Stackers Network

April 18, 2026

Stackers Network Digest — April 18, 2026

37 threads · 87 messages · openstack-announce, openstack-discuss

The Big Picture

This was the calm-before-the-storm week: the entire community was packing its bags for the 2026.2 "Hibiscus" Virtual PTG, which kicked off Monday, April 20 and ran through Friday, April 24. Nearly every project team — Nova, Neutron, Kolla, Cinder, Tacker, Masakari, Keystone, Watcher — canceled its regular meeting and pointed people at PTG etherpads instead. So the most consequential threads of the week were the ones that set the agenda for those sessions, plus two security advisories and a project deprecation that operators should not miss.

The single most-discussed thread, by a wide margin, was Sean Mooney's proposal for a minimal "agentic coding scaffold" for OpenStack projects (25 messages across 8 people, tagged tc/tact-sig). The idea is a lightweight, cross-project convention for supporting AI coding assistants in repositories, with early implementations already up for review in Nova and the Watcher Dashboard. Sean deliberately floated it ahead of the PTG to gather feedback, and it became one of the AI-governance topics the TC slated for its Friday session. This dovetails with the OpenInfra Foundation's contributor and maintainer surveys, which now include questions about AI tool usage and its impact on review workflows — those surveys close April 30, so fill them out if you contributed to or core-reviewed Gazpacho.

Security

Two advisories landed, both worth immediate attention:

  • OSSA-2026-007 (Keystone, CVE pending): The LDAP identity backend does not correctly interpret the enabled attribute when user_enabled_invert is False (the default). The result is that users disabled in LDAP can still authenticate — a real authn bypass for anyone running the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation. Affects Keystone >=8.0.0 <25.0.1, >=26.0.0 <26.1.1, >=27.0.0 <27.0.1, >=28.0.0 <28.0.1. Patches are merged for Dalmatian, Epoxy, Flamingo, and Gazpacho (the fix is already in the 29.0.0 release). Reported independently by Benedikt Trefzer (Cirrax) and Andrew Bogott (Wikimedia). Workaround: set user_enabled_invert=True with an inverted-semantics attribute like nsAccountLock.

  • The Vitrage project deprecation (below) and an OVN security-group note that surfaced the following week are also brewing; operators of OVN deployments should watch for OSSN-0095.

Development & Technical Decisions

Python 3.14 / eventlet runway. Sean Mooney shared a "hacky" but working way to do early Python 3.14 Tempest testing by optionally using uv in DevStack to provide a portable interpreter and isolated venvs. A DNM patch pinning Python 3.14 already passed tempest-multinode-full-py3 and swift-dsvm-functional — a meaningful cross-section — though several jobs still hit a known pickle issue in Nova's noVNC proxy. Teams are encouraged to file their own DNM smoke-test patches now to get a baseline ahead of Ubuntu 26.04.

Stop overriding install_command in tox.ini. Stephen Finucane's PSA: use the [testenv] constraints option instead of -c in deps or overriding install_command. The old approaches break with tox-uv (no pip in the venv) and don't apply constraints consistently. He points to the Nova and Cinder patches as templates and recommends giving tox-uv a try for the performance win.

Storage and data-protection ideas. Two notable Cinder threads opened: a proposal to add a Changed Block Tracking (CBT) interface for backup drivers (leveraging Ceph rbd diff and NetApp SnapDiff instead of full-volume SHA256 scans), and a report that Cinder encryption happens at the QEMU layer rather than librbd, with significant overhead — Brian Rosmaita flagged both as good PTG topics. Operators also raised a serious nova-api performance regression after a Caracal→Epoxy upgrade, traced to the new response_body_schema/query_schema validators being hammered by haproxy health checks; disabling those validators restored usability.

Heads Up / Action Needed

  • 2024.2 Dalmatian goes End of Life in ~2 weeks. The release team will tag 2024.2-eol on the tips of stable/2024.2 and then delete those branches. Land any final Dalmatian backports now (topic: dalmatian-eol).
  • Vitrage is being deprecated. The TC formally decided to deprecate Vitrage (no PTL, marked Inactive since 2026.1, excluded from the 2026.1 release). The master branch will be replaced with a placeholder. Critically, several xstatic libraries under Vitrage governance — dagre, dagre-d3, graphlib, lodash, moment — are deprecated alongside it; the Venus dashboard appears to depend on some. If your project consumes these, contact the TC immediately.
  • Zun is shipping broken for 2026.1. Dmitriy Rabotyagov warned that Zun relies on the legacy oslo.db engine facade, which was removed in 2026.1; a fix patch has sat unreviewed for a month. The Zun team needs to merge/backport it.
  • neutron-l2gw needs a Gazpacho release. Thomas Goirand reports 21.0.0 unit tests loop for hours, while tip of master works fine — a tag is requested.

Community & Events

The TC continued cleaning up Launchpad tracker hygiene (12 project teams still owned by individuals rather than ~openstack-admins) and switched governance tracking from Gerrit topics to hashtags. On the ops side, an Ops Radio Hour was set for April 24 (focused on OpenStack observability) as part of the PTG, with a recurring slot pencilled in for May 29. On packaging, RDO confirmed its pivot to containers: no further Epoxy RPMs and none for Hibiscus unless volunteers step up, with Source-to-Image containers planned for Hibiscus — 16+ volunteers (Rocky Linux, CERN, INFN, CSC Finland, and others) have signed on to help bootstrap. Core-team motion continued too, with Manila finalizing its core refresh and nominations open in Ironic (Clif Houck) and OpenStack-Helm (Mathieu Gagné).