May 02, 2026

Stackers Network Digest — May 02, 2026

35 threads · 65 messages · openstack-announce, openstack-discuss

The Big Picture

With the Hibiscus PTG behind it, the community spent this week digesting the outcomes: a wave of detailed PTG summaries from Nova, the TC, Glance, Tacker, Cyborg, Watcher, and the cross-project eventlet-removal team set the technical agenda for the 2026.2 cycle. Two things demand immediate operator attention, though — an Ironic command-injection CVE that finally got its number, and a coordinated push to prune stale project security teams across OpenStack. Most regular meetings were still in post-PTG recovery mode (Horizon, Kolla, OpenStack-Ansible, Manila all skipped a week).

Security

OSSA-2026-008 / CVE-2026-42510 — Command Injection in Ironic IPMI consoles. Originally published April 27 with a pending CVE, the advisory got errata-1 on April 30 once CVE-2026-42510 was assigned. A project manager marked as a node's node.owner can inject arbitrary commands that the conductor executes on console activation. The good news: no console backends are enabled by default — only installations that set [conductor]/enabled_console_interfaces to ipmitool-shellinabox or ipmitool-socat are vulnerable. Affected Ironic ranges: >=4.3.0 <26.1.6, >=27.0.0 <29.0.5, >=30.0.0 <32.0.1, >=33.0.0 <35.0.1. Patches span Dalmatian through Gazpacho (with courtesy backports to unmaintained Antelope/Caracal). Note: ipmitool-shellinabox is already slated for removal for lack of upstream security support, so operators are urged to stop using it now. Credit to Dmitry Tantsur and Tuomo Tanskanen of the Metal3.io Security Team.
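The advisory reduces to two operator checks: whether a vulnerable console interface is listed in [conductor]/enabled_console_interfaces, and whether the installed Ironic version falls in one of the affected ranges. The Python below is an added example (not code from the advisory or the Ironic project) that answers both from an ironic.conf text and a version string; the configuration snippets, version strings and the function names (assess, is_affected_version, enabled_console_interfaces) are constructed for this example, and the `no-console` value is the interface Ironic ships as its default.

```python
"""Added example: assess an Ironic deployment against OSSA-2026-008 / CVE-2026-42510.

Inputs are an ironic.conf text and the installed Ironic version. Everything
below (sample configs, versions, function names) is constructed for the example.
"""
import configparser
import re

# Console interfaces the advisory names as vulnerable.
VULNERABLE_CONSOLE_INTERFACES = {"ipmitool-shellinabox", "ipmitool-socat"}

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((4, 3, 0), (26, 1, 6)),
    ((27, 0, 0), (29, 0, 5)),
    ((30, 0, 0), (32, 0, 1)),
    ((33, 0, 0), (35, 0, 1)),
]

# Constructed sample: a deployment that enabled the socat console backend.
SAMPLE_CONF = """
[DEFAULT]
enabled_hardware_types = ipmi

[conductor]
enabled_console_interfaces = no-console,ipmitool-socat
"""

# Constructed sample: the default-style configuration with no console backend.
DEFAULT_CONF = """
[conductor]
enabled_console_interfaces = no-console
"""


def parse_version(version: str) -> tuple:
    """Turn '29.0.4' (or '29.0.4.dev3') into (29, 0, 4); pad short versions with zeros."""
    numbers = [int(n) for n in re.findall(r"\d+", version)][:3]
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def is_affected_version(version: str) -> bool:
    """True if the version sits inside any advisory range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def enabled_console_interfaces(conf_text: str) -> set:
    """Read the comma-separated [conductor]/enabled_console_interfaces list from ironic.conf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(conf_text)
    raw = parser.get("conductor", "enabled_console_interfaces", fallback="")
    return {item.strip() for item in raw.split(",") if item.strip()}


def assess(conf_text: str, version: str) -> dict:
    """Combine both checks; a host is vulnerable only when version AND config both match."""
    enabled = enabled_console_interfaces(conf_text)
    exposed = enabled & VULNERABLE_CONSOLE_INTERFACES
    affected = is_affected_version(version)
    return {
        "affected_version": affected,
        "exposed_interfaces": sorted(exposed),
        "vulnerable": affected and bool(exposed),
        # Flag shellinabox separately: it is slated for removal regardless of version.
        "shellinabox_in_use": "ipmitool-shellinabox" in enabled,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "31.0.0"))   # version in range, socat enabled
    print(assess(DEFAULT_CONF, "31.0.0"))  # version in range, but no backend enabled
    print(assess(SAMPLE_CONF, "32.0.1"))   # first fixed release of that series
```

Note that the version check alone is not enough: an in-range release with only `no-console` configured is not exposed, while an exposed configuration on a fixed release is already patched. The shellinabox flag is reported even when the host is otherwise fixed, since that backend is being removed.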

Coresec teams need pruning. Goutham Pacha Ravi (TC chair) raised an uptick in private security-bug reports and called PTLs and security liaisons to clean up Launchpad "core security" groups, which should be a subset of active Gerrit cores. He named specifics: oslo-coresec has lost half its active members, designate-coresec and swift-coresec are bloated with long-inactive people, and unanswered tags on embargoed bugs are a real risk. This is framed as ongoing role hygiene, not a one-time sweep — and it complements Daniel Bengtsson's parallel proposal to review Oslo core-group memberships generally.

Releases & Announcements

The PTG summaries are the substance of the week. Highlights:

  • Nova (2026.2 Hibiscus). The Gazpacho retrospective reported 11 blueprints accepted / ~9.33 implemented (84%) plus 28+ bugfixes — better predictability from accepting fewer, smaller tasks. The team locked a schedule: Spec Review Days May 21 & June 4, Soft Spec Freeze May 28, Hard Spec Freeze June 11, M2 July 2, Feature Freeze at M3 August 27, release end-of-September/early-October. A key clarification: the soft/hard spec freezes now explicitly cover specless blueprints too. Cross-project work with Cinder on assisted volume extend for file-based (NFS) drivers is on the docket.
  • Eventlet removal crossed a milestone: Designate, Neutron, and Cyborg completed full migration in Gazpacho, joining Octavia, Mistral, Ironic, Heat, and Barbican — eight projects now fully eventlet-free. Nova has five of seven services defaulting to threading (console proxies for noVNC/spice/serial are the remaining holdouts); Watcher switched all components to threading by default. Eventlet now supports Python 3.14, and oslo.service added multiprocessing spawn support. Watcher set its own eventlet code removal for early 2027.1 (~November 2026).
  • Glance plans to parallelize multi-store image imports, stop storing S3 credentials in image locations (security), keep Zip/LHA decompression as second-class to gzip, and finish its own eventlet exit.
  • Tacker, Cyborg, and Watcher all posted their cycle plans; Watcher additionally agreed to defer Prometheus removal to stay aligned with Cloudkitty/Aodh and to add a lightweight Aetos test job.

Development & Technical Decisions

Several governance and policy threads advanced. Ghanshyam Mann revived two long-standing RBAC items: a call for a volunteer to build a global auditor (system-level reader) role in Keystone, and a plan to finally remove the enforce_scope config option this cycle (it was meant to go in 2025.2). Operators surfaced concrete bugs worth tracking: an intermittent nova-live-migration-ceph CI failure tied to the ceph orchestrator module (LP 2149965); a Horizon/Neutron dashboard bug where the enable_dhcp checkbox falsely shows true; an Octavia member-add KeyError on Kolla 2025.1; a designate/neutron floating-IP release issue; and a thoughtful operator report of OS-disk corruption on instances after host evacuation (Kolla 2024.1, Ceph RBD), asking whether evacuation timing or Ceph tuning is to blame — an open question with no resolution yet.

Heads Up / Action Needed

  • Nova spec deadlines are firm: Spec Review Days May 21 / June 4, Soft Spec Freeze May 28, Hard Spec Freeze June 11 — and they now cover specless blueprints.
  • Ubuntu 26.04 released April 29, unblocking broader Python 3.14 testing across projects; the eventlet team is asking teams to enable 3.14 jobs to validate compatibility.
  • University Partnership Program still wants 2–4 mentored projects on the etherpad by May 6 (Carnegie Mellon summer cohort starts the week of May 11).
  • Stop using the Ironic ipmitool-shellinabox console interface — it's scheduled for removal and is the vector for CVE-2026-42510.

Community & Events

The TC resumed its regular IRC schedule (April 28) and posted its Hibiscus PTG summary covering university partnerships, community goals, Launchpad hygiene, and a Security SIG/VMT briefing. The Ops Radio Hour recapped its PTG session — communication-channel fragmentation and documentation discoverability were recurring concerns — with the next gathering set for May 29 at 1300 UTC. Outreachy work is underway (an Ironic intern corrected a mis-filed project submission), and Neutron refreshed its tap-as-a-service core group, adding Miro Tomaska and retiring several inactive members.