Ocata Series Release Notes

4.1.4-8

Bug Fixes

  • Fixed a bug where –live-restore was passed to Docker daemon causing the swarm init to fail. Magnum now ensures the –live-restore is not passed to the Docker daemon if it’s default in an image.

4.1.2

New Features

  • Keystone URL used by Cluster Templates instances to authenticate is now configurable with the trustee_keystone_interface parameter which default to public.

4.1.1

Upgrade Notes

  • To let clusters communicate directly with OpenStack service other than Magnum, in the trust section of magnum.conf, set cluster_user_trust to True. The default value is False.

Security Issues

  • Every magnum cluster is assigned a trustee user and a trustID. This user is used to allow clusters communicate with the key-manager service (Barbican) and get the certificate authority of the cluster. This trust user can be used by other services too. It can be used to let the cluster authenticate with other OpenStack services like the Block Storage service, Object Storage service, Load Balancing etc. The cluster with this user and the trustID has full access to the trustor’s OpenStack project. A new configuration parameter has been added to restrict the access to other services than Magnum.

Bug Fixes

  • Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have to be re-created to benefit from this fix. Part of this fix is the newly introduced setting cluster_user_trust in the trust section of magnum.conf. This setting defaults to False. cluster_user_trust dictates whether to allow passing a trust ID into a cluster’s instances. For most clusters this capability is not needed. Clusters with registry_enabled=True or volume_driver=rexray will need this capability. Other features that require this capability may be introduced in the future. To be able to create such clusters you will need to set cluster_user_trust to True.

4.1.0

New Features

  • Secure etcd cluster for swarm and k8s. Etcd cluster is secured using TLS by default. TLS can be disabled by passing –tls-disabled during cluster template creation.

4.0.0

Prelude

Magnum’s keypair-override-on-create blueprint [1] allows for optional keypair value in ClusterTemplates and the ability to specify a keypair value during cluster creation.

Currently, the swarm and the kubernetes drivers use a dedicated cinder volume to store the container images. It was been observed that one cinder volume per node is a bottleneck for large clusters.

New Features

  • Added parameter in cluster-create to specify the keypair. If keypair is not provided, the default value from the matching ClusterTemplate will be used.

  • Keypair is now optional for ClusterTemplate, in order to allow Clusters to use keypairs separate from their parent ClusterTemplate.

  • Magnum now support OSProfiler for HTTP, RPC and DB request tracing. User can enable OSProfiler via Magnum configuration file in ‘profiler’ section.

  • This release introduces ‘quota’ endpoint that enable admin users to set, update and show quota for a given tenant. A non-admin user can get self quota limits.

  • Add microversion 1.5 to support rotation of a cluster’s CA certificate. This gives admins a way to restrict/deny access to an existing cluster once a user has been granted access.

  • This release introduces ‘stats’ endpoint that provide the total number of clusters and the total number of nodes for the given tenant and also overall stats across all the tenants.

  • Update Swarm default version to 1.2.5. It should be the last version since Docker people are now working on the new Swarm mode integrated in Docker.

Deprecation Notes

  • –keypair-id parameter in magnum CLI cluster-template-create has been renamed to –keypair.

Bug Fixes

  • Make the dedicated cinder volume per node an opt-in option. By default, no cinder volumes will be created unless the user passes the docker-volume-size argument.