The latest release of Atmosphere, now supporting the OpenStack Dalmatian, features a suite of enhancements. Key updates include a new streamlined upgrade process, advanced Keystone role configurations for Keycloak realms, and enhanced Neutron policy checks for address pair management. Additionally, significant security upgrades have been implemented for the Horizon service, alongside performance improvements in networking with OVN and DPDK interface configurations.
We are pleased to introduce Atmosphere v5.0.0, the latest upgrade to our cloud infrastructure platform. This release is a major step forward in our commitment to boost performance, security, and manageability for our users. With a focus on technical excellence, this new release brings an array of advanced features designed to streamline operations, fortify security protocols, and provide more granular control over cloud environments. These updates reflect our commitment to delivering a robust and sophisticated cloud solution that meets the evolving needs of modern enterprises and developers.
Let's dive in and explore the new features and improvements that Atmosphere v5.0.0 brings to the table:
Key Highlights
Commitment to OpenStack Evolution Atmosphere v5.0.0 proudly supports the latest OpenStack Dalmatian release (2024.2), reflecting our steadfast commitment to delivering timely updates and keeping our cloud infrastructure in sync with the most current OpenStack version.
Basic Atmosphere Upgrade Process
Enables users to seamlessly upgrade to the latest version, integrating new features and addressing previous issues without starting anew.
Keystone Role Enhancements for Keycloak Realm
Improves security by offering configurable password policies and brute force protection, key for safeguarding user management.
Support for Neutron with OVN Using Built-in DHCP Agent
Offers greater flexibility and simplification of network management for scenarios requiring DHCP relay.
Horizon Service Security Improvements
Enhances cloud security by running the Horizon service as a non-privileged user and tightening the ALLOWED_HOSTS and CORS configurations.
Bug Fixes for Open vSwitch and Cluster API Driver for Magnum
Addresses critical networking and container orchestration stability issues, ensuring reliable infrastructure operations.
Atmosphere v5.0.0 brings a host of new features aimed at enhancing performance, simplifying configuration, and fortifying the security of our cloud services. From the ability to specify image name prefixes for streamlined proxy integration to implementing default TLS certificates for ingress, these updates represent our commitment to innovation and user-centric development.
New features
- Helm-toolkit patch added
This patch enables compatibility with SQLAlchemy 2.0, allowing database drop and initialization tasks to be performed more easily. - Keystone role enhancements
New parameters for creating a Keycloak realm, allowing the configuration of password policies, brute force protection, and more. glance_image_tempfile_path variable
Users can now change the temporary path for downloading images before they are uploaded to the Glance service.- Keycloak is now configured to have the
token-exchange and the admin-fine-grained-authz features enabled to allow for use of the OAuth Token Exchange protocol, which means finer administrative authorization controls. - Multi-factor authentication in Keystone
Adds the ability to configure additional authentication methods for increased security. - Neutron policy check for address pairs
This enhancement involves a new POST method/address-pair, which verifies that both ports being paired are from the same project. This verification allows non-administrative users to manage address pair bindings securely, ensuring that resources are not inadvertently exposed to other projects. - Rust-based binary
ovsinit
A new tool for transitioning IP addresses to an OVS bridge during Neutron or OVN initialization. - Atmosphere upgrade process
Basic instructions and tools for upgrading Atmosphere software. - DPDK Interface Configuration Flexibility
Users now have the option to configure DPDK interfaces by their names, in addition to using pci_id, making deployments smoother in environments with varied hardware setups. Ingress Resource Class Specification
Deployment scripts for Ingress resources across all roles have been improved to allow the specification of class names, enhancing manageability by setting the <role>_ingress_class_name variable.- Image Name Prefix Specification
Users can now define a prefix for image names, facilitating seamless integration with image proxies and caching systems and reducing the need for separate inventory configurations - Default
TLS Certificates Utilization
The ingress can now utilize default TLS certificates by setting the ingress_use_default_tls_certificate variable, which simplifies Ingress resource setup by omitting the TLS section. - Service Role Configuration Enhancements
Multiple service roles, including Barbican, Cinder, Designate, Glance, Heat, Horizon, Ironic, Keystone, Magnum, Manila, Neutron, Nova, Octavia, Placement, and Staffeln, now support the configuration of priorityClassName and runtimeClassName, offering prioritization and runtime management for various service components. - Storpool Driver Update
The driver has been upgraded to align with the Caracal release, enhancing storage integration and performance. - Pod Affinity Rules in OVN
The pod affinity rules for OVN northbound and southbound stateful sets have been extended to the northd deployment, shifting from preferred to required during scheduling for better pod placement control. - Liveness Probes for
ovn-northd
Liveness probes have been enabled for the ovn-northd service to ensure automatic restarting of processes that fail readiness checks, increasing service resilience. - DHCP Agent Support in Neutron with OVN
Neutron now supports the use of its built-in DHCP agent in conjunction with OVN, facilitating scenarios requiring DHCP relay. - Pre-pulled
ovn-controller Image
The ovn-controller image is now pre-pulled on nodes before deploying the Helm chart, reducing the time required for updating to the new version of the image.
Further refining the user experience, we have enabled the configuration of priority and runtime classes across a wide range of service roles. This allows for more nuanced control and optimization of resources, ensuring that each component of the service operates with the efficiency and priority it requires. Moreover, the update to the Storpool driver and the introduction of liveness probes for the ovn-northd service underscore our dedication to system stability and reliability.
Our team is always ready to assist you in navigating these enhancements and ensuring you get the most out of your Atmosphere experience.
Known issues
- MTU Mismatch in OVN Metadata Interfaces
Previously, the MTU settings for OVN metadata interfaces were incorrect, causing discrepancies with the network MTU. A Neutron update now ensures that the neutron:mtu value is accurately set in external_ids.
Upgrade Notes
- OVN Version Update
OVN has been upgraded from version 24.03.1-44 to 24.03.2.34 for enhanced network functionality and performance. - Magnum Cluster API Driver Update
The Cluster API driver for Magnum has been upgraded to version 0.26.0, offering better orchestration and management of containerized applications.
Security Issues
- Non-Privileged Horizon Service
The Horizon service has been updated to run as a non-privileged user within the container, improving the security posture of the service. - Restricted
ALLOWED_HOSTS in Horizon
The ALLOWED_HOSTS setting in the Horizon service is now explicitly set to the configured service endpoints, tightening security against host header attacks. - Configured CORS Headers
CORS headers have been configured to permit requests solely from the service's configured endpoints, enhancing the security against cross-origin threats.
The latest update to Atmosphere addresses a range of bug fixes that enhance the stability and functionality of the platform. Critical updates have been made to service configurations, package installations, and command execution capabilities, ensuring smoother operations across Cinder, Nova, and Neutron services. Additionally, improvements in image handling and kernel settings have been implemented to optimize system performance and prevent common virtual machine startup issues.
Bug Fixes
- CLI Command Execution in Cinder and Nova
The missing [privsep_osbrick]/helper_command configuration has been added, resolving the issue that prevented certain CLI commands from running in the Cinder and Nova services. dmidecode Package Installation
The dmidecode package, necessary for certain os-brick library operations, is now properly installed on all required images, addressing NVMe-oF discovery issues.- Cinder Authentication Configuration
The [cinder]/auth_type configuration value has been set to password, ensuring the Cinder section is correctly rendered in the OpenStack Nova configuration file. nova-ssh Image Build Argument
The missing SHELL build argument for the nova user has been added to the nova-ssh image, fixing issues with live and cold migrations.- Neutron/OVN Route Management
During initialization, routes from the physical interface are now correctly transferred to the OVS bridge, preserving host connectivity. - Magnum Cluster API Driver Update
The Cluster API driver for Magnum has been updated to version 0.26.2, addressing cluster deletion bugs. - Open vSwitch Version Upgrade
Open vSwitch has been upgraded to version 3.3.0 to resolve issues with packet drops and recirculation depth errors. - Kernel AIO Option Adjustment
A kernel option (aio-max-nr) has been adjusted to allow for handling more asynchronous I/O events, preventing VM startup failures due to AIO limits. neutron-ironic-agent Service Start Fix
An issue preventing the neutron-ironic-agent service from starting has been resolved.- Non-Root User Configuration for OVS and OVN with DPDK
Open vSwitch and OVN components now run with a non-root user ID (42424) to align with QEMU and other OpenStack services, fixing vhost user socket file write issues. - CI Tooling for Image Pinning
A regression in the CI tooling for pinning images, caused by the introduction of the atmosphere_image_prefix variable, has been corrected. - vTPM Documentation Correction
The documentation has been updated to reference the correct metadata properties for using the vTPM. - Redundant SecurityContext in Ironic Template Fix
Two redundant securityContext issues in the statefulset-compute-ironic.yaml template have been fixed. - Internal Endpoints for Magnum Cluster API Driver
The Cluster API driver for Magnum now uses internal endpoints by default, avoiding ingress and benefiting from client-side load balancing.
Other Notes
- Documentation Update
Release notes have been comprehensively updated to reflect all currently supported Atmosphere versions, providing users with detailed information on changes and new features - OpenStack Collection Dependency
The Atmosphere collection has transitioned to using the latest major version of the OpenStack collection, ensuring compatibility and leveraging the most recent updates from the OpenStack ecosystem. - CI/CD Pipeline Optimization
Upload jobs within the gate pipeline have been eliminated in favor of build jobs, optimizing the CI/CD process by utilizing an intermediate registry for image storage. - Release Notes Management with Reno
The project has integrated reno, a release notes management tool, to systematically document all changes, guaranteeing thorough and consistent release notes for future updates. - CI Job Streamlining
Resource-intensive continuous integration (CI) jobs are now bypassed for changes to release notes, enhancing the efficiency of the development pipeline. - Image Build Process with
Docker-bake
The image build workflow has been revamped using docker-bake, enabling the reuse of context and built images across different targets, which simplifies and accelerates local image building without affecting functionality. - Virtual Environment Creation with UV Tool
A new tool, uv, has been adopted for creating virtual environments within images, offering a faster and more dependable alternative to previous methods.
As we conclude our exploration of Atmosphere v5.0.0, we trust that this array of updates, security enhancements, and crucial bug resolutions will markedly improve your cloud infrastructure usage. Our dedication to thorough documentation, streamlined processes, and the adoption of the latest tools ensures a robust and efficient cloud environment. We encourage our users to follow the progress of Atmosphere to leverage the full potential of these updates.
If you require support or are interested in trying Atmosphere, reach out to us. Our team is prepared to assist you in harnessing the power of these new features and ensuring that your cloud infrastructure remains at the forefront of innovation and reliability.
Keep an eye out for future developments as we continue to support and advance your experience with Atmosphere.
