Victoria Series Release Notes

22.3.2

Security Issues

22.3.1

Bug Fixes

  • This release addresses an issue which could cause wheels to fail to be built when upgrading from one operating system to another. Upgrading to this release is recommended before attempting an operating system upgrade.

22.3.0

Upgrade Notes

  • cloudkitty_package_state inherits package_state and defaults to “latest”

  • cloudkitty_uwsgi_bind_address inherits openstack_service_bind_address and defaults to 0.0.0.0

  • cloudkitty_galera_port inherits galera_port and defaults to “3306”

  • cloudkitty_service_region inherits service_region and defaults to “RegionOne”

Deprecation Notes

  • cloudkitty_collected_services is deprecated and should instead be configured in Cloudkitty metrics config

Bug Fixes

  • This release addresses an issue when upgrading from Ubuntu Bionic to Ubuntu Focal during the Victoria release cycle. By default the same RabbitMQ version will now be installed for both Bionic and Focal to prevent a downgrade from being attempted. It is strongly recommended to upgrade to this release before attempting an upgrade to Ubuntu Focal.

22.2.0

New Features

  • Support has been added to allow the deployment of the Cloudkitty service when hosts are present in the host group cloudkitty_hosts in openstack_user_config or conf.d files. os-cloudkitty-install.yml has been added and is now part of setup-openstack.yml

22.1.2

New Features

  • Implemented openstack_hosts_package_manager_extra_conf variable. It allows extra content to be added to the package manager’s configuration (works with apt, yum and dnf).

  • In deployments where a separate host is used to manage the OpenStack Ansible configuration, the ‘/etc/hosts’ file on that host will now include a section adding hostname to IP resolution for all hosts in the inventory. This can be enabled/disabled via ‘openstack_host_manage_deploy_hosts_file’.

Known Issues

  • Where a single OSA deploy host is used to manage multiple deployments, some delegated Ansible tasks are performed using hostnames rather than IP addresses due to Ansible issue 72776. Hostnames such as ‘infra1’ will be ambiguous, so use of separate hosts for each deployment is recommended.

Deprecation Notes

  • Removed the octavia_amp_image_id option, as the corresponding Octavia configuration option amp_image_id is deprecated and image tags should be used instead.

22.1.1

Other Notes

  • Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.

22.1.0

New Features

  • Added variable security_rhel7_enable_aide that is designed to avoid installation and initialization of the aide related STIGs

  • Created a series of haproxy_*_service variables, each containing the haproxy configuration block specific to one service. This allows deployers to selectively adjust the haproxy frontend/backend configuration for a specific service only, without needing to override the whole of haproxy_default_services.

Upgrade Notes

  • For Barbican, the kek in the [simple_crypto_plugin] section of barbican.conf was previously hardcoded. It is now dynamically generated in secrets.yml and unique per deployment. However, before upgrading you must set barbican_simple_crypto_key to the current value, passed through base64 decoding first. Most likely the decoded value will be abcdefghijklmnopqrstuvwxyz123456, since that value was hardcoded in the template. The upgrade script will set barbican_simple_crypto_key in user_secrets.yml to abcdefghijklmnopqrstuvwxyz123456 unless the variable has already been defined. Everyone who used overrides to modify the kek for simple_crypto_plugin should therefore manually define a valid barbican_simple_crypto_key in user_secrets.yml.
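
The pre-upgrade check described above, as an added example that is not part of OpenStack-Ansible: it reads the kek from barbican.conf text, base64-decodes it, and produces the matching user_secrets.yml line. The function names and both sample configs are constructed for illustration.

```python
import base64
import binascii
import configparser
import json

# Decoded value the release note says was hardcoded in the old template.
HARDCODED_KEK = "abcdefghijklmnopqrstuvwxyz123456"

def _conf(decoded):
    """Build a constructed barbican.conf fragment holding the given kek."""
    encoded = base64.b64encode(decoded.encode()).decode()
    return f"[simple_crypto_plugin]\nkek = '{encoded}'\n"

# Constructed samples: one on the old default, one with a deployer override.
SAMPLE_DEFAULT = _conf(HARDCODED_KEK)
SAMPLE_OVERRIDE = _conf("0123456789abcdef0123456789abcdef")

def current_kek(conf_text):
    """Return the base64-decoded kek from the [simple_crypto_plugin] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("simple_crypto_plugin", "kek").strip().strip("'\"")
    # Accept both the standard and the URL-safe base64 alphabet.
    raw = raw.translate(str.maketrans("-_", "+/"))
    try:
        decoded = base64.b64decode(raw, validate=True)
    except binascii.Error as exc:
        raise ValueError("kek is not valid base64") from exc
    # A key that is not plain ASCII raises here and needs manual handling.
    return decoded.decode("ascii")

def secrets_entry(conf_text):
    """Return (user_secrets.yml line, still_on_hardcoded_default)."""
    kek = current_kek(conf_text)
    # json.dumps yields a double-quoted scalar, which is also valid YAML.
    return f"barbican_simple_crypto_key: {json.dumps(kek)}", kek == HARDCODED_KEK

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("override", SAMPLE_OVERRIDE)):
        line, is_default = secrets_entry(conf)
        print(name, "->", line, "(hardcoded default)" if is_default else "(custom kek)")
```

A result flagged as the hardcoded default means the deployment is still using the same key as the old template, which was not unique per deployment.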

22.0.1

Upgrade Notes

  • Older deployments should check for the presence of legacy ‘127.0.1.1’ entries in their /etc/hosts files. These will need to be removed before upgrading, particularly on RabbitMQ hosts and containers.
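
One way to run this check, as an added example that is not OpenStack-Ansible code: it finds active 127.0.1.1 lines in hosts-file text and returns the file with them removed. The function name and the sample file are constructed.

```python
LEGACY_IP = "127.0.1.1"

# Constructed sample /etc/hosts content (not taken from a real host).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 infra1.example.test infra1  # legacy entry
# 127.0.1.1 already-commented-out
127.0.1.10 lookalike-address
172.29.236.11 infra1.example.test infra1
"""

def strip_legacy_entries(hosts_text):
    """Return (cleaned_text, removed) with removed as [(lineno, hostnames)]."""
    kept, removed = [], []
    for lineno, line in enumerate(hosts_text.splitlines(), start=1):
        # Ignore comments, then compare the address field exactly so that
        # lookalikes such as 127.0.1.10 are not matched.
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == LEGACY_IP:
            removed.append((lineno, fields[1:]))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    cleaned, removed = strip_legacy_entries(SAMPLE_HOSTS)
    for lineno, names in removed:
        print(f"line {lineno}: legacy {LEGACY_IP} entry for {' '.join(names)}")
    print(cleaned, end="")
```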

22.0.0

New Features

  • Support is added for deploying OpenStack on CentOS 8 with source and distro based installs. However, nspawn support can’t be offered, as machinectl relies on btrfs which has been dropped by CentOS.

  • Support is added for deploying OpenStack on Ubuntu Focal (20.04) with source based installs. Ubuntu Cloud Archive is not available for Focal at this point so it is not possible to offer distro package based installs for Focal.

  • New variables have been added to allow a deployer to enable iPXE support for Ironic Conductor, which uses HTTP rather than TFTP, and can speed up baremetal provisioning considerably. To enable, simply set the ironic_ipxe_enabled override to True.

  • Added new variables barbican_backends_config and barbican_plugins_config, along with a barbican.conf cleanup, to support the multibackend scenario and more convenient Barbican backends configuration.

  • Added variable barbican_user_libraries for deploying custom lib files from the deploy host to barbican containers, which might be required for PKCS#11 or other plugins.

  • Openstack services and infrastructure such as galera, rabbitmq and memcached already have defaults in their ansible roles to control the IP address which those services bind to. Prior to this release the default of 0.0.0.0 was used. A global setting in the openstack-ansible group variables now overrides those default bind addresses to be the local address on the openstack management network (typically br-mgmt) for the relevant host or container.

  • Added variables cinder_active_active_cluster and cinder_active_active_cluster_name, which allow the active/active feature to be explicitly enabled or disabled and the cluster name to be set.

  • It is now possible to have a service which only has a frontend, by using haproxy_frontend_only inside your service.

  • Added the possibility to have a haproxy_frontend_raw entry to control the haproxy config for the frontend; the entry will be copied literally into the service. You can set a list under the key haproxy_frontend_raw.

  • Added new variable haproxy_hatop_install, that allows to conditionally enable or disable hatop installation.

  • Added variable haproxy_ssl_letsencrypt_certbot_challenge, which defaults to http-01. For now only http-01 has really been tested, but we keep the door open for adding support for more challenges, like dns-01. For http-01 all required arguments are passed, but for other challenges you might want to use haproxy_ssl_letsencrypt_setup_extra_params to pass missing arguments.

  • OpenStack-Ansible now provides corosync and pacemaker cluster setup as part of the os-masakari-install playbook. A corosync/pacemaker cluster is required for masakari hostmonitors to work properly, as they identify host state with the help of corosync.

  • Added variable nova_scheduler_extra_filters, which allows the default list in nova_scheduler_default_filters to be extended.

  • Experimental support has been added to allow the deployment of the OpenStack Adjutant service when hosts are present in the host group registration_hosts.

  • Experimental support has been added to allow the deployment of the OpenStack Senlin service when hosts are present in the host group senlin-infra_hosts.

  • Added variable ceilometer_pipeline_default_file_path to allow a user provided pipeline file to be defined, as for other ceilometer configs. To avoid deployment of pipeline.yaml you can set in your user variables: _ceilometer_pipeline_yaml_overrides: {}

  • The role now supports creating system scoped credentials alongside project scoped credentials. The default behavior of the role does not change unless the openrc_system_scope variable is set to true. If openrc_system_scope is true, the default cloud in clouds.yaml will be set to system scoped credentials and another set of credentials named default_project_scope will be created with project scoped credentials. Due to the usage of the openrc file in other roles, the opposite logic applies to openrc files: if openrc_system_scope is set to true, the credentials in openrc will be set to project scoped credentials and another openrc file named openrc.system_scope will be created with system scoped credentials and placed in the destination given by the openrc_system_file_dest variable.

  • Added variables uwsgi_ini_overrides and uwsgi_init_config_overrides, which might be useful if a deployer wants to adjust some uwsgi parameter for all services without having to use a set of overrides for each service.

Known Issues

  • Ubuntu Cloud Archive (UCA) does not contain Ubuntu Bionic distro packages for Victoria, so only source install/upgrade path (default) will work correctly for Ubuntu 18.04.

Upgrade Notes

  • Remove CONF.scenario.img_dir option as it is being removed from Tempest after ~4 year deprecation period. CONF.scenario.img_file option needs to contain the full path to an image to upload to glance.

  • The default bind address for all openstack services and infrastructure services such as galera, rabbitmq and memcached has changed from 0.0.0.0 to the IP address of the openstack management network on the relevant host or container. Deployers should ensure that any additional systems that expect to communicate with internal components of their openstack-ansible deployment do so over the management network. Services which are bound to the management network IP will not be accessible via other interfaces.
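
To confirm the new bind behaviour on a host or container (this note and the matching New Features entry), the added example below, which is not OpenStack-Ansible code, groups listening TCP sockets from `ss -Hltn` output by bind scope. The function name, the sample output and the management address 172.29.236.11 are constructed.

```python
import ipaddress

# Constructed sample of `ss -Hltn` output (no header line).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 172.29.236.11:5672 0.0.0.0:*
LISTEN 0 128 *:11211 *:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 10.0.3.1:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

def classify_listeners(ss_output, mgmt_ip):
    """Map bind scope -> sorted ports; loopback listeners are skipped."""
    mgmt = ipaddress.ip_address(mgmt_ip)
    scopes = {"wildcard": [], "management": [], "other": []}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split the port off the right so
        # bracketed IPv6 addresses stay intact.
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%", 1)[0]
        if host == "*":
            scope = "wildcard"
        else:
            addr = ipaddress.ip_address(host)
            if addr.is_loopback:
                continue
            if addr.is_unspecified:
                scope = "wildcard"   # 0.0.0.0 or ::, reachable on every interface
            elif addr == mgmt:
                scope = "management"
            else:
                scope = "other"
        scopes[scope].append(int(port))
    return {name: sorted(ports) for name, ports in scopes.items()}

if __name__ == "__main__":
    for scope, ports in classify_listeners(SAMPLE_SS, "172.29.236.11").items():
        print(f"{scope}: {ports}")
```

After the upgrade, ports that appear under "wildcard" are still listening on every interface and are worth comparing against any remaining bind address overrides.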

  • Deployments which follow the distro path (services are installed from distro packages rather than in virtualenvs) should upgrade Ubuntu 18.04 -> 20.04 before performing the OpenStack Ussuri -> Victoria upgrade, since Ubuntu Cloud Archive does not provide Victoria system packages for 18.04.

  • Variable haproxy_hatop_downloader has been removed. Deployers are supposed to use the haproxy_hatop_download_url override if needed to install in deployments with limited internet connection.

  • There’s no need to provide either the http-01-address or http-01-port options with haproxy_ssl_letsencrypt_setup_extra_params, as they are now configured with the corresponding variables haproxy_ssl_letsencrypt_certbot_bind_address and haproxy_ssl_letsencrypt_certbot_backend_port.

  • There’s no need to keep the letsencrypt service in haproxy_extra_services, or to copy and maintain the whole of haproxy_default_services in order to get overrides for horizon. From now on the required adjustments are provided by default and the letsencrypt installation path has been simplified.

  • A string value of nova_scheduler_default_filters is converted to a list. At the moment there is compatibility for overridden values that are strings, but this support will be removed in future releases. Deployers are therefore recommended to replace their string overrides with list ones.

  • We have changed the way ceilometer pipeline.yml is deployed. Overrides are now used to preserve the behaviour and defaults, however you might want to double check that no conflicts with your current overrides exist.

  • As support for Centos-7 is removed from openstack-ansible in the Victoria release, it is no longer necessary to support LXC2 configuration syntax in the lxc_container_create ansible role. The version of LXC is now assumed to be 3 or greater, and any LXC configuration keys that are being overridden by the deployer in the variable lxc_container_config_list should be updated to LXC3 syntax, as these will no longer be converted by ansible code.

Deprecation Notes

  • To provide compatibility with Centos-8 the LXC cache preparation has been greatly simplified to remove the requirement for machinectl and btrfs, which is a combination not available on Centos-8. This has the side effect of machinectl no longer being a supported backing store for LXC.

  • Glance registry service has finally been removed

Bug Fixes

  • Since Ubuntu has dropped older base images, which resulted in all previous tags being broken, we’ve switched to always downloading the latest base image available. This should guarantee that we retrieve relevant images only.

  • When defining provider networks, vlan ranges are no longer required. When a vlan range is not specified, the provider label net_name will still be set in network_vlan_ranges, but automatic VLAN allocation will not be available.

    Implementation Example:

    host_bind_override: "bond1"
    type: "vlan"
    net_name: "physnet1"
    group_binds:
    - neutron_linuxbridge_agent
    

Other Notes

  • HAProxy now verifies that the repo server is healthy using the repo_sync_complete file, which is created by the repo_server role. This should prevent non-synced repo containers from participating in load balancing.

  • The pw-token-gen.py script will always generate a 32 char string instead of randomly choosing between a length of 24 or 32.