Zed Series Release Notes¶
18.0.0.0b1-379¶
New Features¶
Enable VeNCrypt authentication scheme from noVNC proxy to compute nodes. When using HTTPS, the TLS encryption only applies to data between the tenant user and proxy server. To provide protection from the noVNC proxy to the Compute Nodes, it is necessary to enable the VeNCrypt authentication scheme for VNC.
A pre-existing PKI (Public Key Infrastructure) setup is required.
Initially to help with the transition from unencrypted VNC to VeNCrypt, compute nodes auth scheme allows for both encrypted and unencrypted sessions using the variable nova_vencrypt_auth_scheme, this will be removed in future releases.
This role now optionally enables your compute nodes’ KVM kernel module nested virtualization capabilities, by setting nova_nested_virt_enabled to true. Depending on your distribution and libvirt version, you might need to set additional variables to fully enabled nested virtualization. For details, please see https://docs.openstack.org/nova/latest/admin/configuration/hypervisor-kvm.html#nested-guest-support.
It is now possible to use NFS mountpoints with the role by using the nova_nfs_client variable, which is useful for using NFS for instance data and saves.
Implemented new variable
connection_recycle_time
responsible for SQLAlchemy’s connection recycling
The nova configuration is updated to always specify an LXD storage pool name when ‘nova_virt_type’ is ‘lxd’. The variable ‘lxd_storage_pool’ is defaulted to ‘default’, the LXD default storage pool name. A new variable ‘lxd_init_storage_pool’ is introduced which specifies the underlying storage pool name. ‘lxd_init_storage_pool’ is used by lxd init when setting up the storage pool. If not provided, lxd init will not use this parameter at all. Please see the lxd man page for further information about the storage pool parameter.
You can now set the Libvirt CPU model and feature flags from the appropriate entry under the
nova_virt_types
dictionary variable (normallykvm
).nova_cpu_model
is a string value that sets the CPU model; this value is ignored if you set anynova_cpu_mode
other thancustom
.nova_cpu_model_extra_flags
is a list that allows you to specify extra CPU feature flags not normally passed through withhost-model
, or thecustom
CPU model of your choice.
A new variable nova_ironic_console_type is added to enable the deployment of one of the nova console proxies in the ironic_console ansible group. The only supported setting at this time is disabled or serialconsole.
The service setup in keystone for nova will now be executed through delegation to the
nova_service_setup_host
which, by default, islocalhost
(the deploy host). Deployers can opt to rather change this to the utility container by implementing the following override inuser_variables.yml
.nova_service_setup_host: "{{ groups['utility_all'][0] }}"
Re-added
nova_dhcp_domain
variable that defaults to thedhcp_domain
. When set to empty string, only the hostname without a domain will be configured for the instances.
Added variable nova_scheduler_extra_filters which allows to extend list of defaulted nova_scheduler_default_filters
New variables
nova_glance_rbd_inuse
andnova_glance_images_rbd_pool
have been implemented that allows deployer to easily configure nova to retrieve glance images from RBD directly, if nova uses local storage for ephemeral drives.
The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the
nova_install_method
variable todistro
.
Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in nova.
Nova now defaults to to using the “QEMU-native TLS” feature for live migrations, rather than the deprecated SSH method. A pre-existing PKI (Public Key Infrastructure) setup is required.
QEMU-native TLS requires all compute hosts to accept TCP connections on port 16514 and port range 49152 to 49261.
More information can be found here: https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html
Known Issues¶
With the release of CentOS 7.5, all pike releases are broken due to a mismatch in version between the libvirt-python library specified by the OpenStack community, and the version provided in CentOS 7.5. As such OSA is unable build the appropriate python library for libvirt. The only recourse for this is to upgrade the environment to the latest queens release.
Upgrade Notes¶
If your configuration previously set the
libvirt/cpu_model
and/orlibvirt/cpu_model_extra_flags
variables in anova_nova_conf_overrides
dictionary, you should consider moving those tonova_cpu_model
andnova_cpu_model_extra_flags
in the appropriate entry (normallykvm
) in thenova_virt_types
dictionary.
During upgrade your current Nova cell mapings will be converted to usage of the Template URLs. This means, that your changes of transport_url or [database]/connection in
nova.conf
will be reflected by nova-conductor in cells just after service restart, without need to explicitly runnova-manage cell_v2 update_cell
.
String value of nova_scheduler_default_filters is converted to the list At the moment there is compatability for overriden values, that are string, but this support will be removed in the future releases. So deployers are recommended to replace their string overrides with list ones.
The default nova console type has been changed to novnc. Spice is still supported however due to novnc being more actively maintained it is now a better default option.
The following Nova tunables have been removed, users need to start using the nova_nova_conf_overrides dictionary to override them. If those values were not previously overridden, there should be no need to override them. - nova_quota_cores - nova_quota_injected_file_content_bytes - nova_quota_injected_file_path_length - nova_quota_injected_files - nova_quota_instances - nova_quota_key_pairs - nova_quota_metadata_items - nova_quota_ram - nova_quota_server_group_members - nova_quota_server_groups - nova_max_instances_per_host - nova_scheduler_available_filters - nova_scheduler_weight_classes - nova_scheduler_driver - nova_scheduler_driver_task_period - nova_rpc_conn_pool_size - nova_rpc_thread_pool_size - nova_rpc_response_timeout - nova_force_config_drive - nova_enable_instance_password - nova_default_schedule_zone - nova_fatal_deprecations - nova_resume_guests_state_on_host_boot - nova_cross_az_attach - nova_remove_unused_resized_minimum_age_seconds - nova_cpu_model - nova_cpu_model_extra_flags
The following Nova variables have been removed because they have no effect in the current release of Nova. - nova_max_age - nova_osapi_compute_workers - nova_metadata_workers
Deprecation Notes¶
Variable
nova_glance_api_servers
has been removed and has no effect due to corresponsive upstream api_servers being deprecated.
The PowerVM driver has been removed as it is not tested and it has been broken since late 2016 due to the driver name being renamed to powervm_ext instead of powervm.
The variable
nova_compute_pip_packages
is no longer used and has been removed.
The variable
nova_requires_pip_packages
is no longer required and has therefore been removed.
Variables
nova_novncproxy_agent_enabled
,nova_serialconsoleproxy_enabled
andnova_console_agent_enabled
are removed and won’t have any effect in the future. If you want to disable console functionality, setnova_console_type: disabled
in your user_variables.yml
nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.
Variable
nova_enabled_vgpu_types
has been deprecated and is replaced withnova_enabled_mdev_types
.
Variable
nova_memcached_servers
has been deprecated and replaced withnova_cache_servers
that defaults tomemcached_servers
. For backpwards compatabilitynova_memcached_servers
is still respected but will be removed in future releases.
nova-placement-api has been removed from the os_nova role, along with all nova_placement_* variables. Please review the os_placement role for information about how to configure the new placement service.
Variables
nova_external_ssl
andnova_secure_proxy_ssl_header
have been removed since secure_proxy_ssl_header option from nova.conf they controlled has been deprecated and has no effect.
The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment. - nova_oslomsg_rpc_servers replaces nova_rabbitmq_servers - nova_oslomsg_rpc_port replaces nova_rabbitmq_port - nova_oslomsg_rpc_use_ssl replaces nova_rabbitmq_use_ssl - nova_oslomsg_rpc_userid replaces nova_rabbitmq_userid - nova_oslomsg_rpc_vhost replaces nova_rabbitmq_vhost - nova_oslomsg_notify_servers replaces nova_rabbitmq_telemetry_servers - nova_oslomsg_notify_port replaces nova_rabbitmq_telemetry_port - nova_oslomsg_notify_use_ssl replaces nova_rabbitmq_telemetry_use_ssl - nova_oslomsg_notify_userid replaces nova_rabbitmq_telemetry_userid - nova_oslomsg_notify_vhost replaces nova_rabbitmq_telemetry_vhost - nova_oslomsg_notify_password replaces nova_rabbitmq_telemetry_password
The nova-lxd driver is no longer supported upstream, and the git repo for it’s source code has been retired on the master branch. All code for deploying or testing nova-lxd has been removed from the os_nova ansible role. The following variables have been removed:
nova_supported_virt_types ‘lxd’ list entry
nova_compute_lxd_pip_packages
lxd_bind_address
lxd_bind_port
lxd_storage_backend
lxd_trust_password
lxd_storage_create_device
Bug Fixes¶
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Fixes the absence of
libvirtd.service
on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, they do not install libvirt-deamon as a dependency to libvirt-deamon-kvm anymore. libvirt-deamon is installed explicitly now.
In order to prevent further issues with a libvirt and python-libvirt version mismatch, KVM-based compute nodes will now use the distribution package python library for libvirt. This should resolve the issue seen with pike builds on CentOS 7.5.
Fixed behaviour of variable
nova_spice_console_agent_enabled
. It can be safely used now to disable spice agent when needed.
Other Notes¶
Set new default values for db pooling variables which are inherited from the global ones.