OpenStack Ussuri-Victoria-Wallaby版本新功能介绍

社区目标

每个Release，社区都会定义几个社区目标，期望所有项目能够实现，这有利于对OpenStack下众多的项目能够有统一整体性，而不是各自发展各自的。OpenStack 从Ussuir到Victoria到Wallaby版本，社区定义了如下几个社区目标：

• Drop Python 2.7 Support
• Migrate RBAC Policy Format from JSON to YAML
• Migrate from oslo.rootwrap to oslo.privsep

首先是移除了对Python 2.7的支持，在前几个版本，逐渐将各个项目切换到了Python 3，在U版各个项目都申明了对Python 2.7不再提供支持。其次是要将RBAC的policy文件的格式从JSON切换到YAML格式，在Q版，将默认的policy规则写到了代码中，需要定制的才需要写到配置文件中，在W版，则将policy配置文件的格式从json切换到了yaml，更加方便和友好。此外，还有将项目中需要执行root权限命令依赖的组件从oslo.rootwrap切换到了oslo.privsep，更加安全。

特性概述

整体上，这几个release没有什么新的功能推出，而是在前几个版本的基础上，进行增强和改进，主要有以下几个特点：

• 全面拥抱Python 3，各个项目逐渐移除了对Python 2的支持
• 在安全层面，都陆陆续续推进了reader只读权限的API改造
• 在T版引入multistore之后，nova, cinder等项目都得进行适配，以支持multistore
• 在硬件加速，裸机管理上持续改进，添加了更多硬件支持，并且跟nova等项目进行更好的交互集成
• 在网络层面，新增加了ovn的ML2 memchanism driver，对ovn driver进行了很多改进，目标是后续将ovn替代ovs成为默认的driver

功能盘点

Cinder

Ussuri

• 进行了很多功能上的改进，包括为某个volume type设置最大最小的size，并且可以过滤出某一个时间段内的volume列表
• 支持glance的multistore，在将volume上传到glance时，支持指定store进行上传

Victoria

• 支持设置默认的volume type，并且可以为单独的某个项目设置volume type
• 为cinder backup开发了新的压缩算法Zstandard，之前默认的压缩算法是zlib

Wallaby

• 添加了新的存储后端：Ceph iSCSI, Dell EMC PowerVault ME, KIOXIA Kumoscale, Open-E JovianDSS, and TOYOU ACS5000.
• cinder-manage命令增加了对quota的check和sync命令，用来为检查和矫正不同步的quota

Cyborg

Ussuri

• 由于nova和cyborg的集成已经完成，用户可以创建带加速器的虚拟机
• 增加了新的API，可以用来将cyborg管理的硬件列表列出来

Victoria

• 支持对带加速器的虚拟机进行Rebuild和Evacuate操作
• 支持了更多硬件加速器(Intel QAT and Inspur FPGA)

Wallaby

• 支持对带加速器的虚拟机进行 Shelve/Unshelve 操作
• 支持更多的硬件加速器（Intel NIC and Inspur NVMe SSD）

Glance

Ussuri

• 增强multistore的功能，现在可以将镜像一次上传到所有的store中，并且支持在不同的store之间拷贝镜像，可以删除单个store中的镜像
• 在glance-store中，将s3 driver又引入进来，之前是由于没人维护，所以将s3 driver删除掉了

Victoria

• 增强multistore的功能，管理员可以设置允许其他用户从其他租户拷贝镜像
• Glance 支持配置 Cinder的 mutibackend，即Glance的后端是Cinder时，可以指定Cinder的volume type

Wallaby

• 支持glance-direct的上传方式，即不需要一个所有API都可以访问到的共享存储，就可以使用 Interoperable Image Import 的镜像上传方式

Ironic

Ussuri

• 新增了硬件的retirement功能，可以让用户将某个node设置为retirement，新的调度请求就不会调度到这个节点上
• 支持了多租户模式，允许普通用户使用裸机资源

Victoria

• deploy steps的步骤进行了优化，分解成多个步骤，在部署的时候，可以支持RAID和BIOS的配置

Wallaby

• RBAC的增强，内置支持只读，普通用户，管理员三个等级的权限划分

Keystone

• 在Keystone的bootstrap阶段，已经默认将admin的role设置为 immutable

Kolla

Ussuri

• 所有的镜像，脚本，以及ansible playbook，都已经切换到Python 3，移除了对Python 2的支持
• 支持CentOS 8作为操作系统以及容器镜像，移除了对CentOS 7的支持，Train是唯一一个即支持CentOS 7和 CentOS 8的版本
• 添加了对后端API的TLS加密的支持，包括Barbican, Cinder, Glance, Heat, Horizon, Keystone, Nova and Placement
• 移除了对Ceph部署的支持，仅提供跟外部Ceph进行对接的逻辑

Victoria

• 为核心的项目添加了Docker的healthcheck
• 添加了对RabbitMQ的TLS加密支持
• 支持添加多个globals.yml，在 /etc/globals.d/目录中，可以添加多个*.yml文件，可以为特定的服务创建独立的配置文件
• 添加了 配置项 haproxy_host_ipv4_tcp_retries2，去配置TCP 重连的内核参数 ，修复了VIP漂移时，因为数据库连接没有及时释放而导致的服务故障

Wallaby

• 添加了对Prometheus 2.x的支持
• 添加了对CentOS Stream 8的支持，它可以作为操作系统以及容器镜像，从Wallaby开始，Kolla将仅支持CentOS Stream 8发行版，Victoria是唯一一个即支持CentOS Linux 8，又支持CentOS Stream 8的版本
• 为其他项目的容器添加了Docker Healthcheck
• 支持在同一个OpenStack集群中，部署多个MariaDB集群，以支持不同服务使用不同的数据库集群，提升集群的支撑能力
• 修复了一个比较严重的bug，在停掉nova_libvirt容器时，会使其上的虚拟机被Kill，见链接：LP#1941706

Neutron

Ussuri

• 新增了ovn ml2 memchanism driver，以后ovn可能取代ovs成为默认的ml2 driver
• 支持配置stateless的安全组

Victoria

• Metadata服务现在支持在IPv6环境下运行
• floatingip的port forwarding功能，目前添加到了ovn driver中

Wallaby

• 添加了一个新的网络类型 network:routed ，支持通过BGP协议下发路由
• 在SR-IOV的ml2 driver中，添加了 一个新的 网卡类型 accelerator-direct，可以创建以cyborg中管理的硬件加速器作为后端的网络端口
• Neutron RBAC默认也支持了只读，普通用户，管理员的权限管理

Nova

Ussuri

• 由于nova和cyborg的集成已经完成，用户可以创建带加速器的虚拟机
• libvirt driver现在支持带持久化内存的虚拟机进行热迁移
• RBAC的增强，内置支持只读，普通用户，管理员三个等级的权限划分

Victoria

• 支持在同一个虚拟机中，混用pin cpu和floating cpu，可以让CPU密集型的业务使用pin cpu，而其他业务使用floating cpu
• 使用Glance的multistore模式时，并且Glance的后端是RBD，nova支持 fast cloning 操作，即当在某一个sotre中，没有找到对应的镜像，那么Nova会请求Glance将镜像在store之间复制一份，避免了以前需要下载再上传的操作

Wallaby

• 支持运行中的虚拟机绑定 QoS minimum bandwidth 类型的Port

Octavia

Ussuri

• 支持CentOS 8作为amphora镜像

Victoria

• Load Balancer的监控数据现在可以上传给多个外部的系统，可以方便的跟第三方的监控系统进行集成
• 创建amphora虚拟机时，可以指定镜像的tag放到flavor中，支持使用不同的镜像创建amphora虚拟机
• Load Balancer现在支持v2版本的PROXY协议，可以获得更好的性能

Wallaby

• Load Balancer现在支持gRPC协议
• Load Balancer支持 Stream Control Transmission Protocol (SCTP) 负载均衡算法

参考资料

• https://governance.openstack.org/tc/goals/
• https://releases.openstack.org/ussuri/highlights.html
• https://releases.openstack.org/victoria/highlights.html
• https://releases.openstack.org/wallaby/highlights.html
• https://specs.openstack.org/
• https://releases.openstack.org/ussuri/index.html
• https://releases.openstack.org/victoria/index.html
• https://releases.openstack.org/wallaby/index.html

英文版

cinder

• ussuri
  • Numerous improvements in current functionality, for example, the ability to set minimum and maximum sizes for volume-types; the ability to filter the volume list using time comparison operators.
    • Support to query cinder resources filter by time comparison operators
  • Support for Glance multistore and image data colocation when uploading a volume to the Image Service.
    • Support Glance multiple stores
  • Python 2 is no longer supported. The minimum version of Python that may be used with this release is Python 3.6.
• victoria
  • Improved handling around the configured default volume-type and added new Block Storage API calls with microversion 3.62 that enable setting a project-level default volume-type for individual projects.
    • Default volume type overrides
  • Support was added to cinder backup to use the popular Zstandard compression algorithm. The cinder backup service has added support for the popular Zstandard compression algorithm. (The default is the venerable Deflate (zlib) algorithm.)
    • Support modern compression algorithms in cinder backup
• wallaby
  • Added new backend drivers: Ceph iSCSI, Dell EMC PowerVault ME, KIOXIA Kumoscale, Open-E JovianDSS, and TOYOU ACS5000. Additionally, many current drivers have added support for features exceeding the required driver functions, with revert to snapshot and backend QoS being particularly popular this cycle.
  • The cinder-manage command now includes a new quota category with two possible actions check and sync to help administrators manage out of sync quotas on long running deployments.

cyborg

• ussuri
  • Users can now launch instances with accelerators managed by Cyborg, as the Nova-Cyborg integration has been completed. See accelerator operation guide to find which instance operations are supported.
  • New APIs have been implemented to list devices managed by Cyborg and, in general, to view and manage inventory of accelerators.
• victoria
  • Users can launch instances with accelerators managed by Cyborg since Ussuri release, this release two more operations * Rebuild and * Evacuate are supported. See accelerator operation guide to find all supported operations.
  • Cyborg supported new accelerator drivers (Intel QAT and Inspur FPGA) and reached an agreement that Vendors who want to implement a new driver should at least provide a full driver report result. (Of course, providing third-party CI is more welcome.) Supported drivers https://docs.openstack.org/cyborg/latest/reference/support-matrix.html_
• wallaby
  • Users can launch instances with accelerators managed by Cyborg since Ussuri release, this release more operations such as Shelve/Unshelve are supported. See accelerator operation guide to find all supported operations.
  • Cyborg introduces more new accelerator drivers such as Intel NIC and Inspur NVMe SSD driver which allow user to boot up a VM with such device attached.

glance

• ussuri
  • Enhancement in multiple stores feature, users now can import single image in multiple stores, copy existing imgae in multiple stores and delete image from single store.
  • Introduced S3 driver for glance-store again
  • Dropped support for python 2.7
• victoria
  • Enhancement in multiple stores feature, administrator can now set policy to allow user to copy images owned by other tenants
  • Glance allow to configure cinder multi-stores, During upgrade from single cinder store to multiple cinder stores, legacy images location url will be updated to the new format with respect to the volume type configured in the stores. Legacy location url: cinder:// New location url: cinder:///
• wallaby
  • Glance now supports the glance-direct import method without needing shared storage common to all API workers. By telling each API worker the URL by which it can be reached directly (from the other workers), a shared staging directory can be avoided while still allowing users to upload their data for import. See the worker_self_reference_url config option for more details, as well as the Interoperable Image Import docs.

ironic

• ussuri
  • Support for a hardware retirement workflow to enable automation of hardware decommission in managed clouds.
  • Multitenancy concepts and additional policy options are available for non-administrator usage of Ironic.
• victoria
  • The deploy steps work has decomposed the basic deployment operation into multiple steps which can now also include steps from supported RAID and BIOS interfaces at the time of deploy.
• wallaby
  • The System scoped RBAC model is now supported by Ironic along with the admin, member, and reader roles. This work has resulted in over 1500 new unit tests being added to Ironic.

keystone

• ussuri
  • When bootstrapping a new keystone deployment, the admin role now defaults to having the “immutable” option set, which prevents it from being accidentally deleted or modified unless the “immutable” option is deliberately removed.
• victoria
• wallaby

kolla

• ussuri
  • All images, scripts and Ansible playbooks now use Python 3, and support for Python 2 has been dropped.
  • CentOS 8 is now supported as a host operating system and container image, and support for CentOS 7 has been dropped. Adds support for CentOS 8 as a host Operating System and base container image. This is the only major version of CentOS supported from the Ussuri release. The Train release supports both CentOS 7 and 8 hosts, and provides a route for migration.
  • Added initial support for TLS encryption of backend API services, providing end-to-end encryption of API traffic. Currently Barbican, Cinder, Glance, Heat, Horizon, Keystone, Nova and Placement are supported.
  • Support for deploying Ceph has been removed, after it was deprecated in Stein. Please use an external tool to deploy Ceph and integrate it with Kolla Ansible deployed OpenStack by following the external Ceph guide.
• victoria
  • Implements container healthchecks for core OpenStack services. Docker healthchecks are periodically called scripts that check health of a running service that expose health information in docker ps output and trigger a health_status event. Healthchecks are now enabled by default and can be disabled by setting enable_container_healthchecks to no in globals.yml.
  • Adds support for TLS encryption of RabbitMQ client-server communication. See blueprint for details.
  • Adds configuration options to enable backend TLS encryption from HAProxy to the Nova, Ironic, and Neutron services. When used in conjunction with enabling TLS for service API endpoints, network communcation will be encrypted end to end, from client through HAProxy to the backend service.
  • Adds support for multiple globals files. The main globals.yml file still exists. In addition to that, operators can now create a globals.d directory (next to globals.yml), where they can place any number of *.yml files, for example for specific services they want to add.
  • Adds a new flag, docker_disable_default_network, which defaults to no. Docker is using 172.17.0.0/16 by default for bridge networking on docker0, and this might cause routing problems for operator networks. Setting this flag to yes will disable Docker’s bridge networking. This feature will be enabled by default from the Wallaby 12.0.0 release.
  • Added a new haproxy configuration variable, haproxy_host_ipv4_tcp_retries2, which allows users to modify this kernel option. This option sets maximum number of times a TCP packet is retransmitted in established state before giving up. The default kernel value is 15, which corresponds to a duration of approximately between 13 to 30 minutes, depending on the retransmission timeout. This variable can be used to mitigate an issue with stuck connections in case of VIP failover, see bug 1917068 for details.
• wallaby
  • Prometheus version 2.x deployment added. This version is enabled by default and replaces a forward-incompatible version 1.x. A variable prometheus_use_v1 can be set to yes to preserve version 1.x deployment with its data. Otherwise, Prometheus will start with a new volume, ignoring all previously collected metrics.
  • Adds support for CentOS Stream 8 as a host Operating System and base container image. This is the only distribution of CentOS supported from the Wallaby release. The Victoria release will support both CentOS Linux 8 and CentOS Stream 8 hosts and images, and provides a route for migration.
  • Implemented container healthchecks for following services: aodh, barbican, blazar, cinder, cloudkitty, cyborg, designate, elasticsearch, gnocchi, haproxy, ironic, kibana, magnum, manila, octavia, redis, sahara, senlin, skydive, tacker, trove, vitrage, watcher. See blueprint
  • The Mariadb role now allows the creation of multiple clusters. This provides a benefit to operators as they are able to install and maintain several clusters at once using kolla-ansible. This is useful when deploying database clusters for cells or database clusters for services that have large demands on the database.
  • Fixes a critical bug which caused Nova instances (VMs) using libvirtd (the default/usual choice) to get killed on libvirtd (nova_libvirt) container stop (and thus any restart - either manual or done by running Kolla Ansible). It was affecting Wallaby+ on CentOS, Ubuntu and Debian Buster (not Bullseye). If your deployment is also affected, please read the referenced Launchpad bug report, comment #22, for how to fix it without risking data loss. In short: fixing requires redeploying and this will trigger the bug so one has to first migrate important VMs away and only then redeploy empty compute nodes. LP#1941706

neutron

• ussuri
  • Python 2 is no longer supported by Neutron, Python 3.6 and 3.7 are.
  • The OVN driver is now merged into Neutron repository and is one of the in-tree Neutron ML2 drivers, like linuxbridge or openvswitch. OVN driver benefits over the openvswitch driver include for example DVR with distributed SNAT traffic, distributed DHCP and possibility to run without network nodes. Other ML2 drivers are still in-tree and are fully supported. Currently default agent is still openvswitch but our plan is to make OVN driver to be the default choice in the future.
  • Support for stateless security groups has been added. Users can now create security group set as stateless which means that conntrack will not be used for any rule in that group. One port can only use stateless or stateful security groups. In some use cases stateless security groups will allow operator to choose for optimized datapath performance whereas stateful security groups impose extra processing on the system.
• victoria
  • Metadata service is now available over IPv6. Users can now use metadata service without config drive in IPv6-only networks.
  • Support for floating IPs port forwarding has been added to OVN backend. Support for Floating IP port forwarding has been added for the OVN backend. Users can now create port forwardings for Floating IPs when the OVN backend is used in Neutron.
• wallaby
  • A new subnet of type network:routed has been added. If such a subnet is used, the IPs of that subnet will be advertized with BGP over a provider network, which itself can use segments. This basically achieves a BGP-to-the-rack feature, where the L2 connectivity can be confined to a rack only, and all external routing is done by the switches, using BGP. In this mode, it is still possible to use VXLAN connectivity between the compute nodes, and only floating IPs and router gateways are using BGP routing.
  • Added support in SR-IOV agent for accelerator-direct VNIC type. This type represents a port that supports any kind of hardware acceleration and is provided by Cyborg (https://wiki.openstack.org/wiki/Cyborg). RFE: 1909100. accelerator-direct-physical is still not supported.
  • Neutron now experimentally supports new API policies with the system scope and the default roles (member, reader, admin).

nova

• ussuri
  • Python 2 is no longer supported by Nova, Python 3.6 and 3.7 are.
  • Support for creating servers with accelerator devices via Cyborg.
  • The libvirt driver now supports live migration with virtual persistent memory (vPMEM), which requires QEMU as hypervisor. In virtualization layer, QEMU will copy vpmem over the network like volatile memory, due to the typical large capacity of vPMEM, it may takes longer time for live migration.
  • The Nova policies implemented the scope concept and new default roles (admin, member, and reader) provided by keystone.
  • Further enahanced support for moving servers with minimum bandwidth guarantees.
• victoria
  • Nova supports mixing pinned and floating CPUs within the same nova server. Add the mixed instance CPU allocation policy for instance mixing with both PCPU and VCPU resources. This is useful for applications that wish to schedule the CPU intensive workload on the PCPU and the other workloads on VCPU. The mixed policy avoids the necessity of making all instance CPUs to be pinned CPUs, as a result, reduces the consuption of pinned CPUs and increases the instance density.
  • Nova supports fast cloning of Glance images from the Ceph RBD cluster even if Glance multistore configuration is used. The libvirt RBD image backend module can now handle a Glance multistore environment where multiple RBD clusters are in use across a single Nova/Glance deployment, configured as independent Glance stores. In the case where an instance is booted with an image that does not exist in the RBD cluster that Nova is configured to use, Nova can ask Glance to copy the image from whatever store it is currently in to the one that represents its RBD cluster. To enable this feature, set [libvirt]/images_rbd_glance_store_name to tell Nova the Glance store name of the RBD cluster it uses.
    • Libvirt RBD image backend support for glance multistore
• wallaby
  • Now Nova supports attaching neutron ports with QoS minimum bandwidth rules for running servers.
  • The libvrit driver now supports vDPA (vHost data path acceleration), a vendor neutral way to accelerate standard virtio device using software or hardware accelerator implementations.

octavia

• ussuri
  • Added support for CentOS 8 amphora images.
• victoria
  • Load balancer statistics can now be reported to multiple statistics drivers simultaneously and supports delta metrics. This allows easier integration into external metrics system, such as a time series database.
  • Octavia flavors for the amphora driver now support specifying the glance image tag as part of the flavor. This allows the operator to define Octavia flavors that boot alternate amphora images.
  • Load balancer pools now support version two of the PROXY protocol. This allows passing client information to member servers when using TCP protocols. PROXYV2 improves the performance of establishing new connections using the PROXY protocol to member servers, especially when the listener is using IPv6.
• wallaby
  • With the addition of ALPN and HTTP/2 support for backend pool members, Octavia now supports the gRPC protocol. gRPC enables bidirectional streaming of Protocol Buffer messages through the load balancer.
  • Octavia now supports Stream Control Transmission Protocol (SCTP) load balancing. The addition of SCTP enables new mobile, telephony, and multimedia use cases for Octavia.
  • Load balancers using the amphora provider will benefit from increased performance and scalability when using amphora images built with version 2.x of the HAProxy load balancing engine.
  • Amphora instances are now supported on AArch64/ARM64 based instances.

plancement

• ussuri
  • Python 2.7 support has been dropped. The minimum version of Python now supported by placement is Python 3.6.
• wallaby
  • The default policies provided by placement have been updated to add support for read-only roles. This is part of a broader community effort to support read-only roles and implement secure, consistent default policies. Refer to the Keystone documentation for more information on the reason for these changes.