2023.1 Series Release Notes

27.6.1

Known Issues

  • Due to an underlying bug in the Ansible collections for OpenStack, the Default domain can be renamed to default under certain conditions. One known trigger is a domain: default definition under keystone_sp -> trusted_idp_list -> federated_identities.

Upgrade Notes

  • When using federation, make sure you define the domain name instead of its ID (i.e. Default instead of default) under keystone_sp -> trusted_idp_list -> federated_identities.

27.6.0

Upgrade Notes

  • The default for the Neutron API has been switched from uWSGI back to the old eventlet server due to compatibility issues found for the current OpenStack release. You can find more information in the Neutron bug report. You can preserve the current behaviour by setting neutron_use_uwsgi: True.

Bug Fixes

  • When switching Neutron from uWSGI to the old eventlet server, the neutron-rpc-server service will be disabled and stopped by the role.

27.5.1

Security Issues

  • Includes safe (non-vulnerable) versions of services regarding OSSA-2024-002

Other Notes

  • To align with oslo.messaging, which reverted its default for heartbeat_in_pthread, we removed our own logic for setting that value based on host groups. You can still use oslomsg_heartbeat_in_pthread or the role-specific variables to alter the behaviour.

27.5.0

New Features

  • Added the variable cinder_manage_volume_types, which allows skipping volume type creation and management by the os_cinder role.

Upgrade Notes

  • Support is added to enable all stable RabbitMQ feature flags by default. This happens automatically post upgrade, and avoids compatibility issues which could occur when installing a new version of RabbitMQ.

  • Stable RabbitMQ feature flags will be enabled automatically pre-upgrade in order to prevent failures during the upgrade process.

Deprecation Notes

  • The variable keystone_external_ssl was deprecated and is no longer used. You can still control whether communication between HAProxy and Keystone is covered with TLS through keystone_backend_ssl, and communication between clients and the HAProxy frontend through haproxy_ssl/haproxy_ssl_all_vips.

Security Issues

  • Includes safe (non-vulnerable) versions of services regarding OSSA-2024-001

Bug Fixes

  • Python wheel builds no longer fail when one repo host has issues; the build succeeds as long as there is at least one reachable repo host with a matching Distro/Version/Architecture.

27.4.3

Upgrade Notes

  • When using RabbitMQ in a high availability cluster (non-quorum queues), transient 'reply_' queues are now included in the HA policy where they previously were not. Note that this will increase the load on the RabbitMQ cluster, particularly for deployments with large numbers of compute nodes.

Deprecation Notes

  • The format of the client key inside the ceph_extra_components variable has been deprecated in favor of a mapping with one required attribute, name. Defining the client key as a simple list is kept for backwards compatibility but will be removed in future releases.

Bug Fixes

  • Fixes the user-collection-requirements bootstrap process when a collection defined by the deployer uses 'git+file' as its source scheme. Previously an unexpected version of the collection could get installed when using the 'git+file' scheme.

  • Backwards compatibility of the client key inside the ceph_extra_components variable has been fixed to support both a plain list and a list of mappings.

27.4.2

Bug Fixes

  • Changes to the horizon_webroot variable are now respected and reflected in the Apache configuration, both for serving static files and for defining the WSGI path.

27.4.0

New Features

  • Added rabbitmq_additional_config to allow supplying additional configuration, e.g. configuration for plugins.

Known Issues

  • With recent changes to the config_template module, it is no longer possible to use variables as dictionary keys in overrides. The example below will not be rendered properly:

    config_overrides:
      "{{ inventory_hostname }}":
        cruel: world

    This limitation boils down to Ansible design and applies to any other module as well. To overcome it, you can transform the dictionary into a Jinja2 expression:

    config_overrides: |-
      {{
        {
          inventory_hostname: {
            'cruel': 'world'
          }
        }
      }}

Deprecation Notes

  • The variables controlling the default systemd-networkd filename templating (used when no filename is supplied) were deprecated and have no effect from now on:

    • systemd_networkd_filename

    • systemd_networkd_filename_alt

    It is highly recommended to provide the filename parameter explicitly whenever you define systemd_netdevs or systemd_networks structures.

Bug Fixes

  • Fixes the format of the ceph_conf_overrides_rgw variable by converting the override dictionary to a Jinja2 expression, to work around the Ansible limitation on using variables as dictionary keys.

  • Explicitly adding localhost to the inventory could change the host's FQDN, because a record for localhost was added to the Ansible-managed block inside /etc/hosts. This is now fixed: the record for 127.0.0.1 is removed from the Ansible-managed blocks inside /etc/hosts.

  • Multiple routes can be supplied to a systemd network; they are placed in a separate configuration file, /etc/systemd/network/{{ filename }}.d/routes.conf.

    Previously, defining multiple routes would squash them together under the same section name, while for them to work properly each described route must be placed in its own section.

27.3.0

Upgrade Notes

  • The Keystone OIDC parameter 'oidc_redirect_uri' is replaced with 'oidc_redirect_path'. This parameter no longer needs to be set explicitly unless you run additional services that may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in the redirect URI, which defaults to the Keystone public URL plus the path /oidc_redirect.

Bug Fixes

  • Fixed the OpenStack command line OIDC integration where Apache mod_auth_openidc is >= v2.4.9, including on Ubuntu Jammy.

Other Notes

  • The localhost target was explicitly added to the OSA inventory due to bug #2041717. As a result, the 'all' group now contains localhost, and custom playbooks targeting 'all' may need adjustment, e.g.: hosts: all:!localhost

27.2.0

New Features

  • HAProxy services that use backend nodes not present in the Ansible inventory can now have backend_port specified in the list, along with the name or ip_addr settings. This allows the service to be bound to a different port on different backend servers.

  • Added the variables galera_backups_full_init_overrides and galera_backups_increment_init_overrides, which can be used to override the default set of systemd unit files for MariaDB backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc.

  • HAProxy services can now override the path of the certificate with haproxy_ssl_path if set under the service definition.

  • Added the variable openstack_host_journald_config, which allows supplying arbitrary configuration for systemd-journald as a mapping.

Deprecation Notes

  • nova_pci_passthrough_whitelist is now deprecated in favor of nova_device_spec.

  • common-playbooks/nova.yml has been deprecated and removed. All content from it now resides inside os-nova-install.yml directly.

Bug Fixes

  • Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.

27.1.0

New Features

  • Implemented the variable lxc_image_cache_expiration, which controls how long a cached LXC image remains valid. The default value is 1year. The variable format must be compatible with the community.general.to_time_unit filter.

  • Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool.

    • --compress=True|False

    • --compressor=<compressor>

    Also introduces new Ansible variables that control the above mentioned parameters.

    • galera_mariadb_backups_compress

    • galera_mariadb_backups_compressor

    Each backup archive is stored in a dedicated directory, alongside the backup metadata.

Upgrade Notes

  • Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set galera_mariadb_backups_compress to True. Choose a compression tool with galera_mariadb_backups_compressor, default is gzip.

Bug Fixes

  • The LXC image cache expiration mechanism has been fixed. Previously LXC images were valid forever.

  • Compute nodes are no longer all added as OVN gateways by default; the network-gateway_hosts definition is now respected.

27.0.0

Prelude

It is now possible to create and manage third-party services, mount points and networks on hosts managed by OpenStack-Ansible. This also includes networks required for the OpenStack-Ansible installation itself, like br-mgmt or br-storage. To configure specific resources on a selected set of hosts, use group_vars or host_vars.

New Features

  • The variable uwsgi_bind_address can now be a single IP address passed as a string, or a list of IP addresses passed in a yaml list to the uwsgi role. This allows uwsgi to listen on a specific set of IP addresses rather than just a single one.

  • Support and documentation is added to the ceph_client role for enabling the Ceph Immutable Object Cache and the Persistent Write Log cache.

  • Added an option to periodically clean up deleted records from the Cinder database. For this purpose a new service, cinder-purge-deleted, was introduced. It is called periodically by a corresponding systemd timer on the first cinder-api host.

    By default this service is disabled/stopped and no database cleanup is performed. You can enable this behaviour by defining the variable cinder_purge_deleted.

  • A new key haproxy_default_backend can be defined for each service configured in the haproxy loadbalancer. Configuring this variable writes a value for the default_backend directive into the config for the service frontend. It can be useful to provide a specific default backend as a fall-through option when other backends are selected using ACLs, and to also allow the name of the default backend to be different from haproxy_service_name.

  • Automatic generation of ansible_<variable> fact vars is now disabled when using the openstack-ansible command. There is now less data to pass to the target hosts when executing ansible modules. The same values are now accessed as follows: ansible_facts['variable']

  • The configuration for serving port 80/443 in haproxy was previously associated with the Horizon service, but additional features such as handling certificate issuance with certbot and serving security.txt also need configuration in the same haproxy frontend. The existing variable haproxy_horizon_service now only describes the haproxy backend for horizon, and a new variable haproxy_base_service configures the haproxy frontend for any services using port 80/443.

  • A new key haproxy_map_entries is now able to be configured for each haproxy service definition to allow arbitrary entries to be placed in any number of haproxy map files which may then be referenced in other directives in the haproxy config file such as use_backend or http-request. The complete map files are constructed from the fragments defined across all the service definitions and are assembled into a complete map file in alphanumeric sort order, or optionally with a user defined ordering.

  • Added a new management_ip option that can be defined for hosts in conf.d or openstack_user_config.yml. It is useful when the SSH network used to access hosts differs from the OpenStack management network. management_ip should be set to the host's address on the management network, while the ip option continues to represent the SSH address Ansible uses to access the host.

  • If the ironic_drivers_enabled variable from the os_ironic role includes a driver which uses the ipmitool-socat console interface, that interface is now enabled automatically in the ironic.conf enabled_console_interfaces config option. New variables ironic_socat_bind_address and ironic_socat_port_range are added to support further customisation of the serial console data flow.

  • Added the variable lxc_net_bridge_type, which controls the type of lxcbr0: it can currently be set to either linuxbridge or openvswitch. The default value is linuxbridge, which preserves the previous behaviour.

  • A new driver type no_driver is defined in the os_ironic role which enables the no-console, no-raid and no-inspect interfaces in the ironic configuration. This driver is added to the defaults set of drivers configured by the ironic ansible role.

  • Support is added to the os_nova ansible role to deploy resource provider config files to nova compute nodes. This allows automatic configuration of resource providers without having to use the OpenStack API or command line.

  • Added an option to periodically clean up deleted records from the Nova database. Having a lot of records for deleted instances affects service performance. Two new services are introduced for this, nova-archive-deleted and nova-purge-deleted, which are called periodically by corresponding systemd timers on the first nova-conductor host.

    By default these services are disabled/stopped and no database cleanup is performed. You can enable this behaviour by defining the variables nova_archive_deleted and nova_purge_deleted.

    The service nova-archive-deleted executes nova-manage db archive_deleted_rows, while nova-purge-deleted executes nova-manage db purge. Please refer to the nova-manage documentation for more information on what these commands do: https://docs.openstack.org/nova/latest/cli/nova-manage.html

  • Added new variables that allow users to configure extra systemd services, networks or mounts on OpenStack hosts. While services and mounts can be configured on any targeted hosts, networks are created only on bare metal nodes. To configure extra networks in containers, please refer to the openstack_user_config.yml documentation. The new variables are:

    • openstack_hosts_systemd_mounts

    • openstack_hosts_systemd_networkd_devices

    • openstack_hosts_systemd_networkd_networks

    • openstack_hosts_systemd_networkd_prefix

    • openstack_hosts_systemd_services

    • openstack_hosts_systemd_slice

  • Added the variables venv_pip_build_env and venv_pip_install_env, which allow setting extra environment variables during wheel builds or venv installation.

  • Added the variables pki_handler_ca_changed, pki_handler_cert_changed and pki_handler_cert_installed, which control the names of the meta handlers the pki role triggers when included. This is useful if multiple roles that leverage the pki role are included within the same playbook and you want finer control over handler execution.

  • Haproxy services are now configured separately at the beginning of each service playbook.

  • New variables openstack_opendev_base_url and openstack_github_base_url have been implemented, allowing the base URL of the repositories for all used services to be changed quickly. This is useful for environments with limited connectivity or in case of issues with one of the mirrors.

  • Added the variable venv_build_group, which provides the ansible group name used to find wheel build targets. The default is repo_all.

Upgrade Notes

  • Any external or 3rd party integrations with openstack-ansible that use the openstack-ansible command line wrapper around ansible-playbook and access ansible facts via the ansible_<variable> pattern must be refactored to access those variables as follows: ansible_facts['variable']. If this is not possible, the environment variable ANSIBLE_INJECT_FACT_VARS can be set to True to restore the previous behaviour.

  • keystone_security_txt_content variable name has changed to haproxy_security_txt_content. Security.txt file is now served directly from haproxy.

  • Variable keystone_ssl was deprecated in favor of keystone_backend_ssl.

  • If you are using the NSX or Nuage network drivers, make sure you have replaced the definition of nova_network_type with the appropriate nova_nova_conf_overrides. Please consult the os_neutron documentation for the required overrides.

  • Default provider driver for Octavia has been changed to amphorav2, since amphora and octavia drivers are deprecated for removal.

  • The default values for the variables octavia_loadbalancer_topology and octavia_enable_anti_affinity have been switched to ACTIVE_STANDBY and True respectively, to reflect the most reasonable production setup. You can set these variables to their previous defaults if you want to preserve the old behaviour.

  • Default value for octavia_security_group_rule_cidr is changed and defined to the CIDR of Octavia management network. To preserve previous behaviour, please override the variable to 0.0.0.0/0.

  • Support for the calico ml2 driver is removed. It will not be possible to upgrade an existing deployment using calico networking.

Deprecation Notes

  • Certbot-auto is deprecated since 2020. It was removed from haproxy_server role.

  • The key is_container_address used in the definition of provider_networks has been renamed to is_management_address, to avoid confusion for bare metal deployments. Backwards compatibility was kept.

  • Variable container_address has been deprecated in favor of management_address. Variable management_address is available since Victoria release and was defaulted to the value of container_address.

  • Variables horizon_ssl_self_signed_regen and horizon_ssl_self_signed_subject are deprecated. Horizon role uses ansible-role-pki now so they are no longer needed.

  • The variables nova_network_type and nova_network_services have been deprecated and will be silently ignored in the future. Please use nova_nova_conf_overrides if you need to define the ovs_bridge option for specific network drivers, like nsx or nuage.

  • The haproxy_service_configs format was simplified. It is now just a list of dicts. Use of the service key in haproxy_service_configs elements is deprecated and will be removed in the 2023.2 release.
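    The same service in the deprecated nested form and in the flat form, as an added illustration that is not part of these release notes. The service values are constructed; haproxy_service_name and backend_port appear in these notes, while the other keys (haproxy_backend_nodes, haproxy_port, haproxy_balance_type, and the name/ip_addr entries for backends outside the inventory) are assumed here from the haproxy_server role's service definition format.

```yaml
# Deprecated form (accepted in 2023.1, removed in 2023.2): every element
# wraps its settings in a "service" key.
haproxy_service_configs:
  - service:
      haproxy_service_name: example_api          # constructed service name
      haproxy_backend_nodes: "{{ groups['example_api'] | default([]) }}"
      haproxy_port: 8080                          # constructed port
      haproxy_balance_type: http
---
# Current form: a plain list of dicts, one per service, with the same keys
# and no "service" wrapper.
haproxy_service_configs:
  - haproxy_service_name: example_api
    haproxy_backend_nodes: "{{ groups['example_api'] | default([]) }}"
    haproxy_port: 8080
    haproxy_balance_type: http
  # Backend nodes outside the Ansible inventory may carry their own
  # backend_port (27.2.0), so one service can target different ports
  # on different servers. Addresses below are constructed (RFC 5737 range).
  - haproxy_service_name: example_external
    haproxy_backend_nodes:
      - name: ext-node-1
        ip_addr: 192.0.2.10
        backend_port: 8443
      - name: ext-node-2
        ip_addr: 192.0.2.11
        backend_port: 9443
    haproxy_port: 443
    haproxy_balance_type: http
```

    Migrating is a matter of lifting each service's keys out from under service by one indentation level; the two documents above are otherwise equivalent.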

Bug Fixes

  • Fixes the incorrect definition of ceilometer polling_namespaces when a host is part of both the central and compute groups (i.e. the metal/AIO scenario).

  • Fixes the absence of libvirtd.service on compute nodes. Since CentOS upgraded libvirt to version 9.3.0, libvirt-daemon is no longer installed as a dependency of libvirt-daemon-kvm. libvirt-daemon is now installed explicitly.

  • Fixed an issue where neutron-metadata-agent and neutron-dhcp-agent were started on network_hosts in the OVN scenario alongside neutron-ovn-metadata-agent. These services will be disabled and masked in existing environments; manual clean-up of the systemd services and the corresponding neutron agents is still needed. New deployments will not have these services deployed in the first place.

Other Notes

  • Now that the haproxy base service has been added, the dummy letsencrypt service is no longer needed for deployments without horizon and should be removed.

  • horizon_enable_ssl has been renamed to horizon_backend_ssl for consistency reasons.

  • The default value for horizon_enable_ssl has changed to False (or to openstack_service_backend_ssl if it is defined).

  • The variable openstack_service_accept_both_protocols was implemented to temporarily accept both HTTP and HTTPS traffic on haproxy frontends. It is useful when changing the protocol of service endpoints.

  • Version of RabbitMQ is bumped to 3.11.7, Erlang version is bumped to 25.2.

  • The SHAs of services used during source installs were moved from the playbooks/defaults/repo_packages folder to inventory/group_vars/<service_group>/source_git.yml files corresponding to each individual service.

  • Haproxy service definitions (along with their overrides) are no longer stored in haproxy group vars. They were moved to service variables; for example, glance_haproxy_services is stored in the glance_all group variables.

  • The structure of haproxy_default_services and haproxy_extra_services was simplified. It is now just a list of dicts, with the same format as haproxy_service_configs.

  • uWSGI support was implemented in the os_blazar role.

  • The default value of venv_wheel_build_enable has changed. Wheels are now built whenever there is at least one host in venv_build_group. Previously this depended on the number of hosts targeted by the play.