[release-announce] kolla-ansible 11.4.0 (victoria)

no-reply at openstack.org no-reply at openstack.org
Thu Apr 28 10:30:40 UTC 2022


We enthusiastically announce the release of:

kolla-ansible 11.4.0: Ansible Deployment of Kolla containers

This release is part of the victoria stable release series.

The source is available from:

    https://opendev.org/openstack/kolla-ansible

Download the package from:

    https://tarballs.openstack.org/kolla-ansible/

Please report issues through:

    https://bugs.launchpad.net/kolla-ansible/+bugs

For more details, please see below.

11.4.0
^^^^^^


New Features
************

* Adds a "tls_connect" module to the Prometheus blackbox exporter.
  This can be used to test connectivity of TLS servers.

* Implements container healthchecks for ironic-neutron-agent
  service. See blueprint

* Adds support for libvirt SASL authentication. It is enabled by
  default. LP#1964013


Known Issues
************

* Existing fluentd log rotation failed to delete old haproxy, swift,
  glance-tls-proxy and neutron-tls-proxy logs. These will not be
  deleted by the new logrotate config and will have to be removed
  manually.


Upgrade Notes
*************

* The addition of libvirt SASL authentication requires a new
  password in "passwords.yml", "libvirt_sasl_password". This may be
  generated using the existing "kolla-genpwd" and "kolla-mergepwd"
  tooling.

* The addition of libvirt SASL authentication requires both the
  "nova_libvirt" and "nova_compute" containers to be updated
  simultaneously, using new images with the necessary Cyrus SASL
  dependencies, as well as configuration containing the SASL
  credentials.

* Updates the default value of "node_custom_config" to
  "{{ node_config }}/config", when specified using --configdir.


Security Issues
***************

* Explicitly removes the "net.ipv4.ip_forward" sysctl from
  "/etc/sysctl.conf" on hosts with Neutron L3 Agent. In the absence of
  another source for this sysctl, it should revert to the default of 0
  after the next reboot. This is a follow up to a previous change
  which stopped setting the sysctl, but leaves existing systems with
  the original value of 1 set.

  A deployer looking to more aggressively change the value may set
  "neutron_l3_agent_host_ipv4_ip_forward" to 0 using a Yoga release of
  Kolla Ansible. This option will be removed in future. Any
  deployments still relying on the previous value may set
  "neutron_l3_agent_host_ipv4_ip_forward" to 1. LP#1945453

* Fixes an issue where the default configuration of libvirt did not
  use authentication for the API exposed over TCP on the internal API
  network. This allowed anyone with access to the internal API network
  read-write access to libvirt. While the internal API network is
  typically trusted, other services on this network generally at least
  require authentication.

  SASL authentication is now enabled for libvirt by default. Kolla
  Ansible supports libvirt TLS since the Train release, and this is
  recommended to provide a higher level of security. LP#1964013
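
The first item above depends on no other persistent source setting the sysctl. The following check is an added example, not part of the release notes or of kolla-ansible; it lists every file that still assigns "net.ipv4.ip_forward". The function names and the ROOT prefix argument are hypothetical, and the script reports sources without resolving precedence between them.

```shell
#!/bin/sh
# Added example (not kolla-ansible code). ROOT is a hypothetical prefix so the
# check can be pointed at a mounted image or a test tree; empty means live host.

# Print "path=value" for every uncommented ip_forward assignment under ROOT.
# A sysctl.d symlink to /etc/sysctl.conf is reported under both paths.
ip_forward_sources() {
    root="${1:-}"
    for f in "$root/etc/sysctl.conf" \
             "$root"/etc/sysctl.d/*.conf \
             "$root"/run/sysctl.d/*.conf \
             "$root"/usr/local/lib/sysctl.d/*.conf \
             "$root"/usr/lib/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        # Accept dotted or slash key form, an optional "-" prefix and
        # whitespace around "="; skip "#" and ";" comment lines.
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }
            {
                line = $0
                sub(/^[ \t]*-?/, "", line)
                n = index(line, "=")
                if (n == 0) next
                key = substr(line, 1, n - 1)
                val = substr(line, n + 1)
                gsub(/[ \t]/, "", key); gsub("/", ".", key)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (key == "net.ipv4.ip_forward") print file "=" val
            }' "$f"
    done
}

# Summarise: "enabled" if any source sets 1, "explicit-0" if sources only set
# other values, "unset" if nothing persistent sets the key (kernel default 0).
ip_forward_persistent_state() {
    sources=$(ip_forward_sources "${1:-}")
    if [ -z "$sources" ]; then echo "unset"; return; fi
    if printf '%s\n' "$sources" | grep -q '=1$'; then
        echo "enabled"
    else
        echo "explicit-0"
    fi
}
```

On a Neutron L3 Agent host, call ip_forward_persistent_state with no argument and compare the result with the runtime value from "sysctl -n net.ipv4.ip_forward", which keeps the old value until the next reboot.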


Bug Fixes
*********

* Continue to run all actions if one action failed in Elasticsearch
  curator. LP#1954720

* Fixes Nova resize failing when "migration_interface" is
  customised. LP#1956976

* Fixes Glance with Cinder iSCSI backend failing due to lack of
  lock_path setting. LP#1959663

* Fixes logrotate config missing for openvswitch and prometheus
  services. LP#1961795

* Fixes an issue with Ironic's PXE components not getting updated on
  upgrade. LP#1963752

* Fixes configuration of the Prometheus HTTP API URL when using the
  Prometheus collector in CloudKitty. LP#1961615

* Fixes the baremetal role to avoid the error 'Unable to remove
  "libvirtd"'. The symlink
  /etc/apparmor.d/disable/usr.sbin.libvirtd is now created by the
  role. LP#1960302

* Existing fluentd log rotation failed to delete old haproxy, swift,
  glance-tls-proxy and neutron-tls-proxy logs. Standardise rotation
  and deletion of logs using logrotate.

* Adds back the option to configure the RabbitMQ clustering
  interface via Kolla. LP#1900160
  <https://bugs.launchpad.net/kolla-ansible/+bug/1900160>

* Fixes an issue where the Libvirt AppArmor profile is disabled and
  the bootstrap-servers process tries to remove it. See bug 1909874
  for details.

* Fixes an issue seen when using Jinja2 3.1.0.

* Fixes the configuration option setting the type of endpoint used
  by Neutron to send requests to Placement. LP#1960503

* Fixes a configuration issue with Node Exporter causing all file
  system metrics of a host to be identical. LP#1961438

* Fixes an issue where RabbitMQ was configured to mirror classic
  transient queues for all services. According to the RabbitMQ
  documentation this is not a supported configuration, and contributed
  to numerous bug reports. In order to avoid making unexpected changes
  to the RabbitMQ cluster, it is necessary to set
  "rabbitmq_remove_ha_all_policy" to "yes" in order to apply this fix.
  This variable will be removed in the Yoga release. LP#1954925

* Fixes an issue with Cinder upgrade where Cinder services would
  remain pinned to the previous release's RPC & object versions.
  LP#1954932

Changes in kolla-ansible 11.3.0..11.4.0
---------------------------------------

ff40c4b46 [CI] Make kolla-build quiet
2764844ee Allow removal of classic queue mirroring for internal RabbitMQ
a4e2d5a15 Use jinja2.pass_context instead of contextfilter
9b135d965 re-add rabbitmq config for clustering interface
cc09abda3 designate: fix external backend deployment
ef8b02f7b Ironic: rebootstrap ironic-pxe on upgrade
d2b62b50c cinder: restart services after upgrade
9e3e0d112 CI: pin ansible-lint to <6
536ffc3f7 libvirt: support SASL authentication
1885df05d Explicitly unset net.ipv4.ip_forward sysctl
c2fadc230 Remove grafana [session] configuration
7d2bbbad0 Add openvswitch and prometheus to logrotate
c7530df58 Fix location of release note for ironic-neutron-agent healthcheck
84eaf2fb2 cloudkitty: fix URL used for Prometheus collector
e4f93a60a Configure node-exporter to report correct file system metrics
a759ca44f Fix fluentd v1 buffer syntax issue
e8d94e01c Refactor fluentd syslog logging
f0294fb5b Fix remove libvirt apparmor disabled profile
13ac92167 [CI] Check fluentd errors
c37bf3e06 Fix Apparmor libvirt profile removal
535632672 CI: Fix new ansible-lint failures
d5bd75180 neutron: fix placement endpoint type configuration
aaa56405d Fix log rotation for fluentd created files
3cf4fe128 [CI] Replace parted with lsblk
f8ae355c5 Glance: add lock_path setting
d69b7008a prometheus: add tls_connect blackbox module
a967556da Fix usage of Subject Alternative Name for TLS
4e3945336 update the default value of node_custom_config
7593c1153 Make nova_ssh listen on api_interface as well
149e6dd79 Use Docker healthchecks for ironic-neutron-agent services
7fefa5a54 Continue to run all actions if one action failed in curator


Diffstat (except docs and test files)
-------------------------------------

.ansible-lint                                      |   6 +
ansible/group_vars/all.yml                         |   2 +-
ansible/roles/baremetal/tasks/install.yml          |   2 +-
ansible/roles/baremetal/tasks/post-install.yml     |  13 +-
.../roles/certificates/tasks/generate-backend.yml  |   2 +
ansible/roles/certificates/tasks/generate.yml      |   4 +
.../templates/openssl-kolla-internal.cnf.j2        |   4 +-
.../certificates/templates/openssl-kolla.cnf.j2    |   4 +-
ansible/roles/cinder/defaults/main.yml             |   9 +
ansible/roles/cinder/handlers/main.yml             |  20 ++
ansible/roles/cinder/tasks/reload.yml              |  10 +
ansible/roles/cinder/tasks/upgrade.yml             |   2 +
ansible/roles/cloudkitty/defaults/main.yml         |   2 +-
ansible/roles/common/defaults/main.yml             |  24 +++
ansible/roles/common/tasks/config.yml              |   5 +-
.../conf/filter/00-record_transformer.conf.j2      |  27 +--
.../common/templates/conf/output/00-local.conf.j2  | 214 ++-------------------
.../common/templates/conf/output/01-es.conf.j2     |   6 +-
.../templates/conf/output/02-monasca.conf.j2       |   4 +-
.../templates/cron-logrotate-haproxy.conf.j2       |   2 +-
.../templates/cron-logrotate-openvswitch.conf.j2   |   3 +
.../templates/cron-logrotate-prometheus.conf.j2    |   3 +
ansible/roles/common/templates/fluentd.json.j2     |  27 +--
ansible/roles/designate/tasks/backend_external.yml |   2 +
.../templates/elasticsearch-curator-actions.yml.j2 |  14 +-
ansible/roles/glance/templates/glance-api.conf.j2  |   3 +
ansible/roles/grafana/templates/grafana.ini.j2     |   8 -
ansible/roles/ironic/tasks/bootstrap.yml           |  19 --
ansible/roles/ironic/tasks/bootstrap_service.yml   |  19 ++
ansible/roles/neutron/defaults/main.yml            |  15 ++
ansible/roles/neutron/tasks/config-host.yml        |   2 +
ansible/roles/neutron/templates/neutron.conf.j2    |   2 +-
ansible/roles/nova-cell/defaults/main.yml          |   8 +
ansible/roles/nova-cell/handlers/main.yml          |  15 ++
ansible/roles/nova-cell/tasks/config.yml           |  20 ++
ansible/roles/nova-cell/tasks/precheck.yml         |  17 +-
ansible/roles/nova-cell/templates/auth.conf.j2     |   6 +
ansible/roles/nova-cell/templates/libvirtd.conf.j2 |   3 +-
.../roles/nova-cell/templates/nova-compute.json.j2 |   8 +-
.../roles/nova-cell/templates/nova-libvirt.json.j2 |  12 ++
ansible/roles/nova-cell/templates/sasl.conf.j2     |   2 +
ansible/roles/nova-cell/templates/sshd_config.j2   |   3 +
ansible/roles/prometheus/defaults/main.yml         |   3 +-
.../templates/prometheus-blackbox-exporter.yml.j2  |   4 +
.../templates/prometheus-node-exporter.json.j2     |   2 +-
ansible/roles/rabbitmq/defaults/main.yml           |   2 +
ansible/roles/rabbitmq/tasks/config.yml            |  18 ++
ansible/roles/rabbitmq/tasks/deploy.yml            |   3 +
.../roles/rabbitmq/tasks/remove-ha-all-policy.yml  |  29 +++
ansible/roles/rabbitmq/tasks/upgrade.yml           |   3 +
.../roles/rabbitmq/templates/advanced.config.j2    |   7 +
.../roles/rabbitmq/templates/definitions.json.j2   |   4 +
ansible/roles/rabbitmq/templates/rabbitmq.json.j2  |   6 +
etc/kolla/globals.yml                              |   2 +-
etc/kolla/passwords.yml                            |   5 +
kolla_ansible/filters.py                           |  14 +-
kolla_ansible/kolla_address.py                     |   8 +-
kolla_ansible/put_address_in_context.py            |  21 +-
.../blackbox-tls-connect-517cd8ebdf87f16e.yaml     |   5 +
.../notes/bug-1945453-2-287bfcaf060689d8.yaml      |  16 ++
.../notes/bug-1954720-4fc48610a56f3e98.yaml        |   6 +
.../notes/bug-1956976-8a2623ca1fbfd546.yaml        |   5 +
.../notes/bug-1959663-afda889b9aa4c63f.yaml        |   6 +
.../notes/bug-1961795-16fb2ac27152fc03.yaml        |   6 +
.../notes/bug-1963752-ee12e15c17c24bb0.yaml        |   6 +
...cloudkitty-prometheus-url-ee14bc486e810631.yaml |   6 +
...r-libvirt-profile-removal-01db6ca6dd66879f.yaml |   7 +
.../fix-haproxy-logrotate-e299a0000728fd8f.yaml    |  12 ++
...q-interface-configuration-b39c954fb8763d9c.yaml |   6 +
...apparmor-disabled-profile-2cab584eec729b71.yaml |   6 +
...-for-ironic-neutron-agent-61ec4d0d237da075.yaml |   6 +
.../jinja2-pass-context-2afc328ade8c407b.yaml      |   4 +
.../notes/libvirt-sasl-404199143610fb75.yaml       |  27 +++
...n-placement-endpoint-type-90073ba5ecc9e663.yaml |   6 +
...porter-filesystem-metrics-d3ae7b0a892d2957.yaml |   6 +
...ue-mirroring-for-rabbitmq-d54b9e7e25e57a88.yaml |  10 +
.../notes/unpin-cinder-rpcs-8eb7e0858a91b9b8.yaml  |   6 +
...update-node-custom-config-7b378b25ce22779f.yaml |   5 +
test-requirements.txt                              |   2 +-
84 files changed, 613 insertions(+), 327 deletions(-)


Requirements updates
--------------------

diff --git a/test-requirements.txt b/test-requirements.txt
index cab4df184..4eb87aa46 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -2 +2 @@
-ansible-lint>=4.2.0,!=4.3.0 # MIT
+ansible-lint>=4.2.0,!=4.3.0,<6.0.0 # MIT
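
Review bot: the new "<6.0.0" upper bound on ansible-lint in test-requirements.txt has no explanation on the line, so a later maintainer cannot tell when the cap is safe to lift. Extend the trailing comment to say why 6.x is excluded and reference a bug or TODO for removing the cap; the changelog subject "CI: pin ansible-lint to <6" does not give the reason either.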





