New backend drivers were added: Yadro Tatlin Unified FC Driver, TOYOU NetStor TYDS iSCSI driver, Pure Storage FlashArray NVMe-TCP support.

New driver features were added, notably, QoS support for Fujitsu ETERNUS DX driver, replication-enabled consistency groups support for Pure Storage driver, and Active/Active support for NetApp NFS driver.

A critical security issue, CVE-2023-2088, was fixed.

Along with many bug fixes, some major ones are: fixed issues when restoring full backups to non RBD volumes, ability to restore backups into sparse volumes, restricted non-admins to create multiattach volume using the multiattach parameter, etc.

Enabled multiple rating types for the same metric for gnocchi.

Created indexes to allow SQL rewrites and optimizations

Optimized Gnocchi fetcher processing time

Complete device enable/disable feature that reserve the device using flexiable.

Complete the POC of vGPU management by Cyborg in the kolla env.

Fix bugs and doc improvement.

Added the support to configure weight for each store to get rid of the problem with existing location strategy while downloading the image from specific store when multiple stores of same type are available.

Added support for RBD driver to move images to the trash if they cannot be deleted immediately due to having snapshots.

Horizon added TOTP authentication support, allowing users to enhance their security by authenticating with Time-based One-Time Passwords.

Horizon now migrated to XStatic-JQuery-Migrate v3.3.2.1 from v1.2.1.1 to include security fixes in the latest version.

Horizon now migrated to XStatic-jQuery v3.5.1.1 from v1.12.4.1 to include security fixes in the latest version.

Ironic now has support for complex parent-child device topologies. This feature, primarily targeted at orchestration of DPUs, allows nodes to have parent/child relationships. This allows for more complex logic to be coordinated between a node and its children. When a node with children runs a step-based action, those steps can include actions to be run on the child node. See parent node documentation for more information.

Ironic now has basic support for servicing nodes. Servicing allows operators to use steps, like you would for cleaning, to perform service on deployed nodes in ACTIVE state. Previously, Ironic would not perform operations on active nodes. See Node servicing documentation for more information.

Ironic has promoted support for firmware upgrading and information to a new interface and API named FirmwareInterface. This includes new API support, at /v1/nodes/{node_ident}/firmware for getting firmware information. In addition, operators can use the csteps provided by the new FirmwareInterface their firmware upgrade process for step-based automations, such as deployment, cleaning, or servicing. While the structure and API is in place for firmware management, our first driver, for redfish hardware, is coming next release.

Additional steps for servicing, cleaning, and deployment have been added. The first new step, wait, waits for a specified amount of time or until the next heartbeat. The second new step, hold, stops evaluation of steps until the unhold verb is submitted to the provision state API for that node. When a node is held, it will be parked a new “hold” provision_state, either clean hold, deploy hold or service hold. Additionally, Ironic has added support for power control via steps named, power_on, power_off, and reboot; deployers who already have custom steps with these names must rename them. These new steps are useful for integrating with external systems that need to perform actions on a node or for orchestrating complex workflows involving child nodes.

Ironic conductor services now honor the value of [DEFAULT]/graceful_shutdown_timeout, waiting that number of seconds to complete operations before forcing them to abort.

Operators are now able to disable MD5 use to verify images in Ironic by setting [agent]/allow_md5_checksum to false. This option defaults to true to preserve existing behavior in this release; but we expect to disable MD5 support by default in a future release.

HAProxy backends now support http/2.

Let's Encrypt TLS certificate service integration with OpenStack deployment has been added.

Debian Bookworm/12 support has been added.

Podman support has been added as alternative to Docker.

Added support for ansible-core only installation.

Added support for Glance/Cinder-backup S3 backend.

Added support for using RabbitMQ Quorum queues - and this is the default now.

New container image: ironic-prometheus-exporter.

Let’s Encrypt images have been improved with orchestration scripts utilized by Kolla-Ansible automation.

magnum-cluster-api driver has been added to magnum container images.

Added support for Debian Bookworm/12 images.

Added support for Kubernetes v1.25 and v1.26.

Added support for Fedora CoreOS 37 and 38.

Added Secure RBAC implementation.

Manila shares and access rules can now be locked against deletion. A generic resource locks framework has been introduced to facilitate this. Users can also hide sensitive fields of access rules with this feature.

Shares can be backed up and restored generically with the help of the manila-data manager service. Driver-powered share backups will extend this feature in future releases.

Added new Manila drivers to support Dell PowerFlex and Dell PowerStore storage backends. The driver for PowerFlex supports managing NFS shares while the driver for PowerStore supports managing NFS and CIFS shares.

Added the NetAppAIQWeigher scheduler weigher that harnesses artificial intelligence to handle provisioning and placement decisions.

Share access rules can be filtered with rule parameters such as access_to, access_type, access_key and access_level.

Added the possibility to display the total count of snapshots when paginating snapshots.

Added share type information to notifications with oslo.messaging. It is useful for billing to be able to charge customers differently for shares of different types.

Administrators are now able to to set a maximum share extend size restriction which can be set on a per share-type granularity through the ‘provisioning:max_share_extend_size’ extra-spec.

Usage of the “manila” CLI client is discouraged in favor of the “openstack” CLI. The “manila” CLI client is deprecated and will be removed in a future release.

Limit the rate at which instances can query the metadata service in order to protect the OpenStack deployment from DoS or misbehaved instances.

The Neutron service has enabled the new API policies (RBAC) with system scope and default roles by default.

A new port hint attribute “ovs-tx-steering”, to modify the behaviour of the local Open vSwitch Userspace transmit packet steering feature.

New API which allows to define a set of security group rules to be used automatically in every new default and/or custom security group created for any project.

The Ironic driver [ironic]/peer_list configuration option has been deprecated. The Ironic driver now more closely models other Nova drivers by having a single compute have exclusive control over assigned nodes. If high availability of a single compute service is required, operators should use active/passive failover.

The legacy quota driver is now deprecated and a nova-manage limits command is provided in order to migrate the orginal limits into Keystone. We plan to change the default quota driver to the unified limits driver in an upcoming release. It is recommended that you begin planning and executing a migration to unified limits as soon as possible.

QEMU in its TCG mode (i.e. full system emulation) uses a translation block (TB) cache as an optimization during dynamic code translation. The libvirt driver can now configure the tb-cache size when the virt type is qemu. This helps running VMs with small memory size. In order to use this feature, a configuration option [libvirt]/tb_cache_size has been introduced.

Two new scheduler weighers have been introduced. One helps sorting the nodes by the number of active instances they run, the other helps sorting by the hypervisor version each compute runs. Accordingly, you can place your instances with different strategies, eg. by allocating them to more recent nodes or by reducing the number of noisy instance neighbors.

It is now possible to define different authorization policies for migration with and without a target host.

A couple of other improvements target reducing the number of bugs we have, one checking at reboot if stale volume attachments still reside and another one ensuring a strict linkage between a compute, a service and the instances it runs.

Ansible Core version is updated to 2.15 series. With that required collections were updated to the latest versions as well.

Added support for RabbitMQ quorum queues. As part of migration process to quorum queues vhost names will be changed from /<service> to <service (ie /nova -> nova). At the same time in case of continue using classic queues, their version will be changed to 2.

RabbitMQ is upgraded to 3.12 series

Added support for Debian 12 (Bookworm)

CNF auto scale via Performance Management Threshold API. Prometheus Plugin for Prometheus is also provided as for external monitoring feature.

Support multiple conductors onboarding for N-Act tacker cluster enables all conductors to download/delete VNF Package.

Revise APIs for fine-grained access control enables to add attributes for enhanced Tacker policy, convert special roles to API attributes or so.

Support Anti-Affinity rules in AZ reselection.

Terraform Infra-driver for VNF Instantiation and Termination.