We jubilantly announce the release of:

openstack-ansible 24.0.0: Ansible playbooks for deploying OpenStack

This release is part of the xena release series.

The source is available from:

    https://opendev.org/openstack/openstack-ansible

Download the package from:

    https://tarballs.openstack.org/openstack-ansible/

Please report issues through:

    https://bugs.launchpad.net/openstack-ansible/+bugs

For more details, please see below.

24.0.0
^^^^^^

New Features
************

* Enable the VeNCrypt authentication scheme between the noVNC proxy and
  the compute nodes. When using HTTPS, TLS only protects the data
  between the tenant user and the proxy server; the leg from the noVNC
  proxy to the compute nodes remains unprotected unless the VeNCrypt
  authentication scheme is enabled for VNC. A pre-existing PKI (Public
  Key Infrastructure) setup is required. To ease the transition from
  unencrypted VNC to VeNCrypt, the auth scheme used towards compute
  nodes initially allows both encrypted and unencrypted sessions,
  controlled by the variable *nova_vencrypt_auth_scheme*; this
  transitional behaviour will be removed in future releases.

* UEFI boot support has been added. To migrate from Legacy BIOS mode,
  define *boot_mode:uefi* as a capability on baremetal nodes that
  support UEFI. In addition, the corresponding flavor(s) need to be
  created or modified to include *boot_mode:uefi* as a capability so
  that scheduling happens against UEFI nodes.

* Implemented the new variable "connection_recycle_time", which controls
  SQLAlchemy's connection recycling.

* The Galera role now leverages the PKI role for creation and
  distribution of certificates and certificate authorities. This
  introduces a number of new variables that control CA and certificate
  generation details. If user-supplied SSL certificates are provided,
  they are used instead of the generated ones.
  The following new variables were introduced:

  * galera_ssl_verify
  * galera_pki_dir
  * galera_pki_create_ca
  * galera_pki_regen_ca
  * galera_pki_certificates
  * galera_pki_regen_cert
  * galera_pki_authorities
  * galera_pki_install_ca
  * galera_pki_keys_path
  * galera_pki_certs_path
  * galera_pki_intermediate_cert_name
  * galera_pki_intermediate_cert_path
  * galera_pki_install_certificates

* MariaDB now uses TLS encryption by default. A certificate is issued
  and signed by the internal CA using the PKI role. Deployers can
  disable encryption of MariaDB connections by setting
  "galera_use_ssl: false" in their user_variables.yml. Client
  certificates can still be provided, and they are distributed by the
  PKI role as well.

* Added the variable *horizon_policy_overrides*, which allows
  customization of Horizon-specific policies. As we do not want to carry
  and maintain Horizon policies in OSA, they are retrieved from the
  horizon hosts and adjusted in place, which means the adjustments are
  not rolled back if you simply remove the override. The format of
  *horizon_policy_overrides* is also non-standard: it is a nested
  dictionary whose first-level key is the service whose policy needs to
  be overridden, and whose value is in the normal policy override
  format.

* Support for the networking-baremetal mechanism driver and agent has
  been implemented. The ironic-neutron-agent is a neutron agent that
  populates the host-to-physical-network mapping for baremetal nodes in
  neutron; neutron uses this to calculate the segment-to-host mapping.
  This feature may be enabled by adding "ml2.baremetal" to the
  "neutron_plugin_types" list in
  "/etc/openstack_deploy/user_variables.yml".

* The "provider_networks" library has been updated to support the
  definition of bond member interfaces that are automatically added as
  bond ports to the OVS provider bridges set up during a deployment.
  This feature is currently limited to DPDK-based deployments.
  To activate this feature, add the "network_bond_interfaces" key to the
  respective provider network definition in "openstack_user_config.yml".
  For more information, refer to the latest Open vSwitch w/ DPDK
  deployment guide.

* Added the variables "systemd_run_dir" and "systemd_lock_dir", which
  control the run and lock directories used by systemd services. The
  values should not include the service name, since it is appended to
  the end of the provided path by default. These variables can also be
  defined as keys inside "systemd_services", where they take precedence
  over the default behaviour.

* The default run path for systemd services has been changed to "/run"
  and the lock path to "/run/lock".

* Nova now defaults to using the "QEMU-native TLS" feature for live
  migrations, rather than the deprecated SSH method. A pre-existing PKI
  (Public Key Infrastructure) setup is required. QEMU-native TLS
  requires all compute hosts to accept TCP connections on port 16514
  and on the port range 49152 to 49261. More information can be found
  here:
  https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html

Deprecation Notes
*****************

* For consistency reasons, "octavia_db_pool_size" was deprecated in
  favor of "octavia_db_max_pool_size", which follows the standardized
  format used in other repositories. Support for "octavia_db_pool_size"
  will be removed in the Yoga release.

* For consistency reasons, "neutron_db_pool_size" was deprecated in
  favor of "neutron_db_max_pool_size", which follows the standardized
  format used in other repositories. It will remain supported until the
  Yoga release.

* For consistency reasons, the following variables were deprecated in
  favor of new ones that follow the standardized format used in other
  repositories:

  "keystone_database_pool_timeout" -> "keystone_db_pool_timeout"
  "keystone_database_max_pool_size" -> "keystone_db_max_pool_size"
  "keystone_database_idle_timeout" -> "keystone_db_connection_recycle_time"

  The old names will remain supported until the Yoga release.

* "keystone_database_min_pool_size" was deprecated, as it is deprecated
  in oslo.db.

* The variable "systemd_lock_path" has been dropped and has no effect
  now. To customize the lock directory path, use "systemd_lock_dir"
  instead. Keep in mind that, unlike "systemd_lock_path",
  "systemd_lock_dir" does not take the full path, since the service name
  is appended to the end of the path.

* The following variables were removed in favor of the PKI ones and have
  no effect anymore:

  * galera_ssl_self_signed_regen
  * galera_ssl_self_signed_subject
  * galera_ssl_ca_self_signed_subject

* Support for multiple web servers in keystone was removed, leaving only
  Apache, since nginx is missing features required for the federation
  setup. With this change the following variables are deprecated and
  have no effect:

  * keystone_web_server
  * keystone_centos_nginx_mirror
  * keystone_centos_nginx_key
  * keystone_nginx_access_log_format_combined
  * keystone_nginx_access_log_format_extras
  * keystone_nginx_ports
  * keystone_nginx_extra_conf

  The nginx web server will be removed and replaced with Apache during
  upgrade.

* The variable "nova_enabled_vgpu_types" has been deprecated and is
  replaced with "nova_enabled_mdev_types".

Bug Fixes
*********

* Fixed an inconsistency in the "haproxy_frontend_raw" key naming
  between the documentation and the service template. Previously, the
  template expected "haproxy_raw" instead of "haproxy_frontend_raw".

* For deployers using Keystone as an OIDC-based Service Provider, the
  spelling of the OIDCScope setting has been fixed. Use
  "keystone_sp.trusted_idp_list.0.oidc_scope" instead of
  "keystone_sp.trusted_idp_list.0.idc_scope".
* This release addresses an issue which could cause wheels to fail to
  build when upgrading from one operating system to another. Upgrading
  to this release is recommended before attempting an operating system
  upgrade.

Other Notes
***********

* Set a new default value for "galera_wait_timeout", inherited from the
  global "openstack_db_connection_recycle_time".

* Set new default values for the db pooling variables, inherited from
  the global ones.

Changes in openstack-ansible 23.0.0.0rc1..24.0.0
------------------------------------------------

b88a4783f Bump OpenStack-Ansible for Xena RC2 and release
eda30de65 Set galera to use TLS for connections by default
d33e0bcd2 Change haproxy variable used to set security headers to haproxy_frontend_raw
9c17fd726 [doc] Add Xena compatible OS
97060d391 Fix ceph-ansible shallow_since
50c8a2283 Add documentation of security improvements made to Openstack Ansible
c2f3bfe6a [doc] Clean out project index page for stable branches
9fd96ddc9 Update TOX_CONSTRAINTS_FILE for stable/xena
d3e2e3f99 Update .gitreview for stable/xena
a0cfc507e Freeze roles for Xena RC1
97b837826 Add nfs deployment scenario
b58dbee2a Remove retrieval of config_template as a module
3c76df5f7 Reduce manila CI check memory consumption
76cd97b1e Reduce ceph memory overhead for AIO by setting is_hci to true
1fd3e0c44 Do not fail when nova console is disabled
a433db53a Update ceph-ansible release to pacific
be16cc841 From now on, we will change default values for database connection pooling in each role
2ea412bae Ensure hardware facts are gathered for galera hosts.
b6fe07ecf Add security headers to HAProxy Horizon service
b859d5897 Add config_template to collections
92f8639ec Configure HAProxy to check Horizon's login page
fbbf1e275 Globally define systemd_lock_dir
db79a0f27 Pin uWSGI version
678b14c21 Do not upgrade packages without upgrades
68d8bd272 Remove provider_networks from neutron playbook
d7b5f6cda Increase Apache thread limit for keystone
8b7a5e4d0 Deprecate OVN-related haproxy configuration
c564ad9a0 Minor update of openstack collection
3504694b4 Fix error in dynamic-address-fact task
3e4fffec9 Bump ansible and collection versions
067df8fb7 Remove note about metal/horizon compatibility
d27d4daed Add playbook to generate any user defined certificates
e62392648 Switch services to track stable/xena
002fb0910 Remove reference to deprecated python-ceilometerclient
834cd874c [doc] Fix netplan sample
78d9a8596 Fix manila haproxy manage
5505d4a14 Use cinder defaults for cinder_management_address
7a2be19d6 Implements framework for ironic_neutron_agent and Neutron 'baremetal' plugin
1c75669df Remove unnecessary pki step in haproxy install
a74caa919 Bump OpenStack-Ansible master
6e9da4753 Add serial execution to all playbooks
f05092277 Change pki_create_ca condition
aeb20518f Bump ansible version to 2.11.5
464d7e5d3 Bump collection versions
ffd5f8859 Revert "Add integrated build job to use in sahara repo"
172779f54 Replace deprecated include statement
5e8b57ad0 Bump OpenStack-Ansible master
430a0bc1f Include openstack_services for murano role
d1e727ed3 Replace deprecated collection names
6e50398f0 Update pip version
e1937b3f1 Switch ceph-ansible to Pacific
c9f403099 Enable tempest tests for sahara
2dc1611f1 Add heat service when scenario includes sahara
3d59c738f Add integrated build job to use in sahara repo
6e45de76f Switch CentOS upgrade jobs to Stream ones
5451778f4 Move galera tasks to pre_tasks
afebcb984 Set bullseye jobs to voting
e48485b83 Add guide for distribution upgrades to docs
3cb74de15 Set doc jobs to voting
9e535931a skip -W on sphinx-build for translation.
ed035fb27 Add shallow_since to parallel git clone
e1adb7d9f Bump master branch
a332bda37 Fix permissions for files created on repo server
9b9d6b883 Revert "set non-voting for broken tox-doc test"
17f92b0f5 haproxy: decrease check interval for letsencrypt back ends
de64a324e set non-voting for broken tox-doc test
cea883dfc Do not use https for metadata service with calico networking
3088fe204 Deprecate os-panko role
0965d2a22 Moving IRC network reference to OFTC
6e22c20cd Imported Translations from Zanata
aab4de765 Start Xena cycle
1ee9b1bbe Update master for stable/wallaby

Diffstat (except docs and test files)
-------------------------------------

.gitreview | 2 +-
ansible-collection-requirements.yml | 15 +-
ansible-role-requirements.yml | 235 +++++++++--------
deploy-guide/source/conf.py | 4 +-
deploy-guide/source/configure.rst | 2 -
.../admin/upgrades/distribution-upgrades.rst | 281 +++++++++++++++++++++
.../admin/upgrades/os-compatibility-matrix.html | 25 ++
etc/netplan/01-static.yml | 2 +-
etc/openstack_deploy/conf.d/ceph.yml.aio | 4 +
etc/openstack_deploy/conf.d/panko.yml.aio | 3 -
etc/openstack_deploy/conf.d/panko.yml.example | 8 -
etc/openstack_deploy/env.d/aio_metal.yml.example | 3 -
etc/openstack_deploy/user_secrets.yml | 4 -
global-requirement-pins.txt | 5 +-
inventory/env.d/neutron.yml | 4 +
inventory/group_vars/all/all.yml | 14 +-
inventory/group_vars/all/ceph.yml | 2 +-
inventory/group_vars/all/infra.yml | 1 +
inventory/group_vars/all/nova.yml | 4 +
inventory/group_vars/cinder_all.yml | 3 -
inventory/group_vars/haproxy/haproxy.yml | 74 ++----
inventory/inventory.ini | 6 +-
playbooks/ceph-rgw-keystone-setup.yml | 10 +-
playbooks/certificate-authority.yml | 2 +-
playbooks/certificate-generate.yml | 32 +++
playbooks/common-playbooks/neutron.yml | 20 --
playbooks/common-tasks/dynamic-address-fact.yml | 6 +-
playbooks/defaults/distro_install.yml | 1 -
playbooks/defaults/repo_packages/gnocchi.yml | 2 +-
playbooks/defaults/repo_packages/nova_consoles.yml | 4 +-
.../defaults/repo_packages/openstack_services.yml | 220 ++++++++--------
playbooks/etcd-install.yml | 1 +
playbooks/galera-install.yml | 19 +-
playbooks/haproxy-install.yml | 8 +-
playbooks/library/git_requirements.py | 64 +++--
playbooks/memcached-install.yml | 1 +
playbooks/os-aodh-install.yml | 1 +
playbooks/os-barbican-install.yml | 1 +
playbooks/os-blazar-install.yml | 1 +
playbooks/os-ceilometer-install.yml | 1 +
playbooks/os-cinder-install.yml | 16 +-
playbooks/os-designate-install.yml | 1 +
playbooks/os-glance-install.yml | 6 +-
playbooks/os-gnocchi-install.yml | 1 +
playbooks/os-heat-install.yml | 1 +
playbooks/os-horizon-install.yml | 1 +
playbooks/os-ironic-install.yml | 1 +
playbooks/os-magnum-install.yml | 1 +
playbooks/os-manila-install.yml | 5 +-
playbooks/os-masakari-install.yml | 2 +
playbooks/os-mistral-install.yml | 1 +
playbooks/os-murano-install.yml | 2 +
playbooks/os-neutron-install.yml | 8 +-
playbooks/os-octavia-install.yml | 1 +
playbooks/os-panko-install.yml | 40 ---
playbooks/os-placement-install.yml | 1 +
playbooks/os-sahara-install.yml | 1 +
playbooks/os-senlin-install.yml | 1 +
playbooks/os-tacker-install.yml | 1 +
playbooks/os-trove-install.yml | 1 +
playbooks/os-zun-install.yml | 1 +
playbooks/qdrouterd-install.yml | 2 +-
playbooks/rabbitmq-install.yml | 4 +-
playbooks/repo-install.yml | 1 +
playbooks/setup-hosts.yml | 1 +
playbooks/setup-openstack.yml | 1 -
playbooks/unbound-install.yml | 1 +
playbooks/utility-install.yml | 1 +
.../notes/VNC-proxy-security-520e6dac6bad0018.yaml | 16 ++
.../adds-uefi-boot-support-18ad99dd21f7e8be.yaml | 7 +
.../notes/ceph_pacific-9952da2810a737c1.yaml | 12 +
.../notes/db-pooling-14f33d291a246203.yaml | 2 +
.../notes/db-pooling-15b6222fedc2cb8c.yaml | 7 +
.../notes/db-pooling-7c42f3aed39d5fc9.yaml | 2 +
.../notes/db-pooling-91ac966776313feb.yaml | 7 +
.../notes/db-pooling-cec321004b4a8a79.yaml | 4 +
.../notes/db-pooling-f078d5d7668377b2.yaml | 11 +
...eprecate-ovn-haproxy-vips-061652cd82342819.yaml | 6 +
...precate_systemd_lock_path-fba3aff8b1b4468d.yaml | 9 +
.../notes/dperecate_os_panko-0d2f6822ffc8fd43.yaml | 7 +
.../notes/galera_pki-2d6d77a86e8475cd.yaml | 34 +++
.../notes/galera_use_ssl-e906b5ba8b2e62ef.yaml | 9 +
.../haproxy_frontend_raw-0811d5d445a66b41.yaml | 6 +
.../horizon_policy_overrides-ca84702ef993ea92.yaml | 10 +
.../keystone_drop_nginx-5e7791d22f0be48a.yaml | 16 ++
...etal-plugin-agent-support-cfb06fa4faf85bdc.yaml | 8 +
.../notes/neutron-dpdk-bonds-4dd98fc0b341ebfb.yaml | 10 +
.../notes/nova_mdev_types-df92fb3d1ce339ec.yaml | 5 +
...e-oidc-scope-spelling-fix-3051b95adeb37901.yaml | 7 +
...-upgrade-requirements-fix-bcc81b049339e9b5.yaml | 7 +
.../notes/security-headers-87de60203899fdbb.yaml | 19 ++
.../systemd_run_lock_dir-5b4b0cad9c860ce0.yaml | 12 +
.../notes/tls-migration-3ed93cc04dab5eee.yaml | 13 +
releasenotes/source/index.rst | 1 +
releasenotes/source/wallaby.rst | 6 +
scripts/bootstrap-ansible.sh | 2 +-
scripts/gate-check-commit.sh | 2 +-
scripts/get-ansible-role-requirements.yml | 5 +-
scripts/openstack-ansible.rc | 5 +-
scripts/run-upgrade.sh | 12 +-
.../bootstrap-host/tasks/prepare_aio_config.yml | 16 +-
.../templates/user_variables.aio.yml.j2 | 5 +-
.../templates/user_variables_ceph.yml.j2 | 1 +
.../templates/user_variables_manila.yml.j2 | 6 +-
.../templates/user_variables_murano.yml.j2 | 2 +-
.../templates/user_variables_nfs.yml.j2 | 9 +
.../templates/user_variables_sahara.yml.j2 | 26 +-
tox.ini | 5 +-
zuul.d/jobs.yaml | 26 +-
zuul.d/project-templates.yaml | 22 +-
134 files changed, 1585 insertions(+), 720 deletions(-)
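The variable renames and removals listed under Deprecation Notes and Bug Fixes above are easy to miss in a large user_variables.yml before an upgrade to this release. The following pre-upgrade scan is an added example written for this page, not openstack-ansible's own tooling. The old-to-new mapping is the one given in this announcement; the line-based matching (it deliberately avoids a YAML parser, so it will not follow anchors or includes) and the sample file at the bottom are assumptions made for illustration.

```python
"""Scan user_variables.yml for variable names that 24.0.0 renames or drops.

Added example, not part of openstack-ansible. Mapping taken from the
24.0.0 (Xena) release notes; the matching is a simple line scan of
'key:' tokens at any indentation, including '- ' list items and nested
keys such as idc_scope under keystone_sp.trusted_idp_list.
"""
import re
import sys

# old name -> (new name, note)
RENAMED = {
    "octavia_db_pool_size": ("octavia_db_max_pool_size", "old name removed in Yoga"),
    "neutron_db_pool_size": ("neutron_db_max_pool_size", "old name supported until Yoga"),
    "keystone_database_pool_timeout": ("keystone_db_pool_timeout", "supported until Yoga"),
    "keystone_database_max_pool_size": ("keystone_db_max_pool_size", "supported until Yoga"),
    "keystone_database_idle_timeout": ("keystone_db_connection_recycle_time", "supported until Yoga"),
    "nova_enabled_vgpu_types": ("nova_enabled_mdev_types", "deprecated"),
    "systemd_lock_path": ("systemd_lock_dir", "dropped; new value must not end with the service name"),
    "haproxy_raw": ("haproxy_frontend_raw", "template key now matches the documentation"),
    "idc_scope": ("oidc_scope", "OIDCScope spelling fix under keystone_sp.trusted_idp_list"),
}

# old name -> note (no replacement; the variable has no effect anymore)
REMOVED = {
    "keystone_database_min_pool_size": "deprecated in oslo.db",
    "galera_ssl_self_signed_regen": "replaced by galera_pki_* variables",
    "galera_ssl_self_signed_subject": "replaced by galera_pki_* variables",
    "galera_ssl_ca_self_signed_subject": "replaced by galera_pki_* variables",
}
for _name in ("keystone_web_server", "keystone_centos_nginx_mirror",
              "keystone_centos_nginx_key", "keystone_nginx_access_log_format_combined",
              "keystone_nginx_access_log_format_extras", "keystone_nginx_ports",
              "keystone_nginx_extra_conf"):
    REMOVED[_name] = "nginx support dropped; keystone is Apache-only"

# A mapping key at any indentation, optionally written as a '- ' list item.
KEY_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*:")


def scan_user_variables(text):
    """Return one finding per offending line: {line, old, new, note}."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = raw.split("#", 1)[0]  # drop comments: commented-out keys do not count
        match = KEY_RE.match(code)
        if not match:
            continue
        key = match.group(1)
        if key in RENAMED:
            new, note = RENAMED[key]
            findings.append({"line": lineno, "old": key, "new": new, "note": note})
        elif key in REMOVED:
            findings.append({"line": lineno, "old": key, "new": None, "note": REMOVED[key]})
    return findings


def format_findings(findings):
    """Render findings as human-readable report lines."""
    lines = []
    for f in findings:
        action = "rename to %s" % f["new"] if f["new"] else "remove"
        lines.append("line %d: %s -> %s (%s)" % (f["line"], f["old"], action, f["note"]))
    return lines


# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
---
octavia_db_pool_size: 30
# galera_ssl_self_signed_subject: "/C=US/CN=galera"
systemd_lock_path: /run/lock/galera
keystone_sp:
  trusted_idp_list:
    - name: keycloak
      idc_scope: "openid email"
haproxy_extra_services:
  - service:
      haproxy_raw: |
        http-response set-header X-Frame-Options DENY
neutron_db_max_pool_size: 120
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in format_findings(scan_user_variables(text)):
        print(line)
```

Run it as `python3 scan_vars.py /etc/openstack_deploy/user_variables.yml`; with no argument it reports on the embedded sample. A hit for "systemd_lock_path" needs manual attention beyond the rename, because the replacement "systemd_lock_dir" takes the directory without the trailing service name.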
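The VeNCrypt note under New Features says that, during the transition controlled by *nova_vencrypt_auth_scheme*, the proxy still accepts unencrypted sessions from compute nodes. A practitioner switching that fallback off wants to know what each compute node's QEMU VNC server actually offers, and the security-type list the server sends at the start of the RFB handshake answers that without completing a session. The script below is an added example, not nova or openstack-ansible code. It assumes RFB protocol 3.7 or 3.8, uses the security-type numbers from the RFB registry (1 = None, 19 = VeNCrypt), and the hostnames, ports and sample messages are constructed for illustration.

```python
"""Report which RFB security types a VNC server offers.

Added example, not code from nova or openstack-ansible. Only the
ProtocolVersion exchange and the security-type list of the RFB 3.7/3.8
handshake are performed; nothing is authenticated. Security-type numbers
are those of the RFB protocol registry.
"""
import re
import socket
import struct

SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                       16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "SASL"}
SEC_NONE = 1
SEC_VENCRYPT = 19
CLIENT_VERSION = b"RFB 003.008\n"
VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_security_types(payload):
    """Parse the message a 3.7/3.8 server sends after the version exchange.

    Layout: one byte N, then N security-type bytes. N == 0 means the server
    refused the connection and is followed by a 4-byte length and a reason.
    Returns the offered types as a sorted list of ints.
    """
    if not payload:
        raise ValueError("empty security-type message")
    count = payload[0]
    if count == 0:
        if len(payload) < 5:
            raise ValueError("truncated failure message")
        reason_len = struct.unpack("!I", payload[1:5])[0]
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError("server refused connection: " + reason)
    if len(payload) < 1 + count:
        raise ValueError("truncated security-type list")
    return sorted(payload[1:1 + count])


def assess(types):
    """Classify the offer: 'encrypted-only', 'mixed' or 'unencrypted'."""
    if SEC_VENCRYPT in types and SEC_NONE not in types:
        return "encrypted-only"
    if SEC_VENCRYPT in types:
        return "mixed"
    return "unencrypted"


def describe(types):
    """Human-readable list such as '1 (None), 19 (VeNCrypt)'."""
    return ", ".join("%d (%s)" % (t, SECURITY_TYPE_NAMES.get(t, "unknown")) for t in types)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host, port=5900, timeout=5.0):
    """Live check against host:port (needs network). Returns (types, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)
        m = VERSION_RE.match(banner)
        if not m or (int(m.group(1)), int(m.group(2))) < (3, 7):
            raise ValueError("unsupported or non-RFB banner: %r" % banner)
        sock.sendall(CLIENT_VERSION)  # answer with 3.8 so the server lists its types
        count = _recv_exact(sock, 1)[0]
        if count == 0:  # failure: 4-byte reason length, then the reason text
            length = _recv_exact(sock, 4)
            rest = length + _recv_exact(sock, struct.unpack("!I", length)[0])
        else:
            rest = _recv_exact(sock, count)
    types = parse_security_types(bytes([count]) + rest)
    return types, assess(types)


# Constructed sample messages, not captured from real hosts.
SAMPLE_VENCRYPT_ONLY = bytes([1, SEC_VENCRYPT])
SAMPLE_MIXED = bytes([2, SEC_VENCRYPT, SEC_NONE])
SAMPLE_REFUSED = bytes([0]) + struct.pack("!I", 8) + b"too many"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. probe.py compute-01.example.invalid 5900
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
        offered, verdict = probe(sys.argv[1], port)
        print("%s:%d offers %s -> %s" % (sys.argv[1], port, describe(offered), verdict))
    else:
        for sample in (SAMPLE_VENCRYPT_ONLY, SAMPLE_MIXED):
            offered = parse_security_types(sample)
            print("%s -> %s" % (describe(offered), assess(offered)))
```

Point it at the VNC port of an instance on a compute host (QEMU allocates 5900 and up on the address nova binds the console to). A verdict of "mixed" or "unencrypted" on any compute node is the signal that the transitional scheme is still needed there; once every node reports "encrypted-only", the fallback can be dropped from *nova_vencrypt_auth_scheme*.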