2025.1 Series Release Notes
31.0.0
Prelude
To support efforts on aligning Cinder service type naming across various deployments and to move on from a version-specific service type to a generic one, the Cinder service will be named block-storage from now on, which will be reflected in the Keystone service catalog and endpoints. Please check the upgrade notes for more details.
Implemented a standalone httpd role for Apache Web Server (HTTPD) configuration that aims to be included in various roles that require Apache2 (e.g. keystone, horizon, skyline, etc.).
New Features
Added support for defining custom error files using haproxy_errorfiles. These files can be distributed alongside haproxy_static_files_extra.
Allow the definition of a custom sysctl config path through openstack_sysctl_file and/or haproxy_sysctl_file. Defaults to /etc/sysctl.conf to retain backwards compatibility.
Created a common httpd role to unify the approach for managing Apache2 installation and configuration across roles. The role is written in a relatively agnostic way and should be suitable for use outside of OpenStack-Ansible deployments as well.
Added variable repo_server_directory_root, which by default points to /var/www/repo and is used instead of repo_service_home_folder as the Apache DirectoryRoot for the virtual host.
Keys for static_routes were liberalized and can now accept any parameter supported by the [Route] section of systemd-networkd.
Added variables lxc_centos_repo_keys and lxc_centos_repos, which allow supplying a list of repositories that will be added to lxc_host. By default, the role keeps installing the EPEL repository with its GPG key.
Implemented flag network_overrides_only, which is applicable to systemd_networks. When this flag is used, no .network or .link definition is created, only the {{ filename }}.network.d/overrides.conf configuration file, which contains arbitrary data from config_overrides. This can be used to extend existing interface configuration that is not managed by the role directly (i.e. managed through netplan).
Added routing_rules to manage routing policy rules for the network interface. It is a list of mappings, where each mapping accepts keys applicable to the RoutingPolicyRule section of systemd.network. You can check the documentation for systemd.network for more details.
Implemented TLS encryption for the communication between the Load Balancer (HAProxy) and Skyline backends if openstack_service_backend_ssl is set to True.
Known Issues
It was discovered that LXC 5.0.3 in Ubuntu 24.04 (Noble Numbat) contains a packaging issue resulting in apparmor profiling conflicts. A temporary workaround has been applied in the lxc_hosts role to apply a hotfix to the profile. However, it will be wiped with the next update of the liblxc-common package. Please check bug #2110635 for more details on the issue.
On Ubuntu 24.04 (Noble Numbat), Ceph packages are available only from the native repository or Ubuntu Cloud Archive. Thus, version selection for Ceph is not available at the moment and Ceph Squid (19.2.X) is the only available option. This is subject to change whenever a community repository starts building packages for Ubuntu 24.04.
Upgrade Notes
Please be aware that the behavior for defining the resulting content of pipeline.yaml in Ceilometer has changed. Now, _ceilometer_pipeline_yaml_overrides is applied to all environments which do not have ceilometer_pipeline_user_content explicitly supplied. Prior behavior can be ensured by adding _ceilometer_pipeline_yaml_overrides: {} to user_variables.yml.
EL no longer needs to carry the thm COPR repo to install LXC, as LXC is now provided by EPEL. The repository is removed during upgrade and dnf metadata is cleaned.
In order to align with recommendations on Cinder service naming, the os_cinder role will introduce a new service in the catalog named cinder of type block-storage and a corresponding set of endpoints representing it. The upgrade script will create a new file /etc/openstack_deploy/user_epoxy_upgrade.yml defining cinder_service_v3_enabled: true, which aims to keep the old version-based service type and endpoints intact. If you want to remove the old version-based endpoints and service type from the catalog, you may simply undefine that variable, as it is False by default. All new deployments will not have the cinderv3/volumev3 service unless cinder_service_v3_enabled: true is defined.
Docker mode for zun-compute has been switched to “local” mode. This means that a supporting etcd cluster is no longer required for Zun to operate. If you want to preserve the old behavior, you will need to pin Docker and Containerd versions back and add zun_docker_kv_storage: etcd to user_variables.yml.
For deployments with Zun, underlying software versions were upgraded to:
* Docker 20.10.24 -> 27.5.1
* Containerd 1.6.20 -> 1.7.27
* Kata 3.1.0 -> 3.16.0
The os_skyline role was switched to using a standalone httpd role from the in-role httpd deployment.
The repo_server role was switched to using a standalone HTTPD role from the in-role HTTPD deployment.
If you use a custom path for the repo server vhost, please ensure that you use the repo_server_directory_root variable instead of repo_service_home_folder.
The following keys for the static_routes list were renamed in order to match the options available in systemd-networkd configuration files:
cidr -> Destination
gateway -> Gateway
While backwards compatibility was kept, it’s highly recommended to use the new keys, as support for the old key names will be removed in the future.
The ml2.lxb (linuxbridge) plugin has been removed from Neutron for this release and cannot be used anymore. Please ensure that you migrate to a supported Neutron driver before proceeding with the upgrade to this OpenStack version. Unfortunately, there is currently no automation for such a migration. You can refer to the blog post Migrating from LinuxBridge to OVN to learn more about how such migrations were achieved previously.
uWSGI for Neutron has been disabled again by default in favor of the eventlet server. This also stops and disables the following services needed for uWSGI mode:
neutron-periodic-workers
neutron-ovn-maintenance-worker
neutron-rpc-server
Any deployments using the amqp1 oslo.messaging driver should be migrated to use the default rabbitmq oslo.messaging driver. Previously deprecated support for amqp1 has been removed from oslo.messaging for the Epoxy release, see https://review.opendev.org/c/openstack/oslo.messaging/+/934116. Accordingly, support for amqp1 messaging and deployment of qdrouterd has been removed from OpenStack-Ansible. A migration away from amqp1 is required before any upgrade of OpenStack-Ansible to the Epoxy release. qdrouterd can be removed entirely from the deployment and ansible inventory once the migration to rabbitmq is complete.
Deprecation Notes
In order to accomplish Cinder service naming alignment, we have revised our prior decision on deprecating the following variables, which was introduced in the previous cycle. The following variables should NOT be considered deprecated anymore:
cinder_service_description
cinder_service_publicuri_proto
cinder_service_adminuri_proto
cinder_service_internaluri_proto
cinder_service_type
cinder_service_publicuri
cinder_service_adminuri
cinder_service_internaluri
Usage of version-based (cinderv3/volumev3) endpoints and service type for Cinder is considered deprecated behaviour and will be removed in the future.
Variables zun_docker_kv_storage and zun_docker_kv_group were deprecated and will be removed in the next release.
The existence of the horizon_default_role_name (default member) Keystone role is no longer ensured by the Horizon role. It is expected that the role defined by horizon_default_role_name already exists in Keystone and was bootstrapped via the keystone-bootstrap command during os_keystone execution. You can leverage the openstack.osa.openstack_resources playbook to create extra roles if you need or want to use a non-default value for the horizon_default_role_name variable.
Variables for the repo_server role related to Apache (HTTPD) configuration, like repo_apache_*, as well as some repo_pki_ and repo_ssl_*, were deprecated and now have no effect due to the migration to a standalone httpd role. Please refer to the httpd role for more details on how to manage deprecated settings.
The linuxbridge (ml2.lxb) plugin, previously marked as experimental by Neutron, has been removed from the codebase. Please make sure that you are using a supported driver before the upgrade.
Use of amqp1 messaging, previously deprecated in oslo.messaging, is not supported in the Epoxy release of OpenStack-Ansible. The previously supported provider of amqp1 messaging, qdrouterd, can no longer be deployed using the OpenStack-Ansible playbooks.
Critical Issues
The linuxbridge (ml2.lxb) plugin, previously marked as experimental by Neutron, has been removed from the codebase. Please make sure that you are using a supported driver before the upgrade.
Bug Fixes
The os_neutron role was ignoring the actual exit code of the aa-disable command when it exited abnormally. This could result in non-obvious failures later in neutron agents. This was fixed, and the role will now fail if aa-disable fails to disable the required apparmor profiles instead of suppressing the issue.
With the change of policy regarding stored versions of MariaDB in mirror.mariadb.org, the currently pinned MariaDB versions were removed from the repo. The switch to archive.mariadb.org should resolve the failing installation of MariaDB.
Logic for applying enhanced pipelines for Ceilometer+Gnocchi has been fixed. Now sinks and transformation overrides defined in pipeline.yaml will be populated with content when the operator did not supply any custom content, instead of being applied on top of it.
Bug #2096937, related to HashRing generation, has been reported when using uWSGI with Neutron. In order to quickly address the bug, uWSGI mode has been disabled again by default for Neutron until a proper fix is provided for uWSGI.
Other Notes
Mirror for MariaDB has been switched to archive.mariadb.org.
Scripts openstack-ansible-inventory-manage and openstack-ansible-inventory are now symlinked to /usr/local/bin and should be available for standalone execution.