sed s/2023.1/2024.1

Author: Alex-Welsh

.github/workflows/stackhpc-all-in-one.yml

@@ -81,9 +81,9 @@ jobs:
       KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }}
       KAYOBE_IMAGE: ${{ inputs.kayobe_image }}
       # NOTE(upgrade): Reference the PREVIOUS release here.
-      PREVIOUS_KAYOBE_IMAGE: ghcr.io/stackhpc/stackhpc-kayobe-config:stackhpc-zed
+      PREVIOUS_KAYOBE_IMAGE: ghcr.io/stackhpc/stackhpc-kayobe-config:stackhpc-2023.1
       # NOTE(upgrade): Reference the PREVIOUS release branch here.
-      PREVIOUS_BRANCH: stackhpc/zed
+      PREVIOUS_BRANCH: stackhpc/2023.1
     steps:
       - name: Install Package
         uses: ConorMacBride/install-package@main

.github/workflows/stackhpc-build-kayobe-image.yml

@@ -8,7 +8,7 @@ on:
   push:
     branches:
       # NOTE(upgrade): Reference only the current release branch here.
-      - stackhpc/2023.1
+      - stackhpc/2024.1
 
   workflow_call:
     inputs:

.github/workflows/stackhpc-promote.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       # NOTE(upgrade): Reference only the current release branch here.
-      - stackhpc/2023.1
+      - stackhpc/2024.1
 jobs:
   promote:
     name: Trigger Pulp promotion workflows

.readthedocs.yaml

@@ -13,7 +13,7 @@ build:
     python: "3.7"
   jobs:
     post_checkout:
-      - git remote set-branches origin master stackhpc/2023.1 stackhpc/zed stackhpc/yoga stackhpc/xena stackhpc/wallaby
+      - git remote set-branches origin master stackhpc/2024.1 stackhpc/2023.1 stackhpc/zed stackhpc/yoga stackhpc/xena stackhpc/wallaby
       - git fetch --unshallow
 
 # Build documentation in the doc/source/ directory with Sphinx

doc/source/conf.py

@@ -29,8 +29,8 @@
 # -- StackHPC Kayobe configuration --------------------------------------
 # Variables to override
 
-current_series = "2023.1"
-previous_series = "zed"
+current_series = "2024.1"
+previous_series = "2023.1"
 branch = f"stackhpc/{current_series}"
 
 # Substitutions loader

doc/source/contributor/environments/ci-aio.rst

@@ -30,7 +30,7 @@ Download the setup script:
 
 .. parsed-literal::
 
-   wget https://raw.githubusercontent.com/stackhpc/stackhpc-kayobe-config/stackhpc/2023.1/etc/kayobe/environments/ci-aio/automated-setup.sh
+   wget https://raw.githubusercontent.com/stackhpc/stackhpc-kayobe-config/stackhpc/2024.1/etc/kayobe/environments/ci-aio/automated-setup.sh
 
 Change the permissions on the script:
 

doc/source/contributor/package-updates.rst

@@ -7,13 +7,13 @@ This section describes the Release Train process of creating new package reposit
 Preparations
 ============
 
-1. Before building images, you should check for any outstanding PRs into the earliest supported release. Below are the links for the 2023.1 (Antelope) branches.
+1. Before building images, you should check for any outstanding PRs into the earliest supported release. Below are the links for the 2024.1 (Caracal) branches.
 
- kayobe-config: https://github.com/stackhpc/stackhpc-kayobe-config/pulls?q=is%3Apr+is%3Aopen+base%3Astackhpc%2F2023.1
+ kayobe-config: https://github.com/stackhpc/stackhpc-kayobe-config/pulls?q=is%3Apr+is%3Aopen+base%3Astackhpc%2F2024.1
 
- kolla: https://github.com/stackhpc/kolla/pulls?q=is%3Apr+is%3Aopen+base%3Astackhpc%2F2023.1
+ kolla: https://github.com/stackhpc/kolla/pulls?q=is%3Apr+is%3Aopen+base%3Astackhpc%2F2024.1
 
- kolla-ansible: https://github.com/stackhpc/kolla-ansible/pulls?q=is%3Apr+is%3Aopen+base%3Astackhpc%2F2023.1
+ kolla-ansible: https://github.com/stackhpc/kolla-ansible/pulls?q=is%3Apr+is%3Aopen+base%3Astackhpc%2F2024.1
 
  You should also check any referenced source trees in etc/kayobe/kolla.yml.
 

doc/source/operations/upgrading.rst

@@ -35,193 +35,26 @@ Notable changes in the |current_release| Release
 There are many changes in the OpenStack |current_release| release described in
 the release notes for each project. Here are some notable ones.
 
-Systemd container management
-----------------------------
-
-Containers deployed by Kolla Ansible are now managed by Systemd. Containers log
-to journald and have a unit file in ``/etc/systemd/system`` named
-``kolla-<container name>-container.service``. Manual control of containers
-should be performed using ``systemd start|stop|restart`` etc. rather than using
-the Docker CLI.
-
-Secure RBAC
------------
-
-Secure Role Based Access Control (RBAC) is an ongoing effort in OpenStack, and
-new policies have been evolving alongside the deprecated legacy policies.
-Several projects have changed the default value of the ``[oslo_policy]
-enforce_new_defaults`` configuration option to ``True``, meaning that the
-deprecated legacy policies are no longer applied. This results in more strict
-policies that may affect existing API users. The following projects have made
-this change:
-
-* Glance
-* Nova
-
-Some things to watch out for:
-
-* Policies may require the ``member`` role rather than the deprecated
-  ``_member_`` and ``Member`` roles.
-* Application credentials may need to be regenerated to grant any roles
-  required by the secure RBAC policies.
-* Application credentials generated before the existence of any implicit roles
-  will not be granted those roles. This may include the ``reader`` role, which
-  is referenced in some of the new secure RBAC policies. This issue has been
-  seen in app creds generated in the Yoga release. See `Keystone bug 2030061
-  <https://bugs.launchpad.net/keystone/+bug/2030061>`_.
-
-  While the Keystone docs suggest that the ``member`` role should imply the
-  ``reader`` role, it has been seen at a customer that newly-generated app
-  creds in the Antelope release may need both the ``member`` and ``reader``
-  role specified.
-
-  Here are some SQL scripts you can call to first see if any app creds are
-  affected, and then add the reader role where needed. It is recommended to
-  `backup the database
-  <https://docs.openstack.org/kayobe/latest/administration/overcloud.html#performing-database-backups>`__
-  before running these.
-
-  .. code-block:: sql
-
-     docker exec -it mariadb bash
-     mysql -u root -p  keystone
-     # Enter the database password when prompted.
-
-     SELECT application_credential.internal_id, role.id AS reader_role_id
-     FROM application_credential, role
-     WHERE role.name = 'reader'
-     AND NOT EXISTS (
-         SELECT 1
-         FROM application_credential_role
-         WHERE application_credential_role.application_credential_id = application_credential.internal_id
-         AND application_credential_role.role_id = role.id
-     );
-
-     INSERT INTO application_credential_role (application_credential_id, role_id)
-     SELECT application_credential.internal_id, role.id
-     FROM application_credential, role
-     WHERE role.name = 'reader'
-     AND NOT EXISTS (
-         SELECT 1
-         FROM application_credential_role
-         WHERE application_credential_role.application_credential_id = application_credential.internal_id
-         AND application_credential_role.role_id = role.id
-     );
-
-* If you have overwritten ``[auth] tempest_roles`` in your Tempest config, such
-  as to add the ``creator`` role for Barbican, you will need to also add the
-  ``member role``. eg:
-
-  .. code-block:: ini
-
-     [auth]
-     tempest_roles = creator,member
-* To check trusts for the _member_ role, you will need to list the role
-  assignments in the database, as only the trustor and trustee users can show
-  trust details from the CLI:
-
-  .. code-block:: console
-
-     openstack trust list
-     docker exec -it mariadb bash
-     mysql -u root -p  keystone
-     # Enter the database password when prompted.
-     SELECT * FROM trust_role WHERE trust_id = '<trust-id>' AND role_id = '<_member_-role-id>';
-* Policies may require the ``reader`` role rather than the non-standardised
-  ``observer`` role. The following error was observed in Horizon: ``Policy doesn’t allow os_compute_api:os-simple-tenant-usage:show to be performed``,
-  when the user only had the observer role in the project. It is best to keep the observer role until all projects have the ``enforce_new_defaults``
-  config option set. A one liner is shown below (or update your projects config):
-
-  .. code-block:: console
-
-     openstack role assignment list --effective --role observer -f value -c User -c Project | while read line; do echo $line | xargs bash -c 'openstack role add --user $1 --project $2 reader' _; done
-
-OVN enabled by default
-----------------------
-
-OVN is now enabled by default in StackHPC Kayobe Configuration.  This change
-was made to align with our standard deployment configuration.
-
-There is currently not a tested migration path from OVS to OVN on a running
-system. If you are using a Neutron plugin other than ML2/OVN, set
-``kolla_enable_ovn`` to ``false`` in ``etc/kayobe/kolla.yml``.
-
-For new deployments using OVN, see
-:kolla-ansible-doc:`reference/networking/neutron.html#ovn-ml2-ovn`.
-
-Kolla config merging
---------------------
-
-The Antelope release introduces Kolla config merging between Kayobe
-environments and base configurations. Before Antelope, any configuration under
-``$KAYOBE_CONFIG_PATH/kolla/config`` would be ignored when any Kayobe
-environment was activated.
-
-In Antelope, the Kolla configuration from the base will be merged with the
-environment. This can result in significant changes to the Kolla config. Take
-extra care when creating the Antelope branch of the kayobe-config and always
-check the config diff.
+TODO
+----
 
 Known issues
 ============
 
-* Rebuilds of servers with volumes are broken if there are any Nova compute
-  services running an older release, including any that are down. Old compute
-  services should be removed using ``openstack compute service delete``, then
-  remaining compute services restarted. See `LP#2040264
-  <https://bugs.launchpad.net/nova/+bug/2040264>`__.
-
-* The OVN sync repair tool removes metadata ports, breaking OVN load balancers.
-  See `LP#2038091 <https://bugs.launchpad.net/neutron/+bug/2038091>`__.
-
-* When you try to generate config before the 2023.1 upgrade (i.e. using 2023.1
-  Kolla-Ansible but still running Zed kolla-toolbox), it will fail on Octavia.
-  This patch is needed to fix this:
-  https://review.opendev.org/c/openstack/kolla-ansible/+/905500
-
-* If you run ``kayobe overcloud service upgrade`` twice, it will cause shard
-  allocation to be disabled in OpenSearch. See `LP#2049512
-  <https://bugs.launchpad.net/kolla-ansible/+bug/2049512>`__ for details.
-
-  You can check if this is affecting your system with the following command. If
-  ``transient.cluster.routing.allocation.enable=none`` is present, shard
-  allocation is disabled.
-
-  .. code-block:: console
-
-     curl http://<controller-ip>:9200/_cluster/settings
-
-  For now, the easiest way to fix this is to turn allocation back on:
-
-  .. code-block:: console
-
-     curl -X PUT http://<controller-ip>:9200/_cluster/settings -H 'Content-Type:application/json' -d '{"transient":{"cluster":{"routing":{"allocation":{"enable":"all"}}}}}'
-
-* Docker log-opts are currently not configured in Antelope. You will see these
-  being removed when running a host configure in check+diff mode. See bug for
-  details (fix released):
-  https://bugs.launchpad.net/ansible-collection-kolla/+bug/2040105
-
-* /etc/hosts are not templated correctly when running a host configure with
-  ``--limit``. To work around this, run your host configures with
-  ``--skip-tags etc-hosts``. If you do need to change ``/etc/hosts``, for
-  example with any newly-added hosts, run a full host configure afterward with
-  ``--tags etc-hosts``. See bug for details (fix released):
-  https://bugs.launchpad.net/kayobe/+bug/2051714
+* None!
 
 Security baseline
 =================
 
-As part of the Zed and Antelope releases we are looking to improve the security
+As part of the Caracal release we are looking to improve the security
 baseline of StackHPC OpenStack deployments. If any of the following have not
-been done, they should ideally be completed before the upgrade begins,
-otherwise afterwards.
+been done, they should be completed before the upgrade begins.
 
 .. TODO: Add these when docs exist
 
    * Enable `host firewalling <TODO>`_
-   * Enable `Center for Internet Security (CIS) compliance <TODO>`_
 
+* Enable `Center for Internet Security (CIS) compliance <../configuration/security-hardening.rst>`_
 * Enable TLS on the :kayobe-doc:`public API network
   <configuration/reference/kolla-ansible.html#tls-encryption-of-apis>`
 * Enable TLS on the `internal API network <../configuration/vault.html>`_

doc/source/release-notes.rst

@@ -1,6 +1,6 @@
 ====================================
-2023.1 Antelope Series Release Notes
+2024.1 Antelope Series Release Notes
 ====================================
 
 .. release-notes::
-   :branch: stackhpc/2023.1
+   :branch: stackhpc/2024.1

doc/source/usage.rst

@@ -16,7 +16,7 @@ when used with Kayobe's :kayobe-doc:`multiple environments
 <multiple-environments>` feature.
 
 This configuration should be consumed using the `StackHPC Kayobe fork
-<https://github.com/stackhpc/kayobe/tree/stackhpc/2023.1>`__, which includes
+<https://github.com/stackhpc/kayobe/tree/stackhpc/2024.1>`__, which includes
 backported support for Ansible collections.
 
 New deployments

etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh

@@ -10,8 +10,8 @@
 set -eu
 
 BASE_PATH=~
-KAYOBE_BRANCH=stackhpc/2023.1
-KAYOBE_CONFIG_BRANCH=stackhpc/2023.1
+KAYOBE_BRANCH=stackhpc/2024.1
+KAYOBE_CONFIG_BRANCH=stackhpc/2024.1
 KAYOBE_ENVIRONMENT=aufn-ceph
 
 PELICAN_HOST="10.0.0.34 pelican pelican.service.compute.sms-lab.cloud"

etc/kayobe/environments/ci-aio/automated-setup.sh

@@ -3,8 +3,8 @@
 set -eux
 
 BASE_PATH=~
-KAYOBE_BRANCH=stackhpc/2023.1
-KAYOBE_CONFIG_BRANCH=stackhpc/2023.1
+KAYOBE_BRANCH=stackhpc/2024.1
+KAYOBE_CONFIG_BRANCH=stackhpc/2024.1
 KAYOBE_AIO_LVM=true
 
 if [[ ! -f $BASE_PATH/vault-pw ]]; then

etc/kayobe/kolla-image-tags.yml

@@ -4,25 +4,5 @@
 # where the key is the OS distro and the value is the tag to deploy.
 kolla_image_tags:
   openstack:
-    rocky-9: 2023.1-rocky-9-20240202T105928
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240129T151608
-  haproxy_ssh:
-    rocky-9: 2023.1-rocky-9-20240205T162323
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240221T133905
-  heat:
-    rocky-9: 2023.1-rocky-9-20240319T134201
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240319T134201
-  horizon:
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240402T104530
-  letsencrypt:
-    rocky-9: 2023.1-rocky-9-20240205T162323
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240221T133905
-  magnum:
-    rocky-9: 2023.1-rocky-9-20240422T152338
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240422T152338
-  neutron:
-    rocky-9: 2023.1-rocky-9-20240202T145927
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240221T103817
-  grafana:
-    rocky-9: 2023.1-rocky-9-20240313T165255
-    ubuntu-jammy: 2023.1-ubuntu-jammy-20240313T165255
+    rocky-9: 2024.1-rocky-9-placeholder
+    ubuntu-jammy: 2024.1-ubuntu-jammy-placeholder

releasenotes/source/2024.1.rst

@@ -0,0 +1,6 @@
+===================================
+2024.1 Caracal Series Release Notes
+===================================
+
+.. release-notes::
+   :branch: stackhpc/2024.1

releasenotes/source/index.rst

@@ -7,6 +7,7 @@ Contents
 .. toctree::
    :maxdepth: 2
 
+   2024.1
    2023.1
    zed
    yoga

requirements.txt

@@ -1,3 +1,3 @@
-kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/2023.1
+kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/2024.1
 ansible-modules-hashivault>=5.2.1
 jmespath

tox.ini

@@ -20,7 +20,7 @@ commands =
 allowlist_externals = rm
 skip_install = true
 deps =
-  -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2023.1}
+  -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2024.1}
   -r{toxinidir}/releasenotes/requirements.txt
 commands =
   rm -rf releasenotes/build/html
@@ -30,7 +30,7 @@ commands =
 allowlist_externals = rm
 skip_install = true
 deps =
-    -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2023.1}
+    -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2024.1}
     -r{toxinidir}/doc/requirements.txt
 commands =
   rm -rf doc/build/html