Zed Series Release Notes
15.6.0-9
Bug Fixes
Fixes a bug where the swtpm and swtpm-tools deb packages were missing from the ‘nova-compute’ and ‘nova-libvirt’ containers, which kept the ‘nova-compute’ container from starting when the operator enabled TPM support in Nova. LP#2062572
Apache services like Keystone are now started with the correct Unicode locale. Without this fix, Keystone under Apache on Ubuntu fails with a UnicodeEncodeError when the LDAP driver and DEBUG are enabled. LP#2076453
Fixes a bug where the rsync RPM package was missing in the swift-base container. See bug 2062072 for details.
15.4.0
Bug Fixes
The Nova API container extended startup script has been updated to only sync the local Nova cell. This resolves an error that would occur when the Nova database password changes. More details can be found on this bug report.
15.3.0
Bug Fixes
Fixes the lack of a way to build kolla-toolbox offline. LP#2020761
Adds missing grafana-opensearch-datasource plugin to the list of plugins in the docker image.
Fix container restart conditions to be tolerant of missing optional source and/or destination files. For more details, see the following bug report
15.1.0
Bug Fixes
Fixes an issue where the script kolla_ensure_openvswitch_configured in the openvswitch-db-server image would ignore errors encountered while configuring bridges and ports. LP#1999778
15.0.0
Prelude
Support for binary images was removed in Zed. Users are requested to migrate to source-based images.
Rocky Linux 9 is now supported as a base container image.
New Features
Updates Alertmanager version to 0.24.0.
Adds support for TPM emulation in Nova (via “swtpm”).
Adds OpenSearch and OpenSearch Dashboards images.
Updates the OpenStack exporter for Prometheus to version 1.6.0.
Adds the prometheus-ovn-exporter image.
Quiet mode (enabled with the --quiet argument) can now be combined with the --logs-dir option. Console output will be quiet as expected, while build output will be stored in separate log files.
Added a --repos-yaml argument to allow users to provide their own file with definitions of external package repositories. Useful for those building in offline environments with a set of internal mirrors.
Upgrade Notes
Changes the kolla_version label to the git SHA-1 hash if images are built with kolla from a git repository.
To fix CVE-2022-38060, support for the KOLLA_CONFIG and KOLLA_CONFIG_FILE environment variables in kolla-built containers has been dropped. Now, only the single trusted path of /var/lib/kolla/config_files/config.json will be utilised for loading container config. We believe this is a reasonable tradeoff, as these environment variables were not used by any known downstream, and potential users in the wild can easily adapt: this does not limit the functionality per se, it only makes it stricter as to where the config can come from.
Prometheus services were updated to the following versions:
blackbox_exporter -> 0.22.0
elasticsearch_exporter -> 1.5.0
haproxy_exporter -> 0.13.0
memcached_exporter_version -> 0.10.0
mysqld_exporter -> 0.14.0
node_exporter -> 1.4.0
prometheus -> 2.38.0
prometheus_cadvisor -> 0.45.0
prometheus_libvirt_exporter -> 2.3.2
prometheus_msteams -> 1.5.1
prometheus_mtail -> v3.0.0-rc50
Default base distribution has been changed from CentOS Stream to Rocky Linux.
Removes images for monasca, kafka, storm and zookeeper, since support for them has been dropped in Kolla-Ansible in the Zed release. Prometheus + Grafana + Fluentd + OpenSearch remain as the primary monitoring, logging and alerting stack in Kolla.
The elasticsearch, kibana and logstash images have been dropped. The Zed release brings in support for opensearch and opensearch-dashboards, but there’s no equivalent for logstash.
Python 3.6 & 3.7 support has been dropped. The minimum version of Python now supported is Python 3.8.
The qdrouterd image has been dropped.
etcd is now installed from the upstream binaries published to GitHub rather than via the OS package manager. This aligns the etcd version across all distributions for compatibility.
Kolla Build no longer prepends the base (distro) name to image names. Instead, the user is able to choose any prefix they wish via the image_name_prefix setting.
The updated OpenStack exporter for Prometheus uses the latest Nova API microversion by default, resulting in changes to existing metrics. To keep existing behaviour, set prometheus_openstack_exporter_compute_api_version to 2.1.
RabbitMQ version has been updated to 3.10 (together with Erlang to 25).
The Debian and Ubuntu images now use rabbitmq from cloudsmith and erlang from the Team RabbitMQ PPA. Operators might want to mirror/proxy those new sources, as they provide the correct set of packages, unlike the previous combination.
Ansible in the kolla-toolbox container has been upgraded to version 2.13.
Deprecation Notes
The hacluster-pcs image has been deprecated for removal in the Antelope release.
Use of the install_type argument is now deprecated. We no longer support values other than source, therefore handling of the argument was dropped. Please update your scripts, as it will be removed in the Antelope cycle.
Security Issues
Fixes a hypothetical security issue related to privilege escalation via rootwrap/privsep. A potentially vulnerable service could previously allow writes to its rootwrap/privsep config and thus allow more commands to be run with root privileges via rootwrap/privsep. For a successful attack, this would also require the service to allow running arbitrary commands via rootwrap/privsep. Thus far, no such vulnerabilities have been reported, so this fix simply strengthens the container images against such an issue in the future. LP#1874298
Fixes CVE-2022-38060, a sudo privilege escalation vulnerability. LP#1985784
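The upgrade note on CVE-2022-38060 says container config is now loaded only from one trusted path. As an added example (not Kolla's own code), the sketch below contrasts an environment-driven loader with a fixed-path one and audits container environments for the dropped variables; the variable semantics, function names and sample data are assumptions.

```python
import json

# Path and variable names come from the release note; everything else is illustrative.
TRUSTED_PATH = "/var/lib/kolla/config_files/config.json"
DROPPED_VARS = ("KOLLA_CONFIG", "KOLLA_CONFIG_FILE")


def legacy_load(env, read_file):
    """Pre-fix pattern: whoever controls the environment chooses the config.

    Assumption: KOLLA_CONFIG carries inline JSON, KOLLA_CONFIG_FILE a file path.
    """
    if "KOLLA_CONFIG" in env:
        return json.loads(env["KOLLA_CONFIG"])
    return json.loads(read_file(env.get("KOLLA_CONFIG_FILE", TRUSTED_PATH)))


def hardened_load(env, read_file):
    """Post-fix pattern: the environment is ignored; only the trusted path is read."""
    return json.loads(read_file(TRUSTED_PATH))


def audit_env(containers):
    """Map container name -> dropped variables set in its "KEY=value" env list."""
    findings = {}
    for name, env_list in containers.items():
        keys = {item.split("=", 1)[0] for item in env_list}
        hits = sorted(keys.intersection(DROPPED_VARS))
        if hits:
            findings[name] = hits
    return findings


# Constructed sample data: an in-memory "filesystem" and two container env lists.
FILES = {
    TRUSTED_PATH: '{"command": "nova-compute"}',
    "/tmp/other.json": '{"command": "something-else"}',
}
CONTAINERS = {
    "nova_compute": ["PATH=/usr/bin", "LANG=en_US.UTF-8"],
    "custom_svc": ["KOLLA_CONFIG_FILE=/tmp/other.json", "PATH=/usr/bin"],
}

if __name__ == "__main__":
    env = {"KOLLA_CONFIG_FILE": "/tmp/other.json"}
    print("legacy  :", legacy_load(env, FILES.__getitem__))
    print("hardened:", hardened_load(env, FILES.__getitem__))
    print("audit   :", audit_env(CONTAINERS))
```

Containers reported by `audit_env` are the ones whose deployment needs adapting, since the variables they set are no longer honoured.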
Bug Fixes
By default, the apt-get update command did not fail on erroneous source repositories; it showed the warning ‘W: Some index files failed to download. They have been ignored, or old ones used instead.’ and continued to work. This caused some containers (e.g. rabbitmq, kolla-toolbox) to build successfully but left them inconsistent, because the official Ubuntu repository contains packages with the same names. Now we use the apt-get -eany update command to stop the build with an error in such cases.
Fixes a SEGV on startup in CentOS builds of Skydive. Skydive versions prior to 0.28.0 panic on newer versions of libc. This especially affects CentOS 8. LP#1940862
Fixes an issue building images that use a source with a type of git, when using a git that includes the fix for CVE-2022-24765 (2.35.2 or later). By default, this includes the gnocchi-base image, but may include other images with a non-default configuration. LP#837710
Fixes the Debian and Ubuntu images to use rabbitmq from cloudsmith and erlang from the Team RabbitMQ PPA so that the images are still buildable and use proper versions.
Fixes an issue with Swift deployment via Kolla Ansible caused by the fix to CVE-2022-38060. The kolla-toolbox container now has its own sudoers secure_path configuration which allows the necessary binaries to execute.
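The apt-get update note in this section explains that failed repositories used to produce only a warning. As an added example (not part of Kolla), this scans per-image build logs for that warning to find images built before the fix that may carry packages from the wrong repository; the log lines, mirror URL and function names are constructed.

```python
import re

# Warning text as quoted in the release note.
IGNORED_WARNING = "W: Some index files failed to download"
# apt reports a failed index fetch as "Err:<n> <uri> <suite> ...".
ERR_LINE = re.compile(r"\bErr:\d+\s+(\S+)\s+(\S+)")


def scan_build_log(text):
    """Return (tainted, failed_sources) for one image's build log."""
    tainted = False
    failed = []
    for line in text.splitlines():
        match = ERR_LINE.search(line)
        if match:
            source = f"{match.group(1)} {match.group(2)}"
            if source not in failed:
                failed.append(source)
        elif IGNORED_WARNING in line:
            tainted = True
    return tainted, failed


def tainted_images(logs):
    """Map image name -> failed sources, for builds where apt only warned."""
    report = {}
    for image, text in logs.items():
        tainted, failed = scan_build_log(text)
        if tainted:
            report[image] = failed
    return report


# Constructed sample logs, one per image.
LOGS = {
    "rabbitmq": (
        "Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]\n"
        "Err:2 https://mirror.example.invalid/rabbitmq jammy InRelease\n"
        "  Could not resolve 'mirror.example.invalid'\n"
        "W: Some index files failed to download. "
        "They have been ignored, or old ones used instead.\n"
    ),
    "keystone": (
        "Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]\n"
        "Reading package lists...\n"
    ),
}

if __name__ == "__main__":
    print(tainted_images(LOGS))
```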
Other Notes
Added ‘--retry 5’ to curlrc to improve curl downloads during image builds.