We are pumped to announce the release of:

kolla-ansible 12.3.0: Ansible Deployment of Kolla containers

This release is part of the wallaby stable release series.

The source is available from:

    https://opendev.org/openstack/kolla-ansible

Download the package from:

    https://tarballs.openstack.org/kolla-ansible/

Please report issues through:

    https://bugs.launchpad.net/kolla-ansible/+bugs

For more details, please see below.

12.3.0
^^^^^^

New Features
************

* Adds a new variable, "disable_firewall", which defaults to "true".
  If set to "false", then the host firewall will not be disabled
  during "kolla-ansible bootstrap-servers".

* Implements container healthchecks for keystone-fernet container.
  See blueprint

* Implements container healthchecks for memcached services. See
  blueprint

* Implements container healthchecks for nova-spicehtml5proxy service.
  See blueprint

* Adds two new arguments to the "kolla-ansible" command, "--check"
  and "--diff". They are passed through directly to
  "ansible-playbook".

* Adds "manila_cephfs_filesystem_name" variable to support multi-fs
  Ceph Pacific+ deployments.

Upgrade Notes
*************

* To fix LP#1941940, "nova_libvirt_dimensions" now by default
  combines with "nova_libvirt_default_dimensions". Please consider
  this when customising that variable.

Security Issues
***************

* Fixes "net.ipv4.ip_forward" not to be enabled by Kolla Ansible on
  the default network namespace. It was enabled on hosts with Neutron
  L3 Agent (thus in most common setups with OVS and/or Linux Bridge,
  but not OVN) and allowed, unless users had extra iptables rules to
  avoid that, any traffic to be accepted for forwarding (as long as it
  was routable and passed other checks). Users of existing setups are
  advised to re-evaluate whether they need this sysctl enabled and
  disable it if not necessary. Kolla Ansible will simply no longer try
  to set this sysctl at all. Neutron L3 Agent handles forwarding
  enablement per managed namespace. LP#1945453

* Adds mitigation for the Apache Log4j2 Remote Code Execution (RCE)
  Vulnerability in Elasticsearch - CVE-2021-44228.

Bug Fixes
*********

* Fixed broken "kolla-toolbox" container when RabbitMQ is disabled
  and IPv6 is used. LP#1939883

* Fixes inability to attach devices (e.g., volumes via iSCSI/FC) to
  instances on Debian Bullseye. LP#1941940

* Fixes "mariadb-clustercheck" not to run when there is no HAProxy.
  LP#1944114

* No longer creates directories for haproxy and swift logs where they
  are not needed. LP#1945070

* Fixes an issue with multinode MariaDB deployments which could fail
  the playbook execution on WSREP check due to the new behaviour of
  Galera 4. LP#1947485

* Fixes an issue on Debian with single node MariaDB deployments with
  HAProxy disabled. See bug 1947534 for details.

* Fixes the generation of "wsrep_cluster_address" in "galera.cnf"
  when "--limit" is used while deploying MariaDB nodes. LP#1947589

* Fixes an error in the placement role which prevented deployment of
  the placement service when a custom policy file is used. LP#1948835

* Fixes missing current Ansible version in the error message.
  LP#1948979

* Fixes the octavia role not setting the amphora network's
  gateway_ip. LP#1949260

* Only run the "configure ovn in ovsdb" task on ovn-controller hosts.
  The task will fail on hosts (like controller nodes) without a tunnel
  interface. LP#1953367

* Fixes an issue where the Nova API logs were written to files ending
  with *-wsgi.log* which affected the processing of these logs in the
  Fluentd pipeline. LP#1950185

* On slower nodes, the initial grafana startup could experience a
  timeout failure when the migrations for setting up the database took
  longer than expected. This has been fixed by increasing the default
  timeout. The timeout settings can be changed via new parameters
  "grafana_start_first_node_delay" and
  "grafana_start_first_node_retries" for the "grafana" role.
  LP#1769962

* Removes "fix_cephfs_owner.yaml" which related to pre-wallaby
  Manila's use of subfolders. Post-wallaby Manila now uses cephfs
  volumes instead, so this file is no longer required. LP#1938285
  LP#1935784

* Removes use of "cephfs_enable_snapshots" in Manila config as this
  option was removed from Manila in the Wallaby release.

Changes in kolla-ansible 12.2.0..12.3.0
---------------------------------------

3a212faef Added upgrade note for separate nova and cinder keys.
4af71d367 [docs] Mark init-runonce properly
b30b42c63 ovn: configure ovn in ovsdb only on ovn-controller hosts
f35e44aaf [Security] Add log4j vulnerability mitigation in Elasticsearch
d7ebe7c24 Bump timeout for grafana startup
331167403 docs: Manila CephFS Driver in Wallaby upgrade note
69810fd42 Fix monasca-thresh upgrade
a4c46d86f docs: stop installing kolla in quickstart
a1e7fa276 CI: Test minimum and maximum supported ansible versions
bf7f20932 Specify log file name for Nova API
4e07d6cb7 Replace auth_uri with www_authenticate_uri
b6f28ee2e docs: Install openstack-client with upper constraints
35d8edca0 Remove unexpected }
c3c8448b7 haproxy: remove unused tls check condition in config
9a9b609a6 docs: Get release name dynamically
e6827412c docs: Parameterize kolla-ansible version and branch
edb88e6c3 Stop creating unused cron/logrotate directory
c6a04b0f2 docs: Fix python-openstackclient package name and init-runonce path
951a25fac Fix octavia doesn't set subnet gateway_ip
c6b27b2a8 mariadb: use add_host to include inactive hosts in shard grouping
cea9a84cf Fix broken deploy of placement service
295e86f08 Fix missing Ansible version in the error message
1a1fb8643 mariadb: Do not use wsrep-notify.sh on Debian
a61d4e721 docs: Improve info about neutron external interface
94627f1c8 Update Manila deploy steps for Wallaby
8109217a7 [mariadb] Start new nodes serially
1feabf70b Add support for Ironic inspection through DHCP-relay
ee32a10a7 Trivial fix shebang in keystone's fernet-node-sync.sh.j2
b9c88463f Correctly create the dhcp_agent.ini and l3_agent.ini
9c4887ae6 Do not set net.ipv4.ip_forward sysctl
229e3f41a Add check and diff options to kolla-ansible
297d1bee2 Do not create haproxy and swift log dirs needlessly
b621fd827 Docs: Update to opendev.org domain
b08c32e40 Do not enable mariadb-clustercheck when not needed
f0169774d Do not become root when searching for custom prometheus alert rules files
3cbb45aeb CI: monasca: ignore exited monasca_thresh container
2ca82dac6 CI: stop setting ceph_nova_user
29d11508d Add disable_firewall variable
3e954e33a Fix neutron upgrade using host limit without controllers
62328e7d8 [CI] Test instance health after upgrade
7c268ee65 Bump libvirtd memlock ulimit
dbe94d5fa Zun: Temporarily skip capsule test for ubuntu
a42d09d46 Fix kolla-toolbox with IPv6 and disabled RabbitMQ
3bbf1a80b Use Docker healthchecks for memcached services
61917194c Use Docker healthchecks for keystone-fernet container
7755ef65d Use Docker healthchecks for nova-spicehtml5proxy service

Diffstat (except docs and test files)
-------------------------------------

ansible/group_vars/all.yml | 3 +
ansible/roles/baremetal/defaults/main.yml | 3 +
ansible/roles/baremetal/tasks/install.yml | 56 ++++++-----
ansible/roles/common/tasks/config.yml | 3 +-
.../common/templates/conf/output/00-local.conf.j2 | 4 +
ansible/roles/common/templates/fluentd.json.j2 | 4 +
.../roles/common/templates/kolla-toolbox.json.j2 | 4 +-
ansible/roles/cyborg/templates/cyborg.conf.j2 | 2 +-
ansible/roles/elasticsearch/defaults/main.yml | 2 +-
ansible/roles/grafana/defaults/main.yml | 3 +
ansible/roles/grafana/handlers/main.yml | 4 +-
.../roles/haproxy/templates/haproxy_main.cfg.j2 | 2 -
ansible/roles/keystone/defaults/main.yml | 14 +++
ansible/roles/keystone/tasks/config.yml | 1 +
.../keystone/templates/fernet-healthcheck.sh.j2 | 6 ++
.../keystone/templates/fernet-node-sync.sh.j2 | 32 +++---
ansible/roles/keystone/templates/fernet-push.sh.j2 | 16 +++
.../keystone/templates/keystone-fernet.json.j2 | 6 ++
ansible/roles/manila/defaults/main.yml | 7 ++
ansible/roles/manila/tasks/deploy.yml | 5 -
ansible/roles/manila/tasks/fix_cephfs_owner.yml | 85 ----------------
.../roles/manila/templates/manila-share.conf.j2 | 8 +-
ansible/roles/mariadb/defaults/main.yml | 11 +--
ansible/roles/mariadb/handlers/main.yml | 6 ++
ansible/roles/mariadb/tasks/config.yml | 1 +
ansible/roles/mariadb/tasks/main.yml | 6 +-
ansible/roles/mariadb/templates/galera.cnf.j2 | 2 +-
ansible/roles/mariadb/templates/mariadb.json.j2 | 2 +-
ansible/roles/memcached/defaults/main.yml | 14 +++
ansible/roles/memcached/handlers/main.yml | 1 +
ansible/roles/memcached/tasks/check-containers.yml | 1 +
ansible/roles/monasca/tasks/upgrade.yml | 1 +
ansible/roles/neutron/tasks/config-host.yml | 1 -
ansible/roles/neutron/tasks/rolling_upgrade.yml | 2 +-
ansible/roles/neutron/templates/dhcp_agent.ini.j2 | 2 +
ansible/roles/neutron/templates/l3_agent.ini.j2 | 2 +
ansible/roles/nova-cell/defaults/main.yml | 26 ++++-
ansible/roles/nova/templates/nova.conf.j2 | 5 +-
ansible/roles/octavia/tasks/prepare.yml | 2 +-
ansible/roles/ovn/tasks/bootstrap.yml | 1 +
ansible/roles/placement/tasks/config.yml | 2 +-
ansible/roles/prometheus/tasks/config.yml | 1 -
.../bootstrap-servers.rst | 2 +
.../reference/networking/neutron-extensions.rst | 10 ++
.../reference/networking/provider-networks.rst | 21 ----
.../orchestration-and-nfv/tacker-guide.rst | 27 ++---
.../reference/storage/external-ceph-guide.rst | 14 +++
etc/kolla/globals.yml | 9 +-
.../notes/bug-1939883-dbfca874b138cfe9.yaml | 6 ++
.../notes/bug-1941940-c63265ea6ea2f594.yaml | 11 +++
.../notes/bug-1944114-fa2a266c014c64a9.yaml | 5 +
.../notes/bug-1945070-965635387a8581f9.yaml | 6 ++
.../notes/bug-1945453-c410cc090cb85feb.yaml | 16 +++
.../notes/bug-1947485-d059864252fb1813.yaml | 7 ++
.../notes/bug-1947534-bf3b5ed19473015f.yaml | 6 ++
.../notes/bug-1947589-52e7a6fa5d82e7fa.yaml | 6 ++
.../notes/bug-1948835-51b15ddbef04d307.yaml | 6 ++
.../notes/bug-1948979-aaf2a93cc016ffb1.yaml | 5 +
.../notes/bug-1949260-34d82ecd677dd8ff.yaml | 5 +
.../notes/bug-1953367-61591a7f3ecf28ce.yaml | 7 ++
...ix-nova-api-log-file-name-9a377525e73012de.yaml | 7 ++
.../notes/disable-firewall-1e1955168c717cb5.yaml | 6 ++
...-start-first-node-timeout-f9a6149cc68153a5.yaml | 10 ++
...hecks-for-keystone-fernet-a63033e2b95ecb2f.yaml | 6 ++
...ealthchecks-for-memcached-807b9036c3c92596.yaml | 6 ++
...-for-nova-spicehtml5proxy-a9cf93c15c0a8966.yaml | 6 ++
.../notes/kolla-ansible-diff-50de16722aa155dc.yaml | 5 +
.../notes/security-log4j-1be047799f8e590a.yaml | 5 +
.../support-manila-wallaby-2e29e866af0d6287.yaml | 15 +++
tools/kolla-ansible | 20 +++-
84 files changed, 691 insertions(+), 279 deletions(-)
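
For the "net.ipv4.ip_forward" item under Security Issues above (LP#1945453), the following shell function is an added example, not part of kolla-ansible or of this announcement, that classifies a host from the sysctl value and a saved `iptables -S FORWARD` listing. The function name, the result labels and the sample rules are assumptions constructed for illustration, and it assumes the host filters with iptables.

```shell
#!/bin/sh
# Added example, not kolla-ansible code: classify exposure to LP#1945453.
# forward_exposure SYSCTL_FILE RULES_FILE
#   SYSCTL_FILE  holds the sysctl value; on a live host use
#                /proc/sys/net/ipv4/ip_forward (default network namespace)
#   RULES_FILE   saved output of `iptables -S FORWARD` from the same host
# Prints: disabled | enabled-default-drop | enabled-catchall-drop | enabled-review
forward_exposure() {
    value=$(tr -d '[:space:]' < "$1")
    if [ "$value" != "1" ]; then
        echo "disabled"
        return 0
    fi
    # Built-in chain policy appears as: -P FORWARD DROP
    policy=$(awk '$1 == "-P" && $2 == "FORWARD" { print $3 }' "$2")
    if [ "$policy" = "DROP" ]; then
        echo "enabled-default-drop"
        return 0
    fi
    # With policy ACCEPT, only an unconditional last rule stops unmatched traffic.
    last=$(awk '$1 == "-A" && $2 == "FORWARD" { line = $0 } END { print line }' "$2")
    case "$last" in
        "-A FORWARD -j DROP"|"-A FORWARD -j REJECT"*) echo "enabled-catchall-drop" ;;
        *) echo "enabled-review" ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '1\n' > "$demo_dir/ip_forward_on"
printf '0\n' > "$demo_dir/ip_forward_off"
printf '%s\n' '-P FORWARD ACCEPT' > "$demo_dir/rules_open"
printf '%s\n' '-P FORWARD DROP' '-A FORWARD -i br-ex -j ACCEPT' \
    > "$demo_dir/rules_drop"
printf '%s\n' '-P FORWARD ACCEPT' \
    '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
    '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
    > "$demo_dir/rules_catchall"

forward_exposure "$demo_dir/ip_forward_on"  "$demo_dir/rules_open"
forward_exposure "$demo_dir/ip_forward_on"  "$demo_dir/rules_drop"
forward_exposure "$demo_dir/ip_forward_on"  "$demo_dir/rules_catchall"
forward_exposure "$demo_dir/ip_forward_off" "$demo_dir/rules_open"
```

A result of "enabled-review" means forwarding is on and no default-deny was found in the FORWARD chain, which is the state the release note asks operators to re-evaluate.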