With the subsequent minor releases to Release 6 of the SCS IaaS reference implementation OSISM 7 we've managed
to get lots of good continous changes out of the door.
Among other reasons the recent security advisory CVE-2024-32498 caused
further updates and fixes, so the 7.0.6 has become a 7.1.0.
Thanks to the OpenStack Vulnerability Management Team and our colleagues from OSISM we were able to
provide updated containers for the SCS IaaS Reference Implementation in time for the responsible disclosure of CVE-2024-32498.
In the aftermath of the disclosure and fixes a set of redefined patches were merged and backported upstream in OpenStack,
these are part of the 7.1.0 release of OSISM as well.
- The OpenStack service images for Octavia, Nova, Glance, Cinder and Magnum have been rebuilt.
Upgrades of those services are recommended. No upgrades of other OpenStack
and associated infrastructure services such as MariaDB or RabbitMQ are required.- The Nova, Glance, and Cinder images have been rebuilt because of a critical security
issues. Further details can be found in security advisory
OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
and in SCS blog post
SCS Security Advisory on arbitrary file access through QCOW2 external data file (CVE-2024-32498). This upgrade is important. If a hotfix for this problem has already
been deployed in advance, the parameters added for this inenvironments/kolla/images.yml
must be removed again. - The Octavia images have been rebuilt to fix an issue with the removal of leftover OVN LB HM ports
(osism/issues#921). If this is not relevant, the
upgrade can be skipped. - The Magnum images have been rebuild to bump the versions of the included Magnum Cluster API plugins
and to make the use of the Cilium CNI possible. If this is not relevant, the upgrade can be skipped. - When upgrading the Octavia, Nova, Glance, Cinder and Magnum API services, there is a short downtime
of the APIs. This downtime is usually less than 1 minute.
- The Nova, Glance, and Cinder images have been rebuilt because of a critical security
Aside from these very promiment features, there are several areas that have seen improvements and additions.
Following featues have been added to the OSISM manager:
- https://osism.tech/docs/guides/configuration-guide/configuration-repository/#locks
- generic is the new default group for all plays
- old wrapper scripts (e.g. osism-generic) are not longer copied by default
- New manager service: Kubernetes (can be enabled with enable_osism_kubernetes in environments/manager/configuration.yml)
- Use of config context of the netbox for host vars
From the upstream kolla-ansible project, which has seen a fair share of contributions made possible by the funding through SCS, we're now able to consume the following new features:
- Parameters to disable Horizon backend & frontend
- Incremental MariaDB database backups
- org.opencontainers.image.version label now used for service versions
- haproxy_socket_level_admin = "yes" by default
As part of our tender for software defined storage we're working together with colleagues from B1 Systems on bringing
rook into OSISM as the successor of ceph-ansible for managing ceph deployments. The 7.1.0 release contains a technical preview for deployments with rook,
Last, but certainly not least the documentation has been improved and new documentation has been added:
- https://osism.tech/docs/guides/operations-guide/ceph/#remove-a-single-osd-node
- https://osism.tech/docs/guides/operations-guide/network/
- https://osism.tech/docs/guides/configuration-guide/openstack/#example-for-the-use-of-name-based-endpoints
All the gory details about 7.1.0 can be read upon in the excellent OSISM release notes.