Release Notes
Development Release
v5.0.0-beta.1-173
New Features
Add specific helm-toolkit patch on 0.2.78. This will allow the DB drop and init jobs to be compatible with SQLAlchemy 2.0.
The Keystone role now supports additional parameters when creating the Keycloak realm to allow for the configuration of options such as password policy, brute force protection, and more.
Add the glance_image_tempfile_path variable to allow users to change the temporary path for downloading images before uploading them to Glance.
Keycloak is now configured to have the token-exchange and the admin-fine-grained-authz features enabled to allow for use of the OAuth Token Exchange protocol.
The Keystone role now supports configuring multi-factor authentication for the users within the Atmosphere realm.
Add support for a Neutron policy check when performing a port update that adds address pairs. This adds a POST method, /address-pair, which checks that both ports (to be paired) were created within the same project. With this check, non-admin users can be allowed to operate address pair bindings without the risk of exposing resources to other projects.
Introduced a new Rust-based binary ovsinit which focuses on handling the migration of IP addresses from a physical interface to an OVS bridge during the Neutron or OVN initialization process.
Adding basic Atmosphere upgrade process.
It is now possible to configure DPDK interfaces using the interface names in addition to possibly being able to use the pci_id to ease deploying in heterogeneous environments.
All roles that deploy Ingress resources as part of the deployment process now support the ability to specify the class name to use for the Ingress resource. This is done by setting the <role>_ingress_class_name variable to the desired class name.
Introduced the ability to specify a prefix for image names. This allows for easier integration with image proxies and caching mechanisms, eliminating the need to maintain separate inventory overrides for each image.
It’s now possible to use the default TLS certificates configured within the ingress by using the ingress_use_default_tls_certificate variable which will omit the tls section from any Ingress resources managed by Atmosphere.
The Barbican role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Storpool driver has been updated from the Bobcat release to the Caracal release.
The Cinder role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Designate role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Applied the same pod affinity rules used for OVN NB/SB sts’s to northd deployment and changed the default pod affinity rules from preferred during scheduling to required during scheduling.
The ovn-northd service did not have liveness probes enabled which can result in the pod failing readiness checks but not being automatically restarted. The liveness probe is now enabled by default which will restart any stuck ovn-northd processes.
The Glance role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Heat role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Horizon role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Ironic role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Keystone role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Magnum role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Manila role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Neutron role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Nova role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Octavia role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Neutron now supports using the built-in DHCP agent when using OVN (Open Virtual Network) for cases when DHCP relay is necessary.
The Placement role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The ovn-controller image is now being pre-pulled on the nodes prior to the Helm chart being deployed. This will help reduce the time it takes to switch over to the new version of the ovn-controller image.
The Staffeln role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Known Issues
The MTU for the metadata interfaces for OVN was not being set correctly, leading to a mismatch between the MTU of the metadata interface and the MTU of the network. This has been fixed with a Neutron change to ensure the neutron:mtu value in external_ids is set correctly.
Upgrade Notes
Bump OVN from 24.03.1-44 to 24.03.2.34.
Upgrade Cluster API driver for Magnum to 0.26.0.
Security Issues
The Horizon service now runs as the non-privileged user horizon in the container.
The Horizon service ALLOWED_HOSTS setting is now configured to point to the configured endpoints for the service.
The CORS headers are now configured to only allow requests from the configured endpoints for the service.
Bug Fixes
The [privsep_osbrick]/helper_command configuration value was not configured in both of the Cinder and Nova services, which led to the inability to run certain CLI commands since it tried to do a plain sudo instead. This has been fixed by adding the missing helper command configuration to both services.
The dmidecode package which is required by the os-brick library for certain operations was not installed on the images that needed it, which can cause NVMe-oF discovery issues. The package has been added to all images that require it.
The [cinder]/auth_type configuration value was not set, resulting in the entire Cinder section not being rendered in the configuration file. It is now set to password which will fully render the Cinder section for OpenStack Nova.
The nova user within the nova-ssh image was missing the SHELL build argument which would cause live & cold migrations to fail. This has been resolved by adding the missing build argument.
During a Neutron or OVN initialization process, the routes assigned to the physical interface are now removed and added to the OVS bridge to maintain the connectivity of the host.
The Cluster API driver for Magnum has been bumped to 0.26.2 to address bugs around cluster deletion.
The Open vSwitch version has been bumped to 3.3.0 in order to resolve packet drops, including the "Packet dropped. Max recirculation depth exceeded." log messages in the Open vSwitch log.
This fix introduces a kernel option to adjust aio-max-nr, ensuring that the system can handle more asynchronous I/O events, preventing VM startup failures related to AIO limits.
Fixed an issue where the neutron-ironic-agent service failed to start.
When using OVS with DPDK, both OVS and OVN run as the root user by default, which may prevent QEMU from writing the vhost-user socket file in the Open vSwitch runtime directory (/run/openvswitch). This has been fixed by configuring the Open vSwitch and OVN components to run as the non-root user ID 42424, which is the same as QEMU and other OpenStack services inside the container.
The CI tooling for pinning images has been fixed to properly work after a regression caused by the introduction of the atmosphere_image_prefix variable.
The documentation for using the vTPM was pointing to the incorrect metadata properties for images. This has been corrected to point to the correct metadata properties.
Fix two redundant securityContext problems in statefulset-compute-ironic.yaml template.
The Cluster API driver for Magnum is now configured to use the internal endpoints by default in order to avoid going through the ingress and leverage client-side load balancing.
Other Notes
The documentation has been updated to include release notes for all of the current supported Atmosphere releases.
The Atmosphere collection now uses the new major version of the OpenStack collection as a dependency.
The upload jobs have been removed from the gate pipeline and replaced by the same build jobs since we use the intermediate registry to store the images.
The project has adopted the use of reno for release notes, ensuring that all changes include it from now on to ensure proper release notes.
The heavy CI jobs are now skipped when release notes are changed.
The image build process has been refactored to use docker-bake which allows us to use context/built images from one target to another, allowing for a much easier local building experience. There is no functional change in the images.
The images now use the uv tool to create the virtual environment which is faster and more reliable than the previous method.
OpenStack Dalmatian (2024.2)
v5.0.0-beta.1-171
New Features
Add specific helm-toolkit patch on 0.2.78. This will allow the DB drop and init jobs to be compatible with SQLAlchemy 2.0.
The Keystone role now supports additional parameters when creating the Keycloak realm to allow for the configuration of options such as password policy, brute force protection, and more.
Add the glance_image_tempfile_path variable to allow users to change the temporary path for downloading images before uploading them to Glance.
The Keystone role now supports configuring multi-factor authentication for the users within the Atmosphere realm.
Add support for a Neutron policy check when performing a port update that adds address pairs. This adds a POST method, /address-pair, which checks that both ports (to be paired) were created within the same project. With this check, non-admin users can be allowed to operate address pair bindings without the risk of exposing resources to other projects.
Introduced a new Rust-based binary ovsinit which focuses on handling the migration of IP addresses from a physical interface to an OVS bridge during the Neutron or OVN initialization process.
It is now possible to configure DPDK interfaces using the interface names in addition to possibly being able to use the pci_id to ease deploying in heterogeneous environments.
All roles that deploy Ingress resources as part of the deployment process now support the ability to specify the class name to use for the Ingress resource. This is done by setting the <role>_ingress_class_name variable to the desired class name.
Introduced the ability to specify a prefix for image names. This allows for easier integration with image proxies and caching mechanisms, eliminating the need to maintain separate inventory overrides for each image.
It’s now possible to use the default TLS certificates configured within the ingress by using the ingress_use_default_tls_certificate variable which will omit the tls section from any Ingress resources managed by Atmosphere.
The Barbican role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Storpool driver has been updated from the Bobcat release to the Caracal release.
The Cinder role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Designate role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Applied the same pod affinity rules used for OVN NB/SB sts’s to northd deployment and changed the default pod affinity rules from preferred during scheduling to required during scheduling.
The ovn-northd service did not have liveness probes enabled which can result in the pod failing readiness checks but not being automatically restarted. The liveness probe is now enabled by default which will restart any stuck ovn-northd processes.
The Glance role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Heat role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Horizon role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Ironic role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Keystone role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Magnum role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Manila role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Neutron role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Nova role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Octavia role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Neutron now supports using the built-in DHCP agent when using OVN (Open Virtual Network) for cases when DHCP relay is necessary.
The Placement role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The ovn-controller image is now being pre-pulled on the nodes prior to the Helm chart being deployed. This will help reduce the time it takes to switch over to the new version of the ovn-controller image.
The Staffeln role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Known Issues
The MTU for the metadata interfaces for OVN was not being set correctly, leading to a mismatch between the MTU of the metadata interface and the MTU of the network. This has been fixed with a Neutron change to ensure the neutron:mtu value in external_ids is set correctly.
Upgrade Notes
Bump OVN from 24.03.1-44 to 24.03.2.34.
Upgrade Cluster API driver for Magnum to 0.26.0.
Security Issues
The Horizon service now runs as the non-privileged user horizon in the container.
The Horizon service ALLOWED_HOSTS setting is now configured to point to the configured endpoints for the service.
The CORS headers are now configured to only allow requests from the configured endpoints for the service.
Bug Fixes
The [privsep_osbrick]/helper_command configuration value was not configured in both of the Cinder and Nova services, which led to the inability to run certain CLI commands since it tried to do a plain sudo instead. This has been fixed by adding the missing helper command configuration to both services.
The dmidecode package which is required by the os-brick library for certain operations was not installed on the images that needed it, which can cause NVMe-oF discovery issues. The package has been added to all images that require it.
The [cinder]/auth_type configuration value was not set, resulting in the entire Cinder section not being rendered in the configuration file. It is now set to password which will fully render the Cinder section for OpenStack Nova.
The nova user within the nova-ssh image was missing the SHELL build argument which would cause live & cold migrations to fail. This has been resolved by adding the missing build argument.
During a Neutron or OVN initialization process, the routes assigned to the physical interface are now removed and added to the OVS bridge to maintain the connectivity of the host.
The Cluster API driver for Magnum has been bumped to 0.26.2 to address bugs around cluster deletion.
The Open vSwitch version has been bumped to 3.3.0 in order to resolve packet drops, including the "Packet dropped. Max recirculation depth exceeded." log messages in the Open vSwitch log.
This fix introduces a kernel option to adjust aio-max-nr, ensuring that the system can handle more asynchronous I/O events, preventing VM startup failures related to AIO limits.
Fixed an issue where the neutron-ironic-agent service failed to start.
When using OVS with DPDK, both OVS and OVN run as the root user by default, which may prevent QEMU from writing the vhost-user socket file in the Open vSwitch runtime directory (/run/openvswitch). This has been fixed by configuring the Open vSwitch and OVN components to run as the non-root user ID 42424, which is the same as QEMU and other OpenStack services inside the container.
The CI tooling for pinning images has been fixed to properly work after a regression caused by the introduction of the atmosphere_image_prefix variable.
The documentation for using the vTPM was pointing to the incorrect metadata properties for images. This has been corrected to point to the correct metadata properties.
Fix two redundant securityContext problems in statefulset-compute-ironic.yaml template.
The Cluster API driver for Magnum is now configured to use the internal endpoints by default in order to avoid going through the ingress and leverage client-side load balancing.
Other Notes
The documentation has been updated to include release notes for all of the current supported Atmosphere releases.
The Atmosphere collection now uses the new major version of the OpenStack collection as a dependency.
The upload jobs have been removed from the gate pipeline and replaced by the same build jobs since we use the intermediate registry to store the images.
The project has adopted the use of reno for release notes, ensuring that all changes include it from now on to ensure proper release notes.
The heavy CI jobs are now skipped when release notes are changed.
The image build process has been refactored to use docker-bake which allows us to use context/built images from one target to another, allowing for a much easier local building experience. There is no functional change in the images.
OpenStack Caracal (2024.1)
v4.3.0
New Features
The Keystone role now supports additional parameters when creating the Keycloak realm to allow for the configuration of options such as password policy, brute force protection, and more.
Add the glance_image_tempfile_path variable to allow users to change the temporary path for downloading images before uploading them to Glance.
The Keystone role now supports configuring multi-factor authentication for the users within the Atmosphere realm.
Introduced a new Rust-based binary ovsinit which focuses on handling the migration of IP addresses from a physical interface to an OVS bridge during the Neutron or OVN initialization process.
All roles that deploy Ingress resources as part of the deployment process now support the ability to specify the class name to use for the Ingress resource. This is done by setting the <role>_ingress_class_name variable to the desired class name.
It’s now possible to use the default TLS certificates configured within the ingress by using the ingress_use_default_tls_certificate variable which will omit the tls section from any Ingress resources managed by Atmosphere.
The Barbican role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Storpool driver has been updated from the Bobcat release to the Caracal release.
The Cinder role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Designate role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Applied the same pod affinity rules used for OVN NB/SB sts’s to northd deployment and changed the default pod affinity rules from preferred during scheduling to required during scheduling.
The Glance role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Heat role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Horizon role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Ironic role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Keystone role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Magnum role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Manila role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Neutron role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Nova role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Octavia role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Placement role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
The Staffeln role now allows users to configure the priorityClassName and the runtimeClassName for all of the different components of the service.
Known Issues
The MTU for the metadata interfaces for OVN was not being set correctly, leading to a mismatch between the MTU of the metadata interface and the MTU of the network. This has been fixed with a Neutron change to ensure the neutron:mtu value in external_ids is set correctly.
Upgrade Notes
Upgrade Cluster API driver for Magnum to 0.26.0.
Security Issues
The Horizon service now runs as the non-privileged user horizon in the container.
The Horizon service ALLOWED_HOSTS setting is now configured to point to the configured endpoints for the service.
The CORS headers are now configured to only allow requests from the configured endpoints for the service.
Bug Fixes
During a Neutron or OVN initialization process, the routes assigned to the physical interface are now removed and added to the OVS bridge to maintain the connectivity of the host.
The Cluster API driver for Magnum has been bumped to 0.26.2 to address bugs around cluster deletion.
Updated Manila to utilize device UUIDs instead of device names for mounting operations. This change ensures consistent device identification and prevents device name conflicts that could occur after rebooting the Manila server.
Fix two redundant securityContext problems in statefulset-compute-ironic.yaml template.
Other Notes
The Atmosphere collection now uses the new major version of the OpenStack collection as a dependency.
v4.2.12
New Features
The ovn-northd service did not have liveness probes enabled which can result in the pod failing readiness checks but not being automatically restarted. The liveness probe is now enabled by default which will restart any stuck ovn-northd processes.
Neutron now supports using the built-in DHCP agent when using OVN (Open Virtual Network) for cases when DHCP relay is necessary.
Upgrade Notes
Bump OVN from 24.03.1-44 to 24.03.2.34.
Bug Fixes
The [privsep_osbrick]/helper_command configuration value was not configured in both of the Cinder and Nova services, which led to the inability to run certain CLI commands since it tried to do a plain sudo instead. This has been fixed by adding the missing helper command configuration to both services.
The dmidecode package which is required by the os-brick library for certain operations was not installed on the images that needed it, which can cause NVMe-oF discovery issues. The package has been added to all images that require it.
The nova user within the nova-ssh image was missing the SHELL build argument which would cause live & cold migrations to fail. This has been resolved by adding the missing build argument.
This fix introduces a kernel option to adjust aio-max-nr, ensuring that the system can handle more asynchronous I/O events, preventing VM startup failures related to AIO limits.
The Cluster API driver for Magnum is now configured to use the internal endpoints by default in order to avoid going through the ingress and leverage client-side load balancing.
v4.2.11
New Features
Add specific helm-toolkit patch on 0.2.78. This will allow the DB drop and init jobs to be compatible with SQLAlchemy 2.0.
Bug Fixes
The Open vSwitch version has been bumped to 3.3.0 in order to resolve packet drops, including the "Packet dropped. Max recirculation depth exceeded." log messages in the Open vSwitch log.
Other Notes
The image build process has been refactored to use docker-bake which allows us to use context/built images from one target to another, allowing for a much easier local building experience. There is no functional change in the images.
v4.2.10
New Features
Add support for a Neutron policy check when performing a port update that adds address pairs. This adds a POST method, /address-pair, which checks that both ports (to be paired) were created within the same project. With this check, non-admin users can be allowed to operate address pair bindings without the risk of exposing resources to other projects.
Introduced the ability to specify a prefix for image names. This allows for easier integration with image proxies and caching mechanisms, eliminating the need to maintain separate inventory overrides for each image.
The ovn-controller image is now being pre-pulled on the nodes prior to the Helm chart being deployed. This will help reduce the time it takes to switch over to the new version of the ovn-controller image.
Bug Fixes
Fixed an issue where the neutron-ironic-agent service failed to start.
When using OVS with DPDK, both OVS and OVN run as the root user by default, which may prevent QEMU from writing the vhost-user socket file in the Open vSwitch runtime directory (/run/openvswitch). This has been fixed by configuring the Open vSwitch and OVN components to run as the non-root user ID 42424, which is the same as QEMU and other OpenStack services inside the container.
The CI tooling for pinning images has been fixed to properly work after a regression caused by the introduction of the atmosphere_image_prefix variable.
The documentation for using the vTPM was pointing to the incorrect metadata properties for images. This has been corrected to point to the correct metadata properties.
Other Notes
The project has adopted the use of reno for release notes, ensuring that all changes include it from now on to ensure proper release notes.
The heavy CI jobs are now skipped when release notes are changed.
OpenStack Bobcat (2023.2)
v3.3.0
New Features
Introduced a new Rust-based binary ovsinit which focuses on handling the migration of IP addresses from a physical interface to an OVS bridge during the Neutron or OVN initialization process.
The Storpool driver has been updated from the Antelope release to the Bobcat release.
Known Issues
The MTU for the metadata interfaces for OVN was not being set correctly, leading to a mismatch between the MTU of the metadata interface and the MTU of the network. This has been fixed with a Neutron change to ensure the neutron:mtu value in external_ids is set correctly.
Upgrade Notes
Upgrade Cluster API driver for Magnum to 0.26.0.
Bug Fixes
During a Neutron or OVN initialization process, the routes assigned to the physical interface are now removed and added to the OVS bridge to maintain the connectivity of the host.
The Cluster API driver for Magnum has been bumped to 0.26.2 to address bugs around cluster deletion.
Updated Manila to utilize device UUIDs instead of device names for mounting operations. This change ensures consistent device identification and prevents device name conflicts that could occur after rebooting the Manila server.
v3.2.12
New Features
The ovn-northd service did not have liveness probes enabled which can result in the pod failing readiness checks but not being automatically restarted. The liveness probe is now enabled by default which will restart any stuck ovn-northd processes.
Neutron now supports using the built-in DHCP agent when using OVN (Open Virtual Network) for cases when DHCP relay is necessary.
Upgrade Notes
Bump OVN from 24.03.1-44 to 24.03.2.34.
Bug Fixes
The [privsep_osbrick]/helper_command configuration value was not configured in both of the Cinder and Nova services, which led to the inability to run certain CLI commands since it tried to do a plain sudo instead. This has been fixed by adding the missing helper command configuration to both services.
The dmidecode package which is required by the os-brick library for certain operations was not installed on the images that needed it, which can cause NVMe-oF discovery issues. The package has been added to all images that require it.
The nova user within the nova-ssh image was missing the SHELL build argument which would cause live & cold migrations to fail. This has been resolved by adding the missing build argument.
This fix introduces a kernel option to adjust aio-max-nr, ensuring that the system can handle more asynchronous I/O events, preventing VM startup failures related to AIO limits.
The Cluster API driver for Magnum is now configured to use the internal endpoints by default in order to avoid going through the ingress and leverage client-side load balancing.
v3.2.11
New Features
Add specific helm-toolkit patch on 0.2.78. This will allow the database drop and init jobs to be compatible with SQLAlchemy 2.0.
Bug Fixes
The Open vSwitch version has been bumped to 3.3.0 in order to resolve packet drops, including the "Packet dropped. Max recirculation depth exceeded." log messages in the Open vSwitch log.
Other Notes
The image build process has been refactored to use docker-bake which allows us to use context/built images from one target to another, allowing for a much easier local building experience. There is no functional change in the images.
v3.2.10
New Features
Add support for a Neutron policy check when performing a port update that adds address pairs. This adds a POST method, /address-pair, which checks that both ports (to be paired) were created within the same project. With this check, non-admin users can be allowed to operate address pair bindings without the risk of exposing resources to other projects.
Introduced the ability to specify a prefix for image names. This allows for easier integration with image proxies and caching mechanisms, eliminating the need to maintain separate inventory overrides for each image.
The
ovn-controller
image is now being pre-pulled on the nodes prior to the Helm chart being deployed. This will help reduce the time it takes to switch over to the new version of theovn-controller
image.
Security Issues¶
Update update_port:fixed_ips policy for neutron policy server check to stay with RBAC rule. This issue is not affect much on service security as policy update_port:fixed_ips always comes next to update_port, but still we should honor SRABC design to add role member check on.
Bug Fixes¶
Fixed an issue where the neutron-ironic-agent service failed to start.
When using OVS with DPDK, both OVS and OVN run as the root user by default, which may prevent QEMU from writing the vhost-user socket file in the Open vSwitch runtime directory (/run/openvswitch). This has been fixed by configuring the Open vSwitch and OVN components to run as non-root user ID 42424, which is the same as QEMU and other OpenStack services inside the container.
The CI tooling for pinning images has been fixed to properly work after a regression caused by the introduction of the atmosphere_image_prefix variable.
The documentation for using the vTPM was pointing to the incorrect metadata properties for images. This has been corrected to point to the correct metadata properties.
Other Notes¶
The project has adopted the use of reno for release notes, ensuring that all changes include it from now on to ensure proper release notes.
The heavy CI jobs are now skipped when release notes are changed.
OpenStack Antelope (2023.1)¶
v2.2.12¶
New Features¶
Introduced a new Rust-based binary ovsinit which focuses on handling the migration of IP addresses from a physical interface to an OVS bridge during the Neutron or OVN initialization process.
Upgrade Notes¶
Upgrade Cluster API driver for Magnum to 0.26.0.
Bug Fixes¶
During a Neutron or OVN initialization process, the routes assigned to the physical interface are now removed and added to the OVS bridge to maintain the connectivity of the host.
The Cluster API driver for Magnum has been bumped to 0.26.2 to address bugs around cluster deletion.
v2.2.11¶
New Features¶
The ovn-northd service did not have liveness probes enabled which can result in the pod failing readiness checks but not being automatically restarted. The liveness probe is now enabled by default which will restart any stuck ovn-northd processes.
Neutron now supports using the built-in DHCP agent when using OVN (Open Virtual Network) for cases when DHCP relay is necessary.
Upgrade Notes¶
Bump OVN from 24.03.1-44 to 24.03.2.34.
Bug Fixes¶
The [privsep_osbrick]/helper_command configuration value was not configured in both of the Cinder and Nova services, which led to the inability to run certain CLI commands since it instead tried to do a plain sudo. This has been fixed by adding the missing helper command configuration to both services.
The dmidecode package which is required by the os-brick library for certain operations was not installed on the images that needed it, which can cause NVMe-oF discovery issues. The package has been added to all images that require it.
The nova user within the nova-ssh image was missing the SHELL build argument, which would cause live & cold migrations to fail. This has been resolved by adding the missing build argument.
This fix introduces a kernel option to adjust aio-max-nr, ensuring that the system can handle more asynchronous I/O events, preventing VM startup failures related to AIO limits.
The Cluster API driver for Magnum is now configured to use the internal endpoints by default in order to avoid going through the ingress and leverage client-side load balancing.
v2.2.10¶
New Features¶
Add a specific helm-toolkit patch on 0.2.78. This will allow the DB drop and init jobs to be compatible with SQLAlchemy 2.0.
Add support for a Neutron policy check when performing a port update that adds address pairs. This adds a POST method /address-pair. It checks whether both ports (to be paired) were created within the same project. With this check, non-admin users can be allowed to operate address pair binding without the risk of exposing resources to other projects.
Introduced the ability to specify a prefix for image names. This allows for easier integration with image proxies and caching mechanisms, eliminating the need to maintain separate inventory overrides for each image.
The ovn-controller image is now being pre-pulled on the nodes prior to the Helm chart being deployed. This will help reduce the time it takes to switch over to the new version of the ovn-controller image.
Bug Fixes¶
The Open vSwitch version has been bumped to 3.3.0 in order to resolve packet drops that include "Packet dropped. Max recirculation depth exceeded." log messages in the Open vSwitch log.
Fixed an issue where the neutron-ironic-agent service failed to start.
When using OVS with DPDK, both OVS and OVN run as the root user by default, which may prevent QEMU from writing the vhost-user socket file in the Open vSwitch runtime directory (/run/openvswitch). This has been fixed by configuring the Open vSwitch and OVN components to run as non-root user ID 42424, which is the same as QEMU and other OpenStack services inside the container.
The CI tooling for pinning images has been fixed to properly work after a regression caused by the introduction of the atmosphere_image_prefix variable.
The documentation for using the vTPM was pointing to the incorrect metadata properties for images. This has been corrected to point to the correct metadata properties.
Other Notes¶
The project has adopted the use of reno for release notes, ensuring that all changes include it from now on to ensure proper release notes.
The heavy CI jobs are now skipped when release notes are changed.
The image build process has been refactored to use docker-bake which allows us to use context/built images from one target to another, allowing for a much easier local building experience. There is no functional change in the images.
OpenStack Zed¶
v1.13.12¶
New Features¶
Introduced a new Rust-based binary ovsinit which focuses on handling the migration of IP addresses from a physical interface to an OVS bridge during the Neutron or OVN initialization process.
Upgrade Notes¶
Upgrade Cluster API driver for Magnum to 0.26.0.
Bug Fixes¶
During a Neutron or OVN initialization process, the routes assigned to the physical interface are now removed and added to the OVS bridge to maintain the connectivity of the host.
The Cluster API driver for Magnum has been bumped to 0.26.2 to address bugs around cluster deletion.
v1.13.11¶
New Features¶
The ovn-northd service did not have liveness probes enabled which can result in the pod failing readiness checks but not being automatically restarted. The liveness probe is now enabled by default which will restart any stuck ovn-northd processes.
Neutron now supports using the built-in DHCP agent when using OVN (Open Virtual Network) for cases when DHCP relay is necessary.
Bug Fixes¶
The [privsep_osbrick]/helper_command configuration value was not configured in both of the Cinder and Nova services, which led to the inability to run certain CLI commands since it instead tried to do a plain sudo. This has been fixed by adding the missing helper command configuration to both services.
The dmidecode package which is required by the os-brick library for certain operations was not installed on the images that needed it, which can cause NVMe-oF discovery issues. The package has been added to all images that require it.
The nova user within the nova-ssh image was missing the SHELL build argument, which would cause live & cold migrations to fail. This has been resolved by adding the missing build argument.
This fix introduces a kernel option to adjust aio-max-nr, ensuring that the system can handle more asynchronous I/O events, preventing VM startup failures related to AIO limits.
The Cluster API driver for Magnum is now configured to use the internal endpoints by default in order to avoid going through the ingress and leverage client-side load balancing.
v1.13.10¶
New Features¶
Add a specific helm-toolkit patch on 0.2.78. This will allow the DB drop and init jobs to be compatible with SQLAlchemy 2.0.
Add support for a Neutron policy check when performing a port update that adds address pairs. This adds a POST method /address-pair. It checks whether both ports (to be paired) were created within the same project. With this check, non-admin users can be allowed to operate address pair binding without the risk of exposing resources to other projects.
Introduced the ability to specify a prefix for image names. This allows for easier integration with image proxies and caching mechanisms, eliminating the need to maintain separate inventory overrides for each image.
The ovn-controller image is now being pre-pulled on the nodes prior to the Helm chart being deployed. This will help reduce the time it takes to switch over to the new version of the ovn-controller image.
Bug Fixes¶
Fixed an issue where the neutron-ironic-agent service failed to start.
When using OVS with DPDK, both OVS and OVN run as the root user by default, which may prevent QEMU from writing the vhost-user socket file in the Open vSwitch runtime directory (/run/openvswitch). This has been fixed by configuring the Open vSwitch and OVN components to run as non-root user ID 42424, which is the same as QEMU and other OpenStack services inside the container.
The CI tooling for pinning images has been fixed to properly work after a regression caused by the introduction of the atmosphere_image_prefix variable.
The documentation for using the vTPM was pointing to the incorrect metadata properties for images. This has been corrected to point to the correct metadata properties.
Other Notes¶
The project has adopted the use of reno for release notes, ensuring that all changes include it from now on to ensure proper release notes.
The heavy CI jobs are now skipped when release notes are changed.
The image build process has been refactored to use docker-bake which allows us to use context/built images from one target to another, allowing for a much easier local building experience. There is no functional change in the images.