Current Series Release Notes
A --task-log option has been added to the nova-manage db archive_deleted_rows CLI. When --task-log is specified, task_log table records will be archived while archiving the database. The --task-log option works in conjunction with --before if operators desire archiving only records that are older than <date>. The updated_at field is used by --task-log --before <date> to determine the age of a task_log record for archival.
The task_log database table contains instance usage audit records if nova-compute has been configured with [DEFAULT]instance_usage_audit = True. This will be the case if OpenStack Telemetry is being used in the deployment, as the option causes Nova to generate audit data that Telemetry then retrieves from the server usage audit log API.
Historically, there has been no way to delete task_log table records other than manual database modification. Because of this, task_log records could pile up over time and operators are forced to perform manual steps to periodically truncate the
As part of the fix for bug 1910466, code that attempted to optimize VM CPU thread assignment based on the host CPU topology has been removed, as it was determined to be buggy and undocumented, and it rejected valid virtual CPU topologies while also producing different behavior when CPU pinning was enabled vs disabled. The optimization may be reintroduced in the future with a more generic implementation that works for both pinned and unpinned VMs.
A vulnerability in the console proxies (novnc, serial, spice) that allowed open redirection has been patched. The novnc, serial, and spice console proxies are implemented as websockify servers and the request handler inherits from the Python standard library's SimpleHTTPRequestHandler. There is a known issue in SimpleHTTPRequestHandler which allows open redirects by way of URLs in the following format:
which if visited, will redirect a user to example.com.
The novnc, serial, and spice console proxies will now reject requests that pass a redirection URL beginning with “//” with a 400 Bad Request.
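The rejection rule described above, sketched as a standalone handler. This is an added example, not Nova's code; the class names, the in-memory socket, the docs directory and the //example.com/ target are constructed for illustration.

```python
import io
import os
import tempfile
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler

class NoSchemeRelativeHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that answers 400 to targets starting with '//'."""

    def parse_request(self):
        if not super().parse_request():
            return False  # the base class has already sent an error
        # Inspect the request line as received: some Python releases collapse
        # a leading '//' into '/' in self.path while parsing.
        target = self.requestline.split()[1]
        if target.startswith("//"):
            # Echoed into a Location header, '//host/' is scheme-relative.
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return False
        return True

    def log_message(self, fmt, *args):
        pass  # keep the example quiet

class _FakeSocket:
    """In-memory stand-in for a client socket (scaffolding for the example)."""

    def __init__(self, request_bytes):
        self._rfile = io.BytesIO(request_bytes)
        self.sent = io.BytesIO()

    def makefile(self, *args, **kwargs):
        return self._rfile

    def sendall(self, data):
        self.sent.write(data)

def status_for(target):
    """Send one GET for `target` through the handler; return the HTTP status."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))  # constructed web root
        sock = _FakeSocket(f"GET {target} HTTP/1.0\r\n\r\n".encode("ascii"))
        NoSchemeRelativeHandler(sock, ("127.0.0.1", 0), None, directory=root)
        return int(sock.sent.getvalue().split()[1])

if __name__ == "__main__":
    print({t: status_for(t) for t in ("/docs", "/docs/", "//example.com/")})
```

The ordinary directory redirect from /docs to /docs/ still returns 301, while any target beginning with // is answered with 400 before a Location header can be built from it.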
In this release OVS port creation has been delegated to os-vif when the openvswitch security group firewall drivers are enabled in Neutron. Those options, and others that disable the hybrid_plug mechanism, will now use os-vif instead of libvirt to plug VIFs into the bridge. By delegating port plugging to os-vif we can use the isolate_vif config option to ensure VIFs are plugged securely, preventing guests from accessing other tenants’ networks before the neutron ovs agent can wire up the port. See bug #1734320 for details. Note that OVN, ODL and other SDN solutions also use hybrid_plug=false but they are not known to be affected by the security issue caused by the previous behavior. As such the isolate_vif os-vif config option is only used when deploying with ml2/ovs.
Improved detection of anti-affinity policy violation when performing live and cold migrations. Most of the violations caused by race conditions due to performing concurrent live or cold migrations should now be addressed by extra checks in the compute service. Upon detection, cold migration operations are automatically rescheduled, while live migrations have two checks and will be rescheduled if detected by the first one, otherwise the live migration will fail cleanly and revert the instance state back to its previous value.
Bug 1851545, wherein unshelving an instance with SRIOV Neutron ports did not update the port binding’s pci_slot and could cause libvirt PCI conflicts, has been fixed.
Constraints in the fix’s implementation mean that it only applies to instances booted after it has been applied. Existing instances will still experience bug 1851545 after being shelved and unshelved, even with the fix applied.
The nova libvirt driver supports two independent features, virtual CPU topologies and virtual NUMA topologies. Previously, when hw:cpu_max_threads were specified for pinned instances (hw:cpu_policy=dedicated) without explicit hw:cpu_threads extra specs or their image equivalent, nova failed to generate a valid virtual CPU topology. This has now been fixed and it is now possible to use max CPU constraints with pinned instances. e.g. a combination of hw:cpu_policy=dedicated can now generate a valid topology using a flavor with 8 vCPUs.
In this release we delegate port plugging to os-vif for all OVS interface types. This allows os-vif to create the OVS port before libvirt creates a tap device during a live migration therefore preventing the loss of the MAC learning frames generated by QEMU. This resolves a long-standing race condition between Libvirt creating the OVS port, Neutron wiring up the OVS port and QEMU generating RARP packets to populate the vswitch MAC learning table. As a result this reduces the interval during a live migration where packets can be lost. See bug #1815989 for details.
To fix device detach issues in the libvirt driver the detach logic has been changed from a sleep based retry loop to waiting for libvirt domain events. During this change we also introduced two new config options to allow fine tuning the retry logic. For details see the description of the new