Current Series Release Notes
16.0.0.0b2-24
Known Issues
OpenStack-Ansible sets a new variable, galera_disable_privatedevices, that controls whether the PrivateDevices configuration in MariaDB’s systemd unit file is enabled.
If the galera_server role is deployed on a bare metal host, the MariaDB default is maintained (PrivateDevices=true). If the galera_server role is deployed within a container, the PrivateDevices configuration is set to true to work around a systemd bug with a bind mounted /dev/ptmx.
See Launchpad Bug 1697531 for more details.
OpenStack-Ansible sets a new variable, memcached_disable_privatedevices, that controls whether the PrivateDevices configuration in MemcacheD’s systemd unit file is enabled.
If the memcached_server role is deployed on a bare metal host, the default is maintained (PrivateDevices=true). If the role is deployed within a container, the PrivateDevices configuration is set to true to work around a systemd bug with a bind mounted /dev/ptmx.
See Launchpad Bug 1697531 for more details.
Deprecation Notes
- The variable keepalived_uca_enable is deprecated, and replaced by keepalived_ubuntu_src. The keepalived_uca_enable variable will be removed in future versions of the keepalived role. The value of keepalived_ubuntu_src should be either “uca”, “ppa”, or “native”, for respectively installing from the Ubuntu Cloud archive, from keepalived stable ppa, or not installing from an external source.
- The variable keepalived_use_latest_stable is deprecated, and replaced by keepalived_package_state. The keepalived_use_latest_stable variable will be removed in future versions of the keepalived role. The value of keepalived_package_state should be either “latest” or “present”.
16.0.0.0b2
New Features
- Simplifies configuration of lbaas-mgmt network.
- Adds iptables rules to block traffic from the octavia management network to the octavia container for both ipv4 and ipv6.
- A variable named bootstrap_user_variables_template has been added to the bootstrap-host role so the user can define the user variable template filename for AIO deployments.
- For the os_aodh role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the aodh_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_barbican role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables which use the config_template task to change template defaults.
- New variables have been added to allow a deployer to customize a ceilometer systemd unit file to their liking.
- The task dropping the ceilometer systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- For the os_ceilometer role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ceilometer_*_init_config_overrides variables which use the config_template task to change template defaults.
- Added cinder_auth_strategy variable to configure Cinder’s auth strategy since Cinder can work in noauth mode as well.
- The os_ceilometer role now includes a facility where you can place your own templates in /etc/openstack_deploy/ceilometer (by default) and it will be deployed to the target host after being interpreted by the template engine. If no file is found there, the fallback of the git sourced template is used.
- For the os_designate role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the designate_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_glance role, the systemd unit RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. This value can be adjusted by using the glance_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_gnocchi role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the gnocchi_*_init_config_overrides variables which use the config_template task to change template defaults.
- From now on, a deployer can override any group_var in userspace, by creating a folder /etc/openstack_deploy/group_vars/. This folder has precedence over OpenStack-Ansible default group_vars, and the merge behavior is similar to Ansible merge behavior. The group_vars folder precedence can still be changed with the GROUP_VARS_PATH. Same applies for host vars.
- The new option haproxy_backend_arguments can be utilized to add arbitrary options to a HAProxy backend like tcp-check or http-check.
- For the os_heat role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the heat_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_ironic role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ironic_*_init_config_overrides variables which use the config_template task to change template defaults.
- The os_keystone role will now (by default) source the keystone-paste.ini, policy.json and sso_callback_template.html templates from the service git source instead of from the role. It also now includes a facility where you can place your own templates in /etc/openstack_deploy/keystone (by default) and it will be deployed to the target host after being interpreted by the template engine.
- For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.
- New variables have been added to allow a deployer to customize a magnum systemd unit file to their liking.
- The task dropping the magnum systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- For the os_magnum role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the magnum_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_neutron role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_nova role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables which use the config_template task to change template defaults.
- New variables have been added to allow a deployer to customize an octavia systemd unit file to their liking.
- The task dropping the octavia systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- For the os_octavia role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the octavia_*_init_overrides variables which use the config_template task to change template defaults.
- Deployers may provide a list of custom haproxy template files to copy from the deployment host through the octavia_user_haproxy_templates variable and configure Octavia to make use of a custom haproxy template file with the octavia_haproxy_amphora_template variable.
- For the os_sahara role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the sahara_*_init_config_overrides variables which use the config_template task to change template defaults.
The ability to disable the certificate validation when checking and interacting with the internal cinder endpoint has been implemented. In order to do so, set the following in /etc/openstack_deploy/user_variables.yml.
    cinder_service_internaluri_insecure: yes
- For the os_swift role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the swift_*_init_config_overrides variables which use the config_template task to change template defaults.
- New variables have been added to allow a deployer to customize a trove systemd unit file to their liking.
- The task dropping the trove systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- For the os_trove role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the trove_*_init_config_overrides variables which use the config_template task to change template defaults.
Upgrade Notes
- For the os_aodh role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the aodh_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_barbican role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the barbican_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_ceilometer role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ceilometer_*_init_config_overrides variables which use the config_template task to change template defaults.
- The following variables have been removed from the os_ceilometer role as their respective upstream files are no longer present.
  - ceilometer_event_definitions_yaml_overrides
  - ceilometer_event_pipeline_yaml_overrides
- For the os_designate role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the designate_*_init_config_overrides variables which use the config_template task to change template defaults.
- The endpoint which designate uses to communicate with neutron has been set to the internalURL by default. This change has been done within the template designate.conf.j2 and can be changed using the designate_designate_conf_overrides variable.
- For the os_glance role, the systemd unit RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. This value can be adjusted by using the glance_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_gnocchi role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the gnocchi_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_heat role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the heat_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_ironic role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the ironic_*_init_config_overrides variables which use the config_template task to change template defaults.
- If you had your own keepalived configuration file, please rename and move it to the openstack-ansible user space, for example by moving it to `/etc/openstack_deploy/keepalived/keepalived.yml`. Our haproxy playbook does not load external variable files anymore. The keepalived variable override system has been standardised to the same method used elsewhere.
- The keystone endpoints now have versionless URLs. Any existing endpoints will be updated.
- For the os_keystone role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables which use the config_template task to change template defaults.
- The var lxc_container_ssh_delay along with SSH specific ping checks have been removed in favor of using Ansible’s wait_for_connection module, which will not rely on SSH to the container to verify connectivity. A new variable called lxc_container_wait_params has been added to allow configuration of the parameters passed to the wait_for_connection module.
- The magnum client interaction will now make use of the public endpoints by default. Previously this was set to use internal endpoints.
- The keystone endpoints for instances spawned by magnum will now be provided with the public endpoints by default. Previously this was set to use internal endpoints.
- For the os_magnum role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the magnum_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_neutron role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the neutron_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_nova role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the nova_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_octavia role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the octavia_*_init_overrides variables which use the config_template task to change template defaults.
- For the os_sahara role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the sahara_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_swift role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the swift_*_init_config_overrides variables which use the config_template task to change template defaults.
- For the os_trove role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the trove_*_init_config_overrides variables which use the config_template task to change template defaults.
Deprecation Notes
- The var lxc_container_ssh_delay along with SSH specific ping checks have been removed in favor of using Ansible’s wait_for_connection module, which will not rely on SSH to the container.
The upstream noVNC developers recommend that the keymap be automatically detected for virtual machine consoles. Three Ansible variables have been removed:
- nova_console_keymap
- nova_novncproxy_vnc_keymap
- nova_spice_console_keymap
Deployers can still set a specific keymap using a nova configuration override if necessary.
- The plumgrid network provider has been removed. This is being dropped without a full deprecation cycle because the company, plumgrid, no longer exists.
- Remove cinder_glance_api_version option due to deprecation of glance_api_version option in Cinder.
Security Issues
- The magnum client interaction will now make use of the public endpoints by default. Previously this was set to use internal endpoints.
- The keystone endpoints for instances spawned by magnum will now be provided with the public endpoints by default. Previously this was set to use internal endpoints.
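As an added example (not part of these release notes or of the OpenStack-Ansible project), the following Python check scans the top-level keys of a user_variables.yml for the variables the 16.0.0.0b2 notes deprecate or remove, and for the two settings that weaken security: cinder_service_internaluri_insecure and a cinder_auth_strategy of noauth. The sample file, the function names and the line-based parser (used instead of a YAML library so it runs with the standard library only) are assumptions made for illustration.

```python
import re

# Deprecated variables from these notes, mapped to the replacement they name.
DEPRECATED = {
    "keepalived_uca_enable": "keepalived_ubuntu_src",
    "keepalived_use_latest_stable": "keepalived_package_state",
}
# Variables these notes list as removed.
REMOVED = {
    "lxc_container_ssh_delay",
    "nova_console_keymap",
    "nova_novncproxy_vnc_keymap",
    "nova_spice_console_keymap",
    "cinder_glance_api_version",
    "ceilometer_event_definitions_yaml_overrides",
    "ceilometer_event_pipeline_yaml_overrides",
}
# Values the notes give as valid for the replacement variables.
ALLOWED = {
    "keepalived_ubuntu_src": {"uca", "ppa", "native"},
    "keepalived_package_state": {"latest", "present"},
}
# Strings that Ansible's boolean conversion treats as true.
ANSIBLE_TRUE = {"y", "yes", "on", "1", "true", "t"}

# Only unindented "key: value" lines; nested keys and comments do not match.
TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")


def scalar(raw):
    """Strip an inline comment and surrounding quotes from a simple scalar."""
    raw = raw.strip()
    if raw.startswith("#"):
        return ""
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return re.split(r"\s+#", raw, maxsplit=1)[0].strip()


def audit(text):
    """Return (line_no, severity, message) for each flagged top-level key."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = TOP_LEVEL.match(line)
        if not m:
            continue
        key, value = m.group(1), scalar(m.group(2))
        if key in REMOVED:
            findings.append((no, "removed", f"{key} was removed"))
        elif key in DEPRECATED:
            findings.append((no, "deprecated", f"{key}: use {DEPRECATED[key]}"))
        elif key in ALLOWED and value not in ALLOWED[key]:
            findings.append(
                (no, "invalid", f"{key}={value!r}, expected {sorted(ALLOWED[key])}"))
        elif (key == "cinder_service_internaluri_insecure"
              and value.lower() in ANSIBLE_TRUE):
            findings.append(
                (no, "security",
                 "certificate validation disabled for the internal cinder endpoint"))
        elif key == "cinder_auth_strategy" and value.lower() == "noauth":
            findings.append((no, "security", "cinder is configured without authentication"))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
---
# constructed user_variables.yml for illustration
keepalived_uca_enable: true
keepalived_ubuntu_src: "cloud"   # not one of uca/ppa/native
keepalived_package_state: latest
nova_console_keymap: en-us
cinder_service_internaluri_insecure: yes  # lab only
cinder_auth_strategy: keystone
"""

if __name__ == "__main__":
    for no, severity, message in audit(SAMPLE):
        print(f"line {no}: [{severity}] {message}")
```
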
16.0.0.0b1
The first release of the Red Hat Enterprise Linux 7 STIG was entirely renumbered from the pre-release versions. Many of the STIG configurations simply changed numbers, but some were removed or changed. A few new configurations were added as well.
New Features
- CentOS7/RHEL support has been added to the ceph_client role.
- Only Ceph repos are supported for now.
- There is now experimental support to deploy OpenStack-Ansible on CentOS 7 for both development and test environments.
- Experimental support has been added to allow the deployment of the OpenStack Octavia Load Balancing service when hosts are present in the host group octavia-infra_hosts.
- New variables have been added to allow a deployer to customize an aodh systemd unit file to their liking.
- The task dropping the aodh systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- New variables have been added to allow a deployer to customize a barbican systemd unit file to their liking.
- The task dropping the barbican systemd unit files now uses the config_template action plugin allowing deployers access to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- The number of worker threads for neutron will now be capped at 16 unless a specific value is specified. Previously, the calculated number of workers could get too high on systems with a large number of processors. This was particularly evident on POWER systems.
- Capping the default value for the variable aodh_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is twice the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variable cinder_osapi_volume_workers to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variables glance_api_workers and glance_registry_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variable gnocchi_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is twice the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variables heat_api_workers and heat_engine_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variables horizon_wsgi_processes and horizon_wsgi_threads to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variable ironic_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is one fourth the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variable keystone_wsgi_processes to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variables neutron_api_workers, neutron_num_sync_threads and neutron_metadata_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variables nova_wsgi_processes, nova_osapi_compute_workers, nova_metadata_workers and nova_conductor_workers to 16 when the user doesn’t configure these variables. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variable repo_nginx_workers to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variable sahara_api_workers to 16 when the user doesn’t configure this variable. Default value is half the number of vCPUs available on the machine with a capping value of 16.
- Capping the default value for the variable swift_proxy_server_workers to 16 when the user doesn’t configure this variable and if the swift proxy is in a container. Default value is half the number of vCPUs available on the machine if the swift proxy is not in a container. Default value is half the number of vCPUs available on the machine with a capping value of 16 if the proxy is in a container.
- New variables have been added to allow a deployer to customize a ceilometer systemd unit file to their liking.
- The task dropping the ceilometer systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- Several configuration files that were not templated for the os_ceilometer role are now retrieved from git. The git repository used can be changed using the ceilometer_git_config_lookup_location variable. By default this points to git.openstack.org. These files can still be changed using the ceilometer_x_overrides variables.
- New variables have been added to allow a deployer to customize a cinder systemd unit file to their liking.
- The task dropping the cinder systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- Add support for the cinder v3 api. This is enabled by default, but can be disabled by setting the cinder_enable_v3_api variable to false.
- For the os_cinder role, the systemd unit TimeoutSec value which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value which controls the time between the service stop and start when restarting has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the cinder_*_init_config_overrides variables which use the config_template task to change template defaults.
- Tags have been added to all of the common tags with the prefix “common-”. This has been done to allow a deployer to rapidly run any of the common on a need basis without having to rerun an entire playbook.
- The COPR repository for installing LXC on CentOS 7 is now set to a higher priority than the default to ensure that LXC packages always come from the COPR repository.
- Deployers can provide a customized login banner via a new Ansible variable: security_login_banner_text. This banner text is used for non-graphical logins, which includes console and ssh logins.
- The Designate pools.yaml file can now be generated via the designate_pools_yaml attribute, if desired. This allows users to populate the Designate DNS server configuration using attributes from other plays and obviates the need to manage the file outside of the Designate role.
- The galera_client role will default to using the galera_repo_url URL if the value for it is set. This simplifies using an alternative mirror for the MariaDB server and client as only one variable needs to be set to cover them both.
- New variables have been added to allow a deployer to customize a glance systemd unit file to their liking.
- The task dropping the glance systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- The os_gnocchi role now includes a facility where you can place your own default api-paste.ini or policy.json file in /etc/openstack_deploy/gnocchi (by default) and it will be deployed to the target host after being interpreted by the template engine.
- New variables have been added to allow a deployer to customize a gnocchi systemd unit file to their liking.
- The task dropping the gnocchi systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- Several configuration files that were not templated for the os_gnocchi role are now retrieved from git. The git repository used can be changed using the gnocchi_git_config_lookup_location variable. By default this points to git.openstack.org. These files can still be changed using the gnocchi_x_overrides variables.
- New variables have been added to allow a deployer to customize a heat systemd unit file to their liking.
- The task dropping the heat systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- Allows SSL connection to Galera with SSL support. The galera_use_ssl option has to be set to true; in this case a self-signed CA cert or a user-provided CA cert will be delivered to the container/host.
- Implements SSL connection ability to MySQL. The galera_use_ssl option has to be set to true (default); in this case the playbooks create a self-signed SSL bundle and set up the MySQL configs to use it, or distribute a user-provided bundle throughout the Galera nodes.
- The haproxy-server role now allows tunable parameters to be set. To do so, define a dictionary of options in the config files, listing those which have to be changed (defaults for the remaining ones are programmed in the template). The “maxconn” global option has also been made tunable.
- New variables have been added to allow a deployer to customize an ironic systemd unit file to their liking.
- The task dropping the ironic systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- New variables have been added to allow a deployer to customize a keystone systemd unit file to their liking.
- The task dropping the keystone systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- The default behaviour of ensure_endpoint in the keystone module has changed to update an existing endpoint, if one exists that matches the service name, type, region and interface. This ensures that no duplicate service entries can exist per region.
- Removed dependency for cinder_backends_rbd_inuse in nova.conf when setting rbd_user and rbd_secret_uuid variables. Cinder delivers all necessary values via RPC when attaching the volume, so those variables are only necessary for ephemeral disks stored in Ceph. These variables are required to be set up on cinder-volume side under backend section.
- LXC on CentOS is now installed via package from a COPR repository rather than installed from the upstream source.
- In the lxc_container_create role, the keys preup, postup, predown, and postdown are now supported in the container_networks dict for Ubuntu systems. This allows operators to configure custom scripts to be run by Ubuntu’s ifupdown system when network interface states are changed.
- The variable lxc_net_manage_iptables has been added. This variable can be overridden by deployers if system wide iptables rules are already in place or managed by deployer's choice.
- The repo server file system structure has been updated to allow for multiple Operating systems running multiple architectures to be run at the same time and served from a single server without impacting pools, venvs, wheel archives, and manifests. The new structure follows the following pattern $RELEASE/$OS_TYPE-$ARCH and has been applied to os-releases, venvs, and pools.
- The dragonflow plugin for neutron is now available. You can set the neutron_plugin_type to ml2.dragonflow to utilize this code path. The dragonflow code path is currently experimental.
- New variables have been added to allow a deployer to customize a neutron systemd unit file to their liking.
- The task dropping the neutron systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- New variables have been added to allow a deployer to customize a nova systemd unit file to their liking.
- The task dropping the nova systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- The nova-placement service is now configured by default. nova_placement_service_enabled can be set to False to disable the nova-placement service.
- The nova-placement api service will run as its own ansible group nova_api_placement.
- Nova cell_v2 support has been added. The default cell is cell1 which can be overridden by the nova_cell1_name variable. Support for multiple cells is not yet available.
- Nova may now use an encrypted database connection. This is enabled by setting nova_galera_use_ssl to True.
- OpenStack services have been set to communicate with RabbitMQ using SSL by default. This feature may be disabled by setting rabbit_use_ssl to false in /etc/openstack_deploy/user_variables.yml. The default behaviour will be to use a self-signed certificate for communications. This can be changed by the procedure referred to in the SSL documentation.
- Gnocchi is now used as the default publisher.
- In the Ocata release, Trove added support for encrypting the rpc communication between the guest DBaaS instances and the control plane. The default values for trove_taskmanager_rpc_encr_key and trove_inst_rpc_key_encr_key should be overridden to specify installation specific values.
- Added storage policy so that deployers can override how to store the logs. per_host stores logs in a sub-directory per host. per_program stores logs in a single file per application, which facilitates troubleshooting.
- New variables have been added to allow a deployer to customize a sahara systemd unit file to their liking.
- The task dropping the sahara systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- The role now supports SUSE based distributions. Required packages can now be installed using the zypper package manager.
- New variables have been added to allow a deployer to customize a swift systemd unit file to their liking.
- The task dropping the swift systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
- While the default python interpreter for swift is cpython, pypy is now an option. This change adds the ability to greatly improve swift performance without core code modifications. These changes have been implemented using the documentation provided by Intel and Swiftstack. Notes about the performance increase can be seen here.
- Swift container-sync has been updated to use internal-client. This means a new configuration file internal-client.conf has been added. Configuration can be overridden using the variable swift_internal_client_conf_overrides.
- Added new variable tempest_volume_backend_names and updated templates/tempest.conf.j2 to point backend_names at this variable.
- The deployer can now define an environment variable GROUP_VARS_PATH with the folders of its choice (separated by the colon sign) to define a user space group_vars folder. These vars will apply but be (currently) overridden by the OpenStack-Ansible default group vars, by the set facts, and by the user_* variables. If the deployer defines multiple paths, the variables found are merged, and precedence is increasing from left to right (the last defined in GROUP_VARS_PATH wins).
- The deployer can now define an environment variable HOST_VARS_PATH with the folders of its choice (separated by the colon sign) to define a user space host_vars folder. These vars will apply but be (currently) overridden by the OpenStack-Ansible default host vars, by the set facts, and by the user_* variables. If the deployer defines multiple paths, the variables found are merged, and precedence is increasing from left to right (the last defined in HOST_VARS_PATH wins).
Known Issues
- There is currently an Ansible bug in regards to HOSTNAME. If the host .bashrc holds a var named HOSTNAME, the container where the lxc_container module attaches will inherit this var and potentially set the wrong $HOSTNAME. See the Ansible fix which will be released in Ansible version 2.3.
Upgrade Notes
- The variables cinder_sigkill_timeout and cinder_restart_wait have been removed. The previous default values have now been set in the template directly and can be adjusted by using the cinder_*_init_overrides variables which use the config_template task to change template defaults.
- The Designate pools.yaml file can now be generated via the designate_pools_yaml attribute, if desired. This ability is toggled by the designate_use_pools_yaml_attr attribute. In the future this behavior may become default and designate_pools_yaml may become a required variable.
- The haproxy_bufsize variable has been removed and made a part of the haproxy_tuning_params dictionary.
- When upgrading nova the cinder catalog_info will change to use the cinderv3 endpoint. Ensure that you have upgraded cinder so that the cinderv3 endpoint exists in the keystone catalog.
- The variable neutron_dhcp_domain has been renamed to neutron_dns_domain.
- OpenStack services have been set to communicate with RabbitMQ using SSL by default. This feature may be disabled by setting rabbit_use_ssl to false in /etc/openstack_deploy/user_variables.yml. The default behaviour will be to use a self-signed certificate for communications. This can be changed by the procedure referred to in the SSL documentation.
- The ceilometer-api service/container can be removed as part of O->P upgrades. A ceilometer-central container will be created to contain the central ceilometer agents.
- The EPEL repository is now removed in favor of the RDO repository. This is a breaking change for existing CentOS deployments. The yum package manager will have errors when it finds that certain packages that it installed from EPEL are no longer available. Deployers may need to rebuild container or reinstall packages to complete this change.
- A new option swift_pypy_enabled has been added to enable or disable the pypy interpreter for swift. The default is “false”.
- A new option swift_pypy_archive has been added to allow a pre-built pypy archive to be downloaded and moved into place to support swift running under pypy. This option is a dictionary and contains the URL and SHA256 as keys.
- The openstack_tempest_gate.sh script has been removed as it requires the use of the run_tempest.sh script which has been deprecated in Tempest. In order to facilitate the switch, the default for the variable tempest_run has been set to yes, forcing the role to execute tempest by default. This default can be changed by overriding the value to no. The test whitelist may be set through the list variable tempest_test_whitelist.
- Gnocchi service endpoint variables were not named correctly. Renamed variables to be consistent with other roles.
Deprecation Notes
- The cinder_keystone_auth_plugin variable has been deprecated. cinder_keystone_auth_type should be used instead to configure authentication type.
- The neutron_keystone_auth_plugin variable has been deprecated. neutron_keystone_auth_type should be used instead to configure authentication type.
- The swift_keystone_auth_plugin variable has been deprecated. swift_keystone_auth_type should be used instead to configure authentication type.
- The trove_keystone_auth_plugin variable has been deprecated. trove_keystone_auth_type should be used instead to configure authentication type.
- The aodh_keystone_auth_plugin variable has been deprecated. aodh_keystone_auth_type should be used instead to configure authentication type.
- The ceilometer_keystone_auth_plugin variable has been deprecated. ceilometer_keystone_auth_type should be used instead to configure authentication type.
- The gnocchi_keystone_auth_plugin variable has been deprecated. gnocchi_keystone_auth_type should be used instead to configure authentication type.
- The octavia_keystone_auth_plugin variable has been deprecated. octavia_keystone_auth_type should be used instead to configure authentication type.
- The variables galera_client_apt_repo_url and galera_client_yum_repo_url are deprecated in favour of the common variable galera_client_repo_url.
- The update state for the ensure_endpoint method of the keystone module is now deprecated, and will be removed in the Queens cycle. Setting state to present will achieve the same result.
- Several nova.conf options that were deprecated have been removed from the os_nova role. The following OpenStack-Ansible variables are no longer used and should be removed from any variable override files:
  - nova_dhcp_domain
  - nova_quota_fixed_ips
  - nova_quota_floating_ips
  - nova_quota_security_group_rules
  - nova_quota_security_groups
- The ceilometer API service is now deprecated. OpenStack-Ansible no longer deploys this service. To make queries against metrics, alarms, and/or events, please use the gnocchi, aodh, and panko APIs, respectively.
- Per https://review.openstack.org/#/c/413920/20, the ceilometer-collector service is now deprecated and its respective container is no longer deployed by default. Gnocchi is now used as the default publisher.
- Removed tempest_volume_backend1_name and tempest_volume_backend1_name since backend1_name and backend2_name were removed from tempest in commit 27905cc (merged 26/04/2016).
Critical Issues
- A bug that caused the Keystone credential keys to be lost when the playbook is run during a rebuild of the first Keystone container has been fixed. Please see launchpad bug 1667960 for more details.
Security Issues
- The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.
- Nova may now use an encrypted database connection. This is enabled by setting nova_galera_use_ssl to True.
- OpenStack services have been set to communicate with RabbitMQ using SSL by default. This feature may be disabled by setting rabbit_use_ssl to false in /etc/openstack_deploy/user_variables.yml. The default behaviour will be to use a self-signed certificate for communications. This can be changed by the procedure referred to in the SSL documentation.
- The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.
- The latest version of the RHEL 7 STIG requires that a standard login banner is presented to users when they log into the system (V-71863). The security role now deploys a login banner that is used for console and ssh sessions.
- The cn_map permissions and ownership adjustments included as part of RHEL-07-040070 and RHEL-07-040080 have been removed. This STIG configuration was removed in the most recent release of the RHEL 7 STIG.
- The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks and documentation for these outdated configurations are removed.
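An added example, not part of the release notes or of OpenStack-Ansible: a small Python check that scans a deployer's top-level overrides for variables these notes mark as renamed, deprecated or removed, for the SSL toggles explicitly switched off, and for the Trove RPC keys left unset. The parser only handles flat `key: value` lines (an assumption made to keep it dependency-free), and the sample file content is constructed.

```python
import re

# Variable names and guidance are taken from the release notes above.
AUTH_SERVICES = ("cinder", "neutron", "swift", "trove",
                 "aodh", "ceilometer", "gnocchi", "octavia")
REPLACED = {
    "neutron_dhcp_domain": "neutron_dns_domain",
    "galera_client_apt_repo_url": "galera_client_repo_url",
    "galera_client_yum_repo_url": "galera_client_repo_url",
}
REPLACED.update({f"{s}_keystone_auth_plugin": f"{s}_keystone_auth_type"
                 for s in AUTH_SERVICES})
REMOVED = {
    "cinder_sigkill_timeout": "use the cinder_*_init_overrides variables",
    "cinder_restart_wait": "use the cinder_*_init_overrides variables",
    "haproxy_bufsize": "now part of the haproxy_tuning_params dictionary",
    "nova_dhcp_domain": "no longer used by the os_nova role",
    "nova_quota_fixed_ips": "no longer used by the os_nova role",
    "nova_quota_floating_ips": "no longer used by the os_nova role",
    "nova_quota_security_group_rules": "no longer used by the os_nova role",
    "nova_quota_security_groups": "no longer used by the os_nova role",
}
SSL_TOGGLES = ("rabbit_use_ssl", "galera_use_ssl", "nova_galera_use_ssl")
TROVE_KEYS = ("trove_taskmanager_rpc_encr_key", "trove_inst_rpc_key_encr_key")
FALSY = {"false", "no", "off", "0"}  # spellings Ansible treats as boolean false

LINE = re.compile(r"^([A-Za-z_]\w*):\s*(.*?)(?:\s+#.*)?\s*$")


def parse_flat_overrides(text):
    """Return top-level 'key: value' pairs; nested YAML is ignored (simplification)."""
    overrides = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            overrides[match.group(1)] = match.group(2).strip("'\"")
    return overrides


def audit_overrides(overrides):
    """Return (kind, variable, advice) tuples for settings worth a second look."""
    findings = []
    for name in sorted(overrides):
        if name in REPLACED:
            findings.append(("replaced", name, f"use {REPLACED[name]}"))
        elif name in REMOVED:
            findings.append(("removed", name, REMOVED[name]))
    for name in SSL_TOGGLES:
        if str(overrides.get(name, "")).lower() in FALSY:
            findings.append(("plaintext", name, "SSL explicitly disabled"))
    for name in TROVE_KEYS:
        if not overrides.get(name):
            findings.append(("default-key", name,
                             "set an installation-specific value if Trove is deployed"))
    return findings


# Constructed sample standing in for /etc/openstack_deploy/user_variables.yml.
SAMPLE_USER_VARIABLES = """\
---
rabbit_use_ssl: false   # constructed sample value
nova_galera_use_ssl: True
neutron_dhcp_domain: example.internal
cinder_keystone_auth_plugin: password
haproxy_bufsize: 384000
trove_taskmanager_rpc_encr_key: "constructed-placeholder-key"
"""

if __name__ == "__main__":
    for kind, name, advice in audit_overrides(parse_flat_overrides(SAMPLE_USER_VARIABLES)):
        print(f"{kind:12} {name}: {advice}")
```
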
Bug Fixes
- Metal hosts were being inserted into the lxc_hosts group, even if they had no containers (Bug 1660996). This is now corrected for newly configured hosts. In addition, any hosts that did not belong in lxc_hosts will be removed on the next inventory run or playbook call.
- The openstack service uri protocol variables were not being used to set the Trove specific uris. This resulted in ‘http’ always being used for the public, admin and internal uris even when ‘https’ was intended.
Other Notes
- From now on, external repo management (in use for RDO/UCA for example) will be done inside the pip-install role, not in the repo_build role.
15.0.0.0rc1
New Features
- Deployers can set openstack_host_nf_conntrack_max to control the maximum size of the netfilter connection tracking table. The default of 262144 should be increased if virtual machines will be handling large amounts of concurrent connections.
- Added support for ironic-OneView drivers. Check the documentation on how to enable them.
- Neutron SR-IOV can now be optionally deployed and configured. For details about what the service is and what it provides, see the SR-IOV Installation Guide.
- CentOS7/RHEL support has been added to the os_designate role.