2025.2 Flamingo Release Highlights

Note

These are significant changes reported directly from the project teams and have not been processed in any way. Some highlights may be more significant than others. Please do not take this list as a definitive set of highlights for the release until the Open Infrastructure Foundation marketing staff have had a chance to compile a more accurate message out of these changes.

Designate

Notes:

  • Designate now provides support for Service Binding (SVCB) and HTTPS resource records, as specified in RFC 9460 and RFC 9461. These record types significantly reduce the handshake latency for new endpoint connections, resulting in improved page load performance for end-users.

Horizon

Notes:

  • Horizon now uses the SDK instead of neutronclient for RBAC policies, QoS and security groups.

  • The User Credentials details page for TOTP now displays a generated QR code for setting up a new TOTP in an authentication app.

  • Region and domain selection is now always visible on the login screen, independently of authentication methods, making multi-region and multi-domain setups possible.

Manila

Notes:

  • Manila now supports bring your own key (BYOK) encryption for share servers. To use it, the user must specify a Barbican encryption key reference in UUID format while creating shares.

  • The NetApp ONTAP driver now supports BYOK encryption for share servers. This functionality is only available in multitenancy mode (DHSS=True).

  • Added support for restoring share backups to a share different from their source.

  • The Dell Isilon Driver was rebranded to PowerScale.

  • The Dell PowerScale driver now supports thin provisioning for shares.

Neutron

Notes:

  • Neutron API, RPC, agents (metadata, DHCP, L3, etc.), workers and all associated code now run in native threading mode instead of eventlet.

  • A new custom API policy rule, context_with_global_access, has been added, which allows for roles such as auditor to be specified.

  • Floating IP NAT rules in OVN can now be configured as stateless with the stateless_nat_enabled option, which can potentially improve performance because it avoids conntrack.

  • The OVN agent has replaced the OVN Metadata Agent; the latter will be deprecated in a future release.

Nova

Notes:

  • The libvirt guest XML now includes additional flavor and image metadata fields, so that they can be used during troubleshooting and so that services like Ceilometer can retrieve accurate instance information directly, without performing extra Nova API calls.

  • Nova now supports a new default role, manager, which is scoped to the project level. This role is part of the standard role hierarchy supported by Keystone and allows trusted project users to perform project-level management tasks (e.g., live migration) without requiring full admin rights.

  • Service-to-service APIs now use the service role, reducing unnecessary privileges for cross-service communication.

  • Nova now supports one-time use passthrough devices. Such devices are allocated to a single instance, and when the instance is deleted, the device stays in a reserved state instead of becoming automatically available. This ensures operators can perform necessary security checks or hardware resets before reusing the device.

  • SPICE direct console support is now complete, with USB controller configuration and sound device support.

  • Nova now supports QEMU’s memory balloon autodeflate and free page reporting features with the libvirt driver. These allow unused guest memory to be automatically released back to the hypervisor, improving memory efficiency and reducing the risk of the Out-of-Memory killer activating.

  • Added support for AMD Secure Encrypted Virtualization – Encrypted State (SEV-ES) with libvirt, extending confidential computing capabilities in Nova to protect guest memory and CPU register state.

  • Experimental feature: Nova API, metadata, and scheduler services can run in native threading mode as an alternative to eventlet. Please try it in a non-production environment and share your success or failure with us on the openstack-discuss mailing list or via the Nova bug tracker.

Watcher

Notes:

  • Volume migrations now use secure Cinder operations, eliminating previous security vulnerabilities while maintaining full functionality. Undocumented and unimplemented API endpoints have been removed for improved security posture.

  • Operators can now skip specific optimization actions with custom status messages, providing granular control over infrastructure changes during maintenance windows.

  • Host Maintenance strategy now offers granular controls for live and cold migration scenarios, giving operators precise control over workload placement during maintenance.

  • Watcher now integrates with Prometheus through the new Aetos data source, providing secure multi-tenant monitoring with Keystone authentication and role-based access control.

  • Python 3.10 is now the minimum requirement, ensuring compatibility with modern OpenStack deployments and improved performance.

  • Optional Monasca client integration reduces dependencies on retired components without breaking existing user configurations.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.