- openstack-discuss - lists.openstack.org

[neutron] Drivers meeting canceled Friday, November 14th
by Brian Haley 13 Nov '25

13 Nov '25

Hello Neutrinos: I am going to cancel tomorrow's Drivers meeting as I will be out. Just a reminder that our open spec list at [0]. Have a nice weekend! -Brian [0] https://review.opendev.org/q/status:open+project:openstack/neutron-specs

1 0

[OpenStack Ansible] [Deployment] Networking design issue
by holywine＠outlook.com 12 Nov '25

12 Nov '25

Hello, [Following up a previous unfinished case/task with an enhanced network] I am trying to build a minimum usable production-level cloud with OpenStack Ansible following online reference. (https://docs.openstack.org/project-deploy-guide/openstack-ansible/2025.1/) openstack-ansible version: stable/2025.1 4 servers as target hosts, all with Ubuntu 24.04LTS. Each server has two Ethernet ports enp11s0f0, enp11s0f1. All servers’ enp11s0f1 ports has a fixed public IP (10.2.46.XX/24) and has access to Internet. All servers’ enp11s0f0 ports are intended to be used for OpenStack traffic. They are assigned IP range in 172.29.XX.XX for internal use. The idea of design: 1) Infra1: Controller 1 + networking 1 2) Infra2: Controller 2 + networking 2 3) Compute 1: Compute 1 + networking 3 + storage 1 4) Compute 2: Compute 2 + networking 4 + storage 2 Reference: The network topology and the deployment configuration (including user_variables.yml and openstack_user_config.yml) for a trial run can be found: https://github.com/holywi/git-tutorial/tree/master While, with this setting the deployment always failed by reporting errors seems to be related to HAproxy. I am wondering it is related to network design and services assignment. It would be grateful if anyone can provide some comments, suggestions or some common practices for the similar case. Some questions have popped up in my mind: 1) Does it make sense to make each host to access Internet on its own? It seems possible since each server has dedicated port and Openstack can support local routers? If not, how can these servers access Internet? 2) Is it good to make all 4 hosts the HAproxy server? 3) If using an FQDN for internal_lb_vip_address (it seems to be the case in the reference config) where the DNS server is located and how to make it happen? I don't see any setting which is related to DNS and DHCP which seems to be useful as well. Highly appreciate for any feedback as a new comer for Openstack.

1 0

OpenStack Student Engagement, University Partnerships, & Mentors
by Kendall Nelson 12 Nov '25

12 Nov '25

Hello Everyone, You might have noticed a non zero number of my emails to the mailing list have to do with the University Partnership Program <https://openinfra.org/university-partnership-program/> and engaging with universities to get students involved in OpenStack (and generally open source). Usually these emails are per university/opportunity which is rather inefficient and all too often I end up being a bottleneck in the process. At the PTG, during one of the Technical Committee sessions I shared an etherpad <https://etherpad.opendev.org/p/UPP-Projects%26Mentors> that I am hoping to utilize to smooth the whole process. The intent is to collect possible projects up front that I can share with professors as they reach out to me. I take responsibility for regularly auditing the project list so it doesn't become stale. Potentially this collection + audit could be a PTG session at future PTGs, but that doesn't have to be decided now. You will notice in the etherpad, that I also have a place for just collecting folks interested in being mentors. If you don't currently have an idea for a project, but are interested in mentoring, please add your name to that section. This list will also get regularly refreshed, but I am thinking on a yearly basis instead of twice a year - that said, nothing is stopping you from adding or removing your name in between those audits. I am 100% open to feedback on this, but it will hopefully allow more folks interested in participating in the University Partnership program and help smooth out the process for involvement. If you want to get involved either as a mentor or with a specific project proposal for students, please add to the etherpad ASAP <https://etherpad.opendev.org/p/UPP-Projects%26Mentors>! I expect a round of professors reaching out in the next month for students starting their terms in early January (usually running through late May). Please let me know if you have any other questions I might have missed. And thank you to everyone that made it through this lengthy email :) -Kendall

1 0

[all][keystone] Keystone PTG summary
by Artem Goncharov 12 Nov '25

12 Nov '25

Hey guys Let us give you an update of the OpenStack Keystone future following the great PTG week we just had. Some news has already spread across the community, causing excitement and anxiety. It is not uncommon that changes cause fear. Some time ago, in the age of the Inquisition, people were even burned because of fear, misunderstanding, or questioning the rules. Let us clarify things. Nearly 13 years ago, the Identity v3 API was introduced. Since then, the world has changed dramatically. Libraries we use got abandoned, standards went legacy and replaced with new ones, ecosystem components, certain functionality is based upon are being sunsetted by OS vendors (mod_auth_mellon is archived upstream and gone in CentOS and RHEL [6]), new security vulnerabilities (classes of vulnerabilities) appear like mushrooms without us being able to address them. Cloud providers today face new challenges that were not present 10-15 years ago. Nowadays, a public cloud requires proper federation support with complete self-service. Users request passkey support, and security departments require additional hardening. These things cannot be covered in today's Keystone architecture and API version. As a result, work on an optional extension to Keystone [1] began some time ago, allowing CSPs to deploy it in parallel with the Python Keystone (of any v3 version) and access the new features. To simplify parallel deployment, it has been decided to start introducing v4 with the new features (since those ARE for cloud end-users). The work was done in Rust due to multiple factors: lack of necessary python libraries with trustable maintenance and/or licensing, necessity for enforcing security standards and practices using memory safe programming language, demand to address python ecosystem madness of past years (I guess majority would agree, that in the past few years we were mostly only chasing the python ecosystem breaking us on setuptools, eventlet, passlib, …). During the work, it became clear that implementing the mentioned features requires support of a given percentage of the existing functionality: users, groups, projects, roles, and tokens. And so it was implemented. A side effect of it became immediately visible: performance. Token check is THE most frequently called API in the OpenStack cloud. Right now, caching is used to reduce system stress. But in Rust, token decryption, without caching, is much faster than in python with caching (we expect a 2-3x faster order of magnitude). As mentioned above, new vulnerability classes and attack vectors require us to disable caching, making such an improvement highly valuable. The new stack is fully async, uses parallel DB queries, and runs background tasks for periodic cleanups, synchronization, and similar. This allows us to achieve significant performance and maintainability improvements, eliminate the old ballast, and significantly reduce transitive dependency version conflicts. Current measurements also indicate that we would likely be able to eliminate the need for caching in Keystone. For python, on the other hand, we do not have much to start with and would need to find and migrate to the new web framework, find maintained libraries with suitable licenses, and implement new features. We also need to rework the DB access patterns due to the number of bugs and the performance penalty caused by suboptimal DB access (many rows are selected multiple times during processing of a single request). With new authentication flows, we would need to do a wide security assessment of Keystone from scratch anyway. With that work in mind and facing the prospect of having a major rework in python Keystone anyway (due to the abandoned complex dependencies), we, as the Keystone team, decided to try to focus the work on the Rust implementation, making it a proper evolution of the python Keystone and building a necessary community around it. This adoption is conditional on adding new contributors to support the project. We believe this approach allows the best of both worlds: the trusted maturity of Keystone’s Python code-base, combined with the modern, high-safety, high-performance capabilities of Rust where they matter most. Logically, this raises questions, so let's try to answer some of them: 1. Rust is not officially allowed in OpenStack. How are you dealing with that - The development is now going on on GitHub outside of OpenStack governance. - We would apply for OpenStack universe inclusion. - Once the TC policy allows Rust or the overall project inclusion requirement is reworked, the project will work toward becoming the official OpenStack project. - No one in the team is willing to separate from OpenStack, but with the current policies, we have no other way. Everybody and everything in the OpenStack ecosystem would benefit from that project being official to have first-class native support of the new functionality. - Multiple CSPs expressed support for such a move, desiring to see Rust in the ecosystem for better performance, maintainability, and resource utilization - A nice coincidence is a freshly sent announcement from Debian that introduces a strong rust dependency in the packaging tooling, stating something similar to: either you work to comply with this requirement in the next 6 months or sunset the port [5]. - Rust allows cross-integration with python with a high number of cryptography and typing libraries for python written directly in Rust. We are going to be able to reuse certain pieces of python in Rust during porting and Rust in python later in the future. - Keystone is a very sensitive component and in our eyes that fully justifies use of rust to provide a much stronger security on the language level. 2. Do you deprecate python Keystone. - No - v3 is there, and we continue maintaining it - We would unlikely accept major changes - Keystonemiddleware, keystoneauth, etc, are still there. They would likely be adopted for v4 support at some point in the future (in OpenStack services, we already communicate with “external” software, so there should be no problem). Those libraries are crucial for other services and thus are there to stay while necessary. - At some point, we will no longer be able to keep it alive when abandoned dependencies are physically gone. We are not going to invest our time in maintaining the abandoned software; we do not have enough time to do so. 3. What is the community around it? - As of now, there are provisional commitments from a few vendors and CSPs to collaborate on it. - Existing software is being transferred under the openstack-experimental organization to help build the community [3]. -The initial author (gtema) personally commits to continue working on that independently of others. 4. What are the /v3 features that would go away? - OIDC federation in its current form. v4 reimplements it from scratch natively without depending on external software (mod_auth_oidc, etc) since those make self-service impossible. - Saml2, this is a legacy protocol that is very unlikely to even get fixes for security vulnerabilities, and looks to be PQC unsafe. - Oauth1. 5. What new features are there in v4? - OIDC with self-service and CLI integration - Workload federation (Zuul, GitHub, Gitlab do not need to have secrets to access OpenStack anymore) - Service accounts (many use cases, one of the prominent ones: OpenStack on Kubernetes, GitHub workflow) - Passkeys (webauthn) - SCIM - Tight Open Policy Agent integration. We plan to consider the reintroduction of central policy storage in Keystone (not enforcing, but for central storage)[4] We will use the next 2-3 months to gather interest in contributing to this approach and the new Rust-based code. There was a lot of interest in the new features listed right above during gtema’s sessions in OpenInfra Summit in October 2025. Still, it has to translate into active contributors for this effort to take off. If you have an interest in those new features, join us! We hope this clarifies the situation. Feel free to reach out with other questions. Thanks to everybody who participated in the discussions. Regards, Keystone team [1] https://github.com/gtema/keystone [2] https://www.youtube.com/watch?v=XOHYqE2HRw4&list=PLKqaoAnDyfgr91wN_12nwY321… [3] https://github.com/openstack-experimental/keystone [4] https://www.youtube.com/watch?v=_B4Zsd8RG88&list=PLKqaoAnDyfgr91wN_12nwY321… [5] https://lists.debian.org/debian-devel/2025/10/msg00285.html [6] https://access.redhat.com/solutions/2743391

10 20

[oslo][all] Proposing oslo.wsgi
by Stephen Finucane 12 Nov '25

12 Nov '25

o/ I'd like to propose the creation of a new "oslo.wsgi" project that service projects should adopt, where it makes sense to. My reasons for this proposal are three-fold: * As we've been working on the OpenAPI work for various services, we've found ourselves copy-pasting a lot of the code between these services. This has occasionally led to issues when those copies are incomplete [1][2]. Historically speaking, copy-pasting of code between services is a sure sign that this code should be generalised and placed in an oslo library * I have previously noted [3] that oslo.service contains some non- eventlet-related WSGI routing code, and there are questions around whether (a) that code should have been placed there in the first place and (b) how we can maintain that long-term once the eventlet code is removed (the 'oslo_service.wsgi' module has side effects since it imports the backend configuration stuff). * I have also raised some concerns around our use of paste.deploy and routes [1], both of which are minimally maintained nowadays. Many oslo libraries are designed to abstract their underlying libraries, allowing users to switch between e.g. different messaging backends (oslo.messaging) or caching services (oslo.cache). Taken together, I think now would be a good time to provide a new library. I have an initial prototype available [4] which is effectively just a refactoring of the code from oslo.service, but I expect to add both more functionality to this existing code from existing consumers (Nova, Manila, Cinder etc.) and to add the openapi validation machinery. I imagine longer-term, this should evolve to allow us to replace the underlying libraries. However, we should obviously not get into the business of writing our own web framework. I also don't think it would make sense for all services to adopt all aspects of this project, since not all projects have any OpenAPI efforts ongoing at the moment and not all of them use the pastedeploy-routes-webob combo. Given the above rationale and caveats, what do people think? Are there any objections to this idea? Please let me know. If there is not, I will go figure out how to get the ball rolling on this. Cheers, Stephen PS: Why oslo.wsgi instead of a more generic name like debtcollector or futurist? I don't think this library will be useful outside of OpenStack, so the oslo prefix makes sense. [1] https://review.opendev.org/c/openstack/ironic/+/963938 [2] https://review.opendev.org/c/openstack/ironic/+/960291 [3] https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack… [4] https://github.com/stephenfin/oslo.wsgi

8 13

[watcher] 2nd call for maintainers - MAAS integration
by Douglas Viroel 12 Nov '25

12 Nov '25

Hi all, The Watcher team had a session[1] during the last PTG about the impacts of service integrations that have lacked maintainers, documentation, and/or testing coverage in CI. The MAAS (Metal As A Service) integration still lacks maintainers and is impacting the eventlet removal effort within Watcher, since it contains eventlet-dependent code that requires maintenance and validation. In the 2025.2 development cycle, we had a first call for maintainers[2] and we didn't receive any feedback. This is a second call for maintainers interested in supporting MAAS in Watcher, to help fill these gaps (eventlet removal, CI testing, documentation). The Watcher team plans to *deprecate* this integration during the 2026.1 cycle if we don't find anyone to assist in maintaining it. [1] https://etherpad.opendev.org/p/watcher-2026.1-ptg#L177 [2] https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack… Thanks and regards, -- Douglas Viroel - dviroel

2 1

[Kolla-Ansible][Tacker] [VIM]Unable to find key file for VIM
by josem.arco＠uah.es 12 Nov '25

12 Nov '25

Hi All, I have installed an bare-metal server Ubuntu 24.04 with Kolla-Ansible and all-in-one with Tacker. When I register the OpenStack Vim with the CLI I have this error “Unable to find key file for VIM e255b2e2…”. I have tried with the two optios of the 'cert_verify' parameter but it doesn’t work. I have also tried to do it with Horizon and it says “Error: Failed to register VIM. Details The request you have made requires authentication.” I have followed the lastest web pages of Kolla and Tacker. Thanks in advance for your help. Jose

1 0

Add Trait requirement to running Instances
by Kees Meijs | Nefos 12 Nov '25

12 Nov '25

Hi list, We're looking for a method to add Trait requirements to already running Instances, forcing certain placement upon resize or migration of them. Is there a clean way to do this? Or is there database surgery (which is acceptable to some extend) needed, and how? Thanks! Cheers, Kees __ Kees Meijs BICT Nefos Cloud & IT <https://nefos.com/contact> Nefos IT bv Burgemeester Mollaan 34a 5582 CK Waalre - NL kvk 66494931 +31 (0)88 2088 188 <tel:+31882088188> nefos.com <https://nefos.com/contact> The information contained in this message is intended for the addressee only and may contain classified information. If you are not the addressee, please delete this message and notify the sender; you should not copy or distribute this message or disclose its contents to anyone. Any views or opinions expressed in this message are those of the individual(s) and not necessarily of the organization. No reliance may be placed on this message without written confirmation from an authorised representative of its contents. No guarantee is implied that this message or any attachment is virus free or has not been intercepted and amended. General terms and conditions ("The NLdigital Terms") apply to all our products and services.

2 2

[all] PSA: requirements-check job no longer normalises underscores with hyphens
by Stephen Finucane 12 Nov '25

12 Nov '25

o/ Sean Mooney noted earlier today that watcher's requirements-check job has started failing with the following warning: Validating requirements.txt WARNING: possible mismatch found for package "microversion_parse" Attribute "package" does not match "microversion_parse" does not match "microversion-parse" Requirement(package='microversion_parse', location='', specifiers='>=0.2.1', markers='', comment='# Apache-2.0', extras=frozenset()) Requirement(package='microversion-parse', location='', specifiers='', markers='', comment='# Apache-2.0', extras=frozenset()) ERROR: Could not find a global requirements entry to match package microversion_parse. If the package is already included in the global list, the name or platform markers there may not match the local settings. This is almost certainly due to recent changes in the openstack/requirements repo to remove use of the soon-to-be-removed pkg_resources library [1]. Its replacement for this use case - packaging - does normalisation slightly differently and it seems it doesn't replace underscores with hyphens. While this could be fixed with custom normalisation in the requirements repo, I don't believe it's wise to do so as that custom normalization would need to be copied anywhere else that needs to parse OpenStack requirements.txt files and requirements more generally. I would instead encourage affected projects to fix the names used in their various requirements.txt files and use the correct PyPI names. From a quick look at failing requirements-check jobs in recent days [2], there aren't many: I see neutron has already fixed the issue [3] and I've proposed a fix for tap-as-a-service [4]. Those patches should prove how small a task this should be. Hope this helps, Stephen [1] https://review.opendev.org/c/openstack/requirements/+/960845 [2] https://zuul.opendev.org/t/openstack/builds?job_name=requirements-check&res… [3] https://review.opendev.org/c/openstack/neutron/+/965188 [4] https://review.opendev.org/c/openstack/tap-as-a-service/+/966782

2 1

List Limits returns Null in Nova Unified Limits
by Tyler Wilson 11 Nov '25

11 Nov '25

Hello All, I'm looking into testing out the Nova unified limits, however I am experiencing an odd issue where the 'limit list' returns no data. The 'limit create' and 'limit show' (with the UUID from the create command) seem to work fine. Paste data for the output is here: https://pastebin.com/sPZgZDEK I've even tried sending a GET to http://KEYSTONE_IP:5000/v3/limits with the output of [] ({"limits": [], "links": {"next": null, "self": "http://KEYSTONE_IP:5000/v3/limits", "previous": null}}) The log in keystone WSGI just shows a 200 for the GET request, not much else I could find. Should this work in the way I am expecting here? Or am I missing something? Thanks for any and all assistance!

2 5