What’s new in RPCO v17.0 Queens

Rackspace Private Cloud Powered By OpenStack (RPCO) Queens release v17.0 is based on the OpenStack-Ansible (OSA) project. For OSA release notes, see OpenStack-Ansible Queens Release Notes.

Major new releases of OpenStack such as v17.0 typically include many changes, enhancements, and new features. RPCO is a tested configuration of a subset of all available OpenStack services.

These release notes list some of the significant upstream OpenStack changes made since the Pike release and are provided for your awareness. They are not a statement of support. For more information about supported features and configurations, contact your Rackspace sales team or support specialist.

General changes and improvements

  • Adds support for the horizon octavia-ui dashboard. The dashboard is automatically enabled if any octavia hosts are defined.

  • When upgrading from Pike to Queens, note the following changes to the container or service setup:

    • All cinder container services are consolidated into a single cinder_api_container. The previously implemented cinder_scheduler_container can be removed.

    • A new heat_api container is created with all heat services running in it. The previously implemented heat_apis_container and heat_engine_container can be removed.

    • The Ironic Conductor service has been consolidated into the ironic_api_container. The previously implemented ironic_conductor_container can be removed.

    • All nova services are consolidated into the nova_api_container. Any other nova containers can be removed.

  • A new option lxc_container_allow_restarts has been added with a default value of True. This option allows control of container restarts from common-tasks or os-lxc-container-setup.yml. To disable the auto-restart functionality, set this value to False. This option is a complement to the same option already present in the lxc_container_create role and is useful to avoid uncoordinated restarts of galera or rabbitmq containers if an LXC container configuration change requires a restart.

  • New hypervisor groups have been added to allow better definition of compute workloads. While the generic compute_hosts group still works, compute hosts can now be explicitly defined by using the groups ironic-compute_hosts, kvm-compute_hosts, lxd-compute_hosts, qemu-compute_hosts, and powervm-compute_hosts as needed.

  • Neutron connectivity agents are now deployed on bare metal within the network_hosts defined in the openstack_user_config.yml.

  • After an upgrade, neutron agent services can be run on hosts within the network_hosts group by executing the appropriate playbooks. Neutron servers are then deployed on the bare metal hosts without affecting any existing agent containers.

  • After an upgrade completes and the cluster is verified as stable, cleanup of neutron_agents containers is recommended. To do this, use the following steps:

    1. Disable the neutron agents running in the neutron_agent containers.

    2. Rebalance the agent services that target the new bare metal agents.

    3. Delete the containers.

    4. Remove the containers from inventory.

Roles changes and improvements

  • ansible-hardening

    • The default setting for PermitRootLogin in the ssh configuration has changed from yes to without-password. With this value, root can authenticate over ssh only with a key.

    • The PermitRootLogin setting in /etc/ssh/sshd_config can now be changed with the security_sshd_permit_root_login option. Available options are without-password, prohibit-password, forced-commands-only, yes, or no.

    • The tasks within the ansible-hardening role are now based on Version 1, Release 3 of the Red Hat® Enterprise Linux® Security Technical Implementation Guide.

  • openstack-ansible-os_designate

    • The current API is v2.

    • Support for API v1 has been removed.

  • openstack-ansible-os_glance

    • When using glance and the Network File System (NFS), the NFS mount point is now managed by using a systemd mount unit file. This change modernizes how glance is deployed when using shared storage and also ensures the deployment of glance does not make system-impacting changes to /etc/fstab.

    • API v1 is disabled by default. It is scheduled for removal in the upstream Queens release.

    • The glance-registry service is disabled by default. It is no longer required for the v2 API and will be removed in a future release.

  • openstack-ansible-os_keystone

    • The variables keystone_memcached_servers and keystone_cache_backend_argument have been deprecated in favor of keystone_cache_servers, which is a list of servers used for caching.

  • openstack-ansible-os_neutron

    • Default quotas have been changed to match upstream defaults for the following resources:

      • Networks increased from 10 to 100

      • Subnets increased from 10 to 100

      • Ports increased from 50 to 500

  • openstack-ansible-os_nova

    • The variable nova_compute_pip_packages is no longer used and has been removed.

    • The variable nova_default_schedule_zone was previously set by default to nova. This default has been removed to allow the default to be set by the nova code instead. To maintain the default availability zone of nova, set the variable as a user_variables.yml or group_vars override.

    • The Kernel Same-page Merging (KSM) configuration has been disabled by default on the Ubuntu operating system. If random access memory (RAM) is overcommitted on your hypervisor, it is recommended that nova_compute_ksm_enabled be set to True.

    • The nova_placement database that was implemented in the Ocata release of OpenStack-Ansible was never actually used due to reverts in the upstream code. The existing database should be empty and can be deleted. As a result, the following variables also no longer have any function and have been removed:

      • nova_placement_galera_user

      • nova_placement_galera_database

      • nova_placement_db_max_overflow

      • nova_placement_db_max_pool_size

      • nova_placement_db_pool_timeout

    • The variables nova_scheduler_use_baremetal_filters and nova_metadata_host have been removed to match upstream nova changes.

    • The nova_virt_types dictionary no longer needs the nova_scheduler_use_baremetal_filters and nova_firewall_driver keys.

  • rpc-ceph

    • ceph-ansible version 3.0.34 is used in this release.

    • ceph-mgr dashboard is now enabled.
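
To confirm after an upgrade that the PermitRootLogin change described under ansible-hardening above actually took effect, the following added example (not part of RPCO or the ansible-hardening role) reads sshd_config text and reports any scope in which root can still log in with a password. The function names and the sample configuration are constructed for illustration; the check relies on sshd using the first value it reads for a keyword and on Match blocks overriding the global value.

```python
import re

# Values the release note lists for security_sshd_permit_root_login.
ALLOWED = {"without-password", "prohibit-password",
           "forced-commands-only", "yes", "no"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# managed by configuration management
Port 22
PermitRootLogin without-password
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""


def permit_root_login_values(config_text):
    """Map scope -> effective PermitRootLogin value.

    Scope is "global" or the criteria of a Match block. sshd keeps the
    first value it reads for a keyword, so later duplicates in the same
    scope are ignored.
    """
    values, scope = {}, "global"
    for raw in config_text.splitlines():
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", raw.strip())
        if not m:  # blank line or comment
            continue
        keyword, rest = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = "Match " + rest
        elif keyword == "permitrootlogin" and rest:
            values.setdefault(scope, rest.split()[0].strip('"').lower())
    return values


def audit(config_text):
    """Return findings; an empty list means no scope lets root use a password."""
    values = permit_root_login_values(config_text)
    findings = []
    if "global" not in values:
        findings.append("global: PermitRootLogin unset, sshd default applies")
    for scope, value in values.items():
        if value not in ALLOWED:
            findings.append(f"{scope}: unrecognized value {value!r}")
        elif value == "yes":
            findings.append(f"{scope}: root may log in with a password")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```

On a live host, `sshd -T` prints the configuration the daemon resolved and remains the authoritative check.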

Block Storage service (cinder)

  • Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/cinder/pike.html

  • Project release notes: https://docs.openstack.org/releasenotes/cinder/queens.html

  • When using the Rados Block Device (RBD) pool exclusively for cinder, it is now possible to set rbd_exclusive_cinder_pool to True and cinder will use database information to calculate provisioned size instead of querying all volumes in the backend. This reduces the load on the Ceph cluster and on the volume service.

  • Resolves an issue with cross availability zone migrations and retypes where the destination volume retained the source volume’s availability zone, resulting in a volume where the availability zone did not match the backend. For more detail, see bug 1747949.

DNS as a Service (designate)

OpenStack DNS as a Service is provided as a technical preview and is currently used with the Rackspace Kubernetes-as-a-Service (KaaS) offering only.

Image service (glance)

Orchestration service (heat)

  • Prior version (Ocata) project release notes: https://docs.openstack.org/releasenotes/heat/pike.html

  • Project release notes: https://docs.openstack.org/releasenotes/heat/queens.html

  • The template-validate API call now returns the environment calculated by heat. This allows a preview of the merged environment when using parameter_merge_strategy prior to creating the stack.

  • Adds new resources for octavia to provide load balancing as a service (LBaaS).

  • Heat does not work with keystone identity federation. This is a known limitation; heat uses keystone trusts for deferred authentication and trusts do not work with federated keystone. For more details, see https://etherpad.openstack.org/p/pike-ptg-cross-project-federation.

  • The AWS compatible CloudWatch API has been removed. OpenStack deployments, packagers, and deployment projects that deploy or package CloudWatch should take appropriate action to remove support.

  • The following new resources have been added:

    • OS::Octavia::LoadBalancer creates and manages load balancers, which allow traffic to be directed between servers.

    • OS::Octavia::Listener creates and manages listeners, which represent a listening endpoint for the load balancer.

    • OS::Octavia::Pool creates and manages pools, which represent a group of nodes. Pools define the subnet where nodes reside, the balancing algorithm, and the nodes themselves.

    • OS::Octavia::PoolMember creates and manages pool members that represent a single backend node.

    • OS::Octavia::HealthMonitor creates and manages health monitors, which monitor the status of the load-balanced servers.

    • OS::Octavia::L7Policy creates and manages L7 policies.

    • OS::Octavia::L7Rule creates and manages L7 rules.

Dashboard (horizon)

  • Prior version (Ocata) project release notes: https://docs.openstack.org/releasenotes/horizon/ocata.html

  • Project release notes: https://docs.openstack.org/releasenotes/horizon/pike.html

  • The Cinder API v3 is now used by default. API v3 was introduced in Mitaka and supports all features from API v2.

  • The keystone v3 API is now used by default.

  • Heat dashboard is now a separate project called heat-dashboard. In the future, all features and maintenance will be provided by the new project. The new project provides all features that were available in horizon in the prior release.

  • A new setting OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES was introduced to control whether the IP addresses of servers are retrieved from neutron in the project instance table. This setting mitigates a performance issue in large deployments. Setting this to False does not query neutron. Deployments without floating IP support can set this setting to False for better performance. For more detail, see bug 1722417.

Bare metal service (ironic)

  • Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/ironic/pike.html

  • Project release notes: https://docs.openstack.org/releasenotes/ironic/queens.html

  • Ironic is in beta in this release.

  • Adds support for routed networks when using the flat network interface. This feature requires the baremetal ML2 mechanism driver and L2 agent from the networking-baremetal plugin. See the networking configuration documentation for more details.

  • The classic drivers, as well as the enabled_drivers configuration option, are now deprecated and might be removed in the Rocky v18 release. A deprecation warning will be logged for every loaded classic driver. Check the migration guide for information about how to update your nodes.

  • The [glance]swift_account option is now optional. If it is not set, the default value is calculated based on the ID of the project used to access the object store. Previously this option was required. This change does not affect using RadosGW as an object store backend.

  • If the [glance]swift_temp_url_key option is not set, Ironic now tries to fetch the key from the project used to access swift (often called service). This change does not affect using RadosGW as an object store backend.

Identity service (keystone)

Networking service (neutron)

Compute service (nova)

  • Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/nova/pike.html

  • Project release notes: https://docs.openstack.org/releasenotes/nova/queens.html

  • The SSBD and VIRT-SSBD CPU flags have been added to the list of available choices for the [libvirt]/cpu_model_extra_flags configuration option. These flags are important for proper mitigation of the Spectre 3a and 4 CVEs. Note that the use of either of these flags requires other updates running below nova, including libvirt, qemu (specifically >=2.9.0 for virt-ssbd), Linux, and system firmware. For more information, see https://www.us-cert.gov/ncas/alerts/TA18-141A.

  • The latest compute API microversion supported for Queens is v2.60. Details on REST API microversions added since the 16.0.0 Pike release can be found in the REST API Version History page.

  • Cells v1 and nova-network continue to be deprecated and are expected to be removed in the 18.0.0 Rocky release.

  • The libvirt and xenapi compute drivers now have experimental native support for virtual graphics processing unit (GPU) devices. See the virtual GPU admin guide for more details.

  • The libvirt compute driver now supports volume multi-attach when using the 2.60 compute API microversion. See the cinder admin guide for more details about volume multi-attach support in OpenStack.

  • The following nova-manage commands have been removed:

    • quota

    • shell

    • project

    • account

    • logs

    • host

    • agent
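
For the SSBD and VIRT-SSBD note above, the following added example (not part of nova or RPCO) checks a compute host's nova.conf text for the two flags and applies the qemu minimum the note gives for virt-ssbd. It assumes Python's configparser is a close enough reader for nova.conf, that flag names can be compared in lower case, and that the qemu version is supplied as a dotted number; the sample file and function names are constructed, and the libvirt, kernel and firmware prerequisites are not checked.

```python
import configparser

# Minimum qemu for virt-ssbd, as stated in the release note above.
MIN_QEMU_FOR_VIRT_SSBD = (2, 9, 0)

# Constructed sample nova.conf fragment, not taken from a real host.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
debug = False

[libvirt]
cpu_mode = custom
cpu_model = IvyBridge
cpu_model_extra_flags = pcid, virt-ssbd
"""


def extra_flags(nova_conf_text):
    """Return the set of flags in [libvirt]/cpu_model_extra_flags."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(nova_conf_text)
    raw = parser.get("libvirt", "cpu_model_extra_flags", fallback="")
    return {flag.strip().lower() for flag in raw.split(",") if flag.strip()}


def check_ssbd(nova_conf_text, qemu_version):
    """Return findings for the SSBD flags; qemu_version is like "2.11.1"."""
    flags = extra_flags(nova_conf_text)
    qemu = tuple(int(part) for part in qemu_version.split(".")[:3])
    findings = []
    if not flags & {"ssbd", "virt-ssbd"}:
        findings.append("no ssbd or virt-ssbd flag in cpu_model_extra_flags")
    if "virt-ssbd" in flags and qemu < MIN_QEMU_FOR_VIRT_SSBD:
        findings.append("virt-ssbd is set but qemu %s is older than 2.9.0"
                        % qemu_version)
    return findings


if __name__ == "__main__":
    for version in ("2.8.1", "2.11.1"):
        print(version, check_ssbd(SAMPLE_NOVA_CONF, version) or "ok")
```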

Load Balancing as a Service (octavia)

OpenStack octavia is provided as a technical preview and is currently used with the Rackspace Kubernetes-as-a-Service (KaaS) offering only.

Object Storage (swift)