2026.1 Gazpacho Series Release Notes¶
stackhpc/18.4.0.32¶
New Features¶
Uses the StackHPC Ironic fork to include diskless boot support and architecture-specific virtual media ESP bootloader selection.
stackhpc/18.4.0.30¶
New Features¶
Bumps Ceph to Squid v19.2.4.
stackhpc/18.4.0.28¶
New Features¶
Adds Cinder support for VAST storage backends and Manila support for VAST multitenancy.
stackhpc/18.4.0.27¶
Security Issues¶
Fixes CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001 and CVE-2026-44394 with updated Keystone images.
stackhpc/18.4.0.26¶
New Features¶
Adds Rocky Linux
aarch64all-in-one CI jobs.
stackhpc/18.4.0.24¶
New Features¶
The smartmon exporter now treats historical SMART temperature and airflow threshold breaches as non-critical when calculating the smartmon_device_smart_healthy metric. This prevents disks with only a past over-temperature event from being reported as actively unhealthy.
A new smartmon_device_historical_temperature_failure metric is exported so these historical temperature or airflow threshold breaches can still be viewed and alerted on separately as a warning if required.
stackhpc/18.4.0.21¶
Bug Fixes¶
Support use of
pulp_enable_tlsin combination with the newerpulpcollection by configuringrequeststo useCAbundle where internalPKIis configured.
stackhpc/18.4.0.20¶
New Features¶
Updates to IPA image selection to continue using the CentOS Stream 9 images with Rocky 10, until Rocky 10 IPA images are stable.
IPA building now uses the Kayobe
ipa_build_distroandipa_build_releaseoverrides to build, in preparation for building pure Rocky IPA images.
stackhpc/18.4.0.18¶
Bug Fixes¶
Fix for pulp artifact promotion playbook following on from updates to pulp.squeezer collection - the
base_pathattribute cannot be used when querying a file distribution.
stackhpc/18.4.0.14¶
Bug Fixes¶
Updates Nova container images to fix LP#2140347, where persistent disk detach could incorrectly log a failure warning.
stackhpc/18.4.0.13¶
New Features¶
Adds support for the Rocky Linux security repository. This repository is disabled by default, like in Rocky Linux. It can be enabled by setting
dnf_enable_rocky_securitytotrue.
stackhpc/18.4.0.11¶
New Features¶
Container images for Epoxy can now be built on Rocky 10.
stackhpc/18.4.0.10¶
New Features¶
Added four playbooks for migrating secret store from Hashicorp Vault to OpenBao.
vault-bao-migration-seed.ymldoes Vault to OpenBao migration on seed node. This is single node migration, so API calls to seed secret-store can be disruptive for short period of time.vault-bao-migration-overcloud.ymldoes Vault to OpenBao migration on overcloud. (Default: controller nodes) This is HA migration, so no downtime is expected.vault-bao-migration-change-config.ymlautomatically update SKC to target OpenBao. It is recommended to use this playbook after all Vault deployments are migrated to OpenBao.vault-bao-migration-all.ymlruns all other three playbooks in order.As Hashicorp Vault will no longer be supported from OpenStack 2026.1, it is strongly recommended to migrate to OpenBao before upgrading.
stackhpc/18.4.0.9¶
New Features¶
The
pulp.squeezercollection has been updated to the latest version (0.3.0), with dependencies added and updated as required. Thestackhpc.pulpcollection has also been updated to it’s latest version (0.6.0). Combined, these two updates drastically improve the time taken for artifacts to be pushed to and pulled from Ark.
Upgrade Notes¶
New versions of
pulp.squeezer(0.3.0) andstackhpc.pulp(0.6.0) are available, these collections and their dependencies can be updated by running a control host bootstrap.
stackhpc/18.4.0.7¶
Bug Fixes¶
DNF repository URLs now use
$basearchinstead ofkolla_base_archso hosts and build containers resolve the repository architecture locally.
stackhpc/18.4.0.3¶
Security Issues¶
Bumps repository versions to includes fixes for CVE-2026-31431 (Copy Fail).
stackhpc/18.4.0.2¶
New Features¶
Adds support for syncing
x86_64andaarch64RPM repositories from StackHPC Ark into local Pulp usingstackhpc_pulp_rpm_architectures.
stackhpc/18.4.0.1¶
New Features¶
Added support for DOCA OFED on Rocky Linux 9
aarch64.
stackhpc/18.1.0.266¶
New Features¶
Adds a
stackhpc_enable_ceph_cow_optimisationsfeature flag to enable copy on write optimisations when using Ceph. Please see theCopy on write optimisationssection under Configuraton Guide > Cephadm and Kayobe in the documentation.The feature is currently opt-in. Note the documented permissions for the images pool for the Cinder user have been adjusted to make this easier to apply for future deployments.
stackhpc/18.1.0.265¶
New Features¶
Update squid-proxy seed image to one that provides Squid 6.10. This version Squid does not support the dns_v4_first configuration directive, so operators using walled-garden networking should ensure that DNS AAAA records returned from the DNS server correspond to routable IPv6 addresses.
stackhpc/18.1.0.264¶
New Features¶
CIS benchmark hardening has been implemented for Rocky 10 using the RHEL10-CIS role. Rules overridden have been mapped to the overrides previously used for Rocky 9.
stackhpc/18.1.0.260¶
Bug Fixes¶
Fixes an issue where Ironic would not be enabled after including
baremetalmixin in the configuration.
stackhpc/18.1.0.259¶
Upgrade Notes¶
In ML2/OVS deployments, Neutron security group rules will now be installed in nftables to align with the behaviour from the
2024.1release. If you are running a2025.1release older than this one, please run the following commands after upgrading the Neutron containers to avoid conflicts between iptables-legacy and iptables-nft rules (this operation will cause downtime):kayobe playbook run \ $KAYOBE_CONFIG_PATH/ansible/fixes/flush-iptables-legacy.yml \ $KAYOBE_CONFIG_PATH/ansible/fixes/rabbitmq-reset.ymlYou can check if Neutron has installed legacy iptables rules by running:
iptables-save-legacy | grep neutronIf you are upgrading directly to this release or a newer one, no action is required.
Bug Fixes¶
Fixed an issue where Neutron security group rules were being created as legacy iptables rules instead of nftables rules. The expected behaviour is that these rules are created using the iptables-nft compatibility package, matching the behaviour introduced in the
2024.1release.
stackhpc/18.1.0.258¶
New Features¶
Add Rocky Linux 9 and Rocky Linux 10
aarch64overcloud host image build and promotion support. The architecture consumed from Ark can be selected withstackhpc_overcloud_host_image_arch.
stackhpc/18.1.0.257¶
New Features¶
Add support for building
multipathdKolla container images.
stackhpc/18.1.0.256¶
New Features¶
Added support for building Rocky Linux 9 Ironic Python Agent (IPA) images for the
aarch64architecture in the IPA image CI workflow. The resulting images are published under a separateaarch64Ark path and can be selected in configuration withstackhpc_ipa_arch. Rocky Linux 9 now also has a separatestackhpc_rocky_9_ipa_image_version_aarch64version pin for theaarch64IPA image.
stackhpc/18.1.0.251¶
Bug Fixes¶
Updates Magnum to a newer Epoxy release version following critical bugs merged & backported. Also, updates Helm version to latest (4.1.4).
stackhpc/18.1.0.244¶
Security Issues¶
Fixes CVE-2026-33551 with updated Keystone images
stackhpc/18.1.0.243¶
Bug Fixes¶
Updates Neutron images to fix support for trunks on bond ports when using Dell OS10 switches.
stackhpc/18.1.0.242¶
Bug Fixes¶
Reduce the maximum number of PULP_CONTENT_WORKERS and PULP_API_WORKERS to 12 to prevent connection starvation on seed hosts with more than 12 cpu threads.
stackhpc/18.1.0.238¶
New Features¶
Added the
baremetalmixin environment. This is an opt-in feature. Please see the docs for more details.
stackhpc/18.1.0.234¶
New Features¶
The Octavia Amphora image was rebuilt and now uses Ubuntu 24.04 LTS instead of Ubuntu 22.04 LTS.
stackhpc/18.1.0.232¶
New Features¶
Host images for Rocky Linux 10 can now be built in the 2025.1 release
Upgrade Notes¶
Updates stackhpc-image-elements to v1.6.6
stackhpc/18.1.0.229¶
Bug Fixes¶
Ensure that seed hosts using Podman pull seed container images using their fully-qualified name, rather than their short-name.
Ensure that the
container_engine variableis respected when runningpre.yamlandpost.yamlfor seed containers.
Replace instances of
kolla_container_enginewithcontainer_engine.
stackhpc/18.1.0.223¶
New Features¶
Added Rocky Linux 10 repositories for 2025.1 release
stackhpc/18.1.0.221¶
Bug Fixes¶
Fixed an issue with the get-nvme-drives playbook where it would fail if no NVMe drives were present.
stackhpc/18.1.0.215¶
Bug Fixes¶
stackhpc/18.1.0.214¶
Bug Fixes¶
Fixes CI multiarch manifest creation by setting
pipefailin the manifest script. Failures fromdocker manifest createordocker manifest pushnow fail the job even when piped totee.
stackhpc/18.1.0.212¶
New Features¶
New logic for installing grafana plugins. When building you can pass a variable
grafana_plugins_appendthat contains a list of plugins you want to install. This will be appended to the default list of plugins. The existing method of overwriting thegrafana_plugins_installblock still works.
stackhpc/18.1.0.208¶
Bug Fixes¶
Fixes an issue where the Octavia health worker gets stuck in an infinite loop if the connection to the database is interrupted. See LP#2129562 for more details. Also pulls in other fixes from the upstream stable/2025.1 branch for Octavia. See: https://github.com/stackhpc/octavia/pull/59
stackhpc/18.1.0.207¶
Bug Fixes¶
Updates Nova container images on Rocky Linux 9 to resolve the following issue:
operation failed: guest CPU doesn't match specification: missing features: pdcm.
stackhpc/18.1.0.203¶
Bug Fixes¶
Fixes an issue with Ironic rebuilds when the client was using Nova Compute API version >= 2.93. This caused servers to enter into the error state when a rebuild was requested. See LP#2127017 for more details.
stackhpc/18.1.0.199¶
Security Issues¶
Fixes OSSA-2026-002 / CVE-2026-24708 with updated
nova-computecontainer images.
stackhpc/18.1.0.188¶
New Features¶
Adds a basic NGS driver for Dell SONiC switches.
stackhpc/18.1.0.187¶
Security Issues¶
Rebuilds all container images to address OpenSSL vulnerabilities, including CVE-2025-15467.
stackhpc/18.1.0.186¶
New Features¶
Adds an extra delay after reboot in the
maintenance/reboot.ymlplaybook to ensure hosts can be reached reliably. The default delay is 5 seconds and can be customised with thepost_reboot_delay_svariable.
stackhpc/18.1.0.184¶
Security Issues¶
Bumps Rocky Linux 9.7 packages to address CVE-2025-68285 in Ceph client session initialization in the Linux kernel.
stackhpc/18.1.0.183¶
New Features¶
Adds a definition for
NVIDIA H200 NVLto thestackhpc_gpu_data.
stackhpc/18.1.0.181¶
Bug Fixes¶
Rebuilds nova and neutron images to bring in upstream fixes to networking-mlnx agent. Please see stackhpc/networking-mlnx#9 for more details.
stackhpc/18.1.0.172¶
New Features¶
os-capacity v0.7 provides aarch64 container builds.
Bug Fixes¶
os-capacity v0.7 includes memory leak fixes.
stackhpc/18.1.0.171¶
New Features¶
Added support for Rocky Linux 9.7, including host packages and a full container image refresh.
9.7 is now the default release for Rocky Linux.
Upgrade Notes¶
The upgrade to DOCA 3.2.1 is required for Rocky Linux 9.7.
stackhpc/18.1.0.167¶
New Features¶
Adds networking-generic-switch support for bond interfaces in trunk mode on Arista switches.
stackhpc/18.1.0.163¶
Bug Fixes¶
Fix missing NTP configuration for infrastructure VMs. Operators should run
kayobe infra vm host configure --tags ntp.
stackhpc/18.1.0.158¶
Bug Fixes¶
Fixes an issue with blackbox exporter endpoint generation when prometheus server and blackbox exporter are not colocated.
stackhpc/18.1.0.156¶
Bug Fixes¶
The RHEL9 CIS Rule 1.2.2 has been disabled, to stop globally enabling gpgchecks on all yum repos. This fixes an issue where custom repos would have the check incorrectly enabled, even when explicitly configured not to.
stackhpc/18.1.0.146¶
Bug Fixes¶
The default Rocky 9 overcloud host image has been updated to include upstream package repos out of the box
stackhpc/18.1.0.141¶
New Features¶
Add playbooks and configuration to enable the easy deployment of Pulp with TLS support in combination with certificates generated via OpenBao.
stackhpc/18.1.0.135¶
New Features¶
Adds a mixin environment that includes policy overrides to enable a
baremetaluserrole, that is able to create servers on specific baremetal nodes, with specific IP addresses on a shared network.
stackhpc/18.1.0.124¶
Bug Fixes¶
CIS hardening playbook skips service accounts that do not exist on the host (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.
stackhpc/18.1.0.123¶
New Features¶
Updates the
stackhpc.cephadmAnsible collection to version1.22.0, pulling in Tentacle support and recent fixes.
stackhpc/18.1.0.111¶
New Features¶
Changed the IPA (Ironic Python Agent) image compression algorithm from the default
gziptozstd. This improves provisioning performance by reducing the size of the IPA boot ISO transferred from the Ironic conductor to the baremetal nodes.
stackhpc/18.1.0.103¶
New Features¶
Added a playbook for unsealing secret store deployed at CI runners (Hosts in github-runners or gitlab-runners inventory group). To run CI after rebooting CI runners, secret store needs to be unsealed using this playbook.
stackhpc/18.1.0.102¶
Bug Fixes¶
Fixes Rocky Linux host image builds not using repositories from Ark.
stackhpc/18.1.0.101¶
Bug Fixes¶
Updated the OVN chassis priority fix playbook to detect the northbound database leader via
ovs-appctl cluster/status, ensuring only the true leader runs the priority alignment.
stackhpc/18.1.0.99¶
Security Issues¶
Security fixes for bug 2119646: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization.
stackhpc/18.1.0.95¶
Bug Fixes¶
Rebuilt Magnum containers to include fix for clusters failing to create when referencing template by name.
See bug #2121213 for more details.
stackhpc/18.1.0.89¶
New Features¶
Add support for building
iscsidKolla container images.
stackhpc/18.1.0.88¶
New Features¶
Added a new alert
RadosGWUsageExporterNotServingMetrics, which will fire when the RadosGW Usage Exporter fails to serve RGW metrics for more than 5 minutes.
stackhpc/18.1.0.81¶
Bug Fixes¶
Fixes a regression where the checksums files for artifacts uploaded to Ark would not include the filename. This was causing Bifrost to fail when validating the checksums for overcloud host images.
stackhpc/18.1.0.79¶
Upgrade Notes¶
The playbooks under
etc/kayobe/ansiblehave been subdivided into different categories to make them easier to navigate. This change may result in merge conflicts where playbooks have been edited downstream, and broken hooks where symlinks have been used.To mitigate the impact of these changes, two scripts have been added to help fix broken links.
tools/get-new-playbook-path.shreturns the new category of a given playbook, andtools/magic-symlink-fix.shattempts to fix any broken symlinks in the kayobe configuration.
stackhpc/18.1.0.78¶
New Features¶
Adds burn-in element to Ironic Python Agent to support Ironic burn-in capability.
stackhpc/18.1.0.77¶
Bug Fixes¶
Bump kayobe-automation to include fix that runs kayobe commands from the directory specified in
KAYOBE_CONFIG_PATH.
stackhpc/18.1.0.73¶
New Features¶
Added support for building overcloud host images from Pulp package mirrors. This feature can be toggled with the flag
stackhpc_build_overcloud_image_from_pulp_package_mirrors. By default, this feature is enabled in theci-builderenvironment and disabled otherwise. StackHPC overcloud host images will now be built with packages from Ark.
stackhpc/18.1.0.71¶
New Features¶
Add definitions for
NVIDIA A30andNVIDIA H100Lto thestackhpc_gpu_datafor easy deployment of such GPUs.
stackhpc/18.1.0.64¶
New Features¶
Updated OVN to 24.03.6-22 for Rocky Linux 9 in 2025.1. For details, see the following changelogs:
stackhpc/18.1.0.61¶
New Features¶
Updated the Kayobe and Kolla-Ansible version checks to support pinning to branches or a specific commit.
stackhpc/18.1.0.60¶
Bug Fixes¶
Bumps the radosgw_usage_exporter image to v0.1.4 to fix an issue where the exporter would crash if it was unable to gather user info from the RGW.
stackhpc/18.1.0.56¶
Bug Fixes¶
Ubuntu Noble rabbitmq image rebuild with correct Erlang PPA suite for Erlang 26/27 from “jammy” to “noble”. Followed upstream [1]. [1] https://review.opendev.org/c/openstack/kolla/+/959426
stackhpc/18.1.0.55¶
Bug Fixes¶
Switch aarch64 Erlang RPMs to versioned erlang-26 and erlang-27 COPR repositories to support RabbitMQ 4.0/4.1 and align with Kolla [1]. x86_64 remains unchanged. [1] https://review.opendev.org/c/openstack/kolla/+/959323
stackhpc/18.1.0.53¶
New Features¶
Updates Cephadm Ansible collection to the latest 1.21.0 version. Refer to release notes for the list of changes: https://github.com/stackhpc/ansible-collection-cephadm/releases
stackhpc/18.1.0.52¶
Bug Fixes¶
This update addresses a packaging issue introduced with Ubuntu Noble. The default Apt repository sources now use .sources files in deb822 format, stored under /etc/apt/sources.list.d/ubuntu.sources. The change ensures that all build sources, regardless of format are correctly removed during cleanup.
stackhpc/18.1.0.47¶
Bug Fixes¶
Fixed broken panels in the project metrics Grafana dashboard by updating the Prometheus Libvirt exporter and editing the dashboard queries.
The exporter was updated from
v1.6.0tov2.2.0. A full breakdown of changes can be found here
stackhpc/18.1.0.45¶
Bug Fixes¶
The
RabbitMQTooMuchReadyprometheus alert has been removed.Since migrating to durable queues, messages are sent to all receivers, but only one will respond. This results in high numbers of messages staying in the ready state. The messages will be deleted automatically once they hit resource limits. This appears to have no noticeable impact on CPU, memory, or disk usage, so the alert is not needed.
stackhpc/18.1.0.37¶
New Features¶
Use upstream source of Magnum for Kolla container image build. The StackHPC downstream Magnum repository was for keeping Heat driver support. As Heat support was deprecated, there’s no need to build Magnum from downstream source.
stackhpc/18.1.0.32¶
New Features¶
Updated the version of magnum-capi-helm driver to 1.3.0. For the list of features and fixes see its release notes.
stackhpc/18.1.0.27¶
New Features¶
Refreshed all container image tags for both Rocky and Ubuntu. This applies recent kolla build changes, so that aarch64 images are available for Rocky 9, and RabbitMQ now uses version 4.1.
stackhpc/18.1.0.25¶
New Features¶
Support OpenStack upgrade from 2024.1 to 2025.1.
Added RabbitMQ 4.1 support. StackHPC Kayobe Config now deploys RabbitMQ 4.1 by default.
stackhpc/18.1.0.24¶
New Features¶
The container-image CI workflow now builds Rocky Linux 9 images for the
aarch64architecture (in addition toamd64) and publishes a multi-architecture manifest for each tag. This enables the same image tag to be pulled seamlessly on both x86-64 and ARM64 hosts.
stackhpc/18.1.0.22¶
New Features¶
Bumps Ceph to Squid v19.2.3.
stackhpc/18.1.0.16¶
New Features¶
Merged OpenBao playbooks and Hashicorp Vault playbooks. They starts with the prefix “secret-store”. By default, the playbooks will deploy OpenBao. To use Hashicorp Vault, set
stackhpc_ca_secret_store: vault.
stackhpc/18.1.0.12¶
New Features¶
Added support for DOCA OFED on Rocky Linux 9.6 at version
2.9.3. The package versions for Rocky 9.4 and 9.5 remain unchanged, using2.9.1.
Increase the number of retries when waiting for Pulp to become ready. This is to avoid issues with Pulp taking longer than expected to start up.
The radosgw-usage-exporter is now put behind HAProxy. To facilitate this,
stackhpc_radosgw_usage_exporter_porthad been renamed tostackhpc_radosgw_usage_exporter_backend_port(it remains 9242) andstackhpc_radosgw_usage_exporter_frontend_port(defaults to 9240) has been introduced.
Add support of the operator supplying the rated DWPD value for NVMe drives. There is a playbook
get-nvme-drives.ymlthat will populate a new section in thestackhpc-monitoring.ymlfile with drive model names for NVMes in the cloud. The operator can then fill in the rated DWPD values for each drive.
Add support for syncing
neutron-bgp-dragentimage intoPulp.
Bug Fixes¶
Fixes an issue where the external Grafana endpoint would be added to Prometheus Blackbox Exporter config, even when
enable_grafana_externalwas disabled.
Fix Kayobe version checks that were failing on multiuser Ansible control hosts.
Ensure that the correct tag is used for
OpenBaorepository inPulp.
Fixes an issue where object storage metrics were missing from Prometheus by putting the radosgw-usage-exporter behind HAProxy.
Minor issue with RabbitMQ dashboard panel showing no data with default scrape settings.
stackhpc/18.1.0.11¶
Bug Fixes¶
Removed
egrepusage from scripts. Instances have been replaced withgrep -E. This resolves the warningegrep: warning: egrep is obsolescent; using grep -E.
stackhpc/18.1.0.7¶
New Features¶
Added repo definitions for ProxySQL for AlmaLinux 9 in pulp. ProxySQL container images for Rocky Linux 9 are now built using version controlled packages from Ark.
stackhpc/18.1.0.5¶
New Features¶
The Seed Pulp container version has been bumped from
3.43.1to3.81.0.
stackhpc/18.1.0.2¶
New Features¶
Ansible dependencies have been bumped to the latest available versions. This includes:
stackhpc.cephadm-1.19.1->1.19.3ansible-lockdown.rhel9_cis-1.3.1->v1.3.4geerlingguy.pip-2.2.0->3.1.0monolithprojects.github_actions_runner-1.18.5->1.25.1geerlingguy.docker- unpinned ->stackhpc/7.0.1.1ansible-modules-hashivault-5.2.1->5.3.0
ansible-lockdown.ubuntu22_cishas been replaced withansible-lockdown.ubuntu24_cis, which is pinned to1.0.1.
stackhpc/18.0.0.4¶
New Features¶
Added support for Rocky Linux 9.6, including host packages and a full container image refresh.
Upgrade Notes¶
9.6 is now the default release for Rocky Linux.
stackhpc/18.0.0.1¶
New Features¶
Updates OpenSearch to 2.11.1.
Bumped pulp repo versions for Q2 2024 Bumped Kolla image tags for Q2 2024 Bumped prometheus server from 2.38.0 to 2.51.1 Bumped prometheus alertmanager from 0.24.0 to 0.26.0 Bumped prometheus blackbox exporter from 0.23.0 to 0.25.0 Bumped prometheus cadvisor exporter from 0.48.0 to 0.49.1 Bumped prometheus haproxy exporter from 0.13.0 to 0.15.0 Bumped prometheus memcached exporter from 0.10.0 to 0.14.3 Bumped prometheus msteams from 1.5.1 to 1.5.2 Bumped prometheus mtail from 3.0.0-rc50 to 3.0.0-rc53 Bumped prometheus mysqld exporter from 0.15.0 to 0.15.1 Bumped prometheus node exporter from 1.4.0 to 1.7.0 Bumped prometheus openstack exporter from 1.6.0 to 1.7.0 Bumped prometheus ovn exporter from 1.0.6 to 1.0.7 Bumped opensearch from 2.11.1-1 to 2.13.0-1 (Rocky Linux 9) Bumped opensearch from 2.12.0 to 2.13.0 (Ubuntu Jammy) Bumped grafana from 10.1.5-1 to 10.4.2-1 (Rocky Linux 9) Bumped grafana from 10.4.0 to 10.4.2 (Ubuntu Jammy)
Added two alerts (warning and critical) that are triggered when the ratio of (free_swap_space / total_swap_space) is below thresholds. Each threshold can be modified by altering value of
alertmanager_node_free_swap_warning_threshold_ratioandalertmanager_node_free_swap_critical_threshold_ratio.Currently this solution has limitation of having one-size fits all policy. This can cause unwanted alerts for the hosts which utilise swap heavily Therefore it is recommended to tune the thresholds or apply silence rules for the needs.
Add
blazarproject Kolla container images.Blazaris a resource reservation service for OpenStack.Blazarenables users to reserve a specific type/amount of resources for a specific time period and it leases these resources to users based on their reservations.
Adds
casocontainer images.cASOis an is an accounting reporter that supports Cloud Accounting Usage Records. For more information, see the upstream docs. Note that this container does not exist in upstream Kolla and is maintained downstream by StackHPC.
Adds code to the globals.yml file to add endpoints for the ceph_mgr_exporter. If ceph is configured correctly, managers will be under the mgrs inventory group. If this group is empty, then the variable will just be empty (the KA default). This also requires setting
kolla_enable_prometheus_ceph_mgr_exportertotrue.
A confirmation prompt has been added to
reboot.ymlto help avoid rebooting the wrong hosts by mistake. This check can be skipped by settingconfirm_reboot: true.
Adds NVMe and S.M.A.R.T utilities to the overcloud host image built by DIB.
Add optional support for relabelling network devices in Prometheus. Use network names as defined in kayobe, instead of network device names. Reuse of device names within an environment is not supported.
Adds support for deploying GitHub runners and creating GitHub workflows for use within Kayobe Automation. Two playbooks and their requirements have been added to ansible/ in addition to the relevant groups defined with some useful default variables where appropriate. Finally, documentation has been added to cover how to deploy these runners and workflows.
The playbook
hotfix-containers.ymlhas been added. This allows arbitrary files to be copied into, and/or arbitrary commands to be executed within, overcloud containers.
Support for Ubuntu 22.04 Jammy Jellyfish repositories have been added to the Yoga Release.
Adds support for Let’s Encrypt external account binding (EAB).
Set monitoring services be enabled by default in the
ci-multinodeenvironment.
Add additional Tempest tests plugins covering; Barbican, Cinder, Cloudkitty, Designate, Glance, Ironic, Keystone, Magnum, Manila, Neutron and Octavia. Add load lists for the new Tempest plugins. Use docker-rally v2.0.1.
Add support for deploying
OpenBaoacross theseedandovercloudhosts for the purpose of internal and backend TLS generation.
Add support for highly available Raft when using OpenBao on overcloud hosts.
OpenSearchcontainer images have been added.
Add playbook to install pre-commit hooks and register them with git. The hooks currently configured to be installed will check yaml syntax, fix new line at end of file and remove excess whitespace. This is currently opt-in which can be achieved by running install-pre-commit-hooks playbook.
Adds RADOS Gateway usage exporter support.
To deploy the exporter, set the variable
stackhpc_enable_radosgw_usage_exporterto true. Then run playbookdeploy-radosgw-usage-exporter.yml. A certificate path needs to be set tostackhpc_radosgw_usage_exporter_cacertif internal TLS is enabled.
Added the
rekey-hosts.ymlplaybook to automatically rotate the SSH keys on all hosts.
Add the package repository configuration required for Rocky Linux 9 support.
Add CI for Rocky 9 hosts.
Added support for Rocky Linux 9.2 repositories and made 9.2 the default version.
Added support for Rocky Linux 9.3 repositories and Kolla containers. Made 9.3 the default version for Rocky Linux.
Updated Rocky Linux 9.2 pulp repo versions. Added Rocky Linux 9.3 pulp repo versions. Rebuilt Kolla containers with Rocky Linux 9.3.
Added support for Rocky Linux 9.4 repositories and Kolla containers. Made 9.4 the default version for Rocky Linux.
Updated Rocky Linux 9.3 pulp repo versions. Added Rocky Linux pulp repo versions. Rebuilt Kolla containers with Rocky 9.4.
Add support for a basic user for Pulp operations instead of using the admin user for usage. Can be enabled by setting pulp_stack_password.
Added support for Ubuntu 24.04 Noble Numbat as a host operating system. Repositories and configuration for Ubuntu Noble have been added.
Adds support for using a VMs as compute and controller nodes in the
ci-multinodeenvironment by dynamically setting the MTU of the networks in networks.yml and removing the static definition of the network interfaces for the compute and controller groups.
Add Wazuh deployment playbook.
Adds an alert to check that there is exactly one active router on ML2/OVS based deployments.
Adds utility playbooks to build and rotate amphora images. For more details check out the Octavia section of the Operator Guide included in the documentation.
Adds support for Ubuntu Jammy and Rocky 9 to the CIS benchmark hardening playbook:
cis.yml. This playbook will need to be manually applied.
Adds a hook to automatically run the CIS benchmark hardening playbooks as part of host configure. This is guarded by the
stackhpc_enable_cis_benchmark_hardening_hookconfiguration option and is disabled by default.
Adds kolla config merging options to the
Kolla custom config generationsection ofetc/kayobe/kolla.yml.
Adds alerts for software raid failures.
Brings in new neutron container images to add batching support to Networking Generic Switch. This is opt in via the
ngs_batch_requestsconfiguration option and only affects Ironic deployments that use Networking Generic Switch. See the following PR for more details.
Adds the
networking-mlnxmechanism driver to the Neutron Server container andebrctlutility to the Nova Compute container. This allows you to use thekolla_enable_neutron_mlnxfeature flag.
Updates neutron containers to contain a version of networking-generic-switch with support for trunk ports when using DellOS 10 or Cisco switches. See this PR for more details.
Updates neutron containers to contain a version of networking-generic-switch with support for DellOS 10. See this PR for more details.
Improvements to the ci-aio automated deployment script to allow the script to successfully run on LVM-based images.
Added a script to the AIO environment that can be used to quickly deploy an AIO for testing.
Added a custom policy to Ironic that allows users with the admin role to list all baremetal nodes. This is required at sites where baremetal provisioning targets a specific node, as we need to look up the node’s uuid to pass as the hypervisor hostname.
Adds time information to tasks using the ansible.posix.profile_tasks callback.
Adds some basic tuning of Ansible, including use of 20 forks, enabling SSH pipelining, YAML-formatted output, and disabling fact variable injection.
A default firewall configuration is now included on an opt-in basis. The rules are defined under
etc/kayobe/inventory/group_vars/all/firewall. More information can be found here
Added Blackbox monitoring for backend endpoints by default. Note that this configuration will only work if the Blackbox exporters have access to the backend endpoints.
Prometheus Alertmanager has been updated to
0.28.1. This release includes support for Microsoft Teams notifications.
Updates the StackHPC Cephadm Ansible collection from 1.18.0 to 1.19.1.
Bump Ceph to v19.2.1.
Bumped Horizon kolla image Bumped Grafana from 10.1.5-1 to 10.4.2-1 (CentOS & Rocky Linux) Bumped Grafana from 10.4.1 to 10.4.2 (Ubuntu) Bumped Prometheus-msteams from 1.5.0 to 1.5.2
Updates Magnum CAPI Helm driver version to v0.11.0
Updates Magnum CAPI Helm driver version to v0.12.0
Updates Magnum CAPI Helm driver version to v0.13.0
Updated OpenvSwitch to 3.3.4-115 and OVN to 24.03.5-88 for Rocky Linux 9 in Caracal. For details, see the following changelogs:
Kolla Toolbox, Manila, Neutron, Nova, and Octavia containers received updates on both Rocky Linux 9 and Ubuntu. Only the Rocky Linux 9 images include the new OVS versions.
Upgrades the redfish exporter container image to the v2.x series.
Adds support for lenovo hardware to the redfish exporter dashboard.
Adds the
stackhpcredfish_exporter_scrape_interval,stackhpc_os_capacity_scrape_interval, andstackhpc_prometheus_openstack_exporter_intervalconfiguration variables.
magnum container now has capi driver
Bumped the base image for Ubuntu 22.04 containers.
Additionally bumped Nova, Neutron and Octavia images for both Rocky and Ubuntu.
Add
kolla_ceph_conf_appendconfiguration option to specify a string to be appended to all ceph.conf files gathered from a ceph cluster usingkayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm-gather-keys.yml.
Adds support for using Ceph HAProxy and Keepalived images stored in Pulp. This is enabled automatically if
stackhpc_sync_ceph_imagesis set totrue.
Adds two new custom playbooks for placing Ceph hosts into and removing them from maintenance:
ceph-enter-maintenance.ymlceph-exit-maintenance.yml
Added support for the Squid release of Ceph.
The Cephadm pre and post commands now support default commands with the variables
cephadm_commands_pre_defaultandcephadm_commands_post_default. As such, any extra commands should be added to the variablescephadm_commands_pre_extraandcephadm_commands_post_extra.
Adds a new
diagnostics.ymlplaybook that collects diagnostic information from hosts. The diagnostics are aggregated to a directory ($PWD/diagnostics/by default) on localhost. The diagnostics include:Docker container logs
Kolla configuration files
Log files
The collected diagnostic information contains sensitive information such as passwords in configuration files.
The Heat OpenStack service is now disabled by default.
The Ironic Prometheus Exporter is now disabled by default as redfish exporter is preferred. If you need to use the Ironic Prometheus Exporter, you can enable it by setting the kolla_enable_ironic_prometheus_exporter option to true.
Using DOCA LTS 2.9.1.
DOCA workflows updated to build kernel modules only, relying on Release Train synchronisation of DOCA upstream for userspace packages.
Improved documentation now including DOCA install playbook.
Local Pulp syncs for DOCA/DOCA kernel module repository.
The Docker CE package for Ubuntu has been bumped from
5:24.0.6-1to5:25.0.0-1This is a side effect of separating out the repos for Docker CE for Ubuntu Jammy/Focal.
Adds a panel in the Hardware Overview dashboard to show DWPD (Drive writes per day) for NVMEs. This is calculated by dividing the total bytes written in the past 24 hours by the drive capacity. This is currently only supported on NVMEs.
Adds alerts that will fire after 1 DWPD is sustained for 7 days, and a critical alert if 1 DWPD is sustained for 30 days.
Provide ELRepo 9, which in turn provides packages to support be2net and mpt3sas hardware. Configuration of ELRepo 9 is disabled by default and may be enabled by setting dnf_install_elrepo_9: true.
Enable building of the
Neutron BGP Dragentcontainer image.
Mariabackup is now enabled by default.
The flag
om_enable_rabbitmq_high_availabilityis now set totrue. Adds tags for new RabbitMQ containers to update to RabbitMQ version 3.9.22.
Adds an
etcdKolla container image. This can be used for OpenStack service coordination as a tooz backend, or for batched processing of switch configuration in Networking Generic Switch (this requires a downstream NGS patch).
Adds drive temperatures to the table on the hardware overview dashboard and a timeseries to show the temperature over time.
Adds picker to hardware overview dashboard to select a specific host to show drive information for.
Adds a new Prometheus alert
FluentdBufferTooLargewhich is raised when the total size of queue buffers grows above 128 MiB.
Added a templated set of default Prometheus Blackbox exporter endpoints.
Openstack dashboard is now used as default Grafana dashboard.
Adds support for synchronising HashiCorp Consul and Vault images to a local Pulp registry.
The StackHPC overcloud host images have been rebuilt using new packages for the Caracal release.
Adds a new build workflow to Release Train for building IPA images, and deployment for Release Train IPA images to Bifrost and Ironic inspector.
Release Train IPA is enabled by default.
Configures the Ironic Python Agent with useful settings for inspection, such as the
extra-hardwareandmellanoxelements.
ironic-prometheus-exportercontainer image has been added and enabled by default when kolla_enable_ironic and kolla_enable_prometheus are true (following upstream defaults).
StackHPC Kayobe Configuration container images for CI/CD with Kayobe Automation are now published to GitHub Container Registry (GHCR) at ghcr.io/stackhpc/stackhpc-kayobe-config. The image is tagged with the name of the release branch, e.g.
stackhpc/yoga.
Workflow to update Kolla dependencies (Kayobe, Kolla and Kolla-Ansible) to the latest tag available in the StackHPC branch via CI.
Added playbooks to check the installed Kayobe/Kolla-Ansible versions against the expected versions in Kayobe configuration. These checks will run on Kayobe bootstrap, host and service operations.
Adds a new variable
stackhpc_pulp_sync_for_local_container_buildwhich, when set totrue, configures the local Pulp server to sync all package repositories required for building kolla containers on a local kolla build host.
Rocky images have been rebuilt and are now based on Rocky 9.3.
Allow Kolla dependency updates on non-default branches.
Enable TLS for the Seed Pulp service. Set
pulp_enable_tls: trueand provide paths to a TLS certificate and key usingpulp_cert_pathandpulp_key_pathrespectively.
The Openstack Dashboard in Grafana now includes logs from Openstack services.
Adds a standard LVM configuration that is compatible with the new overcloud host image.
magnum-capi-helmdriver has been updated to 1.1.0. Please see magnum-capi-helm release notes for changes.
Adds the new magnum-capi-helm out of tree driver (see here https://github.com/stackhpc/magnum-capi-helm) into release train magnum containers
adds helm client into magnum container
Adds support for Manila in the ci-multinode environment using the CephFS native backend. This is disabled by default, but can be enabled by setting the following variables in the kayobe configuration: kolla_enable_manila: true kolla_enable_manila_backend_cephfs_native: true
Updated the documentation for the ci-multinode to include instructions on how to set up and test Magnum.
Added support for Wazuh in the ci-multinode environment.
Adds a new Prometheus alert
HostNetworkBondDegradedwhich will be raised when at least one bond member is down.
Adds a new Prometheus alert
HostNetworkBondSingleLinkwhich will be raised when a bond is configured with only one member. This can happen when NetworkManager detects that a bond member is down at boot time. This alert can be disabled by settingalertmanager_warn_network_bond_single_linktofalse.
Neutron containers are now built from our StackHPC fork.
Updates Prometheus Node exporter to version 1.5.0.
Adds NTP alerts to prometheus alertmanager.
Nvmemon now reports physical size of the disk.
Adds alerts for Octavia load balancers and amphorae. Alerts are triggered when load balancers enter the ERROR or DEGRADED states, or when amphorae enter the ERROR state.
Adds a new Grafana dashboard for Octavia. This dashboard is used to monitor the load balancers as well as the amphorae.
Implement an OFED workflow that builds kernel modules to support OFED drivers in release train kernels and upload OFED kernel/userspace drivers to Ark.
This patch adds OpenStack Capacity metrics and exporters to StackHPC Kayobe Config. This includes a deployment playbook, Prometheus scrape jobs and HAProxy configurations to support this change.
Adds support for providing a CA certificate for OpenStack Capacity exporter.
Automatic deployment for OpenStack Capacity via a Kayobe service deploy hook using kolla admin credentials.
Per OSD usage metrics are now available in the OSDs dashboard. The dashboard now includes a new section that displays a histogram of of the utilization of each OSD in the cluster. This can be useful for identifying OSDs that are outliers in terms of utilization, and may need to be rebalanced. Additionally, there is a histogram displaying the usage of the bluestoreDB for each OSD.
Adds a standard overcloud Diskimage Builder (DIB) host image configuration.
Adds
ethtoolandpciutilsto the overcloud host disk image.
OVNversion in Rocky Linux 9 container images has been updated to24.03(latest LTS).
Add support for deploying OVN SB Relays, this can be enabled by setting
kolla_enable_ovn_sb_db_relayinkolla.ymltotrue. To use this featurestackhpc/16.4.0.5version ofstackhpc/kayobeandstackhpc/18.4.0.6version ofstackhpc/kolla-ansibleis required.
Open vSwitch has been pinned to the latest LTS release (3.3) in Ubuntu Noble container images.
Added templates and a playbook to simplify configuration of PCI passthrough GPUs. GPU types can be mapped to inventory groups with the
gpu_group_mapvariable, which will configure the host and Nova automatically. A list of supported GPUs can be found inetc/kayobe/stackhpc-compute.ymlunderstackhpc_gpu_data.
Removed custom Kolla configuration files that have since been updated upstream.
Removed Kolla build configuration pins to use versions from upstream. This change affects
prometheus-v2-server(2.54.1 -> 2.55.1), andprometheus-memcached-exporter(0.14.4 -> 0.15.0).prometheus-blackbox-exporterhas also been unpinned, but the version remains the same.
All Ansible dependencies are now pinned to specific versions. The
stackhpc.vxlanrole is pinned to 1.1.0, andansible-role-dockeris pinned to stackhpc/7.0.1.1.
Bumps the Prometheus container images to bring in Prometheus v3.
Prebuilt overcloud host images can now be pulled from Ark using the stackhpc_download_overcloud_host_images variable. The image is selected based on os_distribution and os_release.
Adds a custom playbook (
pulp-auth-proxy.yml) for deploying an authenticating proxy for Pulp. This can be used when building container images to avoid leaking credentials for package repositories into the built images or their metadata.
Allows to synchronise a custom list of containers to Pulp using the
stackhpc_pulp_repository_container_repos_extraandstackhpc_pulp_distribution_container_extravariables.
Added a new playbook pulp_sync_publish_promote that can be used to sync, publish and promote all repositories in a single step, as well as sync and publish container repos. If you do not want to promote repos then run with
-e repo_promote_production=false.
Raises an alert when the count of RabbitMQ ready messages increases above a threshold.
Added a script to automate RabbitMQ quorum queue migrations.
Bumps the RabbitMQ container image tag to upgrade RabbitMQ to v4.0
Adapt threshold of RabbitMQ connection alert based on the size of the deployment to avoid spurious alerts.
Added a new script,
rabbitmq-queue-migration.sh, which will migrate to the new RabbitMQ durable queues. This is intended for use prior to an upgrade to Epoxy.
Re-enable Pulp Ubuntu repositories.
Adds support for deploying a Prometheus Redfish exporter container on the seed. This can be used to query the overcloud BMCs via their redfish interfaces to produce various metrics relating to the hardware, and system health.
Package repositories and container images for CentOS Stream based deployments have been updated. Key packages to note are:
Kernel
version: 4.18.0
release: 448.el8
Libvirt
version: 8.0.0
release: 6.module_el8.7.0+1140+ff0772f9
OVS
version: 2.17.0
release: 71.el8s
OVN
version: 22.09.0
release: 11.el8s
Container images for Ubuntu based deployments have been updated. Key packages to note are:
Libvirt
version: 8.0.0
release: 1ubuntu7.4~cloud0
OVS
version: 2.17.3
release: 0ubuntu0.22.04.1~cloud0
OVN (unchanged since last container build)
version: 22.03.0
release: 0ubuntu1~cloud0
Disable the CIS hardening rule
*_rule_5_4_3_2to preventTMOUTfrom being applied which can disrupt a development environment as it closesTMUXpanes and servers and may close active ssh session.
Rocky Linux 9 image has been rebuilt with missing base packages (e.g. microcode_ctl) by installing ‘Minimal Install’ DNF group. Also cloud-init from CentOS 9 Stream has been installed with NetworkManager support.
Added support for Rocky Linux 9.5, including host packages and a full container image refresh.
Made 9.5 the default release for Rocky Linux.
Sync Rocky Linux 8.7 RPM repositories to local Pulp servers.
Enables SMART monitoring. Manual action is required, please see the monitoring documentation for the procedure.
The smartmon-tools playbook now ensures that the cron service is running as in some cases it may not be running by default.
Split cephadm_commands into cephadm_commands_pre and cephadm_commands_post commands. This allows the user to run commands that must be run before the rest of the post-deployment configuration, as well as commands that rely on resources created by the post-deployment config.
Adds a new
stackhpc-openstack-tests.ymlplaybook that executes tests in the StackHPC OpenStack Tests repository. Both the playbook and tests are currently experimental, and are currently targeting only an all-in-one CI use case.
Added a new group variable -
stackhpc_repos_enabled- for unified control over usage of StackHPC Release Train package repositories. This makes it easier to set which hosts do or do not pull packages from release train.
Added the
stop-openstack-services.ymlplaybook, which can be used to stop OpenStack services across the overcloud.
Supports adding CA certificates to the Tempest container trust store.
The default Tempest concurrency has been increased from 2 to 16. This is often easily achievable in production systems.
OVN has been pinned to the latest LTS release (24.03) in Ubuntu Noble container images.
Refreshed all Ubuntu host package versions and contianer images for December 2024.
Use the StackHPC fork for building Blazar images with customizations to support flavor-based reservation.
Updates Grafana to 9.4.7 version.
The HAProxy dashboard and alerts have been updated to use the new metrics source in Kolla Ansible. For further details see here.
Upgrades kayobe-automation submodule to
7676aa8.Upgrades kayobe-workflows collection to
v1.1.0.Kayobe-automation config-diff now runs in parallel and generates both the old and new configuration at the same time. This should improve config-diff wait times.
Add support for the pulp-sync-content run book.
Updates Magnum CAPI Helm driver version to OpenDev v1.0.0
Updated OpenvSwitch to 3.3.0-88 and OVN to 24.03.5-14 for Rocky Linux 9 in Caracal. For details, see the following changelogs:
Kolla Toolbox, Manila, Neutron, Nova, and Octavia containers received updates on both Rocky Linux 9 and Ubuntu. Only the Rocky Linux 9 images include the new OVS versions.
Updates Prometheus to version 2.55.1.
Upgrades Pulp from
3.21to3.22.
Disables Pulp analytics.
Sets Pulp worker based on available CPU cores. This may improve performance when pulling container images to many hosts simultaneously.
Upgrades Pulp from
3.22to3.23.
Upgrades Pulp from
3.23to3.24.
Restrict the content that is synced to the client by using include tags. This feature ensures that the tags as defined within
kolla-image-tags.ymlare synced.
Allow for easy customisation of the number of expected RabbitMQ nodes when evaluating the alert RabbitMQNodeDown. It is set by the alertmanager_number_of_rabbitmq_nodes which defaults to the number of controllers. This is benefical for deployments that do not use a standard three node setup.
Adds support for package repository snapshots via Pulp. A local Pulp server is deployed on the seed, which syncs package repositories and container images from the StackHPC Ark Pulp server. Control plane servers pull packages and container images from the local Pulp server.
The EPEL package repository is disabled by default. It may be enabled by setting
dnf_enable_epeltotrue.
Uses StackHPC source code repositories for kolla, kolla-ansible, and bifrost.
Supports Kolla CentOS Stream 8 source container images.
Adds custom playbooks for compute host maintenance:
nova-compute-drain.ymlnova-compute-disable.ymlnova-compute-enable.ymlreboot.yml
Upgrades the version of wazuh-ansible to v4.10.0. This brings in the SCA CIS checks for Rocky Linux 9 by default.
Wazuh can now de deployed with additional custom SCA policies. Just add the policy file(s) to the directory
{{ kayobe_env_config_path }}/wazuh/custom_sca_policies.
Adds a custom playbook to run the Anomaly Detection Visualiser (ADVise),
advise-run.yml.
Adds a custom playbook to reset the RabbitMQ cluster and restart OpenStack services that use it,
rabbitmq-reset.yml.
Adds a custom playbook to configure swap,
swap.yml.
Adds the Kayobe Automation Git repository as a submodule, and provides some basic configuration for it in an
.automation.confdirectory.
Adds support for deploying a Squid caching proxy as a custom container on the seed.
Enables Elasticsearch, Grafana, Kibana, Prometheus by default. Provides standard dashboards for Grafana and alerting rules for Prometheus.
Bumped Horizon kolla image Bumped Grafana from 10.1.5-1 to 10.4.2-1 (Rocky Linux) Bumped Grafana from 10.4.1 to 10.4.2 (Ubuntu) Bumped Prometheus-msteams from 1.5.1 to 1.5.2
Known Issues¶
Generate backend TLS files for network hosts. This fixes backend TLS configuration for deployments where some API services are running on network hosts.
Backend Blackbox monitoring will not work if the exporter does not have access to the backend OpenStack endpoints. This usually happens when separate monitoring nodes are deployed. In this case, move the Blackbox exporter to the Haproxy group, remove the endpoints from etc/kayobe/kolla/inventory/group_vars/prometheus-blackbox-exporter, or silence the alerts permanently.
The Ironic Prometheus Exporter has been (temporarily) disabled. See bug for details: https://bugs.launchpad.net/kolla-ansible/+bug/2062401
Magnum has been pinned to the Antelope release due to an issue upstream in Caracal. See here for more details.
Upgrade Notes¶
Ensure that your deployment has only one nova-compute-ironic service running per conductor group. See the operations / nova-compute-ironic doc for further details.
Kolla config merging is enabled by default in the Antelope release of Kayobe. This was quite an extensive change and whilst backwards compatbility was one of the goals, there may be some situations where refactoring of your Kolla config will be necessary. Extra care should be taken if you are using the multiple environments feature. It is recommended that you carefully check the diff in the resultant Kolla configuration by following these steps to check for missing config or duplicated config options. The
kolla_openstack_custom_config_environment_merging_enabledoption can be set toFalseto revert back to the old behaviour.
Bifrost Ironic debug logging is now disabled by default. Change
ironic_debugtotrueto revert.
The
prometheus_blackbox_exporter_endpoints_customvariable has been renamed tostackhpc_prometheus_blackbox_exporter_endpoints_customto avoid conflits with an upstream Kolla-Ansible var of the same name.
Rebuilt all kolla and package repo tags to bring in kernel fixes and apply CentOS image build customisations that were previously being ignored.
CentOS Stream 8 snapshots have been bumped and new container images are available. Make sure to sync these into your local pulp. The yum repositories must be reconfigured to exclude a buggy version of iptables. To do this use:
kayobe overcloud service reconfigure -kt none -t dnf.
CentOS Extras has been replaced with CentOS Extras Common. You may need to use the
--allowerasingoption with DNF if you have packages installed from the old repo. This is a one time only thing and on the next package update you can drop this argument.
Updates default Ceph images to v17.2.7 for Quincy.
Bumped focal package versions due to unmet depenencies
Updates Consul to 1.16.4 and Vault to 1.14.8.
Updates Consul to 1.16.3 and Vault to 1.14.6.
Brings in a change for cloudkitty-dashboard, which includes the option to attach pre/postfix to the rate value.
Updates Magnum CAPI Helm driver version to v0.11.0
Bumps octavia container versions
Bumped rocky 9 package versions due to missing snapshot
Increases default
os_capacity_scrape_intervalto5m. If you already customise this please move to the newstackhpc_os_capacity_scrape_intervalvariable.
container tags for magnum capi changes
Updates the
stackhpc.cephadmcollection to version1.18.0.
Updates Ceph Pacific container image to v16.2.11.
Automatically install Quincy if the node is running Ubuntu 22.04, else install Pacific.
Bumps the default Ceph Reef container image to
v18.2.7.
Updates the default version of Ceph to Reef. The following container tags are used for Ceph:
ceph:v18.2.4haproxy:2.6keepalived:2.2.4
Squid has become the default release of Ceph. The new default image tag is
v19.2.0.
Increase stackhpc.cephadm collection to version 1.12.2.
To match the new CIS benchmark defaults on Ubuntu, you should remove the
ipv6.disable=1kernel command line option. If you wish to carry on with the current settings, changeubtu22cis_ipv6_requiredtofalse.
The Heat service is now disabled by default. This behaviour can be overriden by setting kolla_enable_heat: true in etc/kayobe/kolla.yml. It is recommended that you migrate to the CAPI Helm driver for Magnum wherever possible.
The Ironic Prometheus Exporter has been (temporarily) disabled. See bug for details: https://bugs.launchpad.net/kolla-ansible/+bug/2062401
Enables Docker live restore by default. This may be disabled by setting
docker_daemon_live_restoretofalseindocker.yml.
Support for Rocky Linux 9.1 to 9.4 has been dropped. Hosts must be updated to RL9.5 or above before upgrading to this OpenStack release.
The flag
om_enable_rabbitmq_high_availabilityis now set totrue. As this enables durable queues, RabbitMQ will need to be reset, and the services which use it restarted. Tags are added to update the RabbitMQ containers to version 3.9.22.
Enabled ML2/OVN by default. Checks preventing accidental migration from ML2/OVS were added in Kolla Ansible. If you are using a Neutron plugin other than ML2/OVN, set
kolla_enable_ovntofalse.OVN distributed FIP is disabled, to enable it set
neutron_ovn_distributed_fiptotrueinetc/kayobe/kolla/globals.yml.
Updates the Ansible configuration to fail on any unparsed inventory source. If you are using a separate Ansible configuration for Kolla Ansible, you may wish to add this setting in
etc/kayobe/kolla/ansible.cfg.
Change default values for
DIB_GRUB_TIMEOUT_STYLEandDIB_GRUB_TIMEOUT. The default value forDIB_GRUB_TIMEOUT_STYLEwill bemenuand forDIB_GRUB_TIMEOUTwill be5. Adding ConfigDrive toDIB_CLOUD_INIT_DATASOURCESvar list to fix cloud-init issue.
The overcloud host image build workflow now uploads the built image to SMS as well as ARK, allowing it to be tested both manually and through AIO CI jobs.
Kolla Ansible and Kayobe version checks are enabled by default which may fail on existing deployments using custom forks or branches for Kayobe and Kolla-Ansible. To disable version checks in configuration set
stackhpc_enable_kayobe_checkandstackhpc_enable_kolla_ansible_checkto false.
The path used to store Wazuh certificates has changed.
local_certs_pathis now set to the environment directory e.g$KAYOBE_CONFIG_PATH/environments/<environment>/wazuhor$KAYOBE_CONFIG_PATH/wazuh/if not using environments. The contents of$KAYOBE_CONFIG_PATH/ansible/wazuh/certificatesshould be moved to the new location and the empty directory should be removed.
The
local_custom_certs_pathvariable has been removed. Custom wazuh certificates should be moved to$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/if using environments, or$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificatesif not.
Configure Nova to use more modern ‘q35’ libvirt machine type rather than ‘pc’ which is considered legacy.
To deploy the OpenStack Capacity Grafana dashboard, you must define OpenStack application credential variables:
secrets_os_capacity_credential_idandsecrets_os_capacity_credential_secretas laid out in the ‘Monitoring’ documentation.You must also enable the
stackhpc_enable_os_capacityflag for OpenStack Capacity HAProxy and Prometheus configuration to be templated.You may also change the default authentication URL from the kolla_internal_fqdn and change the default OpenStack region from RegionOne with the variables:
stackhpc_os_capacity_auth_urlandstackhpc_os_capacity_openstack_region_name.To disable certificate verification for the OpenStack Capacity exporter, you can set
stackhpc_os_capacity_openstack_verifyto false.
OpenStack Capacity no longer uses application credentials. Please delete any previously generated application credentials.
Updated OVN package version from 22.06 to 22.09.
openvswitchversion has been updated to ~2.17.5 on all distributions (CentOS/Rocky9 are two patches ahead of 2.17.5). Images include fixes for CVE-2023-1668.Ubuntu repository versions for focal and ubuntu cloud archive have been updated to 20230515.
Instance labels in prometheus now use inventory hostnames rather than IPs.
RabbitMQ and Erlang packages are now all installed from the Cloudsmith
rabbitmq.commirrors since the RabbitMQpackagecloud.iois getting shut down August 18st, 2024: https://www.rabbitmq.com/blog/2024/08/11/package-repository-updates#packagecloud-will-be-discontinued-on-aug-18th-2024
The
reboot.ymlcustom Ansible playbook now defaults to reboot only one host at a time. Existing behaviour can be retained by setting ANSIBLE_SERIAL=0.
Kolla tag overrides have been refactored to allow kolla-ansible to resolve them individually by host. This means that mixed clouds can be deployed which allows for migration between distributions.
The
swap.ymlcustom playbook has been removed in favour of Kayobe’s support for configuring swap. See the Kayobe documentation for details.
Enables SELinux in permissive mode in the overcloud host image. This matches the default configuration for SELinux in StackHPC Kayobe Configuration.
Dont pull apt packages from pulp for Ubuntu Jammy until Jammy packages are published.
Dont pull ceph packages from ceph official repos for Ubuntu Jammy until Jammy packages are published.
Updates the Ansible Lockdown roles for Ubuntu and Rocky Linux to 1.4.1 and 1.3.1 respectively. See UBUNTU22-CIS and RHEL9-CIS for release notes.
Updates the smartmon-tools.yml playbook to ensure that cron is installed before attempting to configure crontab.
Update Ubuntu Jammy Zed Kolla container tags.
Updated Ubuntu package repository versions.
Deprecation Notes¶
Hashicorp Vault for TLS generation is deprecated in favour of OpenBao. The
openbaorole is now used to deploy OpenBao on the seed and overcloud hosts. New deployments should use OpenBao for TLS generation. Existing deployments using Hashicorp Vault for TLS generation should be migrated to OpenBao once migration steps are available.
Support for Rocky Linux 9.1 to 9.4 has been dropped.
Disabled building of Kolla container images for Skyline
Kayobe-automation will now automatically detect vaulted files for the purpose of config-diff therefore,
KAYOBE_CONFIG_SECRET_PATHS_EXTRAandKAYOBE_CONFIG_VAULTED_FILES_PATHS_EXTRAare no longer used
Critical Issues¶
Fixes CVE-2024-32498 with updated container images for Cinder, Glance and Nova services.
Disables password expiration and inactivity policies. This caused the kayobe and kolla service accounts to be locked out of the system. You should re-apply the CIS benchmark hardening playbook as soon as possible to avoid being locked out of your system.
Fixes CVE-2024-40767 with updated container images for Nova services.
Security Issues¶
Fixed CVE-2023-31047, CVE-2023-23969, CVE-2023-24580, CVE-2023-36053, CVE-2023-46695, CVE-2023-30861, CVE-2022-4899. CVE-2024-1135, GHSA-2m57-hf25-phgg, CVE-2023-0286, CVE-2023-50782, CVE-2024-26130 for openstack services.
Fixed CVE-2022-41723, CVE-2023-39325 (except prometheus-alertmanager, prometheus-msteams-exporter, prometheus-haproxy-exporter, prometheus-openstack-exporter. No patch available.), CVE-2021-43565, CVE-2022-27191, CVE-2022-27664, CVE-2021-38561, CVE-2022-21698, CVE-2021-4238, CVE-2022-40083, CVE-2022-41721, CVE-2021-33194, CVE-2023-2253, CVE-2023-27561, CVE-2023-28840, CVE-2024-21626, CVE-2022-32149, CVE-2023-45142, GHSA-m425-mq94-257g for prometheus server and exporters except prometheus-libvirt-exporter and prometheus-haproxy-exporter. (Source repository of each are archived and no longer maintained)
Fixed CVE-2023-39325, CVE-2023-45142, CVE-2023-47108, CVE-2023-49568, CVE-2023-49569, GHSA-9763-4f94-gfch, GHSA-m425-mq94-257g for grafana.
It is advised to redeploy service with current version of images from StackHPC Release Train.
Rebuilt Neutron containers to include fixes for OSSA-2024-005. The vulnerability allows unauthorised users to change tags on networks in Neutron.
Bumps CentOS Stream 8 snapshots to include fixes for Zenbleed (CVE-2023-20593) and Downfall (CVE-2022-40982). It is recommended that you update your OS packages and reboot into the kernel as soon as possible.
Update Horizon on Ubuntu to include apache2 package
2.4.52-1ubuntu4.8which fixes CVE-2023-31122.
Updated Horizon Kolla image to fix CVE-2024-42005
Fixed CVE-2023-31047 for Horizon. Fixed CVE-2023-49569 for Grafana. Fixed CVE-2022-40083 and CVE-2021-4238 for Prometheus-msteams.
The Rocky 8 minor version has been bumped to 8.8 and new snapshots have been created to include fixes for Zenbleed (CVE-2023-20593), Downfall (CVE-2022-40982). It is recommended that you update your OS packages and reboot into the kernel as soon as possible.
The snapshots for Rocky 9.2 have been refreshed to include fixes for Zenbleed (CVE-2023-20593), Downfall (CVE-2022-40982). It is recommended that you update your OS packages and reboot into the kernel as soon as possible.
Bumps Ubuntu repository snapshots and container images to bring in latest security patches. This includes the microcode to patch Downfall (CVE-2022-40982). Zenbleed (CVE-2023-20593) was patched in the previous snapshot bump. To apply the microcode updates, it is recommended to reboot each host after upgrading all of the packages.
Kolla container images created using the
stackhpc-container-image-build.ymlworkflow are now automatically scanned for vulnerablilities.
Fixes CVE-2024-44082 with updated container images for Ironic services. Note that Ironic Python Agent images also need to be updated to fully fix this vulnerability. If this is not possible, a new configuration option
[conductor]conductor_always_validates_imagesis available. See the OSSA-2024-003 description for more details.
Fixes OSSA-2024-004 with updated container images for Ironic.
Addresses critical vulnerability CVE-2024-36039 by bumping the PyMySQL library to 1.1.1 in all affected Kolla images. This vulnerability allows SQL injection through untrusted JSON objects.
The Heat container images are rebuilt with yaql 3.0.0 to include patch for vulnerability OSSN/OSSN-0093. It is recommended that you redeploy Heat services in your system with the current version of Heat images from StackHPC Release Train.
Updates the Rocky Linux 9 SIG Security Common repository to address CVE-2024-6409 in OpenSSH.
Enables the Rocky Linux 9 SIG Security Common repository, which provides updated OpenSSH packages addressing CVE-2024-6387 (regreSSHion). Other packages available in this repository are currently ignored.
Adds a custom Apt repository to address CVE-2024-6387 in OpenSSH.
The upgraded kayobe-workflows collection increases the version of various Actions and containers used within GitHub based workflows, including increasing Docker in Docker to version
27.3.1thus removing the vunerabilities present in24.0-git.
Fixed CVE-2023-31047 for Horizon. Fixed CVE-2023-49569 for Grafana. Fixed CVE-2022-40083 and CVE-2021-4238 for Prometheus-msteams.
Bug Fixes¶
Added
NetworkManager-config-serverpackage to Rocky Linux 9 deployment image. Which prevents NetworkManager from automatically running DHCP on unconfigured ethernet devices and allows connections with static IP addresses to be brought up even on ethernet devices with no carrier.
The grafana image now includes the gnocchixyz-gnocchi-datasource and the grafana-opensearch-datasource plugins, which are the default upstream plugins.
Adds basic support and a document explaining how to migrate to a single nova-compute-ironic instance, and how to re-deploy the instance to another machine in the event of failure. See the operations / nova-compute-ironic doc for further details.
Fixes an issue where the IPA images in Ark could not be downloaded by Bifrost, due to missing authentication parameters.
Update Bifrost container images to include a fix for DHCP-based hardware discovery from https://review.opendev.org/c/openstack/bifrost/+/902233.
Updates the
nova-compute-ironiccontainer image to fix bug 2019977, which would cause Ironic instances to fail to delete.
Fixed a syntax error in Prometheus SMART monitoring rules.
Rebuild and bump the Bifrost container for Xena to include fix for Error while running update_to_latest_versions: ‘’BIOSSetting’’ object has no attribute during Ironic database migrations on upgrade
Fixes Ceph bug #66389 causing Ubuntu Noble hosts to fail to populate OSDs, by upgrading to Ceph v19.2.1.
Fix bug 2086675: Performance regression for Glance with RBD backend.
Updates Magnum CAPI Helm driver version to v0.10.0
Fixes various issues with the redfish exporter dashboard.
Caps the number of Pulp API and content workers to 32 each to avoid errors on hosts with many CPUs.
Updated the version of magnum-capi-helm used in Magnum containers. This resolves an issue stopping non-default node groups from being deleted. See #2095539 for more details.
Fixes an issue with idempotency in the
stackhpc.ceph.cephadm_keysplugin.
Updates Cinder container images to fix bug 1823445 (
cinder.exception.MetadataCopyFailure).
IPV6 is no longer disabled by default in the Ubuntu CIS hardening. If using the old behaviour you may hit 2071443.
The CIS hardening scripts no longer change permissions of log files by default. It is preferred to configure these permissions at source i.e on whatever is creating the files. It also suffered from a time-of-check to time-of-use race condition. If you want the old behaviour you can change
rhel9cis_rule_4_2_3and/orubtu22cis_rule_4_2_3totrue.
Fixes the bulk API of CloudKitty so that it now supports the migration from Elasticsearch to OpenSearch.
Disabled custom APT configuration for non-overcloud hosts (Ubuntu Only). This resolves the issue of the seed hypervisor attempting to pull packages from the repository on the seed before it has been deployed.
Miscellaneous issues with the package-build-ofed workflow are resolved in this patchset.
Separated out repos for Docker CE for Ubuntu Jammy/Focal. This fixes a Pulp sync issue where two “identical” repository versions existed with different checksums.
Fix Kolla container image build workflow failing to find default sources.list.ubuntu. The default sources.list for ubuntu now has each for Ubuntu Jammy and Noble. This upstream change was brought by Ubuntu 24.04 support for Caracal.
Bumps Bifrost container image tags to fix bug 2072550 which adds leading and trailing whitespace for
inspection_callback_urlin httpboot config when templating.
Fixed incorrect Opensearch Dashboards Prometheus Blackbox Exporter configuration.
Fix some broken links in the docs.
Fixes Grafana panel of top Ceph pools by capacity used. This panel was only showing the most used pool instead of as many pools as configured with the
$topkvariable.
Fixes an issue where the
ceph-rgwendpoints were added to the Prometheus blackbox exporter when the Kolla loadbalancer was not in use for RGWs.
The Ceph version is now determined by
os_release, rather than Ansible facts. Using Ansible facts caused playbooks to fail when facts are not gathered.
The OpenSearch backend for CloudKitty has been fixed, so the Horizon
Ratingpanels work again.
Fixes an issue where the fix-houston.yml playbook would fail to reload systemd as the
notifystatement was incorrect.
Fix missing bracket in fluentd OpenSearch configuration causing container crashes when caso is enabled.
Fixes an issue with the growroot playbook where disks such as ‘sdp’ would become ‘sd’ due to the removal of the trailing ‘p’ when dealing with nvme devices.
Fixes the hardware overview dashboard to use the correct metric for displaying drive temps. Now uses an or to display whichever metric is compatible with the drives in the system. The two metrics are temperature_case_raw_value and temperature_celsius_raw_value.
Updates Horizon container images to fix bug 2055784, which would cause Horizon to be unable to retrieve resource providers statistics in deployments with VGPU resources.
Adds a custom
fix-houston.ymlplaybook to address dmesg errors, specifically: “tc mirred to Houston: device bond0-ovs is down”. This error typically appears when OVS HW offloading is enabled, often in conjunction with VF-LAG and ASAP^2. Detailed usage instructions are provided within the playbook’s comments. Additional context is available at the following links: LP#1899364 Kernel Patch
Restores the use of extra IPA collectors (including
extra-hardware) when using StackHPC IPA images.
Fixes an issue where setting
redfish_exporter_scrape_groupto a value other thanovercloudwould exclude those nodes from the redfish exporter scrapes.
Fixes Neutron so that load balancer FIPs are not broken on Neutron restart. See Neutron bug report.
Fixes the issue with using SAML2 federation in Keystone against NetIQ IdP.
Fixes an issue when live migrating instances to hosts with cgroups v2 enabled (Ubuntu Jammy and Rocky 9). See Nova bug report.
Fixes an issue with local image builds where kolla_tag had not been set. The error had the signature:
Fixes internet connectivity for VMs deployed in the
ci-multinodeenvironment.
Bumps Neutron container image tags to fix bug 2068644 which could prevent associating floating IPs with OVN-based load balancers.
Update neutron container images to apply keepalived PID clean up fix With this change, Neutron always deletes stale PID file if exists.
Fixes creation and failover of Octavia TLS-terminated load balancers when storing the certificate and key as a PKCS12 bundle in Barbican.
Bumps OpenSearch heap size to 8 GB, to be identical to Elasticsearch.
Changed the Prometheus job name of OS Capacity exporter to
os_capacitywhich is what Azimuth is expecting to have for cloud metrics dashboard.
Fixes creation of over 1TB memory VMs on AMD with IOMMU enabled on Rocky Linux 9.
Fixes possible templating error with PCI passthrough configuration.
Fixes a race condition when launching multiple Ironic instances in parallel (as is commonly triggered when using Terraform/OpenTofu). See Nova bug report.
Bumps the radosgw_usage_exporter tag to fix an issue where duplicate metrics could be presented to Prometheus if S3 store usage was particularly high.
Fixes issue where Netmiko devices were sending no commands to the switch since plug_bond_to_network is overridden in networking_generic_switch/devices/netmiko_devices/init.py and PLUG_BOND_TO_NETWORK to set to None. See NGS bug report.
Fixes a permission issue with node exporter’s textfile collector metrics for SMART monitoring of disk drives.
Fixes the smartmon script to be case insensitive when checking for the inital SMART info. This is to ensure that the script works correctly on systems where the output of smartctl -i is not capitalised as previously expected by the script. This leads to badly formatted .prom files which lead to node_exporter failing to scrape the file.
Fixes an issue where Squid proxy could be unable to reach external servers due to a preference of choosing IPv6 connectivity by default.
Bumps the
stackhpc_ubuntu_jammy_overcloud_host_image_versionto fix an issue whereauthorized_keysfor theubuntuuser was not populated on newly provisioned nodes. Ubuntu package snapshots are also bumped to match those used in the new host image.
Fixes an issue where HashiCorp Vault standby nodes would trigger a Prometheus alert. To apply this fix to an existing system, the HAProxy configuration for Vault (
kolla/config/haproxy/services.d/vault.cfg) must be manually updated following the Vault documentation.
When using custom SCA policies for Wazuh, the agents are now correctly configured to allow commands to be executed from the manager.
Fixes the InstanceDown alerting rule wait time to be consistent with the alert message. The alert message says “for 5 minutes” but the rule was set to wait for 1 minute.
Fixes a file descriptor leak in networking-mlnx which prevented VMs using Infiniband virtual functions from provisioning after a period of time.
Fixes
KeyError: ip_versionin networking-mlnx when used in conjuction with OVN mechanism driver.
Fixes a regression when using
growroot.ymland software raid where the playbook would fail to identify the correct disk.
Updates nova image to bring in a fix for parsing mdev uuids when using libvirt>=7.7. See bug for more details.
Fix an issue with the OSD summary pie chart not showing any data.
Fixes display of the OpenSearch cluster health in Grafana when in yellow state.
Grafana now refuses to load AngularJS plugins. As such the
grafana-piechart-panelandgnocchixyz-gnocchi-datasourceplugins have been removed from the Grafana image.
Fix Grafana HAProxy dashboard when non-default Prometheus instance labels are used.
Updates the
stackhpc.hashicorpAnsible collection to 2.5.0. This brings in an idempotency fix for generating certificates.
Bumps the Horizon container image tag to fix the Identity->Domains panel for admins when multiple Domains are in use. See patch: https://review.opendev.org/c/openstack/horizon/+/940461
Prevents raising a Ceph
PgsUncleanalert because of backfilling which can frequently happen because of normal rebalancing activities, such as use of the Ceph balancer or OSD addition.
Bumped Ironic container image tag to fix a bug where some cipher suite errors for SuperMicro hardware were not caught. See patch: https://review.opendev.org/c/openstack/ironic/+/940957
Adds Ironic images tags to fix a bug with online upgrades for Bios/Traits. See patch: https://review.opendev.org/c/openstack/ironic/+/877409
Fixes the Prometheus Blackbox Exporter backend endpoint for ironic-inspector, as this service does not support backend TLS.
Bumps Ironic containers to patch CVE-2024-44082, see OSSA-2024-003 for details.
Add unit to LowMemory alert description.
Fixes Octavia health monitors not being created on cluster spawn.
Fixes CoreDNS for Magnum clusters crashing on startup.
Allows cinder-csi nodeplugin to start on the same Magnum cluster host as cinder-csi controllerplugin.
Corrects ClusterRole rules for Magnum cluster-autoscaler, and sets cluster-autoscaler pods to use hostNetwork.
Fixes appending to ca.crt in make-cert-client.sh causing multiple identical ca certs being added into /etc/kubernetes/certs/ca.crt.
Disables metadata proxy over IPv6 inside Neutron DHCP agent to work around bug 1953165.
Fixes a Prometheus Node exporter crash which may affect nodes with AMD processors (first seen on HPE DL385).
Updates the
nova-computecontainer image to fix bug 2091033. This bug would causenova-computeto freeze, which would result in frequent monitoring alerts.
Fix for nova resize API not parsing the new flavor on resize - bug 1805969.
Fix creation of VM instances with UEFI enabled and Secure Boot disabled.
Previously
switchdevcapabilities should be configured manually by a user with admin privileges using port’s binding profile. This blocked regular users from managing ports with Open vSwitch hardware offloading as providing write access to a port’s binding profile to non-admin users introduces security risks. For example, a binding profile may contain apci_slotdefinition, which denotes the host PCI address of the device attached to the VM. A malicious user can use this parameter to passthrough any host device to a guest, so it is impossible to provide write access to a binding profile to regular users in many scenarios.This patch fixes this situation by translating VF capabilities reported by Libvirt to Neutron port binding profiles. Other VF capabilities are translated as well for possible future use. LP#2008238. LP#2020813.
Neutron ovn db sync operation will no longer removes OVN metadata ports in networks with Octavia OVN Load balancers health monitors. A maintenance task process has been added to update the existing OVN LB HM ports to the new behaviour defined. Specifically, the “device_owner” field will be updated from network:distributed to ovn-lb-hm:distributed. Additionally, the “device_id” will be populated during update action. LP#2038091.
Restores valid value for the
flavor_idlabel onopenstack_nova_server_statusPrometheus metrics.
Updates Octavia images to fix Neutron endpoint selection in the OVN provider. LP#2049551.
Updates Octavia container images to fix a maintenance task that was breaking OVN IPv4 load balancers with health monitors. LP#2072754.
Pin the OCI image tag used for the Ubuntu Focal base-image of Kolla image builds. This prevents packages in the image with the latest tag getting in front of StackHPC release-train package repositories. Ubuntu tag should be bumped when new packages are available in StackHPC release-train.
Fixes an issue with Ansible Pulp modules depending on the
pulp_gluePython library since thepulp.squeezer0.0.14 release.
Pin the OCI image tag used for the base-image of Rocky 9 Kolla image builds. This prevents packages in the image with the latest tag getting in front of StackHPC release-train package repositories.
Fixes documentation builds on Read the Docs.
Fixes “Max Inlet Temp” time series chart in Redfish dashboard. This chart could wrongly display CPU2 temperature instead of inlet temperature.
Fixes a bug where the Redfish Dashboard’s UUID changed, causing Grafana to fail to update the dashboard on deployment where the old dashboard UUID had been used previously.
Changes the duration for which redfish exporter must continually fail scrapes before triggering an alert to 15 minutes. This should hopefully reduce some alert spam.
Removes bogus ContainerVolumeUsage alert. This rule wasn’t correctly measuring container volume IO and could cause spurious alerts.
Add a new
reset-bls-entries.ymlcustom playbook which will rename existing Boot Loader Specification (BLS) entries using the current machine ID for each host. This should fix an issue with Grub not selecting the most recent kernel during boot.
Upstream package repository mirrors are now restored in Kolla container images. This makes it possible to install or update packages for debugging purposes.
Reverts “Track all interfaces in Keepalived” so only HA interfaces are tracked. This prevents L3 HA router flapping when detaching floating IP addresses, because non-HA router interfaces did not include “no_track”. Closes-Bug: #2097770
Fixed RADOS gateway usage exporter deployment failing to generate ec2 credentials for the ceph_rgw user.
Fixed RADOS gateway usage exporter not using the system trust root as its CA bundle.
Fixes synchronisation and DNF configuration of the Rocky Linux 9 CRB repository.
Fixes an issue with Kolla container image builds for Ubuntu where the release train package repositories could be behind the container image, leading to image build failures.
HAProxy alerting rules have been updated to use the server name that is down, rather than the name of the instance that reported the down server.
Fixes the issue with interface names containing dashes in Hashicorp collection.
Updates Magnum to a proper Caracal release version following critical bug upstream merged & backported. Also, updates CAPI Helm driver version to the latest (1.2.0).
The overcloud HashiCorp Vault playbooks have been modified to use the local Vault service rather than via HAProxy. This makes it possible to deploy and use Vault without HAProxy. This eliminates the previous bootstrapping issue where HAProxy needed to be deployed without TLS enabled while generating initial certificates.
Other Notes¶
deployment guide docs added for new capi driver
Reduced verbosity in etc/kayobe/pulp.yml
Changes the Grafana OpenStack dashboard to show HTTP status 300 as green instead of orange.
Adds a
ci-aioenvironment for CI testing.
Adds a
ci-builderenvironment for building Kolla container images in CI.