Current Series Release Notes¶
22.0.0.0rc1-64¶
New Features¶
Added HAProxy HTTP health checks for Prometheus Alertmanager using the
/-/healthyendpoint. HAProxy now verifies HTTP 200 responses to improve backend health detection.
Add support for VAST cinder driver.
Add support to
schema_versionin the federated attribute mapping API of Keystone.
Adds support for serving architecture-specific Ironic Python Agent images for mixed x86_64 and aarch64 iPXE deployments.
The
nova_libvirtcontainer’slibvirtd.confnow raises libvirt’s connection processing limits above their stock defaults, which are tuned for a multi-tenant host rather than for Kolla’s single-privileged-client pattern.max_client_requestsis raised from 5 to 20 andmax_workersfrom 20 to 50. Both are exposed as thelibvirt_max_client_requestsandlibvirt_max_workersvariables so they can be tuned further.
The
nova_libvirtcontainer now runsvirtlogdas a sidecar alongsidelibvirtd, andqemu.confis configured withstdio_handler = "logd"so that libvirt routes instance console chardevs throughvirtlogd. This allows guest console logs to be rotated according to/etc/libvirt/virtlogd.conf(by default 2MB per file with 3 backups), instead of growing without bound as they did whenstdio_handlerwas set to"file".Note that existing instances must be hard rebooted to pick up the new console handler, as the chardev mode is fixed at qemu launch.
Add Alertmanager container healthcheck support.
Removed obsolete configuration options from the Horizon
local_settings.pytemplate:TEMPLATE_DEBUG: No longer supportedenable_lb,enable_firewall, andenable_vpn: These keys insideOPENSTACK_NEUTRON_NETWORKare now invalid.
Upgrade Notes¶
Support for networking-infoblox, to use Infblox as neutron’s IPAM backend, has been removed. The networking-infoblox project is unmaintained.
The legacy upgrade method for Neutron has been removed in favour of the rolling upgrade which has been the default since Ocata.
neutron_enable_rolling_upgradeshould no longer be set.
Support for running the Neutron DHCP agent in ML2/OVN deployments (
neutron_ovn_dhcp_agent) has been removed. OVN now natively answers DHCP queries for bare metal ports (port typeexternal), so the agent is no longer needed.neutron_ovn_dhcp_agentshould no longer be set.
The
[redis:children]inventory group,redis_master_passwordpassword, and all Redis-to-Valkey migration code, which were kept for migration purposes since the Gazpacho (2026.1) release, have now been removed. Operators should removeredis_master_passwordfrom theirpasswords.ymlfile.
The default value of
update_keystone_service_user_passwordshas changed fromtruetofalse. Previously, service user passwords were updated on every reconfigure run, which invalidated existing Keystone tokens and could cause service disruptions. With the new default, passwords are only set at user creation time. Operators who wish to force password rotation on reconfigure must explicitly setupdate_keystone_service_user_passwordstotrueinglobals.yml.
Bug Fixes¶
Fixes
nova-computefailing to start after/var/lib/novacontent has been wiped, for example following a reprovisioning. LP#2051011
Fixes overly restrictive permissions on certificates in
/var/lib/kolla/share/ca-certificatespath in containers that require access to these certificates.
Fixed a stray trailing quote in the
barbican_apihealthcheck command that caused containers to be falsely reported as unhealthy. LP#2157639
Fixed instance snapshot hanging indefinitely. LP#2158974
Fixes the Ironic temp directory causing invalid cross device links when deploying baremetal images using the virtualmedia boot interface.
Fixes an issue in the Docker container worker where reconfiguring containers with
cpuset_cpusorcpuset_memsdimensions could fail with anIndexErrorwhen the existing container had no explicit cpuset constraint configured.
Fixes Prometheus blackbox exporter checks for Grafana when external Grafana access is disabled. The public Grafana endpoint is now only monitored when
enable_grafana_externalis enabled, while the internal endpoint continues to be monitored when appropriate.
Fixes the
OIDCXForwardedHeadersdirective in the Keystone Apache configuration. The value was previously wrapped in double quotes, which caused Apache to treat the whole list as a single argument and prevented configuring more than one forwarded header. See LP#2155147.
Fixed intermittent instance build failures (
Cannot recv data: Input/output errorduringdefineXML, leading to instances inERRORstate) that occurred when several instances were built concurrently. nova-compute is effectively the sole client oflibvirtd, and libvirt’s default per-client request cap of 5 was being exceeded by concurrent builds plus periodic tasks, starving keepalive responses untillibvirtddropped the connection.
Other Notes¶
This release exposes additional configuration options for OpenStack Compute consoles which utilize the SPICE protocol. You can now require that such consoles use channels secured by TLS using the
nova_spice_require_secureconfiguration option. This option defaults tofalseas it implies that TLS certificates have been distributed to yournova-computenodes.