Zed Series Release Notes¶
Fixes missing way for kolla-toolbox to be built offline. LP#2020761
Adds missing grafana-opensearch-datasource plugin to the list of plugins in the docker image.
Fix container restart conditions to be tolerant of missing optional source and/or destination files. For more details, see the following bug report
Fixes an issue where the script
openvswitch-db-serverimage would ignore errors encountered while configuring bridges and ports. LP#1999778
Support for binary images got removed in Zed. Users are requested to migrate to source based images.
Rocky Linux 9 is now supported as a base container image.
Updates Alertmanager version to 0.24.0.
Adds support for TPM emulation in Nova (via “swtpm”).
Adds OpenSearch and OpenSearch Dashboards images.
Updates the OpenStack exporter for Prometheus to version 1.6.0.
Quiet mode (enabled with
--quietargument) can be combined with
--logs-diroption now. Console output will be quiet as expected while building output will be stored in separate log files.
--repos-yamlargument to allow user to provide own file with definitions of external package repositories. Useful for those building in offline environments with set of internal mirrors.
kolla_versionlabel to git sha-1 hash if images are built with kolla from git repository.
To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE environment variables in kolla-built containers has been dropped. Now, only the single trusted path of
/var/lib/kolla/config_files/config.jsonwill be utilised for loading container config. We believe this is a reasonable tradeoff as these environment variables were not used by any known downstream and potential users in the wild can easily adapt as this does not limit the functionality per se, only making it stricter as to where the config can come from.
- Prometheus services were updated to following versions:
blackbox_exporter -> 0.22.0
elasticsearch_exporter -> 1.5.0
haproxy_exporter -> 0.13.0
memcached_exporter_version -> 0.10.0
mysqld_exporter -> 0.14.0
node_exporter -> 1.4.0
prometheus -> 2.38.0
prometheus_cadvisor -> 0.45.0
prometheus_libvirt_exporter -> 2.3.2
prometheus_msteams -> 1.5.1
prometheus_mtail -> v3.0.0-rc50
Default base distribution has been changed from CentOS Stream to Rocky Linux.
Removes images for
zookeeper, since support for them has been dropped in Kolla-Ansible in Zed release. Prometheus + Grafana + Fluentd + OpenSearch remain as the primary monitoring, logging and alerting stack in Kolla.
logstashimages have been dropped. Zed release brings in support for
opensearch-dashboardsbut there’s no equivalent for
Python 3.6 & 3.7 support has been dropped. The minimum version of Python now supported is Python 3.8.
qdrouterdimage has been dropped.
etcdis now installed from the upstream binaries published to github rather than via the OS package manager. This aligns the etcd version across all distributions for compatibility.
Kolla Build no longer prepends the base (distro) name to image names. Instead, the user is able to choose any prefix they wish via the
The updated OpenStack exporter for Prometheus uses the latest Nova API microversion by default, resulting in changes to existing metrics. To keep existing behaviour, set
RabbitMQ version has been updated to 3.10 (together with Erlang to 25).
The Debian and Ubuntu images use rabbitmq from cloudsmith and erlang from Team RabbitMQ PPA now. Operators might want to mirror/proxy those new sources as they provides the correct set of packages unlike the previous combination.
kolla-toolboxcontainer has been upgraded to 2.13 version.
hacluster-pcsimage has been deprecated for removal in the Antelope release.
install_typeargument is now deprecated. We no longer support other values than
sourcetherefore handling of argument was dropped. Please update your scripts as it will be removed in Antelope cycle.
Fixes a hypothetical security issue related to privilege escalation via rootwrap/privsep. A potential vulnerable service could previously allow writes to its rootwrap/privsep config and thus allow for more commands to be run with root privileges via rootwrap/privsep. For a succesful attack, this would also require the service to allow to run arbitrary commands via rootwrap/privsep. Thus far, no such vulnerabilities have been reported and thus this fix is simply strengthening the container images against such an issue in the future. LP#1874298
Fixes CVE-2022-38060, a sudo privilege escalation vulnerability. LP#1985784
apt-get updatecommand by default didn’t fail on erroneous source repositories, it show the warning ‘W: Some index files failed to download. They have been ignored, or old ones used instead.’ and continue to work. This causes some containers (eg. rabbitmq, kolla-toolbox) successfully built, but makes them inconsistent because the official Ubuntu repository contains packages with the same names. Now we use
apt-get -eany updatecommand to stop building with an error in such cases.
Fixes CentOS builds of Skydive SEGV on startup. Skydive versions prior to 0.28.0 panic on newer versions of libc. This especially affects Centos 8. LP#1940862
Fixes an issue building images that use a source with a
git, when using a git that includes the fix for CVE-2022-24765 (2.35.2 or later). By default, this includes the
gnocchi-baseimage, but may include other images with a non-default configuration. LP#837710
Fixes the Debian and Ubuntu images to use rabbitmq from cloudsmith and erlang from Team RabbitMQ PPA so that the images are still buildable and use proper versions.
Fixes an issue with Swift deployment via Kolla Ansible caused by the fix to CVE-2022-38060. The kolla-toolbox container now have its own sudoers secure_path configuration which allows the necessary binaries to execute.
Added ‘–retry 5’ to curlrc to improve curl downloads during image builds.