Pike Series Release Notes

5.0.2

Security Issues

  • Add new configuration option openstack_ca_file in the drivers section to pass the CA bundle used for the OpenStack API. Setting this file and setting verify_ca to true will result to all requests from the cluster nodes to the OpenStack APIs to be verified.

Bug Fixes

  • [bug 1663757] A configuration parameter, verify_ca, was added to magnum.conf with a default value of True and passed to the heat templates to indicate whether the cluster nodes validate the Certificate Authority when making requests to the OpenStack APIs (Keystone, Magnum, Heat). This parameter can be set to False to disable CA validation if you have self-signed certificates for the OpenStack APIs or you have your own Certificate Authority and you have not installed the Certificate Authority to all nodes.

  • From now on, server names are prefixed with the cluster name. The cluster name is truncated to 30 characters, (‘_’, ‘.’) are mapped to ‘-’ and non alpha-numeric characters are removed to ensure FQDN compatibility.

  • Fixed a bug where –live-restore was passed to Docker daemon causing the swarm init to fail. Magnum now ensures the –live-restore is not passed to the Docker daemon if it’s default in an image.

5.0.1

New Features

  • Add swarm-mode driver based on fedora-atomic. Users can select the swarm-mode COE by using the coe field in cluster-template. This is a new driver, it is recommended to let magnum create a private-network and security groups per cluster.

5.0.0

New Features

  • Include kubernetes dashboard in kubernetes cluster by default. Users can use this kubernetes dashboard to manage the kubernetes cluster. Dashboard can be disabled by setting the label ‘kube_dashboard_enabled’ to false.

  • Includes a monitoring stack based on cAdvisor, node-exporter, Prometheus and Grafana. Users can enable this stack through the label prometheus_monitoring. Prometheus scrapes metrics from the Kubernetes cluster and then serves them to Grafana through Grafana’s Prometheus data source. Upon completion, a default Grafana dashboard is provided.

  • Add support to store the etcd configuration in a cinder volume. k8s_fedora_atomic accepts a new label etcd_volume_size defining the size of the volume. A value of 0 or leaving the label unset means no volume should be used, and the data will go to the instance local storage.

  • Support different volume types for the drivers that support docker storage in cinder volumes. swarm_fedora_atomic and k8s_fedora_atomic accept a new label to specify a docker_volume_type.

  • Keystone URL used by Cluster Templates instances to authenticate is now configurable with the trustee_keystone_interface parameter which default to public.

Upgrade Notes

  • To let clusters communicate directly with OpenStack service other than Magnum, in the trust section of magnum.conf, set cluster_user_trust to True. The default value is False.

  • A new section is created in magnum.conf named cinder. In this cinder section, you need to set a value for the key default_docker_volume_type, which should be a valid type for cinder volumes in your cinder deployment. This default value will be used if no volume_type is provided by the user when using a cinder volume for container storage. The suggested default value the one set in cinder.conf of your cinder deployment.

Security Issues

  • Every magnum cluster is assigned a trustee user and a trustID. This user is used to allow clusters communicate with the key-manager service (Barbican) and get the certificate authority of the cluster. This trust user can be used by other services too. It can be used to let the cluster authenticate with other OpenStack services like the Block Storage service, Object Storage service, Load Balancing etc. The cluster with this user and the trustID has full access to the trustor’s OpenStack project. A new configuration parameter has been added to restrict the access to other services than Magnum.

Bug Fixes

  • Fixes CVE-2016-7404 for newly created clusters. Existing clusters will have to be re-created to benefit from this fix. Part of this fix is the newly introduced setting cluster_user_trust in the trust section of magnum.conf. This setting defaults to False. cluster_user_trust dictates whether to allow passing a trust ID into a cluster’s instances. For most clusters this capability is not needed. Clusters with registry_enabled=True or volume_driver=rexray will need this capability. Other features that require this capability may be introduced in the future. To be able to create such clusters you will need to set cluster_user_trust to True.