Current Series Release Notes

32.0.0.0rc1-142

Prelude

Added possibility for deployments on AlmaLinux 10

Group definitions for OpenStack-Ansible were changed by replacing dashes with underscores. Please check the Upgrade section for more detatails on how this affects you.

Magnum Cluster API drivers support have been promoted from the OPS repository to the os_magnum role. Please reffer to the upgrade guide <https://docs.openstack.org/openstack-ansible/2026.1/admin/upgrades/major-upgrades.html> and os_magnum documentation for more details on required steps for migration.

New Features

  • Variables _oslomsg_rpc_vhost and _oslomsg_notify_vhost for mq_setup role are now a list of mappings, which means you can manage multiple vhosts within same role include. You can provide state and name keys for vhosts. For backwards compatability variables stil can be supplied as a string but this behaviour is deprecated and will be removed in the future.

  • Usage of AlmaLinux 10 is now possible both on deploy and target nodes.

  • Ansible Core version was switched to 2.19 series.

  • Ceph-ansible branch was switched to stable-9.0.

  • Intorduced new variable nova_console_type_mapping which defines default console types per architecture. This variable is used to define the default value of nova_console_type as well as generate available nova_console_proxy_types.

  • Added coordination support to the Ceilometer service. In case zookeeper is present in deployment, service will be configured to use it for coordination. Operators are able to supply arbitrary coordination url via ceilometer_coordination_url variable.

  • With deprecation and removal of ANSIBLE_GATHER_SUBSET, a new Ansible variable osa_gather_subset was implemented to replace it. ANSIBLE_GATHER_SUBSET is still respected and is used as a fallback in case osa_gather_subset is not defined.

  • Implemented variable glusterfs_clear_peers which can be used to clean-up stale peers along with their bricks. It is useful during OS upgrades or re-installs on the peers, when glusterfs metadata is not preserved.

  • The hashi_vault backend was added to PKI role.

  • Added series of CAPI driver-specific variables to the os_magnum role in order to allow driver version selection for deployment.

  • Introduced variable magnum_k8s_driver, with possible options:

    • heat - current default, removed in 2026.2

    • azimuth - CAPI HELM driver, relying heavily on HELM charts

      which are maintained by Azimuth Cloud.

    • vexxhost - Magnum CAPI driver maintained by Vexxhost.

  • Introduced variable venv_build_requirements which contains the list of tools required to build packages, such as setuptools, wheels, pbr, etc.

  • Introduced variable venv_default_pip_build_args which contains default arguments expected by the role which are passed to pip wheel.

  • Added new configuration option horizon_keystone_prefer_domain_token that defaults to true. When multidomain support is enabled and user has any roles in a domain, Horizon will mostly attempt to use domain scope for calls to Keystone. This behavior does not work properly with some policy combinations.

  • Introduced variable neutron_ovn_log_parameters to control the log destination and verbosity for OVN service. By default logging is performed only to the journald.

  • Introduced variable pacemaker_corosync_install which allows to skip pacemaker/corosync deployment in case some other mechanism is used for masakari monitors.

  • Added support of the Direct References <https://packaging.python.org/en/latest/specifications/version-specifiers/#direct-references> for python packages defined as part of venv_pip_packages.

  • A variable post_metal_configuration_hook is introduced, which can be used to define a hookable playbook which will execute right after configuration of metal host in perfromed inside of openstack_hosts role. This might be a handy for downstream customizations to happen, as networkd, mounts, services and kernel modules are already configured at this point, but LXC containers are not yet created.

  • Support is added for the ‘reference_group’ provider_networks parameter when identifying which net_names and VLAN ranges can be accessed by specific hosts. This targets deployments which make use of external routed provider networks.

  • Added variable security_rhel7_enable_auditd that can be used to disable auditd configuration.

  • Added variable service_update_password that will control whether password should be updated, which defaults to False. This changes previous behaviour when service passwords were always updated in the keystone on role run. Please use this variable whenever you need to update a password for the service.

  • Now you can supply role as list of mappings inside _service_users, where you can supply name and state keys. State absent will result in revoking role assignment from the user.

  • Added new configuration option horizon_swift_panel_full_listing that defaults to false. To prevent Horizon from doing full listing of containers and objects in the Swift panel that can cause high resource consumption in Horizon.

  • Added a new variable trove_guest_swift_endpoint_type which is set to public by default. This intends to replace the trove_guest_swift_url variable by fetching endpoint URL from keystone, rather then have it defined inside of guests config.

  • Introduced variable galera_transaction_isolation which is effective only for MariaDB >= 11.1. Defaults to READ-COMMITTED.

  • Updates OVN to version 26.03 for RHEL.

  • RabbitMQ was upgraded to version 4.2.7.

Known Issues

  • Octavia coordination and jobboard are disabled due to ZooKeeper instability (ConnectionLoss and session expiration issues) until the problem is resolved. Redis can be used as an alternative backend if coordination is required.

  • A known issue exists in Horizon where user sessions may be unexpectedly invalidated due to internal memoization and cache handling behavior.

    As a temporary mitigation, operators may configure Horizon to use the cookie-based session backend by setting the horizon_session_engine option to django.contrib.sessions.backends.signed_cookies instead of a memcached session storage backend.

Upgrade Notes

  • os_cinder role uses an upstream version of resource_filters.json, and local template is no longer part of the role. All overrides defined through cinder_resource_filters_overrides are applied on top of the upstream version.

  • In order to configure SPICE frontend/backend on the loadbalancer use nova_console_type_mapping instead of nova_console_type.

    For example:

    nova_console_type_mapping:
  x86_64: spice
  ppc64le: novnc
  aarch64: serialconsole

    Variable nova_console_type is compute-specific and is not used to calculate configuration for the Load Balancer.

  • The legacy service: wrapper in haproxy_service_configs is no longer supported. Only the flat service definition format is accepted. Ensure all service entries are updated before upgrading.

  • OVN version for EL-based distros is upgraded to 25.09

  • Due to OVN packaging specifics on EL-based distros, in order to perform the upgrade of packages, OVN needs to be uninstalled first. This process may lead to connectivity issues on workloads, so needs to be performed with caution.

  • In order to ensure consistent behavior for connection towards LXC hosts, a new variable physical_host_addr has been added to openstack_inventory.json for all LXC containers. This variable points to the ansible_host address of parent LXC host, and will be used by connection plugin.

  • Group metering-group_container has been renamed to ceilometer_compute_container for general consistency across group naming logic

  • All OpenStack-Ansible groups, conf.d and openstack_user_config.yml definitions were renamed by replacing all existing dashes with underscores. This change was made in order to comply with Ansible groups naming convention, which has been introduced back in Ansible 2.8. While old definitions should work after the upgrade, it is still recommended to replace group names with underscores inside of the openstack_user_config.yml and conf.d files, as well as the openstack_inventory.json, as the dynamic_inventory will not perform the conversion. Please note, that old group names can be also referenced in openstack_user_config.yml inside of the``provider_networks`` -> group_binds. So please ensure, that network bindings are also updated and contain group names only with underscores in their names. Ansible will issue a warning in case invalid group names are present in the openstack_inventory.json, but will proceed with the replacement of dashes with underscores. You can ignore these warning messages and return the previous behavior by adding ANSIBLE_TRANSFORM_INVALID_GROUP_CHARS=ignore to /etc/openstack_deploy/user.rc or silence warnings and accept conversion to the new group names by adding ANSIBLE_TRANSFORM_INVALID_GROUP_CHARS=silently to the /etc/openstack_deploy/user.rc. Change of the value for ANSIBLE_TRANSFORM_INVALID_GROUP_CHARS may affect environments, where deploy hosts are also used actively to run 3rd party Ansible roles and playbooks. You can read more about the variable and it’s effect on Ansible Community Documentation

  • In case you was already using Magnum CAPI functionality prior to this release, you will need to take several extra steps in order to migrate from standalone OPS repository to the integrated way of deploying supporting k8s cluster and CAPI drivers. Please reffer to the upgrade guide and os_magnum role documentation for more details.

  • The new default value for manila_service_type was set to ‘shared-file-system’, to align with official manila service type.

  • The new default value for manila_enable_v2_api was set to false due to the removal of v1 API. manila_service_* variables are referring to v2 API now. It means that ‘sharev2’ endpoint will disappear after the upgrade. Set manila_enable_v2_api to true to keep it present in service catalog.

  • MariaDB version is upgraded to 11.8.8.

  • Group names for Octavia were changed by replacing dashes with underscores in order to align with all other services. Following changes in group names were made:

    • octavia-api -> octavia_api

    • octavia-worker -> octavia_worker

    • octavia-housekeeping -> octavia_housekeeping

    • octavia-health-manager -> octavia_health_manager

  • Variables _oslomsg_configure_rpc and _oslomsg_configure_notify renamed to _oslomsg_rpc_configure and _oslomsg_notify_configure corresponsively to align variables naming convention in the role.

    Old variable names are not used or respected anymore.

  • It is recommended to replace all packages containing #egg fragemnt with Direct References <https://packaging.python.org/en/latest/specifications/version-specifiers/#direct-references> during the upgrade.

  • Note that ‘reference_group’ in provider_networks now impacts Neutron agent configuration. If net_names or VLAN ranges are defined alongside a ‘reference_group’, these will only be applied to hosts which exist in the ‘reference_group’. If ‘reference_group’ was not used previously then the behaviour will be unchanged. This only applies to ‘flat’ or ‘vlan’ network types.

  • Variable glance_digest_algorithm has been removed and has no effect anymore.

  • Support for Glance API v1 has been removed.

  • Variable nova_oslomsg_heartbeat_in_pthread has been removed and has no effect anymore.

  • Variable cinder_oslomsg_heartbeat_in_pthread has been removed and has no effect anymore.

  • Variable neutron_oslomsg_heartbeat_in_pthread has been removed and has no effect anymore.

  • Support for novajoin-tempest-plugin has been removed.

  • Glance scrub_time parameter has been removed.

  • Support for zaqar-tempest-plugin has been removed.

  • Glance API can now be run only with uWSGI mode. In case you currently run Glance in eventlet mode, it will be switched to uWSGI during the upgrade.

  • Format of the trove_guest_ssh_security_group_extra_rules has changed. Now, according to it’s name, the variable expects to recieve a list of rules, which will be added to the Trove management security group.

  • From now own trove_guest_swift_url default value is an empty string. Is this case, swift_url will be ommited from guest agent config, and replaced with a swift_endpoint_type value instead, which is defined via trove_guest_swift_endpoint_type.

  • During upgrade of RabbitMQ to 4.2 series, a migration from mnesia to khepri database is going to be perofromed through enabling khepri_db feature flag. You can learn more details about the migration in RabbitMQ Documentation

Deprecation Notes

  • Definition of variables _oslomsg_rpc_vhost and _oslomsg_notify_vhost as a string is deprecated in favor of list of mappings.

  • Magnum Heat driver has been deprecated by the community in 2025.1 and is removed early in 2026.2 release. Current release (2026.1) is the last release where Heat driver is available, and operators should consider migration to one of the CAPI drivers available.

  • Due to the removal of v1 API, manila_service_* variables are referring to v2 API now. manila_service_v2_* variables are not needed anymore and they are considered as deprecated:

    • manila_enable_v2_api

    • manila_service_v2_name

    • manila_service_v2_port

    • manila_service_v2_proto

    • manila_service_v2_type

    • manila_service_v2_description

    • manila_service_v2_publicuri

    • manila_service_v2_publicurl

    • manila_service_v2_adminuri

    • manila_service_v2_adminurl

    • manila_service_v2_internaluri

    • manila_service_v2_internalurl

  • Variables _oslomsg_configure_rpc and _oslomsg_configure_notify are deprecated in favor of _oslomsg_rpc_configure and _oslomsg_notify_configure.

  • Using #egg= fragments as part of the path for venv_pip_packages is deprecated and will be removed in the future.

  • Variable glance_use_uwsgi was removed and has no effect anymore.

  • Variable rabbitmq_gpg_keys was removed and does not have any effect anymore. GPG keys defenition are part of rabbitmq_repo and rabbitmq_erlang_repo for both Debian and RedHat.

  • The configuration option swift_allow_versions is deprecated and removed.

  • Swift role, configuration option expiring_objects_account_name are deprecated and removed.

Bug Fixes

  • Fixed creation of OS::Cinder::Volume with constrained cinder.vtype using Heat through update of resource_filters.json for Cinder.

  • Logic of defining and configuration of all available console types has been revamped and improved, to ensure that consoles will be configured based of available compute architectures in the deployment.

  • Fixed Horizon returning HTTP 500 when a memcached node becomes unreachable. Horizon session cache now bypasses dead nodes instead of raising a connection error, keeping the dashboard operational.

  • Usage of custom zookeeper_cluster_address_hostvars_key has been fixed for the zookeeper role. Previously it still attempted to use ansible_host variable in multiple places.

  • Fixes regression, where connection to LXC hosts was attempted through the management network while targetting LXC containers. This was affecting deployments with split SSH and Management networks, and deploy host did not have access to the Management network.

  • SPICE console deployment is fixed for Nova. See LP: #2142716

  • Templating of Swift’s PYPY_GC_MIN and PYPY_GC_MIN defenition in systemd services has been fixed, and now these environment variables are respected

  • uWSGI is now listening cert installed trigger and gets restarted on TLS certificate update.

  • Skyline deployment logic for YARN builds in multinode environments has been fixed. Though, it still relies on wheels build, and may mis-behave in case of running with -e venv_wheel_build_enable=false

  • OpenStack-Ansible and venv version detection is fixed for environments which were upgraded from pre-Flamingo releases.

  • Fixed an issue in Horizon where user sessions could be unexpectedly invalidated due to memoization and cache handling when using memcached-backed session storage.

  • Behavior of nova_console_user_ssl_cert, nova_console_user_ssl_ca_cert and nova_console_user_ssl_key was fixed.

  • OVN is now properly logging to journald instead separate log files. This fixes issue with OVN log files not being managed and rotated, which leads to excessive disk consumption.

  • GPG key URLs for RabbitMQ and Erlang were updated to relevant ones for RPM-based distributions. This fixes RabbitMQ/Erlang installation for CentOS and Rocky Linux.

  • Fixed behavior of trove_guest_ssh_security_group_extra_rules, as it used to expect list of extra security groups to be defined, instead of extending management security group with user rules.

  • Different race conditions in services are fixed when keystone password is forcefully reseted. Closes Bug: #2023370

  • For MariaDB 11.1 and higher, a parameter transaction_isolation is defined explicitly and set to READ-COMMITTED in order to avoid race conditions when multiple instances of a service are trying to read at the same time.

Other Notes

  • Default value of httpd_custom_log_format has changed to include %{X-Forwarded-For}i by default. When header is not present, it will be logged as an extra "-".

  • Updated default value of keystone_apache_custom_log_format to contain the X-Forwarded-For header logging when present.

  • The python_venv_build role is not using build isolation provided by PIP for the installed packages and built wheels. The --no-build-isolation is passed to both pip install and pip wheel command. Please, ensure all required tools are present in venv_build_requirements for successfull installation.

32.0.0.0rc1

New Features

  • Added support for condition key for ceph_extra_components mapping, which could be used to define a more narrow conditions when component should be having ceph mappings.

  • Introduced variable ceph_cinder_backup_enabled which can be manually overriden to enable provisionment of Ceph client to cinder-backup service. Previously logic for this has been hardcoded and not easily overridable.

  • Added coordination support to the Aodh service. In case zookeeper is present in deployment, service will be configured to use it for coordination. Operators are able to supply arbitrary coordination url via aodh_coordination_url variable.

  • Erlang version was updated to 27.3.x series.

  • RabbitMQ version was upgraded to version 4.1.4

  • Added variable venv_install_tool which has default value of pip. You can define it to uv to leverage package installation inside of the venv using uv tool instead of pip. Wheels build and venv creation is still managed via pip and venv respectively.

Upgrade Notes

  • Variable networking_ovn_bgp_install_branch has been renamed to networking_ovn_bgp_git_install_branch in order to match existing naming convention.

  • With removal of eventlet mode for neutron-server in Neutron, the only supported mode for the service is uWSGI. All deployments using eventlet will be migrated to uWSGI mode for neutron-server. With that multiple extra mandatory services will be started together with neutron-server, like neutron-rpc-server, neutron-periodic-workers and neutron-ovn-maintenance-worker for OVN-based deployments.

Deprecation Notes

  • Variable neutron_use_uwsgi has been removed and has no effect, since eventlet mode for neutron-server has been dropped in 2025.2 (Flamingo). uWSGI is the only supported mode at the moment.

  • Variable octavia_legacy_policy was removed and has no effect anymore. In case you was using the variable and it was set to True, you can incorporate policy changes this variable was implementing to your octavia_policy_overrides. You may find rules controlled by this variable via the link

  • Remove SHOW_KEYSTONE_V2_RC config option, which was deprecated since the Stein release. It is now safe to remove this option.

Bug Fixes

  • Fixes SHA pinning and installation of ovn-bgp-agent, as SHA pinning and role were using different variable names.

  • URI to Shibboleth mirror has been fixed for EL-based distributions.

Other Notes

  • Debian/Ubuntu Repository for RabbitMQ has changed from ppa1.rabbitmq.com to deb1.rabbitmq.com and deb2.rabbitmq.com.