Current Series Release Notes

21.0.0-25

Upgrade Notes

  • The designate-api service has been migrated from eventlet to use native Python threading.

    The default number of API threads has been reduced from 1000 to 100 to reflect the change from eventlet greenthreads to native OS threads.

  • Operators should migrate to deploying the Designate API using a WSGI server such as uwsgi or mod_wsgi. This has been the recommended deployment method and is the default in DevStack. The designate-api command will continue to work until the planned removal, but operators are encouraged to migrate to uwsgi deployment as soon as possible.

    See the DevStack configuration at devstack/lib/designate and devstack/files/wsgi/designate-api-wsgi for an example of uwsgi deployment.

  • Complete removal of eventlet from Designate. All services now use native Python threading via oslo.service’s threading backend.

  • Updated oslo.service dependency to >=4.2.0 with the [threading] extra, which is required for the threading backend support.

  • Default thread counts have been adjusted to reduce potential memory issues with Python native threads compared to eventlet greenthreads.

  • The NSD4 backend has been migrated from eventlet to native Python socket/ssl libraries. SSL certificate verification is now configurable and enabled by default.

    New configuration options:

    • verify_ssl: Enable/disable SSL certificate verification (default: true)

    • check_hostname: Enable/disable hostname checking (default: true)

    • ca_certs: Path to CA certificate bundle (default: system CA bundle)

    Breaking Change: Deployments using self-signed certificates must explicitly disable verification or add certificates to the system trust store.

    Configure these options in your pools.yaml file under the NSD4 target’s options section, then run designate-manage pool update. To maintain previous insecure behavior:

    targets:
      - type: nsd4
        options:
          host: 192.0.2.2
          port: 8952
          verify_ssl: false
          check_hostname: false
    

    Deployments with properly signed certificates require no configuration changes.

  • The designate-central service has been migrated from eventlet to native Python threading.

    Configuration Changes:

    • The default value for [service:central] threads has been reduced from 1000 to 100 to better align with native OS thread resource usage.

    Notable Changes:

    • Blacklist regex timeout mechanism updated to be compatible with native threading.

Deprecation Notes

  • The designate-api service and the designate.api.service module are deprecated and will be removed in a future release. The WSGIService class relies on oslo_service.wsgi and oslo_service.sslutils, which will be removed in oslo.service 2026.2 as part of the eventlet removal effort.

Security Issues

  • The NSD4 backend now defaults to secure SSL certificate verification. Previously, certificate verification and hostname checking were unconditionally disabled.
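The sketch below is an added example, not Designate's own code. It shows one way the verify_ssl, check_hostname and ca_certs options could map onto a Python ssl.SSLContext, and how to flag NSD4 targets that relax verification. The function names, the option-to-context mapping and the second sample host are assumptions made for illustration.

```python
import ssl

# Defaults as stated in the release note; the mapping onto ssl.SSLContext
# below is an assumption for illustration, not Designate's implementation.
DEFAULTS = {"verify_ssl": True, "check_hostname": True, "ca_certs": None}


def build_context(options):
    """Build a client SSLContext from an NSD4 target's options mapping."""
    opts = {**DEFAULTS, **{k: v for k, v in options.items() if k in DEFAULTS}}
    if opts["check_hostname"] and not opts["verify_ssl"]:
        # A hostname can only be checked against a verified certificate;
        # Python's ssl module rejects this combination as well.
        raise ValueError("check_hostname requires verify_ssl")
    # Starts at CERT_REQUIRED with hostname checking on; ca_certs=None means
    # the system CA bundle is loaded.
    ctx = ssl.create_default_context(cafile=opts["ca_certs"])
    # Order matters: hostname checking must be off before CERT_NONE is set.
    ctx.check_hostname = opts["check_hostname"]
    if not opts["verify_ssl"]:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weakened_targets(targets):
    """Return (host, disabled options) for NSD4 targets that relax verification."""
    findings = []
    for target in targets:
        if target.get("type") != "nsd4":
            continue
        options = target.get("options", {})
        disabled = [name for name in ("verify_ssl", "check_hostname")
                    if options.get(name, True) is False]
        if disabled:
            findings.append((options.get("host"), disabled))
    return findings


# Constructed sample: the target from the note plus one that keeps the defaults.
SAMPLE_TARGETS = [
    {"type": "nsd4", "options": {"host": "192.0.2.2", "port": 8952,
                                 "verify_ssl": False, "check_hostname": False}},
    {"type": "nsd4", "options": {"host": "192.0.2.3", "port": 8952}},
]

if __name__ == "__main__":
    for host, disabled in weakened_targets(SAMPLE_TARGETS):
        print(f"{host}: disabled {', '.join(disabled)}")
```

Setting verify_ssl: false while leaving check_hostname at its default is rejected by this sketch, which is why the configuration in the upgrade note disables both options together.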