Newton Series Release Notes


New Features

  • Add support for LBaaS v2; LBaaS v1 was removed by the neutron community in the Newton release. Until now, LBaaS v1 was used by all clusters created using magnum. This release adds support for LBaaS v2 for all supported drivers.

Upgrade Notes

  • To let clusters communicate directly with OpenStack services other than Magnum, set cluster_user_trust to True in the trust section of magnum.conf. The default value is False.

Security Issues

  • Every magnum cluster is assigned a trustee user and a trust ID. This user is used to allow clusters to communicate with the key-manager service (Barbican) and to get the certificate authority of the cluster. This trust user can be used by other services too: it can let the cluster authenticate with other OpenStack services such as the Block Storage service, Object Storage service, Load Balancing, etc. The cluster with this user and the trust ID has full access to the trustor’s OpenStack project. A new configuration parameter has been added to restrict access to services other than Magnum.

Bug Fixes

  • Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have to be re-created to benefit from this fix. Part of this fix is the newly introduced setting cluster_user_trust in the trust section of magnum.conf, which defaults to False. cluster_user_trust dictates whether a trust ID may be passed into a cluster’s instances. For most clusters this capability is not needed. Clusters with registry_enabled=True or volume_driver=rexray will need this capability, and other features that require it may be introduced in the future. To be able to create such clusters you will need to set cluster_user_trust to True.
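The following is an added example, not Magnum’s own code, showing how an operator can audit the cluster_user_trust setting described above against the cluster templates in use: it flags templates that cannot be created while the option is False, and, when the option is True, templates that receive a trust ID (and with it full access to the trustor’s project) without actually needing one. It assumes magnum.conf is INI-style with a [trust] section, as the note says, and models cluster templates as plain dicts; the config text and templates are constructed samples.

```python
"""Audit cluster_user_trust against the cluster templates that need it.

Added example for these release notes, not Magnum's own code. It assumes
magnum.conf is INI-style with a [trust] section (as the notes say) and models
cluster templates as plain dicts keyed by the template's property names.
"""
import configparser

# Template settings that, per the release note, require a trust ID inside the
# cluster's instances and therefore cluster_user_trust = True.
TRUST_REQUIRING_SETTINGS = (
    ("registry_enabled", "true"),
    ("volume_driver", "rexray"),
)

# Constructed sample config and templates (not taken from a real deployment).
SAMPLE_CONF = """\
[trust]
cluster_user_trust = False
"""
SAMPLE_TEMPLATES = [
    {"name": "k8s-plain", "registry_enabled": False},
    {"name": "swarm-rexray", "volume_driver": "rexray"},
    {"name": "k8s-registry", "registry_enabled": True},
]


def cluster_user_trust_enabled(conf_text):
    """Return the [trust] cluster_user_trust value; the default is False."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.getboolean("trust", "cluster_user_trust", fallback=False)


def template_needs_trust(template):
    """Return the settings of a template that require passing a trust ID."""
    reasons = []
    for key, required in TRUST_REQUIRING_SETTINGS:
        if str(template.get(key, "")).lower() == required:
            reasons.append(f"{key}={template[key]}")
    return reasons


def audit(conf_text, templates):
    """Return (template name, finding) pairs for an operator to review."""
    enabled = cluster_user_trust_enabled(conf_text)
    findings = []
    for tmpl in templates:
        reasons = template_needs_trust(tmpl)
        if reasons and not enabled:
            findings.append((tmpl["name"],
                             "cannot be created until cluster_user_trust = True ("
                             + ", ".join(reasons) + ")"))
        elif enabled and not reasons:
            findings.append((tmpl["name"],
                             "trust ID is passed into instances that do not need it; "
                             "they gain full access to the trustor's project"))
        elif enabled:
            findings.append((tmpl["name"],
                             "trust ID is passed into instances for " + ", ".join(reasons)
                             + "; those instances can reach the trustor's whole project"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF, SAMPLE_TEMPLATES):
        print(f"{name}: {finding}")
```

With the sample config (cluster_user_trust = False) the audit reports the two templates that need the trust ID and says nothing about k8s-plain; flipping the option to True turns every template into a finding, which is the point: the option is global, so enabling it for one rexray cluster also hands a trust ID to every other cluster’s instances.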


Magnum’s bay-to-cluster blueprint [1] required changes across much of its codebase to align with industry standards. To support this blueprint, certain group and option names were changed in configuration files [2]. See the deprecations section for more details.

Magnum’s service type and mission statement were changed [1].

The service type changed from “Container service” to “Container Infrastructure Management service”. In addition, the mission statement changed to “To provide a set of services for provisioning, scaling, and managing container orchestration engines.”

The intent is to narrow the scope of the Magnum project to focus on integrating container orchestration engines (COEs) with OpenStack. API features intended to uniformly create, manage, and delete individual containers across any COE will be removed from Magnum’s API and re-introduced as a separate project called Zun.


New Features

  • Add flannel’s host-gw backend option. Magnum deploys clusters over a dedicated neutron private network using flannel. Flannel’s host-gw backend gives the best performance in this topology (private layer 2), since there is no packet-processing overhead and no MTU reduction, and it scales to as many hosts as the alternatives. The label “flannel_use_vxlan” was repurposed for the flannel network driver: first, the label flannel_use_vxlan is renamed to flannel_backend; second, its value is redefined from “yes/no” to “udp/vxlan/host-gw”.
  • Add support for a new OpenSUSE driver for running k8s clusters on OpenSUSE. This driver is experimental for now, and operators need to get it from the /contrib folder.
  • Add configuration for overlay networks for the docker network driver in swarm. To use this feature, users need to create a swarm cluster with network_driver set to ‘docker’. After the cluster is created, users can create an overlay network (docker network create -d overlay mynetwork) and use it when launching a new container (docker run --net=mynetwork …).
  • Auto generate name for cluster and cluster-template. If users create a cluster/cluster-template without specifying a name, the name will be auto-generated.
  • Decouple the hard requirement on barbican. Introduce a new certificate store called x509keypair. If x509keypair is used, TLS certificates are stored in magnum’s database instead of barbican. To do that, set the config option cert_manager_type to x509keypair.
  • Decouple the hard requirement on neutron-lbaas. Introduce a new property, master_lb_enabled, in the cluster template. This property determines whether a cluster’s master nodes should be load balanced. Set the value to false if neutron-lbaas is not installed.
  • Emit notifications when there is an event on a cluster. An event could be a status change of the cluster due to an operation issued by end users (e.g. creating, updating or deleting the cluster). Notifications are sent using oslo.notify and PyCADF. Ceilometer can capture the events and generate samples for auditing, billing, monitoring, or quota purposes.
  • Enable Mesos clusters to export more slave flags via labels in the cluster template. Add the following labels: mesos_slave_isolation, mesos_slave_image_providers, mesos_slave_work_dir, and mesos_slave_executor_environment_variables.
  • Integrate the Docker Swarm Fedora Atomic driver with the Block Storage service (cinder). The rexray volume driver was added based on rexray v0.4. Users can create and attach volumes using docker’s native client, and they will authenticate using the per-cluster trustee user. Rexray can either be added to the Fedora Atomic image or be run in a container.

Upgrade Notes

  • Magnum now supports SSL for the API service. Users can enable SSL for the API via three new config options: ‘enabled_ssl’, ‘ssl_cert_file’ and ‘ssl_key_file’.
  • Change the default API development server from wsgiref simple_server to werkzeug, which has better SSL support.
  • All container/pod/service/replication controller operations were removed. Users are recommended to use the COE’s native tools (e.g. docker, kubectl) to do the equivalent of the removed operations.
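An added example (not Magnum’s code) that sanity-checks the three new SSL options before restarting the API: it confirms SSL is actually enabled, that both files exist, and that the private key is not readable by group or others, which is the check most often missed when a certificate is dropped into place by hand. It assumes the options live in an [api] section of magnum.conf (an assumption; confirm against your configuration reference); the files it creates are constructed placeholders, not real PEM data.

```python
"""Sanity-check the API SSL options added in this release.

Added example for these release notes, not Magnum's own code. It assumes the
three options live in the [api] section of magnum.conf (assumed; confirm in
your config reference) and that the key file should be readable only by the
service user.
"""
import configparser
import os
import stat
import tempfile


def check_api_ssl(conf_text):
    """Return a list of problems; an empty list means SSL is on and usable."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.getboolean("api", "enabled_ssl", fallback=False):
        return ["enabled_ssl is False: the API serves plaintext HTTP"]
    problems = []
    for option in ("ssl_cert_file", "ssl_key_file"):
        path = parser.get("api", option, fallback="")
        if not path:
            problems.append(f"{option} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{option} does not exist: {path}")
    key_path = parser.get("api", "ssl_key_file", fallback="")
    if key_path and os.path.isfile(key_path):
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        # Any group/other bit on the private key is a finding.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"ssl_key_file is accessible to group/others (mode {mode:04o})")
    return problems


def demo():
    """Run the check against constructed files; returns (loose, tight) findings."""
    with tempfile.TemporaryDirectory() as workdir:
        cert = os.path.join(workdir, "api.crt")
        key = os.path.join(workdir, "api.key")
        for path in (cert, key):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real PEM data\n")
        conf = f"[api]\nenabled_ssl = True\nssl_cert_file = {cert}\nssl_key_file = {key}\n"
        os.chmod(key, 0o644)          # world-readable private key: expect a finding
        loose = check_api_ssl(conf)
        os.chmod(key, 0o600)          # owner-only: expect no findings
        tight = check_api_ssl(conf)
    return loose, tight


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two result lists: one finding for the 0644 key and an empty list once the key is 0600.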

Deprecation Notes

  • The ‘bay’ group has been renamed to ‘cluster’ and all options in the former ‘bay’ group have been moved to ‘cluster’.
  • The ‘bay_heat’ group has been renamed to ‘cluster_heat’ and all options in the former ‘bay_heat’ group have been moved to ‘cluster_heat’.
  • The ‘bay_create_timeout’ option in the former ‘bay_heat’ group has been renamed to ‘create_timeout’ inside the ‘cluster_heat’ group.
  • The ‘baymodel’ group has been renamed to ‘cluster_template’ and all options in the former ‘baymodel’ group have been moved to ‘cluster_template’.

Security Issues

  • Fix global stack list in the periodic task. Previously, magnum’s periodic task performed a stack-list operation across all tenants. This is disabled by Heat by default since it causes a security issue. As of this release, magnum performs a stack-get operation on each Heat stack by default. This might not be scalable, so operators have the option to fall back to stack-list by setting the config option periodic_global_stack_list to True (False by default) and updating the heat policy file (usually /etc/heat/policy.json) to allow magnum to list stacks.
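The fallback above only works when magnum.conf and Heat’s policy file agree, and an open policy with the option still off is a needless cross-tenant grant. The following added example (not Magnum or Heat code) checks both sides together. It assumes periodic_global_stack_list is read from the [DEFAULT] section (the note does not name the section), that Heat’s policy rule for cross-tenant listing is "stacks:global_index" (taken from Heat’s default policy file; verify against your deployment), and that the Magnum service user holds a role called "magnum" (a constructed placeholder); the policy fragments are constructed samples.

```python
"""Check that Magnum's stack-listing mode and Heat's policy agree.

Added example for these release notes, not Magnum or Heat code. Assumptions:
periodic_global_stack_list is read from magnum.conf's [DEFAULT] section
(assumed; the note does not name the section), Heat's policy.json names the
cross-tenant listing rule "stacks:global_index" (taken from Heat's default
policy file; verify against your deployment), and the Magnum service user
holds a role called "magnum" (constructed placeholder).
"""
import configparser
import json

GLOBAL_INDEX_RULE = "stacks:global_index"   # assumed Heat rule name

# Constructed policy fragments: the first mirrors Heat's default (deny all);
# the second grants the rule only to the Magnum service role.
DEFAULT_POLICY = '{"deny_everybody": "!", "stacks:global_index": "rule:deny_everybody"}'
SCOPED_POLICY = '{"deny_everybody": "!", "stacks:global_index": "role:magnum"}'


def global_stack_list_enabled(conf_text):
    """Return periodic_global_stack_list from magnum.conf (default False)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.getboolean("DEFAULT", "periodic_global_stack_list", fallback=False)


def rule_allows_role(policy_text, rule_name, role):
    """Evaluate a flat oslo.policy-style rule for one role.

    Handles the forms used by Heat's default file: "" or "@" (allow all),
    "!" (deny all), "role:<name>", "rule:<other>" (indirection) and
    " or "-joined alternatives. Anything else is treated as deny.
    """
    policy = json.loads(policy_text)

    def evaluate(expr, depth):
        expr = expr.strip()
        if expr in ("", "@"):
            return True
        if expr == "!":
            return False
        if " or " in expr:
            return any(evaluate(part, depth) for part in expr.split(" or "))
        if expr.startswith("rule:"):
            # Cap indirection so a self-referencing rule cannot loop forever.
            return depth < 8 and evaluate(policy.get(expr[5:], "!"), depth + 1)
        if expr.startswith("role:"):
            return expr[5:] == role
        return False

    return evaluate(policy.get(rule_name, "!"), 0)


def check(conf_text, policy_text, magnum_role="magnum"):
    """Return (mode, warnings): mode is "stack-list" or "stack-get"."""
    enabled = global_stack_list_enabled(conf_text)
    allowed = rule_allows_role(policy_text, GLOBAL_INDEX_RULE, magnum_role)
    warnings = []
    if enabled and not allowed:
        warnings.append(f"periodic_global_stack_list = True but Heat denies "
                        f"{GLOBAL_INDEX_RULE} to role {magnum_role}; the periodic task will fail")
    elif enabled:
        warnings.append("cross-tenant stack listing is on; keep "
                        f"{GLOBAL_INDEX_RULE} scoped to the Magnum service role only")
    elif allowed:
        warnings.append(f"Heat grants {GLOBAL_INDEX_RULE} to {magnum_role} but Magnum "
                        "uses per-stack stack-get; the grant can be removed")
    return ("stack-list" if enabled else "stack-get"), warnings


if __name__ == "__main__":
    print(check("[DEFAULT]\nperiodic_global_stack_list = True\n", SCOPED_POLICY))
```

The evaluator deliberately covers only the rule forms that appear in this check; for a full policy file use oslo.policy itself. The three outcomes map to the note: default config with default policy is clean, the option turned on against an untouched policy will fail at runtime, and the option turned on with a scoped grant works but deserves a reminder that the grant is cross-tenant.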


New Features

  • Add a docker-storage-driver parameter to the baymodel to allow users to select from the supported drivers. Until now, only devicemapper was supported. This release adds support for OverlayFS on Fedora Atomic hosts with kernel version >= 3.18 (Fedora 22 or higher), resulting in a significant performance improvement. To use OverlayFS, SELinux must be enabled and in enforcing mode on the physical machine, but must be disabled in the container. Thus, if you select overlay for docker-storage-driver, SELinux will be disabled inside the containers.
  • The current implementation of magnum bay operations is synchronous, and as a result API requests are blocked until a response from the Heat service is received. This release adds support for asynchronous bay operations (bay-create, bay-update, and bay-delete). Please note that with this change, bay-create and bay-update API calls return the bay UUID instead of the bay object and also return HTTP status code 202 instead of 201. Microversion 1.2 is added for the new behavior.
  • Add microversion 1.3 to support Magnum bay rollback. Users can enable rollback on bay update failure by setting ‘OpenStack-API-Version’ to ‘container-infra 1.3’ in the request header and passing the ‘rollback=True’ param in the bay update request.

Upgrade Notes

  • The default behavior of the Magnum bay operations API changed from synchronous to asynchronous. Users can specify OpenStack-API-Version 1.1 in the request header for synchronous bay operations.
  • Magnum’s default service type changed from “container” to “container-infra”. It is recommended to update the service type in the Keystone service catalog accordingly.