Current Series Release Notes

New Features

  • Ceph-ansible has been switched to version 6.0 and Ceph Pacific is used by default.

  • MariaDB now uses TLS encryption by default. Certificates will be issued and signed with the internal CA using the PKI role. Deployers can disable encrypting MariaDB connections by setting galera_use_ssl: false in their user_variables.yml. Client certificates can still be provided and will be distributed with the PKI role as well.

  • A new ‘ssl_cipher_suite_tls13’ variable is added for global control of TLS v1.3 cipher suites.

Known Issues

  • There is a known issue with upgrading to Ceph Pacific releases prior to version 16.2.7. Please make sure that 16.2.7 or later has been released before performing the Ceph upgrade. Otherwise, override ceph_stable_release: octopus in your user_variables.yml.

Upgrade Notes

  • We have changed the default values for variables related to database connection pooling. For some services (like nova) the default pool sizes will be significantly lower, and we have also decreased the default connection_recycle_time to 10 minutes. This should not cause any issues, but we recommend double-checking these values, especially for large environments.

  • The Yoga release of OpenStack-Ansible removes support for Ubuntu Bionic. Deployments should be upgraded from Bionic to Focal before or during the Xena release before upgrading to Yoga.

  • The Yoga release of OpenStack-Ansible removes support for Debian Buster. Deployments should be upgraded from Buster to Bullseye before or during the Xena release before upgrading to Yoga.

  • The Yoga release of OpenStack-Ansible removes support for Centos-8. Deployments should be upgraded from Centos-8 to an alternative supported operating system during the Xena release before upgrading to Yoga.

  • During upgrade, a password for galera_monitoring_user_password will be generated and set while running the galera-server role. If any third-party software relies on this user, it should be updated to use the password. You can also override the variable to galera_monitoring_user_password: "" to not use a password for auth and preserve the previous behaviour.

Deprecation Notes

  • OVN-related HAProxy configuration is deprecated and has been replaced with built-in clustering functionality. OVN-related endpoints will be completely removed in the Z release.

  • With the retirement of the upstream Panko project, the os_panko role has been deprecated. The Panko service API endpoint will be removed during upgrade. If you want to keep the Panko API working, you should override haproxy_panko_api_service.

  • The variable ‘ssl_cipher_suite’ is deprecated in favour of ‘ssl_cipher_suite_tls12’ which will continue to manage configuration of ciphers for TLS v1.2 and earlier.

Security Issues

  • The following security headers were added to the haproxy Horizon service: strict-transport-security, x-content-type-options, referrer-policy and content-security-policy. Care should be taken when deploying the strict-transport-security header, as this header implements Trust on First Use security, meaning that after a browser first visits the page the browser will enforce the use of HTTPS until the max-age time has expired. For the time being the strict-transport-security preload token, which indicates that you are happy to have your site included in the HSTS preload list that is built into browsers, has been excluded. The headers can be disabled by setting haproxy_security_headers: [] and the CSP (Content Security Policy) for Horizon can be overridden to support things like federated login by setting haproxy_horizon_csp. There is the option to extend this to all haproxy services in the future, but as the headers are only used by browsers there may be limited benefit to doing this other than for the keystone and console services.
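  The check below verifies that a Horizon frontend really returns the four headers listed above and that the HSTS policy has a numeric max-age and no preload token. It is an added example, not OpenStack-Ansible code; the expected header values and the external VIP hostname are assumptions a deployer would adjust.

```python
"""Audit the HTTP security headers emitted by the haproxy Horizon frontend.
Added example, not part of OpenStack-Ansible. Header names come from the
release note; the value checks (nosniff, no preload) are assumptions."""
import re
from http.client import HTTPSConnection

EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)


def audit_security_headers(headers):
    """Return a list of findings for a dict of response headers; [] is clean."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in EXPECTED_HEADERS if n not in lower]
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d for d in directives if d.startswith("max-age=")), None)
        if max_age is None or not re.fullmatch(r"max-age=\d+", max_age):
            findings.append("HSTS header has no numeric max-age")
        elif int(max_age.split("=", 1)[1]) == 0:
            findings.append("HSTS max-age=0 disables the policy")
        # The release note says preload is deliberately excluded for now.
        if "preload" in directives:
            findings.append("HSTS preload token present; it is excluded by default")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")
    return findings


def audit_horizon(host, port=443, path="/"):
    """Fetch the Horizon landing page (host = the external VIP, assumed) and audit it."""
    conn = HTTPSConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    return audit_security_headers(dict(conn.getresponse().getheaders()))


# Constructed sample response headers matching what the release note describes.
SAMPLE_OK = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'",
}
```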

Bug Fixes

  • Fixed fact gathering when tags were provided to the playbook run.

New Features

  • Added the variable galera_init_overrides, which can be leveraged to override the default set of systemd unit file overrides for MariaDB. This also introduces a requirement on the systemd_service role.

  • Overriding env.d is no longer required in order to use dedicated network nodes. Deployers can set network-infra_hosts to their infra (LXC) hosts and network-agent_hosts to their network nodes inside their openstack_user_config.yml or conf.d files.

  • A new variable openstack_ca_bundle_path has been added which defines the path to the CA bundle certificate that contains all system-trusted CAs and will be used by the Python Requests module.

  • Added variable openstack_systemd_global_overrides that defines some defaults for all systemd services. It will be deployed to all hosts and containers, but can be controlled with group_vars or host_vars as well if needed.

  • Added new variable haproxy_stick_table_enabled to haproxy_service_configs, that allows you to conditionally enable or disable the default stick-table.

Upgrade Notes

  • The haproxy_whitelist_networks key inside the haproxy_service_configs dictionary has been replaced with haproxy_allowlist_networks.

Deprecation Notes

  • The following variables have been deprecated and will have no effect:

    • haproxy_ssl_cert_path

    • haproxy_ssl_key

    • haproxy_ssl_pem

    • haproxy_ssl_ca_cert

    These variables controlled the path where haproxy looked for certificates on the destination hosts.

    They were replaced in favor of haproxy_ssl_cert_path, since the exact path to certificates will be set dynamically based on the VIP that is used for the frontend.

  • Renamed tempest_test_whitelist to tempest_test_includelist and tempest_test_blacklist to tempest_test_excludelist. Dependent projects should update to use the new variables.

  • Since certificate and CA distribution are now handled with the PKI role, the variable openstack_host_ca_location has been deprecated and removed.