May 23, 2026

Stackers Network Digest — May 23, 2026

30 threads · 84 messages · openstack-announce, openstack-discuss

The Big Picture

The week's headline item is a fresh Ironic security advisory (OSSA-2026-013 / CVE-2026-44919) with patches across every supported branch, alongside a notable strategic signal from OVHcloud, which has opened upstream discussions about contributing a VPC object service, modern VPNaaS, and WAFaaS. Meanwhile, the Tempest / nova-next gate is fully blocked, Cinder is growing its core team, and operators — particularly new kolla-ansible adopters — flooded the list with deployment, TLS, and upgrade questions.

Security

OSSA-2026-013 / CVE-2026-44919 — Jay Faulkner published an advisory for a denial-of-service in Ironic's image handling. An authenticated user with permission to write node.instance_info can request deployment of a special file path such as file:///dev/zero; auto-checksum runs before the path check, consuming a conductor thread. Repeated requests exhaust the conductor pool until the service is restarted. The flaw was introduced as a softening of CVE-2024-47211. Affected versions: Ironic >=23.0.4 <29.0.6, >=30.0.0 <32.0.2, >=33.0.0 <35.0.2. Patches are available for everything from Antelope through 2026.2/Hibiscus — operators should pull the fix for their branch from the advisory thread. Credit to Erichen of the Institute of Computing Technology, Chinese Academy of Sciences.
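The ordering problem described in the advisory, as an added Python illustration (not Ironic's code; the function names, the allowed-directory policy and the read cap are assumptions made for this example). It compares how many bytes a worker reads before rejecting a request when the checksum runs before the path check and when it runs after.

```python
import hashlib
import os
import stat
from urllib.parse import urlparse

# Added illustration; all names here are hypothetical, not Ironic's code.
CHUNK = 1024 * 1024

def _sha256(path, max_bytes):
    """Hash at most max_bytes of path; return (hexdigest, bytes_read)."""
    digest, seen = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while seen < max_bytes and (block := fh.read(min(CHUNK, max_bytes - seen))):
            digest.update(block)
            seen += len(block)
    return digest.hexdigest(), seen

def validate_file_url(url, allowed_dirs):
    """Return the resolved path, or raise ValueError without reading any data."""
    parsed = urlparse(url)
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        raise ValueError("not a local file:// URL")
    path = os.path.realpath(parsed.path)  # resolve symlinks before checking
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        raise ValueError("cannot stat %s" % path) from exc
    if not stat.S_ISREG(mode):  # rejects character devices such as /dev/zero
        raise ValueError("not a regular file: %s" % path)
    # allowed_dirs are assumed to be absolute, already-resolved directories
    if not any(os.path.commonpath([path, d]) == d for d in allowed_dirs):
        raise ValueError("outside allowed image directories: %s" % path)
    return path

def checksum_then_validate(url, allowed_dirs, cap):
    """Flawed order: the worker hashes first; cap stands in for 'unbounded'."""
    _, read = _sha256(urlparse(url).path, cap)
    try:
        validate_file_url(url, allowed_dirs)
    except ValueError:
        return ("rejected", read)
    return ("accepted", read)

def validate_then_checksum(url, allowed_dirs, cap):
    """Hardened order: reject before any read; cap also bounds the hash."""
    try:
        path = validate_file_url(url, allowed_dirs)
    except ValueError:
        return ("rejected", 0)
    return ("accepted", _sha256(path, cap)[1])
```

A production check would also fstat the descriptor it opened, so the file cannot be swapped between the check and the read.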

Heads Up / Action Needed

  • Tempest / Cinder / Nova gates blocked. Ghanshyam Maan reported that tempest-slow-py3 is failing 100% on test_server_volume_attachment, and Melanie Witt confirmed nova-next is failing for the same reason. Hold rechecks until bug 2153382 is fixed.
  • Cinder core nominations open one week. Jon Bernard proposed both Erlon R. Cruz and Anthony Gamboa for Cinder core. Objections welcome on-list before the additions are made.
  • TC governance reviews pending. The TC weekly summary highlights a batch of PTI rework patches from Stephen Finucane covering dependency groups, release notes, and the Python testing guide — project maintainers managing tox configs should review the governance changes.
  • Meeting cancellations around the May 25 holiday: Nova upstream meeting, Neutron Drivers (May 22) and CI (May 25), and the next Octavia weekly are all cancelled.

Development & Technical Decisions

OVHcloud signals significant upstream contributions

Xavier Nicolle, unit lead for OVHcloud Public Cloud Infrastructure, posted an umbrella thread outlining three engineering efforts they want to do upstream from the start:

  1. A VPC object service (codename "Orion") — a first-class VPC primitive that Neutron would consume, with cross-region peering as a key driver. The standard hyperscaler primitive set is in scope (route tables, NAT gateways, private DNS, security groups, observability, multi-region). A dedicated follow-up thread asks the community to point out in-flight specs to join rather than restart, and for feedback on whether the tenant-facing surface should be provider-specific or an OpenStack-side API.
  2. A modern VPNaaS — citing the gap between historical Neutron VPNaaS and current tenant expectations.
  3. WAFaaS — aligned with Octavia and Neutron.

This is one of the more substantive new upstream commitments from a major operator in some time; Neutron and Octavia teams will want to engage early.

Cinder / os-brick: avoiding redundant rescans

Erlon Cruz restarted discussion on a Pure-Storage-proposed opt-in to skip redundant SCSI rescans on target-driven-rescan arrays. Erlon wants vendor input and concrete attachment-time measurements before any default behavior change — arguing LUN provisioning, not the rescan, usually dominates attach latency.

Nova: secure handling of untrusted disk images

Dan Smith continued an architectural discussion about whether qemu-img is the right tool for untrusted images, noting that Glance can already use oslo.utils format_inspector to validate streams in flight (a few KiB into a qcow2 upload to Swift/RBD is enough to reject a bad image) without ever staging the file to disk. The thread is exploratory rather than a settled direction.
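A minimal sketch of in-flight validation as the thread describes it, added here as an example and not taken from oslo.utils or Glance. The class and function names are hypothetical, and the rejection policy (qcow2 v2/v3 only, no backing-file reference, sane cluster size) is an assumption; it vets the fixed 24-byte start of the qcow2 header before any byte reaches the store.

```python
import struct

# Added illustration; class and function names are hypothetical, not oslo.utils.
QCOW2_MAGIC = b"QFI\xfb"
HEADER = struct.Struct(">4sIQII")  # magic, version, backing offset/size, cluster_bits


class StreamRejected(Exception):
    """Raised as soon as the buffered header fails a check."""


class Qcow2HeaderGate:
    """Hold back upload bytes until the fixed qcow2 header has been vetted."""

    def __init__(self):
        self._pending = b""
        self.verified = False

    def feed(self, chunk):
        """Return the bytes that are safe to forward to the backing store."""
        if self.verified:
            return chunk
        self._pending += chunk
        if len(self._pending) < HEADER.size:
            return b""  # not enough data to decide yet; forward nothing
        magic, version, b_off, b_len, cbits = HEADER.unpack_from(self._pending)
        if magic != QCOW2_MAGIC or version not in (2, 3):
            raise StreamRejected("not a qcow2 v2/v3 header")
        if b_off or b_len:  # assumed policy: uploads may not name a backing file
            raise StreamRejected("backing file reference present")
        if not 9 <= cbits <= 21:  # cluster sizes QEMU accepts: 512 B to 2 MiB
            raise StreamRejected("cluster_bits out of range")
        self.verified, out = True, self._pending
        self._pending = b""
        return out


def store_upload(chunks, sink):
    """Forward chunks into sink (a bytearray); return (ok, bytes_consumed)."""
    gate, consumed = Qcow2HeaderGate(), 0
    for chunk in chunks:
        consumed += len(chunk)
        try:
            sink.extend(gate.feed(chunk))
        except StreamRejected:
            return (False, consumed)
    return (gate.verified, consumed)
```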

Nova core team growth

PTL René Ribaud opened a thoughtful thread about his own candidacy for Nova core, explicitly separating his PTL and contributor hats, and using the moment to call for a broader reflection on deliberately growing the core reviewer team to address review capacity.

Devstack / Ceph

First-time contributor Ondrej Vaško is looking for reviews on a devstack-plugin-ceph fix that repairs the RadosGW code path and adds Ceph version selection — motivated by Velero plugin integration testing.

Operator Discussions

Kolla-ansible dominated operator traffic this week, mostly driven by Johannes Kastl's homelab adoption journey:

  • TLS certificate rotation with Let's Encrypt: how to distribute renewed certs across HAProxy/Keepalived nodes when the external VIP floats. Existing kolla-ansible Let's Encrypt support appears HTTP-01 only; the consensus pointer was to the TLS admin docs and the haproxy cert update script.
  • Inventory layout and host_vars/group_vars conventions — flagged as a documentation gap worth a bug.
  • Single-node 2026.1 on Rocky 10.1 failing because nova-compute won't register due to nova_libvirt errors.
  • Multinode groups (deployment, monitoring) — operators want high-level documentation of what each group actually does.

Taavi Ansperr's low-downtime upgrade question (2025.1 → 2025.2 with VMs kept alive via drain + --limit, including the Redis-to-Valkey migration) is a useful read for anyone planning a summer upgrade. Separately, a Cinder + Huawei OceanStor 5310 iSCSI integration thread and a multi-pool Ceph cinder.conf issue (fixed in kolla-ansible 20.0.0 via per-backend pool configuration) round out the storage-side traffic.

On the openstack-ansible side, operators are asking how to add new network ranges to an existing cluster and how to re-run deployment after editing openstack_user_config.yml.

Community & Events

  • Ironic 2026.2 PTG work items are now summarized as a video on the G-Research OSS YouTube channel.
  • TC weekly summary (R-19 to Hibiscus) from Goutham Pacha Ravi notes that the Ansible SIG leadership change (Michal Nasiadka as co-chair) reached lazy consensus, Venus retirement and Vitrage deprecation are blocked by CI's empty-repo check (the TC plans to take ACLs and clear them, with retirement docs to be updated by Dmitriy Rabotyagov), and that python-tempestconf will stay in the openinfra namespace despite the broader refstack/interop wind-down. SRBAC's "global reader/auditor" persona is confirmed out-of-scope for the current goal and pushed to future Keystone work.
  • The Public Cloud SIG met on May 20 (meetpad), with zero-day exploit handling floated as a discussion topic. Several attendees were travelling to the SCS Summit in Berlin.
  • Neutron's bug deputy report for May 11–17 flags one high-severity TaaS OVS agent bug (#2152829) and a cluster of issues around the new BGP feature being worked by Eduardo Olivares and Jakub Libosvar.