Ussuri Series Release Notes


Bug Fixes

  • When we install libvirt on a host, the system parameter fs.aio-max-nr is to 1048576. Since we containerized libvirtd, we lost this system parameter. We now make sure it’s defined by adding it from the nova-libvirt-common template.


New Features

  • Added new heat role specific parameter option ‘DdpPackage’ to select the required DDP Package.

  • Added new heat role specific param OVNAvailabilityZone to set availability-zones for ovn. This param replace seting availability-zones throught OVNCMSOptions

  • Added OVN DBs clustering support. In this service model, a clustered database runs across multiple hosts in multi-active mode.

  • To help operators protect their workload, they can now enable the KernelArgsDeferReboot role parameter. This will prevent the tripleo-kernel ansible module from automatically rebooting nodes even if KernelArgs were changed unexpectedly.

  • Add param NeutronAgentDownTime to configure neutron server agent_down_time Seconds to regard the agent as down; should be at least twice report_interval, to be sure the agent is down for good. agent_down_time is a config for neutron-server, set by class neutron::server report_interval is a config for neutron agents, set by class neutron

  • New config options for Neutron logging service plugin configuration were added. There are options added for L3 Agent: NeutronL3AgentLoggingRateLimit, NeutronL3AgentLoggingBurstLimit, NeutronL3AgentLoggingLocalOutputLogBase, for OVS agent: NeutronOVSAgentLoggingRateLimit, NeutronOVSAgentLoggingBurstLimit, NeutronOVSAgentLoggingLocalOutputLogBase and for ML2/OVN backend: NeutronOVNLoggingRateLimit, NeutronOVNLoggingBurstLimit, NeutronOVNLoggingLocalOutputLogBase.

  • With conditional monitoring enabled in OVN, southbound ovsdb-serve takes lot of time in handling the monitoring and sending the updates to all its connected clients. Its takes lot of CPU. With monitor-all option, all ovn-controllers do not enable conditional monitoring there by reducing the load on the Southbound ovsdb-server.

  • A heat parameter IronicPowerStateChangeTimeout has been added which sets the number of seconds to wait for power operations to complete, i.e., so that a baremetal node is in the desired power state. If timed out, the power operation is considered a failure. The default is 60 seconds, which is the same as the current Ironic default.

Upgrade Notes

  • Upgrades from OVN non-HA and OVN DBs pacemaker to OVN DBs clustered are currently not supported.

  • The default UEFI iPXE bootfile is now snponly.efi. The boolean parameter IronicIPXEUefiSnpOnly was added to allow custom configuration. When set to true snponly is used, when false the previous default ipxe.efi is used. See bug: 1959726.

Security Issues

  • The OVN database servers in an OVN DBs clustering and TLS-everywhere deployment will listen on all IP addresses ( This is a caveat that can only be addressed once RHBZ 1952038 is fixed.

Bug Fixes

  • The neutron agent report interval was recently changed from the 30s default to 300s. This caused issues whith timeouts when providing baremetal nodes. A new parameter IronicNeutronAgentReportInterval has been added with a default of 30s so that the report interval specifically for the networking baremetal agent is restored. See bug: 1940838.

Other Notes

  • The description of cinder’s own __DEFAULT__ volume type is updated to indicate the actual default volume type is the one established by the CinderDefaultVolumeType parameter.


New Features

  • The following parameters add support for mounting Cinder’s image conversion directory on an external NFS share.

    • CinderImageConversionNfsShare

    • CinderImageConversionNfsOptions

  • The new MemcacheUseAdvancedPool parameter is added which enables usage of advanced poll for memcached connections in keystone middleware. This parameter is set to true by default to avoind bursting connections in some services like neutron.

  • Add support for OVS DPDK pmd auto balance parameters. This feature adds 3 new role specific THT parameters to set pmd-auto-lb-load-threshold, pmd-auto-lb-improvement-threshold, and pmd-auto-lb-rebal-interval in OVS through OvsPmdLoadThreshold, OvsPmdImprovementThreshold and OvsPmdRebalInterval respectively.

  • Introduce new parameter to configure OVS PMD Auto Load Balance for OVS DPDK

Bug Fixes

  • InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile do not point to the default IPA ca.crt file and instead are requested to be loaded to component specific CA files (even if they are the same). This can lead to a race where the CA cert is not being written by certmonger in time. Ib868465c20d97c62cbcb214bfc62d949bd6efc62 already changed the default to use the IPA system cacert file ‘/etc/ipa/ca.crt’ per default starting with the wallaby release using the ansible role. This change backports to also use the IPA system cacert file ‘/etc/ipa/ca.crt’ to previous release when managing the certs via puppet-tripleo.

Other Notes

  • These parameters can now be set per-role - DnfStreams, UpgradeInitCommand, UpgradeLeappCommandOptions, UpgradeLeappDevelSkip, UpgradeLeappToRemove, UpgradeLeappToInstall


New Features

  • Added new options for deploying Barbican with PKCS#11 backends: BarbicanPkcs11CryptoTokenLabels and BarbicanPkcs11CryptoOsLockingOk

  • The OS::TripleO::{{}}::PreNetworkConfig resource has been restored. This resource can be used to implement any configuration steps executed before network configurations are applied.

  • The MariaDB tuning parameter for Innodb_buffer_pool_size can now be set via a new TripleO Heat Template parameter ‘MysqlInnodbBufferPoolSize’. By default this is undefined.

  • QemuDefaultTLSVerify will allow operators to enable or disable TLS client certificate verification. Enabling this option will reject any client who does not have a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem. The default is true and matches libvirt’s. We will want to disable this by default in train.

  • The nova-ironic setting for ‘max_concurrent_builds’ can now be set via the use of a new TripleO Heat templates parameter ‘IronicMaxConcurrentBuilds’. It is set to the service default of 10 by default in TripleO Heat templates.

  • Adding ptp parameters for timemaster service configuration on overcloud compute node.Timemaster will use already present chrony parameters. PTPMessageTransport, PTPInterfaces are added new.

Deprecation Notes

  • The BarbicanPkcs11CryptoTokenLabel option has been deprecated and replaced with the BarbicanPkcs11CryptoTokenLabels option.

Bug Fixes

  • Now ExtraConfigPre resource and NodeExtraConfig resource are executed after network configurations are applied in nodes. This is consitent with the previous version with heat software deployment mechanism instead of config-download.

  • Previously access to the sshd running by the nova-migration-target container is only limited via the sshd_config. While login is not possible from other networks, the service is reachable via all networks. This change limits the access to the NovaLibvirt and NovaApi networks which are used for cold and live-migration.

  • Nova vnc configuration right now uses NovaVncProxyNetwork, NovaLibvirtNetwork and NovaApiNetwork to configure the different components (novnc proxy, nova-compute and libvirt) for vnc. If one of the networks get changed from internal_api, the service configuration between libvirt, nova-compute and novnc proxy gets inconsistent and the console is broken. This changed to just use NovaLibvirtNetwork for configuring the vnc endpoints and removes NovaVncProxyNetwork completely.


New Features

  • The new parameter GlanceCinderMountPointBase has been added which will be used for mounting NFS volumes on glance nodes. When glance uses cinder as store and cinder backend is NFS, this parameter must be set to match cinder’s mount point.

  • The logic to configure the connection from barbican to nShield HSMs has been augmented to parse a nshield_hsms parameter, which allows the specification of multiple HSMs. The underlying ansible role (ansible-role-thales-hsm) will configure the HSMs in load sharing mode to provide HA.

  • New CinderRpcResponseTimeout and CinderApiWsgiTimeout parameters provide a means for configuring Cinder’s RPC response and WSGI connection timeouts, respectively.

  • Add posibilities to configure ovn dbs monitor interval in tht by OVNDBSPacemakerMonitorInterval (default 30s). Under load, this can create extra stress and since the timeout has already been bumped, it makes sense to bump this interval to a higher value as a trade off between detecting a failure and stressing the service.

  • When a node has hugepages enabled, we can help with live migrations by enabling NovaLiveMigrationPermitPostCopy and NovaLiveMigrationPermitAutoConverge. These flags are automatically enabled if hugepages are detected, but operators can override these settings.

  • Add NovaLibvirtMaxQueues role parameter to set [libvirt]/max_queues in nova.conf of the compute. Default 0 corresponds to not set meaning the legacy limits based on the reported kernel major version will be used.

  • The new SshServerOptionsOverrides parameter has been added. This parameter can be used to override a part of sshd_config, which is defined by the SshServerOptions.

Known Issues

  • Cell_v2 discovery has been moved from the nova-compute|nova-ironic containers as this requires nova api database credentials which must not be configured for the nova-compute service. As a result scale-up deployments which explicitly omit the Controller nodes will need to make alternative arrangements to run cell_v2 discovery. Either the nova-manage command can be run manually after scale-up, or an additional helper node using the NovaManage role can be deployed that will be used for this task instead of a Controller node. See Bug: 1786961 and Bug: 1871482.

Deprecation Notes

  • Some parameters within ThalesVars have been deprecated. These are - thales_hsm_ip_address and thales_hsm_config_location. See environments/barbican-backend-pkcs11-thales.yaml for details.

Bug Fixes

  • When deploying a spine-and-leaf (L3 routed architecture) with TLS enabled for internal endpoints the deployment would fail because some roles are not connected to the network mapped to the service in ServiceNetMap. To fix this issue a role specific parameter {{}}ServiceNetMap is introduced (defaults to: {}). The role specific ServiceNetMap parameter allow the operator to override one or more service network mappings per-role. For example:

      NovaLibvirtNetwork: internal_api_leaf2

    The role specific {{}}ServiceNetMap override is merged with the global ServiceNetMap when it’s passed as a value to the {{}}ServiceChain resources, and the {{}} resource groups so that the correct network for this role is mapped to the service.

    Closes bug: 1904482.

  • Previously, HorizonDebug and Debug parameters change the value of horizon::django_debug. However, those parameters didn’t set DEBUG log level to horizon logger components. By this change, if those are true, horizon::log_level is set to ‘DEBUG’.

  • Do not relabel Swift files on every container (re-)start. These will be relabeled already in step 3 preventing additional delays.


New Features

  • Added MemcachedMaxConnections setting with a default of 8192 maximum connections in order to allow an operator to override that value in environments where memcached is heavily sollicited.

  • Add parameter NovaAllowResizeToSameHost to allow instances to resize to the host they are currently on. Normally the source host is excluded.

  • To isolate LVM volumes created by compute guests, within Cinder volumes, from the LVM volumes created/managed by the host itself, a new task has been introduced to create an allowlist and denylist of devices which should be accessible (or not) to the host, configured in lvm.conf using the global_filter key. The allowlist is generated gathering the list of existing in-use physical disks (or partitions) and appending to it any user provided device passed via LVMFilterAllowlist parameter. The denylist is configured via LVMFilterDenylist and defaults to [‘.*’], which means it blocks any device not explicitly allowed. Both the list parameters can be specified per-role. The feature is, by default, disabled and can be enabled passing LVMFilterEnabled: true; when disabled the existing lvm.conf won’t be touched and a version of it which includes the global_filter will be left, for debugging, in /tmp/tripleo_lvmfilter.conf.

  • A new multipathd-container-ansible.yaml heat template replaces the multipathd-container.yaml template. The new template adds support for the following new parameters. * MultipathdSkipKpartx * MultipathdCustomConfigFile

  • Add parameters NovaLibvirtCPUMode, NovaLibvirtCPUModels and NovaLibvirtCPUModelExtraFlags to allow configuration of CPU related parameters libvirt/cpu_mode, libvirt/cpu_model and libvirt/cpu_model_extra_flags respectively.

  • This change updates the multiple-nics and multiple-nics-vlans templates so that an external bridge is created if either the role uses the External network or the “external_bridge” tag is set in the role definition. This is done instead of checking if the role name is “Controller”. This change also assigns the “external_bridge” tag to the Controller as well as the Compute roles so that both roles can access the Neutron external bridge for floating IPs or SNAT by default so that OVN can use DVR.

  • The NovaApiMaxLimit parameter allows the operator to set Nova API max_limit using a Heat parameter in their templates.

  • Add parameter NovaVGPUTypesDeviceAddressesMapping provide mapping for multiple vgpu types and corresponding device addresses.

Upgrade Notes

  • Cinder’s legacy “volume” service and its associated endpoints are automatically removed from the keystone catalog. The “volume” service is associated with Cinder’s v1 API, which was removed in Queens.

  • When upgrading from the multipathd-container.yaml template to the new multipathd-container-ansible.yaml template, bear in mind the new MultipathdSkipKpartx parameter will configure the corresponding skip_kpartx setting in /etc/multipath.conf.

  • Now NotificationDriver is set to noop by default, as legacy telemetry services are disabled by default. Explicitly set NotificationDriver parameter to notifications from each services.

  • The “external_bridge” tag is now used for the Compute node. An external network bridge is required on the compute nodes in order to host floating IPs when using DVR. OVN deploys with DVR by default.

Deprecation Notes

  • The multipathd-container.yaml template is deprecated in favor of a new multipathd-container-ansible.yaml template. The new template is backward compatible with the old template, but see the features and upgrade notes for additional details.

Bug Fixes

  • As per launchpad bug 1855704, the lvmfilter task aims at hiding to the host the LVM2 volumes created by compute guests in Cinder volumes or Glance images.

  • When using the Shared File Systems service (manila), you may now use the Heat template parameter “ManilaEnabledShareProtocols” to configure the NAS protocols that users may use. If not set, the value is inferred per the storage backends that have been enabled.

  • The keystone catalog is automatically updated to remove any entries associated with Cinder’s v1 API “volume” service. This fixes bug 1897761.

  • Fixed the Octavia OctaviaTenantLogFacility setting default to 0 to align it with the project default.

  • Certificates get merged into the containers using kolla_config mechanism. If a certificate changes, or e.g. UseTLSTransportForNbd gets disabled and enabled at a later point the containers running the qemu process miss the required certificates and live migration fails. This change moves to use bind mount for the certificates and in case of UseTLSTransportForNbd ans creates the required certificates even if UseTLSTransportForNbd is set to False. With this UseTLSTransportForNbd can be enabled/disabled as the required bind mounts/certificates are already present.

  • introduced THT parameters to set libvirt/cpu_mode. The patch sets the NovaLibvirtCPUMode wrong to ‘none’ string which results in puppet-nova not to handle the default cases correct and sets libvirt/cpu_mode to none which results in ‘qemu64’ CPU model, which is highly buggy and undesirable for production usage. This changes the default to the recommended CPU mode ‘host-model’, for various benefits documented elsewhere.

  • When using RHSM Service (deployment/rhsm/rhsm-baremetal-ansible.yaml) based registration of the overcloud nodes and enabling the KSM using NovaComputeEnableKsm=True the overcloud deployment will fail because the RHSM registration and the ksm task run as host_prep task. The handling of enable/disable ksm is now handled in deploy step 1.

  • In case of cellv2 multicell environment nova-metadata is the only httpd managed service on the cell controller role. In case of tls-everywhere it is required that the cell controller host has ther needed metadata to be able to request the HTTP certificates. Otherwise the getcert request fails with “Insufficient ‘add’ privilege to add the entry ‘krbprincipalname=HTTP/cell1-cellcontrol-0….’”


New Features

  • Adds a new ContainerNovaLibvirtPidsLimit parameter in order to set the PIDs limit for nova_libvirt container. Defaults to 65536, set to 0 for unlimited.

  • The following parameters were added to support configuration of gnocchi nfs backend.

    • GnocchiNfsEnabled

    • GnocchiNfsShare

    • GnocchiNfsOptions

  • Add the NovaImageCacheTTL to the nova compute service. This exposes the remove_unused_original_minimum_age_seconds from nova.conf which controls the time (in seconds) that nova compute should continue caching an image once it is no longer used by and instances on the host. Defaults to 86400 (24hrs)

  • When SwiftRawDisks is set, try to mount the disks using uuids instead of paths. This makes mounts more stable, eg. if a kernel gets updates and device orders are changed.

  • A new Heat parameter ‘ZaqarWsTimeout’ exposes the Puppet variable ‘tripleo::haproxy::zaqar_ws_timeout_tunnel’. This allows operators to configure the Mistral API timeout. It currently defaults to four hours.

Upgrade Notes

  • The CIDR for the StorageNFS network in the sample network_data_ganesha.yaml file has been modified to provide more usable IPs for the corresponding Neutron overcloud StorageNFS provider network. Since the CIDR of an existing network cannot be modified, deployments with existing StorageNFS networks should be sure to customize the StorageNFS network definition to use the same CIDR as that in their existing deployment in order to avoid a heat resource failure when updating or upgrading the overcloud.

Deprecation Notes

  • As the fast forward upgrade workflow to skip multiple releases now relies on the very same upgrade_tasks, there is no need to mantain the fast_forward_upgrade_tasks, as well as any of its references.

Bug Fixes

  • Ansible GroupVars incorrectly keept a single subnet prefix per-network. This caused a problem when multiple subnets using different subnet prefixes where defined. Resulting in the wrong subnet prefix being referenced in the NetworkConfig for roles.

    AnsibleHostVars stores networks subnet prefixes instead. See bug: 1895899.

  • Fixed issue in the sample network_data_ganesha.yaml file where the IPv4 allocation range for the StorageNFS network occupies almost the whole of its CIDR. If network_data_ganesha.yaml is used without modification in a customer deployment then there are too few IPs left over in its CIDR for use by the corresponding overcloud Neutron StorageNFS provider network for its overcloud DHCP service. (See bug: #1889682)

  • Fix Swift ring synchronization to ensure every node on the overcloud has the same copy to start with. This is especially required when replacing nodes or using manually modifed rings.


New Features

  • Add new BarbicanClient tripleo service for configuring DCN/Edge nodes to access a barbican service running in the control plane. The client service is disabled by default, and can be enabled by including the environments/services/barbican-edge.yaml environment file when deploying a DCN/Edge stack.

  • Added new PublicTLSCAFile parameter, that is used to set the ca cert in clouds.yaml for keystone public endpoint. This defaults to empty string (‘’) assuming that the certs are already trusted.

  • Add GlanceImagePrefetcherInterval parameter to run periodic job which fetches the queued images for caching in cache directory, when image cache is enabled.

  • Add boolean parameter NovaSchedulerQueryPlacementForAvailabilityZone that sets scheduler/query_placement_for_availability_zone parameter. It allows the scheduler to look up a host aggregate with metadata key of availability zone set to the value provided by incoming request, and request result from placement be limited to that aggregate. Default value for NovaSchedulerQueryPlacementForAvailabilityZone is false.

  • Adds the “OctaviaLogOffload” setting to enable amphora log offloading.

  • Added support for VxFlexOS cinder block storage backend driver

Deprecation Notes

  • Usage of the option NeutronFirewallDriver which was used to set firewall_driver config option in the Neutron server’s config is now deprecated. Firewall driver should be set per agent in the agent’s config. It can be done using NeutronOVSFirewallDriver option. Option in the Neutron server was in there just for backward compatybility reasons but since Newton release all Neutron agents are reporting to the server what firewall driver is used so there is no need to keep this legacy, server side option anymore.

Bug Fixes

  • Ensure the barbican Key Manager settings are configured on DCN/Edge nodes when the barbican service is deployed in the control plane. See bug 1886070.

Other Notes

  • The ValidateNtp has been removed from the all nodes validation configuration. During the time sync configuration we already do a check to ensure the ntp servers are available. If they are not we will fail with an appropriate message. The ValidateNtp option came from a time before we could fail in a more explicit way.


New Features

  • Adds support for IGMP snooping (Multicast) in the Neutron ML2/OVS driver.

  • Added enhancements to Octavia’s OVN driver configuration, so it can connect to OVN_Northbound DB using SSL/TLS.

  • The new EnableCache parameter is added to enable/disable chacing using memcached services. The parameter is true by default, but should be false when memcached service is disabled in the deployment.

  • Add boolean parameter NovaSchedulerEnableIsolatedAggregateFiltering which allows to set scheduler/enable_isolated_aggregate_filtering parameter. This configures scheduler to restrict hosts in aggregates based on matching required traits in the aggregate metadata and the instance flavor/image. If an aggregate is configured with a property with key trait:$TRAIT_NAME and value required, the instance flavor extra_specs and/or image metadata must also contain trait:$TRAIT_NAME=required to be eligible to be scheduled to hosts in that aggregate. Default value for NovaSchedulerEnableIsolatedAggregateFiltering is False.

  • For baremetal operations on DHCPv6-stateful networks multiple IPv6 addresses can now be allocated for neutron ports created for provisioning, cleaning, rescue or inspection. The new parameter IronicDhcpv6StatefulAddressCount controls the number of addresses to allocate.

  • Add Heat parameter EnableMysqlAuthEd25519, which when set to true, configures MySQL user credentials to require ed25519-based authentication to the mariadb server, instead of the default SHA1-based native authentication.

  • Adding two parameters to manage vPMEM [0] configuration parameters. NovaPMEMMappings parameter set Nova’s configuration option pmem_namespaces that reflects mappings between vPMEM and physical PMEM namespaces. NovaPMEMNamespaces creates and manages physical backend PMEM namespaces which win be used as backend for vPMEM. NovaPMEMMappings example: 6GB:ns0|ns1|ns2,LARGE:ns3 will expose namespaces ns0, ns1, ns2 using label 6GB and namespace ns3 using label LARGE. NovaPMEMNamespaces example: 100G:ns0|14096M:ns1 will create two namespaces: ns0 - size 100G, ns1 - size 14096M.

  • Added the parameter PortPhysnetCidrMap in the ironic inspector service template. The parameter takes a mapping of IP subnet CIDR to physical network. When the physnet_cidr_map processing hook is enabled the physical_network property of baremetal ports is populated based on this mapping. See Bug: 1870529.

  • Support for Dell EMC SC backend cinder driver. Supports both iSCSI and FC volume drivers and support deploying one or multiple cinder SC storage backends.

  • Support for Dell EMC Xtremio backend cinder driver. Supports both iSCSI and FC volume drivers and support deploying one or multiple cinder Xtremio storage backends.

Upgrade Notes

  • Exclude /var/lib/ironic/* from rsync, this is a leftover from the initial containerization of TripleO; now we have host prep tasks, the ironic conductor and inspector bind mount /var/lib/ironic and generate the data that they need. But this data should not be in the config volume or it can conflict from each other when rsync runs at the same time. Check launchpad bug 1868934. TripleO upgrade tasks and host prep tasks will take care of removing the var directory from the config volumes and the containers will just use the bind mount, like it should be doing now. These tasks will run during a minor update, major upgrade, and fast forward upgrade.

Deprecation Notes

  • Support for Dell EMC PS Series aka Eqlx was removed, because the driver was deprecated in Train release and has been removed from cinder.

  • Resource OS::TripleO::Services::CinderBackendDellSc is no longer supported. Use the new resource OS::TripleO::Services::CinderBackendDellEMCSc.

  • Support for Sahara services is now deprecated, and will be removd in a future release.

  • The following parameters has been deprecated and are no longer used: ´´CephIPv6``, CorosyncIPv6, RabbitIPv6, MemcachedIPv6, MysqlIPv6, RedisIPv6 and NeutronOverlayIPVersion. The IP version is now detected by looking at the CIDR of network subnets instead.

  • KeepalivedRestart is deprecated and has no effect. The workaround isn’t needed anymore since we now deploy keepalived-2.0.10-4. This version has support for ‘dynamic_interfaces’ which is required when the network config was changed and os-net-config restarts the network interface.

  • Keepalived service is deprecated in Train and will be removed in the next cycle. The VIPs are now created by os-net-config for both the Undercloud and Standalone. If you need HA VIPs, please deploy Pacemaker.

  • Resource OS::TripleO::Services::CinderBackendDellEMCVMAXISCSI is no longer supported. Use the new resource OS::TripleO::Services::CinderBackendDellEMCPowermax.

  • Resource OS::TripleO::Services::CinderBackendDellEMCXTREMIOIscsi is no longer supported. Use the new resource OS::TripleO::Services::CinderBackendDellEMCXtremio.

Other Notes

  • Pacemaker is now deployed by default on the Overcloud and Standalone deployments. It has become the de-facto service to handle services in HA and also Virtual IPs.


New Features

  • Added parameters NovaVNCProxySSLCiphers and NovaVNCProxySSLMinimumVersion to manage the allowed TLS ciphers and minimum protocol version to enforce for incoming client connections to the VNC proxy service.

  • Adds NovaMaxDiskDevicesToAttach parameter that controls compute/max_disk_devices_to_attach parameter in Nova. This parameter sets maximum number of disk devices allowed to attach to a single server.

  • Introduce “{{}}ExtraGroupVars” which allows to define a dictionary of Ansible group vars per role. These extra group vars will override any pre-defined group var from a service.

  • Add parameters for configuring multiple glance-api backends. The existing GlanceBackend parameter represents the default backend, and a new GlanceMultistoreConfig parameter is a hash representing the configuration of additional backends. A new GlanceStoreDescription parameter provides a means of describing each backend.

    The configuration can specify any combination of supported backend types. Multiple rbd backends can be specified, but cinder, file and swift backends are limited to one each.

  • Now virtlogd will output its logs into an independent log file, /var/log/containers/libvirt/virtlogd.log, instead of host journal.

  • LibvirtVirtlogdLogLevel and LibvirtVirtlogdLogFilters were added to set logging parameters in virtlogd.

  • Add boolean parameter NeutronDhcpAgentDnsmasqEnableAddr6List to support the dnsmasq_enable_addr6_list option in dhcp agent settings. (See bug: #1861032)

  • Add boolean parameter NovaSchedulerPlacementAggregateRequiredForTenants which allows to set scheduler/placement_aggregate_required_for_tenants parameter. It controls whether or not a tenant with no aggregate affinity will be allowed to schedule to any available node. If aggregates are used to limit some tenants but not all, then this should be False. If all tenants should be confined via aggregate, then this should be True. Default value for NovaSchedulerPlacementAggregateRequiredForTenants is false.

  • Adds support for IGMP snooping (Multicast) in the OVN driver. Defaults to False. IGMP snooping requires OVN version 2.12 or above.

  • Add posibilities to configure replication_probe_interval for ovsdb-server by OVNDBSReplicationInterval. It configure probe interval for connection for ovsdb-server when it is in backup mode and connects to the active ovsdb-server for replication

Upgrade Notes

  • Adds a new parameter NeutronMetadataWorkers for OVN. This parameters allows users to configure the number of OVN metadata workers separately from the value of NeutronWorkers. The OVN metadata workers are deployed onto the compute nodes and not on the controllers/gateways as the OVS ones.

  • Removed the environments/standalone.yaml. This file should not be used and the environments/standalone/standalone-tripleo.yaml should be used instead.

Bug Fixes

  • The parameter ControlPlaneSubnetCidr was missing in the network/ports/net_vip_map_external.j2.yaml and network/ports/net_vip_map_external_v6.j2.yaml template files. This caused deployment failure since the VipMap resource pass this property. (See Bug: #1864912)

  • Fixed an issue where disabling one or more networks in network_data.yaml caused deployment failure. (See bug: #1842001)

  • Fixes an issue where the parameter CloudNameStorageManagement was used for all custom networks with service_net_map_replace defined. (See bug: 1862679.)

  • Fixed an issue where containers octavia_api and octavia_driver_agent would fail to start on node reboot.


New Features

  • Added the configuration option to set reserved_huge_pages. When NovaReservedHugePages is set, “reserved_huge_pages” is set to the value of NovaReservedHugePages. If NovaReservedHugePages is unset and OvsDpdkSocketMemory is set, reserved_huge_pages value is calcuated from KernelArgs and OvsDpdkSocketMemory. KernelArgs helps determine the default huge page size used, the default is set to 2048kb and OvsDpdkSocketMemory helps determine the number of hugepages to reserve.

  • Adds parameter for configuring heat client_retry_limit config option to increase the number of retries for transient errors.

  • Added the Octavia anti-affinity parameters.

  • The new parameter CephExternalMultiConfig may be used to configure OpenStack to use multiple external Ceph clusters.

  • Introduces two new parameters to configure the archive deleted instances cron job. 1) NovaCronArchiveDeleteAllCells To make sure deleted instances get archived also from the cell0 in a single cell deployment and also in additional cell databases in case of a multi cell deployment.

    2) NovaCronArchiveDeleteRowsAge –before is required to prevent the orphaning of libvirt guests if/when nova-compute is down when a db archive cron job fires.

    This change also modifies 1) the default from 100 to 1000 for NovaCronArchiveDeleteRowsMaxRows to match the default from the nova-manage command instead the default of 100 from the puppet-nova parameter.

    2) changes the default for NovaCronPurgeShadowTablesAllCells from false to true also the nova-manage db purge command needs to run for all cells instead of only the default cell.

  • Added a TripleO service OvsDpdkNetcontrold to enable netcontrold PMD rebalance tool for OvS-DPDK deployments.

  • HA services use a special container image name derived from the one configured in Heat parameter plus a fixed tag part, i.e. ‘<registry>/<namespace>/<servicename>:pcmklatest’. To implement rolling update without service disruption, this ‘pcmklatest’ tag is adjusted automatically during minor update every time a new image is pulled. A new Heat parameter ClusterCommonTag can now control the prefix part of the container image name. When set to true, the container name for HA services will look like ‘container-common-tag/<servicename>:pcmklatest’. This allows rolling update of HA services even when the <namespace> changes in Heat.

  • Enable the new container image naming scheme for HA services. They are now configured in pacemaker to use container image name like ‘container-common-tag/<servicename>:pcmklatest’. This allows rolling update of HA services even when the <namespace> changes in Heat.

  • Add the ability to deploy the glance-api service at DCN/Edge sites. Glance service at the Edge shares the same database as the Glance service in the central control plane, but allows other services such as Cinder and Nova to access a Glance endpoint that is local to the DCN/Edge site.

  • Enabling additional healtchecks for Swift to monitor account, container and object replicators as well as the rsync process.

  • The ansible tripleo-hosts-entries is now used for adding individual entries to /etc/hosts for each overcloud node. This role is used instead of the output data from the Heat stack.

Deprecation Notes

  • NovaEnableNUMALiveMigration was removed and has no effect, becuase the corresponding parameter in nova was deprecated in Train release.

  • The deployed-server bootstrap environments, templates, and scripts that were previously deprecated are now removed. These removals include deployed-server/ deployed-server/deployed-server-bootstrap-centos.yaml deployed-server/ deployed-server/deployed-server-bootstrap-rhel.yaml environments/deployed-server-bootstrap-environment-centos.yaml environments/deployed-server-bootstrap-environment-rhel.yaml

  • The environment file at environments/service/neutron-server.yaml has been removed in ussuri as it was previously deprecated in train.

  • Environment file host-config-and-reboot.yaml has been removed and the required functionality is part of BootParams service.

  • ExternalPublicUrl, ExternalAdminUrl and ExternalInternalUrl are deprecated. ExternalSwiftPublicUrl, ExternalSwiftAdminUrl and ExternalSwiftInternalUrl should now be used.

Bug Fixes

  • After we switch default neutron driver to ovn also NeutronPluginExtensions should contain dns because “qos,port_security,dns” is default value for ovn

  • All roles now default to using the net-config-static-bridge.yaml nic config when using deployed-server. Since OVN is the default in TripleO, Compute roles need to have br-ex. Previously when using deployed-server, the default nic config for the non-Controller roles was net-config-static.yaml, which did not create br-ex.

  • Fixes an issue where filtering of networks for kerberos service principals was too aggressive, causing deployment failure. See bug 1854846.

  • The WSGI timeout for Heat API is now set to 600 seconds to match the HAProxy timeout and the RPC response timeout. Previously, it was set to 60 seconds, which resulted in API requests timing out.

  • HA container naming scheme has been updated to look like ‘container.common.tag/<servicename>:pcmklatest’, in order for podman to not prepend any host suffix in front of this tag, otherwise this confuses the podman resource agent in pacemaker.

  • Fixes an issue where TripleO fails to set the Barbican key ID for Swift with a permission error if the config files are not relabeled.

Other Notes

  • Not a functionnal change, only cosmetics. For better understanding and readability, changing all the svirt_sandbox_file_t to shorter, nicer container_file_t


New Features

  • Added the “connection_logging” parameter for the Octavia service.

  • Added support for running the Octavia driver agent in a container. This will enable features such as the OVN load balancer provider in octavia as well as other third party providers.

  • Added the Octavia log offload parameters.

  • Inclusion and configuration of ReaR service to undercloud and overcloud nodes.

  • The ManageNetworks parameter has been added. The parameter controls management of the network and related resources (subnets and segments) with either create, update, or delete operations (depending on the stack operation). Does not apply to ports which will always be managed as needed. Defaults to true. For multi-stack use cases where the network related resources have already been managed by a separate stack, this parameter can be set to false.

  • Provides the option to set the “ovn_emit_need_to_frag” configuration option to the “ovn” section of etc/neutron/plugins/ml2_conf.ini. This option tells ovn whether it should emit ICMP “need to frag” packets in case of MTU mismatch. Before enabling this configuration make sure that it’s supported by the host kernel (version >= 5.2) or by checking the output of the following command ‘ovs-appctl -t ovs-vswitchd dpif/show-dp-features br-int | grep “Check pkt length action”’. Defaults to False.

  • This parameter sets inactive probe interval of the JSON session from ovn-metadata to the OVN SB database. By default this it is 5s which not be sufficient in loaded systems or during high control-plane activity spikes, leading to unnecessary reconnections to OVSDB server. Now it is extended by default to 1 min and it is configurable by param OVNRemoteProbeInterval.

  • Added new heat param OVNOpenflowProbeInterval to set ovn_openflow_probe_interval which is inactivity probe interval of the OpenFlow connection to the OpenvSwitch integration bridge, in seconds. If the value is zero, it disables the connection keepalive feature, by default this value is set on 60s. If the value is nonzero, then it will be forced to a value of at least 5s.

  • Under pressure, the default monitor timeout value of 20 seconds is not enough to prevent unnecessary failovers of the ovn-dbs pacemaker resource. While spawning a few VMs in the same time this could lead to unnecessary movements of master DB, then re-connections of ovn-controllers (slaves are read-only), further peaks of load on DBs, and at the end it could lead to snowball effect. Now this value can be configurable by OVNDBSPacemakerTimeout which will configure tripleo::profile::pacemaker::ovn_dbs_bundle (default is set to 60s).

  • TripleO will now configure iptables using the TripleO-Ansible role, tripleo-firewall. This role implements all of the same interfaces and behaviors as the puppet manifest.

  • A new parameter has been added, ExtraFirewallRules. This parameter provides a user interface to configure additional iptables rules.

Upgrade Notes

  • If deprecated parameter InotifyIntancesMax is used in deployment, then user should use parameter InotifyInstancesMax with correct spelling during upgrade.

Deprecation Notes

  • Deprecated InotifyIntancesMax parameter as it is misspelt.

  • The OS::TripleO::Services::NeutronServer service mapping is deprecated in favor of using OS::TripleO::Services::NeutronApi. Any role definitions still using OS::TripleO::Services::NeutronServer need to either be updated to use OS::TripleO::Services::NeutronApi instead, or they can make use of the environment file at environments/services/neutron-server.yaml to enable the old mapping. The environment file will be removed in the ussuri release.

  • The roles file at deployed-server/deployed-server-roles-data.yaml is deprecated in train. It’s contents are the same as roles_data.yaml, and no special roles files are needed when using deployed-server.

  • The roles file at deployed-server/deployed-server-roles-data.yaml is now removed in ussuri as it was deprecated in train. Note that the default roles_data.yaml file can now be used when using deployed-server.

  • OpenDaylight service templates and environment files have been removed. It was deprecated in Stein and removed in Train.

  • The heat template tripleo-firewall-baremetal-puppet.yaml has been deprecated. While this template can still be used to configure the TripleO-Firewall service, it is no longer preferred and will be removed in a future release.

  • Configuring firewall rules with extraconfig is no longer being supported. All firewall rules should be converted such that they’re set within the user defined parameter ExtraFirewallRules.

Bug Fixes

  • Fixed an issue where Octavia controller services were not properly configured.

  • Added new parameter with correct spelling InotifyInstancesMax.

  • Restart certmnonger after registering system with IPA. This prevents cert requests not completely correctly when doing a brownfield update.

Other Notes

  • Add “radvd_user” configuration parameter to the Neutron L3 container. This parameter defines the user pased to radvd. The default value is “root”.