Current Series Release Notes

31.0.0.0rc1-148

Prelude

Added support for deployments on CentOS 10 Stream.

Added support for deployments on derivatives of RHEL 10 such as Rocky Linux.

New Features

  • For the systemd_mount role, added a boolean key escape_name to the systemd_mounts mapping. It is designed to prevent name escaping when the mount name is not a path, and evaluates to true by default.

  • Added the variable openstack_host_blacklist_kernel_modules, which allows blacklisting required kernel modules.

  • A series of changes were backported for CentOS 10 Stream support for both deploy and target hosts.

  • Added the variable lxc_apt_mirror_gpg_check to either enforce or disable the GPG check during LXC image preparation through debootstrap. It is enabled by default.

  • Added the variable lxc_apt_mirror_gpg_file, which provides the path on the remote host to the GPG file against which packages from lxc_apt_mirror are verified during the debootstrap process.

  • A series of changes were backported for Rocky 10 support for both deploy and target hosts.

  • Added new variables to control MariaDB default charset and collation:

    • galera_default_charset

    • galera_default_collation

    • galera_default_collation_set

    Variable galera_default_collation_set is defined in my.cnf only for MariaDB versions >= 11.5.

  • Enabled Barbican secrets support for Glance in OpenStack-Ansible. Glance was not being configured to use Barbican for secret management when Barbican support was enabled. This patch ensures that Glance is efficiently configured to interact with Barbican, allowing proper handling of secrets (such as image encryption keys) in OpenStack environments.

  • Added the key params to the variable openstack_host_specific_kernel_modules, which allows module parameters to be supplied as a simple string.

  • Added the variables lxc_centos_repo_keys and lxc_centos_repos, which allow supplying a list of repositories that will be added to lxc_host. By default, the role keeps installing the EPEL repository with its GPG key.

  • For the systemd_mount role, added mount_overrides_only to the systemd_mounts mapping. This key is designed to apply systemd overrides to already existing mounts which are not managed by the role directly.

  • If a directory is defined instead of certificate files, haproxy will attempt to treat all files within it as PEM-bundled certificates and will fail its configuration test. To avoid this, a new variable haproxy_ssl_temp_path was introduced. When it is defined, certificates from the PKI are put into that directory and then combined into a PEM file in the correct directory.

    Such an approach allows us to put additional certificates into the directory outside of the haproxy_server role and keep the directory clean. This also eliminates the need to list all additional custom certificates and sum them with the ones calculated by this role.

    Additionally, a cleanup/move of the certificates was added for the case when haproxy_ssl_temp_path is set to be different from haproxy_ssl_cert_path, which allows a transition from the old setup.

  • Added SSH keypair generation support to the Trove Guest Agent. When trove_guest_ssh_enabled is set to True, the role generates an SSH keypair and uploads it to Nova. It also creates a security group that permits SSH access on the DBaaS network and appends it to management_security_groups.

  • For the openstack_hosts role, implemented the variable openstack_host_custom_grub_options, which allows modifying GRUB_CMDLINE_LINUX_DEFAULT with arbitrary parameters or removing existing parameters from it.

Upgrade Notes

  • EL does not need to carry the thm COPR repo to install LXC, as LXC is now provided by EPEL. The repository is removed during upgrade and dnf metadata is cleaned.

  • Default value of haproxy_ssl_letsencrypt_certbot_bind_address has changed from ansible_host, which could vary based on the deployment scenario, to management_address, which will be set to the IP of the management network. The fallback to ansible_host is present to avoid failures when management_address is not defined.

  • The format of the san parameter in the pki_certificates variable was changed from a string to a dictionary of lists. The new dict can contain the following keys: dns, ip, uri, other. Each key should contain a list with all SANs that should be part of the certificate.

  • Default value of galera_wsrep_address has changed from ansible_host, which could vary based on the deployment scenario, to management_address, which will be set to the IP of the management network. The fallback to ansible_host is present to avoid failures when management_address is not defined.

  • Kernel modules loaded by OpenStack-Ansible will be defined for load in their own files under /etc/modules-load.d/. Prior paths managed by OpenStack-Ansible like /etc/modules-load.d/openstack-ansible.conf for EL systems or /etc/modules for DEB systems will be cleaned out from managed modules during upgrade.

  • Default value of rabbitmq_node_address has changed from ansible_host, which could vary based on the deployment scenario, to management_address, which will be set to the IP of the management network. The fallback to ansible_host is present to avoid failures when management_address is not defined.

  • Support for Sahara plugin and Senlin plugin was removed, because these projects were retired.

  • When using a standalone RabbitMQ cluster for a Trove deployment, make sure to use trove_guest_rpc_host_group as a pointer to a host group, rather than a pointer to a specific host. You can use the variable trove_guest_oslomsg_rpc_setup_host to define a specific host which should be responsible for provisioning the RabbitMQ vhost and users instead.
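
The san format change noted above means existing pki_certificates entries have to be rewritten before upgrade. The helper below is an added example, not part of OpenStack-Ansible or its PKI role. It assumes the legacy string was a comma-separated list of `TYPE:value` entries and that unrecognised types are kept verbatim under other; convert_san and TYPE_TO_KEY are hypothetical names.

```python
import ipaddress

# Assumption: the legacy string was comma-separated "TYPE:value" entries,
# e.g. "DNS:cloud.example.com,IP:192.0.2.10".
TYPE_TO_KEY = {"DNS": "dns", "IP": "ip", "URI": "uri"}


def convert_san(legacy):
    """Return the dict-of-lists form (keys: dns, ip, uri, other)."""
    result = {}
    for raw in legacy.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas
        # Split on the first colon only, so IPv6 addresses and URIs survive.
        prefix, sep, value = entry.partition(":")
        value = value.strip()
        if not sep or not value:
            raise ValueError(f"malformed SAN entry: {entry!r}")
        key = TYPE_TO_KEY.get(prefix.strip().upper())
        if key is None:
            # Assumption: unrecognised types are kept verbatim under "other".
            key, value = "other", entry
        elif key == "ip":
            # Reject typos early; a bad IP SAN otherwise only surfaces later
            # as a TLS verification failure. Raises ValueError if invalid.
            value = str(ipaddress.ip_address(value))
        bucket = result.setdefault(key, [])
        if value not in bucket:  # drop duplicates, keep original order
            bucket.append(value)
    return result


if __name__ == "__main__":
    # Constructed sample value, not taken from a real deployment.
    sample = ("DNS:cloud.example.com, IP:192.0.2.10, "
              "IP:2001:db8::1, URI:https://cloud.example.com/")
    for key, values in convert_san(sample).items():
        print(f"{key}: {values}")
```
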

Deprecation Notes

  • Quota management for the Octavia service has been deprecated in favor of a centralized approach through the openstack.osa.openstack_resources playbook. As the default project name was service, defining quota inside of the Octavia role was causing conflicts with other services (like Trove).

    The respective variables were deprecated and have no effect:

    • octavia_num_instances

    • octavia_ram

    • octavia_gigabytes

    • octavia_num_server_groups

    • octavia_num_server_group_members

    • octavia_num_cores

    • octavia_num_secgroups

    • octavia_num_ports

    • octavia_num_security_group_rules

    • octavia_num_volumes

    Please refer to the Octavia documentation for more information on how to manage service quotas.

  • Variables zun_docker_kv_storage, zun_docker_kv_port and zun_docker_kv_group were removed and have no effect anymore.

  • Docker Swarm mode for Zun is no longer supported and only local deployment for Docker is possible.

  • pki_method was deprecated in favor of pki_backend.

Bug Fixes

  • Added the Masakari user to the libvirt group to ensure proper permissions for accessing libvirt resources. This resolves permission issues that could prevent Masakari from monitoring and managing virtual machine instances effectively. The fix ensures that the Masakari service can successfully interact with the libvirt daemon for instance evacuation and recovery operations during host failures.

  • Fixed RabbitMQ upgrade issue for older deployments which had previously used RabbitMQ Classic Queue mirroring (HA Queues) by implementing an upgrade check and disabling leftover policies on upgrade.

  • Skyline is now functional for scenarios with internal TLS coverage.

  • Fixed a Skyline installation problem after the httpx 1.0 release, caused by not using OpenStack upper-constraints for installation.

  • Variable trove_guest_rpc_host_group is now used as intended and represents a host group. It is no longer directly used as "delegated host" when configuring a standalone RabbitMQ cluster for Trove.

Other Notes

  • The behavior of the AIO setup regarding network configuration has been changed. Instead of directly applying all configuration during the bootstrap-aio.sh script, the script will produce another variable file, user_variables_systemd.yml, with the intended configuration. The variables will be consumed and applied by the openstack_hosts role, which will be launched during the setup-hosts (setup-everything) playbook.

  • The etcd role has been removed from ansible-role-requirements.yml as it is no longer required by any component. If you are relying on the role or etcd in your deployment, you can add the following to your /etc/openstack_deploy/user-role-requirements.yml:

    - name: etcd
      scm: git
      src: https://github.com/noonedeadpunk/ansible-etcd
      version: master
    
  • In order to align the approach to playbook location and usage, upgrade playbooks were moved from upgrade_utilities of the integrated repository to the openstack.osa collection:

    • upgrade-utilities/deploy-config-changes.yml -> openstack.osa.upgrade.deploy_config_changes

    • upgrade-utilities/galera-cluster-rolling-restart.yml -> openstack.osa.tools.galera_cluster_rolling_restart

    • upgrade-utilities/nova-restore-compute-id.yml -> openstack.osa.tools.nova_restore_compute_id

31.0.0.0rc1

New Features

  • Added support for defining custom error files using haproxy_errorfiles. These files can be distributed alongside haproxy_static_files_extra.

Known Issues

  • It was discovered that LXC 5.0.3 in Ubuntu 24.04 (Noble Numbat) contains a packaging issue resulting in apparmor profiling conflicts. A temporary workaround has been applied in the lxc_hosts role to apply a hotfix to the profile. However, it will be wiped with the next update of the liblxc-common package. Please check bug #2110635 for more details on the issue.

Upgrade Notes

  • Docker mode for zun-compute has been switched to "local" mode. This means that a supporting etcd cluster is no longer required for Zun to operate. If you want to preserve the old behavior, you will need to pin the Docker and Containerd versions back along with adding zun_docker_kv_storage: etcd to user_variables.yml.

  • For deployments with Zun, underlying software versions were upgraded to:

    • Docker 20.10.24 -> 27.5.1

    • Containerd 1.6.20 -> 1.7.27

    • Kata 3.1.0 -> 3.16.0

Deprecation Notes

  • Variables zun_docker_kv_storage and zun_docker_kv_group were deprecated and will be removed in the next release.

  • The existence of the horizon_default_role_name (default member) Keystone role is no longer ensured by the Horizon role. It is expected that the role defined by horizon_default_role_name already exists in Keystone and was bootstrapped via the keystone-bootstrap command during os_keystone execution. You can leverage the openstack.osa.openstack_resources playbook to create extra roles if you need or want to use a non-default value for the horizon_default_role_name variable.

Bug Fixes

  • The os_neutron role was ignoring the actual exit code of the aa-disable command when it exited abnormally. This could result in non-obvious failures later in neutron agents. This was fixed, and the role will now fail if aa-disable fails to disable the required apparmor profiles instead of suppressing the issue.

  • With the change of policy regarding stored versions of MariaDB in mirror.mariadb.org, currently pinned MariaDB versions were removed from the repo. With a switch to archive.mariadb.org, this should resolve failing installation for MariaDB.

Other Notes

  • The mirror for MariaDB has been switched to archive.mariadb.org.