Current Series Release Notes

20.4.0-4

Bug Fixes

  • Fixes overly restrictive permissions on certificates under the /var/lib/kolla/share/ca-certificates path in containers that require access to these certificates.

  • Fixes default ulimits for Debian-family container engines when using containerd. Previously, ulimits were not enforced by default, which could lead to missing nofile limits and service startup failures.

    This change introduces sane default ulimit values for Debian-based distributions while keeping existing EL9 behavior unchanged.

    LP#2132378

20.4.0

New Features

  • Adds support for deploying ProxySQL 3.0.x on OpenStack 2025.1 systems. ProxySQL 2.7.x, which is the default version of ProxySQL in 2025.1, has a bug where the SSL handshake does not send the full certificate chain. This causes database TLS verification failures when users use an intermediate certificate. This bug was only fixed in the ProxySQL 3.0.x release. Users can deploy or upgrade ProxySQL to 3.0.x by setting proxysql_version to 3.

  • Adds valkey role.

  • Increased the default value of innodb_log_file_size from 96MB to 2GB. This change improves the overall performance of MariaDB. However, MariaDB recovery may take longer as a tradeoff. Users can adjust the value by overriding the K-A variable mariadb_innodb_log_file_size_mb. The allowed minimum is 4MB and the maximum is 524288MB (512GB).

  • Adds Rocky Linux 10 support alongside existing Rocky Linux 9 to allow for operating system migrations before upgrading to 2025.2 (Flamingo) or 2026.1 (Gazpacho) which the former.

Upgrade Notes

  • Adds the kolla-ansible migrate-valkey command for manual migration from Redis to Valkey. One use case is migrating a Rocky Linux 9 based 2025.1 (Epoxy) deployment to Rocky Linux 10 before upgrading to 2025.2 (Flamingo) or 2026.1 (Gazpacho).

  • The default value of innodb_log_file_size has increased from 96MB to 2GB. This improves MariaDB performance, but recovery from a crash may take longer as a tradeoff. Before upgrading, users are recommended to consider the recovery time with the new default and to check that there is enough disk space for the larger InnoDB log file.

Bug Fixes

  • Fixes an issue where OpenSearch log retention check would fail due to plugins not being fully loaded, resulting in a timeout error. This was caused by the task that checks for the existence of a log. Added a check before plugin tasks to ensure plugins are fully loaded.

  • Fixes an issue where Horizon returned HTTP 500 errors when one of the Memcached nodes was unavailable by setting ignore_exc to True in the cache backend. LP#2106557

  • Fixed a critical issue in kolla-mergepwd where the migration from Redis to Valkey resulted in authentication failures. The tool now automatically inherits the existing redis_master_password into the new valkey_master_password field during upgrades. This prevents serious cluster damage in deployments using custom Keystone caching solutions and ensures Octavia remains stable throughout the upgrade process, avoiding global HTTP 401 Unauthorized errors caused by password mismatches. LP#2138461

  • Fixes bug LP#2129930 which sometimes caused Zuul CI to fail the MariaDB backup test.

  • Fixes a placement problem for the cyborg api and conductor services, which would also be scheduled on compute nodes rather than exclusively on the control plane. LP#2087552

  • Fixes a failure in the destroy workflow when cleaning up the Octavia interface service by running the task with elevated privileges.

  • Fixed TLS errors in Skyline’s nginx configuration when upstream endpoints use HTTPS. LP#2091935 LP#1951437

  • Fix generating passwords longer than 72 characters. This fixes prometheus configuration. LP#2126975

20.3.0

New Features

  • The OVN container images (ovn-nb-db, ovn-northd and ovn-sb-db) now have default environment variables in place that make it easier for operators to run ovn-nbctl and ovn-sbctl commands.

Upgrade Notes

  • Support for Linux Bridge mechanism driver has been removed. The driver was already removed from neutron.

Bug Fixes

  • Fixes an issue where vendordata.json, if defined, was not being copied to the nova-metadata directory. LP#2111328

  • Fixed certificate script rendering in Let’s Encrypt role. LP#2115230

  • Handlers that trigger a restart of the nova_libvirt and ovn_sb_db_relay containers have been removed, and restarts of these services are now under the control of the service-check-containers role. LP#2123946

  • Fix an issue causing etcd backend TLS certificates to not be templated as the kolla_copy_backend_tls_files variable was evaluating to false due to the etcd_enable_tls_backend variable being undefined.

  • Remove reference to EXTRA_OPTS in documentation.

  • Fixes an issue where CORS can be blocked when attempting to upload an image via the Horizon user interface.

  • Adds a missing override for octavia_notification_topics so that operators can add their own notification topics for Octavia. By default it will send notifications to ceilometer when ceilometer is enabled.

20.2.0

Upgrade Notes

  • Deployments using a file-based external certificate and Let’s Encrypt for the internal certificate (separate VIPs) default to managing the external certificate with Let’s Encrypt. To retain a file-based external certificate, set letsencrypt_external_cert_server: "".

Security Issues

  • Deny access to /server-status via the single frontend. LP#2121626

Bug Fixes

  • Fixes bug LP#2118452 which stopped the RabbitMQ upgrade from version 3.13 to 4.1 even though it is supported.

  • Fixes the kolla-toolbox configuration with external RabbitMQ, where an unnecessary comma was generated and prevented the container from starting. LP#2111267

  • Fixes configuration of backend TLS when network nodes are separate from controllers. LP#2117084

  • Fixes a bug where the Cinder endpoint that Nova uses does not get overridden because of the use of an invalid option. LP#2115064

  • Fixes a bug where Keystone became unable to start when the option OIDCXForwardedHeaders is set to an empty string in wsgi-keystone.conf. LP#2119344

  • Fixes RabbitMQ version check which would always be skipped. LP#2102662

  • Fixes a bug where K-A can fail service deployment because it tries to copy backend TLS certificates of some hosts to containers when both hosts and containers are not part of backend TLS and do not have certificates to copy. LP#2105505

  • Prevents accidental libvirt downgrades in nova_libvirt container image during deploy and upgrade. Adds a nova_libvirt version check that resolves the target image digest once on the first compute host and runs only on hypervisors where the running container digest differs from the target.

  • Restore the default Let’s Encrypt ACME server for external certificates so that enabling enable_letsencrypt works out of the box again without explicitly setting letsencrypt_external_cert_server. The default is https://acme-v02.api.letsencrypt.org/directory.

20.1.0

New Features

  • bootstrap-servers now always uses the system Python interpreter via auto_silent autodetection.

    octavia-certificates now uses the same Python interpreter as the one running the kolla-ansible command itself.

Bug Fixes

  • Fixes handler invocation failure in the ovs-dpdk role. LP#2088197

  • Allow operators to run kolla-ansible post-deploy without escalating privileges on the deploy node when node_config is writable for that user.