2026.1 Series Release Notes

26.0.0.0rc1

New Features

  • Added support for auto as a valid value for the gateway_ip property in the OS::Neutron::Subnet resource. This allows Heat templates to explicitly specify auto. Note that auto can only be used during subnet creation; it is not supported when updating an existing subnet.

  • Stack abandon action is now convergence aware. When convergence engine is enabled, abandoning a stack now uses the convergence workflow for resource cleanup, allowing for better parallelism and consistency with other stack operations. Physical resources are retained (not deleted) while Heat’s database records are cleaned up through the convergence flow.

  • Stack check action is now convergence aware. When convergence is enabled, stack check will traverse through all resources using the convergence engine instead of the legacy sequential approach. This allows check to continue processing remaining resources even if some resources fail their check, providing a complete picture of the stack’s health.

  • Stack snapshot and restore actions are now convergence aware. Snapshots are integrated into the convergence dependency graph, enabling non-blocking snapshot deletion during stack delete operations. This improves performance by allowing snapshot cleanup to be processed in parallel with the convergence workflow rather than blocking the entire operation.

  • Stack suspend and resume actions are now convergence aware. These actions are fully supported by convergence mode.

  • The block_device_mapping_v2 property of the OS::Nova::Server resource now supports the volume_type parameter. This allows users to specify the Cinder volume type when creating volumes from images, snapshots, or blank sources during server creation, eliminating the need to create separate OS::Cinder::Volume resources.

    This feature requires Nova API microversion 2.67 or later. When using volume_type with an older Nova API version, Heat will return a validation error.

  • The OS::Neutron::RBACPolicy resource now supports additional object types beyond network and qos_policy, including security_group, address_scope, and subnetpool.

    All new object types support the access_as_shared action.

Upgrade Notes

  • The RPC API version has been bumped to 1.37 for the engine service and 1.6 for the worker service to support the convergence-aware stack check feature. Operators performing rolling upgrades should ensure all heat services are upgraded together.

  • A new database table resource_snapshot has been introduced to store per-resource snapshot data for convergence mode. This table is automatically created during database migration.

Deprecation Notes

  • The [ec2authtoken] auth_uri option was deprecated in favor of keystoneauth options added to the same section.

  • The [ec2authtoken] allowed_auth_uris option was deprecated in favor of new [ec2authtoken] clouds options and [ec2authtoken.<name>] sections.

  • The following options in the [ec2authtoken] section have been deprecated.

    • ca_file: Use cafile

    • cert_file: Use certfile

    • key_file: Use keyfile

  • The OS::Vitrage::Template resource is now deprecated. The vitrage project was marked inactive.

Bug Fixes

  • The Keystone v3 ec2token end point requires authenticated access. The Heat ec2token filter now requires Keystone auth settings to be able to verify EC2 credentials. For single cloud mode the ec2token filter will look in the [ec2authtoken] section of the heat configuration for keystone authentication settings.

    In multicloud mode keystone auth settings must be supplied in configuration file sections names [ec2authtoken.<name>] . The [ec2authtoken] clouds option should be also configured to define the list of names.

    Note that ec2token request will be sent without authentication if the legacy settings (auth_uri and allowed_auth_uris) are still used.

  • The disk_bus property of OS::Nova::Server resource’s block_device_mapping_v2 now accepts ‘sata’ as a valid value. The SATA disk bus was added to Nova in the Queens release. See story 2011600.

  • Fixed an issue where long error messages from external services (such as Nova errors containing large base64-encoded user_data) would exceed MySQL’s TEXT column limit (65,535 bytes) when being stored in the status_reason field. This caused database constraint violations that left resources in inconsistent states with unreleased locks, preventing stack DELETE operations from completing. The database layer now truncates status_reason to 65,535 bytes when using MySQL to prevent this issue. See story 2011188.

25.0.0

Upgrade Notes

  • All wsgi application implementations using eventlet for heat-api, heat-api-cfn and heat-all are removed as a precusror to dropping eventlet usage from heat.

  • Integration with monasca has been removed because the monasca project was retired. Because of the removal, the following resource types are no longer supported and now hidden.

    • OS::Monasca::AlarmDefinition

    • OS::Monasca::Notifications

    Also, the options in [clients_monasca] section have been removed.

  • Support for Python 3.9 has been removed. Now Python 3.10 is the minimum version supported.

Deprecation Notes

  • The heat-api console script and the heat-api-cfn console script, which are used to launch standalone api services, have been deprecated and will be removed in a future release. It is now highly recommended to Use the wsgi scripts (or wsgi applications directly) instead.

  • The legacy engine has been deprecated and convergence engine will be the only supported engine. Due to this deprecation, the following options have been deprecated.

    • [DEFAULT] convergence_engine

    • [DEFAULT] enable_stack_abandon

    • [DEFAULT] enable_stack_adopt

  • The root_app_factory composite factory has been deprecated, because it is equivalent the urlmap factory from paste. Replace usage in api-paste.ini in case the file is modified to use customized pipelines.

Bug Fixes

  • Enable the creation of an OS::Neutron::VPNService resource, and an OS::Neutron::IPsecSiteConnection resource that depends on it, within the same stack.

24.0.0

New Features

  • A new module, heat.wsgi, has been added as a place to gather WSGI application objects. This is intended to ease deployment by providing a consistent location for these objects. For example, if using uWSGI then instead of:

    [uwsgi]
wsgi-file = /bin/heat-api

    You can now use:

    [uwsgi]
module = heat.wsgi.api:application

    This also simplifies deployment with other WSGI servers that expect module paths such as gunicorn.

  • The new resources, OS::Octavia::AvailabilityZoneProfile and OS::Octavia::AvailabilityZone, are added. These resource types allow an operator to create Octavia availabilityzone profile and availabilityzone. A created OS::Octavia::AvailabilityZone resource can be referred by the availability_zone property of OS::Octavia::LoadBalancer resources.

  • Added the tenant_id property to the following resources. This property allows admin users to create these resources in specific tenants.

    • OS::Neutron::ProviderNet

    • OS::Neutron::Router

  • Added attributes property to resource type OS::Designate::Zone. It can be any key:value pairs of information about this zone including the pool where the user wants to place the zone used by scheduler.

  • The new [DEFAULT] max_cinder_api_microversion option has been added. This option overrides the maximum API microversion supported by Cinder, which is detected automatically by default.

  • The OS::Cinder::Volume resource type now supports extending volumes in use. Note that this requires that Cinder supports API microversion 3.42 or later.

Upgrade Notes

  • OS::Manila::Share attribute export_locations will now be a list of export paths

Deprecation Notes

  • The heat-all console script has been deprecated and will be removed in a future release.

Bug Fixes

  • Fixed the consistent type mismatch error caused by creating or updating a stack with files stored in OpenStack Swift containers, using the files_container parameter. Now file content is always decoded and can be used as a string value.

  • Changed type of the following parameters from integer to string, to correctly parse micro versions with trailing zero (e.g. 2.20).

    • [DEFAULT] max_nova_api_microversion

    • [DEFAULT] max_ironic_api_microversion

  • OS::Manila::Share attribute export_locations will now be a list of export paths

23.0.0

New Features

  • Add to OS::Designate::RecordSet new types: CAA, CERT, NAPTR.

  • Fixed the OS::Heat::UpdateWaitConditionHandle resource type, which caused stack update to fail consistently.

  • The following parameters have been added, to define timeout in internal HTTP requests.

    • [DEFAULT] metadata_put_timeout

    • [DEFAULT] template_fetch_timeout

    • [ec2authtoken] timeout

Upgrade Notes

  • Python 3.8 support was dropped. The minimum version of Python now supported is Python 3.9.

  • Integration with sahara has been removed because the sahara project has been retired. Because of the removal, the following resource types are no longer supported and now hidden.

    • OS::Senlin::Cluster

    • OS::Senlin::Node

    • OS::Senlin::Policy

    • OS::Senlin::Profile

    • OS::Senlin::Receiver

    Also, the options in [clients_sahara] section have been removed.

  • Default value of the [DEFAULT] hidden_stack_tags option has been updated and now stacks with the data-processing-cluster tag is not hidden by default.

  • Integration with senlin has been removed because the senlin project has been retired. Because of the removal, the following resource types are no longer supported and now hidden.

    • OS::Senlin::Cluster

    • OS::Senlin::Node

    • OS::Senlin::Policy

    • OS::Senlin::Profile

    • OS::Senlin::Receiver

    Also, the options in [clients_senlin] section have been removed.

22.0.0

New Features

  • Add OS::Aodh::PrometheusAlarm resource to enable autoscaling with Prometheus instead of Gnocchi.

  • Heat now supports limiting number of software configs, software deployments, stack snapshots which users can create, by the following config options. These limits are not enforced for users with admin role.

    • [DEFAULT] max_software_configis_per_tenant

    • [DEFAULT] max_software_deployments_per_tenant

    • [DEFAULT] max_snapshots_per_stack

Upgrade Notes

  • The heat-manage migrate_properties_data command is deprecated and is now a no-op. It will be removed in a future release.

  • Now heat enables the API policies (RBAC) new defaults and scope by default. The default value of config options [oslo_policy] enforce_scope and [oslo_policy] enforce_new_defaults have been changed from False to True.

  • The OS::Glance::Image type is now hidden.

  • Now the following limits are enforced by default, unless a request user has admin role.

    • Maximum number of software configs per project is 4096

    • Maximum number of software deployments per project is 4096

    • Maximum number of stack snapshots per tenant is 32

    Set the following options in case the limits should be increased. Limits can be disabled by setting -1 to these options.

    • [DEFAULT] max_software_configis_per_tenant

    • [DEFAULT] max_software_deployments_per_tenant

    • [DEFAULT] max_snapshots_per_stack

  • The [DEFAULT] onready option has been removed. This option has had no effect.

Deprecation Notes

  • The following resources have been deprecated, because monasca, sahara and senlin were marked inactive and will not get deliverables for the 2024.1 release. These resources will be removed in 23.0.0 release.

    • OS::Monasca::*

    • OS::Sahara::*

    • OS::Senlin::*

21.0.0

New Features

  • Heat policies have been modified to isolate the system and project level APIs policy. Because of this change, system users will not be allowed to perform any operations on project level resources.

Upgrade Notes

  • The following resources types are now hidden. Neutron LBaaS v2 was already retired thus these resource types can no longer be used.

    • OS::Neutron::LBaaS::LoadBalancer

    • OS::Neutron::LBaaS::Listener

    • OS::Neutron::LBaaS::Pool

    • OS::Neutron::LBaaS::PoolMember

    • OS::Neutron::LBaaS::HealthMonitor

    • OS::Neutron::LBaaS::L7Policy

    • OS::Neutron::LBaaS::L7Rule

  • The database migration engine has changed from sqlalchemy-migrate to alembic. For most deployments, this should have minimal to no impact and the switch should be mostly transparent. The main user-facing impact is the change in schema versioning. While sqlalchemy-migrate used a linear, integer-based versioning scheme, which required placeholder migrations to allow for potential migration backports, alembic uses a distributed version control-like schema where a migration’s ancestor is encoded in the file and branches are possible. The alembic migration files therefore use a arbitrary UUID-like naming scheme and the heat-manage db_sync command now expects such an version when manually specifying the version that should be applied. For example:

    $ heat-manage db_sync c6214ca60943

    Attempting to specify an sqlalchemy-migrate-based version will result in an error.

20.0.0.0rc1

Bug Fixes

  • Honor hidden parameter in get stack environment API. Now values passed to hidden parameters are replaced by ‘**’, similarly to the other APIs such as show stack details API.

19.0.0.0rc1

New Features

  • OS::Neutron::FloatingIPPortForward added. This feature allows an operator to create port-forwarding rules in Neutron for their floating ips.

  • Adding REBUILD option for user_data_update_policy so that changes to user_data can be updated instead of a new create.

  • Adds the ‘availability_zone_hints’ property for the OS::Neutron::Router, OS::Neutron::Net and OS::Neutron::ProviderNet resources.

  • Added OS::Neutron::QoSMinimumPacketRateRule resource to support minimum_packet_rate_rule in Neutron QoS. This resource depends on Neutron API extension qos-pps-minimum and according to the default policy it is admin-only.

Upgrade Notes

  • The remaining deprecated parameters for Cloud Watch API have been removed.

  • Python 3.6 & 3.7 support has been dropped. The minimum version of Python now supported is Python 3.8.

Other Notes

  • Allow Heat resources to accept more than one required_service_extension. For cases where a resource required multiple service extensions. A developer can now provide a list of those extensions.

18.0.0

Upgrade Notes

  • Support for Block Storage API v2 has been removed.

Bug Fixes

  • Now the [DEFAULT] shared_services_types option includes volumev3 service type by default.

17.0.0.0rc1

Prelude

Add the ability to specify extra_properties for Glance images. This is useful for example when using secure boot and are required to have specific properties defined on the Glance images.

New Features

  • Add availabilty_zone parameter to OS::Octavia::LoadBalancer

  • extra_properties key added to the OS::Glance::WebImage type. This parameter takes a map value such as ‘{“hw_firmware_type”: “uefi”, “os_secure_boot”: “required”}’

Upgrade Notes

  • The default value of [oslo_policy] policy_file config option has been changed from policy.json to policy.yaml. Operators who are utilizing customized or previously generated static policy JSON files (which are not needed by default), should generate new policy files or convert them in YAML format. Use the oslopolicy-convert-json-to-yaml tool to convert a JSON to YAML formatted policy file in backward compatible way.

Deprecation Notes

  • Use of JSON policy files was deprecated by the oslo.policy library during the Victoria development cycle. As a result, this deprecation is being noted in the Xena cycle with an anticipated future removal of support by oslo.policy. As such operators will need to convert to YAML policy files. Please see the upgrade notes for details on migration of any custom policy files.

16.0.0

Prelude

There was a mismatch between the way heat create role behaved with the templates or with the openstack CLI on what relates to the default domain if the domain is not specified on both cases the CLI will not assign on to the created new role but the heat templates will assign the “default” domain

New Features

  • The lb_algorithm property of OS::Octavia::Pool resource now supports SOURCE_IP_PORT option required for Octavia OVN provider driver.

  • Add new properties backups and to backups_gigabytes resource OS::Cinder::Quota. These properties can be updated without replacement.

  • The wallaby template version introduces a new 2-argument form of the if function. This allows users to specify optional property values, so that when the condition is false Heat treats it the same as if no value were specified for the property at all. The behaviour of existing templates is unchanged, even after updating the template version to wallaby.

  • Now the OS::Neutron::Port type supports the no_fixed_ips property, which allows users to create a network port without any fixed ips.

  • Adds a new segments attribute to the OS::Neutron::ProviderNet resource. The attribute resolves the segments of the network.

  • The default policies provided by heat api have been updated to add support for default roles and system scope. This is part of a broader community effort to support read-only roles and implement secure, consistent default policies.

    Refer to the Keystone documentation for more information on the reason for these changes.

  • Operators can now set a separate stacks:update_no_change policy for PATCH updates that don’t modify the stack, independently of the existing stacks:update_patch policy.

  • The OS::Glance::WebImage resource type now supports an active property to allow administrators to deactivate and reactivate the Image. Images remain active by default.

  • The OS::Glance::WebImage resource type now supports a members property for managing a list of other tenants with access to the Image.

  • A new OS::Vitrage::Template resource is added to configure and create a Vitrage template. The Vitrage template can be used, for example, for executing a Mistral healing workflow in case there is an alarm on an instance.

Deprecation Notes

  • The old default policy rules have been deprecated for removal in Xena cycle.

Critical Issues

  • Templates that creates roles but does not specify the domain will not get a “default” domain from now on. To have a domain added to your new role it needs to be assigned in the template.

Bug Fixes

  • Oslo db config is able to control wrap_db_retry call in heat. We remove hard coded settings for wrap_db_retry and use following configs from oslo_db instead. * database.db_max_retries * database.db_retry_interval * database.db_inc_retry_interval * database.db_max_retry_interval So database cofig can now control db retries. Please reference [1] for what each config options can do. [1] https://opendev.org/openstack/oslo.db/src/branch/master/oslo_db/options.py

  • The ordering in the list of segments returned by OS::Neutron::Net resources is not predictable. Stack updates changeing attributes of the network can cause the list of segments to shift.

    The ordering is now slightly more predictable, segments with name=``None`` are now placed first in the list. This doesn’t guarantee the order, but typically only the segment implicitly created by neutron has no name attribute set. The template author should ensure other segments on the network does have a name set, so that the implicit segment will always be index 0. Resolving attributes of the implcitly created segment on the network resource can then predictibly happen using index 0. See bug: 1894920.

15.0.0

New Features

  • Added dns_domain property to resource type OS::Neutron::ProviderNet. This specifies the DNS domain to use when publishing DNS records for ports on this network.

  • Added propagate_uplink_status property to resource type OS::Neutron::Port. This resource depends on Neutron API extension uplink-status-propagation and the default is False. If this property is set to True, the VF link state can follow that of PF.

Upgrade Notes

  • Manila resources now use the ‘sharev2’ endpoint and API version ‘2.13’.

Deprecation Notes

  • The OS::Designate::Zone resource type’s masters property is now known as primaries. Existing templates will continue to work.

Bug Fixes

  • The OS::Heat::Delay resource type is now usable.

  • OS::Manila::Share now properly supports ‘cephx’ as a value for property ‘{“access_rules”: [{“access_type”: “”}]}’.

14.0.0

New Features

  • Add support for OS::Octavia::Flavor and OS::Octavia::FlavorProfile resources and add flavor parameter in OS::Octavia::LoadBalancer, allowing users to configure Load Balancer capabilities.

  • Add tty property to OS::Zun::Container. This property allows users to open the TTY of the container.

  • Introduce a Vitrage client plugin module that will be used by the Vitrage resources.

  • Operators can now apply different authorization policies to each action supported by the action API (actions:suspend for suspend, actions:resume for resume, actions:check for check, actions:cancel_update for cancel operation and roll back, and actions:cancel_without_rollback for cancel operation without rolling back). The default for each is to use the existing actions:action rule that was previously the only way to specify policy for actions.

  • The OS::Trove::Cluster resource type now supports specifying an availability zone.

  • Properties of the VPNaaS OS::Neutron::IKEPolicy resource can now be updated in place.

  • New resource OS::Neutron::ExtraRouteSet is added to manage extra routes of a Neutron router.

  • New resource OS::Neutron::QoSMinimumBandwidthRule to support minimum_bandwidth_rules in Neutron QoS. This resource depends on Neutron API extension qos-bw-minimum-ingress and according to the default policy it is admin-only.

  • Support tls_enabled property for the resource OS::Octavia::Pool, the property is allowed to be updated as well. The property ‘tls_enabled’ was introduced in Octavia since Stein release. The default value is False if it is not specified in Heat template.

  • New resource OS::Octavia::Quota is added to enable an admin to manage Octavia service quotas for a specific project.

  • Support allowed_cidrs property for the resource OS::Octavia::Listener, the property is allowed to be updated as well. The property ‘allowed_cidrs’ was introduced in Octavia since Train release. The default value is empty list if it is not specified in Heat template.

  • Supports user, group, role and project lookup across domains. Added domain parameter to keystone lookup functions. Heat templates now support user{domain}, group{domain}, role{domain} and project{domain} to support cross domain lookup. Keystone constrains will also work across domain.

  • Heat can now support software deployments with CoreOS by passing a CoreOS Ignition config in the user_data property for an OS::Nova::Server resource when the user_data_format is set to SOFTWARE_CONFIG.

  • Introduce a Ironic client plugin module that will be used by the Ironic’s resources. Support only ironicclient version >=2.8.0 to get allocation functionality support.

  • New resource type OS::Ironic::Port is now supported in orchestration service.

  • Support shared services in multi region mode. The services are declared in a list in config. shared_services_types=image, volume, volumev2.

  • Add group property to OS::Heat::MultipartMime. This allow you to set group for entire multipart cofig resource like group property in OS::Heat::SoftwareConfig. Aware that, you must make sure all configs in MultipartMime works with group. Default value is Heat::Ungrouped.

Upgrade Notes

  • We have change some log pathes as below * Migrate heat.engine.clients.keystoneclient to heat.engine.clients.os.keystone.heat_keystoneclient * remove heat.all * remove heat.api * remove heat.api.cfn * remove heat.engine

  • Nova has removed api extension support and its api bindings. Heat has now removed support for extensions from nova client plugin and the resource plugins using it.

Deprecation Notes

  • file injection is deprecated in compute api. Deprecating injected_files, injected_file_content_bites, and injected_file_path_bytes properties accordingly in OS::Nova::Quota resource.

  • The accessIPv4 and accessIPv6 attributes of the OS::Nova::Server resource are now deprecated, since Nova returns empty values for them. Use the addresses attribute instead to get IP addresses.

  • Unsupported contrib resource OS::Neutron::ExtraRoute is deprecated in favor of OS::Neutron::ExtraRouteSet on all OpenStack clouds where Neutron extension extraroute-atomic is available.

Critical Issues

  • Python 2 is no longer supported. This release runs only on Python 3 and is tested only on Python 3.6 and 3.7.

Bug Fixes

  • The behavior of get_resource on an OS::Heat::InstanceGroup resource has changed. Previously it returned the physical resource name (i.e. the name of the nested Heat stack which implemented the group). It will now return the UUID of the nested stack if available. This will also apply to any resource type that inherits from OS::Heat::AutoScalingGroup, OS::Heat::InstanceGroup, and AWS::AutoScaling::AutoScalingGroup.

  • Empty string passing in for volume availability_zone can be correctly handled now. For this case, it’s same as no AZ set, so the default AZ in cinder.conf will be used.

  • On clouds where Keystone usernames are case-insensitive, Heat will now allow usernames with any case as property and parameter values where a Keystone user is expected (i.e. a keystone.user custom constraint applies). Previously the case had to match the case with which the name was stored in Keystone, even if Keystone itself was case-insensitive.

  • The firewall_rules property of the OS::Neutron::FirewallPolicy resource type is now optional.

13.0.0.0rc1

New Features

  • OS::Aodh::LBMemberHealthAlarm resource plugin is added to manage Aodh loadbalancer_member_health alarm.

  • Added a new config option server_keystone_endpoint_type to specify the keystone authentication endpoint (public/internal/admin) to pass into cloud-init data. If left unset the original behavior should remain unchanged.

    This feature allows the deployer to unambiguously specify the keystone endpoint passed to user provisioned servers, and is particularly useful where the deployment network architecture requires the heat service to interact with the internal endpoint, but user provisioned servers only have access to the external network.

    For more information see http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002925.html

  • Support tags property for the resource OS::Octavia::PoolMember, the property is allowed to be updated as well. The resource tag was introduced in Octavia since Stein release, do not specify tags in Heat template if you are using the previous versions.

  • The OS::Neutron::QosBandwidthLimitRule resource type now supports an optional direction property, allowing users to set the ingress bandwidth limit in a QoS rule. Previously only the egress bandwidth limit could be set.

  • Added new config option [DEFAULT]allow_trusts_redelegation (False by default). When enabled and reauthentication_auth_method is set to trusts, Heat will always create trusts with enabled redelegation, for both trusts used for long running stacks and for trusts used for deferred authentication.

Upgrade Notes

  • When loading a Resource plugin, the attribute schema is now validated in the same way that the properties schema is. Third-party resource plugins should be tested to check that they still comply.

  • multiattach` property in OS::Cinder::Volume is now hidden. Please use multiattach key in metadata property of OS::Cinder::VolumeType instead.

  • Designate project had removed v1 api support since stable/queens. Heat has now removed support for v1 resources OS::Designate::Domain and OS::Designate::Record completely and replaced them with placeholders for existing templates with those resources. The designate.domain custom constraint has also been removed.

Security Issues

  • With both reauthentication_auth_method set to trusts and allow_trusts_redelegation set to True (new config option, False by default), Heat will always create trusts with enabled redelegation, for both trusts used for long running stacks and for trusts used for deferred authentication. This have security implications and is only recommended when Heat is set to use trust and you experience problems with other services Heat consumes that also require to create trusts from token being passed by Heat (examples are Aodh and Heat running in another region).

Bug Fixes

  • Non-ASCII text that appears in parameter constraints (e.g. in the description of a constraint, or a list of allowed values) will now be handled correctly when generating error messages if the constraint is not met.

  • OS::Neutron::Port resources will now be replaced when the mac_address property is modified. Neutron is unable to update the MAC address of a port once the port is in use.

Other Notes

12.0.0.0rc1

Prelude

Added new tool heat-status upgrade check.

New Features

  • Add multiple OpenStack orchestration support - User can now use OS::Heat::Stack to create stack in another OpenStack cloud. Must provide properties credential_secret_id in context. Remote stack resource will get authentication information from cloud credential to refresh context before calling stack create.

  • A new OS::Blazar::Host resource is added to manage compute hosts for the lease/reservation in OpenStack.

  • A new OS::Blazar::Lease resource is added to manage reservations for specific type/amount of cloud resources in OpenStack.

  • Add rbac_policy and subnetpool support for OS::Neutron::Quota resource.

  • Add UDP to supported protocols for Octavia.

  • A new OS::Neutron::TaaS::TapService resource is added to support a Tap Service in the Neutron Tap-as-a-service plugin.

  • A new OS::Neutron::TaaS::TapFlow resource is added to support a Tap Flow in the Neutron Tap-as-a-service plugin.

  • Add a new OS::Glance::WebImage resource supporting the web-download import of Glance v2.

  • New framework for heat-status upgrade check command is added. This framework allows adding various checks which can be run before a Heat upgrade to ensure if the upgrade can be performed safely.

  • New resource OS::Neutron::L2GatewayConnection to allow management of Neutron Layer2 Gateway Connection. This resource provides capability to connect a Neutron network to a Layer2 Gateway. The resource depends on the Neutron l2-gateway extension.

  • New resource OS::Neutron::L2Gateway to allow management of Neutron Layer2 Gateway. This resource provides life-cycle management of layer2 gateway instances. The resource depends on the Neutron l2-gateway extension.

  • Add tags support for ProviderNet resource

  • Add ca_cert and insecure properties for OS::Heat::Stack resource type. The ca_cert is the contents of a CA Certificate file that can be used to verify a remote cloud or region’s server certificate. insecure is boolean option, CA cert will be use if we didn’t setup insecure flag.

Upgrade Notes

  • The distribution name has been changed from “heat” to “openstack-heat” so that we can publish packages to pypi.org. This may have an effect on downstream package builds if they rely on asking setuptools to determine the package name.

  • New config max_nova_api_microversion to set the maximum nova API microversion for nova client plugin. If``max_nova_api_microversion`` is set, any nova features supported with microversion number above max_nova_api_microversion will not be available.

  • Operator can now use new CLI tool heat-status upgrade check to check if Heat deployment can be safely upgraded from N-1 to N release.

Deprecation Notes

  • personality property of OS::Nova::Server is now deprecated, please use user_data or metadata instead. If that property really required, use config max_nova_api_microversion to set the maximum nova API microversion <2.57 for nova client plugin to support personality property.

Bug Fixes

  • We now allowed global admins to operate software deployment and software config resources from other projects.

  • Heat can now perform a stack update to roll back to a previous version of a resource after a previous attempt to create a replacement for it failed (provided that convergence is enabled). This allows the user to recover a stack where a resource has been inadvertantly replaced with a definition than can never succeed because it conflicts with the original. Previously this required automatic rollback to be enabled, or the user had to update the stack with a non-conflicting definition before rolling back to the original.

11.0.0.0rc1

Prelude

Heat current bug/blueprint reports have migrated from Launchpad to storyboard. If you would like to create a new story (a bug or a blueprint), please file it under the Heat project. This change applies to all heat projects/repos.

New Features

  • Add a new property networks to resource OS::Zun::Container. This property is an ordered list of nics to be added to this container, with information about connected networks, fixed ips, and port. This property can be updated without replacement.

Upgrade Notes

  • The ceilometer client plugin is no longer provided, due to the Ceilometer API no longer being available from Queens and the python-ceilometerclient library being unmaintained.

Bug Fixes

  • Previously, when deleting a convergence stack, the API call would return immediately, so that it was possible for a client immediately querying the status of the stack to see the state of the previous operation in progress or having failed, and confuse that with a current status. (This included Heat itself when acting as a client for a nested stack.) Convergence stacks are now guaranteed to have moved to the DELETE_IN_PROGRESS state before the delete API call returns, so any subsequent polling will reflect up-to-date information.

  • Previously, the suspend, resume, and check API calls for all stacks, and the update, restore, and delete API calls for non-convergence stacks, returned immediately after starting the stack operation. This meant that for a client reading the state immediately when performing the same operation twice in a row, it could have misinterpreted a previous state as the latest unless careful reference were made to the updated_at timestamp. Stacks are now guaranteed to have moved to the IN_PROGRESS state before any of these APIs return (except in the case of deleting a non-convergence stack where another operation was already in progress).

11.0.0.0b3

New Features

  • A new OS::Heat::Delay resource type allows users to work around thundering herd issues in large templates by adding a random delay (with configurable jitter) into the workflow.

  • Adds a new attribute segments to the OS::Neutron::Net resource. The attribute resolves the network segments on the network. The attribute is useful when migrating from a non routed provider network to a routed provider network. The example below show how to migrate an existing subnet to one that is associated with the segment:

    TestSubnet:
  type: OS::Neutron::Subnet
  name: the_subnet
  properties:
    segment: {get_attr: [the_network, segments, 0, id]}

  • Added network attribute to OS::Neutron::Port resource. The new attribute returns the neutron network that owns the port. The following examples demonstrate some (not all) possible expressions. (Obtains the network, the MTU (Maximum transmission unit), the network tags and finally the l2_adjacency property):

    {get_attr: [<port>, network]}
{get_attr: [<port>, network, mtu]}
{get_attr: [<port>, network, tags]}
{get_attr: [<port>, network, l2_adjacency]}

  • Adds network to the addresses attribute of OS::Nova::Server resource. This enables resolving the network properties for the server resource.

  • Adds subnets to the addresses attribute of OS::Nova::Server resource. This enables resolving the subnet properties for the server resource which brings parity with OS::Neutron::Port’s subnets attribute.

  • Adds support to update the segment_id of OS::Neutron::Subnet resource. This enables migration from non routed network to a routed network.

  • Added stack API support to provide a swift container that contains the child templates and environment files. All files would be fetched and used (if required), unless they are superceded by files in files map.

Upgrade Notes

  • Resource type OS::Magnum::Bay is now hidden, please use OS::Magnum::Cluster instead.

  • Resource type OS::Magnum::BayModele is now hidden, please use OS::Magnum::ClusterTemplate instead.

  • Resource type OS::Nova::FloatingIP is now hidden, please use OS::Neutron::FloatingIP instead.

  • Resource type OS::Nova::FloatingIPAssociation is now hidden, please use OS::Neutron::FloatingIPAssociation instead.

Other Notes

  • Introduce a Blazar client plugin module that will be used by Blazar resources.

11.0.0.0b1

Upgrade Notes

  • The database upgrade for Heat Queens release drops ‘watch_rule’ and ‘watch_data’ tables from the heat database.

Security Issues

  • Passwords generated by the OS::Heat::RandomString resource may have had less entropy than expected, depending on what is specified in the character_class and character_sequence properties. This has been corrected so that each character present in any of the specified classes or sequences now has an equal probability of appearing at each point in the generated random string.

10.0.0.0rc1

Prelude

Note that Heat is compatible with OpenStack Identity federation, even when using Keystone trusts. It should work after you enable Federation and build the auto-provisioning map with the heat service user in Keystone. Auto-provisioning has been available in Keystone since the Ocata release.

New Features

  • Added hostname, hints, security_groups, and mounts properties to Zun Container resources.

Upgrade Notes

  • The OS::Heat::HARestarter resource type is no longer supported. This resource type is now hidden from the documentation. HARestarter resources in stacks, including pre-existing ones, are now only placeholders and will no longer do anything. The recommended alternative is to mark a resource unhealthy and then do a stack update to replace it. This still correctly manages dependencies but, unlike HARestarter, also avoid replacing dependent resources unnecessarily. An example of this technique can be seen in the autohealing sample templates at https://git.openstack.org/cgit/openstack/heat-templates/tree/hot/autohealing

  • The AWS compatible CloudWatch API, deprecated since long has been finally removed. OpenStack deployments, packagers, and deployment projects which deploy/package CloudWatch should take appropriate action to remove support.

Security Issues

  • Heat no longer uses standard Python RNG when generating values for OS::Heat::RandomString resource, and instead relies on system’s RNG for that.

Other Notes

  • The old Heat Tempest plugin heat_tests has been removed and replaced by a separate Tempest plugin named heat, in the heat-tempest-plugin repository (https://git.openstack.org/cgit/openstack/heat-tempest-plugin). Functional tests that are appropriate for the Tempest environment have been migrated to the new plugin. Other functional tests remain behind in the heat repository.

10.0.0.0b3

New Features

  • Adds new resources for octavia lbaas service.

  • New resource OS::Octavia::LoadBalancer is added to create and manage Load Balancers which allow traffic to be directed between servers.

  • New resource OS::Octavia::Listener is added to create and manage Listeners which represent a listening endpoint for the Load Balancer.

  • New resource OS::Octavia::Pool is added to create and manage Pools which represent a group of nodes. Pools define the subnet where nodes reside, the balancing algorithm, and the nodes themselves.

  • New resource OS::Octavia::PoolMember is added to create and manage Pool members which represent a single backend node.

  • New resource OS::Octavia::HealthMonitor is added to create and manage Health Monitors which watch status of the Load Balanced servers.

  • New resource OS::Octavia::L7Policy is added to create and manage L7 Policies.

  • New resource OS::Octavia::L7Rule is added to create and manage L7 Rules.

  • Heat now support policy in code, which means if you didn’t modify any of policy rules, you won’t need to add rules in the policy.yaml or policy.json file. Because from now, heat keeps all default policies under heat/policies. You can still generate and modify a policy.yaml file which will override policy rules in code if those rules appear in the policy.yaml file.

  • Add tags parameter for create and update keystone projects. Defined comma deliniated list will insert tags into newly created or updated projects.

  • OS::Heat::ResourceGroup now supports a removal_policies_mode property. This can be used to optionally select different behavior on update where you may wish to overwrite vs append to the current policy.

  • Allow to set networks of instances for OS::Trove::Cluster resource.

Upgrade Notes

  • Default policy.json file is now removed as we now generate the default policies in code. Please be aware that when using that file in your environment. You still can generate a policy.yaml file if that’s required in your environment.

Deprecation Notes

  • Threshold alarm which uses ceilometer API is deprecated in aodh since Ocata. Please use OS::Aodh::GnocchiAggregationByResourcesAlarm in place of OS::Aodh::Alarm.

Bug Fixes

  • Force delete the nova instance. If a resource is related with a nova instance which is in ‘SOFT_DELETED’ status, the resource can’t be deleted, when nova config ‘reclaim_instance_interval’. so, force-delete the nova instance, and then all the resources are related with the instance would be processed properly.

10.0.0.0b2

New Features

  • Adds REST api support to cancel a stack create/update without rollback.

  • The template validate API call now returns the Environment calculated by heat - this enables preview of the merged environment when using parameter_merge_strategy prior to creating the stack

  • Added a new schema property tags, to parameters, to categorize parameters based on features.

Deprecation Notes

  • The SSL middleware heat.api.middleware.ssl:SSLMiddleware that has been deprecated since 6.0.0 has now been removed, check your paste config and ensure it has been replaced by oslo_middleware.http_proxy_to_wsgi instead.

  • The heat.resource_type custom constraint has been removed. This constraint never actually worked.

10.0.0.0b1

New Features

  • All developer, contributor, and user content from various guides in openstack-manuals has been moved in-tree and are published at https://docs.openstack.org/heat/pike/.

Known Issues

  • Heat does not work with keystone identity federation. This is a known limitation as heat uses keystone trusts for deferred authentication and trusts don’t work with federated keystone. For more details check https://etherpad.openstack.org/p/pike-ptg-cross-project-federation.

Deprecation Notes

  • Hidden Designate resource plugins OS::Designate::Domain and OS::Designate::Record. To use OS::Designate::Zone and OS::Designate::RecordSet instead.

Bug Fixes

  • Add attribute schema to OS::Keystone::Project. This allow get_attr function can work with project resource.

Other Notes

  • Intrinsic function plugins will now be passed a StackDefinition object instead of a Stack object. When accessing resources, the StackDefinition will return ResourceProxy objects instead of Resource objects. These classes replicate the parts of the Stack and Resource APIs that are used by the built-in Function plugins, but authors of custom third-party Template/Function plugins should audit them to ensure they do not depend on unstable parts of the API that are no longer accessible. The StackDefinition and ResourceProxy APIs are considered stable and any future changes to them will go through the standard deprecation process.

9.0.0.0rc1

New Features

  • Add converge parameter for stack update (and update preview) API. This parameter will force resources to observe the reality of resources before actually update it. The value of this parameter can be any boolean value. This will replace config flag observe_on_update in near future.

9.0.0.0b3

Prelude

Magnum recently changed terminology to more intuitively convey key concepts in order to align with industry standards. “Bay” is now “Cluster” and “BayModel” is now “ClusterTemplate”. This release deprecates the old names in favor of the new.

New Features

  • The ‘contains’ function was added, which checks whether the specified value is in a sequence. In addition, the new function can be used as a condition function.

  • A new OS::Zun::Container resource is added that allows users to manage docker containers powered by Zun. This resource will have an ‘addresses’ attribute that contains various networking information including the neutron port id. This allows users to orchestrate containers with other networking resources (i.e. floating ip).

  • New resource OS::Neutron::Trunk is added to manage Neutron Trunks.

  • A new property, deployment_swift_data is added to the OS::Nova::Server and OS::Heat::DeployedServer resources. The property is used to define the Swift container and object name that is used for deployment data for the server. If unset, the fallback is the previous behavior where these values will be automatically generated.

  • OS::Magnum::Cluster resource plugin added to support magnum cluster feature, which is provided by magnum cluster API.

  • OS::Magnum::ClusterTemplate resource plugin added to support magnum cluster template feature, which is provided by magnum clustertemplates API.

  • Added new section permutations for repeat function, to decide whether to iterate nested the over all the permutations of the elements in the given lists. If ‘permutations’ is not specified, we set the default value to true to compatible with before behavior. The args have to be lists instead of dicts if ‘permutations’ is False because keys in a dict are unordered, and the list args all have to be of the same length.

  • Two new policies soft-affinity and soft-anti-affinity have been supported for the OS::Nova::ServerGroup resource.

  • Resource attributes are now stored at the time a resource is created or updated, allowing for fast resolution of outputs without having to retrieve live data from the underlying physical resource. To minimise compatibility problems, the behaviour of the show attribute, the with_attr option to the resource show API, and stacks that do not yet use the convergence architecture (due to the convergence_engine being disabled at the time they were created) is unchanged - in each of these cases live data will still be returned.

  • Support to managing rbac policy for ‘qos_policy’ resource, which allows to share Neutron qos policy to subsets of tenants.

Deprecation Notes

  • Magnum terminology deprecations * OS::Magnum::Bay is now deprecated, should use OS::Magnum::Cluster instead * OS::Magnum::BayModel is now deprecated, should use OS::Magnum::ClusterTemplate instead Deprecation warnings are printed for old usages.

Critical Issues

  • Since Aodh drop support for combination alarm, therefore OS::Aodh::CombinationAlarm is now mark as hidden resource with directly inheriting from None resource which will make the resource do nothing when handling any actions (other than delete). And please don’t use it. Old resource which created with that resource type still able to delete. It’s recommand to switch that resource type ASAP, since we will remove that resource soon.

9.0.0.0b2

New Features

  • The list_concat_unique function was added, which behaves identically to the function list_concat to concat several lists using python’s extend function and make sure without repeating items.

  • The list_concat function was added, which concats several lists using python’s extend function.

  • Allow to set or update the tags for OS::Neutron::Router resource.

  • A new OS::Mistral::ExternalResource is added that allows users to manage resources that are not known to Heat by specifying in the template Mistral workflows to handle actions such as create, update and delete.

  • New item key ‘allocate_network’ of ‘networks’ with allowed values ‘auto’ and ‘none’ for OS::Nova::Server, to support ‘Give Me a Network’ nova feature. Specifying ‘auto’ would auto allocate a network topology for the project if there is no existing network available; Specifying ‘none’ means no networking will be allocated for the created server. This feature requires nova API micro version 2.37 or later and the auto-allocated-topology API is available in the Neutron networking service.

  • A new openstack client plugin to use python-openstacksdk library and a neutron.segment custom constraint.

  • A new OS::Neutron:Segment resource to create routed networks. Availability of this resource depends on availability of neutron segment API extension.

  • Resource OS::Neutron::Subnet now supports segment optional property to specify a segment.

  • Resource OS::Neutron::Net now supports l2_adjacency atribute on whether L2 connectivity is available across the network or not.

  • ParameterGroups section is added to the nested stacks, for the output of the stack validate templates.

  • Allow to set or update the tags for OS::Neutron::Net resource.

  • Allow to set or update the tags for OS::Neutron::Port resource.

  • Allow to set or update the tags for OS::Neutron::Subnet resource.

  • Allow to set or update the tags for OS::Neutron::SubnetPool resource.

Deprecation Notes

  • nova-network is no longer supported in OpenStack. Please use OS::Neutron::FloatingIPAssociation and OS::Neutron::FloatingIP in place of OS::Nova::FloatingIPAssociation and OS::Nova::FloatingIP

  • The AWS::EC2::EIP domain is always assumed to be ‘vpc’, since nova-network is not supported in OpenStack any longer.

  • The ‘attachments’ attribute of OS::Cinder::Volume has been deprecated in favor of ‘attachments_list’, which has the correct type of LIST. This makes this data easier for end users to process.

Other Notes

  • Introduce a Zun client plugin module that will be used by the Zun’s resources that are under development.

  • Now heat keystone user name charaters limit increased from 64 to 255. Any extra charaters will lost when truncate the name to the last 255 charaters.

9.0.0.0b1

New Features

  • Supports to get the webmks console url for OS::Nova::Server resource. And this requires nova api version equal or greater than 2.8.

  • The Pike version of HOT (2017-09-01) adds a make_url function to simplify combining data from different sources into a URL with correct handling for escaping and IPv6 addresses.

Bug Fixes

  • ‘CEPHFS’ can be used as a share protocol when using OS::Manila::Share resource.

8.0.0.0b3

New Features

  • Designate v2 resource plugins OS::Designate::Zone and OS::Designate::RecordSet are newly added.

  • A new resource plugin OS::Keystone::Domain is added to support the lifecycle of keystone domain.

  • New resource OS::Neutron::Quota is added to manage neutron quotas.

  • A new resource OS::Sahara::Job has been added, which allows to create and launch sahara jobs. Job can be launched with resource-signal.

  • Custom constraints for all sahara resources added - sahara.cluster, sahara.cluster_template, sahara.data_source, sahara.job_binary, sahara.job_type.

  • OS::Nova::Server now supports ephemeral_size and ephemeral_format properties for block_device_mapping_v2 property. Property ephemeral_size is integer, that require flavor with ephemeral disk size greater that 0. Property ephemeral_format is string with allowed values ext2, ext3, ext4, xfs and ntfs for Windows guests; it is optional and if has no value, uses default, defined in nova config file.

Deprecation Notes

  • Designate v1 resource plugins OS::Designate::Domain and OS::Designate::Record are deprecated.

8.0.0.0b2

New Features

  • OS::Aodh::CompositeAlarm resource plugin is added to manage Aodh composite alarm, aim to replace OS::Aodh::CombinationAlarm which has been deprecated in Newton release.

  • The resource mark unhealthy command now accepts either a logical resource name (as it did previously) or a physical resource ID to identify the resource to be marked unhealthy.

  • New OS::Zaqar::Subscription and OS::Zaqar::MistralTrigger resource types allow users to attach to Zaqar queues (respectively) notifications in general, and notifications that trigger Mistral workflow executions in particular.

8.0.0.0b1

New Features

  • OS::Cinder::QoSAssociation resource plugin is added to support cinder QoS Specs Association with Volume Types, which is provided by cinder qos-specs API extension.

  • New resource OS::Nova::Quota is added to enable an admin to manage Compute service quotas for a specific project.

7.0.0.0rc1

New Features

  • Adds optional section conditions for hot template ( heat_template_version.2016-10-14) and Conditions for cfn template (AWSTemplateFormatVersion.2010-09-09).

  • Adds some condition functions, like equals, not, and and or, these condition functions can be used in conditions section to define one or more conditions which are evaluated based on input parameter values provided when a user creates or updates a stack.

  • Adds optional section condition for resource and output definitions. Condition name defined in conditions and condition functions can be referenced in this section, in order to conditionally create resources or conditionally give outputs of a stack.

  • Adds function if to return corresponding value based on condition evaluation. This function can be used to conditionally set the value of resource properties and outputs.

  • OS::Cinder::QoSSpecs resource plugin added to support cinder QoS Specs, which is provided by cinder qos-specs API extension.

  • cinder.qos_specs constraint added to support to validate QoS Specs attribute.

  • New resource OS::Cinder::Quota is added to manage cinder quotas. Cinder quotas are operational limits to projects on cinder block storage resources. These include gigabytes, snapshots, and volumes.

7.0.0.0b3

Prelude

Previously ‘parameters’ and ‘parameter_defaults’ specified in an environment file used to overwrite their existing values.

Previously the event list REST API call only returned events for the specified stack even when that stack contained nested stack resources. This meant that fetching all nested events required an inefficient recursive client-side implementation.

Support external resource reference in template.

New Features

  • Supports internal DNS resolution and integration with external DNS services for neutron resources. Template authors can use the dns_name and dns_domain properties of neutron resource plugins for this functionality.

  • A new ‘parameter_merge_strategies’ section can be added to the environment file, where ‘default’ and/or parameter specific merge strategies can be specified.

  • Parameters and parameter defaults specified in the environment file would be merged as per their specified strategies.

  • The event list GET REST API call now has a different behaviour when the ‘nested_depth’ parameter is set to an integer greater than zero. The response will contain all events down to the requested nested depth.

  • When ‘nested_depth’ is set the response also includes an extra entry in the ‘links’ list with ‘rel’ set to ‘root_stack’. This can be used by client side implementations to detect whether it is necessary to fall back to client-side recurisive event fetching.

  • Add external_id attribute for resource to reference on an exists external resource. The resource (with external_id attribute) will not able to be updated. This will keep management rights stay externally.

  • This feature only supports templates with version over 2016-10-14.

  • Add map_replace function, that takes 2 arguments an input map and a map containing a keys and/or values map. key/value substitutions on the input map are performed based on the mappings passed in keys and values.

  • Add yaql function, that takes 2 arguments expression of type string and data of type map and evaluates expression on a given data.

Upgrade Notes

  • New config section volumes with new config option [volumes]backups_enabled (defaults to True). Operators that do not have Cinder backup service deployed in their cloud are encouraged to set this option to False.

Bug Fixes

  • Allow to configure Heat service to forbid creation of stacks containing Volume resources with deletion_policy set to Snapshot when there is no Cinder backup service available.

7.0.0.0b2

New Features

  • Add optional ‘period’ property for Monasca Notification resource. The new added property will now allow the user to tell Monasca the interval in seconds to periodically invoke a webhook until the ALARM state transitions back to an OK state or vice versa. This is useful when the user wants to create a stack which will automatically scale up or scale down more than once if the alarm state continues to be in the same state. To conform to the existing Heat autoscaling behaviour, we manually create the monasca notification resource in Heat with a default interval value of 60.

7.0.0.0b1

New Features

  • Add template_dir to config. Normally heat has template directory /etc/heat/templates. This change makes it more official. In the future, it is possible to implement features like access templates directly from global template environment.

  • Adds new ‘max_server_name_length’ configuration option which defaults to the prior upper bound (53) and can be lowered by users (if they need to, for example due to ldap or other internal name limit restrictions).

  • OS::Glance::Image resource plug-in is updated to support tagging when image is created or updated as part of stack.

  • OS::Monasca::AlarmDefinition and OS::Monasca::Notification resource plug-ins are now supported by heat community as monasca became offcial OpenStack project.