Zed Series Release Notes¶
17.0.0-56¶
New Features¶
Two instances of the glance-api service are now deployed per the recommendations outlined in OSSN-0090. The user facing service does not provide access to image location data, whereas a new internal glance-api service provides location data to administrators and services that need it (e.g. cinder and nova), and is accessible via the admin and internal keystone endpoints.
Added paramter
IronicEnableNovaPowerNotifications
(defaults to:true
). The parameter controls the[nova]/send_power_notifications
option in ironic.conf which is used to enable/disable the power state change callbacks to nova.
Add support for overriding the default cipher used by galera. This is useful for cases like FIPS where the default ‘AES128-SHA256’ is not allowed.
Enable NVMe as a new protocol driver for the Pure Storage FlashArray Cinder driver and add the
pure_nvme_transport
parameter to define which transport layer the NVMe driver uses. Addpure_nvme_cidr
andpure_nvme_cidr_list
support for the Pure Storage FlashArray Cinder driver.
Upgrade Notes¶
A new OS::TripleO::Services::GlanceApiInternal service is introduced to handle deploying the internal instance of the glance-api service. When upgrading an overcloud deployed with a custom roles file, the new GlanceApiInternal service must be added to every role that includes the GlanceApi service. Roles that include the GlanceApiEdge service should not include the new GlanceApiInternal service.
Deployment of the new internal glance-api service is generally transparent, and includes updating glance’s endpoints in the keystone catalog. In a Distributed Compute Node (DCN) deployment, the control plane and all DCN sites need to be updated in order to fully deploy the new internal glance-api service.
For Nova computes that need to keep running EL8, you can replace
OS::TripleO::Services::NovaLibvirt
service withOS::TripleO::Services::NovaLibvirtLegacy
in its role files to run the monolithic libvirt. Unlike the modular deamons consumable with EL9 computes, that legacy service should only be used for Train to Wallaby skip-level (fast-forward) upgrades, and should not be used in new deployments.
Deprecation Notes¶
The GlanceShowMultipleLocations parameter is deprecated.
CephHciOsdType and CephHciOsdCount parameters, used by the deprecated derive parameters feature, have been removed.
Bug Fixes¶
Cinder NVMe-oF: Use the right port
4420
instead of4460
and add the appropriate iptables rule for LVM+nvmet to work.
Cinder NVMe-oF: Cinder nodes where not loading
nvme-fabrics
kernel module, so nvme-of would not work correctly on controller nodes.
The undercloud now disables
[nova]/send_power_notifications
in the ironic service. This fixes an issue where ironic-conductor on the undercloud would try to report power state changes to nova and fail because nova service is not runnint on the undercloud. See bug: 2000308.
17.0.0¶
Prelude¶
The default ovsdb-server deployment mode has been switched from active/backup with Pacemaker to the native active/active RAFT clustering.
New Features¶
Added support for Unbound to forward DNS resolution requests to other DNS resolvers (DNS resolver forwarding).
Added parameter OVNEncapTos to indicates the value to be applied to the OVN tunnel inteface’s option:tos, as specified in the Open_vSwitch database Interface table. The default value is “0”. “inherit” allows to copy the inner ToS into the outer packet header.
Add new parameter
CeilometerTenantNameDiscovery
, enabling this parameter will identify user and project names using the resource UUIDs for every polled sample. Upon a successful discovery, the identified names are added to the corresponding sample.
Added new OctaviaLogOffloadProtocol setting that allows to select either UDP (default) or TCP as protocol for log offloading.
Add
DisableOvnDhcpForBaremetalPorts
parameter which allows disabling OVN’s DHCP for baremetal ports
Added a new parameter OVNOvsdbProbeInterval to configure ovsdb_probe_interval for neutron ml2-ovn plugin and ovn metadata agent.
Added a new parameter OVNOvsdbProbeInterval to configure OVSDB Connection.probe_interval. This requires setting the a single Connection entry for all RAFT servers which listens on all interfaces. To address the security implications, the iptables rules are set to limit traffic to the proper subnet.
Support deploying multiple Cinder Dell EMC Unity storage backends. CinderDellEMCUnityBackendName is enhanced to support a list of backend names, and a new
CinderDellEMCUnityMultiConfig
parameter provides a way to specify parameter values for each backend.
Support deploying multiple Cinder Dell EMC VNX storage backends. CinderDellEMCVNXBackendName is enhanced to support a list of backend names, and a new
CinderDellEMCVNXMultiConfig
parameter provides a way to specify parameter values for each backend.
Support deploying multiple Cinder NFS storage backends. CinderNfsBackendName is enhanced to support a list of backend names, and the following new parameters are added.
CinderNfsMultiConfig
provides a way to specify parameter values for each backend.CinderNfsSharesConfig
allows you to pass NFS shares config for a backend instead of hard coded input.
When the cinder-backup service is deployed, it now defaults to active-active and not active-passive.
Relocate the existing cinder NFS parameters in their own template. There are no new parameters, and the existing parameters retain the same default values.
Add option to override the default corosync token_timeout value. There are cases where the default allotted time (10s) is not enough. This only works during cluster setup (first deployment).
‘dns_domain_ports’ extension driver is now enabled by default and this allows ‘dns_domain’ to be set for ports.
The new
HeatDelegatedRoles
parameter has been added. This parameter defines list of trustor to be delegated to heat.
When deploying a new HA overcloud, the mysql/galera service can now be configured to use mariabackup for State Snapshot Transfers (SST) by configuring the new Heat parameter MysqlGaleraSSTMethod. Mariabackup SST uses a dedicated SQL user with the appropriate grants to transfer the database content across nodes. The user credentials can be configured via two additional Heat parameters MysqlMariabackupUser and MysqlMariabackupPassword.
The new
HorizonHstsHeaderValue
parameter has been added. When this parameter is set, haproxy adds HTTP Strict-Transport-Security header to HTTP response to enforce SSL.
The new
IronicWorkers
parmaeter has been added. This parameter can be used to tune number of workers for Ironic services.
Containerized Libvirt swtpm logs will be placed into /var/log/containers/libvirt/swtpm host path.
Add parameter NovaMDEVTypes to provide support for generic mdev_type.
The new
NovaInstanceUsageAudit
parameter has been added.
The new
{{role.name}}ContainerImagePrepare
parameter has been added. This parameter overrides the globalContainerImagePrepare
parameter and allows customizing container image prepare workflow for specific roles.
The TimeZone parameter gets used for configuring the Octavia amphora timezone now.
DeploymentServerBlacklist parameter now supports both heat and actual hostnames.
Known Issues¶
To operate well at scale, it is important that OVS 2.17+ is used when deploying with RAFT clustering. Specifically, python-ovs >= 2.17.1 is required.
The
iscsid
service has been removed from undercloud. This service is no longer used since Ironic removed theironic
deployment interface.
Upgrade Notes¶
The
KeystoneChangePasswordUponFirstUse
parameter is now enforced to be a boolean value.
Operators using the audit service must change the way they provide custom configuration, and use a new “AuditdConfig” dict in the parameter_defaults
Puppet implementation to manage CA certificates has been replaced by Ansible implementation. Deployment templates should be updated to use the new template file (-baremetal-ansible.yaml) during update.
Cinder’s API endpoints are updated to no longer use tenant_id templating. This is because cinder no longer requires a project_id in its API URLs.
Cinder backup service will be switched from active-passive to active-active if the service was originally deployed using the cinder-backup.yaml environment file. Cloud administrators who wish to keep it active-passive should use the new cinder-backup-active-passive.yaml env file.
Although the cinder NFS parameters have been moved to their own file, there is no impact on upgrades because the parameters themselves are unchanged.
The
OS::TripleO::Services::HeatApiCloudwatch
service should be removed from roles data during upgrade.
The
OS::TripleO::Services::Xinetd
service has been removed. Its actual implementation was already removed several cycles ago. Please remove this from roles data during upgrade.
When upgrading from a non-RAFT deployment, the old Pacemaker ovn-dbs-bundle containers will still exist and need to be cleaned up. They will not interfere with the function of the cluster, as all services connecting to ovsdb-server will be configured to connect to the server’s individual IP addresses and not the Pacemaker ovsdb-server VIP.
The new support for mariabackup SST for the mysql/galera service is currently limited to new overcloud deployments. Doing a stack update to change SST method from rsync to mariabackup or the other way around is currently not supported.
All firewall rules are implemented by nftables instead of iptables. This means we don’t need to edit anything anymore on the generated iptables/ip6tables files, and keep only the cleaning of service and files in the upgrade tasks.
The
OS::TripleO::Services::NeutronCorePluginML2OVN
service should be removed from roles data during upgrade, because the service has been removed.
The
OS::TripleO::Services::NovaPlacement
service has been removed. It should be removed from roles data during upgrade.
Support for Docker has been removed. Now the
ContainerCli
parameter accepts onlypodman
. Also, theDockerAdditionalSockets
has been removed because the parameter is used only when Docker is used.
The templates to install ReaR via heat have been removed. Rear can be installed using Ansible via the command openstack overcloud backup –setup-rear.
The template files to manage network resources(eg. ports) by heat have been all removed. All network resources should be pre-created by the separate network privisioning process.
The
ManageNetwork
parameter has been removed. This parameter had no effect when network resources are pre-deployed by the network provisioning process.
The
InotifyIntancesMax
parameter has been removed. TheInotifyInstancesMax
parameter should be used instead.
Support for NSX Neutron plugin has been removed. Because of this removal, the
OS::TripleO::Services::NeutronCorePluginNSX
service should be removed from roles data during upgrade.
The StackAction/StackUpdateType parameters have been removed because they have no significance with deployment using ephemeral heat.
The following parameters (and the related deprecated parameters) have been removed since these have had no effect since Nova was removed from Undercloud.
KeyName
Overcloud{{role.name}}Flavor
{{role.name}}SchedulerHints
{{role.name}}Image
The configuration hook using cloud-init and node user data has been removed becuase this method is no longer available since Nova was removed from Undercloud. Because of this change, any reference to the following two resource types should be removed during upgrade.
OS::TripleO::NodeUserData
OS::TripleO::{{role.name}}::NodeUserData
The
GlanceNotifierStrategy
parameter and theGlanceLogFile
parameter have been removed. These two parameters have had no effect for several cycles.
The deprecated template file
cinder-backend-dellsc-puppet.yaml
is removed ascinder-backend-dellemc-sc-puppet.yaml
enables both iSCSI and FC support for Dell EMC SC.
The following deprecated parameters are removed.
CinderNetappStoragePools
CinderNetappVolumeList
ControllerEnableSwiftStorage
Deprecation Notes¶
All of the hiera value for the service configuration are deprecated, and replaced by a new “AuditdConfig” dict to be passed in the parameter_defaults
The tripleo-heat-templates parameter DnsServers has been deprecated.
The dns_nameservers from the ctlplane subnets has been used by default for overcloud node nameservers for a long time, see: https://review.opendev.org/579582.
Since Wallaby network configuration is applied prior to the Heat stack create, during overcloud node provisioning. In this case the THT parameter DnsServers is not available when network configuration is applied. Effectively the DnsServers parameter cannot be used in Wallaby and later releases.
The NovaVGPUTypesDeviceAddressesMapping paramter has been deprecated in favour of NovaMDEVTypes parameter added in [1]. [1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/835439
The parameter SshServerOptionsOverrides has been deprecated since Wallaby. Use SshServerOptions to override partial sshd_config.
The
DockerNovaMigrationSshdPort
parameter has been deprecated. This will be completely merged to theMigrationSshPort
parameter.
Support for the
networking-ansible
plugin has been deprecated. It will be removed after the Zed release.
Support for linuxbridge mechanism driver has been deprecated and will be removed in a future release.
Support for the networking-l2gw plugin and the networking-bgpvpn plugin has been deprecated and will be removed in a future release.
The following two parameters have been deprecated and have no effect now. These two parameters are used for 7mode systems which are no longer supported by cinder.
CinderNetappVfiler
CinderNetappPartnerBackendName
The following three parameters have been deprecated and have no effect now. These three parameters are used for E-Series systems which are no longer supported by cinder.
CinderNetappControllerIPs
CinderNetappSaPassword
CinderNetappWebservicePath
The
OS::TripleO::Services::Snmp
service has been deprecated and is no longer enabled by default. The service will be removed in a future release.
CephPoolDefaultPgNum and CephPoolDefaultSize have been deprecated and no longer affect the Ceph deployment because the Ceph deployment is run before these parameters are used. I.e. Ceph is deployed by TripleO via ‘openstack overcloud ceph deploy’ which does not use these parameters. It is no longer required to pass a PG number when creating Ceph pools but it is recommended to use CephPools to override target_size_ratio (or PG number) so pools do not inherit the default PG replica values depending on the Ceph release. Since Ceph pg_autoscale_mode is enabled by default in Pacific, PG numbers will adjust themselves correctly. However, data migration can be reduced by setting target_size_ratio (or PG number) in advance.
Removes the “masquerade-networks-baremetal-puppet” deployment file, since it has been replaced by a 100% ansible implementation; this removal won’t affect operators, since the inclusion of the actual services/masquerade-networks is done from within the Undercloud deployment only, when we set the “masquerade” parameter to true for selected networks.
Security Issues¶
TripleO is now configuring the firewall using nftables instead of iptables.
The firewall layout is now a bit different, since all of the TripleO managed rules are in dedicated chains, such as TRIPLEO_INPUT. Jumps are added in the original chains.
The INPUT chain has now a “drop” policy, meaning we do not need the final “drop” rule like we had while using iptables. This means any packet that don’t match a rule will be dropped. This also mean rule ordering is less important.
Bug Fixes¶
This fixes LP#1964733 and the deprecation/abandon of puppet-auditd module.
Fixed wrong usage of the
PasswordMinLen
parameter and thePasswordWarnAge
parameter.
Remove the processes plugin from the default collectd plugins list as it can cause logging to be flooded with messages such as ‘procs_running not found’.
Fixed the
HeatConfigureDelegatedRoles
parameter which has had no effect previously.
Fixes an issue where gateway ping validations performed during deployment would fail. When setting the ManageNetworks parameter to false and no gateway was configured, the list of gateway IP addresses to ping would include empty strings for networks with no gateway. The validation would attempt to run a ping command without the address to ping, which caused the deployment to fail. See bug: 1973866.
Fix missing roles for Octavia services.
The periodic notifications of instance usage by Nova is now disabled by default. These notifications are not consumed unless Telemtry services are enabled.
Do not change ownership recursive for Swift. This was required when deployments upgraded from baremetal to containerized deployments. However, by now all deployments should be containerized, and running chown recursive against a large amount of data might timeout during upgrades.
Avoid Octavia HAProxy logs showing “[ssl_c_s_dn]” instead of the client certificate DN string. TripleO uses Octavia’s own default user_log_format setting now if possible.
Other Notes¶
Mandatory fields of DnfStreams parameter was extended with new field ‘distribution_version’ which specifies distribution version of the OS to check against during enabled dnf streams check. DnfStreams parameter defines list of dnf module streams to be configured before updating packages both on undercloud and overcloud.
iptables cli cannot see nftables content we inject, since we’re using the “inet” family. Therefore, please use the “nft” CLI from now on. Doc has been updated accordingly.
16.0.0¶
New Features¶
Add parameter to set the auth type for the snmpd_user. Possible options are MD5 (which is what was hardcoded before and is the default now) and SHA. This should be set to SHA on FIPS environments.
Add IronicDefaultBootInterface parameter to allow users to set / override the default boot interface used by ironic. This may not work if a hardware type does not support the set boot interface. This overrides create-time defaults. The ordered union of the enabled boot interfaces and hardware type determines, under normal circumstances, what the default will be.
Since genisoimage was removed from CentOS9 / RHEL9, the nova’s default
mkisofs_cmd
option will not work anymore. In RHEL/CentOS realm,mkisofs
is an alias to alternatives that either map toxorriso
(9) orgenisoimage
(8).
Added the Octavia TLS parameters.
RabbitMQ can be configured to run in FIPS mode via the new configuration option RabbitFIPS. The default value is false.
Admin endpoint of Keystone listens on Internal API network by default.
Logging for the designate bind backend is now more fully configured. DNS query logging can be enabled by setting DesignateBindQueryLogging to true.
Neutron can now be configured to support secure RBAC using EnforceSecureRbac. Note, you may not be able to use this until Neutron upstream has support for common RBAC personas.
Keystone can now be configured to support secure RBAC personas with the EnforceSecureRbac setting. Note that deployments with mixed permission models will have unexpected side-effects. Setting this option won’t have meaningful effect until all services in your deployment support secure RBAC personas.
The new parameter
EnforceSecureRbac
has been added to enforce authorization based on common RBAC personas. Currently in glance the support is only available for project-admin, project-member and project-reader personas and system personas will come in a later release.
The new
KeystoneNotificationDriver
parameter has been added. This parameter overrides the globalNotificationDriver
parameter and allows customizing notification driver only in Keystone, which is required to use notification listner function in Barbican.
Add NovaShowHostStatus to allow overriding API policies to access the compute host status in the requested Nova server details. The default value ‘hidden’ allows only admins to access it. Setting it to ‘all’ (‘unknown-only’) without additional fine-grained tuning of NovaApiHostStatusPolicy shows the full (limited) host_status to the system/project readers.
Add NovaApiHostStatusPolicy that defines a custom API policy for os_compute_api:servers:show:host_status and `os_compute_api:servers:show:host_status:unknown-only. These rules, or roles, replace the admins-only policies based on the given NovaShowHostStatus: ‘unknown-only’ shows the limited host status UNKNOWN whenever a heartbeat was not received within the configured threshold, and ‘all’ also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server details. Finally, NovaShowHostStatus: ‘hidden’ puts it back being visible only for admins. Additional policies specified using NovaApiPolicies get merged with this policy.
A heat parameter
IronicPowerStateChangeTimeout
has been added which sets the number of seconds to wait for power operations to complete, i.e., so that a baremetal node is in the desired power state. If timed out, the power operation is considered a failure. The default is 60 seconds, which is the same as the current Ironic default.
Added
pure_iscsi_cidr
andpure_host_personality
anderadicate_on_delete
support for the Pure Storage FlashArray Cinder driver.
Added
NovaDisableComputeServiceCheckForFfu
parameter to configurenova::workarounds::disable_compute_service_check_for_ffu
to disable the service version check workaround for FFU.
Adding Hugepages role parameter
Hugepages management was always a manual step done by operators via the TripleO parameter
KernelArgs
. This is error prone and causing confusion.The new
Hugepages
parameter allow operators to define hugepages as dictionnary, making it easier to read and follow.To prevent unvolontary changes, there’s multiple validations before applying a change:
We convert the current running configurations to an actual dictionnary that we validate the new format against
If no change is necessary, even though the format might not be the same, there’s no kernel_args update.
By default, we don’t remove hugepages in places except when operators specifically set the
ReconfigureHugepages
to true.
This change is also opening the door to more automations and automatic tuning.
Upgrade Notes¶
Support for the following three volume drivers have been removed.
Dell EMC ScaleIO
Dell EMC VxFlexOS
Dell EMC VMAX
The following services should be removed from roles data during upgrade.
OS::TripleO::Services::CinderBackendScaleIO
OS::TripleO::Services::CinderBackendDellEMCVxFlexOS
OS::Tripleo::Services::CinderBackendDellEMCVMAXISCSI
Redis is now disabled by default in new deployments, so existing deployments have to delete the redis resource in pacemaker prior to upgrade, or include the new environment file ha-redis.yaml if they still implicitely depend on redis.
Support for networking-bigswitch has been removed, because the plugin is no longer maineined.
Support for the novajoin service has been removed.
The
OS::TripleO::Service::Novajoin
resource has been removed. It should be removed from roles data before upgrade.
The default boot mode for ironic deployed nodes is now
uefi
when no boot mode is explicitly set in the node’s driver_info, capabilities, or instance_info configuration. To restore the previous default, set the heat parameterIronicDefaultBootMode
tobios
.
The default UEFI iPXE bootfile is now snponly.efi. The boolean parameter IronicIPXEUefiSnpOnly was added to allow custom configuration. When set to true snponly is used, when false the previous default ipxe.efi is used. See bug: 1959726.
Deprecation Notes¶
The MlnxSDNUsername and MlnxSDNPassword have been deprecated and have no effect
The
MysqlIncreaseFileLimit
parameter has been deprecated and has no effect now.
The
IronicIpVersion
parameter has been deprecated and has no effect.
Using environments/enable-designate.yaml has been deprecated in favor of environments/services/designate.yaml, the current location for environment files that enable TripleO components.
With the switch to ephemeral heat for the overcloud, the UndercloudMinion is no longer viable. Deploying UndercloudMinion is not supported anymore and environments files to enable its deployment are dropped.
Bug Fixes¶
Adds the port used for directly accessing Ironic-Inspector using TLS, 13050, to the list of ports to permit inbound connections on.
Rsyslog config for haproxy (https://bugs.launchpad.net/tripleo/+bug/1953672)
Before this patch, invalid certificates would be detected close to the end of the deployment. In small environments, this comes fast but in an environment with a large number of nodes, failures would come really late after a few hours of deployment. With this validation, it now fails before step1 at host_prep_steps if the certificate is smaller than 512 bytes if UsePublicTLS is set to true and PublicSSLCertificateAutogenerated is set to false. It will also use openssl to verify the state of the certificate and fail if the certificate is invalid or expired.
When we install libvirt on a host, the system parameter
fs.aio-max-nr
is to 1048576. Since we containerized libvirtd, we lost this system parameter. We now make sure it’s defined by adding it from the nova-libvirt-common template.
Enable Swift replicators in single replica mode to ensure cleanup of old tombstone (.ts) files. Sleep interval between replication runs is set to 24 hours to prevent unneeded load on the systems if no replication is needed.
Other Notes¶
A new param MlnxSDNToken has been added to authenticate sdn controller
Steps are taken to minimize chances of confusion between the default block storage volume type established by the CinderDefaultVolumeType parameter, and cinder’s own __DEFAULT__ volume type.
In a new deployment where no volumes exist, cinder’s __DEFAULT__ type is deleted because it is redundant. In an upgrade scenerio, if volumes exist then the __DEFAULT__ type’s description is updated to indicate the actual default volume type is the one established by the CinderDefaultVolumeType parameter.
OvsDpdkDriverType
is now deprecated. Note that is had no effect since we upgraded to OVS 2.6, where we stopped supporting the configuration of DPDK driver in puppet-vswitch. Since then, we couldn’t change the driver; so we can safely deprecate this parameter and remove it in a future release.
“podman image prune” is no longer used on the undercloud to remove unused images during the undercloud update/upgrade. With the usage of ephemeral Heat, not all images will always be used by running or stopped containers, so “podman image prune” should not be used to clean up the local container image storage. Images that are no longer being used can still be removed individually with “podman rmi”.
15.1.0¶
Prelude¶
Environment file collectd-write-qdr.yaml no longer specifies a default CollectdAmqpInstances hash.
Enablement of data collection and transportation to an STF instance is now handled via existing templates.
New Features¶
Added new heat role specific parameter option ‘DdpPackage’ to select the required DDP Package.
Added new heat role specific param OVNAvailabilityZone to set availability-zones for ovn. This param replace seting availability-zones throught OVNCMSOptions
Adds two new parameters ‘IronicAuthStrategy’ and ‘NeutronAuthStrategy’ that defaults to ‘keystone’. This would allow deploying standalone ironic and neutron services without keystone using different ‘auth_strategies’ like ‘http_basic’ and ‘noauth’.
The libvirt driver has added support for hardware-offloaded OVS with vDPA (vhost Data Path Acceleration) type interfaces. vDPA allows virtio net interfaces to be presented to the guest while the datapath can be offloaded to a software or hardware implementation. This enables high performance networking with the portablity of standard virtio interfaces.
Nova added support for vhost-vdpa devices in Wallaby.
Added OVN DBs clustering support. In this service model, a clustered database runs across multiple hosts in multi-active mode.
To help operators protect their workload, they can now enable the KernelArgsDeferReboot role parameter. This will prevent the tripleo-kernel ansible module from automatically rebooting nodes even if KernelArgs were changed unexpectedly.
To support Glance Distributed Image Import, adding configuration of
worker_self_reference_url
by providing the internal API URL for each node where glance api will run with glance-direct method of image-import is enabled.
Add param NeutronAgentDownTime to configure neutron server agent_down_time Seconds to regard the agent as down; should be at least twice report_interval, to be sure the agent is down for good. agent_down_time is a config for neutron-server, set by class neutron::server report_interval is a config for neutron agents, set by class neutron
The new
ApacheTimeout
parameter has been added, which determines the timeout used for IO operations in Apache.
The following parameters add support for mounting Cinder’s image conversion directory on an external NFS share.
CinderImageConversionNfsShare
CinderImageConversionNfsOptions
A new
CinderPolicyEnforceNewDefaults
parameter adds the ability to disable Cinder’s deprecated authorization policies. The default value is False, which means Cinder’s deprecated policies are enabled. Setting the parameter to True disables the deprecated policies, which causes Cinder to enforce the project-admin, project-member, and project-reader RBAC personas. Support for system personas is planned for a future release.
Enable image copy for multiple RBD Glance stores
Previously when using multiple RBD glance stores the operator was responsible for copying the image to all stores. Nova-compute now has the ability to automatically copy an image to the local glance store when required. This change enables the feature and adds the following role specific parameters to control the behaviour.
NovaGlanceRbdCopyPollInterval
NovaGlanceRbdCopyTimeout
A new Heat parameter HAProxyConfigBackendSyntax news drives the generation of HAproxy configuration. Prior to that, every service was mapped to a ‘listen’ section in the configuration. Now a service definition is split in two sections ‘frontend’ and ‘backend’, which allow for more complex proxying configurations.
New configuration
IronicDefaultBootMode
allows to change the default boot mode to use for bare metal instances. The default for now remainsbios
for legacy BIOS boot but may switch touefi
in the future.
The new
MemcacheUseAdvancedPool
parameter is added which enables usage of advanced poll for memcached connections in keystone middleware. This parameter is set totrue
by default to avoind bursting connections in some services like neutron.
This change adds functionality to enable modular libvirt daemons. All these daemons runs in its respective container. Also the default configuration is to use modular libvirt daemons instead of monolithic libvirt daemon. Here is the list of libvirt daemon which are added in this change. - virtnodedevd - virtproxyd - virtqemud - virtsecretd - virtstoraged
It’s possible to define the individual log filters for each one of these daemon using the following new parameters: -
LibvirtVirtlogdLogFilters
-LibvirtVirtsecretdLogFilters
-LibvirtVirtnodedevdLogFilters
-LibvirtVirtstoragedLogFilters
-LibvirtVirtqemudLogFilters
-LibvirtVirtproxydLogFilters
More information regarding modular libvirt daemons is available here. Libvirt Daemons <https://libvirt.org/daemons.html> _.
Introduce new parameters {{role.name}}NetworkConfigUpdate. This will be a bool. When {{role.name}}NetworkConfigUpdate is True existing network configurations will be updated. By default, this is False and only new deployments will have the networks configured. This parameter is role based only, with no global option.
New config options for Neutron logging service plugin configuration were added. There are options added for L3 Agent:
NeutronL3AgentLoggingRateLimit
,NeutronL3AgentLoggingBurstLimit
,NeutronL3AgentLoggingLocalOutputLogBase
, for OVS agent:NeutronOVSAgentLoggingRateLimit
,NeutronOVSAgentLoggingBurstLimit
,NeutronOVSAgentLoggingLocalOutputLogBase
and for ML2/OVN backend:NeutronOVNLoggingRateLimit
,NeutronOVNLoggingBurstLimit
,NeutronOVNLoggingLocalOutputLogBase
.
Adds NovaRestrictLiveMigration boolean parmeter to enable an api policy to allow live migration only for a specific role which can be customized using NovaRestrictLiveMigrationRole. This feature is to prevent the default admin role users to be able to use live migration on coincidence. Additional policies specified using NovaApiPolicies get merged with this policy.
Adds new NovaCronArchiveDeleteRowsTaskLog parameter which controls to also archive task_log records while archiving the database. Defaults to true.
OctaviaLogOffload is now enabled by default, it creates a rsyslog container of the controllers that collects logs from the Octavia amphorae.
OctaviaWorkers and HorizonWorkers allow to configure the process workers count for the Octavia API and Horizon WSGI applications.
With conditional monitoring enabled in OVN, southbound ovsdb-serve takes lot of time in handling the monitoring and sending the updates to all its connected clients. Its takes lot of CPU. With monitor-all option, all ovn-controllers do not enable conditional monitoring there by reducing the load on the Southbound ovsdb-server.
Add support for OVS DPDK pmd auto balance parameters. This feature adds 3 new role specific THT parameters to set pmd-auto-lb-load-threshold, pmd-auto-lb-improvement-threshold, and pmd-auto-lb-rebal-interval in OVS through OvsPmdLoadThreshold, OvsPmdImprovementThreshold and OvsPmdRebalInterval respectively.
Introduce new parameter to configure OVS PMD Auto Load Balance for OVS DPDK
Users can now override or add individual entries to EndpointMap without having to specify complete EndpointMap in parameter_defaults section of an environment file.
The new
PlacementPolicies
parameter has been added.
Add support for the Pure Storage FlashBlade Manila driver
The following parmaeters have been added so that users can change timeout for communication over rpc call.
AodhRpcResponseTimeout
CeilometerRpcResponseTimeout
DesignateRpcResponseTimeout
HeatRpcResponseTimeout
IronicRpcResponseTimeout
ManilaRpcResponseTimeout
NeutronRpcResponseTimeout
NovaRpcResponseTimeout
OctaviaRpcResponseTimeout
The new
swift_recon_cron
container has been added to the SwiftStorage service, to reflect metrics related to async pendings to recon middleware in swift.
Upgrade Notes¶
Upgrades from OVN non-HA and OVN DBs pacemaker to OVN DBs clustered are currently not supported.
Changes the ironic PXE container TFTP service from
in.tftpd
to use thednsmasq
TFTP service. This is because thein.tftpd
service is not anticipated to be carried by Linux distributions moving forward, anddnsmasq
is actively maintained.
When upgrading an environment that uses collectd-write-qdr.yaml the CollectdAmqpInstances defaults previously specified need to be added to an administrator provided environment file and used during the overcloud deploy process.
When upgrading a deployment with the use of enable-stf.yaml, add the following files to your overcloud deployment command in order to maintain the existing services defined in enable-stf.yaml.
environments/metrics/collectd-write-qdr.yaml
environments/metrics/ceilometer-write-qdr.yaml
environments/metrics/qdr-edge-only.yaml
Mistral has been removed as it was Deprecated in Wallaby and is no longer in use.
With the change to EndpointMap interface, existing environments where it has been overridden have to specify ‘merge’ strategy in a new ‘parameter_merge_strategies’ section.
Support for Cavium/Liquidio has been removed.
`OS::TripleO::Services::LiquidioCompute`
has been removed and should be removed from role data during upgrade.
The
`ComputeLiquidio`
role has been removed.
The
CinderPowerStoreAppliances
parameter has been removed because it has had no effect since the actual parameter was deprecated in cinder.
Support for the HPE Lefthand cinder driver has been removed.
The
OS::TripleO::Services::CinderHPELeftHandISCSI
service was removed, so it should be removed from role data during upgrade.
The
OctaviaPostWorkflowName
parameter has been removed.
Zaqar has been removed as it was deprecated in Wallaby and is no longer in use on the undercloud. Additionally it hasn’t been supproted in the overcloud.
Deprecation Notes¶
The parameter IronicIPXEEnabled has been deprecated since Ironic uses per-node boot interfaces since Ussuri.
The environment environments/deployed-server-deployed-neutron-ports.yaml, the deployed-neutron-port.yaml template, and DeployedServerPortMap parameter are deprecated in favor of NodePortMap, ControlPlaneVipData, and VipPortMap, which can be used with the generated environments/deployed-ports.yaml.
The following parameters have been deprecated and have no effect.
ManilaIsilonDriverHandlesShareServers
ManilaVNXDriverHandlesShareServers
ManilaVMAXDriverHandlesShareServers
The
ManilaCephFSCephFSEnableSnapshots
parameter has been deprecated, and has no effect now. Manila always enables snapshot support in Ceph FS backend since Wallaby.
VPP service and Neutron ML2/VPP plugin are deprecated in Xena release. VPP service relies on puppet project which isn’t maintained for a while. Neutron ML2/VPP plugin is not actively supported in TripleO. Both services would be disabled in future releases.
This change deprecates the nova-libvirt-container-puppet.yaml heat-template which configures monolithic modular libvirt daemon. The newly added heat-template for modular libvirt daemons will be used to configure libvirt services in different containers.
This change removes NetworkDeploymentActions and {{role.name}}NetworkDeploymentActions. Since we can no longer rely on the Heat stack action when using Ephemeral Heat in tripleo.
The
Neutron(OVS|Vnic)VnicTypeBlackList
parameters are deprecated in favor of the newNeutron(OVS|Sriov)VnicTypeProhibitList
parameters.
The
NovaSchedulerQueryPlacementForAvailabilityZone
parameter has been deprecated. The parameter has no effect now.
The
AdminToken
parameter has been deprecated. Use the newKeystonePassword
parameter instead.
Security Issues¶
The OVN database servers in an OVN DBs clustering and TLS-everywhere deployment will listen on all IP addresses (0.0.0.0). This is a caveat that can only be addressed once RHBZ 1952038 is fixed.
Bug Fixes¶
The collectd-write-qdr.yaml no longer specifies a default CollectdAmqpInstances hash. When specified, it was not possible to override the parameter, resulting in a combined hash of the default values and the administrators custom values which could lead to unexpected issues.
Default of the
NovaSyncPowerStateInterval
parameter has been changed from 0 to 600, to use the default value consistent with the one defined in nova.
Fixes issues with PPC64le hardware utilization where documented steps require a
/tftpboot/ppc64le
folder to exist for artifacts to be placed as it is required path for the firmware loader in order to boot the kernel and ramdisk. The folder is now automatically created for the container.
The neutron agent report interval was recently changed from the 30s default to 300s. This caused issues whith timeouts when providing baremetal nodes. A new parameter IronicNeutronAgentReportInterval has been added with a default of 30s so that the report interval specifically for the networking baremetal agent is restored. See bug: 1940838.
NFSv4.2 is now there for long time and default in RHEL/CentOS 8. This changes the default for NovaNfsVersion to be v4.2 instead of v4 to have this the new default.
On the compute nodes, right now ssl certificates got created for libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required because the all services use the same NovaLibvirtNetwork network and therefore multiple certificates for the same hostname get created. Also from qemu point of view, if default_tls_x509_cert_dir and default_tls_x509_verify parameters get set for all certificates, there is no need to specify any of the other *_tls* config options. From Secure live migration with QEMU-native TLS
The intention (of libvirt) is that you can just use the default_tls_x509_* config attributes so that you don’t need to set any other *_tls* parameters, unless you need different certificates for some services. The rationale for that is that some services (e.g. migration / NBD) are only exposed to internal infrastructure; while some sevices (VNC, Spice) might be exposed publically, so might need different certificates. For OpenStack this does not matter, though, we will stick with the defaults.
Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile get removed (which defaulted to /etc/ipa/ca.crt anyways) and just use InternalTLSCAFile.
Also all cerfificates get created when EnableInternalTLS is true to and mount all SSL certificates from the host. This is to prevent certificate information is not available in a qemu’s process container environment if features get switched later, which has shown to be problematic.
Add the missing *Workers parameters into the low-memory footprint environment and set it to 1.
Other Notes¶
Using enable-stf.yaml now defines the expected configuration in OpenStack for use with Service Telemetry Framework. Removal of the defined resource_registry now requires passing additional environment files to enable the preferred data collectors and transport architecture, providing better flexibility to support additional architectures in the future.
The
iscsi_tcp
module is no longer loaded to support the operation of theironic-conductor
container as theiscsi
Deployment interface has been removed from Ironic.
Parameter
DhcpAgentNotification
is set toFalse
by default now. It should be set toTrue
in case when Neutron DHCP agent is going to be deployed. It shouldn’t be enabled with ML2/OVN backend.
These parameters can now be set per-role - DnfStreams, UpgradeInitCommand, UpgradeLeappCommandOptions, UpgradeLeappDevelSkip, UpgradeLeappToRemove, UpgradeLeappToInstall
15.0.0¶
New Features¶
New config option
OVNEncapType
was added to the ovn-controller-container-puppet.yaml module. It can be used to define what encapsulation type will be used in the deployment.
The parameters CephHciOsdCount and CephHciOsdType were added in order to support the derive parameters feature for hyperconverged deployments when using cephadm.
The
glance_api_cron
container has been introduced, which executes db purge job for Glance service. Use GlanceCronDbPurge* parameters to override cron parameters.
When nova_virtlogd container gets restarted the instance console auth files will not be reopened again by virtlogd. As a result either instances need to be restarted or live migrated to a different compute node to get new console logs messages logged again. Usually on receipt of SIGUSR1, virtlogd will re-exec() its binary, while maintaining all current logs and clients. This allows for live upgrades of the virtlogd service on non containerized environments where updates just by doing an RPM update. To reduce the likelihood in a containerized environment virtlogd should only be restarted on manual request, or on compute node reboot. It should not be restarted on a minor update without migration off instances. This introduces a nova_virtlogd_wrapper container and virtlogd wrapper script, to only restart virtlogd on either manual or compute node restart.
New parameter RbdDiskCachemodes allows to override the disk cache modes for RBD. Defaults to [‘network=writeback’].
Added Heat container tear down to the HeatEphemeral service to occur during upgrades. This will convert an undercloud from non-ephemeral heat to ephemeral heat when the service is enabled.
This changes the ServiceNetMap and VipSubnetMap interfaces to allow for server side env merging. This would, for example, allow for adding network for a new services without having to specify complete ServiceNetMap in parameter_defaults section of an environment file.
Upgrade Notes¶
With the change to ServiceNetMap/VipSubnetMap interface, existing environments where they are overridden have to specify ‘merge’ strategy for the parameters in a new ‘parameter_merge_strategies’ section.
Other Notes¶
In Wallaby, dcn-hci.yaml has been renamed to dcn-storage.yaml though a copy of dcn-hci.yaml was kept in place for backwards compatability until Xena. With the Xena release dcn-hci.yaml has been removed.