-purge-deleted``, was introduced. It is called periodically by a corresponding systemd timer on the first cinder-api host.
By default this service is disabled/stopped and database cleanup is not performed. You can enable this behaviour by defining the variable
A new key ``haproxy_default_backend`` can be defined for each service configured in the haproxy loadbalancer. Configuring this variable writes a value for the ``default_backend`` directive into the config for the service frontend. It can be useful to provide a specific default backend as a fall-through option when other backends are selected using ACLs, and to also allow the name of the default backend to be different from
Automatic generation of ``ansible_<variable>`` fact vars is now disabled when using the ``openstack-ansible`` command. There is now less data to pass to the target hosts when executing ansible modules. The same values are now accessed as follows:
The configuration for serving port 80/443 in haproxy was previously associated with the Horizon service, but additional features such as handling certificate issuance with certbot and serving security.txt also need configuration in the same haproxy frontend. The existing variable ``haproxy_horizon_service`` now only describes the haproxy backend for horizon, and a new variable ``haproxy_base_service`` configures the haproxy frontend for any services using port 80/443.
A new key ``haproxy_map_entries`` can now be configured for each haproxy service definition to allow arbitrary entries to be placed in any number of haproxy map files, which may then be referenced in other directives in the haproxy config file such as ``http-request``. The complete map files are constructed from the fragments defined across all the service definitions and are assembled in alphanumeric sort order, or optionally with a user-defined ordering.
A ``management_ip`` option can be defined in conf.d or openstack_user_config.yml files for hosts. It might be useful if the SSH network for accessing hosts differs from the OpenStack management network. The ``management_ip`` option should be set to an IP address on the host's management network, while the ``ip`` option continues to represent the SSH address that Ansible uses to access the host.
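An added example (not from the OpenStack-Ansible documentation) of an openstack_user_config.yml fragment for hosts whose SSH network differs from the management network; the host names and both address ranges are constructed for this illustration:

```yaml
# Added example, not from the OpenStack-Ansible release notes.
# The SSH network (192.0.2.0/24, constructed) is separate from the
# OpenStack management network (172.29.236.0/22, constructed).
compute_hosts:
  compute1:
    ip: 192.0.2.11                # SSH address Ansible connects to
    management_ip: 172.29.236.11  # address on the management network (br-mgmt)
  compute2:
    ip: 192.0.2.12
    management_ip: 172.29.236.12

storage_hosts:
  storage1:
    ip: 192.0.2.21
    management_ip: 172.29.236.21
```

When ``management_ip`` is omitted for a host, the ``ip`` value keeps serving both purposes, so hosts can be migrated to a separate SSH network one group at a time.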
When the ``ironic_drivers_enabled`` variable from the os_ironic role includes a driver which uses the ``ipmitool-socat`` console interface, that interface is now enabled automatically in the ``enabled_console_interfaces`` config option. New variables including ``ironic_socat_port_range`` are added to support further customisation of the serial console data flow.
``lxc_net_bridge_type`` controls the type of lxcbr0: as of today it can be set to either linuxbridge or openvswitch. The default value is linuxbridge, which preserves the previous behaviour.
A new driver type ``no_driver`` is defined in the os_ironic role which enables the ``no-inspect`` interfaces in the ironic configuration. This driver is added to the default set of drivers configured by the ironic ansible role.
Support is added to the os_nova ansible role to deploy resource provider config files to nova compute nodes. This allows automatic configuration of resource providers without having to use the OpenStack API or command line.
Added an option to periodically clean up deleted records from the Nova database. Having a lot of records for deleted instances affects service performance. With that, 2 new services are introduced:
``nova-purge-deleted``, which will be called periodically by corresponding systemd timers on the first nova-conductor host.
By default these services are disabled/stopped and database cleanup is not performed. You can enable this behaviour by defining the variables
``nova-archive-deleted`` will execute ``nova-manage db archive_deleted_rows`` while ``nova-purge-deleted`` will execute ``nova-manage db purge``. Please refer to the nova-manage documentation for more information on what these commands do: https://docs.openstack.org/nova/latest/cli/nova-manage.html
Added new variables that allow users to configure extra systemd services, networks or mounts on OpenStack hosts. While services and mounts can be configured on any targeted hosts, networks will be created only on bare metal nodes. To configure extra networks in containers, please refer to the ``openstack_user_config.yml`` documentation. A list of the new variables that were added:
``venv_pip_install_env`` allows setting extra environment variables during wheel builds or venv installation.
``pki_handler_cert_installed`` controls the name of the meta handlers which the role triggers when included. This might be useful if multiple roles that leverage the pki role are included within the same playbook and you want better control over handler execution.
Haproxy services are now configured separately at the beginning of each service playbook.
Variables including ``openstack_github_base_url`` have been implemented that allow quickly changing the base URL of the repositories for all used services. This might be useful for environments with limited connectivity or in case of issues with one of the mirrors.
``venv_build_group`` allows providing an ansible group name that will be used to find wheel build targets. The default is repo_all.
Any external or 3rd party integrations with openstack-ansible that use the ``openstack-ansible`` command line wrapper around ``ansible-playbook`` and access ansible facts via the ``ansible_<variable>`` pattern must be refactored to access those variables as follows: ``ansible_facts['variable']``. If this is not possible, the environment variable ``ANSIBLE_INJECT_FACT_VARS`` can be set to ``True`` to restore the previous behaviour.
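An added example, not from the release notes, of the refactoring described in this note and in the earlier note on disabled ``ansible_<variable>`` fact generation: tasks that read the same facts from the ``ansible_facts`` dictionary, including the ``hostvars`` form for other hosts' facts. The task names and the package used are constructed for the illustration:

```yaml
# Added example, not from the OpenStack-Ansible release notes.
# Old pattern, which only works while fact injection is enabled
# (or when ANSIBLE_INJECT_FACT_VARS=True is exported):
#   msg: "{{ ansible_distribution }} {{ ansible_distribution_version }}"

- name: New pattern; read facts from the ansible_facts dictionary
  ansible.builtin.debug:
    msg: "{{ ansible_facts['distribution'] }} {{ ansible_facts['distribution_version'] }}"

- name: Facts of other play hosts live under hostvars[host]['ansible_facts']
  ansible.builtin.debug:
    msg: "{{ item }} -> {{ hostvars[item]['ansible_facts']['default_ipv4']['address'] }}"
  loop: "{{ ansible_play_hosts }}"   # magic variable, not a fact; unaffected by the change
  when: hostvars[item]['ansible_facts']['default_ipv4'] is defined

- name: Conditionals use the same dictionary
  ansible.builtin.package:
    name: haproxy   # constructed package choice
    state: present
  when: ansible_facts['os_family'] == 'Debian'
```

The ``hostvars[...]['ansible_facts']`` form matters for lookups across hosts: ``hostvars[host]['ansible_default_ipv4']`` is exactly the injected variable that no longer exists when injection is off.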
The ``keystone_security_txt_content`` variable name has changed to ``haproxy_security_txt_content``. The security.txt file is now served directly from haproxy.
``keystone_ssl`` was deprecated in favor of
If you’re using the NSX or Nuage network drivers, make sure you have replaced the definition of the deprecated variable with ``nova_nova_conf_overrides``. Please consult the os_neutron documentation on the required overrides.
The default provider driver for Octavia has been changed to ``amphorav2``, since the amphora and octavia drivers are deprecated for removal.
Default values for variables including ``octavia_enable_anti_affinity`` have been switched to ``True`` accordingly, to reflect the most reasonable production setup. You can define these variables to their previous defaults if you want to preserve the previous behaviour.
The default value for ``octavia_security_group_rule_cidr`` is changed and defined as the CIDR of the Octavia management network. To preserve the previous behaviour, override the variable to 0.0.0.0/0.
Support for the calico ml2 driver is removed. It will not be possible to upgrade an existing deployment using calico networking.
Certbot-auto has been deprecated since 2020. It was removed from the haproxy_server role.
``is_container_address``, which is used in the definition of provider_networks, has been renamed to ``is_management_address`` to avoid confusion for bare metal deployments. Backwards compatibility was kept.
``container_address`` has been deprecated in favor of ``management_address``, which is available since the Victoria release and was defaulted to the value of
Variables including ``horizon_ssl_self_signed_subject`` are deprecated. The Horizon role now uses ansible-role-pki, so they are no longer needed.
Variables including ``nova_network_services`` have been deprecated and will be silently ignored in the future. Please use ``nova_nova_conf_overrides`` if you need to define the ``ovs_bridge`` option for specific network drivers, like nsx or nuage.
RabbitMQ packages are no longer provided by PackageCloud, as the upstream repository is no longer available after 2023-05-28. Installations now use a community mirror of the CloudSmith repositories for rabbitmq and erlang.
The ``haproxy_service_configs`` format was simplified. Now it’s just a list of dicts. Usage of the previous format of ``haproxy_service_configs`` elements is deprecated and will be removed in the 2023.2 release.
Fixes the incorrect definition of ceilometer ``polling_namespaces`` when a host is part of both the central and compute groups (i.e. the metal/aio scenario).
Fixes the absence of ``libvirtd.service`` on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, libvirt-daemon is no longer installed as a dependency of libvirt-daemon-kvm. libvirt-daemon is now installed explicitly.
Fixed an issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts in the OVN scenario alongside neutron-ovn-metadata-agent. These services will be disabled and masked for existing environments. Manual clean-up of the systemd services and the corresponding neutron agents is still needed. New deployments won’t have these services deployed from the beginning.
After the haproxy base service was added, the dummy letsencrypt service is no longer needed for deployments without horizon and should be removed.
``horizon_enable_ssl`` has been renamed to ``horizon_backend_ssl`` for consistency reasons.
The default value for ``horizon_enable_ssl`` has changed to False (or ``openstack_service_backend_ssl`` if it is defined).
``openstack_service_accept_both_protocols`` was implemented to temporarily accept both HTTP and HTTPS traffic on haproxy frontends. It is useful when changing the protocol of service endpoints.
Version of RabbitMQ is bumped to 3.11.7, Erlang version is bumped to 25.2.
The SHAs of services used during source installs were moved from the playbooks/defaults/repo_packages folder to inventory/group_vars/<service_group>/source_git.yml files that correspond to each individual service.
Haproxy service definitions (along with their overrides) are no longer stored in haproxy group vars. They were moved to service variables, so for example ``glance_haproxy_services`` is stored in the glance_all group variables.
The structure of ``haproxy_extra_services`` was simplified. Now it’s just a list of dicts. It has the same format as
uWSGI support was implemented in the os_blazar role.
The default value of ``venv_wheel_build_enable`` has been changed. Wheels are now built when there is at least a single host in ``venv_build_group``. Previously it depended on the number of hosts targeted by the play.