Key Changes & Improvements

Significantly improved RabbitMQ stability

Previously, any network disruption or high load on a control node could trigger problems with RabbitMQ, which required manual intervention to fix. This typically manifested as instances failing to provision, or actions failing to complete properly. RabbitMQ-dependent services are now able to operate properly even in a degraded state with one control node fully down, making simplified evacuation procedures possible.

Barbican Key Manager

The OpenStack Barbican service has been added, which allows securely storing secrets (such as private keys, certificates, passwords, etc.). This enables the use of LUKS-encrypted volumes and TLS-terminated Load Balancers.

Automatic image conversion to RAW

Base OS images that are uploaded in QCOW2 and other disk formats are now automatically converted to RAW. This allows for more efficient storage within the Ceph storage cluster, especially when multiple instances use the same image, or when snapshots are used extensively. Having the source images in RAW format allows Cinder to provision volumes based on those images almost instantly, whereas previously it required a time-intensive copying process that would sometimes fail when provisioning multiple instances simultaneously, or when using large base images (such as Windows VMs).

Neutron VPNaaS

The Neutron VPNaaS plugin has been added. This allows creating site-to-site VPN tunnels between OpenStack networks and remote networks using industry-standard protocols like IPsec and IKE.

TRIM-enabled volumes by default

Instances created from our stock OS images will now use the virtio-scsi driver by default, enabling instances to take advantage of TRIM support in Ceph RBD. This means that Ceph is able to reclaim space from files and data deleted from VM filesystems, making more efficient use of cluster storage space.

Improved live-migration and scheduling support

By default, instances will now use a more compatible CPU model to enable live migration between machines using different CPUs. In addition, users can now utilize the Soft Affinity and Soft Anti-Affinity group types when provisioning their own clusters using VMs.

Full Changelog

Added

  • [Kolla-Ansible] Enable Barbican, including keymanager support for Cinder, Nova, and Octavia
    • Allows the use of encrypted volumes, secret storage, and TERMINATED_HTTPS-type Load Balancers
  • [Kolla-Ansible] glance: enable Glance Image Interoperability features
    • Provides automatic image decompression and conversion from QCOW2 (and other formats) to RAW
    • Fixes timeouts when provisioning multiple instances simultaneously
    • Enables lower disk usage for derived images and snapshots
  • [Kolla-Ansible] neutron: enable Neutron VPNaaS plugin
  • [Kolla-Ansible] Automates installation of externally provided SSL certificates
  • [Kolla-Ansible] globals: Use pod-local docker registry for Kolla container images
  • [Heat-Ansible] glance-images: Rocky Linux 8, Rocky Linux 9, and Debian 12 (bookworm) images added to default deployment

Changes & Bug Fixes

  • [Kolla-Ansible] Track upstream to v14.9.0
    • horizon: mitigates CVE-2022-29404 by setting the LimitRequestBody option to 20 GiB
    • cinder: mitigates CVE-2023-2088 by enabling service tokens by default for Nova, Cinder, and Glance
    • rabbitmq: improved HA support
    • See full release notes
  • [Kolla-Ansible] rabbitmq: enable HA mode flags
    • Allows automatic and graceful recovery from most network-related issues and node reboots
    • In combination with upgraded oslo_messaging: fixes issues with RMQ connectivity after a control node has crashed or lost network connectivity
  • [Kolla-Ansible] rabbitmq: enable the RabbitMQ Prometheus plugin
  • [Kolla-Ansible] octavia: implement new ovslinkset script to manage the o-hm0 Octavia bridge interface
    • Improves reliability of the Octavia bridge interface
    • Ensures o-hm0 is automatically brought online after a reboot or Docker service restart
  • [Kolla-Ansible] libvirt: update cpu_model and model flags to enable broad live-migration support across different CPU platforms
  • [Kolla-Ansible] nova: set the volume_clear_size option to clear only the first 10 GiB of LVM volumes after deletion
    • Solves an issue where deleting large LVM volumes resulted in timeout errors
  • [Kolla-Ansible] nova: enable Soft (Anti-)Affinity filters for nova-scheduler
  • [Kolla-Ansible] telegraf: removed from default deployment (was not in use)
  • [Kolla] neutron-l3-agent: default image now includes a downgraded libreswan version that is compatible with the included ipsec version
  • [Kolla] horizon: updated Horizon image to resolve “missing port” bug in Octavia dashboard Load Balancer creation modal dialog affecting Chrome 114+
  • [Kolla] all: all images now include version 12.13.1 of oslo_messaging, which fixes issues with downed RabbitMQ nodes causing the communication thread to hang
    • Ensures proper operation of all OpenStack services, even with a reduced number of operational control nodes
  • [Ceph-Ansible] sets rgw_keystone_make_new_tenants option to true
    • Ensures proper configuration for combined S3 and Swift operation via RGW
  • [Heat-Ansible] glance-images: update Fedora CoreOS to version 38
  • [Heat-Ansible] glance-images: sets image properties to enable virtio-scsi, qemu_guest_agent, and rescue devices on stock images by default
    • Instances provisioned from our stock images will now be able to use TRIM, ensuring cluster disk space is reclaimed when deleting files and data on instance images and volumes
    • Users can now enable freezefs (ensures snapshot integrity), password reset, and similar integrations by installing the qemu-guest-agent in their instances
    • Stock Ubuntu, CentOS, and Rocky images can be used as Rescue images with the ‘Rescue Instance’ feature of Nova
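The TRIM, guest-agent and rescue capabilities described under "TRIM-enabled volumes by default" and in the glance-images entry above come from image metadata, so images uploaded before this release (or uploaded by users) will not have them unless their properties are set. The following is an added audit script, not part of this release or of any of the projects it lists: it reads `openstack image show -f json` output and reports which of the three capabilities an image enables and which `--property` settings are missing. The property names (hw_disk_bus, hw_scsi_model, hw_qemu_guest_agent, hw_rescue_bus, hw_rescue_device) are the Nova image-metadata keys; grouping them into three capabilities, the sample image records, and the assumption that the client renders properties as a JSON object are this example's own.

```python
"""Report whether a Glance image carries the properties that give instances
TRIM/discard (virtio-scsi), QEMU guest agent integration and a rescue device.
Added example; not code from the release or the projects it names."""
import json

# Nova image-metadata keys that enable each capability. Key names are the real
# ones; grouping them into these three capabilities is this example's own
# interpretation. A value of None means "must be present, any value accepted".
CAPABILITIES = {
    "trim_discard":  {"hw_disk_bus": "scsi", "hw_scsi_model": "virtio-scsi"},
    "guest_agent":   {"hw_qemu_guest_agent": "yes"},
    "rescue_device": {"hw_rescue_bus": None, "hw_rescue_device": None},
}

# Constructed `openstack image show -f json` outputs (sample data, not real
# images from any deployment).
SAMPLE_IMAGES = {
    "rocky-9-stock": json.dumps({
        "name": "rocky-9-stock",
        "disk_format": "raw",
        "properties": {
            "hw_disk_bus": "scsi",
            "hw_scsi_model": "virtio-scsi",
            "hw_qemu_guest_agent": "yes",
            "hw_rescue_bus": "scsi",
            "hw_rescue_device": "disk",
        },
    }),
    "legacy-upload": json.dumps({
        "name": "legacy-upload",
        "disk_format": "qcow2",
        "properties": {"os_type": "linux"},
    }),
}


def properties_from_image_show(json_text):
    """Extract the properties dict from `openstack image show -f json` output.
    Assumption: a recent python-openstackclient, which renders properties as a
    JSON object; other shapes yield an empty dict (all capabilities missing)."""
    data = json.loads(json_text)
    props = data.get("properties", {})
    return props if isinstance(props, dict) else {}


def _matches(props, key, expected):
    """True when the property is present and (if a value is required) equal to it."""
    if key not in props:
        return False
    return expected is None or str(props[key]).lower() == expected


def capability_report(props):
    """Return {capability: bool} for an image's property dict."""
    return {
        cap: all(_matches(props, key, value) for key, value in required.items())
        for cap, required in CAPABILITIES.items()
    }


def missing_properties(props):
    """List the `key=value` settings to pass to `openstack image set --property`
    so the image gains every capability. Keys without a fixed required value
    are returned bare for the operator to fill in (e.g. hw_rescue_device=disk)."""
    missing = []
    for required in CAPABILITIES.values():
        for key, value in required.items():
            if not _matches(props, key, value):
                missing.append(f"{key}={value}" if value else key)
    return missing


if __name__ == "__main__":
    for name, output in SAMPLE_IMAGES.items():
        props = properties_from_image_show(output)
        print(name, capability_report(props))
        for item in missing_properties(props):
            print(f"  missing: {item}")
```

Run it against live output by piping `openstack image show <image> -f json` into `properties_from_image_show`; a non-stock image that reports `trim_discard: False` will keep its deleted blocks allocated in Ceph until the properties are set and the instance is rebuilt or re-created.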
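Two of the changelog entries above (Glance image conversion to RAW, and the CVE-2023-2088 mitigation that enables service tokens for Nova, Cinder and Glance) are plain configuration, so a deployment that overrides the generated files can silently lose them. The following is an added audit script, not part of this release or of Kolla-Ansible: it parses ini-style service configs and checks both settings. The option names used (Glance's `[image_import_opts] image_import_plugins` and `[image_conversion] output_format`, `[service_user] send_service_user_token`, and keystonemiddleware's `[keystone_authtoken] service_token_roles_required`) are the upstream names as the author of this example knows them; the split into "sends" and "receives" roles per service, the filenames and the sample fragments are this example's own assumptions, and the cinder fragment is deliberately left with the sender side disabled to show a failing check.

```python
"""Audit ini-style OpenStack service configs for two defaults this release
ships: Glance interoperable image import with conversion to RAW, and
service-user tokens (the CVE-2023-2088 mitigation) between Nova, Cinder and
Glance. Added example; not code from the release or from Kolla-Ansible."""
import configparser
import textwrap

# Assumption for this example: Nova and Cinder send service tokens with the
# user's request; Cinder and Glance receive them and must require the roles.
TOKEN_ROLES = {
    "nova.conf":       {"sends": True,  "receives": False},
    "cinder.conf":     {"sends": True,  "receives": True},
    "glance-api.conf": {"sends": False, "receives": True},
}

# Constructed config fragments (sample data, not copied from any deployment).
SAMPLE_CONFIGS = {
    "glance-api.conf": textwrap.dedent("""
        [image_import_opts]
        image_import_plugins = ['image_decompression', 'image_conversion']

        [image_conversion]
        output_format = raw

        [keystone_authtoken]
        service_token_roles_required = true
        """),
    "nova.conf": textwrap.dedent("""
        [service_user]
        send_service_user_token = true
        auth_type = password
        """),
    # Deliberately wrong: receives tokens correctly but never sends its own.
    "cinder.conf": textwrap.dedent("""
        [keystone_authtoken]
        service_token_roles_required = true

        [service_user]
        send_service_user_token = false
        """),
}


def load_config(text):
    """Parse an ini-style service config. Interpolation is disabled because
    oslo.config values may legitimately contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_true(value):
    """oslo.config-style boolean parsing (true/1/yes/on, case-insensitive)."""
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def raw_conversion_enabled(cp):
    """True when the image_conversion import plugin is listed and its target
    format is raw, which is what turns QCOW2 uploads into RAW automatically."""
    plugins = cp.get("image_import_opts", "image_import_plugins", fallback="")
    fmt = cp.get("image_conversion", "output_format", fallback="")
    return "image_conversion" in plugins and fmt.strip().strip("'\"").lower() == "raw"


def service_tokens_ok(cp, sends, receives):
    """A sender must enable send_service_user_token; a receiver must require
    service-token roles. Missing sections count as disabled."""
    ok = True
    if sends:
        ok = ok and is_true(cp.get("service_user", "send_service_user_token", fallback="false"))
    if receives:
        ok = ok and is_true(cp.get("keystone_authtoken", "service_token_roles_required", fallback="false"))
    return ok


def audit(configs):
    """Return {filename: {check_name: bool}} for every config given."""
    results = {}
    for name, text in configs.items():
        cp = load_config(text)
        checks = {}
        if name.startswith("glance"):
            checks["raw_conversion"] = raw_conversion_enabled(cp)
        role = TOKEN_ROLES.get(name, {"sends": False, "receives": False})
        checks["service_tokens"] = service_tokens_ok(cp, **role)
        results[name] = checks
    return results


if __name__ == "__main__":
    for fname, checks in audit(SAMPLE_CONFIGS).items():
        for check, ok in checks.items():
            print(f"{fname}: {check}: {'OK' if ok else 'MISSING'}")
```

To audit a real deployment, replace `SAMPLE_CONFIGS` with the contents of the rendered files from the service containers; a `service_tokens: MISSING` result on any of the three services means the CVE-2023-2088 mitigation is incomplete on that node.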