May 16, 2026
Stackers Network Digest — May 16, 2026
The Big Picture
One thread dominated the week: a formal proposal to make Rust an official OpenStack language, driven by the argument that Keystone has become a scaling bottleneck. With 32 messages and 16 participants, it was by far the most active discussion and touches a strategic nerve about OpenStack's future architecture. Alongside it, security was again front and center — a fresh Ironic remote-code-execution advisory landed, and the community continued a substantive conversation about how to actually work on embargoed security fixes. The TC marked milestone-1 of the 2026.2 "Hibiscus" cycle (now ~20 weeks out) and pushed the Secure RBAC goal toward a concrete deadline.
Security
Ironic RCE when the Anaconda driver is enabled (OSSA-2026-012 / CVE-2026-44916). Jay Faulkner announced a vulnerability reported by Dmitry Tantsur (Red Hat) and Tuomo Tanskanen (Ericsson) of the Metal3.io Security Team: users who can set node.instance_info['ks_template'] can achieve remote code execution on the ironic-conductor process, because the kickstart template is rendered without sandboxing. Default configurations are not vulnerable — the risk exists only where operators have enabled the anaconda deploy interface via [conductor]/enabled_deploy_interfaces and allow untrusted users to modify node.instance_info. Affected ranges span Ironic >=17.0.0 <26.1.7 and several later bands; patches are posted from 2025.1/epoxy through 2026.1/gazpacho plus bugfix branches. Note that 2023.2/bobcat and 2024.2/dalmatian are EOL and received no patches.
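The advisory's exposure conditions are mechanical enough to check from a config file, so here is an added audit snippet (not part of the digest, the advisory, or Ironic's own code) that reads the `[conductor]/enabled_deploy_interfaces` setting from an ironic.conf fragment and compares the running version against the affected band quoted above. The configuration texts are constructed samples, and only the `>=17.0.0 <26.1.7` band named in the digest is encoded; the advisory's later bands must be copied in from the advisory itself.

```python
"""Exposure check for OSSA-2026-012: anaconda enabled and version in an affected band?"""
import configparser
from typing import Dict, List, Tuple

# Band quoted in the digest. The advisory also names "several later bands" that are not
# reproduced here; copy them from the advisory before relying on this check.
AFFECTED_BANDS: List[Tuple[str, str]] = [("17.0.0", "26.1.7")]  # inclusive lower, exclusive upper

# Constructed ironic.conf fragments for demonstration, not real deployment configs.
EXPOSED_CONF = """
[DEFAULT]
debug = False

[conductor]
# anaconda is opt-in; listing it here is what makes a deployment reachable by this bug
enabled_deploy_interfaces = direct,anaconda
"""

DEFAULT_CONF = """
[DEFAULT]
debug = False

[conductor]
#enabled_deploy_interfaces = direct,anaconda
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '26.1.7' into (26, 1, 7) so bands can be compared as tuples."""
    return tuple(int(part) for part in version.strip().split("."))


def version_in_affected_band(version: str) -> bool:
    """True when the version falls in any [lower, upper) band from the advisory."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi) for lo, hi in AFFECTED_BANDS)


def enabled_deploy_interfaces(conf_text: str) -> List[str]:
    """Read [conductor]/enabled_deploy_interfaces; commented-out lines count as unset."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get("conductor", "enabled_deploy_interfaces", fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def assess_exposure(conf_text: str, version: str) -> Dict[str, object]:
    """Combine the two file-level conditions from the advisory into one verdict."""
    interfaces = enabled_deploy_interfaces(conf_text)
    anaconda_enabled = "anaconda" in interfaces
    version_affected = version_in_affected_band(version)
    return {
        "deploy_interfaces": interfaces,
        "anaconda_enabled": anaconda_enabled,
        "version_affected": version_affected,
        # Real exposure also requires that untrusted users can write node.instance_info;
        # that is a policy question this file-level check cannot answer on its own.
        "exposed": anaconda_enabled and version_affected,
    }


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("default", DEFAULT_CONF)):
        print(label, assess_exposure(conf, "25.0.0"))
```

The check deliberately reports the two conditions separately as well as the combined verdict: a deployment on an affected version with anaconda disabled is not reachable by this bug, which is the same distinction the advisory draws for default configurations.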
How do we even work on security fixes? Artem Goncharov opened a thoughtful, well-attended thread on the chronic friction of security work: you can't realistically run all test suites locally before an embargoed change merges, and preparing backports across stable branches is, in his words, "like a chess game." He floated the idea of Gerrit private changes — pushing a fix visible only to a controlled set of users — so the normal cherry-pick-and-see-conflicts workflow could be used while keeping the work embargoed, with the open question of how to safely run Zuul jobs against private changes. Worth following if you do VMT or coresec work.
PQC and TLS hardening momentum. Barbican PTL Mauricio Harley announced a new #openstack-pqc channel (OFTC/Matrix) to coordinate Post-Quantum Cryptography migration across Barbican, Keystone, Castellan, Oslo, openstacksdk and others — tracking the RSA/DSA → ML-KEM/ML-DSA transition and upstream pyca/cryptography support. Separately, Julia Kreger proposed adding TLS version and cipher controls to Ironic, asking whether the default should be TLS 1.3 for the API, JSON-RPC, and IPA paths, while leaving Redfish BMC access without a default (since vendors still lean on TLS 1.2/1.1).
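To make the shape of Julia Kreger's proposal concrete, here is an added example (not Ironic's code and not from the thread) expressed with Python's standard `ssl` module: the API, JSON-RPC and IPA listeners get a TLS 1.3 floor by default, while the Redfish client context gets no floor unless the operator sets one. The option value strings, function names and the `default_profile` table are assumptions made for this illustration; the page does not give Ironic's actual option names.

```python
"""Per-path TLS floors: a 1.3 default for service listeners, none for Redfish BMC access."""
import ssl
from typing import Dict, Optional

# Operator-facing version names (assumed spelling) mapped to ssl.TLSVersion values.
TLS_VERSIONS: Dict[str, ssl.TLSVersion] = {
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_tls_version(name: str) -> ssl.TLSVersion:
    """Reject unknown values early rather than silently falling back to a weaker floor."""
    try:
        return TLS_VERSIONS[name]
    except KeyError:
        raise ValueError(
            f"unsupported TLS version {name!r}; expected one of {sorted(TLS_VERSIONS)}"
        ) from None


def make_service_context(min_version: str = "TLSv1.3", ciphers: Optional[str] = None) -> ssl.SSLContext:
    """Server context for the API, JSON-RPC and IPA paths: TLS 1.3 floor unless overridden."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = parse_tls_version(min_version)
    if ciphers:
        # OpenSSL cipher strings govern TLS <= 1.2 suites only; TLS 1.3 suites are fixed
        # separately, so this matters only when an operator lowers the floor.
        ctx.set_ciphers(ciphers)
    return ctx


def make_bmc_client_context(min_version: Optional[str] = None) -> ssl.SSLContext:
    """Client context for Redfish BMC access: no forced floor, since vendors still ship
    TLS 1.2/1.1 firmware; the operator opts into a floor explicitly."""
    ctx = ssl.create_default_context()
    if min_version is not None:
        ctx.minimum_version = parse_tls_version(min_version)
    return ctx


def default_profile() -> Dict[str, Optional[str]]:
    """The defaults the proposal asks about, as one table (assumed path names)."""
    return {"api": "TLSv1.3", "json_rpc": "TLSv1.3", "ipa": "TLSv1.3", "redfish": None}


def build_contexts(profile: Dict[str, Optional[str]]) -> Dict[str, ssl.SSLContext]:
    """Only the Redfish path is a client with no default floor; everything else is a server."""
    contexts: Dict[str, ssl.SSLContext] = {}
    for path, floor in profile.items():
        if path == "redfish":
            contexts[path] = make_bmc_client_context(floor)
        else:
            contexts[path] = make_service_context(floor or "TLSv1.3")
    return contexts


def floor_name(ctx: ssl.SSLContext) -> Optional[str]:
    """Reverse lookup for audit output: which named floor a context carries, if any."""
    for name, value in TLS_VERSIONS.items():
        if ctx.minimum_version == value:
            return name
    return None


if __name__ == "__main__":
    for path, ctx in build_contexts(default_profile()).items():
        print(f"{path:9s} minimum TLS: {floor_name(ctx)}")
```

The asymmetry in `build_contexts` is the whole point of the proposal: a hard floor is cheap on paths Ironic controls both ends of, while a forced floor on the BMC side would cut off hardware that only speaks older versions.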
Development & Technical Decisions
Rust as an official language. JP Jung's Step-1 use-case proposal makes a pointed argument: Keystone sits in the hot path of every API call, and token validation, policy evaluation, and crypto are CPU-bound — exactly where Python (and the GIL) hurt. The pitch leans on the community-wide Eventlet Removal Initiative (a major Hibiscus effort), notes asyncio doesn't help CPU-bound work, and argues that WSGI fundamentally can't do application-level mTLS, which regulated operators (PCI-DSS 4.0, NIST 800-207) increasingly need. The thread cites the 2017 precedent of approving Go for Swift and argues Rust over Go specifically. With 16 participants, this is very much an open debate, not a settled decision — but it's the clearest signal yet that Keystone performance is being treated as a strategic problem rather than a tuning exercise. This is a TC-track conversation (the formal two-step language-addition process); contributors with strong views should weigh in now.
Untrusted disk images, continued. Artem Goncharov and others kept refining last week's discussion (kicked off by Michael Still's "Instar" experiment) about whether there's a fundamentally safer approach to processing untrusted images than qemu-img.
OVS-to-OVN migration tooling. Eduardo Morais proposed contributing a migration utility to Kolla-Ansible for transitioning deployments from OVS to OVN — a recurring operator pain point. Aydin Tabatabaei separately proposed native Dell Unity Cinder-backend support in Kolla-Ansible and raised that VLAN provider networks (network_vlan_ranges) aren't enabled by default in ml2_conf.ini, offering three approaches and asking the team's preference.
AI in the review loop. Richard Cruise described a set of AI-assisted agents (bug triage, reproduction, fix proposal, code review, CI failure analysis) built model-agnostically, and announced he's trialing the code-review agent posting feedback to Gerrit under his own name, clearly labeled as AI-generated and with voting disabled. This dovetails with the OpenInfra contributor/maintainer survey results Ildiko Vancsa shared, which found maintainers cautiously adopting AI while review attention remains the single biggest pain point across nearly every project.
Heads Up / Action Needed
- Secure RBAC deadline: Ghanshyam Mann posted a plan to remove the enforce_scope config option by milestone-2 (July 3). Five projects still have it disabled — Cinder, Tacker, Aetos, Aodh, and Barbican — and need to fix policy/code/tests before then. Maintainers of those projects: this is your action item.
- Neutron split-services regression: Lajos Katona is helping triage DHCP/L3 agent MessagingTimeout errors under the new neutron-rpc-server split in 2026.1, with eventlet monkey-patch warnings appearing in logs — file a Launchpad bug if you hit it.
- VirtualPDU is being retired (Ironic ecosystem); tracking etherpad and retirement patches are up.
- Nova patches seeking owners: Pavlo Shchelokovskyy offered to pick up the local-disk-encryption patch chain; an Ampere contributor is working on AARCH64 SMBIOS export so cloud-init detects OpenStack.
Community & Events
The Cinder Festival of Reviews ran Friday, May 15. The Horizon weekly meeting on May 20 was cancelled (PTO). On governance, the TC confirmed Venus retirement and Vitrage deprecation are proceeding, the PQC Migration pop-up team proposal merged, and Sylvain Bauza's TaCT SIG agentic-workflows repo merged — though his separate AGENTS.md community-goal proposal was abandoned after Gerrit pushback, with consensus that agentic tooling should stay opt-in and informal. Kolla core/reviewer membership changes also continued, with Michal Arbet gracefully accepting a downgrade after a stretch of heavy downstream operational work.