Queens Series Release Notes


Bug Fixes

  • Erroneously, availability_zone for host aggregate resource types was considered mandatory in heat templates.

    Behaviour has been adjusted to bring this in line with the CLI and GUI, in which it is optional.


Bug Fixes

  • Previously, when deleting a convergence stack, the API call would return immediately, so that it was possible for a client immediately querying the status of the stack to see the state of the previous operation in progress or having failed, and confuse that with a current status. (This included Heat itself when acting as a client for a nested stack.) Convergence stacks are now guaranteed to have moved to the DELETE_IN_PROGRESS state before the delete API call returns, so any subsequent polling will reflect up-to-date information.

  • Previously, the suspend, resume, and check API calls for all stacks, and the update, restore, and delete API calls for non-convergence stacks, returned immediately after starting the stack operation. This meant that for a client reading the state immediately when performing the same operation twice in a row, it could have misinterpreted a previous state as the latest unless careful reference were made to the updated_at timestamp. Stacks are now guaranteed to have moved to the IN_PROGRESS state before any of these APIs return (except in the case of deleting a non-convergence stack where another operation was already in progress).


Security Issues

  • Passwords generated by the OS::Heat::RandomString resource may have had less entropy than expected, depending on what is specified in the character_class and character_sequence properties. This has been corrected so that each character present in any of the specified classes or sequences now has an equal probability of appearing at each point in the generated random string.



Note that Heat is compatible with OpenStack Identity federation, even when using Keystone trusts. It should work after you enable Federation and build the auto-provisioning map with the heat service user in Keystone. Auto-provisioning has been available in Keystone since the Ocata release.

New Features

  • Added hostname, hints, security_groups, and mounts properties to Zun Container resources.

  • Adds REST API support to cancel a stack create/update without rollback.

  • All developer, contributor, and user content from various guides in openstack-manuals has been moved in-tree and is published at https://docs.openstack.org/heat/pike/.

  • The template validate API call now returns the Environment calculated by Heat. This enables preview of the merged environment when using parameter_merge_strategy prior to creating the stack.

  • Adds new resources for the Octavia LBaaS service.

  • New resource OS::Octavia::LoadBalancer is added to create and manage Load Balancers which allow traffic to be directed between servers.

  • New resource OS::Octavia::Listener is added to create and manage Listeners which represent a listening endpoint for the Load Balancer.

  • New resource OS::Octavia::Pool is added to create and manage Pools which represent a group of nodes. Pools define the subnet where nodes reside, the balancing algorithm, and the nodes themselves.

  • New resource OS::Octavia::PoolMember is added to create and manage Pool members which represent a single backend node.

  • New resource OS::Octavia::HealthMonitor is added to create and manage Health Monitors which watch status of the Load Balanced servers.

  • New resource OS::Octavia::L7Policy is added to create and manage L7 Policies.

  • New resource OS::Octavia::L7Rule is added to create and manage L7 Rules.

  • Added a new schema property tags, to parameters, to categorize parameters based on features.

  • Heat now supports policy in code, which means that if you have not modified any policy rules, you no longer need to add rules to the policy.yaml or policy.json file, because Heat now keeps all default policies under heat/policies. You can still generate and modify a policy.yaml file, which will override policy rules in code if those rules appear in the policy.yaml file.

  • Added a tags parameter for creating and updating Keystone projects. A defined comma-delimited list will insert tags into newly created or updated projects.

  • OS::Heat::ResourceGroup now supports a removal_policies_mode property. This can be used to optionally select different behavior on update where you may wish to overwrite vs append to the current policy.

  • Allows setting the networks of instances for the OS::Trove::Cluster resource.

Known Issues

  • Heat does not work with keystone identity federation. This is a known limitation as heat uses keystone trusts for deferred authentication and trusts don’t work with federated keystone. For more details check https://etherpad.openstack.org/p/pike-ptg-cross-project-federation.

Upgrade Notes

  • The OS::Heat::HARestarter resource type is no longer supported. This resource type is now hidden from the documentation. HARestarter resources in stacks, including pre-existing ones, are now only placeholders and will no longer do anything. The recommended alternative is to mark a resource unhealthy and then do a stack update to replace it. This still correctly manages dependencies but, unlike HARestarter, also avoids replacing dependent resources unnecessarily. An example of this technique can be seen in the autohealing sample templates at https://git.openstack.org/cgit/openstack/heat-templates/tree/hot/autohealing

  • The default policy.json file has been removed, as the default policies are now generated in code. Please be aware of that when using that file in your environment. You can still generate a policy.yaml file if that is required in your environment.

  • The AWS-compatible CloudWatch API, long deprecated, has finally been removed. OpenStack deployments, packagers, and deployment projects which deploy/package CloudWatch should take appropriate action to remove support.

Deprecation Notes

  • The threshold alarm, which uses the Ceilometer API, has been deprecated in Aodh since Ocata. Please use OS::Aodh::GnocchiAggregationByResourcesAlarm in place of OS::Aodh::Alarm.

  • The Designate resource plugins OS::Designate::Domain and OS::Designate::Record are now hidden. Use OS::Designate::Zone and OS::Designate::RecordSet instead.

  • The SSL middleware heat.api.middleware.ssl:SSLMiddleware, which has been deprecated since 6.0.0, has now been removed. Check your paste config and ensure it has been replaced by oslo_middleware.http_proxy_to_wsgi instead.

  • The heat.resource_type custom constraint has been removed. This constraint never actually worked.

Security Issues

  • Heat no longer uses the standard Python RNG when generating values for the OS::Heat::RandomString resource, and instead relies on the system's RNG.
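
The two OS::Heat::RandomString security notes on this page (equal probability for every character, and use of the system's RNG) can be illustrated together. The following is an added example, not Heat's code: the "pool-first" scheme is an assumed way such a bias can arise, and POOLS is constructed sample input standing in for character_class and character_sequence values.

```python
import math
import string
from random import SystemRandom

# Constructed sample input: two pools of very different size, standing in for
# a character class (lowercase letters) and a character sequence ("!@#").
POOLS = [string.ascii_lowercase, "!@#"]

_rng = SystemRandom()  # backed by os.urandom, i.e. the system's RNG


def probs_pool_first(pools):
    """Per-character distribution if a pool is chosen uniformly and then a
    character within it (assumed biased scheme, for comparison only)."""
    probs = {}
    for pool in pools:
        chars = set(pool)
        for ch in chars:
            probs[ch] = probs.get(ch, 0.0) + 1.0 / (len(pools) * len(chars))
    return probs


def probs_uniform(pools):
    """Per-character distribution if every distinct character is equally likely."""
    alphabet = set("".join(pools))
    return {ch: 1.0 / len(alphabet) for ch in alphabet}


def shannon_bits(probs):
    """Shannon entropy in bits per generated character."""
    return -sum(p * math.log2(p) for p in probs.values())


def min_entropy_bits(probs):
    """Min-entropy in bits per character, set by the most likely character."""
    return -math.log2(max(probs.values()))


def generate_uniform(pools, length):
    """Draw each character uniformly from the union of pools with the system RNG."""
    alphabet = sorted(set("".join(pools)))
    return "".join(_rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, fn in (("pool-first", probs_pool_first), ("uniform", probs_uniform)):
        p = fn(POOLS)
        print(f"{name}: {shannon_bits(p):.3f} Shannon, {min_entropy_bits(p):.3f} min-entropy bits/char")
    print(generate_uniform(POOLS, 32))
```

For the constructed pools, pool-first selection gives about 4.14 Shannon bits and 2.58 min-entropy bits per character, while uniform selection over the union gives about 4.86 bits for both.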

Bug Fixes

  • Nova instances are now force-deleted. When the Nova config option ‘reclaim_instance_interval’ is set, a resource related to a Nova instance in the ‘SOFT_DELETED’ status could not be deleted. Heat now force-deletes the Nova instance, so that all the resources related to the instance are processed properly.

  • Added an attribute schema to OS::Keystone::Project. This allows the get_attr function to work with project resources.

Other Notes

  • Intrinsic function plugins will now be passed a StackDefinition object instead of a Stack object. When accessing resources, the StackDefinition will return ResourceProxy objects instead of Resource objects. These classes replicate the parts of the Stack and Resource APIs that are used by the built-in Function plugins, but authors of custom third-party Template/Function plugins should audit them to ensure they do not depend on unstable parts of the API that are no longer accessible. The StackDefinition and ResourceProxy APIs are considered stable and any future changes to them will go through the standard deprecation process.

  • The old Heat Tempest plugin heat_tests has been removed and replaced by a separate Tempest plugin named heat, in the heat-tempest-plugin repository (https://git.openstack.org/cgit/openstack/heat-tempest-plugin). Functional tests that are appropriate for the Tempest environment have been migrated to the new plugin. Other functional tests remain behind in the heat repository.