Yoga Series Release Notes¶
25.6.0¶
Upgrade Notes¶
Keystone OIDC parameter ‘oidc_redirect_uri’ is replaced with ‘oidc_redirect_path’. This parameter no longer needs to be set explicitly unless you run additional services which may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in redirect URI which defaults to the Keystone public URL plus the path /oidc_redirect.
Bug Fixes¶
Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.
Fixed OpenStack command line OIDC integration with Apache mod_auth_openidc >= v2.4.9, including on Ubuntu Jammy.
Other Notes¶
The localhost target was explicitly added to the OSA inventory due to bug #2041717. As a result, the ‘all’ group now contains localhost, and custom playbooks targeting ‘all’ may need adjustment, e.g.: hosts: all:!localhost
25.5.0¶
New Features¶
Added variables galera_backups_full_init_overrides and galera_backups_increment_init_overrides that can be leveraged to override the default systemd unit files for mariadb backups. Similar to change I7b3b0f4da047f82a49266ef57fba2fbaa24cebdc.
Implemented variable lxc_image_cache_expiration that controls for how long a cached LXC image will be valid. Default value is 1year. The variable format should be compatible with the community.general.to_time_unit filter.
Adds optional compression for backups created with mariabackup. Adds two new CLI parameters to the mariabackup script that are used to enable compression and to choose a compression tool:
--compress=True|False
--compressor=<compressor>
Also introduces new Ansible variables that control the above-mentioned parameters:
galera_mariadb_backups_compress
galera_mariadb_backups_compressor
Each backup archive is stored in a dedicated directory, alongside the backup metadata.
Upgrade Notes¶
Backup compression is disabled by default, so no changes need to be made for existing deployments. Should compression be desired, set galera_mariadb_backups_compress to True. Choose a compression tool with galera_mariadb_backups_compressor; the default is gzip.
Bug Fixes¶
The LXC image cache expiration mechanism has been fixed. Previously LXC images were valid forever.
Variables haproxy_fall and haproxy_rise are now respected again and are used to define the number of checks before haproxy marks a backend as UP or DOWN. Keys backend_rise and haproxy_fall that are set inside a service definition are still respected and take precedence over the global ones.
25.4.0¶
Upgrade Notes¶
Due to OSSA-2023-003, the value of openstack_service_token_roles_required has been changed to true. With that, major upgrades to the Yoga release might suffer from prolonged downtimes. Environments sensitive to API downtime can perform a major upgrade to any prior release, followed by a minor upgrade that enables openstack_service_token_roles_required and installs safe versions of the services. The other way around would be to manually create and assign the service role to all “service” users.
Deprecation Notes¶
RabbitMQ packages are no longer provided by PackageCloud due to the upstream repository being no longer available after 2023-05-28. Installations will now utilize a community mirror of CloudSmith repositories for rabbitmq and erlang.
https://github.com/rabbitmq/rabbitmq-server/discussions/8386
Security Issues¶
Includes SHA bumps for Nova, Cinder and Glance to cover OSSA-2023-003.
Bug Fixes¶
Fixes incorrect definition of ceilometer polling_namespaces when a host is part of both the central and compute groups (i.e. the metal/aio scenario).
Fixes the absence of libvirtd.service on compute nodes. With CentOS upgrading the libvirt version to 9.3.0, libvirt-daemon is no longer installed as a dependency of libvirt-daemon-kvm. libvirt-daemon is now installed explicitly.
25.3.1¶
Other Notes¶
Erlang is updated to version 25.0.4 and RabbitMQ will be upgraded to version 3.10.7. This also harmonizes RabbitMQ/Erlang versioning for Debian Bullseye.
25.3.0¶
New Features¶
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management network to the standard Ethernet MTU. The MTU can still be changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Upgrade Notes¶
A new parameter octavia_provider_network_mtu is added to set the MTU to 1500 by default. This is important for deployments which allow jumbo frames while setting the management network to the standard Ethernet MTU. The MTU can still be changed at any point during the initial octavia deployment or with the openstack network set --mtu command line.
Security Issues¶
The Erlang version was bumped to 24.3.4.7 to cover CVE-2022-37026, which has critical severity.
This release includes a SHA bump for Cinder, Nova and Glance that covers the OSSA-2023-002 vulnerability (CVE-2022-47951).
25.2.0¶
New Features¶
Support Rocky Linux 9 as a deployment and target host.
Known Issues¶
As of today the ceph community repository (download.ceph.com) does not provide packages for Ubuntu 22.04 (Jammy). Because of that, OpenStack-Ansible installs ceph packages from distro-provided repositories. Thus you cannot control the package version that will be installed, and ceph support should be considered experimental.
Upgrade Notes¶
Default MariaDB version is set to 10.6.10. When running a minor upgrade don’t forget to provide -e galera_upgrade=true to the openstack-ansible command. With that, the MariaDB version installed for CentOS 9 Stream, Rocky 9 and Ubuntu 22.04 will switch from the distro-provided version to 10.6.10 installed from the MariaDB repository, which might be a major version upgrade.
25.1.0¶
New Features¶
Implemented variables rally_openstack_git_repo and rally_openstack_git_install_branch that allow overriding the installation source for the rally-openstack package as well as controlling the installed version of the package.
Upgrade Notes¶
The RabbitMQ management interface surfaced via HAProxy defaults to using TLS from the Yoga release. Note that when using TLS the default port switches from 15672 to 15671. TLS can be disabled if required by adjusting ‘rabbitmq_management_ssl’.
Bug Fixes¶
Wheel builds for multi-arch and multi-distro setups are fixed. For that you still need to have a set of venv_build_targets that defines targets for each operating system and architecture.
25.0.0¶
New Features¶
Added variable uwsgi_tls which, when added to a uwsgi_services item, enables TLS for that service. uwsgi_tls is a dict and should contain two keys, crt and key, which define the path to the certificate and its corresponding key respectively. The certificate file should contain any intermediate certificates required by a client to verify trust.
Introduces 3 new variables cinder_default_availability_zone, octavia_cinder_volume_size and octavia_cinder_volume_type. Using these variables enables Octavia to use different Cinder configurations.
UEFI boot support has been added. To migrate from Legacy BIOS mode, define boot_mode:uefi as a capability for baremetal nodes that support UEFI. In addition, corresponding flavor(s) will need to be created or modified to include boot_mode:uefi as a capability for scheduling to occur against UEFI nodes.
A new variable centos_mirror_url is introduced to the openstack_hosts role to allow a single deployment-wide variable to control the location of the centos package mirror.
Ceph-ansible has been switched to version 6.0 and Ceph Pacific is used by default.
Added support for both Credential Provider Mechanisms (dynamic credentials and pre-provisioned credentials).
Implemented variable galera_data_dir that controls the datadir for MariaDB databases. Defaults to /var/lib/mysql.
New variables galera_tmp_dir and galera_ignore_db_dirs were implemented to control the path to the tmp dir and which directories should be ignored when listing databases.
MariaDB now uses TLS encryption by default. The certificate will be issued and signed with the internal CA using the PKI role. Deployers can disable encrypting MariaDB connections by setting galera_use_ssl: false in their user_variables.yml. Client certificates can still be provided and they will be distributed with the PKI role as well.
A new variable openstack_hosts_apt_pinned_packages is added which allows deployment wide apt pins to be defined in user_variables. The variable defaults to pinning the UCA repository to a priority lower than the Ubuntu repositories for any binary packages generated from the ceph source package. The intention is to ensure that Ceph packages are always installed from the Ubuntu repositories, or alternatively the official ceph repositories if the ceph_client role is run later against a host. The ceph packages for a particular openstack release may not be the same version as those expected by the rest of openstack-ansible so this change ensures consistency in the deployed ceph version.
Implemented the possibility to natively define gnocchi_incoming_driver separately from gnocchi_storage_driver. The default behaviour is that [incoming] is left unconfigured, which means [storage] is used when gnocchi_incoming_driver and gnocchi_storage_driver are equal. The role will install incoming driver dependencies if required. To implement that, the following variables were introduced:
gnocchi_storage_file_basepath
gnocchi_storage_swift_container_prefix
gnocchi_incoming_driver
gnocchi_incoming_file_basepath
gnocchi_incoming_swift_container_prefix
gnocchi_ceph_incoming_pool
gnocchi_ceph_incoming_username
Implemented variable gnocchi_metricd_workers that controls the number of gnocchi-metricd workers spawned. By default it is equal to the number of CPU cores, but no more than 16 workers.
Variables gnocchi_storage_redis_url and gnocchi_incoming_redis_url were added to manage the redis connection if it is picked as a storage/incoming driver. The default value is redis://localhost:6379/ Please note that OpenStack-Ansible does not provide installation of Redis as of today.
Implemented variable magnum_conductor_workers that controls the number of magnum-conductor workers spawned. By default it is equal to the number of CPU cores, but no more than 16 workers.
The provider_networks library has been updated to support the definition of bond member interfaces that can automatically be added as bond ports to OVS provider bridges set up during a deployment. This feature is currently limited to DPDK-based deployments. To activate this feature, add the network_bond_interfaces key to the respective provider network definition in openstack_user_config.yml. For more information, refer to the latest Open vSwitch w/ DPDK deployment guide.
Neutron VPN as a Service (VPNaaS) with customized configuration files can now be defined with the variable neutron_vpnaas_custom_config. Deployers should define neutron_vpnaas_custom_config in ‘user_variables.yml’. Example:
    neutron_vpnaas_custom_config:
      - src: "/etc/openstack_deploy/strongswan/strongswan.conf.template"
        dest: "{{ neutron_conf_dir }}/strongswan.conf.template"
      - src: "/etc/openstack_deploy/strongswan/strongswan.d"
        dest: "/etc/strongswan.d"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.conf.template"
        dest: "{{ neutron_conf_dir }}/ipsec.conf.template"
      - src: "/etc/openstack_deploy/{{ neutron_vpnaas_distro_packages }}/ipsec.secret.template"
        dest: "{{ neutron_conf_dir }}/ipsec.secret.template"
Deployers should also define neutron_l3_agent_ini_overrides in ‘user_variables.yml’ to tell the l3_agent to use the new config files. Example:
    neutron_l3_agent_ini_overrides:
      ipsec:
        enable_detailed_logging: True
      strongswan:
        strongswan_config_template: "{{ neutron_conf_dir }}/strongswan.conf.template"
      openswan:
        ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
New variables nova_glance_rbd_inuse and nova_glance_images_rbd_pool have been implemented that allow the deployer to easily configure nova to retrieve glance images from RBD directly, if nova uses local storage for ephemeral drives.
Introduced new variable cinder_volume_usage_audit_send_actions_enabled to allow the deployer to disable the send actions option in the cinder-volume-usage-audit service unit. To have the lowest possible footprint, the default value is true, so as not to change the behaviour of cinder-volume-usage-audit in existing deployments.
New variables that provide better control over RabbitMQ management interface have been implemented:
rabbitmq_management_bind_tcp_port
rabbitmq_management_bind_tls_port
rabbitmq_management_ssl
Added variable rabbitmq_init_overrides that allows controlling the rabbitmq overrides that will be applied to the systemd service. Previously the values were hardcoded without any possibility to override them.
Added variable rabbitmq_manage_hosts_entries that controls whether the rabbitmq_server role will attempt to adjust the /etc/hosts file.
The mechanism used previously to synchronise repo server contents between highly available sets of repo servers in a multinode deployment (lsyncd and rsync over ssh) is removed and replaced with a shared filesystem mount. This permits much easier support for multi operating system and multi processor architectures in the deployment when building and serving python wheels using the repo server. The default deployment will run a glusterfs server in each repo server host, and mount the glusterfs filesystem at /var/www/repo using the system_mount ansible role. If a deployment wishes to use an alternative external shared filesystem, the new variable openstack_repo_server_enable_glusterfs can be set to false and alternative mounts created by overriding the new repo_server_systemd_mounts variable. It is mandatory to use some type of shared filesystem for the repo server in all deployments.
Implemented variables tempest_public_net_create, tempest_private_net_create, tempest_router_create, tempest_images_create, tempest_flavors_create and tempest_projects_create, which allow skipping the creation of specific resources.
Allow creating templated services. For systemd_services you are now allowed to provide template_arguments, which can contain a list of arguments with which templated services will be created.
The HAProxy role now supports TLS v1.3 by default, alongside TLS v1.2.
A new ‘ssl_cipher_suite_tls13’ variable is added for global control of TLS v1.3 cipher suites.
Functionality of venv_rebuild has been adjusted to the correct scope. Now setting this variable to true will not trigger a wheels rebuild - it will just remove and re-create your virtualenv. If you want to rebuild wheels, a new variable venv_wheels_rebuild has been implemented.
Known Issues¶
There’s a known issue with upgrading to the Ceph Pacific release prior to version 16.2.7. Please make sure that 16.2.7 or later has been released before performing the Ceph upgrade. Otherwise, override ceph_stable_release: octopus in your user_variables.yml.
Upgrade Notes¶
Existing use of the variable openstack_hosts_centos_mirror_url will continue to work as in previous releases, but the new variable centos_mirror_url can be used to define the mirror location for the whole deployment.
We have changed the default values for variables related to database connection pooling. For some services (like nova) the default pool sizes will be significantly lower; we have also decreased the default connection_recycle_time to 10 minutes. It should not cause any issues, but we recommend double-checking these values, especially for large environments.
The octavia_db_pool_size variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.
The following keystone role variables were previously deprecated, and are now removed. Replacement variables were introduced in the Xena release.
keystone_database_pool_timeout
keystone_database_max_pool_size
keystone_database_idle_timeout
The neutron_db_pool_size variable was previously deprecated and is now removed. A replacement variable was introduced in the Xena release.
The Yoga release of OpenStack-Ansible removes support for Ubuntu Bionic. Deployments should be upgraded from Bionic to Focal before or during the Xena release before upgrading to Yoga.
The Yoga release of OpenStack-Ansible removes support for Debian Buster. Deployments should be upgraded from Buster to Bullseye before or during the Xena release before upgrading to Yoga.
The Yoga release of OpenStack-Ansible removes support for Centos-8. Deployments should be upgraded from Centos-8 to an alternative supported operating system during the Xena release before upgrading to Yoga.
The use of the nginx package repository on RedHat-derived operating systems is no longer required, as there is now a new enough version of the nginx package in the standard distro repos. The variables repo_centos_nginx_mirror and repo_centos_nginx_key are removed from the repo_server role and no longer have any effect.
Galera will now additionally listen on port 3307 by default, with this port being used by the monitoring user to check cluster status. Ensure that any firewall rules permit access to this port before upgrading. If an ‘extra_port’ was already configured, ensure that any conflicting configuration is removed and set your preferred values via ‘galera_monitoring_port’ and ‘galera_monitoring_max_connections’.
During upgrade a password for galera_monitoring_user_password will be generated and set while running the galera-server role. In case any third-party software relies on this user, it should be updated to use the password. You can also override the variable to galera_monitoring_user_password: "" to not use a password for auth and preserve the previous behaviour.
If you have a database named #tmp you should change the galera_tmp_dir path and adjust galera_ignore_db_dirs, or rename the database.
The new variable openstack_hosts_apt_pinned_packages is added to the openstack_hosts ansible role and sets the value of apt_pinned_packages for the apt_package_pinning role run as a dependency of the openstack_hosts role. Existing use of the apt_pinned_packages variable by deployers in user_variables should be reviewed to ensure that those pins are applied by the intended ansible roles, and swapped to this new variable if necessary.
If you have defined haproxy_tuning_params in your deployment, make sure that before upgrade all keys are valid haproxy options. For example, instead of chksize: 16384 you should set tune.chksize: 16384. Otherwise an invalid config will be generated and haproxy will fail on startup. No upgrade scripts are provided for this change, and there is no backwards compatibility.
The keystone installation now uses ansible-role-pki to create and install a server certificate for Apache when keystone_ssl is true. The same role is also used to create a CA certificate and key for SAML federation when keystone_idp is populated by the deployer. For an existing keystone SAML setup the certificate and key will be re-created, which may be undesirable, unless the existing ones are first copied to the relevant directories in /etc/openstack_deploy/pki/roots on the deploy host. The variables keystone_ssl_self_signed_regen and keystone_ssl_self_signed_subject are removed and are replaced with equivalent functionality via the new keystone_pki_* variables.
Keystone now uses the common uwsgi role for uWSGI deployment. Along with that, variable keystone_services has been extended with the required arguments for uWSGI. If you override this variable locally, make sure to update its structure accordingly.
RabbitMQ was migrated to the new-style config, which resides in /etc/rabbitmq/rabbitmq.conf. The old config rabbitmq.config will be removed during upgrade.
The Cinder v2 API is now fully removed from the Cinder service. With that, the os_cinder role ensures the v2 endpoint is no longer present in the catalog and removes such endpoints if they are present.
The xinetd script and configuration to run the ‘clustercheck’ script is replaced with a systemd socket activated service.
The repo server hosts will stop and uninstall existing lsyncd and rsync services from the repo server hosts. This functionality is replaced by default with a glusterfs shared filesystem. If a deployment uses a firewall on the control plane, the rules should be updated to allow the glusterfs traffic between the repo server hosts. Alternative external shared filesystems (e.g. NFS, cephfs, others) may be used if required, and the new variables repo_server_systemd_mounts and openstack_repo_server_enable_glusterfs allow a deployment to override the default use of glusterfs.
Changed the default value of the tempest_projects variable. Now this list contains only one element, ‘tempest’. Previously it was ‘demo’ and ‘alt_demo’, which was quite confusing.
Deprecation Notes¶
OVN-related HAProxy configuration is deprecated and has been replaced with built-in clustering functionality. OVN-related endpoints will be completely removed in the Z release.
Variables tempest_service_available_congress and tempest_service_available_nova_lxd have been removed and have no effect, since the corresponding services are not supported anymore.
Variable nova_glance_api_servers has been removed and has no effect, since the corresponding upstream api_servers option is deprecated.
With the retirement of the upstream Panko project, the os_panko role has been deprecated. The Panko service API endpoint will be removed during upgrade. If you want to keep the Panko API working, you should override haproxy_panko_api_service.
The following tempest related variables were deprecated and have no effect:
tempest_compute_ssh_user
tempest_compute_console_output_enabled
tempest_compute_resize_enabled
tempest_compute_snapshot_enabled
tempest_compute_change_password
tempest_image_api_v1_enabled
tempest_image_api_v2_enabled
tempest_swift_container_sync
tempest_swift_object_versioning
tempest_swift_discoverable_apis
tempest_volume_backup_enabled
tempest_volume_multi_backend_enabled
tempest_enable_instance_password
tempest_volume_backend_names
Variable glance_nfs_local_directory has been renamed to glance_images_local_directory to better reflect the purpose of the variable. glance_nfs_local_directory remains for backwards compatibility but will be removed in the Zed release.
Variable glance_nfs_client has been replaced with glance_remote_client. The new variable has new keys for defining mounts to cover a wider range of supported filesystems. Compatibility for glance_nfs_client has been kept until the Zed release.
Variables nova_external_ssl and nova_secure_proxy_ssl_header have been removed, since the secure_proxy_ssl_header option from nova.conf they controlled has been deprecated and has no effect.
Variable tempest_network_tenant_network_cidr has been deprecated.
Variable tempest_network_tenant_network_mask_bits has been deprecated.
Variable tempest_fatal_deprecations has been deprecated.
The variable ‘keystone_ssl_cipher_suite’ is deprecated in favour of ‘keystone_ssl_cipher_suite_tls12’ which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
The variable ‘haproxy_ssl_cipher_suite’ is deprecated in favour of ‘haproxy_ssl_cipher_suite_tls12’ which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
The variable ‘ssl_cipher_suite’ is deprecated in favour of ‘ssl_cipher_suite_tls12’ which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
The variable ‘horizon_ssl_cipher_suite’ is deprecated in favour of ‘horizon_ssl_cipher_suite_tls12’ which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
Security Issues¶
The following security headers were added to the haproxy Horizon service: strict-transport-security, x-content-type-options, referrer-policy and content-security-policy. Care should be taken when deploying the strict-transport-security header, as this header implements Trust on First Use security, meaning that after a browser first visits the page the browser will enforce the use of HTTPS until the max-age time has expired. For the time being the strict-transport-security preload token, which indicates that you are happy to have your site included in the HSTS preload list that is built into browsers, has been excluded. The headers can be disabled by setting haproxy_security_headers: [] and the CSP (Content Security Policy) for Horizon can be overridden to support things like federated login by setting haproxy_horizon_csp. There is the option to extend this to all haproxy services in the future, but as the headers are only used by browsers there may be limited benefit to doing this other than for the keystone and console services.
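A quick way to verify that a Horizon endpoint actually serves the four headers listed above is to run a check over the response headers. The following is an added example, not OpenStack-Ansible code: the sample header sets are constructed, the one-year max-age baseline is this example's own choice, and the actual header values the haproxy role sets are not reproduced here.

```python
"""Check an HTTP response's security headers for the set the Yoga haproxy
Horizon service adds: strict-transport-security, x-content-type-options,
referrer-policy and content-security-policy.

Added example, not OpenStack-Ansible code. Sample headers are constructed.
"""
from typing import Dict, List, Optional

# The four headers the release note says are added to the Horizon frontend.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)

# Assumed baseline for this example: one year, a common HSTS max-age floor.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                result["max_age"] = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                result["max_age"] = None  # malformed; reported by the caller
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
        elif directive == "preload":
            result["preload"] = True
    return result


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means all good.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name in REQUIRED_HEADERS:
        if name not in lower:
            findings.append(f"missing header: {name}")
    if "strict-transport-security" in lower:
        hsts = parse_hsts(lower["strict-transport-security"])
        max_age: Optional[int] = hsts["max_age"]  # type: ignore[assignment]
        if max_age is None:
            findings.append("hsts: max-age missing or not an integer")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts: max-age {max_age} is below one year")
        if hsts["preload"]:
            # The release note deliberately leaves 'preload' out; surface it so
            # an operator knows the site has opted in to browser preload lists.
            findings.append("hsts: preload directive present (browser preload list opt-in)")
    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options: value is not 'nosniff'")
    return findings


# Constructed sample: a Horizon response carrying all four headers.
SAMPLE_GOOD = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'",
}

# Constructed sample: headers mostly stripped, with a short, preloaded HSTS.
SAMPLE_STRIPPED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=600; preload",
}

if __name__ == "__main__":
    for label, hdrs in (("good", SAMPLE_GOOD), ("stripped", SAMPLE_STRIPPED)):
        print(label, check_security_headers(hdrs) or "OK")
```

Feed it the headers from a real response (for example those returned by a requests call against the Horizon URL) to confirm the haproxy configuration took effect after upgrade.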
Bug Fixes¶
Fixes a Content Security Policy error which prevented image uploads via the Horizon interface.
Fixed facts gathering when tags were provided with playbook run.
By default we increase tune.maxrewrite, as otherwise when using CSP headers their size could exceed the allowed buffer. Deployers can also override this value if needed.
Fixes a file descriptor leak which may impact services which use the oslo.messaging RabbitMQ heartbeat mechanism.
Do not duplicate records in the /etc/hosts file in the rabbitmq role when the hosts file is already managed by OSA.
Other Notes¶
The restriction on parameters that can be passed to haproxy_tuning_params has been lifted. This means that any tuning parameter can be passed in key/value format.
The default source of rabbitmq and erlang packages has been switched to cloudsmith.io.
Added new variable tempest_endpoint_type to avoid having the endpoint type hardcoded in tempest.conf.