Victoria Series Release Notes

5.0.0

New Features

  • Add programming method to Deployable API. This method supports dynamic programming of Intel FPGAs. And it requires Intel OPAE(Open Programmable Acceleration Engine).

  • Add project_id for Accelerator Requests (arq) PATCH API from microversion 2.1 in order to control operations of accelerator requests with different roles.

  • The inspur-fpga-driver-proposal spec provides the first proposal of an inspur fpga driver. Currently only discover operation is supported, the program function and virtualization will be supported in Wallaby.

  • The cyborg-intel-qat-driver-proposal spec defines the Intel QAT accelerator driver managed by Cyborg. Intel QAT card is an accelerator that can accelerate encrytion and compression/decompression operation in data center. It also support SR-IOV technology, each physical card can be virtualized into mulitiple VFs.

  • In the Victoria release, cyborg introduced the new scoped RBAC policy authorization for API access, and partially implemented the blueprints. What implemented are new default rules in base policy and device_profile policy.

    During the development period(victoria and wallaby releases), the new and old policy will both work because a deployment sets cyborg.conf [oslo_policy] enforce_scope = False as the default set. Although users can set cyborg.conf [oslo_policy] enforce_scope = True by default in their deployment, if they want to ignore old rules and support new rules only. After we implement all the features, we’ll give two cycles transition period for operators. For specification of new policy, please refer to policy default refresh.

    • Scope

      Cyborg introduced scope_type to protect each policy. Cyborg support two types of sope_type with their combination. ['system'], ['project'] and ['system', 'project'].

      To know each policy scope_type, please refer the Policy Reference

      This feature is disabled by default can be enabled via config option [oslo_policy]enforce_scope in cyborg.conf

      • New Defaults Configuration

      Policies are default to Admin, Member and Reader roles. Old roles are also supproted. You can switch to new defaults via config option [oslo_policy]enforce_new_defaults in cyborg.conf file.

    • New Base policy roles

      Cyborg introduced seven basic roles based on the new defaults combined with different scope_types.

      • project_reader

      • project_member

      • project_admin

      • system_admin

      • system_reader

      • system_admin_or_owner

      • system_or_project_reader

    • New Defaults for device_profile APIs

      Rewrite check string(authorization rules) using new personas for device profile APIs.

      Add checkstr=base.PROJECT_READER_OR_SYSTEM_READER and deprecated checkstr=base.deprecated_default for

      • cyborg:device_profile:get_one

      • cyborg:device_profile:get_all

      Add check_str=base.SYSTEM_ADMIN and deprecated check_str=base.deprecated_is_admin for

      • cyborg:device_profile:create

      Add check_str=base.SYSTEM_ADMIN and deprecated base.deprecated_default for

      • cyborg:device_profile:delete

    • Added policy configuration guide on cyborg doc page

      Please refer to policy configuration guide

Upgrade Notes

  • The default value of [oslo_policy] policy_file config option has been changed from policy.json to policy.yaml. Cyborg policy new defaults since 5.0.0 and current default value of [oslo_policy] policy_file config option (policy.json) does not work when policy.json is generated by oslopolicy-sample-generator tool. Refer to bug 1875418 for more details. Also check oslopolicy-convert-json-to-yaml tool to convert the JSON to YAML formatted policy file in backward compatible way.

  • cyborg.image.download.modules extension point and support for allow_direct_url_schemes configuration setting, which have been deprecated since the Queens release, have been removed.

Deprecation Notes

  • The old basic personas below are marked as deprecated rules in base policy.

    • public_api

    • allow

    • deny

    • admin_api

    • is_admin

    • admin_or_owner

    • admin_or_user

  • Intel OPAE driver dependency is removed from the devstack installation dependencies due to the following reasons: 1) In the kolla cyborg-agent image we install OPAE, but OPAE is not available for CentOS 8 for the moment. This will make the cyborg-agent image unbuildable in Ussuri. 2) In devstack, due to the fact that OPAE packages depend on libjson0, which is not available after Ubuntu 16.04, so cyborg can’t be installed on Ubuntu higher than 16.04 now(unless disable dependency manually). Moreover,from cyborg’s perspective, it does not need to contain any hardware driver dependency, we can assume the admin should know about it and install the correct version.