
ReleaseNotes/Icehouse/zh cn

Revision as of 13:22, 5 June 2014 by Zhengyue (Upgrade Notes)


OpenStack 2014.1 (Icehouse) Release Notes


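General Upgrade Notes

OpenStack Object Storage (Swift)

Key New Features

  • Discoverable capabilities: A Swift proxy server now responds to /info requests by default (this can be turned off). The response contains information about the cluster and the features the cluster makes available to clients. This means that one client can communicate with multiple Swift clusters and use the features each cluster offers.
  • Generic way to persist system metadata: Swift now supports system metadata on accounts and containers. System metadata provides a way to store internal custom metadata with the associated Swift resources in a safe and secure fashion, without having to plumb that metadata through the core Swift servers. The new gatekeeper middleware prevents system metadata from leaking through requests or from being set by clients.
  • Account-level access control lists (ACLs) and ACL format v2: Accounts now have a privileged (HTTP request) header to represent ACLs or any other form of account-level access control. The value of the header is a JSON dictionary that is interpreted by the auth system. A reference implementation is given in TempAuth. See the full documentation: http://swift.openstack.org/overview_auth.html
  • Object replication with ssync (an rsync alternative): A Swift storage node can be configured to use Swift's native replication transport instead of rsync.
  • Automatic retry on read failures: If reading a resource from an object storage node times out, the read is retried on another node. This means that drive-level failures during a client request are not visible to the end user.
  • Upcoming storage policies

Known Issues

Upgrade Notes

For a more detailed changelog, see https://github.com/openstack/swift/blob/master/CHANGELOG and check it for any configuration changes that may affect your upgrade.

As always, Swift can be upgraded with zero downtime.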

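OpenStack Compute (Nova)

Key New Features

Upgrade Support

  • Limited live upgrades are now supported. Deployers first update the controller node configuration and then update the compute nodes one at a time to complete the cloud upgrade.

Compute Driver Updates

Hyper-V
  • Added support for RDP console connections.
Libvirt (KVM)
  • The Libvirt driver now supports booting instances with modified kernel arguments. If the image metadata contains a value stored under the key os_command_line, that value is used as the kernel arguments; otherwise the default kernel arguments are used.
  • The Libvirt driver now supports using VirtIO SCSI (virtio-scsi) instead of VirtIO Block (virtio-blk) to provide block device access for instances. Virtio SCSI is a para-virtualized controller driver designed as the future successor to VirtIO Block, with higher performance and better scalability as its goals.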
  • The Libvirt Compute driver now supports adding a Virtio RNG device to compute instances to provide increased entropy. Virtio RNG is a paravirtual random number generation device. It allows the compute node to provide entropy to the compute instances in order to fill their entropy pool. The default entropy device used is /dev/random, however use of a physical hardware RNG device attached to the host is also possible. The use of the Virtio RNG device is enabled using the hw_rng property in the metadata of the image used to build the instance.
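  • The Libvirt driver now allows instances to be configured with a non-default video driver. This allows different video driver models, different amounts of video memory and different numbers of heads to be specified. These values are set through the hw_video_model, hw_video_vram and hw_video_head properties in the image metadata. The currently supported video driver models are vga, cirrus, vmvga, xen and qxl.
  • Watchdog support has been added to the Libvirt driver. The watchdog device used is i6300esb. The feature is enabled by setting the hw_watchdog_action property in the image metadata, or in the flavor extra specs, to 'enable'. Supported hw_watchdog_action property values, which denote the action for the watchdog device to take in the event of an instance failure, are poweroff, reset, pause, and none.
  • Instances created with the Libvirt driver now have the High Precision Event Timer (HPET) disabled. On Windows guests with this option enabled, clock drift occurs under heavy load.
  • The Libvirt driver now supports waiting for Neutron events during instance creation to improve reliability. This requires a reasonably recent version of Neutron that can send such events, and avoids races between the instance waiting for networking to be ready and the underlying plumbing.
VMware
  • The VMware compute driver now supports the instance diagnostics API. Use the command "nova diagnostics INSTANCE" to run diagnostics.
  • The VMware compute driver supports creating instances from ISO images.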
  • The VMware Compute drivers now support the aging of cached images.
XenServer
  • All XenServer specific configuration items have changed name, and moved to a [xenserver] section in nova.conf. While the old names will still work in this release, the old names are now deprecated, and support for them could well be removed in a future release of Nova.
  • Added initial support for PCI passthrough
  • Maintained group B status through the introduction of the XenServer CI
  • Improved support for ephemeral disks (including migration and resize up of multiple ephemeral disks)
  • Support for vcpu_pin_set, essential when you pin CPU resources to Dom0
  • Numerous performance and stability enhancements

API

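  • In OpenStack Compute, the V3 API no longer supports the OS-DCF:diskConfig API attribute.
  • The Compute API currently supports both the XML and JSON formats. XML support is now deprecated and will be removed entirely in a future release.
  • The Compute API now provides a mechanism for permanently removing decommissioned compute nodes. Previously these nodes continued to be listed even after the compute service had been disabled or the system had been re-provisioned. This functionality is provided by the ExtendedServicesDelete API extension.
  • The admin_actions plugin in the V3 API has been split logically into multiple plugins, so that administrators can selectively enable parts of the functionality currently in the plugin.
  • When authenticating with OpenStack Networking (Neutron), Compute now uses tenant_id instead of tenant_name. This supports the V3 Identity API, in which tenant_name is not unique.
  • The Compute API now exposes the hypervisor IP address, so that administrators can retrieve it with the nova hypervisor-show command.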

Scheduler

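  • The scheduler now includes a native implementation of a caching scheduler driver. The caching scheduler uses the existing facilities for applying scheduler filters and weights, but caches the list of available hosts. When a user request reaches the caching scheduler, it tries to schedule using the hosts in the cache, which improves scheduler performance.
  • A new scheduler filter, AggregateImagePropertiesIsolation, has been introduced. The filter schedules instances by matching namespaced image properties against host aggregate properties. Physical hosts that do not belong to any aggregate remain valid scheduling targets for all images. The new Compute configuration keys aggregate_image_properties_isolation_namespace and aggregate_image_properties_isolation_separator determine which image properties the filter examines.
  • Weight normalization in OpenStack Compute:
  • The scheduler now supports server groups. The anti-affinity and affinity filters are supported, so that deployed servers are scheduled according to a predefined policy.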
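
The weight normalization listed above, and detailed in the Nova upgrade notes on this page, rescales each weigher's output to the range 0.0 to 1.0 before multipliers apply, so a multiplier that was inflated for raw weights can change which host wins. This added example (not Nova's code) shows the effect using min-max scaling; the hosts, the weigher names ram and site, and all values are constructed.

```python
# Added example: how Icehouse weight normalization changes the effect of
# weigher multipliers. Weigher names, hosts and values are constructed.


def normalize(raw):
    """Min-max scale raw weights into [0.0, 1.0].

    The best raw value becomes 1.0 and the worst 0.0, as the upgrade note
    states. Identical raw values carry no preference and all map to 0.0.
    """
    low, high = min(raw), max(raw)
    if high == low:
        return [0.0] * len(raw)
    return [(value - low) / (high - low) for value in raw]


def rank_hosts(hosts, multipliers, normalized):
    """Return (host names best-first, total weight per host).

    hosts:       {host: {weigher name: raw weight}}
    multipliers: {weigher name: configured multiplier}
    normalized:  False = pre-Icehouse raw weights, True = Icehouse behaviour
    """
    names = sorted(hosts)
    totals = dict.fromkeys(names, 0.0)
    for weigher, multiplier in multipliers.items():
        raw = [hosts[name][weigher] for name in names]
        weights = normalize(raw) if normalized else raw
        for name, weight in zip(names, weights):
            totals[name] += multiplier * weight
    return sorted(names, key=totals.get, reverse=True), totals


# Constructed hosts: free RAM in MB (large raw values) and a hypothetical
# custom weigher that scores site preference from 1 to 3.
HOSTS = {
    "host-a": {"ram": 2048, "site": 3},
    "host-b": {"ram": 16384, "site": 2},
    "host-c": {"ram": 8192, "site": 1},
}
# Multiplier inflated before Icehouse so "site" could compete with raw RAM.
INFLATED = {"ram": 1.0, "site": 10000.0}
# Multipliers chosen again for normalized weights.
REBALANCED = {"ram": 1.0, "site": 1.0}

if __name__ == "__main__":
    for label, multipliers, normalized in (
        ("raw weights, inflated multiplier", INFLATED, False),
        ("normalized, inflated multiplier", INFLATED, True),
        ("normalized, rebalanced multipliers", REBALANCED, True),
    ):
        order, totals = rank_hosts(HOSTS, multipliers, normalized)
        print("%-36s %s %s" % (label, order, totals))
```

With raw weights the RAM difference still decides between host-a and host-b; once weights are normalized, the same multiplier makes the site weigher decide alone.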

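Other Features

  • Notifications are now generated when key pairs are created and deleted.
  • Notifications are now generated when a compute node is enabled, disabled, powered on, shut down, rebooted, put into maintenance mode and taken out of maintenance mode.
  • Compute services can now exit gracefully when they receive a shutdown request, allowing requests that are already being processed to complete before the service exits.
  • Compute uses the value of the running_deleted_instance_action configuration key to decide what to do when a previously deleted instance is found running again. A new shutdown value has been added. Administrators can choose this value to keep instances in that state.
  • File injection is no longer enabled by default in Compute. The recommended alternative is to use ConfigDrive and the metadata server when instances are launched. File injection can be enabled by changing the values of the inject_key and inject_partition keys in the configuration file and restarting the services. The file injection mechanism may be deprecated in a future release.
  • Changes were made so that all configuration groups in the configuration file use descriptive names and /etc/nova/nova.conf keeps the expected format. A number of driver-specific flags, including those for the Libvirt driver, have moved to their own configuration groups.

Known Issues

  • Compute can use newer API versions of other components, but in Icehouse only the following API versions have been tested:
    • Keystone v2
    • Cinder v1
    • Glance v1

Upgrade Notes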

  • Scheduler and weight normalization (https://review.openstack.org/#/c/27160/): In previous releases the Compute and Cells scheduler used raw weights (i.e. the weighers returned any value, and that was the value used by the weighing process).
    • If you were using several weighers for Compute:
      • If several weighers were used (in previous releases Nova only shipped one weigher for compute), it is possible that your multipliers were inflated artificially in order to make an important weigher prevail against any other weigher that returned large raw values. You need to check your weighers and take into account that now the maximum and minimum weights for a host will always be 1.0 and 0.0.
    • If you are using cells:
      • nova.cells.weights.mute_child.MuteChild: The weigher returned the value mute_weight_value as the weight assigned to a child that didn't update its capabilities in a while. It can still be used, but will have no effect on the final weight that will be computed by the weighing process, that will be 1.0. If you are using this weigher to mute a child cell you need to adjust the mute_weight_multiplier.
      • nova.cells.weights.weight_offset.WeightOffsetWeigher introduces a new configuration option offset_weight_multiplier. This new option has to be adjusted. In previous releases, the weigher returned the value of the configured offset for each of the cells in the weighing process. While the winner of that process will still be the same, it will get a weight of 1.0. If you were using this weigher and you were relying on its value to make it prevail against any other weighers you need to adjust its multiplier accordingly.
  • An early Docker compute driver was included in the Havana release. This driver has been moved from Nova into its own repository. The new location is http://git.openstack.org/cgit/stackforge/nova-docker
  • https://review.openstack.org/50668 - The compute_api_class configuration option has been removed.
  • https://review.openstack.org/#/c/54290/ - The following deprecated configuration option aliases have been removed in favor of their new names:
    • service_quantum_metadata_proxy
    • quantum_metadata_proxy_shared_secret
    • use_quantum_default_nets
    • quantum_default_tenant_id
    • vpn_instance_type
    • default_instance_type
    • quantum_url
    • quantum_url_timeout
    • quantum_admin_username
    • quantum_admin_password
    • quantum_admin_tenant_name
    • quantum_region_name
    • quantum_admin_auth_url
    • quantum_api_insecure
    • quantum_auth_strategy
    • quantum_ovs_bridge
    • quantum_extension_sync_interval
    • vmwareapi_host_ip
    • vmwareapi_host_username
    • vmwareapi_host_password
    • vmwareapi_cluster_name
    • vmwareapi_task_poll_interval
    • vmwareapi_api_retry_count
    • vnc_port
    • vnc_port_total
    • use_linked_clone
    • vmwareapi_vlan_interface
    • vmwareapi_wsdl_loc
  • The PowerVM driver has been removed: https://review.openstack.org/#/c/57774/
  • The keystone_authtoken defaults changed in nova.conf: https://review.openstack.org/#/c/62815/
  • libvirt lvm names changed from using instance_name_template to instance uuid (https://review.openstack.org/#/c/76968). Possible manual cleanup required if using a non default instance_name_template.
  • rbd disk names changed from using instance_name_template to instance uuid. Manual cleanup required of old virtual disks after the transition. (TBD find review)
  • Icehouse brings libguestfs as a requirement. Installing icehouse dependencies on a system currently running havana may cause the havana node to begin using libguestfs and break unexpectedly. It is recommended that libvirt_inject_partition=-2 be set on havana nodes prior to starting an upgrade of packages on the system if the nova packages will be updated last.
  • Creating a private flavor now adds access to the tenant automatically. This was the documented behavior in Havana, but the actual implementation in Havana and previous versions of Nova did not add the tenant automatically to private flavors.
  • Nova previously included a nova.conf.sample. This file was automatically generated and is no longer included directly. If you are packaging Nova and wish to include the sample config file, see etc/nova/README.nova.conf for instructions on how to generate the file at build time.
  • Nova now defaults to requiring an event from Neutron when booting libvirt guests. If you upgrade Nova before Neutron, you must disable this feature in Nova until Neutron supports it by setting vif_plugging_is_fatal=False and vif_plugging_timeout=0. Recommended order is: Nova (with this disabled), Neutron (with the notifications enabled), and then enable vif_plugging_is_fatal=True with the default value of vif_plugging_timeout.
  • Nova supports a limited live upgrade model for the compute nodes in Icehouse. To do this, upgrade controller infrastructure (everything except nova-compute) first, but set the [upgrade_levels]/compute=icehouse-compat option. This will enable Icehouse controller services to talk to Havana compute services. Upgrades of individual compute nodes can then proceed normally. When all the computes are upgraded, unset the compute version option to retain the default and restart the controller services.
  • The following configuration options are marked as deprecated in this release. See nova.conf.sample for their replacements. [GROUP]/option
    • [DEFAULT]/rabbit_durable_queues
    • [rpc_notifier2]/topics
    • [DEFAULT]/log_config
    • [DEFAULT]/logfile
    • [DEFAULT]/logdir
    • [DEFAULT]/base_dir_name
    • [DEFAULT]/instance_type_extra_specs
    • [DEFAULT]/db_backend
    • [DEFAULT]/sql_connection
    • [DATABASE]/sql_connection
    • [sql]/connection
    • [DEFAULT]/sql_idle_timeout
    • [DATABASE]/sql_idle_timeout
    • [sql]/idle_timeout
    • [DEFAULT]/sql_min_pool_size
    • [DATABASE]/sql_min_pool_size
    • [DEFAULT]/sql_max_pool_size
    • [DATABASE]/sql_max_pool_size
    • [DEFAULT]/sql_max_retries
    • [DATABASE]/sql_max_retries
    • [DEFAULT]/sql_retry_interval
    • [DATABASE]/reconnect_interval
    • [DEFAULT]/sql_max_overflow
    • [DATABASE]/sqlalchemy_max_overflow
    • [DEFAULT]/sql_connection_debug
    • [DEFAULT]/sql_connection_trace
    • [DATABASE]/sqlalchemy_pool_timeout
    • [DEFAULT]/memcache_servers
    • [DEFAULT]/libvirt_type
    • [DEFAULT]/libvirt_uri
    • [DEFAULT]/libvirt_inject_password
    • [DEFAULT]/libvirt_inject_key
    • [DEFAULT]/libvirt_inject_partition
    • [DEFAULT]/libvirt_vif_driver
    • [DEFAULT]/libvirt_volume_drivers
    • [DEFAULT]/libvirt_disk_prefix
    • [DEFAULT]/libvirt_wait_soft_reboot_seconds
    • [DEFAULT]/libvirt_cpu_mode
    • [DEFAULT]/libvirt_cpu_model
    • [DEFAULT]/libvirt_snapshots_directory
    • [DEFAULT]/libvirt_images_type
    • [DEFAULT]/libvirt_images_volume_group
    • [DEFAULT]/libvirt_sparse_logical_volumes
    • [DEFAULT]/libvirt_images_rbd_pool
    • [DEFAULT]/libvirt_images_rbd_ceph_conf
    • [DEFAULT]/libvirt_snapshot_compression
    • [DEFAULT]/libvirt_use_virtio_for_bridges
    • [DEFAULT]/libvirt_iscsi_use_multipath
    • [DEFAULT]/libvirt_iser_use_multipath
    • [DEFAULT]/matchmaker_ringfile
    • [DEFAULT]/agent_timeout
    • [DEFAULT]/agent_version_timeout
    • [DEFAULT]/agent_resetnetwork_timeout
    • [DEFAULT]/xenapi_agent_path
    • [DEFAULT]/xenapi_disable_agent
    • [DEFAULT]/xenapi_use_agent_default
    • [DEFAULT]/xenapi_login_timeout
    • [DEFAULT]/xenapi_connection_concurrent
    • [DEFAULT]/xenapi_connection_url
    • [DEFAULT]/xenapi_connection_username
    • [DEFAULT]/xenapi_connection_password
    • [DEFAULT]/xenapi_vhd_coalesce_poll_interval
    • [DEFAULT]/xenapi_check_host
    • [DEFAULT]/xenapi_vhd_coalesce_max_attempts
    • [DEFAULT]/xenapi_sr_base_path
    • [DEFAULT]/target_host
    • [DEFAULT]/target_port
    • [DEFAULT]/iqn_prefix
    • [DEFAULT]/xenapi_remap_vbd_dev
    • [DEFAULT]/xenapi_remap_vbd_dev_prefix
    • [DEFAULT]/xenapi_torrent_base_url
    • [DEFAULT]/xenapi_torrent_seed_chance
    • [DEFAULT]/xenapi_torrent_seed_duration
    • [DEFAULT]/xenapi_torrent_max_last_accessed
    • [DEFAULT]/xenapi_torrent_listen_port_start
    • [DEFAULT]/xenapi_torrent_listen_port_end
    • [DEFAULT]/xenapi_torrent_download_stall_cutoff
    • [DEFAULT]/xenapi_torrent_max_seeder_processes_per_host
    • [DEFAULT]/use_join_force
    • [DEFAULT]/xenapi_ovs_integration_bridge
    • [DEFAULT]/cache_images
    • [DEFAULT]/xenapi_image_compression_level
    • [DEFAULT]/default_os_type
    • [DEFAULT]/block_device_creation_timeout
    • [DEFAULT]/max_kernel_ramdisk_size
    • [DEFAULT]/sr_matching_filter
    • [DEFAULT]/xenapi_sparse_copy
    • [DEFAULT]/xenapi_num_vbd_unplug_retries
    • [DEFAULT]/xenapi_torrent_images
    • [DEFAULT]/xenapi_ipxe_network_name
    • [DEFAULT]/xenapi_ipxe_boot_menu_url
    • [DEFAULT]/xenapi_ipxe_mkisofs_cmd
    • [DEFAULT]/xenapi_running_timeout
    • [DEFAULT]/xenapi_vif_driver
    • [DEFAULT]/xenapi_image_upload_handler
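
One way to check a nova.conf against the upgrade notes above, as an added example that is not part of Nova or of the original page: it flags the removed aliases, a prefix-based subset of the deprecated options, and the settings whose correct value depends on upgrade order. The audit function, its two flags and the sample file are assumptions made for illustration.

```python
# Added example: audit a nova.conf before an Icehouse upgrade, using the
# option names from the upgrade notes above. Only option names are reported,
# never values, because nova.conf holds credentials.
import configparser

# Aliases listed above as removed: a setting that still uses one is ignored.
REMOVED_ALIASES = frozenset("""
service_quantum_metadata_proxy quantum_metadata_proxy_shared_secret
use_quantum_default_nets quantum_default_tenant_id vpn_instance_type
default_instance_type quantum_url quantum_url_timeout quantum_admin_username
quantum_admin_password quantum_admin_tenant_name quantum_region_name
quantum_admin_auth_url quantum_api_insecure quantum_auth_strategy
quantum_ovs_bridge quantum_extension_sync_interval vmwareapi_host_ip
vmwareapi_host_username vmwareapi_host_password vmwareapi_cluster_name
vmwareapi_task_poll_interval vmwareapi_api_retry_count vnc_port vnc_port_total
use_linked_clone vmwareapi_vlan_interface vmwareapi_wsdl_loc
""".split())
# Heuristic for the deprecated list: its libvirt_*, xenapi_* and sql_*
# entries under [DEFAULT]. The other listed options are not checked here.
DEPRECATED_PREFIXES = ("libvirt_", "xenapi_", "sql_")


def load(text):
    """Parse nova.conf text into {section: {option: value}}."""
    parser = configparser.ConfigParser(
        interpolation=None,            # values may contain a literal '%'
        strict=False,                  # tolerate repeated options
        default_section="__unused__",  # read [DEFAULT] as an ordinary section
    )
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def lookup(conf, section, option):
    """Return an option's value, matching the section name case-insensitively."""
    for name, options in conf.items():
        if name.lower() == section and option in options:
            return options[option].strip()
    return None


def audit(text, neutron_upgraded, havana_computes_remaining):
    """Return a list of (kind, message) findings for one nova.conf."""
    conf = load(text)
    findings = []
    for section, options in conf.items():
        for option in options:
            where = "[%s]/%s" % (section, option)
            if option in REMOVED_ALIASES:
                findings.append(("removed", where))
            elif section.lower() == "default" and option.startswith(DEPRECATED_PREFIXES):
                findings.append(("deprecated", where))

    # Nova upgraded before Neutron: waiting for Neutron events must be off.
    fatal = lookup(conf, "default", "vif_plugging_is_fatal")
    timeout = lookup(conf, "default", "vif_plugging_timeout")
    if not neutron_upgraded and not (str(fatal).lower() == "false" and timeout == "0"):
        findings.append(("ordering", "set vif_plugging_is_fatal=False and "
                         "vif_plugging_timeout=0 until Neutron is upgraded"))

    # Icehouse controllers can talk to Havana computes only with this set.
    level = lookup(conf, "upgrade_levels", "compute")
    if havana_computes_remaining and level != "icehouse-compat":
        findings.append(("ordering", "set [upgrade_levels]/compute=icehouse-compat"))
    elif not havana_computes_remaining and level is not None:
        findings.append(("ordering", "unset [upgrade_levels]/compute"))

    # -2 (the value the notes give for Havana nodes) disables partition
    # injection; any other value enables file injection.
    for section, option in (("libvirt", "inject_partition"),
                            ("default", "libvirt_inject_partition")):
        value = lookup(conf, section, option)
        if value is not None and value != "-2":
            findings.append(("file-injection",
                             "[%s]/%s enables injection" % (section, option)))
    return findings


# Constructed sample: a Havana-era controller nova.conf (placeholder values).
SAMPLE = """
[DEFAULT]
quantum_url = http://192.0.2.10:9696
quantum_admin_password = placeholder
libvirt_type = kvm
libvirt_inject_partition = -1
sql_connection = mysql://nova:placeholder@192.0.2.20/nova
vif_plugging_is_fatal = True

[upgrade_levels]
compute = icehouse-compat
"""

if __name__ == "__main__":
    for kind, message in audit(SAMPLE, neutron_upgraded=False,
                               havana_computes_remaining=True):
        print("%-15s %s" % (kind, message))
```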

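OpenStack Image Service (Glance)

Key New Features

Known Issues

Upgrade Notes

  • Glance now uses oslo.messaging in place of its former notification code. The recommended configuration is the combination of `notification_driver` + `transport_url`. The older 'notifier_strategy' option is deprecated but can still be used.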

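OpenStack Dashboard (Horizon)

Key New Features

Language Support

  • Thanks to the efforts of the I18nTeam, Horizon is now available in Hindi, German and Serbian. Translations for Australian English, British English, Dutch, French, Japanese, Korean, Polish, Portuguese, Simplified Chinese, Traditional Chinese, Spanish and Russian have also been updated.

Nova

  • Live migration support
  • HyperV console support
  • Disk config option support
  • Improved support for aggregates and availability zones
  • Support for easily setting flavor extra specs

Cinder

  • Role-based access for Cinder views
  • v2 API support
  • Support for extending volumes

Neutron

  • Router rules support -- displays the router rules returned by neutron.

Swift

  • Support for creating public containers and linking to them
  • Support for explicit creation of pseudo directories

Heat

  • Ability to update an existing stack
  • Template validation
  • Support for adding an environment file

Ceilometer

Administrators can view daily usage per project across services.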

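User Experience Enhancements

  • More extensible navigation
    • The primary dashboard and panel navigation has been changed from tabbed navigation to an accordion. Dashboard and panel group navigation can be expanded and collapsed. This change makes it possible to add more dashboards and to add more items within a dashboard.
  • Wizard
    • Horizon now provides a wizard for processes that take multiple steps to complete. The feature is currently used in the create network action.
  • Inline table editing
    • Tables now support editing of fields inside the table, so there is no need to open a separate form. The first example of this feature is the Admin -> Projects panel.
  • Self-service password change
    • Thanks to enhancements in the Identity API (Keystone) v3, users can now change their own passwords without administrator privileges. This functionality was previously only available with the v2.0 Identity API.
  • Server-side table filtering
    • Tables can now easily be wired to the underlying API calls based on the user's selection, instead of only searching within the page.

Framework

  • JavaScript
    • To provide a better user experience, Horizon has adopted AngularJS as its primary JavaScript framework. Accessing Horizon requires a browser with JavaScript support. More features will follow in the Juno release.
      • Added reusable chart components to Horizon
      • Integrated the Jasmine testing library
  • Full support for Django 1.6
  • Plugin architecture
    • Horizon can now dynamically load and unload dashboards, panel groups and panels. The items loaded into Horizon can be changed simply by adding a file to the enabled directory, with no need to edit the Django settings file.
  • Integration test framework
    • Horizon can now run integration tests against a Devstack system. The test suite is limited, but this is a big step forward.

Known Issues

If multi-domain support is used with Identity API v3, users will be unable to manage resources in any domain other than the default domain.

Upgrade Notes

Browsers must support JavaScript.

The default value of the "can_set_password" option is False. This means that, unless it is set to True, it will not be possible to set an administrator password when launching an instance. Not all hypervisors support this feature, which confuses users, and a more secure way of setting and retrieving passwords is under review (see LP#1291006).

The "can_set_mountpoint" option defaults to False. Set it to True if you want the volume mount point option to be available. Currently only the Xen hypervisor supports this feature (see LP#1255136).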

OpenStack Identity (Keystone)

Key New Features

  • New v3 API features
    • /v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and mapping federated attributes into OpenStack group-based role assignments (see documentation).
    • POST /v3/users/{user_id}/password allows API users to update their own passwords (see documentation).
    • GET v3/auth/token?nocatalog allows API users to opt-out of receiving the service catalog when performing online token validation (see documentation).
    • /v3/regions provides a public interface for describing multi-region deployments (see documentation).
    • /v3/OS-SIMPLECERT/ now publishes the certificates used for PKI token validation (see documentation).
    • /v3/OS-TRUST/trusts is now capable of providing limited-use delegation via the remaining_uses attribute of trusts.
  • The assignments backend (the source of authorization data) has now been completely separated from the identity backend (the source of authentication data). This means that you can now back your deployment's identity data to LDAP, and your authorization data to SQL, for example.
  • The token KVS driver is now capable of writing to persistent Key-Value stores such as Redis, Cassandra, or MongoDB.
  • Keystone's driver interfaces are now implemented as Abstract Base Classes (ABCs) to make it easier to track compatibility of custom driver implementations across releases.
  • Keystone's default etc/policy.json has been rewritten in an easier to read format.
  • Notifications are now emitted in response to create, update and delete events on roles, groups, and trusts.
  • Custom extensions and driver implementations may now subscribe to internal-only event notifications, including disable events (which are only exposed externally as part of update events).
  • Keystone now emits Cloud Audit Data Federation (CADF) event notifications in response to authentication events.
  • Additional plugins are provided to handle external authentication via REMOTE_USER with respect to single-domain versus multi-domain deployments.
  • policy.json can now perform enforcement on the target domain in a domain-aware operation using, for example, %(target.{entity}.domain_id)s.
  • The LDAP driver for the assignment backend now supports group-based role assignment operations.
  • Keystone now publishes token revocation events in addition to providing continued support for token revocation lists. Token revocation events are designed to consume much less overhead (when compared to token revocation lists) and will enable Keystone to eliminate token persistence during the Juno release.
  • Deployers can now define arbitrary limits on the size of collections in API responses (for example, GET /v3/users might be configured to return only 100 users, rather than 10,000). Clients will be informed when truncation has occurred.
  • Lazy translation has been enabled to translate responses according to the requested Accept-Language header.
  • Keystone now emits i18n-ready log messages.
  • Collection filtering is now performed in the driver layer, where possible, for improved performance.

Known Issues

  • Bug 1291157: If using the OS-FEDERATION extension, deleting an Identity Provider or Protocol does not result in previously-issued tokens being revoked. This will not be fixed in the stable/icehouse branch.
  • Bug 1308218: Duplicate user resources may be returned in response to GET /v2.0/tenants/{tenant_id}/users

Upgrade Notes

  • The v2 API has been prepared for deprecation, but remains stable in the Icehouse release. It may be formally deprecated during the Juno release pending widespread support for the v3 API.
  • Backwards compatibility for keystone.middleware.auth_token has been removed. auth_token middleware module is no longer provided by Keystone itself, and must be imported from keystoneclient.middleware.auth_token instead.
  • The s3_token middleware module is no longer provided by Keystone itself, and must be imported from keystoneclient.middleware.s3_token instead. Backwards compatibility for keystone.middleware.s3_token will be removed in Juno.
  • The default token duration has been reduced from 24 hours to just 1 hour. This effectively reduces the number of tokens that must be persisted at any one time, and (for PKI deployments) reduces the overhead of the token revocation list.
  • keystone.contrib.access.core.AccessLogMiddleware has been deprecated in favor of either the eventlet debug access log or Apache httpd access log and may be removed in the K release.
  • keystone.contrib.stats.core.StatsMiddleware has been deprecated in favor of external tooling and may be removed in the K release.
  • keystone.middleware.XmlBodyMiddleware has been deprecated in favor of support for "application/json" only and may be removed in the K release.
  • A v3 API version of the EC2 Credential system has been implemented. To use this, the following section needs to be added to keystone-paste.ini:
   [filter:ec2_extension_v3]
   paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory

... and ec2_extension_v3 needs to be added to the pipeline variable in the [pipeline:api_v3] section of keystone-paste.ini.

  • etc/policy.json updated to provide rules for the new v3 EC2 Credential CRUD as shown in the updated sample policy.json and policy.v3cloudsample.json
  • Migration numbers 38, 39 and 40 move all role assignment data into a single, unified table with first-class columns for role references.
  • TODO: deprecations for the move to oslo-incubator db
  • A new configuration option, mutable_domain_id is false by default to harden security around domain-level administration boundaries. This may break API functionality that you depended on in Havana. If so, set this value to true and please voice your use case to the Keystone community.
  • TODO: any non-ideal default values that will be changed in the future
  • Keystone's move to oslo.messaging for emitting event notifications has resulted in new configuration options which are potentially incompatible with those from Havana (TODO: enumerate old/new config values)
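
An added example (not Keystone's own code) that checks paste-deploy files for the middleware moves and the ec2_extension_v3 steps described above. The function names and the sample file contents are constructed for illustration.

```python
# Added example: check paste-deploy files for the Keystone changes in the
# upgrade notes above. Sample file contents are constructed.
import configparser

EC2_V3 = "ec2_extension_v3"
EC2_V3_FACTORY = "keystone.contrib.ec2:Ec2ExtensionV3.factory"
# Old module -> module that now provides the middleware.
MOVED = {
    "keystone.middleware.auth_token": "keystoneclient.middleware.auth_token",
    "keystone.middleware.s3_token": "keystoneclient.middleware.s3_token",
}


def parse_paste(text):
    """Parse a paste-deploy ini file into {section: {option: value}}."""
    parser = configparser.ConfigParser(
        interpolation=None,            # leave any %(...)s in values untouched
        strict=False,
        delimiters=("=",),             # values such as module:factory contain ':'
        default_section="__unused__",
    )
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def check_paste(text, expect_ec2_v3):
    """Return a list of problems found in one paste-deploy file."""
    sections = parse_paste(text)
    problems = []
    for name, options in sections.items():
        module = options.get("paste.filter_factory", "").split(":", 1)[0].strip()
        if module in MOVED:
            problems.append("[%s] loads %s, now provided by %s"
                            % (name, module, MOVED[module]))
    if not expect_ec2_v3:
        return problems

    section = sections.get("filter:" + EC2_V3)
    if section is None:
        problems.append("[filter:%s] section is missing" % EC2_V3)
    elif section.get("paste.filter_factory", "").strip() != EC2_V3_FACTORY:
        problems.append("[filter:%s] has an unexpected factory" % EC2_V3)

    pipeline = sections.get("pipeline:api_v3", {}).get("pipeline", "").split()
    if EC2_V3 not in pipeline:
        problems.append("%s is not in the [pipeline:api_v3] pipeline" % EC2_V3)
    elif pipeline[-1] == EC2_V3:
        # The last pipeline entry is the application, not a filter.
        problems.append("%s must come before the final (application) entry" % EC2_V3)
    return problems


# Constructed keystone-paste.ini fragments before and after the change.
KEYSTONE_BEFORE = """
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[pipeline:api_v3]
pipeline = json_body ec2_extension service_v3
"""
KEYSTONE_AFTER = """
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:ec2_extension_v3]
paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory

[pipeline:api_v3]
pipeline = json_body ec2_extension_v3 service_v3
"""
# Constructed api-paste.ini of another service that still uses the old path.
SERVICE_STALE = """
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
"""

if __name__ == "__main__":
    for label, text, ec2 in (("keystone before", KEYSTONE_BEFORE, True),
                             ("keystone after", KEYSTONE_AFTER, True),
                             ("other service", SERVICE_STALE, False)):
        print(label, check_paste(text, ec2) or "ok")
```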

OpenStack Networking (Neutron)

Key New Features

During the Icehouse cycle the team focused on stability and testing of the Neutron codebase. Many of the existing plugins and drivers were revised to address known performance and stability issues.

New Drivers/Plugins

  • IBM SDN-VE
  • Nuage
  • OneConvergence
  • OpenDaylight

New Load Balancing as a Service Drivers

  • Embrane
  • NetScaler
  • Radware

New VPN Driver

  • Cisco CSR

Known Issues

  • When activating the new Nova callback functionality, the nova_url configuration should contain the version in the URL. For example: "http://127.0.0.1:8774/v2"
  • Midokura maintains its own MidoNet Icehouse plugin in an external public repository. The plugin can be found here: https://github.com/midokura/neutron. Please contact Midokura for more information (info@midokura.com)
  • Schema migrations when Advance Service Plugins are enabled might not properly update the schema for all configurations. Please test the migration on a copy of the database prior to executing on a live database. The Neutron team will address this as part of the first stable update.

Upgrade Notes

  • The OVS plugin and Linux Bridge plugin are deprecated and should not be used for deployments. The ML2 plugin combines OVS and Linux Bridge support into one plugin. A migration script has been provided for Havana deployments looking to convert to ML2. The migration does not have a rollback capability, so it is recommended the migration be tested on a copy of the database prior to running on a live system.
  • The Neutron team has extended support for legacy Quantum configuration file options for one more release. The Icehouse release is the final release in which these options will be supported. Deployers are encouraged to update configurations to use the proper Neutron options.
  • XML support in the API is deprecated. Users and deployers should migrate to JSON for API interactions as soon as possible since the XML support will be retired in a future release.

OpenStack Block Storage (Cinder)

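Key New Features

  • Ability to change the type of an existing volume (retype)
  • Added volume metadata support to the Cinder backup object
  • Implemented multiple workers for the API service
  • Added the ability to delete quotas
  • Added the ability to import/export backups
  • Added a Fibre Channel Zone Manager for automated FC zoning during volume attach/detach
  • Ability to update volume type encryption
  • Ceilometer notifications on attach/detach

New Backend Drivers/Plugins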

  • EMC VMAX/VNX SMI-S FC Driver
  • EMC VNX iSCSI Direct Driver
  • HP MSA 2040
  • IBM SONAS and Storwize V7000 Unified Storage Systems
  • NetApp ESeries

Known Issues

  • Reconnect on failure for multiple servers always connects to first server (Bug: #1261631)
  • Storwize/SVC driver crashes when check volume copy status (Bug: #1304115)
  • Glance API v2 not supported (Bug: #1308594)
  • It is recommended you leave Cinder v1 enabled as Nova does not know how to talk to v2.

Upgrade Notes

  • Force detach API call is now an admin only call and no longer the policy default of admin and owner. Force detach requires clean up work by the admin, in which the admin would not know when an owner did this operation.
  • Simple/Chance scheduler have been deprecated. The filter scheduler should be used instead for similar functionality. Just set your cinder.conf with scheduler_driver=cinder.scheduler.filter_scheduler.FilterScheduler
  • hp3par_domain config option was deprecated in Havana release not officially removed. It does nothing.

OpenStack Telemetry (Ceilometer)

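Key New Features

  • API additions
    • Complex combined query conditions are supported when querying meters, samples and alarms
    • New capabilities API describing the capabilities that the storage driver can provide
    • The statistics API gains a selectable 'aggregate' parameter, with support for variance and standard deviation functions
    • Direct access to samples, decoupled from a specific meter
    • New StackTach-style events API
  • Alarming improvements
    • Alarms gain time constraint parameters, so that alarm time bounds can be set flexibly by day or by week
    • Exclusion of weak data points with anomalously low sample counts
    • Rate-based meters for disk and network, suited to threshold-type alarms
  • Integration touch-points
    • The notification agent has been split out of the collector and is solely responsible for handling external notifications
    • Pipeline configuration redesigned for pluggable resource discovery
    • Configurable handling of raw notification payloads, implemented in the style of StackTach
  • Storage drivers
    • Feature implementation is approaching parity across the HBase, SQLAlchemy and DB2 drivers
    • Optimized resource queries
    • Added alarming support to the HBase driver
  • New sources of metrics
    • North-bound API of SDN controllers in Neutron
    • VMware vCenter Server API
    • SNMP daemons on bare metal hosts
    • OpenDaylight REST APIs

Known Issues

Upgrade Notes

  • After the upgrade, a new notification agent is added alongside the existing collector service
  • The MongoDB storage driver now requires MongoDB version 2.4 or later (the minimum MongoDB version for the Havana release was 2.2); see the upgrade instructions.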

OpenStack Orchestration (Heat)

Key New Features

  • HOT templates: The HOT template format is now supported as the recommended format for authoring heat templates.
  • OpenStack resources: There is now sufficient coverage of resource types to port any template to native OpenStack resources
  • Software configuration: New API and resources to allow software configuration to be performed using a variety of techniques and tools
  • Non-admin users: It is now possible to launch any stack without requiring admin user credentials. See the upgrade notes on enabling this by configuring stack domain users.
  • Operator API: Cloud operators now have a dedicated admin API to perform operations on all stacks
  • Autoscaling resources: OS::Heat::AutoScalingGroup and OS::Heat::ScalingPolicy now allow the autoscaling of any arbitrary collection of resources
  • Notifications: Heat now sends RPC notifications for events such as stack state changes and autoscaling triggers
  • Heat engine scaling: It is now possible to share orchestration load across multiple instances of heat-engine. Locking is coordinated by a pluggable distributed lock, with a SQL based default lock plugin.
  • File inclusion with get_file: The intrinsic function get_file is used by python-heatclient and heat to allow files to be attached to stack create and update actions, which is useful for representing configuration files and nested stacks in separate files.
  • Cloud-init resources: The OS::Heat::CloudConfig and OS::Heat::MultipartMime
  • Stack abandon and adopt: It is now possible to abandon a stack, which deletes the stack from Heat without deleting the actual OpenStack resources. The resulting abandon data can also be used to adopt a stack, which creates a new stack based on already existing OpenStack resources. Adopt should be considered an experimental feature for the Icehouse release of Heat.
  • Stack preview: The stack-preview action returns a list of resources which are expected to be created if a stack is created with the provided template
  • New resources: The following new resources are implemented in this release:

Known Issues

  • Any error during a stack-update operation (for example from a transient cloud error, a heat bug, or a user template error) can lead to stacks going into an unrecoverable error state. Currently it is only recommended to attempt stack updates if it is practical to recover from errors by deleting and recreating the stack.
  • The new stack-adopt operation should be considered an experimental feature
  • CFN API returns HTTP status code 500 on all errors (bug 1291079)
  • Deleting stacks containing volume attachments may need to be attempted multiple times due to a volume detachment race (bug 1298350)

Upgrade Notes

Please read the general notes on Heat's security model.

See the sections below on Deferred authentication method and Stack domain users.

Deprecated resources

The following resources are deprecated in this release and may be removed entirely in the future:

Deferred authentication method

The default deferred_auth_method of password is deprecated as of Icehouse, so although it is still the default, deployers are strongly encouraged to move to using deferred_auth_method=trusts, which is planned to become the default for Juno. This model has the following benefits:

  • It avoids storing user credentials in the heat database
  • It removes the need to provide a password as well as a token on stack create
  • It limits the actions the heat service user can perform on a user's behalf.

To enable trusts for deferred operations:

  • Ensure the keystone service heat is configured to use has enabled the OS-TRUST extension
  • Set deferred_auth_method = trusts in /etc/heat/heat.conf
  • Optionally specify the roles to be delegated to the heat service user (trusts_delegated_roles in heat.conf, defaults to heat_stack_owner which will be referred to in the following instructions. You may wish to modify this list of roles to suit your local RBAC policies)
  • Ensure the role(s) to be delegated exist, e.g heat_stack_owner exists when running keystone role-list
  • All users creating heat stacks should possess this role in the project where they are creating the stack. A trust will be created by heat on stack creation between the stack owner (user creating the stack) and the heat service user, delegating the heat_stack_user role to the heat service user, for the lifetime of the stack.

See this blog post for further details.

Stack domain users

To enable non-admin creation of certain resources there is some deployment time configuration required to create a keystone domain and domain-admin user, otherwise Heat will fall back to the previous behavior, but this fallback behavior may not be available in Juno.

 $OS_TOKEN refers to a token, e.g the service admin token or some other valid token for a user with sufficient roles to create users and domains.
 $KEYSTONE_ENDPOINT_V3 refers to the v3 keystone endpoint, e.g http://<keystone>:5000/v3 where <keystone> is the IP address or resolvable name for the keystone service

Steps in summary:

  • Create a "heat" keystone domain using python-openstackclient (the keystoneclient CLI interface does not support domains)
   openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_ENDPOINT_V3 --os-identity-api-version=3 domain create heat --description "Owns users and projects created by heat"

This returns a domain ID, referred to as $HEAT_DOMAIN_ID below

  • Create a domain-admin user for the "heat" domain
   openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_ENDPOINT_V3 --os-identity-api-version=3 user create --password $PASSWORD --domain $HEAT_DOMAIN_ID heat_domain_admin --description "Manages users and projects created by heat"
   

This returns a user ID, referred to as $DOMAIN_ADMIN_ID below

  • Make the user a domain admin by adding the admin role for the domain
   openstack --os-token $OS_TOKEN --os-url=$KEYSTONE_ENDPOINT_V3 --os-identity-api-version=3 role add --user $DOMAIN_ADMIN_ID --domain $HEAT_DOMAIN_ID admin
  • Update heat.conf with the domain ID and the username/password for the domain-admin user
   stack_domain_admin_password = <password>
   stack_domain_admin = heat_domain_admin
   stack_user_domain = <domain id returned from domain create above>

See this blog post for full details.

OpenStack Database service (Trove)

Key New Features

  • User/Schema management
    • Users can do CRUD management on MySQL Users and Schemas through the Trove API
  • Flavor / Cinder Volume resizes
    • Resize up/down the flavor that defines the Trove instance
    • Resize up the optional Cinder Volume size if the datastore requires a larger volume
  • Multiple datastore support
    • Full feature support for MySQL and Percona
    • Experimental (not full feature) support for MongoDB, Redis, Cassandra, and Couchbase
  • Configuration groups
    • Define a set of configuration options to attach to new or existing instances
  • Backups and Restore
    • Executes native backup software on a datastore, and streams the output to a swift container
    • Full and incremental backups
  • Optional DNS support via designate
    • Flag to define whether to provision DNS for an instance

Known Issues

None yet

Upgrade Notes

  • Trove Conductor is a new daemon to proxy database communication from guests. It needs to be installed and running.
  • The new Datastores feature requires operators to define (or remove) the datastores your installation will support
  • The new Configuration Groups feature allows operators to define a subset of configuration options for a particular datastore

OpenStack Documentation

Key New Features