Revision as of 19:27, 4 April 2012

Release Notes, Essex

<<TableOfContents()>>

New Features

OpenStack Object Storage (Swift)

swift (1.4.4)

• Expiration for objects stored
• More detail to rate limit errors
• Add man pages for swift
• Enhance tempauth to enable autocreated accounts
• System metrics work for cluster monitoring (recon) - creates zone specific stats and socket stats

swift (1.4.5)

• Better process tools for old or hung proceses
• Support marker queries in Swift CLI

swift (1.4.6)

• TempURL and FormPost middleware added
• Added memcache.conf option
• Dropped eval-based json parser fallback
• Properly lose all groups when dropping privileges
• Fix permissions when creating files
• Fixed bug regarding negative Content-Length in requests
• Consistent formatting on Last-Modified response header
• Added timeout option to swift-recon
• Allow arguments to be passed to nosetest
• Removed tools/rfc.sh
• Other minor bug fixes

swift (1.4.7)

• Improvements to account and container replication.
• Fix for account servers allowing .pending to exist before .db.
• Fixed possible key-guessing exploit in formpost.
• Fixed bug in ring builder when removing a large percentage of devices.
• Swift CLI tool now supports openstack-standard CLI flags.
• New JSON output option for swift-dispersion-report.
• Removed old stats tools.
• Other bug fixes and documentation updates.

swift (1.4.8)

• Added optional max_containers_per_account restriction
• Added alternate metadata header removal method
• Added optional name_check middleware filter
• Added support for venv-based test runs with tox
• StaticWeb behavior change with X-Web-Mode: true and non-StaticWeb-enabled containers (immediately 404s instead of passing the request on down the WSGI pipeline).
• Fixed typo in swift-dispersion-report JSON output.
• Swift-Recon-related fix to create temporary files on the same disk as their final destinations.
• Updated return codes in swift3 middleware
• Fixed swift3 middleware to allow Content-Range header in response
• Updated swift.common.client and swift CLI tool with auth 2.0 changes
• Swift CLI tool now supports common openstack auth args
• Body of HTTP responses now included in error messages of swift CLI tool
• Refactored some ring building functions for clarity and simplicity

OpenStack Compute (Nova)

Volumes

• Separate Nova Volume API
• Nexenta volume driver
• SolidFireSanISCSIDriver sub-class in san.py

Security

• More secure root wrapper

Authorization and Authentication

• Authorization - Can <user> <do something> to <some resource>?
• Enable euca-upload-bundle and euca-register through X509 Cert management
• Rewrite the keystone export to work properly

Hypervisor-specific

• KVM and Xen Disk Management Parity
• Unify a common path for VNC Consoles for XenServer or KVM
• XenAPI support for Security Groups
• Support KVM booting from ISO images
• Support for XenServer 5.6 and high availablilty networking added to DevStack
• Report capabilities to ZoneManager for KVM to match capability of XenServer
• Libvirt File Injection
• Libvirt/KVM resize
• Remove Hyper-V support
• Security group driver code for XenAPI for firewalls
• Fast image cloning support for Xenserver

API

• Separate Nova Admin API
• Console log now available through Compute API
• Return request ids in responses to enable better troubleshooting
• Refactor extensions to eliminate ExtensionMiddleware and LazySerializationMiddleware to call extensions directly
• Validate EC2 API parameters upon execution
• Improve VM state management to constrain state transitions
• Volume snapshot and backup API extension
• Separate nova metadata service
• Remove non-standard ec2 extensions for roles, user, project, vpn in an "admin" EC2 API

Network

• Changes to network representations in nova database (Untie the Nova network models)
• Move cloudpipe calls to a Compute API extension
• Support multiple floating IP ranges
• Manage DNS entries for instances, for floating IPs, for different DNS servers
• Add floating IP support to QuantumManager
• Compute Network info copy for performance improvement
• Bandwidth rate multipliers and base limits
• Add support for NAT to QuantumManager

Messaging

• RPC API implementation with Apache Qpid instead of RabbitMQ

Live migration

• Resource calculations on destination host

Orchestration and troubleshooting enhancements (for lack of a better term)

• Ensure uuids internally to references instances
• Adds ability to get the last error using a nova-manage command
• Remove callbacks from virt drivers
• Network info model for nova
• Host aggregates, a mechanism to further partitioning an availability zone, i.e. into multiple groups of hosts that share common resources like storage and network.
• Improvements for Scaling Zones
• Add Image Cache Management to Compute Nodes
• Bare-metal provisioning with Tilera tiled-processor back-end
• Optional Host and Admin VM information

Console Access to VMs

• Remove ajaxterm from nova (not secure, not maintained)

OpenStack Image Registry and Delivery (Glance)

Authorization

• Interim AuthZ service for Glance
• Protect or unprotect an image

API enhancements

• Configurable number of Glance API processes

Usability and performance improvements

• Add option to allow custom directory for data buffering
• Show progress bar for uploading an image
• Allow images to be uploaded to glance from an external location via the X-Image-Meta-Copy-From header
• Support Qpid for glance notifications over AMPQ
• Support sendfile(2) to remove userspace copying of image file data

OpenStack Dashboard (Horizon)

The Dashboard interface has improved in many ways this release.

• Localization / Internationalization enabled including a Settings page for selecting a language
• Support for managing volumes
• Enable instance detail drill down
• A Human Interface Guidelines document has been established for the Dashboard
• Migrate to novaclient from openstackx
• Add launch from volume support
• Support for pause/suspend instance
• Support for displaying an instance power state
• Offer EC2 credentials download
• Offer support for volume snapshots
• Implement in-context help

OpenStack Identity service (Keystone)

The implementation of the Identity service changed completely during the Essex release. Much of the design is precipitated from the expectation that the auth backends for most deployments will actually be shims in front of existing user systems. Documentation has been updated to support this change and migration paths are documented at http://keystone.openstack.org.

Key Highlights of the Keystone Transition

• The external API - both "admin" and "user" facing has remained stable and identical to the Diablo release. In changing the underlying implementation, we were very careful to keep external components stable to allow us to progress quickly in the future.
• The middleware components used by the other OpenStack projects were substantially rewritten to simply that code as well.
• The implementation of authorization by services was changed from a single shared secret (previously called the "admin token") to a per-service account and password credential pair.
  • this implies configuration changes into nova, glance, swift, etc. specifically around the api-paste.ini files, where new values are now defined for those credentials, and they are now implementable per-service.
• The Keystone service, and the middleware implementations now do considerably more logging for system administrators and openstack deployers to be able to debug authentication and authorization issues.
• Keystone now supports S3 token validation and additional Swift storage features:
  • Swift ACL is now supported, you can allow/deny different users within a tenant.
  • Anoymous access via ACL to allow public access to container.
  • Reseller accounts support to give ability to nova to access swift and have it to replace nova-objectstore.

Known Issues and Limitations for Keystone

• Using SSL certs for authorization instead of userid/credentials
• Any API to drive policy definitions around role based access controls
• Mapping identity to pre-existing LDAP backends
• User facing APIs to support (when available) identity updates (i.e. a user changing their password, or "logging out")

Known packaged distributions

OpenSUSE 12.1 / SLES11 SP2

• https://build.opensuse.org/project/show?project=isv:B1-Systems:OpenStack:release:Essex
  • https://build.opensuse.org/project/show?project=isv:B1-Systems:OpenStack:release:Essex:requirements

You can find all details about the repositories for OpenSUSE 12.1 and SLES11 SP2 on our packaging site in the wiki: Packaging/SUSE

Fedora 17 / Fedora 16 / EPEL 6

• Fedora 17 (May 2012) will ship with OpenStack Essex
• The Extra Packages for Enterprise Linux repository supporting RHEL >= 6.2 and derivatives will update from Diablo to Essex
• You can get Fedora/EPEL OpenStack package details at https://apps.fedoraproject.org/packages/s/openstack
• Install/Setup notes for Essex are at http://fedoraproject.org/wiki/Getting_started_with_OpenStack_on_Fedora_17
• An unofficial Essex repository for Fedora 16 is available at http://repos.fedorapeople.org/repos/apevec/openstack-preview/fedora-16/noarch/