Rocky Series Release Notes


Security Issues

  • An open redirect has been fixed, that could redirect users to arbitrary addresses from certain views by specifying a “next” parameter in the URL. Now the redirect will only work if the target URL is in the same domain, and uses the same protocol.


Upgrade Notes

  • publicize_image policy now has the same name both for image create and edit features and corresponds to the same one in Glance. If you changed the policy name manually to get feature working you have to rollback your changes before Horizon update.

Bug Fixes

  • [bug:1859041] image:publicize_image policy is renamed to publicize_image to be the same as Glance has.


Bug Fixes

  • [bug:1840465] Fixed a bug where listing security groups did not work if one or more security groups had no rules in them.


Bug Fixes

  • Fixed a bug where non-admin users would be shown the “Change Password” button for users listed under the Identity panel.

  • [bug:1544703] Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO deployments where network segmentation is used per security requirement. In this case, the controllers are not reachable from public network. Therefore, user’s browser will not be able to access OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint.


New Features

  • Added server groups and server group members quota management. Users can specify their values when creating or modifying project information, and users can also change their quota default values on the Admin-> System-> Defaults page.

  • DEFAULT_SERVICE_REGIONS can now take ‘*’ as a key which serves either as a fallback service region, or the default region if no other keys are set.

  • [blueprint ng-server-groups] This blueprint add angular server groups panel below the Project->Compute panel group. The panel turns on if Nova API extension ‘ServerGroups’ is available. It displays information about server groups. The details page for each server group also shows information about instances of that server group. Supported actions: create, delete.

  • [blueprint ng-users] AngularJS-based Users panel is added. The features in the legacy panel are almost implemented. The Users panel now may be configured to use either the legacy or AngularJS-based codes. The ANGULAR_FEATURES setting now allows for a users_panel. If set to True, then the AngularJS-Based Users panel will be used, while the Django version will be used if set to False. Default value for users_panel is False, due to lack of extensional buttons, i.e. for showing password and adding project, see also [bug/1733271].

  • Floating IP can be released when it is disassociated from a server. “Release Floating IP” checkbox is now available in “Disassociate Floating IP” form.

  • [bug:1755339] (for horizon plugin developers) A new plugin option ADD_XSTATIC_MODULES is now available and horizon plugins can add extra xstatic modules via the horizon plugin “enabled” file. For more detail, see ADD_XSTATIC_MODULES description in Pluggable Panels and Groups in horizon documentation.

  • Security groups now can be specified when creating a port. When the port security is enabled, the security groups tab will be displayed in create port workflow.

  • “Interfaces” tab is added to the instance detail page. The new tab shows a list of ports attached to an instance. Users now have an easy way to access the list of ports of the instance and edit security groups per port. In addition, “Edit Port Security Groups” menu is added as an action of the instance table.

  • Support has been added to set and display DNS attributes for Floating IPs (DNS Name and DNS Domain). These attributes are only available if Neutron has the dns-integration extension enabled.

  • [blueprint:cinder-generic-volume-groups] Cinder generic groups is now supported. Consistency groups views will be disabled if the generic group support is available. User is able to create generic groups and snapshots now.

    Note that operators need to create at least one group type so that users can use the generic group feature. Otherwise, it might be better to disable the group and group snapshot panels by the horizon plugin enabled files.

  • [bug:1690433] “Get me a network” feature provided by nova and neutron is now exposed in the launch server form. This feature will sets up a neutron network topology for a project if there is no network in the project. It simplifies the workflow when launching a server. In the horizon support, when there is no network which can be used for a server, a dummy network named ‘auto_allocated_network’ is shown in the network choices. The feature is disabled by default because it requires preparations in your neutron deployment. To enable it, set enable_auto_allocated_network in OPENSTACK_NEUTRON_NETWORK to True.

  • [bug:1746754] (for horizon plugin developers) Django tab is now pluggable and horizon plugins can add extra tab(s) to an existing tab provided by horizon or other horizon plugins. Extra tabs can be added via the horizon plugin “enabled” file. For more detail, see EXTRA_TABS description in Pluggable Panels and Groups of the horizon documentation.

  • Quota information panel and forms are now tabbified per back-end service.

    • Admin -> Defaults -> Default Quotas table

    • Admin -> Defaults -> Update Defaults form

    • Identity -> Projects -> Modify Quotas form

  • [blueprint:horizon-plugin-tab-for-info-and-quotas] (for horizon plugin developers) Django workflow step is now pluggable and horizon plugins can add extra step(s) to an existing workflow provided by horizon or other horizon plugins. Extra steps can be added via the horizon plugin “enabled” file. For more detail, see EXTRA_TABS description in Pluggable Panels and Groups of the horizon documentation.

  • [bug:1742332] Description for security group rule is supported.

  • Added support for Swift object copy as one of row actions. Destination container must exist in advance. To avoid overwriting an existing object, you cannot copy an object if a specified destination object already exists.

Known Issues

  • [bug/1733271] Users panel has Angularized, but buttons showing passwords is not implemented, i.e. for Password, Confirm Password and Admin password. Also, button adding project for selection of Primary Project is not implemented.

Upgrade Notes

  • [bug:1772345] DEFAULT_SERVICE_REGIONS no longer overrides the cookie value from services_region. This fixes the UX where a user controlled value keeps being overridden by a setting and changes DEFAULT_SERVICE_REGIONS to act as a default (as the name implies) per endpoint if the cookie is not set rather than an override. The cookie will still be overridden when it is for a region not present in the user’s current catalog, so this will still handle the original multi-keystone case that requried the introduction of DEFAULT_SERVICE_REGIONS.

  • simple_ip_management setting in HORIZON_CONFIG was dropped. This actually has no meaning after nova-network support was dropped in Pike. If you use this setting to hide Disassociate Floating IP button in the instance table, use the policy file instead.

  • Add OPENSTACK_KEYSTONE_BACKEND manually into REST_API_REQUIRED_SETTINGS on, if your deployment uses Angularized identity panels and needs to enable can_edit_* settings in OPENSTACK_KEYSTONE_BACKEND.

  • The deprecated feature of “Edit Flavor” was deleted Historically, Horizon has provided the ability to edit Flavors by deleting and creating a new one with the same information. This is not supported in the Nova API and causes unexpected issues and breakages.

  • Django 2.0 support is added as experimental. Support for Django 1.10 or older releases is dropped. Django 1.11 (LTS) is still the primary supported Django version.

  • The following deprecated settings have been dropped.


    • CUSTOM_THEME_PATH and DEFAULT_THEME_PATH (both deprecated in Mitaka): Use AVAILABLE_THEMES instead.

    • OPENSTACK_TOKEN_HASH_ENABLED (deprecated in Mitaka): PKI tokens currently work with hashing (before Ocata) and Keystone already dropped PKI token support in Ocata.

    • TOKEN_DELETION_DISABLED (deprecated in Ocata): It was not marked as deprecated in the horizon documentation, but this had no effect since Ocata release.

  • The “Quotas” tab in the “Create Project” form was split out into a new separate form “Modify Quotas”. Quotas for a new project need to be configured from “Modify Quotas” action after creating a new project.

  • Remove deprecated Cinder API V1 support. Cinder V1 API was deprecated for a while and removed in Queens release. If you need to enable Cinder support you should update the OPENSTACK_API_VERSIONS configuration option to use Cinder V2 or V3 API.

Deprecation Notes

  • [bug:1763204] Use of this ‘djano.wsgi’ file has been deprecated since the Rocky release in favor of ‘’ in the ‘openstack_dashboard’ module. This file is a legacy naming from before Django 1.4 and an importable ‘’ is now the default. This file will be removed in the T release cycle.

Bug Fixes

  • Do not redirect to the /identity tab admin users on login. Now user_home config options works in the same way for all users. [bug/1778006]

  • [bug:1746706] Fixed a bug the navigation menu and breadcrumb list are not reproduced properly when reloading or opening Angular-based detail page directly.

  • [bug:1779268] Supported can_edit_* settings in Angularized identity panels. To enable this settings in Angularized identity panels, add OPENSTACK_KEYSTONE_BACKEND into REST_API_REQUIRED_SETTINGS on For more detail, see REST_API_REQUIRED_SETTINGS in horizon settings documentation.

  • Fix an error on image description field when it is changed in the Angularized panel [:bug: 1779879]

Other Notes

  • Deprecated function fix_auth_url_version is removed from openstack_auth library. fix_auth_url_version_prefix function should be used instead of it.

  • UpdateAction is deprecated in Newton and removed now. You should not use inline edit functionality in your plugins anymore.