January 2026 - openstack-discuss - lists.openstack.org

[openstack][share]Openstack Workload Balancer
by Nguyễn Hữu Khôi 18 Jan '26

18 Jan '26

Hello, I have a script to make Openstack workload balance(CPU and RAM). I would like to share it. This script is not perfect but I hope it will be useful for you. https://github.com/nguyenhuukhoi/OpenstackWBalancer Nguyen Huu Khoi

1 0

[CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797)
by Jeremy Stanley 16 Jan '26

16 Jan '26

==================================================================== OSSA-2026-001: Privilege Escalation via Identity Headers in External OAuth2 Tokens ==================================================================== :Date: January 15, 2026 :CVE: CVE-2026-22797 Affects ~~~~~~~ - Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1 Description ~~~~~~~~~~~ Grzegorz Grasza with Red Hat reported a vulnerability in the external_oauth2_token middleware for keystonemiddleware. This middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. Patches ~~~~~~~ - https://review.opendev.org/973499 (2024.1/caracal) - https://review.opendev.org/973497 (2024.2/dalmatian) - https://review.opendev.org/973496 (2025.1/epoxy) - https://review.opendev.org/973495 (2025.2/flamingo) - https://review.opendev.org/973494 (2026.1/gazpacho) Credits ~~~~~~~ - Grzegorz Grasza from Red Hat (CVE-2026-22797) References ~~~~~~~~~~ - https://launchpad.net/bugs/2129018 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22797 Notes ~~~~~ - The unmaintained/2024.1 branches will receive no new point releases, but patches for them are provided as a courtesy. - This bug was possible because the middleware only conditionally set certain headers (e.g., X-Is-Admin-Project was only set when the token had admin privileges), leaving spoofed values intact when conditions were not met. - The fix adds a call to remove_auth_headers() at the start of request processing to sanitize all incoming identity headers, matching the behavior of the main auth_token middleware. - The external_oauth2_token middleware was introduced in keystonemiddleware 10.0.0. -- Jeremy Stanley OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html

2 2

Proposed 2026.2 "Hibiscus" release schedule
by Thierry Carrez 16 Jan '26

16 Jan '26

Hi everyone, Here is the proposed schedule for the 2026.2 "Hibiscus" release: https://review.opendev.org/c/openstack/releases/+/973377 For easier review, you can access the HTML rendering at: https://92fe49c75c4839534367-ca89416a8fe69de9445ee46610790deb.ssl.cf5.rackc… It's a 26-week-long cycle that places final release on Sep 30, 2026. Please comment on the review if you have objections to this or would like to make a case for targeting another week for the 2026.2 release. Thanks! -- Thierry Carrez (ttx)

1 0

[nova] does resize work with swap & no-swap flavor combo for image-backed server having vol attached
by tomergaurav1031＠gmail.com 16 Jan '26

16 Jan '26

Hi Team, I’ve encountered resize causing issues if source flavor has swap-disabled and target flavor have it enabled or vice-versa. It results into duplicate vdb error. Following are the steps:- 1 Create an image-backed(no volume attached) instance with flavor having swap disabled. 2 Create a volume and attach it with the instance (e.g. get attached at /dev/vdb). 3 Resize it to a bigger flavor which has swap & ephemeral enabled. 4 It results into error complaining about duplicate vdb:- libvirt.libvirtError: XML error: target 'vdb' duplicated for disk sources '/var/lib/nova/instances/1860acb4-012f-4528-b2ef-XXXXX/disk.swap' Should one not do resize with swap & no-swap flavor combo? Please provide thoughts/suggestions for the same. Thanks, Gaurav

3 4

[nova] [kolla-ansible ]help with nova image-cache cleaning interval
by garcetto 16 Jan '26

16 Jan '26

good morning, using kolla-ansible and trying to lower nova image-cache cleaning interval. I setup this value, but seems doing nothing despite the vms are deleted by far more than 600 secs, any help? where is a log of it? nano /etc/kolla/config/nova.conf " [image_cache] image_cache_manager_interval=600 remove_unused_base_images=true remove_unused_original_minimum_age_seconds=600 remove_unused_resized_minimum_age_seconds=600 " kolla-ansible -i multinode reconfigure --tags=nova thank you.

1 0

[neutron][ovn-bgp-agent] ovs bridges down causes error when configuring route table
by anas.jouhdy＠gmail.com 15 Jan '26

15 Jan '26

Hi, I am trying to use the OVN BGP agent (nb_ovn_bgp_driver with the exposing method underlay) and I would like to share a difficulty that I found, it might be related to the specific deployment that I have using Kayobe. I find that by default my openvswitch bridges appear to be down when I list them with "ip link". From what I saw in some forums this is a normal behaviour. The thing is that the OVN BGP agent uses ip link, for example here [1], to add route to a table link to these bridges and if there are down, this raise an error(pyroute2.netlink.exceptions.NetlinkError: (100, 'Network is down')). When I set the bridge state UP with "ip link" it solves the issue but this solution is not reboot persistent. Is it really a normal behaviour to have the openvswitch bridges down or is it a problem that I need to investigate on my configuration ? If this is a normal behaviour, anyone found a workaround that could be resilient in production (that is reboot persistent) ? Do not hesitate if you need more information on my configuration ! [1]: https://opendev.org/openstack/ovn-bgp-agent/src/branch/master/ovn_bgp_agent…

2 1

[cinder] festival of reviews friday 2026-01-16
by Brian Rosmaita 14 Jan '26

14 Jan '26

Hello Argonauts, This is a reminder that the twice-monthly Cinder Festival of Reviews will be held at the end of this week on Friday 16 January. who: Everyone! what: The Cinder Festival of Reviews when: Friday 16 January 2026 from 1400-1600 UTC where: videoconf info on the etherpad etherpad: https://etherpad.opendev.org/p/cinder-festival-of-reviews This recurring meeting, that happens on the first and third Friday of each month, can be placed on your calendar by using this handy ICS file: https://meetings.opendev.org/calendars/cinder-festival-of-reviews.ics See you there!

1 0

Upcoming metrics dashboard changes
by Ildiko Vancsa 14 Jan '26

14 Jan '26

Hi OpenStack community, Since the OpenInfra Foundation joined the Linux Foundation, we have been looking into opportunities to take advantage of the frameworks and tool sets that the Linux Foundation has, and some of you and your organizations are already familiar with. While the dashboards are still being built I would like to let you know that, as part of that effort, we will switch to LFX Insights[1] as the metrics dashboard for OpenInfra projects, including OpenStack, starting on __January 15, 2026.__ A couple things to note: - The new OpenStack metrics dashboard[2] is already available, but it is __still under active construction.__ - The set of metrics that is displayed on the new dashboard will not be identical with the metrics on the dashboard provided by Bitergia. - LFX Insights does not display affiliation information for individuals who are listed on the dashboard as contributors, for privacy reasons. However, if you already have an LF account[3], you will be able to check and update your affiliation information. Or, you can create a new LF account[4]. - You can learn more about the dashboard in the LFX Insights documentation[5]. - If your organization is an OpenInfra Foundation / Linux Foundation member already, the LF Organization Dashboard[6] is also available for a more company-centric view. The OpenStack Bitergia metrics dashboard[7] remains available __until January 14, 2026.__ Please let me know if you have any questions. Best Regards, Ildikö [1] https://insights.linuxfoundation.org/ [2] https://insights.linuxfoundation.org/project/OpenStack/ [3] https://openprofile.dev/ [4] https://docs.linuxfoundation.org/lfx/sso/create-an-account [5] https://insights.linuxfoundation.org/docs/introduction/what-is-insights/ [6] https://lfx.linuxfoundation.org/tools/organization-dashboard/ [7] https://openstack.biterg.io/ ——— Ildikó Váncsa Director of Community OpenInfra Foundation

4 7

[dev][ops][tc] Taking OpenStack to the Next Level in 2026
by Jeremy Stanley 13 Jan '26

13 Jan '26

At the informal OpenInfra Governing Board get-together in France immediately before the Summit, directors talked about how they might "drive projects to the next level." In a follow-up thread on the public board mailing listi[*], Julia posited: > If we perform a risk assessment ourselves, what social and > technical aspects would come to mind? How can we move those items > forward? This was delegated to the foundation staff, whose executive management chose it as one of our three goals[**] for 2026: "Elevate OpenInfra projects to their next level" To this end, community managers and other staff have collaborated to draft areas of focus for ourselves with associated success measurements relevant to each OpenInfra Project. In the case of OpenStack, this is what we came up with: "Lowering the barriers to participate in OpenStack through clear and visible avenues and forums to get involved and collaborate, increased reviewer bandwidth and efficiency, and simplified user survey." The idea is that the foundation staff, through a multi-pronged approach, can coordinate a number of initiatives we've got underway for the year such as closer collaboration between operator-oriented groups and SIGs, continuation of the Bridging the Gap effort, planned improvements to www.openstack.org content, and giving the User Survey a much needed tune-up. Efficacy will be determined in various ways including impact on code review response times, sharing/adoption of more efficient communication behaviors across teams, cross-pollination in operator activities, increased feedback from surveys, and more effective reliance on relevant sections of the website. I'm bringing this draft plan to the mailing list to solicit community feedback, in preparation for an upcoming presentation to the board of directors. Keep in mind that the point of this exercise is to better use my time and the time of my colleagues on the staff of the OpenInfra Foundation in service of OpenStack, not to make more work for leaders and project maintainers nor to set technical direction as that's not our place. I just want to make sure that this plan is sensible and doesn't conflict with community expectations, while putting our limited resources into the right activities. If anyone has concerns or improvements to suggest please feel free to follow up in this thread or voice them to me directly (ideally over the coming week), or to your representatives on the OpenInfra Governing Board (who will be the ones to ultimately approve what we come up with). As always, thanks for everything you do in the name of OpenStack! [*] https://lists.openinfra.org/archives/list/foundation-board@lists.openinfra.… [**] https://lists.openinfra.org/archives/list/foundation@lists.openinfra.org/th… -- Jeremy Stanley

1 0

[openstack-ansible] : Galera DB backup on Epoxy release
by keshav bareja 13 Jan '26

13 Jan '26

Hi Team We have recently upgraded to the Openstack-ansible Epoxy [2025.1] release. In this release Galera mariadb is upgraded to MariaDB 11.4.8. We have a daily DB backup crontab setup for the backup and before the Epoxy release we were using the below command to take the backup and now it doesn't work anymore. mysqldump --opt --all-databases > "openstack_$(date +'%Y-%m-%d_%H-%M-%S').sql" Can you please recommend the way to take the Galera DB backup now? I can see the command mariadb-dump, can we use the options below? mariadb-dump \ --all-databases \ --single-transaction \ --quick \ --skip-lock-tables \ --skip-add-locks \ --routines \ --events \ --triggers \ > "openstack_$(date +'%Y-%m-%d_%H-%M-%S').sql" Regards Keshav

2 3