- When using the Neutron extension 'port_security' and booting an instance on a network with 'port_security_enabled=False', the Nova API response says there is a 'default' security group attached to the instance, which is incorrect. However, when listing security groups for the instance, none are listed, which is correct. The API response will be fixed separately with a microversion.
- The ``record`` configuration option for the console proxy services (like VNC, serial, spice) is changed from boolean to string. It specifies the filename that will be used for recording websocket frames.
- The qemu-img tool now has resource limits applied which prevent it from using more than 1GB of address space or more than 2 seconds of CPU time. This provides protection against denial of service attacks from maliciously crafted or corrupted disk images.
- A new REST API to cancel an ongoing live migration has been added in microversion 2.24. Initially this operation will only work with the libvirt virt driver.
- It is possible to call attach and detach volume API operations for instances which are in shelved and shelved_offloaded state. For an instance in shelved_offloaded state, Nova sets the device_name field to None; the correct value for that field is set once the instance is unshelved, as it will then be managed by a specific compute manager.
- It is possible to block live migrate instances with additional cinder volumes attached. This requires libvirt version to be >=1.2.17 and does not work when live_migration_tunnelled is set to True.
- When RBD is used for ephemeral disks and image storage, snapshots now use Ceph directly and update Glance with the new location. In case of failure, Nova gracefully falls back to the "generic" snapshot method. This requires changing the typical permissions for the Nova Ceph user (if using cephx) to allow writing to the pool where VM images are stored, and it also requires configuring Glance to provide a v2 endpoint with direct_url support enabled (there are security implications to doing this). See http://docs.ceph.com/docs/master/rbd/rbd-openstack/ for more information on configuring OpenStack with RBD.
- Added support for CPU thread policies, which can be used to control how the libvirt virt driver places guests with respect to CPU SMT "threads". These are provided as instance and image metadata options, 'hw:cpu_thread_policy' and 'hw_cpu_thread_policy' respectively, and provide an additional level of control over CPU pinning policy, when compared to the existing CPU policy feature. These changes were introduced in commits '83cd67c' and 'aaaba4a'.
- Added support for enabling discard for block devices with libvirt. This will be enabled for Cinder volume attachments that specify support for the feature in their connection properties. This requires support to be present in the version of libvirt (v1.0.6+) and qemu (v1.6.0+) used along with the configured virtual drivers for the instance. The virtio-blk driver does not support this functionality.
- A disk space scheduling filter is now available, which prefers compute nodes with the most available disk space. By default, free disk space is given equal importance to available RAM. To increase the priority of free disk space in scheduling, increase the disk_weight_multiplier option.
- The os-instance-actions methods now read actions from deleted instances. This means that 'GET /v2.1/{tenant-id}/servers/{server-id}/os-instance-actions' and 'GET /v2.1/{tenant-id}/servers/{server-id}/os-instance-actions/{req-id}' will return instance-action items even if the instance corresponding to '{server-id}' has been deleted.
- When booting an instance, its sanitized 'hostname' attribute is now used to populate the 'dns_name' attribute of the Neutron ports the instance is attached to. This functionality enables the Neutron internal DNS service to know the ports by the instance's hostname. As a consequence, commands like 'hostname -f' will work as expected when executed in the instance. When a port's network has a non-blank 'dns_domain' attribute, the port's 'dns_name' combined with the network's 'dns_domain' will be published by Neutron in an external DNS as a service like Designate. As a consequence, the instance's hostname is published in the external DNS as a service. This functionality is added to Nova when the 'DNS Integration' extension is enabled in Neutron. The publication of 'dns_name' and 'dns_domain' combinations to an external DNS as a service additionally requires the configuration of the appropriate driver in Neutron. When the 'Port Binding' extension is also enabled in Neutron, the publication of a 'dns_name' and 'dns_domain' combination to the external DNS as a service will require one additional update operation when Nova allocates the port during the instance boot. This may have a noticeable impact on the performance of the boot process.
- The libvirt driver now has a live_migration_tunnelled configuration option which should be used where the VIR_MIGRATE_TUNNELLED flag would previously have been set or unset in the live_migration_flag and block_migration_flag configuration options.
- For the libvirt driver, hardware properties are retrieved from the Glance image by default; if they have not been provided there, the driver uses a libosinfo database to get those values. If users want to force a specific guest OS ID for the image, they can now use a new glance image property ``os_distro`` (e.g. ``--property os_distro=fedora21``). In order to use the libosinfo database, you need to separately install the related native package provided for your operating system distribution.
- Added a ``nova-manage db online_data_migrations`` command for forcing online data migrations, which will run all registered migrations for the release, instead of there being a separate command for each logical data migration. Operators need to make sure all data is migrated before upgrading to the next release, and the new command provides a unified interface for doing it.
- Remove ``onSharedStorage`` parameter from server's evacuate action in microversion 2.14. Nova will automatically detect if the instance is on shared storage. Also adminPass is removed from the response body which makes the response body empty. The user can get the password with the server's os-server-password action.
- A new service.status versioned notification has been introduced. When the status of the Service object is changed nova will send a new service.update notification with versioned payload according to bp versioned-notification-api. The new notification is documented in http://docs.openstack.org/developer/nova/notifications.html
- Two new policies, soft-affinity and soft-anti-affinity, have been implemented for the server-group feature of Nova. This means that the POST /v2.1/{tenant_id}/os-server-groups API resource now accepts 'soft-affinity' and 'soft-anti-affinity' as values of the 'policies' key of the request body.
- In Nova Compute API microversion 2.19, you can specify a "description" attribute when creating, rebuilding, or updating a server instance. This description can be retrieved by getting server details or by listing details for servers.
Refer to the Nova Compute API documentation for more information.
Note that the description attribute existed in prior Nova versions, but was set to the server name by Nova, and was not visible to the user. So, servers you created with microversions prior to 2.19 will return a description equal to the name in server details at microversion 2.19.
- As part of refactoring the notification interface of Nova, a new config option 'notification_format' has been added to specify which notification format shall be used by nova. The possible values are 'unversioned' (i.e. legacy), 'versioned', and 'both'. The default value is 'both'. The new versioned notifications are documented in http://docs.openstack.org/developer/nova/notifications.html
- Upon first startup of the scheduler service in Mitaka, all defined aggregates will have UUIDs generated and saved back to the database. If you have a significant number of aggregates, this may delay scheduler start as that work is completed, but it should be minor for most deployments.
- During an upgrade to Mitaka, operators must create and initialize a database for the API service. Configure this in [api_database]/connection, and then run ``nova-manage api_db sync``.
- Microversion 2.25 cannot be used to do live migration during an upgrade; nova-api will raise a bad request error if there is still an old compute node in the cluster.
- For Liberty compute nodes, the disk_allocation_ratio works as before: you must set it on the scheduler if you want to change it. For Mitaka compute nodes, the disk_allocation_ratio set on the compute nodes will be used only if the configuration is not set on the scheduler. This is to allow, for backwards compatibility, the ability to still override the disk allocation ratio by setting the configuration on the scheduler node. In Newton, we plan to remove the ability to set the disk allocation ratio on the scheduler, at which point the compute nodes will always define the disk allocation ratio, and pass that up to the scheduler. None of this changes the default disk allocation ratio of 1.0. This matches the behaviour of the RAM and CPU allocation ratios.
- Support for Windows / Hyper-V Server 2008 R2 has been deprecated in Liberty (12.0.0) and it is no longer supported in Mitaka (13.0.0). If you have compute nodes running that version, please consider moving the running instances to other compute nodes before upgrading those to Mitaka.
- The libvirt driver will now correct unsafe and invalid values for the live_migration_flag and block_migration_flag configuration options. The live_migration_flag must not contain VIR_MIGRATE_SHARED_INC but block_migration_flag must contain it. Both options must contain VIR_MIGRATE_PEER2PEER, except when using the 'xen' virt type, where this flag is not supported. Both options must contain the VIR_MIGRATE_UNDEFINE_SOURCE flag and must not contain the VIR_MIGRATE_PERSIST_DEST flag.
- The libvirt driver has changed the default value of the 'live_migration_uri' flag, which now depends on the 'virt_type'. The old default 'qemu+tcp://%s/system' is now adjusted for each of the configured hypervisors. For Xen this will be 'xenmigr://%s/system', for kvm/qemu this will be 'qemu+tcp://%s/system'.
- In order to make project_id optional in urls, we must constrain the set of allowed values for project_id in our urls. This defaults to a regex of ``[0-9a-f\-]+``, which will match hex uuids (with / without dashes), and integers. This covers all known project_id formats in the wild.
If your site uses other values for project_id, you can set a site-specific validation with the ``project_id_regex`` config variable.
- The old neutron communication options that were slated for removal in Mitaka are no longer available. This means that going forward communication to neutron will need to be configured using auth plugins.
- A new ``use_neutron`` option is introduced which replaces the obtuse ``network_api_class`` option. This defaults to 'False' to match existing defaults, however if ``network_api_class`` is set to the known Neutron value Neutron networking will still be used as before.
- The FilterScheduler now includes disabled hosts. Make sure you include the ComputeFilter in the ``scheduler_default_filters`` config option to avoid placing instances on disabled hosts.
- For backward compatible support the setting ``CONF.vmware.integration_bridge`` needs to be set when using the Neutron NSX|MH plugin. The default value has been set to ``None``.
- XenServer hypervisor type has been changed from ``xen`` to ``XenServer``. It could impact your aggregate metadata or your flavor extra specs if you provide only the former.
- The glance xenserver plugin has been bumped to version 1.3 which includes new interfaces for referencing glance servers by url. All dom0 will need to be upgraded with this plugin before upgrading the nova code.
- It is now deprecated to use [glance] api_servers without a protocol scheme (http / https). This is required to support urls throughout the system. Update any api_servers list with fully qualified https / http urls.
- Deprecate ``compute_stats_class`` config option. This allowed loading an alternate implementation for collecting statistics for the local compute host. Deployments that felt the need to use this facility are encouraged to propose additions upstream so we can create a stable and supported interface here.
- Deprecate the ``db_driver`` config option. Previously this let you replace our SQLAlchemy database layer with your own. This approach is deprecated. Deployments that felt the need to use the facility are encouraged to work with upstream Nova to address db driver concerns in the main SQLAlchemy code paths.
- The host, port, and protocol options in the [glance] configuration section are deprecated, and will be removed in the N release. The api_servers value should be used instead.
- Deprecate the use of nova.hooks. This facility used to let arbitrary out of tree code be executed around certain internal actions, but is unsuitable for having a well maintained API. Anyone using this facility should bring forward their use cases in the Newton cycle as nova-specs.
- Deprecate ``security_group_api`` configuration option. The current values are ``nova`` and ``neutron``. In future the correct security_group_api option will be chosen based on the value of ``use_neutron`` which provides a more coherent user experience.
- Deprecate the ``vendordata_driver`` config option. This allowed creating a different class loader for defining vendordata metadata. The default driver loads from a json file that can be arbitrarily specified, so is still quite flexible. Deployments that felt the need to use this facility are encouraged to propose additions upstream so we can create a stable and supported interface here.
- The configuration option ``api_version`` in the ``ironic`` group was marked as deprecated and will be removed in the future. The only possible value for that configuration was "1" (because Ironic only has 1 API version) and the Ironic team came to an agreement that setting the API version via configuration option should not be supported anymore. As the Ironic driver in Nova requests the Ironic v1.8 API, that means that Nova 13.0.0 ("Mitaka") requires Ironic 4.0.0 ("Liberty") or newer if you want to use the Ironic driver.
- The ``network_device_mtu`` option in Nova is deprecated for removal since network MTU should be specified when creating the network with nova-network. With Neutron networks, the MTU value comes from the ``segment_mtu`` configuration option in Neutron.
- The old top-level resource ``/os-migrations`` is deprecated and won't be extended anymore. Microversion 2.23 adds migration_type to /os-migrations, and also adds a ref link to /servers/{uuid}/migrations/{id} when the migration is an in-progress live migration.
- Deprecate ``volume_api_class`` and ``network_api_class`` config options. We only have one sensible backend for either of these. These options will be removed and turned into constants in Newton.
- Option ``memcached_servers`` is deprecated in Mitaka. Operators should use oslo.cache configuration instead. Specifically, the ``enabled`` option under the [cache] section should be set to True and the URL(s) for the memcached servers should be in the [cache]/memcache_servers option.
- In a race condition, if the base image is deleted by ImageCacheManager while imagebackend is copying the image to the instance path, the instance goes into error state. In this case, when libvirt has changed the base file ownership to libvirt-qemu while imagebackend is copying the image, a permission denied error is raised when updating the file access time using os.utime. This issue is fixed by updating the base file access time with root user privileges using the 'touch' command.
- When plugging virtual interfaces of type vhost-user, the MTU value will not be applied to the interface by nova. vhost-user ports exist only in userspace and are not backed by kernel netdevs; for this reason it is not possible to set the MTU on a vhost-user interface using standard tools such as ifconfig or ip link.
- The service subcommand of nova-manage is deprecated. Use the nova service-* commands from python-novaclient instead or the os-services REST resource. The service subcommand will be removed in the 14.0 release.
- The Neutron network MTU value is now used when plugging virtual interfaces in nova-compute. If the value is 0, which is the default value for the ``segment_mtu`` configuration option in Neutron before Mitaka, then the (deprecated) ``network_device_mtu`` configuration option in Nova is used, which defaults to not setting an MTU value.
- The sample policy file shipped with Nova contained many policies set to "" (allow all) which was not the proper default for many of those checks. It was also a source of confusion as some people thought "" meant to use the default rule. These empty policies have been updated to be explicit in all cases.
Many of them were changed to match the default rule of "admin_or_owner" which is a more restrictive policy check but does not change the restrictiveness of the API calls overall because there are similar checks in the database already.
This does not affect any existing deployment, just the sample file included for use by new deployments.
- Nova's EC2 API support which was deprecated in Kilo (https://wiki.openstack.org/wiki/ReleaseNotes/Kilo#Upgrade_Notes_2) is removed from Mitaka. This has been replaced by the new ec2-api project (http://opendev.org/openstack/ec2-api/).
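
For the qemu-img resource-limit note above, the following added example (not Nova's own code) shows one way operator tooling on a POSIX host can apply the same two limits before handing an untrusted image to ``qemu-img info``. The function names and the reading of "1GB" as 1 GiB are assumptions made for this sketch.

```python
import resource
import subprocess
import sys

# Limits from the release note; "1GB" is taken as 1 GiB here (assumption).
ADDRESS_SPACE_LIMIT = 1024 ** 3   # bytes of virtual address space
CPU_TIME_LIMIT = 2                # seconds of CPU time


def effective_limit(kind, wanted):
    """Cap the request at the hard limit this process already runs under."""
    hard = resource.getrlimit(kind)[1]
    return wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)


def _apply_limits():
    """Runs in the child between fork() and exec(); rlimits survive exec()."""
    for kind, wanted in ((resource.RLIMIT_AS, ADDRESS_SPACE_LIMIT),
                         (resource.RLIMIT_CPU, CPU_TIME_LIMIT)):
        value = effective_limit(kind, wanted)
        resource.setrlimit(kind, (value, value))


def run_limited(cmd, timeout=30):
    """Run cmd under the limits; return (returncode, stdout, stderr).

    The wall-clock timeout covers a child that blocks without burning CPU.
    """
    proc = subprocess.run(cmd, preexec_fn=_apply_limits, capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


def image_info(path):
    """Inspect an untrusted image file with qemu-img under the limits."""
    code, out, err = run_limited(["qemu-img", "info", "--output=json", path])
    if code != 0:
        # Negative codes mean the child died from a signal, for example
        # when it exceeded the CPU limit.
        raise RuntimeError(f"qemu-img info failed ({code}): {err.strip()}")
    return out


def child_limits():
    """Return the (address space, CPU) soft limits a limited child sees."""
    probe = ("import resource as r;"
             "print(r.getrlimit(r.RLIMIT_AS)[0], r.getrlimit(r.RLIMIT_CPU)[0])")
    code, out, _ = run_limited([sys.executable, "-c", probe])
    return code, tuple(int(field) for field in out.split())
```

``child_limits()`` confirms that the limits reach the child process without needing qemu-img installed.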
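
For the note above on live_migration_flag and block_migration_flag, this added example (not Nova's own code) applies the stated rules to a flag string and reports each change, so an operator can check which nova.conf values the driver would correct. ``normalize_flags`` is a hypothetical helper, the sample values are constructed, and dropping VIR_MIGRATE_PEER2PEER under 'xen' is an assumption about how "not supported" is handled.

```python
# Added example (not Nova's code). normalize_flags() and its return shape are
# hypothetical; the rules are the ones stated in the release note.

def normalize_flags(value, block_migration, virt_type="kvm"):
    """Apply the note's rules to a comma-separated libvirt migration flag string.

    Returns (corrected_string, corrections), where corrections lists every
    change an operator should also make in nova.conf.
    """
    flags = []
    for name in (f.strip() for f in value.split(",")):
        if name and name not in flags:      # drop blanks and duplicates
            flags.append(name)
    corrections = []

    def require(name, reason):
        if name not in flags:
            flags.append(name)
            corrections.append(f"added {name} ({reason})")

    def forbid(name, reason):
        if name in flags:
            flags.remove(name)
            corrections.append(f"removed {name} ({reason})")

    if block_migration:
        require("VIR_MIGRATE_SHARED_INC", "required for block migration")
    else:
        forbid("VIR_MIGRATE_SHARED_INC", "only valid for block migration")

    if virt_type == "xen":
        # Assumption: "not supported" is handled by dropping the flag.
        forbid("VIR_MIGRATE_PEER2PEER", "not supported by xen")
    else:
        require("VIR_MIGRATE_PEER2PEER", "required unless virt_type is xen")

    require("VIR_MIGRATE_UNDEFINE_SOURCE", "must always be set")
    forbid("VIR_MIGRATE_PERSIST_DEST", "must never be set")
    return ",".join(flags), corrections


# Constructed sample values, as they might appear in an old nova.conf.
SAMPLES = [
    ("live_migration_flag", False, "kvm",
     "VIR_MIGRATE_LIVE, VIR_MIGRATE_PERSIST_DEST, VIR_MIGRATE_SHARED_INC"),
    ("block_migration_flag", True, "xen",
     "VIR_MIGRATE_LIVE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_UNDEFINE_SOURCE"),
]

if __name__ == "__main__":
    for option, is_block, virt_type, raw in SAMPLES:
        fixed, changes = normalize_flags(raw, is_block, virt_type)
        print(f"{option} [{virt_type}] = {fixed}")
        for change in changes:
            print(f"  {change}")
```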