Ussuri Release Highlights


These are significant changes reported directly from the project teams and have not been processed in any way. Some highlights may be more significant than others. Please do not take this list as a definitive set of highlights for the release until the OpenStack Foundation marketing staff have had a chance to compile a more accurate message out of these changes.



  • Numerous improvements in current functionality, for example, the ability to set minimum and maximum sizes for volume-types; the ability to filter the volume list using time comparison operators.

  • Support for Glance multistore and image data colocation when uploading a volume to the Image Service.

  • Added some new backend drivers, and many current drivers have added support for more features.



  • Users can now launch instances with accelerators managed by Cyborg, as the Nova-Cyborg integration has been completed. See the accelerator operation guide to find which instance operations are supported.

  • New APIs have been implemented to list devices managed by Cyborg and, in general, to view and manage inventory of accelerators.

  • Cyborg has laid the foundations for providing backwards compatibility in future releases by adopting microversions in v2 API.

  • The Cyborg client is now based on OpenStack SDK and supports most Version 2 APIs.

  • Improved quality overall by adding more unit/functional tests and by reducing technical debt.



  • Enhancements to the multiple stores feature: users can now import a single image into multiple stores, copy an existing image into multiple stores and delete an image from a single store.

  • New import plugin to decompress the image

  • Introduced S3 driver for glance-store again



  • This release mainly focuses on bug fixes and improvements from the maintenance perspective including deprecations of old features, cleanup of deprecated features, integration test coverage improvements, migration to mock usage in unit tests and so on.

  • Horizon and all horizon plugins now support Django 2.2, which is the only supported LTS of Django. Django is a framework which horizon depends on. Note that Python 2.7 is no longer supported and we have entered the Python 3 era.

  • A couple of feature gaps in keystone support are implemented: a feature to allow users to change an expired password, including at first login; a password lock option in the user panel; and support for access rules for application credentials.



  • Support for scoped introspection rules, which allow rules to be defined (and kept) per node subset, such as different hardware deliveries.

  • Support for a hardware retirement workflow to enable automation of hardware decommission in managed clouds.

  • Multitenancy concepts and additional policy options are available for non-administrator usage of Ironic.

  • Addition of authentication of interactions between Ironic and its remote agent enabling deployment over untrusted networks.

  • UEFI and device selection is now available for Software RAID.



  • The user experience for creating application credentials and trusts has been greatly improved when using a federated authentication method. Federated users whose role assignments come from mapped group membership will have those group memberships persisted for a configurable TTL after their token expires, during which time their application credentials will remain valid.

  • Keystone to Keystone assertions now contain the user’s group memberships on the keystone Identity Provider which can be mapped to group membership on the keystone Service Provider.

  • Federated users can now be given concrete role assignments without relying on the mapping API by allowing federated users to be created directly in keystone and linked to their Identity Provider.

  • When bootstrapping a new keystone deployment, the admin role now defaults to having the “immutable” option set, which prevents it from being accidentally deleted or modified unless the “immutable” option is deliberately removed.

  • Keystonemiddleware no longer supports the Identity v2.0 API, which was removed from keystone in previous release cycles.



  • All images, scripts and Ansible playbooks now use Python 3, and support for Python 2 has been dropped.

  • Added support for CentOS 8 hosts and images.

  • Added initial support for TLS encryption of backend API services, providing end-to-end encryption of API traffic. Currently Barbican, Cinder, Glance, Heat, Horizon, Keystone, Nova and Placement are supported.

  • Added support for deployment of Open Virtual Network (OVN) and integration of it with Neutron.

  • Added support for deployment of Zun CNI (Container Networking Interface) components allowing Docker with containerd to support Zun capsules (pods).

  • Added support for Elasticsearch Curator to help manage clustered log data.

  • Added components necessary to use Mellanox networking devices with Neutron.

  • Streamlined configuration of external Ceph integration, making it easy to go from Ceph-Ansible-deployed Ceph cluster to enabling it in OpenStack.



  • Support for IPv6.

  • DPDK support for nested setups and various other DPDK and SR-IOV improvements.

  • Multiple fixes related to NetworkPolicy support.



  • Helm v3 is now supported for installing all Magnum-installed charts. Support for the Helm v2 client will be removed in the X release.

  • A new config option post_install_manifest_url is added to support installing a cloud provider/vendor specific manifest after deploying a Kubernetes cluster.

  • A new --merge-labels boolean flag can be used to merge user labels at cluster/nodegroup scope with cluster template/cluster labels.

  • Cloud admin users can now perform rolling upgrades on behalf of end users for urgent security patching.

  • Magnum now cascade deletes all the load balancers before deleting the cluster, not only including load balancers for the cluster services and ingresses, but also those for Kubernetes API/etcd endpoints.

  • Magnum supports updating the k8s cluster health status via the Magnum cluster update API so that a controller (e.g. magnum-auto-healer) running inside the k8s cluster can call the Magnum update API to update the cluster health status.



  • Share groups have graduated from being an experimental feature to being generally available. Starting with API version 2.55, the X-OpenStack-Manila-API-Experimental header is no longer required to create/update/delete share group types, group specifications, group quotas and share groups themselves.

  • Shares can be created from snapshots across storage pools when compatible. This new feature allows better utilization of back end resources by spreading workloads that were previously confined to the back end that hosted the snapshot.

  • New quota control mechanisms have been introduced to constrain projects and their users to the number and size of share replicas they can create.

  • It is now possible to query asynchronous user messages with time intervals.



  • The OVN driver is now merged into the Neutron repository and is one of the in-tree Neutron ML2 drivers, like linuxbridge or openvswitch. Benefits of the OVN driver over the openvswitch driver include, for example, DVR with distributed SNAT traffic, distributed DHCP and the possibility to run without network nodes. Other ML2 drivers are still in-tree and are fully supported. Currently the default agent is still openvswitch, but our plan is to make the OVN driver the default choice in the future.

  • Support for stateless security groups has been added. Users can now create a security group set as stateless, which means that conntrack will not be used for any rule in that group. One port can only use stateless or stateful security groups. In some use cases stateless security groups will allow the operator to choose optimized datapath performance, whereas stateful security groups impose extra processing on the system.

  • Role Based Access Control (RBAC) for address scopes and subnet pools has been added. Address scopes and subnet pools are usually defined by operators and exposed to users. This change allows operators to use more granular access controls on address scopes and subnet pools.

  • Support for tagging resources during creation has been added in the Neutron API. Users can now set tags for resources such as ports directly in POST requests. This will improve the performance of Kubernetes network operations a lot. The number of API calls which, for example, Kuryr has to send to Neutron is greatly reduced.





  • Octavia now supports deploying load balancers in specific availability zones. This allows the deployment of load balancing capabilities to edge environments.

  • The Octavia amphora driver has added a technology preview feature that improves control plane resiliency. Should a control plane host go down during a load balancer provisioning operation, an alternate controller can resume the in-process provisioning and complete the request.

  • Users can now specify the TLS ciphers acceptable for listeners and pools. This allows load balancers to enforce security compliance requirements.



  • Ceph Octopus support

  • MariaDB upgraded to 10.4 release

  • Added CentOS 8 support

  • Added Ubuntu Focal support

Puppet Openstack


  • Puppet OpenStack can now bootstrap Keystone using an admin password instead of using the legacy admin token.



  • Added a new system-namespace for Swift containers and objects.

  • Added a new Swift object-versioning API using the new namespace.

  • Added support for S3 versioning using the new API.

  • Added the ability to use SIGUSR1 to perform “seamless” reloads, where the WSGI server socket never stops accepting connections.





  • Added a new webhook API and a new audit type EVENT. Watcher users can now create an audit with the EVENT type, and the audit will be triggered by the webhook API.

  • The building of the compute (Nova) data model will be done using the decision engine threadpool, thereby, significantly reducing the total time required to build it.



  • Support querying queues with ‘with_count’ to return the number of queues. This helps users quickly get the exact total number of queues which they own.

  • Introduced a new resource called Topic, which is a concept from SNS. Users can send a message to a Topic and then subscribers will get the message according to different protocols like http, email, sms, etc.



  • Starting from this release, Zun adds support for CRI-compatible runtimes. Zun uses a CRI runtime to realize the concept of a capsule (pod). As a result, users can use the Zun API to create pods in Kata containers via a CRI runtime.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.