What's new in RPCO v17.0 Queens
Rackspace Private Cloud Powered By OpenStack (RPCO) Queens release v17.0 is based on the OpenStack-Ansible (OSA) project. For OSA release notes, see OpenStack-Ansible Queens Release Notes.
Major new releases of OpenStack such as v17.0 typically include many changes, enhancements, and new features. RPCO is a tested configuration of a subset of all available OpenStack services.
These release notes list some of the significant upstream OpenStack changes made since the Pike release and are provided for your awareness. They are not a statement of support. For more information about supported features and configurations, contact your Rackspace sales team or support specialist.
General changes and improvements
- Adds support for the horizon `octavia-ui` dashboard. The dashboard is automatically enabled if any octavia hosts are defined.
- When upgrading from Pike to Queens, note the following changes to the container or service setup:
  - All cinder container services are consolidated into a single `cinder_api_container`. The previously implemented `cinder_scheduler_container` can be removed.
  - A new `heat_api` container is created with all heat services running in it. The previously implemented `heat_engine_container` can be removed.
  - The Ironic Conductor service has been consolidated into the `ironic_api_container`. The previously implemented `ironic_conductor_container` can be removed.
  - All nova services are consolidated into the `nova_api_container`. Any other nova containers can be removed.
- A new option `lxc_container_allow_restarts` has been added with a default value of `True`. This option allows control of container restarts from `os-lxc-container-setup.yml`. To disable the auto-restart functionality, set this value to `False`. This option is a complement to the same option already present in the `lxc_container_create` role and is useful to avoid uncoordinated restarts of `rabbitmq` containers if an LXC container configuration change requires a restart.
- New hypervisor groups have been added to allow better definition of compute workloads. While the generic `compute_hosts` group still works, compute hosts can now be explicitly defined by using the groups
- Neutron connectivity agents are now deployed on bare metal within the `network_hosts` defined in the
- After an upgrade, neutron agent services can be run on hosts within the `network_hosts` group by executing the appropriate playbooks. Neutron servers are then deployed on the bare metal hosts without affecting any existing agent containers.
- After an upgrade completes and the cluster is verified as stable, cleanup of `neutron_agents` containers is recommended. To do this, use the following steps:
  - Disable the neutron agents running in the
  - Rebalance the agent services that target the new bare metal agents.
  - Delete the containers.
  - Remove the containers from inventory.
Roles changes and improvements
- The default setting for `ssh` configuration has changed from `without-password`. This only allows `ssh` to be used to authenticate `root` via a key.
- The `PermitRootLogin` setting can now be changed with the `/etc/ssh/sshd_config`. Available options are
- The tasks within the `ansible-hardening` role are now based on Version 1, Release 3 of the Red Hat® Enterprise Linux® Security Technical Implementation Guide.
- The current API is v2.
- Support for API v1 has been removed.
- When using glance and the Network File System (NFS), the NFS mount point is now managed by using a `systemd` mount unit file. This change modernizes how glance is deployed when using shared storage and also ensures the deployment of `glance` does not make system-impacting changes to
- API v1 is disabled by default. It is scheduled for removal in the upstream Queens release.
- The `glance-registry` service is disabled by default. It is no longer required for the v2 API and will be removed in a future release.
- The variables `keystone_cache_backend_argument` have been deprecated in favor of `keystone_cache_servers`, which is a list of servers used for caching.
- Default quotas have been changed to match upstream defaults for the following resources:
  - Networks increased from 10 to 100
  - Subnets increased from 10 to 100
  - Ports increased from 50 to 500
- The variable `nova_compute_pip_packages` is no longer used and has been removed.
- The variable `nova_default_schedule_zone` was previously set by default to `nova`. This default has been removed to allow the default to be set by the nova code instead. To maintain the default availability zone of `nova`, set the variable as a
- The Kernel Same-page Merging (KSM) configuration has been disabled by default on Ubuntu. If random access memory (RAM) is overcommitted on your hypervisor, it is recommended that `nova_compute_ksm_enabled` be set to
- The `nova_placement` database that was implemented in the Ocata release of OpenStack-Ansible was never actually used due to reverts in the upstream code. The existing database should be empty and can be deleted. As a result, the following variables also no longer have any function and have been removed.
- The variables `nova_metadata_host` have been removed to match upstream
- The `nova_virt_types` dictionary no longer needs the
- `ceph-ansible` version 3.0.34 is used in this release.
- `ceph-mgr dashboard` is now enabled.
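
For the `PermitRootLogin` change listed in the role changes above, the following added example (not part of these release notes or of the `ansible-hardening` role) audits the value that sshd will actually use from `/etc/ssh/sshd_config`. It assumes standard `sshd_config` semantics (the first value read for a keyword wins, `Match` blocks override it); the function names and the sample config are constructed for illustration.

```python
# Values sshd_config(5) accepts for PermitRootLogin. "without-password" is the
# older spelling of "prohibit-password"; both keep root off password auth.
ALLOWED = {"yes", "no", "without-password", "prohibit-password",
           "forced-commands-only"}

def permit_root_login(config_text):
    """Return (global_value, match_overrides) for PermitRootLogin.

    sshd keeps the first value it reads for a keyword, so a later duplicate
    in the global section has no effect. Values inside Match blocks apply
    only to matching connections and are returned separately.
    """
    global_value, overrides, match = None, [], None
    for raw in config_text.splitlines():
        # Drop comments; "Keyword=value" and "Keyword value" are both valid.
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            match = " ".join(args)
        elif keyword == "permitrootlogin" and args:
            value = args[0].strip('"').lower()
            if match is not None:
                overrides.append((match, value))
            elif global_value is None:
                global_value = value
    return global_value, overrides

def audit(config_text):
    """List the places where root may log in with a password."""
    value, overrides = permit_root_login(config_text)
    findings = []
    if value is None:
        findings.append("global: not set, sshd built-in default applies")
    elif value not in ALLOWED:
        findings.append(f"global: unrecognised value {value!r}")
    elif value == "yes":
        findings.append("global: root password login allowed")
    findings += [f"Match {cond}: root password login allowed"
                 for cond, v in overrides if v == "yes"]
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
Port 22
PermitRootLogin without-password
PermitRootLogin yes   # ignored: the first value already won
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""
```

Run `audit()` over the deployed file on each host after the upgrade; an empty list means no global or `Match` setting permits root password logins.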
Block Storage service (cinder)
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/cinder/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/cinder/queens.html
- When using the Rados Block Device (RBD) pool exclusively for cinder, it is now possible to set `True` and cinder will use database information to calculate provisioned size instead of querying all volumes in the backend. This reduces the load on the Ceph cluster and on the volume service.
- Resolves an issue with cross availability zone migrations and retypes where the destination volume retained the source volume’s availability zone, resulting in a volume where the availability zone did not match the backend. bug 1747949.
DNS as a Service (designate)
OpenStack DNS as a Service is provided as a technical preview and is currently used with the Rackspace Kubernetes-as-a-Service (KaaS) offering only.
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/designate/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/designate/queens.html
- v1 API has been removed. Any tooling that uses the v1 API must be reworked to use the v2 API.
Image service (glance)
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/glance/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/glance/queens.html
- The current version of the Images API supplied by glance is introduced as version 2.6. This includes the new API calls introduced on an experimental basis in the Pike release.
- The Glance Registry Service and its APIs are officially deprecated in this release and are subject to removal at the beginning of the ‘S’ development cycle, in accordance with the OpenStack standard deprecation policy.
Orchestration service (heat)
- Prior version (Ocata) project release notes: https://docs.openstack.org/releasenotes/heat/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/heat/queens.html
- The `template-validate` API call now returns the environment calculated by heat. This allows a preview of the merged environment when using `parameter_merge_strategy` prior to creating the stack.
- Adds new resources for octavia to provide load balancing as a service (LBaaS).
- Heat does not work with keystone identity federation. This is a known limitation; heat uses keystone trusts for deferred authentication and trusts do not work with federated keystone. For more details, see https://etherpad.openstack.org/p/pike-ptg-cross-project-federation.
- The AWS compatible CloudWatch API has been removed. OpenStack deployments, packagers, and deployment projects that deploy or package CloudWatch should take appropriate action to remove support.
- The following new resources have been added:
  - `OS::Octavia::LoadBalancer` creates and manages load balancers, which allow traffic to be directed between servers.
  - `OS::Octavia::Listener` creates and manages listeners, which represent a listening endpoint for the load balancer.
  - `OS::Octavia::Pool` creates and manages pools, which represent a group of nodes. Pools define the subnet where nodes reside, the balancing algorithm, and the nodes themselves.
  - `OS::Octavia::PoolMember` creates and manages pool members that represent a single backend node.
  - `OS::Octavia::HealthMonitor` creates and manages health monitors, which monitor the status of the load-balanced servers.
  - `OS::Octavia::L7Policy` creates and manages L7 policies.
  - `OS::Octavia::L7Rule` creates and manages L7 rules.
- Prior version (Ocata) project release notes: https://docs.openstack.org/releasenotes/horizon/ocata.html
- Project release notes: https://docs.openstack.org/releasenotes/horizon/pike.html
- The Cinder API v3 is now used by default. API v3 was introduced in Mitaka and supports all features from API v2.
- The keystone v3 API is now used by default.
- Heat dashboard is now a separate project called `heat-dashboard`. In the future, all features and maintenance will be provided by the new project. The new project provides all features that were available in horizon in the prior release.
- A new setting `OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES` was introduced to control whether the IP addresses of servers are retrieved from neutron in the project instance table. This setting mitigates a performance issue in large deployments. When it is set to `False`, neutron is not queried. Deployments without floating IP support can set it to `False` for better performance. For more detail, see bug 1722417.
Bare metal service (ironic)
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/ironic/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/ironic/queens.html
- Ironic is in beta in this release.
- Adds support for routed networks when using the `flat` network interface. This feature requires the `baremetal` ML2 mechanism driver and L2 agent from the networking-baremetal plugin. See the networking configuration documentation for more details.
- The classic drivers, as well as the `enabled_drivers` configuration option, are now deprecated and might be removed in the Rocky v18 release. A deprecation warning will be logged for every loaded classic driver. Check the migration guide for information about how to update your nodes.
- The `[glance]swift_account` option is now optional. If it is not set, the default value is calculated based on the ID of the project used to access the object store. Previously this option was required. This change does not affect using `RadosGW` as an object store backend.
- If the `[glance]swift_temp_url_key` option is not set, Ironic now tries to fetch the key from the project used to access swift (often called `service`). This change does not affect using `RadosGW` as an object store backend.
Identity service (keystone)
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/keystone/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/keystone/queens.html
- You can now create Application Credentials, a new keystone resource that can provide an application with the means to get a token from keystone with a preset scope and role assignments. To authenticate with an application credential, an application can use the normal token API with the `application_credential` authentication method. For more information, see https://blueprints.launchpad.net/keystone/+spec/application-credentials.
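
The token request described above, as an added example that is not part of the RPCO notes or of keystone's own code: it builds the `POST /v3/auth/tokens` body for the `application_credential` method and a copy that is safe to log. The helper names, endpoint, ID and secret are constructed placeholders.

```python
import json
import urllib.request

def app_cred_auth_body(secret, cred_id=None, name=None, user_id=None):
    """Build the /v3/auth/tokens body for the application_credential method.

    No "scope" key is sent: the project and roles were fixed when the
    credential was created. The credential is identified by its ID, or by
    its name together with the ID of the user that owns it.
    """
    if cred_id:
        cred = {"id": cred_id, "secret": secret}
    elif name and user_id:
        cred = {"name": name, "user": {"id": user_id}, "secret": secret}
    else:
        raise ValueError("need cred_id, or name plus user_id")
    return {"auth": {"identity": {"methods": ["application_credential"],
                                  "application_credential": cred}}}

def token_request(keystone_url, body):
    """Prepare (not send) the POST; keystone returns the token in the
    X-Subject-Token response header."""
    return urllib.request.Request(
        keystone_url.rstrip("/") + "/v3/auth/tokens",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST")

def redact(body):
    """Deep copy of the body with the secret masked, for request logging."""
    copy = json.loads(json.dumps(body))
    copy["auth"]["identity"]["application_credential"]["secret"] = "***"
    return copy

# Constructed placeholder values; keystone.example.test is not a real endpoint.
BODY = app_cred_auth_body("constructed-secret", cred_id="constructed-id")
REQ = token_request("https://keystone.example.test:5000/", BODY)
```

Treat the secret like a password: it authenticates without the owning user's own credentials, so log only the output of `redact()`.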
Networking service (neutron)
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/neutron/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/neutron/queens.html
- In order to reduce the time spent processing security group updates in the L2 agent, `conntrack` deletion is now performed in a set of worker threads instead of the main agent thread.
Compute service (nova)
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/nova/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/nova/queens.html
- `VIRT-SSBD` CPU flags have been added to the list of available choices for the `[libvirt]/cpu_model_extra_flags` configuration option. These flags are important for proper mitigation of the Spectre 3a and 4 CVEs. Note that the use of either of these flags requires other updates running below nova, including libvirt, qemu (specifically >=2.9.0 for `virt-ssbd`), Linux, and system firmware. For more information, see https://www.us-cert.gov/ncas/alerts/TA18-141A.
- The latest compute API microversion supported for Queens is v2.60. Details on REST API microversions added since the 16.0.0 Pike release can be found in the REST API Version History page.
- `nova-network` continue to be deprecated and are expected to be removed in the 18.0.0 Rocky release.
- `xenapi` compute drivers now have experimental native support for virtual graphics processing unit (GPU) devices. See the virtual GPU admin guide for more details.
- The `libvirt` compute driver now supports volume multi-attach when using the 2.60 compute API microversion. See the cinder admin guide for more details about volume multi-attach support in OpenStack.
- The following `nova-manage` commands have been removed:
Load Balancing as a Service (octavia)
OpenStack octavia is provided as a technical preview and is currently used with the Rackspace Kubernetes-as-a-Service (KaaS) offering only.
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/octavia/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/octavia/queens.html
- The `failover` sub-resource for the Amphora API has been added. Each amphora can be triggered to fail over by sending a PUT with an empty body to the resource `/v2.0/octavia/amphorae/<uuid>/failover`. It causes the amphora to be recycled and replaced in the same way as a health-triggered failover.
Object Storage (swift)
- Prior version (Pike) project release notes: https://docs.openstack.org/releasenotes/swift/pike.html
- Project release notes: https://docs.openstack.org/releasenotes/swift/queens.html
- Added symlink objects support.