OSISM 7.1.0 released

With the subsequent minor releases to Release 6 of the SCS IaaS reference implementation OSISM 7 we’ve managed to get lots of good continous changes out of the door. Among other reasons the recent security advisory CVE-2024-32498 caused further updates and fixes, so the 7.0.6 has become a 7.1.0. Thanks to the OpenStack Vulnerability Management Team and our colleagues from OSISM we were able to provide updated containers for the SCS IaaS Reference Implementation in time for the responsible disclosure of CVE-2024-32498. In the aftermath of the disclosure and fixes a set of redefined patches were merged and backported upstream in OpenStack, these are part of the 7.1.0 release of OSISM as well.

• The OpenStack service images for Octavia, Nova, Glance, Cinder and Magnum have been rebuilt. Upgrades of those services are recommended. No upgrades of other OpenStack and associated infrastructure services such as MariaDB or RabbitMQ are required.

  • The Nova, Glance, and Cinder images have been rebuilt because of a critical security issues. Further details can be found in security advisory OSSA-2024-001: Arbitrary file access through custom QCOW2 external data and in SCS blog post SCS Security Advisory on arbitrary file access through QCOW2 external data file (CVE-2024-32498). This upgrade is important. If a hotfix for this problem has already been deployed in advance, the parameters added for this in environments/kolla/images.yml must be removed again.

  • The Octavia images have been rebuilt to fix an issue with the removal of leftover OVN LB HM ports (osism/issues#921). If this is not relevant, the upgrade can be skipped.

  • The Magnum images have been rebuild to bump the versions of the included Magnum Cluster API plugins and to make the use of the Cilium CNI possible. If this is not relevant, the upgrade can be skipped.

  • When upgrading the Octavia, Nova, Glance, Cinder and Magnum API services, there is a short downtime of the APIs. This downtime is usually less than 1 minute.

Aside from these very promiment features, there are several areas that have seen improvements and additions. Following featues have been added to the OSISM manager:

• https://osism.tech/docs/guides/configuration-guide/configuration-repository/#locks
• generic is the new default group for all plays
• old wrapper scripts (e.g. osism-generic) are not longer copied by default
• New manager service: Kubernetes (can be enabled with enable_osism_kubernetes in environments/manager/configuration.yml)
• Use of config context of the netbox for host vars

From the upstream kolla-ansible project, which has seen a fair share of contributions made possible by the funding through SCS, we’re now able to consume the following new features:

• Parameters to disable Horizon backend & frontend
• Incremental MariaDB database backups
• org.opencontainers.image.version label now used for service versions
• haproxy_socket_level_admin = “yes” by default

As part of our tender for software defined storage we’re working together with colleagues from B1 Systems on bringing rook into OSISM as the successor of ceph-ansible for managing ceph deployments. The 7.1.0 release contains a technical preview for deployments with rook,

Last, but certainly not least the documentation has been improved and new documentation has been added:

• https://osism.tech/docs/guides/operations-guide/ceph/#remove-a-single-osd-node
• https://osism.tech/docs/guides/operations-guide/network/
• https://osism.tech/docs/guides/configuration-guide/openstack/#example-for-the-use-of-name-based-endpoints

All the gory details about 7.1.0 can be read upon in the excellent OSISM release notes.

About the author