Wallaby Series Release Notes
This release eliminates the following security issues:
This release addresses an issue which could cause wheels to fail to be built when upgrading from one operating system to another. Upgrading to this release is recommended before attempting an operating system upgrade.
Historically, Open vSwitch (OVS) could not interact directly with iptables to implement security groups. Thus, the OVS agent and Compute service use a Linux bridge between each instance (VM) and the OVS integration bridge br-int to implement security groups. Now the OVS agent includes an optional firewall driver that natively implements security groups as flows in OVS rather than the Linux bridge device and iptables. This increases scalability and performance.
Added the openstack_hosts_package_manager_extra_conf variable, which allows extra content to be added to the package manager's configuration (works with apt, yum and dnf).
Added support for encryption of databases. This is disabled by default and can be enabled by setting the corresponding variable to true. For now only the file_key_management encryption plugin is supported. You can override encryption options with galera_encryption_overrides. The role creates galera_db_encryption_keys for you if they are not specified. To specify your own encryption keys, provide them like this:
galera_db_encryption_keys: |
  1;5bbc03648be8db3d2087815717eabdec9fbc310f2b7fd53705b36fbdc80333e3
  2;5bbc03648be8db3d2087815717eabdec9fbc310f2b7fd53705b36ebdc80333e3
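An added example, not part of the galera_server role or of this release note: generating and sanity-checking keys in the file_key_management format shown above (one `<id>;<64 hex chars>` line per 256-bit key) with openssl, and printing them as the galera_db_encryption_keys block scalar. The check catches the mistakes that make the plugin reject a hand-written key file: a key that is not 32 bytes, a duplicated id, and a missing key id 1 (the default innodb_default_encryption_key_id). The temporary file path is illustrative.

```shell
#!/bin/sh
# Added example (not from the galera_server role): generate and check MariaDB
# file_key_management keys, "<id>;<64 hex chars>" per line, one 256-bit key each.
set -u

# new_keyfile N: print N keys with ids 1..N, each 32 random bytes from openssl.
new_keyfile() {
  i=1
  while [ "$i" -le "$1" ]; do
    printf '%s;%s\n' "$i" "$(openssl rand -hex 32)"
    i=$((i + 1))
  done
}

# check_keyfile FILE: return 0 only if every line is "<id>;<64 hex>", no id is
# repeated, and id 1 exists (MariaDB's default innodb_default_encryption_key_id).
check_keyfile() {
  if grep -Evq '^[0-9]+;[0-9a-fA-F]{64}$' "$1"; then
    echo "check_keyfile: malformed line(s) in $1 (expected <id>;<64 hex chars>)" >&2
    return 1
  fi
  if [ "$(cut -d';' -f1 "$1" | sort | uniq -d | wc -l)" -ne 0 ]; then
    echo "check_keyfile: duplicate key id in $1" >&2
    return 1
  fi
  if ! grep -q '^1;' "$1"; then
    echo "check_keyfile: key id 1 is missing in $1" >&2
    return 1
  fi
}

# as_user_variables FILE: emit the keys as the galera_db_encryption_keys
# block scalar for user_variables.yml (same shape as the release note above).
as_user_variables() {
  echo 'galera_db_encryption_keys: |'
  sed 's/^/  /' "$1"
}

# Demo: a fresh two-key file, checked and rendered. The path is illustrative.
keys=$(mktemp)
new_keyfile 2 > "$keys"
check_keyfile "$keys" && as_user_variables "$keys"
rm -f "$keys"
```

Run check_keyfile against any key file you hand to the role before deploying; the role's own generated keys need no check, but a key pasted from a password manager with a stray character is exactly the case this catches.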
Added the blazar_policy_overrides variable, which allows deploying a policy.yaml file with the provided overrides for the Blazar service.
Added experimental support for Debian Bullseye. Deployment path with distro packages is not available at the moment.
In deployments where a separate host is used to manage the OpenStack Ansible configuration, the ‘/etc/hosts’ file on that host will now include a section adding hostname to IP resolution for all hosts in the inventory. This can be enabled/disabled via ‘openstack_host_manage_deploy_hosts_file’.
Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. On compute and network nodes this previously took a significant amount of time, and gathering minimal facts will speed this up. Facts are instead gathered for interfaces specified in provider_networks for the storage, overlay and management networks.
Added the security_rhel7_enable_aide variable, which allows skipping the installation and initialization of AIDE and the AIDE-related STIG controls.
Added the glance_image_cache_stall_time variable to control the Glance image cache stall time if needed. Defaults to
Added new variable haproxy_hatop_install, which allows hatop installation to be conditionally enabled or disabled.
Created a series of variables haproxy_*_service that contain the service-specific haproxy configuration block. This allows deployers to selectively adjust the haproxy frontend/backend configuration for a specific service only, without needing to override the whole of haproxy_default_services.
Implemented Horizon WebSSO auto-redirects. The following new variables were added to manage the redirect configuration:
New variables ‘keepalived_internal_ping_address’ and ‘keepalived_external_ping_address’ allow deployments to decouple liveness checks for HAProxy accessibility via internal and external networks. The previous ‘keepalived_ping_address’ variable is maintained for backwards compatibility.
Added the galera_init_overrides variable, which can be used to override the default systemd unit file settings for MariaDB. This also adds a dependency on the systemd_service role.
Added variables such as masakari_monitor_corosync_ipmi_check that allow defining the ports used by the corosync service and enabling IPMI checks when the ipmi resource agent is configured in Pacemaker.
In order to use dedicated network nodes, overriding env.d is no longer required. Deployers can set network-infra_hosts to their infra (LXC) hosts and network-agent_hosts to their network nodes inside their openstack_user_config.yml or conf.d files.
Added the nova_dhcp_domain variable, which defaults to the value of dhcp_domain. When set to an empty string, only the hostname without a domain will be configured for the instances.
You can override the default iptables_hybrid firewall driver for Open vSwitch by setting
A new ansible role (ansible-role-pki) is introduced to manage the creation of server certificates and certificate authorities. A self-signed Root CA and an Intermediate CA are created on the deploy host and are used to provide TLS for RabbitMQ, and with the default configuration also a self-signed server certificate for HAProxy. A set of new variables with the prefix openstack_pki_* is introduced which allows a deployer to customise and extend the set of certificate authorities that are created. Root certificate authorities are installed into the trust store of all hosts and containers, allowing a complete trust chain to be formed across the deployment, which has never previously been possible.
The repository server can now retrieve and cache upper-constraints files and serve them as required to pip during the build of python wheels. By default the relevant version of upper-constraints will be downloaded once from https://releases.openstack.org/constraints/upper/, or from the url in a new override user_requirements_git_url. Additional constraints files can be placed in /etc/openstack_deploy/upper-constraints on the deploy host; these will be copied to the repo server and will be available to reference in other overrides such as magnum_upper_constraints_url. This is useful if deploying a different branch of a service such as magnum/master onto a deployment of openstack/victoria. If the target hosts are in an air-gapped environment, setting requirements_git_repo to an empty string will disable downloading of upper-constraints to the repo server and rely on the deployer providing suitable copies of upper-constraints through the deploy host /etc/openstack_deploy/upper-constraints directory.
The openstack_ca_bundle_path variable has been added, which defines the path to the CA bundle containing all system-trusted CAs; it will be used by the Python Requests module.
Added the openstack_systemd_global_overrides variable, which defines some defaults for all systemd services. It will be deployed to all hosts and containers, but can also be controlled through group_vars or host_vars if needed.
Added an option to mount s3fs with systemd as a shared filesystem. The type should be stated as ‘fuse.s3fs’, and the extra key ‘credentials’ should be set in systemd_mounts. The S3 URL should be placed in the options. See https://github.com/s3fs-fuse/s3fs-fuse#examples for the s3fs documentation.
Added the new variable haproxy_stick_table_enabled to haproxy_service_configs, which allows you to conditionally enable or disable the default stick-table.
Added systemd_overrides and systemd_overrides_only keys to the systemd_services dictionary. With systemd_overrides you can define native systemd overrides, which will be placed in /etc/systemd/system/service_name.service.d/overrides. Setting systemd_overrides_only indicates that service_name.service itself should not be created and only the overrides should be written.
Added sockets key to configure systemd-sockets for the systemd service.
Added the keepalived_sysctl_tcp_retries variable, which controls the number of retries the kernel makes before giving up on a connection. It sets the net.ipv4.tcp_retries2 sysctl, whose kernel default is 15. The default value of keepalived_sysctl_tcp_retries is 8, so VIP failover time will be about one minute. Setting keepalived_sysctl_tcp_retries to 0 removes the sysctl setting.
Added guest image upload functionality to the Trove role. To use it, define the trove_guestagent_images variable, which may contain a list of images that are required for upload, and set the required tags for them.
Added trove_management_security_groups to set the list of security groups that will be applied to the management interface of Trove guest instances.
Added the following variables to control the endpoint types that Trove will look up in the catalog:
Added the following variables to control when specific service blocks are added to the config file and to enable support for these services:
Added the following variables to ease Designate integration with Trove:
Added Trove guest-specific variables to allow using a standalone RabbitMQ, while keeping the default behaviour of having guests use trove_container_net_name for the RabbitMQ servers:
Adds a ‘zun-docker-cleanup’ script to the Zun compute virtualenv which can be used to clean up cached Docker images held on compute hosts. This can be run on a timer by setting the ‘zun_docker_prune_images’ variable, or executed manually by passing ‘--force’ to the script.
Added the zun_policy_overrides variable, which allows deploying a policy.yaml file with the provided overrides for the Zun service.
Where a single OSA deploy host is used to manage multiple deployments, some delegated Ansible tasks are performed using hostnames rather than IP addresses due to Ansible issue 72776. Hostnames such as ‘infra1’ will be ambiguous, so use of separate hosts for each deployment is recommended.
Added the subnet_dns_publish_fixed_ip option extension to the ML2 plugin. The subnet-dns-publish-fixed-ip extension adds a new attribute to the definition of the subnet resource; when set to true, it allows publishing DNS records for fixed IPs.
In order to accommodate CentOS 8 Stream support, it is necessary to require a minimum version of CentOS 8 Classic of 8.3. There are breaking changes between Stream and Classic versions prior to 8.3 which break the ansible code that detects major/minor versions of CentOS. Before upgrading to Wallaby, deployers should ensure that their CentOS hosts are updated to 8.3.
cinder_enable_v2_api is set to False by default. This will result in the Cinder v2 API being removed from the Keystone catalog during upgrade. If you want to preserve the v2 API you must override cinder_enable_v2_api.
designate_pool_uuid was hardcoded in the os_designate role. Now it is dynamically generated in secrets.yml and unique per deployment. However, before upgrading you must set designate_pool_uuid to the current UUID. Most likely it is 794ccc2c-d751-44fe-b57f-8894c9f5c842, since that value was the role default and would remain unchanged unless explicitly overridden. You can check your pool UUID with the command /openstack/venvs/designate-20.1.1.dev7/bin/designate-manage pool show_config, executed from the Designate venv.
Only minimal facts are gathered when calculating the ‘dynamic address fact’ for the neutron, nova and cinder playbooks. If overrides are in use for setting the neutron tunnel address, or various storage or management addresses which rely on ansible fact gathering to provide variables of the form ansible_<interface>, it is likely that these facts will no longer be gathered by default. The new variable dynamic_address_gather_filter is available to specify a shell-style (fnmatch) wildcard for the set of facts gathered early in the neutron/nova/cinder playbooks.
The Galera privileged username has changed from root to admin. The old ‘root’@’%’ user can be removed after the upgrade process.
MariaDB version 10.5.9 is known to have a bug which results in broken root permissions after upgrade. We have implemented a workaround for it which will be triggered automatically. This note is informative only.
gnocchi_service_project_name is now set to service by default, even for deployments involving Swift. ceilometer.middleware now excludes the service project by default, so no additional protection is required. If you want to preserve the current gnocchi_service_project_name, set it to gnocchi_swift in your user_variables.yml.
haproxy_hatop_downloader has been removed. Deployers should use the haproxy_hatop_download_url override if needed to install hatop in deployments with limited internet connectivity.
The haproxy_service_configs dictionary has been replaced with
cinder_service_internaluri_insecure has been replaced with keystone_service_internaluri_insecure, which is used across all roles for the exact same purpose.
All supported operating systems now build their LXC images locally on the lxc container hosts rather than relying on external pre-built base images. debootstrap and dnf are used on debian and Centos variants respectively. All variables controlling the download of images have been removed from the lxc_hosts role, and a new override, lxc_apt_mirror is added to allow local mirrors to be specified for debootstrap. Centos systems will use the mirror configuration already present on the host when building the container rootfs with dnf.
During upgrade your current Nova cell mappings will be converted to use Template URLs. This means that changes to transport_url or [database]/connection in nova.conf will be picked up by nova-conductor in the cells right after a service restart, without needing to explicitly run nova-manage cell_v2 update_cell.
Introduce this feature on empty compute nodes, and migrate VMs over once the agents have been restarted.
It is now mandatory to use a verifiable SSL certificate and Certificate Authority trust chain for the RabbitMQ installation. This can be achieved automatically through the new ansible role ansible-role-pki with the appropriate addition of openstack_pki_* variables. Any existing deployments which use the rabbitmq_user_ssl_* variables must ensure that the supplied certificates can be verified by a CA certificate installed into the trust store of each host and container. This can be achieved by supplying the CA certificate on the deploy host and using overrides from the openstack_hosts role to install it.
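An added example, not the project's ansible-role-pki code, of the check this note asks for (and of the root/intermediate layout described under the new features): a throwaway root CA, intermediate CA and RabbitMQ server certificate are generated with plain openssl, and verify_chain then models what every host does: only the root is in the trust store (-CAfile), while the intermediate has to be presented alongside the server certificate (-untrusted). The two negative checks reproduce the failures you will see when the intermediate is not served with the leaf, or when the root in the trust store is not the one that issued the chain. Hostnames, subjects and file names are invented.

```shell
#!/bin/sh
# Added example (not from ansible-role-pki): root CA -> intermediate CA ->
# RabbitMQ server cert, built with openssl, then verified the way a host with
# only the root CA in its trust store would verify it.
set -u

# Minimal req config so the commands do not depend on the system openssl.cnf.
req_cfg() { printf '[req]\ndistinguished_name = dn\n[dn]\n'; }

# new_key_and_csr DIR NAME SUBJECT: RSA key and CSR for NAME.
new_key_and_csr() {
  openssl genrsa -out "$1/$2.key" 2048 >/dev/null 2>&1
  req_cfg > "$1/req.cnf"
  openssl req -new -config "$1/req.cnf" -key "$1/$2.key" -subj "$3" \
    -out "$1/$2.csr" >/dev/null 2>&1
}

# make_root DIR NAME: self-signed CA certificate (CA:TRUE, keyCertSign).
make_root() {
  new_key_and_csr "$1" "$2" "/CN=$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 365 \
    -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# sign_cert DIR ISSUER NAME EXTFILE: certificate for NAME issued by ISSUER.
sign_cert() {
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 365 -extfile "$4" -out "$1/$3.crt" >/dev/null 2>&1
}

# build_demo_chain DIR: root, an unrelated root, intermediate (pathlen:0) and
# a server certificate for an invented RabbitMQ hostname.
build_demo_chain() {
  make_root "$1" root
  make_root "$1" other-root   # unrelated CA, only used for the negative check
  new_key_and_csr "$1" intermediate "/CN=intermediate"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  sign_cert "$1" root intermediate "$1/ca.ext"
  new_key_and_csr "$1" rabbitmq "/CN=rabbitmq1.example.invalid"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:rabbitmq1.example.invalid\n' > "$1/server.ext"
  sign_cert "$1" intermediate rabbitmq "$1/server.ext"
}

# verify_chain TRUSTED_CA LEAF [UNTRUSTED_INTERMEDIATES]: 0 if LEAF chains to
# TRUSTED_CA. The default system store is disabled so only TRUSTED_CA counts,
# which is what a host whose trust store holds just the deployment root sees.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Demo: the full chain verifies; a missing intermediate or the wrong root does not.
demo=$(mktemp -d)
build_demo_chain "$demo"
verify_chain "$demo/root.crt" "$demo/rabbitmq.crt" "$demo/intermediate.crt" && echo "root + intermediate: verified"
verify_chain "$demo/root.crt" "$demo/rabbitmq.crt" || echo "intermediate not presented: rejected (expected)"
verify_chain "$demo/other-root.crt" "$demo/rabbitmq.crt" "$demo/intermediate.crt" || echo "wrong root in trust store: rejected (expected)"
rm -rf "$demo"
```

For an existing rabbitmq_user_ssl_* deployment, run verify_chain with the CA certificate you intend to install on the hosts as TRUSTED_CA and the files you are handing to RabbitMQ as LEAF and intermediates; if the middle case is what fails, the fix is to serve the intermediate with the server certificate, not to add it to every trust store.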
The Wallaby release of openstack-ansible does not support deployment of the control plane in nspawn containers.
If a deployment uses local copies or caches of the openstack requirements repo or upper-constraints files, the repo server is now able to natively host copies of the relevant upper-constraints files and serve them to pip during wheel builds. It is now also possible to supply custom constraints files in the deploy host /etc/openstack_deploy/upper-constraints directory. Deployers should take account of the new capability in the repo server and adjust any special handling of downloading upper-constraints that they may have made via overrides, in particular requirements_git_url.
cloudkitty_package_state inherits package_state and defaults to “latest”
cloudkitty_uwsgi_bind_address inherits openstack_service_bind_address and defaults to 0.0.0.0
cloudkitty_galera_port inherits galera_port and defaults to “3306”
cloudkitty_service_region inherits service_region and defaults to “RegionOne”
Trove service-specific config files, such as trove-taskmanager.conf, were removed and all functionality was merged into the trove.conf file. You need to ensure that all overridden options are now placed in the trove.conf file.
The default Trove service username has been changed from admin_trove_user to trove. You might want to manually delete the admin_trove_user user after the upgrade, or override the new default.
The default Trove service project name has been changed from trove_for_trove_usage to service. You might want to manually delete the trove_for_trove_usage project after the upgrade, or override the new default.
The default value for trove_service_net_subnet_cidr has been changed from “192.168.20.0/24” to “172.29.252.0/22”. Along with that, the pool start and pool end have changed as well, which are represented by the allocation pool variables such as trove_service_net_allocation_pool_end. Please define these variables in user_variables if you used the default values in production environments.
The following variables have been deprecated and will have no effect:
These variables were responsible for the path in which haproxy looked for certificates on the destination hosts. They were replaced in favor of haproxy_ssl_cert_path, since the exact path to the certificates will be set dynamically based on the VIP that is used for the frontend.
masakari_policy_json_overrides has been deprecated in favor of masakari_policy_overrides and will be removed after the X release. As for now
The custom PowerVM code has been removed as it is not tested. The code in question can be replaced with the following setting:
Variables such as nova_console_agent_enabled are removed and will have no effect in the future. If you want to disable console functionality, set nova_console_type: disabled in your user_variables.yml.
The variables haproxy_ssl_self_signed_regen and haproxy_ssl_self_signed_subject are removed and the equivalent functionality from the ansible-role-pki variables should be used instead.
The octavia_amp_image_id option is deprecated, as the corresponding Octavia configuration option amp_image_id is deprecated and image tags should be used instead.
New variable names such as tempest_test_excludelist are now used; dependent projects should update to use the new variables.
Since certificate and CA distribution are now handled by the PKI role, the openstack_host_ca_location variable has been deprecated and removed.
Support for an Open vSwitch dataplane with NSH support using the ovs_nsh_support variable has been immediately deprecated and removed, because recent Open vSwitch releases have built-in support for NSH. The prior PPA provided a custom release of OVS 2.9, which is no longer appropriate for recent releases of OSA and the respective operating systems.
cloudkitty_collected_services is deprecated; collected services should instead be configured in the CloudKitty metrics config.
The variable swift_gnocchi_enabled has been removed and will have no effect.
Variables such as trove_conductor_config_overrides were removed along with the affected config files. You should use trove_config_overrides to override the Trove configuration.
trove_container_net_name. If you need to change the network that will be used for guests inside Trove containers, please use the variables
trove_service_tenant_name. Please use trove_service_project_name correspondingly to manage the username and project name that will be used for authentication in Keystone.
This feature requires kernel and user space support for conntrack, and therefore minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer. Kernel version 4.3 or newer includes conntrack support. Kernel versions from 3.3 up to, but not including, 4.3 do not include conntrack support and require building the OVS modules.
Fixed the behaviour of the nova_spice_console_agent_enabled variable. It can now safely be used to disable the SPICE agent when needed.
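An added pre-flight check, not from the os_neutron role, for the conntrack requirements listed above (and for the firewall-driver override mentioned under the new features): it compares the Open vSwitch and kernel versions against the 2.5 / 4.3 / 3.3 thresholds and returns 0 when conntrack support is in-tree, 2 when the out-of-tree OVS modules have to be built first, and 1 when the combination is unsupported. ovs_fw_prereq_live reads the versions from ovs-vsctl and uname on the current host; the version strings in the demo are made up.

```shell
#!/bin/sh
# Added example (not from the os_neutron role): check the Open vSwitch and
# kernel versions against the conntrack requirements of the native OVS
# firewall driver: OVS >= 2.5; kernel >= 4.3 in-tree, 3.3 <= kernel < 4.3
# only with the OVS kernel modules built out of tree.
set -u

# major_minor V: print "MAJOR MINOR" from strings like 5.4.0-100-generic or 2.13.3
major_minor() {
  v=$1
  case $v in *.*) ;; *) v="$v.0" ;; esac
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%[!0-9]*}      # cut at the first non-digit (".0-100-generic")
  echo "$maj ${min:-0}"
}

# ver_ge A B: 0 if version A >= version B, comparing major.minor numerically
ver_ge() {
  set -- $(major_minor "$1") $(major_minor "$2")
  [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# ovs_fw_prereq OVS_VERSION KERNEL_VERSION: print a verdict; return
# 0 = supported with in-tree conntrack, 2 = needs out-of-tree OVS modules,
# 1 = unsupported combination.
ovs_fw_prereq() {
  if ! ver_ge "$1" 2.5; then
    echo "unsupported: Open vSwitch $1 is older than 2.5"
    return 1
  fi
  if ver_ge "$2" 4.3; then
    echo "ok: kernel $2 has in-tree conntrack support, OVS $1 is new enough"
    return 0
  elif ver_ge "$2" 3.3; then
    echo "conditional: kernel $2 needs the out-of-tree OVS kernel modules built"
    return 2
  fi
  echo "unsupported: kernel $2 is older than 3.3"
  return 1
}

# ovs_fw_prereq_live: same check against this host (ovs-vsctl must be on PATH).
# "ovs-vsctl (Open vSwitch) 2.13.3" -> "2.13.3"
ovs_fw_prereq_live() {
  ovs_fw_prereq "$(ovs-vsctl --version | sed -n '1s/^.*) //p')" "$(uname -r)"
}

# Demo with made-up version strings; run ovs_fw_prereq_live on a compute node.
for pair in "2.13.3 5.4.0-100-generic" "2.9.0 3.10.0-1160.el7.x86_64" "2.4.1 5.4.0"; do
  set -- $pair
  ovs_fw_prereq "$1" "$2" || true
done
```

Run ovs_fw_prereq_live on every compute and network node before switching drivers; a "conditional" result on a CentOS 7 era kernel is the case where the agent will come up but conntrack-based rules will silently not work until the modules are built.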
Gate jobs for OpenDaylight, SFC, and OVS w/ NSH have been removed in preparation for deprecation of those deployment scenarios and related code.