Rocky Series Release Notes


New Features

  • Adds additional healtchecks for Swift to monitor account, container and object replicators as well as the rsync process.

Bug Fixes

  • Fixed a configuration issue where required settings for Octavia services were missing.

  • Previously, trash_output was not honored if a queue was not being used to post messages. The behavior has changed so that trash_output will be honored even if a queue is not being used, and all stdout/stderr will be discarded.

  • Fixed an issue were amphora load balancers would fail to create. The problem was because Octavia certificate files were being created in a wrong path and with invalid content.

  • When deploying a large amount of nodes, the create_admin_via_ssh workflow could fail due to the large amount of ansible output generated. This patch updates the tripleo.ansible-playbook action in the workflow with trash_output:true so that the output is not saved in the mistral DB. There is a log file saved already in case the output is needed for debug purposes.


Bug Fixes

  • The passphrase for config option ‘server_certs_key_passphrase’, is used as a Fernet key in Octavia and thus must be 32 bytes long. TripleO will now auto-generate 32 bytes long passphrase for OctaviaServerCertsKeyPassphrase.


New Features

  • tripleo-deploy-openshift script now understands the –plan option to run the openshift-ansible playbooks for a deployment named differently than “openshift”.

  • Introduce a –playbook option to the tripleo-deploy-openshift script in order to be able to run openshift-ansible playbook directly on already deployed servers.

Deprecation Notes

  • The –config-download-dir option to the tripleo-deploy-openshift script is deprecated in favor of –plan.

Security Issues

  • Fixed a vulnerability where an attacker may cause new Octavia amphorae to run based on any arbitrary image (CVE-2019-3895).

Bug Fixes

  • Ensure [controller_worker]/amp_image_owner_id is set. This configuration option restricts Glance image selection to a specific owner ID. This is a recommended security setting.

  • Fixes running the baremetal provide workflow with node names.


New Features

  • The ironic-staging-drivers are now installed in the ironic-conductor container so that these drivers can be used without rebuilding the container. The Ironic Staging Drivers is used to hold out-of-tree Ironic drivers which doesn’t have means to provide a 3rd Party CI at this point in time which is required by Ironic.

  • Increase the size of the security hardened images to 40G. With the move to containers more disk space is needed and the disk layout has been modified. It needs a global size of 40G to work.

Upgrade Notes

  • Package octavia-amphora-image (RHEL) will no longer be installed by role octavia-undercloud, and it now installs image files in directory /usr/share/openstack-octavia-amphora-images/. Please ensure you have the latest package version installed in the undercloud node beforehand deploying or updating the overcloud.

Bug Fixes

  • Fixes bug 1793605 so when nodes are blacklisted, they are not included in the Overcloud config. A warning will show that the server_id that was ignored if the it can’t be found in the stack.

  • Node update now works correctly when capabilities are specified as a dict.

  • The config_download_deploy workflow now has a config_download_timeout input that will honor the user requested timeout. Previously, no timeout was honored even though the user could request one via tripleoclient.

  • The tripleo-bootstrap ansible role will no longer fail if yum fails to install the required packages. This fixed behavior aligns with previous requirements where enabled package repositories and a working package manager are not required on the initially deployed images. Errors are ignored on the package install task, and then a subsequent task will cause a failure indicating the required packages are not present.

  • tripleo.access.v1.enable_ssh_admin now honors the server blacklist if one is set. Servers in the blacklist will not be used by the workflow.

  • Previously, running ansible-playbook with –check would cause a failure during the individual server deployments when checking the result of a previous attempt.

  • The tripleo.deployment.v1.get_deployment_status workflow will no longer error when requesting the deployment status for a non-existant plan. A message is sent in the output instead of failing the workflow.

  • While we have a dedicated nova_metadata healthcheck script, the nova_metadata and nova_api container the same image and the current nova api healtcheck script still checks the non wsgi implementation. This changes the nova_api healthcheck script to check the metadata wsgi vhost config for details instead of the details in nova.conf.

  • Add missing httpd and mod_ssl packages to octavia container image to support TLS proxy for internal TLS.

  • The ServerAliveInterval and ServerAliveCountMax SSH options are now set in the mistral ansible action so that when networking configuration is performed on the overcloud nodes SSH will not drop the connection.

  • Workaround bug 1810932 by scripting an in-place update of ssh_known_hosts

  • A new workflow, config_download_export, for exporting the config-download files via a Swift tempurl is added so that the openstack overcloud config download tripleoclient command can use the API.

Other Notes

  • Individual server deployments that are of type group:hiera now support check mode, and when running under check mode, also support diff mode.


New Features

  • Creates a worflow to get flattened deployment parameters, so the related action does not need to be called directly.

  • Creates a workbook to update and get heat capabilities, so the related actions do not need to be called directly.

  • Add disable-nouveau element to tripleo images This ensures nouveau is not loaded at boot, as this can prevent PCI passthrough or loading the NVIDIA binary drivers that are required for vGPU support.

  • Adds nova_metadata healthcheck script when nova metadata api is run via httpd wsgi to check service status.

  • If nova novnc proxy is configured to ssl only, (see LP 178570) we need to make sure to also use ssl with the healthcheck script. With this change we verify if ssl_only is configured in nova.conf and set https as the proto to use for the novnc healthcheck.


New Features

  • The config_download_deploy workflow now uses a consistent working directory for the config-download directory. Since the directory is now managed by git, it can be reused across executions.

  • Initialize a git repository in the config-download directory and automatically snapshot changes made to the repository.

  • The GetOvercloudConfig action now sets a commit message that indicates the config was downloaded by the Mistral action and what user/project were used to execute the action.

  • Since the config download directory is now managed by git, the GetOvercloudConfig action will now first download the existing config container (default of overcloud-config), so that the git history is preserved and new changes will reuse the same git repo. Each new change to the config-download directory creates a new git commit.

  • New workflows are added for manipulating the deployment status, including tripleo.deployment.v1.set_deployment_status_success, tripleo.deployment.v1.set_deployment_status_failed, and tripleo.deployment.v1.set_deployment_status_deploying.

  • Generating roles_data.yaml file has been enhanced to generate the defined roles’s properties with a differnet name, so that a cluster can have multiple roles with same set of service, without manual edit. Adds the support to provide role name input as Compute:ComputeA so that the role ComputeA can be generated from the defined role Compute, by only chaning the name.

  • We are changing nova metadata api to be served via httpd wsgi. Therefore we’ll have a new config volume for the nova_metadata container.

    Adding DockerNovaMetadataConfigImage for this.

Upgrade Notes

  • The tripleo.plan_management.v1.create_default_deployment_plan workflow has been removed, since it’s been deprecated since the pike release and is no longer used in TripleO. Any other users of this workflow should switch to tripleo.plan_management.v1.create_deployment_plan instead.

Deprecation Notes

  • Un-deprecated pm_service_profile option support at the UCS ironic driver.

Bug Fixes

  • The tripleo.plan_management.v1.update_roles workflow didn’t pass the plan name (container name) or Zaqar queue name to the sub-workflow it triggered. This caused the behaviour to be incorrect when using a name other than the default. It now correctly passes on these parameters.

  • Previously, ironic nodes that only differ in pm_service_profile or ucs_service_profile would override one another ultimately leaving just one of them in ironic configuration. This fix un-deprecates pm_service_profile option support at the UCS ironic driver.


New Features

  • Adds a workflow to create a container so the underlying action does not need to be called directly.

  • Add a workflow to generate fencing parameters so action tripleo.parameters.generate_fencing does not need to be called directly.

  • Allow uploading files bigger than 5GB to swift. Currently we have support for uploading files to swift using the swift client class, this class does not allow to upload files bigger than 5GB. This change enables the upload of files bigger than 5GB by using the swift service class and adjusting the headers to allow this operations. This new helper will be used for the Undercloud backup, to be able to store files bigger than 5GB.

  • Adds a workflow to generate the overcloudrc files in a given deployment so the tripleo.deployment.overcloudrc action does not need to be called directly.

  • Adds support to specify additional parameters for Bare Metal ports when registering nodes.

    The mac key in nodes_json (instackenv.json) is replaced by the new ports key. Each port-entry supports the following keys: address, physical_network and local_link_connection. (The keys in ports mirror a subset off the Bare Metal service API .)

    Example specifying port mac address only:

    "ports": [
        "address": "52:54:00:87:c8:2e"

    Example specifying additional parameters:

    "ports": [
        "address": "52:54:00:87:c8:2f",
        "physical_network": "network",
        "local_link_connection": {
          "switch_info": "switch",
          "port_id": "gi1/0/11",
          "switch_id": "a6:18:66:33:cb:49"
  • Install Octavia amphora image on the undercloud if Red Hat.

  • Sets rescue_kernel and rescue_ramdisk to the same values as deploy_kernel and deploy_ramdisk on node enrollment or configuration.

  • Adds support for rescue_interface when enrolling nodes.

  • On enrollment, all classic drivers are replaced with their hardware type equivalents (e.g. pxe_ipmitool is replaced with ipmi). The fake_pxe classic driver is replaced with the manual-management hardware type (which must be enabled in the undercloud).

  • Create keypair for SSH access to Octavia amphorae.

  • ContainerImagePrepare entries can now take an includes option, which like excludes will take a list of regex patterns. includes will filter entries which do not match at least one of the include expressions.

  • Enhance lb-mgmt-subnet to be a class B subnet, so the global amount of Octavia loadbalancers won’t be constrained to a very low number.

Deprecation Notes

  • The mac key in nodes_json is replaced by ports. The ports key expect a list of dictionaries specifying address (mac address), and optional keys physical_network and local_link_connection.

  • The os_auth argument to the generate_fencing_parameters workflow is deprecated and should not be provided. It will be removed in a future version.

Bug Fixes

  • Fix bug 1760659 by updating the derived parameters workflow to use scheduler hints associated with a given role. The scheduler hints are used to identify overcloud nodes associated with the role, and take precedence over nodes identified by their profile/flavor.

  • Fixes handling hardware types (new-style Ironic drivers) when generating fencing parameters. Also completely removes support for no longer existing pxe_ssh driver.

  • Fix Octavia amphora image RPM install on undercloud node for Red Hat based deployments (bug 1772880 <>)

  • Check pub key file permissions and default to pub key data for Octavia.

  • Fix syntax error in octavia-undercloud role.


Upgrade Notes

  • openstack overcloud config download now writes directly to the directory specified by --config-dir. The directory contents will be overwritten, preserving any contents not originating from the stack. A --no-preserve-config option is provided which will cause the --config-dir to be deleted and recreated if the``–config-dir`` location exists. Tmpdirs are no longer used.


New Features

  • Adds a workflow to list deployment plans so the tripleo.plan.list action does not need to be called directly.

  • Added role-specific parameter validation workflow.

  • Adds a workflow to update the parameters in a given deployment plan so the tripleo.parameters.update action does not need to be called directly.

Deprecation Notes

  • The tripleo.roles.list action is deprecated. Please use the tripleo.plan_management.v1.list_roles workflow instead. Calling actions directly is no longer supported.

Bug Fixes

  • Fixes OpenDaylight healthcheck for TLS and regular deployments.

Other Notes

  • The inventory code is updated to use hostnames as the host alias. Since the hostname may not always be resolvable, ansible_host is added as a hostvar and set to the host’s IP address. Using hostnames produces a much more user friendly result in the ansible output showing task result and play recap.