[release-announce] kolla-ansible 12.3.0 (wallaby)

no-reply at openstack.org no-reply at openstack.org
Mon Jan 3 10:36:35 UTC 2022


We are pumped to announce the release of:

kolla-ansible 12.3.0: Ansible Deployment of Kolla containers

This release is part of the wallaby stable release series.

The source is available from:

    https://opendev.org/openstack/kolla-ansible

Download the package from:

    https://tarballs.openstack.org/kolla-ansible/

Please report issues through:

    https://bugs.launchpad.net/kolla-ansible/+bugs

For more details, please see below.

12.3.0
^^^^^^


New Features
************

* Adds a new variable, "disable_firewall", which defaults to "true".
  If set to "false", then the host firewall will not be disabled
  during "kolla-ansible bootstrap-servers".

* Implements container healthchecks for keystone-fernet container.
  See blueprint

* Implements container healthchecks for memcached services. See
  blueprint

* Implements container healthchecks for nova-spicehtml5proxy
  service. See blueprint

* Adds two new arguments to the "kolla-ansible" command, "--check"
  and "--diff". They are passed through directly to
  "ansible-playbook".

* Adds "manila_cephfs_filesystem_name" variable to support multi-fs
  Ceph Pacific+ deployments.


Upgrade Notes
*************

* To fix LP#1941940, "nova_libvirt_dimensions" now by default
  combines with "nova_libvirt_default_dimensions". Please consider
  this when customising that variable.


Security Issues
***************

* Kolla Ansible no longer enables "net.ipv4.ip_forward" in the
  default network namespace. It was enabled on hosts with Neutron L3
  Agent (thus in most common setups with OVS and/or Linux Bridge, but
  not OVN) and, unless users had extra iptables rules to prevent it,
  allowed any traffic to be accepted for forwarding (as long as it was
  routable and passed other checks). Users of existing setups are
  advised to re-evaluate whether they need this sysctl enabled and to
  disable it if not necessary. Kolla Ansible will simply no longer try
  to set this sysctl at all. Neutron L3 Agent handles forwarding
  enablement per managed namespace. LP#1945453

* Adds mitigation for the Apache Log4j2 Remote Code Execution (RCE)
  Vulnerability in Elasticsearch - CVE-2021-44228.
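
The re-evaluation advised for "net.ipv4.ip_forward" above can be scripted
per host. The following is an added example, not part of these release
notes or of kolla-ansible; it assumes iptables is the host packet filter,
and the function names and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not kolla-ansible code): host audit for LP#1945453.
# Function names and sample rules below are constructed for illustration.

# classify_forwarding VALUE RULES
#   VALUE: contents of /proc/sys/net/ipv4/ip_forward (default namespace)
#   RULES: output of `iptables -S FORWARD`
# Prints one of: disabled | default-drop | accept-with-rules | open
classify_forwarding() {
    if [ "$1" != "1" ]; then
        echo disabled
        return 0
    fi
    policy=$(printf '%s\n' "$2" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }')
    nrules=$(printf '%s\n' "$2" | awk '$1 == "-A" && $2 == "FORWARD" { n++ } END { print n + 0 }')
    if [ "$policy" = "DROP" ]; then
        echo default-drop        # only explicitly accepted traffic is forwarded
    elif [ "$nrules" -gt 0 ]; then
        echo accept-with-rules   # default is ACCEPT; the rules need a manual review
    else
        echo open                # forwarding on, nothing filters it
    fi
}

# persisted_ip_forward FILE...
# Prints "file:line" for each uncommented line that still sets the sysctl to 1,
# since a value written before the upgrade is not removed by the new release.
persisted_ip_forward() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*[#;]/ { next }
            { line = $0; gsub(/[ \t]/, "", line) }
            line == "net.ipv4.ip_forward=1" { print f ":" $0 }' "$f"
    done
}

# Live check of the current host (iptables needs root); call it explicitly.
audit_host() {
    classify_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -S FORWARD)"
    persisted_ip_forward /etc/sysctl.conf /etc/sysctl.d/*.conf
}

# Constructed samples of `iptables -S FORWARD` output.
SAMPLE_OPEN='-P FORWARD ACCEPT'
SAMPLE_DROP='-P FORWARD DROP
-A FORWARD -i br-ex -j ACCEPT'
```

A result of "open" means the sysctl is on with a default ACCEPT policy and
no FORWARD rules; any path printed by persisted_ip_forward would re-enable
the sysctl at boot.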


Bug Fixes
*********

* Fixed broken "kolla-toolbox" container when RabbitMQ is disabled
  and IPv6 is used. LP#1939883

* Fixes inability to attach devices (e.g., volumes via iSCSI/FC) to
  instances on Debian Bullseye. LP#1941940

* Fixes "mariadb-clustercheck" not to run when there is no HAProxy.
  LP#1944114

* No longer creates directories for haproxy and swift logs where
  they are not needed. LP#1945070

* Fixes an issue with multinode MariaDB deployments which could fail
  the playbook execution on WSREP check due to the new behaviour of
  Galera 4. LP#1947485.

* Fixes an issue on Debian with single node MariaDB deployments with
  HAProxy disabled. See bug 1947534 for details.

* Fixes the generation of "wsrep_cluster_address" in "galera.cnf"
  when "--limit" is used while deploying MariaDB nodes. LP#1947589

* Fixes an error in the placement role which prevented deployment of
  the placement service when a custom policy file is used. LP#1948835

* Fixes missing current Ansible version in the error message.
  LP#1948979

* Fixes the octavia role not setting the amphora network's
  gateway_ip. LP#1949260

* Only runs the "configure ovn in ovsdb" task on ovn-controller
  hosts. The task will fail on hosts (like controller nodes) without
  a tunnel interface. LP#1953367

* Fixes an issue where the Nova API logs were written to files
  ending with *-wsgi.log* which affected the processing of these logs
  in the Fluentd pipeline. LP#1950185

* On slower nodes, the initial grafana startup could experience a
  timeout failure when the migrations for setting up the database took
  longer than expected. This has been fixed by increasing the default
  timeout. The timeout settings can be changed via new parameters
  "grafana_start_first_node_delay" and
  "grafana_start_first_node_retries" for the "grafana" role.
  LP#1769962

* Removes "fix_cephfs_owner.yaml", which related to pre-wallaby
  Manila's use of subfolders. Post-wallaby Manila now uses cephfs
  volumes instead, so this file is no longer required. LP#1938285
  LP#1935784

* Removes use of "cephfs_enable_snapshots" in Manila config as this
  option was removed from Manila in the Wallaby release.

Changes in kolla-ansible 12.2.0..12.3.0
---------------------------------------

3a212faef Added upgrade note for separate nova and cinder keys.
4af71d367 [docs] Mark init-runonce properly
b30b42c63 ovn: configure ovn in ovsdb only on ovn-controller hosts
f35e44aaf [Security] Add log4j vulnerability mitigation in Elasticsearch
d7ebe7c24 Bump timeout for grafana startup
331167403 docs: Manila CephFS Driver in Wallaby upgrade note
69810fd42 Fix monasca-thresh upgrade
a4c46d86f docs: stop installing kolla in quickstart
a1e7fa276 CI: Test minimum and maximum supported ansible versions
bf7f20932 Specify log file name for Nova API
4e07d6cb7 Replace auth_uri with www_authenticate_uri
b6f28ee2e docs: Install openstack-client with upper constraints
35d8edca0 Remove unexpected }
c3c8448b7 haproxy: remove unused tls check condition in config
9a9b609a6 docs: Get release name dynamically
e6827412c docs: Parameterize kolla-ansible version and branch
edb88e6c3 Stop creating unused cron/logrotate directory
c6a04b0f2 docs: Fix python-openstackclient package name and init-runonce path
951a25fac Fix octavia doesn't set subnet gateway_ip
c6b27b2a8 mariadb: use add_host to include inactive hosts in shard grouping
cea9a84cf Fix broken deploy of placement service
295e86f08 Fix missing Ansible version in the error message
1a1fb8643 mariadb: Do not use wsrep-notify.sh on Debian
a61d4e721 docs: Improve info about neutron external interface
94627f1c8 Update Manila deploy steps for Wallaby
8109217a7 [mariadb] Start new nodes serially
1feabf70b Add support for Ironic inspection through DHCP-relay
ee32a10a7 Trivial fix shebang in keystone's fernet-node-sync.sh.j2
b9c88463f Correctly create the dhcp_agent.ini and l3_agent.ini
9c4887ae6 Do not set net.ipv4.ip_forward sysctl
229e3f41a Add check and diff options to kolla-ansible
297d1bee2 Do not create haproxy and swift log dirs needlessly
b621fd827 Docs: Update to opendev.org domain
b08c32e40 Do not enable mariadb-clustercheck when not needed
f0169774d Do not become root when searching for custom prometheus alert rules files
3cbb45aeb CI: monasca: ignore exited monasca_thresh container
2ca82dac6 CI: stop setting ceph_nova_user
29d11508d Add disable_firewall variable
3e954e33a Fix neutron upgrade using host limit without controllers
62328e7d8 [CI] Test instance health after upgrade
7c268ee65 Bump libvirtd memlock ulimit
dbe94d5fa Zun: Temporarily skip capsule test for ubuntu
a42d09d46 Fix kolla-toolbox with IPv6 and disabled RabbitMQ
3bbf1a80b Use Docker healthchecks for memcached services
61917194c Use Docker healthchecks for keystone-fernet container
7755ef65d Use Docker healthchecks for nova-spicehtml5proxy service


Diffstat (except docs and test files)
-------------------------------------

ansible/group_vars/all.yml                         |   3 +
ansible/roles/baremetal/defaults/main.yml          |   3 +
ansible/roles/baremetal/tasks/install.yml          |  56 ++++++-----
ansible/roles/common/tasks/config.yml              |   3 +-
.../common/templates/conf/output/00-local.conf.j2  |   4 +
ansible/roles/common/templates/fluentd.json.j2     |   4 +
.../roles/common/templates/kolla-toolbox.json.j2   |   4 +-
ansible/roles/cyborg/templates/cyborg.conf.j2      |   2 +-
ansible/roles/elasticsearch/defaults/main.yml      |   2 +-
ansible/roles/grafana/defaults/main.yml            |   3 +
ansible/roles/grafana/handlers/main.yml            |   4 +-
.../roles/haproxy/templates/haproxy_main.cfg.j2    |   2 -
ansible/roles/keystone/defaults/main.yml           |  14 +++
ansible/roles/keystone/tasks/config.yml            |   1 +
.../keystone/templates/fernet-healthcheck.sh.j2    |   6 ++
.../keystone/templates/fernet-node-sync.sh.j2      |  32 +++---
ansible/roles/keystone/templates/fernet-push.sh.j2 |  16 +++
.../keystone/templates/keystone-fernet.json.j2     |   6 ++
ansible/roles/manila/defaults/main.yml             |   7 ++
ansible/roles/manila/tasks/deploy.yml              |   5 -
ansible/roles/manila/tasks/fix_cephfs_owner.yml    |  85 ----------------
.../roles/manila/templates/manila-share.conf.j2    |   8 +-
ansible/roles/mariadb/defaults/main.yml            |  11 +--
ansible/roles/mariadb/handlers/main.yml            |   6 ++
ansible/roles/mariadb/tasks/config.yml             |   1 +
ansible/roles/mariadb/tasks/main.yml               |   6 +-
ansible/roles/mariadb/templates/galera.cnf.j2      |   2 +-
ansible/roles/mariadb/templates/mariadb.json.j2    |   2 +-
ansible/roles/memcached/defaults/main.yml          |  14 +++
ansible/roles/memcached/handlers/main.yml          |   1 +
ansible/roles/memcached/tasks/check-containers.yml |   1 +
ansible/roles/monasca/tasks/upgrade.yml            |   1 +
ansible/roles/neutron/tasks/config-host.yml        |   1 -
ansible/roles/neutron/tasks/rolling_upgrade.yml    |   2 +-
ansible/roles/neutron/templates/dhcp_agent.ini.j2  |   2 +
ansible/roles/neutron/templates/l3_agent.ini.j2    |   2 +
ansible/roles/nova-cell/defaults/main.yml          |  26 ++++-
ansible/roles/nova/templates/nova.conf.j2          |   5 +-
ansible/roles/octavia/tasks/prepare.yml            |   2 +-
ansible/roles/ovn/tasks/bootstrap.yml              |   1 +
ansible/roles/placement/tasks/config.yml           |   2 +-
ansible/roles/prometheus/tasks/config.yml          |   1 -
.../bootstrap-servers.rst                          |   2 +
.../reference/networking/neutron-extensions.rst    |  10 ++
.../reference/networking/provider-networks.rst     |  21 ----
.../orchestration-and-nfv/tacker-guide.rst         |  27 ++---
.../reference/storage/external-ceph-guide.rst      |  14 +++
etc/kolla/globals.yml                              |   9 +-
.../notes/bug-1939883-dbfca874b138cfe9.yaml        |   6 ++
.../notes/bug-1941940-c63265ea6ea2f594.yaml        |  11 +++
.../notes/bug-1944114-fa2a266c014c64a9.yaml        |   5 +
.../notes/bug-1945070-965635387a8581f9.yaml        |   6 ++
.../notes/bug-1945453-c410cc090cb85feb.yaml        |  16 +++
.../notes/bug-1947485-d059864252fb1813.yaml        |   7 ++
.../notes/bug-1947534-bf3b5ed19473015f.yaml        |   6 ++
.../notes/bug-1947589-52e7a6fa5d82e7fa.yaml        |   6 ++
.../notes/bug-1948835-51b15ddbef04d307.yaml        |   6 ++
.../notes/bug-1948979-aaf2a93cc016ffb1.yaml        |   5 +
.../notes/bug-1949260-34d82ecd677dd8ff.yaml        |   5 +
.../notes/bug-1953367-61591a7f3ecf28ce.yaml        |   7 ++
...ix-nova-api-log-file-name-9a377525e73012de.yaml |   7 ++
.../notes/disable-firewall-1e1955168c717cb5.yaml   |   6 ++
...-start-first-node-timeout-f9a6149cc68153a5.yaml |  10 ++
...hecks-for-keystone-fernet-a63033e2b95ecb2f.yaml |   6 ++
...ealthchecks-for-memcached-807b9036c3c92596.yaml |   6 ++
...-for-nova-spicehtml5proxy-a9cf93c15c0a8966.yaml |   6 ++
.../notes/kolla-ansible-diff-50de16722aa155dc.yaml |   5 +
.../notes/security-log4j-1be047799f8e590a.yaml     |   5 +
.../support-manila-wallaby-2e29e866af0d6287.yaml   |  15 +++
tools/kolla-ansible                                |  20 +++-
84 files changed, 691 insertions(+), 279 deletions(-)






