Xena Series Release Notes

24.4.0

New Features

  • Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable neutron_vpnaas_custom_config. Deployers should define neutron_vpnaas_custom_config in ‘user_variables.yml’. Example:

    neutron_vpnaas_custom_config:
      - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
        dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
      - src: "/etc/openstack_deploy/strongswan/strongswan.d"
        dest: "/etc/strongswan.d"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
        dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
        dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
    

    You should also define neutron_l3_agent_ini_overrides in ‘user_variables.yml’ so that the L3 agent uses the new configuration files. Example:

    neutron_l3_agent_ini_overrides:
      ipsec:
        enable_detailed_logging: True
      strongswan:
        strongswan_config_template: "{{ neutron_conf_dir }}/strongswan.conf.template"
      openswan:
        ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
    
  • Implemented variables rally_openstack_git_repo and rally_openstack_git_install_branch, which allow overriding the installation source of the rally-openstack package as well as controlling the installed version of the package.

Upgrade Notes

  • The Erlang version has changed from 24.1-1 to 24.1.3-1. Depending on when the deployment was done, the currently installed version may be a different minor release, so your Erlang version might be slightly upgraded or downgraded. This should not lead to incompatibilities with RabbitMQ in any scenario.

  • If you have defined haproxy_tuning_params in your deployment, make sure before upgrading that all keys are valid haproxy options. For example, instead of chksize: 16384 you should set tune.chksize: 16384. Otherwise an invalid configuration will be generated and haproxy will fail on startup. No upgrade scripts are provided for this change, and there is no backwards compatibility.

Bug Fixes

  • Fixed Erlang installation from the Cloudsmith repository for CentOS 8 Stream by adjusting the version that will be installed.

  • The Erlang version is now synced between Ubuntu/Debian and CentOS 8 Stream.

  • The default value of tune.maxrewrite has been increased, since with CSP headers in use their size could otherwise exceed the allowed buffer. Deployers can override this value if needed.

Other Notes

  • The restriction on parameters that can be passed to haproxy_tuning_params has been lifted. This means that any tuning parameter can be passed in key/value format.

  • The default source of RabbitMQ and Erlang packages has been switched to cloudsmith.io.

24.3.0

New Features

  • New variables galera_tmp_dir and galera_ignore_db_dirs were implemented to control the path of the temporary directory and which directories should be ignored when listing databases.

Upgrade Notes

  • If you have a database named #tmp, you should change the galera_tmp_dir path and adjust galera_ignore_db_dirs, or rename the database.

Bug Fixes

  • Fixes a Content Security Policy error which prevented image uploads via the Horizon interface.

  • Fixed fact gathering when tags were provided to the playbook run.

24.2.0

New Features

  • Introduced the new variable cinder_volume_usage_audit_send_actions_enabled to allow the deployer to disable the send actions option in the cinder-volume-usage-audit service unit. To keep the change footprint as small as possible, the default value is true, so the behaviour of cinder-volume-usage-audit in existing deployments is unchanged.

  • Added the variable rabbitmq_manage_hosts_entries, which controls whether the rabbitmq_server role will attempt to adjust the /etc/hosts file.

Bug Fixes

  • Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.

  • The rabbitmq role no longer duplicates records in the /etc/hosts file when the hosts file is already managed by OSA.

24.0.1

Known Issues

  • In the Xena release, TLS for VNC is enabled by default. For existing deployments this will prevent console access to existing virtual machines, as this configuration change does not apply to already running virtual machines. Virtual machines created after the configuration change are not affected.

    The virtual machines will run correctly, but you are not able to access them via the console. There are three possible solutions to enable console access for existing virtual machines: disable TLS for VNC, restart the virtual machine, or live migrate the virtual machine.

    TLS for VNC can be disabled by setting the nova_qemu_vnc_tls variable to 0 in the /etc/openstack_deploy/user_variables.yml file.

24.0.0

New Features

  • Enabled the VeNCrypt authentication scheme from the noVNC proxy to compute nodes. When using HTTPS, the TLS encryption only applies to data between the tenant user and the proxy server. To protect the path from the noVNC proxy to the compute nodes, it is necessary to enable the VeNCrypt authentication scheme for VNC.

    A pre-existing PKI (Public Key Infrastructure) setup is required.

    Initially, to help with the transition from unencrypted VNC to VeNCrypt, the compute node auth scheme allows both encrypted and unencrypted sessions, controlled by the variable nova_vencrypt_auth_scheme; this will be removed in future releases.

  • UEFI boot support has been added. To migrate from Legacy BIOS mode, define boot_mode:uefi as a capability for baremetal nodes that support UEFI. In addition, corresponding flavor(s) will need to be created or modified to include boot_mode:uefi as a capability for scheduling to occur against UEFI nodes.

  • Ceph-ansible has been switched to version 6.0 and Ceph Pacific is used by default.

  • Implemented the new variable connection_recycle_time, responsible for SQLAlchemy’s connection recycling.

  • The Galera role now leverages the PKI role for creation and distribution of certificates and certificate authorities. This introduces a number of new variables which control CA and certificate generation details. If user SSL certificates are provided, they will be used instead of the generated ones.

    The following new variables were introduced:

    • galera_ssl_verify

    • galera_pki_dir

    • galera_pki_create_ca

    • galera_pki_regen_ca

    • galera_pki_certificates

    • galera_pki_regen_cert

    • galera_pki_authorities

    • galera_pki_install_ca

    • galera_pki_keys_path

    • galera_pki_certs_path

    • galera_pki_intermediate_cert_name

    • galera_pki_intermediate_cert_path

    • galera_pki_install_certificates

  • MariaDB now uses TLS encryption by default. A certificate will be issued and signed with the internal CA using the PKI role. Deployers can disable encryption of MariaDB connections by setting galera_use_ssl: false in their user_variables.yml. Client certificates can still be provided and will be distributed with the PKI role as well.

  • Added the variable horizon_policy_overrides, which allows customizing Horizon-specific policies. As we don’t want to carry and maintain Horizon policies in OSA, they are retrieved from the Horizon hosts and adjusted in place, which means that they won’t roll back if you simply remove the override. horizon_policy_overrides also has a non-standard format: it is a nested dictionary where the first-level key is the service whose policy needs to be overridden, and its value is in the normal policy override format.

  • Support for the networking-baremetal mechanism driver and agent has been implemented. The ironic-neutron-agent is a neutron agent that populates the host to physical network mapping for baremetal nodes in neutron. Neutron uses this to calculate the segment to host mapping information. This feature may be enabled by adding ml2.baremetal to the neutron_plugin_types list in /etc/openstack_deploy/user_variables.yml.

  • The provider_networks library has been updated to support the definition of bond member interfaces that can automatically be added as bond ports to OVS provider bridges setup during a deployment. This feature is currently limited to DPDK-based deployments. To activate this feature, add the network_bond_interfaces key to the respective provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch w/ DPDK deployment guide.

  • Added variables systemd_run_dir and systemd_lock_dir that allow controlling the run and lock paths for directories used by systemd services. The variables should not include the service name, since it is appended to the provided path by default. These variables can also be defined as keys inside systemd_services, which takes precedence over the default behaviour.

  • Default run path for systemd services has been changed to /run and lock path to /run/lock.

Known Issues

  • There is a known issue with upgrading to the Ceph Pacific release prior to version 16.2.7. Please make sure that 16.2.7 or later has been released before performing a Ceph upgrade. Otherwise, override ceph_stable_release: octopus in your user_variables.yml.

Upgrade Notes

  • We have changed the default values for variables related to database connection pooling. For some services (like nova) the default pool sizes will be significantly lower, and we have also decreased the default connection_recycle_time to 10 minutes. This should not cause any issues, but we recommend double-checking these values, especially for large environments.

Deprecation Notes

  • For consistency reasons, octavia_db_pool_size was deprecated in favor of octavia_db_max_pool_size, which is in the standardized format used in other repositories. Support for octavia_db_pool_size will be removed in the Yoga release.

  • For consistency reasons, neutron_db_pool_size was deprecated in favor of neutron_db_max_pool_size, which is in the standardized format used in other repositories. However, it will be supported until the Yoga release.

  • For consistency reasons, the following variables were deprecated in favor of new ones in the standardized format used in other repositories:

    • keystone_database_pool_timeout -> keystone_db_pool_timeout

    • keystone_database_max_pool_size -> keystone_db_max_pool_size

    • keystone_database_idle_timeout -> keystone_db_connection_recycle_time

    However, they will be supported until the Yoga release.

  • keystone_database_min_pool_size was deprecated as it is deprecated in oslo.db.

  • OVN-related HAProxy configuration is deprecated and has been replaced with built-in clustering functionality. OVN-related endpoints will be completely removed in the Z release.

  • The variable systemd_lock_path has been dropped and has no effect now. In order to customize the lock directory path, please use systemd_lock_dir. Please keep in mind that for systemd_lock_dir you don’t need to provide the full path as you did with systemd_lock_path, since the service name is appended to the end of the path.

  • With the retirement of the upstream Panko project, the os_panko role has been deprecated. The Panko service API endpoint will be removed during upgrade. If you want to keep the Panko API working, you should override haproxy_panko_api_service.

  • The following variables were removed in favor of the PKI ones and have no effect anymore:

    • galera_ssl_self_signed_regen

    • galera_ssl_self_signed_subject

    • galera_ssl_ca_self_signed_subject

  • We removed multiple web server support for Keystone and left only Apache, since nginx is missing features required for federation setup. With this change the following variables are deprecated and have no effect:

    • keystone_web_server

    • keystone_centos_nginx_mirror

    • keystone_centos_nginx_key

    • keystone_nginx_access_log_format_combined

    • keystone_nginx_access_log_format_extras

    • keystone_nginx_ports

    • keystone_nginx_extra_conf

    The nginx web server will be removed and replaced with Apache during upgrade.

  • Variable nova_enabled_vgpu_types has been deprecated and is replaced with nova_enabled_mdev_types.

Security Issues

  • The following security headers were added to the haproxy Horizon service: strict-transport-security, x-content-type-options, referrer-policy and content-security-policy. Care should be taken when deploying the strict-transport-security header, as it implements Trust on First Use security: after a browser first visits the page, it will enforce the use of HTTPS until the max-age time has expired. For the time being the strict-transport-security preload token, which indicates that you are happy to have your site included in the HSTS preload list built into browsers, has been excluded. The headers can be disabled by setting haproxy_security_headers: [] and the CSP (Content Security Policy) for Horizon can be overridden to support things like federated login by setting haproxy_horizon_csp. There is the option to extend this to all haproxy services in the future, but as the headers are only used by browsers there may be limited benefit in doing so other than for the Keystone and console services.
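    As an added verification example (not part of these release notes or of OpenStack-Ansible's own code), the following Python checks a captured Horizon response head for the four headers listed above, flags an HSTS preload token (which this release excludes) and a missing max-age, and estimates how many bytes haproxy must insert for these headers against a tune.maxrewrite value (see the 24.4.0 bug-fix note on tune.maxrewrite). The response head and the 1024-byte limit are constructed sample values; the byte estimate is an approximation of haproxy's rewrite reserve, not its exact accounting.

```python
import re
# The four headers the release adds to the haproxy Horizon service.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)

# Constructed sample of a Horizon response head, as `curl -sI` would show it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: same-origin\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "\r\n"
)

def parse_response_head(raw):
    """Return {lower-cased name: value} for the headers of an HTTP/1.1 response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def added_header_bytes(headers):
    """Bytes haproxy must insert for the security headers: name + ': ' + value + CRLF."""
    return sum(len(n) + len(headers[n]) + 4 for n in REQUIRED_HEADERS if n in headers)

def check_security_headers(headers, maxrewrite):
    """Return a list of findings; an empty list means the response looks as expected."""
    findings = [f"missing {n}" for n in REQUIRED_HEADERS if n not in headers]
    hsts = headers.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) == 0:
            findings.append("hsts has no positive max-age")
        if "preload" in hsts.lower():
            findings.append("hsts carries the preload token, which the release excludes")
    # Rough check that the inserted headers fit the rewrite reserve (tune.maxrewrite).
    size = added_header_bytes(headers)
    if size > maxrewrite:
        findings.append(f"security headers need {size} bytes but tune.maxrewrite is {maxrewrite}")
    return findings
```

    Feed it the output of `curl -sI` against the Horizon VIP after an upgrade; an empty findings list is the expected result.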

Bug Fixes

  • Fixed inconsistency in haproxy_frontend_raw key naming between documentation and service template. Previously, template generation was expecting haproxy_raw instead of the haproxy_frontend_raw.

  • For deployers using Keystone as an OIDC-based Service Provider there has been a spelling fix for the OIDCScope setting. Please use keystone_sp.trusted_idp_list.0.oidc_scope instead of keystone_sp.trusted_idp_list.0.idc_scope.

  • This release addresses an issue which could cause wheels to fail to be built when upgrading from one operating system to another. Upgrading to this release is recommended before attempting an operating system upgrade.

Other Notes

  • Set a new default value for galera_wait_timeout, which is inherited from the global openstack_db_connection_recycle_time.

  • Set new default values for the db pooling variables, which are inherited from the global ones.