We enthusiastically announce the release of:

kolla-ansible 11.4.0: Ansible Deployment of Kolla containers

This release is part of the victoria stable release series.

The source is available from:

    https://opendev.org/openstack/kolla-ansible

Download the package from:

    https://tarballs.openstack.org/kolla-ansible/

Please report issues through:

    https://bugs.launchpad.net/kolla-ansible/+bugs

For more details, please see below.

11.4.0
^^^^^^

New Features
************

* Adds a "tls_connect" module to the Prometheus blackbox exporter.
  This can be used to test connectivity of TLS servers.

* Implements container healthchecks for ironic-neutron-agent service.
  See blueprint

* Adds support for libvirt SASL authentication. It is enabled by
  default. LP#1964013

Known Issues
************

* Existing fluentd log rotation failed to delete old haproxy, swift,
  glance-tls-proxy and neutron-tls-proxy logs. These will not be
  deleted by the new logrotate config and will have to be removed
  manually.

Upgrade Notes
*************

* The addition of libvirt SASL authentication requires a new password
  in "passwords.yml", "libvirt_sasl_password". This may be generated
  using the existing "kolla-genpwd" and "kolla-mergepwd" tooling.

* The addition of libvirt SASL authentication requires both the
  "nova_libvirt" and "nova_compute" containers to be updated
  simultaneously, using new images with the necessary Cyrus SASL
  dependencies, as well as configuration containing the SASL
  credentials.

* Updates the default value of node_custom_config to
  {{ node_config }}/config, when specified using --configdir.

Security Issues
***************

* Explicitly removes the "net.ipv4.ip_forward" sysctl from
  "/etc/sysctl.conf" on hosts with Neutron L3 Agent. In the absence of
  another source for this sysctl, it should revert to the default of 0
  after the next reboot. This is a follow up to a previous change
  which stopped setting the sysctl, but leaves existing systems with
  the original value of 1 set.

  A deployer looking to more aggressively change the value may set
  "neutron_l3_agent_host_ipv4_ip_forward" to 0 using a Yoga release of
  Kolla Ansible. This option will be removed in future. Any
  deployments still relying on the previous value may set
  "neutron_l3_agent_host_ipv4_ip_forward" to 1. LP#1945453

* Fixes an issue where the default configuration of libvirt did not
  use authentication for the API exposed over TCP on the internal API
  network. This allowed anyone with access to the internal API network
  read-write access to libvirt. While the internal API network is
  typically trusted, other services on this network generally at least
  require authentication. SASL authentication is now enabled for
  libvirt by default. Kolla Ansible supports libvirt TLS since the
  Train release, and this is recommended to provide a higher level of
  security. LP#1964013

Bug Fixes
*********

* Continue to run all actions if one action failed in Elasticsearch
  curator. LP#1954720

* Fixes Nova resize failing when "migration_interface" is customised.
  LP#1956976

* Fixes Glance with Cinder iSCSI backend failing due to lack of
  lock_path setting. LP#1959663

* Fixes logrotate config missing for openvswitch and prometheus
  services. LP#1961795

* Fixes an issue with Ironic's PXE components not getting updated on
  upgrade. LP#1963752

* Fixes configuration of the Prometheus HTTP API URL when using the
  Prometheus collector in CloudKitty. LP#1961615

* Fixes the baremetal role to avoid an error "Unable to remove
  "libvirtd". Now the symlink
  /etc/apparmor.d/disable/usr.sbin.libvirtd is created by the role.
  LP#1960302

* Existing fluentd log rotation failed to delete old haproxy, swift,
  glance-tls-proxy and neutron-tls-proxy logs. Standardise rotation
  and deletion of logs using logrotate.

* Adds back the option to configure the rabbitmq clustering interface
  via kolla
  *LP#1900160 <https://bugs.launchpad.net/kolla-ansible/+bug/1900160>*

* Fixes an issue where the Libvirt AppArmor profile is disabled and
  the bootstrap-servers process tries to remove it. See bug 1909874
  for details.

* Fixes an issue seen when using Jinja2 3.1.0.

* Fixes the configuration option setting the type of endpoint used by
  Neutron to send requests to Placement. LP#1960503

* Fixes a configuration issue with Node Exporter causing all file
  system metrics of a host to be identical. LP#1961438

* Fixes an issue where RabbitMQ was configured to mirror classic
  transient queues for all services. According to the RabbitMQ
  documentation this is not a supported configuration, and contributed
  to numerous bug reports. In order to avoid making unexpected changes
  to the RabbitMQ cluster, it is necessary to set
  "rabbitmq_remove_ha_all_policy" to "yes" in order to apply this fix.
  This variable will be removed in the Yoga release. LP#1954925

* Fixes an issue with Cinder upgrade where Cinder services would
  remain pinned to the previous release's RPC & object versions.
  LP#1954932

Changes in kolla-ansible 11.3.0..11.4.0
---------------------------------------

ff40c4b46 [CI] Make kolla-build quiet
2764844ee Allow removal of classic queue mirroring for internal RabbitMQ
a4e2d5a15 Use jinja2.pass_context instead of contextfilter
9b135d965 re-add rabbitmq config for clustering interface
cc09abda3 designate: fix external backend deployment
ef8b02f7b Ironic: rebootstrap ironic-pxe on upgrade
d2b62b50c cinder: restart services after upgrade
9e3e0d112 CI: pin ansible-lint to <6
536ffc3f7 libvirt: support SASL authentication
1885df05d Explicitly unset net.ipv4.ip_forward sysctl
c2fadc230 Remove grafana [session] configuration
7d2bbbad0 Add openvswitch and prometheus to logrotate
c7530df58 Fix location of release note for ironic-neutron-agent healthcheck
84eaf2fb2 cloudkitty: fix URL used for Prometheus collector
e4f93a60a Configure node-exporter to report correct file system metrics
a759ca44f Fix fluentd v1 buffer syntax issue
e8d94e01c Refactor fluentd syslog logging
f0294fb5b Fix remove libvirt apparmor disabled profile
13ac92167 [CI] Check fluentd errors
c37bf3e06 Fix Apparmor libvirt profile removal
535632672 CI: Fix new ansible-lint failures
d5bd75180 neutron: fix placement endpoint type configuration
aaa56405d Fix log rotation for fluentd created files
3cf4fe128 [CI] Replace parted with lsblk
f8ae355c5 Glance: add lock_path setting
d69b7008a prometheus: add tls_connect blackbox module
a967556da Fix usage of Subject Alternative Name for TLS
4e3945336 update the default value of node_custom_config
7593c1153 Make nova_ssh listen on api_interface as well
149e6dd79 Use Docker healthchecks for ironic-neutron-agent services
7fefa5a54 Continue to run all actions if one action failed in curator

Diffstat (except docs and test files)
-------------------------------------

.ansible-lint | 6 +
ansible/group_vars/all.yml | 2 +-
ansible/roles/baremetal/tasks/install.yml | 2 +-
ansible/roles/baremetal/tasks/post-install.yml | 13 +-
.../roles/certificates/tasks/generate-backend.yml | 2 +
ansible/roles/certificates/tasks/generate.yml | 4 +
.../templates/openssl-kolla-internal.cnf.j2 | 4 +-
.../certificates/templates/openssl-kolla.cnf.j2 | 4 +-
ansible/roles/cinder/defaults/main.yml | 9 +
ansible/roles/cinder/handlers/main.yml | 20 ++
ansible/roles/cinder/tasks/reload.yml | 10 +
ansible/roles/cinder/tasks/upgrade.yml | 2 +
ansible/roles/cloudkitty/defaults/main.yml | 2 +-
ansible/roles/common/defaults/main.yml | 24 +++
ansible/roles/common/tasks/config.yml | 5 +-
.../conf/filter/00-record_transformer.conf.j2 | 27 +--
.../common/templates/conf/output/00-local.conf.j2 | 214 ++-------------------
.../common/templates/conf/output/01-es.conf.j2 | 6 +-
.../templates/conf/output/02-monasca.conf.j2 | 4 +-
.../templates/cron-logrotate-haproxy.conf.j2 | 2 +-
.../templates/cron-logrotate-openvswitch.conf.j2 | 3 +
.../templates/cron-logrotate-prometheus.conf.j2 | 3 +
ansible/roles/common/templates/fluentd.json.j2 | 27 +--
ansible/roles/designate/tasks/backend_external.yml | 2 +
.../templates/elasticsearch-curator-actions.yml.j2 | 14 +-
ansible/roles/glance/templates/glance-api.conf.j2 | 3 +
ansible/roles/grafana/templates/grafana.ini.j2 | 8 -
ansible/roles/ironic/tasks/bootstrap.yml | 19 --
ansible/roles/ironic/tasks/bootstrap_service.yml | 19 ++
ansible/roles/neutron/defaults/main.yml | 15 ++
ansible/roles/neutron/tasks/config-host.yml | 2 +
ansible/roles/neutron/templates/neutron.conf.j2 | 2 +-
ansible/roles/nova-cell/defaults/main.yml | 8 +
ansible/roles/nova-cell/handlers/main.yml | 15 ++
ansible/roles/nova-cell/tasks/config.yml | 20 ++
ansible/roles/nova-cell/tasks/precheck.yml | 17 +-
ansible/roles/nova-cell/templates/auth.conf.j2 | 6 +
ansible/roles/nova-cell/templates/libvirtd.conf.j2 | 3 +-
.../roles/nova-cell/templates/nova-compute.json.j2 | 8 +-
.../roles/nova-cell/templates/nova-libvirt.json.j2 | 12 ++
ansible/roles/nova-cell/templates/sasl.conf.j2 | 2 +
ansible/roles/nova-cell/templates/sshd_config.j2 | 3 +
ansible/roles/prometheus/defaults/main.yml | 3 +-
.../templates/prometheus-blackbox-exporter.yml.j2 | 4 +
.../templates/prometheus-node-exporter.json.j2 | 2 +-
ansible/roles/rabbitmq/defaults/main.yml | 2 +
ansible/roles/rabbitmq/tasks/config.yml | 18 ++
ansible/roles/rabbitmq/tasks/deploy.yml | 3 +
.../roles/rabbitmq/tasks/remove-ha-all-policy.yml | 29 +++
ansible/roles/rabbitmq/tasks/upgrade.yml | 3 +
.../roles/rabbitmq/templates/advanced.config.j2 | 7 +
.../roles/rabbitmq/templates/definitions.json.j2 | 4 +
ansible/roles/rabbitmq/templates/rabbitmq.json.j2 | 6 +
etc/kolla/globals.yml | 2 +-
etc/kolla/passwords.yml | 5 +
kolla_ansible/filters.py | 14 +-
kolla_ansible/kolla_address.py | 8 +-
kolla_ansible/put_address_in_context.py | 21 +-
.../blackbox-tls-connect-517cd8ebdf87f16e.yaml | 5 +
.../notes/bug-1945453-2-287bfcaf060689d8.yaml | 16 ++
.../notes/bug-1954720-4fc48610a56f3e98.yaml | 6 +
.../notes/bug-1956976-8a2623ca1fbfd546.yaml | 5 +
.../notes/bug-1959663-afda889b9aa4c63f.yaml | 6 +
.../notes/bug-1961795-16fb2ac27152fc03.yaml | 6 +
.../notes/bug-1963752-ee12e15c17c24bb0.yaml | 6 +
...cloudkitty-prometheus-url-ee14bc486e810631.yaml | 6 +
...r-libvirt-profile-removal-01db6ca6dd66879f.yaml | 7 +
.../fix-haproxy-logrotate-e299a0000728fd8f.yaml | 12 ++
...q-interface-configuration-b39c954fb8763d9c.yaml | 6 +
...apparmor-disabled-profile-2cab584eec729b71.yaml | 6 +
...-for-ironic-neutron-agent-61ec4d0d237da075.yaml | 6 +
.../jinja2-pass-context-2afc328ade8c407b.yaml | 4 +
.../notes/libvirt-sasl-404199143610fb75.yaml | 27 +++
...n-placement-endpoint-type-90073ba5ecc9e663.yaml | 6 +
...porter-filesystem-metrics-d3ae7b0a892d2957.yaml | 6 +
...ue-mirroring-for-rabbitmq-d54b9e7e25e57a88.yaml | 10 +
.../notes/unpin-cinder-rpcs-8eb7e0858a91b9b8.yaml | 6 +
...update-node-custom-config-7b378b25ce22779f.yaml | 5 +
test-requirements.txt | 2 +-
84 files changed, 613 insertions(+), 327 deletions(-)

Requirements updates
-------------------- diff --git a/test-requirements.txt b/test-requirements.txt index cab4df184..4eb87aa46 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -2 +2 @@ -ansible-lint>=4.2.0,!=4.3.0 # MIT +ansible-lint>=4.2.0,!=4.3.0,<6.0.0 # MIT
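Review bot: the new "<6.0.0" cap on ansible-lint in test-requirements.txt has nothing next to it saying why the version is capped or when the cap can be lifted; the trailing "# MIT" comment only records the license. Suggest adding a short comment on that line, or a pointer to the ansible-lint 6 failures being worked around, so the pin gets revisited instead of staying in place indefinitely.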
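A post-upgrade check for the two Security Issues items above (LP#1964013 and LP#1945453), as an added example that is not part of the announcement or of Kolla Ansible's code. It assumes the rendered libvirtd.conf and the host's /etc/sysctl.conf are passed in as text; `listen_tcp` and `auth_tcp` are libvirt's own keys, while the function names, severity labels and sample configs are constructed here.

```python
def parse_kv(text):
    """Parse 'key = value' config lines; '#' and ';' start comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # sysctl accepts both net.ipv4.x and net/ipv4/x spellings.
        settings[key.strip().replace("/", ".")] = value.strip().strip('"')
    return settings  # a later duplicate key overrides an earlier one


def audit_libvirtd(conf_text):
    """Flag a libvirt TCP listener that runs without authentication."""
    conf = parse_kv(conf_text)
    if conf.get("listen_tcp", "0") != "1":
        return []
    # Assumption: an unset auth_tcp falls back to libvirt's "sasl" default.
    auth = conf.get("auth_tcp", "sasl")
    if auth == "none":
        return ["HIGH: libvirt TCP API accepts unauthenticated clients (LP#1964013)"]
    return ["INFO: libvirt TCP API uses auth_tcp=%s; libvirt TLS is recommended" % auth]


def audit_sysctl(conf_text):
    """Flag a persisted net.ipv4.ip_forward=1 left over in sysctl.conf."""
    # Only the text passed in is checked; other sysctl sources are out of scope.
    if parse_kv(conf_text).get("net.ipv4.ip_forward") == "1":
        return ["WARN: net.ipv4.ip_forward=1 still set in sysctl.conf (LP#1945453)"]
    return []


# Constructed samples: a pre-fix libvirtd.conf, a post-fix one, an old sysctl.conf.
LEGACY_LIBVIRTD = 'listen_tcp = 1\nlisten_tls = 0\nauth_tcp = "none"\n'
FIXED_LIBVIRTD = 'listen_tcp = 1\nlisten_tls = 0\nauth_tcp = "sasl"\n'
LEGACY_SYSCTL = "# constructed sample\nnet.ipv4.conf.all.rp_filter = 0\nnet/ipv4/ip_forward=1\n"

if __name__ == "__main__":
    for finding in audit_libvirtd(LEGACY_LIBVIRTD) + audit_sysctl(LEGACY_SYSCTL):
        print(finding)
```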