Train Series Release Notes


New Features

  • Split off Ceph related container images

    This change releases an update on the default tripleo_containers jinja template, splitting off the Ceph related container images. With this new approach pulling the ceph containers is optional, and can be avoided by setting the ceph_images boolean to False. e.g., passing something like the following:

      -   push_destination: true
              name_prefix: openstack-
              name_suffix: ''
              neutron_driver: ovn
              rhel_containers: false
              tag: current-tripleo
              ceph_images: false
      ContainerImagePrepareDebug: true
      ContainerImageRegistryCredentials: {}

    avoid the ceph containers being pulled in the undercloud. To make this possible, a new jinja template processing approach has been introduced, and a template basedir parameter (required by the jinja loader) has been added to the BaseImageManager.

Bug Fixes

  • Fix high water mark memory usage on Cinder Volume and Backup services and reduce peak memory usage.


New Features

  • Added modify_only_with_source to the ContainerImagePrepare set that can be used to limit modify container images to a specific image_source as defined in the services to container images mapping.

  • Introduce new HEALTHCHECK_DEBUG variable in order to toggle verbosity, defaults to 0 (no verbosity). Setting it to 1 will activate -x flag, among other things.

  • This patch moves away from “ss” execs, using lsof instead. This allows to drop most of the piping and subshells, making things stronger.

  • Introduce new HEALTHCHECK_DEBUG variable in order to toggle verbosity, defaults to 0 (no verbosity). Setting it to 1 will activate -x flag, among other things.

  • Push some verbose output to a third descriptor, visible only if we set the healthcheck to debug.

  • Removed support for troubleshooting network issues using Skydive.

Bug Fixes

  • When the default tag doesn’t exist in the container repo during container image prepare, and a tag wasn’t set in the actual input for ContainerImagePrepare, the latest tag from the repo will be used instead of failing with a not found error.

  • Fix bug 1887692 so limit_hosts will take precedence over the blacklisted_hostnames. And therefore Ansible won’t be run with two –limit if both limit hosts and blacklisted hostnames are in use. When we want to run Ansible on specific hosts, we will ignore the blacklisted nodes and assume we know what we do. In the case of the scale-down scenario, the unreachable nodes are ignored.

  • The qemu user on the host gets created using uid/gid 107. Certificates on the host, but also the vhost-user sockets created by ovs use this uid/gid. With the move to TCIB images the default kolla ids were reverted and the previous overwrite dropped. This make e.g. the qemu processes to fail to use the libvirt-vnc bind mounted certificates. This change brings back the previous overwrite of the qemu user uid/gid.

  • When using specifying ContainerImagePrepare if a tag is explicitly provided in a set, the tag_from_label functionality will not be run as we use the defined tag for the containers. Previously we would still attempt tag lookups even if we wanted a specific tag.

Other Notes

  • container-images/tripleo_containers.yaml.j2 is now used to determine what containers are used for which services when running the container image prepare process runs.


New Features

  • Added overcloud-images-ceph.yaml, overcloud-images-ceph-centos8.yaml, and overcloud-images-ceph-rhel8.yaml to allow an operator to build an image that can be used for dedicated ceph nodes. This overcloud-ceph image would not have the openstack client, ha or openvswitch related packages.

Bug Fixes

  • The RootStackName parameter is now added to the plan in plan-environment.yaml on both stack create and update. Previously it was only added on create.


New Features

  • Adds additional healtchecks for Swift to monitor account, container and object replicators as well as the rsync process.


Bug Fixes

  • openstack cli doesn’t negotiate a microversion. Live migration and multiattach are 2 examples of operations which require arcane incantations to make them work correctly, and therefore usually don’t. This adds OS_COMPUTE_API_VERSION=2.latest to the overcloudrc file to fix it.


Deprecation Notes

  • The SkopeoImageUploader is deprecated. It does not work with the Stein image repository and will be removed in a future release.


Upgrade Notes

  • Support for the cisco-ucs-managed and cisco-ucs-standalone hardware types has been removed since these hardware types have been removed from Ironic due to lack of maintenance.

Bug Fixes

  • Previously, trash_output was not honored if a queue was not being used to post messages. The behavior has changed so that trash_output will be honored even if a queue is not being used, and all stdout/stderr will be discarded.

  • In case of cell stacks we need to pass redis_vip as an input to be able to use redis on the central controllers. This moves the redis_vip setting to all_nodes and only set it if it is not an additional cell.

  • When deploying a large amount of nodes, the create_admin_via_ssh workflow could fail due to the large amount of ansible output generated. This patch updates the tripleo.ansible-playbook action in the workflow with trash_output:true so that the output is not saved in the mistral DB. There is a log file saved already in case the output is needed for debug purposes.


New Features

  • The bindep.txt file located in the project root contains all of the basic required packages needed when running local tests.

  • Developers can now use bindep to list system requirements. The bindep command will load the list of packages for the given platform using the bindep.txt file.

  • Bindep can now be leveraged via tox using the environment bindep. This tox environment will use bindep via the bindep-install script to install any missing packages on the local system which are required for development purposes.

Bug Fixes

  • The verbosity of the config-download ansible tasks now defaults to 0 instead of 1. This makes the tasks not verbose by default. The verbosity specified on the command line with the deployment command is now honored and can be used to disable verbosity or increase the verbosity level as needed.

  • The passphrase for config option ‘server_certs_key_passphrase’, is used as a Fernet key in Octavia and thus must be 32 bytes long. TripleO will now auto-generate 32 bytes long passphrase for OctaviaServerCertsKeyPassphrase.


New Features

  • If the AdditionalArchitectures parameter has entries then the container image prepare will prepare images for all architectures instead of just the default one. A new boolean field multi_arch can also be set in ContainerImagePrepare entries to determine the multi arch behaviour for images in that entry. If any entry sets a multi_arch value then AdditionalArchitectures is ignored.

  • tripleo-container-rm is the new role that replaces tripleo-docker-rm which is in charge of tearing down containers running in Docker or Podman. If the container_cli is Podman, the role takes care of systemd cleanup for both the container and its healthcheck if it does exist.

Security Issues

  • Fixed a vulnerability where an attacker may cause new Octavia amphorae to run based on any arbitrary image (CVE-2019-3895).

Bug Fixes

  • As of Rocky [1], the nova-consoleauth service has been deprecated and cell databases are used for storing token authorizations. All new consoles will be supported by the database backend and existing consoles will be reset. Console proxies must be run per cell because the new console token authorizations are stored in cell databases.

    nova-consoleauth was deprecated in tripleo with: I68485a6c4da4476d07ec0ab5e7b5a4c528820a4f

    This change now removes the NovaConsoleauth Service.


  • Fixed an issue were amphora load balancers would fail to create. The problem was because Octavia certificate files were being created in a wrong path and with invalid content.

  • Ensure [controller_worker]/amp_image_owner_id is set. This configuration option restricts Glance image selection to a specific owner ID. This is a recommended security setting.