The Block Storage service can now be configured to use Google Cloud Storage for storing volume backups. This feature presents an alternative to the costly maintenance of a secondary cloud simply for disaster recovery.

The Shared File System service (manila) is still included as a Technology Preview. With this release, you can test the service with the following drivers:

The new CephFS native driver allows the Shared File System service to export shared CephFS file systems to guests through the Ceph network protocol. Instances must have a Ceph client installed to mount the file system. The CephFS file system is included in Red Hat Ceph Storage 2.0 as a technology preview as well.

Objects can now be stored encrypted form (using AES in CTR mode with 256-bit keys). This provides options for protecting objects and maintaining security compliance in Object Storage clusters.

OpenDaylight Beryllium SR2 is now available on this release as a Technology Preview.

This release includes a version of the keycloak-httpd-client-install package. This package provides a command-line tool that helps configure the Apache mod_auth_mellon SAML Service Provider as a client of the Keycloak SAML IdP.

OpenStack Compute includes the concept of Cells, provided by the nova-cells package, for dividing computing resources. For more information about Cells, see Schedule Hosts and Cells.

Alternatively, Red Hat OpenStack Platform also provides fully supported methods for dividing compute resources in Red Hat OpenStack Platform; namely, Regions, Availability Zones, and Host Aggregates. For more information, see Manage Host Aggregates.

Distributed Virtual Routing (DVR) allows you to place L3 Routers directly on Compute nodes. As a result, instance traffic is directed between the Compute nodes (East-West) without first requiring routing through a Network node. Instances without floating IP addresses still route SNAT traffic through the Network node.

Red Hat OpenStack Platform 8 includes a Technology Preview of DNS-as-a-Service (DNSaaS), also known as Designate. DNSaaS includes a REST API for domain and record management, is multi-tenanted, and integrates with OpenStack Identity Service (keystone) for authentication. DNSaaS includes a framework for integration with Compute (nova) and OpenStack Networking (neutron) notifications, allowing auto-generated DNS records. In addition, DNSaaS includes integration support for PowerDNS and Bind9.

The Object Storage service includes an EC storage policy type for devices with massive amounts of data that are infrequently accessed. The EC storage policy uses its own ring and configurable set of parameters designed to maintain data availability while reducing cost and storage requirements (by requiring about half of the capacity of triple-replication). Because EC requires more CPU and network resources, implementing EC as a policy allows you to isolate all the storage devices associated with your cluster's EC capability.

The OpenStack File Share Service provides a seamless and easy way to provision and manage shared file systems in OpenStack. These shared file systems can then be used (mounted) securely to instances. The File Share Service also allows for robust administration of provisioned shares, providing the means to set quotas, configure access, create snapshots, and perform other useful admin tasks.

The Firewall-as-a-Service plug-in adds perimeter firewall management to OpenStack Networking (neutron). FWaaS uses iptables to apply firewall policy to all virtual routers within a project, and supports one firewall policy and logical firewall instance per project. FWaaS operates at the perimeter by filtering traffic at the OpenStack Networking (neutron) router. This distinguishes it from security groups, which operate at the instance level.

Operational Tools are logging and monitoring tools which facilitate troubleshooting. With a centralized, easy-to-use analytics and search dashboard, troubleshooting is simplified, and features such as service availability checking, threshold alarm management, and collecting and presenting data using graphs are available.

VPN-as-a-Service allows you to create and manage VPN connections in OpenStack.

Rally is a benchmarking tool that automates and unifies multi-node OpenStack deployment, cloud verification, benchmarking and profiling. It can be used as a basic tool for an OpenStack CI/CD system that would continuously improve its SLA, performance and stability. It consists of the following core components:

The Data Plane Development Kit (DPDK) consists of a set of libraries and user-space drivers for fast packet processing, enabling applications to perform their own packet processing directly to/from the NIC, delivering up to wire speed performance for certain use cases. In addition, OVS+DPDK significantly improves the performance of Open vSwitch while maintaining its core functionality. It enables the packet switching from the host’s physical NIC to the application in the guest instance (and between guest instances) to be handled almost entirely in user-space.

In this release, the OpenStack Networking (neutron) OVS plugin was updated to support OVS+DPDK back end configuration. OpenStack projects can now use the neutron API to provision networks, subnets and other networking constructs, while using OVS+DPDK to gain improved network performance for instances.

Red Hat OpenStack Platform 8 now includes a technology preview of integration with the OpenDaylight SDN controller. OpenDaylight is a flexible, modular, and open SDN platform that supports many different applications. The OpenDaylight distribution included with Red Hat OpenStack Platform 8 is limited to the modules required to support OpenStack deployments using OVSDB NetVirt, and is based on the upstream Beryllium version. The following packages provide the Technology Preview: opendaylight, networking-odl

Integration of real time KVM with the Compute service further enhances the vCPU scheduling guarantees that CPU pinning provides by reducing the impact of CPU latency resulting from causes such as kernel tasks running on host CPUs. This functionality is crucial to workloads such as network functions virtualization (NFV), where reducing CPU latency is highly important.

The Red Hat OpenStack Platform director has the ability to integrate services from OpenStack's containerization project (kolla) into the Overcloud's Compute nodes. This includes creating Compute nodes that use Red Hat Enterprise Linux Atomic Host as a base operating system and individual containers to run different OpenStack services.

With this update, the LBaaS dashboard was moved out of horizon, and is now a separate plugin.
As a result, you can install the LBaaS dashboard using `yum install neutron-lbaas-ui`. You will need to restart httpd to apply the change.

This release now includes a Technology Preview version of the keycloak-httpd-client-install package. This package provides a command-line tool that helps configure the Apache mod_auth_mellon SAML Service Provider as a client of the Keycloak SAML IdP.

Previously, the RPM for `mariadb-galera` included a step to generate TLS certificates for use in Galera SSL communication.  However, when the installed RPMs were used with containers that were then replicated, the TLS certificates themselves would be replicated as well. Consequently, copies of a container would contain a TLS certificate identical to the original, creating a security condition if these certificates were actually used. 
With this update, the RPM package no longer generates the certificates.  
As a result, no certificate is generated which may be present in a container. Certificates can be generated manually if SSL configuration of Galera is needed. Note that Red Hat OpenStack director currently does not configure Galera for SSL.

OpenDaylight Beryllium SR2 is now available on this release as a Technology Preview.

This rebase package includes aodh updates under version openstack-aodh-2.0.1-3.el7ost.
For the full list of changes, please refer to the upstream release notes: http://docs.openstack.org/releasenotes/aodh/mitaka.html#id2

This update provides a client for the Aodh API. The client consists of a Python API, which is available in the "aodhclient" module, and a command-line script, which is installed as the "aodh" command. Both the Python API and the command-line script implement the entire Aodh API.

This aodh rebase package includes a notable fix under version openstack-aodh-2.0.1-1.el7ost:

* Bug 1575530 - Update was added to fix and improve the partition coordinator, making sure that input tasks can be correctly distributed to partition members.

Previously, when creating an alarm of type `gnocchi_aggregation_by_metrics_threshold`, the evaluator would throw an error, causing an exception.
This update addresses this issue by setting `needed_overlap` to always apply on aggregation.

Prior to this update, composite alarms continued to send notifications on each refresh. This resulted in unnecessary notifications appearing in the log files.
This update addresses this by no longer sending notifications on each alarm refresh.

Previously, gnocchi-dispatcher options were not present in `ceilometer.conf` by default. Consequently, the options had to be manually added. With this update, the gnocchi-dispatcher options are included by default when ceilometer is installed.

Prior to this update, events could not be filtered by time-based fields.
Consequently, `le` and `ge` queries did not work on time-based fields.
This update adds new query operators, with the result that the `le` and `ge` operators should now work on time-based queries.

Telemetry (ceilometer) dbsync creates an old alarming table, as a result of still running the `sqlalchemy-migrate` code. Consequently, Aodh dbsync sees no reference to Alembic, and has SQLAlchemy create the necessary tables. However, the tables are already present, so nothing is done, and the database is stamped to the latest version of Aodh Alembic.
You can avoid this issue by not creating alarm tables in ceilometer dbsync.

This update adds RPM requirements to ensure that the required python libraries for the Google Cloud backup driver are present.

Previously, python-taskflow was missing a dependency on a suitable version of python-networkx.
Consequently, `cinder create volume` did not function as expected.
With this update, python-taskflow package has the correct dependencies, and `cinder create volume` works as expected.

This openstack-gnocchi rebase package adds notable updates under version: openstack-gnocchi-2.1.1-1.el7ost
For more information, see the upstream release milestone: https://launchpad.net/gnocchi/+milestone/2.1.1

When multiple environment files are specified, they are combined in the engine instead of the client. This provides heat enough information to correctly orchestrate a stack.

Using the resource registry in the environment, a user can set a hook which will pause delete actions on these resources. This allows users to take specific actions when a resource is deleted, and perform extra validation when critical elements are removed. As a result, when a resource with a pre-delete hook is about to be deleted, Heat will pause until the resource is signaled with {'unset_hook': 'pre-delete'} as data.

Previously, the iPXE driver had a conditional that prevented nodes from being configured with UEFI boot mode. Consequently, iPXE driver users could not configure their nodes with UEFI and were forced to use the BIOS instead.
With this update, the conditional was removed, and users of the iPXE driver can now deploy their nodes in UEFI mode.

This enhancement adds manual cleaning, which allows operators to move a node directly into a cleaning state, from a manageable state.
This was added because operators may run cleaning steps for various reasons, including: Building RAID, erasing devices, among others.
As a result, operators are now able to use the OpenStack Bare Metal (ironic) API to manually start the cleaning process for the ironic nodes, choosing exactly which steps should be run.

This enhancement adds support for in-band cleaning of the iSCSI drivers. Cleaning steps, such as disk erase, and in-band RAID configuration, among others, can now be performed on the nodes using the drivers. 
The running of cleaning steps allows for improved security when recycling the nodes in ironic, allowing you  to erase all the data from previous tenants and/or run checks to see if the machine wasn't compromised.
As a result, drivers, such as pxe_ipmitool, pxe_drac, pxe_iboot, pxe_ilo, pxe_amt, pxe_wol, among others, can now run in-band cleaning steps.

Previously, `ipset` was not declared as a dependency of the Open vSwitch (OVS) and Linux Bridge neutron agents. However, ipset is a dependency of the openstack-neutron package, and this would result in nodes that had the packages for the Open vSwitch or Linux Bridge agent installed, but did not have `openstack-neutron` installed. The L2 agents required ipset for configuration of security groups.
With this update, ipset is a dependency of the openstack-openvswitch-agent, and the openstack-linuxbridge-agent packages depend on ipset.

Previously, the openstack-neutron-common package did not require the shadow-utils package. This prevented the 'neutron' user from being created when the openstack-neutron-common package was installed, resulting in neutron being unable to execute commands on hypervisors. With this update, the openstack-neutron-common package now requires the shadow-utils package, and the 'neutron' user is correctly created.

Previously, when bridge ports were missing for br-int and br-tun during agent startup, it checked for the patch ports `int-br-ex` and `phy-br-ex` before adding them. However, the function used to check their existence was get_port_ofport(), which retried the check because of the @_ofport_retry decoration.
Consequently, this caused the restart to become unnecessarily slow because of the retries. 
With this update,  the existence of ports is checked with port_exists() instead of get_port_ofport(). As a result, no slowdown occurs on startup when the bridge ports are missing for br-int and br-tun.

With this update, the openstack-nova package is now re-based to upstream version 13.1.0.

Previously, when booting instances, the nova API automatically added a default security group if nothing was specified, which should not be done on a network with option 'port_security_enabled=False'
Consequently, the boot process would fail for users booting an instance that was attached to a network with port security disabled. 
With this update, nova no longer adds a default security group to a port created for an instance on a network with port_security_enabled=False 
As a result, the boot process works as expected, and the port attached to the instance does not have a default security group attached.

NOTE: a known bug in the dashboard still indicates that a default security group is attached to the instance, but this only occurs during the first attempt at booting the instance.

With serial_console enabled, repeatedly starting and stopping an instance eventually caused the compute service to run out of ports. When this occurred, attempting to start an instance resulted in a 'SocketPortRangeExhaustedException' error, preventing instances from being started. This was because while the compute service creates a port when an instance is started (as opposed to created), it only releases a port when an instance is deleted (as opposed to stopped).

In this update, the method that destroys the guest from a libvirt perspective now also releases serial ports. This ensures that a serial port is released as soon as it is no longer required by an instance, thereby making the port available again.

When creating snapshots, the compute API now omits disk format and container format details from the image API request. This helps ensure that the driver will use the correct snapshot image format. This, in turn, prevents snapshots from failing with a BadRequest if its image is converted to a format other than what the base image uses.

Previously, under BZ#1332599, a regression was discovered which caused an instance to lose its serial ports after a hard-reboot Consequently, it was not possible to connect to the instance through a serial console. This issue occurred during a hard-reboot process, because the serial ports on a host were released, but since the domain XML was still defining them, the process to acquire ports on the host during the boot was not executed. 
To address this issue, nova will now undefine the domain from libvirt after having destroyed it.

When assigning an SR-IOV Virtual Function (VF) device to an instance, its corresponding Physical Function (PF) device is correctly masked as unavailable in the database. However, in past releases, deleting the instance did not update the PF as available. As a result, PCI devices were never released from the database after instances which used them were deleted. 

With this update, nova now maintains an in-memory tree of PCI devices, then periodically flushes it into the database. This helps update the database on information about available devices.

In previous releases, the systemd unit file for openstack-nova-compute was missing a required dependency on libvirtd. As such, restarting openstack-nova-compute failed whenever libvirtd was not already running. This update adds the dependency.

With this enhancement, the act of evacuating instances with pinned CPUs can result in these instances being hosted on a hypervisor which already handles instances with the same pinning configuration.
This was added because the resource tracker does not track CPU pinning for instances on hosts.
As a result, a condition has been added to the NUMATopologyFilter filter, which passes on hosts which already manage an instance with same CPU pinning configuration as the instance being evacuated.

Previously, Packstack tried to create a gnocchi database when ceilometer installation was disabled. As a result, disabling ceilometer caused Packstack installations to fail, as some parameters required for creating a gnocchi database were not passed. With this release, Packstack no longer attempts to create a gnocchi database if ceilometer is disabled.

Previously, iPXE would freeze during HTTP download resulting in the Bare Metal Provisioning (ironic) service to hang. 

This update makes sure that iPXE retries to boot from the network in case of a failure. The '--timeout' option can be used to avoid an unlimited freeze. As a result, a freeze does not occur during the HTTP download.

The service providers responsible for configuring VPNaaS and LBaaS created additional files that were never included in the service startup. This prevented neutron-server from starting if LBaaS was enabled.

Previously, the LBaaS service config provider was updated to put service providers directly into /etc/neutron/neutron.conf. Updating VPNaaS to do the same would have caused it to overwrite the 'service_provider' value set by LBaaS, or vice-versa. So to address this, this update moves the 'neutron_config' provider from ini_setting to openstackconfig and adds a variable to neutron::server to manage service providers. This, in turn, prevents VPNaaS and LBaaS from overwriting each others' service_provider values. As a result, enabling LBaaS no longer prevents neutron-server from starting.

The Ceph puppet module (puppet-ceph) did not update CephX keyrings when the caps parameter for a key were changed. This caused overcloud upgrades to fail, as caps to operate on the new 'metrics' pool were not added to the CephX keyring. 

With this update, puppet-ceph regenerates the virsh secret or updates its key if either 'rbd_keyring' or 'linvirt_rbd_secret_uuid' change. This ensures that the CephX keyring is updated as required when secrets or caps change.

Previously, the absence of SELinux policy that allowed the Compute API to be started in WSGI with Apache resulted in an AVC in the audit.log.

With this update, Compute is able to bond to the HTTP's port and runs without errors when started in WSGI with Apache.

Previously, running the Block Storage API in WSGI with Apache and SELinux in the 'enforce' mode resulted in an AVC, as SELinux prevented the '/usr/sbin/httpd' from access to the '/var/log/cinder/cinder-api.log' file.

With this update, 'httpd' is allowed access to the Block Storage API log file. As a result, the Block Storage API in WSGI runs without AVCs.

This enhancement adds improved replica placement, and protection from duplicated assignments.
This was added because, in the traditional Swift layout, the act of accidentally assigning two replicas of a partition to the same device resulted in a silent reduction of durability.
As a result, duplicate assignments are prevented, thereby adhering to calculated guarantees. However, since this requires the number of devices to be no less than the number of replicas, it is possible for certain incorrect old rings to be considered invalid. Consequently, it is still possible to have the number of zones be smaller than the number of replicas.

This enhancement adds the ability to tell the container or account server to reverse the object listings. This capability allows you to break out versioned objects in middleware. 
As a result, the internal architecture is reorganized for safety reasons; in addition, reverse listings are available to client applications, if needed.

Alarms created with the type 'gnocchi-resource-threshold' had empty fields for the 'project_id' and 'user_id' fields. 

With this update, when alarms are created with type 'gnocchi-resource-threshold', the 'project_id' and 'user_id' fields are populated.

The python-colorama package has been added to Red Hat OpenStack Platform 9.
This package is an install dependency for python-gabbi, which in turn is required by openstack-gnocchi.
As a result, openstack-gnocchi and python-gabbi install without dependency errors.

The Time Series Database-as-a-Service (gnocchi) Ceph storage driver had a dependency on the 'python-cradox' library, resulting in a gnocchi with a Ceph back end to fail. 

With this update, the 'python-cradox' is installed by the 'openstack-puppet-modules' package. The 'python-cradox' is a Python library for the Ceph librados library which uses 'cython' instead of 'ctypes'. As a result, the Time Series Database-as-a-Service with a Ceph back end will run without errors.

With this update, the API part for using the Ceilometer alarm API has been added to Horizon. It enables future developments to use the API. However, at present, there is no GUI front end for this API.

This update adds support for Cinder volume encryption to Horizon, which enables administrators to manage encrypted volume types from the GUI. As a result, volume types can now be added, modified, and deleted using Horizon.

With this update, the 'python-django-horizon' packages have been rebased to version 9.0.1. 

Some of the highlights addressed by this rebase are as follows:
* Fix workflow bug in "Create Network"
* Fix existing metadata display in metadata widget
* Various localisation fixes

The 'stack-delete' command displayed information about the heat stack immediately after requesting the delete. Deleting a heat stack is an asynchronous operation so the display status may not have yet changed to 'DELETE_IN_PROGRESS', and users may find this confusing.

The 'stack-delete' command now returns nothing, which is consistent with other OpenStack services delete commands.

This release includes updates from oslo.concurrency 3.7.1, which places new process limits required to address security vulnerability CVE-2015-5162. See https://bugs.launchpad.net/ossa/+bug/1449062 for details about the vulnerability and fix.

The python-wsgi_intercept package has been added to Red Hat OpenStack Platform 9.
This package is an install dependency for python-gabbi, which in turn is required by openstack-gnocchi. 
As a result, openstack-gnocchi and python-gabbi install without dependency errors.

The ironic-inspector was not included in the Keystone endpoint catalog in the Undercloud. This meant you could not discover the API endpoints for ironic-inspector through the catalog. This fix adds the ironic-inspector API endpoints to the Keystone catalog. You can now discover the ironic-inspector API endpoints through the catalog.

Slow environments experienced timeouts when Glance tried to communicate with Swift as a backend. This caused some Glance operations, such as image uploads, to fail. This fix increases the Swift proxy server's default node_timeout value to 60 seconds. This increases the reliability of Glance image uploads on slow environments using Swift as an image storage backend.

The ipxe-bootimages RPM was not included in the repository for the director. This caused failure during director installation. This update adds the package to the director's repository. The RPM is now included as a part of the director's installation.

Almost all the Overcloud Pacemaker resources depended on the Keystone resource. This meant restarting the Keystone resource after a configuration change would restart all dependent resources, which was disruptive. This fix introduces a fake openstack-core that the Overcloud Pacemaker resources (including keystone) use as a dependency. This means restarting the Keystone resource no longer causes any disruption to other services.

The ManagementNetValueSpecs parameter used the wrong type (string) in the director's Heat templates. This caused Overcloud deployments containing the Management network to fail with the following error:

"Property error: resources.ManagementNetwork.properties.ManagementNetValueSpecs: Value must be a string".

This fix changes the data type of ManagementNetValueSpecs from string to json. The error no longer appears.

In previous releases of Heat, domain resources were created before /etc/heat/heat.conf was configured on the overcloud. However, domain resources depended on settings from that file; as such, these resources were not created correctly, preventing users from creating heat stacks. Users had to manually restart the Pacemaker Heat Engine resource to work around the problem.

This release corrects the sequence of steps for deploying the Heat service, thereby fixing the problem.

Old versions of the puppet-ceph-external.yaml Heat environment file are not supported anymore. A newer version of this file is shipped with the 9.0 templates and must be used instead. Any customizations made to the old puppet-ceph-external.yaml file must be ported into the newer version.

This patch updates the Help URL on the dashboard. The URL now points to the Official Red Hat OpenStack Platform documentation instead of the OpenStack upstream documentation.

The default newtork-isolation.yaml file contained values that conflicted with default network-management.yaml file in the director's Heat templates. If you included the network-isolation.yaml file after the network-management.yaml when creating an Overcloud, the deployment deactivates the Management network. This update refactors these files to avoid conflicts. Now the deployment processes both the network-management.yaml and network-isolationl.yaml in any order without conflict.

The Overcloud uses a fake openstack-core resource to replace keystone (now accessed through httpd). However, the Overcloud did not create openstack-core when using an external load balancer. This caused puppet to fail when creating Pacemaker constraints that required openstack-core. This fix ensures creation of the openstack-core resource for any deployment configuration. The deployment succeeds and creates the needed constraints.

OpenStack Platform 9 deployments require an additional CephX key for the "client.openstack" user. However, the director's command line client does not generate this key for existing deployments and updates the "ceph.openstack" keyring with an empty secret. Before upgrading, generate a new CephX key and pass it to the deployment using the CephClientKey parameter in an environment file. For example:

  parameter_defaults:
    CephClientKey: 'my_cephx_key'

Generate the new key with the following command:

$ ceph-authtool --gen-print-key

The "os-collect-config" service on the Overcloud restarted on an RPM update. This caused Overcloud updates to fail. This fix changes the behavior so that "os-collect-config" does not restart on an RPM update. The Overcloud updates now succeed after an update of "os-collect-config". Note that "os-collect-config" gracefully restarts itself when "os-refresh-config" runs, so the restart on update is not required.