2023.1 Series Release Notes¶
27.6.1¶
Known Issues¶
Due to the underlying bug in Ansible collections for OpenStack,
Default
domain name can be renamed todefault
under certain conditions. One known example is havingdomain: default
defenition underkeystone_sp -> trusted_idp_list -> federated_identities
structure.
Upgrade Notes¶
Please, make sure that in case of federation usage you define domain name instead of it’s ID (ie.
Default
instead ofdefault
) underkeystone_sp -> trusted_idp_list -> federated_identities
27.6.0¶
Upgrade Notes¶
Default for Neutron API has been switched from using uWSGI to old eventlet due to found compatability issues for the current OpenStack release. You can find more infromation in Neutron bug report You can preserve current behaviour by setting
neutron_use_uwsgi: True
Bug Fixes¶
In case of switching Neutron from uWSGI to old eventlet, neutron-rpc-server service will be disabled and stopped by the role.
27.5.1¶
Security Issues¶
Includes safe (non-vulnerable) versions of services regarding OSSA-2024-002
Other Notes¶
In order to align with oslo.messaging reverted default of
heartbeat_in_pthread
value we remove own logic of handling the value based on host groups. You still can useoslomsg_heartbeat_in_pthread
or specific role variables to alter the behaviour.
27.5.0¶
New Features¶
Added variable
cinder_manage_volume_types
that allows to skip volume type creation and management by os_cinder role.
Upgrade Notes¶
Support is added to enable all stable RabbitMQ feature flags by default. This happens automatically post upgrade, and avoids compatibility issues which could occur when installing a new version of RabbitMQ.
Stable RabbitMQ feature flags will be enabled automatically pre-upgrade in order to prevent failures during the upgrade process.
Deprecation Notes¶
The variable
keystone_external_ssl
was deprecated and is no longer used. You still can control if communication between HAProxy and Keystone should be covered with TLS throughkeystone_backend_ssl
orhaproxy_ssl
/haproxy_ssl_all_vips
for communication between clients and HAProxy on frontend.
Security Issues¶
Includes safe (non-vulnerable) versions of services regarding OSSA-2024-001
Bug Fixes¶
Python wheels build no longer fails in case of issues with a repo host and should succeed as long as there at least one reachable repo host with matching Distro/Version/Architecture.
27.4.3¶
Upgrade Notes¶
When using RabbitMQ in a high availability cluster (non-quorum queues), transient ‚reply_‘ queues are now included in the HA policy where they previously were not. Note that this will increase the load on the RabbitMQ cluster, particularly for deployments with large numbers of compute nodes.
Deprecation Notes¶
Format of
client
key insideceph_extra_components
variable has been deprecated in favor of a mapping with one required attributename
. Havingclient
key defined as a simple list is kept for backwards compatibility but will be removed in future releases.
Bug Fixes¶
Fixes user-collection-requirements bootstrap process, when defied by deployer collection uses „git+file“ as a source scheme. Previously an unexpected version of collection could get installed when using „git+file“ scheme.
Backwards compatibility of
client
key insideceph_extra_components
variable has been fixed to support both a list and a list of mappings.
27.4.2¶
Known Issues¶
Upgrading from Ubuntu from Focal Fossa (20.04) to Jammy Jellyfish (22.04) while using ML2.OVN Neutron driver is known to have issues. Please check Bug Report for more details: https://bugs.launchpad.net/openstack-ansible/+bug/2059721
Bug Fixes¶
Change of
horizon_webroot
variable is now respected and will be reflected in Apache configuration to serve static files and define wsgi path accordingly.
27.4.0¶
New Features¶
Add
rabbitmq_additional_config
to be able to add additional configuration e.g. to add configuration for plugins.
Known Issues¶
With recent changes to config_template module, it is not possible anymore to have variables as dictionary keys in overrides. Example below will not be renderred properly:
config_overrides: "{{ inventory_hostname }}": cruel: world
This limitation boils down to Ansible design and will be true for any other module as well. In order to overcome it, you can transform the dictionary to a Jinja2 format:
config_overrides: |- {{ { inventory_hostname: { 'cruel': 'world' } } }}
Deprecation Notes¶
Variables controlling systemd-networkd default filename templating when one is not supplied were deprecated and has no effect from now on.
systemd_networkd_filename
systemd_networkd_filename_alt
It is highly recommended to provide
filename
parameter explicitly whenever you definesystemd_netdevs
orsystemd_networks
structures.
Bug Fixes¶
Fixes format of
ceph_conf_overrides_rgw
variable by converting override dictionary to Jinja2 format to workaround Ansible limitation on usage of variables as keys in dictionary.
After adding
localhost
to inventory explicitly this resulted in potential FQDN change due to adding a record for localhost into managed block inside/etc/hosts
file. This is now fixed and record for127.0.0.1
will be removed from managed by Ansible blocks inside /etc/hosts file.
Multiple routes can be supplied to the systemd network and they will be placed to a separate configuration file /etc/systemd/network/{{ filename }}.d/routes.conf
Previously defining multiple routes will result in squashing them together under same section name, while for them to work properly each descriped route must be placed in it’s own section.
27.3.0¶
Upgrade Notes¶
Keystone OIDC parameter ‚oidc_redirect_uri‘ is replaced with ‚oidc_redirect_path‘. This parameter no longer needs to be set explicitly unless you run additional services which may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in redirect URI which defaults to the Keystone public URL plus the path /oidc_redirect.
Bug Fixes¶
Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc if >= v2.4.9 including on Ubuntu Jammy.
Other Notes¶
The
localhost
target was explicitly added to OSA inventory due to bug #2041717. As a result, the ‚all‘ group now contains localhost, and custom playbooks targeting ‚all‘ may need adjustment, e.g.:hosts: all:!localhost
27.2.0¶
New Features¶
HAProxy services that use backend nodes that are not in the Ansible inventory can now have the
backend_port
specified in the list, along withname
orip_addr
settings. This allow to have the service bound to different port on different backend servers.
Added variables
galera_backups_full_init_overrides
andgalera_backups_increment_init_overrides
that can be leveraged to override default set of systemd unit file for mariadb backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc .
HAProxy services can now override the path of the certificate with
haproxy_ssl_path
if set under the service definition.
Added variable
openstack_host_journald_config
that allows to supply arbitrary configuration for systemd-journald as a mapping.
Deprecation Notes¶
nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.
common-playbooks/nova.yml
has been deprecated and removed. All content from it now resides insideos-nova-install.yml
directly.
Bug Fixes¶
Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.
27.1.0¶
New Features¶
Implemented variable
lxc_image_cache_expiration
that controlls for how long cached LXC image will be valid. Default value is 1year. Variable format should be compatible with community.general.to_time_unit filter.
Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool.
--compress=True|False
--compressor=<compressor>
Also introduces new Ansible variables that control the above mentioned parameters.
galera_mariadb_backups_compress
galera_mariadb_backups_compressor
Each backup archive is stored in a dedicated directory, alongside the backup metadata.
Upgrade Notes¶
Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set
galera_mariadb_backups_compress
toTrue
. Choose a compression tool withgalera_mariadb_backups_compressor
, default isgzip
.
Bug Fixes¶
LXC image cache expiration mechanism has being fixed. Previously LXC images were valid forever.
All compute nodes are not added as OVN gateways by default and
network-gateway_hosts
definition is respected.
27.0.0¶
Prelude¶
It is now possible to create and manage third-party services, mount points and networks on hosts managed by OpenStack-Ansible. This also inlcudes networks, that are required for OpenStack-Ansible installation, like br-mgmt or br-storage. In order to configure specific resources on selected set of hosts, usage of group_vars or host_vars is appreciated.
New Features¶
The variable
uwsgi_bind_address
can now be a single IP address passed as a string, or a list of IP addresses passed in a yaml list to the uwsgi role. This allows uwsgi to listen on a specific set of IP addresses rather than just a single one.
Support and documentation is added to the ceph_client role for enabling the Ceph Immutable Object Cache and the Peristent Write Log cache.
Added option to periodically clean-up deleted records from Cinder database. For this purpose a new service``cinder-purge-deleted`` was introduced. It will be called periodically using corresponsive systemd timer on the first cinder-api host.
By default this service is disabled/stopped and database cleanup is not performed. You can enable this behaviour by defining variable
cinder_purge_deleted
.
A new key
haproxy_default_backend
can be defined for each service configured in the haproxy loadbalancer. Configuring this variable writes a value for thedefault_backend
directive into the config for the service frontend. It can be useful to provide a specific default backend as a fall-through option when other backends are selected using ACLs, and to also allow the name of the default backend to be different fromhaproxy_service_name
.
Automatic generation of
ansible_<variable>
fact vars is now disabled when using theopenstack-ansible
command. There is now less data to pass to the target hosts when executing ansible modules. The same values are now accessed as follows:ansible_facts['variable']
The configuration for serving port 80/443 in haproxy was previously associated with the Horizon service, but additional features such as handling certificate issuance with certbot and serving security.txt also need configuration in the same haproxy frontend. The existing variable
haproxy_horizon_service
now only describes the haproxy backend for horizon, and a new variablehaproxy_base_service
configures the haproxy frontend for any services using port 80/443.
A new key haproxy_map_entries is now able to be configured for each haproxy service definition to allow arbitrary entries to be placed in any number of haproxy map files which may then be referenced in other directives in the haproxy config file such as
use_backend
orhttp-request
. The complete map files are constructed from the fragments defined across all the service definitions and are assembled into a complete map file in alphanumeric sort order, or optionally with a user defined ordering.
Added new
management_ip
option, that can be defined in conf.d or openstack_user_config.yml files for hosts. It might be useful if SSH network for accessing hosts differs from OpenStack management network. Optionmanagement_ip
should be set to an IP address that represents management network on the host, whileip
option remains to represent SSH address that will be used to access host by Ansible.
If the
ironic_drivers_enabled
variable from the os_ironic role includes a driver which uses theipmitool-socat
console interface, that interface is now enabled automatically in theironic.conf
enabled_console_interfaces
config option. New variablesironic_socat_bind_address
andironic_socat_port_range
are added to support further customisation of the serial console data flow.
Added variable
lxc_net_bridge_type
that allows to control type for lxcbr0: it can be set either to linuxbridge or openvswitch as of today. Default value is linuxbridge that preserves previous behaviour.
A new driver type
no_driver
is defined in the os_ironic role which enables theno-console
,no-raid
andno-inspect
interfaces in the ironic configuration. This driver is added to the defaults set of drivers configured by the ironic ansible role.
Support is added to the os_nova ansible role to deploy resource provider config files to nova compute nodes. This allows automatic configuraion of resource providers without having to use the openstack API or command line.
Added option to periodically clean-up deleted records from Nova database. Having a lot of records for the deleted instances affects service performance. With that 2 new services are being introduced:
nova-archive-deleted
andnova-purge-deleted
that will be called periodically using corresponsive systemd timers on the first nova-conductor host.By default these services are disabled/stopped and database cleanup is not performed. You can enable this behaviour by defining variables
nova_archive_deleted
andnova_purge_deleted
.Service
nova-archive-deleted
will execute nova-manage db archive_deleted_rows whilenova-archive-deleted
will execute nova-manage db purge. Please correspond to nova-manage documentation for more information on what these commands do: https://docs.openstack.org/nova/latest/cli/nova-manage.html
Added new varaibles that allow users to configure extra systemd services, networks or mounts on openstack hosts. While services and mounts can be configured on any targeted hosts, networks will be created only on bare metal nodes. In order to configure extra networks in containers please reffer to
openstack_user_config.yml
documentation. A list of new variables that were added:openstack_hosts_systemd_mounts
openstack_hosts_systemd_networkd_devices
openstack_hosts_systemd_networkd_networks
openstack_hosts_systemd_networkd_prefix
openstack_hosts_systemd_services
openstack_hosts_systemd_slice
Added variables
venv_pip_build_env
andvenv_pip_install_env
that allows to set extra environment variables during wheels build or venv installation.
Added variables
pki_handler_ca_changed
,pki_handler_cert_changed
andpki_handler_cert_installed
that control name of meta handlers which role triggers when included. This might be useful if multiple roles that leverage the pki role are inlcuded withing same playbook and you want to have better control over handler execution.
Haproxy services are now configured separately at the beginning of each service playbook.
New variables
openstack_opendev_base_url
andopenstack_github_base_url
have been implemented that allow to quickly change base url of repositories for all used service. This might be useful for environments with limited connectivity or in case of issues with one of the mirrors.
Added variable
venv_build_group
that allows to provide an ansible group name, that will be used to find wheels build targets. Default is repo_all
Upgrade Notes¶
Any external or 3rd party integrations with openstack-ansible that use the
openstack-ansible
command line wrapper aroundansible-playbook
and access ansible facts via theansible_<variable>
pattern must be refactored to access those variables as follows:ansible_facts['variable']
. If this is not possible, the environment variableANSIBLE_INJECT_FACT_VARS
can be set toTrue
to restore the previous behaviour.
keystone_security_txt_content
variable name has changed tohaproxy_security_txt_content
. Security.txt file is now served directly from haproxy.
Variable
keystone_ssl
was deprecated in favor ofkeystone_backend_ssl
.
If you’re using NSX or Nuage network drivers, make sure you have replaced definition of
nova_network_type
to appropriatenova_nova_conf_overrides
. Please, consult with os_neutron documenteation on the required overrides.
Default provider driver for Octavia has been changed to
amphorav2
, since amphora and octavia drivers are deprecated for removal.
Default values for variables
octavia_loadbalancer_topology
andoctavia_enable_anti_affinity
has been switched toACTIVE_STANDBY
andTrue
accordingly to reflect most reasonable production setup. You can define these variables to their previous defaults if you want to preserve behaviour.
Default value for
octavia_security_group_rule_cidr
is changed and defined to the CIDR of Octavia management network. To preserve previous behaviour, please override the variable to 0.0.0.0/0.
Support for the calico ml2 driver is removed. It will not be possible to upgrade an existing deployment using calico networking.
Deprecation Notes¶
Certbot-auto is deprecated since 2020. It was removed from haproxy_server role.
Key
is_container_address
that is used for definition of the provider_networks has been renamed tois_management_address
, to avoid confusion for bare metal deployments. Backwards compatability was kept.
Variable
container_address
has been deprecated in favor ofmanagement_address
. Variablemanagement_address
is available since Victoria release and was defaulted to the value ofcontainer_address
.
Variables
horizon_ssl_self_signed_regen
andhorizon_ssl_self_signed_subject
are deprecated. Horizon role uses ansible-role-pki now so they are no longer needed.
Variables
nova_network_type
andnova_network_services
have been deptecated and will be silently ignored in the future. Please, usenova_nova_conf_overrides
if you need to defineovs_bridge
option for specific network drivers, like nsx or nuage.
RabbitMQ packages are no longer provided by PackageCloud due to the upstream repository being no longer available after 2023-05-28. Installations will now utilize a community mirror of CloudSmith repositories for rabbitmq and erlang.
https://github.com/rabbitmq/rabbitmq-server/discussions/8386
haproxy_service_configs
format was simplified. Now it’s just a list of dicts. Usage ofservice
key inhaproxy_service_configs
elements is deprecated and will be removed in 2023.2 release.
Bug Fixes¶
Fixes incorrect definition of ceilometer
polling_namespaces
, when host is part of both central and compute groups (ie metal/aio scenario)
Fixes the absence of
libvirtd.service
on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, they do not install libvirt-deamon as a dependency to libvirt-deamon-kvm anymore. libvirt-deamon is installed explicitly now.
Fixed issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts for OVN scenario along with neutron-ovn-metadata-agent. These services will be disabled and masked for existing environments. Manual clean-up of systemd services and correpsonsive neutron agents is still needed. New deployments won’t have these services deployed from the beginning.
Other Notes¶
After haproxy base service was added, dummy letsencrypt service is no longer needed for deployments without horizon and should be removed.
horizon_enable_ssl
has been renamed tohorizon_backend_ssl
for consistency reasons.
Default value for
horizon_enable_ssl
has changed to False. (oropenstack_service_backend_ssl
if it is defined)
Variable
openstack_service_accept_both_protocols
was implemented to temporarily accept both HTTP and HTTPS traffic on haproxy frontends. It is useful when changing protocol of service endpoints.
Version of RabbitMQ is bumped to 3.11.7, Erlang version is bumped to 25.2.
SHA of services that are used during source install were moved from playbooks/defaults/repo_packages folder to inventory/group_vars/<service_group>/source_git.yml files that correspond to each individual service.
Haproxy service definitions(along with their overrides) are no longer stored in haproxy group vars. They were moved to service variables, so for example
glance_haproxy_services
are stored in glance_all group variables.
The structure of
haproxy_default_services
andhaproxy_extra_services
was simplified. Now it’s just a list of dicts. It has the same format ashaproxy_service_configs
.
uWSGI support was implemented to os_blazar role.
Default value of
venv_wheel_build_enable
has been changed. Now wheels are built when there is at least a single host invenv_build_group
. Previously it was depending on the amount of hosts targeted for the play.