Rocky Series Release Notes


Bug Fixes

  • The MTU setting was not configured for Ironic Inspector DHCP (dnsmasq) service. This caused inspection to fail when operating on a network with < 1500 bytes MTU. See bug: 1845487.


Bug Fixes

  • The verbosity of the config-download ansible tasks for deployment are now controlled by the verbosity level specified on the command line.

  • Fixes a validation issue, validation would fail when multiple ctlplane subnets were defined in undercloud.conf. Bug: 1791088.


Upgrade Notes

  • Upgrades and updates are now use tripleo-admin user to connect to the overcloud by default, which makes it work the same in this regard as fresh deployment.

Deprecation Notes

  • The –ssh-user parameter for overcloud upgrade run command and similar commands is now deprecated and will be removed. In the future, tripleo-admin user will be used always, which will make it work the same as deployment workflow.

Bug Fixes

  • The timeout specified with –timeout will now be honored with config-download. An additional cli arg, –config-download-timeout is also added that can be used to specify a specific timeout (in minutes) just for the config-download part of the deployment.

  • When requesting the deployment status of a non-existant plan, instead of showing a traceback, show a helpful message indicating there is no status.

  • openstack overcloud delete PLAN_NAME now instead of deleting the stack and the plan instead it undeploys the plan to maintain the correct status internally and deletes the stack. This is a backwards incompatible change because we are no longer deleting the plan as it was done previously.


New Features

  • Add a new feature called image-type, that accepts ‘os’ and ‘ironic-python-agent’ values. When specified, it restricts the image to upload to that type, making it easier to replace ipa/os images without having to collect the full set in our working directory.

Upgrade Notes

  • The –ceph-ansible-playbook parameter has been removed from all update- and upgrade-related commands. The parameter is not necessary anymore, as the right playbook should be selected automatically (but for cases when control is needed, overriding CephAnsiblePlaybook parameter via environment file will still take priority). Furthermore, the –ceph-ansible-playbook CLI parameter was attempting to override the detection logic which selects desired ceph-ansible playbook.

  • The openstack overcloud ceph-upgrade run command no longer works in Rocky due to internal changes to TripleO (more direct execution of Ansible). The command has been removed from the CLI. Ceph update/upgrade in Rocky is meant to be performed via openstack overcloud external-update run and openstack overcloud external-upgrade run commands, respectively.

  • New openstack overcloud external-update run and openstack overcloud external-upgrade run commands are defined. These are meant to perform updates and upgrades for services deployed via external_deploy_tasks. A separate command is used because external installers don’t fit well within the –nodes and –roles selection pattern we’ve established for the normal update run and upgrade run commands.

Other Notes

  • The roles data file may take either an absolute path or the path relative to the tripleo heat templates directory. This is now applicable for all of the commands involving roles data files.



The undercloud is now by default containerized and the deployment is not driven by instack-undercloud anymore but by TripleO Heat Templates like it’s done for the overcloud.

New Features

  • In certain situations it may be desirable to provide optimised overcloud images for deployed nodes. In order to achieve this add a --platform option to openstack overcloud image upload. This option will then be used to select appropriate images based on the combination of architecture and platform.

  • tripleo config generate ansible generates the default ansible.cfg in the given --output-dir (defaults to $HOME). The remote user setting for ansible will be set to the --deployment-user value (defaults to ‘stack’).


    Do not confuse the generated config with ~/.ansible.cfg. The latter takes the lower precedence.

    You may want to customize the generated config so it will be used with all undercloud and standalone deployments.


    Overcloud deployments use Mistral workflows to configure ansible for its own use, but the basic configuration it takes looks very similar.

  • [EXPERIMENTAL] The openstack tripleo deploy command is experimental and may change in future releases.

Upgrade Notes

  • The upgrade from a non-containerized undercloud to a containerized undercloud is supported and can be executed with openstack undercloud upgrade command (same as before).


New Features

  • In order to allow overcloud and deploy images to vary based on architecture add a --architecture option to openstack overcloud image upload. This option will add hw_architecture to the image meta-data, which will then be used my nova to limit node selection to matching CPU architectures.

  • Add undercloud_enable_selinux configuration to the undercloud.conf. This option is a boolean option to enable or disable SELinux during the undercloud installation.

  • The commands openstack tripleo container image prepare and openstack overcloud container image upload now have a –cleanup option to control what local images are removed after the image upload is complete.

Deprecation Notes

  • –use-heat parameter is deprecated in Rocky cycle and will be removed in the future. When –use-heat / –use-heat=True is set, the undercloud will be containerized and a warning will be shown for the deprecation. When –use-heat=False is set, the undercloud won’t be containerized.

Security Issues

  • Undercloud and tripleo standalone deployments support logging into a log file. In undercloud.conf the log file path may be defined via undercloud_log_file. For the standalone deployments, use the --log-file commmand line argument.

    By default, undercloud pre-flight/installation/upgrade logs will be written into install-undercloud.log in the current dir (wherefrom the client command is executed).


New Features

  • A new CLI argument, –config-download-only, has been added which can be used to skip the stack create/update and only run the config-download workflow to apply the software configuration.

  • Deprecate –ipmi-lanplus for openstack overcloud generate fencing command since now this is the default and add new option –ipmi-no-lanplus to override it.

  • A new command, openstack overcloud failures, is added to show the failures from a deployment plan when using config-download.

  • A new command, openstack overcloud status, is added to show the status of a deployment plan when using config-download.

  • The command openstack overcloud container image prepare command now has an –include argument which will filter entries if they do not match any of the include expressions.

  • The new command openstack tripleo container image prepare will do the same container image preperation which happens during undercloud and overcloud deploy, but in a standalone command. The prepare operations are driven by a heat environment file containing the parameter ContainerImagePrepare. This parameter allows multiple upload and modification operations to be specified, and the result will be a list of image parameters to use during a tripleo deployment.

    The command openstack tripleo container image prepare default will generate a ContainerImagePrepare with the recommended defaults to use for openstack tripleo container image prepare.

  • The new option “upgrade_cleanup” is set to False by default but when set to True, it’ll cleanup the packages and configurations installed on the undercloud after an upgrade. This feature is experimental now and should be used for testing only.

  • Prompt the operator before running the upgrades and suggest to perform a backup before. Can be ignored with -y/–yes.


New Features

  • The option enable_swift_encryption was added to the containerized undercloud configuration options (undercloud.conf). If enabled, it will deploy Barbican, which will be used to enable Swift Object encryption.

  • Adds a cli for fast forward upgrades, in particular the

    openstack overcloud ffwd-upgrade prepare openstack overcloud ffwd-upgrade run openstack overcloud ffwd-upgrade converge

    Which are meant to be the first, second and final step in the fast-forward upgrade workflow. See the ffwd upgrade docs for more information on how to use these cli commands, and the list of parameters is available with openstack overcloud ffwd-upgrade [prepare,run,converge] –help

  • Using –config-download is now the default. A new CLI argument, –no-config-download (or –stack-only) can be used to disable the config-download workflow.

  • Create tripleo deploy action to be used as an interface to an standalone installer.

  • Adds new command to run metadata cleaning on nodes:

    openstack overcloud node clean [--all-manageable|uuid1,uuid2,..]

Upgrade Notes

  • For minor updates, an openstack overcloud update converge command has been added and must be run to restore the deployment plan (remove no-ops of some resources) after a minor update.

Deprecation Notes

  • The default value of –http-boot changed from /httpboot to /var/lib/ironic/httpboot as containerized Ironic services expect.

  • undercloud deploy action has been deprecated. The tripleo deploy action with the –standalone option should be used instead.

  • instack-undercloud is deprecated in Rocky cycle and is replaced by the containerized undercloud efforts in python-tripleoclient.


New Features

  • TLS is now used by default for the containerized undercloud. This is done by setting the generate_service_certificate parameter to True by default.

  • Introduce deployment_user parameter, default to the current user, will feed DeploymentUser parameter in THT, primarly used to add the user to the ‘docker’ group, so our operators can run the overcloud container commands when the undercloud is containerized.

  • Add a new option to the TripleO client in order to create an Undercloud backup. Usage, openstack undercloud backup [–add-path ADD_FILES_TO_BACKUP]

  • Added a warning message if user has provided an invalid role-specific parameter in the environment file.

  • If no undercloud.conf container_images_file is set then openstack undercloud install –use-heat will deploy an undercloud with the latest containers as specified by the defaults. This allows the container_images_file option to be not mandatory.

  • Similar to what instack-undercloud does, the containerized undercloud can now take user-provided certificates/keys in the bundled PEM format. This is done through the service_certificate option and is processed tripleoclient.

  • New command line arguments –output-dir and –cleanup define the heat templates processing rules for undercloud: undercloud deploy --cleanup --output-dir /tmp/tht.

    The output_dir and cleanup configuration options for undercloud.conf may be used the same way and allow to configure undercloud install --use-heat behavior.

  • The openstack undercloud install command now has a --dry-run argument which will print the resulting install command instead of executing it.

  • Bind undercloud_nameservers defined in undercloud.conf to the DnsServers heat stack parameter. This ensures DNS configuration applied via os-net-config undercloud install time as well. That works additionally to UndercloudNameserver limited to the ctlplane subnet DNS configuration executed at post-install steps only.

  • Verbosity is disabled by default when deploying or upgrading a containerized undercloud; but it can be enabled with the option: –verbose

  • New openstack overcloud roles list and show commands were added in order to look at the roles as they are defined in the plan in the Swift container.

Upgrade Notes

  • This adds a –skip-tags parameter to the openstack overcloud upgrade run command

    openstack overcloud upgrade run --nodes compute-0 --skip-tags validation

    This is useful for skipping those step 0 tasks (tagged “validation”) that check if services are running before allowing the upgrade to proceed, especially if you must re-run the upgrade after a failed attempt and some services cannot easily be started. The currently supported values for this are validation and pre-upgrade, and they can be combined as “–skip-tags ‘validation,pre-upgrade’” if required.

  • The default location for openstack overcloud config download has changed to ~/tripleo-config. config download also no longer uses tmpdirs and will overwrite files on subsequent runs to the same --config-dir location.

  • The `action` parameter for overcloud fencing generation is now ignored. This is because recent versions of the underlying fencing agents now produce an error if the action parameter is used. Previously the use of the parameter was discouraged.

  • This adds the new –roles and –nodes parameters for the Queens major upgrade cli, specifically for the ‘openstack overcloud upgrade run’ which executes the ansible playbooks on overcloud nodes.

    openstack overcloud upgrade run –nodes compute-0 compute-1 openstack overcloud upgrade run –roles Controller

    Nodes for controlplane roles (the default ‘Controller’ role for example) need to be upgraded using the –roles parameter as these nodes must be upgraded together/in parallel.

    For non controlplane roles the –nodes parameter can be used to limit the upgrade run to one or more nodes as specified by the operator.

  • The content of the processed heat templates will be persisted under the given path as $output_dir/$tempdir/templates, for each run of the undercloud deploy or install commands, unless the cleanup mode is requested.

Deprecation Notes

  • openstack overcloud role list and openstack overcloud role show are deprecated in favour of openstack overcloud roles list and openstack overcloud roles show respectively. The new commands operate directly on the plan rather than on the local filesystem.

Bug Fixes

  • Fix undercloud heat installer renders Heat templates in /usr/share, which contains t-h-t installed from the package.