April 11, 2026

Stackers Network Digest — April 11, 2026

32 threads · 49 messages · openstack-announce, openstack-discuss

The Big Picture

With OpenStack 2026.1 "Gazpacho" out the door on April 1st, the community spent this week pivoting hard toward two things: the virtual Project Teams Gathering (April 20-24) and the start of the 2026.2 "Hibiscus" cycle. TC chair Goutham Pacha Ravi's weekly summary set the tone, noting Gazpacho landed over ten thousand merged changes from more than 500 contributors — a third straight cycle of growth in both code and people. Underneath the celebration, though, this was a heavy security week: two OpenStack Security Advisories went out, one of them a Keystone privilege-escalation flaw with a real CVE number. Operators should read the Security section first.

Security

Two advisories landed, both worth immediate attention.

OSSA-2026-005 / CVE-2026-33551 (Keystone) is the more serious of the pair. Reported by Maxence Bornecque of Orange Cyberdefense, the flaw lets a user holding only a restricted application credential and the reader role create an EC2/S3 credential that inherits the parent user's full S3 permissions, effectively bypassing the restrictions placed on the application credential. Only deployments that combine restricted application credentials with the EC2/S3 compatibility API (Swift's s3api, formerly swift3) are affected; a quick exposure check is whether s3api sits in your Swift proxy pipeline and whether you issue application credentials with access rules. Affected Keystone versions are >=14.0.0 <26.1.1, plus 27.0.0, 28.0.0 and 29.0.0. Fixes are posted for stable/2024.2 (dalmatian), 2025.1 (epoxy), 2025.2 (flamingo), 2026.1 (gazpacho) and master (hibiscus), and a courtesy backport exists for unmaintained/2024.1 (caracal); anything older is out of support and stays vulnerable. Patch this one.

OSSA-2026-006 (Skyline Console, CVE pending) is a DOM-based XSS reported by Myunghyun Lee (Team Open the Window). The instance console log viewer rendered log content via document.write() without escaping, so anything written to a VM's serial console, which is controlled by whoever runs code inside the guest, is parsed as HTML in the browser of the operator who opens the log. An attacker who owns or has compromised an instance can therefore plant markup that executes script in an admin's session. Affected: skyline-console <5.0.1, ==6.0.0, ==7.0.0. Fixes are merged for dalmatian, epoxy and flamingo, and are included in gazpacho (8.0.0). Until you upgrade, the advisory recommends avoiding the "View Full Log" feature for instances whose console output may be attacker-influenced. The MITRE CVE request was filed March 25 and is still pending.

Releases & Announcements

The R-24 release countdown for Hibiscus has begun, with Thierry Carrez confirming the cycle targets a final release on September 30, 2026. The Gazpacho retrospective also surfaced on OpenInfra Live, with a two-part series (April 2 and April 9) including a deep dive into Ironic features. On the infrastructure side, the OpenDev team had a Gerrit upgrade to 3.12 scheduled for April 12 — check the announcement for behavioral changes before pushing reviews.

Development & Technical Decisions

Venus is being retired. The TC, via Dmitriy Rabotyagov, announced the formal retirement of the Venus log-management project: no PTL for an extended period, marked Inactive since 2026.1, and excluded from that release. Master will be replaced with a placeholder and stable branches EOL-tagged. The door remains open if anyone wants to revive it.

A performance regression in oslo.messaging is the standout operator report. Max Lamprecht traced a ~0.5s-per-RPC-call slowdown after upgrading to 2024.2 — manifesting as volume-attachment API calls jumping from 0.4s to 2.3s and nova-metadata lookups from 0.28s to 2.04s — to a time.sleep(0.5) introduced in oslo.messaging >= 14.8.0 (review 894731). The suggestion is to only apply the sleep when heartbeat_in_pthread=True is set. If you run 2024.2, watch this thread.

Ceph encryption gap. Ravi Sasi Tilak laid out a concrete, well-researched problem: Cinder LUKS encryption runs at the QEMU layer (not librbd), costing 60-80% IOPS, while librbd-native LUKS has no external key-manager integration. There's no clean path today for per-tenant keys plus KMS plus acceptable performance on Ceph RBD — an open architectural question the community has yet to answer.

Brian Haley (Neutron PTL) wants to remove Nova-network compatibility from OpenStackClient (review 981613), but it's blocked with a -2 because some clouds (Rackspace was named) may still rely on it. He's soliciting input on whether ~13 years post-Neutron is long enough to call it obsolete. Stephen Finucane separately flagged that a typed-dependency bump (oslotest, testtools) is breaking mypy gates across many SDK and Oslo deliverables; hold your rechecks until testtools 2.7.0 and the related fixes merge.

Elsewhere: a fresh Keystone-rewrite debate resurfaced ahead of the PTG, with Rabotyagov arguing any Rust reimplementation should go through the emerging-project process as a separate identity project rather than a Keystone replacement, and questioning whether a heterogeneous language helps when features could simply land in the existing Python Keystone.

Heads Up / Action Needed

  • Hold rechecks on SDK/Oslo projects until the testtools/oslotest typing fixes merge.
  • Patch Keystone for CVE-2026-33551 and upgrade Skyline Console for OSSA-2026-006.
  • PTG logistics: the schedule is filling fast on the PTGbot site, registration is free, and the TC is asking teams to front-load cross-project sessions on Monday/Tuesday (eventlet removal, SRBAC, QA, Oslo, SIGs). Cross-project placeholders are forming for Ironic+Neutron (Tue), Ironic+Nova (Thu), and Manila+Nova VirtioFS.
  • Operators' Forum: the TC hosts an Operators' Hour on Monday April 20 at 1700 UTC, with a follow-up Ops Radio Hour on Friday April 24 at 1300 UTC. Add topics to the etherpad even if you can't attend live.
  • Manila core changes: Carlos Silva nominated Anoop Shukla and Maurice Escher to manila-core, and moved Haixin and Victoria Martinez to inactive status.

Community & Events

Beyond the PTG drumbeat, Glance is considering a blueprint for object-storage-backed backup-volume images, and Ildikó Vancsa announced LFX Insights can now filter metrics by OpenStack project team via repository groups (using projects.yaml as the source mapping) — progress on the long-running dashboard complaints. Several teams (Octavia, Horizon, Neutron drivers) cancelled meetings ahead of the PTG.