Current Series Release Notes


Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups. Now the OVS agent includes an optional firewall driver that natively implements security groups as flows in OVS rather than the Linux bridge device and iptables. This increases scalability and performance.

New Features

  • Implemented the openstack_hosts_package_manager_extra_conf variable. It allows extra content to be added to the package manager’s configuration (works with apt, yum and dnf).

  • Added the variable blazar_policy_overrides, which allows deploying a policy.yaml file with the provided overrides for the Blazar service.

  • In deployments where a separate host is used to manage the OpenStack Ansible configuration, the ‘/etc/hosts’ file on that host will now include a section adding hostname to IP resolution for all hosts in the inventory. This can be enabled/disabled via ‘openstack_host_manage_deploy_hosts_file’.

  • Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. On compute and network nodes this previously took a significant amount of time, and gathering minimal facts will speed this up. Facts are instead gathered for interfaces specified in provider_networks for the storage, overlay and management networks.

  • Added the variable security_rhel7_enable_aide, which is designed to avoid installation and initialization of the AIDE-related STIGs.

  • Added variable glance_image_cache_stall_time to control glance cache time if needed. Defaults to 86400.

  • Added the new variable haproxy_hatop_install, which allows hatop installation to be conditionally enabled or disabled.

  • Created a series of variables haproxy_*_service, each containing the haproxy configuration block specific to that service. This allows deployers to selectively adjust the haproxy frontend/backend configuration for a specific service only, without needing to override the whole haproxy_default_services.

  • New variables ‘keepalived_internal_ping_address’ and ‘keepalived_external_ping_address’ allow deployments to decouple liveness checks for HAProxy accessibility via internal and external networks. The previous ‘keepalived_ping_address’ variable is maintained for backwards compatibility.

  • You can override the default iptables_hybrid firewall driver for Open vSwitch by setting neutron_firewall_driver: openvswitch

  • The repository server can now retrieve and cache upper-constraints files and serve them as required to pip during the build of python wheels. By default the relevant version of upper-constraints will be downloaded once from, or the url in a new override user_requirements_git_url. Additional constraints files can be placed in /etc/openstack_deploy/upper-constraints on the deploy host; these will be copied to the repo server and will be available to reference in other overrides such as magnum_upper_constraints_url. This is useful if deploying a different branch of a service such as magnum/master onto a deployment of openstack/victoria. If the target hosts are in an air-gapped environment, setting requirements_git_repo to an empty string will disable downloading of upper-constraints to the repo server and rely on the deployer providing suitable copies of upper-constraints through the deploy host /etc/openstack_deploy/upper-constraints directory.

  • Added an option to mount s3fs with systemd as a shared filesystem. The type should be stated as ‘fuse.s3fs’, and the extra key ‘credentials’ should be set for systemd_mounts. The S3 URL should be placed in the options. Please follow for docs regarding s3fs.

  • Added systemd_overrides and systemd_overrides_only keys to the systemd_services dictionary. With systemd_overrides you can define systemd native overrides, which will be placed in /etc/systemd/system/service_name.service.d/overrides. systemd_overrides_only indicates that service_name.service should not be created and that only the overrides should be created.

  • Added sockets key to configure systemd-sockets for the systemd service.

  • Adds a ‘zun-docker-cleanup’ script to the Zun compute virtualenv which can be used to clean up cached Docker images held on compute hosts. This can be run on a timer by setting the ‘zun_docker_prune_images’ variable or executed manually by adding ‘--force’ to the script.

Known Issues

  • Where a single OSA deploy host is used to manage multiple deployments, some delegated Ansible tasks are performed using hostnames rather than IP addresses due to Ansible issue 72776. Hostnames such as ‘infra1’ will be ambiguous, so use of separate hosts for each deployment is recommended.

Upgrade Notes

  • Adds the subnet_dns_publish_fixed_ip option extension in ml2 plugin. The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs.

  • In order to accommodate Centos-8 Stream support, it is necessary to require the minimum version of Centos-8 Classic to be 8.3. There are breaking changes between Stream and Classic versions prior to 8.3 which break ansible code that detects major/minor versions of Centos. Before upgrading to Wallaby, deployers should ensure that their Centos hosts are updated to 8.3.

  • For Designate, designate_pool_uuid was previously hardcoded in the os_designate role. It is now dynamically generated in secrets.yml and is unique per deployment. However, before upgrading you must set designate_pool_uuid to the current UUID. Most likely it is 794ccc2c-d751-44fe-b57f-8894c9f5c842, since that value was the default in the role and remains the same unless explicitly overwritten. You can check your pool UUID with the command /openstack/venvs/designate-20.1.1.dev7/bin/designate-manage pool show_config, which should be executed from the Designate venv.

  • Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. If overrides are in use for setting the neutron tunnel address, or various storage or management addresses which rely on ansible fact gathering to provide variables of the form ansible_<interface>, it is likely that these facts will no longer be gathered by default. The new variable dynamic_address_gather_filter is available to specify a shell-style (fnmatch) wildcard that selects the set of facts gathered early in the neutron/nova/cinder playbooks.

  • The Galera privileged username has changed from root to admin. The old 'root'@'%' user can be removed after the upgrade process.

  • Variable haproxy_hatop_downloader has been removed. Deployers are expected to use the haproxy_hatop_download_url override if needed to install in deployments with limited internet connection.

  • Variable cinder_service_internaluri_insecure has been replaced with keystone_service_internaluri_insecure that is used across all roles for the exact same purpose.

  • Introduce this feature to empty compute nodes, and migrate VMs over once the agents have been restarted.

  • The Wallaby release of openstack-ansible does not support deployment of the control plane in nspawn containers.

  • If a deployment uses local copies or caches of the openstack requirements repo or upper-constraints files, the repo server is now able to natively host copies of the relevant upper-constraints files and serve them to pip during wheel builds. It is now also possible to supply custom constraints files in the deploy host /etc/openstack_deploy/upper-constraints directory. Deployers should take account of the new capability in the repo server and adjust any special handling of downloading upper-constraints that they may have made via overrides, in particular requirements_git_url.

Deprecation Notes

  • Variable masakari_policy_json_overrides has been deprecated in favor of masakari_policy_overrides and will be removed after the X release. For now, masakari_policy_overrides defaults to masakari_policy_json_overrides for compatibility.

  • The custom PowerVM code has been removed as it is not tested. The code in question can be replaced with the following setting;

    neutron_firewall_driver: openvswitch

  • Removed the octavia_amp_image_id option, as the corresponding configuration option in Octavia, amp_image_id, is deprecated and image tags should be used instead.

  • Support for an Open vSwitch dataplane with NSH support using the ovs_nsh_support variable has been immediately deprecated and removed due to built-in support for NSH in recent Open vSwitch releases. The prior PPA provided a custom release of OVS 2.9, which is no longer appropriate for recent releases of OSA and respective operating systems.

Critical Issues

  • This feature requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer includes conntrack support. Kernel version 3.3, but less than 4.3, does not include conntrack support and requires building the OVS modules.
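
The version rules in the note above can be checked per node before switching the firewall driver. The following shell functions are an added example, not part of OpenStack-Ansible; the function names and result labels are hypothetical, and check_host assumes ovs-vsctl is on PATH and prints its version as the last field of its first output line.

```shell
#!/bin/sh
# Added example (not OpenStack-Ansible code): classify a node against the
# kernel and Open vSwitch minimums stated in the note above.

# Print "MAJOR MINOR" for strings such as 4.18.0-305.el8.x86_64; fail if unparsable.
major_minor() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    mm_major=${1%%.*}
    mm_rest=${1#*.}
    mm_minor=${mm_rest%%[!0-9]*}
    case $mm_major in *[!0-9]*) return 1 ;; esac
    [ -n "$mm_minor" ] || return 1
    echo "$mm_major $mm_minor"
}

# Succeed when version $1 >= $2.$3, comparing numerically (so 3.10 > 3.3).
version_ge() {
    mm=$(major_minor "$1") || return 2
    maj=${mm% *}
    min=${mm#* }
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# Hypothetical labels: native | build-ovs-modules | unsupported-ovs |
# kernel-not-covered (the note gives no guidance below 3.3) | unparsable
classify_ovs_firewall() {
    if ! major_minor "$1" >/dev/null || ! major_minor "$2" >/dev/null; then
        echo unparsable
    elif ! version_ge "$2" 2 5; then
        echo unsupported-ovs
    elif version_ge "$1" 4 3; then
        echo native
    elif version_ge "$1" 3 3; then
        echo build-ovs-modules
    else
        echo kernel-not-covered
    fi
}

# Live check for the current node; assumes ovs-vsctl is on PATH.
check_host() {
    ovs_ver=$(ovs-vsctl --version | awk 'NR==1 {print $NF}')
    classify_ovs_firewall "$(uname -r)" "$ovs_ver"
}
```

Run check_host on each compute and network node; a result of build-ovs-modules marks a host where the OVS kernel modules must be built before the native driver can use conntrack.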

Other Notes

  • Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.

New Features

  • It is now possible to have a service which only has a frontend by using haproxy_frontend_only inside your service.

  • Added the possibility to have a haproxy_frontend_raw entry to control the haproxy config for the frontend. The entry will be literally copied into the service. You can set a list under the key haproxy_frontend_raw.