[release-announce] openstack-ansible 24.0.0 (xena)

no-reply at openstack.org
Wed Dec 22 08:49:01 UTC 2021


We jubilantly announce the release of:

openstack-ansible 24.0.0: Ansible playbooks for deploying OpenStack

This release is part of the xena release series.

The source is available from:

    https://opendev.org/openstack/openstack-ansible

Download the package from:

    https://tarballs.openstack.org/openstack-ansible/

Please report issues through:

    https://bugs.launchpad.net/openstack-ansible/+bugs

For more details, please see below.

24.0.0
^^^^^^


New Features
************

* Enable the VeNCrypt authentication scheme from the noVNC proxy to
  compute nodes. When using HTTPS, TLS encryption only covers the data
  between the tenant user and the proxy server. To also protect the leg
  from the noVNC proxy to the compute nodes, the VeNCrypt authentication
  scheme must be enabled for VNC.

  A pre-existing PKI (Public Key Infrastructure) setup is required.

  Initially, to help with the transition from unencrypted VNC to
  VeNCrypt, the compute node auth scheme allows both encrypted and
  unencrypted sessions, controlled by the variable
  *nova_vencrypt_auth_scheme*; this fallback will be removed in future
  releases.

* UEFI boot support has been added. To migrate from Legacy BIOS
  mode, define *boot_mode:uefi* as a capability for baremetal nodes
  that support UEFI. In addition, corresponding flavor(s) will need to
  be created or modified to include *boot_mode:uefi* as a capability
  for scheduling to occur against UEFI nodes.

* Implemented the new variable "connection_recycle_time", which controls
  SQLAlchemy's connection recycling.

* The Galera role now leverages the PKI role for creation and
  distribution of certificates and certificate authorities. This
  introduces a number of new variables that control CA and certificate
  generation details. If user SSL certificates are provided, they are
  used instead of the generated ones.

  The following new variables were introduced:

  * galera_ssl_verify

  * galera_pki_dir

  * galera_pki_create_ca

  * galera_pki_regen_ca

  * galera_pki_certificates

  * galera_pki_regen_cert

  * galera_pki_authorities

  * galera_pki_install_ca

  * galera_pki_keys_path

  * galera_pki_certs_path

  * galera_pki_intermediate_cert_name

  * galera_pki_intermediate_cert_path

  * galera_pki_install_certificates

* MariaDB now uses TLS encryption by default. A certificate is issued
  and signed by the internal CA using the PKI role. Deployers can
  disable encryption of MariaDB connections by setting "galera_use_ssl:
  false" in their user_variables.yml. Client certificates can still be
  provided, and they will be distributed with the PKI role as well.

* Added the variable *horizon_policy_overrides*, which allows
  horizon-specific policies to be customized. As we don't want to carry
  and maintain horizon policies in OSA, they are retrieved from the
  horizon hosts and adjusted in place, which means they will not roll
  back if you simply remove the override. *horizon_policy_overrides*
  also has a non-standard format: it is a nested dictionary whose
  first-level key is the service whose policy needs to be overridden,
  and whose value is in the normal policy override format.

* Support for the networking-baremetal mechanism driver and agent
  has been implemented. The ironic-neutron-agent is a neutron agent
  that populates the host to physical network mapping for baremetal
  nodes in neutron. Neutron uses this to calculate the segment to host
  mapping information. This feature may be enabled by adding
  "ml2.baremetal" to the "neutron_plugin_types" list in
  "/etc/openstack_deploy/user_variables.yml".

* The "provider_networks" library has been updated to support the
  definition of bond member interfaces that can automatically be added
  as bond ports to OVS provider bridges set up during a deployment.
  This feature is currently limited to DPDK-based deployments. To
  activate this feature, add the "network_bond_interfaces" key to the
  respective provider network definition in
  "openstack_user_config.yml". For more information, refer to the
  latest Open vSwitch w/ DPDK deployment guide.

* Added the variables "systemd_run_dir" and "systemd_lock_dir", which
  control the run and lock paths for directories used by systemd
  services. The variables should not include the service name, since it
  is appended to the provided path by default. These variables can also
  be defined as keys inside "systemd_services", where they take
  precedence over the default behaviour.

* Default run path for systemd services has been changed to "/run"
  and lock path to "/run/lock".

* Nova now defaults to using the "QEMU-native TLS" feature for live
  migrations, rather than the deprecated SSH method. A pre-existing PKI
  (Public Key Infrastructure) setup is required.

  QEMU-native TLS requires all compute hosts to accept TCP connections
  on port 16514 and port range 49152 to 49261.

  More information can be found here:
  https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html


Deprecation Notes
*****************

* For consistency reasons, "octavia_db_pool_size" was deprecated in
  favor of "octavia_db_max_pool_size", which follows the standardized
  format used in other repositories. Support for "octavia_db_pool_size"
  will be removed in the Yoga release.

* For consistency reasons, "neutron_db_pool_size" was deprecated in
  favor of "neutron_db_max_pool_size", which follows the standardized
  format used in other repositories. However, it will be supported
  until the Yoga release.

* For consistency reasons, the following variables were deprecated in
  favor of new ones in the standardized format used in other
  repositories:

  * "keystone_database_pool_timeout" -> "keystone_db_pool_timeout"

  * "keystone_database_max_pool_size" -> "keystone_db_max_pool_size"

  * "keystone_database_idle_timeout" -> "keystone_db_connection_recycle_time"

  However, they will be supported until the Yoga release.

* "keystone_database_min_pool_size" was deprecated, as it is deprecated
  in oslo.db.

* The variable "systemd_lock_path" has been dropped and has no effect
  now. To customize the lock dir path, please use "systemd_lock_dir".
  Please keep in mind that for "systemd_lock_dir" you do not need to
  provide the full path as you did with "systemd_lock_path", since the
  service name is appended to the end of the path.

* The following variables were removed in favor of the PKI ones and
  have no effect anymore:

  * galera_ssl_self_signed_regen

  * galera_ssl_self_signed_subject

  * galera_ssl_ca_self_signed_subject

* We removed multiple web server support for keystone and left only
  Apache, since nginx is missing features required for a federation
  setup. With this change the following variables are deprecated and
  have no effect:

  * keystone_web_server

  * keystone_centos_nginx_mirror

  * keystone_centos_nginx_key

  * keystone_nginx_access_log_format_combined

  * keystone_nginx_access_log_format_extras

  * keystone_nginx_ports

  * keystone_nginx_extra_conf

  The Nginx web server will be removed and replaced with Apache during
  upgrade.

* Variable "nova_enabled_vgpu_types" has been deprecated and is
  replaced with "nova_enabled_mdev_types".
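
As an added example (not part of this announcement or of the openstack-ansible project), a dependency-free Python audit that flags, in a flat user_variables.yml, the variables the Deprecation Notes above deprecate or drop, and derives a "systemd_lock_dir" value from an old "systemd_lock_path". The sample file is constructed, and the helper assumes the old lock path ended in the service name, as the note describes.

```python
import re
# Old name -> replacement, taken from the Deprecation Notes above.
STALE_VARS = {
    "octavia_db_pool_size": "octavia_db_max_pool_size",
    "neutron_db_pool_size": "neutron_db_max_pool_size",
    "keystone_database_pool_timeout": "keystone_db_pool_timeout",
    "keystone_database_max_pool_size": "keystone_db_max_pool_size",
    "keystone_database_idle_timeout": "keystone_db_connection_recycle_time",
    "systemd_lock_path": "systemd_lock_dir",
    "nova_enabled_vgpu_types": "nova_enabled_mdev_types",
}
# Variables that now have no effect at all (oslo.db, PKI role, Apache-only
# keystone): mapped to None, meaning "remove it, nothing to rename to".
STALE_VARS.update({name: None for name in (
    "keystone_database_min_pool_size", "galera_ssl_self_signed_regen",
    "galera_ssl_self_signed_subject", "galera_ssl_ca_self_signed_subject",
    "keystone_web_server", "keystone_centos_nginx_mirror",
    "keystone_centos_nginx_key", "keystone_nginx_access_log_format_combined",
    "keystone_nginx_access_log_format_extras", "keystone_nginx_ports",
    "keystone_nginx_extra_conf")})

# user_variables.yml is a flat top-level mapping, so a dependency-free scan
# for "name:" at column 0 is enough; nested keys and comments are skipped.
_TOP_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")

def audit_user_variables(text):
    """Return (line_no, name, replacement) for each stale top-level key;
    replacement is None when the variable simply has no effect anymore."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _TOP_KEY.match(line)
        if m and m.group(1) in STALE_VARS:
            findings.append((line_no, m.group(1), STALE_VARS[m.group(1)]))
    return findings

def lock_dir_from_lock_path(old_path, service_name):
    """Derive a systemd_lock_dir value from an old systemd_lock_path. The
    note above says the old value was the full path and the new one must
    omit the service name (assumed here to be the last component)."""
    head, _, tail = old_path.rstrip("/").rpartition("/")
    return head if tail == service_name else old_path.rstrip("/")

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
galera_use_ssl: true
keystone_database_idle_timeout: 600
keystone_web_server: nginx
systemd_lock_path: /run/lock/keystone
nova_enabled_vgpu_types:
  - nvidia-35
"""

if __name__ == "__main__":
    for line_no, name, new in audit_user_variables(SAMPLE):
        print(f"line {line_no}: {name} -> {new or 'no effect, remove it'}")
```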


Bug Fixes
*********

* Fixed inconsistency in "haproxy_frontend_raw" key naming between
  documentation and service template. Previously, template generation
  was expecting "haproxy_raw" instead of the "haproxy_frontend_raw".

* For deployers using Keystone as an OIDC-based Service Provider
  there has been a spelling fix for the OIDCScope setting. Please use
  "keystone_sp.trusted_idp_list.0.oidc_scope" instead of
  "keystone_sp.trusted_idp_list.0.idc_scope".

* This release addresses an issue which could cause wheels to fail
  to be built when upgrading from one operating system to another.
  Upgrading to this release is recommended before attempting an
  operating system upgrade.


Other Notes
***********

* Set a new default value for "galera_wait_timeout" which is
  inherited from global "openstack_db_connection_recycle_time".

* Set new default values for db pooling variables which are
  inherited from the global ones.

Changes in openstack-ansible 23.0.0.0rc1..24.0.0
------------------------------------------------

b88a4783f Bump OpenStack-Ansible for Xena RC2 and release
eda30de65 Set galera to use TLS for connections by default
d33e0bcd2 Change haproxy variable used to set security headers to haproxy_frontend_raw
9c17fd726 [doc] Add Xena compatible OS
97060d391 Fix ceph-ansible shallow_since
50c8a2283 Add documentation of security improvements made to Openstack Ansible
c2f3bfe6a [doc] Clean out project index page for stable branches
9fd96ddc9 Update TOX_CONSTRAINTS_FILE for stable/xena
d3e2e3f99 Update .gitreview for stable/xena
a0cfc507e Freeze roles for Xena RC1
97b837826 Add nfs deployment scenario
b58dbee2a Remove retrievement of config_tempalte as a module
3c76df5f7 Reduce manila CI check memory consumption
76cd97b1e Reduce ceph memory overhead for AIO by setting is_hci to true
1fd3e0c44 Do not fail when nova console is disabled
a433db53a Update ceph-ansible release to pacific
be16cc841 From now on, we will change default values for database connection pooling in each role
2ea412bae Ensure hardware facts are gathered for galera hosts.
b6fe07ecf Add security headers to HAProxy Horizon service
b859d5897 Add config_tempalte to collections
92f8639ec Configure HAProxy to check Horizon's login page
fbbf1e275 Globally define systemd_lock_dir
db79a0f27 Pin uWSGI version
678b14c21 Do not upgrade packages without upgrades
68d8bd272 Remove provider_networks from neutron playbook
d7b5f6cda Increase Apache thread limit for keystone
8b7a5e4d0 Deprecate OVN-related haproxy configuration
c564ad9a0 Minor update of openstack collection
3504694b4 Fix error in dynamic-address-fact task
3e4fffec9 Bump ansible and collection versions
067df8fb7 Remove note about metal/horizon compatability
d27d4daed Add playbook to generate any user defined certificates
e62392648 Switch services to track stable/xena
002fb0910 Remove reference to deprecated python-ceilometerclient
834cd874c [doc] Fix netplan sample
78d9a8596 Fix manila haproxy manage
5505d4a14 Use cinder defaults for cinder_management_address
7a2be19d6 Implements framework for ironic_neutron_agent and Neutron 'baremetal' plugin
1c75669df Remove unnecessary pki step in haproxy install
a74caa919 Bump OpenStack-Ansible master
6e9da4753 Add serial execution to all playbooks
f05092277 Change pki_create_ca condition
aeb20518f Bump ansible version to 2.11.5
464d7e5d3 Bump collection versions
ffd5f8859 Revert "Add integrated build job to use in sahara repo"
172779f54 Replace deprecated include statement
5e8b57ad0 Bump OpenStack-Ansible master
430a0bc1f Include openstack_services for murano role
d1e727ed3 Replace deprecated collection names
6e50398f0 Update pip version
e1937b3f1 Switch ceph-ansible to Pacific
c9f403099 Enable tempest tests for sahara
2dc1611f1 Add heat service when scenario includes sahara
3d59c738f Add integrated build job to use in sahara repo
6e45de76f Switch CentOS upgrade jobs to Stream ones
5451778f4 Move galera tasks to pre_tasks
afebcb984 Set bullseye jobs to voting
e48485b83 Add guide for distribution upgrades to docs
3cb74de15 Set doc jobs to voting
9e535931a skip -W on sphinx-build for translation.
ed035fb27 Add shallow_since to parallel git clone
e1adb7d9f Bump master branch
a332bda37 Fix permissions for files created on repo server
9b9d6b883 Revert "set non-voting for broken tox-doc test"
17f92b0f5 haproxy: decrease check interval for letsencrypt back ends
de64a324e set non-voting for broken tox-doc test
cea883dfc Do not use https for metadata service with calico networking
3088fe204 Deprecate os-panko role
0965d2a22 Moving IRC network reference to OFTC
6e22c20cd Imported Translations from Zanata
aab4de765 Start Xena cycle
1ee9b1bbe Update master for stable/wallaby


Diffstat (except docs and test files)
-------------------------------------

.gitreview                                         |   2 +-
ansible-collection-requirements.yml                |  15 +-
ansible-role-requirements.yml                      | 235 +++++++++--------
deploy-guide/source/conf.py                        |   4 +-
deploy-guide/source/configure.rst                  |   2 -
.../admin/upgrades/distribution-upgrades.rst       | 281 +++++++++++++++++++++
.../admin/upgrades/os-compatibility-matrix.html    |  25 ++
etc/netplan/01-static.yml                          |   2 +-
etc/openstack_deploy/conf.d/ceph.yml.aio           |   4 +
etc/openstack_deploy/conf.d/panko.yml.aio          |   3 -
etc/openstack_deploy/conf.d/panko.yml.example      |   8 -
etc/openstack_deploy/env.d/aio_metal.yml.example   |   3 -
etc/openstack_deploy/user_secrets.yml              |   4 -
global-requirement-pins.txt                        |   5 +-
inventory/env.d/neutron.yml                        |   4 +
inventory/group_vars/all/all.yml                   |  14 +-
inventory/group_vars/all/ceph.yml                  |   2 +-
inventory/group_vars/all/infra.yml                 |   1 +
inventory/group_vars/all/nova.yml                  |   4 +
inventory/group_vars/cinder_all.yml                |   3 -
inventory/group_vars/haproxy/haproxy.yml           |  74 ++----
inventory/inventory.ini                            |   6 +-
playbooks/ceph-rgw-keystone-setup.yml              |  10 +-
playbooks/certificate-authority.yml                |   2 +-
playbooks/certificate-generate.yml                 |  32 +++
playbooks/common-playbooks/neutron.yml             |  20 --
playbooks/common-tasks/dynamic-address-fact.yml    |   6 +-
playbooks/defaults/distro_install.yml              |   1 -
playbooks/defaults/repo_packages/gnocchi.yml       |   2 +-
playbooks/defaults/repo_packages/nova_consoles.yml |   4 +-
.../defaults/repo_packages/openstack_services.yml  | 220 ++++++++--------
playbooks/etcd-install.yml                         |   1 +
playbooks/galera-install.yml                       |  19 +-
playbooks/haproxy-install.yml                      |   8 +-
playbooks/library/git_requirements.py              |  64 +++--
playbooks/memcached-install.yml                    |   1 +
playbooks/os-aodh-install.yml                      |   1 +
playbooks/os-barbican-install.yml                  |   1 +
playbooks/os-blazar-install.yml                    |   1 +
playbooks/os-ceilometer-install.yml                |   1 +
playbooks/os-cinder-install.yml                    |  16 +-
playbooks/os-designate-install.yml                 |   1 +
playbooks/os-glance-install.yml                    |   6 +-
playbooks/os-gnocchi-install.yml                   |   1 +
playbooks/os-heat-install.yml                      |   1 +
playbooks/os-horizon-install.yml                   |   1 +
playbooks/os-ironic-install.yml                    |   1 +
playbooks/os-magnum-install.yml                    |   1 +
playbooks/os-manila-install.yml                    |   5 +-
playbooks/os-masakari-install.yml                  |   2 +
playbooks/os-mistral-install.yml                   |   1 +
playbooks/os-murano-install.yml                    |   2 +
playbooks/os-neutron-install.yml                   |   8 +-
playbooks/os-octavia-install.yml                   |   1 +
playbooks/os-panko-install.yml                     |  40 ---
playbooks/os-placement-install.yml                 |   1 +
playbooks/os-sahara-install.yml                    |   1 +
playbooks/os-senlin-install.yml                    |   1 +
playbooks/os-tacker-install.yml                    |   1 +
playbooks/os-trove-install.yml                     |   1 +
playbooks/os-zun-install.yml                       |   1 +
playbooks/qdrouterd-install.yml                    |   2 +-
playbooks/rabbitmq-install.yml                     |   4 +-
playbooks/repo-install.yml                         |   1 +
playbooks/setup-hosts.yml                          |   1 +
playbooks/setup-openstack.yml                      |   1 -
playbooks/unbound-install.yml                      |   1 +
playbooks/utility-install.yml                      |   1 +
.../notes/VNC-proxy-security-520e6dac6bad0018.yaml |  16 ++
.../adds-uefi-boot-support-18ad99dd21f7e8be.yaml   |   7 +
.../notes/ceph_pacific-9952da2810a737c1.yaml       |  12 +
.../notes/db-pooling-14f33d291a246203.yaml         |   2 +
.../notes/db-pooling-15b6222fedc2cb8c.yaml         |   7 +
.../notes/db-pooling-7c42f3aed39d5fc9.yaml         |   2 +
.../notes/db-pooling-91ac966776313feb.yaml         |   7 +
.../notes/db-pooling-cec321004b4a8a79.yaml         |   4 +
.../notes/db-pooling-f078d5d7668377b2.yaml         |  11 +
...eprecate-ovn-haproxy-vips-061652cd82342819.yaml |   6 +
...precate_systemd_lock_path-fba3aff8b1b4468d.yaml |   9 +
.../notes/dperecate_os_panko-0d2f6822ffc8fd43.yaml |   7 +
.../notes/galera_pki-2d6d77a86e8475cd.yaml         |  34 +++
.../notes/galera_use_ssl-e906b5ba8b2e62ef.yaml     |   9 +
.../haproxy_frontend_raw-0811d5d445a66b41.yaml     |   6 +
.../horizon_policy_overrides-ca84702ef993ea92.yaml |  10 +
.../keystone_drop_nginx-5e7791d22f0be48a.yaml      |  16 ++
...etal-plugin-agent-support-cfb06fa4faf85bdc.yaml |   8 +
.../notes/neutron-dpdk-bonds-4dd98fc0b341ebfb.yaml |  10 +
.../notes/nova_mdev_types-df92fb3d1ce339ec.yaml    |   5 +
...e-oidc-scope-spelling-fix-3051b95adeb37901.yaml |   7 +
...-upgrade-requirements-fix-bcc81b049339e9b5.yaml |   7 +
.../notes/security-headers-87de60203899fdbb.yaml   |  19 ++
.../systemd_run_lock_dir-5b4b0cad9c860ce0.yaml     |  12 +
.../notes/tls-migration-3ed93cc04dab5eee.yaml      |  13 +
releasenotes/source/index.rst                      |   1 +
releasenotes/source/wallaby.rst                    |   6 +
scripts/bootstrap-ansible.sh                       |   2 +-
scripts/gate-check-commit.sh                       |   2 +-
scripts/get-ansible-role-requirements.yml          |   5 +-
scripts/openstack-ansible.rc                       |   5 +-
scripts/run-upgrade.sh                             |  12 +-
.../bootstrap-host/tasks/prepare_aio_config.yml    |  16 +-
.../templates/user_variables.aio.yml.j2            |   5 +-
.../templates/user_variables_ceph.yml.j2           |   1 +
.../templates/user_variables_manila.yml.j2         |   6 +-
.../templates/user_variables_murano.yml.j2         |   2 +-
.../templates/user_variables_nfs.yml.j2            |   9 +
.../templates/user_variables_sahara.yml.j2         |  26 +-
tox.ini                                            |   5 +-
zuul.d/jobs.yaml                                   |  26 +-
zuul.d/project-templates.yaml                      |  22 +-
134 files changed, 1585 insertions(+), 720 deletions(-)