Yoga Series Release Notes

14.5.0

Upgrade Notes

  • To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE environment variables in kolla-built containers has been dropped. Now, only the single trusted path of /var/lib/kolla/config_files/config.json will be utilised for loading container config. We believe this is a reasonable tradeoff as these environment variables were not used by any known downstream and potential users in the wild can easily adapt as this does not limit the functionality per se, only making it stricter as to where the config can come from.

Security Issues

  • Fixes CVE-2022-38060, a sudo privilege escalation vulnerability. LP#1985784
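Before upgrading to 14.5.0, an operator can check whether any container still sets the dropped variables. The following is an added example, not Kolla's own code: it reads docker inspect JSON, and the container names and values in the sample are constructed.

```python
import json

# Variables no longer honoured after the CVE-2022-38060 fix (from the note above).
DROPPED_VARS = ("KOLLA_CONFIG", "KOLLA_CONFIG_FILE")
TRUSTED_PATH = "/var/lib/kolla/config_files/config.json"


def audit_containers(inspect_json):
    """Return (container, variable, verdict) for every dropped variable in use.

    inspect_json is the JSON array printed by `docker inspect`.
    verdict is "cleanup" when the variable merely repeats the trusted path
    (assumes KOLLA_CONFIG_FILE holds a file path), otherwise "action":
    the config must be moved to TRUSTED_PATH before upgrading.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        env = (container.get("Config") or {}).get("Env") or []
        for entry in env:
            key, _, value = entry.partition("=")
            if key not in DROPPED_VARS:
                continue  # exact match only: KOLLA_CONFIG_STRATEGY is not a dropped variable
            redundant = key == "KOLLA_CONFIG_FILE" and value == TRUSTED_PATH
            findings.append((name, key, "cleanup" if redundant else "action"))
    return findings


# Constructed sample in the shape of `docker inspect` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nova_api",
     "Config": {"Env": ["KOLLA_CONFIG_STRATEGY=COPY_ALWAYS", "PATH=/usr/bin"]}},
    {"Name": "/custom_svc",
     "Config": {"Env": ["KOLLA_CONFIG_FILE=/etc/custom/config.json"]}},
    {"Name": "/legacy_svc",
     "Config": {"Env": ['KOLLA_CONFIG={"command": "sleep 1"}',
                        "KOLLA_CONFIG_FILE=" + TRUSTED_PATH]}},
    {"Name": "/no_env", "Config": {"Env": None}},
])

if __name__ == "__main__":
    for name, var, verdict in audit_containers(SAMPLE_INSPECT):
        print(f"{name}: {var} -> {verdict}")
```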

14.4.0

Bug Fixes

  • Fixes problems when running with docker-py >=6. LP#1988121

14.2.0

New Features

  • Updates the OpenStack exporter for Prometheus to version 1.6.0.

  • Added a --repos-yaml argument to allow users to provide their own file with definitions of external package repositories. Useful for those building in offline environments with a set of internal mirrors.

Upgrade Notes

  • The updated OpenStack exporter for Prometheus uses the latest Nova API microversion by default, resulting in changes to existing metrics. To keep existing behaviour, set prometheus_openstack_exporter_compute_api_version to 2.1.

Bug Fixes

  • By default, the apt-get update command did not fail on erroneous source repositories; it showed the warning ‘W: Some index files failed to download. They have been ignored, or old ones used instead.’ and continued to work. This caused some containers (e.g. rabbitmq, kolla-toolbox) to build successfully but inconsistently, because the official Ubuntu repository contains packages with the same names. Now we use the apt-get -eany update command to stop building with an error in such cases.

  • Fixes a SEGV on startup in CentOS builds of Skydive. Skydive versions prior to 0.28.0 panic on newer versions of libc. This especially affects CentOS 8. LP#1940862

14.1.0

New Features

  • Updates Alertmanager version to 0.24.0.

Upgrade Notes

  • The Debian and Ubuntu images use rabbitmq and erlang from cloudsmith now. Operators might want to mirror/proxy this new source as it provides the correct set of packages unlike the previous combination.

Bug Fixes

  • Fixes the Debian and Ubuntu images to use rabbitmq and erlang from cloudsmith so that the images are still buildable and use proper versions.

14.0.0

Prelude

Binary images are deprecated in Yoga and any support for them will be removed in the next cycle. Users are requested to migrate to source based images.

New Features

  • Added a container image for Prometheus libvirt exporter, to be used for monitoring deployments which provide VMs with libvirt.

  • Adds containers for integration with Let’s Encrypt.

  • Updates Prometheus Alertmanager version to 0.23.0.

  • Adds a base_pip_conf templating block for the base image, helping to customize pip settings used at build time for offline build scenarios. We need some required environment variables configured at the top level for all containers, for example the variable UPPER_CONSTRAINTS_FILE used by the bifrost-deploy installation scripts. Also here we can override the address of the PyPI repository via PIP_INDEX_URL, PIP_EXTRA_INDEX_URL, and PIP_TRUSTED_HOST variables.

  • Adds Cyrus SASL packages necessary for the DIGEST-MD5 and SCRAM-SHA-256 mechanisms. These can be used for libvirt SASL authentication. LP#1964013

  • OVN images are now buildable for Debian on x86-64 architecture.

  • Adds prometheus-msteams image, which can be used to forward Prometheus Alertmanager notifications to Microsoft Teams.

  • Quiet mode (enabled with the --quiet argument) can now be combined with the --logs-dir option. Console output will be quiet as expected while build output will be stored in separate log files.

  • Removes InfluxDB datasource plugin from Grafana image as it is now natively supported.

  • Adds a new enabled option to each source definition. This allows sources, plugins or additions for each source image to be disabled individually. This may be used to reduce image sizes, or restrict the dependencies necessary to build images.

Upgrade Notes

  • Updates Debian images to install libvirt 8 and QEMU 6.2.

  • Support for building vmtp has been dropped per the mailing list notice. The vmtp project is no longer buildable, is outside of the OpenStack namespace and looks plain abandoned. See the mailing list notice.

  • All Dockerfile files which use curl to download any external files from the Internet now have a corresponding version templating block which can be used to override them. Also, all the ENV instructions inside these blocks were converted to ARG instructions to minimize the unneeded variables.

  • RabbitMQ version has been updated to 3.9 (together with Erlang to 24).

Deprecation Notes

  • The qdrouterd image is deprecated and will be removed in the Zed cycle. It is supported only by CentOS.

Security Issues

  • Adds mitigation for Apache Log4j 2 Remote Code Execution (RCE) vulnerabilities CVE-2021-44228 and CVE-2021-45046 to Apache Storm.

Bug Fixes

  • Fixes wrong update-alternatives usage on CentOS. LP#1936947

  • Fixes an issue with cinder-volume missing lsscsi and nvme commands on Debian and Ubuntu. LP#1942038

  • CentOS nova-compute image has linux-firmware package removed to save image size by ~500MB. LP#1926801

  • Fluentd on CentOS on aarch64 is no longer missing the grok-parser plugin. LP#1955889

  • Fixes an issue with Ironic deployments using UEFI and iPXE, where the default UEFI iPXE bootloader in Ironic was not available in the TFTP server. This affects all Kolla releases on CentOS, and Xena on Debian/Ubuntu. LP#1959203

  • Installs glusterfs-client in Debian and Ubuntu manila-share images to support GlusterFS across supported distributions. LP#1964140

  • Latest version of the elasticsearch gem no longer works with older (OSS) versions of Elasticsearch. This is fixed by capping the version of the elasticsearch gem installed into the fluentd container. LP#1954759

  • Fixes an issue where an older version of the Python OpenvSwitch bindings package was used than the running OpenvSwitch code. LP#1961874

  • Fixes a “Permission denied” issue that appears when the swift-recon tool tries to access the default recon_lock_path.

  • Fixes a UEFI PXE booting failure of AArch64 Ubuntu ironic-python-agent images. Also fixes missing GRUB EFI files on x86_64. LP#1879265

  • Fixes an issue building images that use a source with a type of git, when using a git that includes the fix for CVE-2022-24765 (2.35.2 or later). By default, this includes the gnocchi-base image, but may include other images with a non-default configuration. LP#837710

  • Fixes disabling the use of the curlrc configuration file in healthcheck_curl. LP#1967272

  • Fixes an issue with missing Magnum Keystone auth default policy. LP#1957159

  • Nova images are built without the pypowervm package. It is needed only for POWER architecture support (which we do not support) and breaks CentOS builds by trying to install the (Python 2 only) ‘futures’ package.

  • Ensures the nvme-cli package is present in nova-compute images, as it is expected by os-brick.

  • Fixes set_configs.py applying the same permissions to directories and files, which left directories without the execute permission when it was not set for files.
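The set_configs.py permission problem described in the last item can be illustrated with the following added example, which is not the code from set_configs.py. The rule it uses (grant execute on a directory wherever read is granted) is an assumption about a reasonable policy, and the file names are constructed.

```python
import os
import stat
import tempfile

_READ_TO_SEARCH = (
    (stat.S_IRUSR, stat.S_IXUSR),
    (stat.S_IRGRP, stat.S_IXGRP),
    (stat.S_IROTH, stat.S_IXOTH),
)


def dir_mode_for(file_mode):
    """Derive a directory mode from a file mode.

    A directory needs the execute (search) bit to be traversed, so add it
    for every class (user/group/other) that has read permission.
    """
    mode = file_mode
    for read_bit, search_bit in _READ_TO_SEARCH:
        if file_mode & read_bit:
            mode |= search_bit
    return mode


def set_perms_recursive(root, file_mode):
    """Apply file_mode to files and the derived mode to directories."""
    for dirpath, _dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), file_mode)
        os.chmod(dirpath, dir_mode_for(file_mode))


def demo(file_mode=0o640):
    """Build a constructed tree, apply permissions, return resulting modes."""
    with tempfile.TemporaryDirectory() as root:
        subdir = os.path.join(root, "conf.d")
        os.makedirs(subdir)
        path = os.path.join(subdir, "app.conf")
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        set_perms_recursive(root, file_mode)
        return {
            "dir": stat.S_IMODE(os.stat(subdir).st_mode),
            "file": stat.S_IMODE(os.stat(path).st_mode),
        }
```

Applying 0o640 directly to conf.d would leave it unsearchable for its owner and group; with the derived mode it becomes 0o750 while the file stays 0o640.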

Other Notes

  • Images now have MariaDB 10.6.

  • kolla-toolbox and all images derived from the openstack-base one have basic Python packages (pip, wheel, setuptools) upgraded to the latest versions.