Rocky Series Release Notes


New Features

  • The interface tripleo::<service name>::mysql_user was created. It allows service writes to create databases, database users and grants via hieradata instead of having to modify puppet-tripleo.

  • Under pressure, the default monitor timeout value of 20 seconds is not enough to prevent unnecessary failovers of the ovn-dbs pacemaker resource. While spawning a few VMs in the same time this could lead to unnecessary movements of master DB, then re-connections of ovn-controllers (slaves are read-only), further peaks of load on DBs, and at the end it could lead to snowball effect. Now this value can be configurable by dbs_timeout in tripleo::profile::pacemaker::ovn_dbs_bundle and by default is set to 60s.

Bug Fixes

  • Allow using upper case names for SRIOV interface names.


Known Issues

  • Allow a hiera key to add an additional rabbitmq policy in the resource agend.

Upgrade Notes

  • All manifests no longer use the bootstrap_nodeid hiera key, since this was generated per role and can result in multiple bootstrap nodes when a service on more than one role. The SERVICE_short_bootstrap_node_name key is used instead, which is automatically generated in tripleo-heat-templates based on the service_name key of the service template role_data.

Other Notes

  • Add dateext and related paramters for containerized logrotate service to find easily when logfiles were rotated.


New Features

  • Add the ability to configure the nfs_snapshot_support parameter associated with Cinder’s NFS backend.


New Features

  • Support setting values for cephfs_volume_mode parameter which controls the rwx mode of the cephfs volumes, snapshots, and groups of these that back manila shares.

  • Add support to enable ODL deployment on IPv6 networks

  • Added Dell EMC SC multipath support This change adds support for cinder::backend::dellsc_iscsi::use_multipath_for_image_xfer.

  • Add new parameter haproxy_log_facility.

  • Adds support to configure disjoint address pools for Ironic Inspector. When Inspector is deployed as a HA service disjoint address pools should be served by the DHCP instances to avoid address conflict issues.

Bug Fixes

  • Masquerading and forwarding rules are now correctly created when using routed networks. (See bug: 1797455.)

  • With nova metadata api running via wsgi we do not need the ssl proxy when configure tls-everywhere as we terminate ssl direct in the httpd wsgi. With this change we only create the ssl proxy vhost if we do not run nova metadata via wsgi.


New Features

  • Add the ability to create Cinder’s default volume type. This capability will be used to fix bug 1782217.

  • Usage of eventlet of all the WSGI-run nova services get deprecated, including nova-api and nova-metadata-api. See for more details. With this change we move nova-metadata to run via httpd wsgi.

  • Allows to configure bond over two virtual functions in mellanox interfaces.

Upgrade Notes

  • Logrotate’s copytruncate is used by default for containerized services logs rotation. The default period to keep old logs remains unchanged (14 days).

  • Use of the class manila::backend::cephfsnative is no longer supported. manila::backend::cephfs can be used to achieve the same functionality.

Bug Fixes

  • with tls-everywhere enabled the connection from haproxy to the nova novnc proxy was not encrypted. Now we request a certificate and configue haproxy and the novnc proxy to encrypt this remaining part in a vnc connection to be encrypted as well.


New Features

  • Added support for networking-ansible ML2 plugin.

  • Added support to IPV6 and SSL parameters for Dell EMC Unity manila backend.

  • Added support to IPV6 and SSL parameters for Dell EMC VNX manila backend

Deprecation Notes

  • Glance nfs mount would run via ansible in t-h-t, since the common mount task has been added to host_prep_task for both containerized & baremetal case, puppet-tripleo glance nfs_mount.pp would no longer be used.

Bug Fixes

Other Notes

  • The default for tripleo::profile::base::docker_registry::enable_container_images_build is now false by default, so any users relying on this to install openstack-kolla will need to explicitly set this to true in their local hieradata.


New Features

  • Added parameters to generate wrapper scripts for the neutron dhcp and l3 agents to run dnsmasq and keepalived, respectively, in separate containers.

  • Added tripleo::profile::base::docker::additional_sockets to allow configuring additional domain sockets bindings on dockerd. This facilitates creating containers that need to access dockerd without having to mount /run.

  • Support separate oslo.messaging services for RPC and Notifications. Enable separate messaging backend servers.

Upgrade Notes

  • The following hieradata updates for cinder netapp integration should be done. cinder::backend::netapp::netapp_pool_name_search_pattern should be used as cinder::backend::netapp::netapp_storage_pools and cinder::backend::netapp::netapp_volume_list have been removed. cinder::backend::netapp::netapp_host_type should be configured instead of cinder::backend::netapp::netapp_eseries_host_type

  • Rotated logs of containerized services in /var/log/containers will be purged with the next containerized logrotate run triggered via cron, if the rotated logs have been kept longer than purge_after_days (defaults to a 14 days).

    The logrotate maxage parameter is set to purge_after_days as well.

    The size parameter does not honor time-based constraints and is disabled as not GDPR compliant. From now on, it configures maxsize instead. Minsize is set to a 1 byte to put all /var/log/containers logs under the containerized logrotate control.

    New param rotation additionally allows to alter logrotate rotation interval, like ‘hourly’ or ‘weekly’.

Deprecation Notes

  • tripleo::profile::base::docker(_registry) are deprecated (replaced by ansible-role-container-registry) and will be removed in the next release.

  • Deployment of a managed Ceph cluster using puppet-ceph is not supported from the Pike release. From the Queens release it is not supported to use puppet-ceph when configuring OpenStack with an external Ceph cluster. In Rocky any support file necessary for the deployment with puppet-ceph is removed completely.

Security Issues

  • Retention rules of files in /var/log/containers additionally defined in the containerized logrotate postrotate script and based on any of the listed criteria met:

    • time of last access of contents (atime) exceeds purge_after_days,

    • time of last modification of contents (mtime) exceeds purge_after_days,

    • time of last modification of the inode (metadata, ctime) exceeds purge_after_days.

    Expired files will be purged forcibly with each containerized logrotate run triggered via cron. Note that the files creation time (the Birth attribute) is not taken into account as it cannot be accessed normally by system operators (depends on FS type). Retention policies based on the creation time must be managed elsewhere.

Bug Fixes

Other Notes

  • Add the compress option for the containerized logrotate service to compress rotated logs by default.


New Features

  • Adds a new parameter to validate whether run the archive or purge manifest for deleted instances in Nova.

  • Add the ability to deploy an NFS backend for the Cinder Backup service.

  • Add support for specifying a table name when creating IPtables rules with the firewall class.

  • Adds support for Ironic Networking Baremetal. Networking Baremetal is used to integrate the Bare Metal service with the Networking service.

  • Add support for either rabbitmq server nodes or new oslo.messaging service nodes for separated rpc and notify communications

  • Added variables for endpoint_proxy_nova, endpoint_config_nova, and Apache mod_proxy configuration to proxy nova service just like similar services

  • Add support via hiera keys like ‘tripleo::haproxy::${name}::listen_options’ to customize the options of an haproxy service stanza. For example passing the by setting the ‘tripleo::haproxy::cinder::options’ hiera key to a hash made composed of: ‘timeout client’: ‘90m’ ‘timeout server’: ‘90m’

  • Split up neutron-lbaas service plugin and agent

Upgrade Notes

  • Class tripleo::profile::base::neutron::lbaas will only configure the Neutron LBaaS service plugin from now on. Use class tripleo::profile::base::neutron::agents::lbaas to configure the Neutron LBaaS agent.

Security Issues

  • TLS v1.0 connections are no longer accepted by our HAProxy configuration.

Bug Fixes

  • Removes neutron ownership of certificates.

  • Fixes a bug where TLS certificates for ODL could not be generated correctly for deployment due to wrong owner/group applied to the files.

Other Notes

  • Added unit test for tripleo::keepalived class.

  • Added network_vips parameter to the tripleo::keepalived class where previously it was only exposed via the network_virtual_ips hiera data key. The new parameter still uses the network_virtual_ips hiera data for the default value or falls back to an empty hash.