- OpenStack-announce - lists.openstack.org

[all][elections][tc] 2024.2 Dalmatian Technical Committee Election Results
by Ian Y. Choi 04 Apr '24

04 Apr '24

Please join me in congratulating the 5 newly elected members of the Technical Committe (TC). Amy Marrich (spotz) Goutham Pacha Ravi (gouthamr) Dmitriy Rabotyagov (noonedeadpunk) Artem Goncharov (gtema) (replacing Sylvain Bauza - bauzas as per the TC resolution) [1] Slawek Kaplonski (slaweq) Full results: https://civs1.civs.us/cgi-bin/results.pl?id=E_f8044ce7af316bf3 Election process details and results are also available here: https://governance.openstack.org/election/ Note that we encountered a situation where not all members as elected could be seated which requires TC resolution. More details on the resolution are explained in [1], and thank you all for the understanding and support in resolving this matter. Thank you to all of the candidates, having a good group of candidates helps engage the community in our democratic process. Thank you to all who voted and who encouraged others to vote. We need to ensure your voice is heard. Thank you for another great round. [1] https://governance.openstack.org/tc/resolutions/20240322-adjudication-of-20…

1 0

OpenStack 2024.1 Caracal is officially released!
by Elõd Illés 03 Apr '24

03 Apr '24

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack 2024.1 Caracal, which conclude the 2024.1 Caracal development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/caracal/ Congratulations to all of the teams who have contributed to this release! Our next production cycle, 2024.2 Dalmatian, has already started. We will meet at the virtual Project Team Gathering, April 8-12, 2024, to plan the work for the upcoming cycle. I hope to see you there! Thanks, Előd Illés on behalf of the OpenStack Release Management team

1 0

[all][elections][ptl] 2024.2 Dalmatian: PTL Election Conclusion & Results
by Ian Y. Choi 24 Mar '24

24 Mar '24

Thank you to the electorate, to all those who voted and to all candidates who put their name forward for Project Team Lead (PTL) in this election. A healthy, open process breeds trust in our decision making capability. Thank you to all those who make this process possible. Now for the results of the PTL election process, please join me in extending congratulations to the following PTLs: * Adjutant - Dale Smith (dalees) * Barbican - Grzegorz Grasza (xek) * Blazar - Pierre Riteau (priteau) * Cinder - Jon Bernard () * Cloudkitty - Rafael Weingartner () * Cyborg - alex song (songwenping) * Designate - Michael Johnson (johnsom) * Glance - Pranali Deore (pdeore) * Heat - Takashi Kajinami (tkajinam) * Horizon - Tatiana Ovchinnikova (tmazur) * Ironic - Riccardo Pittau (rpittau) * Keystone - Dave Wilde (d34dh0r53) * Kolla - Michal Nasiadka (mnasiadka) * Magnum - Jake Yip (jakeyip) * Manila - Carlos Silva (carloss) * Masakari - sam sue () * Mistral - axel vanzaghi () * Monasca - Hasan Acar () * Neutron - Brian Haley (haleyb) * Nova - Sylvain Bauza (bauzas) * Octavia - Gregory Thiemonge (gthiemonge) * OpenStack Helm - Vladimir Kozhukalov (kozhukalov) * OpenStackAnsible - Dmitriy Rabotyagov (noonedeadpunk) * OpenStackSDK - Artem Goncharov (gtema) * Puppet OpenStack - Takashi Kajinami (tkajinam) * Quality Assurance - Martin Kopec (kopecmartin) * Rally - Andrey Kurilin (andreykurilin) * Storlets - Takashi Kajinami (tkajinam) * Sunbeam - Hemanth Nakkina () * Swift - Tim Burke (timburke) * Tacker - Yasufumi Ogawa (yasufum) * Telemetry - Erno Kuvaja (jokke_) * Venus - Eric Zhang () * Vitrage - Dmitriy Rabotyagov (noonedeadpunk) * Zaqar - Hao Wang (wanghao) * Zun - Hongbin Lu () Elections: no election required. For remaining projects (without PTL candidates), TC will work on the appointment. Election process details and results are also available here: https://governance.openstack.org/election/ Thank you to all involved in the PTL election process, Ian Y. Choi, on behalf of the OpenStack Technical Election Officials

1 0

OSSN-0093: Unresolved Vulnerability in OpenStack Murano
by Jeremy Stanley 14 Mar '24

14 Mar '24

OSSN-0093 Unresolved Vulnerability in OpenStack Murano ### Summary ### A severe security vulnerability in all versions of the Murano service will be disclosed at a later date. Murano is an inactive project[*], so no fix is currently under development for this vulnerability. It is strongly recommended that any OpenStack deployments disable or fully remove Murano, if installed, at the earliest opportunity. This security note will be amended at the time of public disclosure to include further details and context, but action should be taken as soon as possible in order to minimize the risk it poses. [*] https://governance.openstack.org/tc/reference/emerging-technology-and-inact… ### Affected Services / Software ### - murano: all versions ### Discussion ### This security note is a redacted placeholder, and will be amended with complete details once the associated bug report becomes public. ### Recommended Actions ### Disable the Murano service in, or fully remove it from, all OpenStack deployments at the earliest opportunity. ### Credits ### Not yet disclosed. ### Contacts / References ### Authors: - Jeremy Stanley, OpenStack Vulnerability Coordinator This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0093 Original bug: https://launchpad.net/bugs/2048114 (not yet public) Mailing List : [security-sig] openstack-discuss(a)lists.openstack.org -- Jeremy Stanley, OpenStack Vulnerability Coordinator

1 1

OpenStack 2023.2 Bobcat is officially released!
by Herve Beraud 04 Oct '23

04 Oct '23

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack 2023.2 Bobcat, which conclude the Bobcat development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/ <https://releases.openstack.org/bobcat/> bobcat <https://releases.openstack.org/bobcat/>/ <https://releases.openstack.org/bobcat/> Congratulations to all of the teams who have contributed to this release! Our next production cycle, 2024.1 Caracal, has already started. We will meet remotely, from October 23-27, 2023, at the Project Team Gathering to plan the work for the upcoming cycle. I hope to see you there! Thanks, -- Hervé Beraud Senior Software Engineer at Red Hat irc: hberaud https://github.com/4383/

1 0

[all][elections][ptl] Project Team Lead Election Conclusion and Results
by Tony Breeds 21 Sep '23

21 Sep '23

Thank you to the electorate, to all those who voted and to all candidates who put their name forward for Project Team Lead (PTL) in this election. A healthy, open process breeds trust in our decision making capability thank you to all those who make this process possible. Now for the results of the PTL election process, please join me in extending congratulations to the following PTLs: * Adjutant : Dale Smith * Barbican : Grzegorz Grasza * Blazar : Pierre Riteau * Cinder : Rajat Dhasmana * Cloudkitty : Rafael Weingartner * Designate : Michael Johnson * Freezer : ge cong * Glance : Pranali Deore * Heat : Takashi Kajinami * Horizon : Vishal Manchanda * Ironic : Jay Faulkner * Keystone : Dave Wilde * Kolla : Michal Nasiadka * Kuryr : Roman Dobosz * Magnum : Jake Yip * Manila : Carlos Silva * Masakari : sam sue * Murano : Rong Zhu * Neutron : Brian Haley * Nova : Sylvain Bauza * Octavia : Gregory Thiemonge * OpenStack Charms : Felipe Reyes * OpenStack Helm : Vladimir Kozhukalov * OpenStackAnsible : Dmitriy Rabotyagov * OpenStackSDK : Artem Goncharov * Puppet OpenStack : Takashi Kajinami * Quality Assurance : Martin Kopec * Solum : Rong Zhu * Storlets : Takashi Kajinami * Swift : Tim Burke * Tacker : Yasufumi Ogawa * Telemetry : Erno Kuvaja * Vitrage : Dmitriy Rabotyagov * Watcher : chen ke * Zaqar : Hao Wang * Zun : Hongbin Lu Elections: * OpenStack_Helm: https://civs1.civs.us/cgi-bin/results.pl?id=E_3cf498bb10adc5b8 Election process details and results are also available here: https://governance.openstack.org/election/ Thank you to all involved in the PTL election process, Yours Tony.

1 0

[all][elections][tc] Technical Committee Election Results
by Tony Breeds 21 Sep '23

21 Sep '23

Please join me in congratulating the 4 newly elected members of the Technical Committe (TC). Dan Smith (dansmith) Jens Harbott (frickler) Ghanshyam Mann (gmann) Jay Faulkner (JayF) Full results: https://civs1.civs.us/cgi-bin/results.pl?id=E_36ebf2eba022aded Election process details and results are also available here: https://governance.openstack.org/election/ Thank you to all of the candidates, having a good group of candidates helps engage the community in our democratic process. Thank you to all who voted and who encouraged others to vote. We need to ensure your voice is heard. Thank you for another great round. Yours Tony.

1 0

[OSSA-2023-003] cinder, glance_store, nova, os-brick: Unauthorized volume access through deleted volume attachments (CVE-2023-2088)
by Jeremy Stanley 10 May '23

10 May '23

============================================================================ OSSA-2023-003: Unauthorized volume access through deleted volume attachments ============================================================================ :Date: May 10, 2023 :CVE: CVE-2023-2088 Affects ~~~~~~~ - Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0 - Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1 - Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0 - Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2 Description ~~~~~~~~~~~ An unauthorized access to a volume could occur when an iSCSI or FC connection from a host is severed due to a volume being unmapped on the storage system and the device is later reused for another volume on the same host. **Scope:** Only deployments with iSCSI or FC volumes are affected. However, the fix for this issue includes a configuration change in Nova and Cinder that may impact you on your next upgrade regardless of what backend storage technology you use. See the *Configuration change* section below, and item 4(B) in the *Patches and Associated Deployment Changes* for details. This data leak can be triggered by two different situations. **Accidental case:** If there is a problem with network connectivity during a normal detach operation, OpenStack may fail to clean the situation up properly. Instead of force-detaching the compute node device, Nova ignores the error, assuming the instance has already been deleted. Due to this incomplete operation OpenStack may end up selecting the wrong multipath device when connecting another volume to an instance. **Intentional case:** A regular user can create an instance with a volume, and then delete the volume attachment directly in Cinder, which neglects to notify Nova. The compute node SCSI plumbing (over iSCSI/FC) will continue trying to connect to the original host/port/LUN, not knowing the attachment has been deleted. If a subsequent volume attachment re-uses the host/port/LUN for a different instance and volume, the original instance will gain access to it once the SCSI plumbing reconnects. Configuration Change -------------------- To prevent the intentional case, the Block Storage API provided by Cinder must only accept attachment delete requests from Nova for instance-attached volumes. A complicating factor is that Nova deletes an attachment by making a call to the Block Storage API on behalf of the user (that is, by passing the user's token), which makes the request indistinguishable from the user making this request directly. The solution is to have Nova include a service token along with the user's token so that Cinder can determine that the detach request is coming from Nova. The ability for Nova to pass a service token has been supported since Ocata, but has not been required until now. Thus, deployments that are not currently sending service user credentials from Nova will need to apply the relevant code changes and also make configuration changes to solve the problem. Patches and Associated Deployment Changes ----------------------------------------- Given the above analysis, a thorough fix must include the following elements: 1. The os-brick library must implement the ``force`` option for fibre channel, which which has only been available for iSCSI until now (covered by the linked patches). 2. Nova must call os-brick with the ``force`` option when disconnecting volumes from deleted instances (covered by the linked patches). 3. In deployments where Glance uses the cinder glance_store driver, glance must call os-brick with the ``force`` option when disconnecting volumes (covered by the linked patches). 4. Cinder must distinguish between safe and unsafe attachment delete requests and reject the unsafe ones. This part of the fix has two components: a. The Block Storage API will return a 409 (Conflict) for a request to delete an attachment if there is an instance currently using the attachment, **unless** the request is being made by a service (for example, Nova) on behalf of a user (covered by the linked patches). b. In order to recognize that a request is being made by a service on behalf of a user, Nova must be configured to send a service token along with the user token. If this configuration change is not made, the cinder change will reject **any** request to delete an attachment associated with a volume that is attached to an instance. Nova must be configured to send a service token to Cinder, and Cinder must be configured to accept service tokens. This is described in the following document and **IS NOT AUTOMATICALLY APPLIED BY THE LINKED PATCHES:** (Using service tokens to prevent long-running job failures) https://docs.openstack.org/cinder/latest/configuration/block-storage/servic… The Nova patch mentioned in step 2 includes a similar document more focused on Nova: doc/source/admin/configuration/service-user-token.rst 5. The cinder glance_store driver does not attach volumes to instances; instead, it attaches volumes directly to the Glance node. Thus, the Cinder change in step 4 will recognize an attachment-delete request coming from Glance as safe and allow it. (Of course, we expect that you will have applied the patches in steps 1 and 3 to your Glance nodes.) Errata ~~~~~~ An additional nova patch is required to fix a minor regression in periodic tasks and some nova-manage actions (errata 1). Also a patch to tempest is needed to account for behavior changes with fixes in place (errata 2). Patches ~~~~~~~ - https://review.opendev.org/882836 (2023.1/antelope cinder) - https://review.opendev.org/882851 (2023.1/antelope glance_store) - https://review.opendev.org/882858 (2023.1/antelope nova) - https://review.opendev.org/882859 (2023.1/antelope nova errata 1) - https://review.opendev.org/882843 (2023.1/antelope os-brick) - https://review.opendev.org/882835 (2023.2/bobcat cinder) - https://review.opendev.org/882834 (2023.2/bobcat glance_store) - https://review.opendev.org/882847 (2023.2/bobcat nova) - https://review.opendev.org/882852 (2023.2/bobcat nova errata 1) - https://review.opendev.org/882840 (2023.2/bobcat os-brick) - https://review.opendev.org/882876 (2023.2/bobcat tempest errata 2) - https://review.opendev.org/882869 (Wallaby nova) - https://review.opendev.org/882870 (Wallaby nova errata 1) - https://review.opendev.org/882839 (Xena cinder) - https://review.opendev.org/882855 (Xena glance_store) - https://review.opendev.org/882867 (Xena nova) - https://review.opendev.org/882868 (Xena nova errata 1) - https://review.opendev.org/882848 (Xena os-brick) - https://review.opendev.org/882838 (Yoga cinder) - https://review.opendev.org/882854 (Yoga glance_store) - https://review.opendev.org/882863 (Yoga nova) - https://review.opendev.org/882864 (Yoga nova errata 1) - https://review.opendev.org/882846 (Yoga os-brick) - https://review.opendev.org/882837 (Zed cinder) - https://review.opendev.org/882853 (Zed glance_store) - https://review.opendev.org/882860 (Zed nova) - https://review.opendev.org/882861 (Zed nova errata 1) - https://review.opendev.org/882844 (Zed os-brick) Credits ~~~~~~~ - Jan Wasilewski from Atman (CVE-2023-2088) - Gorka Eguileor from Red Hat (CVE-2023-2088) References ~~~~~~~~~~ - https://launchpad.net/bugs/2004555 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2088 Notes ~~~~~ - Limited Protection Against Accidents... If you are only concerned with protecting against the accidental case described earlier in this document, steps 1-3 above should be sufficient. Note, however, that only applying steps 1-3 leaves your cloud wide open to the intentional exploitation of this vulnerability. Therefore, we recommend that the full fix be applied to all deployments. - Using Configuration as a Short-Term Mitigation... An alternative approach to mitigation can be found in OSSN-0092 https://wiki.openstack.org/wiki/OSSN/OSSN-0092 - The stable/xena and stable/wallaby branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy where available. OSSA History ~~~~~~~~~~~~ - 2023-05-10 - Errata 2 - 2023-05-10 - Errata 1 - 2023-05-10 - Original Version -- Jeremy Stanley OpenStack Vulnerability Management Team

1 0

Re: [openstack-announce] [ptl][tc][winstackers] Final call for Winstackers PTL and maintainers
by Ghanshyam Mann 13 Apr '23

13 Apr '23

Thanks, James for describing the Winstacjers project (Window support in OpenStack) situation. I am forwarding it to openstack-announce ML also for a wider audience. Ref: https://lists.openstack.org/pipermail/openstack-discuss/2023-April/033342.h… -gmann ---- On Thu, 13 Apr 2023 07:54:12 -0700 James Page wrote --- > Hi All > > As announced by Lucian last November (see [0]) Cloudbase Solutions are no longer in a position to maintain support for running OpenStack on Windows and have also ceased operation of their 3rd party CI for the windows support across a number of OpenStack projects. > This situation has resulted in the Winstackers project becoming PTL-less for the 2023.2 cycle with no volunteers responding to the TC's call to fill this role and take this feature in OpenStack forward (see [1]). > This is the final call for any maintainers to step forward if this feature is important to them in OpenStack. > The last user survey in 2022 indicated that 2% of respondents were running on Hyper-V so this might be important enough to warrant a commitment from someone operating OpenStack on Windows to maintain these features going forward. > Here is a reminder from Lucian's original email on the full list of projects which are impacted in some way: * nova hyper-v driver - in-tree plus out-of-tree compute-hyperv driver* os-win - common Windows library for Openstack* neutron hyperv ml2 plugin and agent* ovs on Windows and neutron ovs agent support* cinder drivers - SMB and Windows iSCSI* os-brick Windows connectors - iSCSI, FC, SMB, RBD* ceilometer Windows poller* manila Windows driver* glance Windows support* freerdp gateway > The lack of 3rd party CI for testing all of this really needs to be addressed as well. > If no maintainers are forthcoming between now and the next PTG in June the TC will need to officially retire the project and start the process of removing support for Windows across the various projects that support this operating system in some way - either directly or through the use of os-win. > For clarity this call refers to the use of the Hyper-V virtualisation driver and associated Windows server components to provide WIndows based OpenStack Hypervisors and does not relate to the ability to run Windows images as guests on OpenStack. > Regards > James > [0] https://lists.openstack.org/pipermail/openstack-discuss/2022-November/03104… https://lists.openstack.org/pipermail/openstack-discuss/2023-March/032888.h…

1 0

[all][tc][vitrage] Final call for Vitrage project maintainers
by Ghanshyam Mann 13 Apr '23

13 Apr '23

Hello Everyone, You might have noticed that the Vitrage project is leaderless in this cycle[1]. Eyal, who was the previous PTL and the only maintainer of this project for more than two years[2], will not be able to continue in this project[3]. We thank and appreciate all previous maintainers' work on this project. This is the final call for maintainers. If anyone is using or interested in this project, this is the right time to step up and let us know in this email or IRC(OFTC) #openstack-tc channel. If there is no response by the end of April 2023, we will discuss the retirement of this project. [1] https://etherpad.opendev.org/p/2023.2-leaderless [2] https://www.stackalytics.io/?module=vitrage-group&release=wallaby [3] https://lists.openstack.org/pipermail/openstack-discuss/2023-April/033333.h… -gmann

1 0