Zed Series Release Notes


Bug Fixes

  • Change of horizon_webroot variable is now respected and will be reflected in Apache configuration to serve static files and define wsgi path accordingly.


New Features

  • Add rabbitmq_additional_config to be able to add additional configuration e.g. to add configuration for plugins.

Bug Fixes

  • After adding localhost to inventory explicitly this resulted in potential FQDN change due to adding a record for localhost into managed block inside /etc/hosts file. This is now fixed and record for will be removed from managed by Ansible blocks inside /etc/hosts file.


Upgrade Notes

  • Keystone OIDC parameter ‘oidc_redirect_uri’ is replaced with ‘oidc_redirect_path’. This parameter no longer needs to be set explicitly unless you run additional services which may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in redirect URI which defaults to the Keystone public URL plus the path /oidc_redirect.

Bug Fixes

  • Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc if >= v2.4.9 including on Ubuntu Jammy.

Other Notes

  • The localhost target was explicitly added to OSA inventory due to bug #2041717. As a result, the ‘all’ group now contains localhost, and custom playbooks targeting ‘all’ may need adjustment, e.g.: hosts: all:!localhost


New Features

  • Added variables galera_backups_full_init_overrides and galera_backups_increment_init_overrides that can be leveraged to override default set of systemd unit file for mariadb backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc .

Deprecation Notes

  • nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.

Bug Fixes

  • Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.


New Features

  • Implemented variable lxc_image_cache_expiration that controlls for how long cached LXC image will be valid. Default value is 1year. Variable format should be compatible with community.general.to_time_unit filter.

  • Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool.

    • --compress=True|False

    • --compressor=<compressor>

    Also introduces new Ansible variables that control the above mentioned parameters.

    • galera_mariadb_backups_compress

    • galera_mariadb_backups_compressor

    Each backup archive is stored in a dedicated directory, alongside the backup metadata.

Upgrade Notes

  • CentOS/Rocky linux deployments will get major update of OVS version from 2.17 to 3.1 and OVN from 22.12 to 23.03. RDO has stopped building packages for previous OVS/OVN versions which means they will not recieve any upstream bugfixes or security patches.

    If you still want to preserve old versions of OVS/OVN, you can define a following variable:

      - name: rdo-deps
        file: rdo-deps
        description: rdo-deps
        baseurl: "{{ openstack_hosts_rdo_deps_url }}"
        gpgcheck: no
        module_hotfixes: yes
          - '*rdo-openvswitch*3.1*'
          - '*rdo-ovn*3.1*'
  • Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set galera_mariadb_backups_compress to True. Choose a compression tool with galera_mariadb_backups_compressor, default is gzip.

Bug Fixes

  • LXC image cache expiration mechanism has being fixed. Previously LXC images were valid forever.


Deprecation Notes

Security Issues

  • Includes SHA bumps for Nova, Cinder and Glance to cover OSSA-2023-003.

Bug Fixes

  • Fixes incorrect definition of ceilometer polling_namespaces, when host is part of both central and compute groups (ie metal/aio scenario)

  • Fixes the absence of libvirtd.service on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, they do not install libvirt-deamon as a dependency to libvirt-deamon-kvm anymore. libvirt-deamon is installed explicitly now.


Security Issues

  • This release includes SHA bump for Cinder, Nova and Glance that covers OSSA-2023-002 vulnarability (CVE-2022-47951).

Bug Fixes

  • Fixed issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts for OVN scenario along with neutron-ovn-metadata-agent. These services will be disabled and masked for existing environments. Manual clean-up of systemd services and correpsonsive neutron agents is still needed. New deployments won’t have these services deployed from the beginning.



Default neutron plugin has been switched from LinuxBridge to OVN. This is effective for all new deployments. At the same time OpenStack-Ansible does not provide any in-house tooling for completing upgrade from ml2.lxb to ml2.ovn. Please, reffer to upgrade section for more details on how to upgrade OpenStack-Ansible.

New Features

  • Added zookepeer role which deploys zookeeper cluster that can be used as a coordination driver for services like cinder, designate, octavia, etc. For deployment you need to specify coordination_hosts in your conf.d or openstack_user_config.yml and run zookeeper-install.yml playbook.

  • Added following variables that are designed to control coordination configuration. Reasonable defaults are set for services to work out of the box.

    • coordination_driver

    • coordination_group

    • coordination_client_ssl

    • coordination_verify_cert

    • coordination_port

    Also each service that uses coordination have following variables defined:

    • <service>_coordination_enable

    • <service>_coordination_url

  • Additional user-specified username and password pairs can now be set up during the Galera installation process by defining them in the ‘galera_additional_users’ list.

  • Added variables haproxy_bind_external_lb_vip_interface and haproxy_bind_internal_lb_vip_interface that allows deployer to bind haproxy on the specific interface only.

  • Added variable haproxy_tls_vip_binds that allows to fully override haproxy bindings, that are generated by the role if some assumptions are not valid for some scenarios. It is list of mappings, that include address and interface. Interface key is optional and can be ommited.

  • New variables have been added to manage used cache backends:

    • openstack_cache_backend: defines driver, that will be used for caching. Default: oslo_cache.memcache_pool

    • openstack_cache_backend_map: maps selected backend to the oslo driver that should be installed and configured for it.

  • Added variable ceph_cluster_name that allows ceph_client role to work with clusters that have non-default cluster name. It defaults to ceph.

  • A new variable haproxy_stick_table can be defined to apply a customised stick-table to all backends on the loadbalancer. In addition, haproxy_stick_table can be set in each service definition to have a customised stick-table for a particular backend.

  • Added variable openstack_host_custom_hosts_records that allows deployer to add custom records to /etc/hosts file. It’s structure a simple list where each element is a string wich should be placed to /etc/hosts.

  • The os_ironic ansible role can now upload the ironic deploy image to glance. Several new variables are defined as ironic_deploy_image_* which control this. It is possible to disable the upload to glance and also to specify custom locations to stage the images from if required.

  • Add merge with haproxy_<service>_overrides variables (e.g.: haproxy_cloudkitty_api_service), which can be used for partial overrides for haproxy services configurations.

  • Horizon now has the ability to run directly from uWSGI. To support this feature the new Boolean variable horizon_use_uwsgi has been added. The new variable, when set to true, will omit the apache2 install process and instead run horizon from a uWSGI process leveraging a systemd service file.

  • Add keepalived_instances_overrides variable, which allows passing custom options for keepalived_instances.

  • The keystone role now supports the option keystone_use_uwsgi, which will allow deployers the ability to run keystone via uWSGI without needing the apache webserver. When the keystone_use_uwsgi option is enabled, it will setup the uWSGI process on port 5000.

  • The lxc_hosts role now supports the ability to omit lxc network interface deployment. The option lxc_net_managed is a Boolean operator and defaults to true. When this option is set to false the role will not deploy an interface file or attempt to manage the state of the interface.

  • Add mistral_api_use_uwsgi which allows running mistral-api service without uWSGI (set to true by default).

  • A new variable nova_ironic_console_type is added to enable the deployment of one of the nova console proxies in the ironic_console ansible group. The only supported setting at this time is disabled or serialconsole.

  • With adding zookeeper as coordination backend Octavia will be configured to use amphorav2 as default provider driver. This will result in creating a new database and jobboard configuration. You can control database name with variable octavia_galera_persistence_database and existing octavia db user will be granted ALL permissions to that database.

  • A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set –mtu command line.

  • OVN is now protected via SSL. you can disable it via neutron_ovn_ssl. It is not supported to switch from non-ssl to ssl.

  • Implemented variables rally_openstack_git_repo and rally_openstack_git_install_branch that allow to override installation source for rally-openstack package as well as control installed version of the package.

  • Add parameters galera_mariadb_backups_full_randomized_delay_sec and galera_mariadb_backups_incremental_randomized_delay_sec to run the systemd timers for mariabackup with a randomized delay. This is useful if backups are done of more than one node to avoid running it at the exact same time.

  • Support Rocky Linux 9 as a Deployment and Target host

  • Now you can define execstartpres and execstopposts keys for the systemd_services structure. They will allow to define pre-start and post-stop service executables and must be defined as lists.

  • Added possibility to source environment variables from a user file that will have prescedence over all environemnt variables loaded after openstack-ansible.rc and have prescedence over all variables defined there By default path to the user file is /etc/openstack_deploy/user.rc.

  • Default ansible-core version has been switched to 2.13 series

  • ceph-ansible version has been switched to v7 series

  • Default ceph version has been switched to Quincy

Known Issues

  • As of today ceph community repository (download.ceph.com) does not provide packages for Ubuntu 22.04 (Jammy). Based on that OpenStack-Ansible does install ceph packages from distro-provided repositories. Thus, you can not control packages version that will be installed and ceph support should be considered as experimental.

Upgrade Notes

  • If you are using cinder in active/active mode (ie with Ceph backend), it’s highly recommended to define coordination_hosts before upgrade to deploy zookeeper coordination cluster which is required for proper work of cinder active/active mode.

  • A default stick-table was previously applied to all backends by default but did not have any specific purpose. This is now removed, and the variable haproxy_stick_table should be used to supply a list of config lines to be applied to each backend to control stick-table functionality.

  • The variables ironic_inspector_ipa_initrd_name and ironic_inspector_ipa_initrd_name are removed from the os_ironic role and more flexible functionality is now provided with the ironic_deplo_image_* variables. Review any overrides you have for the ironic service and adjust these new variables if necessary.

  • Along with mistral_api_use_uwsgi, cron_trigger.enabled would be set to false by default, disabling Cron Triggers on all existing installations as per suggestion.

  • A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management to the standard Ethernet MTU. The MTU can be still changed at any point during the initial octavia deployment or with the openstack network set –mtu command line.

  • With marking ML2/LinuxBridge driver as ‘Experimental’ in the upstream Neutron project OpenStack-Ansible has switched a default mechanism driver to ML2/OVN. In order to upgrade any existing deployment that was relying on defaults to the new OpenStack-Ansible version you must ensure that following variables are defined explicitly to ensure parity with existing functionality:

    neutron_plugin_type: ml2.lxb
    neutron_ml2_drivers_type: "flat,vlan,vxlan,local"
      - router
      - metering

    Failure to define any of these variables will result in playbook failures and neutron misconfiguration.

    We have covered this step with upgrade script that will create a user_neutron_migration.yml file with assumed defaults.

  • OVN is now configured with SSL enabled by default, upgrading existing ovn deployment is not tested. When upgrading it might be wise to set neutron_ovn_ssl to false and manage the ssl configuration at a later stage.

  • The RabbitMQ management interface surfaced via HAProxy defaults to using TLS from the Yoga release. Note that when using TLS the default port switches from 15672 to 15671. TLS can be disabled if required by adjusting ‘rabbitmq_management_ssl’.

  • Since Yoga release service role is being assigned to all service users. Though, service_token_roles_required was set to False for upgrade purposes. Now service_token_roles_required is set to True by default. If you still want to preserve old behaviour, you can define openstack_service_token_roles_required: False in your user_variables.

Deprecation Notes

  • The pxe_append_params configuration option has been deprecated by Ironic and replaced with kernel_append_params. The corresponding configuration override, ironic_pxe_append_params, has been replaced by ironic_kernel_append_params but will continue to be supported until a future undetermined release.

  • Variable nova_memcached_servers has been deprecated and replaced with nova_cache_servers that defaults to memcached_servers. For backpwards compatability nova_memcached_servers is still respected but will be removed in future releases.

  • Roles rsyslog_client and rsyslog_server are deprecated and removed from OpenStack-Ansible. Since Train service were configured to save logs in journald instead of regular log files. Journald from containers passed to hosts, so you can read and manipulate logs from metal hosts. Journald can be transformed and collected by many tools, including rsyslog. At the same time rsyslog is not ideal as it stores data in plain text, which is hard to index and search later, while journald has is structured so logs can be consumed way more efficiently with other tools. You can also check out our ELK role from OPS repository as alternative.

Bug Fixes

  • Wheels build for multi-arch and multi-distro setups is fixed. For that you still need to have set of venv_build_targets that will define targets for each operating system and architecture.

  • Variables haproxy_fall and haproxy_rise are now respected again and will be used for defining amount of checks before haproxy will mark backend as UP or DOWN. Keys backend_rise and haproxy_fall that are set inside service definition are still respected and will have prescedence over global ones.

  • Mistral Cron Triggers do not create Workflow Executions, when mistral-api service runs within uWSGI, so we introduce mistral_api_use_uwsgi which bounds Cron Trigger service status with Mistral API execution environment.

Other Notes

  • File /etc/openstack_deploy/openstack_hostnames_ips.yml is not used anymore and can be safely removed from your deployment configuration.

  • external_lb_vip_address was added to the default value for glance_cors_allowed_origin regardless of other variables.

  • Default value for glance_show_multiple_locations has changed to False, regardless of other variables.

  • When the option horizon_use_uwsgi is enabled, operators need to be aware that not all horizon capabilities will be present. The minimal uSGI process is just that, minimal, and not full featured. If the deployment requires full featured capabilities, the apache based deployment should remain enabled.

  • The keystone role can now has the ability to run a minimal uWSGI process for keystone when the option keystone_use_uwsgi is set true. This feature provides operators the ability to run a minimal install without apache. While the minimal deployment is functional, it is not featureful. Things like modshib and oath are not supported when running the minimal setup.

  • Implemented tempest_extra_plugins variable which allows to define extra tempest plugins without overriding the whole tempest_plugins list.