From d4cbea695144f30382fc3f4dea7f2660eff719de Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 2 Nov 2023 12:38:24 +0000 Subject: [PATCH] docs: Add notable changes in upgrade notes for Antelope --- doc/source/operations/upgrading.rst | 46 +++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/doc/source/operations/upgrading.rst b/doc/source/operations/upgrading.rst index 30c2f02fa..3a70b8eb4 100644 --- a/doc/source/operations/upgrading.rst +++ b/doc/source/operations/upgrading.rst 
@@ -38,9 +38,55 @@ the release notes for each project. Here are some notable ones. Systemd container management ---------------------------- +Containers deployed by Kolla Ansible are now managed by Systemd. Containers log +to journald and have a unit file in ``/etc/systemd/system`` named +``kolla--container.service``. Manual control of containers +should be performed using ``systemd start|stop|restart`` etc. rather than using +the Docker CLI. + Secure RBAC ----------- +Secure Role Based Access Control (RBAC) is an ongoing effort in OpenStack, and +new policies have been evolving alongside the deprecated legacy policies. +Several projects have changed the default value of the ``[oslo_policy] +enforce_new_defaults`` configuration option to ``True``, meaning that the +deprecated legacy policies are no longer applied. This results in more strict +policies that may affect existing API users. The following projects have made +this change: + +* Glance +* Nova + +Some things to watch out for: + +* Policies may require the ``member`` role rather than the deprecated + ``_member_`` and ``Member`` roles. +* Application credentials may need to be regenerated to grant any new roles. + This may include the implicit ``reader`` role. + +OVN enabled by default +---------------------- + +OVN is now enabled by default in StackHPC Kayobe Configuration. Additionally, +OVN distributed floating IPs are enabled by default. This change was made to +align with our standard deployment configuration. + +If you are using a Neutron plugin other than ML2/OVN, set ``kolla_enable_ovn`` +to ``false`` in ``etc/kayobe/kolla.yml``. + +Known issues +============ + +* Rebuilds of servers with volumes are broken if there are any Nova compute + services running an older release, including any that are down. Old compute + services should be removed using ``openstack compute service delete``, then + remaining compute services restarted. See `LP#2040264 + `__. 
+ +* The OVN sync repair tool removes metadata ports, breaking OVN load balancers. + See `LP#2038091 `__. + Security baseline =================
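Review bot: In the "Systemd container management" paragraph, ``systemd start|stop|restart`` is not a command an operator can run; the control CLI is ``systemctl``, so the sentence should read ``systemctl start|stop|restart``. In the same paragraph the unit name appears as ``kolla--container.service`` with nothing between the two hyphens. If a placeholder for the container name was intended there, write it in a form that survives rendering. Since the text says containers now log to journald, it would also help to name ``journalctl -u`` with that unit name as the way to read those logs, next to the advice to stop using the Docker CLI. The two Launchpad references under "Known issues" show empty link targets here; check that both URLs are present in the RST source.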