Current Series Release Notes

22.0.0.0rc1-64

New Features

  • Added HAProxy HTTP health checks for Prometheus Alertmanager using the /-/healthy endpoint. HAProxy now verifies HTTP 200 responses to improve backend health detection.

  • Add support for VAST cinder driver.

  • Add support to schema_version in the federated attribute mapping API of Keystone.

  • Adds support for serving architecture-specific Ironic Python Agent images for mixed x86_64 and aarch64 iPXE deployments.

  • The nova_libvirt container’s libvirtd.conf now raises libvirt’s connection processing limits above their stock defaults, which are tuned for a multi-tenant host rather than for Kolla’s single-privileged-client pattern. max_client_requests is raised from 5 to 20 and max_workers from 20 to 50. Both are exposed as the libvirt_max_client_requests and libvirt_max_workers variables so they can be tuned further.

  • The nova_libvirt container now runs virtlogd as a sidecar alongside libvirtd, and qemu.conf is configured with stdio_handler = "logd" so that libvirt routes instance console chardevs through virtlogd. This allows guest console logs to be rotated according to /etc/libvirt/virtlogd.conf (by default 2MB per file with 3 backups), instead of growing without bound as they did when stdio_handler was set to "file".

    Note that existing instances must be hard rebooted to pick up the new console handler, as the chardev mode is fixed at qemu launch.

  • Add Alertmanager container healthcheck support.

  • Removed obsolete configuration options from the Horizon local_settings.py template:

    • TEMPLATE_DEBUG: No longer supported

    • enable_lb, enable_firewall, and enable_vpn: These keys inside OPENSTACK_NEUTRON_NETWORK are now invalid.

Upgrade Notes

  • Support for networking-infoblox, to use Infblox as neutron’s IPAM backend, has been removed. The networking-infoblox project is unmaintained.

  • The legacy upgrade method for Neutron has been removed in favour of the rolling upgrade which has been the default since Ocata. neutron_enable_rolling_upgrade should no longer be set.

  • Support for running the Neutron DHCP agent in ML2/OVN deployments (neutron_ovn_dhcp_agent) has been removed. OVN now natively answers DHCP queries for bare metal ports (port type external), so the agent is no longer needed. neutron_ovn_dhcp_agent should no longer be set.

  • The [redis:children] inventory group, redis_master_password password, and all Redis-to-Valkey migration code, which were kept for migration purposes since the Gazpacho (2026.1) release, have now been removed. Operators should remove redis_master_password from their passwords.yml file.

  • The default value of update_keystone_service_user_passwords has changed from true to false. Previously, service user passwords were updated on every reconfigure run, which invalidated existing Keystone tokens and could cause service disruptions. With the new default, passwords are only set at user creation time. Operators who wish to force password rotation on reconfigure must explicitly set update_keystone_service_user_passwords to true in globals.yml.

Bug Fixes

  • Fixes nova-compute failing to start after /var/lib/nova content has been wiped, for example following a reprovisioning. LP#2051011

  • Fixes overly restrictive permissions on certificates in /var/lib/kolla/share/ca-certificates path in containers that require access to these certificates.

  • Fixed a stray trailing quote in the barbican_api healthcheck command that caused containers to be falsely reported as unhealthy. LP#2157639

  • Fixed instance snapshot hanging indefinitely. LP#2158974

  • Fixes the Ironic temp directory causing invalid cross device links when deploying baremetal images using the virtualmedia boot interface.

  • Fixes an issue in the Docker container worker where reconfiguring containers with cpuset_cpus or cpuset_mems dimensions could fail with an IndexError when the existing container had no explicit cpuset constraint configured.

  • Fixes Prometheus blackbox exporter checks for Grafana when external Grafana access is disabled. The public Grafana endpoint is now only monitored when enable_grafana_external is enabled, while the internal endpoint continues to be monitored when appropriate.

  • Fixes the OIDCXForwardedHeaders directive in the Keystone Apache configuration. The value was previously wrapped in double quotes, which caused Apache to treat the whole list as a single argument and prevented configuring more than one forwarded header. See LP#2155147.

  • Fixed intermittent instance build failures (Cannot recv data: Input/output error during defineXML, leading to instances in ERROR state) that occurred when several instances were built concurrently. nova-compute is effectively the sole client of libvirtd, and libvirt’s default per-client request cap of 5 was being exceeded by concurrent builds plus periodic tasks, starving keepalive responses until libvirtd dropped the connection.

Other Notes

  • This release exposes additional configuration options for OpenStack Compute consoles which utilize the SPICE protocol. You can now require that such consoles use channels secured by TLS using the nova_spice_require_secure configuration option. This option defaults to false as it implies that TLS certificates have been distributed to your nova-compute nodes.