2025.1 Series Release Notes

16.1.1-1

Security Issues

  • Under TLS with ssl_ca_file, oslo.messaging validated the broker certificate chain but did not verify the RabbitMQ broker hostname. A man-in-the-middle attacker with a certificate trusted by that CA could impersonate the broker.

    The RabbitMQ driver now verifies the broker hostname when ssl_ca_file is set and [oslo_messaging_rabbit] ssl_enforce_hostname_verification is enabled. Using ssl=true without ssl_ca_file still does not verify the broker hostname.

    The ssl_enforce_hostname_verification option defaults to false to preserve existing behavior until operators opt in. When enabled together with ssl_ca_file, hostname verification is enforced for RabbitMQ TLS connections.

    For transport URLs with multiple brokers and hostname verification enabled, Kombu 5.2.0 or newer substitutes the active broker hostname for TLS. Older Kombu versions log a warning and use the first configured broker hostname as a best effort; operators should upgrade Kombu or use a certificate (SAN or wildcard) that covers all configured broker hostnames.

16.1.1

Bug Fixes

  • Fixes delayed metrics processing in services using eventlet, caused by mixing a native thread with an eventlet-patched queue. See bug 2098714 for details.

  • Bug 2131652: Fixed ignorance of Precondition Failed error by rabbitmq driver so that the error is properly raised to clients.

  • Fixes a bug where calling some OpenStack utilites, such as nova-manage, within podman containers would fail when using Queue Manager. LP#2091703

16.1.0

New Features

  • Add a new option named kombu_reconnect_splay under oslo_messaging_rabbit that could be used to add an extra random delay before any reconnection when a recoverable error occur. This delay is set to 0 by default so the original behavior is not changed.

16.0.0

Upgrade Notes

  • The deprecated [oslo_messaging_rabbit] rabbit_use_ssl option has been removed. Use the ssl option instead.

  • The following deprecated options in [oslo_messaging_rabbit] section have been removed. Use the ones without kombu_ prefix.

    • kombu_ssl_version

    • kombu_ssl_keyfile

    • kombu_ssl_certfile

    • kombu_ssl_ca_certs

  • The following options are no longer loaded from the [DEFAULT] section. Use the [oslo_messaging_rabbit] section instead.

    • amqp_auto_delete

    • kombu_reconnect_delay

    • rabbit_login_method

    • rabbit_retry_backoff

    • rabbit_ha_queues

    • rpc_conn_pool_size

  • The following deprecated options have been removed. Use the equivalent options in the [oslo_messaging_notifications] secion instead.

    • [DEFAULT] notification_driver

    • [DEFAULT] notification_transport_url

    • [DEFAULT] notification_topics

    • [DEFAULT] routing_config

  • The deprecated [rpc_notifier2] topics option has been removed. Use the [oslo_messaging_notifications] topics option instead.

  • The following deprecated options in the [oslo_messaging_kafka] section have been removed.

    • pool_size

    • conn_pool_min_size

    • conn_pool_ttl

Deprecation Notes

  • Eventlet usages are deprecated and the removal of Eventlet from OpenStack is planned, for this reason the Eventlet executor is deprecated. Start migrating your stack to the threading executor. Please also start considering removing your internal Eventlet usages.

  • The executor parameter of the MessageHandlingServer class is now deprecated and planned for removal. The Eventlet executor is deprecated. Only the threading executor will remains available so the executor parameter is useless.

15.0.0

Upgrade Notes

  • The AMQP1 driver, which was deprecated in 14.1.0 was removed, due to limited usage and lack of support on recent distributions. Use any of the other supported driver, such as RabbitMQ or Kafka.

  • Support for Python 3.8 has been removed. Now the minimum python version supported is 3.9 .