Current Series Release Notes

20.0.0-151

New Features

  • Enable the configuration of the timeout manager by OIDCStateTimeout variable. We also provide means to override the error page for the modOIDC plugin via {{ node_custom_config }}/keystone/federation/modoidc-error-page.html file.

  • ProxySQL is now automatically enabled when MariaDB is enabled. MariaDB container healthcheck method was updated as healthcheck script was replaced from Clustercheck to official MariaDB docker image’s healthcheck.sh

  • Fluentd now sends logs directly to OpenSearch node IPs instead of using a Load Balancer. This change reduces Load Balancer overhead from high log volumes. The Load Balancer for OpenSearch remains in place, as it is still used by OpenSearch Dashboards. Fluentd continues to handle node availability, automatically distributing logs via round-robin to available nodes, ensuring log delivery even if individual OpenSearch nodes become unavailable.

  • The OVN container images (ovn-nb-db, ovn-northd and ovn-sb-db) have now default environment variables in place that ease running of ovn-nbctl and ovn-sbctl commands for operators.

  • Improves performance of Prometheus deployment by separating the prometheus_node_exporter and prometheus_cadvisor services to a new prometheus-node-exporters role.

  • TLS support for MariaDB connections has been enabled for all services when using ProxySQL.

  • bootstrap-servers now always uses the system Python interpreter via auto_silent autodetection.

    octavia-certificates now use the same Python interpreter as the one running the kolla-ansible command itself.

  • Adds support for running following services using uWSGI (without using Apache+mod_wsgi) which is enabled by default. To disable it please set <service>_wsgi_provider to apache (default is uwsgi):

    Service

    Variable

    Aodh

    aodh_wsgi_provider

    Gnocchi

    gnocchi_wsgi_provider

    Heat

    heat_wsgi_provider

    Horizon

    horizon_wsgi_provider

    Ironic

    ironic_wsgi_provider

    Keystone

    keystone_wsgi_provider

    Masakari

    masakari_wsgi_provider

    Octavia

    octavia_wsgi_provider

Upgrade Notes

  • Changes haproxy and rabbitmq default trusted CA store path on EL systems to ca-bundle.crt from ca-bundle.trust.crt.

  • A cron Ansible role has been created and its deployment is not part of the common role anymore.

  • It was added a default template for the modOIDC plugin, which will handle authentication errors for federated users. The default template is found at “ansible/roles/keystone/templates/modoidc-error-page.html.j2”; it can also be replaced/overwritten. One can also overwrite, the timeout, instead of the whole page via the following variable: keystone_federation_oidc_error_page_retry_login_delay_milliseconds. The default timeout for the page redirection is 5 seconds.

  • Database loadbalancing with HAProxy and MariaDB Clustercheck is no longer supported. For the system that uses HAProxy and Clustercheck, upgrading MariaDB with kolla-ansible upgrade will deploy ProxySQL containers and remove MariaDB Clustercheck containers.

  • The ironic-inspector deployment support has been dropped following retirement of that service in Ironic project. ironic_inspector_kernel_cmdline_extras has been renamed to ironic_kernel_cmdline_extras and ironic_inspector_pxe_filter has been renamed to ironic_pxe_filter. Also the inspector.ipxe file has been renamed to ipa.ipxe.

  • bifrost support for deploying legacy ironic inspector has been dropped together with bifrost_enable_ironic_inspector variable.

  • neutron_legacy_iptables and its handling has been dropped.

  • VMWare support for various OpenStack services (e.g. Nova, Cinder, Neutron) has been dropped due to removal in respective services and no development or new versions of third party libraries.

  • A fluentd Ansible role has been created and its deployment is not part of the common role anymore.

  • Horizon default port (80/443) has been changed to 8080 when using HAProxy, while the old default has been retained for development environments using enable_haproxy set to no.

  • Neutron deployment has been reworked to use uWSGI for API workers and to run additional processes in separate containers (following changes in Neutron project). Therefore neutron-tls-proxy service has been dropped and currently TLS is terminated on the uWSGI server. In addition to this there are new containers/services:

    • neutron-ovn-maintenance-worker

    • neutron-rpc-server

    • neutron-periodic-workers

  • OpenSearch Dashboards now connects directly to OpenSearch nodes, rather than via a HAProxy endpoint. This should have no user facing impact.

  • Deployments using a file-based external certificate and Let’s Encrypt for the internal certificate (separate VIPs) default to managing the external certificate with Let’s Encrypt. To retain a file-based external certificate, set letsencrypt_external_cert_server: "".

Security Issues

  • Deny access to /server-status via the single frontend. LP#2121626

Bug Fixes

  • Fixes bug LP#2118452 which stopped the RabbitMQ upgrade from version 3.13 to 4.1 even though it is supported.

  • Fixes handler invocation failure in the ovs-dpdk role. LP#2088197

  • Configuration with letsencrypt disabled generates in haproxy unnecessary backend ‘acme_client_back’ and ‘path_reg ^/.well-known/acme-challenge/.+’. LP#2097452

  • Fixes an issue where Horizon returned HTTP 500 errors when one of the Memcached nodes was unavailable by setting ignore_exc to True in the cache backend. LP#2106557

  • In the kolla-toolbox configuration with external rabbitmq an unnecessary “comma” is generated, which is why the container does not want to start. LP#2111267

  • Fixes invalid use of drain on single-node RabbitMQ setups by using stop_app instead. LP#2111916

  • Improves query routing in ProxySQL by setting default_hostgroup for all database users and by adding user-based routing rules in addition to schema-based rules. This enhancement also fixes incorrect routing of queries that are executed before a schema is selected, such as SET AUTOCOMMIT or ROLLBACK, which could otherwise be sent to a non-existent hostgroup. LP#2112339

  • Fixed certificate script rendering in Let’s Encrypt role. LP#2115230

  • Fixes configuration of backend TLS when network nodes are separate from controllers. LP#2117084

  • Handlers to trigger a restart nova_libvirt and ovn_sb_db_relay containers have been removed and restarts of these services are now under the control of the service-check-containers role LP#2123946.

  • Fix an issue causing etcd backend TLS certificates to not be templated as the kolla_copy_backend_tls_files variable was evaluating to false due to the etcd_enable_tls_backend variable being undefined.

  • Fixes deployment of Cyborg in dev mode. LP#2030849

  • Remove reference to EXTRA_OPTS in documentation.

  • Fixes an issue where CORS can be blocked when attempting to upload an image via the Horizon user interface.

  • Fixes a bug where Cinder endpoint that Nova uses does not get overridden because of the use of invalid option. LP#2115064

  • Fixes the bug where Keystone become unable to start when the option OIDCXForwardedHeaders is set with empty string in wsgi-keystone.conf. LP#2119344

  • Fixes RabbitMQ version check which would always be skipped. LP#2102662

  • Fixes a bug where K-A can fail service deployment because it tries to copy backend TLS certificates of some hosts to containers when both hosts and containers are not part of backend TLS and do not have certificates to copy. LP#2105505

  • Fixed Fluentd configuration template to avoid generating unnecessary empty lines when optional parameters are not set.

  • Prevents accidental libvirt downgrades in nova_libvirt container image during deploy and upgrade. Adds a nova_libvirt version check that resolves the target image digest once on the first compute host and runs only on hypervisors where the running container digest differs from the target.

  • Adds a missing override for octavia_notification_topics so that operators can add their own notification topics for Octavia. By default it will send notifications to ceilometer when ceilometer is enabled.

  • Allow operators to run kolla-ansible post-deploy without escalating privileges on the deploy node when node_config is writable for that user.

  • Restore the default Let’s Encrypt ACME server for external certificates so that enabling enable_letsencrypt works out of the box again without explicitly setting letsencrypt_external_cert_server. The default is https://acme-v02.api.letsencrypt.org/directory.