Zed Series Release Notes

18.0.0.0b1-380

New Features

  • Enable VeNCrypt authentication scheme from noVNC proxy to compute nodes. When using HTTPS, the TLS encryption only applies to data between the tenant user and proxy server. To provide protection from the noVNC proxy to the Compute Nodes, it is necessary to enable the VeNCrypt authentication scheme for VNC.

    A pre-existing PKI (Public Key Infrastructure) setup is required.

    Initially to help with the transition from unencrypted VNC to VeNCrypt, compute nodes auth scheme allows for both encrypted and unencrypted sessions using the variable nova_vencrypt_auth_scheme, this will be removed in future releases.

  • It is now possible to use NFS mountpoints with the role by using the nova_nfs_client variable, which is useful for using NFS for instance data and saves.

  • Implemented new variable connection_recycle_time responsible for SQLAlchemy’s connection recycling

  • The nova configuration is updated to always specify an LXD storage pool name when ‘nova_virt_type’ is ‘lxd’. The variable ‘lxd_storage_pool’ is defaulted to ‘default’, the LXD default storage pool name. A new variable ‘lxd_init_storage_pool’ is introduced which specifies the underlying storage pool name. ‘lxd_init_storage_pool’ is used by lxd init when setting up the storage pool. If not provided, lxd init will not use this parameter at all. Please see the lxd man page for further information about the storage pool parameter.

  • You can now set the Libvirt CPU model and feature flags from the appropriate entry under the nova_virt_types dictionary variable (normally kvm). nova_cpu_model is a string value that sets the CPU model; this value is ignored if you set any nova_cpu_mode other than custom. nova_cpu_model_extra_flags is a list that allows you to specify extra CPU feature flags not normally passed through with host-model, or the custom CPU model of your choice.

  • A new variable nova_ironic_console_type is added to enable the deployment of one of the nova console proxies in the ironic_console ansible group. The only supported setting at this time is disabled or serialconsole.

  • The service setup in keystone for nova will now be executed through delegation to the nova_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override in user_variables.yml.

    nova_service_setup_host: "{{ groups['utility_all'][0] }}"

  • Re-added nova_dhcp_domain variable that defaults to the dhcp_domain. When set to empty string, only the hostname without a domain will be configured for the instances.

  • Added variable nova_scheduler_extra_filters which allows to extend list of defaulted nova_scheduler_default_filters

  • New variables nova_glance_rbd_inuse and nova_glance_images_rbd_pool have been implemented that allows deployer to easily configure nova to retrieve glance images from RBD directly, if nova uses local storage for ephemeral drives.

  • The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the nova_install_method variable to distro.

  • Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in nova.

Known Issues

  • With the release of CentOS 7.5, all pike releases are broken due to a mismatch in version between the libvirt-python library specified by the OpenStack community, and the version provided in CentOS 7.5. As such OSA is unable build the appropriate python library for libvirt. The only recourse for this is to upgrade the environment to the latest queens release.

Upgrade Notes

  • If your configuration previously set the libvirt/cpu_model and/or libvirt/cpu_model_extra_flags variables in a nova_nova_conf_overrides dictionary, you should consider moving those to nova_cpu_model and nova_cpu_model_extra_flags in the appropriate entry (normally kvm) in the nova_virt_types dictionary.

  • During upgrade your current Nova cell mapings will be converted to usage of the Template URLs. This means, that your changes of transport_url or [database]/connection in nova.conf will be reflected by nova-conductor in cells just after service restart, without need to explicitly run nova-manage cell_v2 update_cell.

  • String value of nova_scheduler_default_filters is converted to the list At the moment there is compatability for overriden values, that are string, but this support will be removed in the future releases. So deployers are recommended to replace their string overrides with list ones.

  • The default nova console type has been changed to novnc. Spice is still supported however due to novnc being more actively maintained it is now a better default option.

  • The following Nova tunables have been removed, users need to start using the nova_nova_conf_overrides dictionary to override them. If those values were not previously overridden, there should be no need to override them. - nova_quota_cores - nova_quota_injected_file_content_bytes - nova_quota_injected_file_path_length - nova_quota_injected_files - nova_quota_instances - nova_quota_key_pairs - nova_quota_metadata_items - nova_quota_ram - nova_quota_server_group_members - nova_quota_server_groups - nova_max_instances_per_host - nova_scheduler_available_filters - nova_scheduler_weight_classes - nova_scheduler_driver - nova_scheduler_driver_task_period - nova_rpc_conn_pool_size - nova_rpc_thread_pool_size - nova_rpc_response_timeout - nova_force_config_drive - nova_enable_instance_password - nova_default_schedule_zone - nova_fatal_deprecations - nova_resume_guests_state_on_host_boot - nova_cross_az_attach - nova_remove_unused_resized_minimum_age_seconds - nova_cpu_model - nova_cpu_model_extra_flags

  • The following Nova variables have been removed because they have no effect in the current release of Nova. - nova_max_age - nova_osapi_compute_workers - nova_metadata_workers

Deprecation Notes

  • Variable nova_glance_api_servers has been removed and has no effect due to corresponsive upstream api_servers being deprecated.

  • The PowerVM driver has been removed as it is not tested and it has been broken since late 2016 due to the driver name being renamed to powervm_ext instead of powervm.

  • The variable nova_compute_pip_packages is no longer used and has been removed.

  • The variable nova_requires_pip_packages is no longer required and has therefore been removed.

  • Variables nova_novncproxy_agent_enabled, nova_serialconsoleproxy_enabled and nova_console_agent_enabled are removed and won’t have any effect in the future. If you want to disable console functionality, set nova_console_type: disabled in your user_variables.yml

  • nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.

  • Variable nova_enabled_vgpu_types has been deprecated and is replaced with nova_enabled_mdev_types.

  • Variable nova_memcached_servers has been deprecated and replaced with nova_cache_servers that defaults to memcached_servers. For backpwards compatability nova_memcached_servers is still respected but will be removed in future releases.

  • nova-placement-api has been removed from the os_nova role, along with all nova_placement_* variables. Please review the os_placement role for information about how to configure the new placement service.

  • Variables nova_external_ssl and nova_secure_proxy_ssl_header have been removed since secure_proxy_ssl_header option from nova.conf they controlled has been deprecated and has no effect.

  • The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment. - nova_oslomsg_rpc_servers replaces nova_rabbitmq_servers - nova_oslomsg_rpc_port replaces nova_rabbitmq_port - nova_oslomsg_rpc_use_ssl replaces nova_rabbitmq_use_ssl - nova_oslomsg_rpc_userid replaces nova_rabbitmq_userid - nova_oslomsg_rpc_vhost replaces nova_rabbitmq_vhost - nova_oslomsg_notify_servers replaces nova_rabbitmq_telemetry_servers - nova_oslomsg_notify_port replaces nova_rabbitmq_telemetry_port - nova_oslomsg_notify_use_ssl replaces nova_rabbitmq_telemetry_use_ssl - nova_oslomsg_notify_userid replaces nova_rabbitmq_telemetry_userid - nova_oslomsg_notify_vhost replaces nova_rabbitmq_telemetry_vhost - nova_oslomsg_notify_password replaces nova_rabbitmq_telemetry_password

  • The nova-lxd driver is no longer supported upstream, and the git repo for it’s source code has been retired on the master branch. All code for deploying or testing nova-lxd has been removed from the os_nova ansible role. The following variables have been removed:

    • nova_supported_virt_types ‘lxd’ list entry

    • nova_compute_lxd_pip_packages

    • lxd_bind_address

    • lxd_bind_port

    • lxd_storage_backend

    • lxd_trust_password

    • lxd_storage_create_device

Bug Fixes

  • Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.

  • Fixes the absence of libvirtd.service on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, they do not install libvirt-deamon as a dependency to libvirt-deamon-kvm anymore. libvirt-deamon is installed explicitly now.

  • In order to prevent further issues with a libvirt and python-libvirt version mismatch, KVM-based compute nodes will now use the distribution package python library for libvirt. This should resolve the issue seen with pike builds on CentOS 7.5.

  • Fixed behaviour of variable nova_spice_console_agent_enabled. It can be safely used now to disable spice agent when needed.

Other Notes

  • Set new default values for db pooling variables which are inherited from the global ones.

18.0.0.0b1

New Features

  • Added the ability to configure vendor data for Nova in order to be able to push things via the metadata service or config drive.

  • The default variable nova_default_schedule_zone was previously set by default to nova. This default has been removed to allow the default to be set by the nova code instead. Deployers wishing to maintain the default availability zone of nova must now set the variable as a user_variables.yml or group_vars override.

17.0.0.0rc1

Deprecation Notes

  • The nova_placement database which was implemented in the ocata release of OpenStack-Ansible was never actually used for anything due to reverts in the upstream code. The database should be empty and can be deleted. With this the following variables also no longer have any function and have been removed.

    • nova_placement_galera_user

    • nova_placement_galera_database

    • nova_placement_db_max_overflow

    • nova_placement_db_max_pool_size

    • nova_placement_db_pool_timeout

17.0.0.0b3

Other Notes

  • The variables nova_scheduler_use_baremetal_filters and nova_metadata_host have been removed, matching upstream nova changes. The nova_virt_types dict no longer needs the nova_scheduler_use_baremetal_filters and nova_firewall_driver keys as well.

17.0.0.0b2

New Features

  • Enable Kernel Shared Memory support by setting nova_compute_ksm_enabled to True.

Upgrade Notes

  • KSM configuration is changed to disabled by default on Ubuntu. If you overcommit the RAM on your hypervisor it’s a good idea to set nova_compute_ksm_enabled to True.

16.0.0.0rc1

New Features

  • The nova-api, and nova-metadata services have moved to run as uWSGI applications. You can override their uwsgi configuration files using the nova_api_os_compute_uwsgi_ini_overrides, and nova_api_metadata_uwsgi_ini_overrides settings.

Upgrade Notes

  • The nova-placement service now runs as a uWSGI application that is not fronted by an nginx web-server by default. After upgrading, if the nova-placement service was running on a host or container without any other services requiring nginx, you should manually remove nginx.

Deprecation Notes

  • Settings related to nginx and the placement will no longer serve any purpose, and should be removed. Those settings are as follows - nova_placement_nginx_access_log_format_extras, nova_placement_nginx_access_log_format_combined, nova_placement_nginx_extra_conf, nova_placement_uwsgi_socket_port, and nova_placement_pip_packages.

16.0.0.0b3

New Features

  • The os_nova role now provides for doing online data migrations once the db sync has been completed. The data migrations will not be executed until the boolean variable nova_all_software_updated is true. This variable will need to be set by the playbook consuming the role.

Deprecation Notes

  • The nova_cpu_mode Ansible variable has been removed by default, to allow Nova to detect the default value automatically. Hard-coded values can cause problems. You can still set nova_cpu_mode to enforce a cpu_mode for Nova. Additionally, the default value for the qemu libvirt_type is set to none to avoid issues caused with qemu 2.6.0.

16.0.0.0b2

New Features

  • New variables have been added to allow a deployer to customize a nova systemd unit file to their liking.

  • The task dropping the nova systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and polute the generic systemd unit file with jinja2 variables and conditionals.

  • For the os_nova role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables which use the config_template task to change template defaults.

Upgrade Notes

  • For the os_nova role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables which use the config_template task to change template defaults.

Deprecation Notes

  • The upstream noVNC developers recommend that the keymap be automatically detected for virtual machine consoles. Three Ansible variables have been removed:

    • nova_console_keymap

    • nova_novncproxy_vnc_keymap

    • nova_spice_console_keymap

    Deployers can still set a specific keymap using a nova configuration override if necessary.

16.0.0.0b1

New Features

  • Capping the default value for the variables nova_wsgi_processes, nova_osapi_compute_workers, nova_metadata_workers and nova_conductor_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.

  • Removed dependency for cinder_backends_rbd_inuse in nova.conf when setting rbd_user and rbd_secret_uuid variables. Cinder delivers all necessary values via RPC when attaching the volume, so those variables are only necessary for ephemeral disks stored in Ceph. These variables are required to be set up on cinder-volume side under backend section.

  • Nova may now use an encrypted database connection. This is enabled by setting nova_galera_use_ssl to True.

Upgrade Notes

  • When upgrading nova the cinder catalog_info will change to use the cinderv3 endpoint. Ensure that you have upgraded cinder so that the cinderv3 endpoint exists in the keystone catalog.

Deprecation Notes

  • Several nova.conf options that were deprecated have been removed from the os_nova role. The following OpenStack-Ansible variables are no longer used and should be removed from any variable override files. * nova_dhcp_domain * nova_quota_fixed_ips * nova_quota_floating_ips * nova_quota_security_group_rules * nova_quota_security_groups

Security Issues

  • Nova may now use an encrypted database connection. This is enabled by setting nova_galera_use_ssl to True.

15.0.0.0rc1

New Features

  • The nova-placement service is now configured by default. nova_placement_service_enabled can be set to False to disable the nova-placement service.

  • The nova-placement api service will run as its own ansible group nova_api_placement.

  • Nova cell_v2 support has been added. The default cell is cell1 which can be overridden by the nova_cell1_name. Support for multiple cells is not yet available.

15.0.0.0b3

New Features

  • The filename of the apt source for the ubuntu cloud archive can now be defined with the variable uca_apt_source_list_filename.

15.0.0.0b2

Bug Fixes

  • Setup for the PowerVM driver was not properly configuring the system to support RMC configuration for client instances. This fix introduces an interface template for PowerVM that properly supports mixed IPV4/IPV6 deploys and adds documentation for PowerVM RMC. For more information see bug 1643988.

15.0.0.0b1

New Features

  • CentOS7/RHEL support has been added to the os_nova role.

Upgrade Notes

  • The nova-cert service has been deprecated, is marked for removal in the Ocata release, and will no longer be deployed by the os_nova role.

  • The variables nova_requirements_git_repo and nova_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

  • The variables nova_lxd_requirements_git_repo and nova_lxd_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file using the variable pip_install_upper_constraints instead.

Bug Fixes

  • The URL of NovaLink uses ‘ftp’ protocol to provision apt key. It causes apt_key module to fail to retrieve NovaLink gpg public key file. Therefore, change the protocol of URL to ‘http’. For more information, see bug 1637348.

14.0.0.0rc1

New Features

  • The os_nova role can now deploy the a custom /etc/libvirt/qemu.conf file by defining qemu_conf_dict.

14.0.0.0b3

New Features

  • The os_nova role can now deploy the nova-lxd hypervisor. This can be achieved by setting nova_virt_type to lxd on a per-host basis in openstack_user_config.yml or on a global basis in user_variables.yml.

  • The os_nova role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting nova_package_state to present.

Upgrade Notes

  • The os_nova role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option nova_package_state should be set to present.

14.0.0.0b2

New Features

  • The nova SSH public key distribution has been made a lot faster especially when deploying against very large clusters. To support larger clusters the role has moved away from the “authorized_key” module and is now generating a script to insert keys that may be missing from the authorized keys file. The script is saved on all nova compute nodes and can be found at /usr/local/bin/openstack-nova-key.sh. If ever there is a need to reinsert keys or fix issues on a given compute node the script can be executed at any time without directly running the ansible playbooks or roles.

  • The os_nova role can now detect and support basic deployment of a PowerVM environment. This sets the virtualization type to ‘powervm’ and installs/updates the PowerVM NovaLink package and nova-powervm driver.

  • Nova UCA repository support is implemented by default. This will allow the users to benefit from the updated packages for KVM. The nova_uca_enable variable controls the install source for the KVM packages. By default this value is set to True to make use of UCA repository. User can set to False to disable.

Upgrade Notes

  • Adding a new nova.conf entry, live_migration_uri. This entry will default to a qemu-ssh:// uri, which uses the ssh keys that have already been distributed between all of the compute hosts.

  • Installation of nova and its dependent pip packages will now only occur within a Python virtual environment. The nova_venv_enabled, nova_venv_bin variables have been removed.

  • The following variables have been renamed in order to make the variable names neutral for multiple operating systems.

    • nova_apt_packages -> nova_distro_packages

    • nova_spice_apt_packages -> nova_spice_distro_packages

    • nova_novnc_apt_packages -> nova_novnc_distro_packages

    • nova_compute_kvm_apt_packages -> nova_compute_kvm_distro_packages

Other Notes

  • nova_libvirt_live_migration_flag is now phased out. Please create a nova configuration override with live_migration_tunnelled: True if you want to force the flag VIR_MIGRATE_TUNNELLED to libvirt. Nova “chooses a sensible default” otherwise.

  • nova_compute_manager is now phased out.

14.0.0.0b1

New Features

  • The os_nova role can now detect a PowerNV environment and set the virtualization type to ‘kvm’.

Upgrade Notes

  • Cleanup tasks are added to remove the nova console git directories /usr/share/novnc and /usr/share/spice-html5, prior to cloning these inside the nova vnc and spice console playbooks. This is necessary to guarantee that local modifications do not break git clone operations, especially during upgrades.

  • The database create and user creates have been removed from the os_nova role. These tasks have been relocated to the playbooks.

Bug Fixes

  • The /var/lib/libvirt/qemu/save directory is now a symlink to {{ nova_system_home_folder }}/save to resolve an issue where the default location used by the libvirt managed save command can result with the root partitions on compute nodes becoming full when nova image-create is run on large instances.