Stackers

Your weekly TL;DR of everything happening in the OpenStack community

Latest issue · May 23, 2026

Stackers Digest — May 23, 2026

30 threads · 84 messages · openstack-announce, openstack-discuss

The Big Picture

A quieter, deployment-flavored week on the lists, bracketed by a holiday-shortened calendar in Europe and dominated by two threads worth your attention: a new Ironic CVE, and OVHcloud arriving on-list to propose building VPC, VPNaaS and WAFaaS services upstream from the start. Kolla-Ansible operators were the most vocal group of the week, with a cluster of practical questions about TLS rotation, inventories, and low-downtime upgrades. The Technical Committee continues its steady march toward the 2026.2 "Hibiscus" release, now 19 weeks out.

Security

Ironic ships another DoS fix (OSSA-2026-013 / CVE-2026-44919). Jay Faulkner announced a denial-of-service flaw in Ironic's image-handling path: an authenticated, authorized user can request a deployment pointing at a special file such as file:///dev/zero, and Ironic's auto-checksum behavior will happily try to checksum it, pinning a conductor thread. Repeated requests exhaust the conductor thread pool until the service is restarted. The bug was introduced as a follow-up softening of CVE-2024-47211, and was reported by Erichen of the Institute of Computing Technology, Chinese Academy of Sciences. Affected ranges are Ironic >=23.0.4 <29.0.6, >=30.0.0 <32.0.2, and >=33.0.0 <35.0.2; patches are posted across every supported branch from 2025.1/epoxy through 2026.2/hibiscus plus the bugfix branches. If you run Ironic with users who can write to node.instance_info, patch promptly.

This is the third Ironic advisory in roughly two weeks (following last week's RCE and the iDRAC molds credential-forwarding issue). Operators should treat Ironic patching as an active, ongoing task rather than a one-off.
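For operators triaging the advisory above, an added Python sketch (not Ironic's code and not the upstream patch): it checks a version string against the affected ranges quoted in this issue, and shows a pre-checksum guard that refuses non-regular files. The function names and the size cap are assumptions made for illustration, and version strings are assumed to be plain dotted integers.

```python
import hashlib
import os
import stat
from urllib.parse import unquote, urlparse

# Affected ranges quoted in the digest above, as [first_bad, first_fixed).
AFFECTED = [((23, 0, 4), (29, 0, 6)),
            ((30, 0, 0), (32, 0, 2)),
            ((33, 0, 0), (35, 0, 2))]
MAX_IMAGE_BYTES = 64 * 1024**3  # assumed cap for this sketch


def is_affected(version):
    """True if an 'X.Y.Z' Ironic version falls inside an affected range."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return any(low <= v < high for low, high in AFFECTED)


def checksum_local_image(url, max_bytes=MAX_IMAGE_BYTES):
    """SHA-256 a file:// image, refusing anything that is not a regular file.

    Hypothetical guard: devices such as /dev/zero never reach EOF, so an
    unchecked hash loop would occupy its worker thread indefinitely.
    """
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError("not a file:// URL")
    # O_NONBLOCK stops open() hanging on a FIFO; fstat() the descriptor so
    # the type check and the read apply to the same object (no TOCTOU gap).
    fd = os.open(unquote(parsed.path), os.O_RDONLY | os.O_NONBLOCK)
    with os.fdopen(fd, "rb") as fh:
        if not stat.S_ISREG(os.fstat(fh.fileno()).st_mode):
            raise ValueError("not a regular file")
        digest, seen = hashlib.sha256(), 0
        while chunk := fh.read(1 << 20):
            seen += len(chunk)
            if seen > max_bytes:  # bound the work even for regular files
                raise ValueError("image exceeds size cap")
            digest.update(chunk)
    return digest.hexdigest()
```
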

Releases & Announcements

There were no coordinated release announcements this week. The TC's weekly summary (R-19) from Goutham Pacha Ravi noted no new governance changes merged, but flagged a batch of in-flight proposals from Stephen Finucane reworking the Python Testing Interface (PTI) — covering dependency groups, release notes, and the Python testing guide. If you maintain tox configuration in your repos, these are worth reviewing before they land.

Development & Technical Decisions

OVHcloud wants to build VPC, VPNaaS and WAFaaS upstream. The most strategically interesting thread came from Xavier Nicolle, who leads OVHcloud's Public Cloud Infrastructure team. He posted an umbrella message — followed by a dedicated thread on the first topic — announcing engineering work in three areas the team wants to do upstream from day one. The headline piece is a VPC object service, codenamed "Orion." OVHcloud's framing is deliberately conservative: a router stays a router, Neutron keeps owning the networking implementation, and Orion would own only the VPC object itself as a first-class, cross-region-aware resource so that VPC peering between regions finally has a natural home. The scope is the familiar hyperscaler primitive set: route tables, NAT gateways, private DNS, security groups, floating IPs, and load-balancer integration. The team is explicitly asking the community two things: which in-flight specs or retired projects they should join rather than restart, and whether the tenant-facing surface belongs on a provider API, a new OpenStack-side surface, or somewhere else — the point they say they are least sure about. The other two topics (a modern VPNaaS and a WAFaaS) are promised in follow-up threads. This is a rare, well-telegraphed offer of upstream engineering effort from a major public cloud; Neutron and Octavia contributors should engage early.

Cinder grows its core team. Jon Bernard opened nominations for two new Cinder cores — Erlon R. Cruz and Anthony Gamboa — citing consistent, well-explained review feedback and strong PTG/midcycle presence. Both threads follow the usual one-week lazy-consensus window. Separately, Erlon Cruz and Pure Storage's Brian continued the os-brick discussion on avoiding redundant rescans on target-driven-rescan arrays, with Erlon asking other storage vendors to weigh in on whether an opt-in mechanism would benefit them and how much it actually speeds up attachments.

Untrusted image handling, continued. Dan Smith carried forward the broader debate (running across recent weeks) about safer handling of untrusted disk images than qemu-img, making the point that Glance never needs to stage an image on disk to inspect it — it can examine the stream as it proxies to the backing store and abort a bad qcow2 after a few KiB.
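The stream-inspection idea above, as an added Python sketch (not Glance's code): it holds back the first 104 bytes of an upload, parses the qcow2 header fields, and aborts before anything reaches the store if the image references a backing file or external data file or declares an oversized virtual disk. `proxy_image`, `store_write`, `make_header` and the size limit are hypothetical names and values, and the sample header is constructed.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
HEADER_LEN = 104             # fixed part of a version 3 header
EXTERNAL_DATA_FILE = 1 << 2  # incompatible-features bit 2


class UnsafeImage(Exception):
    """Raised as soon as the header shows the image must not be accepted."""


def make_header(version=3, backing_off=0, vsize=1 << 30, incompat=0):
    """Constructed sample header for the demo, not a complete image."""
    head = QCOW2_MAGIC + struct.pack(">IQIIQ", version, backing_off, 0, 16, vsize)
    return head.ljust(72, b"\0") + struct.pack(">Q", incompat) + b"\0" * 24


def check_qcow2_header(head, max_virtual_size):
    if head[:4] != QCOW2_MAGIC:
        raise UnsafeImage("not qcow2")
    # Big-endian: version, backing_file_offset, backing_file_size,
    # cluster_bits, virtual size (bytes 4..31 of the header).
    version, backing_off, _, _, vsize = struct.unpack(">IQIIQ", head[4:32])
    if version not in (2, 3):
        raise UnsafeImage("unknown qcow2 version")
    if backing_off != 0:
        raise UnsafeImage("references a backing file")
    if vsize > max_virtual_size:
        raise UnsafeImage("virtual size over limit")
    if version == 3 and struct.unpack(">Q", head[72:80])[0] & EXTERNAL_DATA_FILE:
        raise UnsafeImage("references an external data file")


def proxy_image(chunks, store_write, max_virtual_size=1 << 40):
    """Forward chunks to store_write; nothing is stored until the header
    passes. Returns the number of bytes forwarded."""
    pending, verified, sent = b"", False, 0
    for chunk in chunks:
        if not verified:
            pending += chunk
            if len(pending) < HEADER_LEN:
                continue
            check_qcow2_header(pending[:HEADER_LEN], max_virtual_size)
            chunk, verified = pending, True
        store_write(chunk)
        sent += len(chunk)
    if not verified:
        raise UnsafeImage("stream shorter than a qcow2 header")
    return sent
```
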

Nova core-team capacity. René Ribaud, wearing both PTL and contributor hats, continued an open and notably candid thread re-evaluating his own candidacy for Nova core, using it to surface a broader point: Nova has a review-capacity challenge and could benefit from a more deliberate approach to growing the core team.

Heads Up / Action Needed

  • Gate blockage: Ghanshyam Maan and melanie witt reported the Tempest gate is blocked — the tempest-slow-py3 job is failing 100% on test_server_volume_attachment, which is also taking down nova-next. A bug (Launchpad #2153382) is filed; hold rechecks until it's fixed. This touches Cinder, Nova, and QA.
  • Cinder core votes close after one week — speak up if you have objections to the Cruz or Gamboa nominations.
  • PTI governance patches need maintainer eyes if your repo manages its own tox config.

Community & Events

A long European holiday weekend thinned the calendar: the Neutron drivers and CI meetings (May 22 and 25), the Octavia weekly, and the Nova upstream meeting (May 25) were all cancelled. Jay Faulkner published a video summary of Ironic's 2026.2 PTG work items on the G-Research OSS YouTube channel. The Public Cloud SIG met on May 20 — chair Kees Meijs was travelling to the SCS Summit in Berlin and floated "coping with zero-day exploits" as a discussion topic, a fitting note given the week's Ironic advisory. On the operator front, kolla-ansible questions dominated: TLS certificate rotation with moving VIPs, lowest-downtime VM upgrades from 2025.1 to 2025.2 (with a reminder to do the redis-to-valkey migration first), inventory/group-vars layout, and several documentation-clarity complaints that may be worth filing as docs bugs.
