Zed Series Release Notes
18.0.0.0b1-313
New Features
New variables have been added to manage the cache backends in use:
openstack_cache_backend: defines the driver that will be used for caching. Default: oslo_cache.memcache_pool
openstack_cache_backend_map: maps the selected backend to the oslo driver that should be installed and configured for it.
The service updates for keystone will now be executed through delegation to the keystone_service_setup_host which, by default, is localhost (the deploy host). Deployers can opt to change this to the utility container instead by implementing the following override in user_variables.yml:
keystone_service_setup_host: "{{ groups['utility_all'][0] }}"
The keystone role now supports the option keystone_use_uwsgi, which allows deployers to run keystone via uWSGI without needing the Apache web server. When the keystone_use_uwsgi option is enabled, the uWSGI process is set up to listen on port 5000.
Added support for using mod_auth_openidc instead of shibboleth as a service provider, for users who prefer OIDC for federation. mod_auth_openidc is the Apache module recommended in the keystone documentation for implementing OIDC. A variable called apache_mod has been added to keystone_sp; if it is left undefined, shibboleth will continue to be installed by default, provided keystone_sp is not empty. mod_auth_openidc will not be installed unless the value is spelled correctly; any misspelling results in a shibboleth install. Note that installing shibboleth on Debian based metal distro deployments may break services that depend on libcurl4, as shib2 requires libcurl3 and the two cannot coexist. This can be resolved once a shib3 package is available in a future release of Ubuntu/Debian. There is currently no support for simultaneous use of shibboleth2 and mod_auth_openidc.
The role now supports using the distribution packages for the OpenStack services instead of the pip ones. This feature is disabled by default and can be enabled by simply setting the keystone_install_method variable to distro.
Support separate oslo.messaging services for RPC and Notifications to enable operation of separate and different messaging backend servers in keystone.
Upgrade Notes
Application credentials are now enabled by default as a keystone authentication method. If deployments do not wish to enable application credentials, the existing keystone_auth_methods variable can be overridden with the required set of authentication methods.
The following keystone role variables were previously deprecated, and are now removed. Replacement variables were introduced in the Xena release.
keystone_database_pool_timeout
keystone_database_max_pool_size
keystone_database_idle_timeout
The keystone installation now uses ansible-role-pki to create and install a server certificate for Apache when keystone_ssl is true. The same role is also used to create a CA certificate and key for SAML federation when keystone_idp is populated by the deployer. For an existing keystone SAML setup the certificate and key will be re-created, which may be undesirable, unless the existing ones are first copied to the relevant directories in /etc/openstack_deploy/pki/roots on the deploy host. The variables keystone_ssl_self_signed_regen and keystone_ssl_self_signed_subject are removed and are replaced with equivalent functionality via the new keystone_pki_* variables.
Keystone now uses the common uwsgi role for uWSGI deployment. Along with that, the variable keystone_services has been extended with the arguments required for uWSGI. If you override this variable locally, make sure to update its structure accordingly.
Keystone OIDC parameter ‘oidc_redirect_uri’ is replaced with ‘oidc_redirect_path’. This parameter no longer needs to be set explicitly unless you run additional services which may collide with the default on the same port as Keystone. Your OIDC provider may need to be updated to reflect this change in redirect URI which defaults to the Keystone public URL plus the path /oidc_redirect.
The tasks creating a keystone service user have been removed, along with the related variables keystone_service_user_name and keystone_service_password. This user can be deleted in existing deployments.
Deprecation Notes
For consistency reasons, the following variables were deprecated in favor of new ones in the standardized format used in other repositories:
keystone_database_pool_timeout -> keystone_db_pool_timeout
keystone_database_max_pool_size -> keystone_db_max_pool_size
keystone_database_idle_timeout -> keystone_db_connection_recycle_time
However, they will be supported until the next Yoga release.
keystone_database_min_pool_size was deprecated as it is deprecated in oslo.db.
The log path /var/log/keystone is no longer used to capture service logs. All logging for the Keystone service will now be sent directly to the systemd journal.
The variable keystone_requires_pip_packages is no longer required and has therefore been removed.
We removed multiple web server support for keystone and left only Apache, since nginx is missing features required for the federation setup. With this change the following variables are deprecated and have no effect:
keystone_web_server
keystone_centos_nginx_mirror
keystone_centos_nginx_key
keystone_nginx_access_log_format_combined
keystone_nginx_access_log_format_extras
keystone_nginx_ports
keystone_nginx_extra_conf
The Nginx web server will be removed and replaced with Apache during upgrade.
The variable keystone_external_ssl was deprecated and is no longer used. You can still control whether communication between HAProxy and Keystone is covered with TLS through keystone_ssl, and use haproxy_ssl or haproxy_ssl_all_vips for communication between clients and HAProxy on the frontend.
The rabbitmq server parameters have been replaced by corresponding oslo.messaging RPC and Notify parameters in order to abstract the messaging service from the actual backend server deployment.
- keystone_oslomsg_rpc_servers replaces keystone_rabbitmq_servers
- keystone_oslomsg_rpc_port replaces keystone_rabbitmq_port
- keystone_oslomsg_rpc_use_ssl replaces keystone_rabbitmq_use_ssl
- keystone_oslomsg_rpc_userid replaces keystone_rabbitmq_userid
- keystone_oslomsg_rpc_vhost replaces keystone_rabbitmq_vhost
- keystone_oslomsg_notify_servers replaces keystone_rabbitmq_telemetry_servers
- keystone_oslomsg_notify_port replaces keystone_rabbitmq_telemetry_port
- keystone_oslomsg_notify_use_ssl replaces keystone_rabbitmq_telemetry_use_ssl
- keystone_oslomsg_notify_userid replaces keystone_rabbitmq_telemetry_userid
- keystone_oslomsg_notify_vhost replaces keystone_rabbitmq_telemetry_vhost
The variable ‘keystone_ssl_cipher_suite’ is deprecated in favour of ‘keystone_ssl_cipher_suite_tls12’ which will continue to manage configuration of ciphers for TLS v1.2 and earlier.
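A helper, added here and not part of the os_keystone role, that applies the renames and removals listed in the Deprecation and Upgrade Notes above to the mapping loaded from a deployer's user_variables.yml, so stale overrides are caught before an upgrade run (the input mapping is constructed; the tables cover only the variables named on this page):

```python
"""Flag deprecated or removed os_keystone variables before a Zed upgrade.

Added example, not part of the os_keystone role. The tables below are
transcribed from the release notes; `user_vars` is the dict a YAML parser
returns for user_variables.yml.
"""

# Old name -> new name, from the Deprecation Notes.
RENAMED = {
    "keystone_database_pool_timeout": "keystone_db_pool_timeout",
    "keystone_database_max_pool_size": "keystone_db_max_pool_size",
    "keystone_database_idle_timeout": "keystone_db_connection_recycle_time",
    "keystone_ssl_cipher_suite": "keystone_ssl_cipher_suite_tls12",
}
# Variables that no longer have any effect (no direct replacement).
REMOVED = {
    "keystone_database_min_pool_size",   # deprecated in oslo.db
    "keystone_external_ssl",             # use keystone_ssl / haproxy_ssl*
    "keystone_requires_pip_packages",
    "keystone_ssl_self_signed_regen",    # superseded by keystone_pki_*
    "keystone_ssl_self_signed_subject",
    "keystone_service_user_name",        # service user tasks removed
    "keystone_service_password",
    "keystone_web_server",               # Apache only; nginx support dropped
}


def oslomsg_name(old):
    """Map keystone_rabbitmq_* to the oslo.messaging RPC/Notify names."""
    if old.startswith("keystone_rabbitmq_telemetry_"):
        return "keystone_oslomsg_notify_" + old[len("keystone_rabbitmq_telemetry_"):]
    if old.startswith("keystone_rabbitmq_"):
        return "keystone_oslomsg_rpc_" + old[len("keystone_rabbitmq_"):]
    return None


def migrate(user_vars):
    """Return (migrated mapping, warnings) without touching unknown keys."""
    out, warnings = {}, []
    for name, value in user_vars.items():
        new = RENAMED.get(name) or oslomsg_name(name)
        if new:
            if new in user_vars:  # both old and new set: keep the new value
                warnings.append(f"{name} and {new} both set; keeping {new}")
            else:
                warnings.append(f"{name} is deprecated; use {new}")
                out[new] = value
        elif name in REMOVED or "_nginx_" in name:  # keystone_*nginx_* are dead
            warnings.append(f"{name} has no effect any more; remove it")
        else:
            out[name] = value
    return out, warnings


SAMPLE = {  # constructed user_variables.yml content for demonstration
    "keystone_database_idle_timeout": 3600,
    "keystone_rabbitmq_telemetry_vhost": "/keystone",
    "keystone_external_ssl": True,
    "keystone_nginx_ports": [5000],
    "keystone_ssl_protocol": "TLSv1.2",
}
```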
Security Issues
The default TLS version has been set to TLS 1.2. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the keystone_ssl_protocol variable.
Bug Fixes
Fixes use of Apache mod_auth_openidc on Ubuntu Jammy where a new OIDCXForwardedHeaders configuration option is required.
Fixed OpenStack command line OIDC integration with Apache mod_auth_openidc >= v2.4.9, including on Ubuntu Jammy.
For deployers using Keystone as an OIDC-based Service Provider there has been a spelling fix for the OIDCScope setting. Please use keystone_sp.trusted_idp_list.0.oidc_scope instead of keystone_sp.trusted_idp_list.0.idc_scope.
The conditional that determines whether the sso_callback_template.html file is deployed for federated deployments has been fixed.
Other Notes
When running keystone with Apache (httpd), all Apache logs will be stored in the standard Apache log directory, which is controlled by the distro specific variable keystone_apache_default_log_folder.
The keystone role now has the ability to run a minimal uWSGI process for keystone when the option keystone_use_uwsgi is set to true. This feature provides operators the ability to run a minimal install without Apache. While the minimal deployment is functional, it is not featureful: things like mod_shib and OAuth are not supported when running the minimal setup.
18.0.0.0b1
Upgrade Notes
In order to collect the default files used for various templates, the implementation has been changed from using a git source to rather using the built-in templates from the venv build based on the setup.cfg file. As such, the following variables have been removed.
keystone_git_config_lookup_location
keystone_paste_git_file_path
keystone_sso_callback_git_file_path
Instead, a location on the deployment host where the venv defaults are stored is now configurable using the variable keystone_config_cache_path, which defaults to cache/keystone in the deploy user home directory. This location is used as a template source when deploying the file to the target host.
17.0.0.0rc1
Deprecation Notes
The variables keystone_memcached_servers and keystone_cache_backend_argument have been deprecated in favor of keystone_cache_servers, a list of servers for caching purposes.
17.0.0.0b2
Security Issues
The following headers were added as additional default (and static) values: X-Content-Type-Options “nosniff”, X-XSS-Protection “1; mode=block”, and Content-Security-Policy “default-src ‘self’ https: wss:;”. Additionally, the X-Frame-Options header was added, defaulting to DENY. You may override that header via the keystone_x_frame_options variable.
17.0.0.0b1
New Features
Extra headers can be added to Keystone responses by adding items to keystone_extra_headers. Example:
keystone_extra_headers:
  - parameter: "Access-Control-Expose-Headers"
    value: "X-Subject-Token"
  - parameter: "Access-Control-Allow-Headers"
    value: "Content-Type, X-Auth-Token"
  - parameter: "Access-Control-Allow-Origin"
    value: "*"
16.0.0.0b3
Upgrade Notes
Keystone now uses uWSGI exclusively (instead of Apache with mod_wsgi) and has the web server acting as a reverse proxy. The default web server is now set to Nginx instead of Apache, but Apache will automatically be used if federation is configured.
Deprecation Notes
The variables keystone_apache_enabled and keystone_mod_wsgi_enabled have been removed and replaced with a single variable keystone_web_server to optionally set the web server used for keystone.
Removed the keystone_rpc_backend option due to the deprecation of the rpc_backend option in oslo.messaging.
16.0.0.0b2
New Features
New variables have been added to allow a deployer to customize a keystone systemd unit file to their liking.
The task dropping the keystone systemd unit files now uses the config_template action plugin, allowing deployers to customize the unit files as they see fit without having to load extra options into the defaults and pollute the generic systemd unit file with jinja2 variables and conditionals.
The os_keystone role will now (by default) source the keystone-paste.ini, policy.json and sso_callback_template.html templates from the service git source instead of from the role. It also now includes a facility where you can place your own templates in /etc/openstack_deploy/keystone (by default) and they will be deployed to the target host after being interpreted by the template engine.
For the os_keystone role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables, which use the config_template task to change template defaults.
Upgrade Notes
The keystone endpoints now have versionless URLs. Any existing endpoints will be updated.
For the os_keystone role, the systemd unit TimeoutSec value, which controls the time between sending a SIGTERM signal and a SIGKILL signal when stopping or restarting the service, has been reduced from 300 seconds to 120 seconds. This provides 2 minutes for long-lived sessions to drain while preventing new ones from starting before a restart or a stop. The RestartSec value, which controls the time between the service stop and start when restarting, has been reduced from 150 seconds to 2 seconds to make the restart happen faster. These values can be adjusted by using the keystone_*_init_config_overrides variables, which use the config_template task to change template defaults.
16.0.0.0b1
New Features
The default value for the variable keystone_wsgi_processes is now capped at 16 when the user does not configure this variable. The default value is half the number of vCPUs available on the machine, capped at 16.
Critical Issues
A bug that caused the Keystone credential keys to be lost when the playbook is run during a rebuild of the first Keystone container has been fixed. Please see launchpad bug 1667960 for more details.
15.0.0.0b2
New Features
The os_keystone role now performs a rolling upgrade without downtime during installation. The process for rolling upgrades is documented here.
15.0.0.0b1
Upgrade Notes
The variables keystone_requirements_git_repo and keystone_requirements_git_install_branch have been removed in favour of using the URL/path to the upper-constraints file via the variable pip_install_upper_constraints instead.
14.0.0.0rc1
New Features
Introduced an option to deploy Keystone under uWSGI. A new variable keystone_mod_wsgi_enabled is introduced to toggle this behavior. The default is true, which continues to deploy with mod_wsgi for Apache. The ports used by uWSGI for socket and http connections for both the public and admin Keystone services are configurable (see also the keystone_uwsgi_ports dictionary variable). Other uWSGI configuration can be overridden by using the keystone_uwsgi_ini_overrides variable as documented under “Overriding OpenStack configuration defaults” in the OpenStack-Ansible Install Guide. Federation features should be considered _experimental_ with this configuration at this time.
Introduced an option to deploy Keystone behind Nginx. A new variable keystone_apache_enabled is introduced to toggle this behavior. The default is true, which continues to deploy with Apache. Additional configuration can be delivered to Nginx through the use of the keystone_nginx_extra_conf list variable. Federation features are not supported with this configuration at this time. Use of this option requires keystone_mod_wsgi_enabled to be set to false, which will deploy Keystone under uWSGI.
14.0.0.0b3
New Features
CentOS7/RHEL support has been added to the os_keystone role.
The os_keystone role now supports the ability to configure whether apt/yum tasks install the latest available package, or just ensure that the package is present. The default action is to ensure that the latest package is present. The action taken may be changed to only ensure that the package is present by setting keystone_package_state to present.
Upgrade Notes
The variable keystone_apt_packages has been renamed to keystone_distro_packages.
The variable keystone_idp_apt_packages has been renamed to keystone_idp_distro_packages.
The variable keystone_sp_apt_packages has been renamed to keystone_sp_distro_packages.
The variable keystone_developer_apt_packages has been renamed to keystone_developer_mode_distro_packages.
The os_keystone role always checks whether the latest package is installed when executed. If a deployer wishes to change the check to only validate the presence of the package, the option keystone_package_state should be set to present.
14.0.0.0b2
New Features
Added keystone_apache_custom_log_format tunable for changing CustomLog format. Default is “combined”.
Upgrade Notes
Installation of keystone and its dependent pip packages will now only occur within a Python virtual environment. The keystone_venv_enabled variable has been removed.
Security Issues
The admin_token_auth middleware presents a potential security risk and will be removed in a future release of keystone. Its use can be removed by setting the keystone_keystone_paste_ini_overrides variable so that the pipelines no longer include it:
keystone_keystone_paste_ini_overrides:
  pipeline:public_api:
    pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
  pipeline:admin_api:
    pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
  pipeline:api_v3:
    pipeline: cors sizelimit osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
14.0.0.0b1
New Features
Apache MPM tunable support has been added to the os-keystone role in order to allow MPM thread tuning. Default values reflect the current Ubuntu default settings:
keystone_httpd_mpm_backend: event
keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25
keystone_httpd_mpm_max_spare_threads: 75
keystone_httpd_mpm_thread_limit: 64
keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_conn_child: 0