Chapter 4. Technical Notes

This chapter supplements the information contained in the text of Red Hat OpenStack Platform "Stein" errata advisories released through the Content Delivery Network.

4.1. RHEA-2019:2811 — Red Hat OpenStack Platform 15 general availability advisory

The enhancements and bug fixes contained in this section are addressed by advisory RHEA-2019:2811. Further information about this advisory is available at https://access.redhat.com/errata/RHEA-2019:2811

Changes to the ansible-role-tripleo-modify-image component:

  • In Red Hat OpenStack Platform 15, the director parameter used during overcloud container preparation, deltarpm, has been renamed to drpm. (BZ#1689913)

Changes to the distribution component:

  • Skydive is a network analysis service that was designated as Technology Preview support in Red Hat OpenStack Platform 14. In RHOSP 15, Skydive has been removed. (BZ#1749427)

Changes to the Networking component:

  • In Red Hat OpenStack Platform 15, the Kuryr-Kubernetes container network interface (CNI) plug-in is highly available (active/passive mode). (BZ#1579371)

Changes to the openstack-barbican component:

  • With this technology preview, it is possible to configure Barbican through Director to store secrets using the ATOS Trustway Proteccio NetHSM. This is mediated through the Barbican PKCS#11 back-end plugin.

    The technology preview is provided in the following packages: openstack-barbican tripleo-heat-templates (BZ#1624490)

  • With this technology preview, it is possible to configure Barbican through Director to store secrets using the nCipher NetShield Connect NetHSM. This is mediated through the Barbican PKCS#11 back-end plugin.

    The Technology Preview is provided in the following packages: openstack-barbican tripleo-heat-templates (BZ#1624491)

Changes to the openstack-cinder component:

  • In Red Hat OpenStack Platform 15, if the back end driver supports it, you can now simultaneously attach a volume to multiple machines for both the Block Storage service (cinder) and the Compute service (nova). This feature addresses the use case for clustered application workloads that typically require active/active or active/standby scenarios. (BZ#1661022)
  • The Block Storage service (cinder) command, "snapshot-manageable-list," now lists the snapshots on the back end for Red Hat Ceph RADOS block devices (RBD). (BZ#1613038)

Changes to the openstack-ironic component:

  • A new Red Hat OpenStack Platform Bare Metal service (ironic) driver for XClarity managed Lenovo devices is available. The xclarity driver provides more reliable operation on Lenovo devices managed with XClarity, and opportunities for additional vendor-specific features in the future. (BZ#1526109)
  • Red Hat OpenStack Platform Bare Metal service (ironic) now has a BIOS management interface, with which you can inspect and modify a device’s BIOS configuration.

    In Red Hat OpenStack Platform 15, the Bare Metal service supports BIOS management capabilities for data center devices that are Redfish API compliant. The Bare Metal service implements Redfish calls through the Python library, Sushy. (BZ#1593758)

Changes to the openstack-neutron component:

  • Red Hat OpenStack Platform deployments that use the Linux bridge ML2 driver and agent are unprotected against Address Resolution Protocol (ARP) spoofing. The version of Ethernet bridge frame table administration (ebtables) that is part of Red Hat Enterprise Linux 8 is incompatible with the Linux bridge ML2 driver.

    The Linux Bridge ML2 driver and agent were deprecated in Red Hat OpenStack Platform 11, and should not be used.

    Red Hat recommends that you use instead the ML2 Open Virtual Network (OVN) driver and services, the default deployed by the Red Hat OpenStack Platform director. (BZ#1713329)

Changes to the openstack-nova component:

  • In earlier Red Hat OpenStack Platform versions, the RHOSP Compute service (nova) diagnostics command returned an "IndexError" on compute instances that used VFIO interfaces.

    In RHOSP 15, this problem has been addressed. The diagnostics command now retrieves interface data directly from the guest XML, and appropriately adds NICs to the diagnostics object. (BZ#1649688)

Changes to the openstack-sahara component:

  • In Red Hat OpenStack Platform 15, the Data Processing service (sahara) plug-ins have been decoupled and are now installed as libraries.

    To obtain newer versions of Data Processing service plug-ins, you no longer have to upgrade RHOSP. Instead, install the newest version of the desired plug-in. (BZ#1547728)

Changes to the openstack-tripleo-common component:

  • In Red Hat OpenStack Platform 15, Red Hat OpenStack director (TripleO) no longer supports deploying Red Hat OpenShift Container Platform 3.11 clusters on bare metal nodes using the OpenShift installation playbooks (provided in the openshift-ansible package) and Orchestration service (heat) templates.

    To deploy OpenShift 3.11 on bare metal nodes, use the OpenShift installation playbooks exclusively without Orchestration service templates. You can provision Red Hat Enterprise Linux on bare metal nodes using Red Hat OpenStack Platform with the Bare Metal service (ironic) or by performing a manual installation. (BZ#1702694)

Changes to the openstack-tripleo-heat-templates component:

  • In Red Hat OpenStack Platform 15, which depends on Red Hat Enterprise Linux 8, there is a new default Time service, chrony.

    With this switch, Red Hat highly recommends that you use multiple Network Time Protocol (NTP) servers for both the undercloud and overcloud deployments. (BZ#1535066)

  • You can now configure automatic restart of VM instances on a Compute node if the compute node reboots without first migrating the instances.

    With the following two new parameters, you can configure the Red Hat OpenStack Platform Compute service (nova) and the libvirt-guests agent to shut down VM instances gracefully and start them when the Compute node reboots:

    • NovaResumeGuestsStateOnHostBoot (True or False)
    • NovaResumeGuestsShutdownTimeout (default, 300s) (BZ#1585012)
  • The Shared File Systems service (manila) API now runs behind the Apache HTTP Server (httpd). The Apache error and access logs from the Shared File Systems service are available in /var/log/containers/httpd/manila-api on all the nodes that run the manila API container.

    The log location of the main API service (manila-api) has not changed, and continues to be written on each node in /var/log/containers/manila/. (BZ#1585835)

  • Red Hat OpenStack Platform undercloud networks are now layer 3 (L3) capable. This enhancement enables all segments to use one network, and alleviates the need for service net map overrides.

    This enhancement is important for Red Hat OpenStack Platform edge computing sites that deploy roles in different sites and make service net map overrides unwieldy. (BZ#1601576)

  • In Red Hat OpenStack Platform 15, a new role and environment file have been added to enable the undercloud to deploy an all-in-one overcloud node that contains both the controller services and compute services. The new role and the new environment file are named, respectively, roles/Standalone.yaml and environments/standalone/standalone-overcloud.yaml.

    Because this new architecture does not yet support high availability, Red Hat cannot guarantee zero down time during RHOSP 15 updates and upgrades. For this reason, Red Hat highly recommends that you properly back up your system. (BZ#1626139)

  • Using the Red Hat OpenStack Platform director, you can now configure the Image service (glance) to have an optional local image cache. You turn on the image cache by setting the “GlanceCacheEnabled” property to True.

    A typical use case for the image cache is edge computing. Because the Image service resides at the central site, you can deploy and enable the image cache at remote sites to save bandwidth and reduce the Image service’s boot time. (BZ#1635862)

  • With Red Hat OpenStack Platform director you can now configure different availability zones for Block Storage service (cinder) volume back ends. Director has a new parameter, CinderXXXAvailabilityZone, where XXX is associated with a specific back end. (BZ#1636179)
  • Previously, when using TLS Everywhere, your controller node was required to access IdM through the ctlplane network. As a result, if traffic was routed through a different network, then the overcloud deployment process would fail due to getcert errors. To address this, IdM enrolment has been moved into a composable service that runs within host_prep_tasks; this runs at the start of the deployment phase. Note that the script will simply exit if the instance has already been enrolled in IdM. (BZ#1661635)
  • In earlier releases of Red Hat OpenStack Platform, when these conditions were true:

    • The option, reclaim_instance_interval, was greater than zero.
    • The option, delete_on_termination, was set to true.
    • The instance which is booted from the volume was deleted.

      Then, after the "reclaim_instance_interval" passed, the volume on which the instance was booted incorrectly displayed a status of "attached" and "in-use".

      In RHOSP 15, the workaround is to do the following:

      1. In the Compute service configuration file, nova.conf, add a user/project configuration to the group, cinder.
      2. When the context is is_admin, connect to the Block Storage service (cinder) API, authenticating with nova.conf and without using a token. (BZ#1691839)
  • Because Red Hat Ceph Storage 4 is at beta when Red Hat OpenStack Platform 15 is at GA, a new configuration option has been added to RHOSP 15 to prevent any accidental deployments of Red Hat Ceph Storage 4 Beta in a production environment.

    The new Orchestration service (heat) configuration option, EnableRhcs4Beta, is set by default to "False", and therefore prevents director from deploying Red Hat Ceph Storage 4 Beta by accident. (BZ#1722036)

  • When the “live_migration_wait_for_vif_plug” flag and OVN are enabled, the Red Hat OpenStack Platform Compute service (nova) times out, because the “network-vif-plugged” event never occurs.

    The workaround is to disable the “live_migration_wait_for_vif_plug” flag. Disabling this flag does not impact the live migration feature.

    When OVN is used, the default is: live_migration_wait_for_vif_plug = false. (BZ#1722041)

  • In earlier Red Hat OpenStack Platform versions, when you deployed the Block Storage service (cinder) on a NetApp back end server, director warned you that deprecated parameters were specified.

    In RHOSP 15, these deprecated director parameters have been updated to align with the latest NetApp driver settings. A new parameter, CinderNetappPoolNameSearchPattern, replaces CinderNetappStoragePools. The deprecated parameter, CinderNetappEseriesHostType, has been removed. (BZ#1595543)

  • Red Hat OpenStack Platform director now has the ability to control Block Storage service (cinder) snapshots on NFS back ends. A new director parameter, CinderNfsSnapshotSupport, has a default value of True. (BZ#1633146)
  • In Red Hat OpenStack Platform 15, the Image service (glance) is automatically configured for any glance-import execution to convert imported images into RAW format when Red Hat Ceph Storage is used as the backend for the Image service. (BZ#1666529)
  • In Red Hat OpenStack Platform 15, you can specify MTU (maximum transmission unit) settings for each network, and RHOSP will automatically write those settings to the network interface configuration templates. MTU values should be set in the network_data.yaml file.

    This enhancement alleviates the step of manually updating the network templates for each role, and reduces the likelihood of manual entry errors. (BZ#1240852)
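The Linux bridge ML2 ARP-spoofing exposure (BZ#1713329) and the OVN live-migration timeout (BZ#1722041) described in these notes can both be checked from service configuration files. The following is an added example, not Red Hat or director code; it assumes the upstream layout in which mechanism_drivers is in the [ml2] section of ml2_conf.ini and live_migration_wait_for_vif_plug is in the [compute] section of nova.conf, and the sample files are constructed.

```python
import configparser

# Constructed sample files for illustration; not taken from a real deployment.
SAMPLE_ML2 = "[ml2]\ntype_drivers = flat,vlan\nmechanism_drivers = linuxbridge, l2population\n"
SAMPLE_ML2_OVN = "[ml2]\nmechanism_drivers = ovn\n"
SAMPLE_NOVA = "[DEFAULT]\ndebug = false\n[compute]\nlive_migration_wait_for_vif_plug = True\n"


def _parse(text):
    # oslo.config files may repeat keys and contain '%', so relax configparser.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def mechanism_drivers(ml2_text):
    """Return the lower-cased ML2 mechanism driver names, in file order."""
    raw = _parse(ml2_text).get("ml2", "mechanism_drivers", fallback="")
    return [d.strip().lower() for d in raw.split(",") if d.strip()]


def audit(ml2_text, nova_text=""):
    """Return (bugzilla, message) findings for the two issues in these notes."""
    findings = []
    drivers = mechanism_drivers(ml2_text)

    # BZ#1713329: the Linux bridge driver has no ARP spoofing protection on RHEL 8.
    if "linuxbridge" in drivers:
        findings.append((
            "BZ#1713329",
            "linuxbridge mechanism driver in use: no ARP spoofing protection; "
            "use the ML2 OVN driver instead",
        ))

    # BZ#1722041: with OVN, waiting for network-vif-plugged makes nova time out.
    # Only an explicit 'true' is flagged, because the notes state that the
    # default is false when OVN is used.
    if "ovn" in drivers and nova_text:
        try:
            wait = _parse(nova_text).getboolean(
                "compute", "live_migration_wait_for_vif_plug", fallback=None)
        except ValueError:
            wait = None  # unparsable value: treated as not set
        if wait:
            findings.append((
                "BZ#1722041",
                "live_migration_wait_for_vif_plug is enabled with OVN: "
                "live migration can time out; disable the flag",
            ))
    return findings


if __name__ == "__main__":
    for ml2 in (SAMPLE_ML2, SAMPLE_ML2_OVN):
        for bz, message in audit(ml2, SAMPLE_NOVA):
            print(f"{bz}: {message}")
```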

Changes to the puppet component:

  • In Red Hat OpenStack Platform 15, director uses version 5.5 of Puppet. (BZ#1619762)

Changes to the puppet-manila component:

  • The Shared File Systems service (manila) API now supports Transport Layer Security (TLS) endpoints on the internal API network, through SSL/TLS certificates. The Shared File Systems service is automatically secured when you opt to secure Red Hat OpenStack Platform during deployment. (BZ#1484601)

Changes to the puppet-nova component:

  • In Red Hat OpenStack Platform 15, you are now able to customize libvirt NFS mount options for Block Storage service (cinder) volumes, using the configuration setting, nfs_mount_options.

    Here is an example:

    parameter_defaults:
      ComputeExtraConfig:
        nova::compute::libvirt::nfs_mount_options: "vers=4.2,lookupcache=pos"

    (BZ#1715094)

Changes to the puppet-tripleo component:

  • In Red Hat OpenStack Platform 15, the monitoring agent, Sensu client service, is deprecated.

    In a future Red Hat OpenStack Platform version, the Sensu client service will be removed. (BZ#1676951)

Changes to the python-cinder-tests-tempest component:

  • Before this update, Cinder consistency group tests failed because the tests used non-admin credentials. This update configures the tests to use admin credentials, allowing the consistency group tests to succeed. (BZ#1622968)

Changes to the python-networking-ovn component:

  • This update fixes a bug that caused live migrations to fail.

    Before the update, with OVN enabled, a live migration could get stuck waiting for Neutron to send vif_plugged notifications.

    This update emits the vif_plugged notification under specific conditions, allowing the live migration to pass. (BZ#1743231)

Changes to the python-novajoin component:

  • As a technology preview in Red Hat OpenStack Platform 15, the novajoin service uses the new, versioned format of notifications sent by the Compute service (nova).

    To enable the new format, set the value of the new configuration setting, configuration_format, to "versioned". The default value for configuration_format is "unversioned". In a future version of RHOSP, unversioned notifications will be deprecated. (BZ#1624486)

  • As a technology preview in Red Hat OpenStack Platform 15, the novajoin service uses the Python 3 runtime. (BZ#1624488)

Changes to the python-paunch component:

  • With Paunch you can now manage container memory consumption using three new attributes: mem_limit, memswap_limit, and mem_swappiness. (BZ#1647057)

Changes to the python-tripleoclient component:

  • In some earlier Red Hat OpenStack Platform versions, the following validations were not working:

    • neutron-sanity-check
    • rabbitmq-limits
    • undercloud-process-count
    • undercloud-tokenflush
    • undercloud-heat-purge-deleted

      In RHOSP 15, this problem has been corrected. A new director CLI now allows you to run the earlier listed validations through Red Hat Ansible Automation directly from the Undercloud machine. (BZ#1730073)

  • Because Red Hat Ceph Storage 4 is at beta when Red Hat OpenStack Platform 15 is at GA, a new configuration option has been added to RHOSP 15 to prevent any accidental deployments of Red Hat Ceph Storage 4 Beta in a production environment.

    The new Orchestration service (heat) configuration option, EnableRhcs4Beta, is set by default to "False", and therefore prevents director from deploying Red Hat Ceph Storage 4 Beta by accident. (BZ#1740715)

  • Red Hat OpenStack Platform (RHOSP) does not yet support upgrading to version 15 from earlier RHOSP versions. Support for upgrading will be added to a future update of RHOSP 15. (BZ#1741244)

4.2. RHBA-2020:0643 — Red Hat OpenStack Platform 15 maintenance release advisory

The enhancements and bug fixes contained in this section are addressed by advisory RHBA-2020:0643. Further information about this advisory is available at https://access.redhat.com/errata/RHBA-2020:0643-05

ansible-role-tripleo-modify-image

There is a known issue when building container images with buildah. The default format for the image is OCI, but podman 1.6.x contains stricter restrictions about container format metadata. As a result, containers that you push to the undercloud registry can fail if they were originally in OCI format.

The workaround is to use the --format docker option to build images in docker format instead of OCI format, so that you can push the containers to the undercloud registry successfully.

diskimage-builder

Previously, the nouveau kernel module was included in initramfs and conflicted with the NVIDIA vGPU drivers. As a result, the boot process could hang on RHOSP RHEL8 compute nodes with NVIDIA vGPU cards and drivers installed.

With this update, nouveau is explicitly omitted from the RHOSP initramfs.

openstack-tripleo-heat-templates

Previously, there was a change to the log parameter in the podman interface that introduced an issue with tripleo-heat-templates, which caused updates to fail.

With this update, the issue has been resolved and updates pass successfully.

The Compute services (nova) can fail to deploy because the nova_wait_for_compute_service script is unable to query the Nova API. If you use a remote container image registry outside of the undercloud, the Nova API service might not finish deploying in time.

The workaround is to rerun the deployment command, or to use a local container image registry on the undercloud.

Previously, changing the default membership role from Member to member caused ceph-rgw to deny access to standard users because keystone roles are case insensitive, but ceph-rgw role matching is case sensitive. As a result, users with the member role could not access ceph-rgw.

With this update, ceph-rgw accepts users with both Member and member roles.

Previously, deploying the stack with all networks disabled failed because the 'cloud_name_{{network.name_lower}}' property was defined for disabled networks.

With this update, the 'cloud_name_{{network.name_lower}}' property is no longer added for disabled networks and deployments are successful.

With this update, the credentials that you supply in the ContainerImageRegistryCredentials parameter pass to ceph-ansible automatically if the registry name matches the registry name in the ceph_namespace parameter.

In Red Hat OpenStack Platform (RHOSP) 15, the rhel-registration pre-deployment script has been removed because it is not compatible with RHEL8. Use the Ansible-based overcloud registration method instead:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/15/html/advanced_overcloud_customization/ansible-based-registration

openstack-tripleo-image-elements

Previously, the default NIC naming changed to use non-persistent node names such as ethXX instead of consistent names like enoX, ensXfY, ensX. As a result, the NIC names present in the introspection data did not match the overcloud NIC names.

With this update, the setting net.ifnames=0 has been removed from grub-config in the overcloud image and the introspection data contains consistent NIC names.

openstack-tripleo-validations

Previously, the default values for dhcp_start and dhcp_end in the undercloud.conf file did not provide enough IP addresses to pass tripleo validation and the ctlplane-ip-range validation failed.

With this update, the IP range is larger and validation passes successfully.

os-net-config

Previously, routes on SR-IOV PF interfaces were not set properly and these routes were ignored.

With this update, routes for SR-IOV PF interfaces function correctly.