Train Series Release Notes



This is a minor bugfix release that brings overall improvements and bug fixes to the roles.

New Features

  • Added variable nova_scheduler_extra_filters, which allows deployers to extend the default list in nova_scheduler_default_filters.

  • Added deployment of the keystone_auth_default_policy.json file for Magnum.

  • Added variables cinder_active_active_cluster and cinder_active_active_cluster_name, which allow deployers to explicitly enable or disable the active/active feature and to set the cluster name.

Upgrade Notes

  • The string value of nova_scheduler_default_filters is converted to a list. At the moment there is compatibility for overridden values that are strings, but this support will be removed in the Wallaby release. Deployers are therefore recommended to replace their string overrides with list ones.

Security Issues

  • MariaDB version updated to 10.3.25, which covers CVE-2020-2574

Bug Fixes

  • uWSGI service restart is now properly triggered upon service config change

  • Notifications are enabled now if either ceilometer or designate service is present in the inventory

  • Fixed ceph_client role for distro installs

  • Since Ubuntu has dropped older base images, which resulted in all previous tags being broken, we’ve switched to always downloading the latest base image available. This should guarantee that we retrieve relevant images only.


New Features

  • Added support for using mod_auth_openidc instead of shibboleth as a service provider, for users who prefer to use OIDC for federation. mod_auth_openidc is the Apache module that is recommended in the keystone documentation for implementing openidc. Added a variable called apache_mod to keystone_sp; if it is left undefined, shibboleth will continue to be installed by default, provided keystone_sp is not empty. mod_auth_openidc will not be installed unless it is spelled correctly; any misspelling will result in a shibboleth install. Note that installing shibboleth on Debian-based metal distro deployments may break services that depend on libcurl4, as shib2 requires libcurl3 and the two are unable to coexist. This can be resolved when there is a shib3 package available in a future release of Ubuntu/Debian. There is currently no support for simultaneous use of shibboleth2 and mod_auth_openidc.

Deprecation Notes

  • Fedora is no longer tested in CI for each commit.


New Features

  • Added variables magnum_cluster_templates and magnum_flavors, which allow deployers to define COE cluster templates and nova flavors to be created during role execution. Each variable may contain a list of resources to add. All keys supported by the corresponding ansible modules may be passed as items in the list.


New Features

  • Ceph keyrings can now be read from files: if the variable ceph_keyrings_dir is defined, the keyrings will be extracted from files. All files in the directory must have the .keyring extension and be named after the corresponding ceph_client name. For example, if cinder_ceph_client is cinder, the cinder keyring file must be named cinder.keyring. Each file must contain the username and the key and nothing more; below is an example of the cinder.keyring content.


    [client.cinder]
    key = XXXXXXXXXXX
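A check of a ceph_keyrings_dir directory against the rules stated above, as an added example that is not part of OpenStack-Ansible. The function names and the sample files are constructed for illustration, and the requirement that the [client.<name>] section match the file name is an assumption drawn from the cinder example.

```python
import re
import tempfile
from pathlib import Path

SECTION_RE = re.compile(r"^\[client\.([A-Za-z0-9_.-]+)\]$")
KEY_RE = re.compile(r"^key\s*=\s*\S+$")


def check_keyring(path):
    """Return the problems found in one keyring file (empty list means OK)."""
    if path.suffix != ".keyring":
        return ["extension is not .keyring"]
    # Blank lines are ignored; anything else must be the section or the key.
    lines = [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]
    if len(lines) != 2:
        return ["expected only a section line and a key line, found %d lines" % len(lines)]
    problems = []
    section = SECTION_RE.match(lines[0])
    if section is None:
        problems.append("first line is not a [client.<name>] section")
    elif section.group(1) != path.stem:  # assumption: section must match file name
        problems.append("section client.%s does not match file name" % section.group(1))
    if KEY_RE.match(lines[1]) is None:
        problems.append("second line is not 'key = <value>'")
    return problems


def check_keyrings_dir(directory):
    """Map every file name in the directory to its list of problems."""
    return {p.name: check_keyring(p)
            for p in sorted(Path(directory).iterdir()) if p.is_file()}


def demo():
    """Run the checks over a constructed directory of sample keyrings."""
    samples = {
        "cinder.keyring": "[client.cinder]\nkey = XXXXXXXXXXX\n",
        "glance.keyring": "[client.cinder]\nkey = XXXXXXXXXXX\n",
        "nova.keyring": "[client.nova]\nkey = XXXXXXXXXXX\ncaps mon = \"profile rbd\"\n",
        "notes.txt": "not a keyring\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return check_keyrings_dir(tmp)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```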


Upgrade Notes

  • Variable libvirt_package in ceph_client role has been renamed to libvirt_packages and converted from string to a list.


New Features

  • Added new parameter tempest_services for setting tempest_service_available_{service_name} var automatically.

  • The ansible version used by OSA is updated from the 2.7 to the 2.8 series. This requires an upgrade of ceph-ansible to 4.0 and this in turn requires an upgrade of ceph from Mimic to Nautilus. This version dependency applies where OSA uses ceph-ansible directly to deploy the ceph infrastructure, but not when OSA is integrated with an externally provisioned ceph cluster.

  • Each openstack service role has a new variable <role>_bind_address which defaults to A global override openstack_service_bind_address may be used by a deployer either in group_vars or user_variables to define an alternative IP address for services to bind to. This feature allows a deployer to bind all of the services to a specific network, for example the openstack management network. In this release the default binding remains, and future releases may default the binding to the management network.

  • You can set a private repository for epel. Use repo_centos_epel_mirror for the repo URL and, if you need to get the GPG key from an intranet or a mirror, use repo_centos_epel_key for the GPG key location.

  • OpenStack-Ansible now supports deployments on Debian 10 (buster)

  • Cinder is deployed with Active-Active enabled by default if you are using Ceph as a backend storage.

  • The --extra-vars flag passed to openstack-ansible should now have precedence over user-variables*.yml.

  • Added variable horizon_bind_address which defines IP address where Apache will listen on horizon_listen_ports

  • Added the possibility to disable the openrc v2 download in the dashboard. The new variable horizon_show_keystone_v2_rc can be set to False to remove the entry for the openrc v2 download.

  • The ceph_client role will now look for and configure manila services to work with ceph and cephfs.

  • The os_masakari role now covers the monitors installation and configuration, completing the full service configuration.

  • The override rabbitmq_memory_high_watermark can be used to set the maximum size of the erlang Virtual Machine before the garbage collection is triggered. The default is lowered to 0.2, from 0.4, as the garbage collection can require 2x of the allocated amount during its operation. This can result in an equivalent use of 0.4, resulting in 40% of memory usage, visible to the rabbitMQ container. The original default setting of 0.4 can lead to 80% memory allocation of rabbitMQ, potentially leading to a scenario where the underlying Linux kernel kills the process due to a shortage of virtual memory.

  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the octavia_install_method variable to distro.

  • Added 2 new variables for all groups: oslomsg_notify_policies and oslomsg_rpc_policies. These variables contain default rabbitmq policies, which will be applied to every rabbitmq vhost. For now they enable HA mode for all vhosts. If you would like to disable HA mode, just set these variables to empty lists inside your user_config.yml

  • Deployments will now default to using python3 when a python3 interpreter is present in the operating system. Each openstack-ansible role has a new variable of the form <role>_venv_python_executable which defaults to python2, but a global variable openstack_venv_python_executable in the openstack-ansible group variables sets this to python3 on supporting operating systems. This enables a deployer to selectively use python2 or python3 on a per-service basis if required. The ansible-runtime venv is also created using python3 on the deploy host if possible.

  • Several environment variables have been added in the bootstrapping functions used by the gate-check-commit script. These variables can be used to skip various phases of the bootstrap during the gate-check-commit or bootstrap-ansible script execution.

    The environment variables added are:

    • SKIP_OSA_RUNTIME_VENV_BUILD: Skip bootstrapping of the OSA ansible venv in

    • SKIP_OSA_BOOTSTRAP_AIO: Skip execution of the bootstrap-aio playbook in gate-check-commit

    • SKIP_OSA_ROLE_CLONE: Skip execution of the get-role-requirements-playbook in the script

  • The galera_server role now uses mariabackup in order to complete SST operations due to the fact that this is the recommended choice from MariaDB.

  • The galera_server role now ships with the latest MariaDB release of 10.3.13.

  • All roles are migrated from usage of regular log files to systemd-journald

  • Deployers may require custom CA certificates to be installed on their openstack hosts or service containers. A new variable openstack_host_ca_certificates is added, which is a list of certificates that should be copied from the deploy host to the target hosts. Certificates may be selectively deployed by defining the variable either in user_variables.yml or via host/group vars.

  • A new optional file /etc/openstack_deploy/user-role-requirements.yml is now available for a deployer to override individual entries in the upstream ansible-role-requirements file. This can be used to point to alternative repos containing local fixes, or to add supplementary ansible roles that are not specified in the standard ansible-role-requirements.

Known Issues

  • Due to a change in how backend_host is defined when using Ceph, all the Cinder volumes will restart under the same backend name. This will mean that any volumes which previously were assigned to the host or container that hosted the volume will no longer be manageable. The workaround for this is to use the cinder-manage volume update_host command to move those volumes to the new backend host. This known issue will be resolved soon with an upgrade playbook.

  • The journald-remote is disabled from execution inside setup-infrastructure until has been incorporated in current systemd packages. The playbook can be enabled by setting journald_remote_enabled to True

  • The previous way of using a common backend_host across all deployments was not recommended by the Cinder team and it will cause duplicate messages that cause problems in the environment.

Upgrade Notes

  • Any ceph infrastructure components (OSDs, MONs etc) deployed using the OSA/ceph-ansible tooling will be upgraded to the Ceph Nautilus release. Deployers should verify that this upgrade is suitable for their environment before commencing a major upgrade to Train, and consult the ceph-ansible and ceph release notes for Nautilus. For integration with external ceph clusters where OSA does not deploy any of the ceph cluster infrastructure, overrides can be used to select the specific version of ceph repositories used by the OSA ceph_client ansible role.

  • Application credentials are now enabled by default as a keystone authentication method. If deployments do not wish to enable application credentials then the existing keystone_auth_methods variable can be overridden with the required set of authentication methods.

  • On OpenStack-Ansible Train release you should upgrade your Debian from 9 (stretch) to 10 (buster). Debian 9 support will be deprecated during the next release of OpenStack-Ansible (Ussuri).

  • It is possible that you may need to use the cinder-manage command to migrate volumes to a specific host. In addition, you will have to remove the old rbd:volumes service which will be stale.

  • The horizon_listen_ports variable has been converted to a dictionary with the required keys http and https, so that it takes effect not only in the apache ports.conf file but also in the virtual host.

  • The rabbitMQ high watermark is set to 0.2 rather than 0.4 to prevent possible OOM situations, which limits the maximum memory usage by rabbitMQ to 40% rather than 80% of the memory visible to the rabbitMQ container. The override rabbitmq_memory_high_watermark can be used to alter the limit.

  • The default nova console type has been changed to novnc. Spice is still supported however due to novnc being more actively maintained it is now a better default option.

  • New virtual environments will be created using python3, giving a straightforward transition from python2 to python3 during the major upgrade. The ansible-runtime virtual environment on the deployment host will also be upgraded from python2 to python3 where the operating system allows.

  • The default Mnesia dump_log_write_threshold value has changed to 300 instead of 100 for efficiency. dump_log_write_threshold specifies the maximum number of writes allowed to the transaction log before a new dump of the log is performed. Increasing this value can improve performance when queues, exchanges and bindings are created or destroyed. The value should be between 100 and 1000. More detail [1].


  • The option rabbitmq_disable_non_tls_listeners has been removed in favor of setting the bind address and port configuration directly using a new option rabbitmq_port_bindings. This new option is a hash allowing for multiple bind addresses and port configurations.

  • The repo server no longer uses pypiserver, so it has been removed. Along with this, the following variables have also been removed.

    • repo_pypiserver_port

    • repo_pypiserver_pip_packages

    • repo_pypiserver_package_path

    • repo_pypiserver_bin

    • repo_pypiserver_working_dir

    • repo_pypiserver_start_options

    • repo_pypiserver_init_overrides

  • The following Nova tunables have been removed; users need to start using the nova_nova_conf_overrides dictionary to override them. If those values were not previously overridden, there should be no need to override them.

    • nova_quota_cores

    • nova_quota_injected_file_content_bytes

    • nova_quota_injected_file_path_length

    • nova_quota_injected_files

    • nova_quota_instances

    • nova_quota_key_pairs

    • nova_quota_metadata_items

    • nova_quota_ram

    • nova_quota_server_group_members

    • nova_quota_server_groups

    • nova_max_instances_per_host

    • nova_scheduler_available_filters

    • nova_scheduler_weight_classes

    • nova_scheduler_driver

    • nova_scheduler_driver_task_period

    • nova_rpc_conn_pool_size

    • nova_rpc_thread_pool_size

    • nova_rpc_response_timeout

    • nova_force_config_drive

    • nova_enable_instance_password

    • nova_default_schedule_zone

    • nova_fatal_deprecations

    • nova_resume_guests_state_on_host_boot

    • nova_cross_az_attach

    • nova_remove_unused_resized_minimum_age_seconds

    • nova_cpu_model

    • nova_cpu_model_extra_flags

  • The following Nova variables have been removed because they have no effect in the current release of Nova.

    • nova_max_age

    • nova_osapi_compute_workers

    • nova_metadata_workers

  • The Tacker role now uses the default systemd_service role. Because of this, upstart is no longer supported. The variable tacker_init_config_overrides was added, with which deployers may override predefined options. Also, the variable program_override has no effect now, and tacker_service_names was removed in favor of tacker_service_name.

  • Gnocchi migrated from usage of Apache mod_wsgi or native daemon to uWSGI daemon. This means that some variables are no longer available and have no effect anymore, specifically:

    • gnocchi_use_mod_wsgi

    • gnocchi_apache_*

    • gnocchi_ssl* (except gnocchi_ssl_external, which is still in place)

    • gnocchi_user_ssl_*

    During the upgrade process the role will drop gnocchi_service_port from the apache listeners (ports.conf) and the gnocchi virtualhost, which by default means a misconfigured apache service (since it won’t have any listeners) unless it’s an aio build and this apache server is in use by another role/service. The Apache server won’t be removed from gnocchi_api hosts, so deployers are encouraged to remove it manually.

  • Panko migrated from usage of Apache mod_wsgi or native daemon to uWSGI daemon. This means that panko_apache_* variables are no longer available and have no effect anymore.

    During the upgrade process the role will drop panko_service_port from the apache listeners (ports.conf) and the panko virtualhost, which by default means a misconfigured apache service (since it won’t have any listeners) unless it’s an aio build and this apache server is in use by another role/service. The Apache server won’t be removed from panko_api hosts, so deployers are encouraged to remove it manually.

Deprecation Notes

  • In the ceph_client role, the only valid values for ceph_pkg_source are now ceph and distro. For Ubuntu, the Ubuntu Cloud Archive apt source is already setup by the openstack_hosts role, so there is no need for it to also be setup by the ceph_client role.

  • The compression option in the galera_server role has been removed due to the fact that it is not recommended by MariaDB anymore. This means that all the dependencies from Percona such as QPress are no longer necessary.

  • The following variables have been removed because they are no longer used.

    • galera_percona_xtrabackup_repo

    • use_percona_upstream

    • galera_xtrabackup_compression

    • galera_server_percona_distro_packages

  • The variable galera_xtrabackup_threads has been renamed to galera_mariabackup_threads to reflect the change in the SST provider.

  • The PowerVM driver has been removed as it is not tested and it has been broken since late 2016 due to the driver name being renamed to powervm_ext instead of powervm.

  • Support of the legacy neutron L3 tool has been dropped. Deployers are encouraged to use built-in l3-agent options for configuring HA.

  • The deprecated Neutron LBaaS v2 plugin has been removed from the Neutron role.

  • The deprecated Neutron LBaaS v2 plugin support has been removed from openstack-ansible.

  • nova-placement-api has been removed from the os_nova role, along with all nova_placement_* variables. Please review the os_placement role for information about how to configure the new placement service.

  • The nova-lxd driver is no longer supported upstream, and the git repo for its source code has been retired on the master branch. All code for deploying or testing nova-lxd has been removed from the os_nova ansible role. The following variables have been removed:

    • nova_supported_virt_types ‘lxd’ list entry

    • nova_compute_lxd_pip_packages

    • lxd_bind_address

    • lxd_bind_port

    • lxd_storage_backend

    • lxd_trust_password

    • lxd_storage_create_device

  • Removal of the netloc, netloc_no_port and netorigin filters. Please use the urlsplit filter instead. All usages of the deprecated filters in openstack repos have been updated.

  • The py_pkgs and packages_file Ansible lookups are no longer used in OSA and have been removed from the plugins repository.

  • Due to the use of systemd-journald, the mapping of /openstack/log/ to /var/log/$SERVICE is no longer present. The rsyslog_client role is also no longer called for projects, since logs are stored in journald. Variables like service_log_dir are no longer supported and have no effect.
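A pre-upgrade check for the renamed and removed variables listed in the upgrade and deprecation notes above, as an added example that is not part of OpenStack-Ansible. The function name audit_overrides and the sample overrides are constructed for illustration, and only top-level keys of the file are inspected.

```python
import re

# Variable names below are copied from the upgrade and deprecation notes.
RENAMED = {"libvirt_package": "libvirt_packages",
           "galera_xtrabackup_threads": "galera_mariabackup_threads",
           "tacker_service_names": "tacker_service_name"}
REMOVED = set("""
  rabbitmq_disable_non_tls_listeners gnocchi_use_mod_wsgi use_percona_upstream
  repo_pypiserver_port repo_pypiserver_bin repo_pypiserver_pip_packages
  repo_pypiserver_package_path repo_pypiserver_working_dir nova_max_age
  repo_pypiserver_start_options repo_pypiserver_init_overrides lxd_bind_port
  nova_osapi_compute_workers nova_metadata_workers lxd_bind_address
  galera_percona_xtrabackup_repo galera_xtrabackup_compression
  galera_server_percona_distro_packages nova_compute_lxd_pip_packages
  lxd_storage_backend lxd_trust_password lxd_storage_create_device""".split())
NOVA_TUNABLES = {"nova_" + s for s in """
  quota_cores quota_injected_file_content_bytes quota_injected_file_path_length
  quota_injected_files quota_instances quota_key_pairs quota_metadata_items
  quota_ram quota_server_group_members quota_server_groups cpu_model
  max_instances_per_host scheduler_available_filters scheduler_weight_classes
  scheduler_driver scheduler_driver_task_period rpc_conn_pool_size cross_az_attach
  rpc_thread_pool_size rpc_response_timeout force_config_drive fatal_deprecations
  enable_instance_password default_schedule_zone cpu_model_extra_flags
  resume_guests_state_on_host_boot remove_unused_resized_minimum_age_seconds
  """.split()}  # these now have to be set through nova_nova_conf_overrides
REMOVED_PREFIXES = ("gnocchi_apache_", "gnocchi_ssl", "gnocchi_user_ssl_",
                    "panko_apache_", "nova_placement_")
KEPT = {"gnocchi_ssl_external"}  # the notes say this one is still in place
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")


def audit_overrides(text):
    """Return (line number, variable, advice) for each stale top-level key."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = TOP_LEVEL_KEY.match(line)
        name = match.group(1) if match else None
        if name in RENAMED:
            findings.append((number, name, "renamed to " + RENAMED[name]))
        elif name in NOVA_TUNABLES:
            findings.append((number, name, "set via nova_nova_conf_overrides"))
        elif name in REMOVED or (
                name and name.startswith(REMOVED_PREFIXES) and name not in KEPT):
            findings.append((number, name, "removed, has no effect"))
    return findings


# Constructed sample of a user_variables.yml file (not from a real deployment).
SAMPLE = """\
libvirt_package: libvirt-daemon
gnocchi_ssl_external: true
gnocchi_ssl_cert: /etc/ssl/certs/gnocchi.pem
nova_quota_cores: 40
lxd_trust_password: changeme
horizon_bind_address: 172.29.236.10
"""
```

Calling audit_overrides(SAMPLE) reports lines 1, 3, 4 and 5; the same call can be run over the text of each override file under /etc/openstack_deploy before the upgrade.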

Bug Fixes

  • ceilometer-polling services running on compute nodes did not have the polling namespace configured. Because of this they used the default value of running all pollsters from the central and compute namespaces. But the pollsters from the central namespace don’t have to run on every compute node. This is fixed by only running the compute pollsters on compute nodes.

  • The RyuBgpDriver is no longer available and replaced by the OsKenBgpDriver of the neutron_dynamic_routing project.