OpenStack Upgrade - Stein

[JacquesMrz]

Upgrade off all our OpenStack infrastructure from Newton to Stein version.

BHS1 - Done

[Mickael-Roger]

Stein seems now unmainted. Why not upgrading to a more recent version like Ussuri or Victoria ?

[JacquesMrz]

Stein is the stable version we target. Bigger the gap between two OpenStack version is, bigger the effort/risk is.
We currently run Newton version, Stein version allows us to contain the refactoring effort. In other words, small steps allow us to maintain quality and stability.
As soon as Stein upgrade is over, we will start to work on the next version upgrade ==> OpenStack upgrade is an endless stream.

[telenieko]

Stein is the stable version we target. Bigger the gap between two OpenStack version is, bigger the effort/risk is.
As soon as Stein upgrade is over, we will start to work on the next version upgrade ==> OpenStack upgrade is an endless stream.

I see the point about going one version at a time, but given that event when Stein lands it will be 5 versions behind... If OVH already has the next step in mind (to which version the next jump will be), maybe a new issue can be opened so at least we know what to expect.

Note that this issue is now in Backlog, so Stein is not to be expected atleast untill Fall 2021? By then Wallaby should be out and Stein probably EOL.

[karljohns0n]

I see that BHS6 (vps) has been upgraded to Stein so I guess BHS public cloud will follow?

http://travaux.ovh.net/?do=details&id=52713&

[telenieko]

Note that this issue is now in Backlog, so Stein is not to be expected atleast untill Fall 2021? By then Wallaby should be out and Stein probably EOL.

This issue is now in the Prioritized list, but now another OpenStack version is out (Xena) and Yoga will be out by next quarter.

So...
can OVH provide some roadmap or expectation on OpenStack version availability?

[ZuSe]

@mhurtrel

I would also be really interested in this. We are also facing issues with our API-Clients and Security Certificates.
When can we expect OVH to run one of the newer versions which is not considered EOL?

[b3n4kh]

We as well could love an update on this issue. Especially on the question what / when the next update from Stein onward will follow, since it is expected to be EOL soon as well.

[JacquesMrz]

Hi all,

Here is the planning of our coming upgrades from Newton to Stein.

Status | OpenStack Region | Detailed impact

DONE | UK1 | https://public-cloud.status-ovhcloud.com/incidents/mltz6rv3fpt5
DONE | WAW1 | https://public-cloud.status-ovhcloud.com/incidents/8brj06qwy9k7
DONE | BHS3 | https://public-cloud.status-ovhcloud.com/incidents/19jqwv15m4kx
DONE | DE1 | https://public-cloud.status-ovhcloud.com/incidents/nvf2n04xby4g
DONE | BHS5 | https://public-cloud.status-ovhcloud.com/incidents/ndlqlxcmf8hj
DONE | GRA11 | https://public-cloud.status-ovhcloud.com/incidents/4dpczcr5frzm
DONE | GRA1 | https://public-cloud.status-ovhcloud.com/incidents/fr5vwjy08bwv
DONE | GRA3 | https://public-cloud.status-ovhcloud.com/incidents/6fh4b3x6plh2
DONE | SBG5 | https://public-cloud.status-ovhcloud.com/incidents/82d1l1ktrs41
DONE | GRA5 | https://public-cloud.status-ovhcloud.com/incidents/4btdf7vg8v98
GRA7 | -
SYD | -
SGP1 | -

[b3n4kh]

@JacquesMrz much apprichiate this list helps a lot! Do you happen to know the release schedule / current release of GRA9 as well?

[formax68]

Hello, any update on the upgrade status? As per OVH support, we cannot update security groups until the upgrade is finished.

[maxdelorme]

Could you explain me why the region SBG5 which has been migrating to Stein cf (https://public-cloud.status-ovhcloud.com/incidents/82d1l1ktrs41) has still no security groups, no port security enable ?
In the page : https://docs.ovh.com/gb/en/public-cloud/firewall_security_pci/ we can read

Once a region will be upgraded to OpenStack Stein release, if you want to use firewall rules on private networks you will have to set the “port security” property as “True”.

When I try to set enable port_security, I got

openstack port set --enable-port-security 44ef02bc-xxxx-xxxx-8e2d-60047b0176f6
HttpException: 403: Client Error for url: https://network.compute.sbg5.cloud.ovh.net/v2.0/ports/44ef02bc-01b9-489c-8e2d-60047b0176f6, (rule:update_port and rule:update_port:port_security_enabled) is disallowed by policy

[JacquesMrz]

Coucou @maxdelorme ,

Even if SBG5 is running on OpenStack Stein, we need to update openvswitch so you will be able to use Security Groups.
As soon as it will be possible, "port_security_enabled" will be set as "True" by default.
For the moment it is possible to set "port_security_enabled" as "True" only in SBG7 & GRA9 regions.

[desaintmartin]

Dear @JacquesMrz, do you have an ETA for the openvswitch update?

[rgdev]

@JacquesMrz Any news on this ? Lack of security group management is a pretty big deal.

[maxdelorme]

@JacquesMrz I confirm that not be able to use security group on OpenStack is a pretty big security issue !

[maxdelorme]

according to this links upgrade to openvswitch is done on many regions

• [Scheduled] [GRA3/GRA5/GRA11][Public Cloud] - Upgrade Open vSwitch

The scheduled maintenance has been completed.
May 23, 08:12 UTC

• [Scheduled] [DE1/WAW1][Public Cloud] - Upgrade Open vSwitch

The scheduled maintenance has been completed.
May 23, 08:00 - 08:12 UTC

• [Scheduled] [GRA1/GRA7/SBG5][Public Cloud] - Upgrade Open vSwitch

The scheduled maintenance has been completed.
May 23, 08:12 UTC

[maxdelorme]

I confirm that I can now set Security Groups on SBG5 region (enable security port before) and also that port_security_enabled is true by default

[desaintmartin]

I see that upgrade of GRA7 has been completed a few hours ago: https://public-cloud.status-ovhcloud.com/incidents/1s899p8kmt01.

Is there a link to upgrade IaC / provisionning scripts to Stein? Will we need to explicitly define port for each instance (like defined in https://blog.ledez.net/computing/ovh-openstack-stein-port-security-with-terraform-en/)?