Release-announce
We are tickled pink to announce the release of:
kolla-ansible 20.0.0
This release is part of the epoxy release series.
The source is available from:
https://opendev.org/openstack/kolla-ansible
Download the package from:
https://tarballs.openstack.org/kolla-ansible/
Please report issues through:
https://bugs.launchpad.net/kolla-ansible/+bugs
For more details, please see below.
Changes in kolla-ansible 19.0.0.0rc1..20.0.0
--------------------------------------------
193830ef0 cinder: check for coordination backend when HA
da15011f6 Add key type for letsencrypt certificate
8945590f8 doc: remove keystone admin port cleanup
9a52b8d5f Fix duplicate names in Prometheus volumes
6baecfa2f Run ML2/OVS agents processes in separate containers
44aa76cf2 Docs: update RabbitMQ HA instructions
64cd8e007 Remove notifiers from loadbalancer config
7d1f8d1d4 Cinder: move to block-storage in service catalog
aed182726 Add Pure Storage FlashBlade as Manila backend
71e60fdd7 fixed jinja2 template variable parsing
fe19e7a51 Upgrade Prometheus to v3
a8addf90d Manage mysqld db user only from db related hosts
da12a4be7 Fix Nova and Cinder external ceph enabled check
8fa110bb8 Upgrade RabbitMQ docs for the Epoxy release
50bbcb09d Don't allow quorum queues to be disabled
6149799a6 [CI] Use ss instead of netstat
c08bd597c Correctly append --ask-vault-password as a single argument
8f0a4f672 Remove om_enable_rabbitmq_high_availability
ddd6d5ab6 Document dev mode with custom repository
4614aad4c rabbitmq: Add support for using stream queues for fanout
94b91727a Improve Ironic pin_release_version configuration
865c33087 Remove service role from ironic-inspector user
c803413c5 Move kolla_toolbox to high level client
f1fa914a8 Bump ansible-core versions to 2.17 and 2.18
5db605ca3 Correct lock path for ironic-inspector
4f9bb2b5a Adding new placement error to expected critical msgs
664a79f42 Disable firewalld in Bifrost container
3c3a18aa5 Rabbitmq: enable quorum for transient queues
bff6ee9d7 Assign labels to kolla volumes
44c2fbf62 Fix octavia.conf generation after jobboard fix
85d04aae8 Drop support for Ubuntu Jammy (22.04)
604361451 Fix config.json templates for Prometheus exporters
c04611efd CI: bump amphora image to jammy
415adb019 Process Epoxy removals from TODO
062df4005 Deprecate bifrost and deploy-bifrost/deploy-servers subcommands
c8645ea52 CI: Fix ipv6 scenario triggered from Kolla
6ebdbb979 setup.cfg: Replace dashes with underscores
8421d1047 Allow ignoring missing containers in service-stop
4e0c0aa76 Add oslo.messaging Queue Manager
1d7e58025 Remove notifiers from uwsgi service role
adb1a9b91 Remove Swift role
37b97d46a mariadb: Use mysql_query instead of command
f9790cf0b CI: Wait until containers exit health starting state
8670c3f9d ovn: Add support for OVN SB Relay
0a12ec97c Document Ubuntu Noble (24.04) as supported
b588e7f58 Replace meeting time by link to the meetings page
f726cfd99 Add container engine migration scenario
12aa03929 Add action for getting container names list
32cdbd23d Merge of container_facts modules
1ed6cbaa5 CI: Remove usage of Ubuntu workarounds
c2d4e1285 zuul: Bump base job timeout to 2.5h
c05773e1e Add nova-metadata to nova_services_require_policy_json
8f2781f25 CI: Fix documentation jobs
ce9cba2cb Fix Redis Sentinel authentication for octavia's jobboard HA
94765ab46 Fix boolean representation in all configurations
9fabfd67e neutron-metadata-agent: Disable healthcheck
3dae9aa49 Fix variable name in globals.yml for enabling the memcached_exporter
4b05fa8a5 add lightbits driver support
9ed16a387 Fix typo in prechecks command
0f1b4a89f Remove oslo_concurrency from keystone.conf
99925de1b Remove deprecated secure_proxy_ssl_header option
d277323b3 prometheus: Support overriding address of scrape targets
8d1b593ad Fix for external-frontend-map file not being copied
eb3b79460 docs: Correct typo in variable name
c8d813c09 CI: Remove unnecessary ansible values (after migration to ansible-core)
f566e8f0a Remove not needed service role assignment during upgrades.
62c07e73d Fix regex for blackbox exporter targets
2e99f8553 Fix kolla_container_facts performance
fc4e6cb1d ironic: change enable_ironic_neutron_agent default to no
19af5826f Move actions to kolla_container_facts
94b4adae2 Support reducing scope of delegated fact gathering
55fd5a024 Fix ironic's metrics when prometheus exporter enabled
2523ab437 Ensure consistent lock_path across all services
725d15173 Fix IPv6 addresses for prometheus exporters
7b5ff686e Fix usage of multiple OVN availability zones
da2ee0ad0 [Pure Storage] Update Pure reference page in documentation
e39e46a86 cinder: Allow configuring backend_name for Ceph backends
445e62958 Fix Grafana datasource update
57f526907 Revert "keystone: handle OIDC metadata & attribute mappings as template"
2f45726da cinder: Add support for using uWSGI
a944fad52 Set lock_path for openstack services
454dc2a95 placement: Add support for using uWSGI
fa6535890 Reintroduce kolla-ansible check
6eb6fee6e fluentd: Add placement to list of supported services
2c09d0c89 Revert "CI: Switch to stable/2024.2 tinyipa due to failures"
99b680019 CI: IPV6 - Enable Prometheus in IPV6 scenario
330e68d24 swift: Deprecate for removal in 2025.2
b59fe6cc4 Fix Grafana role support for Ansible check mode
d24c42af9 CI: zun - use alpine from quay.io
72ffcfb68 Fix Magnum role support for Ansible check mode
33fa9c185 Fix Opensearch role support for Ansible check mode
54cf86acb CI: Bump mariadb_monitor_connect_timeout to 60000
af255c754 CI: Add mariadb jobs trigger on proxysql changes
6460e9708 Remove deleted nova option [api] use_forwarded_for
e6b6e8858 docs: fix link to Cinder HA page
15b5606a0 docs: define OPENSTACK_RELEASE
2b45633d9 Fix reference to generating a private CA
d99b080c9 CI: Fix ironic scenario image builds
904fae2a9 ironic: Change Prometheus metrics dir
3a8bfc0ac Support mounting host's /dev/shm into container
63801d1a3 nova: Add support for using uWSGI
638fb6546 fluentd: Add uwsgi config
2f9f09780 uwsgi: Add logfile-chown and logfile-chmod options
4834276f0 proxysql: Revert to upstream defaults for most settings
a2273026d Define retry_tag for unprocessed Fluentd logs
891568d6d CI: Add unreadable files to check-logs.sh
9ecdf2f0a Use public keystone URL for www_authenticate_uri
884eacc70 Prometheus: Fix target when TLS for rabbitmq is disabled
795fbb104 CI: Bump mariadb_monitor_galera_healthcheck_timeout to 30 seconds
31c7317ab CI: Use Zuul cache/mirror for docker
5015e9e19 CI: Remove OpenSearch connectivity check in fluentd logs
4400e5fb9 Fix l7 haproxy check for opensearch-dashboards and prometheus-server
2e43cc231 CI: Fix fluentd log check
5a3fb2b4d fluentd: rework openstack logs match
ee3dfcf87 Docs update - install missing dbus-1 on Noble
70279972b HAProxy: Switch to L7 Healthchecks
638e1e306 Retry Ansible Galaxy calls
ed6dbf32d CI: Mark slurp jobs as non voting for now
198da94fe Docs update - kolla-ansible cli parameters
a1d817d99 Add service-uwsgi-config role
e877ec3d2 ironic: Make ironic-inspector optional
5c975611f nova: Split out metadata to a separate container
cd2a09029 Revert "CI: Disable SLURP jobs for D cycle"
756b23bd4 CI: Switch previous_release to 2024.2 and slurp to 2024.1
31ab71ac4 CI: Increase mariadb_monitor_read_only_interval and RMQ timeouts
1fbb299db proxysql: Add mariadb_monitor_read_only_interval
a349ca19a Add Let's Encrypt EAB support
e00bb43ba common: support custom cron-logrotate-global.conf
db1942595 Remove problematic comments from fluentd.conf
1916b3c2a Generate system scoped public-openrc
81a5a7cf4 Remove tacker demos from contrib and their usage in nfv CI
99e61073f magnum: Add k8s_cluster_api_rockylinux to CAPI drivers list
3d8d34d48 CI: Switch to stable/2024.2 tinyipa due to failures
cf4ee97e0 [CI] Use letsencrypt/pebble from quay.io
4e2af1872 [CI] Fix Ansible 2.16.14 breakage (cephadm jobs)
0298699a4 [CI] Fix testing inventory template due Ansible 2.16.14 breakage
ccf1710b1 Replace ipaddr with ansible.utils.ipaddr
cb69a3e60 Support deleting services and endpoints
7223bb75c keystone: handle OIDC metadata & attribute mappings as template
0bd1313f5 docs: minor fixes to external Ceph guide
61045807e CI: skip Cinder HA precheck for zun scenario
624056be0 Fix proxysql-config's TLS DB configuration
fc0e0fb82 Fix unintentional trigger of ansible handlers
345ecbf55 Refactor services' check-containers and optimise
53376aed8 Performance: Don't notify handlers during config
006ff0718 Don't notify handlers during copy-cert
a675b34dd CI: Use debian/ubuntu mirrored images on build
03fc14e44 reno: Update master for unmaintained/2023.1
d2d5069d8 Add venus-dashboard into horizon
12a287a6b CI: Add group_vars/all.yml trigger for all scenarios
752592f1b systemd: Add kolla.target
e4d7c6d69 Support removing user role assignments
065bc8028 mariadb: switch to use mariadb flavored commands
6a2369f38 Add size limits to Fluentd buffers
3f55994bb Fix TLS settings when letsencrypt turned on
f30dd3e52 Fix external ceph cinder keyring
b5d594d35 update openstack_previous_release_name var to 2024.1
20cc842f4 Avoid double quotes in HAProxy configuration
0d859959b Quickstart guide - remove Ansible dependency
66534e9dc Enhance Ceph Integration for Multiple Clusters
6faae441b Use more descriptive libvirt secret names corresponding to reality
1cec85d68 CI: Use libpod/registry for registry
4f62dd466 cli: Add check=True to catch Ansible failures
3564f9dea Updates docs to fix incorrect container example
e0c095fd7 Give ironic-inspector system scope ``all``
2f124f8e9 Update user role assignments
51fb7f92b Fix internal endpoint for the heat-cfn service
2adc14887 set haproxy for cyborg module
cd8ecfc8f Fix Octavia cert generation
04873199e CI: Add pre/run.yml to files in all base jobs
2339561eb Add removal of --key parameter to CLI rewrite note
a1eec2498 Fix destroy command with new python CLI
fa54e69eb Fix: add common options to RabbitMQ version check
d808d7163 Fix cinder etcd3gw backend_url
c1e566016 Remove contrib/bash-completion and demos
1c7d17d1e Fix detection of editable installation
ee9cbb7f6 Add Python 3.12 classifier
f15c0d3d4 Fix typo in kolla-ansible metavar
bc45e4565 Update master for stable/2024.2
2d52f7e33 Add an option to set OIDCXForwardedHeaders
f5ad7829c Prevent accidental downgrades of RabbitMQ
ec10a63db manila: add missing become to "Copying over existing policy file" task
050d0ea06 Use new module names from openstack.cloud
ca9720e14 Add precheck for Horizon config file renames in Caracal
5a13877ae loadbalancer: fail on failed "Wait for backup * to start" handlers
bb444acb4 ironic: fix tftp server address in the dnsmasq configuration
6051edba4 Skyline: use an external object store (Swift) in the dashboard
7de3f788f CI: Add post-upgrade description to post-upgrade tasks
36b8bfd2f CI: add a message for fluentd string match function
232aeaaa5 ironic: add enable_ironic_dnsmasq parameter
Diffstat (except docs and test files)
-------------------------------------
README.rst | 1 -
ansible/gather-facts.yml | 2 +-
ansible/group_vars/all.yml | 101 ++---
ansible/inventory/all-in-one | 22 +-
ansible/inventory/multinode | 22 +-
ansible/library/kolla_container.py | 8 +-
ansible/library/kolla_container_facts.py | 197 ++++++---
ansible/library/kolla_container_volume_facts.py | 108 -----
ansible/library/kolla_toolbox.py | 348 +++++++--------
ansible/migrate-container-engine.yml | 21 +
ansible/module_utils/kolla_container_worker.py | 24 --
ansible/module_utils/kolla_docker_worker.py | 19 +-
ansible/module_utils/kolla_podman_worker.py | 28 +-
ansible/module_utils/kolla_systemd_worker.py | 1 +
ansible/post-deploy.yml | 9 +
ansible/roles/aodh/defaults/main.yml | 8 +
ansible/roles/aodh/handlers/main.yml | 8 -
ansible/roles/aodh/tasks/check-containers.yml | 15 +-
ansible/roles/aodh/tasks/check.yml | 3 +
ansible/roles/aodh/tasks/config.yml | 8 -
ansible/roles/aodh/tasks/precheck.yml | 2 +-
ansible/roles/aodh/templates/aodh-api.json.j2 | 6 +
.../roles/aodh/templates/aodh-evaluator.json.j2 | 6 +
ansible/roles/aodh/templates/aodh-listener.json.j2 | 6 +
ansible/roles/aodh/templates/aodh-notifier.json.j2 | 6 +
ansible/roles/aodh/templates/aodh.conf.j2 | 19 +-
ansible/roles/barbican/defaults/main.yml | 9 +
ansible/roles/barbican/handlers/main.yml | 6 -
ansible/roles/barbican/tasks/check-containers.yml | 15 +-
ansible/roles/barbican/tasks/check.yml | 4 +
ansible/roles/barbican/tasks/config.yml | 12 +-
ansible/roles/barbican/tasks/precheck.yml | 2 +-
.../roles/barbican/templates/barbican-api.json.j2 | 6 +
.../templates/barbican-keystone-listener.json.j2 | 6 +
.../barbican/templates/barbican-worker.json.j2 | 7 +
ansible/roles/barbican/templates/barbican.conf.j2 | 20 +-
ansible/roles/bifrost/tasks/bootstrap.yml | 2 +-
ansible/roles/bifrost/tasks/reconfigure.yml | 28 +-
ansible/roles/bifrost/tasks/stop.yml | 2 +-
ansible/roles/bifrost/templates/bifrost.yml.j2 | 3 +
ansible/roles/blazar/defaults/main.yml | 12 +
ansible/roles/blazar/handlers/main.yml | 4 -
ansible/roles/blazar/tasks/check-containers.yml | 15 +-
ansible/roles/blazar/tasks/check.yml | 3 +
ansible/roles/blazar/tasks/config.yml | 6 -
ansible/roles/blazar/tasks/precheck.yml | 2 +-
ansible/roles/blazar/templates/blazar-api.json.j2 | 6 +
.../roles/blazar/templates/blazar-manager.json.j2 | 6 +
ansible/roles/blazar/templates/blazar.conf.j2 | 16 +-
ansible/roles/ceilometer/defaults/main.yml | 4 +
ansible/roles/ceilometer/handlers/main.yml | 8 -
.../roles/ceilometer/tasks/check-containers.yml | 16 +-
ansible/roles/ceilometer/tasks/check.yml | 3 +
ansible/roles/ceilometer/tasks/config.yml | 26 --
ansible/roles/ceilometer/tasks/register.yml | 16 -
.../templates/ceilometer-central.json.j2 | 8 +-
.../templates/ceilometer-compute.json.j2 | 6 +
.../ceilometer/templates/ceilometer-ipmi.json.j2 | 6 +
.../templates/ceilometer-notification.json.j2 | 6 +
.../roles/ceilometer/templates/ceilometer.conf.j2 | 14 +-
ansible/roles/certificates/tasks/generate.yml | 71 ++-
ansible/roles/certificates/tasks/main.yml | 2 +-
ansible/roles/cinder/defaults/main.yml | 44 +-
ansible/roles/cinder/handlers/main.yml | 8 -
ansible/roles/cinder/tasks/check-containers.yml | 18 +-
ansible/roles/cinder/tasks/check.yml | 4 +
ansible/roles/cinder/tasks/config.yml | 36 +-
ansible/roles/cinder/tasks/external_ceph.yml | 20 +-
ansible/roles/cinder/tasks/precheck.yml | 23 +-
ansible/roles/cinder/tasks/upgrade.yml | 7 -
ansible/roles/cinder/templates/cinder-api.json.j2 | 21 +-
.../roles/cinder/templates/cinder-backup.json.j2 | 6 +
.../cinder/templates/cinder-scheduler.json.j2 | 6 +
.../roles/cinder/templates/cinder-volume.json.j2 | 6 +
ansible/roles/cinder/templates/cinder.conf.j2 | 71 +--
ansible/roles/cloudkitty/defaults/main.yml | 6 +
ansible/roles/cloudkitty/handlers/main.yml | 4 -
.../roles/cloudkitty/tasks/check-containers.yml | 15 +-
ansible/roles/cloudkitty/tasks/check.yml | 3 +
ansible/roles/cloudkitty/tasks/config.yml | 10 -
ansible/roles/cloudkitty/tasks/precheck.yml | 2 +-
.../cloudkitty/templates/cloudkitty-api.json.j2 | 6 +
.../templates/cloudkitty-processor.json.j2 | 6 +
.../roles/cloudkitty/templates/cloudkitty.conf.j2 | 16 +-
ansible/roles/collectd/handlers/main.yml | 2 -
ansible/roles/collectd/tasks/check-containers.yml | 15 +-
ansible/roles/collectd/tasks/check.yml | 3 +
ansible/roles/collectd/tasks/config.yml | 4 -
ansible/roles/common/defaults/main.yml | 22 +-
ansible/roles/common/handlers/main.yml | 6 -
ansible/roles/common/tasks/check-containers.yml | 16 +-
ansible/roles/common/tasks/check.yml | 3 +
ansible/roles/common/tasks/config.yml | 23 +-
.../common/templates/conf/input/00-global.conf.j2 | 5 +-
.../templates/conf/input/08-prometheus.conf.j2 | 2 +-
.../common/templates/conf/input/13-uwsgi.conf.j2 | 18 +
.../common/templates/conf/output/00-local.conf.j2 | 6 +
.../common/templates/conf/output/01-es.conf.j2 | 13 +-
.../templates/conf/output/03-opensearch.conf.j2 | 13 +-
ansible/roles/common/templates/cron.json.j2 | 8 +-
ansible/roles/common/templates/fluentd.conf.j2 | 4 -
ansible/roles/common/templates/fluentd.json.j2 | 8 +-
.../roles/common/templates/kolla-toolbox.json.j2 | 6 +
ansible/roles/common/templates/kolla.target.j2 | 5 +
.../common/templates/public-openrc-system.sh.j2 | 15 +
.../container-engine-migration/defaults/main.yml | 19 +
.../container-engine-migration/files/ce-cleanup.sh | 55 +++
.../tasks/check-migration.yml | 15 +
.../tasks/install-target-engine.yml | 8 +
.../container-engine-migration/tasks/main.yml | 8 +
.../tasks/migrate-volumes.yml | 69 +++
.../tasks/ovs-cleanup.yml | 14 +
.../tasks/uninstall-current-engine.yml | 20 +
ansible/roles/cyborg/defaults/main.yml | 17 +
ansible/roles/cyborg/handlers/main.yml | 6 -
ansible/roles/cyborg/tasks/check-containers.yml | 16 +-
ansible/roles/cyborg/tasks/check.yml | 3 +
ansible/roles/cyborg/tasks/config.yml | 8 -
ansible/roles/cyborg/tasks/precheck.yml | 2 +-
.../roles/cyborg/templates/cyborg-agent.json.j2 | 6 +
ansible/roles/cyborg/templates/cyborg-api.json.j2 | 6 +
.../cyborg/templates/cyborg-conductor.json.j2 | 6 +
ansible/roles/cyborg/templates/cyborg.conf.j2 | 14 +-
ansible/roles/designate/defaults/main.yml | 11 +
ansible/roles/designate/handlers/main.yml | 14 -
ansible/roles/designate/tasks/backend_external.yml | 4 -
ansible/roles/designate/tasks/check-containers.yml | 15 +-
ansible/roles/designate/tasks/check.yml | 3 +
ansible/roles/designate/tasks/config.yml | 14 -
ansible/roles/designate/tasks/precheck.yml | 8 +-
.../designate/templates/designate-api.json.j2 | 6 +
.../templates/designate-backend-bind9.json.j2 | 8 +-
.../designate/templates/designate-central.json.j2 | 6 +
.../designate/templates/designate-mdns.json.j2 | 6 +
.../designate/templates/designate-producer.json.j2 | 6 +
.../designate/templates/designate-sink.json.j2 | 6 +
.../designate/templates/designate-worker.json.j2 | 8 +-
.../roles/designate/templates/designate.conf.j2 | 19 +-
ansible/roles/destroy/tasks/cleanup_host.yml | 3 +-
ansible/roles/etcd/defaults/main.yml | 5 +
ansible/roles/etcd/handlers/main.yml | 4 -
ansible/roles/etcd/tasks/check-containers.yml | 15 +-
ansible/roles/etcd/tasks/check.yml | 3 +
ansible/roles/etcd/tasks/config.yml | 4 +-
ansible/roles/etcd/tasks/copy-certs.yml | 52 +--
ansible/roles/etcd/tasks/precheck.yml | 4 +-
ansible/roles/etcd/templates/etcd.json.j2 | 6 +
ansible/roles/glance/defaults/main.yml | 20 +-
ansible/roles/glance/handlers/main.yml | 4 -
ansible/roles/glance/tasks/check-containers.yml | 17 +-
ansible/roles/glance/tasks/check.yml | 4 +
ansible/roles/glance/tasks/config.yml | 34 +-
ansible/roles/glance/tasks/external_ceph.yml | 10 +-
ansible/roles/glance/tasks/precheck.yml | 2 +-
ansible/roles/glance/templates/glance-api.conf.j2 | 33 +-
ansible/roles/glance/templates/glance-api.json.j2 | 12 +-
.../roles/glance/templates/glance-cache.conf.j2 | 3 +
.../roles/glance/templates/glance-swift.conf.j2 | 8 -
.../glance/templates/glance-tls-proxy.json.j2 | 8 +-
ansible/roles/gnocchi/defaults/main.yml | 13 +-
ansible/roles/gnocchi/handlers/main.yml | 6 -
ansible/roles/gnocchi/tasks/check-containers.yml | 15 +-
ansible/roles/gnocchi/tasks/check.yml | 3 +
ansible/roles/gnocchi/tasks/config.yml | 8 -
ansible/roles/gnocchi/tasks/external_ceph.yml | 14 +-
ansible/roles/gnocchi/tasks/precheck.yml | 2 +-
.../roles/gnocchi/templates/gnocchi-api.json.j2 | 7 +-
.../gnocchi/templates/gnocchi-metricd.json.j2 | 6 +
.../roles/gnocchi/templates/gnocchi-statsd.json.j2 | 6 +
ansible/roles/gnocchi/templates/gnocchi.conf.j2 | 22 +-
ansible/roles/grafana/defaults/main.yml | 4 +
ansible/roles/grafana/handlers/main.yml | 3 -
ansible/roles/grafana/tasks/check-containers.yml | 14 +-
ansible/roles/grafana/tasks/check.yml | 3 +
ansible/roles/grafana/tasks/config.yml | 16 +-
ansible/roles/grafana/tasks/post_config.yml | 1 +
ansible/roles/grafana/tasks/precheck.yml | 2 +-
ansible/roles/grafana/templates/grafana.json.j2 | 8 +-
ansible/roles/grafana/templates/prometheus.yaml.j2 | 1 -
ansible/roles/hacluster/handlers/main.yml | 6 -
ansible/roles/hacluster/tasks/check-containers.yml | 26 +-
ansible/roles/hacluster/tasks/check.yml | 3 +
ansible/roles/hacluster/tasks/config.yml | 10 -
ansible/roles/hacluster/tasks/precheck.yml | 2 +-
ansible/roles/haproxy-config/tasks/main.yml | 4 -
ansible/roles/heat/defaults/main.yml | 15 +-
ansible/roles/heat/handlers/main.yml | 6 -
ansible/roles/heat/tasks/check-containers.yml | 15 +-
ansible/roles/heat/tasks/check.yml | 3 +
ansible/roles/heat/tasks/config.yml | 12 +-
ansible/roles/heat/tasks/precheck.yml | 4 +-
ansible/roles/heat/templates/heat-api-cfn.json.j2 | 8 +-
ansible/roles/heat/templates/heat-api.json.j2 | 8 +-
ansible/roles/heat/templates/heat-engine.json.j2 | 6 +
ansible/roles/heat/templates/heat.conf.j2 | 21 +-
ansible/roles/horizon/defaults/main.yml | 8 +
ansible/roles/horizon/handlers/main.yml | 2 -
ansible/roles/horizon/tasks/check-containers.yml | 16 +-
ansible/roles/horizon/tasks/check.yml | 3 +
ansible/roles/horizon/tasks/config.yml | 14 +-
ansible/roles/horizon/tasks/precheck.yml | 2 +-
.../horizon/templates/_9998-kolla-settings.py.j2 | 6 -
ansible/roles/horizon/templates/horizon.json.j2 | 7 +
ansible/roles/influxdb/handlers/main.yml | 2 -
ansible/roles/influxdb/tasks/check-containers.yml | 14 +-
ansible/roles/influxdb/tasks/check.yml | 3 +
ansible/roles/influxdb/tasks/config.yml | 4 -
ansible/roles/influxdb/tasks/precheck.yml | 2 +-
ansible/roles/ironic/defaults/main.yml | 31 +-
ansible/roles/ironic/handlers/main.yml | 14 -
ansible/roles/ironic/tasks/bootstrap_service.yml | 4 +-
ansible/roles/ironic/tasks/check-containers.yml | 18 +-
ansible/roles/ironic/tasks/check.yml | 3 +
ansible/roles/ironic/tasks/config.yml | 35 +-
ansible/roles/ironic/tasks/precheck.yml | 13 +-
ansible/roles/ironic/tasks/rolling_upgrade.yml | 8 +-
ansible/roles/ironic/tasks/upgrade.yml | 7 -
.../ironic/templates/ironic-conductor.json.j2 | 6 +
.../roles/ironic/templates/ironic-dnsmasq.conf.j2 | 4 +-
.../roles/ironic/templates/ironic-dnsmasq.json.j2 | 8 +-
ansible/roles/ironic/templates/ironic-http.json.j2 | 8 +-
.../ironic/templates/ironic-inspector.conf.j2 | 17 +-
.../ironic/templates/ironic-inspector.json.j2 | 5 +
.../templates/ironic-prometheus-exporter.json.j2 | 8 +-
ansible/roles/ironic/templates/ironic.conf.j2 | 40 +-
ansible/roles/iscsi/handlers/main.yml | 4 -
ansible/roles/iscsi/tasks/check-containers.yml | 16 +-
ansible/roles/iscsi/tasks/check.yml | 3 +
ansible/roles/iscsi/tasks/config.yml | 2 -
ansible/roles/iscsi/tasks/precheck.yml | 2 +-
ansible/roles/keystone/defaults/main.yml | 16 +-
ansible/roles/keystone/handlers/main.yml | 6 -
ansible/roles/keystone/tasks/bootstrap_service.yml | 8 +-
ansible/roles/keystone/tasks/check-containers.yml | 15 +-
ansible/roles/keystone/tasks/check.yml | 4 +
ansible/roles/keystone/tasks/config.yml | 20 +-
ansible/roles/keystone/tasks/precheck.yml | 4 +-
ansible/roles/keystone/tasks/register.yml | 2 +-
.../keystone/templates/keystone-fernet.json.j2 | 6 +
.../roles/keystone/templates/keystone-ssh.json.j2 | 8 +-
ansible/roles/keystone/templates/keystone.conf.j2 | 20 +-
ansible/roles/keystone/templates/keystone.json.j2 | 9 +-
.../roles/keystone/templates/wsgi-keystone.conf.j2 | 1 +
ansible/roles/kuryr/handlers/main.yml | 2 -
ansible/roles/kuryr/tasks/check-containers.yml | 17 +-
ansible/roles/kuryr/tasks/check.yml | 3 +
ansible/roles/kuryr/tasks/config.yml | 8 -
ansible/roles/kuryr/tasks/precheck.yml | 2 +-
ansible/roles/kuryr/templates/kuryr.conf.j2 | 3 +
ansible/roles/kuryr/templates/kuryr.json.j2 | 6 +
ansible/roles/letsencrypt/defaults/main.yml | 6 +-
ansible/roles/letsencrypt/handlers/main.yml | 4 -
.../roles/letsencrypt/tasks/check-containers.yml | 16 +-
ansible/roles/letsencrypt/tasks/check.yml | 4 +
ansible/roles/letsencrypt/tasks/config.yml | 6 -
ansible/roles/letsencrypt/tasks/precheck.yml | 13 +-
ansible/roles/letsencrypt/templates/crontab.j2 | 10 +-
.../templates/letsencrypt-lego-run.sh.j2 | 10 +-
.../letsencrypt/templates/letsencrypt-lego.json.j2 | 8 +-
.../templates/letsencrypt-webserver.json.j2 | 8 +-
ansible/roles/loadbalancer/defaults/main.yml | 33 ++
ansible/roles/loadbalancer/handlers/main.yml | 2 +
.../roles/loadbalancer/tasks/check-containers.yml | 16 +-
ansible/roles/loadbalancer/tasks/check.yml | 3 +
ansible/roles/loadbalancer/tasks/config.yml | 62 +--
ansible/roles/loadbalancer/tasks/copy-certs.yml | 66 ++-
ansible/roles/loadbalancer/tasks/precheck.yml | 95 ++--
.../templates/haproxy-ssh/haproxy-ssh.json.j2 | 8 +-
.../loadbalancer/templates/haproxy/haproxy.json.j2 | 15 +-
.../templates/keepalived/keepalived.json.j2 | 8 +-
.../templates/proxysql/proxysql.json.j2 | 8 +-
.../templates/proxysql/proxysql.yaml.j2 | 51 ++-
ansible/roles/magnum/defaults/main.yml | 6 +
ansible/roles/magnum/handlers/main.yml | 4 -
ansible/roles/magnum/tasks/check-containers.yml | 16 +-
ansible/roles/magnum/tasks/check.yml | 3 +
ansible/roles/magnum/tasks/config.yml | 8 -
ansible/roles/magnum/tasks/precheck.yml | 2 +-
ansible/roles/magnum/tasks/register.yml | 7 +-
ansible/roles/magnum/templates/magnum-api.json.j2 | 6 +
.../magnum/templates/magnum-conductor.json.j2 | 6 +
ansible/roles/magnum/templates/magnum.conf.j2 | 15 +-
ansible/roles/manila/defaults/main.yml | 17 +-
ansible/roles/manila/handlers/main.yml | 8 -
ansible/roles/manila/tasks/check-containers.yml | 16 +-
ansible/roles/manila/tasks/check.yml | 3 +
ansible/roles/manila/tasks/config.yml | 9 +-
ansible/roles/manila/tasks/external_ceph.yml | 8 +-
ansible/roles/manila/tasks/precheck.yml | 2 +-
ansible/roles/manila/templates/manila-api.json.j2 | 6 +
ansible/roles/manila/templates/manila-data.json.j2 | 6 +
.../manila/templates/manila-scheduler.json.j2 | 6 +
.../roles/manila/templates/manila-share.conf.j2 | 25 +-
.../roles/manila/templates/manila-share.json.j2 | 6 +
ansible/roles/manila/templates/manila.conf.j2 | 13 +-
ansible/roles/mariadb/handlers/main.yml | 24 +-
ansible/roles/mariadb/tasks/backup.yml | 2 +-
ansible/roles/mariadb/tasks/check-containers.yml | 16 +-
ansible/roles/mariadb/tasks/check.yml | 22 +-
ansible/roles/mariadb/tasks/config.yml | 4 -
ansible/roles/mariadb/tasks/deploy.yml | 5 +
ansible/roles/mariadb/tasks/lookup_cluster.yml | 23 +-
ansible/roles/mariadb/tasks/precheck.yml | 8 +-
ansible/roles/mariadb/tasks/recover_cluster.yml | 21 +-
ansible/roles/mariadb/tasks/restart_services.yml | 20 +-
ansible/roles/mariadb/templates/mariadb.json.j2 | 2 +-
ansible/roles/masakari/defaults/main.yml | 8 +
ansible/roles/masakari/handlers/main.yml | 8 -
ansible/roles/masakari/tasks/check-containers.yml | 16 +-
ansible/roles/masakari/tasks/check.yml | 3 +
ansible/roles/masakari/tasks/config.yml | 14 -
ansible/roles/masakari/tasks/precheck.yml | 2 +-
.../roles/masakari/templates/masakari-api.json.j2 | 6 +
.../masakari/templates/masakari-engine.json.j2 | 6 +
.../templates/masakari-hostmonitor.json.j2 | 8 +-
.../templates/masakari-instancemonitor.json.j2 | 6 +
.../masakari/templates/masakari-monitors.conf.j2 | 7 +-
ansible/roles/masakari/templates/masakari.conf.j2 | 21 +-
ansible/roles/memcached/handlers/main.yml | 2 -
ansible/roles/memcached/tasks/check-containers.yml | 16 +-
ansible/roles/memcached/tasks/check.yml | 3 +
ansible/roles/memcached/tasks/config.yml | 1 -
ansible/roles/memcached/tasks/precheck.yml | 2 +-
ansible/roles/mistral/defaults/main.yml | 8 +
ansible/roles/mistral/handlers/main.yml | 8 -
ansible/roles/mistral/tasks/check-containers.yml | 15 +-
ansible/roles/mistral/tasks/check.yml | 3 +
ansible/roles/mistral/tasks/config.yml | 8 -
ansible/roles/mistral/tasks/precheck.yml | 2 +-
.../roles/mistral/templates/mistral-api.json.j2 | 6 +
.../roles/mistral/templates/mistral-engine.json.j2 | 6 +
.../mistral/templates/mistral-event-engine.json.j2 | 6 +
.../mistral/templates/mistral-executor.json.j2 | 6 +
ansible/roles/mistral/templates/mistral.conf.j2 | 18 +-
ansible/roles/multipathd/handlers/main.yml | 2 -
.../roles/multipathd/tasks/check-containers.yml | 15 +-
ansible/roles/multipathd/tasks/check.yml | 3 +
ansible/roles/multipathd/tasks/config.yml | 4 -
ansible/roles/neutron/defaults/main.yml | 47 +-
ansible/roles/neutron/handlers/main.yml | 46 +-
ansible/roles/neutron/tasks/check-containers.yml | 17 +-
ansible/roles/neutron/tasks/check.yml | 3 +
ansible/roles/neutron/tasks/config.yml | 52 +--
.../neutron/tasks/neutron_plugin_agent_check.yml | 11 +-
ansible/roles/neutron/tasks/precheck.yml | 2 +-
ansible/roles/neutron/tasks/upgrade.yml | 7 -
ansible/roles/neutron/templates/dhcp_agent.ini.j2 | 6 +-
.../roles/neutron/templates/fwaas_driver.ini.j2 | 2 +-
.../neutron/templates/ironic-neutron-agent.json.j2 | 8 +-
ansible/roles/neutron/templates/ml2_conf.ini.j2 | 6 +-
.../neutron/templates/neutron-bgp-dragent.json.j2 | 6 +
.../neutron/templates/neutron-dhcp-agent.json.j2 | 6 +
.../neutron/templates/neutron-eswitchd.json.j2 | 8 +-
.../templates/neutron-infoblox-ipam-agent.json.j2 | 8 +-
.../neutron/templates/neutron-l3-agent.json.j2 | 6 +
.../templates/neutron-linuxbridge-agent.json.j2 | 8 +-
.../templates/neutron-metadata-agent.json.j2 | 6 +
.../templates/neutron-metering-agent.json.j2 | 6 +
.../neutron/templates/neutron-mlnx-agent.json.j2 | 8 +-
.../neutron-openvswitch-agent-xenapi.json.j2 | 6 +
.../templates/neutron-openvswitch-agent.json.j2 | 8 +-
.../neutron/templates/neutron-ovn-agent.json.j2 | 6 +
.../templates/neutron-ovn-metadata-agent.json.j2 | 6 +
.../roles/neutron/templates/neutron-server.json.j2 | 8 +-
.../neutron/templates/neutron-sriov-agent.json.j2 | 6 +
.../neutron/templates/neutron-tls-proxy.json.j2 | 8 +-
ansible/roles/neutron/templates/neutron.conf.j2 | 25 +-
.../roles/neutron/templates/neutron_taas.conf.j2 | 2 +-
.../neutron/templates/openvswitch_agent.ini.j2 | 2 +-
ansible/roles/nova-cell/defaults/main.yml | 18 +-
ansible/roles/nova-cell/handlers/main.yml | 14 -
ansible/roles/nova-cell/tasks/check-containers.yml | 20 +-
ansible/roles/nova-cell/tasks/check.yml | 3 +
.../roles/nova-cell/tasks/config-libvirt-tls.yml | 2 -
ansible/roles/nova-cell/tasks/config.yml | 22 -
ansible/roles/nova-cell/tasks/deploy.yml | 2 -
.../roles/nova-cell/tasks/discover_computes.yml | 2 +-
ansible/roles/nova-cell/tasks/external_ceph.yml | 36 +-
ansible/roles/nova-cell/tasks/libvirt-cleanup.yml | 2 +-
ansible/roles/nova-cell/tasks/post-config.yml | 8 -
ansible/roles/nova-cell/tasks/precheck.yml | 16 +-
ansible/roles/nova-cell/tasks/rolling_upgrade.yml | 2 -
.../templates/nova-compute-ironic.json.j2 | 6 +
.../roles/nova-cell/templates/nova-compute.json.j2 | 14 +-
.../nova-cell/templates/nova-conductor.json.j2 | 8 +-
.../roles/nova-cell/templates/nova-libvirt.json.j2 | 10 +-
.../nova-cell/templates/nova-novncproxy.json.j2 | 8 +-
.../nova-cell/templates/nova-serialproxy.json.j2 | 8 +-
.../templates/nova-spicehtml5proxy.json.j2 | 8 +-
ansible/roles/nova-cell/templates/nova-ssh.json.j2 | 8 +-
.../templates/nova.conf.d/libvirt.conf.j2 | 10 +-
ansible/roles/nova-cell/templates/nova.conf.j2 | 17 +-
ansible/roles/nova-cell/templates/secret.xml.j2 | 1 +
ansible/roles/nova/defaults/main.yml | 50 +++
ansible/roles/nova/handlers/main.yml | 20 +-
ansible/roles/nova/tasks/check-containers.yml | 19 +-
ansible/roles/nova/tasks/check.yml | 3 +
ansible/roles/nova/tasks/config.yml | 49 ++-
ansible/roles/nova/tasks/precheck.yml | 4 +-
ansible/roles/nova/tasks/upgrade.yml | 7 -
ansible/roles/nova/templates/nova-api-wsgi.conf.j2 | 22 +-
ansible/roles/nova/templates/nova-api.json.j2 | 19 +-
.../nova/templates/nova-metadata-wsgi.conf.j2 | 51 +++
ansible/roles/nova/templates/nova-metadata.json.j2 | 57 +++
.../roles/nova/templates/nova-scheduler.json.j2 | 8 +-
.../nova/templates/nova-super-conductor.json.j2 | 8 +-
ansible/roles/nova/templates/nova.conf.j2 | 33 +-
ansible/roles/octavia/defaults/main.yml | 7 +
ansible/roles/octavia/handlers/main.yml | 10 -
ansible/roles/octavia/tasks/check-containers.yml | 15 +-
ansible/roles/octavia/tasks/check.yml | 3 +
ansible/roles/octavia/tasks/config.yml | 16 +-
ansible/roles/octavia/tasks/get_resources_info.yml | 8 +-
ansible/roles/octavia/tasks/hm-interface.yml | 2 +-
ansible/roles/octavia/tasks/precheck.yml | 4 +-
ansible/roles/octavia/tasks/prepare.yml | 14 +-
ansible/roles/octavia/tasks/register.yml | 2 +-
.../roles/octavia/templates/octavia-api.json.j2 | 10 +-
.../octavia/templates/octavia-driver-agent.json.j2 | 6 +
.../templates/octavia-health-manager.json.j2 | 6 +
.../octavia/templates/octavia-housekeeping.json.j2 | 6 +
.../roles/octavia/templates/octavia-worker.json.j2 | 6 +
ansible/roles/octavia/templates/octavia.conf.j2 | 32 +-
ansible/roles/opensearch/defaults/main.yml | 6 +
ansible/roles/opensearch/handlers/main.yml | 4 -
.../roles/opensearch/tasks/check-containers.yml | 16 +-
ansible/roles/opensearch/tasks/check.yml | 3 +
ansible/roles/opensearch/tasks/config.yml | 6 -
ansible/roles/opensearch/tasks/post-config.yml | 9 +-
ansible/roles/opensearch/tasks/precheck.yml | 2 +-
.../templates/opensearch-dashboards.json.j2 | 8 +-
.../roles/opensearch/templates/opensearch.json.j2 | 8 +-
ansible/roles/openvswitch/handlers/main.yml | 4 -
.../roles/openvswitch/tasks/check-containers.yml | 16 +-
ansible/roles/openvswitch/tasks/check.yml | 3 +
ansible/roles/openvswitch/tasks/config.yml | 2 -
ansible/roles/openvswitch/tasks/precheck.yml | 2 +-
ansible/roles/ovn-controller/handlers/main.yml | 2 -
.../ovn-controller/tasks/check-containers.yml | 14 +-
ansible/roles/ovn-controller/tasks/check.yml | 4 +
ansible/roles/ovn-controller/tasks/config.yml | 2 -
ansible/roles/ovn-controller/tasks/setup-ovs.yml | 9 +-
ansible/roles/ovn-db/defaults/main.yml | 40 ++
ansible/roles/ovn-db/handlers/main.yml | 20 +-
ansible/roles/ovn-db/tasks/bootstrap-db.yml | 17 +
ansible/roles/ovn-db/tasks/check-containers.yml | 14 +-
ansible/roles/ovn-db/tasks/check.yml | 4 +
ansible/roles/ovn-db/tasks/config-relay.yml | 35 ++
ansible/roles/ovn-db/tasks/config.yml | 9 +-
ansible/roles/ovn-db/tasks/lookup_cluster.yml | 7 +-
ansible/roles/ovn-db/tasks/precheck.yml | 4 +-
ansible/roles/ovn-db/templates/ovn-northd.json.j2 | 2 +-
.../roles/ovn-db/templates/ovn-sb-db-relay.json.j2 | 18 +
ansible/roles/ovn-db/templates/ovsdb-relay.json.j2 | 20 +
ansible/roles/ovs-dpdk/defaults/main.yml | 2 +-
ansible/roles/ovs-dpdk/handlers/main.yml | 4 -
ansible/roles/ovs-dpdk/tasks/check-containers.yml | 15 +-
ansible/roles/ovs-dpdk/tasks/check.yml | 3 +
ansible/roles/ovs-dpdk/tasks/config.yml | 2 -
ansible/roles/placement/defaults/main.yml | 12 +
ansible/roles/placement/handlers/main.yml | 2 -
ansible/roles/placement/tasks/check-containers.yml | 19 +-
ansible/roles/placement/tasks/check.yml | 3 +
ansible/roles/placement/tasks/config.yml | 33 +-
ansible/roles/placement/tasks/precheck.yml | 2 +-
.../placement/templates/placement-api-wsgi.conf.j2 | 2 +-
.../placement/templates/placement-api.json.j2 | 19 +-
.../roles/placement/templates/placement.conf.j2 | 8 +-
ansible/roles/prechecks/tasks/service_checks.yml | 7 -
ansible/roles/prechecks/vars/main.yml | 5 +-
ansible/roles/prometheus/defaults/main.yml | 29 +-
ansible/roles/prometheus/handlers/main.yml | 20 -
ansible/roles/prometheus/tasks/bootstrap.yml | 1 +
.../roles/prometheus/tasks/check-containers.yml | 16 +-
ansible/roles/prometheus/tasks/check.yml | 3 +
ansible/roles/prometheus/tasks/config.yml | 20 -
ansible/roles/prometheus/tasks/precheck.yml | 20 +-
ansible/roles/prometheus/tasks/upgrade.yml | 38 ++
.../templates/prometheus-alertmanager.json.j2 | 8 +-
.../templates/prometheus-blackbox-exporter.json.j2 | 8 +-
.../templates/prometheus-cadvisor.json.j2 | 11 +-
.../prometheus-elasticsearch-exporter.json.j2 | 11 +-
.../templates/prometheus-libvirt-exporter.json.j2 | 12 +-
.../prometheus-memcached-exporter.json.j2 | 11 +-
.../templates/prometheus-mysqld-exporter.json.j2 | 8 +-
.../templates/prometheus-node-exporter.json.j2 | 11 +-
.../prometheus-openstack-exporter.json.j2 | 8 +-
.../prometheus/templates/prometheus-server.json.j2 | 13 +-
.../roles/prometheus/templates/prometheus.yml.j2 | 37 +-
ansible/roles/proxysql-config/defaults/main.yml | 1 -
ansible/roles/proxysql-config/tasks/main.yml | 4 -
.../roles/proxysql-config/templates/users.yaml.j2 | 3 -
ansible/roles/rabbitmq/defaults/main.yml | 6 +
ansible/roles/rabbitmq/handlers/main.yml | 2 -
ansible/roles/rabbitmq/tasks/check-containers.yml | 16 +-
ansible/roles/rabbitmq/tasks/check.yml | 3 +
ansible/roles/rabbitmq/tasks/config.yml | 17 +-
ansible/roles/rabbitmq/tasks/copy-certs.yml | 54 +--
ansible/roles/rabbitmq/tasks/deploy.yml | 4 +-
ansible/roles/rabbitmq/tasks/precheck.yml | 69 +--
.../roles/rabbitmq/tasks/remove-ha-all-policy.yml | 2 +-
ansible/roles/rabbitmq/tasks/restart_services.yml | 2 +-
ansible/roles/rabbitmq/tasks/upgrade.yml | 2 -
ansible/roles/rabbitmq/tasks/version-check.yml | 123 +++---
.../roles/rabbitmq/templates/definitions.json.j2 | 6 -
ansible/roles/rabbitmq/templates/rabbitmq.json.j2 | 6 +
ansible/roles/redis/handlers/main.yml | 4 -
ansible/roles/redis/tasks/check-containers.yml | 16 +-
ansible/roles/redis/tasks/check.yml | 4 +
ansible/roles/redis/tasks/config.yml | 4 -
ansible/roles/redis/tasks/precheck.yml | 2 +-
ansible/roles/service-cert-copy/defaults/main.yml | 1 +
ansible/roles/service-cert-copy/tasks/main.yml | 10 +-
.../service-check-containers/tasks/iterated.yml | 36 ++
.../roles/service-check-containers/tasks/main.yml | 50 +++
ansible/roles/service-check/defaults/main.yml | 3 +
ansible/roles/service-check/tasks/main.yml | 40 ++
ansible/roles/service-check/vars/main.yml | 11 +
.../service-config-validate/tasks/validate.yml | 4 +-
ansible/roles/service-ks-register/tasks/main.yml | 32 +-
ansible/roles/service-stop/tasks/main.yml | 1 +
.../roles/service-uwsgi-config/defaults/main.yml | 8 +
ansible/roles/service-uwsgi-config/tasks/main.yml | 7 +
.../service-uwsgi-config/templates/uwsgi.ini.j2 | 34 ++
ansible/roles/skyline/defaults/main.yml | 16 +
ansible/roles/skyline/handlers/main.yml | 4 -
ansible/roles/skyline/tasks/check-containers.yml | 15 +-
ansible/roles/skyline/tasks/check.yml | 3 +
ansible/roles/skyline/tasks/config.yml | 12 +-
ansible/roles/skyline/tasks/precheck.yml | 4 +-
ansible/roles/skyline/templates/nginx.conf.j2 | 12 +-
.../skyline/templates/skyline-apiserver.json.j2 | 6 +
.../skyline/templates/skyline-console.json.j2 | 6 +
ansible/roles/skyline/templates/skyline.yaml.j2 | 4 +-
ansible/roles/swift/defaults/main.yml | 106 -----
ansible/roles/swift/handlers/main.yml | 4 -
ansible/roles/swift/tasks/check.yml | 1 -
ansible/roles/swift/tasks/config.yml | 230 ----------
ansible/roles/swift/tasks/config_validate.yml | 1 -
ansible/roles/swift/tasks/copy-certs.yml | 6 -
ansible/roles/swift/tasks/deploy-containers.yml | 2 -
ansible/roles/swift/tasks/deploy.yml | 10 -
ansible/roles/swift/tasks/legacy_upgrade.yml | 35 --
ansible/roles/swift/tasks/loadbalancer.yml | 7 -
ansible/roles/swift/tasks/main.yml | 2 -
ansible/roles/swift/tasks/precheck.yml | 132 ------
ansible/roles/swift/tasks/pull.yml | 74 ----
ansible/roles/swift/tasks/reconfigure.yml | 105 -----
ansible/roles/swift/tasks/register.yml | 20 -
ansible/roles/swift/tasks/rolling_upgrade.yml | 68 ---
ansible/roles/swift/tasks/start.yml | 317 --------------
ansible/roles/swift/tasks/stop.yml | 151 -------
ansible/roles/swift/tasks/upgrade.yml | 6 -
ansible/roles/swift/templates/account.conf.j2 | 40 --
ansible/roles/swift/templates/container.conf.j2 | 41 --
ansible/roles/swift/templates/object.conf.j2 | 52 ---
ansible/roles/swift/templates/proxy-server.conf.j2 | 103 -----
ansible/roles/swift/templates/rsyncd.conf.j2 | 28 --
.../swift/templates/swift-account-auditor.json.j2 | 30 --
.../swift/templates/swift-account-reaper.json.j2 | 30 --
.../swift-account-replication-server.json.j2 | 30 --
.../templates/swift-account-replicator.json.j2 | 30 --
.../swift/templates/swift-account-server.json.j2 | 30 --
.../templates/swift-container-auditor.json.j2 | 30 --
.../swift-container-replication-server.json.j2 | 30 --
.../templates/swift-container-replicator.json.j2 | 30 --
.../swift/templates/swift-container-server.json.j2 | 30 --
.../templates/swift-container-updater.json.j2 | 36 --
.../swift/templates/swift-object-auditor.json.j2 | 44 --
.../swift/templates/swift-object-expirer.json.j2 | 50 ---
.../swift-object-replication-server.json.j2 | 44 --
.../templates/swift-object-replicator.json.j2 | 44 --
.../swift/templates/swift-object-server.json.j2 | 44 --
.../swift/templates/swift-object-updater.json.j2 | 44 --
.../swift/templates/swift-proxy-server.json.j2 | 50 ---
ansible/roles/swift/templates/swift-rsyncd.json.j2 | 11 -
ansible/roles/swift/templates/swift.conf.j2 | 3 -
ansible/roles/swift/vars/main.yml | 2 -
ansible/roles/tacker/defaults/main.yml | 2 +
ansible/roles/tacker/handlers/main.yml | 4 -
ansible/roles/tacker/tasks/check-containers.yml | 15 +-
ansible/roles/tacker/tasks/check.yml | 3 +
ansible/roles/tacker/tasks/config.yml | 6 -
ansible/roles/tacker/tasks/precheck.yml | 2 +-
.../tacker/templates/tacker-conductor.json.j2 | 6 +
.../roles/tacker/templates/tacker-server.json.j2 | 6 +
ansible/roles/tacker/templates/tacker.conf.j2 | 16 +-
ansible/roles/telegraf/handlers/main.yml | 2 -
ansible/roles/telegraf/tasks/check-containers.yml | 15 +-
ansible/roles/telegraf/tasks/check.yml | 3 +
ansible/roles/telegraf/tasks/config.yml | 6 -
ansible/roles/telegraf/templates/telegraf.json.j2 | 8 +-
ansible/roles/trove/defaults/main.yml | 9 +
ansible/roles/trove/handlers/main.yml | 6 -
ansible/roles/trove/tasks/check-containers.yml | 15 +-
ansible/roles/trove/tasks/check.yml | 3 +
ansible/roles/trove/tasks/config.yml | 12 +-
ansible/roles/trove/tasks/precheck.yml | 2 +-
ansible/roles/trove/templates/trove-api.json.j2 | 8 +-
.../roles/trove/templates/trove-conductor.json.j2 | 8 +-
.../roles/trove/templates/trove-guestagent.conf.j2 | 14 +-
.../trove/templates/trove-taskmanager.json.j2 | 6 +
ansible/roles/trove/templates/trove.conf.j2 | 15 +-
ansible/roles/venus/defaults/main.yml | 6 +
ansible/roles/venus/handlers/main.yml | 4 -
ansible/roles/venus/tasks/check-containers.yml | 15 +-
ansible/roles/venus/tasks/check.yml | 3 +
ansible/roles/venus/tasks/config.yml | 6 -
ansible/roles/venus/tasks/precheck.yml | 2 +-
ansible/roles/venus/templates/venus-api.json.j2 | 8 +-
.../roles/venus/templates/venus-manager.json.j2 | 8 +-
ansible/roles/venus/templates/venus.conf.j2 | 3 +
ansible/roles/watcher/defaults/main.yml | 7 +
ansible/roles/watcher/handlers/main.yml | 6 -
ansible/roles/watcher/tasks/check-containers.yml | 15 +-
ansible/roles/watcher/tasks/check.yml | 3 +
ansible/roles/watcher/tasks/config.yml | 6 -
ansible/roles/watcher/tasks/precheck.yml | 2 +-
.../roles/watcher/templates/watcher-api.json.j2 | 6 +
.../watcher/templates/watcher-applier.json.j2 | 6 +
.../roles/watcher/templates/watcher-engine.json.j2 | 6 +
ansible/roles/watcher/templates/watcher.conf.j2 | 13 +-
ansible/roles/zun/defaults/main.yml | 9 +-
ansible/roles/zun/handlers/main.yml | 21 +-
ansible/roles/zun/tasks/check-containers.yml | 19 +-
ansible/roles/zun/tasks/check.yml | 3 +
ansible/roles/zun/tasks/config.yml | 8 -
ansible/roles/zun/tasks/external_ceph.yml | 8 +-
ansible/roles/zun/tasks/precheck.yml | 6 +-
ansible/roles/zun/templates/zun-api.json.j2 | 6 +
ansible/roles/zun/templates/zun-cni-daemon.json.j2 | 8 +-
ansible/roles/zun/templates/zun-compute.json.j2 | 14 +-
ansible/roles/zun/templates/zun-wsproxy.json.j2 | 6 +
ansible/roles/zun/templates/zun.conf.j2 | 20 +-
ansible/site.yml | 29 +-
bindep.txt | 9 +
contrib/bash-completion/kolla-ansible | 21 -
contrib/demos/heat/README.rst | 15 -
contrib/demos/heat/launch | 18 -
contrib/demos/heat/steak-rg.yaml | 44 --
contrib/demos/heat/steak.yaml | 55 ---
contrib/demos/magnum/redis | 5 -
contrib/demos/magnum/redis-kube/README.rst | 197 ---------
.../demos/magnum/redis-kube/redis-controller.yaml | 28 --
contrib/demos/magnum/redis-kube/redis-master.yaml | 34 --
contrib/demos/magnum/redis-kube/redis-proxy.yaml | 15 -
.../redis-kube/redis-sentinel-controller.yaml | 24 --
.../magnum/redis-kube/redis-sentinel-service.yaml | 14 -
contrib/demos/magnum/start | 34 --
contrib/demos/magnum/stop | 9 -
contrib/demos/tacker/README.rst | 20 -
contrib/demos/tacker/cleanup-tacker | 20 -
contrib/demos/tacker/deploy-tacker-demo | 73 ----
contrib/demos/tacker/deploy-tacker-demo-sfc | 83 ----
.../kolla-for-openstack-development.rst | 8 +
.../logging-and-monitoring/prometheus-guide.rst | 13 +
.../reference/shared-services/glance-guide.rst | 15 -
.../reference/shared-services/skyline-guide.rst | 15 +
.../reference/storage/cinder-guide-lightbits.rst | 33 ++
.../reference/storage/external-ceph-guide.rst | 201 +++++----
etc/kolla/globals.yml | 81 ++--
etc/kolla/passwords.yml | 5 +-
kolla_ansible/ansible.py | 4 +-
kolla_ansible/cli/commands.py | 38 +-
kolla_ansible/kolla_address.py | 25 +-
kolla_ansible/utils.py | 46 +-
lint-requirements.txt | 2 +-
...-forwarded-headers-option-d153c6292cf20b26.yaml | 8 +
...d-letsencrypt-eab-support-7951e7a572718ce9.yaml | 4 +
...its-cinder-plugin-support-f5445f2dbb1a56ed.yaml | 4 +
.../notes/add-queue-manager-3ce79655ac37c345.yaml | 9 +
.../add-venus-dashboard-a8efe1a93dca9f0e.yaml | 4 +
.../ansible-core-bump-2-18-a131f759cf2f23c7.yaml | 6 +
...n-labels-to-kolla-volumes-4c733756a7c746d2.yaml | 9 +
.../notes/bug-1863510-e39da141cdd07c41.yaml | 8 +
.../notes/bug-1891469-4f8a45c29bde55e5.yaml | 13 +
.../notes/bug-2044370-2285fc3952981cae.yaml | 7 +
.../notes/bug-2076331-f4ef64ad0a12aa85.yaml | 21 +
.../notes/bug-2086466-dc13b40f8da39542.yaml | 5 +
.../notes/bug-2093335-88ecb9b12a003b20.yaml | 6 +
.../notes/bug-2095607-f4d9d5aebebddfc8.yaml | 7 +
.../notes/bug-2097292-1a41e87d33e7c6a8.yaml | 6 +
.../notes/bug-2100927-5926d812ffa98ac4.yaml | 6 +
.../bugfix-fluentd-retry-tag-383dd788a42fddd6.yaml | 7 +
.../cinder-ceph-backend-name-0984e44da7905a81.yaml | 6 +
...torage-in-service-catalog-7063d6b7d1039e36.yaml | 8 +
.../notes/config-handlers-fba9b642c84fc2d7.yaml | 28 ++
.../notes/copy-certs-02ff11e9041800eb.yaml | 14 +
...tom-cron-logrotate-global-5cb26fda7d1ba85b.yaml | 4 +
.../delegate-facts-hosts-a3c8bd588c805ffa.yaml | 6 +
.../notes/deprecate-bifrost-2819678ca6456ab1.yaml | 7 +
.../deprecate-inspector-86fb3aa691099267.yaml | 10 +
.../notes/deprecate-swift-7a30a80aa16c3e48.yaml | 5 +
.../enable_ironic_dnsmasq-4288e3e2b5819f2d.yaml | 6 +
...e_quorum_queues_transient-020b373831acda36.yaml | 8 +
...iple-clusters-integration-d29815a12c223152.yaml | 17 +
.../external-ceph-cinder_key-1a4c38fff3e2ab3c.yaml | 10 +
.../notes/fix-blackbox-regex-b16f3f86563de6db.yaml | 7 +
...x-cinder-etcd-backend-url-3ca1fa04293c16b5.yaml | 6 +
...haproxy-missing-variables-2f00c677a7003005.yaml | 6 +
...ova-backend-rbd-group-var-3c057daa084c0612.yaml | 7 +
...opying-ca-into-containers-8b0429bdbd979e3c.yaml | 7 +
...rable-restarts-of-fluentd-95a3bad7de82fd56.yaml | 6 +
.../notes/fluentd-buffers-86acb335b1cf3126.yaml | 9 +
...tor-user-system-scope-all-5fe5cb7f9a03ee7b.yaml | 12 +
...rafana_update_datasources-706e3cdc964c5272.yaml | 6 +
...aproxy_healthchecks_to_l7-b05e8c7b177d1544.yaml | 7 +
.../haproxy_template_fix-ea89b4cf1110602f.yaml | 9 +
...rnal-endpoint-bug-2087537-0f5fb5d997e5a92b.yaml | 5 +
...ronic-pin-release-version-8f9e2b3c4d5a6b7c.yaml | 11 +
.../install-deps-retries-fbe2a3abb41abb6d.yaml | 5 +
...tron_agent_change_default-aa914434b7c119f7.yaml | 7 +
...sible-stop-ignore-missing-be57276213f0a7cd.yaml | 5 +
.../move-container-facts-1507cec39b2bdbe0.yaml | 10 +
.../nova-metadata-split-d1c9ff2010390352.yaml | 5 +
...-remove-use-forwarded-for-69f98132b0f164c1.yaml | 5 +
.../notes/ovn-sb-relay-809c170090887f68.yaml | 15 +
...prometheus-target-address-4d2d5624ee6ae5a0.yaml | 6 +
.../promethus-exporters-ipv6-c87b57cd21cb6bfe.yaml | 8 +
...vert-to-upstream-defaults-235abb7fb10bfcfd.yaml | 53 +++
.../public-openrc-system-e52c9f5440b6f594.yaml | 7 +
.../pure-manila-flashblade-34668c3cd91ee3f0.yaml | 5 +
.../notes/python-cli-3e568065b8706e73.yaml | 22 +-
.../rabbitmq-catch-downgrade-1005c7475a97bf19.yaml | 5 +
...-fanout-stream-queue-type-5b73723aa5e9b231.yaml | 10 +
...-check-add-common-options-05edc24b779a3630.yaml | 6 +
.../refactor-container-check-27624449c47f5e6e.yaml | 23 +
.../notes/reintroduce-check-2a385b77e044c507.yaml | 9 +
...ic-inspector-service-role-765027c3d91016d1.yaml | 7 +
...abbitmq_high_availability-0e9ecae0240c516c.yaml | 7 +
.../notes/remove-swift-5ebd7b5c4a2cb5b7.yaml | 4 +
...buntu-jammy-22-04-support-46d5d441a3cbc93d.yaml | 4 +
.../service-uwsgi-config-cf82829aa6457a92.yaml | 4 +
.../skyline-external-swift-d9e38f696a22c117.yaml | 9 +
...ng-services-and-endpoints-78341a638b939d68.yaml | 5 +
...ing-user-role-assignments-97f5463a8a653158.yaml | 5 +
...ate-user-role-assignments-c8e487445a6cadef.yaml | 4 +
.../upgrade-prometheus-to-v3-bdf73866e7a93194.yaml | 13 +
...blic-www-authenticate-uri-1144df4d205f8ebd.yaml | 8 +
releasenotes/notes/uwsgi-aef85ccbc76dab3e.yaml | 17 +
releasenotes/source/2023.1.rst | 2 +-
releasenotes/source/2024.2.rst | 6 +
releasenotes/source/index.rst | 1 +
requirements-core.yml | 8 +-
requirements.txt | 2 +-
roles/multi-node-managed-addressing/tasks/main.yml | 2 +-
roles/openstack-clients/defaults/main.yml | 4 -
setup.cfg | 6 +-
tools/cleanup-host | 6 -
tools/validate-all-file.py | 5 +-
tox.ini | 7 +-
zuul.d/base.yaml | 159 +++----
zuul.d/jobs.yaml | 109 +++--
zuul.d/project.yaml | 22 +-
807 files changed, 7076 insertions(+), 7494 deletions(-)
Requirements updates
--------------------
diff --git a/lint-requirements.txt b/lint-requirements.txt
index 1dd34e7f8..64500804f 100644
--- a/lint-requirements.txt
+++ b/lint-requirements.txt
@@ -1 +1 @@
-ansible>=8,<10 # GPLv3
+ansible>=10,<12 # GPLv3
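Review bot: in lint-requirements.txt the `ansible` community-package range and the `ansible-core` range in requirements.txt are pinned in separate files and have to be moved together by hand. `ansible>=10,<12` does line up with `ansible-core>=2.17,<2.19` (ansible 10 and 11 ship ansible-core 2.17 and 2.18), but a short comment on this line naming the matching ansible-core range would keep the two from drifting on the next bump.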
diff --git a/requirements.txt b/requirements.txt
index 797296f42..568d7f9b6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14 +14 @@ Jinja2>=3 # BSD License (3 clause)
-ansible-core>=2.16,<2.18 # GPLv3
+ansible-core>=2.17,<2.19 # GPLv3
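Review bot: the `ansible-core` line raises the lower bound from 2.16 to 2.17 as well as the upper bound, which drops support for control hosts still running ansible-core 2.16. The release note that accompanies the bump (the ansible-core-bump-2-18 note listed in the diffstat) should state the new minimum explicitly, not only the new maximum.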
We joyfully announce the release of:
kolla 20.0.0
This release is part of the epoxy release series.
The source is available from:
https://opendev.org/openstack/kolla
Download the package from:
https://tarballs.openstack.org/kolla/
Please report issues through:
https://bugs.launchpad.net/kolla/+bugs
For more details, please see below.
Changes in kolla 19.0.0.0rc1..20.0.0
------------------------------------
a01e339ed CI: Set upgrade jobs back to voting
535b2f270 mariadb: pin to 10.11.11
06ac69bd8 CI: Fix pip mirror multiline
a101add56 neutron: Add agents wrappers in the neutron-base image
e33902c30 bifrost: fix creation of python3 lib symlink
d85bc282b Enabling support for Thales Luna user id and group id.
f1248fe58 Allow specification of a key type
ac79bc9b6 Upgrade Prometheus to v3
3eb606a36 opensearch: remove example certs and securityadmin_demo.sh
bd42e9d43 Update prometheus alertmanager to newest available version
74843405d rabbitmq: Bump to 4.0
80d931982 Fix preparation of /tftpboot for ironic-pxe
c8fdb5550 bifrost: bump Ansible version to 11
16b3223d8 Add support for aarch64 ipxe to ironic-pxe image
6da05fc6d neutron: Add docker clients for ML2/OVS improvement
0733a13d7 Switch to 2025.1 sources
a09ba2027 Deprecate bifrost
057e7ad60 CI: Sort alphabetically zuul templates
47a6ad020 Opensearch and opensearch-dashboard image size reduction
dc0fbd20a CI: Switch aarch64 builds to native platform
9c6f6ae2d tests: Add cross-arch test for etcd
915189d10 fix sources.py based cross-arch builds
f2fba3842 Remove swift container images
7a0c639da nova/aarch64: Fix qemu-efi build failures
e1fff6252 kolla-toolbox: Bump ansible-core to 2.18
5025ab688 Ironic: Add ESP image for UEFI virtual media
c6700a404 debian: Use Dalmatian extrepo release
4c9113f96 CI: Add qemu-user-static back
64f171ccf [release] Use RDO's Epoxy packages
09f706bc2 Added libvirt dependency to nova-libvirt debian based containers
d2837d853 Add mtools package to ironic-conductor image
9efdcc01c [release] Use UCA Epoxy
498b793c8 CI: Add rocky support to process_build_logs.py
af632db5d CI: Use ansible-lint for CI roles and playbooks
405f95019 Remove Git remote origin after cloning sources
cfa266a3a Allow to use configure_user macro for external templates
96d6a9427 CI: Move pre tasks into roles
ed7c8399c Fix permissions for ironic metrics
13d6a664f Install pycadf from pypi package
4cab35b1a Change Bifrost Python upper-constraints source
ff55c2925 Bump pycadf version to 4.0.1
0f5c679dc Prometheus update all exporters to the latest versions
21b6d87bc swift: Deprecate for removal in 2025.2
f82b9e3b1 Add ovn-sb-db-relay image with newer ovn-ctl
d3bb06d5c Fix genconfig
a9c94abf5 openvswitch: Fix logs dir permission
ac2bbcc9f ironic: Fix dnsmasq.log permissions
4a7af468b Adds missing nvme package in cinder-backup
0f5e39954 neutron-dhcp-agent: change dnsmasq.log rights
969cbc736 cinder: Fix log dir permission
36ef420f8 [letsencrypt] Rename script for updating certificates
7c9b560f8 Update Let's Encrypt lego version
3575d7d8b Remove deprecated AngularJS plugins from Grafana
592f341dd magnum: Add helm binary for magnum-cluster-api
6698a072d Fix EAB support in letsencrypt
7ae781561 Remove setuptools pin
f33c1ef17 Revert "CI: Pin requests to <2.32 for publish jobs"
795e34785 Revert "[release] Use Dalmatian sources by default"
2d8e98ec7 Time mismatch in /etc/localtime and /etc/timezone
a6a15966a CI: Stop using LABEL for ephemeral0
4adc9a103 Add Let's Encrypt EAB support
45ddb7194 Add Python 3.12 classifier
d22245c71 Change copy-cacerts behaviour
08a97807b Revert "CentOS/Rocky: use CentOS Cloud SIG repo instead of Delorean (Dalmatian)"
23519e6d8 CI: Use debian/ubuntu images from quay mirror
1df09532d Move uwsgi installation to openstack-base
11f65c6c1 Add mechanism for patching files in containers
d930fca08 CI: Add reno linting
ba9078816 Update release-management doc with openstack-manuals step
36c12676f Fix handling configs in base image
8eaf4149b Enhance logging format for better readability
ee7fe59f7 Update master for stable/2024.2
d389964ce Add libnetfilter-log to l3 agent container
Diffstat (except docs and test files)
-------------------------------------
.ansible-lint | 12 +
.yamllint | 10 -
.zuul.d/base.yaml | 2 +
.zuul.d/centos.yaml | 2 +-
.zuul.d/debian.yaml | 3 +-
.zuul.d/project.yaml | 10 +-
.zuul.d/rocky.yaml | 2 +-
.zuul.d/tox.yaml | 12 +
.zuul.d/ubuntu.yaml | 2 +-
README.rst | 1 -
.../barbican-keystone-listener/Dockerfile.j2 | 2 +
.../ceilometer-notification/Dockerfile.j2 | 2 +
.../cloudkitty/cloudkitty-processor/Dockerfile.j2 | 2 +
.../designate-backend-bind9/Dockerfile.j2 | 2 +
.../hacluster-pacemaker-remote/Dockerfile.j2 | 2 +
...haproxy-cert.sh => update-loadbalancer-cert.sh} | 0
.../ironic-prometheus-exporter/Dockerfile.j2 | 2 +
.../letsencrypt-lego/letsencrypt-certificates.sh | 42 +-
.../sync-and-update-certificate.sh | 4 +-
.../letsencrypt-webserver/Dockerfile.j2 | 2 +
.../ironic-neutron-agent/Dockerfile.j2 | 2 +
.../neutron-base/neutron-keepalived-state-change | 40 ++
.../neutron-infoblox-ipam-agent/Dockerfile.j2 | 2 +
.../neutron-linuxbridge-agent/Dockerfile.j2 | 2 +
.../neutron/neutron-metadata-agent/Dockerfile.j2 | 2 +
.../neutron/neutron-metering-agent/Dockerfile.j2 | 2 +
.../neutron-openvswitch-agent/Dockerfile.j2 | 2 +
.../octavia/octavia-health-manager/Dockerfile.j2 | 2 +
.../opensearch/opensearch-dashboards/Dockerfile.j2 | 7 +-
.../openvswitch/openvswitch-base/extend_start.sh | 2 +
.../openvswitch-db-server/Dockerfile.j2 | 4 +
.../openvswitch-db-server/extend_start.sh | 5 +
.../openvswitch/openvswitch-vswitchd/Dockerfile.j2 | 4 +
.../openvswitch-vswitchd/extend_start.sh | 5 +
.../prometheus-alertmanager/Dockerfile.j2 | 4 +
.../prometheus-blackbox-exporter/Dockerfile.j2 | 2 +
.../prometheus/prometheus-cadvisor/Dockerfile.j2 | 1 +
.../Dockerfile.j2 | 4 +
.../prometheus-libvirt-exporter/Dockerfile.j2 | 2 +
.../prometheus-memcached-exporter/Dockerfile.j2 | 4 +
.../prometheus-mysqld-exporter/Dockerfile.j2 | 4 +
.../prometheus-node-exporter/Dockerfile.j2 | 4 +
.../prometheus-openstack-exporter/Dockerfile.j2 | 4 +
.../prometheus-ovn-exporter/Dockerfile.j2 | 4 +
.../Dockerfile.j2 | 12 +-
kolla/common/config.py | 35 +-
kolla/common/sources.py | 78 ++--
kolla/common/users.py | 6 +-
kolla/image/build.py | 1 +
kolla/image/kolla_worker.py | 46 ++-
kolla/image/tasks.py | 1 +
kolla/template/methods.py | 6 +
kolla/template/repos.yaml | 32 +-
.../notes/aarch64-ipxe-51888a5972528d77.yaml | 9 +
.../notes/add-designate-c789e47f8ced394d.yaml | 3 +-
...ronic-prometheus-exporter-c793478ee5938bee.yaml | 4 +-
...d-letsencrypt-eab-support-0ec1a60f1602662e.yaml | 4 +
.../add-monasca-grafana-app-ea24f8ca43fa9c7d.yaml | 3 +-
.../add-networking-ansible-b27128f544f300e6.yaml | 7 +-
...e-dumb-init-config-option-26b47f6d97d7585c.yaml | 5 +-
.../notes/ansible-core-2.18-582103463aba6e8a.yaml | 4 +
.../notes/bifrost-ansible-11-d14b635f9f766675.yaml | 4 +
...macro-to-custom-templates-61c143326a35c7ed.yaml | 9 +
.../notes/bug-1814552-a037354969dcf7e5.yaml | 4 +-
.../notes/bug-1859047-d41762357da8ae0b.yaml | 4 +-
.../notes/bug-1946801-5f3af3c44e567fcf.yaml | 4 +-
.../notes/bug-2060855-77516da722d04761.yaml | 6 +
.../notes/bug-2062572-c55c71e1045a863f.yaml | 5 +-
.../notes/bug-2091161-a99c5c243c2514ac.yaml | 6 +
.../notes/bug-2098904-4c5670049a7e1a66.yaml | 5 +
...-upper-constraints-source-e93cb72e88823d56.yaml | 14 +
.../notes/debian-dalmatian-65fed830f10946e2.yaml | 5 +
.../notes/deprecate-bifrost-dd93b6d8eb04cac6.yaml | 6 +
.../deprecate-kubernetes-dbabf9f86c15a0ee.yaml | 4 +-
.../deprecate-opendaylight-58b3e9dbdc359688.yaml | 4 +-
.../notes/deprecate-swift-fe9f5586f698ba03.yaml | 4 +
.../drop-pyhton-3-6-and-3-7-6cc88979aad423e8.yaml | 4 +-
.../el-aarch64-ipxe-snponly-e7fc23bdc7edfe3d.yaml | 6 +
.../notes/fix-fwaas-l3-log-aed85e0782dece8d.yaml | 10 +
...ana-opensearch-datasource-96dc8061d9721af3.yaml | 4 +-
...loyment-permissions-issue-dfc2d8c92d2eaf57.yaml | 10 +
...nc_rpm_swift_base_missing-9d106d94b52d0bad.yaml | 3 +-
.../generic-customisation-b2d431caa2fc5c10.yaml | 4 +-
...na-remove-angular-plugins-4c9ea2087c5c2bf2.yaml | 5 +
.../notes/ironic-esp-image-886b5fb5b01e7b56.yaml | 6 +
.../notes/ironic-mtools-2938ccfe951f5dc5.yaml | 4 +
.../notes/ironic_syslinux-70eac225d227dc2e.yaml | 3 +-
...kolla-container-logformat-259885637cbeb0e6.yaml | 11 +
.../octavia-driver-agent-83ee17b82c577e95.yaml | 4 +-
.../patch-docker-images-69764f0b1df5c9ed.yaml | 6 +
.../prometheus-containers-1599a6417cc6a264.yaml | 6 +-
.../notes/rabbitmq-4-0-ee1a5f2ef212f6a6.yaml | 4 +
.../notes/rdo-dalmatian-bab7a517c219cb23.yaml | 5 -
.../remove-fwaas-deployment-8381b454528bdae9.yaml | 4 +-
.../remove-glance-registry-4a5c3d54440f7c28.yaml | 3 +-
...move-neutron-vpnaas-agent-216810affb495ad0.yaml | 13 +-
...ometheus-haproxy-exporter-22d5af88af7e4a9d.yaml | 8 +-
.../notes/remove-zaqar-image-de36960a88f132c8.yaml | 3 +-
.../notes/summary-json-file-96441e67076fc480.yaml | 4 +-
...pport-image-cross-compile-3b1dc348d742e96d.yaml | 4 +-
...pdate-letsencrypt-version-36a0cd7d2997c6c7.yaml | 6 +
...pdate-prometheus-services-dd195876e162251c.yaml | 17 +
.../notes/upgrade-pip-44352805d60bbf7f.yaml | 4 +-
.../upgrade-prometheus-to-v3-d305280498e0fcaf.yaml | 11 +
.../uwsgi-openstack-base-ac583652d29ea0e4.yaml | 5 +
.../notes/vitrage-containers-3bfb360357aa628b.yaml | 8 +-
releasenotes/source/2024.2.rst | 6 +
releasenotes/source/index.rst | 1 +
roles/configure-ephemeral/meta/main.yml | 4 +
roles/configure-ephemeral/tasks/main.yml | 17 +-
roles/kolla-build-config/defaults/main.yml | 1 -
roles/kolla-build-config/tasks/main.yml | 5 +-
roles/kolla-build-deps/tasks/main.yml | 70 ++++
roles/kolla-build/tasks/main.yml | 5 +
setup.cfg | 1 +
test-requirements.txt | 1 +
test-requirements.yml | 5 +
tox.ini | 9 +-
340 files changed, 2653 insertions(+), 1017 deletions(-)
Requirements updates
--------------------
diff --git a/test-requirements.txt b/test-requirements.txt
index ad35b8796..e9fa093f7 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -0,0 +1 @@
+ansible-lint<25 # MIT
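Review bot: the added `ansible-lint<25` line sets only an upper bound, so a resolver is free to pick any older ansible-lint release and lint results can differ between environments. Add a lower bound matching the version the rules in the new `.ansible-lint` file were written against.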
We are psyched to announce the release of:
ironic 26.1.2
This release is part of the dalmatian release series.
The source is available from:
https://opendev.org/openstack/ironic
Download the package from:
https://tarballs.openstack.org/ironic/
Please report issues through:
https://bugs.launchpad.net/ironic/+bugs
For more details, please see below.
26.1.2
^^^^^^
Security Issues
***************
* Fixes OSSA-2025-001, where Ironic did not properly filter file://
paths when used as image sources. This would permit any file
accessible by the conductor to be used as an image to attempt
deployment.
Adds "CONF.conductor.file_url_allowed_paths", an allowlist
configuration defaulting to "/var/lib/ironic", "/shared/html",
"/opt/cache/files", "/vagrant", and "/templates", which permits
operators to further restrict where the conductor will fetch images
from when provided a file:// URL. This default value was chosen based on known
usage by projects downstream of Ironic, including Metal3, Bifrost,
and OpenShift. These defaults may change to be more restrictive at a
later date. Operators using file:// URLs are encouraged to
explicitly set this value even if the current default is sufficient.
Operators wishing to fully disable the ability to deploy with a
file:// URL should set this configuration to "" (empty).
Operators wishing to restore the original insecure behavior should
set "CONF.conductor.file_url_allowed_paths" to "/". Take note that
in the 2025.2 release and later, "/dev", "/sys", "/proc", "/run",
and "/etc" will be unconditionally blocked as a security measure.
This issue only poses a significant security risk when Ironic's
automated cleaning process is disabled and the service is configured
in such a way that permits direct deployment by an untrusted API
user, such as standalone Ironic installations or environments
granting ownership of nodes to projects.
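An added example, not Ironic's own code, of the allowlist check this note describes: a file:// image source is resolved to a real path and accepted only if it lies under an allowed root. The function names, the percent-decoding, the symlink resolution and the `block_system_dirs` switch (modelling the 2025.2 behaviour the note announces) are assumptions of this example; the two path lists are the ones quoted in the note.

```python
"""Allowlist check for file:// image sources (illustrative only)."""
import os
from urllib.parse import unquote, urlparse

# Defaults the release note lists for CONF.conductor.file_url_allowed_paths.
DEFAULT_ALLOWED_PATHS = (
    "/var/lib/ironic", "/shared/html", "/opt/cache/files",
    "/vagrant", "/templates",
)
# Directories the note says are blocked unconditionally from 2025.2 on.
ALWAYS_BLOCKED = ("/dev", "/sys", "/proc", "/run", "/etc")


class ImageSourceRejected(ValueError):
    """Raised when a file:// image source falls outside the allowlist."""


def _is_under(path, root):
    """Compare whole path components, so /var/lib/ironic-old is not
    treated as being inside /var/lib/ironic."""
    return os.path.commonpath([path, root]) == root


def resolve_file_url(url, allowed_paths=DEFAULT_ALLOWED_PATHS,
                     block_system_dirs=True):
    """Return the real local path for url, or raise ImageSourceRejected."""
    parsed = urlparse(url)
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        raise ImageSourceRejected("not a local file:// URL: %r" % url)

    path = unquote(parsed.path)  # decodes tricks such as %2e%2e
    if "\x00" in path:
        raise ImageSourceRejected("NUL byte in path")

    # Collapse ".." and follow symlinks, so the decision is made on the
    # file that would really be opened, not on the string in the URL.
    real = os.path.realpath(path)

    if block_system_dirs:
        for blocked in ALWAYS_BLOCKED:
            if _is_under(real, os.path.realpath(blocked)):
                raise ImageSourceRejected("%s is under %s" % (real, blocked))

    # An empty allowlist leaves no roots: file:// deployment is disabled.
    roots = [os.path.realpath(p) for p in allowed_paths if p]
    if not any(_is_under(real, root) for root in roots):
        raise ImageSourceRejected("%s is outside the allowlist" % real)
    return real


def is_allowed(url, allowed_paths=DEFAULT_ALLOWED_PATHS, **kwargs):
    """Boolean wrapper around resolve_file_url()."""
    try:
        resolve_file_url(url, allowed_paths, **kwargs)
        return True
    except ImageSourceRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "file:///var/lib/ironic/images/node.img",
        "file:///var/lib/ironic-old/node.img",
        "file:///var/lib/ironic/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
        "file://remotehost/var/lib/ironic/node.img",
    ]
    for sample in samples:
        print("%-60s %s" % (sample, "allow" if is_allowed(sample) else "reject"))
```
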
Bug Fixes
*********
* The set of strings used to detect cipher suite version related
errors in the "ipmitool" command was expanded. If the string "Error
in open session response message : invalid role" is contained in the
output of a failed "ipmitool" command execution, the error will
now be considered as related to inappropriate ciphers too, and will be
retried with another cipher suite version if Ironic is configured to
do so. See bug 2085137 (https://launchpad.net/bugs/2085137) for more
details.
* When changing from glanceclient to OpenStack SDK to communicate
with Glance, a bug was introduced reading image properties causing
the Anaconda deploy interface to be unable to use Glance images.
Other deploy interfaces continued to function but could have
resulted in some properties not taking effect. See bug 2099275
(https://bugs.launchpad.net/ironic/+bug/2099953) for more details.
* Fixes step validation where some of the reserved step names,
"hold", and "wait", were not being properly handled by the step
validation code.
* Fixes an issue where operators executing a complex arrangement of
steps which include out-of-band and in-band steps, for example a
hardware RAID "create_configuration" step followed by in-band steps
inside of the agent, would effectively get the agent stuck in a
"wait" state in the Cleaning, Servicing, or Deploying workflows.
This was related to the way out-of-band steps are executed and
monitored. Ironic, before starting to execute a new step, now cleans
the polling lockout flag for the respective workflow being executed
to prevent the agent from getting stuck. For more information,
please see bug 2096938
(https://bugs.launchpad.net/ironic/+bug/2096938)
* Fixes newly added policy rules,
"baremetal:node:set_provision_state:clean_steps" and
"baremetal:node:set_provision_state:service_steps", which impacted
"project scoped" users utilizing the "2024.2" release of Ironic
where they were attempting to invoke "service" or "clean" provision
state commands. This was due to a misunderstanding of the correct
policy checker to invoke, and additional testing has been added
around these functions to ensure they work as expected moving
forward.
* Some vendors insist that floppy images must be 1440 KiB in size
and that the file name ends with ".img". Make it so.
* Includes the agent token parameter in get command status requests
as the endpoint now requires authentication.
* The configuration option "[inspector]power_off" is now actually
ignored for nodes with fast track enabled, as documented in its
help.
* Fixes the built-in in-band inspection implementation to power off
the node after aborting inspection on user's request, unless the
node is in the fast track mode or "[inspector]power_off" is set to
"False".
* The fix for CVE-2024-47211 results in image checksum being
required in all cases. However there is no checksum requirement for
file:// based images. When checksum is missing for file:// based
image_source it is now calculated on-the-fly.
* Fixes an error within the redfish session cache when no
"redfish_password" is specified. See bug 2097019
(https://bugs.launchpad.net/ironic/+bug/2097019)
* Update the node cache after a successful servicing and cleaning.
This ensures the node information is correctly updated in the
database.
Changes in ironic 26.1.1..26.1.2
--------------------------------
e18bbe3af OSSA-2025-001: Disallow unsafe image file:// paths
6b8e25234 [stable-only] Fix errors building docs
651d77537 fix glance metadata layout
bc565cf54 Make floppy images more floppy
5aa51d698 Pass agent token to get command results
3fec72442 Expand detected strings in check_cipher_suite_errors
0911ecae4 Fix agent from being locked out with complex steps
60248a0b8 Fix redfish session cache on missing password
3c27ebcc1 Fix hold/wait step logic in step validation
187337bc4 stable-only: Drop ironic-tox-codespell job
d1872d7fc Calculate missing checksum for file:// based images
684dd6107 Update Node Cache after Successful Clean/Service
38d94ca3a Use specific fix-commit from dnsmasq
1ed8b772b Fix policy checks added with runbooks
94a72b7a7 [stable-only] [ci] Remove metal3 job
2a29676ea Actually ignore [inspector]power_off with fast track
577971afd add qemu-img to necessary dependency list
f5ba0c8ae Gracefully handle bad request exception
e3437d7c9 Fix actual size calculation for storage fallback logic
Diffstat (except docs and test files)
-------------------------------------
devstack/lib/ironic | 18 +-
ironic/api/controllers/v1/node.py | 31 ++-
ironic/api/controllers/v1/portgroup.py | 2 +
ironic/common/async_steps.py | 6 +-
ironic/common/checksum_utils.py | 15 +-
ironic/common/glance_service/service_utils.py | 18 +-
ironic/common/image_service.py | 22 ++-
ironic/common/images.py | 2 +-
ironic/conductor/cleaning.py | 6 +
ironic/conductor/deployments.py | 4 +
ironic/conductor/manager.py | 9 +-
ironic/conductor/servicing.py | 7 +
ironic/conductor/steps.py | 3 +-
ironic/conf/conductor.py | 15 ++
ironic/conf/types.py | 55 ++++++
ironic/drivers/modules/agent_client.py | 6 +
ironic/drivers/modules/image_utils.py | 8 +-
ironic/drivers/modules/inspector/agent.py | 23 +--
ironic/drivers/modules/inspector/interface.py | 39 ++--
ironic/drivers/modules/ipmitool.py | 8 +-
ironic/drivers/modules/redfish/utils.py | 6 +-
.../unit/drivers/modules/inspector/test_agent.py | 52 ++++-
.../drivers/modules/inspector/test_interface.py | 210 ++++++++++-----------
.../unit/drivers/modules/test_agent_client.py | 6 +-
.../unit/drivers/modules/test_deploy_utils.py | 12 ++
...ion-ipmitools-cipher-fail-1503b4e319e77ed8.yaml | 11 ++
...ce-image-properties-check-2a11337c9e517a5c.yaml | 10 +
...x-hold-wait-service-steps-37dc91fd7393b180.yaml | 5 +
...polling-lockout-for-steps-b9645f0cae18da1e.yaml | 13 ++
...provision-state-subpolicy-13ae3ef7497d20c1.yaml | 12 ++
.../floppy-image-quirks-32e14d32a37b0742.yaml | 5 +
...ent-token-to-get-requests-982bacce85d95ce8.yaml | 5 +
.../notes/inspect-off-099e3c73edaf6082.yaml | 9 +
.../missing_file_checksum-4931c98031951486.yaml | 7 +
...sallow-unsafe-image-paths-670fdcfe3e4647d4.yaml | 29 +++
...sh-allow-missing-password-ce4fb161d35a6850.yaml | 6 +
...essful-servicing-cleaning-7433c493e31742b0.yaml | 6 +
tools/config/ironic-config-generator.conf | 1 -
tox.ini | 2 +-
zuul.d/ironic-jobs.yaml | 7 -
zuul.d/project.yaml | 10 -
59 files changed, 823 insertions(+), 269 deletions(-)
We are psyched to announce the release of:
ironic 24.1.4
This release is part of the caracal release series.
The source is available from:
https://opendev.org/openstack/ironic
Download the package from:
https://tarballs.openstack.org/ironic/
Please report issues through:
https://bugs.launchpad.net/ironic/+bugs
For more details, please see below.
24.1.4
^^^^^^
Security Issues
***************
* Fixes OSSA-2025-001, where Ironic did not properly filter file://
paths when used as image sources. This would permit any file
accessible by the conductor to be used as an image to attempt
deployment.
Adds "CONF.conductor.file_url_allowed_paths", an allowlist
configuration defaulting to "/var/lib/ironic", "/shared/html",
"/opt/cache/files", "/vagrant", and "/templates", which permits
operators to further restrict where the conductor will fetch images
from when provided a file:// URL. This default value was chosen based on known
usage by projects downstream of Ironic, including Metal3, Bifrost,
and OpenShift. These defaults may change to be more restrictive at a
later date. Operators using file:// URLs are encouraged to
explicitly set this value even if the current default is sufficient.
Operators wishing to fully disable the ability to deploy with a
file:// URL should set this configuration to "" (empty).
Operators wishing to restore the original insecure behavior should
set "CONF.conductor.file_url_allowed_paths" to "/". Take note that
in the 2025.2 release and later, "/dev", "/sys", "/proc", "/run",
and "/etc" will be unconditionally blocked as a security measure.
This issue only poses a significant security risk when Ironic's
automated cleaning process is disabled and the service is configured
in such a way that permits direct deployment by an untrusted API
user, such as standalone Ironic installations or environments
granting ownership of nodes to projects.
Bug Fixes
*********
* The set of strings used to detect cipher suite version related
errors in the "ipmitool" command was expanded. If the string "Error
in open session response message : invalid role" is contained in the
output of a failed "ipmitool" command execution, such error will be
now considered as related to inappropriate ciphers too, and will be
retried with another cipher suite version if Ironic is configured to
do so. See bug 2085137 (https://launchpad.net/bugs/2085137) for more
details.
* Fixes an issue where operators executing a complex arrangement of
steps which include out-of-band and in-band steps, for example a
hardware RAID "create_configuration" step followed by in-band steps
inside of the agent, would effectively get the agent stuck in a
"wait" state in the Cleaning, Servicing, or Deploying workflows.
This was related to the way out-of-band steps are executed and
monitored. Ironic, before starting to execute a new step, now cleans
the polling lockout flag for the respective workflow being executed
to prevent the agent from getting stuck. For more information,
please see bug 2096938
(https://bugs.launchpad.net/ironic/+bug/2096938)
* Some vendors insist that floppy images must be 1440 KiB in size
and that the file name ends with ".img". Make it so.
* Includes the agent token parameter in get command status requests
as the endpoint now requires authentication.
* The fix for CVE-2024-47211 results in image checksum being
required in all cases. However there is no checksum requirement for
file:// based images. When checksum is missing for file:// based
image_source it is now calculated on-the-fly.
* Fixes an error within the redfish session cache when no
"redfish_password" is specified. See bug 2097019
(https://bugs.launchpad.net/ironic/+bug/2097019)
Changes in ironic 24.1.3..24.1.4
--------------------------------
cc8d7c08c OSSA-2025-001: Disallow unsafe image file:// paths
287ac76cb [stable-only] Fix errors building docs
1e9877f4a Make floppy images more floppy
1f02a1d88 ci: automatically set the branch for IPA to match TARGET_BRANCH
4aa8310ef Pass agent token to get command results
6cbbad1ef Expand detected strings in check_cipher_suite_errors
fea9a4f07 Fix agent from being locked out with complex steps
34bb2b1d4 stable-only: Drop ironic-tox-codespell job
9b97ec3bb Fix redfish session cache on missing password
4836513ee Calculate missing checksum for file:// based images
cdae95e46 Fix actual size calculation for storage fallback logic
Diffstat (except docs and test files)
-------------------------------------
devstack/lib/ironic | 2 +-
ironic/common/async_steps.py | 6 ++-
ironic/common/checksum_utils.py | 15 +++++-
ironic/common/image_service.py | 22 +++++++-
ironic/common/images.py | 2 +-
ironic/conductor/cleaning.py | 5 ++
ironic/conductor/deployments.py | 4 ++
ironic/conductor/servicing.py | 4 ++
ironic/conf/conductor.py | 16 ++++++
ironic/conf/types.py | 55 +++++++++++++++++++
ironic/drivers/modules/agent_client.py | 6 +++
ironic/drivers/modules/image_utils.py | 8 +--
ironic/drivers/modules/ipmitool.py | 8 +--
ironic/drivers/modules/redfish/utils.py | 6 ++-
.../unit/drivers/modules/test_agent_client.py | 6 +--
.../unit/drivers/modules/test_deploy_utils.py | 12 +++++
...ion-ipmitools-cipher-fail-1503b4e319e77ed8.yaml | 11 ++++
...polling-lockout-for-steps-b9645f0cae18da1e.yaml | 13 +++++
.../floppy-image-quirks-32e14d32a37b0742.yaml | 5 ++
...ent-token-to-get-requests-982bacce85d95ce8.yaml | 5 ++
.../missing_file_checksum-4931c98031951486.yaml | 7 +++
...sallow-unsafe-image-paths-670fdcfe3e4647d4.yaml | 29 ++++++++++
...sh-allow-missing-password-ce4fb161d35a6850.yaml | 6 +++
tools/config/ironic-config-generator.conf | 1 -
tox.ini | 2 +-
zuul.d/ironic-jobs.yaml | 7 ---
37 files changed, 432 insertions(+), 50 deletions(-)
Hello everyone,
A new release candidate for kolla for the end of the Epoxy
cycle is available! You can find the source code tarball at:
https://tarballs.openstack.org/kolla/
Unless release-critical issues are found that warrant a release
candidate respin, this candidate will be formally released as the
final Epoxy release. You are therefore strongly encouraged
to test and validate this tarball!
Alternatively, you can directly test the stable/epoxy release
branch at:
https://opendev.org/openstack/kolla/src/branch/stable/epoxy
Release notes for kolla can be found at:
https://docs.openstack.org/releasenotes/kolla/
If you find an issue that could be considered release-critical, please
file it at:
https://bugs.launchpad.net/kolla/+bugs
and tag it *epoxy-rc-potential* to bring it to the kolla
release crew's attention.
Hello everyone,
A new release candidate for kolla-ansible for the end of the Epoxy
cycle is available! You can find the source code tarball at:
https://tarballs.openstack.org/kolla-ansible/
Unless release-critical issues are found that warrant a release
candidate respin, this candidate will be formally released as the
final Epoxy release. You are therefore strongly encouraged
to test and validate this tarball!
Alternatively, you can directly test the stable/epoxy release
branch at:
https://opendev.org/openstack/kolla-ansible/src/branch/stable/epoxy
Release notes for kolla-ansible can be found at:
https://docs.openstack.org/releasenotes/kolla-ansible/
If you find an issue that could be considered release-critical, please
file it at:
https://bugs.launchpad.net/kolla-ansible/+bugs
and tag it *epoxy-rc-potential* to bring it to the kolla-ansible
release crew's attention.
We enthusiastically announce the release of:
magnum-capi-helm 1.2.1
The source is available from:
https://opendev.org/openstack/magnum-capi-helm
Download the package from:
https://pypi.org/project/magnum-capi-helm
For more details, please see below.
1.2.1
^^^^^
Bug Fixes
* Fixed an issue where non-default node groups could not be
individually deleted. The node groups would get stuck in the
DELETE_IN_PROGRESS state and the underlying VMs would keep running.
Node groups were only cleaned up when the entire cluster was
deleted.
Changes in magnum-capi-helm 1.2.0..1.2.1
----------------------------------------
3159a01 Improve node group deletion unit test
01548de Fix deletion of non-default node groups
8e82859 CI: Add linting to releasenotes
eaccbd2 CI: Stop running py38, add py312
8a6c56d Intro docs for Magnum-CAPI-helm
Diffstat (except docs and test files)
-------------------------------------
.zuul.yaml | 18 +--
magnum_capi_helm/driver.py | 5 +-
.../fix-nodegroup-delete-c83210c6029041d2.yaml | 8 ++
test-requirements.txt | 2 +-
tox.ini | 13 ++
10 files changed, 246 insertions(+), 26 deletions(-)
Requirements updates
--------------------
diff --git a/test-requirements.txt b/test-requirements.txt
index e9dc685..445e8c7 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -5 +5 @@
-hacking>=3.0,<3.1 # Apache-2.0
+hacking>=7.0.0,<7.1.0 # Apache-2.0
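Review bot: the hacking pin at line 5 of test-requirements.txt jumps from the 3.0 series straight to the 7.0 series in a point release, and nothing beside the pin says why. Since the set of style checks differs between hacking major versions, confirm the accompanying tox.ini change passes cleanly against the new range and record the reason for the jump in the commit message.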
We enthusiastically announce the release of:
python-zaqarclient 3.0.1
This release is part of the epoxy release series.
The source is available from:
https://opendev.org/openstack/python-zaqarclient
Download the package from:
https://pypi.org/project/python-zaqarclient
Please report issues through:
https://bugs.launchpad.net/python-zaqarclient/+bugs
For more details, please see below.
Changes in python-zaqarclient 3.0.0..3.0.1
------------------------------------------
0233b3b Remove remaining deprecated commands
ce24421 Update TOX_CONSTRAINTS_FILE for stable/2025.1
c87fe99 Update .gitreview for stable/2025.1
Diffstat (except docs and test files)
-------------------------------------
.gitreview | 1 +
setup.cfg | 3 ---
tox.ini | 2 +-
3 files changed, 2 insertions(+), 4 deletions(-)
We are glad to announce the release of:
octavia 15.0.1
This release is part of the dalmatian release series.
The source is available from:
https://opendev.org/openstack/octavia
Download the package from:
https://pypi.org/project/octavia
Please report issues through:
https://storyboard.openstack.org/#!/project/908
For more details, please see below.
15.0.1
^^^^^^
Bug Fixes
* Remove the record in the amphora_health table on revert. This is
necessary because the record in the amphora table for the
corresponding amphora is also deleted. It avoids false positive
reactions of the failover threshold due to orphan records in the
amphora_health table.
* Ignore serialization of the loadbalancer class in
GetAmphoraNetworkConfigs tasks. This avoids storing the full
graph in jobboard details. It fixes cases with jobboard enabled for
huge LBs with ~2000+ resources in the graph.
* Fixed a potential AttributeError during listener update when a
security group rule had no protocol defined (i.e. it was null).
* Fixed an issue with SINGLE topology load balancers with UDP
listeners: the Amphora now sends a Gratuitous ARP packet when a UDP
pool is added, which makes the VIP address more quickly reachable
after a failover or when reusing a previously allocated IP address.
* Fix verification of certificates signed by a private CA when using
Neutron endpoints.
* Fix an error on revert of the PlugVIPAmphora task when db_lb is not
defined and get_subnet raises a NotFound error. This could happen
when Amphora creation failed by timeout and the VIP network was
removed before that. As a result, the revert failed with an
exception.
Changes in octavia 15.0.0..15.0.1
---------------------------------
8e02055af Ignore load_balancer graph in task results to avoid break write data in jobboard DB
3439d458d Fix amphora image builds to use DIB bindep
82d00251b Update stable/2024.2 to use 2024.2 tests
f88404541 Fix missing GARP with UDP listeners on SINGLE LB
b9196fd64 Fix verification of certificates signed by a private CA
71b964dcf Remove amphora_health record on revert CreateAmphoraInDB
c60d7fbea Handle undefined protocol field in security group rules correctly
57ccd896e Do not fail on revert PlugVIPAmphora due undefined db_lb
df8524849 Pin pylint on 2024.2
20d97469e Update TOX_CONSTRAINTS_FILE for stable/2024.2
e55d53480 Update .gitreview for stable/2024.2
Diffstat (except docs and test files)
-------------------------------------
.gitreview | 1 +
.../amphora-agent/source-repository-amphora-agent | 4 +-
elements/octavia-lib/source-repository-octavia-lib | 2 +-
.../backends/agent/api_server/keepalivedlvs.py | 9 +++
octavia/amphorae/backends/agent/api_server/util.py | 37 ++++++++-
octavia/common/clients.py | 8 +-
.../controller/worker/v2/tasks/database_tasks.py | 16 ++--
.../controller/worker/v2/tasks/network_tasks.py | 36 ++++++---
.../drivers/neutron/allowed_address_pairs.py | 5 +-
.../backends/agent/api_server/test_util.py | 90 +++++++++++++++++++++-
.../worker/v2/tasks/test_database_tasks.py | 34 ++++++--
.../worker/v2/tasks/test_network_tasks.py | 65 ++++++++++++++++
.../drivers/neutron/test_allowed_address_pairs.py | 3 +-
playbooks/image-build/run.yaml | 52 ++-----------
...lth_row_on_amphora_revert-082f94459ecacaa2.yaml | 7 ++
...t-amphora-network-configs-347a0a4340ee222b.yaml | 6 ++
...up-rule-has-protocol-none-9b7217c5477d01b6.yaml | 5 ++
...ix-garp-for-udp-listeners-6bf2ec8d491d1e1b.yaml | 7 ++
...te-ca-signed-certificates-b9386a0d92627b03.yaml | 5 ++
..._db_lb_on_plug_vip_revert-5c24af124498b246.yaml | 7 ++
test-requirements.txt | 2 +-
tox.ini | 8 +-
zuul.d/jobs.yaml | 89 +++++++++++++++++++--
zuul.d/projects.yaml | 36 ++++-----
24 files changed, 426 insertions(+), 108 deletions(-)
Requirements updates
--------------------
diff --git a/test-requirements.txt b/test-requirements.txt
index fa31c123f..6f9f2cb36 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -11 +11 @@ oslotest>=3.2.0 # Apache-2.0
-pylint>=2.5.3 # GPLv2
+pylint>=2.5.3,<3.2.0 # GPLv2
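Review bot: the new `<3.2.0` cap on pylint at line 11 has no inline comment saying why the bound exists or when it can be lifted; the changelog entry only reads "Pin pylint on 2024.2". Add a short comment or bug reference beside the pin so the cap is not carried forward indefinitely.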
We are jazzed to announce the release of:
ironic 29.0.2
This release is part of the epoxy release series.
The source is available from:
https://opendev.org/openstack/ironic
Download the package from:
https://tarballs.openstack.org/ironic/
Please report issues through:
https://bugs.launchpad.net/ironic/+bugs
For more details, please see below.
29.0.2
^^^^^^
Security Issues
* Fixes OSSA-2025-001, where Ironic did not properly filter file://
paths when used as image sources. This would permit any file
accessible by the conductor to be used as an image to attempt
deployment.
Adds "CONF.conductor.file_url_allowed_paths", an allowlist
configuration defaulting to "/var/lib/ironic", "/shared/html",
"/opt/cache/files", "/vagrant", and "/templates", which permits
operators to further restrict where the conductor will fetch images
from when provided a file:// URL. This default value was chosen based on known
usage by projects downstream of Ironic, including Metal3, Bifrost,
and OpenShift. These defaults may change to be more restrictive at a
later date. Operators using file:// URLs are encouraged to
explicitly set this value even if the current default is sufficient.
Operators wishing to fully disable the ability to deploy with a
file:// URL should set this configuration to "" (empty).
Operators wishing to restore the original insecure behavior should
set "CONF.conductor.file_url_allowed_paths" to "/". Take note that
in the 2025.2 release and later, "/dev", "/sys", "/proc", "/run",
and "/etc" will be unconditionally blocked as a security measure.
This issue only poses a significant security risk when Ironic's
automated cleaning process is disabled and the service is configured
in such a way that permits direct deployment by an untrusted API
user, such as standalone Ironic installations or environments
granting ownership of nodes to projects.
Changes in ironic 29.0.1..29.0.2
--------------------------------
0506aae0c OSSA-2025-001: Disallow unsafe image file:// paths
Diffstat (except docs and test files)
-------------------------------------
ironic/common/image_service.py | 22 +++++++-
ironic/conf/conductor.py | 15 ++++++
ironic/conf/types.py | 55 +++++++++++++++++++
...sallow-unsafe-image-paths-670fdcfe3e4647d4.yaml | 29 ++++++++++
8 files changed, 269 insertions(+), 10 deletions(-)
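The allowlist behaviour described in the OSSA-2025-001 notes of the ironic announcements above, sketched as an added example for operators reasoning about which file:// image sources a given setting admits. This is not Ironic's code: `file_url_allowed` and `is_within` are hypothetical names, and the path resolution shown is an assumption about how such a check can be done safely.

```python
import os
from urllib.parse import unquote, urlparse

# Default allowlist quoted in the release note.
DEFAULT_ALLOWED = ("/var/lib/ironic", "/shared/html", "/opt/cache/files",
                   "/vagrant", "/templates")
# Paths the note says are blocked unconditionally from 2025.2 onward.
ALWAYS_BLOCKED = ("/dev", "/sys", "/proc", "/run", "/etc")


def is_within(path, root):
    """True if the resolved path is root itself or lies beneath it."""
    root = os.path.realpath(root)
    # commonpath compares whole components, so /var/lib/ironic-old is
    # not mistaken for something inside /var/lib/ironic.
    return os.path.commonpath([path, root]) == root


def file_url_allowed(url, allowed_paths, always_blocked=ALWAYS_BLOCKED):
    """Decide whether a file:// image source falls inside the allowlist.

    Pass always_blocked=() to model a release without the
    unconditional block list.
    """
    parsed = urlparse(url)
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        return False
    # Resolve percent-encoding, ".." segments and symlinks before
    # comparing, so the check sees the file that would be opened.
    path = os.path.realpath(unquote(parsed.path))
    if any(is_within(path, blocked) for blocked in always_blocked):
        return False
    # An empty allowlist (the "" setting) permits nothing.
    return any(is_within(path, root) for root in allowed_paths if root)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real deployment.
    samples = [
        "file:///var/lib/ironic/images/a.img",
        "file:///var/lib/ironic/../../../etc/example.conf",
        "file:///var/lib/ironic-old/a.img",
        "file:///templates/%2e%2e/etc/example.conf",
    ]
    for url in samples:
        print(url, "->", file_url_allowed(url, DEFAULT_ALLOWED))
```
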