[release-announce] kolla-ansible 15.2.0 (zed)
no-reply at openstack.org
Thu Jul 13 16:11:32 UTC 2023
We enthusiastically announce the release of:
kolla-ansible 15.2.0: Ansible Deployment of Kolla containers
This release is part of the zed stable release series.
The source is available from:
https://opendev.org/openstack/kolla-ansible
Download the package from:
https://tarballs.openstack.org/kolla-ansible/
Please report issues through:
https://bugs.launchpad.net/kolla-ansible/+bugs
For more details, please see below.
15.2.0
^^^^^^
New Features
************
* Since CVE-2022-29404 is fixed, the default value for the
LimitRequestBody directive in the Apache HTTP Server has been
changed from 0 (unlimited) to 1073741824 (1 GiB). This limits the
size of uploads made through Horizon, for example images. The limit
can now be configured via "horizon_httpd_limitrequestbody". LP#2012588
* etcd is now exposed internally via HAProxy on "etcd_client_port".
* Added two new flags to alter behaviour in RabbitMQ:
  * *rabbitmq_message_ttl_ms*, which lets you set a TTL on messages.
  * *rabbitmq_queue_expiry_ms*, which lets you set an expiry time on
    queues.
  See https://www.rabbitmq.com/ttl.html for more information on both.
* The config option *rabbitmq_ha_replica_count* is added, to allow
for changing the replication factor of mirrored queues in RabbitMQ.
While the flag is unset, the queues are mirrored across all nodes
using "ha-mode":"all". Note that this only has an effect if the flag
*om_enable_rabbitmq_high_availability* is set to *True*, as
otherwise queues are not mirrored.
* The config option *rabbitmq_ha_promote_on_shutdown* has been
added, which allows changing the RabbitMQ definition
*ha-promote-on-shutdown*. By default *ha-promote-on-shutdown* is
"when-synced". We recommend changing this to "always", which
prioritises RabbitMQ availability over the possible loss of some
messages. This is most relevant when restarting RabbitMQ, such as
when upgrading. Note that setting the value of this flag, even to
the default value of "when-synced", will cause RabbitMQ to be
restarted on the next deploy. For more details please see:
https://www.rabbitmq.com/ha.html#cluster-shutdown
* Services using etcd3gw via tooz now use etcd via haproxy. This
removes a single point of failure, where we hardcoded the first etcd
host for backend_url.
Upgrade Notes
*************
* Default tags of "neutron_tls_proxy" and "glance_tls_proxy" have
been changed to "haproxy_tag", as both services use the "haproxy"
container image. Any custom tag overrides for those services should
be altered before upgrade.
Security Issues
***************
* The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd
commands now create or update passwords.yml with correct
permissions. They also display a warning message about incorrect
permissions.
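An added example, not kolla-ansible's own code, of the two behaviours this note describes: warning about loose permissions on a secrets file and rewriting it with restrictive ones. The 0o600 policy and the function names are assumptions; the note does not state which mode the commands apply.

```python
import os
import stat
import tempfile

# Assumed policy for this example: owner read/write only. The release note
# does not say which mode kolla-ansible itself enforces.
SECRET_MODE = 0o600


def excess_permissions(path, allowed=SECRET_MODE):
    """Return the permission bits set on path that the policy does not allow."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~allowed


def write_secret_file(path, data, mode=SECRET_MODE):
    """Write data to path without ever exposing it beyond `mode`.

    The data goes to a temporary file that mkstemp creates as 0o600 in the
    same directory, and that file is then renamed over the target. Writing
    with open() and calling chmod() afterwards would leave a window in which
    the umask decides who can read the secrets.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".pwd-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # atomic on POSIX; drops the looser file
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Constructed scenario: a world-readable passwords.yml is rewritten."""
    content = "database_password: constructed-sample\n"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "passwords.yml")
        with open(path, "w") as handle:
            handle.write(content)
        os.chmod(path, 0o644)  # constructed: looser than the assumed policy
        before = excess_permissions(path)
        if before:
            print(f"WARNING: {path} has excess permission bits {oct(before)}")
        write_secret_file(path, content)
        return before, excess_permissions(path)
```

Calling `demo()` prints the warning for the constructed 0o644 file and returns the excess bits before and after the rewrite.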
Bug Fixes
*********
* The precheck for RabbitMQ failed incorrectly when
"kolla_externally_managed_cert" was set to "true". LP#1999081
* Fixes removal of Elasticsearch and Kibana loadbalancer configs
during migration to Opensearch, when those services are running on a
dedicated monitoring node.
* Fixes the sasl account being created before the config file is
ready. LP#2015589
* Set correct permissions for the opensearch-dashboard data location.
LP#2020152 https://bugs.launchpad.net/kolla-ansible/+bug/2020152
* The flags "--db-nb-pid" and "--db-sb-pid" have been corrected to be
"--db-nb-pidfile" and "--db-sb-pidfile" respectively. See here for
reference:
https://github.com/ovn-org/ovn/blob/6c6a7ad1c64a21923dc9b5bea7069fd88bcdd6a8/utilities/ovn-ctl#L1045
LP#2018436
* Configuration of service user tokens for all Nova and Cinder
services is now done automatically, to ensure security of
block-storage volume data. See LP#2004555 for more details.
* Fixes deployment when using Ansible check mode. LP#2002661
* Fixes the incorrect endpoint URLs and service type information for
the Cyborg service in Keystone. LP#2020080
* Set the etcd internal hostname and cacert for deployments with
internal TLS enabled. This allows services to work with etcd when
coordination is enabled in such deployments. Without this fix, the
coordination backend fails to connect to etcd and the service itself
crashes.
* Fixes the opensearch migration process, including the case when
elasticsearch is located in a regular folder instead of a docker
volume. Furthermore, it now checks whether there is data to migrate.
* When upgrading or deploying RabbitMQ, the policy *ha-all* is
cleared if *om_enable_rabbitmq_high_availability* is set to *false*.
Changes in kolla-ansible 15.1.0..15.2.0
---------------------------------------
073a2f7d1 opensearch-dashboard: fix permissions
fc861e74a Fix Bifrost: remove an extra curly bracket
99511eede Fix the Cyborg service
635330912 Fix passwords.yml permissions
fc61357af docs: Fix note block
88f80d07f docs: Remove redundant section about vagrant-vbguest
aa99d2c9a Correct [pci] syntax in Nova SRIOV documentation
5ed259ec0 Fix the fluentd regexp to collect the logs
a662bd896 opensearch: alter path after using rpm/deb packaging
275b9f681 Fix Bash variable expansion issues in openrc file
efe6650d0 always add service_user section to nova.conf
36f35d1b2 Correct ovn-ctl --db-nb-pidfile usage in templates
1ed6464c9 Designate: provide certificates file to use for neutron client requests
5f01fa1d5 Fix faulty precheck for RabbitMQ
423a42c65 Add precheck to fail if RabbitMQ HA needs configuring
602876011 Update notes about CentOS support
4c63d0edf cli: fix find globals.d
3dfca54df Remove RabbitMQ ha-all policy when not required
228ff5744 Fix create sasl account before config file is ready
c78f8569b Fix maximum width of the DIB Multiline-YAML
f764be111 opensearch: default dashboards tag to opensearch_tag
89d9a0c43 Fix merge action plugins verbose output
b892a569f Add note about removing leading tabs in ceph.conf files
fdf471697 Add flags for RabbitMQ message TTL & queue expiry
84e783f19 Fix deploy/genconfig in check mode
a73e41168 Fix elasticsearch to opensearch migration
328737a0e Fix removal of Elasicsearch and Kibana loadbalancer configs
baa2076fc nova: Fix live migration on RHEL9 derivatives
dceb3a5a5 Add LimitRequestBody configuration for Horizon
743d1af89 Add flag to change RabbitMQ ha-mode definition
300f58471 RabbitMQ: Support setting ha-promote-on-shutdown
033da7aa3 Pin zun jobs to Docker 20
6cea19e30 cloudkitty: set cafile for fetcher_keystone
347b27cf7 ironic: fix dev mode for inspector
887ed175a Set the etcd internal hostname and cacert for tls internal enabled deployments
c0a6271e7 hacluster: Use nodename to align with nova service names
cef0e0060 Default neutron_tls_proxy and glance_tls_proxy to haproxy_tag
9e87a24f9 Use loadbalancer to connect to etcd
fd4b9051b CI: Pin ansible-lint to <6.13.0
f2da37f13 Put etcd behind HTTP loadbalancer
829e83ca7 docs: fix information about libvirt SASL auth
39e178990 CI: Avoid running tgtd if BASE_DISTRO is rocky
Diffstat (except docs and test files)
-------------------------------------
ansible/action_plugins/merge_configs.py | 10 ++-
ansible/action_plugins/merge_yaml.py | 27 ++++++--
ansible/group_vars/all.yml | 1 +
ansible/roles/bifrost/tasks/config.yml | 1 +
ansible/roles/bifrost/tasks/deploy-servers.yml | 2 +-
ansible/roles/cinder/templates/cinder.conf.j2 | 8 ++-
.../roles/cloudkitty/templates/cloudkitty.conf.j2 | 1 +
ansible/roles/common/templates/admin-openrc.sh.j2 | 30 ++++-----
.../common/templates/conf/input/00-global.conf.j2 | 4 +-
ansible/roles/cyborg/defaults/main.yml | 8 +--
ansible/roles/cyborg/templates/cyborg.conf.j2 | 2 +-
.../roles/designate/templates/designate.conf.j2 | 1 +
ansible/roles/etcd/defaults/main.yml | 8 ++-
ansible/roles/etcd/tasks/loadbalancer.yml | 7 ++
ansible/roles/glance/defaults/main.yml | 3 +-
.../roles/hacluster/tasks/bootstrap_service.yml | 8 +--
.../hacluster/templates/hacluster_corosync.conf.j2 | 2 +-
ansible/roles/horizon/templates/horizon.conf.j2 | 3 +
ansible/roles/ironic/defaults/main.yml | 4 +-
ansible/roles/ironic/tasks/clone.yml | 3 +-
.../ironic/templates/ironic-inspector.conf.j2 | 3 +-
ansible/roles/keystone/tasks/config.yml | 1 +
ansible/roles/mariadb/tasks/lookup_cluster.yml | 1 +
ansible/roles/neutron/defaults/main.yml | 3 +-
ansible/roles/nova-cell/handlers/main.yml | 14 +++-
.../roles/nova-cell/tasks/get_cell_settings.yml | 1 +
.../nova-cell/tasks/wait_discover_computes.yml | 1 +
ansible/roles/nova-cell/templates/nova.conf.j2 | 13 ++++
ansible/roles/nova-cell/templates/sshd_config.j2 | 3 +
ansible/roles/nova/templates/nova.conf.j2 | 13 ++++
.../roles/octavia/templates/octavia-openrc.sh.j2 | 16 ++---
ansible/roles/opensearch/defaults/main.yml | 2 +-
ansible/roles/opensearch/tasks/upgrade.yml | 77 +++++++++++++++++++---
.../templates/opensearch-dashboards.json.j2 | 19 ++++--
.../roles/opensearch/templates/opensearch.json.j2 | 2 +-
.../templates/opensearch_dashboards.yml.j2 | 2 +-
ansible/roles/ovn-db/templates/ovn-nb-db.json.j2 | 2 +-
ansible/roles/ovn-db/templates/ovn-sb-db.json.j2 | 2 +-
ansible/roles/rabbitmq/defaults/main.yml | 15 +++++
ansible/roles/rabbitmq/tasks/deploy.yml | 4 ++
ansible/roles/rabbitmq/tasks/precheck.yml | 28 ++++++++
.../roles/rabbitmq/tasks/remove-ha-all-policy.yml | 29 ++++++++
ansible/roles/rabbitmq/tasks/upgrade.yml | 4 ++
.../roles/rabbitmq/templates/definitions.json.j2 | 4 +-
ansible/site.yml | 5 ++
.../reference/storage/external-ceph-guide.rst | 8 +++
kolla_ansible/cmd/genpwd.py | 19 +++++-
kolla_ansible/cmd/mergepwd.py | 24 ++++++-
kolla_ansible/cmd/readpwd.py | 19 +++++-
kolla_ansible/cmd/writepwd.py | 10 +++
lint-requirements.txt | 2 +-
...-horizon-limitrequestbody-4f79433fa2cf1f6d.yaml | 9 +++
.../notes/bug-1999081-769f1012263a48fd.yaml | 6 ++
.../notes/bug-2006764-0b647c45b9258542.yaml | 6 ++
.../notes/bug-2015589-94427c14cd857c98.yaml | 5 ++
.../notes/bug-2020152-165c87048d92dedb.yaml | 5 ++
...-ctl-pid-flag-in-template-d915fe4b71548da0.yaml | 8 +++
.../notes/cve-2023-2088-51e7e050be2139bf.yaml | 9 +++
.../etcd-tcp-loadbalancer-08d9332ee3be9a8b.yaml | 4 ++
.../notes/fix-check-mode-1f37ab5507c98954.yaml | 5 ++
.../notes/fix-cyborg-service-5bc5bf8748daf504.yaml | 6 ++
...-etcd-coordination-config-b1c9f900ef13be13.yaml | 8 +++
.../fix-opensearch-migration-1d0ff64400a9a073.yaml | 6 ++
...passwords-yml-permissions-ca73638b71aeadf4.yaml | 7 ++
...sage-ttl-and-queue-expiry-c163a370708f5b20.yaml | 7 ++
...change-replication-factor-321c2f9e08e7d179.yaml | 9 +++
...mq-ha-promote-on-shutdown-9099c6643f2d0cce.yaml | 13 ++++
...-policy-when-not-required-81dcf64542c4805f.yaml | 5 ++
...s-proxies-use-haproxy-tag-aa030b5e5df6fbf0.yaml | 8 +++
...r-for-etcdgw-coordination-6704a8b1389bbabe.yaml | 6 ++
tools/kolla-ansible | 2 +-
tools/validate-all-file.py | 4 ++
zuul.d/base.yaml | 2 +
zuul.d/jobs.yaml | 9 +++
zuul.d/project.yaml | 1 +
86 files changed, 603 insertions(+), 110 deletions(-)
Requirements updates
--------------------
diff --git a/lint-requirements.txt b/lint-requirements.txt
index 1b0057f49..0f255aa34 100644
--- a/lint-requirements.txt
+++ b/lint-requirements.txt
@@ -2 +2 @@ ansible>=4,<6 # GPLv3
-ansible-lint>=6.0.0,<7.0.0 # MIT
+ansible-lint>=6.0.0,<6.13.0 # MIT
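Review bot: the tightened upper bound on the "+ansible-lint>=6.0.0,<6.13.0 # MIT" line has no stated reason; the trailing comment only records the licence. Add a short comment or bug reference saying why 6.13.0 and later are excluded, so the cap can be revisited and lifted once the underlying problem is resolved instead of silently holding the linter back within the 6.x series.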