Skip to main content

Release Notes for SCS Release 3

(Release Date: 2022-09-21)

Scope

Main goals for Release 3 (R3) were user federation, increase in deployment and upgrade velocity by improving automated test coverage as well as bringing disk encryption based on tang from the state of a technical preview to be fully supported.

Component Versions and User-visible improvements (highlights)

New Features (Highlights)

Operator focused improvements

  • Work is underway to supersede openstack-health-monitor with a comprehensive approach using scenarios with ansible playbooks that has been developed and used by T-Systems for their Open Telekom Cloud. Meanwhile, openstack-health-monitor has seen the addition of data collection with telegraf and influxdb as well as a good dashboard with grafana.

  • We have used our keystone to keycloak federation to use keycloak as identity broker to federate identities from other (SCS) clouds' keycloaks. This works well for the Web-Interface; we have still some work to do to also make it smooth also for API/CLI usage. We have documented the current status

  • We believe that Gaia-X self-descriptions should also contain a description of technical properties of services; higher-level services and workloads can than declare their requirements and be matched against lower level services / platforms. In good platforms, most (or all) technical properties are discoverable. In the Gaia-X Hackathon #4, we have worked on a demonstrator that characterizes some aspects of an OpenStack-based IaaS platform and which produces self-descriptions that can be submitted to the Gaia-X trust service, pass the tests and you can be awared a verifiable credential. Code is available in the gx-self-description-generator repo

SCS Developer focused improvements (testbed and k8s cluster management)

  • Following significant discussions on how to standardize our cluster management solution, there is a draft concept as part of R3 now, which will be further worked on during the R4 cycle. See Cluster standardization section of the release notes from k8s-cluster-api-provider. While our reference implementation uses the concepts and code from k8s cluster API on top of our SCS reference implementation (OpenStack automated by OSISM), we want to assure that non-OpenStack IaaS and solutions that diverge from cluster-API have the possibility to be SCS compliant.

  • Workload clusters managed by our SCS cluster management solutions can now much more easily receive k8s version upgrades, as the cluster-template no longer needs to be touched for this. There is an Upgrade Guide available now.

  • LUKS encryption is now documented and enabled in the testbed by default.

  • Further noteworthy improvements to testbed:

    • Public DNS for testbed is now available (testbed.osism.xyz), allowing to access services via TLS protected by a wildcard CA certificate.
    • The wireguard VPN service is deployed in the testbed by default.

An overview over the used software versions is available from the OSISM release repository as input for a complete SBOM. This allows to e.g. investigate the contents of the used (v4.0.0) images.

Upgrade/Migration notes

Cluster Management

Upgrade from R2 to R3 for cluster management and clusters: See k8s-cluster-api-provider Release Notes for more details. There is an Upgrade Guide written specifically to address the steps needed for upgrading your cluster management and the workload clusters.

OSISM

  • In environments/kolla/secrets.yml the parameter neutron_ssh_key must be added.

    neutron_ssh_key:
    private_key:
    public_key:

    The ssh key can be generated as follows: ssh-keygen -t rsa -b 4096 -N "" -f id_rsa.neutron -C "" -m PEM

Removals

  • The Cockpit service has been removed.

Deprecations

Deprecations happen according to our deprecation policy.

  • Linux bridge support has been deprecated by the Neutron team and marked as experimental. If Linux bridge is used in deployments, migrating to OpenVSwitch is recommended.
  • Debian dropped hddtemp (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002484), therefore the hddtemp service will be removed from the next OSISM release, as there is no package available for Ubuntu 22.04.
  • Heat will no longer be offered by default in the testbed in the future
  • The following services are currently not used and are deprecated and scheduled for removal as of now: Falco, Jenkins, Rundeck, Lynis, Trivy
  • The docker-compose CLI will be removed and replaced by the new compose plugin for Docker. docker-compose is then no longer available and docker compose must be used instead
  • The cleanup-elasticsearch playbook is deprecated. In the future, the elasticsearch-curator service (part of Kolla) has to be used for Elasticsearch cleanup.
  • All osism- scripts on the manager are deprecated and will be replaced by the new OSISM CLI. The scripts will be removed in the next release

Security Fixes

No severe security issues need to be highlighted since Release 2. However, by updating to the latest stable version of the integrated open source components, we benefit from the upstream security fixes and thus recommend to upgrade all SCS environments. Please note that Release 2 maintenance by the SCS project team will end by the end of October.

Resolved Issues

  • Certificates in k8s clusters are subject to expiration - typically after one year. We ensure these are renewed on control-plane upgrades, but operators may need manual attention in case upgrades are not performed for extended periods of time. This is documented in the k8s-cluster-api-provider's Maintenance and Troubleshooting Guide.

Standards Conformance

The clusters created with our cluster-API cluster management solution pass the CNCF conformance tests as reported by sonobuoy.

The OpenStack layer passes the OIF trademark tests, so cloud providers leveraging the stack should easily be able to achieve the "OpenStack powered compute" trademark certification.

Our partner plusserver has achieved a BSI C5 security certification for their SCS implementation pluscloud open.

We are working within Gaia-X to further the power of Gaia-X self-descriptions and are closely working with the GXFS project to jointly deliver a standard toolbox for Gaia-X compliant infrastructure and service offerings.

The SCS standards for flavor naming and image metadata are largely unchanged since R1. We have however made progress in our reference implementation fully implementing them without any further tweaks. The conformance test for the flavor naming has seen minor improvements; a conformance test for the image metadata has been added.

Release Tagging

See Release Numbering scheme -- unchanged from R0. We have added the tag v4.0.0 to the relevant repositories to designate the SCS_RELEASE_R3.

Note that we will release R4 (v5.0.0) in March 2023 and stop providing maintenance updates for R3 at the end of April 2023.

List of known issues & restrictions in R3

  • Distributed Virtual Routing (DVR) is not officially supported by OSISM, not tested and not recommended.

Contributing

We appreciate contribution to strategy and implementation, please join our community -- or just leave input on the github issues and PRs. Have a look at our How to contribute page.

Thanks

The work for R3 has been done by many contributors from our community. We have not collected detailed stats that would split out the individual contributor's and companies shares ... we may do so in the future. We are grateful to have such an active and engaged community that has done so much work! Thanks to our contributors!

Of course we are leveraging a huge amount of open source technology that has been created by our friends in other communities, many of which are part of the CNCF, Linux Foudation, OIF, and others. We participate and contribute where we can and definitely want to acknowledge the great work that we build upon.