Xena Series Release Notes
Added ‘--retry 5’ to curlrc to improve curl downloads during image builds.
To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE environment variables in kolla-built containers has been dropped. Now, only the single trusted path of /var/lib/kolla/config_files/config.json will be utilised for loading container config. We believe this is a reasonable tradeoff as these environment variables were not used by any known downstream and potential users in the wild can easily adapt as this does not limit the functionality per se, only making it stricter as to where the config can come from.
Fixes CVE-2022-38060, a sudo privilege escalation vulnerability. LP#1985784
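An added example (not part of Kolla or of these release notes): a pre-upgrade audit that reads `docker inspect` style JSON and reports containers that still set the dropped variables. The container names and environment values in the sample are constructed.

```python
import json

# Variables dropped by the CVE-2022-38060 fix, as named in the release note.
DROPPED_VARS = ("KOLLA_CONFIG", "KOLLA_CONFIG_FILE")
TRUSTED_PATH = "/var/lib/kolla/config_files/config.json"

# Constructed sample in the shape of `docker inspect <container>...` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nova_compute",
     "Config": {"Env": ["KOLLA_CONFIG_STRATEGY=COPY_ALWAYS", "PATH=/usr/bin"]}},
    {"Name": "/custom_api",
     "Config": {"Env": ["KOLLA_CONFIG_FILE=/etc/custom/config.json"]}},
    {"Name": "/custom_worker",
     "Config": {"Env": ["KOLLA_CONFIG=constructed-value",
                        "KOLLA_CONFIG_STRATEGY=COPY_ONCE"]}},
    {"Name": "/no_env", "Config": {"Env": None}},
])


def find_dropped_vars(inspect_json):
    """Return {container name: [dropped variable names it sets]}."""
    findings = {}
    for container in json.loads(inspect_json):
        env = (container.get("Config") or {}).get("Env") or []
        # Env entries are "KEY=VALUE"; compare the key exactly so that
        # KOLLA_CONFIG_STRATEGY is not mistaken for KOLLA_CONFIG.
        keys = {entry.split("=", 1)[0] for entry in env}
        hits = sorted(keys.intersection(DROPPED_VARS))
        if hits:
            findings[container.get("Name", "?").lstrip("/")] = hits
    return findings


if __name__ == "__main__":
    for name, hits in find_dropped_vars(SAMPLE_INSPECT).items():
        print(f"{name}: sets {', '.join(hits)}; "
              f"mount its config at {TRUSTED_PATH} instead")
```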
Fixes problems when running with docker-py >=6. LP#1988121
Adds a templating block to the base image that helps customize the pip settings used at build time in offline build scenarios. Some environment variables need to be configured at the top level for all containers, for example the variable UPPER_CONSTRAINTS_FILE used by the bifrost-deploy installation scripts. The address of the PyPI repository can also be overridden here via the PIP_INDEX_URL, PIP_EXTRA_INDEX_URL, and PIP_TRUSTED_HOST variables.
All Dockerfiles which use curl to download external files from Internet URLs now have a corresponding version templating block which can be used to override them. All the ENV instructions inside these blocks were also converted to ARG instructions to minimize the unneeded variables.
Fixes wrong update-alternatives usage on CentOS. LP#1936947
Updates the OpenStack exporter for Prometheus to version 1.6.0.
Added a --repos-yaml argument to allow users to provide their own file with definitions of external package repositories. Useful for those building in offline environments with a set of internal mirrors.
The updated OpenStack exporter for Prometheus uses the latest Nova API microversion by default, resulting in changes to existing metrics. To keep existing behaviour, set
The apt-get update command did not fail by default on erroneous source repositories; it showed the warning ‘W: Some index files failed to download. They have been ignored, or old ones used instead.’ and continued to work. This let some containers (e.g. rabbitmq, kolla-toolbox) build successfully but left them inconsistent, because the official Ubuntu repository contains packages with the same names. Now we use the apt-get -eany update command to stop the build with an error in such cases.
Fixes a SEGV on startup of Skydive in CentOS builds. Skydive versions prior to 0.28.0 panic on newer versions of libc. This especially affects CentOS 8. LP#1940862
Added a container image for Prometheus libvirt exporter, to be used for monitoring deployments which provide VMs with libvirt.
Adds Cyrus SASL packages necessary for the DIGEST-MD5 and SCRAM-SHA-256 mechanisms. These can be used for libvirt SASL authentication. LP#1964013
Quiet mode (enabled with the --quiet argument) can now be combined with the --logs-dir option. Console output will be quiet as expected while build output will be stored in separate log files.
The Debian and Ubuntu images use rabbitmq and erlang from cloudsmith now. Operators might want to mirror/proxy this new source as it provides the correct set of packages unlike the previous combination.
Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE) vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.
Fixes an issue with Ironic deployments using UEFI and iPXE, where the default UEFI iPXE bootloader in Ironic was not available in the TFTP server. This affects all Kolla releases on CentOS, and Xena on Debian/Ubuntu. LP#1959203
glusterfs-client in Debian and Ubuntu manila-share images to support GlusterFS across supported distributions. LP#1964140
Latest version of the elasticsearch gem no longer works with older (OSS) versions of Elasticsearch. This is fixed by capping the version of the elasticsearch gem installed into the fluentd container. LP#1954759
Fixes an issue where an older version of the Python OpenvSwitch bindings package was used than the running OpenvSwitch code. LP#1961874
Fixes a UEFI PXE booting failure in AArch64 Ubuntu ironic-python-agent images. Also fixes the lack of GRUB EFI files on x86_64. LP#1879265
Fixes an issue building images that use a source with a
git, when using a git that includes the fix for CVE-2022-24765 (2.35.2 or later). By default, this includes the
gnocchi-base image, but may include other images with a non-default configuration. LP#837710
Fixes disabling the use of the
curlrc configuration file in
Fixes an issue seen when using Jinja2 3.1.0.
Fixes an issue with missing Magnum Keystone auth default policy. LP#1957159
Fixes the Debian and Ubuntu images to use rabbitmq and erlang from cloudsmith so that the images are still buildable and use proper versions.
Fixes set_configs.py applying the same permission to directories and files, which left directories without execute permission when it was not set for files.
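An added example (not Kolla's set_configs.py code) of one way to avoid this failure mode: derive the directory mode from the file mode by granting execute wherever read is granted. The function names and the sample tree are hypothetical.

```python
import os
import stat
import tempfile


def dir_mode(file_mode):
    """Derive a directory mode: add execute wherever read is granted."""
    # In each permission triplet r is 4 and x is 1, so shifting the read
    # bits right by two positions lands them on the execute bits.
    return file_mode | ((file_mode & 0o444) >> 2)


def set_perms_recursive(root, file_mode):
    """Apply file_mode to files and the derived mode to directories."""
    # Walk bottom-up so a directory is changed only after its contents.
    for current, _dirs, files in os.walk(root, topdown=False):
        for name in files:
            os.chmod(os.path.join(current, name), file_mode)
        os.chmod(current, dir_mode(file_mode))


def demo():
    """Build a constructed tree, apply 0o640, return (dir, file) modes."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = os.path.join(tmp, "conf.d")
        os.mkdir(conf_dir)
        conf_file = os.path.join(conf_dir, "service.conf")
        with open(conf_file, "w") as handle:
            handle.write("[DEFAULT]\n")
        set_perms_recursive(conf_dir, 0o640)
        return (stat.S_IMODE(os.stat(conf_dir).st_mode),
                stat.S_IMODE(os.stat(conf_file).st_mode))


if __name__ == "__main__":
    directory, file_ = demo()
    print(f"directory {oct(directory)}, file {oct(file_)}")
```

Applying 0o640 unchanged to the directory would leave it without the execute bit, so its owner could list entries but not open them.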
linux-firmware package removed to save image size by ~500MB. LP#1926801
Fixes “Permission denied” issue for swift-recon tool that appears when swift-recon tool tries to access default recon_lock_path
Nova images are built without the pypowervm package. It is needed only for POWER architecture support (which we do not support) and breaks CentOS builds by trying to install the (Python 2 only) ‘futures’ package.
nvme-cli package is present in nova-compute images, as it is expected by
Add masakari-dashboard to Debian binary Horizon image.
Adds the Monasca datasource plugin to the Grafana image. This allows Monasca users to visualise metrics in Grafana without using the Monasca Grafana fork.
Updates Ceph client packages in CentOS images to Pacific.
Support for Debian/Ubuntu binary (aka packaged) CloudKitty images.
Debian ‘bullseye’ is now used instead of ‘buster’. Bullseye is the current stable release of Debian. Several images gained Debian support with this move.
Adds support for the ironic-neutron-agent image in Debian and Ubuntu binary images. Also adds support for the baremetal ML2 driver in the neutron-server image in Debian and Ubuntu binary images.
Improves the way offline scenarios are supported:
Switching dumb-init installation to distribution provided packages.
OVN images are now buildable for Debian on x86-64 architecture.
Adds proxysql image. Proxysql provides intelligent load balancing for databases.
Allows setting a group for a user.
cAdvisor has been updated to version 0.38.7.
Kolla toolbox is now using ansible-core 2.11.
The format of APT keys has changed from a simple list into a dictionary. For base_apt_keys we now use names and key ids, and for remote_apt_keys names and URLs.
This allows instructing APT to use those keys only for their repositories instead of trusting them for all possible packages.
If you override remote_apt_keys then please adapt to the new format.
CentOS now uses upstream MariaDB repos (thus following the images of the other two distros). This is done to simplify MariaDB version management on Kolla side. The chosen version is synced with Debian and Ubuntu to 10.5. Operators may want to reflect this in their repo mirrors and proxies.
Debian now uses upstream MariaDB repos (thus following Ubuntu images). This is done to avoid issues like the related one and have an easy workaround of pinning to chosen MariaDB version if need arises. Operators may want to reflect this in their repo mirrors and proxies. LP#1944410
Updates the default image type to source. Users wishing to build binary type images should either specify the --type binary CLI argument or set
kolla-build.conf. This change is to reflect the reality that source images are tested more thoroughly and we (as OpenStack community) have better control over them.
monasca-grafana image has been dropped because it was using several deprecated components and was not buildable. Support for Monasca datasource was added into standard
Support for building containers for ppc64le architecture was dropped.
Support for using Red Hat Enterprise Linux as base of container images was dropped. Please migrate to using CentOS Stream 8 based images.
Gnocchi version has been updated to
haproxy packages have been upgraded to 2.2.
Changed default of
bootstrap-servers is deploying Docker without a bridge by default since Wallaby
Neutron images now only provide
/usr/share/neutron. Custom configuration files will need to be updated.
chrony image has been removed.
Support for panko has been removed due to upstream retirement.
Prometheus v1 image has been removed.
Tempest projects are not OpenStack services, but clients. Its images and support have been removed since Xena cycle.
Ubuntu now uses MariaDB 10.5 to sync with Debian.
Support for building ppc64le container images has been deprecated in Wallaby cycle and got removed in Xena.
rally images were removed in the Xena cycle. The reason is that these are not services of an OpenStack cloud but its clients.
Fixes security issue in Prometheus as per advisory.
Adds an option to the monasca-thresh container which checks if the topology is currently submitted (KOLLA_BOOTSTRAP), with an option to kill it (TOPOLOGY_REPLACE). Topology names and various timeouts may be customized. LP#1808805
Fixes missing boto3 library required by glance_store. LP#1884259
Fixes location of monitoring_policy in Horizon, so access policy is correctly enforced. Note that by current default, admin does not have Monitoring access. LP#1928408
Fix support for kolla install in
Fixes an issue with logs going missing in the Fluentd pipeline by pinning td-agent to 4.0.* also on Debian. LP#1930867 [Debian]
Fixes an issue with logs going missing in the Fluentd pipeline by pinning td-agent to 4.0.*. LP#1930867
Fixes issues arising from the lack of Debian updates repo being enabled. LP#1931544
Fix missing default policy files for debian-binary-horizon. LP#1933759
Fixes Debian image build failure caused by the official Debian bullseye release changing the os identification. LP#1933770
Fixes user uid inconsistency between base and openstack-base Debian binary images. LP#1934753
Add missing pacemaker cli utils to Debian hacluster images. LP#1934788
Fixes an issue with cinder-volume missing nvme commands on Debian and Ubuntu. LP#1942038
Fixes kolla-toolbox ansible.log logging for users other than ansible. LP#1942846
Fixes an issue with Elasticsearch curator not working because the Python elasticsearch library was too new. LP#1941073
Fixes an issue with the logstash image which was incompatible with the last OSS version (7.10) of Elasticsearch. Logstash is now pinned to 7.9. LP#1941754
Debian images enable the Debian updates repo now. This is aligned with the base Debian image.
pymongo installation from images.