Wallaby Series Release Notes

23.1.1

Security Issues

23.1.0

Bug Fixes

  • This release addresses an issue which could cause wheels to fail to be built when upgrading from one operating system to another. Upgrading to this release is recommended before attempting an operating system upgrade.

23.0.0

Prelude

Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups. Now the OVS agent includes an optional firewall driver that natively implements security groups as flows in OVS rather than the Linux bridge device and iptables. This increases scalability and performance.

New Features

  • Implemented the openstack_hosts_package_manager_extra_conf variable. It allows adding extra content to the package manager’s configuration (works with apt, yum and dnf).

  • Add support for encryption of databases. This is disabled by default and can be enabled by setting galera_mariadb_encryption_enabled to true. For now only the file_key_management encryption plugin is supported. You can override encryption options with galera_encryption_overrides. The role creates galera_db_encryption_keys for you if they’re not specified. To specify your own encryption keys, provide them like this.

    galera_db_encryption_keys: |
       1;5bbc03648be8db3d2087815717eabdec9fbc310f2b7fd53705b36fbdc80333e3
       2;5bbc03648be8db3d2087815717eabdec9fbc310f2b7fd53705b36ebdc80333e3
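    The block above is one key per line in the form id;hex-key, which is what MariaDB’s file_key_management plugin reads. The following added helper (not part of openstack-ansible or the galera role) generates fresh keys in that layout and checks a hand-written block before it goes into user_variables.yml; the accepted key lengths (AES-128/192/256) and the key id 1 default are MariaDB behaviour, the sample block is constructed.

```python
import re
import secrets

# Key lengths the MariaDB file_key_management plugin accepts, in hex characters
# (16, 24 or 32 bytes, i.e. AES-128/192/256).
VALID_KEY_HEX_LENGTHS = (32, 48, 64)
LINE_RE = re.compile(r"^(\d+);([0-9a-fA-F]+)$")


def generate_keys(ids=(1, 2), key_bytes=32):
    """Return a galera_db_encryption_keys block with fresh random keys.

    Assumption: one 'id;hexkey' line per key, as shown in the release note.
    """
    lines = [f"{key_id};{secrets.token_hex(key_bytes)}" for key_id in ids]
    return "\n".join(lines) + "\n"


def parse_keys(block):
    """Parse the block into {id: hexkey}; raise ValueError on malformed input."""
    keys = {}
    for lineno, raw in enumerate(block.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>', got {line!r}")
        key_id, hexkey = int(m.group(1)), m.group(2).lower()
        if len(hexkey) not in VALID_KEY_HEX_LENGTHS:
            raise ValueError(
                f"line {lineno}: key id {key_id} has {len(hexkey)} hex chars; "
                f"need one of {VALID_KEY_HEX_LENGTHS}")
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key id {key_id}")
        keys[key_id] = hexkey
    if not keys:
        raise ValueError("no keys found")
    return keys


def check_keys(block):
    """Return a list of warnings about a parsed block (empty means it looks sound)."""
    keys = parse_keys(block)
    warnings = []
    if 1 not in keys:
        # MariaDB uses key id 1 as the default InnoDB encryption key id.
        warnings.append("key id 1 missing: MariaDB uses it as the default InnoDB key id")
    first_owner = {}
    for key_id, hexkey in keys.items():
        if hexkey in first_owner:
            warnings.append(f"key id {key_id} reuses the key material of id {first_owner[hexkey]}")
        first_owner.setdefault(hexkey, key_id)
        if len(set(hexkey)) <= 2:
            warnings.append(f"key id {key_id} has almost no entropy")
    return warnings


# Constructed sample: a hand-typed block that repeats one low-entropy key under two ids.
SAMPLE_BAD = "1;" + "ab" * 32 + "\n2;" + "ab" * 32 + "\n"
```
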
    
  • Added variable blazar_policy_overrides that aims to allow deploying policy.yaml file with provided overrides for Blazar service.

  • Added experimental support for Debian Bullseye. Deployment path with distro packages is not available at the moment.

  • In deployments where a separate host is used to manage the OpenStack-Ansible configuration, the ‘/etc/hosts’ file on that host will now include a section adding hostname-to-IP resolution for all hosts in the inventory. This can be enabled/disabled via ‘openstack_host_manage_deploy_hosts_file’.

  • Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. On compute and network nodes this previously took a significant amount of time, and gathering minimal facts will speed this up. Facts are instead gathered for interfaces specified in provider_networks for the storage, overlay and management networks.

  • Added variable security_rhel7_enable_aide that is designed to skip installation and initialization of the aide-related STIGs.

  • Added variable glance_image_cache_stall_time to control glance cache time if needed. Defaults to 86400.

  • Added new variable haproxy_hatop_install, which allows conditionally enabling or disabling hatop installation.

  • Created a series of variables haproxy_*_service, each containing the haproxy configuration block specific to that service. This allows deployers to selectively adjust the haproxy frontend/backend configuration for a single service, without needing to override the whole haproxy_default_services.

  • Implemented horizon WEBSSO auto redirects. The following new variables were added to manage the redirect configuration:

    • horizon_websso_default_redirect

    • horizon_websso_default_redirect_region

    • horizon_websso_default_redirect_logout

  • New variables ‘keepalived_internal_ping_address’ and ‘keepalived_external_ping_address’ allow deployments to decouple liveness checks for HAProxy accessibility via internal and external networks. The previous ‘keepalived_ping_address’ variable is maintained for backwards compatibility.

  • Added variable galera_init_overrides that can be leveraged to override the default systemd unit file settings for mariadb. This also brings a requirement on the systemd_service role.

  • Added variables masakari_monitor_corosync_multicast_ports and masakari_monitor_corosync_ipmi_check that allow defining the ports used by the corosync service and enabling IPMI checks in case the ipmi RA is set in pacemaker.

  • In order to use dedicated net nodes, override of env.d is no longer required. Deployers can set network-infra_hosts to their infra (LXC) hosts and network-agent_hosts to their net nodes inside their openstack_user_config.yml or conf.d files.

  • Re-added the nova_dhcp_domain variable, which defaults to dhcp_domain. When set to an empty string, only the hostname without a domain will be configured for the instances.

  • You can override the default iptables_hybrid firewall driver for Open vSwitch by setting neutron_firewall_driver: openvswitch.

  • A new ansible role (ansible-role-pki) is introduced to manage the creation of server certificates and certificate authorities. A self-signed Root CA and Intermediate CA are created on the deploy host and are used to provide TLS for RabbitMQ, and with the default configuration also a self-signed server certificate for HAProxy. A set of new variables with the prefix openstack_pki_* are introduced which allow a deployer to customise and extend the set of certificate authorities which are created. Root certificate authorities are installed into the trust store of all hosts and containers, allowing a complete trust chain to be formed across the deployment, which has never previously been possible.

  • The repository server can now retrieve and cache upper-constraints files and serve them as required to pip during the build of python wheels. By default the relevant version of upper-constraints will be downloaded once from https://releases.openstack.org/constraints/upper/, or from the url in a new override user_requirements_git_url. Additional constraints files can be placed in /etc/openstack_deploy/upper-constraints on the deploy host; these will be copied to the repo server and will be available to reference in other overrides such as magnum_upper_constraints_url. This is useful if deploying a different branch of a service such as magnum/master onto a deployment of openstack/victoria. If the target hosts are in an air-gapped environment, setting requirements_git_repo to an empty string will disable downloading of upper-constraints to the repo server and rely on the deployer providing suitable copies of upper-constraints through the deploy host /etc/openstack_deploy/upper-constraints directory.

  • New variable openstack_ca_bundle_path has been added which defines the path to the ca-bundle certificate file containing all system-trusted CAs; it will be used by the Python Requests module.

  • Added variable openstack_systemd_global_overrides that defines some defaults for all systemd services. It will be deployed to all hosts and containers, but can be controlled with group_vars or host_vars as well if needed.

  • Added an option to mount s3fs as a shared filesystem with systemd. The type should be stated as ‘fuse.s3fs’, and the extra key ‘credentials’ should be set for systemd_mounts. The S3 url should be placed in the options. Please follow https://github.com/s3fs-fuse/s3fs-fuse#examples for docs regarding s3fs.

  • Added new variable haproxy_stick_table_enabled to haproxy_service_configs, that allows you to conditionally enable or disable the default stick-table.

  • Added systemd_overrides and systemd_overrides_only keys to the systemd_services dictionary. With systemd_overrides you can define systemd native overrides, which will be placed in /etc/systemd/system/service_name.service.d/overrides. systemd_overrides_only indicates that no service_name.service unit should be created and only the overrides should be written.

  • Added sockets key to configure systemd-sockets for the systemd service.

  • Added variable keepalived_sysctl_tcp_retries that controls the number of retransmissions the kernel will make before giving up on a connection. It controls the net.ipv4.tcp_retries2 sysctl setting, whose default value is 15. The default value of keepalived_sysctl_tcp_retries is 8, so VIP failover time will be ~1min. Setting keepalived_sysctl_tcp_retries to 0 will remove the mentioned sysctl setting.

  • Added guest image upload functionality to the Trove role. In order to use this functionality, you need to define the trove_guestagent_images variable, which may contain a list of images that are required for upload and the required tags for them.

  • Added variable trove_management_security_groups to set the list of security groups that will be applied to the management interface of Trove guest instances.

  • Added the following variables to control the endpoint types that trove will search for in the catalog:

    • trove_service_endpoint_type

    • trove_service_neutron_endpoint_type

    • trove_service_cinder_endpoint_type

    • trove_service_nova_endpoint_type

    • trove_service_glance_endpoint_type

    • trove_service_swift_endpoint_type

    • trove_guest_endpoint_type

  • Added the following variables to control when to add specific service blocks to the config file and enable support for these services:

    • trove_swift_enabled

    • trove_designate_enabled

    • trove_cinder_enabled

  • Added the following variables to ease designate integration with trove:

    • trove_dns_domain_name

    • trove_dns_domain_id

    • trove_notifications_designate

  • Added Trove guest specific variables to be able to use a standalone rabbitmq, with the default behaviour letting guests use trove_container_net_name for the rabbitmq servers:

    • trove_guest_oslomsg_rpc_hostgroup

    • trove_guest_oslomsg_notify_hostgroup

  • Adds a ‘zun-docker-cleanup’ script to the Zun compute virtualenv which can be used to clean up cached Docker images held on compute hosts. This can be run on a timer by setting the ‘zun_docker_prune_images’ variable or executed manually by adding ‘--force’ to the script.

  • Added variable zun_policy_overrides that aims to allow deploying policy.yaml file with provided overrides for Zun service.

Known Issues

  • Where a single OSA deploy host is used to manage multiple deployments, some delegated Ansible tasks are performed using hostnames rather than IP addresses due to Ansible issue 72776. Hostnames such as ‘infra1’ will be ambiguous, so use of separate hosts for each deployment is recommended.

Upgrade Notes

  • Adds the subnet_dns_publish_fixed_ip option extension in ml2 plugin. The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource. When set to true it will allow publishing DNS records for fixed IPs.

  • In order to accommodate Centos-8 Stream support, it is necessary to require the minimum version of Centos-8 Classic to be 8.3. There are breaking changes between Stream and Classic versions prior to 8.3 which break ansible code that detects major/minor versions of Centos. Before upgrading to Wallaby, deployers should ensure that their Centos hosts are updated to 8.3.

  • Variable cinder_enable_v2_api is set to False by default. This will result in the Cinder v2 API being removed from the keystone catalog during upgrade. If you want to preserve the v2 API you must override cinder_enable_v2_api in user_variables.yml.

  • For Designate, designate_pool_uuid was hardcoded in the os_designate role. Now it’s dynamically generated in secrets.yml and unique per deployment. However, before upgrade you must set designate_pool_uuid to the current uuid. Most likely it is 794ccc2c-d751-44fe-b57f-8894c9f5c842, since that value has been the default in the role and it would remain the same unless explicitly overwritten. You can check your pool uuid with the command /openstack/venvs/designate-20.1.1.dev7/bin/designate-manage pool show_config, which should be executed from the Designate venv.

  • Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. If overrides are in use for setting the neutron tunnel address, or various storage or management addresses which rely on ansible fact gathering to provide variables of the form ansible_<interface>, it is likely that these facts will no longer be gathered by default. The new variable dynamic_address_gather_filter is available to specify a shell-style (fnmatch) wildcard selecting the set of facts gathered early in the neutron/nova/cinder playbooks.

  • The Galera privileged username has changed from root to admin. The old 'root'@'%' user can be removed after the upgrade process.

  • MariaDB version 10.5.9 is known to have a bug which results in broken root permissions after upgrade. We have implemented a workaround for it which will be triggered automatically. This note is informative only.

  • gnocchi_service_project_name is now set to service even for deployments involving Swift. Nowadays ceilometer.middleware excludes the service project by default, so no additional protection is required. In case you want to preserve your current gnocchi_service_project_name, define it equal to gnocchi_swift in your user_variables.yml.

  • Variable haproxy_hatop_downloader has been removed. Deployers are expected to use the haproxy_hatop_download_url override if needed to install in deployments with limited internet connectivity.

  • HAProxy haproxy_whitelist_networks key inside haproxy_service_configs dictionary has been replaced with haproxy_allowlist_networks.

  • Variable cinder_service_internaluri_insecure has been replaced with keystone_service_internaluri_insecure that is used across all roles for the exact same purpose.

  • All supported operating systems now build their LXC images locally on the lxc container hosts rather than relying on external pre-built base images. debootstrap and dnf are used on debian and Centos variants respectively. All variables controlling the download of images have been removed from the lxc_hosts role, and a new override, lxc_apt_mirror is added to allow local mirrors to be specified for debootstrap. Centos systems will use the mirror configuration already present on the host when building the container rootfs with dnf.

  • During upgrade your current Nova cell mappings will be converted to use template URLs. This means that your changes to transport_url or [database]/connection in nova.conf will be reflected by nova-conductor in cells right after a service restart, without the need to explicitly run nova-manage cell_v2 update_cell.

  • Introduce this feature to empty compute nodes, and migrate VMs over once the agents have been restarted.

  • It is now mandatory to use a verifiable SSL certificate and Certificate Authority trust chain for the RabbitMQ installation. This can be achieved automatically through the new ansible role ansible-role-pki with appropriate addition of openstack_pki_* variables. Any existing deployments which use the rabbitmq_user_ssl_* variables must ensure that the supplied certificates can be verified by a CA certificate installed into the trust store of each host and container. This can be achieved by supplying the CA certificate on the deploy host and using overrides from the openstack_hosts role to install it.

  • The Wallaby release of openstack-ansible does not support deployment of the control plane in nspawn containers.

  • If a deployment uses local copies or caches of the openstack requirements repo or upper-constraints files, the repo server is now able to natively host copies of the relevant upper-constraints files and serve them to pip during wheel builds. It is now also possible to supply custom constraints files in the deploy host /etc/openstack_deploy/upper-constraints directory. Deployers should take account of the new capability in the repo server and adjust any special handling of downloading upper-constraints that they may have made via overrides, in particular requirements_git_url.

  • cloudkitty_package_state inherits package_state and defaults to “latest”

  • cloudkitty_uwsgi_bind_address inherits openstack_service_bind_address and defaults to 0.0.0.0

  • cloudkitty_galera_port inherits galera_port and defaults to “3306”

  • cloudkitty_service_region inherits service_region and defaults to “RegionOne”

  • Trove service specific config files, like trove-conductor.conf and trove-taskmanager.conf, were removed and all functionality was merged into the trove.conf file. So you need to ensure that all overridden options are now placed in trove.conf.

  • Default Trove service username has been changed from admin_trove_user to trove. You might want to manually delete admin_trove_user after upgrade or override new default.

  • Default Trove service project name has been changed from trove_for_trove_usage to service. You might want to manually delete trove_for_trove_usage project after upgrade or override new default.

  • The default value for trove_service_net_subnet_cidr has been changed from “192.168.20.0/24” to “172.29.252.0/22”. Along with that, the pool start and pool end have changed as well, represented by the variables trove_service_net_allocation_pool_start and trove_service_net_allocation_pool_end. Please define these variables in user_variables.yml in case you used the default values in production environments.

Deprecation Notes

  • The following variables have been deprecated and will have no effect:

    • haproxy_ssl_cert_path

    • haproxy_ssl_key

    • haproxy_ssl_pem

    • haproxy_ssl_ca_cert

    These variables were responsible for the path in which haproxy looked for certificates on the destination hosts.

    The variables were replaced in favor of haproxy_ssl_cert_path, since the exact path to certificates will be dynamically set based on the VIP that is used for the frontend.

  • Variable masakari_policy_json_overrides has been deprecated in favor of masakari_policy_overrides and will be removed after the X release. For now masakari_policy_overrides defaults to masakari_policy_json_overrides for compatibility.

  • The custom PowerVM code has been removed as it is not tested. The code in question can be replaced with the following setting:

    neutron_firewall_driver: openvswitch

  • Variables nova_novncproxy_agent_enabled, nova_serialconsoleproxy_enabled and nova_console_agent_enabled are removed and won’t have any effect in the future. If you want to disable console functionality, set nova_console_type: disabled in your user_variables.yml.

  • The variables haproxy_ssl_self_signed_regen and haproxy_ssl_self_signed_subject are removed and the equivalent functionality from the ansible-role-pki variables should be used instead.

  • Removed the octavia_amp_image_id option, as the corresponding Octavia configuration option amp_image_id is deprecated and image tags should be used instead.

  • Renamed tempest_test_whitelist to tempest_test_includelist and tempest_test_blacklist to tempest_test_excludelist. Dependent projects should update to use the new variables.

  • Since certificate and CA distribution is now handled by the PKI role, the variable openstack_host_ca_location has been deprecated and removed.

  • Support for an Open vSwitch dataplane with NSH support using the ovs_nsh_support variable has been immediately deprecated and removed due to built-in support for NSH in recent Open vSwitch releases. The prior PPA provided a custom release of OVS 2.9, which is no longer appropriate for recent releases of OSA and the respective operating systems.

  • cloudkitty_collected_services is deprecated and should instead be configured in the Cloudkitty metrics config.

  • Variable swift_gnocchi_enabled has been removed and won’t have any effect.

  • Variables trove_taskmanager_config_overrides and trove_conductor_config_overrides were removed along with affected config files. You should use trove_config_overrides to override trove configuration.

  • Removed variables trove_provider_ip_from_q and trove_container_net_name. If you need to change the network which will be used for guests inside trove containers, please use the variables trove_provider_network or trove_provider_net_iface.

  • Removed variables trove_admin_user_name and trove_service_tenant_name. Please use trove_service_user_name and trove_service_project_name correspondingly to manage username and project name which will be used for auth in keystone.

Critical Issues

  • This feature requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer includes conntrack support. Kernel versions 3.3 or newer but older than 4.3 do not include conntrack support and require building the OVS modules.
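    The version thresholds above are worth checking on every compute host before switching neutron_firewall_driver to openvswitch (see New Features), since a host that silently fails the conntrack requirement ends up with no working security groups. The following preflight check is an added example, not part of openstack-ansible: it classifies a host from the kernel release string and the output of ovs-vsctl --version, and probe_host() gathers those from the running system.

```python
import re
import subprocess

# Thresholds quoted in the Critical Issues note: OVS >= 2.5 always; kernel >= 4.3
# has in-tree conntrack support; 3.3 <= kernel < 4.3 needs the OVS modules built.
OVS_MIN = (2, 5)
KERNEL_NATIVE_CONNTRACK = (4, 3)
KERNEL_OOT_MODULE_MIN = (3, 3)


def parse_version(text):
    """Extract the leading major.minor from strings such as '5.4.0-80-generic'
    or 'ovs-vsctl (Open vSwitch) 2.13.3'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def ovs_firewall_support(kernel_release, ovs_version_output):
    """Classify a host for neutron_firewall_driver: openvswitch.

    Returns (status, reason) where status is one of
    'native', 'needs-ovs-modules' or 'unsupported'.
    """
    kernel = parse_version(kernel_release)
    ovs = parse_version(ovs_version_output)
    if ovs < OVS_MIN:
        return "unsupported", f"Open vSwitch {ovs[0]}.{ovs[1]} is older than 2.5"
    if kernel >= KERNEL_NATIVE_CONNTRACK:
        return "native", "kernel ships in-tree OVS conntrack support"
    if kernel >= KERNEL_OOT_MODULE_MIN:
        return "needs-ovs-modules", "kernel lacks in-tree conntrack; build the OVS kernel modules"
    return "unsupported", f"kernel {kernel[0]}.{kernel[1]} is older than 3.3"


def probe_host():
    """Run the check against the local host; ovs-vsctl missing counts as unsupported."""
    kernel_release = subprocess.run(["uname", "-r"], capture_output=True,
                                    text=True, check=True).stdout.strip()
    try:
        ovs_out = subprocess.run(["ovs-vsctl", "--version"], capture_output=True,
                                 text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return "unsupported", f"ovs-vsctl not usable: {exc}"
    return ovs_firewall_support(kernel_release, ovs_out)


if __name__ == "__main__":
    status, reason = probe_host()
    print(f"{status}: {reason}")
```
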

Bug Fixes

  • Fixed behaviour of variable nova_spice_console_agent_enabled. It can be safely used now to disable spice agent when needed.

Other Notes

  • Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.