OpenStack 2015.1.0 (Kilo) Release Notes
|The Kilo release of OpenStack is dedicated to the loving memory of Chris Yeoh, who left his family and us way too soon.|
- 1 OpenStack 2015.1.0 (Kilo) Release Notes
- 1.1 General Upgrade Notes
- 1.2 OpenStack Object Storage (Swift)
- 1.3 OpenStack Compute (Nova)
- 1.4 OpenStack Image Service (Glance)
- 1.5 OpenStack Dashboard (Horizon)
- 1.6 OpenStack Identity (Keystone)
- 1.7 OpenStack Network Service (Neutron)
- 1.8 OpenStack Block Storage (Cinder)
- 1.9 OpenStack Telemetry (Ceilometer)
- 1.10 OpenStack Orchestration (Heat)
- 1.11 OpenStack Database service (Trove)
- 1.12 OpenStack Data Processing service (Sahara)
- 1.13 OpenStack Bare Metal service (Ironic)
- 1.14 OpenStack Documentation
General Upgrade Notes
OpenStack Object Storage (Swift)
Key New Features
Erasure Code (beta)
Swift now supports an erasure-code (EC) storage policy type. This allows deployers to achieve very high durability with less raw capacity as used in replicated storage. However, EC requires more CPU and network resources, so it is not good for every use case. EC is great for storing large, infrequently accessed data in a single region.
Swift's implementation of erasure codes is meant to be transparent to end users. There is no API difference between replicated storage and EC storage.
To support erasure codes, Swift now depends on PyECLib and liberasurecode. liberasurecode is a pluggable library that allows for the actual EC algorithm to be implemented in a library of your choosing.
Full docs are at http://swift.openstack.org/overview_erasure_code.html
Composite tokens allow other OpenStack services to store data in Swift on behalf of a client so that neither the client nor the service can update the data without both party's consent.
An example of this is that a user requests that Nova save a snapshot of a VM. Nova passes the request to Glance, Glance writes the image to a Swift container as a set of objects. In this case, the user cannot modify the snapshot without also having a valid token from the service. Nor can the service update the data without a valid token from the user. But the data is still stored in the user's account in Swift, which makes accounting simpler.
Full docs are at http://swift.openstack.org/overview_backing_store.html
Data placement updates for smaller, unbalanceable clusters
Swift's data placement now accounts for device weight. This allows operators to gradually add new zones and regions without immediately causing a large amount of data to be moved. Also, if a cluster is inbalanced (eg a two-zone cluster where one zone has twice the capacity of the other), Swift will more efficiently use the available space and warn when replicas are placed without enough dispersion in the cluster.
Global cluster replication improvements
Replication between regions will now only move one replica per replication run. This gives the remote region a chance to replicate internally and thus avoid more data moving over the WAN
- As a beta release, EC support is nearly fully feature complete, but it is lacking support for some features (like multi-range reads) and has not had a full performance characterization. This feature relies on ssync for durability. Deployers are urged to do extensive testing and not deploy production data using an erasure code storage policy.
As always, you can upgrade to this version of Swift with no end-user downtime
- In order to support erasure codes, Swift has a new dependency on PyECLib (and liberasurecode, transitively). Also, the minimum required version of eventlet has been raised.
OpenStack Compute (Nova)
Key New Features
- We have the first release of the next generation of the Nova API, v2.1. The v2.1 is designed to be backwards compatible with v2.0 with the addition of strong API validation. All changes to the API are discoverable via the advertised microversion. For more details see: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/api-microversions.html
- For kilo, by default we are still using v2.0 API code to server v2.0 API requests. It is hoped that in liberty that v2.1 will be used to serve requests for both v2.0 and v2.1.
- For liberty v2.0 is now frozen, and all new features will now be added into the v2.1 API using the microversions mechanism. Microversion increments released with kilo are:
- Extending the keypair API to support for x509 certificates, to be used with Windows WinRM, is one of the first API features added as a microversion in the v2.1 API.
- Exposing additional attributes in os-extended-server-attributes
- python-novaclient does not yet have support for the v2.1 API
- The policy enforcement of Nova v2.1 API get improvement.
- Policy only enforce at the entry of API.
- Without duplicated rules for single one API anymore.
- All the v2.1 API policy rule use 'os_compute_api' as prefix which distinguish with v2 API.
- Due to hard-code permission checks at db layer, part of Nova API isn't configurable by policy before. It's always required admin user. Part of Nova v2.1 API's hard-code permission checks is removed which make API policy configurable. The rest of hard-code permission checks will be removed at Liberty.
- We have reduced the data migrations that happen in the DB migration scripts, this now happens in a "lazy" way inside the DB objects code. There are nova-manage commands to help force migration of the data. For more details see: http://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/flavor-from-sysmeta-to-blob.html
- Change https://review.openstack.org/#/c/97946/ adds database migration 267 which scans for null instances.uuid records and will fail if any are found since the migrate ultimately needs to make instances.uuid non-nullable and adds a UniqueConstraint on that column. A helper script is provided to search for null instances.uuid records before running the database migrations. Before running 'nova-manage db sync', run the helper script 'nova-manage db null_instance_uuid_scan' which, by default, will just search and dump results, it does not change anything. Pass the --delete option to the null_instance_uuid_scan command to automatically remove any null records were instances.uuid is null.
- A selection of performance optimisations
- We are in the process of making structural changes to the scheduler that will help improve our ability to evolve and improve scheduling. This should not be visible from an end user perspective.
- There are some initial parts of cell v2 supported added, but this feature is not yet ready to use.
- new 'nova-manage api_db sync' and 'nova-manage api_db version' commands for working with the new api database for cells, but nothing is using this database yet so it is not necessary to set it up.
- Support for generation 2 VMs: https://blueprints.launchpad.net/nova/+spec/hyper-v-generation-2-vms
- Support for SMB based volumes, to sit along side existing iSCSI volume support: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/hyper-v-smbfs-volume-support.html
- Support for x509 certificate based key pairs: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/keypair-x509-certificates.html
- Host power actions now work with Hyper-V: https://blueprints.launchpad.net/nova/+spec/hyper-v-host-power-actions
- NFV related features:
- NUMA based scheduling: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/input-output-based-numa-scheduling.html
- Pinning guest vCPUs: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/virt-driver-cpu-pinning.html
- Large page support: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/virt-driver-large-pages.html
- vhostuser VIF driver: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/libvirt_vif_vhostuser.html
- Support for running KVM on IBM System z: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/libvirt-kvm-systemz.html
- Support for parallels: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/pcs-support.html
- Support for SMB based volumes: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/libvirt-smbfs-volume-support.html
- Quiesce using QEMU guest agent: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/quiesced-image-snapshots-with-qemu-guest-agent.html
- Quobyte volume support: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/quobyte-nova-driver.html
- Support for QEMU iSCSI initiator: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/qemu-built-in-iscsi-initiator.html
- Support for Ephemeral disks: http://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/vmware-ephemeral-disk-support.html
- Support fo vSAN: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/vmware-vsan-support.html
- Support for based OVA images: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/vmware-driver-ova-support.html
- Support for SPBM based storage policies: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/vmware-spbm-support.html
- Support to pass flavor capabilities to ironic: http://specs.openstack.org/openstack/nova-specs/specs/kilo/implemented/pass-flavor-capabilities-to-ironic-virt-driver.html
- Evacuate recovery code has the potential to destroy data. On nova-compute startup, instances reported by the hypervisor are examined to see if they have moved (i.e. been evacuated) from the current host during the outage. If the determination is made that they were, then they are destroyed locally. This has the potential to choose incorrectly and destroy instances unexpectedly. On libvirt-like nodes, this can be triggered by changing the system hostname. On vmware-like nodes, this can be triggered by attempting to manage a single vcenter deployment from two different hosts (with different hostnames). This will be fixed properly in Liberty, but for now deployments that wish to disable this behavior as a preventive measure can set workarounds.destroy_after_evacuate=False. NOTE: This is not a regression and has been a flaw in the design of the evacuate feature since its introduction. There is no easy fix for this, hence this workaround to limit the potential for damage. The proposed fix in liberty is here: https://review.openstack.org/#/c/161444/.
- The generate config examples possibly missing some oslo related configuration
Below are changes you should be aware of when upgrading. Where possible, The git commit hash is provided for you to find more information:
- Neutron ports are no longer deleted after your server is deleted, if you created them outside of Nova: 1153a46738fc3ffff98a1df9d94b5a55fdd58777
- EC2 API support has been deprecated, and is likely to be removed in kilo, see f098398a836e3671c49bb884b4a1a1988053f4b2
- Websocket proxies need to be upgraded in a lockstep with the API nodes, as older API nodes will not be sending the access_url when authorizing console access, and newer proxy services (this commit and onward) would fail to authorize such requests 9621ccaf05900009d67cdadeb1aac27368114a61
- After fully upgrading to kilo (i.e. all nodes are running kilo code), you should start a background migration of flavor information from its old home to its new home. Kilo conductor nodes will do this on the fly when necessary, but the rest of the idle data needs to be migrated in the the background. This is critical to complete before the Liberty release, where support for the old location will be dropped. Use "nova-manage migrate-flavor-data" to perform this transition.
- Due to the improvement on Nova v2.1 API policy enforcement. There are a lot of change happened to v2.1 API policy. Because v2.1 API didn't released before, those change won't keep back-compatible. It is better to use policy sample configuration instead of old one.
- VMware rescue VM behaviour no longer creates a new VM and instead happens in place: cd1765459a24e52e1b933c8e05517fed75ac9d41
- force_config_drive = always has been deprecated, and force_config_drive = True should be used instead: c12a78b35dc910fa97df888960ef2b9a64557254
- Running hyper-v, if you deployed code that was past this commit: b4d57ab65836460d0d9cb8889ec2e6c3986c0a9b but before this commit: c8e9f8e71de64273f10498c5ad959634bfe79975 you make have problems to manually resolve see: c8e9f8e71de64273f10498c5ad959634bfe79975
- Changed the default value of: multi_instance_display_name_template see: 609b2df339785bff9e30a9d67d5c853562ae3344
- Please use "nova-manage db null_instance_uuid_scan" to ensure the DB migrations will apply cleanly, see: c0ea53ce353684b48303fc59393930c3fa5ade58
OpenStack Image Service (Glance)
Key New Features
OpenStack Dashboard (Horizon)
Key New Features
OpenStack Identity (Keystone)
Key New Features
- Keystone now supports Hierarchical Multitenancy. Projects can be nested under other projects via the
parent_idoptional attribute when creating a project.
- TBD - More info.
- Fernet tokens - TBD - More Info
- WebSSO - TBD - More info
- Pluggable Assignment Model - TBD - More Info
- Assignment / Resource Split - TBD - More Info
- Extensions to Core functionality - TBD - More Info
- (Experimental) Per-Domain Identity Backend Configuration can be stored in SQL - TBD More Info
- Keystone-to-Keystone Identity Federation is now considered stable.
- IDP Registration - TBD - More Info
- ECP Wrapped Assertions Endpoint - TBD - More Info
- Keystone now supports OpenID Connect as a federated identity authentication mechanism.
- Trusts now support redelegation. If allowed when the trust is created, a trustee can redelegate the roles from the trust via another trust.
- It is now possible to request an explicitly unscoped token from Keystone.
- XML support in Keystone has been removed as of Kilo. When upgrading from Juno to Kilo, it is recommended that references to XML and XmlBodyMiddleware be removed from the Keystone Paste configuration. This includes removing the XML middleware filters and there references from the public_api, admin_api, api_v3, public_version_api, admin_version_api and any other pipelines that may contain the XML filters.
- SQL Schema Downgrades are no longer supported. This change is the result of evaluation that downward SQL migrations are not well tested and become increasingly difficult to support with the volume of data-change that occurs in many of the migrations.
OpenStack Network Service (Neutron)
Key New Features
- DVR now supports VLANs in addition to VXLAN/GRE
- ML2 Hierarchical Port Binding
- New LBaaS Version 2 API
- Portsecurity support for the OVS ML2 Driver
- New Plugins supported in Kilo include the following:
- A10 Networks LBaaS V2 Driver
- Brocade LBaaS V2 Driver
- Brocade ML2 driver for MLX and ICX switches
- Brocade L3 routing plugin for MLX switch
- Brocade Vyatta vRouter L3 Plugin
- Brocade Vyatta vRouter Firewall Driver
- Brocade Vyatta vRouter VPN Driver
- Cisco CSR VPNaaS Driver
- Dragonflow SDN based Distributed Virtual Router L3 Plugin
- Freescale FWaaS Driver
- Intel Mcafee NGFW FWaaS Driver
- IPSEC Strongswan VPNaaS Driver
- The Firewall-as-a-Service project is still marked as experimental for the Kilo release.
- Bug 1438819
- When a new subnet is created on an external network, all existing routers with gateways on the network will get a new address allocated from it. For IPv4 networks, this could consume the entire subnet for router gateway ports.
From Havana, Neutron no longer supported an explicit lease database (https://bugs.launchpad.net/bugs/1202392). This left dead code including unused environment variable. In order to remove the dead code (https://review.openstack.org/#/c/152398/), a change to the dhcp.filter is required, so that line:
dnsmasq: EnvFilter, dnsmasq, root, NEUTRON_NETWORK_ID=
Be replaced by:
dnsmasq: CommandFilter, dnsmasq, root
After advanced services were split into separate packages and received their own service configuration files (specifically, etc/neutron/neutron_lbaas.conf, etc/neutron/neutron_fwaas.conf and etc/neutron/neutron_vpnaas.conf), active service provider configuration can be different after upgrade (specifically, default load balancer (haproxy) and vpn (openswan) providers can be enabled for you even though you previously disabled them in neutron.conf). Please make sure you review configuration after upgrade so that it reflects the desired state of service providers.
Note: this will have no effect if the related service plugin is not loaded in neutron.conf.
- The default value of api_workers is now equal to the number of CPUs in the host. If you currently use the default, ensure you set api_workers to a reasonable number for your installation. (https://review.openstack.org/#/c/140493/)
- The neutron.allow_duplicate_networks config option is deprecated in Kilo and will be removed in Liberty where the default behavior will be to just allow multiple ports attached to an instance on the same network in Neutron. (https://review.openstack.org/163581)
- The linuxbridge agent now enables VXLAN by default (https://review.openstack.org/160826)
- neutron-ns-metadata-proxy can now be run as non-root (https://review.openstack.org/147437)
Other Notes (Deprecation/EOL etc)
- Brocade Classic plugin for Brocade's VDX/VCS series of hardware switches will be deprecated in the L-Release. The functionality provided by this plugin is now addressed by the ML2 Driver available for the VDX series of hardware. The plugin is slated for removal after this release cycle.
OpenStack Block Storage (Cinder)
Key New Features
- From this point forward any new database schema upgrades will not require restarting Cinder services right away. The services are now independent of schema upgrades. This is part one to Cinder supporting rolling upgrades!
- Ability to add/remove volumes from an existing consistency group. Read docs for more info.
- Ability to create a consistency group from an existing consistency group snapshot. Read docs for more info.
- Create more fine tuned filters/weighers to set how the scheduler will choose a volume backend. Read the docs for more info.
- Encrypted volumes can now be backed up using the Cinder backup service. Read the docs for more info.
- Ability to create private volume types. This is perfect when you want to make volume types available to only a specific tenant or to test it before making available to your cloud. To do so use the cinder type-create <name> --is-public.
- Oversubscription with thin provision is configurable. Read docs for more info.
- Ability to add descriptions to volume types. To do so use cinder type-create <name> <description>
- Cinder now can return multiple iSCSI paths information so that the connector can attach volumes even when the primary path is down (when connector's multipath feature is enabled or not enabled).
- The 'host' config option for multiple-storage backends in cinder.conf is renamed to 'backend_host' in order to avoid a naming conflict with the 'host' to locate redis. If you use this option, please ensure your configuration files are updated.
OpenStack Telemetry (Ceilometer)
Key New Features
- Support to add jitter to polling cycles to ensure pollsters are not querying service's api at the same time
- Ceilometer API RBAC support
- Improved Event support:
- Multi-pipeline support to enable unique processing and publishing of events
- Enabled ability to capture raw notification messages for auditing and postmortem analysis
- Support for persisting events into ElasticSearch
- Publishing support to database, http, file, kafa and oslo.messaging supported message queues
- Option to split off the events persistence into a separate database
- Telemetry now supports to collect and store all the event type meters as events. A new option, disable_non_metric_meters, was added to the configuration in order to provide the possibility to turn off storing these events as samples. For further information please see the Telemetry Configuration Reference
- The Administrator Guide in OpenStack Manuals was updated with a new Events section, where you can find further information about this functionality.
- Improved pipeline publishing support:
- Support to publish events and samples to Kafka or HTTP targets
- Publish data to multiple queues
- Additional meters
- memory and disk meters for Hyper-V
- disk meters for LibVirt
- power and thermal related IPMI meters, more meters from NodeManager
- ability to meter Ceph
- IPv6 support enabled in Ceilometer udp publisher and collector
- Gnocchi dispatch support for ceilometer-collector
- Self-disabled pollster mechanism
- Deprecated meters:
- The instance:<flavor> meter is deprecated in the Kilo release. In order to retrieve samples or statistics based on flavor you can use the following queries:
statistics: ceilometer statistics -m instance -g resource_metadata.instance_type
samples: ceilometer sample-list -m instance -q metadata.instance_type=<value>
- Middleware used to meter Swift was previously packaged in Ceilometer and is now deprecated. It is now separated into it's own library: ceilometermiddleware.
OpenStack Orchestration (Heat)
WIP (will move here) https://etherpad.openstack.org/p/heat-kilo-releasenotes
Key New Features
OpenStack Database service (Trove)
Key New Features
OpenStack Data Processing service (Sahara)
Key New Features
OpenStack Bare Metal service (Ironic)
Key New Features
Key New Features
- New docs.openstack.org landing page and new web design for End User Guide and Admin User Guide
- First release of the Networking Guide
- Migration to RST for End User Guide and Admin User Guide
- New specialty teams:
- Install Guides
- Networking Guide
- High Availability Guide
- Networking Guide
- User Guides (Admin and End User)
- First App Tutorial sprint
- Driver documentation clarification and connections