May 09, 2026
Stackers Network Digest — May 09, 2026
The Big Picture
This was a heavy security week: five OpenStack Security Advisories landed in a single window, hitting Ironic (three times), Cyborg, and Horizon. If you read nothing else, read the Security section and check your exposure. Beyond that, the week was shaped by the aftermath of the Hibiscus PTG — work-item docs, survey follow-ups, and governance cleanup — plus a strong run of operator-focused architecture discussions on bare-metal networking, storage encryption overhead, and storage design. The 2026.2 "Hibiscus" cycle is at R-21/R-20, with milestone-1 approaching.
Security
A remarkable concentration of advisories, all worth triaging against your deployment:
- Ironic — iDRAC molds credential forwarding (OSSA-2026-010 / CVE-2026-42997). Reported by the Metal3.io Security Team (Dmitry Tantsur, Tuomo Tanskanen). When importing an iDRAC configuration mold, a user can cause Ironic to forward authorization — a time-limited Keystone token granting access to everything Ironic is authorized for, or configured molds-storage credentials — to an arbitrary, user-controlled, unvalidated URL. The attacker must already be authenticated with clean/deploy permissions. The molds feature was deprecated in 2024.1 and removed during 2026.2 development; patches span 2023.1 through 2026.1.
- Cyborg — multiple access-control flaws (OSSA-2026-011 / CVE-2026-40213, CVE-2026-40214). Reported by Sean Mooney (Red Hat). Default policy on device/deployable/attribute endpoints uses an unconditional allow, granting any authenticated user access regardless of role or scope; separately, Accelerator Request (ARQ) resources lack project-ownership enforcement, letting any user enumerate, delete, or manipulate other projects' ARQs. All Cyborg deployments are affected. Patches are posted across epoxy, flamingo, and gazpacho.
- Horizon — unauthenticated session flood (OSSA-2026-009 / CVE-2026-43002). Reported by Erichen (Institute of Computing Technology, Chinese Academy of Sciences). The login view stores a post-login redirect URL in a server-side session before authentication, so repeated unauthenticated requests to `/auth/login/?next=URL` each spawn a persistent session entry and can exhaust the backend (Memcached/Redis/DB), evicting legitimate sessions and locking out admins. This is a regression of CVE-2014-8124, introduced in Horizon 25.6.0, and affects only the 2026.1 (Gazpacho) series with the default session configuration. Patch: review 986834.
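The Cyborg item above describes two distinct policy failures: a default rule that is an unconditional allow, and resource endpoints that never compare the caller's project against the resource's owner. The following is an added example (not Cyborg's or oslo.policy's code) that evaluates oslo.policy-style rule strings with a deliberately small evaluator, so the weak defaults can be checked side by side with role- and ownership-scoped rules. The action names, the "hardened" rule set and the sample callers are constructed for illustration and are not the project's actual fix; the system-scoped reader caller also shows how a global read-only persona (the auditor/reader idea discussed later in this digest) gets list access without gaining rights over project-owned resources.

```python
"""Simplified evaluator for oslo.policy-style rule strings.  Added example:
neither Cyborg's nor oslo.policy's code.  Supported syntax: '@' or '' (always
allow), '!' (always deny), 'role:<name>', 'project_id:%(project_id)s' (the
target must belong to the caller's project), 'rule:<name>' references, and
'and' / 'or' with 'and' binding tighter (no parentheses)."""


class PolicyNotAuthorized(Exception):
    pass


def _check_term(term, creds, target, rules):
    term = term.strip()
    if term in ("", "@"):
        return True
    if term == "!":
        return False
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "rule":
        return _check_rule(rules[value], creds, target, rules)
    if kind in ("project_id", "user_id"):
        # '%(project_id)s' is expanded against the target object; a caller
        # without that attribute (e.g. a system-scoped token) never matches.
        expected = value % target
        return creds.get(kind) is not None and creds[kind] == expected
    raise ValueError("unsupported check: %r" % term)


def _check_rule(rule, creds, target, rules):
    return any(all(_check_term(t, creds, target, rules) for t in conj.split(" and "))
               for conj in rule.split(" or "))


def enforce(rules, action, creds, target):
    if not _check_rule(rules[action], creds, target, rules):
        raise PolicyNotAuthorized(action)
    return True


def allowed(rules, action, creds, target):
    try:
        return enforce(rules, action, creds, target)
    except PolicyNotAuthorized:
        return False


# The flaw the advisory describes: defaults that let any authenticated caller
# through, with no role, scope or ownership condition.  Action names are
# illustrative, not Cyborg's real policy names.
WEAK_DEFAULTS = {
    "cyborg:device:get_all": "@",
    "cyborg:arq:get_all": "@",
    "cyborg:arq:delete": "@",
}

# Hardened defaults (assumed shape, not the project's actual fix): readers may
# list devices; ARQs are only visible to or deletable by an admin or the
# owning project.
HARDENED_DEFAULTS = {
    "admin": "role:admin",
    "owner": "project_id:%(project_id)s",
    "admin_or_owner": "rule:admin or rule:owner",
    "cyborg:device:get_all": "role:admin or role:reader",
    "cyborg:arq:get_all": "rule:admin_or_owner",
    "cyborg:arq:delete": "rule:admin_or_owner",
}

# Constructed callers and resources.
ARQ_OF_P1 = {"project_id": "p1"}
OWNER = {"roles": ["member", "reader"], "project_id": "p1"}
OTHER_PROJECT = {"roles": ["member", "reader"], "project_id": "p2"}
NO_ROLE = {"roles": [], "project_id": "p3"}            # authenticated, no role
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}

if __name__ == "__main__":
    for who, creds in (("other project", OTHER_PROJECT), ("owner", OWNER)):
        print(who, "may delete p1's ARQ: weak =",
              allowed(WEAK_DEFAULTS, "cyborg:arq:delete", creds, ARQ_OF_P1),
              "hardened =",
              allowed(HARDENED_DEFAULTS, "cyborg:arq:delete", creds, ARQ_OF_P1))
```

The check to run against a real deployment is the same shape: take the effective policy (`oslopolicy-policy-generator` output for the service) and confirm that every rule on a project-owned resource contains an ownership or admin term, and that no default collapses to `@` or an empty string.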
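The Horizon item turns on one detail: a server-side session entry is created for a request that has not authenticated. The following is an added example (not Horizon's or Django's code, and not the content of review 986834) that models the mechanism against a constructed, bounded in-memory session store standing in for Memcached/Redis, with the pre-authentication write beside a view that keeps anonymous requests stateless. The eviction policy and the `safe_next` validation are assumptions for illustration.

```python
"""Model of the Horizon session-flood regression (the CVE-2014-8124 class).
Added example, not Horizon's or Django's code.  The session store is a
constructed stand-in for a bounded cache backend that evicts its oldest
entry when full."""
from collections import OrderedDict
import secrets


class BoundedSessionStore:
    """Oldest-first eviction once `capacity` is exceeded."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._sessions = OrderedDict()

    def create(self, data):
        key = secrets.token_hex(16)
        self._sessions[key] = dict(data)
        while len(self._sessions) > self.capacity:
            self._sessions.popitem(last=False)   # evict the oldest session
        return key

    def __contains__(self, key):
        return key in self._sessions

    def __len__(self):
        return len(self._sessions)


def safe_next(url):
    """Accept only a same-origin path as the post-login redirect target."""
    if url.startswith("/") and not url.startswith("//") and "\\" not in url:
        return url
    return "/"


def login_get_vulnerable(store, next_url, user=None):
    """GET /auth/login/?next=URL: the redirect target is written server-side
    *before* authentication, so every anonymous request costs one entry."""
    return store.create({"next": next_url, "user": user})


def login_get_hardened(store, next_url, user=None):
    """Same view with no server-side state for anonymous requests: the
    validated `next` is carried in the form/query string, and a session is
    only created once a login has succeeded."""
    if user is None:
        return None
    return store.create({"next": safe_next(next_url), "user": user})


def flood_evicts_admin(view, capacity=50, requests=200):
    """Log an admin in, then send `requests` anonymous GETs through `view`.
    Returns True if the flood evicted the admin's session."""
    store = BoundedSessionStore(capacity)
    admin_key = store.create({"user": "admin", "next": "/admin/"})
    for i in range(requests):
        view(store, "/project/?%d" % i)
    return admin_key not in store


if __name__ == "__main__":
    print("vulnerable view evicts admin:", flood_evicts_admin(login_get_vulnerable))
    print("hardened view evicts admin:", flood_evicts_admin(login_get_hardened))
```

The operational check is the same as the model: watch session-key count in the backend while an unauthenticated client loops over the login URL; if the count climbs with the request rate, the view is writing before authentication.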
That's three Ironic-adjacent CVEs in close succession (the other two land in next week's window), reinforcing that bare-metal operators need to stay on top of patching.
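The Ironic molds advisory is an instance of a general rule: a service that fetches from a URL supplied by a lower-privileged user must not attach its own credentials unless the URL points at the storage it was configured for, and must refuse the fetch outright otherwise (an unauthenticated fetch of attacker-chosen URLs is still server-side request forgery). The following is an added example, not Ironic's code; the configured storage URL and the header name are illustrative assumptions.

```python
"""Origin guard for credential forwarding.  Added example, not Ironic's code."""
from urllib.parse import urlsplit


def origin(url):
    """(scheme, host, port) of `url`.  `hostname` excludes any userinfo, so
    'https://molds.example@attacker.example/' resolves to attacker.example
    rather than to the name in front of the '@'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def credentials_permitted(url, storage_url):
    """True only for an https URL on exactly the configured storage origin."""
    try:
        target, configured = origin(url), origin(storage_url)
    except ValueError:        # includes a non-numeric port from .port
        return False
    return target == configured and target[0] == "https"


def mold_fetch_headers(url, storage_url, token):
    """Headers for fetching a mold, or None when the fetch must be refused
    rather than performed without credentials (the URL is still user input)."""
    if not credentials_permitted(url, storage_url):
        return None
    return {"X-Auth-Token": token}


STORAGE_URL = "https://molds.example/ironic/"   # assumed configured storage

if __name__ == "__main__":
    for candidate in ("https://molds.example/ironic/r640.json",
                      "https://molds.example@attacker.example/r640.json",
                      "http://molds.example/ironic/r640.json"):
        print(candidate, "->", mold_fetch_headers(candidate, STORAGE_URL, "tok"))
```

Comparing the whole origin tuple rather than a hostname substring is what defeats the userinfo and port tricks; a path-prefix check on the configured storage path can be layered on top where the storage layout is fixed.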
A bigger question behind the CVEs. Michael Still opened a thread arguing that the steady stream of qemu-img vulnerabilities — he lists five recent OSSAs — suggests the "patch gaps as we find them" strategy isn't paying off. His proposal, "Instar," offloads untrusted-image processing into a locked-down KVM guest with a custom VMM that has no filesystem or network access, leaning on hardware isolation for memory safety and sandboxing. (He notes Claude Code wrote most of it.) It sparked an extended design discussion. Separately, Sylvain Bauza and John Garbutt pruned inactive members from the nova-coresec team — a reminder that security-response groups need active maintenance.
Development & Technical Decisions
Bare-metal VXLAN networking. Doug Goldstein laid out a substantive design proposal for multi-fabric / disjoint VNI-pool VXLAN support in Neutron. Today Ironic+Neutron work well for flat and VLAN networks (Metal³ being a downstream success), but Neutron's VXLAN model assumes a seamless overlay over a fully-connected underlay — which isn't reality in spine-leaf bare-metal environments where the underlay itself is being provisioned. Progress exists (a documented EVPN-VXLAN model and a generic L2VNI mechanism driver in networking-baremetal), but multi-fabric and fabric-to-fabric EVPN type-5 routing are gaps. Goldstein shared draft design docs and is clearly looking for collaborators.
Storage encryption overhead, quantified. A detailed benchmark from rsasitilak0987 (correcting an earlier flawed run) compared plain vs. QEMU-LUKS vs. librbd-LUKS volumes with CPU pinning. The finding: at small block sizes the difference is noise, but at 1M block sizes the QEMU encryption path loses ~43% on reads and ~23% on writes, while librbd-LUKS stays within a few percent of plain — because QEMU encrypts serially on one thread while librbd parallelizes per-object. The poster is seeking direction on moving Cinder/Nova toward the librbd path for encrypted volumes.
RBAC global auditor/reader. Franciszek Przewoźny and Julia Kreger continued a thread on a system-scoped read-only "auditor/reader" persona for cross-project audit access — the same idea the TC is tracking as likely post-goal Keystone work. Notably, openstack-exporter can already consume system-scoped roles, so the gap is mostly on the OpenStack side.
pbr at runtime. Doug Goldstein proposed dropping pbr as a runtime dependency (keeping it for builds), since `pbr.version.VersionInfo()` is now mostly a wrapper around `importlib.metadata` and OpenStack code paths use helpers that drop the git-commit info pbr provides. fungi and clarkb noted that `pbr.json` still carries git metadata that `importlib.metadata` wouldn't — a genuine tradeoff, deferred to the list for broader discussion.
Other operator threads of note: a kolla-ansible multinode deployment where core services silently weren't deploying; instance OS-disk corruption on host failure via Masakari/nova-evacuate and RBD locks (raising whether STONITH is effectively required); and advice-seeking on operating heterogeneous storage (mixed FC/Ceph connectivity breaking resize and evacuate).
Heads Up / Action Needed
- Secure RBAC: `enforce_scope` removal. Ghanshyam Mann explicitly tagged the five lagging projects (Cinder, Tacker, Aetos, Aodh, Barbican) that still have `enforce_scope` disabled. The flag is slated for removal at milestone-2 (July 3); those teams must get policy, code, and tests green with scope enforcement. Test patches are already pushed.
- Release notes job change: Stephen Finucane warned that `build-openstack-releasenotes` is switching to invoke tox like every other docs job. This should be a no-op if your repo has a working `releasenotes` tox testenv; verify yours does.
- Release countdown R-20 (Thierry Carrez) is out; milestone deadlines are firming up.
Community & Events
PTG follow-through dominated: Ironic published its 2026.2 work-items spec (Jay Faulkner, with a video summary on the GR-OSS YouTube channel), and Allison Price kicked off revamping the OpenStack User Survey, collecting feedback through mid-July for the August update and calling for volunteers. Michał Nasiadka formally proposed reviving the Ansible SIG — co-chairing with Dmitriy Rabotyagov and Doug Goldstein — to rescue the largely unmaintained ansible-collections-openstack collection that both Kolla and OpenStack-Ansible depend on. The TC echoed the concern, noting tagged Galaxy releases are stalled and only Artem Goncharov remains active on it. Oslo core-group membership is being reviewed (Herve Beraud), and the Tacker IRC meeting was skipped for Japanese holidays. The bi-weekly Public Cloud SIG met May 6.